proper networking configuration
This commit is contained in:
parent
7397de8a5b
commit
ea6403258b
|
@ -115,6 +115,7 @@ class CloreClient:
|
||||||
unique_monitoring = list(set(monitoring_data))
|
unique_monitoring = list(set(monitoring_data))
|
||||||
for service_name in unique_monitoring:
|
for service_name in unique_monitoring:
|
||||||
self.last_service_heartbeat[service_name]=utils.unix_timestamp()
|
self.last_service_heartbeat[service_name]=utils.unix_timestamp()
|
||||||
|
if config.debug:
|
||||||
log.success(self.last_service_heartbeat)
|
log.success(self.last_service_heartbeat)
|
||||||
for service_name in self.last_service_heartbeat.keys():
|
for service_name in self.last_service_heartbeat.keys():
|
||||||
last_hearthbeat = self.last_service_heartbeat[service_name]
|
last_hearthbeat = self.last_service_heartbeat[service_name]
|
||||||
|
|
|
@ -213,7 +213,7 @@ def validate_and_secure_networks():
|
||||||
this_ipv4_range = ''
|
this_ipv4_range = ''
|
||||||
for if_name in network_interfaces_with_subnet.keys():
|
for if_name in network_interfaces_with_subnet.keys():
|
||||||
can_be_docker = True
|
can_be_docker = True
|
||||||
if if_name[:3] in ["eth", "enp", "eno", "ens", "wlp"]:
|
if if_name[:3] in ["eth", "enp", "eno", "ens", "wlp", "vet"]:
|
||||||
can_be_docker = False
|
can_be_docker = False
|
||||||
ipv4_range = network_interfaces_with_subnet[if_name]
|
ipv4_range = network_interfaces_with_subnet[if_name]
|
||||||
if ipv4_range==docker_network.IPAM[0].Subnet and can_be_docker:
|
if ipv4_range==docker_network.IPAM[0].Subnet and can_be_docker:
|
||||||
|
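Review bot: The interface-prefix list `["eth", "enp", "eno", "ens", "wlp", "vet"]` is now maintained in two places, here in the `can_be_docker` check and in the `-i` key check of the later validate_and_secure_networks hunk (`elif key=="-i" and not_matched_rule[key][:3] in [...]`), and this commit had to patch both; a single module-level constant would keep them from drifting, e.g. `NON_DOCKER_IF_PREFIXES = ("eth", "enp", "eno", "ens", "wlp", "vet")` with `if if_name.startswith(NON_DOCKER_IF_PREFIXES):`. The new entry also deserves a comment, since `vet` is a three-character truncation and the reader has to guess which interfaces it is meant to exclude from bridge detection: `# "vet" matches veth* interfaces, which must never be selected as the docker bridge`. validate_and_secure_networks begins and ends outside this hunk.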
@ -223,8 +223,36 @@ def validate_and_secure_networks():
|
||||||
if this_if_name:
|
if this_if_name:
|
||||||
#print(this_if_name)
|
#print(this_if_name)
|
||||||
#print(this_ipv4_range)
|
#print(this_ipv4_range)
|
||||||
|
|
||||||
|
outside_ranges_ip_network = networking.exclude_network(this_ipv4_range)
|
||||||
|
outside_ranges = []
|
||||||
|
for outside_range_ip_network in outside_ranges_ip_network:
|
||||||
|
outside_ranges.append(str(outside_range_ip_network))
|
||||||
|
|
||||||
#print(docker_network)
|
#print(docker_network)
|
||||||
for rule_template in config.clore_iptables_rules:
|
for rule_template in config.clore_iptables_rules:
|
||||||
|
if rule_template[:2]=='-I':
|
||||||
|
for outside_range in outside_ranges:
|
||||||
|
needed_iptables_rule = rule_template.replace("<subnet>",outside_range).replace("<interface>",this_if_name)
|
||||||
|
for_comparison_rule = "-A"+needed_iptables_rule[2:] if needed_iptables_rule[:2]=="-I" else needed_iptables_rule
|
||||||
|
for_comparison_rule_normalized = utils.normalize_rule(utils.parse_rule_to_dict(for_comparison_rule))
|
||||||
|
|
||||||
|
is_rule_active = False
|
||||||
|
# Iterate in reverse to safely remove items while iterating
|
||||||
|
for i in range(len(normalized_iptables_rules) - 1, -1, -1):
|
||||||
|
if normalized_iptables_rules[i] == for_comparison_rule_normalized:
|
||||||
|
is_rule_active = True
|
||||||
|
# Remove the matched rule
|
||||||
|
normalized_iptables_rules.pop(i)
|
||||||
|
not_normalized_iptables_rules.pop(i)
|
||||||
|
|
||||||
|
#print(for_comparison_rule, '|', is_rule_active)
|
||||||
|
|
||||||
|
if not is_rule_active:
|
||||||
|
succesfully_appended = networking.add_iptables_rule(needed_iptables_rule)
|
||||||
|
if not succesfully_appended:
|
||||||
|
failed_appending_iptables_rule = True
|
||||||
|
else:
|
||||||
needed_iptables_rule = rule_template.replace("<subnet>",this_ipv4_range).replace("<interface>",this_if_name)
|
needed_iptables_rule = rule_template.replace("<subnet>",this_ipv4_range).replace("<interface>",this_if_name)
|
||||||
for_comparison_rule = "-A"+needed_iptables_rule[2:] if needed_iptables_rule[:2]=="-I" else needed_iptables_rule
|
for_comparison_rule = "-A"+needed_iptables_rule[2:] if needed_iptables_rule[:2]=="-I" else needed_iptables_rule
|
||||||
for_comparison_rule_normalized = utils.normalize_rule(utils.parse_rule_to_dict(for_comparison_rule))
|
for_comparison_rule_normalized = utils.normalize_rule(utils.parse_rule_to_dict(for_comparison_rule))
|
||||||
|
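Review bot: In the new `-I` branch, when `networking.exclude_network(this_ipv4_range)` yields no ranges the inner `for outside_range in outside_ranges:` loop never runs, so the template is silently skipped and `failed_appending_iptables_rule` is left unset; that case should at least be commented, e.g. `# no local range remains outside this subnet: nothing to insert for this template`, or logged under `config.debug` like the other diagnostics. The compare/normalize/pop sequence (`for_comparison_rule = ...`, `for_comparison_rule_normalized = ...`, the reverse scan) is now written twice, once in the `-I` loop and once in the `else` branch; the `else` branch continues past the hunk, so I cannot confirm the two paths end identically, but if they do, a helper taking the expanded rule and the two rule lists would remove the duplication. The `outside_ranges` build can also be a single line: `outside_ranges = [str(n) for n in networking.exclude_network(this_ipv4_range)]`. validate_and_secure_networks starts and ends outside this hunk.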
@ -287,7 +315,7 @@ def validate_and_secure_networks():
|
||||||
if key=="-s" and not_matched_rule[key][:len(config.clore_br_first_allowed_octet)] != config.clore_br_first_allowed_octet:
|
if key=="-s" and not_matched_rule[key][:len(config.clore_br_first_allowed_octet)] != config.clore_br_first_allowed_octet:
|
||||||
any_unmatching_values=True
|
any_unmatching_values=True
|
||||||
break
|
break
|
||||||
elif key=="-i" and not_matched_rule[key][:3] in ["eth", "enp", "eno", "ens", "wlp"]:
|
elif key=="-i" and not_matched_rule[key][:3] in ["eth", "enp", "eno", "ens", "wlp", "vet"]:
|
||||||
any_unmatching_values=True
|
any_unmatching_values=True
|
||||||
break
|
break
|
||||||
elif key=="-d" and not_matched_rule[key][:len(config.clore_br_first_allowed_octet)] != config.clore_br_first_allowed_octet:
|
elif key=="-d" and not_matched_rule[key][:len(config.clore_br_first_allowed_octet)] != config.clore_br_first_allowed_octet:
|
||||||
|
|
|
@ -27,16 +27,16 @@ def get_network_interfaces_with_subnet():
|
||||||
|
|
||||||
def exclude_network(excluded_network):
|
def exclude_network(excluded_network):
|
||||||
# Convert exclude_network to ip_network object
|
# Convert exclude_network to ip_network object
|
||||||
exclude_network = ip_network(exclude_network)
|
excluded_network = ip_network(excluded_network)
|
||||||
|
|
||||||
# Remove the excluded network from the local_ranges list
|
# Remove the excluded network from the local_ranges list
|
||||||
local_ranges = [ip_network(range_) for range_ in config.local_ipv4_ranges if ip_network(range_) != exclude_network]
|
local_ranges = [ip_network(range_) for range_ in config.local_ipv4_ranges if ip_network(range_) != exclude_network]
|
||||||
|
|
||||||
ranges_outside_exclude = []
|
ranges_outside_exclude = []
|
||||||
for local_range in local_ranges:
|
for local_range in local_ranges:
|
||||||
if local_range.overlaps(exclude_network):
|
if local_range.overlaps(excluded_network):
|
||||||
# If there's an overlap, split the range into parts excluding the excluded network
|
# If there's an overlap, split the range into parts excluding the excluded network
|
||||||
for subnet in local_range.address_exclude(exclude_network):
|
for subnet in local_range.address_exclude(excluded_network):
|
||||||
ranges_outside_exclude.append(subnet)
|
ranges_outside_exclude.append(subnet)
|
||||||
else:
|
else:
|
||||||
ranges_outside_exclude.append(local_range)
|
ranges_outside_exclude.append(local_range)
|
||||||
|
|
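Review bot: The list comprehension `local_ranges = [... if ip_network(range_) != exclude_network]` was not updated with the rename, and since the local assignment to `exclude_network` is gone the name now resolves to the module-level function itself, so the comparison is always true and the filter does nothing; it should read `local_ranges = [ip_network(range_) for range_ in config.local_ipv4_ranges if ip_network(range_) != excluded_network]`. The effect is currently masked because an equal range takes the `overlaps` branch and `address_exclude` of an identical network yields nothing, but the dead filter will mislead the next reader. Also worth documenting on the function is that `address_exclude` raises ValueError when `excluded_network` overlaps a local range without being contained in it (i.e. it is a supernet), so a docstring such as `Return config.local_ipv4_ranges with excluded_network carved out; excluded_network must equal or lie inside any range it overlaps.` would state the contract callers rely on. The function's return statement lies outside this hunk.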