Author: arkurth
Date: Tue May 30 17:45:33 2017
New Revision: 1796905
URL: http://svn.apache.org/viewvc?rev=1796905&view=rev
Log:
VCL-1031
Added iptables comment to all rules added by VCL in iptables.pm -- some of the
original NAT rules were not adding comments. Updated all comment text to begin
with 'VCL: ' for consistency.
Modified:
vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/firewall/iptables.pm
Modified: vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/firewall/iptables.pm
URL:
http://svn.apache.org/viewvc/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/firewall/iptables.pm?rev=1796905&r1=1796904&r2=1796905&view=diff
==============================================================================
--- vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/firewall/iptables.pm
(original)
+++ vcl/trunk/managementnode/lib/VCL/Module/OS/Linux/firewall/iptables.pm Tue
May 30 17:45:33 2017
@@ -182,7 +182,7 @@ sub process_post_load {
},
'match_extensions' => {
'comment' => {
- 'comment' => "VCL: Allow traffic from
management node ($timestamp)",
+ 'comment' => "VCL: allow traffic from
management node ($timestamp)",
},
},
}
@@ -293,7 +293,7 @@ sub process_reserved {
'dport' => $port,
},
'comment' => {
- 'comment' => "VCL: Allow
traffic from any IP address to connect method ports during reserved stage of
reservation $reservation_id ($timestamp)",
+ 'comment' => "VCL: allow
traffic from any IP address to connect method ports during reserved stage of
reservation $reservation_id ($timestamp)",
},
},
}
@@ -391,7 +391,7 @@ sub process_inuse {
'dport' => $port,
},
'comment' => {
- 'comment' => "VCL: Allow
traffic from $remote_ip_address to $protocol/$port during the inuse stage of
reservation $reservation_id ($timestamp)",
+ 'comment' => "VCL: allow
traffic from $remote_ip_address to $protocol/$port during the inuse stage of
reservation $reservation_id ($timestamp)",
},
},
}
@@ -493,7 +493,7 @@ sub process_pre_capture {
'destination-port' => 22,
},
'comment' => {
- 'comment' => "VCL: Allow traffic to SSH
port 22 from any IP address ($timestamp)",
+ 'comment' => "VCL: allow traffic to SSH
port 22 from any IP address ($timestamp)",
},
},
}
@@ -579,7 +579,7 @@ sub process_cluster {
},
'match_extensions' => {
'comment' => {
- 'comment' => "VCL: jump to rules added
during the cluster stage ($timestamp)",
+ 'comment' => "VCL: jump to rules added
during for cluster reservation ($timestamp)",
},
},
}
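Review bot: The new comment string on the added line reads "jump to rules added during for cluster reservation", which is ungrammatical — "during" appears to be left over from the removed wording ("during the cluster stage"). Since this text ends up verbatim in the iptables rule comment and is what an operator sees in `iptables -L`, it should read cleanly, e.g. `'comment' => "VCL: jump to rules added for cluster reservation ($timestamp)",`. The enclosing process_cluster body starts and ends outside this hunk.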
@@ -597,7 +597,7 @@ sub process_cluster {
},
'match_extensions' => {
'comment' => {
- 'comment' => "VCL: Allow all traffic
from other computers assigned to cluster request $request_id ($timestamp)",
+ 'comment' => "VCL: allow all traffic
from other computers assigned to cluster request $request_id ($timestamp)",
},
},
}
@@ -2069,7 +2069,7 @@ sub nat_configure_host {
},
'match_extensions' => {
'comment' => {
- 'comment' => "VCL: jump from nat table
POSTROUTING chain to to NAT host $nat_host_chain_name chain",
+ 'comment' => "VCL: jump from nat table
POSTROUTING chain to NAT host $nat_host_chain_name chain",
},
},
}
@@ -2109,6 +2109,9 @@ sub nat_configure_host {
'multiport' => {
'destination-ports' =>
$destination_ports,
},
+ 'comment' => {
+ 'comment' => "VCL: allow inbound TCP
traffic on the NAT port ranges to public $public_interface_name",
+ },
},
}
)) {
@@ -2130,6 +2133,9 @@ sub nat_configure_host {
'multiport' => {
'destination-ports' =>
$destination_ports,
},
+ 'comment' => {
+ 'comment' => "VCL: allow inbound UDP
traffic on the NAT port ranges to public $public_interface_name",
+ },
},
}
)) {
@@ -2148,7 +2154,7 @@ sub nat_configure_host {
'state' => 'NEW,RELATED,ESTABLISHED',
},
'comment' => {
- 'comment' => "forward inbound packets
from public $public_interface_name to internal $internal_interface_name",
+ 'comment' => "VCL: forward inbound
packets from public $public_interface_name to internal
$internal_interface_name",
},
},
}
@@ -2168,7 +2174,7 @@ sub nat_configure_host {
'state' => 'NEW,RELATED,ESTABLISHED',
},
'comment' => {
- 'comment' => "forward outbound packets
from internal $internal_interface_name to public $public_interface_name",
+ 'comment' => "VCL: forward outbound
packets from internal $internal_interface_name to public
$public_interface_name",
},
},
}
@@ -2210,22 +2216,22 @@ sub nat_configure_reservation {
return;
}
- my $chain_name = $self->get_nat_reservation_chain_name();
+ my $reservation_nat_chain_name =
$self->get_nat_reservation_chain_name();
# Check if chain for reservation has already been created
- if (defined($nat_table_info->{$chain_name})) {
- notify($ERRORS{'DEBUG'}, 0, "'$chain_name' chain already exists
in nat table on $computer_name");
+ if (defined($nat_table_info->{$reservation_nat_chain_name})) {
+ notify($ERRORS{'DEBUG'}, 0, "'$reservation_nat_chain_name'
chain already exists in nat table on $computer_name");
}
- elsif (!$self->create_chain('nat', $chain_name)) {
- notify($ERRORS{'WARNING'}, 0, "failed to configure NAT host
$computer_name for reservation, failed to add '$chain_name' chain to nat
table");
+ elsif (!$self->create_chain('nat', $reservation_nat_chain_name)) {
+ notify($ERRORS{'WARNING'}, 0, "failed to configure NAT host
$computer_name for reservation, failed to add '$reservation_nat_chain_name'
chain to nat table");
return;
}
# Check if rule to jump to reservation's chain already exists in the
PREROUTING table
for my $rule (@{$nat_table_info->{PREROUTING}{rules}}) {
my $rule_specification_string = $rule->{rule_specification};
- if ($rule_specification_string =~ /-j $chain_name(\s|$)/) {
- notify($ERRORS{'DEBUG'}, 0, "PREROUTING chain in nat
table on $computer_name already contains a rule to jump to '$chain_name' chain:
$rule_specification_string");
+ if ($rule_specification_string =~ /-j
$reservation_nat_chain_name(\s|$)/) {
+ notify($ERRORS{'DEBUG'}, 0, "PREROUTING chain in nat
table on $computer_name already contains a rule to jump to
'$reservation_nat_chain_name' chain: $rule_specification_string");
return 1;;
}
}
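Review bot: The renamed variable is still interpolated into the regex on the new `if ($rule_specification_string =~ /-j $reservation_nat_chain_name(\s|$)/)` line without quoting, so any regex metacharacter in the chain name would change the match rather than be matched literally; escaping it is the safer form, `if ($rule_specification_string =~ /-j \Q$reservation_nat_chain_name\E(?:\s|$)/) {`. This was already true of the old `$chain_name` line, but the commit touches the line, so it is a good moment to fix it. The context line `return 1;;` in the same loop carries a stray second semicolon that could be dropped at the same time. nat_configure_reservation starts and ends outside this hunk.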
@@ -2234,11 +2240,16 @@ sub nat_configure_reservation {
if (!$self->insert_rule('nat', 'PREROUTING',
{
'parameters' => {
- 'jump' => $chain_name,
+ 'jump' => $reservation_nat_chain_name,
+ },
+ 'match_extensions' => {
+ 'comment' => {
+ 'comment' => "VCL: jump from nat table
PREROUTING chain to reservation NAT chain $reservation_nat_chain_name",
+ },
},
}
)) {
- notify($ERRORS{'WARNING'}, 0, "failed to configure NAT host
$computer_name for reservation, failed to create rule in PREROUTING chain in
nat table to jump to '$chain_name' chain");
+ notify($ERRORS{'WARNING'}, 0, "failed to configure NAT host
$computer_name for reservation, failed to create rule in PREROUTING chain in
nat table to jump to '$reservation_nat_chain_name' chain");
return;
}
@@ -2334,7 +2345,7 @@ sub nat_add_port_forward {
},
'match_extensions' => {
'comment' => {
- 'comment' => "forward:
$public_interface_name:$source_port -->
$destination_ip_address:$destination_port ($protocol)",
+ 'comment' => "VCL: forward
$public_interface_name:$protocol/$source_port -->
$destination_ip_address:$destination_port",
},
$protocol => {
'destination-port' => $source_port,