From 5ab5f8d5ac3fe033027e0167f36677314d1aac1e Mon Sep 17 00:00:00 2001
From: Leigh B Stoller
Date: Mon, 31 Mar 2014 16:12:08 -0600
Subject: [PATCH] On a non-segmented control network (like an IG rack), boss/ops have aliases on the virtual node network. Allows these though too.
---
 firewall/initfwvars.pl.in | 15 +++++++++++++++
 firewall/iptables-fw-domU-rules | 4 ++++
 2 files changed, 19 insertions(+)
diff --git a/firewall/initfwvars.pl.in b/firewall/initfwvars.pl.in
index f4cabbb93..15bb112c3 100755
--- a/firewall/initfwvars.pl.in
+++ b/firewall/initfwvars.pl.in
@@ -174,6 +174,21 @@ if ($VIRTNODE_NETWORK =~ /^(\d+\.\d+\.\d+)\.0$/) {
     if ($doit);
 }
 
+#
+# Sorry these are hardwired.
+#
+my $EMULAB_VCNET_BOSS = "172.17.254.254";
+my $EMULAB_VCNET_OPS = "172.17.253.254";
+
+$str = "replace into default_firewall_vars values ".
+    "('EMULAB_VCNET_BOSS', '$EMULAB_VCNET_BOSS'), ".
+    "('EMULAB_VCNET_OPS', '$EMULAB_VCNET_OPS')";
+
+print "$str\n"
+    if (!$doit);
+DBQueryFatal($str)
+    if ($doit);
+
 #
 # Create EMULAB_MCADDR and EMULAB_MCPORT variables
 #
diff --git a/firewall/iptables-fw-domU-rules b/firewall/iptables-fw-domU-rules
index a73d4c49d..13fb35416 100644
--- a/firewall/iptables-fw-domU-rules
+++ b/firewall/iptables-fw-domU-rules
@@ -81,6 +81,10 @@
 # Allow everything from the gateway, since the gateway may be part of the node control net
 iptables -A OUTSIDE -s EMULAB_GWIP,EMULAB_VGWIP -j ACCEPT # BASIC,CLOSED,ELABINELAB
 
+# On a non-segmented control network (like an IG rack), boss/ops
+# have aliases on the virtual node network. Allows these though.
+iptables -A OUTSIDE -s EMULAB_VCNET_BOSS,EMULAB_VCNET_OPS -j ACCEPT # BASIC,CLOSED,ELABINELAB
+
 #
 # No one on the inside can talk to other experiments' nodes and visa-versa.
 #
-- 
GitLab
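Review bot: The two addresses at `my $EMULAB_VCNET_BOSS = "172.17.254.254";` and the line below it are fixed constants, while the block this hunk follows derives its values from `$VIRTNODE_NETWORK` (the regex in the hunk header), so a site whose virtual node network does not contain these addresses still gets the rows inserted unconditionally, and the ACCEPT rule in iptables-fw-domU-rules that consumes them will then allow-list addresses that belong to no boss/ops host there. The comment `# Sorry these are hardwired.` does not say what the values must agree with; I would replace it with `# Boss/ops aliases on the virtual node network; must match the aliases actually configured on boss and ops (consumed by iptables-fw-domU-rules).` If these aliases exist only on some racks, gating the insert on the same `$VIRTNODE_NETWORK` check as the preceding block, or on a flag, would keep other sites' firewall variable table free of dead allow entries; I cannot see from this hunk how the rest of the script treats site-specific values, so treat that as a suggestion.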
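Review bot: The new rule `iptables -A OUTSIDE -s EMULAB_VCNET_BOSS,EMULAB_VCNET_OPS -j ACCEPT` admits packets on source address alone, and the comment above it says those addresses are aliases on the virtual node network that the firewalled nodes also share, so the rule is only as trustworthy as whatever keeps other hosts on that network from sourcing those addresses; that assumption is not recorded anywhere in the hunk and is worth a comment. The comment also has a typo, `Allows these though.` where `through` is meant. I would make the two comment lines read `# On a non-segmented control network (like an IG rack), boss/ops have` / `# aliases on the virtual node network; allow those through as well. NOTE: matches on source address only; review if the vnode network is reachable by untrusted hosts.` The OUTSIDE chain and the variable substitution for the EMULAB_* names are defined outside this hunk.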