Commit 2faea2f3 authored by Leigh Stoller's avatar Leigh Stoller

Server side of firewall support for XEN containers.

This differs from the current firewall support, which assumes a single
firewall for an entire experiment, hosted on a dedicated physical
node. At some point, it would be better to host the dedicated firewall
inside a XEN container, but that is a project for another day (year).

Instead, I added two sets of firewall rules to the default_firewall_rules
table, one for dom0 and another for domU. These follow the current
style setup of open,basic,closed, while elabinelab is ignored since it
does not make sense for this yet.

These two rules sets are independent, the dom0 rules can be applied to
the physical host, and domU rules can be applied to specific
containers.

My goal is that all shared nodes will get the dom0 closed rules (ssh
from local boss only) to avoid the ssh attacks that all of the racks
are seeing.

DomU rules can be applied on a per-container (node) basis. As
mentioned above this is quite different, and needed minor additions to
the virt_nodes table to allow it.
parent dd2cb49c
...@@ -507,7 +507,7 @@ CREATE TABLE `datapository_databases` ( ...@@ -507,7 +507,7 @@ CREATE TABLE `datapository_databases` (
DROP TABLE IF EXISTS `default_firewall_rules`; DROP TABLE IF EXISTS `default_firewall_rules`;
CREATE TABLE `default_firewall_rules` ( CREATE TABLE `default_firewall_rules` (
`type` enum('ipfw','ipfw2','iptables','ipfw2-vlan','iptables-vlan') NOT NULL default 'ipfw', `type` enum('ipfw','ipfw2','iptables','ipfw2-vlan','iptables-vlan','iptables-dom0','iptables-domU') NOT NULL default 'ipfw',
`style` enum('open','closed','basic','emulab') NOT NULL default 'basic', `style` enum('open','closed','basic','emulab') NOT NULL default 'basic',
`enabled` tinyint(4) NOT NULL default '0', `enabled` tinyint(4) NOT NULL default '0',
`ruleno` int(10) unsigned NOT NULL default '0', `ruleno` int(10) unsigned NOT NULL default '0',
...@@ -4957,6 +4957,8 @@ CREATE TABLE `virt_nodes` ( ...@@ -4957,6 +4957,8 @@ CREATE TABLE `virt_nodes` (
`numeric_id` int(11) default NULL, `numeric_id` int(11) default NULL,
`sharing_mode` varchar(32) default NULL, `sharing_mode` varchar(32) default NULL,
`role` enum('node','bridge') NOT NULL default 'node', `role` enum('node','bridge') NOT NULL default 'node',
`firewall_style` tinytext,
`firewall_log` tinytext,
PRIMARY KEY (`exptidx`,`vname`), PRIMARY KEY (`exptidx`,`vname`),
UNIQUE KEY `pideid` (`pid`,`eid`,`vname`), UNIQUE KEY `pideid` (`pid`,`eid`,`vname`),
KEY `pid` (`pid`,`eid`,`vname`) KEY `pid` (`pid`,`eid`,`vname`)
...@@ -1109,6 +1109,8 @@ REPLACE INTO table_regex VALUES ('virt_firewalls','fwname','text','redirect','vi ...@@ -1109,6 +1109,8 @@ REPLACE INTO table_regex VALUES ('virt_firewalls','fwname','text','redirect','vi
REPLACE INTO table_regex VALUES ('virt_firewalls','type','text','regex','^(ipfw|ipfw2|iptables|ipfw2-vlan|iptables-vlan)$',0,0,NULL); REPLACE INTO table_regex VALUES ('virt_firewalls','type','text','regex','^(ipfw|ipfw2|iptables|ipfw2-vlan|iptables-vlan)$',0,0,NULL);
REPLACE INTO table_regex VALUES ('virt_firewalls','style','text','regex','^(open|closed|basic|emulab)$',0,0,NULL); REPLACE INTO table_regex VALUES ('virt_firewalls','style','text','regex','^(open|closed|basic|emulab)$',0,0,NULL);
REPLACE INTO table_regex VALUES ('virt_nodes','firewall_style','text','regex','^(open|closed|basic|emulab)$',0,0,NULL);
REPLACE INTO table_regex VALUES ('mailman_lists','pid_idx','text','redirect','projects:pid_idx',0,0,NULL); REPLACE INTO table_regex VALUES ('mailman_lists','pid_idx','text','redirect','projects:pid_idx',0,0,NULL);
REPLACE INTO table_regex VALUES ('mailman_lists','password1','text','redirect','default:tinytext',0,0,NULL); REPLACE INTO table_regex VALUES ('mailman_lists','password1','text','redirect','default:tinytext',0,0,NULL);
REPLACE INTO table_regex VALUES ('mailman_lists','password2','text','redirect','default:tinytext',0,0,NULL); REPLACE INTO table_regex VALUES ('mailman_lists','password2','text','redirect','default:tinytext',0,0,NULL);
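Review bot: The new `firewall_log` column that the schema and the update script both add to virt_nodes gets no table_regex row in this hunk, while `firewall_style` does (the line just above the mailman_lists rows); if the input validator requires a row for every slot, a virt_nodes insert carrying firewall_log would be rejected, and if it does not, the column accepts anything unchecked, so a row is needed either way, e.g. `REPLACE INTO table_regex VALUES ('virt_nodes','firewall_log','text','redirect','default:tinytext',0,0,NULL);`, to be tightened once the real value set is defined. The same row is missing from the DoUpdate script further down this page. Separately, the `virt_firewalls.type` regex on the first line of this hunk still lists only the five original types, so iptables-dom0 and iptables-domU cannot be given there; that may be intended since these rule sets are selected through virt_nodes.firewall_style, but a short comment saying so would save the next reader the question.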
#
# New firewall type.
#
use strict;
use libdb;
sub DoUpdate($$$)
{
my ($dbhandle, $dbname, $version) = @_;
DBQueryFatal("alter table default_firewall_rules change `type` ".
" `type` enum('ipfw','ipfw2','iptables','ipfw2-vlan',".
" 'iptables-vlan','iptables-dom0', ".
" 'iptables-domU') ".
" NOT NULL default 'ipfw'");
if (!DBSlotExists("virt_nodes", "firewall_style")) {
DBQueryFatal("alter table virt_nodes add ".
" `firewall_style` tinytext");
}
DBQueryFatal("REPLACE INTO table_regex VALUES ".
"('virt_nodes','firewall_style','text','regex',".
"'^(open|closed|basic|emulab)\$',0,0,NULL)");
if (!DBSlotExists("virt_nodes", "firewall_log")) {
DBQueryFatal("alter table virt_nodes add ".
" `firewall_log` tinytext");
}
}
# Local Variables:
# mode:perl
# End:
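Review bot: DoUpdate falls off its closing brace without an explicit `return 0;`, and nothing after the sub yields a true value for the file, so if the update driver checks DoUpdate's result or loads this file with require, the script would be reported as failed even though every statement ran; add `return 0;` as the last statement of DoUpdate and `1;` after its closing brace, which is presumably how the sibling update scripts end. The header comment `# New firewall type.` undersells the change; suggest `# Add the iptables-dom0/iptables-domU firewall types and the per-node firewall_style/firewall_log slots in virt_nodes.` The two DBSlotExists guards make the column adds re-runnable while the enum ALTER is unconditional; that is fine because re-applying the same enum is idempotent, and a one-line comment saying so would stop a future reader from wrapping it in a guard it does not need.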
# -*- tcl -*- # -*- tcl -*-
# #
# Copyright (c) 2000-2013 University of Utah and the Flux Group. # Copyright (c) 2000-2014 University of Utah and the Flux Group.
# #
# {{{EMULAB-LICENSE # {{{EMULAB-LICENSE
# #
...@@ -146,6 +146,9 @@ Node instproc init {s} { ...@@ -146,6 +146,9 @@ Node instproc init {s} {
# This is a blockstore thing. # This is a blockstore thing.
$self set bstore_agent 0 $self set bstore_agent 0
# Per node firewall thing.
$self set fw_style ""
} }
Bridge instproc init {s} { Bridge instproc init {s} {
...@@ -229,6 +232,7 @@ Node instproc updatedb {DB} { ...@@ -229,6 +232,7 @@ Node instproc updatedb {DB} {
$self instvar simulated $self instvar simulated
$self instvar sharing_mode $self instvar sharing_mode
$self instvar topo $self instvar topo
$self instvar fw_style
$self instvar X_ $self instvar X_
$self instvar Y_ $self instvar Y_
$self instvar orientation_ $self instvar orientation_
...@@ -402,6 +406,11 @@ Node instproc updatedb {DB} { ...@@ -402,6 +406,11 @@ Node instproc updatedb {DB} {
lappend values $parent_osid lappend values $parent_osid
} }
if { $fw_style != "" } {
lappend fields "firewall_style"
lappend values $fw_style
}
$sim spitxml_data "virt_nodes" $fields $values $sim spitxml_data "virt_nodes" $fields $values
if {$topo != "" && ($type == "robot" || $hwtype_class($type) == "robot")} { if {$topo != "" && ($type == "robot" || $hwtype_class($type) == "robot")} {
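Review bot: The comment above the new `fw_style` initializer in Node init says only `# Per node firewall thing.`, which tells the reader nothing about the values it takes or who consumes it; suggest `# Per-node firewall style set by tb-set-fw-style; empty means no per-node firewall. Emitted to virt_nodes.firewall_style by updatedb.` The updatedb hunk could carry the matching note `# Only emit firewall_style when the user asked for one; the slot is left unset otherwise.` Nothing in this file touches the new `firewall_log` column, so it is worth stating in one of those comments whether it is set elsewhere or still unused; I cannot tell from the hunks shown here.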
...@@ -73,6 +73,7 @@ proc tb-set-endnodeshaping {link onoff} {} ...@@ -73,6 +73,7 @@ proc tb-set-endnodeshaping {link onoff} {}
proc tb-set-noshaping {link onoff} {} proc tb-set-noshaping {link onoff} {}
proc tb-set-useveth {link onoff} {} proc tb-set-useveth {link onoff} {}
proc tb-set-link-encap {link style} {} proc tb-set-link-encap {link style} {}
proc tb-set-fw-style {vnode style} {}
proc tb-set-allowcolocate {lanlink onoff} {} proc tb-set-allowcolocate {lanlink onoff} {}
proc tb-set-colocate-factor {factor} {} proc tb-set-colocate-factor {factor} {}
proc tb-set-sync-server {node} {} proc tb-set-sync-server {node} {}
...@@ -2290,6 +2290,20 @@ proc tb-set-elabinelab-fw-type {type} { ...@@ -2290,6 +2290,20 @@ proc tb-set-elabinelab-fw-type {type} {
set elabinelab_fw_type $type set elabinelab_fw_type $type
} }
#
# Set firewall style for an individual node. Really only makes sense
# for linux nodes with iptables. Might need to add an os_feature.
#
proc tb-set-fw-style {vnode style}
{
if ($style != "basic" && $style != "closed" &&
$style != "open" && $style != "elabinelab") {
perror "\[tb-set-fw-style] $style is not a valid type"
return
}
$vnode set fw_style $style
}
# #
# Set numeric ID (this is a mote thing) # Set numeric ID (this is a mote thing)
# #
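Review bot: As rendered, `proc tb-set-fw-style {vnode style}` has its opening brace on the following line and the `if` test is parenthesised and split across two lines; in Tcl a newline outside braces ends the command and parentheses do not group words, so unless the page dropped a line continuation or the original actually uses braces, neither the proc definition nor the test parses. Beyond syntax, the accepted set here (basic, closed, open, elabinelab) does not match the table_regex row this commit adds for virt_nodes.firewall_style, `^(open|closed|basic|emulab)$`: `elabinelab` passes this check and would fail that regex, while `emulab` fails here and is allowed there, and the commit message itself says elabinelab is not meaningful for this feature. Suggest `proc tb-set-fw-style {vnode style} {` followed by `if {[lsearch -exact {open closed basic emulab} $style] < 0} {`, and the message `"\[tb-set-fw-style] $style is not a valid style"` since the argument is a style, not a type.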