[ https://issues.apache.org/jira/browse/VCL-1031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15949911#comment-15949911 ]
ASF subversion and git services commented on VCL-1031:
------------------------------------------------------
Commit 1789589 from [email protected] in branch 'vcl/trunk'
[ https://svn.apache.org/r1789589 ]
VCL-1031
(Note: accidentally hit enter on previous commit before finished typing
comments. See 1789585 for additional changes.)
Removed all iptables code from Linux.pm and rewrote it in iptables.pm. It now
creates and utilizes a different chain for each reservation stage:
vcl-post_load, vcl-reserved, vcl-inuse, vcl-pre_capture. When access needs to
be revoked, the corresponding chain is simply flushed and deleted. This makes
it much safer and easier to determine which rules vcld added and are safe to
delete.
Added subroutines:
DataStructure.pm::get_connect_method_protocol_port_array
Linux.pm::get_management_node_connected_ip_address
utils.pm::get_collapsed_hash_reference
firewalld.pm::process_post_load
firewalld.pm::process_reserved
firewalld.pm::process_inuse
firewalld.pm::process_sanitize
firewalld.pm::process_pre_capture
firewalld.pm::get_matching_rules
firewalld.pm::delete_connect_method_rules
firewalld.pm::chain_exists
firewalld.pm::get_pre_capture_chain_name
firewalld.pm::get_post_load_chain_name
firewalld.pm::get_reserved_chain_name
firewalld.pm::get_reservation_chain_name
firewalld.pm::get_inuse_chain_name
Removed subroutines and all calls to them:
Linux.pm::grant_management_node_access
Linux.pm::enable_firewall_port
Linux.pm::disable_firewall_port
Linux.pm::save_firewall_configuration
Linux.pm::get_firewall_configuration
Linux.pm::parse_firewall_scope
Linux.pm::clean_iptables
Ubuntu.pm::clean_iptables
Ubuntu.pm::enable_firewall_port
Ubuntu.pm::disable_firewall_port
Ubuntu.pm::get_firewall_configuration
Renamed subroutines:
iptables.pm::configure_nat --> nat_configure_host
iptables.pm::configure_nat_reservation --> nat_configure_reservation
iptables.pm::add_nat_port_forward --> nat_add_port_forward
iptables.pm::sanitize_reservation --> sanitize_nat_reservation
Added calls to firewall module subroutines if the object implements it:
OS.pm::firewall_compare_update --> firewall/process_inuse
Linux.pm::pre_capture --> firewall/process_pre_capture
Linux.pm::post_load --> firewall/process_post_load
Linux.pm::grant_access --> firewall/process_reserved
Linux.pm::sanitize --> firewall/process_sanitize
reserved.pm::process --> process_inuse
Reworked iptables.pm::delete_rule and renamed it delete_rules.
Other
Added file count to vcld.log output in Provisioning.pm::retrieve_image.
Commented out Linux.pm::get_user_remote_ip_addresses and added a warning
comment. This sub isn't being called from anywhere.
Removed /s option from 2 regexes in utils.pm::run_ssh_command. They were
causing a subroutine in VIM_SSH.pm to hang for 1-2 minutes while parsing the
output.
> Update iptables.pm to be used for all iptables configuration
> ------------------------------------------------------------
>
> Key: VCL-1031
> URL: https://issues.apache.org/jira/browse/VCL-1031
> Project: VCL
> Issue Type: Improvement
> Components: vcld (backend)
> Reporter: Andy Kurth
> Assignee: Andy Kurth
> Fix For: 2.5
>
>
> The iptables.pm module was created when the NAT functionality was added. Up
> to this point, it is only being used to configure the firewall on the NAT
> host. The Linux OS modules are still used to configure iptables. With the
> addition of firewalld (VCL-972) and ufw (VCL-971), all of the Linux firewall
> code should be pulled out of the main OS module and into the dedicated file.
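The per-stage chain pattern the commit describes, written out as an added shell example (this is not VCL's iptables.pm; the chain prefix "vcl-", the jump from INPUT and the IPTABLES dry-run variable are assumptions for illustration):

```shell
#!/bin/sh
# Added example, not VCL code. One iptables chain per reservation stage
# (vcl-post_load, vcl-reserved, vcl-inuse, vcl-pre_capture): rules vcld adds
# go only into that chain, so revoking access is "flush and delete the chain"
# instead of hunting through INPUT for rules vcld might have added.
# IPTABLES defaults to a dry run that prints the commands; set IPTABLES=iptables
# (as root) to apply them for real.
: "${IPTABLES:=echo iptables}"

stage_chain_name() {
  # Assumed naming convention: vcl-<stage>
  printf 'vcl-%s\n' "$1"
}

stage_grant() {
  # usage: stage_grant <stage> <remote_ip> <proto> <port>...
  # Creates the stage chain, hooks it into INPUT, and allows the given
  # ports from the remote IP only inside that chain.
  stage=$1; ip=$2; proto=$3; shift 3
  chain=$(stage_chain_name "$stage")
  $IPTABLES -N "$chain"            # fails harmlessly if the chain already exists
  $IPTABLES -I INPUT -j "$chain"   # hook the chain into INPUT
  for port in "$@"; do
    $IPTABLES -A "$chain" -s "$ip" -p "$proto" --dport "$port" -j ACCEPT
  done
}

stage_revoke() {
  # usage: stage_revoke <stage>
  # Unhook, flush and delete the whole chain: every rule in it was added by
  # this tool, so nothing else on the host has to be inspected or preserved.
  chain=$(stage_chain_name "$1")
  $IPTABLES -D INPUT -j "$chain"
  $IPTABLES -F "$chain"
  $IPTABLES -X "$chain"
}
```

Run it with IPTABLES unset to see the exact command sequence for a stage before applying it on a real host.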
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)