authorSergey Poznyakoff <gray@gnu.org.ua>2015-11-19 15:03:47 +0200
committerSergey Poznyakoff <gray@gnu.org.ua>2015-11-19 15:06:33 +0200
commit0a3f8aae4a41c4aa8435214e235af509cd5f4435 (patch)
tree6b5e73c8ab74121123584dd2c62b80931d23a636
parentbedc4dc0057f4d713a4186e79d812f5e9552cfc2 (diff)
downloadeclat-0a3f8aae4a41c4aa8435214e235af509cd5f4435.tar.gz
eclat-0a3f8aae4a41c4aa8435214e235af509cd5f4435.tar.bz2
Add operations on egress rules for VPC security groups.
* src/sg-cl.opt: New options: --input (--ingress, -I), and --output (--egress, -O). * src/sg.c (command): const. * doc/eclat-sg.1: Document --input/--output modifiers. * TODO: Likewise. * etc/sg.fln: Add support for egress responses.
-rw-r--r--TODO4
-rw-r--r--doc/eclat-sg.135
-rw-r--r--etc/sg.fln10
-rw-r--r--src/sg-cl.opt32
-rw-r--r--src/sg.c2
5 files changed, 74 insertions, 9 deletions
diff --git a/TODO b/TODO
index 1a1686b..4fa62d9 100644
--- a/TODO
+++ b/TODO
@@ -14,13 +14,13 @@ AssociateAddress assocaddr [X] [X]
AssociateDhcpOptions - [ ] [ ]
AssociateRouteTable assocrtab [X] [ ]
AttachInternetGateway atigw [X] [ ]
AttachNetworkInterface - [ ] [ ]
AttachVolume atvol [X] [X]
AttachVpnGateway - [ ] [ ]
-AuthorizeSecurityGroupEgress - [ ] [ ]
+AuthorizeSecurityGroupEgress sg [X] [X]
AuthorizeSecurityGroupIngress sg [X] [X]
BundleInstance - [ ] [ ]
CancelBundleTask - [ ] [ ]
CancelConversionTask - [ ] [ ]
CancelExportTask - [ ] [ ]
CancelReservedInstancesListing - [ ] [ ]
@@ -143,13 +143,13 @@ ReplaceRouteTableAssociation - [ ] [ ]
ReportInstanceStatus - [ ] [ ]
RequestSpotInstances - [ ] [ ]
ResetImageAttribute - [ ] [ ]
ResetInstanceAttribute - [ ] [ ]
ResetNetworkInterfaceAttribute - [ ] [ ]
ResetSnapshotAttribute clrsattr [X] [X]
-RevokeSecurityGroupEgress - [ ] [ ]
+RevokeSecurityGroupEgress sg [X] [X]
RevokeSecurityGroupIngress sg [X] [X]
RunInstances mkinst [X] [X]
StartInstances start [X] [X]
StopInstances stop [X] [X]
TerminateInstances killinst [ ] [ ]
UnassignPrivateIpAddresses - [ ] [ ]
diff --git a/doc/eclat-sg.1 b/doc/eclat-sg.1
index 06a51cd..d60639b 100644
--- a/doc/eclat-sg.1
+++ b/doc/eclat-sg.1
@@ -10,19 +10,21 @@
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.\" GNU General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with Eclat. If not, see <http://www.gnu.org/licenses/>.
-.TH ECLAT-SG 1 "January 26, 2015" "ECLAT" "Eclat User Reference"
+.TH ECLAT-SG 1 "November 19, 2015" "ECLAT" "Eclat User Reference"
.SH NAME
eclat-sg \- manipulate security groups
.SH SYNOPSIS
.nh
.na
-\fBeclat sg\fR \fB\-A\fR|\fB\-D\fR|\fB\-\-add\fR|\fB\-\-delete\fR [\fB\-Nn\fR]\
+\fBeclat sg\fR\
+ [\fB\-\-input\fR|\fB\-\-ingress\fR|\fB\-I\fR|\fB\-\-output\fR|\fB\-\-egress\fR|\fB\-O\fR]\
+ \fB\-A\fR|\fB\-D\fR|\fB\-\-add\fR|\fB\-\-delete\fR [\fB\-Nn\fR]\
[\fB\-G\fR \fINAME\fR] [\fB\-P\fR \fIPORT\fR[\fB\-\fIPORT\fR]]\
[\fB\-g\fR \fIID\fR] [\fB\-p\fR \fIPROTO\fR] [\fB\-s\fR \fICIDR\fR]\
[\fB\-u\fR \fIUSER\fR] [\fB\-\-group\-id\fR=\fIID\fR]\
[\fB\-\-group\-name\fR=\fINAME\fR] [\fB\-\-name\fR]\
[\fB\-\-next\fR, \fB\-\-new\fR]\
[\fB\-\-port\fR=\fIPORT\fR[\fB\-\fIPORT\fR]] [\fB\-\-protocol\fr=\fIPROTO\fR]\
@@ -45,14 +47,14 @@ groups. When invoked with the \fB\-\-list\fR (\fB\-L\fR) argument, it
displays information about the given group, or all groups in the
account, if the \fIGROUP\fR argument is not provided. The argument is
either the group ID, or group name. In the latter case, the
\fB\-\-name\fR (\fB\-n\fR) option should be given.
.PP
When used with \fB\-\-add\fR (\fB\-A\fR) option, the command adds the
-rules to the security groups. The rules are described using the command
-line options. For example:
+rules to the security groups. The rules to add are
+described by the command line options that follow. For example:
.PP
.EX
.B eclat sg --add --proto tcp --port 22 --source 192.0.2.0/24 sg-01234567
.EE
.PP
This command adds to the security group \fBsg\-01234567\fR a rule
@@ -69,13 +71,38 @@ Several rules can be added in one invocation. The \fB\-\-next\fR
.B eclat sg --add --proto tcp --port 22 --source 192.0.2.0/24 --next \\\\
.B --proto icmp --source 192.0.2.0/24 sg-01234567
.EE
.PP
The \fB\-\-delete\fR (\fB\-D\fR) option deletes existing rules, which
are defined using the same syntax as described above.
+.PP
+By default, both \fB\-\-add\fR and \fB\-\-delete\fR operate on ingress
+rules. This can be changed by placing the \fB\-\-output\fR
+(\fB\-O\fR) option before them. The \fB\-\-output\fR option remains
+in effect for all options that follow it. The \fB\-\-input option
+cancels its effect.
+.PP
+The \fB\-\-list\fR (\fB\-L\fR) option instructs the program to list
+rules in the named security group. If no group is specified, all
+existing groups will be listed.
.SH OPTIONS
+.SS Modifiers
+.TP
+\fB\-\-input\fR, \fB\-\-ingress\fR, \fB\-I\fR
+Operate on the ingress rules.
+.TP
+\fB\-\-output\fR, \fB\-\-egress\fR, \fB\-O\fR
+Operate on the egress rules.
+.PP
+These modifiers apply to all \fB\-\-add\fR and \fB\-\-delete\fR
+options that follow them, until another modifier or end of line is
+encountered.
+.PP
+By default, \fB\-\-input\fR is assumed.
+.PP
+The \fB\-\-output\fR modifier is valid only for EC2-VPC.
.SS Commands
These options define the operation to be performed over the security
group. A valid invocation of the \fBsg\fR subcommand must contain
exactly one of these:
.TP
.BR \-A , \-\-add
diff --git a/etc/sg.fln b/etc/sg.fln
index 7050c3a..10dac18 100644
--- a/etc/sg.fln
+++ b/etc/sg.fln
@@ -21,8 +21,18 @@ if (.AuthorizeSecurityGroupIngressResponse.return) {
}
} else if (.RevokeSecurityGroupIngressResponse.return) {
if (!.RevokeSecurityGroupIngressResponse.return[true]) {
error("Return: ",.RevokeSecurityGroupIngressResponse.return,"\n");
exit(1);
}
+} else if (.AuthorizeSecurityGroupEgressResponse.return) {
+ if (!.AuthorizeSecurityGroupEgressResponse.return[true]) {
+ error("Return: ",.AuthorizeSecurityGroupEressResponse.return,"\n");
+ exit(1);
+ }
+} else if (.RevokeSecurityGroupEgressResponse.return) {
+ if (!.RevokeSecurityGroupEgressResponse.return[true]) {
+ error("Return: ",.RevokeSecurityGroupEgressResponse.return,"\n");
+ exit(1);
+ }
}
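Review bot: The error branch of the new `AuthorizeSecurityGroupEgressResponse` block misspells the node it reports: the `error(...)` call references `.AuthorizeSecurityGroupEressResponse.return` (missing the "g"), while the surrounding `if` tests `.AuthorizeSecurityGroupEgressResponse.return`. When an authorize-egress call fails, the diagnostic would therefore presumably print an empty value instead of the actual return status, which makes a rejected rule change harder to diagnose from the output. The fix is the one line `error("Return: ",.AuthorizeSecurityGroupEgressResponse.return,"\n");`, matching the spelling used in the revoke block directly below. The `if`/`else if` chain this hunk extends begins before the hunk.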
diff --git a/src/sg-cl.opt b/src/sg-cl.opt
index 6b223b2..a54192a 100644
--- a/src/sg-cl.opt
+++ b/src/sg-cl.opt
@@ -11,26 +11,54 @@
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with Eclat. If not, see <http://www.gnu.org/licenses/>. */
+#define DIR_INGRESS 0
+#define DIR_EGRESS 1
+
+static char const *authorize_comtab[] = {
+ "AuthorizeSecurityGroupIngress",
+ "AuthorizeSecurityGroupEgress"
+};
+static char const *revoke_comtab[] = {
+ "RevokeSecurityGroupIngress",
+ "RevokeSecurityGroupEgress"
+};
+static int direction = DIR_INGRESS;
+
ECLAT_CL_BEGIN([<modify ingress rules of a security group>],
[<[GROUPARG]>])
+GROUP(Direction)
+OPTION(input,I,,
+ [<input (ingress)>])
+ALIAS(ingress)
+BEGIN
+ direction = DIR_INGRESS;
+END
+
+OPTION(output,O,,
+ [<output (egress)>])
+ALIAS(egress)
+BEGIN
+ direction = DIR_EGRESS;
+END
+
GROUP(Commands)
OPTION(add,A,,
[<add rules>])
BEGIN
- command = "AuthorizeSecurityGroupIngress";
+ command = authorize_comtab[direction];
END
OPTION(delete,D,,
[<delete rules>])
BEGIN
- command = "RevokeSecurityGroupIngress";
+ command = revoke_comtab[direction];
END
OPTION(list,L,,
[<list rules>])
BEGIN
list_option = 1;
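Review bot: The `ECLAT_CL_BEGIN` description string still reads `[<modify ingress rules of a security group>]`, but with the new `--input`/`--output` modifiers the same command now also authorizes and revokes egress rules; the help text should say so, e.g. `[<modify ingress or egress rules of a security group>]`. Since `direction` is the only thing selecting which API operation `command` resolves to, and it is assigned solely from the two option handlers above, it would also read more clearly as `enum { DIR_INGRESS, DIR_EGRESS } direction = DIR_INGRESS;` in place of the two `#define`s, and the two command tables can be `static char const *const ...[]` so the operation names cannot be rebound at runtime. The `OPTION(list, ...)` handler continues past the end of the hunk.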
diff --git a/src/sg.c b/src/sg.c
index a1842c3..4ae0b60 100644
--- a/src/sg.c
+++ b/src/sg.c
@@ -23,13 +23,13 @@
struct groupkw groupkw[] = {
{ "GroupId", MAP_GROUPID },
{ "GroupName", MAP_GROUPNAME }
};
static struct ec2_request *request;
-static char *command;
+static char const *command;
static int list_option;
static int dest_n = GROUP_ID;
static char *proto = "tcp";
static int rule_n = 1;
static char *user;
