package iptables
import (
"code.cloudfoundry.org/garden"
"code.cloudfoundry.org/lager/v3"
)
// RuleTranslator converts one garden.NetOutRule, scoped to the container
// identified by handle, into zero or more iptables Rules.
//
// A non-nil error means no Rules are usable; both FirewallOpener.Open and
// FirewallOpener.BulkOpen return that error without writing anything to
// iptables.
//
//counterfeiter:generate . RuleTranslator
type RuleTranslator interface {
	TranslateRule(handle string, gardenRule garden.NetOutRule) ([]Rule, error)
}
// FirewallOpener applies garden.NetOutRules to a container's instance chain:
// each rule is translated by ruleTranslator into iptables Rules, which are
// then prepended to the chain through iptables.
type FirewallOpener struct {
	ruleTranslator RuleTranslator // turns garden rules into iptables Rules
	iptables       IPTables       // resolves the instance chain and prepends Rules to it
}
// NewFirewallOpener returns a FirewallOpener that translates garden rules with
// ruleTranslator and writes the resulting iptables Rules through iptables.
// Neither argument is validated; a nil value surfaces as a nil-pointer panic
// on first use.
func NewFirewallOpener(ruleTranslator RuleTranslator, iptables IPTables) *FirewallOpener {
	opener := new(FirewallOpener)
	opener.ruleTranslator = ruleTranslator
	opener.iptables = iptables
	return opener
}
// Open installs a single garden.NetOutRule for the container handle in the
// iptables chain that instance resolves to.
//
// The rule is translated by ruleTranslator into zero or more iptables Rules,
// which are prepended to the instance chain one at a time, in the order the
// translator returned them. A translation error is returned before anything
// is written; a PrependRule error is returned immediately, and any Rules
// already prepended by this call stay in place (no rollback is attempted).
//
// NOTE(review): since each Rule is prepended separately, the last Rule of a
// multi-rule translation ends up above the first if PrependRule inserts at
// the top of the chain; confirm against the IPTables implementation whether
// that relative order matters for match precedence.
func (f *FirewallOpener) Open(logger lager.Logger, instance, handle string, rule garden.NetOutRule) error {
	chain := f.iptables.InstanceChain(instance)
	logger = logger.Session("prepend-filter-rule", lager.Data{
		"rule":     rule,
		"instance": instance,
		"chain":    chain,
	})
	logger.Debug("started")
	defer logger.Debug("ending")

	translated, err := f.ruleTranslator.TranslateRule(handle, rule)
	if err != nil {
		return err
	}

	// Index loop so the element name cannot shadow the slice it came from.
	for i := range translated {
		if prependErr := f.iptables.PrependRule(chain, translated[i]); prependErr != nil {
			return prependErr
		}
	}
	return nil
}
// BulkOpen installs several garden.NetOutRules for the container handle in
// the iptables chain that instance resolves to, using one BulkPrependRules
// call for the whole set.
//
// Every rule is translated first; the first translation error aborts the
// operation before anything is written to iptables. Once all rules translate,
// their Rules are concatenated in input order and handed to BulkPrependRules
// as a single batch (whether that write is atomic is up to the IPTables
// implementation). An empty rules slice still results in one
// BulkPrependRules call with a zero-length batch.
func (f *FirewallOpener) BulkOpen(logger lager.Logger, instance, handle string, rules []garden.NetOutRule) error {
	chain := f.iptables.InstanceChain(instance)
	logger = logger.Session("prepend-filter-rule", lager.Data{
		"rules":    rules,
		"instance": instance,
		"chain":    chain,
	})
	logger.Debug("started")
	defer logger.Debug("ending")

	// Non-nil, zero-length batch even when no rule translates to anything.
	batch := make([]Rule, 0)
	for _, netOutRule := range rules {
		translated, translateErr := f.ruleTranslator.TranslateRule(handle, netOutRule)
		if translateErr != nil {
			return translateErr
		}
		batch = append(batch, translated...)
	}
	return f.iptables.BulkPrependRules(chain, batch)
}