Fabian Deutsch has uploaded a new change for review. Change subject: firewall: Fix plain iptables logic ......................................................................
firewall: Fix plain iptables logic Previously the port was opened but this change wasn't saved. This case led to a situation where the iptables service got restarted and overwrote/closed the previously opened ports. Now the configuration is saved (and persisted) after a port got opened. Change-Id: If33424f62c006720a4c553b32af38d2b033579cc Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1007417 Signed-off-by: Fabian Deutsch <[email protected]> --- M src/ovirt/node/utils/firewall.py 1 file changed, 35 insertions(+), 2 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-node refs/changes/26/19226/1 diff --git a/src/ovirt/node/utils/firewall.py b/src/ovirt/node/utils/firewall.py index 5617cfa..ab5633a 100644 --- a/src/ovirt/node/utils/firewall.py +++ b/src/ovirt/node/utils/firewall.py @@ -19,9 +19,12 @@ # MA 02110-1301, USA. A copy of the GNU General Public License is # also available at http://www.gnu.org/copyleft/gpl.html. -import os -from ovirt.node.utils import process from glob import glob +import os +from ovirt.node.utils import process, fs +import logging + +LOGGER = logging.getLogger(__name__) PLUGIN_DIR = "/etc/ovirt-plugins.d/" PLUGIN_XML_OUT = "/etc/firewalld/services/node-plugin.xml" 
@@ -47,9 +50,36 @@ def setup_iptables(port, proto): + rules = "/etc/sysconfig/iptables" + + def is_open(): + pat = "%s dpt:%s" % (proto, port) + for rule in process.check_output(["iptables", "-L", "-n"]).split("\n"): + if rule.strip().endswith(pat): + return True + return False + + def open_port(): cmd = ["iptables", "-I", "INPUT", "1", "-p", proto, "--dport", port, "-j", "ACCEPT"] process.check_call(cmd) + + def load_rules(): + process.check_call("iptables-restore -c < %s" % rules, + shell=True) + + def save_rules(): + process.check_call("iptables-save -c > %s" % rules, + shell=True) + + fs.Config().persist(rules) + + if not is_open(): + # We need to load the rules before, to prevent overwriting them + # when they weren't loaded. + load_rules() + open_port() + save_rules() def setup_firewalld(port, proto): @@ -70,10 +100,12 @@ def process_plugins(): + LOGGER.debug("Handling plugin firewall rules") for plugin in glob(PLUGIN_DIR + "*.firewall"): plugin_files.append(plugin) for f in plugin_files: + LOGGER.debug("Parsing firewall rules: %s" % f) with open(f) as i: conf = i.readlines() for line in conf: @@ -82,6 +114,7 @@ fw_conf.append((port, proto)) for i in fw_conf: + LOGGER.debug("Opening firewall ports: %s" % str(i)) port, proto = i if is_firewalld(): setup_firewalld(port, proto) -- To view, visit http://gerrit.ovirt.org/19226 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: If33424f62c006720a4c553b32af38d2b033579cc Gerrit-PatchSet: 1 Gerrit-Project: ovirt-node Gerrit-Branch: master Gerrit-Owner: Fabian Deutsch <[email protected]> _______________________________________________ node-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/node-patches
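Review bot: The `if not is_open()` guard in setup_iptables consults the live ruleset rather than the saved one, so a port that the previous code opened at runtime without saving — the very situation this change is fixing — is reported as open, the whole body is skipped, and that port is still never written to /etc/sysconfig/iptables until the next iptables restart closes it again. Calling load_rules() before the check would resolve that, but because iptables-restore replaces the entire live ruleset and the shell redirect fails when /etc/sysconfig/iptables does not exist yet (check_call then raises and the port is never opened), the load should be guarded on the file's presence. Two smaller points: is_open() matches `proto dpt:port` in every chain regardless of target, so an existing DROP or REJECT rule for the port counts as "open"; and whether `fs.Config().persist(rules)` sits inside save_rules() or at function level cannot be told from the collapsed hunk — if it is at function level it runs before anything has been saved. Suggested tail of setup_iptables, the helpers left as they are:
```python
    # … unchanged: rules path and the is_open/open_port/load_rules/save_rules helpers …
    # Start from the persisted ruleset so a live-only rule (opened earlier but
    # never saved) is not mistaken for a persisted one; a missing file would
    # make iptables-restore fail, so only load when it exists.
    if os.path.exists(rules):
        load_rules()
    if not is_open():
        open_port()
    save_rules()
```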
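Review bot: The new debug calls in process_plugins format eagerly with `%` — `LOGGER.debug("Opening firewall ports: %s" % str(i))` here and `LOGGER.debug("Parsing firewall rules: %s" % f)` in the previous hunk — which builds the message even when debug logging is disabled and bypasses the logging module's lazy formatting. Pass the values as arguments instead: `LOGGER.debug("Opening firewall ports: %s", i)` and `LOGGER.debug("Parsing firewall rules: %s", f)`; the `str()` is redundant since `%s` already converts. process_plugins starts before this hunk and its `if is_firewalld()` branch appears to continue past the last visible line.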
