Discussion:
problems when writing a iptable test module, may be silly..
kirsten
2011-04-29 03:15:37 UTC
Permalink
Hi,

I am trying to add an module to change iptable rules on slave1 and test
it with slave2. But when i restart func, i can not find my module with
"funcd --list-modules".

"port" and "ip" change iptable, drop from port ** and ip "slave2"
"portreset" and "ip" change iptable, accept from port ** and ip "slave2"
"test" run "sendip", which is a tool that sends ip packages with various
options. This is meant to run on slave2.
"tcpdump" run tcpdump with -c on slave1, to detect whether these
packages are received.

And here is my
module,"/usr/lib/python2.7/site-packages/func/minion/modules/fwtest.py"
I am a rookie, it may be silly..

#
# Copyright 2011
# Liu Jun <liujun.ee-***@public.gmane.org>
#
# This software may be freely redistributed under the terms of the GNU
# general public license.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

import func_module
from func.minion.codes import FuncException
from func.minion import sub_process
from func.minion.modules.iptables import *
import service


class Fwtest(func_module.FuncModule):

# Update these if need be.
version = "0.0.1"
api_version = "0.0.1"
description = "firewall test"

"""
A firewalltest example on target minion
example destination = slave1
example source = slave2
example port = 1725
You can also choose your own
"""

def port(self, sourceport):
"""
Set firewall input port rules
func "*" call fwtest port 1725
"""
service.stop(iptables)
iptables.port.drop_from(sourceport)
iptables.save()
service.start(iptables)
return True

def portreset(self, sourceport):
"""
reset firewall input port rules
func "*" call fwtest portreset 1725
"""
service.stop(iptables)
iptables.port.accept_from(sourceport)
iptables.save()
service.start(iptables)
return True

def ip(self, sourceip=slave2):
"""
Set firewall input ip rules
func "*" call fwtest ip slave2
"""
service.stop(iptables)
iptables.drop_from(sourceip)
iptables.save()
service.start(iptables)
return True

def ipreset(self, sourceip=slave2):
"""
reset firewall input ip rules
func "*" call fwtest ipreset slave2
"""
service.stop(iptables)
iptables.drop_from(sourceip)
iptables.save()
service.start(iptables)
return True


def tcpdump(self, *args):
"""
Tcpdump on slave1, host slave2
"""
if '-c' not in args:
raise(FuncException("You must define a count with -c!"))
return self.__run_command('/usr/sbin/tcpdump',
self.__args_to_list(args))

def test(self, *args):
"""
Test firewall input port rules
func "*" call fwtest porttest 23
"""
return self.__run_command('/usr/bin/sendip',
self.__args_to_list(args))

def __args_to_list(self, args):
return [arg for arg in args]

def __run_command(self, command, opts=[]):
full_cmd = [command] + opts
cmd = sub_process.Popen(full_cmd, stdout=sub_process.PIPE,
close_fds=True)
return [line for line in cmd.communicate()[0].split('\n')]
kirsten
2011-04-29 03:25:24 UTC
Permalink
Hi,

I am trying to add an module to change iptable rules on slave1 and test
it with slave2. But when i restart func, i can not find my module with
"funcd --list-modules".

"port" and "ip" change iptable, drop from port ** and ip "slave2"
"portreset" and "ip" change iptable, accept from port ** and ip "slave2"
"test" run "sendip", which is a tool that sends ip packages with various
options. This is meant to run on slave2.
"tcpdump" run tcpdump with -c on slave1, to detect whether these
packages are received.

And here is my
module,"/usr/lib/python2.7/site-packages/func/minion/modules/fwtest.py"
I am a rookie, it may be silly..

