bubblev
/
bubble
9
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 130 Wiki Activity
The main Bubble source repository. Contains the Bubble API server, the web UI, documentation and utilities. https://getbubblenow.com
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
183 Commits
10 Branches
66 MiB
 
 
 
 
Tree: 3d47811402
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '3d47811402'
${ noResults }
bubble/automation/roles/firewall/files/bubble_peer_manager.py

181 lines
5.8 KiB
Raw Blame History 

  1. #!/usr/bin/python3

  2. 

  3. import json

  4. import logging

  5. import os

  6. import sys

  7. import time

  8. import subprocess

  9. 

  10. logger = logging.getLogger(__name__)

  11. logger.setLevel(logging.INFO)

  12. 

  13. EMPTY_PEERS = {'peers': [], 'ports': []}

  14. 

  15. 

  16. class PeerPort(object):

  17.     def __init__(self, port):

  18.         if ':' in port:

  19.             self.proto = port[0:port.index(':')]

  20.             self.port = port[port.index(':') + 1:]

  21.         else:

  22.             self.proto = 'tcp'

  23.             self.port = port

  24. 

  25.     def __str__(self):

  26.         return self.proto + ':' + self.port

  27. 

  28. 

  29. def find_peers(port):

  30.     out = subprocess.run(['iptables', '-vnL', 'INPUT'],

  31.                          stdout=subprocess.PIPE,

  32.                          stderr=subprocess.PIPE)

  33.     peers = []

  34.     for line in out.stdout.decode('utf-8').split('\n'):

  35.         line = line.strip()

  36.         if len(line) == 0 or line.startswith('Chain ') or line.startswith('pkts '):

  37.             continue

  38.         for parts in line.split(' '):

  39.             packets = parts[0]

  40.             bytes = parts[1]

  41.             target = parts[2]

  42.             proto = parts[3]

  43.             if proto != port.proto:

  44.                 continue

  45.             opt = parts[4]

  46.             iface_in = parts[5]

  47.             iface_out = parts[6]

  48.             source = parts[7]

  49.             if source == '0.0.0.0/0':

  50.                 continue

  51.             dest = parts[8]

  52.             if parts[9] != port.proto:

  53.                 continue

  54.             if parts[10].startswith('dpt:'):

  55.                 dest_port = int(parts[10][len('dpt:'):])

  56.                 if dest_port == port.port:

  57.                     peers.append(source)

  58.     return peers

  59. 

  60. 

  61. def add_peers(peers, port):

  62.     out = subprocess.run(['iptables', '-vnL', 'INPUT'],

  63.                          stdout=subprocess.PIPE,

  64.                          stderr=subprocess.PIPE)

  65.     lines = out.stdout.decode('utf-8').split('\n')

  66.     insert_at = len(lines) - 2

  67.     if insert_at < 2:

  68.         raise ValueError('add_peers: insert_at was < 2: '+str(insert_at))

  69.     for peer in peers:

  70.         logger.info("add_peers: alllowing peer: " + peer + " on port " + port)

  71.         out = subprocess.run(['iptables', '-I', 'INPUT', str(insert_at),

  72.                               '-p', port.proto, '-s', peer + '/32',

  73.                               '--dport', port.port, '-j', 'ACCEPT'])

  74.         logger.info("add_peers: allowed peer: " + peer + " on port " + port)

  75. 

  76. 

  77. def remove_peers(peers, port):

  78.     for peer in peers:

  79.         remove_peer(peer, port)

  80. 

  81. 

  82. def remove_peer(peer, port):

  83.     out = subprocess.run(['iptables', '-vnL', 'INPUT'],

  84.                          stdout=subprocess.PIPE,

  85.                          stderr=subprocess.PIPE)

  86.     index = 0

  87.     for line in out.stdout.decode('utf-8').split('\n'):

  88.         line = line.strip()

  89.         if len(line) == 0 or line.startswith('Chain ') or line.startswith('pkts '):

  90.             continue

  91.         index = index + 1

  92.         for parts in line.split(' '):

  93.             packets = parts[0]

  94.             bytes = parts[1]

  95.             target = parts[2]

  96.             proto = parts[3]

  97.             if proto != port.proto:

  98.                 continue

  99.             opt = parts[4]

  100.             iface_in = parts[5]

  101.             iface_out = parts[6]

  102.             source = parts[7]

  103.             if not source.startswith(peer+'/32'):

  104.                 continue

  105.             dest = parts[8]

  106.             if parts[9] != port.proto:

  107.                 continue

  108.             if parts[10].startswith('dpt:'):

  109.                 dest_port = int(parts[10][len('dpt:'):])

  110.                 if dest_port == port.port:

  111.                     logger.info("remove_peer: removing peer: " + peer + " on port " + port)

  112.                     out = subprocess.run(['iptables', '-D', 'INPUT', str(index)],

  113.                                          stdout=subprocess.PIPE,

  114.                                          stderr=subprocess.PIPE)

  115.                     return True

  116.     return False

  117. 

  118. 

  119. class BubblePeers(object):

  120. 

  121.     def __init__(self, peer_path, self_path):

  122.         self.peer_path = peer_path

  123.         if os.path.exists(peer_path):

  124.             self.last_modified = os.path.getmtime(self.peer_path)

  125.         else:

  126.             self.last_modified = 0

  127. 

  128.         self.last_update = None

  129.         self.peers = []

  130.         self.ports = []

  131. 

  132.         self.self_path = self_path

  133.         self.self_node = {}

  134. 

  135.     def load_peers(self):

  136.         if os.path.exists(self.peer_path):

  137.             with open(self.peer_path) as f:

  138.                 val = json.load(f)

  139.         else:

  140.             val = EMPTY_PEERS

  141.         self.peers = val['peers']

  142.         self.ports = []

  143.         for port in val['ports']:

  144.             self.ports.append(PeerPort(port))

  145. 

  146.     def load_self(self):

  147.         if os.path.exists(self.self_path):

  148.             with open(self.self_path) as f:

  149.                 self.self_node = json.load(f)

  150. 

  151.     def monitor(self):

  152.         self.load_peers()

  153.         self.load_self()

  154.         if os.path.exists(self.peer_path):

  155.             self.last_modified = os.path.getmtime(self.peer_path)

  156.             if self.last_update is None or self.last_update < self.last_modified:

  157.                 self.load_peers()

  158.                 for port in self.ports:

  159.                     peers_on_port = find_peers(port)

  160.                     peers_to_remove = []

  161.                     peers_to_add = []

  162.                     for peer in peers_on_port:

  163.                         if peer not in self.peers:

  164.                             peers_to_remove.append(peer)

  165.                     for peer in self.peers:

  166.                         if peer not in peers_on_port:

  167.                             peers_to_add.append(peer)

  168.                     remove_peers(peers_to_remove, port)

  169.                     add_peers(peers_to_add, port)

  170. 

  171. 

  172. if __name__ == "__main__":

  173.     peers = BubblePeers(sys.argv[1], sys.argv[2])

  174.     interval = int(sys.argv[3])

  175.     try:

  176.         while True:

  177.             peers.monitor()

  178.             time.sleep(interval)

  179.     except Exception as e:

  180.         logger.error("Unexpected error: " + repr(e))