Author: acoburn
Date: Tue Jul 16 21:36:37 2013
New Revision: 1503907
URL: http://svn.apache.org/r1503907
Log:
VCL-712
Added an ever-so-slightly modified `firewall_compare_update` subroutine (from
OS::Linux) so that vcld checks for the ufw service instead of iptables
Modified:
vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/Ubuntu.pm
Modified: vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/Ubuntu.pm
URL:
http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/Ubuntu.pm?rev=1503907&r1=1503906&r2=1503907&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/Ubuntu.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/Ubuntu.pm Tue Jul 16
21:36:37 2013
@@ -881,6 +881,99 @@ sub restart_network_interface {
#/////////////////////////////////////////////////////////////////////////////
+=head2 firewall_compare_update
+
+ Parameters : @scope_strings
+ Returns : 0 , 1
+ Description : Compare iptables for listed remote IP address in reservation
+
+=cut
+
+sub firewall_compare_update {
+ my $self = shift;
+ if (ref($self) !~ /linux/i) {
+ notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a
function, it must be called as a class method");
+ return;
+ }
+
+ # Check to see if this distro has iptables
+ # If not return 1 so it does not fail
+ if (!($self->service_exists("ufw"))) {
+ notify($ERRORS{'WARNING'}, 0, "iptables does not exist on this
OS");
+ return 1;
+ }
+
+ my $computer_node_name = $self->data->get_computer_node_name();
+ my $imagerevision_id = $self->data->get_imagerevision_id();
+ my $remote_ip = $self->data->get_reservation_remote_ip();
+
+ # collect connection_methods
+ # collect firewall_config
+ # For each port defined in connection_methods
+ # compare rule source address with remote_IP address
+
+ # Retrieve the connect method info hash
+ my $connect_method_info = get_connect_method_info($imagerevision_id);
+ if (!$connect_method_info) {
+ notify($ERRORS{'WARNING'}, 0, "no connect methods are
configured for image revision $imagerevision_id");
+ return;
+ }
+
+ # Retrieve the firewall configuration
+ my $INPUT_CHAIN = "INPUT";
+ my $firewall_configuration = $self->get_firewall_configuration() ||
return;
+
+ for my $connect_method_id (sort keys %{$connect_method_info}) {
+
+ my $name =
$connect_method_info->{$connect_method_id}{name};
+ my $description =
$connect_method_info->{$connect_method_id}{description};
+ my $protocol =
$connect_method_info->{$connect_method_id}{protocol} || 'TCP';
+ my $port =
$connect_method_info->{$connect_method_id}{port};
+ my $scope;
+
+ $protocol = lc($protocol);
+
+ for my $num (sort keys
%{$firewall_configuration->{$INPUT_CHAIN}}) {
+ my $existing_scope =
$firewall_configuration->{$INPUT_CHAIN}{$num}{$protocol}{$port}{scope} || '';
+ if (!$existing_scope) {
+
+ }
+ else {
+ my $parsed_existing_scope =
$self->parse_firewall_scope($existing_scope);
+ if (!$parsed_existing_scope) {
+ notify($ERRORS{'WARNING'}, 0, "failed
to parse existing firewall scope: '$existing_scope'");
+ return;
+ }
+ $scope =
$self->parse_firewall_scope("$remote_ip,$existing_scope");
+ if (!$scope) {
+ notify($ERRORS{'WARNING'}, 0, "failed
to parse firewall scope argument appended with existing scope:
'$remote_ip,$existing_scope'");
+ return;
+ }
+
+ if ($scope eq $parsed_existing_scope) {
+ notify($ERRORS{'DEBUG'}, 0, "firewall
is already open on $computer_node_name, existing scope matches scope
argument:\n" .
+ "name: '$name'\n" .
+ "protocol: $protocol\n" .
+ "port/type: $port\n" .
+ "scope: $scope\n"
+ );
+ return 1;
+ }
+ else {
+ if
($self->enable_firewall_port($protocol, $port, "$remote_ip/24", 0)) {
+ notify($ERRORS{'OK'}, 0,
"opened firewall port $port on $computer_node_name for $remote_ip $name connect
method");
+ }
+ }
+ }
+ }
+ }
+
+ return 1;
+}
+
+
+#/////////////////////////////////////////////////////////////////////////////
+
=head2 activate_interfaces
Parameters :
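Review bot: The `enable_firewall_port($protocol, $port, "$remote_ip/24", 0)` call in the inner `else` branch opens the connect-method port to the whole /24 around the reservation's remote address, while the comparison just above merges only `$remote_ip` into the existing scope, so the rule written is wider than the one checked. If the wider range is not intended, pass the single address, `if ($self->enable_firewall_port($protocol, $port, $remote_ip, 0)) {` (presumably accepted, since `parse_firewall_scope` is given the bare address a few lines earlier); if it is intended, a comment next to the call should say why. That `if` has no `else`, so a failed `enable_firewall_port` is not logged and the subroutine still falls through to `return 1`; a `notify($ERRORS{'WARNING'}, 0, ...)` followed by `return;` would make the failure visible to the caller. `$remote_ip` is also interpolated without checking that `get_reservation_remote_ip()` returned a value, so an empty result would produce the scope string `/24`. Separately, the POD description, the comment above the `service_exists("ufw")` check and its warning text still say iptables and should name ufw.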