
Commit 3b0e4b2a authored by Mike Hibler

Changes to allow variable expansion in firewall rules

parent 4b617de5
#!/usr/bin/perl -w
#
# EMULAB-COPYRIGHT
# Copyright (c) 2004 University of Utah and the Flux Group.
# Copyright (c) 2004, 2005 University of Utah and the Flux Group.
# All rights reserved.
#
use English;
use Getopt::Std;
#
# For firewall rule logging: log accepted or rejected packets.
# XXX debugging
#
my $logaccept = 0;
my $logreject = 1;
#
# Hosts we need un-firewalled static routes for
#
......@@ -174,6 +181,10 @@ sub doboot()
sub firewaller()
{
# XXX debugging
$fwinfo->{LOGACCEPT} = $logaccept;
$fwinfo->{LOGREJECT} = $logreject;
my ($upline, $downline) = os_fwconfig_line($fwinfo, @fwrules);
print FWC "case \"\$action\" in\n";
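Review bot: firewaller copies file-scoped debugging defaults into the firewall info (`$fwinfo->{LOGREJECT} = $logreject;`, with `my $logreject = 1;` declared at the top of the file under `# XXX debugging`), so every firewalled node will log each rejected packet and the only way to turn that off is to edit this script. If that is the intended production behaviour the comment should say so; otherwise a comment such as `# Per-node packet-log switches; leave at 0 outside debugging` with a default of 0 would match the fallback os_fwconfig_line applies when the keys are absent. The body of firewaller continues outside the hunk.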
......
......@@ -2,7 +2,7 @@
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2004 University of Utah and the Flux Group.
# Copyright (c) 2000-2005 University of Utah and the Flux Group.
# All rights reserved.
#
# TODO: Signal handlers for protecting db files.
......@@ -844,6 +844,29 @@ sub gettunnelconfig($)
return 0;
}
my %fwvars = ();
#
# Substitute values of variables in a firewall rule.
#
sub expandfwvars($)
{
my ($rule) = @_;
if ($rule->{RULE} =~ /EMULAB_\w+/) {
foreach my $key (keys %fwvars) {
$rule->{RULE} =~ s/$key/$fwvars{$key}/
if (defined($fwvars{$key}));
}
if ($rule->{RULE} =~ /EMULAB_\w+/) {
warn("*** WARNING: Unexpanded firewall variable in: \n".
" $rule->{RULE}\n");
return 1;
}
}
return 0;
}
#
# Return the firewall configuration. We parse tmcd output here and return
# a list of hash entries to the caller.
......@@ -865,6 +888,7 @@ sub getfwconfig($$)
my $rempat = q(TYPE=remote FWIP=([0-9\.]*));
my $fwpat = q(TYPE=([\w-]+) STYLE=(\w+) IN_IF=(\w*) OUT_IF=(\w*) IN_VLAN=(\d+) OUT_VLAN=(\d+));
my $rpat = q(RULENO=(\d*) RULE="(.*)");
my $vpat = q(VAR=(EMULAB_\w+) VALUE="(.*)");
$fwinfo->{"TYPE"} = "none";
foreach my $line (@tmccresults) {
......@@ -908,15 +932,23 @@ sub getfwconfig($$)
$fw->{"RULENO"} = $ruleno;
$fw->{"RULE"} = $rule;
push(@fwrules, $fw);
} elsif ($line =~ /$vpat/) {
$fwvars{$1} = $2;
} else {
warn("*** WARNING: Bad firewall info line: $line\n");
return 1;
}
}
# make a pass over the rules, expanding variables
my $bad = 0;
foreach my $rule (@fwrules) {
$bad += expandfwvars($rule);
}
$$infoptr = $fwinfo;
@$rptr = @fwrules;
return 0;
return $bad;
}
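Review bot: expandfwvars substitutes each variable only once and without a word boundary: `s/$key/$fwvars{$key}/` has no `/g`, so a rule that names the same variable twice keeps the second copy and then trips the "Unexpanded firewall variable" warning, and because `%fwvars` is walked in hash order a name that is a prefix of another (constructed example: EMULAB_X and EMULAB_XY) can be replaced inside the longer one. A form such as `$rule->{RULE} =~ s/\Q$key\E(?!\w)/$fwvars{$key}/g if (defined($fwvars{$key}));` handles both. The expanded value comes straight from the `VALUE="(.*)"` capture and lands verbatim in text that os_fwconfig_line later writes into a shell script; that is the same position the rule text already occupied, so it is not new exposure, but a comment on `%fwvars` stating that values are taken from tmcd unvalidated would help the next reader. `%fwvars` is also file-scoped and never cleared, so if getfwconfig is ever called twice in one process, variables from the first call would carry over.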
......
......@@ -2,7 +2,7 @@
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2004 University of Utah and the Flux Group.
# Copyright (c) 2000-2005 University of Utah and the Flux Group.
# All rights reserved.
#
......@@ -522,6 +522,10 @@ sub os_fwconfig_line($@)
my ($fwinfo, @fwrules) = @_;
my ($upline, $downline);
# XXX debugging
my $logaccept = defined($fwinfo->{LOGACCEPT}) ? $fwinfo->{LOGACCEPT} : 0;
my $logreject = defined($fwinfo->{LOGREJECT}) ? $fwinfo->{LOGREJECT} : 0;
#
# VLAN enforced layer2 firewall with FreeBSD/IPFW2
#
......@@ -546,10 +550,26 @@ sub os_fwconfig_line($@)
$upline .= " if [ -z \"`sysctl net.inet.ip.fw.enable 2>/dev/null`\" ]; then\n";
$upline .= " kldload ipfw.ko >/dev/null 2>&1\n";
$upline .= " fi\n";
$upline .= " sysctl net.inet.ip.fw.enable=1 || {\n";
$upline .= " echo 'WARNING: could not enable firewall'\n";
$upline .= " exit 1\n";
$upline .= " }\n";
foreach my $rule (sort { $a->{RULENO} <=> $b->{RULENO}} @fwrules) {
$upline .= " ipfw add $rule->{RULENO} $rule->{RULE} || {\n";
my $rulestr = $rule->{RULE};
if ($logaccept && $rulestr =~ /^(allow|accept|pass|permit)\s.*/) {
my $action = $1;
$rulestr =~ s/$action/$action log/;
} elsif ($logreject && $rulestr =~ /^(deny|drop)\s.*/) {
my $action = $1;
$rulestr =~ s/$action/$action log/;
}
$upline .= " ipfw add $rule->{RULENO} $rulestr || {\n";
$upline .= " echo 'WARNING: could not load ipfw rule:'\n";
$upline .= " echo ' $rule->{RULE}'\n";
$upline .= " echo ' $rulestr'\n";
$upline .= " ipfw -q flush\n";
$upline .= " exit 1\n";
$upline .= " }\n";
}
......@@ -571,10 +591,26 @@ sub os_fwconfig_line($@)
$upline = "if [ -z \"`sysctl net.inet.ip.fw.enable 2>/dev/null`\" ]; then\n";
$upline .= " kldload ipfw.ko >/dev/null 2>&1\n";
$upline .= " fi\n";
$upline .= " sysctl net.inet.ip.fw.enable=1 || {\n";
$upline .= " echo 'WARNING: could not enable firewall'\n";
$upline .= " exit 1\n";
$upline .= " }\n";
foreach my $rule (sort { $a->{RULENO} <=> $b->{RULENO}} @fwrules) {
$upline .= " ipfw add $rule->{RULENO} $rule->{RULE} || {\n";
my $rulestr = $rule->{RULE};
if ($logaccept && $rulestr =~ /^(allow|accept|pass|permit)\s.*/) {
my $action = $1;
$rulestr =~ s/$action/$action log/;
} elsif ($logreject && $rulestr =~ /^(deny|drop)\s.*/) {
my $action = $1;
$rulestr =~ s/$action/$action log/;
}
$upline .= " ipfw add $rule->{RULENO} $rulestr || {\n";
$upline .= " echo 'WARNING: could not load ipfw rule:'\n";
$upline .= " echo ' $rule->{RULE}'\n";
$upline .= " echo ' $rulestr'\n";
$upline .= " ipfw -q flush\n";
$upline .= " exit 1\n";
$upline .= " }\n";
}
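Review bot: In os_fwconfig_line the `log` keyword is inserted with `$rulestr =~ s/$action/$action log/;`, which replaces the first occurrence of the captured word wherever it is; that is correct today only because the preceding `if` regex is anchored at the start of the rule, and the intent is clearer as an anchored substitution. The seven-line if/elsif block can be written as `$rulestr =~ s/^(allow|accept|pass|permit)(?=\s)/$1 log/ if ($logaccept);` followed by `$rulestr =~ s/^(deny|drop)(?=\s)/$1 log/ if ($logreject);`, which is equivalent because a rule starts with at most one action keyword. The identical block is repeated in the next hunk of this section, so a small helper taking `($rulestr, $logaccept, $logreject)` would keep the two copies from drifting. os_fwconfig_line begins before and ends after these hunks.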
......