Posted to commits@vcl.apache.org by fa...@apache.org on 2014/09/09 20:40:57 UTC
svn commit: r1623867 - /vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm
Author: fapeeler
Date: Tue Sep 9 18:40:57 2014
New Revision: 1623867
URL: http://svn.apache.org/r1623867
Log:
VCL-753
Older versions of iptables do not accept a comma-separated list of source addresses, so each IP scope must be added as a separate INPUT rule.
This change splits new_scope into a list of scope strings and builds one iptables command per scope in the commands array.
Modified:
vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm
Modified: vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm
URL: http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm?rev=1623867&r1=1623866&r2=1623867&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm Tue Sep 9 18:40:57 2014
@@ -3612,28 +3612,32 @@ sub enable_firewall_port {
}
}
}
+
+ my @new_scope_list = split(/,/,$new_scope);
+
+ for my $scope_string (@new_scope_list) {
+ # Add the new rule to the array of iptables commands
+ my $new_rule_command;
+ $new_rule_command .= "/sbin/iptables -v -I INPUT 1";
+ $new_rule_command .= " -p $protocol";
+ $new_rule_command .= " -j ACCEPT";
+ $new_rule_command .= " -s $scope_string";
- # Add the new rule to the array of iptables commands
- my $new_rule_command;
- $new_rule_command .= "/sbin/iptables -v -I INPUT 1";
- $new_rule_command .= " -p $protocol";
- $new_rule_command .= " -j ACCEPT";
- $new_rule_command .= " -s $new_scope";
-
- if ($protocol =~ /icmp/i) {
- if ($port ne '255') {
- $new_rule_command .= " --icmp-type $port";
+ if ($protocol =~ /icmp/i) {
+ if ($port ne '255') {
+ $new_rule_command .= " --icmp-type $port";
+ }
}
- }
- else {
- $new_rule_command .= " -m state --state NEW,RELATED,ESTABLISHED";
+ else {
+ $new_rule_command .= " -m state --state NEW,RELATED,ESTABLISHED";
- if ($port =~ /^\d+$/) {
- $new_rule_command .= " -m $protocol --dport $port";
+ if ($port =~ /^\d+$/) {
+ $new_rule_command .= " -m $protocol --dport $port";
+ }
}
- }
- push @commands, $new_rule_command;
+ push @commands, $new_rule_command;
+ }
# Join the iptables commands together with ' && '
my $command = join(' && ', @commands);
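Review bot: Each element of `@new_scope_list` is interpolated unvalidated into a shell command line at the `-s $scope_string` line, and `split(/,/, $new_scope)` does no trimming, so a trailing comma or a blank entry produces `-s` with no argument and the whole `&&` chain fails after some rules were already inserted at `INPUT 1`. Before the commit a single `$new_scope` was interpolated the same way, but now that the value is split and looped it is cheap to trim each entry, skip empty ones, and refuse anything that is not IPv4 address/CIDR characters before any command is run — returning early keeps the rule set from being applied partially. Where `$new_scope` comes from is outside this hunk, so whether it can carry user-supplied text is not visible here; presumably it is built from reservation data above, which is exactly why a character allowlist at this point is worthwhile. `enable_firewall_port` begins before and continues after this hunk.
```perl
my @new_scope_list = split(/,/, $new_scope);

for my $scope_string (@new_scope_list) {
    # Trim surrounding whitespace and skip empty entries (e.g. a trailing comma)
    $scope_string =~ s/^\s+|\s+$//g;
    next unless length $scope_string;

    # Only IPv4 address/CIDR characters are acceptable: the value is interpolated
    # into a shell command below, so refuse anything else instead of running it
    if ($scope_string !~ /^[\d.\/]+$/) {
        notify($ERRORS{'WARNING'}, 0, "invalid scope '$scope_string' in scope list '$new_scope', firewall port not enabled on $computer_node_name");
        return;
    }

    # … unchanged: build $new_rule_command and push it onto @commands …
}
```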
@@ -3651,7 +3655,7 @@ sub enable_firewall_port {
return;
}
elsif ($exit_status == 0) {
- notify($ERRORS{'DEBUG'}, 0, "enabled firewall port on $computer_node_name, protocol: $protocol, port: $port, scope: $new_scope");
+ notify($ERRORS{'DEBUG'}, 0, "enabled firewall port on $computer_node_name, protocol: $protocol, port: $port, scope: $new_scope, command:\n$command");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to enable firewall port on $computer_node_name, protocol: $protocol, port: $port, scope: $new_scope, exit status: $exit_status, command:\n$command\noutput:\n" . join("\n", @$output));