Merge "Agent iptables output filter support"

agent/lib/agent/bootstrap.rb

@@ -9,7 +9,6 @@
 module Bosh::Agent
   class Bootstrap
 
-    # TODO: set up iptables
     def initialize
       FileUtils.mkdir_p(File.join(base_dir, 'bosh'))
       @platform = Bosh::Agent::Config.platform
@@ -34,6 +33,7 @@ def configure
       logger.info("Loaded settings: #{@settings.inspect}")
 
       if @settings
+        update_iptables
         update_passwords
         update_agent_id
         update_hostname
@@ -58,6 +58,38 @@ def load_settings
       Bosh::Agent::Config.settings = @settings
     end
 
+    def iptables(cmd)
+      output = %x{iptables #{cmd} 2> /dev/null}
+      if $?.exitstatus != 0
+        raise Bosh::Agent::Error, "`iptables #{cmd}` failed"
+      end
+      output
+    end
+
+    def update_iptables
+      return unless rules = @settings['iptables']
+
+      if rules["drop_output"]
+        chain = "agent-filter"
+        append_chain = "-A OUTPUT -j #{chain}"
+
+        begin
+          iptables("-N #{chain}")
+        rescue
+          iptables("-F #{chain}")
+        end
+
+        unless iptables("-S").include?(append_chain)
+          iptables(append_chain)
+        end
+
+        rules["drop_output"].each do |dest|
+          rule = "-A #{chain} -d #{dest} -m owner ! --uid-owner root -j DROP"
+          iptables(rule)
+        end
+      end
+    end
+
     def update_passwords
       @platform.update_passwords(@settings) unless @settings["env"].nil?
     end

agent/spec/unit/bootstrap_spec.rb

@@ -21,6 +21,58 @@
     @processor.stub(:mem_total).and_return(3951616)
   end
 
+  it "should not setup iptables without settings" do
+    @processor.load_settings
+    @processor.stub!(:iptables).and_raise(Bosh::Agent::Error)
+    @processor.update_iptables
+  end
+
+  it "should create new iptables filter chain" do
+    new = "-N agent-filter"
+    append_chain = "-A OUTPUT -j agent-filter"
+    default_rules = ["-P INPUT ACCEPT", "-P FORWARD ACCEPT", "-P OUTPUT ACCEPT"]
+    list_rules = default_rules.join("\n")
+
+    settings = complete_settings
+    settings["iptables"] = {"drop_output" => ["n.n.n.n", "x.x.x.x"]}
+    Bosh::Agent::Config.infrastructure.stub(:load_settings).and_return(settings)
+    @processor.load_settings
+
+    @processor.should_receive(:iptables).with(new).and_return("")
+    @processor.should_receive(:iptables).with("-S").and_return(list_rules)
+    @processor.should_receive(:iptables).with(append_chain).and_return("")
+
+    settings["iptables"]["drop_output"].each do |dest|
+      rule = "-A agent-filter -d #{dest} -m owner ! --uid-owner root -j DROP"
+      @processor.should_receive(:iptables).with(rule).and_return("")
+    end
+
+    @processor.update_iptables
+  end
+
+  it "should update existing iptables filter chain" do
+    new = "-N agent-filter"
+    append_chain = "-A OUTPUT -j agent-filter "
+    default_rules = ["-P INPUT ACCEPT", "-P FORWARD ACCEPT", "-P OUTPUT ACCEPT"]
+    list_rules = default_rules.join("\n") + append_chain
+
+    settings = complete_settings
+    settings["iptables"] = {"drop_output" => ["n.n.n.n", "x.x.x.x"]}
+    Bosh::Agent::Config.infrastructure.stub(:load_settings).and_return(settings)
+    @processor.load_settings
+
+    @processor.should_receive(:iptables).with(new).and_raise(Bosh::Agent::Error)
+    @processor.should_receive(:iptables).with("-F agent-filter").and_return("")
+    @processor.should_receive(:iptables).with("-S").and_return(list_rules)
+
+    settings["iptables"]["drop_output"].each do |dest|
+      rule = "-A agent-filter -d #{dest} -m owner ! --uid-owner root -j DROP"
+      @processor.should_receive(:iptables).with(rule).and_return("")
+    end
+
+    @processor.update_iptables
+  end
+
   # This doesn't quite belong here
   it "should configure mbus with nats server uri" do
     @processor.load_settings