Commit 0aee91f8 authored by Mike Hibler's avatar Mike Hibler

Bring the various scripts into sync with the actual DB state.

One addition: allow frisbee client reports through to boss/subboss.
parent bc182b29
......@@ -59,22 +59,53 @@ iptables-domU-%.sql: genconfig-iptables.pl iptables-fw-domU-rules
%.sql: genconfig.pl
$(SRCDIR)/genconfig.pl -f $(SRCDIR)/fw-rules -M $* > $@
insertvars: initfwvars.pl
@if ! `mysqldump $(MDOPTS) $(TBDB) default_firewall_vars >vars.old`; then \
insertvars: initfwvars.pl dumpoldvars
chmod +x ./initfwvars.pl
./initfwvars.pl
insertrules: $(FW_FILES) dumpoldrules
cat $(FW_FILES) | mysql $(TBDB)
echo 'FW rules updated in DB'
dumpold: dumpoldvars dumpoldrules
dumpoldvars:
@if ! `mysqldump $(MDOPTS) -w "1 order by name" $(TBDB) default_firewall_vars >vars.old`; then \
echo -n '*** default_firewall_vars table does not exist, '; \
echo 'see sql/database-migrate.txt'; \
exit 1; \
else \
chmod +x ./initfwvars.pl; \
./initfwvars.pl; \
fi
insertrules: $(FW_FILES)
dumpoldrules:
@if ! `mysqldump $(MDOPTS) -w "1 order by type,style,ruleno" $(TBDB) default_firewall_rules >rules.old`; then \
echo -n '*** default_firewall_rules table does not exist, '; \
echo 'see sql/database-migrate.txt'; \
exit 1; \
else \
cat $(FW_FILES) | mysql $(TBDB); \
echo 'FW rules updated in DB'; \
fi
dumpnew: dumpnewvars dumpnewrules
dumpnewvars: initfwvars.pl
chmod +x ./initfwvars.pl
initfwvars.pl -n >vars.new
dumpnewrules: $(FW_FILES)
cat open.sql closed.sql basic.sql elabinelab.sql | \
grep -v 'DELETE FROM' >rules.new
cat iptables-vlan-open.sql iptables-vlan-closed.sql \
iptables-vlan-basic.sql iptables-vlan-elabinelab.sql | \
grep -v 'DELETE FROM' >>rules.new
cat iptables-dom0-open.sql iptables-dom0-closed.sql \
iptables-dom0-basic.sql | \
grep -v 'DELETE FROM' >>rules.new
cat iptables-domU-open.sql iptables-domU-closed.sql \
iptables-domU-basic.sql | \
grep -v 'DELETE FROM' >>rules.new
dump: dumpvars dumprules
dumpvars: dumpoldvars dumpnewvars
dumprules: dumpoldrules dumpnewrules
clean:
rm -f *.old *.new *.sql initfwvars.pl
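Review bot: The `dumpnewvars` recipe runs `initfwvars.pl -n >vars.new` without a `./` prefix, so the script is resolved through PATH instead of the file that the preceding `chmod +x ./initfwvars.pl` line just made executable; unless the current directory is on PATH this target fails, and if it is on PATH the wrong binary could be picked up. It should read `./initfwvars.pl -n >vars.new`, matching the `./initfwvars.pl` invocations in `insertvars` and the old `dumpoldvars` body. Separately, `dumpold*`, `dumpnew*`, `dump*` and `insert*` are command targets whose outputs are `vars.old`, `rules.old`, `vars.new` and `rules.new`, not files named after the target, so they need to be listed in `.PHONY` if that is not done elsewhere in the file (the declaration is not visible in this hunk); otherwise a stray file of that name silently disables the target. The file list hard-coded in `dumpnewrules` also duplicates what `$(FW_FILES)` already carries and will drift the next time a rule set is added.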
#
# Copyright (c) 2005-2014 University of Utah and the Flux Group.
# Copyright (c) 2005-2017 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -368,9 +368,9 @@ allow tcp from myboss to EMULAB_BOSSES 64494 in via vlan0 setup keep-state # 600
# from 60047).
#
allow udp from any to EMULAB_MCADDR EMULAB_MCPORT in via vlan0 # 60046: BASIC,CLOSED
allow udp from myboss to EMULAB_MCADDR EMULAB_MCPORT in via vlan0 # 60046: ELABINELAB
allow udp from EMULAB_BOSSES EMULAB_MCPORT to EMULAB_MCADDR EMULAB_MCPORT # 60047: BASIC,CLOSED,ELABINELAB
allow udp from EMULAB_BOSSES EMULAB_MCPORT to any EMULAB_MCPORT keep-state # 60048: BASIC,CLOSED
allow udp from myboss to EMULAB_MCADDR EMULAB_MCPORT in via vlan0 # 60046: ELABINELAB
allow udp from EMULAB_BOSSES EMULAB_MCPORT to myboss EMULAB_MCPORT keep-state # 60048: ELABINELAB
allow igmp from any to any # 60049: BASIC,CLOSED,ELABINELAB
......
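Review bot: The BASIC,CLOSED 60046 rule, `allow udp from any to EMULAB_MCADDR EMULAB_MCPORT in via vlan0`, still lists only the multicast address as destination, whereas the iptables counterpart in this same commit adds EMULAB_BOSSES so that unicast client reports reach boss/subboss. If the ipfw side relies on the dynamic entry created by the 60048 keep-state rule to admit those reports, that is not stated anywhere; a comment on 60046 such as `# client reports are unicast to boss and are admitted by the 60048 dynamic rule, not here` would make the asymmetry deliberate rather than an omission. Which of the two 60046/60048 ELABINELAB lines is old and which is new is not recoverable from this rendering, so this may already be handled on the new side.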
#!/usr/bin/perl -w
#
# Copyright (c) 2005-2014 University of Utah and the Flux Group.
# Copyright (c) 2005-2017 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -53,18 +53,23 @@ my %fwvars;
sub getfwvars()
{
# XXX for Utah Emulab as of 04/14
# XXX for Utah Emulab as of 02/17
$fwvars{EMULAB_GWIP} = "155.98.36.1";
$fwvars{EMULAB_GWMAC} = "c0:ea:e4:b1:b4:04";
$fwvars{EMULAB_VGWIP} = "172.16.0.1";
# XXX assume vnode GW MAC same as GW MAC
$fwvars{EMULAB_GWMAC} = "00:d0:bc:f4:14:f8";
$fwvars{EMULAB_NS} = "155.98.32.70";
$fwvars{EMULAB_CNET} = "155.98.36.0/22";
$fwvars{EMULAB_VNET} = "172.16.0.0/12";
$fwvars{EMULAB_BOSSES} = "boss,subboss,subboss2";
$fwvars{EMULAB_SERVERS} = "boss,subboss,subboss2,ops";
$fwvars{EMULAB_MCADDR} = "234.0.0.0/8";
$fwvars{EMULAB_MCPORT} = "1025-65535";
$fwvars{EMULAB_VCNET} = "172.16.0.0/12";
$fwvars{EMULAB_VCNET_BOSS} = "172.17.254.254";
$fwvars{EMULAB_VCNET_OPS} = "172.17.253.254";
$fwvars{EMULAB_VCBOSS} = "172.17.254.254";
$fwvars{EMULAB_VCOPS} = "172.17.253.254";
$fwvars{EMULAB_FSIPS} = "155.98.33.74,172.17.253.254";
$fwvars{EMULAB_BOSSES} = "boss,subboss,subboss2,subboss3";
$fwvars{EMULAB_SERVERS} = "boss,subboss,subboss2,subboss3,ops";
$fwvars{EMULAB_MCADDR} = "234.0.0.0/8,239.0.0.0/8";
$fwvars{EMULAB_MCPORT} = "21700-21799";
}
sub expandfwvars($)
......@@ -139,8 +144,6 @@ sub doconfig($$)
}
}
}
print "\n";
}
%options = ();
......
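Review bot: In getfwvars, `$fwvars{EMULAB_GWMAC}` is assigned on two lines of this hunk, the second of which is preceded by the comment `# XXX assume vnode GW MAC same as GW MAC`; if both lines are on the new side the second assignment silently overrides the first, and the comment suggests the intended key is the vnode gateway MAC rather than EMULAB_GWMAC. Either drop the duplicate or key the second line as `$fwvars{EMULAB_VGWMAC} = $fwvars{EMULAB_GWMAC};` so the "same as GW MAC" assumption is expressed once and cannot drift. The identical getfwvars body, with the same duplicate, appears in the next file's hunk; since the commit title is about keeping these scripts in sync with the DB, moving this table into one shared module that both scripts require would remove the need for that manual sync.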
#!/usr/bin/perl -w
#
# Copyright (c) 2005-2014 University of Utah and the Flux Group.
# Copyright (c) 2005-2017 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -50,18 +50,23 @@ my %fwvars;
sub getfwvars()
{
# XXX for Utah Emulab as of 04/14
# XXX for Utah Emulab as of 02/17
$fwvars{EMULAB_GWIP} = "155.98.36.1";
$fwvars{EMULAB_GWMAC} = "c0:ea:e4:b1:b4:04";
$fwvars{EMULAB_VGWIP} = "172.16.0.1";
# XXX assume vnode GW MAC same as GW MAC
$fwvars{EMULAB_GWMAC} = "00:d0:bc:f4:14:f8";
$fwvars{EMULAB_NS} = "155.98.32.70";
$fwvars{EMULAB_CNET} = "155.98.36.0/22";
$fwvars{EMULAB_VNET} = "172.16.0.0/12";
$fwvars{EMULAB_BOSSES} = "boss,subboss,subboss2";
$fwvars{EMULAB_SERVERS} = "boss,subboss,subboss2,ops";
$fwvars{EMULAB_MCADDR} = "234.0.0.0/8";
$fwvars{EMULAB_MCPORT} = "1025-65535";
$fwvars{EMULAB_VCNET} = "172.16.0.0/12";
$fwvars{EMULAB_VCNET_BOSS} = "172.17.254.254";
$fwvars{EMULAB_VCNET_OPS} = "172.17.253.254";
$fwvars{EMULAB_VCBOSS} = "172.17.254.254";
$fwvars{EMULAB_VCOPS} = "172.17.253.254";
$fwvars{EMULAB_FSIPS} = "155.98.33.74,172.17.253.254";
$fwvars{EMULAB_BOSSES} = "boss,subboss,subboss2,subboss3";
$fwvars{EMULAB_SERVERS} = "boss,subboss,subboss2,subboss3,ops";
$fwvars{EMULAB_MCADDR} = "234.0.0.0/8,239.0.0.0/8";
$fwvars{EMULAB_MCPORT} = "21700-21799";
}
sub expandfwvars($)
......@@ -136,8 +141,6 @@ sub doconfig($)
}
}
}
print "\n";
}
%options = ();
......
#!/usr/bin/perl -w
#
# Copyright (c) 2005-2014 University of Utah and the Flux Group.
# Copyright (c) 2005-2017 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -49,6 +49,7 @@ my $USERNODE_IP = "@USERNODE_IP@";
my $FSNODE_IP = "@FSNODE_IP@";
my $FRISBEE_MCASTADDR = "@FRISEBEEMCASTADDR@";
my $FRISBEE_MCASTPORT = "@FRISEBEEMCASTPORT@";
my $FRISBEE_MCNUMPORT = "@FRISEBEENUMPORTS@";
#
# Sorry these are hardwired; boss/ops addresses on the virtual control
# network, on non-segmented networks like the IG racks.
......@@ -96,6 +97,10 @@ my $str;
my $res;
my $subbosses = 0;
if (@ARGV > 0 && $ARGV[0] eq "-n") {
$doit = 0;
}
#
# Create EMULAB_BOSSES variable.
#
......@@ -218,19 +223,19 @@ DBQueryFatal($str)
# so here.
# XXX assumptions III (as of 11/11). Frisbee master server running on
# subboss can open up the port range even wider, by default starting at 1025.
# XXX assumptions IV (as of 5/15). Frisbee master server now constrains
# server/client to a configurable range.
# XXX assumptions V (as of 2/17). Subbosses use the same port range as boss.
#
my @mcaddr = split /\./, $FRISBEE_MCASTADDR, 4;
$FRISBEE_MCASTADDR = $mcaddr[0] . ".0.0.0/8";
if ($bstr ne "boss") {
$FRISBEE_MCASTPORT = 1025
if ($FRISBEE_MCASTPORT > 1025);
}
$FRISBEE_MCASTPORT = $FRISBEE_MCASTPORT . "-65535";
# XXX hack for subbosses
if ($subbosses > 0 && $mcaddr[0] != 239) {
$FRISBEE_MCASTADDR .= ",239.0.0.0/8";
}
my $loport = ($FRISBEE_MCASTPORT == 0) ? 1025 : $FRISBEE_MCASTPORT;
my $hiport = ($FRISBEE_MCNUMPORT == 0) ? 65535 : $loport + $FRISBEE_MCNUMPORT - 1;
$FRISBEE_MCASTPORT = "$loport-$hiport";
$str = "replace into default_firewall_vars values ('EMULAB_MCADDR', '$FRISBEE_MCASTADDR')";
print "$str\n"
......
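Review bot: The new `$hiport` computation, `$loport + $FRISBEE_MCNUMPORT - 1`, is not bounded, so a configured port count that runs past the end of the port space yields a range like `65000-66023` in EMULAB_MCPORT and an invalid rule downstream; add `$hiport = 65535 if ($hiport > 65535);` after it, and consider a `die` when `$loport > $hiport`. The `== 0` fallbacks also fire when the `@FRISEBEENUMPORTS@` or port substitution is left empty by configure, which under `-w` only warns, so the resulting 1025-65535 range is worth a comment stating that an unset port count deliberately opens the whole high-port range. The enclosing code continues outside this hunk.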
......@@ -171,3 +171,14 @@ iptables -P OUTPUT DROP # BASIC,CLOSED,ELABINELAB
#iptables -A INPUT -j LOG --log-prefix "INPUT: " --log-level 5 # BASIC,CLOSED,ELABINELAB
#iptables -A OUTPUT -j LOG --log-prefix "OUTPUT: " --log-level 5 # BASIC,CLOSED,ELABINELAB
#
# Control access to the rpcbind port.
# XXX these were added straight to the DB by someone.
#
iptables -A FORWARD -s 127.0.0.1/32 -p tcp -m physdev --physdev-in eth0 -m tcp --dport 111 -j ACCEPT # BASIC,CLOSED
iptables -A FORWARD -s EMULAB_VCNET -p tcp -m physdev --physdev-in eth0 -m tcp --dport 111 -j ACCEPT # BASIC,CLOSED
iptables -A FORWARD -s EMULAB_VCNET -p udp -m physdev --physdev-in eth0 -m udp --dport 111 -j ACCEPT # BASIC,CLOSED
iptables -A FORWARD -s EMULAB_CNET -p tcp -m physdev --physdev-in eth0 -m tcp --dport 111 -j ACCEPT # BASIC,CLOSED
iptables -A FORWARD -s EMULAB_CNET -p udp -m physdev --physdev-in eth0 -m udp --dport 111 -j ACCEPT # BASIC,CLOSED
iptables -A FORWARD -p tcp -m physdev --physdev-in eth0 -m tcp --dport 111 -j DROP # BASIC,CLOSED
iptables -A FORWARD -p udp -m physdev --physdev-in eth0 -m udp --dport 111 -j DROP # BASIC,CLOSED
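Review bot: The first rpcbind rule accepts `-s 127.0.0.1/32` on packets entering via `--physdev-in eth0`, a loopback source address that cannot legitimately arrive on a physical port and, if it does, is spoofed; unless there is a known local reason for it, that ACCEPT should be dropped so such packets fall through to the trailing DROP. The comment `# XXX these were added straight to the DB by someone.` records provenance but not purpose; since the commit brings the files in line with the DB, this is the place to state which clients on EMULAB_CNET/EMULAB_VCNET need port 111 and why, e.g. `# NFS/rpcbind for control-network and virtual-control-network clients only; everything else forwarded to 111 is dropped`.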
#
# Copyright (c) 2005-2014 University of Utah and the Flux Group.
# Copyright (c) 2005-2017 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -250,6 +250,7 @@ iptables -A INSIDE -p tcp -s myboss -d EMULAB_BOSSES --dport 64494 --syn -m conn
#
# Frisbee multicast with boss
# * nodes mcast everything to boss (joins, leaves and requests): 60046
# * except for reports, which are unicast to boss: 60046
# * boss mcasts blocks to same mcaddr/port: 60047
# * boss unicasts join replies to same port: 60048
# * node and switch need to IGMP: 60049
......@@ -269,7 +270,7 @@ iptables -A INSIDE -p tcp -s myboss -d EMULAB_BOSSES --dport 64494 --syn -m conn
# from 60047).
#
iptables -A INSIDE -p udp -d EMULAB_MCADDR --dport EMULAB_MCPORT -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d EMULAB_MCADDR,EMULAB_BOSSES --dport EMULAB_MCPORT -j ACCEPT # BASIC,CLOSED
iptables -A OUTSIDE -p udp -s EMULAB_BOSSES --sport EMULAB_MCPORT -d EMULAB_MCADDR --dport EMULAB_MCPORT -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTSIDE -p udp -s EMULAB_BOSSES --sport EMULAB_MCPORT --dport EMULAB_MCPORT -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -s myboss -d EMULAB_MCADDR --dport EMULAB_MCPORT -j ACCEPT # ELABINELAB
......
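Review bot: The widened 60046 rule, `-d EMULAB_MCADDR,EMULAB_BOSSES --dport EMULAB_MCPORT`, now admits UDP from nodes to boss and every subboss on the whole EMULAB_MCPORT range, and in this commit that range falls back to 1025-65535 when the frisbee port count is unset; in that configuration the rule opens all high UDP ports on the bosses to node traffic, not just frisbee reports. The comment block above should say so, e.g. `# 60046 also admits unicast to boss/subboss; the exposure is bounded only by EMULAB_MCPORT, so keep FRISBEE_MCNUMPORT configured`. Note too that the comma-separated `-d` list expands into two separate rules in the chain, which is fine for ACCEPT but matters if a rule number is ever used to refer to it.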