Commit 262d2d67 authored by Mike Hibler's avatar Mike Hibler

Changes to firewall setup.

tmcd firewallinfo now returns MACs for all nodes so that the firewall
can act as an ARP proxy.
parent d52cbcc8
......@@ -2,7 +2,7 @@
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2005 University of Utah and the Flux Group.
# Copyright (c) 2000-2006 University of Utah and the Flux Group.
# All rights reserved.
#
# TODO: Signal handlers for protecting db files.
......@@ -47,7 +47,7 @@ use libtmcc;
#
# BE SURE TO BUMP THIS AS INCOMPATIBILE CHANGES TO TMCD ARE MADE!
#
sub TMCD_VERSION() { 25; };
sub TMCD_VERSION() { 26; };
libtmcc::configtmcc("version", TMCD_VERSION());
# Control tmcc timeout.
......@@ -1044,6 +1044,7 @@ sub getfwconfig($$;$)
my $fwinfo = {};
my @fwrules = ();
my @fwhosts = ();
my %fwhostmacs = ();
$$infoptr = undef;
@$rptr = ();
......@@ -1052,11 +1053,11 @@ sub getfwconfig($$;$)
return -1;
}
my $rempat = q(TYPE=remote FWIP=([0-9\.]*));
my $rempat = q(TYPE=remote FWIP=([\d\.]*));
my $fwpat = q(TYPE=([-\w]+) STYLE=(\w+) IN_IF=(\w*) OUT_IF=(\w*) IN_VLAN=(\d+) OUT_VLAN=(\d+));
my $rpat = q(RULENO=(\d*) RULE="(.*)");
my $vpat = q(VAR=(EMULAB_\w+) VALUE="(.*)");
my $hpat = q(HOST=([-\w]+) CNETIP=([0-9\.]*));
my $hpat = q(HOST=([-\w]+) CNETIP=([\d\.]*) CNETMAC=([\da-f]{12}));
$fwinfo->{"TYPE"} = "none";
foreach my $line (@tmccresults) {
......@@ -1103,15 +1104,38 @@ sub getfwconfig($$;$)
} elsif ($line =~ /$vpat/) {
$fwvars{$1} = $2;
} elsif ($line =~ /$hpat/) {
my $host = $1;
my $ip = $2;
my $mac = $3;
# create a tmcc hostlist format string
push(@fwhosts,
"NAME=$1 IP=$2 ALIASES=''");
"NAME=$host IP=$ip ALIASES=''");
# and save off the MACs
$fwhostmacs{$host} = $mac;
} else {
warn("*** WARNING: Bad firewall info line: $line\n");
return 1;
}
}
# XXX inner elab: make sure we have a "myfs" entry
if (defined($fwhostmacs{"myboss"}) && !defined($fwhostmacs{"myfs"})) {
for my $host (@fwhosts) {
if ($host =~ /NAME=myops/) {
$host =~ s/ALIASES=''/ALIASES='myfs'/;
}
}
}
# info for proxy ARP
$fwinfo->{"GWIP"} = $fwvars{"EMULAB_GWIP"};
$fwinfo->{"GWMAC"} = $fwvars{"EMULAB_GWMAC"};
if (%fwhostmacs) {
$fwinfo->{"MACS"} = \%fwhostmacs;
}
# make a pass over the rules, expanding variables
my $bad = 0;
foreach my $rule (@fwrules) {
......
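Review bot: The gateway values copied at `$fwinfo->{"GWIP"} = $fwvars{"EMULAB_GWIP"};` and `$fwinfo->{"GWMAC"} = $fwvars{"EMULAB_GWMAC"};` come from the `VAR=... VALUE="(.*)"` pattern with no shape check, while the per-node MACs on the same path are held to `CNETMAC=([\da-f]{12})`; both gateway values are later interpolated verbatim into `arp -s` lines of the generated firewall script (see the FreeBSD os_fwconfig_line hunk on this page), so a missing or malformed value produces a broken script rather than a failed config. Since the proxy-ARP data is only consumed when `%fwhostmacs` is non-empty, I would validate inside that `if` and fail the same way the parse loop fails on a bad line (`warn` plus `return 1`). The on-the-wire form of EMULAB_GWMAC (colon-separated versus 12 bare hex digits) is not visible here, so the MAC pattern below should be matched to what tmcd actually emits. getfwconfig continues past the end of this hunk.
```perl
$fwinfo->{"GWIP"} = $fwvars{"EMULAB_GWIP"};
$fwinfo->{"GWMAC"} = $fwvars{"EMULAB_GWMAC"};
if (%fwhostmacs) {
    # These go verbatim into "arp -s" lines of the firewall script;
    # refuse to continue if they are missing or not address-shaped.
    if (!defined($fwinfo->{"GWIP"}) || $fwinfo->{"GWIP"} !~ /^[\d.]+$/ ||
        !defined($fwinfo->{"GWMAC"}) ||
        $fwinfo->{"GWMAC"} !~ /^[\da-f]{2}(:[\da-f]{2}){5}$/i) {
        warn("*** WARNING: Bad or missing EMULAB_GWIP/EMULAB_GWMAC in firewall info\n");
        return 1;
    }
    $fwinfo->{"MACS"} = \%fwhostmacs;
}
# … unchanged: rule variable expansion …
```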
......@@ -2,7 +2,7 @@
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2005 University of Utah and the Flux Group.
# Copyright (c) 2000-2006 University of Utah and the Flux Group.
# All rights reserved.
#
......@@ -526,6 +526,21 @@ sub os_fwconfig_line($@)
my $logaccept = defined($fwinfo->{LOGACCEPT}) ? $fwinfo->{LOGACCEPT} : 0;
my $logreject = defined($fwinfo->{LOGREJECT}) ? $fwinfo->{LOGREJECT} : 0;
#
# Convert MAC info to a useable form and filter out the firewall itself
#
my $href = $fwinfo->{MACS};
while (my ($node,$mac) = each(%$href)) {
if ($mac eq $fwinfo->{OUT_IF}) {
delete($$href{$node});
} elsif ($mac =~ /^(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})$/) {
$$href{$node} = "$1:$2:$3:$4:$5:$6";
} else {
warn "*** WARNING: Bad MAC returned for $node in fwinfo: $mac\n";
return ("false", "false");
}
}
#
# VLAN enforced layer2 firewall with FreeBSD/IPFW2
#
......@@ -546,11 +561,31 @@ sub os_fwconfig_line($@)
$upline .= " fi\n";
$upline .= " sysctl net.link.ether.bridge_vlan=0\n";
$upline .= " sysctl net.link.ether.bridge_ipfw=1\n";
$upline .= " sysctl net.link.ether.ipfw=0\n";
$upline .= " sysctl net.link.ether.bridge_cfg=$vlandev,$pdev\n";
$upline .= " if [ -z \"`sysctl net.inet.ip.fw.enable 2>/dev/null`\" ]; then\n";
$upline .= " kldload ipfw.ko >/dev/null 2>&1\n";
$upline .= " fi\n";
#
# Setup proxy ARP entries
#
if (defined($fwinfo->{MACS})) {
$upline .= " sysctl net.link.ether.inet.proxygwonly=1\n";
# XXX must have an IP on the vlan dev for the arp to work
$upline .= " ifconfig $vlandev inet 10.0.0.1 netmask 255.255.255.255\n";
# provide GW MAC to inside
$upline .= " arp -i $vlandev -s " .
$fwinfo->{GWIP} . " " . $fwinfo->{GWMAC} . " pub only\n";
# provide node MACs to outside
my $href = $fwinfo->{MACS};
while (my ($node,$mac) = each %$href) {
$upline .= " arp -i $pdev -s $node $mac pub only\n";
}
}
foreach my $rule (sort { $a->{RULENO} <=> $b->{RULENO}} @fwrules) {
my $rulestr = $rule->{RULE};
if ($logaccept && $rulestr =~ /^(allow|accept|pass|permit)\s.*/) {
......@@ -579,6 +614,15 @@ sub os_fwconfig_line($@)
$downline .= " sysctl net.link.ether.bridge_cfg=\"\"\n";
$downline .= " sysctl net.link.ether.bridge_ipfw=0\n";
$downline .= " sysctl net.link.ether.bridge_vlan=1\n";
if (defined($fwinfo->{MACS})) {
$downline .= " arp -i $vlandev -d " . $fwinfo->{GWIP} . " pub\n";
my $href = $fwinfo->{MACS};
while (my ($node,$mac) = each %$href) {
$downline .= " arp -i $pdev -d $node pub\n";
}
$downline .= " sysctl net.link.ether.inet.proxygwonly=0\n";
}
$downline .= " ifconfig $vlandev destroy";
return ($upline, $downline);
......
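Review bot: The MAC normalisation at `} elsif ($mac =~ /^(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})(\w{2})$/) {` accepts any word characters (letters, digits, underscore), not just hex digits, and the proxy-ARP block later interpolates `$fwinfo->{GWIP}` and `$fwinfo->{GWMAC}` into the `arp -i $vlandev -s ... pub only` line with no defined check, so an absent gateway value yields a malformed arp command inside a generated script that has no error handling of its own. The per-node MACs are only guaranteed hex if they arrived via getfwconfig's `CNETMAC=([\da-f]{12})` pattern; since this function is the last stop before shell text, I would tighten the check here and bail out with the existing `("false", "false")` convention when the gateway info is missing. Note also that `if ($mac eq $fwinfo->{OUT_IF}) {` compares the raw 12-hex form, so it only filters the firewall's own interface if OUT_IF is carried in that same form — worth a one-line comment if that is the intent. os_fwconfig_line begins before the first hunk and its tail is not shown.
```perl
while (my ($node,$mac) = each(%$href)) {
    # … unchanged: skip the firewall's own OUT_IF …
    } elsif ($mac =~ /^[\da-f]{12}$/i) {
        # 12 hex digits -> colon-separated form expected by arp(8)
        $$href{$node} = join(':', $mac =~ /../g);
    } else {
    # … unchanged: warn and return ("false", "false") …
}
# … unchanged: bridge/ipfw sysctl setup …
if (defined($fwinfo->{MACS})) {
    if (!defined($fwinfo->{GWIP}) || !defined($fwinfo->{GWMAC})) {
        warn "*** WARNING: proxy ARP requested but no GWIP/GWMAC in fwinfo\n";
        return ("false", "false");
    }
    $upline .= "    sysctl net.link.ether.inet.proxygwonly=1\n";
    # … unchanged: ifconfig and arp -s lines …
```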