Author: fapeeler
Date: Tue Sep  9 18:40:57 2014
New Revision: 1623867

URL: http://svn.apache.org/r1623867
Log:
VCL-753

Because older versions of iptables do not accept a comma-separated list, we need to add each IP scope as a separate 
INPUT rule.

This change splits new_scope into a scope array and then builds the commands 
array from it.

Modified:
    vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm

Modified: vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm
URL: 
http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm?rev=1623867&r1=1623866&r2=1623867&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm (original)
+++ vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm Tue Sep  9 18:40:57 2014
@@ -3612,28 +3612,32 @@ sub enable_firewall_port {
                        }
                }
        }
+
+       my @new_scope_list = split(/,/,$new_scope);
+       
+       for my $scope_string (@new_scope_list) {
+               # Add the new rule to the array of iptables commands
+               my $new_rule_command;
+               $new_rule_command .= "/sbin/iptables -v -I INPUT 1";
+               $new_rule_command .= " -p $protocol";
+               $new_rule_command .= " -j ACCEPT";
+               $new_rule_command .= " -s $scope_string";
        
-       # Add the new rule to the array of iptables commands
-       my $new_rule_command;
-       $new_rule_command .= "/sbin/iptables -v -I INPUT 1";
-       $new_rule_command .= " -p $protocol";
-       $new_rule_command .= " -j ACCEPT";
-       $new_rule_command .= " -s $new_scope";
-       
-       if ($protocol =~ /icmp/i) {
-               if ($port ne '255') {
-                       $new_rule_command .= "  --icmp-type $port";
+               if ($protocol =~ /icmp/i) {
+                       if ($port ne '255') {
+                               $new_rule_command .= "  --icmp-type $port";
+                       }
                }
-       }
-       else {
-               $new_rule_command .= " -m state --state 
NEW,RELATED,ESTABLISHED";
+               else {
+                       $new_rule_command .= " -m state --state 
NEW,RELATED,ESTABLISHED";
                
-               if ($port =~ /^\d+$/) {
-                       $new_rule_command .= " -m $protocol --dport $port";
+                       if ($port =~ /^\d+$/) {
+                               $new_rule_command .= " -m $protocol --dport 
$port";
+                       }
                }
-       }
        
-       push @commands, $new_rule_command;
+               push @commands, $new_rule_command;
+       }
        
        # Join the iptables commands together with ' && '
        my $command = join(' && ', @commands);
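Review bot: The loop that starts at `my @new_scope_list = split(/,/,$new_scope);` interpolates each element into the iptables command line without any normalisation, so an empty field (e.g. `"a,,b"` or a stray trailing comma followed by whitespace) produces a bare `-s`, and iptables then consumes the following option (`-m` or `--icmp-type`) as the source address. Since the joined `$command` appears to be executed through a shell further down, each element should be trimmed and empty ones skipped at the top of the loop, `$scope_string =~ s/^\s+|\s+$//g;` followed by `next unless length $scope_string;`, and an anchored check that the element looks like an address or CIDR block before interpolation would close the remaining gap. A short comment that inserting every rule at `INPUT 1` leaves the rules in reverse list order (harmless for ACCEPT rules) would also help the next reader. enable_firewall_port begins and ends outside this hunk.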
@@ -3651,7 +3655,7 @@ sub enable_firewall_port {
                return;
        }
        elsif ($exit_status == 0) {
-               notify($ERRORS{'DEBUG'}, 0, "enabled firewall port on 
$computer_node_name, protocol: $protocol, port: $port, scope: $new_scope");
+               notify($ERRORS{'DEBUG'}, 0, "enabled firewall port on 
$computer_node_name, protocol: $protocol, port: $port, scope: $new_scope, 
command:\n$command");
        }
        else {
                notify($ERRORS{'WARNING'}, 0, "failed to enable firewall port 
on $computer_node_name, protocol: $protocol, port: $port, scope: $new_scope, 
exit status: $exit_status, command:\n$command\noutput:\n" . join("\n", 
@$output));

