Author: fapeeler
Date: Tue Sep 27 18:41:31 2011
New Revision: 1176511

URL: http://svn.apache.org/viewvc?rev=1176511&view=rev
Log:
VCL-517
VCL-453

517: removes udev 70-net rule

453: iptables, for each connection port defined add entry to iptables.


Modified:
    incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm

Modified: incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm?rev=1176511&r1=1176510&r2=1176511&view=diff
==============================================================================
--- incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm (original)
+++ incubator/vcl/trunk/managementnode/lib/VCL/Module/OS/Linux.pm Tue Sep 27 
18:41:31 2011
@@ -130,7 +130,12 @@ sub pre_capture {
 
        # Clear SSH idenity keys from /root/.ssh 
        if (!$self->clear_private_keys()) {
-               notify($ERRORS{'WARNING'}, 0, "unable to clear known identity 
keys");
+         notify($ERRORS{'WARNING'}, 0, "unable to clear known identity keys");
+       }
+       
+       # Clear files
+       if (!$self->remove_known_files()) {
+               notify($ERRORS{'WARNING'}, 0, "unable to remove known files");
        }
 
        # Write /etc/rc.local script
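Review bot: pre_capture now calls `$self->remove_known_files()`, but the method this commit adds (in the next hunk) is named `clear_known_files`; unless a `remove_known_files` already exists elsewhere in Linux.pm or a parent module, this is an undefined method call that will die when pre_capture runs rather than hit the WARNING branch. One of the two names should change, e.g. `if (!$self->clear_known_files()) {` here together with the matching message `"unable to clear known files"`. pre_capture's body continues outside the hunk.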
@@ -431,6 +436,42 @@ sub clear_private_keys {
 
 #/////////////////////////////////////////////////////////////////////////////
 
+=head2 clear_known_files
+
+ Parameters  :
+ Returns     :
+ Description :
+
+=cut
+
+sub clear_known_files {
+   my $self = shift;
+      unless (ref($self) && $self->isa('VCL::Module')) {
+      notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as a 
VCL::Module module object method");
+      return;
+   }
+
+   notify($ERRORS{'DEBUG'}, 0, "perparing to clear known files");
+   my $management_node_keys = $self->data->get_management_node_keys();
+   my $computer_short_name  = $self->data->get_computer_short_name();
+   my $computer_node_name   = $self->data->get_computer_node_name();
+       
+       my $filelist = "/etc/udev/rules.d/70-persistent-net.rules";
+
+   #Clear ssh idenity keys from /root/.ssh 
+   my $clear_known_files = "/bin/rm -f $filelist";
+   if (run_ssh_command($computer_node_name, $management_node_keys, 
$clear_known_files, "root")) {
+      notify($ERRORS{'DEBUG'}, 0, "cleared known files, filelist: $filelist");
+      return 1;
+   }
+   else {
+      notify($ERRORS{'CRITICAL'}, 0, "failed to clear known files");
+      return 0;
+   }
+}
+
+#/////////////////////////////////////////////////////////////////////////////
+
 =head2 set_static_public_address
 
  Parameters  : none
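Review bot: In clear_known_files the comment above the `rm` command, `#Clear ssh idenity keys from /root/.ssh`, was carried over from clear_private_keys and no longer describes the command, which deletes `/etc/udev/rules.d/70-persistent-net.rules`; it should say what is actually removed, e.g. `# Remove files that must not persist into the captured image (udev persistent-net rules)`. The new POD block is empty and should state `Parameters : none`, `Returns : 1 on success, 0 on failure` and a one-line description of the file list being cleared, and the DEBUG message misspells "preparing". `$computer_short_name` is fetched but never used and can be dropped. The `rm` result is checked with `run_ssh_command` in boolean context; if that helper returns a (status, output) list like the other call sites appear to, the scalar-context value may be true even on a non-zero exit, so the return should presumably be unpacked and the status compared to 0 — worth confirming against run_ssh_command's contract.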
@@ -3153,22 +3194,22 @@ sub stop_service {
 
 sub check_connection_on_port {
        my $self = shift;
-        if (ref($self) !~ /linux/i) {
-                notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a 
function, it must be called as a class method");
-                return;
-        }
+   if (ref($self) !~ /linux/i) {
+       notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it 
must be called as a class method");
+       return;
+   }
 
-        my $management_node_keys       = 
$self->data->get_management_node_keys();
-        my $computer_node_name         = $self->data->get_computer_node_name();
+       my $management_node_keys        = 
$self->data->get_management_node_keys();
+       my $computer_node_name          = $self->data->get_computer_node_name();
        my $remote_ip                   = 
$self->data->get_reservation_remote_ip();
        my $computer_ip_address         = 
$self->data->get_computer_ip_address();
        my $request_state_name          = $self->data->get_request_state_name();
 
-        my $port = shift;
-        if (!$port) {
-                notify($ERRORS{'WARNING'}, 0, "port variable was not passed as 
an argument");
-                return "failed";
-        }
+       my $port = shift;
+       if (!$port) {
+               notify($ERRORS{'WARNING'}, 0, "port variable was not passed as 
an argument");
+               return "failed";
+       }
        
        my $ret_val = "no";     
        my $command = "netstat -an";
@@ -3336,6 +3377,132 @@ sub get_total_memory {
        }
 }
 
+#/////////////////////////////////////////////////////////////////////////////
+
+=head2 enable_firewall_port
+ 
+  Parameters  : none
+  Returns     : 1 successful, 0 failed
+  Description : updates iptables for given port for collect IPaddress range 
and mode
+ 
+=cut
+
+sub enable_firewall_port {
+       my $self = shift;
+   if (ref($self) !~ /VCL::Module/i) {
+      notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it 
must be called as a class method");
+      return;
+   }
+       
+       my $port = shift;
+       if(!$port) {
+               notify($ERRORS{'CRITICAL'}, 0, "Input variable port was not 
passed in as an argument");
+               return 0;
+       } 
+       
+       my $mode = shift;
+       if(!$mode) {
+               notify($ERRORS{'DEBUG'}, 0, "firewall mode not passed in as an 
argument setting to loose");
+               $mode = "medium";
+       }
+       
+   my $computer_node_name = $self->data->get_computer_node_name();
+       my $remote_ip = $self->data->get_reservation_remote_ip();
+       
+       my $scope;
+       my $command;
+               
+       if ( $mode =~ /loose/i ) {
+               $command = "/sbin/iptables -I INPUT 1 -m state --state 
NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport $port -j ACCEPT";
+       }        
+       elsif($mode =~ /medium/i) {     
+               $scope = "$remote_ip/16";
+               $command = "/sbin/iptables -I INPUT 1 -s $scope -m state 
--state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport $port -j ACCEPT";
+       }
+       elsif( $mode =~ /tight/i) {
+               $scope = "$remote_ip/24";
+               $command = "/sbin/iptables -I INPUT 1 -s $scope -m state 
--state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport $port -j ACCEPT";
+       }
+       elsif( $mode =~ /locked/i) {
+               $command = "/sbin/iptables -I INPUT 1 -s $remote_ip -m state 
--state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport $port -j ACCEPT";
+       }
+
+       #copy original config
+       my $cp_iptables_config = "cp /etc/sysconfig/iptables 
/etc/sysconfig/iptables_pre_$port";
+       my ($status_cp, $output_cp) = $self->execute($cp_iptables_config);      
+       if (defined $status_cp && $status_cp == 0) {
+               notify($ERRORS{'DEBUG'}, 0, "executed command 
$cp_iptables_config on $computer_node_name");
+       }
+       
+       # Add rule
+       my ($status, $output) = $self->execute($command);       
+       if (defined $status && $status == 0) {
+               notify($ERRORS{'DEBUG'}, 0, "executed command $command on 
$computer_node_name");
+       }
+       else {
+               notify($ERRORS{'WARNING'}, 0, "output from iptables:" . 
join("\n", @$output));
+       }
+       
+       #Save rules to sysconfig/iptables -- incase of reboot
+       my $iptables_save_cmd = "/sbin/iptables-save > /etc/sysconfig/iptables";
+       my ($status_save, $output_save) = $self->execute($iptables_save_cmd);   
+       if (defined $status_save && $status_save == 0) {
+               notify($ERRORS{'DEBUG'}, 0, "executed command 
$iptables_save_cmd on $computer_node_name");
+       }
+       
+       return 1;
+}
+
+#/////////////////////////////////////////////////////////////////////////////
+
+=head2 disable_firewall_port
+ 
+  Parameters  : none
+  Returns     : 1 successful, 0 failed
+  Description : updates iptables for given port for collect IPaddress range 
and mode
+ 
+=cut
+
+sub disable_firewall_port {
+   my $self = shift;
+   if (ref($self) !~ /VCL::Module/i) {
+      notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it 
must be called as a class method");
+      return;
+   }
+
+   my $port = shift;
+   if(!$port) {
+      notify($ERRORS{'CRITICAL'}, 0, "Input variable port was not passed in as 
an argument");
+      return 0;
+   }
+
+   my $computer_node_name = $self->data->get_computer_node_name();
+   my $remote_ip = $self->data->get_reservation_remote_ip();
+
+       my $command = "sed -i -e '/.*-p tcp --dport $port -j ACCEPT$/d' 
/etc/sysconfig/iptables";
+       my ($status, $output) = $self->execute($command);
+
+       if (defined $status && $status == 0) {
+      notify($ERRORS{'DEBUG'}, 0, "executed command $command on 
$computer_node_name");
+   }
+   else {
+      notify($ERRORS{'WARNING'}, 0, "output from iptables:" . join("\n", 
@$output));
+   }
+       
+       #restart iptables
+       $command = "/etc/init.d/iptables restart";
+       my ($status_iptables,$output_iptables) = $self->execute($command);
+       if (defined $status_iptables && $status_iptables == 0) {
+      notify($ERRORS{'DEBUG'}, 0, "executed command $command on 
$computer_node_name");
+       }
+       else {
+      notify($ERRORS{'WARNING'}, 0, "output from iptables:" . join("\n", 
@$output));
+       }
+
+       return 1;
+
+}
+
 ##/////////////////////////////////////////////////////////////////////////////
 
 1;
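Review bot: `$port` and `$remote_ip` are interpolated into shell commands in enable_firewall_port (the `cp`, `/sbin/iptables` and `iptables-save` lines) and into disable_firewall_port's `sed` command after only a truthiness check, so a non-numeric port or a malformed address taken from the reservation record reaches the shell on the managed node; both should be validated with anchored patterns before use, and the POD for both subs says `Parameters : none` although each takes a port (and enable_firewall_port a mode). enable_firewall_port also leaves `$command` undefined when `$mode` matches none of loose/medium/tight/locked, returns 1 even when the iptables call reports a non-zero status, and its missing-mode DEBUG message says "loose" while the code sets "medium", so callers cannot tell that no rule was added. In disable_firewall_port the restart-failure branch joins `@$output` instead of `@$output_iptables`, and the sed pattern `-p tcp --dport $port -j ACCEPT$` presumably never matches lines that iptables-save writes with `-m tcp` between `-p tcp` and `--dport`, in which case the ACCEPT rule would survive in the saved config after the reservation ends — worth confirming against an actual saved rule on a test node. The rewrite below covers the validation, the unknown-mode and failure returns for enable_firewall_port.
```perl
sub enable_firewall_port {
    # … unchanged: $self class check …

    my $port = shift;
    if (!defined $port || $port !~ /\A\d+\z/ || $port < 1 || $port > 65535) {
        notify($ERRORS{'CRITICAL'}, 0, "Input variable port is missing or not a valid TCP port");
        return 0;
    }

    my $mode = shift;
    if (!$mode) {
        notify($ERRORS{'DEBUG'}, 0, "firewall mode not passed in as an argument, setting to medium");
        $mode = "medium";
    }

    my $computer_node_name = $self->data->get_computer_node_name();
    my $remote_ip          = $self->data->get_reservation_remote_ip();
    if (!defined $remote_ip || $remote_ip !~ /\A\d{1,3}(?:\.\d{1,3}){3}\z/) {
        notify($ERRORS{'CRITICAL'}, 0, "reservation remote IP is missing or malformed");
        return 0;
    }

    # Source scope for the rule; undef means no -s restriction (loose).
    my $scope;
    if    ($mode =~ /loose/i)  { $scope = undef; }
    elsif ($mode =~ /medium/i) { $scope = "$remote_ip/16"; }
    elsif ($mode =~ /tight/i)  { $scope = "$remote_ip/24"; }
    elsif ($mode =~ /locked/i) { $scope = $remote_ip; }
    else {
        notify($ERRORS{'WARNING'}, 0, "unknown firewall mode '$mode', no rule added");
        return 0;
    }
    my $command = "/sbin/iptables -I INPUT 1"
        . (defined $scope ? " -s $scope" : "")
        . " -m state --state NEW,RELATED,ESTABLISHED -m tcp -p tcp --dport $port -j ACCEPT";

    # … unchanged: backup copy of /etc/sysconfig/iptables …

    # Add rule; a non-zero status means nothing was opened, report that to the caller.
    my ($status, $output) = $self->execute($command);
    if (!defined $status || $status != 0) {
        notify($ERRORS{'WARNING'}, 0, "failed to add iptables rule on $computer_node_name, output: " . join("\n", @{ $output || [] }));
        return 0;
    }
    notify($ERRORS{'DEBUG'}, 0, "executed command $command on $computer_node_name");

    # … unchanged: iptables-save and return 1 …
```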

