Posted to commits@vcl.apache.org by fa...@apache.org on 2014/09/09 20:40:57 UTC

svn commit: r1623867 - /vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm

Author: fapeeler
Date: Tue Sep  9 18:40:57 2014
New Revision: 1623867

URL: http://svn.apache.org/r1623867
Log:
VCL-753

Due to older versions of iptables, we need to add each IP scope as a separate INPUT rule.

This mod splits new_scope into a scope array and then builds the commands array.

Modified:
    vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm

Modified: vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm
URL: http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm?rev=1623867&r1=1623866&r2=1623867&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm Tue Sep  9 18:40:57 2014
@@ -3612,28 +3612,32 @@ sub enable_firewall_port {
 			}
 		}
 	}
+
+	my @new_scope_list = split(/,/,$new_scope);
+	
+	for my $scope_string (@new_scope_list) {
+		# Add the new rule to the array of iptables commands
+		my $new_rule_command;
+		$new_rule_command .= "/sbin/iptables -v -I INPUT 1";
+		$new_rule_command .= " -p $protocol";
+		$new_rule_command .= " -j ACCEPT";
+		$new_rule_command .= " -s $scope_string";
 	
-	# Add the new rule to the array of iptables commands
-	my $new_rule_command;
-	$new_rule_command .= "/sbin/iptables -v -I INPUT 1";
-	$new_rule_command .= " -p $protocol";
-	$new_rule_command .= " -j ACCEPT";
-	$new_rule_command .= " -s $new_scope";
-	
-	if ($protocol =~ /icmp/i) {
-		if ($port ne '255') {
-			$new_rule_command .= "  --icmp-type $port";
+		if ($protocol =~ /icmp/i) {
+			if ($port ne '255') {
+				$new_rule_command .= "  --icmp-type $port";
+			}
 		}
-	}
-	else {
-		$new_rule_command .= " -m state --state NEW,RELATED,ESTABLISHED";
+		else {
+			$new_rule_command .= " -m state --state NEW,RELATED,ESTABLISHED";
 		
-		if ($port =~ /^\d+$/) {
-			$new_rule_command .= " -m $protocol --dport $port";
+			if ($port =~ /^\d+$/) {
+				$new_rule_command .= " -m $protocol --dport $port";
+			}
 		}
-	}
 	
-	push @commands, $new_rule_command;
+		push @commands, $new_rule_command;
+	}
 	
 	# Join the iptables commands together with ' && '
 	my $command = join(' && ', @commands);
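Review bot: Each `$scope_string` produced by `split(/,/,$new_scope)` is interpolated directly into the `/sbin/iptables` command string in the new `for` loop without any check. An empty element (from a doubled or leading comma) leaves `-s` without a usable argument, and because the commands are joined with ` && `, the rules built before the failing one would already be inserted when the chain stops. If `$new_scope` can ever carry anything other than addresses, shell metacharacters would also reach the command line; whether it is validated earlier in `enable_firewall_port` is not visible, since the sub starts and ends outside this hunk. I would trim and check each entry before building the rule, e.g. `$scope_string =~ s/^\s+|\s+$//g;` followed by `next unless $scope_string =~ m{^[0-9./]+$};`.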
@@ -3651,7 +3655,7 @@ sub enable_firewall_port {
 		return;
 	}
 	elsif ($exit_status == 0) {
-		notify($ERRORS{'DEBUG'}, 0, "enabled firewall port on $computer_node_name, protocol: $protocol, port: $port, scope: $new_scope");
+		notify($ERRORS{'DEBUG'}, 0, "enabled firewall port on $computer_node_name, protocol: $protocol, port: $port, scope: $new_scope, command:\n$command");
 	}
 	else {
 		notify($ERRORS{'WARNING'}, 0, "failed to enable firewall port on $computer_node_name, protocol: $protocol, port: $port, scope: $new_scope, exit status: $exit_status, command:\n$command\noutput:\n" . join("\n", @$output));