#
# Copyright 2011
# Liu Jun <liujun.ee-***@public.gmane.org>
#
# This software may be freely redistributed under the terms of the GNU
# general public license.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

import func_module
from func.minion.codes import FuncException
from func.minion import sub_process
from func.minion.modules.iptables import *
import service


class Fwtest(func_module.FuncModule):

# Update these if need be.
version = "0.0.1"
api_version = "0.0.1"
description = "firewall test"

"""
A firewalltest example on target minion
example destination = slave1
example source = slave2
example port = 1725
You can also choose your own
"""

def port(self, sourceport):
"""
Set firewall input port rules
func "*" call fwtest port 1725
"""
service.stop(iptables)
iptables.port.drop_from(sourceport)
iptables.save()
service.start(iptables)
return True

def portreset(self, sourceport):
"""
reset firewall input port rules
func "*" call fwtest portreset 1725
"""
service.stop(iptables)
iptables.port.accept_from(sourceport)
iptables.save()
service.start(iptables)
return True

def ip(self, sourceip=slave2):
"""
Set firewall input ip rules
func "*" call fwtest ip slave2
"""
service.stop(iptables)
iptables.drop_from(sourceip)
iptables.save()
service.start(iptables)
return True

def ipreset(self, sourceip=slave2):
"""
reset firewall input ip rules
func "*" call fwtest ipreset slave2
"""
service.stop(iptables)
iptables.drop_from(sourceip)
iptables.save()
service.start(iptables)
return True


def tcpdump(self, *args):
"""
Tcpdump on slave1, host slave2
"""
if '-c' not in args:
raise(FuncException("You must define a count with -c!"))
return self.__run_command('/usr/sbin/tcpdump',
self.__args_to_list(args))

def test(self, *args):
"""
Test firewall input port rules
func "*" call fwtest porttest 23
"""
return self.__run_command('/usr/bin/sendip',
self.__args_to_list(args))

def __args_to_list(self, args):
return [arg for arg in args]

def __run_command(self, command, opts=[]):
full_cmd = [command] + opts
cmd = sub_process.Popen(full_cmd, stdout=sub_process.PIPE,
close_fds=True)
return [line for line in cmd.communicate()[0].split('\n')]
Jan-Frode Myklebust
2011-04-29 07:15:37 UTC
Permalink
Post by kirsten
I am trying to add an module to change iptable rules on slave1 and test
it with slave2. But when i restart func, i can not find my module with
"funcd --list-modules".
Check /var/log/func/func.log. It should tell you why it can't load the
module ("slave2" not being defined when you do sourceip=slave2).


-jf
kirsten
2011-04-29 07:46:07 UTC
Permalink
"slave2" is a hostname defined in /etc/hosts, will that be a problem?
And it is only a default parameter.

/var/log/func/audit.log does not provide any thing usefull, and files
in /var/log/func/methods are all 0 size. There is no other file there.
Post by Jan-Frode Myklebust
Post by kirsten
I am trying to add an module to change iptable rules on slave1 and test
it with slave2. But when i restart func, i can not find my module with
"funcd --list-modules".
Check /var/log/func/func.log. It should tell you why it can't load the
module ("slave2" not being defined when you do sourceip=slave2).
-jf
Jan-Frode Myklebust
2011-04-29 07:56:41 UTC
Permalink
Post by kirsten
"slave2" is a hostname defined in /etc/hosts, will that be a problem?
Ok, then it's supposed to be a string, and you need to quote it:

- def ip(self, sourceip=slave2):
+ def ip(self, sourceip="slave2"):

- def ipreset(self, sourceip=slave2):
+ def ipreset(self, sourceip="slave2"):


-jf
kirsten
2011-04-29 08:21:19 UTC
Permalink
So it is..

Module found now. But it comes with "InvalidMethodException". I will
trying to debug it.
Post by kirsten
"slave2" is a hostname defined in /etc/hosts, will that be a problem?
-jf
seth vidal
2011-04-29 12:50:36 UTC
Permalink
Post by kirsten
So it is..
Module found now. But it comes with "InvalidMethodException". I will
trying to debug it.
Post by kirsten
"slave2" is a hostname defined in /etc/hosts, will that be a problem?
-jf
just by eyeballing the code you have
from func.minion.modules.iptables import *

and then you're using:
iptables.methods()

I suspect that's the invalid method it can't find b/c you've imported
the methods w/o the namespace of iptables being included in them.


but paste the invalidmethod exception and it will be clearer.

