• Mike Hibler's avatar
    Further overhaul of firewall code. NOTE: required bump of tmcd version to 34. · 6a26b246
    Mike Hibler authored
    Firewalls now work with nodes which require a subboss. Had to introduce new
    firewall rules which skipped around the checks that no packets to/from
    node control net IPs should pass through the firewall, if the IP in question
    belongs to a subboss (since subboss is on the node control network). It
    actually checks for all Emulab servers (boss, ops, fs or any subboss),
    so the code should work for an Emulab install which has a non-segmented
    control network in which all servers were in the same subnet as the nodes.
    In addition to the new rules, we also had to pass in additional information
    via "tmcc firewallinfo" giving the IP/MAC of those server nodes that are on
    the node control network. We use this to establish ARP entries on the
    inside network so that nodes can find the servers. Since the existing
    client-side firewall code in libsetup.pm would blow up if it got a line
    that it didn't recognize, I had to bump the tmcd version number and add
    some conditional code to tmcd.c:dofwinfo() to not return the extra info for
    old versions.
    Added a couple of new firewall variables EMULAB_BOSSES and EMULAB_SERVERS
    that are used in the new rules. Fixed the support scripts in firewall/
    to properly initialize these variables.
    IMPORTANT: tmcd looks up boss, ops, fs, and subbosses in the interfaces
    table to find their IPs and MAC addresses. By default, we do not create
    such interface table entries for boss/ops/fs. We have them at Utah for
    other reasons. These entries are only needed if you have a non-segmented
    control network (or a subboss) and you want to firewall such nodes.
    The script to initialize the firewall variables (initfwvars.pl) will
    print out a warning for configurations that are affected and don't have
    the entries.
genconfig.pl 3.07 KB