bundles: use a common metadata key for firewall restrictions, use repo.libs.tools.resolve_identifier()

Franzi 2021-02-15 14:16:35 +01:00
parent 9a2f9038c4
commit 5c1eba0d58
Signed by: kunsi
GPG key ID: 12E3D2136B818350
8 changed files with 92 additions and 49 deletions


@ -96,3 +96,28 @@ def add_users_from_json(metadata):
'icinga_users': users,
},
}
@metadata_reactor.provides(
'iptables/bundle_rules/icinga2',
)
def iptables(metadata):
identifiers = metadata.get('icinga2/restrict-to', set())
rules = set()
if identifiers:
for identifier in sorted(identifiers):
resolved = repo.libs.tools.resolve_identifier(repo, identifier)
for address in resolved['ipv4']:
rules.add(f'iptables -A INPUT -p tcp -s {address} --dport 5665 -j ACCEPT')
else:
rules.add('iptables -A INPUT -p tcp --dport 5665 -j ACCEPT')
return {
'iptables': {
'bundle_rules': {
'icinga2': list(sorted(rules)),
},
},
}
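Review bot: The restricted branch of this new `iptables` reactor only walks `resolved['ipv4']`, whereas the nginx and unbound reactors in the same commit also iterate `resolved['ipv6']` and emit `ip6tables` rules, so an identifier that resolves to IPv6 addresses gets no rule here at all. If port 5665 is meant to be IPv4-only for icinga2, a short comment such as `# IPv4 only: the icinga2 agent port is not exposed over IPv6 here` would make that visible; otherwise the `for address in resolved['ipv6']:` loop from the nginx reactor should be mirrored. The unrestricted fallback likewise uses `iptables` while nginx uses `iptables_both`, which presumably covers both families, so it is worth confirming that the asymmetry is intended. The same IPv4-only handling appears in the netdata and transmission sections of this commit. Finally, `list(sorted(rules))` can simply be `sorted(rules)` since `sorted` already returns a list; this applies to all five reactors.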


@ -20,20 +20,22 @@ defaults = {
'iptables/bundle_rules/netdata',
)
def iptables(metadata):
interfaces = metadata.get('netdata/restrict-to-interfaces', set())
rules = []
identifiers = metadata.get('netdata/restrict-to', set())
rules = set()
if interfaces:
for iface in sorted(interfaces):
rules.append(f'iptables_both -A INPUT -i {iface} -p tcp --dport 19999 -j ACCEPT')
if identifiers:
for identifier in sorted(identifiers):
resolved = repo.libs.tools.resolve_identifier(repo, identifier)
for address in resolved['ipv4']:
rules.add(f'iptables -A INPUT -p tcp -s {address} --dport 19999 -j ACCEPT')
else:
rules.append('iptables_both -A INPUT -p tcp --dport 19999 -j ACCEPT')
rules.add('iptables -A INPUT -p tcp --dport 19999 -j ACCEPT')
return {
'iptables': {
'bundle_rules': {
'netdata': rules,
'netdata': list(sorted(rules)),
},
},
}
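Review bot: The reactor stops reading `netdata/restrict-to-interfaces`, but nothing checks whether any node still sets that key, and because the new `else:` branch opens port 19999 to every source when `netdata/restrict-to` is empty, a node that was only migrated on the metadata side later would silently lose its interface restriction and become world-reachable. A guard before the `if identifiers:` line would turn that into a loud failure instead, e.g. `if metadata.get('netdata/restrict-to-interfaces', None) is not None: raise ValueError('netdata/restrict-to-interfaces was replaced by netdata/restrict-to')`, or at minimum the commit should state that all nodes were migrated. The same removed-key situation applies to the nginx, transmission and unbound sections (`*/restrict-to-interfaces` and `transmission/webinterface-on-interfaces`).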


@ -146,22 +146,28 @@ def monitoring(metadata):
'iptables/bundle_rules/nginx',
)
def iptables(metadata):
interfaces = metadata.get('nginx/restrict-to-interfaces', set())
rules = []
identifiers = metadata.get('nginx/restrict-to', set())
rules = set()
if interfaces:
for iface in sorted(interfaces):
rules.append(f'iptables_both -A INPUT -i {iface} -p tcp --dport 80 -j ACCEPT')
rules.append(f'iptables_both -A INPUT -i {iface} -p tcp --dport 443 -j ACCEPT')
if identifiers:
for identifier in sorted(identifiers):
resolved = repo.libs.tools.resolve_identifier(repo, identifier)
for address in resolved['ipv4']:
rules.add(f'iptables -A INPUT -p tcp -s {address} --dport 80 -j ACCEPT')
rules.add(f'iptables -A INPUT -p tcp -s {address} --dport 443 -j ACCEPT')
for address in resolved['ipv6']:
rules.add(f'ip6tables -A INPUT -p tcp -s {address} --dport 80 -j ACCEPT')
rules.add(f'ip6tables -A INPUT -p tcp -s {address} --dport 443 -j ACCEPT')
else:
rules.append('iptables_both -A INPUT -p tcp --dport 80 -j ACCEPT')
rules.append('iptables_both -A INPUT -p tcp --dport 443 -j ACCEPT')
rules.add('iptables_both -A INPUT -p tcp --dport 80 -j ACCEPT')
rules.add('iptables_both -A INPUT -p tcp --dport 443 -j ACCEPT')
return {
'iptables': {
'bundle_rules': {
'nginx': rules,
'nginx': list(sorted(rules)),
},
},
}


@ -37,26 +37,34 @@ defaults = {
'iptables/bundle_rules/transmission',
)
def iptables(metadata):
interfaces = metadata.get('transmission/webinterface-on-interfaces', set())
rules = []
identifiers = metadata.get('transmission/restrict-to', set())
rules = set()
rules.append('iptables_both -A INPUT -p udp --dport {} -j ACCEPT'.format(
rules.add('iptables_both -A INPUT -p udp --dport {} -j ACCEPT'.format(
metadata.get('transmission/config/peer-port'),
))
rules.append('iptables_both -A INPUT -p tcp --dport {} -j ACCEPT'.format(
rules.add('iptables_both -A INPUT -p tcp --dport {} -j ACCEPT'.format(
metadata.get('transmission/config/peer-port'),
))
for iface in sorted(interfaces):
rules.append('iptables_both -A INPUT -i {} -p tcp --dport {} -j ACCEPT'.format(
iface,
if identifiers:
for identifier in sorted(identifiers):
resolved = repo.libs.tools.resolve_identifier(repo, identifier)
for address in resolved['ipv4']:
rules.add('iptables -A INPUT -p tcp -s {} --dport {} -j ACCEPT'.format(
address,
metadata.get('transmission/config/rpc-port'),
))
else:
rules.add('iptables -A INPUT -p tcp --dport {} -j ACCEPT'.format(
metadata.get('transmission/config/rpc-port'),
))
return {
'iptables': {
'bundle_rules': {
'transmission': rules,
'transmission': list(sorted(rules)),
},
},
}
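Review bot: The new `else:` branch changes the default exposure of the RPC port: from the visible old lines, the web interface was only opened on explicitly listed interfaces and no rule was added when that list was empty, while the new code emits `iptables -A INPUT -p tcp --dport {rpc-port} -j ACCEPT` for every IPv4 source whenever `transmission/restrict-to` is unset. The tail of the removed loop lies outside this hunk, so please confirm that fail-open is the intended new default for the transmission RPC port; if not, the `else:` branch should simply be dropped, as the unbound reactor does. Independently, `metadata.get('transmission/config/rpc-port')` is re-evaluated for every resolved address inside the loop; binding it once before the `if identifiers:` line (`rpc_port = metadata.get('transmission/config/rpc-port')`) reads more clearly and avoids the repeated lookups.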


@ -41,17 +41,25 @@ def cpu_cores_to_config_values(metadata):
'iptables/bundle_rules/unbound',
)
def iptables(metadata):
interfaces = metadata.get('unbound/restrict-to-interfaces', set())
rules = []
identifiers = metadata.get('unbound/restrict-to', set())
rules = set()
for iface in sorted(interfaces):
rules.append(f'iptables_both -A INPUT -i {iface} -p tcp --dport 53 -j ACCEPT')
rules.append(f'iptables_both -A INPUT -i {iface} -p udp --dport 53 -j ACCEPT')
if identifiers:
for identifier in sorted(identifiers):
resolved = repo.libs.tools.resolve_identifier(repo, identifier)
for address in resolved['ipv4']:
rules.add(f'iptables -A INPUT -p tcp -s {address} --dport 53 -j ACCEPT')
rules.add(f'iptables -A INPUT -p udp -s {address} --dport 53 -j ACCEPT')
for address in resolved['ipv6']:
rules.add(f'ip6tables -A INPUT -p tcp -s {address} --dport 53 -j ACCEPT')
rules.add(f'ip6tables -A INPUT -p udp -s {address} --dport 53 -j ACCEPT')
return {
'iptables': {
'bundle_rules': {
'unbound': rules,
'unbound': list(sorted(rules)),
},
},
}
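Review bot: This reactor is the only one in the commit without an `else:` fallback, so an empty `unbound/restrict-to` yields no rules at all and port 53 stays closed to outside sources, which differs from the fail-open behaviour of the icinga2, netdata, nginx and transmission reactors. That looks deliberate for a resolver, but a reader comparing the five reactors cannot tell whether the missing branch is intent or oversight; a one-line comment after the `if identifiers:` block such as `# no fallback on purpose: unbound is only reachable from explicitly listed identifiers` would settle it. Minor: `sorted(identifiers)` buys nothing here because the rules are collected into a set and sorted on return, so `for identifier in identifiers:` is sufficient.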