authorValerij Fredriksen <valerijf@oath.com>2018-04-30 17:13:40 +0200
committerValerij Fredriksen <valerij92@gmail.com>2018-04-30 21:37:54 +0200
commit2e6c591d502e203d01b597cbff6eda9a7acef72f (patch)
treea96ed51ca7054e4e435e6c2c5b47c328cc0eb95b /node-admin/src
parent0297d3a9540808cd741973ee5204652912b3abe5 (diff)
Use LinkedList to create rules
Diffstat (limited to 'node-admin/src')
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java39
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditor.java5
-rw-r--r--node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java (renamed from node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclTest.java)13
3 files changed, 31 insertions, 26 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
index ef49822e825..03c4466a3b1 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
@@ -8,6 +8,7 @@ import com.yahoo.vespa.hosted.node.admin.task.util.network.IPVersion;
import java.net.InetAddress;
import java.util.Collections;
+import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
@@ -32,34 +33,38 @@ public class Acl {
this.trustedPorts = trustedPorts != null ? ImmutableList.copyOf(trustedPorts) : Collections.emptyList();
}
- public String toRules(IPVersion ipVersion) {
+ public List<String> toRules(IPVersion ipVersion) {
+ List<String> rules = new LinkedList<>();
- String basics = String.join("\n"
- // We reject with rules instead of using policies
- , "-P INPUT ACCEPT"
- , "-P FORWARD ACCEPT"
- , "-P OUTPUT ACCEPT"
- // Allow packets belonging to established connections
- , "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
- // Allow any loopback traffic
- , "-A INPUT -i lo -j ACCEPT"
- // Allow ICMP packets. See http://shouldiblockicmp.com/
- , "-A INPUT -p " + ipVersion.icmpProtocol() + " -j ACCEPT");
+ // We reject with rules instead of using policies
+ rules.add("-P INPUT ACCEPT");
+ rules.add("-P FORWARD ACCEPT");
+ rules.add("-P OUTPUT ACCEPT");
+
+ // Allow packets belonging to established connections
+ rules.add( "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT");
+
+ // Allow any loopback traffic
+ rules.add("-A INPUT -i lo -j ACCEPT");
+
+ // Allow ICMP packets. See http://shouldiblockicmp.com/
+ rules.add("-A INPUT -p " + ipVersion.icmpProtocol() + " -j ACCEPT");
// Allow trusted ports if any
String commaSeparatedPorts = trustedPorts.stream().map(i -> Integer.toString(i)).collect(Collectors.joining(","));
- String ports = commaSeparatedPorts.isEmpty() ? "" : "-A INPUT -p tcp -m multiport --dports " + commaSeparatedPorts + " -j ACCEPT\n";
+ if (!commaSeparatedPorts.isEmpty())
+ rules.add("-A INPUT -p tcp -m multiport --dports " + commaSeparatedPorts + " -j ACCEPT");
// Allow traffic from trusted nodes
- String nodes = trustedNodes.stream()
+ trustedNodes.stream()
.filter(ipVersion::match)
.map(ipAddress -> "-A INPUT -s " + InetAddresses.toAddrString(ipAddress) + ipVersion.singleHostCidr() + " -j ACCEPT")
- .collect(Collectors.joining("\n"));
+ .forEach(rules::add);
// We reject instead of dropping to give us an easier time to figure out potential network issues
- String rejectEverythingElse = "-A INPUT -j REJECT --reject-with " + ipVersion.icmpPortUnreachable();
+ rules.add("-A INPUT -j REJECT --reject-with " + ipVersion.icmpPortUnreachable());
- return basics + "\n" + ports + nodes + "\n" + rejectEverythingElse;
+ return Collections.unmodifiableList(rules);
}
@Override
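Review bot: `new LinkedList<>()` on the new `rules` line is the wrong default for a list that is only appended to and then wrapped in `Collections.unmodifiableList`; `new ArrayList<>()` is the idiomatic choice here and the newly added `LinkedList` import would become `ArrayList`. The `trustedNodes.stream()...forEach(rules::add)` pipeline builds the result through a side effect on `rules`; collecting it is clearer, e.g. `rules.addAll(trustedNodes.stream().filter(ipVersion::match).map(ipAddress -> "-A INPUT -s " + InetAddresses.toAddrString(ipAddress) + ipVersion.singleHostCidr() + " -j ACCEPT").collect(Collectors.toList()));`. There is also a stray space in `rules.add( "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT");`. Because `toRules` is public and the order of the entries is what makes the filter correct (the `-j REJECT` entry must stay last after every ACCEPT), a Javadoc on the method stating that the returned list is unmodifiable and is in the order the rules must be applied would help callers that iterate over it.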
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditor.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditor.java
index 4e5906d3c34..163af77a0fe 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditor.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditor.java
@@ -5,7 +5,6 @@ import com.yahoo.vespa.hosted.node.admin.task.util.file.LineEdit;
import com.yahoo.vespa.hosted.node.admin.task.util.file.LineEditor;
import com.yahoo.vespa.hosted.node.admin.task.util.network.IPVersion;
-import java.util.Arrays;
import java.util.LinkedList;
import java.util.List;
@@ -16,12 +15,12 @@ class FilterTableLineEditor implements LineEditor {
private final LinkedList<String> wantedRules;
- FilterTableLineEditor(List<String> wantedRules) {
+ private FilterTableLineEditor(List<String> wantedRules) {
this.wantedRules = new LinkedList<>(wantedRules);
}
static FilterTableLineEditor from(Acl acl, IPVersion ipVersion) {
- List<String> rules = Arrays.asList(acl.toRules(ipVersion).split("\n"));
+ List<String> rules = acl.toRules(ipVersion);
return new FilterTableLineEditor(rules);
}
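Review bot: Making the constructor `private` leaves `from(Acl, IPVersion)` as the only way to build an editor, so a same-package test that wants to exercise the line editing with a hand-written rule list now has to construct an `Acl` first; if that is intended, a short Javadoc on `from` saying that the wanted rules are exactly `acl.toRules(ipVersion)` and that the editor keeps its own mutable `LinkedList` copy of them would make the contract explicit. The rest of the class body is outside the hunk.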
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java
index 181928fa438..8bbbd076b49 100644
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclTest.java
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java
@@ -1,7 +1,6 @@
-package com.yahoo.vespa.hosted.node.admin.maintenance.acl;
+package com.yahoo.vespa.hosted.node.admin.configserver.noderepository;
import com.google.common.net.InetAddresses;
-import com.yahoo.vespa.hosted.node.admin.configserver.noderepository.Acl;
import com.yahoo.vespa.hosted.node.admin.task.util.network.IPVersion;
import org.junit.Assert;
import org.junit.Test;
@@ -16,7 +15,7 @@ public class AclTest {
private final Acl aclCommon = new Acl(
createPortList(1234, 453),
- createTrustedNodes("192.1.2.2", "fb00::1", "fe80::2"));
+ createTrustedNodes("192.1.2.2", "fb00::1", "fe80::2", "fe80::3"));
private final Acl aclNoPorts = new Acl(
Collections.emptyList(),
@@ -24,7 +23,7 @@ public class AclTest {
@Test
public void no_trusted_ports() {
- String listRulesIpv4 = aclNoPorts.toRules(IPVersion.IPv4);
+ String listRulesIpv4 = String.join("\n", aclNoPorts.toRules(IPVersion.IPv4));
Assert.assertEquals(
"-P INPUT ACCEPT\n" +
"-P FORWARD ACCEPT\n" +
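Review bot: Joining the returned rules with `"\n"` in `String.join("\n", aclNoPorts.toRules(IPVersion.IPv4))` keeps the old string expectations but no longer tests the new list contract; asserting on the list directly, e.g. `Assert.assertEquals(Arrays.asList("-P INPUT ACCEPT", "-P FORWARD ACCEPT", /* ... remaining expected rules ... */), aclNoPorts.toRules(IPVersion.IPv4));`, gives element-wise failure messages and also catches a rule that accidentally contains an embedded newline. The same applies to the `ipv4_list_rules` and `ipv6_list_rules` hunks below. The expected-string literal of this test continues outside the hunk.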
@@ -39,7 +38,7 @@ public class AclTest {
@Test
public void ipv4_list_rules() {
- String listRulesIpv4 = aclCommon.toRules(IPVersion.IPv4);
+ String listRulesIpv4 = String.join("\n", aclCommon.toRules(IPVersion.IPv4));
Assert.assertEquals(
"-P INPUT ACCEPT\n" +
"-P FORWARD ACCEPT\n" +
@@ -55,7 +54,7 @@ public class AclTest {
@Test
public void ipv6_list_rules() {
- String listRulesIpv6 = aclCommon.toRules(IPVersion.IPv6);
+ String listRulesIpv6 = String.join("\n", aclCommon.toRules(IPVersion.IPv6));
Assert.assertEquals(
"-P INPUT ACCEPT\n" +
"-P FORWARD ACCEPT\n" +
@@ -66,9 +65,11 @@ public class AclTest {
"-A INPUT -p tcp -m multiport --dports 1234,453 -j ACCEPT\n" +
"-A INPUT -s fb00::1/128 -j ACCEPT\n" +
"-A INPUT -s fe80::2/128 -j ACCEPT\n" +
+ "-A INPUT -s fe80::3/128 -j ACCEPT\n" +
"-A INPUT -j REJECT --reject-with icmp6-port-unreachable", listRulesIpv6);
}
+
private List<Integer> createPortList(Integer... ports) {
return Arrays.asList(ports);
}