author | Martin Polden <mpolden@mpolden.no> | 2022-08-18 13:24:07 +0200 |
---|---|---|
committer | Martin Polden <mpolden@mpolden.no> | 2022-08-24 11:05:14 +0200 |
commit | 63e1792a84d3f4fbcb07e43cbc5eb79d7b77994d (patch) | |
tree | 21d92e8d0850e2a49b9fbb1bcf6820a67c323be3 /node-admin | |
parent | 26d0b997cc573bac2a1d7eda7a2494449452e121 (diff) |
Restrict ZooKeeper ports
Diffstat (limited to 'node-admin')
8 files changed, 213 insertions, 68 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java index e721ac3fc20..dd78e08aaa6 100644 --- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java +++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java @@ -2,9 +2,11 @@ package com.yahoo.vespa.hosted.node.admin.configserver.noderepository; import com.google.common.net.InetAddresses; +import com.yahoo.config.provision.NodeType; import com.yahoo.vespa.hosted.node.admin.task.util.network.IPVersion; import java.net.InetAddress; +import java.util.Collection; import java.util.Collections; import java.util.HashSet; import java.util.LinkedList; @@ -43,7 +45,7 @@ public class Acl { this(trustedPorts, trustedNodes, Set.of()); } - public List<String> toRules(IPVersion ipVersion) { + public List<String> toRules(IPVersion ipVersion, NodeType nodeType) { List<String> rules = new LinkedList<>(); // We reject with rules instead of using policies 
@@ -62,8 +64,24 @@ public class Acl { // Allow trusted ports if any if (!trustedPorts.isEmpty()) { - String ports = trustedPorts.stream().map(i -> Integer.toString(i)).sorted().collect(Collectors.joining(",")); - rules.add("-A INPUT -p tcp -m multiport --dports " + ports + " -j ACCEPT"); + rules.add("-A INPUT -p tcp -m multiport --dports " + joinPorts(trustedPorts) + " -j ACCEPT"); + } + + // Trust ZooKeeper from other config servers/controllers only + if (nodeType.isConfigServerLike()) { + Set<Integer> zooKeeperPorts = Set.of(2181, 2182, 2183); + List<String> clusterAddresses = getTrustedNodes(ipVersion).stream() + .filter(node -> node.type() == nodeType) + .map(Node::inetAddressString) + .sorted() + .toList(); + for (var ipAddress : clusterAddresses) { + rules.add("-A INPUT -p tcp -m multiport --dports " + joinPorts(zooKeeperPorts) + " -s " + + ipAddress + ipVersion.singleHostCidr() + " -j ACCEPT"); + } + // Reject any other connections to ZooKeeper + rules.add("-A INPUT -p tcp -m multiport --dports " + joinPorts(zooKeeperPorts) + + " -j REJECT --reject-with " + ipVersion.icmpPortUnreachable()); } // Allow traffic from trusted nodes @@ -84,6 +102,10 @@ public class Acl { return Collections.unmodifiableList(rules); } + private static String joinPorts(Collection<Integer> ports) { + return ports.stream().map(String::valueOf).sorted().collect(Collectors.joining(",")); + } + public Set<Node> getTrustedNodes() { return trustedNodes; } 
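Review bot: The ZooKeeper restriction added in this hunk is defeated whenever `trustedPorts` overlaps 2181–2183, because the generic `-A INPUT -p tcp -m multiport --dports <trustedPorts> -j ACCEPT` is emitted before the ZooKeeper rules and iptables stops at the first matching rule, so the per-source ZooKeeper ACCEPT and the trailing REJECT would never be reached for those ports. Emit the ZooKeeper ACCEPT/REJECT rules before the trusted-ports rule (or exclude the ZooKeeper ports from the joined `trustedPorts` on config-server-like nodes) and adjust the expected rule order in AclTest and AclMaintainerTest accordingly. The port set is also a method-local literal; hoisting it to `private static final Set<Integer> ZOOKEEPER_PORTS = Set.of(2181, 2182, 2183);` with a comment stating what the three ports serve keeps the policy visible at class level. `toRules` now dereferences `nodeType` unconditionally, so `Objects.requireNonNull(nodeType, "nodeType");` at the top (java.util.Objects is already imported for the old equals/hashCode) gives a clearer failure than an NPE on `isConfigServerLike()`. toRules begins in the previous hunk and continues past this one.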
@@ -136,25 +158,10 @@ public class Acl { return Optional.ofNullable(set).map(Set::copyOf).orElseGet(Set::of); } - public static class Node { - private final String hostname; - private final InetAddress inetAddress; - - public Node(String hostname, String ipAddress) { - this(hostname, InetAddresses.forString(ipAddress)); - } - - public Node(String hostname, InetAddress inetAddress) { - this.hostname = hostname; - this.inetAddress = inetAddress; - } - - public String hostname() { - return hostname; - } + public record Node(String hostname, NodeType type, InetAddress inetAddress) { - public InetAddress inetAddress() { - return inetAddress; + public Node(String hostname, NodeType type, String ipAddress) { + this(hostname, type, InetAddresses.forString(ipAddress)); } public String inetAddressString() { @@ -162,25 +169,12 @@ public class Acl { } @Override - public boolean equals(Object o) { - if (this == o) return true; - if (o == null || getClass() != o.getClass()) return false; - Node node = (Node) o; - return Objects.equals(hostname, node.hostname) && - Objects.equals(inetAddress, node.inetAddress); - } - - @Override - public int hashCode() { - return Objects.hash(hostname, inetAddress); - } - - @Override public String toString() { return "Node{" + - "hostname='" + hostname + '\'' + - ", inetAddress=" + inetAddress + - '}'; + "hostname='" + hostname + '\'' + + ", inetAddress=" + inetAddress + + ", nodeType=" + type + + '}'; } } 
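Review bot: Converting `Node` to a record silently widens its equality: the removed `equals`/`hashCode` compared only `hostname` and `inetAddress`, while the generated record methods also compare `type`, so two entries for the same host and address with different types are now distinct members of `trustedNodes`. If that is intended, state it in a Javadoc on the record, e.g. `/** A trusted node; two nodes are equal only if hostname, type and address all match. */`, since the set is built from node-repository data in RealNodeRepository in this same commit. The record's canonical constructor also accepts null components; a compact constructor with `Objects.requireNonNull(hostname, "hostname"); Objects.requireNonNull(type, "type"); Objects.requireNonNull(inetAddress, "inetAddress");` fails at construction instead of later inside `toRules`. In the second hunk `toString` labels the component `nodeType` while the accessor is `type()`; aligning the label with the component name avoids confusion when the value is read in logs.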
@@ -203,12 +197,12 @@ public class Acl { return this; } - public Builder withTrustedNode(String hostname, String ipAddress) { - return withTrustedNode(new Node(hostname, ipAddress)); + public Builder withTrustedNode(String hostname, String ipAddress, NodeType nodeType) { + return withTrustedNode(new Node(hostname, nodeType, ipAddress)); } - public Builder withTrustedNode(String hostname, InetAddress inetAddress) { - return withTrustedNode(new Node(hostname, inetAddress)); + public Builder withTrustedNode(String hostname, InetAddress inetAddress, NodeType nodeType) { + return withTrustedNode(new Node(hostname, nodeType, inetAddress)); } public Builder withTrustedPorts(Integer... ports) { diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepository.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepository.java index a524243e2fb..51111a66d10 100644 --- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepository.java +++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/RealNodeRepository.java @@ -98,7 +98,7 @@ public class RealNodeRepository implements NodeRepository { .collect(Collectors.groupingBy( GetAclResponse.Node::getTrustedBy, Collectors.mapping( - node -> new Acl.Node(node.hostname, node.ipAddress), + node -> new Acl.Node(node.hostname, NodeType.valueOf(node.nodeType), node.ipAddress), Collectors.toSet()))); // Group trusted networks by container hostname that trusts them diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/bindings/GetAclResponse.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/bindings/GetAclResponse.java index f228743a33f..9afee6f7463 100644 
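Review bot: `NodeType.valueOf(node.nodeType)` in the RealNodeRepository hunk has no handling for a missing or unrecognised value: `node.nodeType` is populated from the new `type` JSON property (GetAclResponse hunk), so a response that omits it yields null and `valueOf` throws NullPointerException, while a type string this build does not know throws IllegalArgumentException; either appears to abort the whole grouping collect rather than just the one entry. Failing the fetch is probably the right outcome for a firewall (existing rules stay in place), but it should be deliberate and diagnosable: `NodeType.valueOf(Objects.requireNonNull(node.nodeType, () -> "ACL response for " + node.hostname + " has no node type"))` names the offending host (add the `java.util.Objects` import if it is not already present). The enclosing method starts and ends outside the hunk, so whether a caller already catches and logs this is not visible here.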
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/bindings/GetAclResponse.java +++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/bindings/GetAclResponse.java @@ -39,6 +39,9 @@ public class GetAclResponse { @JsonProperty("hostname") public final String hostname; + @JsonProperty("type") + public final String nodeType; + @JsonProperty("ipAddress") public final String ipAddress; @@ -46,9 +49,11 @@ public class GetAclResponse { public final String trustedBy; @JsonCreator - public Node(@JsonProperty("hostname") String hostname, @JsonProperty("ipAddress") String ipAddress, + public Node(@JsonProperty("hostname") String hostname, @JsonProperty("type") String nodeType, + @JsonProperty("ipAddress") String ipAddress, @JsonProperty("trustedBy") String trustedBy) { this.hostname = hostname; + this.nodeType = nodeType; this.ipAddress = ipAddress; this.trustedBy = trustedBy; } diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java index cb2134b36af..435dc9cae85 100644 --- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java +++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.java 
@@ -55,8 +55,8 @@ public class AclMaintainer { if (context.isDisabled(NodeAgentTask.AclMaintainer)) return; // Apply acl to the filter table - editFlushOnError(context, IPVersion.IPv4, "filter", FilterTableLineEditor.from(context.acl(), IPVersion.IPv4)); - editFlushOnError(context, IPVersion.IPv6, "filter", FilterTableLineEditor.from(context.acl(), IPVersion.IPv6)); + editFlushOnError(context, IPVersion.IPv4, "filter", FilterTableLineEditor.from(context.acl(), IPVersion.IPv4, context.nodeType())); + editFlushOnError(context, IPVersion.IPv6, "filter", FilterTableLineEditor.from(context.acl(), IPVersion.IPv6, context.nodeType())); ipAddresses.getAddress(context.hostname().value(), IPVersion.IPv4).ifPresent(addr -> applyRedirect(context, addr)); ipAddresses.getAddress(context.hostname().value(), IPVersion.IPv6).ifPresent(addr -> applyRedirect(context, addr)); diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditor.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditor.java index 462790b8d0f..82dc388568b 100644 --- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditor.java +++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditor.java @@ -1,6 +1,7 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.hosted.node.admin.maintenance.acl; +import com.yahoo.config.provision.NodeType; import com.yahoo.vespa.hosted.node.admin.configserver.noderepository.Acl; import com.yahoo.vespa.hosted.node.admin.task.util.file.LineEdit; import com.yahoo.vespa.hosted.node.admin.task.util.file.LineEditor; 
@@ -22,8 +23,8 @@ class FilterTableLineEditor implements LineEditor { this.wantedRules = List.copyOf(wantedRules); } - static FilterTableLineEditor from(Acl acl, IPVersion ipVersion) { - List<String> rules = acl.toRules(ipVersion); + static FilterTableLineEditor from(Acl acl, IPVersion ipVersion, NodeType nodeType) { + List<String> rules = acl.toRules(ipVersion, nodeType); return new FilterTableLineEditor(rules); } diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java index 78971dc30c7..e1a481ea4ff 100644 --- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java +++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/AclTest.java @@ -1,6 +1,7 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.hosted.node.admin.configserver.noderepository; +import com.yahoo.config.provision.NodeType; import com.yahoo.vespa.hosted.node.admin.task.util.network.IPVersion; import org.junit.jupiter.api.Test; @@ -28,7 +29,7 @@ public class AclTest { @Test void no_trusted_ports() { - String listRulesIpv4 = String.join("\n", aclWithoutPorts.toRules(IPVersion.IPv4)); + String listRulesIpv4 = String.join("\n", aclWithoutPorts.toRules(IPVersion.IPv4, NodeType.tenant)); assertEquals( "-P INPUT ACCEPT\n" + "-P FORWARD ACCEPT\n" + @@ -43,7 +44,7 @@ public class AclTest { @Test void ipv4_rules() { - String listRulesIpv4 = String.join("\n", aclCommon.toRules(IPVersion.IPv4)); + String listRulesIpv4 = String.join("\n", aclCommon.toRules(IPVersion.IPv4, NodeType.tenant)); assertEquals( "-P INPUT ACCEPT\n" + "-P FORWARD ACCEPT\n" + 
@@ -59,7 +60,7 @@ public class AclTest { @Test void ipv6_rules() { - String listRulesIpv6 = String.join("\n", aclCommon.toRules(IPVersion.IPv6)); + String listRulesIpv6 = String.join("\n", aclCommon.toRules(IPVersion.IPv6, NodeType.tenant)); assertEquals( "-P INPUT ACCEPT\n" + "-P FORWARD ACCEPT\n" + @@ -82,7 +83,7 @@ public class AclTest { Set.of()); for (IPVersion ipVersion : IPVersion.values()) { - assertEquals(aclCommon.toRules(ipVersion), aclCommonDifferentOrder.toRules(ipVersion)); + assertEquals(aclCommon.toRules(ipVersion, NodeType.tenant), aclCommonDifferentOrder.toRules(ipVersion, NodeType.tenant)); } } @@ -100,7 +101,7 @@ public class AclTest { "-A INPUT -s 127.0.0.1/32 -j ACCEPT\n" + "-A INPUT -s 10.0.0.0/24 -j ACCEPT\n" + "-A INPUT -j REJECT --reject-with icmp-port-unreachable", - String.join("\n", acl.toRules(IPVersion.IPv4))); + String.join("\n", acl.toRules(IPVersion.IPv4, NodeType.tenant))); assertEquals("-P INPUT ACCEPT\n" + "-P FORWARD ACCEPT\n" + 
@@ -111,12 +112,57 @@ public class AclTest { "-A INPUT -p tcp -m multiport --dports 4080 -j ACCEPT\n" + "-A INPUT -s 2001:db8::/32 -j ACCEPT\n" + "-A INPUT -j REJECT --reject-with icmp6-port-unreachable", - String.join("\n", acl.toRules(IPVersion.IPv6))); + String.join("\n", acl.toRules(IPVersion.IPv6, NodeType.tenant))); + } + + @Test + void config_server_acl() { + Acl acl = new Acl(Set.of(22, 4443), testNodes(NodeType.config, "172.17.0.41", "172.17.0.42", "172.17.0.43"), Set.of()); + assertEquals(""" + -P INPUT ACCEPT + -P FORWARD ACCEPT + -P OUTPUT ACCEPT + -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT + -A INPUT -i lo -j ACCEPT + -A INPUT -p icmp -j ACCEPT + -A INPUT -p tcp -m multiport --dports 22,4443 -j ACCEPT + -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -s 172.17.0.41/32 -j ACCEPT + -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -s 172.17.0.42/32 -j ACCEPT + -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -s 172.17.0.43/32 -j ACCEPT + -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -j REJECT --reject-with icmp-port-unreachable + -A INPUT -s 172.17.0.41/32 -j ACCEPT + -A INPUT -s 172.17.0.42/32 -j ACCEPT + -A INPUT -s 172.17.0.43/32 -j ACCEPT + -A INPUT -j REJECT --reject-with icmp-port-unreachable""", + String.join("\n", acl.toRules(IPVersion.IPv4, NodeType.config))); + + Acl acl2 = new Acl(Set.of(22, 4443), testNodes(NodeType.config, "2001:db8::41", "2001:db8::42", "2001:db8::43"), Set.of()); + assertEquals(""" + -P INPUT ACCEPT + -P FORWARD ACCEPT + -P OUTPUT ACCEPT + -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT + -A INPUT -i lo -j ACCEPT + -A INPUT -p ipv6-icmp -j ACCEPT + -A INPUT -p tcp -m multiport --dports 22,4443 -j ACCEPT + -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -s 2001:db8::41/128 -j ACCEPT + -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -s 2001:db8::42/128 -j ACCEPT + -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -s 2001:db8::43/128 -j ACCEPT + -A INPUT -p tcp -m multiport 
--dports 2181,2182,2183 -j REJECT --reject-with icmp6-port-unreachable + -A INPUT -s 2001:db8::41/128 -j ACCEPT + -A INPUT -s 2001:db8::42/128 -j ACCEPT + -A INPUT -s 2001:db8::43/128 -j ACCEPT + -A INPUT -j REJECT --reject-with icmp6-port-unreachable""", + String.join("\n", acl2.toRules(IPVersion.IPv6, NodeType.config))); } private static Set<Acl.Node> testNodes(String... address) { + return testNodes(NodeType.tenant, address); + } + + private static Set<Acl.Node> testNodes(NodeType nodeType, String... address) { return Arrays.stream(address) - .map(a -> new Acl.Node("hostname", a)) + .map(addr -> new Acl.Node("hostname", nodeType, addr)) .collect(Collectors.toUnmodifiableSet()); } diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java index 6b2ac98ad0b..a71afad942e 100644 --- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java +++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java @@ -1,6 +1,7 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.hosted.node.admin.maintenance.acl; +import com.yahoo.config.provision.NodeType; import com.yahoo.vespa.hosted.node.admin.configserver.noderepository.Acl; import com.yahoo.vespa.hosted.node.admin.container.ContainerOperations; import com.yahoo.vespa.hosted.node.admin.nodeagent.NodeAgentContext; 
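Review bot: `config_server_acl` only trusts nodes of `NodeType.config`, so the `node.type() == nodeType` filter in `Acl.toRules` is never exercised by a node of another type; nothing verifies that a trusted tenant or host node receives the generic `-s <addr> -j ACCEPT` but no ZooKeeper ACCEPT, which is the behaviour the restriction exists for. Build one case from a mixed set, e.g. `testNodes(NodeType.config, "172.17.0.41", "172.17.0.42")` combined with `new Acl.Node("tenant", NodeType.tenant, "172.17.0.50")`, and assert that 172.17.0.50 appears only in the trailing trusted-node rule. A second case where `trustedPorts` contains 2181 would pin down how the rule ordering behaves when the two port sets overlap, which the current expectations leave undefined. The same gap applies to `config_server_acl` in AclMaintainerTest, which also uses config nodes only.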
@@ -47,10 +48,10 @@ public class AclMaintainerTest { @Test void configures_full_container_acl_from_empty() { Acl acl = new Acl.Builder().withTrustedPorts(22, 4443) - .withTrustedNode("hostname1", "3001::abcd") - .withTrustedNode("hostname2", "3001::1234") - .withTrustedNode("hostname1", "192.168.0.5") - .withTrustedNode("hostname4", "172.16.5.234").build(); + .withTrustedNode("hostname1", "3001::abcd", NodeType.tenant) + .withTrustedNode("hostname2", "3001::1234", NodeType.tenant) + .withTrustedNode("hostname1", "192.168.0.5", NodeType.tenant) + .withTrustedNode("hostname4", "172.16.5.234", NodeType.tenant).build(); NodeAgentContext context = contextGenerator.apply(acl); ipAddresses.addAddress(context.hostname().value(), "2001::1"); @@ -162,7 +163,7 @@ public class AclMaintainerTest { @Test void only_configure_iptables_for_ipversion_that_differs() { - Acl acl = new Acl.Builder().withTrustedPorts(22, 4443).withTrustedNode("hostname1", "3001::abcd").build(); + Acl acl = new Acl.Builder().withTrustedPorts(22, 4443).withTrustedNode("hostname1", "3001::abcd", NodeType.tenant).build(); NodeAgentContext context = contextGenerator.apply(acl); ipAddresses.addAddress(context.hostname().value(), "2001::1"); @@ -208,7 +209,7 @@ public class AclMaintainerTest { @Test void rollback_is_attempted_when_applying_acl_fail() { - Acl acl = new Acl.Builder().withTrustedPorts(22, 4443).withTrustedNode("hostname1", "3001::abcd").build(); + Acl acl = new Acl.Builder().withTrustedPorts(22, 4443).withTrustedNode("hostname1", "3001::abcd", NodeType.tenant).build(); NodeAgentContext context = contextGenerator.apply(acl); ipAddresses.addAddress(context.hostname().value(), "2001::1"); 
@@ -244,6 +245,101 @@ public class AclMaintainerTest { aclMaintainer.converge(context); } + @Test + public void config_server_acl() { + Acl acl = new Acl.Builder().withTrustedPorts(22, 4443) + .withTrustedNode("cfg1", "2001:db8::1", NodeType.config) + .withTrustedNode("cfg2", "2001:db8::2", NodeType.config) + .withTrustedNode("cfg3", "2001:db8::3", NodeType.config) + .withTrustedNode("cfg1", "172.17.0.41", NodeType.config) + .withTrustedNode("cfg2", "172.17.0.42", NodeType.config) + .withTrustedNode("cfg3", "172.17.0.43", NodeType.config) + .build(); + NodeAgentContext context = NodeAgentContextImpl.builder("cfg3.example.com") + .fileSystem(fileSystem) + .acl(acl) + .nodeSpecBuilder(builder -> builder.type(NodeType.config)) + .build(); + + ipAddresses.addAddress(context.hostname().value(), "2001:db8::3"); + ipAddresses.addAddress(context.hostname().value(), "172.17.0.43"); + + whenListRules(context, "filter", IPVersion.IPv4, EMPTY_FILTER_TABLE); + whenListRules(context, "filter", IPVersion.IPv6, EMPTY_FILTER_TABLE); + whenListRules(context, "nat", IPVersion.IPv4, EMPTY_NAT_TABLE); + whenListRules(context, "nat", IPVersion.IPv6, EMPTY_NAT_TABLE); + + aclMaintainer.converge(context); + + verify(containerOperations, times(4)).executeCommandInNetworkNamespace(eq(context), any(), eq("-S"), eq("-t"), any()); + verify(containerOperations, times(2)).executeCommandInNetworkNamespace(eq(context), eq("iptables-restore"), any()); + verify(containerOperations, times(2)).executeCommandInNetworkNamespace(eq(context), eq("ip6tables-restore"), any()); + verifyNoMoreInteractions(containerOperations); + + List<String> expected = List.of( + // IPv4 filter table restore + """ + *filter + -P INPUT ACCEPT + -P FORWARD ACCEPT + -P OUTPUT ACCEPT + -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT + -A INPUT -i lo -j ACCEPT + -A INPUT -p icmp -j ACCEPT + -A INPUT -p tcp -m multiport --dports 22,4443 -j ACCEPT + -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -s 172.17.0.41/32 -j 
ACCEPT + -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -s 172.17.0.42/32 -j ACCEPT + -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -s 172.17.0.43/32 -j ACCEPT + -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -j REJECT --reject-with icmp-port-unreachable + -A INPUT -s 172.17.0.41/32 -j ACCEPT + -A INPUT -s 172.17.0.42/32 -j ACCEPT + -A INPUT -s 172.17.0.43/32 -j ACCEPT + -A INPUT -j REJECT --reject-with icmp-port-unreachable + COMMIT + """, + // IPv6 filter table restore + """ + *filter + -P INPUT ACCEPT + -P FORWARD ACCEPT + -P OUTPUT ACCEPT + -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT + -A INPUT -i lo -j ACCEPT + -A INPUT -p ipv6-icmp -j ACCEPT + -A INPUT -p tcp -m multiport --dports 22,4443 -j ACCEPT + -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -s 2001:db8::1/128 -j ACCEPT + -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -s 2001:db8::2/128 -j ACCEPT + -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -s 2001:db8::3/128 -j ACCEPT + -A INPUT -p tcp -m multiport --dports 2181,2182,2183 -j REJECT --reject-with icmp6-port-unreachable + -A INPUT -s 2001:db8::1/128 -j ACCEPT + -A INPUT -s 2001:db8::2/128 -j ACCEPT + -A INPUT -s 2001:db8::3/128 -j ACCEPT + -A INPUT -j REJECT --reject-with icmp6-port-unreachable + COMMIT + """, + // IPv4 nat table restore + """ + *nat + -P PREROUTING ACCEPT + -P INPUT ACCEPT + -P OUTPUT ACCEPT + -P POSTROUTING ACCEPT + -A OUTPUT -d 172.17.0.43/32 -j REDIRECT + COMMIT + """, + // IPv6 nat table restore + """ + *nat + -P PREROUTING ACCEPT + -P INPUT ACCEPT + -P OUTPUT ACCEPT + -P POSTROUTING ACCEPT + -A OUTPUT -d 2001:db8::3/128 -j REDIRECT + COMMIT + """); + assertEquals(expected, writtenFileContents); + } + @BeforeEach public void setup() { doAnswer(invoc -> { @@ -258,4 +354,5 @@ public class AclMaintainerTest { eq(context), eq(ipVersion.iptablesCmd()), eq("-S"), eq("-t"), eq(table))) .thenReturn(new CommandResult(null, 0, output)); } + } 
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditorTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditorTest.java index 6cd4038975b..39d1a46f198 100644 --- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditorTest.java +++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/FilterTableLineEditorTest.java @@ -1,6 +1,7 @@ // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.hosted.node.admin.maintenance.acl; +import com.yahoo.config.provision.NodeType; import com.yahoo.vespa.hosted.node.admin.configserver.noderepository.Acl; import com.yahoo.vespa.hosted.node.admin.task.util.file.Editor; import com.yahoo.vespa.hosted.node.admin.task.util.network.IPVersion; @@ -18,7 +19,7 @@ public class FilterTableLineEditorTest { @Test void filter_set_wanted_rules() { - Acl acl = new Acl.Builder().withTrustedPorts(22).withTrustedNode("hostname", "3001::1").build(); + Acl acl = new Acl.Builder().withTrustedPorts(22).withTrustedNode("hostname", "3001::1", NodeType.tenant).build(); assertFilterTableLineEditorResult( acl, IPVersion.IPv6, @@ -59,7 +60,7 @@ public class FilterTableLineEditorTest { private static void assertFilterTableLineEditorResult( Acl acl, IPVersion ipVersion, String currentFilterTable, String expectedRestoreFileContent) { - FilterTableLineEditor filterLineEditor = FilterTableLineEditor.from(acl, ipVersion); + FilterTableLineEditor filterLineEditor = FilterTableLineEditor.from(acl, ipVersion, NodeType.tenant); Editor editor = new Editor( "nat-table", () -> List.of(currentFilterTable.split("\n")), 
@@ -70,16 +71,17 @@ public class FilterTableLineEditorTest { private static void assertFilterTableDiff(List<Integer> currentIpSuffix, List<Integer> wantedIpSuffix, String diff) { Acl.Builder currentAcl = new Acl.Builder(); - currentIpSuffix.forEach(i -> currentAcl.withTrustedNode("host" + i, "2001::" + i)); + NodeType nodeType = NodeType.tenant; + currentIpSuffix.forEach(i -> currentAcl.withTrustedNode("host" + i, "2001::" + i, nodeType)); List<String> currentTable = new ArrayList<>(); Acl.Builder wantedAcl = new Acl.Builder(); - wantedIpSuffix.forEach(i -> wantedAcl.withTrustedNode("host" + i, "2001::" + i)); + wantedIpSuffix.forEach(i -> wantedAcl.withTrustedNode("host" + i, "2001::" + i, nodeType)); - new Editor("table", List::of, currentTable::addAll, FilterTableLineEditor.from(currentAcl.build(), IPVersion.IPv6)) + new Editor("table", List::of, currentTable::addAll, FilterTableLineEditor.from(currentAcl.build(), IPVersion.IPv6, nodeType)) .edit(log -> {}); - new Editor("table", () -> currentTable, result -> {}, FilterTableLineEditor.from(wantedAcl.build(), IPVersion.IPv6)) + new Editor("table", () -> currentTable, result -> {}, FilterTableLineEditor.from(wantedAcl.build(), IPVersion.IPv6, nodeType)) .edit(log -> assertEquals(diff, log)); } -}
\ No newline at end of file +} |