author | Sergey Poznyakoff <gray@gnu.org.ua> | 2015-11-19 15:03:47 +0200 |
---|---|---|
committer | Sergey Poznyakoff <gray@gnu.org.ua> | 2015-11-19 15:06:33 +0200 |
commit | 0a3f8aae4a41c4aa8435214e235af509cd5f4435 (patch) | |
tree | 6b5e73c8ab74121123584dd2c62b80931d23a636 | |
parent | bedc4dc0057f4d713a4186e79d812f5e9552cfc2 (diff) | |
Add operations on egress rules for VPC security groups.
* src/sg-cl.opt: New options: --input (--ingress, -I), and
--output (--egress, -O).
* src/sg.c (command): const.
* doc/eclat-sg.1: Document --input/--output modifiers.
* TODO: Likewise.
* etc/sg.fln: Add support for egress responses.
-rw-r--r-- | TODO | 4 | ||||
-rw-r--r-- | doc/eclat-sg.1 | 35 | ||||
-rw-r--r-- | etc/sg.fln | 10 | ||||
-rw-r--r-- | src/sg-cl.opt | 32 | ||||
-rw-r--r-- | src/sg.c | 2 |
5 files changed, 74 insertions, 9 deletions
@@ -14,13 +14,13 @@ AssociateAddress assocaddr [X] [X]
 AssociateDhcpOptions - [ ] [ ]
 AssociateRouteTable assocrtab [X] [ ]
 AttachInternetGateway atigw [X] [ ]
 AttachNetworkInterface - [ ] [ ]
 AttachVolume atvol [X] [X]
 AttachVpnGateway - [ ] [ ]
-AuthorizeSecurityGroupEgress - [ ] [ ]
+AuthorizeSecurityGroupEgress sg [X] [X]
 AuthorizeSecurityGroupIngress sg [X] [X]
 BundleInstance - [ ] [ ]
 CancelBundleTask - [ ] [ ]
 CancelConversionTask - [ ] [ ]
 CancelExportTask - [ ] [ ]
 CancelReservedInstancesListing - [ ] [ ]
@@ -143,13 +143,13 @@ ReplaceRouteTableAssociation - [ ] [ ]
 ReportInstanceStatus - [ ] [ ]
 RequestSpotInstances - [ ] [ ]
 ResetImageAttribute - [ ] [ ]
 ResetInstanceAttribute - [ ] [ ]
 ResetNetworkInterfaceAttribute - [ ] [ ]
 ResetSnapshotAttribute clrsattr [X] [X]
-RevokeSecurityGroupEgress - [ ] [ ]
+RevokeSecurityGroupEgress sg [X] [X]
 RevokeSecurityGroupIngress sg [X] [X]
 RunInstances mkinst [X] [X]
 StartInstances start [X] [X]
 StopInstances stop [X] [X]
 TerminateInstances killinst [ ] [ ]
 UnassignPrivateIpAddresses - [ ] [ ]
diff --git a/doc/eclat-sg.1 b/doc/eclat-sg.1
index 06a51cd..d60639b 100644
--- a/doc/eclat-sg.1
+++ b/doc/eclat-sg.1
@@ -10,19 +10,21 @@ .\" but WITHOUT ANY WARRANTY; without even the implied warranty of .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the .\" GNU General Public License for more details. .\" .\" You should have received a copy of the GNU General Public License .\" along with Eclat. If not, see <http://www.gnu.org/licenses/>. -.TH ECLAT-SG 1 "January 26, 2015" "ECLAT" "Eclat User Reference" +.TH ECLAT-SG 1 "November 19, 2015" "ECLAT" "Eclat User Reference" .SH NAME eclat-sg \- manipulate security groups .SH SYNOPSIS .nh .na -\fBeclat sg\fR \fB\-A\fR|\fB\-D\fR|\fB\-\-add\fR|\fB\-\-delete\fR [\fB\-Nn\fR]\ +\fBeclat sg\fR\ + [\fB\-\-input\fR|\fB\-\-ingress\fR|\fB\-I\fR|\fB\-\-output\fR|\fB\-\-egress\fR|\fB\-O\fR]\ + \fB\-A\fR|\fB\-D\fR|\fB\-\-add\fR|\fB\-\-delete\fR [\fB\-Nn\fR]\ [\fB\-G\fR \fINAME\fR] [\fB\-P\fR \fIPORT\fR[\fB\-\fIPORT\fR]]\ [\fB\-g\fR \fIID\fR] [\fB\-p\fR \fIPROTO\fR] [\fB\-s\fR \fICIDR\fR]\ [\fB\-u\fR \fIUSER\fR] [\fB\-\-group\-id\fR=\fIID\fR]\ [\fB\-\-group\-name\fR=\fINAME\fR] [\fB\-\-name\fR]\ [\fB\-\-next\fR, \fB\-\-new\fR]\ [\fB\-\-port\fR=\fIPORT\fR[\fB\-\fIPORT\fR]] [\fB\-\-protocol\fr=\fIPROTO\fR]\ @@ -45,14 +47,14 @@ groups. When invoked with the \fB\-\-list\fR (\fB\-L\fR) argument, it displays information about the given group, or all groups in the account, if the \fIGROUP\fR argument is not provided. The argument is either the group ID, or group name. In the latter case, the \fB\-\-name\fR (\fB\-n\fR) option should be given. .PP When used with \fB\-\-add\fR (\fB\-A\fR) option, the command adds the -rules to the security groups. The rules are described using the command -line options. For example: +rules to the security groups. The rules to add are +described by the command line options that follow. For example: .PP .EX .B eclat sg --add --proto tcp --port 22 --source 192.0.2.0/24 sg-01234567 .EE .PP This command adds to the security group \fBsg\-01234567\fR a rule 
@@ -69,13 +71,38 @@ Several rules can be added in one invocation. The \fB\-\-next\fR .B eclat sg --add --proto tcp --port 22 --source 192.0.2.0/24 --next \\\\ .B --proto icmp --source 192.0.2.0/24 sg-01234567 .EE .PP The \fB\-\-delete\fR (\fB\-D\fR) option deletes existing rules, which are defined using the same syntax as described above. +.PP +By default, both \fB\-\-add\fR and \fB\-\-delete\fR operate on ingress +rules. This can be changed by placing the \fB\-\-output\fR +(\fB\-O\fR) option before them. The \fB\-\-output\fR option remains +in effect for all options that follow it. The \fB\-\-input option +cancels its effect. +.PP +The \fB\-\-list\fR (\fB\-L\fR) option instructs the program to list +rules in the named security group. If no group is specified, all +existing groups will be listed. .SH OPTIONS +.SS Modifiers +.TP +\fB\-\-input\fR, \fB\-\-ingress\fR, \fB\-I\fR +Operate on the ingress rules. +.TP +\fB\-\-output\fR, \fB\-\-egress\fR, \fB\-O\fR +Operate on the egress rules. +.PP +These modifiers apply to all \fB\-\-add\fR and \fB\-\-delete\fR +options that follow them, until another modifier or end of line is +encountered. +.PP +By default, \fB\-\-input\fR is assumed. +.PP +The \fB\-\-output\fR modifier is valid only for EC2-VPC. .SS Commands These options define the operation to be performed over the security group. A valid invocation of the \fBsg\fR subcommand must contain exactly one of these: .TP .BR \-A , \-\-add 
@@ -21,8 +21,18 @@ if (.AuthorizeSecurityGroupIngressResponse.return) { } } else if (.RevokeSecurityGroupIngressResponse.return) { if (!.RevokeSecurityGroupIngressResponse.return[true]) { error("Return: ",.RevokeSecurityGroupIngressResponse.return,"\n"); exit(1); } +} else if (.AuthorizeSecurityGroupEgressResponse.return) { + if (!.AuthorizeSecurityGroupEgressResponse.return[true]) { + error("Return: ",.AuthorizeSecurityGroupEressResponse.return,"\n"); + exit(1); + } +} else if (.RevokeSecurityGroupEgressResponse.return) { + if (!.RevokeSecurityGroupEgressResponse.return[true]) { + error("Return: ",.RevokeSecurityGroupEgressResponse.return,"\n"); + exit(1); + } } diff --git a/src/sg-cl.opt b/src/sg-cl.opt index 6b223b2..a54192a 100644 --- a/src/sg-cl.opt +++ b/src/sg-cl.opt @@ -11,26 +11,54 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with Eclat. If not, see <http://www.gnu.org/licenses/>. */ +#define DIR_INGRESS 0 +#define DIR_EGRESS 1 + +static char const *authorize_comtab[] = { + "AuthorizeSecurityGroupIngress", + "AuthorizeSecurityGroupEgress" +}; +static char const *revoke_comtab[] = { + "RevokeSecurityGroupIngress", + "RevokeSecurityGroupEgress" +}; +static int direction = DIR_INGRESS; + ECLAT_CL_BEGIN([<modify ingress rules of a security group>], [<[GROUPARG]>]) +GROUP(Direction) +OPTION(input,I,, + [<input (ingress)>]) +ALIAS(ingress) +BEGIN + direction = DIR_INGRESS; +END + +OPTION(output,O,, + [<output (egress)>]) +ALIAS(egress) +BEGIN + direction = DIR_EGRESS; +END + GROUP(Commands) OPTION(add,A,, [<add rules>]) BEGIN - command = "AuthorizeSecurityGroupIngress"; + command = authorize_comtab[direction]; END OPTION(delete,D,, [<delete rules>]) BEGIN - command = "RevokeSecurityGroupIngress"; + command = revoke_comtab[direction]; END OPTION(list,L,, [<list rules>]) BEGIN list_option = 1; 
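Review bot: The diagnostic in the new AuthorizeSecurityGroupEgress branch references `.AuthorizeSecurityGroupEressResponse.return` (the "g" is missing), while the condition one line above uses the correct node name, so on a non-true return the message is presumably printed with an empty or wrong value instead of the API's return string. The line should read `error("Return: ",.AuthorizeSecurityGroupEgressResponse.return,"\n");`, matching the three sibling branches. The `exit(1)` still fires, so the failure is not masked, but the operator loses the reason an egress authorization was refused. The enclosing if/else chain starts before the hunk.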
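Review bot: The ECLAT_CL_BEGIN description `[<modify ingress rules of a security group>]` is left untouched while the hunk adds egress handling, so the generated usage text still claims the command only touches ingress rules; change it to `[<modify ingress or egress rules of a security group>]`. Note also that `direction` is consumed at the moment `--add`/`--delete` is parsed (`command = authorize_comtab[direction];`), so an `-O` placed after `-D` silently revokes the ingress rule matching the given spec rather than the egress one; the man page documents the ordering requirement, but a diagnostic when a modifier follows the command, or resolving the direction once parsing is complete, would keep a misplaced flag from changing the wrong rule set. The man page also states `--output` is valid only for EC2-VPC, and nothing in this hunk checks that, so presumably the API error is the only feedback for an EC2-Classic group.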
@@ -23,13 +23,13 @@ struct groupkw groupkw[] = { { "GroupId", MAP_GROUPID }, { "GroupName", MAP_GROUPNAME } }; static struct ec2_request *request; -static char *command; +static char const *command; static int list_option; static int dest_n = GROUP_ID; static char *proto = "tcp"; static int rule_n = 1; static char *user; |