bundles: use a common metadata key for firewall restrictions, use repo.libs.tools.resolve_identifier()

2021-02-15 14:16:35 +01:00 · 2021-02-15 14:16:35 +01:00 · 5c1eba0d58
commit 5c1eba0d58
parent 9a2f9038c4
8 changed files with 92 additions and 49 deletions
--- a/bundles/nginx/metadata.py
+++ b/bundles/nginx/metadata.py
@ -146,22 +146,28 @@ def monitoring(metadata):
    'iptables/bundle_rules/nginx',
 )
 def iptables(metadata):
-    interfaces = metadata.get('nginx/restrict-to-interfaces', set())
-    rules = []
+    identifiers = metadata.get('nginx/restrict-to', set())
+    rules = set()

-    if interfaces:
-        for iface in sorted(interfaces):
-            rules.append(f'iptables_both -A INPUT -i {iface} -p tcp --dport 80 -j ACCEPT')
-            rules.append(f'iptables_both -A INPUT -i {iface} -p tcp --dport 443 -j ACCEPT')
+    if identifiers:
+        for identifier in sorted(identifiers):
+            resolved = repo.libs.tools.resolve_identifier(repo, identifier)

+            for address in resolved['ipv4']:
+                rules.add(f'iptables -A INPUT -p tcp -s {address} --dport 80 -j ACCEPT')
+                rules.add(f'iptables -A INPUT -p tcp -s {address} --dport 443 -j ACCEPT')
+
+            for address in resolved['ipv6']:
+                rules.add(f'ip6tables -A INPUT -p tcp -s {address} --dport 80 -j ACCEPT')
+                rules.add(f'ip6tables -A INPUT -p tcp -s {address} --dport 443 -j ACCEPT')
    else:
-        rules.append('iptables_both -A INPUT -p tcp --dport 80 -j ACCEPT')
-        rules.append('iptables_both -A INPUT -p tcp --dport 443 -j ACCEPT')
+        rules.add('iptables_both -A INPUT -p tcp --dport 80 -j ACCEPT')
+        rules.add('iptables_both -A INPUT -p tcp --dport 443 -j ACCEPT')

    return {
        'iptables': {
            'bundle_rules': {
-                'nginx': rules,
+                'nginx': list(sorted(rules)),
            },
        },
    }