From ea6403258b9657125d475c111276d0a94c89361d Mon Sep 17 00:00:00 2001
From: clore
Date: Tue, 26 Mar 2024 00:39:51 +0000
Subject: [PATCH] proper networking configuration
---
 clore_hosting/main.py | 3 +-
 lib/docker_interface.py | 66 +++++++++++++++++++++++++++++------------
 lib/networking.py | 6 ++--
 3 files changed, 52 insertions(+), 23 deletions(-)
diff --git a/clore_hosting/main.py b/clore_hosting/main.py
index e23b697..2908570 100644
--- a/clore_hosting/main.py
+++ b/clore_hosting/main.py
@@ -115,7 +115,8 @@ class CloreClient:
 unique_monitoring = list(set(monitoring_data))
 for service_name in unique_monitoring:
 self.last_service_heartbeat[service_name]=utils.unix_timestamp()
- log.success(self.last_service_heartbeat)
+ if config.debug:
+ log.success(self.last_service_heartbeat)
 for service_name in self.last_service_heartbeat.keys():
 last_hearthbeat = self.last_service_heartbeat[service_name]
 if last_hearthbeat < utils.unix_timestamp()-config.maximum_pull_service_loop_time and service_name=="handle_container_cache":
diff --git a/lib/docker_interface.py b/lib/docker_interface.py
index f6308a0..287b47c 100644
--- a/lib/docker_interface.py
+++ b/lib/docker_interface.py
@@ -213,7 +213,7 @@ def validate_and_secure_networks():
 this_ipv4_range = ''
 for if_name in network_interfaces_with_subnet.keys():
 can_be_docker = True
- if if_name[:3] in ["eth", "enp", "eno", "ens", "wlp"]:
+ if if_name[:3] in ["eth", "enp", "eno", "ens", "wlp", "vet"]:
 can_be_docker = False
 ipv4_range = network_interfaces_with_subnet[if_name]
 if ipv4_range==docker_network.IPAM[0].Subnet and can_be_docker:
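Review bot: The interface-prefix list `["eth", "enp", "eno", "ens", "wlp", "vet"]` on the new `if if_name[:3] in …` line is now spelled out twice, here and on the `elif key=="-i" and not_matched_rule[key][:3] in …` line of the `@@ -287,7 +315,7 @@` hunk, and this commit had to edit both copies in lockstep; a single module-level constant, `NON_DOCKER_IF_PREFIXES = ("eth", "enp", "eno", "ens", "wlp", "vet")`, referenced from both sites would keep the classification of which interfaces may carry a Docker bridge subnet in one place. Both sites decide where the isolation iptables rules are applied, so a mismatch between the two lists would mean a subnet is secured in one pass and treated as foreign in the other. The check is on the first three characters only, so `"vet"` matches `veth*` but also any other name starting with those letters; a one-line comment on the constant stating the intent (presumably that veth pairs belong to containers and are never a bridge — confirm before writing it) would help the next reader. `validate_and_secure_networks` starts and ends outside this hunk.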
@@ -223,27 +223,55 @@ def validate_and_secure_networks():
 if this_if_name:
 #print(this_if_name)
 #print(this_ipv4_range)
+
+ outside_ranges_ip_network = networking.exclude_network(this_ipv4_range)
+ outside_ranges = []
+ for outside_range_ip_network in outside_ranges_ip_network:
+ outside_ranges.append(str(outside_range_ip_network))
+
 #print(docker_network)
 for rule_template in config.clore_iptables_rules:
- needed_iptables_rule = rule_template.replace("",this_ipv4_range).replace("",this_if_name)
- for_comparison_rule = "-A"+needed_iptables_rule[2:] if needed_iptables_rule[:2]=="-I" else needed_iptables_rule
- for_comparison_rule_normalized = utils.normalize_rule(utils.parse_rule_to_dict(for_comparison_rule))
+ if rule_template[:2]=='-I':
+ for outside_range in outside_ranges:
+ needed_iptables_rule = rule_template.replace("",outside_range).replace("",this_if_name)
+ for_comparison_rule = "-A"+needed_iptables_rule[2:] if needed_iptables_rule[:2]=="-I" else needed_iptables_rule
+ for_comparison_rule_normalized = utils.normalize_rule(utils.parse_rule_to_dict(for_comparison_rule))
 
- is_rule_active = False
- # Iterate in reverse to safely remove items while iterating
- for i in range(len(normalized_iptables_rules) - 1, -1, -1):
- if normalized_iptables_rules[i] == for_comparison_rule_normalized:
- is_rule_active = True
- # Remove the matched rule
- normalized_iptables_rules.pop(i)
- not_normalized_iptables_rules.pop(i)
-
- #print(for_comparison_rule, '|', is_rule_active)
+ is_rule_active = False
+ # Iterate in reverse to safely remove items while iterating
+ for i in range(len(normalized_iptables_rules) - 1, -1, -1):
+ if normalized_iptables_rules[i] == for_comparison_rule_normalized:
+ is_rule_active = True
+ # Remove the matched rule
+ normalized_iptables_rules.pop(i)
+ not_normalized_iptables_rules.pop(i)
 
- if not is_rule_active:
- succesfully_appended = networking.add_iptables_rule(needed_iptables_rule)
- if not succesfully_appended:
- failed_appending_iptables_rule = True
+ #print(for_comparison_rule, '|', is_rule_active)
+
+ if not is_rule_active:
+ succesfully_appended = networking.add_iptables_rule(needed_iptables_rule)
+ if not succesfully_appended:
+ failed_appending_iptables_rule = True
+ else:
+ needed_iptables_rule = rule_template.replace("",this_ipv4_range).replace("",this_if_name)
+ for_comparison_rule = "-A"+needed_iptables_rule[2:] if needed_iptables_rule[:2]=="-I" else needed_iptables_rule
+ for_comparison_rule_normalized = utils.normalize_rule(utils.parse_rule_to_dict(for_comparison_rule))
+
+ is_rule_active = False
+ # Iterate in reverse to safely remove items while iterating
+ for i in range(len(normalized_iptables_rules) - 1, -1, -1):
+ if normalized_iptables_rules[i] == for_comparison_rule_normalized:
+ is_rule_active = True
+ # Remove the matched rule
+ normalized_iptables_rules.pop(i)
+ not_normalized_iptables_rules.pop(i)
+
+ #print(for_comparison_rule, '|', is_rule_active)
+
+ if not is_rule_active:
+ succesfully_appended = networking.add_iptables_rule(needed_iptables_rule)
+ if not succesfully_appended:
+ failed_appending_iptables_rule = True
 else:
 remove_docker_network(docker_network.Name)
 except Exception as e2:
@@ -287,7 +315,7 @@ def validate_and_secure_networks():
 if key=="-s" and not_matched_rule[key][:len(config.clore_br_first_allowed_octet)] != config.clore_br_first_allowed_octet:
 any_unmatching_values=True
 break
- elif key=="-i" and not_matched_rule[key][:3] in ["eth", "enp", "eno", "ens", "wlp"]:
+ elif key=="-i" and not_matched_rule[key][:3] in ["eth", "enp", "eno", "ens", "wlp", "vet"]:
 any_unmatching_values=True
 break
 elif key=="-d" and not_matched_rule[key][:len(config.clore_br_first_allowed_octet)] != config.clore_br_first_allowed_octet:
diff --git a/lib/networking.py b/lib/networking.py
index a61bb4b..5c27afc 100644
--- a/lib/networking.py
+++ b/lib/networking.py
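Review bot: When `networking.exclude_network(this_ipv4_range)` yields nothing, the new `-I` branch's `for outside_range in outside_ranges:` loop installs no rule at all and `failed_appending_iptables_rule` is never set, so the subnet silently ends up with none of its `-I` isolation rules; going by the `exclude_network` hunk in lib/networking.py that happens when `config.local_ipv4_ranges` is empty or holds only the excluded network, and it deserves an explicit `if not outside_ranges: failed_appending_iptables_rule = True` (or a log line) before the template loop. Beyond that, the `-I` branch and the `else` branch are the same twenty lines of normalise, match-and-pop and append with only the substituted range differing, which is why the hunk doubled in size; a module-level helper taking the finished rule string and the two rule lists, plus one loop over either `outside_ranges` or `[this_ipv4_range]`, removes the copy and leaves one place to fix. The `replace("", …)` calls look like placeholder tokens lost in this rendering; if they are literal in the file, `str.replace("", x)` inserts `x` between every character, so worth a glance. Rough shape below; `normalized_iptables_rules`, `not_normalized_iptables_rules` and `failed_appending_iptables_rule` are set up before this hunk, and `validate_and_secure_networks` starts and ends outside it.
```python
def _ensure_iptables_rule(needed_iptables_rule, normalized_iptables_rules, not_normalized_iptables_rules):
    """Return False only when the rule was absent and could not be added.

    A rule that is already active is popped from both lists, as before.
    """
    for_comparison_rule = "-A"+needed_iptables_rule[2:] if needed_iptables_rule[:2]=="-I" else needed_iptables_rule
    for_comparison_rule_normalized = utils.normalize_rule(utils.parse_rule_to_dict(for_comparison_rule))
    is_rule_active = False
    # Iterate in reverse to safely remove items while iterating
    for i in range(len(normalized_iptables_rules) - 1, -1, -1):
        if normalized_iptables_rules[i] == for_comparison_rule_normalized:
            is_rule_active = True
            normalized_iptables_rules.pop(i)
            not_normalized_iptables_rules.pop(i)
    if is_rule_active:
        return True
    return networking.add_iptables_rule(needed_iptables_rule)

# … unchanged: validate_and_secure_networks up to the `if this_if_name:` branch …
                outside_ranges = [str(r) for r in networking.exclude_network(this_ipv4_range)]
                if not outside_ranges:
                    failed_appending_iptables_rule = True  # no -I rule could be built for this subnet
                for rule_template in config.clore_iptables_rules:
                    # -I templates are instantiated once per range outside the Docker subnet,
                    # every other template once for the subnet itself
                    target_ranges = outside_ranges if rule_template[:2]=='-I' else [this_ipv4_range]
                    for target_range in target_ranges:
                        # … unchanged: build needed_iptables_rule from rule_template, target_range and this_if_name …
                        if not _ensure_iptables_rule(needed_iptables_rule, normalized_iptables_rules, not_normalized_iptables_rules):
                            failed_appending_iptables_rule = True
```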
@@ -27,16 +27,16 @@ def get_network_interfaces_with_subnet():
 def exclude_network(excluded_network):
 # Convert exclude_network to ip_network object
- exclude_network = ip_network(exclude_network)
+ excluded_network = ip_network(excluded_network)
 # Remove the excluded network from the local_ranges list
 local_ranges = [ip_network(range_) for range_ in config.local_ipv4_ranges if ip_network(range_) != exclude_network]
 ranges_outside_exclude = []
 for local_range in local_ranges:
- if local_range.overlaps(exclude_network):
+ if local_range.overlaps(excluded_network):
 # If there's an overlap, split the range into parts excluding the excluded network
- for subnet in local_range.address_exclude(exclude_network):
+ for subnet in local_range.address_exclude(excluded_network):
 ranges_outside_exclude.append(subnet)
 else:
 ranges_outside_exclude.append(local_range)
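Review bot: The rename is incomplete: the context line `local_ranges = [... if ip_network(range_) != exclude_network]` still compares against `exclude_network`, and once the removed assignment is gone that name is no longer a local, so it presumably resolves to the function object itself; the comparison is then always true and the filter described by the comment above it never drops anything. Before this commit the same name was an unbound local, so the function could not have run at all, which the hunk does fix. Change the filter to `if ip_network(range_) != excluded_network]`; the `overlaps`/`address_exclude` branch happens to yield nothing for a network equal to `excluded_network`, which is why the result still comes out right today, but the intent should be restored rather than relied on. While there, the inner `for subnet … append` loop is `ranges_outside_exclude.extend(local_range.address_exclude(excluded_network))`. The function's return statement lies outside the hunk.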