Further overhaul of firewall code. NOTE: required bump of tmcd version to 34.
Firewalls now work with nodes which require a subboss. Had to introduce new firewall rules which skipped around the checks that no packets to/from node control net IPs should pass through the firewall, if the IP in question belongs to a subboss (since subboss is on the node control network). It actually checks for all Emulab servers (boss, ops, fs or any subboss), so the code should work for an Emulab install which has a non-segmented control network in which all servers were in the same subnet as the nodes. In addition to the new rules, we also had to pass in additional information via "tmcc firewallinfo" giving the IP/MAC of those server nodes that are on the node control network. We use this to establish ARP entries on the inside network so that nodes can find the servers. Since the existing client-side firewall code in libsetup.pm would blow up if it got a line that it didn't recognize, I had to bump the tmcd version number and add some conditional code to tmcd.c:dofwinfo() to not return the extra info for old versions. Added a couple of new firewall variables EMULAB_BOSSES and EMULAB_SERVERS that are used in the new rules. Fixed the support scripts in firewall/ to properly initialize these variables. IMPORTANT: tmcd looks up boss, ops, fs, and subbosses in the interfaces table to find their IPs and MAC addresses. By default, we do not create such interface table entries for boss/ops/fs. We have them at Utah for other reasons. These entries are only needed if you have a non-segmented control network (or a subboss) and you want to firewall such nodes. The script to initialize the firewall variables (initfwvars.pl) will print out a warning for configurations that are affected and don't have the entries.
Showing with 354 additions and 36 deletions