-sv
kirsten
2011-05-03 01:45:25 UTC
Permalink
Post by seth vidal
Post by kirsten
So it is..
Module found now. But it comes with "InvalidMethodException". I will
trying to debug it.
Post by kirsten
"slave2" is a hostname defined in /etc/hosts, will that be a problem?
-jf
just by eyeballing the code you have
from func.minion.modules.iptables import *
iptables.methods()
I suspect that's the invalid method it can't find b/c you've imported
the methods w/o the namespace of iptables being included in them.
but paste the invalidmethod exception and it will be clearer.
-sv
I changed "ip" to "ipchange" and "port" to "portchange". It still had
the problem:

[***@overlord modules]# func slave1 call fwtest ipchange 172.31.31.14
{'slave1': ['REMOTE_ERROR'
'func.minion.codes.InvalidMethodException',
'',
' File
"/usr/lib/python2.7/site-packages/func/minion/server.py", line 324, in
_dispatch\n return self.get_dispatch_method(method)(*params)\n File
"/usr/lib/python2.7/site-packages/func/minion/server.py", line 162, in
get_dispatch_method\n raise codes.InvalidMethodException\n']}

kirsten
2011-04-29 03:19:08 UTC
Permalink
Hi,

I am trying to add an module to change iptable rules on slave1 and test
it with slave2. But when i restart func, i can not find my module with
"funcd --list-modules".

"port" and "ip" change iptable, drop from port ** and ip "slave2"
"portreset" and "ip" change iptable, accept from port ** and ip "slave2"
"test" run "sendip", which is a tool that sends ip packages with various
options. This is meant to run on slave2.
"tcpdump" run tcpdump with -c on slave1, to detect whether these
packages are received.

And here is my
module,"/usr/lib/python2.7/site-packages/func/minion/modules/fwtest.py"
I am a rookie, it may be silly..

#
# Copyright 2011
# Liu Jun <liujun.ee-***@public.gmane.org>
#
# This software may be freely redistributed under the terms of the GNU
# general public license.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

import func_module
from func.minion.codes import FuncException
from func.minion import sub_process
from func.minion.modules.iptables import *
import service


class Fwtest(func_module.FuncModule):

# Update these if need be.
version = "0.0.1"
api_version = "0.0.1"
description = "firewall test"

"""
A firewalltest example on target minion
example destination = slave1
example source = slave2
example port = 1725
You can also choose your own
"""

def port(self, sourceport):
"""
Set firewall input port rules
func "*" call fwtest port 1725
"""
service.stop(iptables)
iptables.port.drop_from(sourceport)
iptables.save()
service.start(iptables)
return True

def portreset(self, sourceport):
"""
reset firewall input port rules
func "*" call fwtest portreset 1725
"""
service.stop(iptables)
iptables.port.accept_from(sourceport)
iptables.save()
service.start(iptables)
return True

def ip(self, sourceip=slave2):
"""
Set firewall input ip rules
func "*" call fwtest ip slave2
"""
service.stop(iptables)
iptables.drop_from(sourceip)
iptables.save()
service.start(iptables)
return True

def ipreset(self, sourceip=slave2):
"""
reset firewall input ip rules
func "*" call fwtest ipreset slave2
"""
service.stop(iptables)
iptables.drop_from(sourceip)
iptables.save()
service.start(iptables)
return True


def tcpdump(self, *args):
"""
Tcpdump on slave1, host slave2
"""
if '-c' not in args:
raise(FuncException("You must define a count with -c!"))
return self.__run_command('/usr/sbin/tcpdump',
self.__args_to_list(args))

def test(self, *args):
"""
Test firewall input port rules
func "*" call fwtest porttest 23
"""
return self.__run_command('/usr/bin/sendip',
self.__args_to_list(args))

def __args_to_list(self, args):
return [arg for arg in args]

def __run_command(self, command, opts=[]):
full_cmd = [command] + opts
cmd = sub_process.Popen(full_cmd, stdout=sub_process.PIPE,
close_fds=True)
return [line for line in cmd.communicate()[0].split('\n')]
Loading...