# vim: tabstop=4 shiftwidth=4 softtabstop=4 # Copyright 2010 United States Government as represented by the # Administrator of the National Aeronautics and Space Administration. # All Rights Reserved. # Copyright (c) 2010 Citrix Systems, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. from eventlet import tpool from nova import context from nova import db from nova import flags from nova import log as logging from nova import utils from nova.virt.libvirt import netutils LOG = logging.getLogger("nova.virt.libvirt.firewall") FLAGS = flags.FLAGS try: import libvirt except ImportError: LOG.warn(_("Libvirt module could not be loaded. NWFilterFirewall will " "not work correctly.")) class FirewallDriver(object): def prepare_instance_filter(self, instance, network_info): """Prepare filters for the instance. At this point, the instance isn't running yet.""" raise NotImplementedError() def unfilter_instance(self, instance, network_info): """Stop filtering instance""" raise NotImplementedError() def apply_instance_filter(self, instance, network_info): """Apply instance filter. Once this method returns, the instance should be firewalled appropriately. This method should as far as possible be a no-op. It's vastly preferred to get everything set up in prepare_instance_filter. """ raise NotImplementedError() def refresh_security_group_rules(self, security_group_id): """Refresh security group rules from data store Gets called when a rule has been added to or removed from the security group.""" raise NotImplementedError() def refresh_security_group_members(self, security_group_id): """Refresh security group members from data store Gets called when an instance gets added to or removed from the security group.""" raise NotImplementedError() def refresh_provider_fw_rules(self): """Refresh common rules for all hosts/instances from data store. Gets called when a rule has been added to or removed from the list of rules (via admin api). """ raise NotImplementedError() def setup_basic_filtering(self, instance, network_info): """Create rules to block spoofing and allow dhcp. This gets called when spawning an instance, before :method:`prepare_instance_filter`. """ raise NotImplementedError() def instance_filter_exists(self, instance, network_info): """Check nova-instance-instance-xxx exists""" raise NotImplementedError() class NWFilterFirewall(FirewallDriver): """ This class implements a network filtering mechanism versatile enough for EC2 style Security Group filtering by leveraging libvirt's nwfilter. First, all instances get a filter ("nova-base-filter") applied. This filter provides some basic security such as protection against MAC spoofing, IP spoofing, and ARP spoofing. This filter drops all incoming ipv4 and ipv6 connections. Outgoing connections are never blocked. Second, every security group maps to a nwfilter filter(*). NWFilters can be updated at runtime and changes are applied immediately, so changes to security groups can be applied at runtime (as mandated by the spec). Security group rules are named "nova-secgroup-" where is the internal id of the security group. They're applied only on hosts that have instances in the security group in question. Updates to security groups are done by updating the data model (in response to API calls) followed by a request sent to all the nodes with instances in the security group to refresh the security group. Each instance has its own NWFilter, which references the above mentioned security group NWFilters. This was done because interfaces can only reference one filter while filters can reference multiple other filters. This has the added benefit of actually being able to add and remove security groups from an instance at run time. This functionality is not exposed anywhere, though. Outstanding questions: The name is unique, so would there be any good reason to sync the uuid across the nodes (by assigning it from the datamodel)? (*) This sentence brought to you by the redundancy department of redundancy. """ def __init__(self, get_connection, **kwargs): self._libvirt_get_connection = get_connection self.static_filters_configured = False self.handle_security_groups = False def apply_instance_filter(self, instance, network_info): """No-op. Everything is done in prepare_instance_filter""" pass def _get_connection(self): return self._libvirt_get_connection() _conn = property(_get_connection) def nova_dhcp_filter(self): """The standard allow-dhcp-server filter is an one, so it uses ebtables to allow traffic through. Without a corresponding rule in iptables, it'll get blocked anyway.""" return ''' 891e4787-e5c0-d59b-cbd6-41bc3c6b36fc ''' def nova_ra_filter(self): return ''' d707fa71-4fb5-4b27-9ab7-ba5ca19c8804 ''' def setup_basic_filtering(self, instance, network_info): """Set up basic filtering (MAC, IP, and ARP spoofing protection)""" logging.info('called setup_basic_filtering in nwfilter') if self.handle_security_groups: # No point in setting up a filter set that we'll be overriding # anyway. return logging.info('ensuring static filters') self._ensure_static_filters() if instance['image_ref'] == str(FLAGS.vpn_image_id): base_filter = 'nova-vpn' else: base_filter = 'nova-base' for (network, mapping) in network_info: nic_id = mapping['mac'].replace(':', '') instance_filter_name = self._instance_filter_name(instance, nic_id) self._define_filter(self._filter_container(instance_filter_name, [base_filter])) def _ensure_static_filters(self): """Static filters are filters that have no need to be IP aware. There is no configuration or tuneability of these filters, so they can be set up once and forgotten about. """ if self.static_filters_configured: return self._define_filter(self._filter_container('nova-base', ['no-mac-spoofing', 'no-ip-spoofing', 'no-arp-spoofing', 'allow-dhcp-server'])) self._define_filter(self._filter_container('nova-vpn', ['allow-dhcp-server'])) self._define_filter(self.nova_base_ipv4_filter) self._define_filter(self.nova_base_ipv6_filter) self._define_filter(self.nova_dhcp_filter) self._define_filter(self.nova_ra_filter) if