More linux firwall rule fixes

ec2f5e1e · Ryan Jackson · 5bf2b449 · ec2f5e1e · ec2f5e1e
Commit ec2f5e1e authored Jan 26, 2012 by Ryan Jackson
--- a/clientside/tmcc/linux/liblocsetup.pm
+++ b/clientside/tmcc/linux/liblocsetup.pm
@@ -1287,6 +1287,7 @@ sub os_fwconfig_line($@) {
 		$upline .= "vconfig add $pdev $vlanno > /dev/null\n";
 		$upline .= "ifconfig $vlandev up\n";
 		$upline .= "brctl addbr br0\n";
+		$upline .= "brctl stp br0 on\n";
 		$upline .= "ifconfig br0 up\n";
 		$upline .= "brctl addif br0 $pdev\n";
 		$upline .= "brctl addif br0 $vlandev\n";
@@ -1429,12 +1430,16 @@ sub os_fwconfig_line($@) {
 	}
 	@fwrules = @new_rules;

+	# For now, if a rule fails to load we want to fail open, not closed.  Otherwise
+	# it may be difficult to debug things.
 	foreach my $rulestr (@fwrules) {
 		if ($rulestr =~ /^iptables\s+/) {
 			$upline .= "    $rulestr || {\n";
 			$upline .= "        echo 'WARNING: could not load iptables rule:'\n";
 			$upline .= "        echo '  $rulestr'\n";
 			$upline .= "        iptables -F\n";
+			$upline .= "        iptables -P INPUT ACCEPT\n";
+			$upline .= "        iptables -P OUTPUT ACCEPT\n";
 			$upline .= "        exit 1\n";
 			$upline .= "    }\n";
 		} elsif ($rulestr =~ /^ebtables\s+/) {
@@ -1442,6 +1447,8 @@ sub os_fwconfig_line($@) {
 			$upline .= "        echo 'WARNING: could not load ebtables rule:'\n";
 			$upline .= "        echo '  $rulestr'\n";
 			$upline .= "        ebtables -F\n";
+			$upline .= "        ebtables -P INPUT ACCEPT\n";
+			$upline .= "        ebtables -P OUTPUT ACCEPT\n";
 			$upline .= "        exit 1\n";
 			$upline .= "    }\n";
 		}

--- a/firewall/iptables-fw-rules
+++ b/firewall/iptables-fw-rules
@@ -87,6 +87,9 @@ iptables -F OUTSIDE # BASIC,CLOSED,ELABINELAB
 iptables -A FORWARD -m physdev --physdev-in vlandev -s EMULAB_CNET,0.0.0.0/32,255.255.255.255 -j INSIDE # BASIC,CLOSED,ELABINELAB
 iptables -A FORWARD -m physdev --physdev-in pdev -j OUTSIDE # BASIC,CLOSED,ELABINELAB

+# Allow everything from the gateway, since the gateway may be part of the node control net
+iptables -A OUTSIDE -s EMULAB_GWIP -j ACCEPT # BASIC,CLOSED,ELABINELAB
+
 # Can talk to myself.  Does this do anything?
 # This appears to be used by elvind?
 #iptables -A INPUT -s me -d me -j ACCEPT # BASIC,CLOSED,ELABINELAB