ipset_manager

Author: Athanasios Gkaraliakos (email: a.gkaraliakos@gmail.com, athanasios.gkaraliakos@cern.ch)

The script is written for Python >= 2.6.

Script to create/modify/delete ipsets of IPv4 and/or IPv6 addresses (where IPv6 is available) on CentOS 6.x and older, populated from CERN's network sets.

bin.ipset_manager.create_ip_set(simulate, ips, setname, iptype, settype, port, generate_file, file_override)

This function receives a list of ip addresses and tries to create an ip set using the system “ipset” command.

Parameters:
  • simulate – If true, only prints the actions on the screen and does not create a set
  • ips – List with ip addresses (IPv4 or IPv6)
  • setname – The name for the ipset
  • iptype – Type of ip addresses and set family (IPv4 -> inet, IPv6 -> inet6)
  • settype – Type of the ip set
  • port – Port number if the ipset uses ports
  • generate_file – Flag to write the ipset on the config file or not
  • file_override – Flag to write a new config file or append to the current one in the folder
Returns:

Does not return anything. Prints output messages and error messages if any

bin.ipset_manager.destroy_ip_set(simulate, setname, iptype)

This function destroys a running ipset.

Parameters:
  • simulate – If true, only prints the actions on the screen and does not execute them
  • setname – The name for the ipset
  • iptype – Type of ip addresses and set family (IPv4 -> inet, IPv6 -> inet6)
Returns:

Does not return anything. Prints output messages and error messages if any

bin.ipset_manager.extract_ips_from_ipset(set_name)

This function receives the name of an ipset currently active in the kernel, strips out the part of the listing that contains the ip addresses and creates a list of those ip addresses (along with the ports, if the ipset also contains ports).

Parameters:
  • set_name – Active kernel ipset
Returns:

A list with all the addresses inside this ipset, or nothing if the ipset is empty or does not exist

bin.ipset_manager.extract_ips_from_network_set(network_set, iptype)
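The listing step described above, as an added example that is not the project's own code: it parses the text that `ipset list <name>` prints (a constructed sample in the ipset 6.x layout is embedded) into the header fields and the member entries after the `Members:` line. The `list_ipset_members` wrapper assumes the `ipset` binary is on PATH and that the caller may list sets; it validates the set name and passes it as an argument vector rather than through a shell.

```python
import re
import subprocess

# Constructed sample of `ipset list <name>` output, not captured from a real host.
SAMPLE_LISTING = """Name: cern-dns-servers
Type: hash:ip,port
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 360
References: 1
Number of entries: 3
Members:
192.0.2.10,udp:53
192.0.2.11,udp:53
198.51.100.7,tcp:53
"""

# ipset set names are at most 31 characters; restrict the charset so the name
# can never be mistaken for an option or a second argument.
SET_NAME_RE = re.compile(r'^[A-Za-z0-9_.-]{1,31}$')


def parse_ipset_listing(listing):
    """Return (header, members) parsed from `ipset list` text.

    header maps the 'Key: value' lines before 'Members:' (Name, Type, Header, ...);
    members is the list of entries (ip, ip,port or net elements) that follow it.
    """
    header, members, in_members = {}, [], False
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_members:
            members.append(line)
        elif line == 'Members:':
            in_members = True
        elif ':' in line:
            key, _, value = line.partition(':')
            header[key.strip()] = value.strip()
    return header, members


def list_ipset_members(set_name):
    """Run `ipset list <set_name>` and return its members; [] when the set is
    empty, does not exist, or the command cannot be run."""
    if not SET_NAME_RE.match(set_name):
        raise ValueError('invalid ipset name: %r' % set_name)
    try:
        out = subprocess.check_output(['ipset', 'list', set_name],
                                      stderr=subprocess.STDOUT)
    except (OSError, subprocess.CalledProcessError):
        return []
    return parse_ipset_listing(out.decode('utf-8', 'replace'))[1]
```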

This function receives a list of host names and ip addresses and returns a list containing only the ip addresses.

Parameters:
  • network_set – List like machines[ [hostname, ipv4, ..., ipv6, ...], [hostname, ipv4, ..., ipv6, ...] ]
  • iptype – Define ip version (IPv4 or IPv6)
Returns:

A list of ip addresses

bin.ipset_manager.get_current_ipsets()

This function is used to get the ipsets currently running in memory and write them to a file.

Returns:

void

bin.ipset_manager.get_network_sets(set_names, iptype, username=None, password=None)

The function uses the ip_extraction.py python script to query the LanDB service by network set name and extract all the ip addresses of each machine inside that network set.

Parameters:
  • set_names – Network set names to be queried on LanDB
  • iptype – define the ip version to use (IPv4 or IPv6)
  • username – optional username for the LanDB service authentication
  • password – mandatory if you specify username for the LanDB service authentication
Returns:

String output containing all the ip addresses if they are successfully resolved

bin.ipset_manager.handle_custom_set(simulate, action, setname, iptype, settype, ips=None, hostnames=None, port=None, netgroup_net_list=None, generate_file=False, file_override=False, cmd=False)

This function handles the action to be performed based on the action provided by the user. The main role of this function is to call the appropriate end function that performs the task.

Parameters:
  • simulate – Flag passed on to the handling function
  • action – Action to be performed ( create, update, destroy )
  • setname – The name of set
  • iptype – IP type ( IPv4 or IPv6 )
  • settype – IPset type. Only the allowed sets
  • ips – Individual ips to be added or deleted from the ipset
  • hostnames – The hostnames of either single boxes or aliases (to be resolved via DNS) that will be added to the ipset
  • port – Port number if the set type contains port
  • netgroup_net_list – A list of CERN network set names to be added into the set
  • generate_file – Flag whether or not to generate ipset file
  • file_override – Flag whether or not to override ipset file
  • cmd – Flag to save the current ipset state if the script was called via the command line
Returns:

Does not return anything

bin.ipset_manager.handle_list_set(simul, action, set_name, set_names_list, generate_file=False)

This function is used to handle the operations on a list:set type ipset.

Parameters:
  • simul – Flag whether to only print the actions instead of executing them
  • action – the action to perform
  • set_name – name of the set
  • set_names_list – list of names of other existing ipsets to add
  • generate_file – Flag to write to the ipset generated file or not
Returns:

0 if ok or 1 if not ok

bin.ipset_manager.handle_netgroups_set(simulate, action, iptype, set_names, settype, port, custom_name=None, username=None, password=None, generate_file=False, file_override=False, cmd=False)

This function handles the action to be performed based on the action provided by the user. The main role of this function is to call the appropriate end function that performs the task.

Parameters:
  • simulate – Flag passed on to the handling function
  • action – Action to be performed ( create, update, destroy )
  • iptype – IP type ( IPv4 or IPv6 )
  • set_names – A list of CERN network set names on which the defined action will be performed
  • settype – IPset type. Only the allowed sets
  • port – Port number if the set type contains port
  • custom_name – Custom ipset name if the regular name is too long or if the user wants a shorter one
  • username – optional username for the LanDB service authentication
  • password – mandatory if you specify username for the LanDB service authentication
  • generate_file – Flag whether or not to generate ipset file
  • file_override – Flag whether or not to override ipset file
  • cmd – Flag to save the current ipset state if the script was called via the command line
Returns:

Does not return anything

bin.ipset_manager.ip_validation_check(ips, iptype, settype)

Check the validity of the given ip list.

Parameters:
  • ips – list of ip addresses provided
  • iptype – version of ip to check against
  • settype – determines whether this is a net set or a regular ip set
Returns:

True or False

bin.ipset_manager.ipset_manager(args=None, action=None, iptype=None, settype=None, port=None, setname=None, netgroup_networks=None, netgroup_set_list=None, hostnames=None, ips=None, simul=False, generate_file=False, file_override=False, set_names=None)

This function handles all the logic of running the script, both from the terminal and as a module.

Parameters:
  • args – Arguments if run from the terminal
  • action – action to perform
  • iptype – type of ip address
  • settype – type of ipset
  • port – port number, optionally prefixed with the protocol, e.g. udp:53
  • setname – custom name for the ipset
  • netgroup_networks – name of the netgroups networkset
  • netgroup_set_list – list of netgroups network sets to be added
  • hostnames – hostnames to resolve ips from
  • ips – ips to add
  • simul – simulate mode
  • generate_file – generate ipset file for use with ipset-restore
  • file_override – tell the script whether to override the ipset file
  • set_names – Names of existing sets to be added inside a list:set ipset
Returns:

0 if ok, 1 if error

bin.ipset_manager.main()

This is the main function. It parses the command line arguments and calls the appropriate function to handle the job.

Returns:

Does not return anything

bin.ipset_manager.save_current_ipset(simulate)

This function is used to save the ipset configuration currently in memory.

Parameters:
  • simulate – Flag to tell the method whether to actually save or just print the command
Returns:

void

bin.ipset_manager.update_ip_set(simulate, ips, set_name, ip_type, settype, port)

This function receives a list of ip addresses and tries to update a currently running ip set using the system “ipset” command.

Parameters:
  • simulate – If true, only prints the actions on the screen and does not execute them
  • ips – List with ip addresses (IPv4 or IPv6)
  • set_name – The name for the ipset
  • ip_type – Type of ip addresses and set family (IPv4 -> inet, IPv6 -> inet6)
  • settype – Type of the ip set
  • port – Port number if the ipset uses ports
Returns:

Does not return anything. Prints output messages and error messages if any

bin.ipset_manager.write_config_file(set_name, lines, override)

This function is used to write the generated ipset configuration to a file for use with the ipset restore command.

Parameters:
  • set_name – Name of an ipset
  • lines – IPset elements to add to the set, i.e. the IPs, the IPs with ports, or triplets
  • override – Flag to tell the function whether to write a new file or append to the existing one
Returns:

void
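An added example (Python 3, not the project's code) covering the two steps documented in ip_validation_check and write_config_file above: the entries are checked against the requested IP version and set type with the standard ipaddress module, and only a list that passes is turned into `ipset restore` input (a create line followed by add lines). The iptype values IPv4/IPv6, the set types hash:ip, hash:net and hash:ip,port, and the port spelling udp:53 follow the page; the file writer's override flag selects write versus append.

```python
import ipaddress

FAMILY = {'IPv4': ('inet', 4), 'IPv6': ('inet6', 6)}  # iptype -> (ipset family, version)
NET_SETTYPES = ('hash:net',)         # entries may be CIDR networks
PORT_SETTYPES = ('hash:ip,port',)    # entries are written as ip,proto:port


def validate_entries(ips, iptype, settype, port=None):
    """Return (ok, problems). ok is False if any entry was rejected.

    hash:net entries may be networks or hosts; other set types take single
    addresses only. Every entry must match the version implied by iptype."""
    if iptype not in FAMILY:
        return False, ['unknown iptype %r' % iptype]
    version, problems = FAMILY[iptype][1], []
    for ip in ips:
        try:
            if settype in NET_SETTYPES:
                obj = ipaddress.ip_network(ip, strict=False)
            else:
                obj = ipaddress.ip_address(ip)  # rejects CIDR for a plain ip set
        except ValueError:
            problems.append('%s: not a valid entry for %s' % (ip, settype))
            continue
        if obj.version != version:
            problems.append('%s: not an %s entry' % (ip, iptype))
    if settype in PORT_SETTYPES and not port:
        problems.append('settype %s requires a port' % settype)
    return not problems, problems


def restore_lines(set_name, ips, iptype, settype, port=None):
    """Build `ipset restore` input for one set; raises ValueError listing
    every rejected entry so nothing half-validated reaches the kernel."""
    ok, problems = validate_entries(ips, iptype, settype, port)
    if not ok:
        raise ValueError('; '.join(problems))
    lines = ['create %s %s family %s' % (set_name, settype, FAMILY[iptype][0])]
    for ip in ips:
        element = '%s,%s' % (ip, port) if settype in PORT_SETTYPES else ip
        lines.append('add %s %s' % (set_name, element))
    return lines


def write_restore_file(path, lines, override):
    """Write (override=True) or append (override=False) the lines to path."""
    with open(path, 'w' if override else 'a') as fh:
        fh.write('\n'.join(lines) + '\n')
    return len(lines)
```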