Posted to commits@vcl.apache.org by ac...@apache.org on 2013/07/16 23:36:37 UTC
svn commit: r1503907 -
/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/Ubuntu.pm
Author: acoburn
Date: Tue Jul 16 21:36:37 2013
New Revision: 1503907
URL: http://svn.apache.org/r1503907
Log:
VCL-712
Added an ever-so-slightly modified `firewall_compare_update` subroutine (from OS::Linux) so that vcld checks for the ufw service instead of iptables
Modified:
vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/Ubuntu.pm
Modified: vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/Ubuntu.pm
URL: http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/Ubuntu.pm?rev=1503907&r1=1503906&r2=1503907&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/Ubuntu.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/Ubuntu.pm Tue Jul 16 21:36:37 2013
@@ -881,6 +881,99 @@ sub restart_network_interface {
#/////////////////////////////////////////////////////////////////////////////
+=head2 firewall_compare_update
+
+ Parameters : @scope_strings
+ Returns : 0 , 1
+ Description : Compare iptables for listed remote IP address in reservation
+
+=cut
+
+sub firewall_compare_update {
+ my $self = shift;
+ if (ref($self) !~ /linux/i) {
+ notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
+ return;
+ }
+
+ # Check to see if this distro has iptables
+ # If not return 1 so it does not fail
+ if (!($self->service_exists("ufw"))) {
+ notify($ERRORS{'WARNING'}, 0, "iptables does not exist on this OS");
+ return 1;
+ }
+
+ my $computer_node_name = $self->data->get_computer_node_name();
+ my $imagerevision_id = $self->data->get_imagerevision_id();
+ my $remote_ip = $self->data->get_reservation_remote_ip();
+
+ # collect connection_methods
+ # collect firewall_config
+ # For each port defined in connection_methods
+ # compare rule source address with remote_IP address
+
+ # Retrieve the connect method info hash
+ my $connect_method_info = get_connect_method_info($imagerevision_id);
+ if (!$connect_method_info) {
+ notify($ERRORS{'WARNING'}, 0, "no connect methods are configured for image revision $imagerevision_id");
+ return;
+ }
+
+ # Retrieve the firewall configuration
+ my $INPUT_CHAIN = "INPUT";
+ my $firewall_configuration = $self->get_firewall_configuration() || return;
+
+ for my $connect_method_id (sort keys %{$connect_method_info}) {
+
+ my $name = $connect_method_info->{$connect_method_id}{name};
+ my $description = $connect_method_info->{$connect_method_id}{description};
+ my $protocol = $connect_method_info->{$connect_method_id}{protocol} || 'TCP';
+ my $port = $connect_method_info->{$connect_method_id}{port};
+ my $scope;
+
+ $protocol = lc($protocol);
+
+ for my $num (sort keys %{$firewall_configuration->{$INPUT_CHAIN}}) {
+ my $existing_scope = $firewall_configuration->{$INPUT_CHAIN}{$num}{$protocol}{$port}{scope} || '';
+ if (!$existing_scope) {
+
+ }
+ else {
+ my $parsed_existing_scope = $self->parse_firewall_scope($existing_scope);
+ if (!$parsed_existing_scope) {
+ notify($ERRORS{'WARNING'}, 0, "failed to parse existing firewall scope: '$existing_scope'");
+ return;
+ }
+ $scope = $self->parse_firewall_scope("$remote_ip,$existing_scope");
+ if (!$scope) {
+ notify($ERRORS{'WARNING'}, 0, "failed to parse firewall scope argument appended with existing scope: '$remote_ip,$existing_scope'");
+ return;
+ }
+
+ if ($scope eq $parsed_existing_scope) {
+ notify($ERRORS{'DEBUG'}, 0, "firewall is already open on $computer_node_name, existing scope matches scope argument:\n" .
+ "name: '$name'\n" .
+ "protocol: $protocol\n" .
+ "port/type: $port\n" .
+ "scope: $scope\n"
+ );
+ return 1;
+ }
+ else {
+ if ($self->enable_firewall_port($protocol, $port, "$remote_ip/24", 0)) {
+ notify($ERRORS{'OK'}, 0, "opened firewall port $port on $computer_node_name for $remote_ip $name connect method");
+ }
+ }
+ }
+ }
+ }
+
+ return 1;
+}
+
+
+#/////////////////////////////////////////////////////////////////////////////
+
=head2 activate_interfaces
Parameters :
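Review bot: The `return 1;` inside the `$scope eq $parsed_existing_scope` branch exits the whole subroutine as soon as one connect method's port already matches, so any remaining entries of %$connect_method_info are never compared or opened; label the outer loop (`CONNECT_METHOD: for my $connect_method_id (sort keys %{$connect_method_info}) {`) and use `next CONNECT_METHOD;` there instead. The warning in the service check still reads `iptables does not exist on this OS` although the check is now for the ufw service, so it should say `ufw does not exist on this OS` (the `=head2` Description line has the same leftover wording). The empty `if (!$existing_scope) { }` branch at the top of the inner loop can be collapsed to `next unless $existing_scope;`. Note also that the scope compared (`"$remote_ip,$existing_scope"`) differs from the scope actually opened (`"$remote_ip/24"`), which grants the entire /24 rather than the single remote address and, unless parse_firewall_scope normalizes both to the same form, may keep re-adding rules on later calls; this appears to be inherited from OS::Linux, but the intended scope is worth confirming.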