FLAGS.allow_same_net_traffic: self._define_filter(self.nova_project_filter) if FLAGS.use_ipv6: self._define_filter(self.nova_project_filter_v6) self.static_filters_configured = True def _filter_container(self, name, filters): xml = '''%s''' % ( name, ''.join(["" % (f,) for f in filters])) return xml def nova_base_ipv4_filter(self): retval = "" for protocol in ['tcp', 'udp', 'icmp']: for direction, action, priority in [('out', 'accept', 399), ('in', 'drop', 400)]: retval += """ <%s /> """ % (action, direction, priority, protocol) retval += '' return retval def nova_base_ipv6_filter(self): retval = "" for protocol in ['tcp-ipv6', 'udp-ipv6', 'icmpv6']: for direction, action, priority in [('out', 'accept', 399), ('in', 'drop', 400)]: retval += """ <%s /> """ % (action, direction, priority, protocol) retval += '' return retval def nova_project_filter(self): retval = "" for protocol in ['tcp', 'udp', 'icmp']: retval += """ <%s srcipaddr='$PROJNET' srcipmask='$PROJMASK' /> """ % protocol retval += '' return retval def nova_project_filter_v6(self): retval = "" for protocol in ['tcp-ipv6', 'udp-ipv6', 'icmpv6']: retval += """ <%s srcipaddr='$PROJNETV6' srcipmask='$PROJMASKV6' /> """ % (protocol) retval += '' return retval def _define_filter(self, xml): if callable(xml): xml = xml() # execute in a native thread and block current greenthread until done tpool.execute(self._conn.nwfilterDefineXML, xml) def unfilter_instance(self, instance, network_info): """Clear out the nwfilter rules.""" instance_name = instance.name for (network, mapping) in network_info: nic_id = mapping['mac'].replace(':', '') instance_filter_name = self._instance_filter_name(instance, nic_id) try: self._conn.nwfilterLookupByName(instance_filter_name).\ undefine() except libvirt.libvirtError: LOG.debug(_('The nwfilter(%(instance_filter_name)s) ' 'for %(instance_name)s is not found.') % locals()) instance_secgroup_filter_name =\ '%s-secgroup' % (self._instance_filter_name(instance)) try: self._conn.nwfilterLookupByName(instance_secgroup_filter_name)\ .undefine() except libvirt.libvirtError: LOG.debug(_('The nwfilter(%(instance_secgroup_filter_name)s) ' 'for %(instance_name)s is not found.') % locals()) def prepare_instance_filter(self, instance, network_info): """Creates an NWFilter for the given instance. In the process, it makes sure the filters for the provider blocks, security groups, and base filter are all in place. """ self.refresh_provider_fw_rules() ctxt = context.get_admin_context() instance_secgroup_filter_name = \ '%s-secgroup' % (self._instance_filter_name(instance)) instance_secgroup_filter_children = ['nova-base-ipv4', 'nova-base-ipv6', 'nova-allow-dhcp-server'] if FLAGS.use_ipv6: networks = [network for (network, _m) in network_info if network['gateway_v6']] if networks: instance_secgroup_filter_children.\ append('nova-allow-ra-server') for security_group in \ db.security_group_get_by_instance(ctxt, instance['id']): self.refresh_security_group_rules(security_group['id']) instance_secgroup_filter_children.append('nova-secgroup-%s' % security_group['id']) self._define_filter( self._filter_container(instance_secgroup_filter_name, instance_secgroup_filter_children)) network_filters = self.\ _create_network_filters(instance, network_info, instance_secgroup_filter_name) for (name, children) in network_filters: self._define_filters(name, children) def _create_network_filters(self, instance, network_info, instance_secgroup_filter_name): if instance['image_ref'] == str(FLAGS.vpn_image_id): base_filter = 'nova-vpn' else: base_filter = 'nova-base' result = [] for (_n, mapping) in network_info: nic_id = mapping['mac'].replace(':', '') instance_filter_name = self._instance_filter_name(instance, nic_id) instance_filter_children = [base_filter, 'nova-provider-rules', instance_secgroup_filter_name] if FLAGS.allow_same_net_traffic: instance_filter_children.append('nova-project') if FLAGS.use_ipv6: instance_filter_children.append('nova-project-v6') result.append((instance_filter_name, instance_filter_children)) return result def _define_filters(self, filter_name, filter_children): self._define_filter(self._filter_container(filter_name, filter_children)) def refresh_security_group_rules(self, security_group_id): return self._define_filter( self.security_group_to_nwfilter_xml(security_group_id)) def refresh_provider_fw_rules(self): """Update rules for all instances. This is part of the FirewallDriver API and is called when the provider firewall rules change in the database. In the `prepare_instance_filter` we add a reference to the 'nova-provider-rules' filter for each instance's firewall, and by changing that filter we update them all. """ xml = self.provider_fw_to_nwfilter_xml() return self._define_filter(xml) def security_group_to_nwfilter_xml(self, security_group_id): security_group = db.security_group_get(context.get_admin_context(), security_group_id) rule_xml = "" v6protocol = {'tcp': 'tcp-ipv6', 'udp': 'udp-ipv6', 'icmp': 'icmpv6'} for rule in security_group.rules: rule_xml += "" if rule.cidr: version = netutils.get_ip_version(rule.cidr) if(FLAGS.use_ipv6 and version == 6): net, prefixlen = netutils.get_net_and_prefixlen(rule.cidr) rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \ (v6protocol[rule.protocol], net, prefixlen) else: net, mask = netutils.get_net_and_mask(rule.cidr) rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \ (rule.protocol, net, mask) if rule.protocol in ['tcp', 'udp']: rule_xml += "dstportstart='%s' dstportend='%s' " % \ (rule.from_port, rule.to_port) elif rule.protocol == 'icmp': LOG.info('rule.protocol: %r, rule.from_port: %r, ' 'rule.to_port: %r', rule.protocol, rule.from_port, rule.to_port) if rule.from_port != -1: rule_xml += "type='%s' " % rule.from_port if rule.to_port != -1: rule_xml += "code='%s' " % rule.to_port rule_xml += '/>\n' rule_xml += "\n" xml = "