# Copyright 2013-2014 Eucalyptus Systems, Inc.
#
# Redistribution and use of this software in source and binary forms,
# with or without modification, are permitted provided that the following
# conditions are met:
#
# Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
#
# Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
import socket
from requestbuilder import Arg, MutuallyExclusiveArgList
from requestbuilder.exceptions import ArgumentError
from euca2ools.commands.ec2 import EC2Request, parse_ports
class _ModifyNetworkAclEntry(EC2Request):
DESCRIPTION = ('Modify a network ACL entry\n\nThis is not an '
'actual EC2 request -- see euca-create-network-acl-'
'entry(1) or euca-replace-network-acl-entry(1) for '
'something usable.')
ARGS = [Arg('NetworkAclId', metavar='NACL',
help='ID of the network ACL to add the entry to (required)'),
Arg('-n', '--rule-number', dest='RuleNumber', metavar='INT',
required=True, type=int,
help='rule number for the new entry (required)'),
MutuallyExclusiveArgList(
Arg('--allow', dest='RuleAction', action='store_const',
const='allow',
help='make the new entry allow the traffic it matches'),
Arg('--deny', dest='RuleAction', action='store_const',
const='deny',
help='make the new entry block the traffic it matches'))
.required(),
Arg('-r', '--cidr', dest='CidrBlock', metavar='CIDR',
required=True,
help='CIDR address range the entry should affect (required)'),
Arg('-P', '--protocol', dest='Protocol', default='-1',
help='protocol the entry should apply to (default: all)'),
Arg('--egress', dest='Egress', action='store_true',
help='''make the entry affect outgoing (egress) network
traffic (default: affect incoming (ingress) traffic)'''),
Arg('-p', '--port-range', dest='port_range', metavar='RANGE',
route_to=None, help='''range of ports (specified as "from-to")
or a single port number (required for tcp and udp)'''),
Arg('-t', '--icmp-type-code', dest='icmp_type_code',
metavar='TYPE:CODE', route_to=None, help='''ICMP type and
code (specified as "type:code") (required for icmp)''')]
def process_cli_args(self):
self.process_port_cli_args()
def configure(self):
EC2Request.configure(self)
if not self.params.get('Egress'):
self.params['Egress'] = False
proto = self.args.get('Protocol') or -1
try:
self.params['Protocol'] = int(proto)
except ValueError:
if proto.lower() == 'all':
self.params['Protocol'] = -1
else:
try:
self.params['Protocol'] = socket.getprotobyname(proto)
except socket.error:
raise ArgumentError('argument -n/--rule-number: unknown '
'protocol "{0}"'.format(proto))
from_port, to_port = parse_ports(proto, self.args.get('port_range'),
self.args.get('icmp_type_code'))
if self.params['Protocol'] == 1: # ICMP
self.params['Icmp.Type'] = from_port
self.params['Icmp.Code'] = to_port
else:
self.params['PortRange.From'] = from_port
self.params['PortRange.To'] = to_port
def print_result(self, _):
if self.args.get('Egress'):
direction = 'egress'
else:
direction = 'ingress'
protocol = self.params['Protocol']
port_map = {-1: 'all', 1: 'icmp', 6: 'tcp', 17: 'udp', 132: 'sctp'}
try:
protocol = port_map.get(int(protocol), int(protocol))
except ValueError:
pass
print self.tabify((
'ENTRY', direction, self.params.get('RuleNumber'),
self.params.get('RuleAction'), self.params.get('CidrBlock'),
protocol,
self.params.get('Icmp.Type') or self.params.get('PortRange.From'),
self.params.get('Icmp.Code') or self.params.get('PortRange.To')))
class CreateNetworkAclEntry(_ModifyNetworkAclEntry):
DESCRIPTION = 'Create a new entry in a VPC network ACL'
class ReplaceNetworkAclEntry(_ModifyNetworkAclEntry):
DESCRIPTION = 'Replace an entry in a VPC network ACL'