Posted to commits@vcl.apache.org by ac...@apache.org on 2013/07/16 23:36:37 UTC

svn commit: r1503907 - /vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/Ubuntu.pm

Author: acoburn
Date: Tue Jul 16 21:36:37 2013
New Revision: 1503907

URL: http://svn.apache.org/r1503907
Log:
VCL-712

Added an ever-so-slightly modified `firewall_compare_update` subroutine (from OS::Linux) so that vcld checks for the ufw service instead of iptables


Modified:
    vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/Ubuntu.pm

Modified: vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/Ubuntu.pm
URL: http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/Ubuntu.pm?rev=1503907&r1=1503906&r2=1503907&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/Ubuntu.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/Ubuntu.pm Tue Jul 16 21:36:37 2013
@@ -881,6 +881,99 @@ sub restart_network_interface {
 
 #/////////////////////////////////////////////////////////////////////////////
 
+=head2 firewall_compare_update
+
+ Parameters  : @scope_strings
+ Returns     : 0 , 1
+ Description : Compare iptables for listed remote IP address in reservation
+
+=cut
+
+sub firewall_compare_update {
+	my $self = shift;
+	if (ref($self) !~ /linux/i) {
+		notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
+		return;
+	}
+	
+	# Check to see if this distro has iptables
+	# If not return 1 so it does not fail
+	if (!($self->service_exists("ufw"))) {
+		notify($ERRORS{'WARNING'}, 0, "iptables does not exist on this OS");
+		return 1;
+	}
+	
+	my $computer_node_name = $self->data->get_computer_node_name();
+	my $imagerevision_id   = $self->data->get_imagerevision_id();
+	my $remote_ip          = $self->data->get_reservation_remote_ip();
+	
+	# collect connection_methods
+	# collect firewall_config
+	# For each port defined in connection_methods
+	# compare rule source address with remote_IP address
+	
+	# Retrieve the connect method info hash
+	my $connect_method_info = get_connect_method_info($imagerevision_id);
+	if (!$connect_method_info) {
+		notify($ERRORS{'WARNING'}, 0, "no connect methods are configured for image revision $imagerevision_id");
+		return;
+	}
+	
+	# Retrieve the firewall configuration
+	my $INPUT_CHAIN = "INPUT";
+	my $firewall_configuration = $self->get_firewall_configuration() || return;
+	
+	for my $connect_method_id (sort keys %{$connect_method_info}) {
+		
+		my $name        = $connect_method_info->{$connect_method_id}{name};
+		my $description = $connect_method_info->{$connect_method_id}{description};
+		my $protocol    = $connect_method_info->{$connect_method_id}{protocol} || 'TCP';
+		my $port        = $connect_method_info->{$connect_method_id}{port};
+		my $scope;
+		
+		$protocol = lc($protocol);
+		
+		for my $num (sort keys %{$firewall_configuration->{$INPUT_CHAIN}}) {
+			my $existing_scope = $firewall_configuration->{$INPUT_CHAIN}{$num}{$protocol}{$port}{scope} || '';
+			if (!$existing_scope) {
+			
+			}
+			else {
+				my $parsed_existing_scope = $self->parse_firewall_scope($existing_scope);
+				if (!$parsed_existing_scope) {
+					notify($ERRORS{'WARNING'}, 0, "failed to parse existing firewall scope: '$existing_scope'");
+					return;
+				}
+				$scope = $self->parse_firewall_scope("$remote_ip,$existing_scope");
+				if (!$scope) {
+					notify($ERRORS{'WARNING'}, 0, "failed to parse firewall scope argument appended with existing scope: '$remote_ip,$existing_scope'");
+					return;
+				}
+			
+				if ($scope eq $parsed_existing_scope) {
+					notify($ERRORS{'DEBUG'}, 0, "firewall is already open on $computer_node_name, existing scope matches scope argument:\n" .
+						"name: '$name'\n" .
+						"protocol: $protocol\n" .
+						"port/type: $port\n" .
+						"scope: $scope\n"
+					);
+					return 1;
+				}
+				else {
+					if ($self->enable_firewall_port($protocol, $port, "$remote_ip/24", 0)) {
+						notify($ERRORS{'OK'}, 0, "opened firewall port $port on $computer_node_name for $remote_ip $name connect method");
+					}
+				}
+			}
+		}
+	}
+	
+	return 1;
+}
+
+
+#/////////////////////////////////////////////////////////////////////////////
+
 =head2 activate_interfaces
 
  Parameters  :
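Review bot: The rule added at `$self->enable_firewall_port($protocol, $port, "$remote_ip/24", 0)` opens the port to the whole /24 around the reservation's remote IP rather than to that address alone, so every other host in that subnet gets the same access; unless the /24 is deliberate (the comparison a few lines earlier is made against `$remote_ip`, not the subnet), pass `$remote_ip` and add a comment stating why a wider scope is wanted. The `if (!($self->service_exists("ufw")))` guard still logs `"iptables does not exist on this OS"` and the comment above it still says iptables, so the message should read `"ufw does not exist on this OS"` and the comment `# Check to see if this distro has ufw`. The empty `if (!$existing_scope) { }` branch would be clearer as `next if !$existing_scope;`, dropping the `else`. When `enable_firewall_port` returns false the function logs nothing and still returns 1, so an `else` branch such as `notify($ERRORS{'WARNING'}, 0, "failed to open firewall port $port on $computer_node_name for $remote_ip");` would keep the failure visible to the caller's log.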