rework iptables configuration
All checks were successful
bundlewrap/pipeline/head This commit looks good
All checks were successful
bundlewrap/pipeline/head This commit looks good
This commit is contained in:
parent
d3ea06c3e8
commit
b943d2d465
GPG key ID:
12E3D2136B818350
8 changed files with 93 additions and 98 deletions
|
|
@ -1,3 +1,5 @@
|
|||
from bundlewrap.metadata import atomic
|
||||
|
||||
defaults = {
|
||||
'apt': {
|
||||
'repos': {
|
||||
|
|
@ -150,31 +152,15 @@ def monitoring(metadata):
|
|||
|
||||
|
||||
@metadata_reactor.provides(
|
||||
'iptables/bundle_rules/nginx',
|
||||
'iptables/port_rules/80',
|
||||
'iptables/port_rules/443',
|
||||
)
|
||||
def iptables(metadata):
|
||||
identifiers = metadata.get('nginx/restrict-to', set())
|
||||
rules = set()
|
||||
|
||||
if identifiers:
|
||||
for identifier in sorted(identifiers):
|
||||
resolved = repo.libs.tools.resolve_identifier(repo, identifier)
|
||||
|
||||
for address in resolved['ipv4']:
|
||||
rules.add(f'iptables -A INPUT -p tcp -s {address} --dport 80 -j ACCEPT')
|
||||
rules.add(f'iptables -A INPUT -p tcp -s {address} --dport 443 -j ACCEPT')
|
||||
|
||||
for address in resolved['ipv6']:
|
||||
rules.add(f'ip6tables -A INPUT -p tcp -s {address} --dport 80 -j ACCEPT')
|
||||
rules.add(f'ip6tables -A INPUT -p tcp -s {address} --dport 443 -j ACCEPT')
|
||||
else:
|
||||
rules.add('iptables_both -A INPUT -p tcp --dport 80 -j ACCEPT')
|
||||
rules.add('iptables_both -A INPUT -p tcp --dport 443 -j ACCEPT')
|
||||
|
||||
return {
|
||||
'iptables': {
|
||||
'bundle_rules': {
|
||||
'nginx': list(sorted(rules)),
|
||||
'port_rules': {
|
||||
'80': atomic(metadata.get('nginx/restrict-to', set('*'))),
|
||||
'443': atomic(metadata.get('nginx/restrict-to', set('*'))),
|
||||
},
|
||||
},
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue