systemvm/debian/root/health_checks/iptables_check.py

#!/usr/bin/python
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.

from os import sys, path
from subprocess import *
from utility import getHealthChecksData, formatPort


def main():
    portForwards = getHealthChecksData("portForwarding")
    if portForwards is None or len(portForwards) == 0:
        print("No portforwarding rules provided to check, skipping")
        exit(0)

    failedCheck = False
    failureMessage = "Missing port forwarding rules in Iptables-\n "
    for portForward in portForwards:
        entriesExpected = []
        destIp = portForward["destIp"]
        srcIpText = "-d " + portForward["sourceIp"]
        srcPortText = "--dport " + formatPort(portForward["sourcePortStart"], portForward["sourcePortEnd"], ":")
        dstText = destIp + ":" + formatPort(portForward["destPortStart"], portForward["destPortEnd"], "-")
        for algo in [["PREROUTING", "--to-destination"],
                     ["OUTPUT", "--to-destination"]]:
            entriesExpected.append([algo[0], srcIpText, srcPortText, algo[1] + " " + dstText])

        fetchIpTableEntriesCmd = "iptables-save | grep " + destIp
        pout = Popen(fetchIpTableEntriesCmd, shell=True, stdout=PIPE)
        if pout.wait() != 0:
            failedCheck = True
            failureMessage = failureMessage + "Unable to execute iptables-save command " \
                                              "for fetching rules by " + fetchIpTableEntriesCmd + "\n"
            continue

        ipTablesMatchingEntries = pout.communicate()[0].decode().strip().split('\n')
        for pfEntryListExpected in entriesExpected:
            foundPfEntryList = False
            for ipTableEntry in ipTablesMatchingEntries:
                # Check if all expected parts of pfEntryList
                # is present in this ipTableEntry
                foundAll = True
                for expectedEntry in pfEntryListExpected:
                    if ipTableEntry.find(expectedEntry) == -1:
                        foundAll = False
                        break

                if foundAll:
                    foundPfEntryList = True
                    break

            if not foundPfEntryList:
                failedCheck = True
                failureMessage = failureMessage + str(pfEntryListExpected) + "\n"

    if failedCheck:
        print(failureMessage)
        exit(1)
    else:
        print("Found all entries (count " + str(len(portForwards)) + ") in iptables")
        exit(0)


if __name__ == "__main__":
    if len(sys.argv) == 2 and sys.argv[1] == "advanced":
        main()