The quantum.agent.linux.iptables_manager Module

Implements iptables rules using linux utilities.

class quantum.agent.linux.iptables_manager.IptablesManager(_execute=None, state_less=False, root_helper=None, use_ipv6=False, namespace=None)

Bases: object

Wrapper for iptables.

See IptablesTable for some usage docs

A number of chains are set up to begin with.

First, quantum-filter-top. It’s added at the top of FORWARD and OUTPUT. Its name is not wrapped, so it’s shared between the various nova workers. It’s intended for rules that need to live at the top of the FORWARD and OUTPUT chains. It’s in both the ipv4 and ipv6 set of tables.

For ipv4 and ipv6, the built-in INPUT, OUTPUT, and FORWARD filter chains are wrapped, meaning that the “real” INPUT chain has a rule that jumps to the wrapped INPUT chain, etc. Additionally, there’s a wrapped chain named “local” which is jumped to from quantum-filter-top.

For ipv4, the built-in PREROUTING, OUTPUT, and POSTROUTING nat chains are wrapped in the same way as the built-in filter chains. Additionally, there’s a snat chain that is applied after the POSTROUTING chain.

apply()

defer_apply_off()

defer_apply_on()

class quantum.agent.linux.iptables_manager.IptablesRule(chain, rule, wrap=True, top=False)

Bases: object

An iptables rule.

You shouldn’t need to use this class directly, it’s only used by IptablesManager.

class quantum.agent.linux.iptables_manager.IptablesTable

Bases: object

An iptables table.

add_chain(name, wrap=True)

Adds a named chain to the table.

The chain name is wrapped to be unique for the component creating it, so different components of Nova can safely create identically named chains without interfering with one another.

At the moment, its wrapped name is <binary name>-<chain name>, so if nova-compute creates a chain named ‘OUTPUT’, it’ll actually end up named ‘nova-compute-OUTPUT’.

add_rule(chain, rule, wrap=True, top=False)

Add a rule to the table.

This is just like what you’d feed to iptables, just without the ‘-A <chain name>’ bit at the start.

However, if you need to jump to one of your wrapped chains, prepend its name with a ‘$’ which will ensure the wrapping is applied correctly.

empty_chain(chain, wrap=True)

Remove all rules from a chain.

ensure_remove_chain(name, wrap=True)

Ensure the chain is removed.

This removal “cascades”. All rules in the chain are removed, as are all rules in other chains that jump to it.

remove_chain(name, wrap=True)

Remove named chain.

This removal “cascades”. All rules in the chain are removed, as are all rules in other chains that jump to it.

If the chain is not found, this is merely logged.

remove_rule(chain, rule, wrap=True, top=False)

Remove a rule from a chain.

Note: The rule must be exactly identical to the one that was added. You cannot switch arguments around like you can with the iptables CLI tool.
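The chain wrapping, the ‘$’ prefix for jumping to wrapped chains (add_chain/add_rule above) and the exact-match requirement of remove_rule can be seen together in the following added illustration. It is not quantum’s own code: WrappedTable, wrap_chain_name and IPTABLES_MAX_CHAIN are hypothetical names, and the 28-character limit is iptables’ own chain-name limit, not something this page states.

```python
import re

# Added illustration of the chain-wrapping, '$'-jump and exact-match-removal
# conventions described on this page. Not quantum's own code: class, function
# and constant names here are hypothetical.
IPTABLES_MAX_CHAIN = 28  # kernel limit on chain-name length, not stated on this page


def wrap_chain_name(binary_name, chain_name, wrap=True):
    """Return '<binary name>-<chain name>' when wrap=True, else the bare name."""
    if not wrap:
        return chain_name
    wrapped = "%s-%s" % (binary_name, chain_name)
    if len(wrapped) > IPTABLES_MAX_CHAIN:
        # iptables would reject this name at apply time; fail early instead.
        raise ValueError("wrapped chain name too long: %r" % wrapped)
    return wrapped


class WrappedTable(object):
    """Minimal model of a table whose chains are wrapped per component."""

    def __init__(self, binary_name):
        self.binary_name = binary_name
        self.rules = []  # (chain, rule, wrap) tuples, in insertion order

    def add_rule(self, chain, rule, wrap=True):
        """Rule text is what you'd give iptables minus the '-A <chain>' part."""
        self.rules.append((chain, rule, wrap))

    def remove_rule(self, chain, rule, wrap=True):
        """Exact-match removal: reordered arguments do not match."""
        try:
            self.rules.remove((chain, rule, wrap))
            return True
        except ValueError:
            return False

    def render(self):
        """Emit '-A <chain> <rule>' lines, expanding '$name' to wrapped names."""
        def expand(match):
            return wrap_chain_name(self.binary_name, match.group(1))
        lines = []
        for chain, rule, wrap in self.rules:
            body = re.sub(r"\$([\w-]+)", expand, rule)
            target = wrap_chain_name(self.binary_name, chain, wrap)
            lines.append("-A %s %s" % (target, body))
        return lines
```

Adding "-j $FORWARD" to the unwrapped FORWARD chain (wrap=False) renders the jump from the “real” chain into the wrapped one that the IptablesManager description above refers to.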

quantum.agent.linux.iptables_manager.get_chain_name(chain_name, wrap=True)