Commit 1da348b2 authored by Simon Redman's avatar Simon Redman

Delete ip6tables rules before attempting to remove the ipt_NETFLOW module

parent ad0ab3b3
......@@ -26,23 +26,28 @@ Remove the ipt_NETFLOW module if it exists and then insert it with the new param
MODPROBE_TEMPLATE = "sudo modprobe -rq ipt_NETFLOW; sudo modprobe ipt_NETFLOW destination={collector_ip}:{port} protocol=9"
IPTABLES_LINE_TEMPLATE = "sudo ip6tables -D {table} -j NETFLOW 2>/dev/null; sudo ip6tables -I {table} -j NETFLOW"
IPTABLES_DELETE_LINE_TEMPLATE = "sudo ip6tables -D {table} -j NETFLOW"
IPTABLES_COLLECT_LINE_TEMPLATE = "sudo ip6tables -I {table} -j NETFLOW"
def _write_iptables_commands(router_sessions, iptables_commands: List[str]) -> None:
ssh_helper.run_commands_on_many_hosts(router_sessions, iptables_commands)
def _write_iptables_commands(router_sessions, iptables_commands: List[str]) -> List[str]:
outputs = ssh_helper.run_commands_on_many_hosts(router_sessions, iptables_commands)
return outputs
def _write_modprobe_commands(router_sessions, modprobe_commands: List[str]) -> None:
ssh_helper.run_commands_on_many_hosts(router_sessions, modprobe_commands)
def _write_modprobe_commands(router_sessions, modprobe_commands: List[str]) -> List[str]:
outputs = ssh_helper.run_commands_on_many_hosts(router_sessions, modprobe_commands)
return outputs
def _build_iptables_lines(number: int) -> List[str]:
def _build_iptables_lines(number: int, template: str) -> List[str]:
Build the iptables to collect all netflow traffic
:param number: Build this many copies. There is nothing node-unique about the iptables command.
:param template: Use this template. Should be one of the constants defined above.
line = " && ".join([IPTABLES_LINE_TEMPLATE.format(
line = " && ".join([template.format(
) for table in ["INPUT", "OUTPUT", "FORWARD"]])
return [line] * number
......@@ -83,12 +88,14 @@ def configure(netgraph: networkx.Graph, collector_node: str, border_routers: Lis
router_sessions = [netgraph._node[node]['session'] for node in border_routers]
port_nums: List[int] = _get_port_nums(netgraph, border_routers)
iptables_delete_lines: List[str] = _build_iptables_lines(len(border_routers), IPTABLES_DELETE_LINE_TEMPLATE)
modprobe_lines: List[str] = _build_modprobe_lines(netgraph, port_nums, collector_node)
iptables_collect_lines: List[str] = _build_iptables_lines(len(border_routers), IPTABLES_COLLECT_LINE_TEMPLATE)
iptables_lines: List[str] = _build_iptables_lines(len(border_routers))
# Deleting the iptables rules is expected to fail when no such rules exist. Run it with no error checking.
ssh_helper.unchecked_run_commands_on_many_hosts(router_sessions, iptables_delete_lines)
_write_modprobe_commands(router_sessions, modprobe_lines)
_write_iptables_commands(router_sessions, iptables_lines)
_write_iptables_commands(router_sessions, iptables_collect_lines)
if __name__ == "__main__":
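Review bot: The delete line built from IPTABLES_DELETE_LINE_TEMPLATE is still joined with `&&` by `_build_iptables_lines`, so on a host where the INPUT rule is absent the OUTPUT and FORWARD deletes never run, any stale rules there keep ipt_NETFLOW pinned, and the following `modprobe -rq` (whose failure the `;` in MODPROBE_TEMPLATE masks) silently leaves the old module with its old destination in place. `ip6tables -D` also removes only one matching rule per call, so duplicates accumulated from earlier runs survive and each flow is exported more than once. Making the template tolerant per table fixes both: `IPTABLES_DELETE_LINE_TEMPLATE = "while sudo ip6tables -D {table} -j NETFLOW 2>/dev/null; do :; done"` — the loop exits 0 once no rule matches, so the `&&` chain continues and the unchecked run is no longer needed for correctness. The comment above the unchecked call in `configure` should then explain the loop, e.g. `# -D drops one matching rule per call; loop until none remain so modprobe -r can unload the module.` The enclosing `configure` function starts before this hunk.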