From 0a3f8aae4a41c4aa8435214e235af509cd5f4435 Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff
Date: Thu, 19 Nov 2015 15:03:47 +0200
Subject: Add operations on egress rules for VPC security groups.

* src/sg-cl.opt: New options: --input (--ingress, -I), and --output (--egress, -O).
* src/sg.c (command): const.
* doc/eclat-sg.1: Document --input/--output modifiers.
* TODO: Likewise.
* etc/sg.fln: Add support for egress responses.
---
 TODO | 4 ++--
 doc/eclat-sg.1 | 35 +++++++++++++++++++++++++++++++----
 etc/sg.fln | 10 ++++++++++
 src/sg-cl.opt | 32 ++++++++++++++++++++++++++++++--
 src/sg.c | 2 +-
 5 files changed, 74 insertions(+), 9 deletions(-)

diff --git a/TODO b/TODO
index 1a1686b..4fa62d9 100644
--- a/TODO
+++ b/TODO
@@ -17,7 +17,7 @@ AttachInternetGateway atigw [X] [ ]
 AttachNetworkInterface - [ ] [ ]
 AttachVolume atvol [X] [X]
 AttachVpnGateway - [ ] [ ]
-AuthorizeSecurityGroupEgress - [ ] [ ]
+AuthorizeSecurityGroupEgress sg [X] [X]
 AuthorizeSecurityGroupIngress sg [X] [X]
 BundleInstance - [ ] [ ]
 CancelBundleTask - [ ] [ ]
@@ -146,7 +146,7 @@ ResetImageAttribute - [ ] [ ]
 ResetInstanceAttribute - [ ] [ ]
 ResetNetworkInterfaceAttribute - [ ] [ ]
 ResetSnapshotAttribute clrsattr [X] [X]
-RevokeSecurityGroupEgress - [ ] [ ]
+RevokeSecurityGroupEgress sg [X] [X]
 RevokeSecurityGroupIngress sg [X] [X]
 RunInstances mkinst [X] [X]
 StartInstances start [X] [X]
diff --git a/doc/eclat-sg.1 b/doc/eclat-sg.1
index 06a51cd..d60639b 100644
--- a/doc/eclat-sg.1
+++ b/doc/eclat-sg.1
@@ -13,13 +13,15 @@
 .\"
 .\" You should have received a copy of the GNU General Public License
 .\" along with Eclat. If not, see .
-.TH ECLAT-SG 1 "January 26, 2015" "ECLAT" "Eclat User Reference"
+.TH ECLAT-SG 1 "November 19, 2015" "ECLAT" "Eclat User Reference"
 .SH NAME
 eclat-sg \- manipulate security groups
 .SH SYNOPSIS
 .nh
 .na
-\fBeclat sg\fR \fB\-A\fR|\fB\-D\fR|\fB\-\-add\fR|\fB\-\-delete\fR [\fB\-Nn\fR]\
+\fBeclat sg\fR\
+ [\fB\-\-input\fR|\fB\-\-ingress\fR|\fB\-I\fR|\fB\-\-output\fR|\fB\-\-egress\fR|\fB\-O\fR]\
+ \fB\-A\fR|\fB\-D\fR|\fB\-\-add\fR|\fB\-\-delete\fR [\fB\-Nn\fR]\
 [\fB\-G\fR \fINAME\fR] [\fB\-P\fR \fIPORT\fR[\fB\-\fIPORT\fR]]\
 [\fB\-g\fR \fIID\fR] [\fB\-p\fR \fIPROTO\fR] [\fB\-s\fR \fICIDR\fR]\
 [\fB\-u\fR \fIUSER\fR] [\fB\-\-group\-id\fR=\fIID\fR]\
@@ -48,8 +50,8 @@ either the group ID, or group name. In the latter case, the
 \fB\-\-name\fR (\fB\-n\fR) option should be given.
 .PP
 When used with \fB\-\-add\fR (\fB\-A\fR) option, the command adds the
-rules to the security groups. The rules are described using the command
-line options. For example:
+rules to the security groups. The rules to add are
+described by the command line options that follow. For example:
 .PP
 .EX
 .B eclat sg --add --proto tcp --port 22 --source 192.0.2.0/24 sg-01234567
@@ -72,7 +74,32 @@ Several rules can be added in one invocation. The \fB\-\-next\fR
 .PP
 The \fB\-\-delete\fR (\fB\-D\fR) option deletes existing rules, which are defined using the same syntax as described above.
+.PP
+By default, both \fB\-\-add\fR and \fB\-\-delete\fR operate on ingress
+rules. This can be changed by placing the \fB\-\-output\fR
+(\fB\-O\fR) option before them. The \fB\-\-output\fR option remains
+in effect for all options that follow it. The \fB\-\-input option
+cancels its effect.
+.PP
+The \fB\-\-list\fR (\fB\-L\fR) option instructs the program to list
+rules in the named security group. If no group is specified, all
+existing groups will be listed.
 .SH OPTIONS
+.SS Modifiers
+.TP
+\fB\-\-input\fR, \fB\-\-ingress\fR, \fB\-I\fR
+Operate on the ingress rules.
+.TP
+\fB\-\-output\fR, \fB\-\-egress\fR, \fB\-O\fR
+Operate on the egress rules.
+.PP
+These modifiers apply to all \fB\-\-add\fR and \fB\-\-delete\fR
+options that follow them, until another modifier or end of line is
+encountered.
+.PP
+By default, \fB\-\-input\fR is assumed.
+.PP
+The \fB\-\-output\fR modifier is valid only for EC2-VPC.
 .SS Commands
 These options define the operation to be performed over the security group. A valid invocation of the \fBsg\fR subcommand must contain
diff --git a/etc/sg.fln b/etc/sg.fln
index 7050c3a..10dac18 100644
--- a/etc/sg.fln
+++ b/etc/sg.fln
@@ -24,5 +24,15 @@ if (.AuthorizeSecurityGroupIngressResponse.return) {
 error("Return: ",.RevokeSecurityGroupIngressResponse.return,"\n");
 exit(1);
 }
+} else if (.AuthorizeSecurityGroupEgressResponse.return) {
+ if (!.AuthorizeSecurityGroupEgressResponse.return[true]) {
+ error("Return: ",.AuthorizeSecurityGroupEressResponse.return,"\n");
+ exit(1);
+ }
+} else if (.RevokeSecurityGroupEgressResponse.return) {
+ if (!.RevokeSecurityGroupEgressResponse.return[true]) {
+ error("Return: ",.RevokeSecurityGroupEgressResponse.return,"\n");
+ exit(1);
+ }
 }
 
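Review bot: The diagnostic in the new AuthorizeSecurityGroupEgress branch reads `.AuthorizeSecurityGroupEressResponse.return` (the `g` is missing), so when an egress authorization is rejected the error line names a node that does not exist instead of printing the API's actual return value, and the operator loses the one piece of evidence needed to audit why the rule change failed; the line should read `error("Return: ",.AuthorizeSecurityGroupEgressResponse.return,"\n");`. The two egress branches otherwise mirror the ingress ones line for line, which is fine, but the copy is exactly where a check of every node name against the response element it sits under would have caught this. The `if`/`else if` chain these branches extend begins before the hunk, so the first `}` on the new side closes a block that is not visible here.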
diff --git a/src/sg-cl.opt b/src/sg-cl.opt
index 6b223b2..a54192a 100644
--- a/src/sg-cl.opt
+++ b/src/sg-cl.opt
@@ -14,20 +14,48 @@ You should have received a copy of the GNU General Public License
 along with Eclat. If not, see . */
+#define DIR_INGRESS 0
+#define DIR_EGRESS 1
+
+static char const *authorize_comtab[] = {
+ "AuthorizeSecurityGroupIngress",
+ "AuthorizeSecurityGroupEgress"
+};
+static char const *revoke_comtab[] = {
+ "RevokeSecurityGroupIngress",
+ "RevokeSecurityGroupEgress"
+};
+static int direction = DIR_INGRESS;
+
 ECLAT_CL_BEGIN([], [<[GROUPARG]>])
+GROUP(Direction)
+OPTION(input,I,,
+ [])
+ALIAS(ingress)
+BEGIN
+ direction = DIR_INGRESS;
+END
+
+OPTION(output,O,,
+ [])
+ALIAS(egress)
+BEGIN
+ direction = DIR_EGRESS;
+END
+
 GROUP(Commands)
 OPTION(add,A,,
 [])
 BEGIN
- command = "AuthorizeSecurityGroupIngress";
+ command = authorize_comtab[direction];
 END
 OPTION(delete,D,,
 [])
 BEGIN
- command = "RevokeSecurityGroupIngress";
+ command = revoke_comtab[direction];
 END
 OPTION(list,L,,
diff --git a/src/sg.c b/src/sg.c
index a1842c3..4ae0b60 100644
--- a/src/sg.c
+++ b/src/sg.c
@@ -26,7 +26,7 @@ struct groupkw groupkw[] = {
 };
 static struct ec2_request *request;
-static char *command;
+static char const *command;
 static int list_option;
 static int dest_n = GROUP_ID;
 static char *proto = "tcp";
-- 
cgit v1.2.1
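Review bot: `direction` is file-scope mutable state that the `--input`/`--output` handlers set and the `--add`/`--delete` handlers read while the command line is being parsed, so a single `--output` silently changes the meaning of every later `--add`/`--delete` in the same invocation; the manual page in this commit documents that stickiness but the code does not, so the declaration deserves a comment such as `/* Index into authorize_comtab/revoke_comtab: set by --input/--output, read by the --add/--delete handlers that follow it; stays in effect until the next modifier. */`. The two `#define`s are an index pair that must stay aligned with both tables, which `enum { DIR_INGRESS, DIR_EGRESS };` expresses better than two macros and keeps visible in a debugger. The manual also states that `--output` is valid only for EC2-VPC, yet nothing in the option table rejects it elsewhere, so an egress request on EC2-Classic is sent and fails only in the API response — presumably acceptable, but worth noting at `OPTION(output,O,,`. The option block continues past the hunk (`OPTION(list,L,,` is cut) and `command` is declared in src/sg.c.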