Commit 9d88a47d authored by Leigh B Stoller's avatar Leigh B Stoller

Minor changes for dom0 firewall style; do not flush all the

tables for disable, since that would wipe out the rules for
domUs too.
parent bb4fac7f
#!/usr/bin/perl -wT #!/usr/bin/perl -wT
# #
# Copyright (c) 2000-2013 University of Utah and the Flux Group. # Copyright (c) 2000-2014 University of Utah and the Flux Group.
# #
# {{{EMULAB-LICENSE # {{{EMULAB-LICENSE
# #
...@@ -1319,7 +1319,9 @@ sub os_fwconfig_line($@) { ...@@ -1319,7 +1319,9 @@ sub os_fwconfig_line($@) {
$mymask = `cat $BOOTDIR/mynetmask`; $mymask = `cat $BOOTDIR/mynetmask`;
chomp($mymask); chomp($mymask);
if ($fwinfo->{TYPE} ne "iptables" && $fwinfo->{TYPE} ne "iptables-vlan") { if ($fwinfo->{TYPE} ne "iptables" &&
$fwinfo->{TYPE} ne "iptables-vlan" &&
$fwinfo->{TYPE} ne "iptables-dom0") {
warn "*** WARNING: unsupported firewall type '", $fwinfo->{TYPE}, "'\n"; warn "*** WARNING: unsupported firewall type '", $fwinfo->{TYPE}, "'\n";
return ("false", "false"); return ("false", "false");
} }
...@@ -1453,8 +1455,10 @@ sub os_fwconfig_line($@) { ...@@ -1453,8 +1455,10 @@ sub os_fwconfig_line($@) {
$upline .= "sleep 30\n"; $upline .= "sleep 30\n";
} else { } else {
$upline .= "sysctl -w net.ipv4.ip_forward=1\n"; if ($fwinfo->{TYPE} ne "iptables-dom0") {
$downline .= "sysctl -w net.ipv4.ip_forward=0\n"; $upline .= "sysctl -w net.ipv4.ip_forward=1\n";
$downline .= "sysctl -w net.ipv4.ip_forward=0\n";
}
} }
# XXX This is ugly. Older version of iptables can't handle source or # XXX This is ugly. Older version of iptables can't handle source or
...@@ -1523,7 +1527,8 @@ sub os_fwconfig_line($@) { ...@@ -1523,7 +1527,8 @@ sub os_fwconfig_line($@) {
$upline .= " $rulestr || {\n"; $upline .= " $rulestr || {\n";
$upline .= " echo 'WARNING: could not load iptables rule:'\n"; $upline .= " echo 'WARNING: could not load iptables rule:'\n";
$upline .= " echo ' $rulestr'\n"; $upline .= " echo ' $rulestr'\n";
$upline .= " iptables -F\n"; $upline .= " iptables -F\n"
if ($fwinfo->{TYPE} ne "iptables-dom0");
$upline .= " iptables -P INPUT ACCEPT\n"; $upline .= " iptables -P INPUT ACCEPT\n";
$upline .= " iptables -P OUTPUT ACCEPT\n"; $upline .= " iptables -P OUTPUT ACCEPT\n";
$upline .= " exit 1\n"; $upline .= " exit 1\n";
...@@ -1532,7 +1537,8 @@ sub os_fwconfig_line($@) { ...@@ -1532,7 +1537,8 @@ sub os_fwconfig_line($@) {
$upline .= " $rulestr || {\n"; $upline .= " $rulestr || {\n";
$upline .= " echo 'WARNING: could not load ebtables rule:'\n"; $upline .= " echo 'WARNING: could not load ebtables rule:'\n";
$upline .= " echo ' $rulestr'\n"; $upline .= " echo ' $rulestr'\n";
$upline .= " ebtables -F\n"; $upline .= " ebtables -F\n"
if ($fwinfo->{TYPE} ne "iptables-dom0");
$upline .= " ebtables -P INPUT ACCEPT\n"; $upline .= " ebtables -P INPUT ACCEPT\n";
$upline .= " ebtables -P OUTPUT ACCEPT\n"; $upline .= " ebtables -P OUTPUT ACCEPT\n";
$upline .= " exit 1\n"; $upline .= " exit 1\n";
...@@ -1541,23 +1547,39 @@ sub os_fwconfig_line($@) { ...@@ -1541,23 +1547,39 @@ sub os_fwconfig_line($@) {
} }
#
# In dom0, we cannot just flush the entire rule set, as below.
#
if ($fwinfo->{TYPE} eq "iptables-dom0") {
$downline .= " iptables -P INPUT ACCEPT\n";
$downline .= " iptables -P OUTPUT ACCEPT\n";
$downline .=
" iptables -F INPUT > /dev/null 2>&1 || true\n";
$downline .=
" iptables -F OUTPUT > /dev/null 2>&1 || true\n";
}
# This is a brute-force way to flush all ebtables and iptables # This is a brute-force way to flush all ebtables and iptables
# rules, delete all custom chains, and restore all built-in # rules, delete all custom chains, and restore all built-in
# chains to their default policies. This will produce errors # chains to their default policies. This will produce errors
# since not all tables exist for both tools, and not every # since not all tables exist for both tools, and not every
# chain exists for all tables, so all output is sent to /dev/null. # chain exists for all tables, so all output is sent to /dev/null.
for my $table (qw/filter nat mangle raw broute/) { for my $table (qw/filter nat mangle raw broute/) {
$downline .= if ($fwinfo->{TYPE} ne "iptables-dom0") {
" iptables -t $table -F > /dev/null 2>&1 || true\n"; $downline .=
$downline .= " iptables -t $table -F > /dev/null 2>&1 || true\n";
" iptables -t $table -X > /dev/null 2>&1 || true\n"; $downline .=
" iptables -t $table -X > /dev/null 2>&1 || true\n";
}
$downline .= $downline .=
" ebtables -t $table -F > /dev/null 2>&1 || true\n"; " ebtables -t $table -F > /dev/null 2>&1 || true\n";
$downline .= $downline .=
" ebtables -t $table -X > /dev/null 2>&1 || true\n"; " ebtables -t $table -X > /dev/null 2>&1 || true\n";
for my $chain (qw/INPUT OUTPUT FORWARD PREROUTING POSTROUTING BROUTING/) { for my $chain (qw/INPUT OUTPUT FORWARD PREROUTING POSTROUTING BROUTING/) {
$downline .= if ($fwinfo->{TYPE} ne "iptables-dom0") {
" iptables -t $table -P $chain ACCEPT > /dev/null 2>&1 || true\n"; $downline .=
" iptables -t $table -P $chain ACCEPT > /dev/null 2>&1 || true\n";
}
$downline .= $downline .=
" ebtables -t $table -P $chain ACCEPT > /dev/null 2>&1 || true\n"; " ebtables -t $table -P $chain ACCEPT > /dev/null 2>&1 || true\n";
} }
......
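Review bot: The dom0 guard in the disable path is applied only to the iptables commands; the `ebtables -t $table -F`/`-X` lines and the `ebtables -t $table -P $chain ACCEPT` line still run unconditionally for every table, so disabling an `iptables-dom0` firewall still wipes every ebtables rule and chain policy on the host. If domU isolation relies on bridge-level rules in dom0 (not visible in this hunk), that defeats the stated goal of not clobbering domU rules; I would wrap those ebtables statements in the same `if ($fwinfo->{TYPE} ne "iptables-dom0")` guard, or restrict them to the chains the dom0 rule set actually populates. The rule-load failure path in the earlier hunk is also inconsistent with this disable path: for dom0 it now skips the flush entirely and then sets the INPUT/OUTPUT policies to ACCEPT, leaving whatever rules loaded before the failing one in place, whereas mirroring the disable path with `$upline .= "  iptables -F INPUT\n  iptables -F OUTPUT\n" if ($fwinfo->{TYPE} eq "iptables-dom0");` would keep the two paths equivalent. The two `for` loops and the enclosing os_fwconfig_line continue past the end of this hunk.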