Commit 6eff9de6 authored by Leigh Stoller's avatar Leigh Stoller

Checkpoint the rest of my changes to support swapmod of both ElabInElab and

Firewalled experiments (see tbsetup/elabinelab.in for the other stuff).

* To support firewalled experiments, needed to add a new virt_firewalls
  table to split the existing firewalls table up, which included both
  virtual and physical stuff. There are the usual frontend changes and a
  few other things scattered around, including tmcd.c.

* The firewall code in tbswap got some beefing up to support adding and
  deleting nodes from the its special control net vlan. Note that I have
  not made any progress on containment of deleted nodes, just as we do not
  do anything now for teardown (unless its paniced, in which case the
  experiment cannot be modified anyway).

* ptopgen and assign_wrapper got some interesting modifications: Unlike
  regular swapmod, we cannot just tear down all the vlans since that would
  interrupt everything inside the inner elab. Instead, leave the vlans as
  is. The problem is that when assign runs, it can just as easily pick
  different interfaces on the same nodes, which would be a royal pain in
  the ass to deal with! So, ptopgen got a new option (-u) that assign
  wrapper uses to tell ptopgen that it should prune out unused interfaces
  from nodes that are already allocated to the experiment. This is, at
  best, as pathetically gross hack, but it makes sure that all the
  interfaces stay the same across swapmods.

* The unrelated revision of elabinelab has a bunch of new code for adding
  and deleting nodes from the inner elab. Mostly it deals with dhcpd (inner
  and outer, waiting for nodes to reboot, etc). It also deals with updating
  the vlans table in the DB, pruning out any nodes (ports) that are deleted
  but for which there are still interfaces in existing vlans. Said ports
  are then moved back to the default vlan with calls to snmpit. Also under
  another revision a couple of weeks ago are the web interface changes to
  support the newnode MFS inside an inner Emulab.

* swapexp and endexp got some more checks for firewalled and paniced
  experiments, which were missing.
parent b031d1a7
......@@ -168,6 +168,7 @@ use vars qw(@ISA @EXPORT);
TBLeaderMailList ExpGroup TBExptSetSwapUID TBExptSetThumbNail
TBNodeAllocCheck TBPlabNodeUsername MarkPhysNodeDown TBExptIsElabInElab
TBExptFirewall TBNodeFirewall TBSetExptFirewallVlan
TBClearExptFirewallVlan
TBNodeType TBNodeTypeProcInfo TBNodeTypeBiosWaittime
......@@ -3193,7 +3194,7 @@ sub TBRobotLabExpt($$)
"nseconfigs",
"eventlist",
"event_groups",
"firewalls",
"virt_firewalls",
"firewall_rules",
"virt_tiptunnels",
"ipsubnets",
......@@ -3201,7 +3202,6 @@ sub TBRobotLabExpt($$)
@physicalTables = ("delays",
"vlans",
"elabinelab_vlans",
"tunnels",
"ipport_ranges",
"v2pmap",
......@@ -3812,13 +3812,12 @@ sub TBExptFirewall ($$;$$$) {
my $query_result;
#
# Short form: is there a firewall?
# Only check the firewalls table so that we can be called for a swapped
# experiment (swapped experiments don't have reserved table info).
# Short form: is there a firewall? Use the virt_firewalls table so can
# be called for a swapped or active experiment.
#
if (!defined($fwnodep)) {
$query_result =
DBQueryWarn("SELECT eid FROM firewalls ".
DBQueryWarn("SELECT eid FROM virt_firewalls ".
"WHERE pid='$pid' and eid='$eid' ".
"AND type LIKE '%-vlan'");
if (!$query_result || $query_result->num_rows == 0) {
......@@ -3833,10 +3832,12 @@ sub TBExptFirewall ($$;$$$) {
# will be NULL.
#
$query_result =
DBQueryWarn("SELECT r.node_id,f.vlan,f.vlanid FROM firewalls AS f ".
"LEFT JOIN reserved AS r ".
" ON f.pid=r.pid AND f.eid=r.eid AND f.fwname=r.vname ".
"WHERE f.pid='$pid' and f.eid='$eid'");
DBQueryWarn("select r.node_id,f.vlan,f.vlanid from ".
" virt_firewalls as v ".
"left join firewalls as f on f.pid=v.pid and f.eid=v.eid ".
"left join reserved as r on r.pid=v.pid and ".
" r.eid=v.eid and r.vname=v.fwname ".
"where v.pid='$pid' and v.eid='$eid'");
if (!$query_result || $query_result->num_rows == 0) {
return 0;
}
......@@ -3859,8 +3860,7 @@ sub TBExptFirewall ($$;$$$) {
}
#
# Set (fwvlan!=undef) or clear (fwvlan==undef) the firewall VLAN number
# for an experiment.
# Set the firewall VLAN number for an experiment.
#
# XXX this will need to change if we support multiple firewalls per experiment.
#
......@@ -3872,29 +3872,51 @@ sub TBSetExptFirewallVlan($$$$) {
return 0;
}
if (!defined($fwvlanid)) {
$fwvlanid = "NULL";
}
if (!defined($fwvlan)) {
$fwvlan = "NULL";
}
#
# Need the virtual name since we use that to ensure uniqness in the
# firewalls table.
#
my $query_result =
DBQueryWarn("select fwname from virt_firewalls ".
"WHERE pid='$pid' AND eid='$eid'");
return -1
if (!$query_result || $query_result->num_rows == 0);
my ($fwname) = $query_result->fetchrow_array();
#
# Change the firewalls table entry to reflect the VLAN
#
DBQueryWarn("UPDATE firewalls set vlan=$fwvlan,vlanid=$fwvlanid ".
"WHERE pid='$pid' AND eid='$eid'");
DBQueryWarn("replace into firewalls (pid,eid,fwname,vlan,vlanid) ".
"values ('$pid', '$eid', '$fwname', $fwvlan, $fwvlanid)");
#
# Change the reserved table entries for all firewalled nodes to reflect it.
#
# XXX when clearing, we don't bother with reserved since the row may
DBQueryWarn("UPDATE reserved set cnet_vlan=$fwvlan ".
"WHERE pid='$pid' AND eid='$eid' AND node_id!='$fwnode'");
}
#
# Clear the firewall VLAN number for an experiment.
#
# XXX this will need to change if we support multiple firewalls per experiment.
#
sub TBClearExptFirewallVlan($$)
{
my ($pid, $eid) = @_;
#
# Clear entry from the firewalls table.
#
DBQueryWarn("delete from firewalls ".
"where pid='$pid' and eid='$eid'");
#
# XXX when clearing, do not bother with reserved since the row may
# already be gone.
#
if (defined($fwvlan)) {
DBQueryWarn("UPDATE reserved set cnet_vlan=$fwvlan ".
"WHERE pid='$pid' AND eid='$eid' AND node_id!='$fwnode'");
}
}
#
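Review bot: In TBSetExptFirewallVlan the results of the `replace into firewalls` and `UPDATE reserved set cnet_vlan=...` calls are discarded, and TBClearExptFirewallVlan likewise ignores the result of its `delete from firewalls` and has no explicit return, so a failed write leaves the recorded firewall VLAN out of step with what was configured and the caller cannot tell. Each write could be checked the way the fwname lookup just above is, e.g. `return -1 if (!DBQueryWarn(...));`, followed by an explicit success return. $fwvlan and $fwvlanid are interpolated unquoted into both statements; unless every caller already guarantees integers, a guard on the set path such as `return -1 if ($fwvlan !~ /^\d+$/ || $fwvlanid !~ /^\d+$/);` before the SQL is built would make that explicit. TBSetExptFirewallVlan starts outside the hunk, and this rendering interleaves old and new lines, so whether the NULL-defaulting lines survive is not certain from here.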
......
......@@ -123,9 +123,9 @@ my %virtual_tables =
tag => "event_groups",
row => "event_group",
attrs => [ "group_name", "agent-name" ]},
"firewalls" => { rows => undef,
tag => "firewalls",
row => "firewall",
"virt_firewalls" => { rows => undef,
tag => "virt_firewalls",
row => "virt_firewall",
attrs => [ "fwname", "type", "style" ]},
"firewall_rules" => { rows => undef,
tag => "firewall_rules",
......
......@@ -451,8 +451,6 @@ CREATE TABLE firewalls (
pid varchar(12) NOT NULL default '',
eid varchar(32) NOT NULL default '',
fwname varchar(32) NOT NULL default '',
type enum('ipfw','ipfw2','ipchains','ipfw2-vlan') NOT NULL default 'ipfw',
style enum('open','closed','basic','emulab') NOT NULL default 'basic',
vlan int(11) default NULL,
vlanid int(11) default NULL,
PRIMARY KEY (pid,eid,fwname),
......@@ -1942,6 +1940,19 @@ CREATE TABLE virt_agents (
PRIMARY KEY (pid,eid,vname,vnode)
) TYPE=MyISAM;
--
-- Table structure for table `virt_firewalls`
--
CREATE TABLE virt_firewalls (
pid varchar(12) NOT NULL default '',
eid varchar(32) NOT NULL default '',
fwname varchar(32) NOT NULL default '',
type enum('ipfw','ipfw2','ipchains','ipfw2-vlan') NOT NULL default 'ipfw',
style enum('open','closed','basic','emulab') NOT NULL default 'basic',
PRIMARY KEY (pid,eid,fwname)
) TYPE=MyISAM;
--
-- Table structure for table `virt_lan_lans`
--
......
......@@ -684,11 +684,11 @@ REPLACE INTO table_regex VALUES ('event_groups','agent_name','text','redirect','
REPLACE INTO table_regex VALUES ('virt_lan_lans','pid','text','redirect','projects:pid',0,0,NULL);
REPLACE INTO table_regex VALUES ('virt_lan_lans','eid','text','redirect','experiments:eid',0,0,NULL);
REPLACE INTO table_regex VALUES ('virt_lan_lans','vname','text','redirect','virt_nodes:vname',0,0,NULL);
REPLACE INTO table_regex VALUES ('firewalls','pid','text','redirect','projects:pid',0,0,NULL);
REPLACE INTO table_regex VALUES ('firewalls','eid','text','redirect','experimenets:eid',0,0,NULL);
REPLACE INTO table_regex VALUES ('firewalls','fwname','text','redirect','virt_nodes:vname',0,0,NULL);
REPLACE INTO table_regex VALUES ('firewalls','type','text','regex','^(ipfw|ipfw2|ipchains|ipfw2-vlan)$',0,0,NULL);
REPLACE INTO table_regex VALUES ('firewalls','style','text','regex','^(open|closed|basic|emulab)$',0,0,NULL);
REPLACE INTO table_regex VALUES ('virt_firewalls','pid','text','redirect','projects:pid',0,0,NULL);
REPLACE INTO table_regex VALUES ('virt_firewalls','eid','text','redirect','experimenets:eid',0,0,NULL);
REPLACE INTO table_regex VALUES ('virt_firewalls','fwname','text','redirect','virt_nodes:vname',0,0,NULL);
REPLACE INTO table_regex VALUES ('virt_firewalls','type','text','regex','^(ipfw|ipfw2|ipchains|ipfw2-vlan)$',0,0,NULL);
REPLACE INTO table_regex VALUES ('virt_firewalls','style','text','regex','^(open|closed|basic|emulab)$',0,0,NULL);
REPLACE INTO table_regex VALUES ('firewall_rules','pid','text','redirect','projects:pid',0,0,NULL);
REPLACE INTO table_regex VALUES ('firewall_rules','eid','text','redirect','experimenets:eid',0,0,NULL);
REPLACE INTO table_regex VALUES ('firewall_rules','fwname','text','redirect','virt_nodes:vname',0,0,NULL);
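Review bot: The new `virt_firewalls` eid row carries over the misspelled redirect target `'experimenets:eid'`, while the virt_lan_lans eid row above it uses `'experiments:eid'`. If the redirect lookup finds no entry under the misspelled name, the eid field of virt_firewalls is presumably not checked against the experiments eid pattern at all; how a missing target is handled is not visible here. The row should read `REPLACE INTO table_regex VALUES ('virt_firewalls','eid','text','redirect','experiments:eid',0,0,NULL);`, and the unchanged firewall_rules eid row below it has the same typo.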
......
......@@ -2615,8 +2615,26 @@ last_net_act,last_cpu_act,last_ext_act);
alter table reserved add inner_elab_boot tinyint(1) default '0' \
after inner_elab_role;
update reserved set inner_elab_boot=1 where inner_elab_role is not null;
1.333: Some minor changes for elabinelab support of newnodes.
alter table wires change column type type enum('Node','Serial','Power','Dnard','Control','Trunk','OuterControl') NOT NULL default 'Node';
1.334: Split the firewalls table into virt and phys parts.
CREATE TABLE virt_firewalls (
pid varchar(12) NOT NULL default '',
eid varchar(32) NOT NULL default '',
fwname varchar(32) NOT NULL default '',
type enum('ipfw','ipfw2','ipchains','ipfw2-vlan') NOT NULL default 'ipfw',
style enum('open','closed','basic','emulab') NOT NULL default 'basic',
PRIMARY KEY (pid,eid,fwname),
) TYPE=MyISAM;
insert into virt_firewalls (pid,eid,fwname,type,style) \
select pid,eid,fwname,type,style from firewalls;
alter table firewalls drop type;
alter table firewalls drop style;
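Review bot: The CREATE TABLE virt_firewalls statement added under 1.334 ends its column list with `PRIMARY KEY (pid,eid,fwname),` directly before the closing parenthesis, and MySQL rejects that trailing comma as a syntax error. If the create fails and the operator carries on, the following `insert into virt_firewalls ... select ... from firewalls` fails too, but the two `alter table firewalls drop ...` statements would still run and discard the type and style values. The line should match the schema file's version, `PRIMARY KEY (pid,eid,fwname)`, and the entry could say to confirm the row copy before dropping the columns.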
......@@ -310,6 +310,7 @@ my $multiplex_factor;
my $experiment_idx;
my $useprepass;
my $delaycap_override;
my $elabinelab = 0;
# For admission control. Not well defined yet.
my $cpu_usage;
......@@ -597,6 +598,8 @@ sub RunAssign ()
my $ptopargs = "-p $pid ";
$ptopargs .= "-e $eid "
if ($updating);
$ptopargs .= "-u "
if ($updating && $elabinelab);
$ptopargs .= "-m $multiplex_factor "
if (defined($multiplex_factor));
$ptopargs .= "-v "
......@@ -3753,12 +3756,12 @@ sub LoadExperiment()
" multiplex_factor,usewatunnels, ".
" cpu_usage,mem_usage,allowfixnode, ".
" jail_osname,delay_osname,idx, " .
" useprepass,delay_capacity " .
" useprepass,delay_capacity,elab_in_elab " .
" from experiments ".
"where pid='$pid' and eid='$eid'");
my ($o1,$o2,$o3,$o4,$o5,$o6,$o7,$jail_osname,$delay_osname,
$idx,$o8,$delay_capacity) = $query_result->fetchrow_array();
my ($o1,$o2,$o3,$o4,$o5,$o6,$o7,$jail_osname,$delay_osname,$idx,
$o8,$delay_capacity,$eine) = $query_result->fetchrow_array();
# Do not override settings if already defined above.
$uselinkdelays = $o1
......@@ -3796,6 +3799,7 @@ sub LoadExperiment()
$expt_stats{"delay_capacity"} = $delay_capacity;
}
$experiment_idx = $idx;
$elabinelab = $eine;
#
# Command line option from tbswap overrides user.
......
......@@ -1110,7 +1110,7 @@ sub RemoveNodes()
}
print "Asking inner boss ($bossnode) to delete $node\n";
system("$SSH -host $bossnode sudo -u elabman ".
" $wap $deletenode -b $node");
" $wap $deletenode -b -q -f $node");
if ($?) {
#
# This error is bad.
......
......@@ -2,7 +2,7 @@
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2004 University of Utah and the Flux Group.
# Copyright (c) 2000-2005 University of Utah and the Flux Group.
# All rights reserved.
#
......@@ -88,6 +88,7 @@ my $dbuid;
my $user_name;
my $user_email;
my @row;
my $isadmin;
#
# Untaint the path
......@@ -150,6 +151,7 @@ if (! UNIX2DBUID($UID, \$dbuid)) {
die("*** $0:\n".
" You do not exist in the Emulab Database.\n");
}
$isadmin = TBAdmin($UID);
#
# Get email info for user.
......@@ -163,7 +165,7 @@ if (! UserDBInfo($dbuid, \$user_name, \$user_email)) {
# Verify that this person is allowed to end the experiment.
# Note that any script down the line has to do an admin check also.
#
if ($UID && !TBAdmin($UID) &&
if ($UID && !$isadmin &&
!TBExptAccessCheck($dbuid, $pid, $eid, TB_EXPT_DESTROY)) {
die("*** $0:\n".
" You do not have permission to end this experiment!\n");
......@@ -202,6 +204,8 @@ my $expt_path = $hashrow{'path'};
my $isbatchexpt = $hashrow{'batchmode'};
my $cancelflag = $hashrow{'canceled'};
my $expt_locked = $hashrow{'expt_locked'};
my $elabinelab = $hashrow{'elab_in_elab'};
my $lockdown = $hashrow{'lockdown'};
#
# Batch experiments get a different protocol to avoid races with the
......@@ -225,6 +229,10 @@ if ($batch) {
if (!defined($expt_locked) ||
$batchstate ne BATCHSTATE_LOCKED());
die("*** $0:\n".
" Batch experiment $pid/$eid is locked down; cannot be swapped!\n")
if ($lockdown);
die("*** $0:\n".
" Batch experiment $pid/$eid is not in the correct state!\n".
" Currently $estate, but should be SWAPPED,QUEUED, or ACTIVE\n")
......@@ -245,6 +253,9 @@ else {
ExitWithStatus(1, "Batch experiment $pid/$eid is still canceling!")
if ($cancelflag);
ExitWithStatus(1, "Batch experiment $pid/$eid is locked down!")
if ($lockdown);
#
# Set the canceled flag. This will prevent the batch_daemon
# from trying to run it (once the table is unlocked). It might
......@@ -267,8 +278,8 @@ else {
}
else {
#
# If the cancel flag is set, then user must wait for that to clear before
# we can do anything else.
# If the cancel flag is set, then user must wait for that to clear
# before we can do anything else.
#
ExitWithStatus(1,
"Experiment $pid/$eid has its cancel flag set!\n".
......@@ -276,6 +287,10 @@ else {
"terminate the experiment.\n")
if ($cancelflag);
ExitWithStatus(1,
"Experiment $pid/$eid is locked down; cannot swap!\n")
if ($lockdown);
#
# Must be unlocked if called by the user.
#
......@@ -297,6 +312,18 @@ else {
$estate ne EXPTSTATE_NEW() &&
$estate ne EXPTSTATE_TERMINATED() &&
$estate ne EXPTSTATE_ACTIVE());
#
# Must be an admin person to swap out an experiment that
# has had its panic button pressed.
#
if ($estate eq EXPTSTATE_PANICED() && !$isadmin) {
ExitWithStatus(1,
"Experiment $pid/$eid had its panic ".
"button pressed!\n".
"Only a testbed administrator can swap ".
"this experiment out.");
}
}
}
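Review bot: The new panic-button check sits directly after a state test whose beginning is outside the hunk and whose visible tail names only EXPTSTATE_NEW, EXPTSTATE_TERMINATED and EXPTSTATE_ACTIVE; if that test exits for every state it does not list, `$estate eq EXPTSTATE_PANICED()` can never be true at this point and the admin-only rule is dead code. It is worth confirming that EXPTSTATE_PANICED is among the accepted states, or moving the check ahead of the state test. The batch branch gets the new lockdown checks but no equivalent panic check; a short comment there saying why it is not needed, if that is the case, would help the next reader.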
......
......@@ -151,7 +151,7 @@ Firewall instproc updatedb {DB} {
# XXX add the firewall to the virt_nodes table to avoid assign hacking
$sim spitxml_data "virt_nodes" [list "vname" "type" "ips" "osname" "cmd_line" "rpms" "startupcmd" "tarfiles" "fixed" ] [list "$self" "pc" "" $osid $cmdline "" "" "" "" ]
$sim spitxml_data "firewalls" [list "fwname" "type" "style"] [list $self $type $style]
$sim spitxml_data "virt_firewalls" [list "fwname" "type" "style"] [list $self $type $style]
foreach rule [array names rules] {
set names [list "fwname" "ruleno" "rule"]
set vals [list $self $rule $rules($rule)]
......
......@@ -21,11 +21,12 @@ sub usage()
" -s Include stuff for topologies with simulated nodes\n".
" -a Include even reserved nodes\n".
" -m Override multiplex_factor\n".
" -u Prune unused interfaces of allocated nodes (-e)\n".
" -c Delay capacity override\n".
" -n Add in modelnet core and edge node features\n");
exit(-1);
}
my $optlist = "s:e:m:vp:rSan:c:";
my $optlist = "s:e:m:vp:rSan:c:u";
my $mfactor;
my $virtstuff = 0;
my $widearea = 0;
......@@ -33,6 +34,7 @@ my $simstuff = 0;
my $allnodes = 0;
my $mnetcores = 0;
my $mnetedges = 0;
my $prune = 0;
my $delaycap_override;
#
......@@ -112,6 +114,9 @@ if (defined($options{"p"})) {
if (defined($options{"a"})) {
$allnodes = 1;
}
if (defined($options{"u"})) {
$prune = 1;
}
if (defined($options{"c"})) {
$delaycap_override = $options{"c"};
}
......@@ -129,6 +134,8 @@ if (defined($options{"e"})) {
usage()
if (!defined($pid));
}
usage()
if ($prune && !defined($exempt_eid));
# Read class/type maps
my $result =
......@@ -666,8 +673,13 @@ while (($node,$iface,$switch) = $result->fetchrow_array) {
}
# Read interface cards and ports
$result = DBQueryFatal("SELECT node_id, iface, card, port FROM interfaces");
while (($node,$iface,$card,$port) = $result->fetchrow_array) {
$result = DBQueryFatal("SELECT node_id, iface, card, port, IP ".
"FROM interfaces");
while (($node,$iface,$card,$port,$IP) = $result->fetchrow_array) {
next
if ($prune && $is_reserved{$node} && (!defined($IP) || $IP eq ""));
$interfacecardports{"$node:$iface"} = [$card,$port];
}
......@@ -681,6 +693,10 @@ while (($node1,$card1,$port1,$node2,$card2,$port2) =
$iface2 = get_iface($node2,$card2,$port2);
$iface1bw = get_ifacebw($node1,$card1,$port1,"ethernet");
$iface2bw = get_ifacebw($node2,$card2,$port2,"ethernet");
next
if (! exists($interfacecardports{"$node1:$iface1"}));
# XXX - This is a bad, bad hack - we use our knowledge that in the
# wires table links to the switch always come as node2. We also assume
# that node interfaces are plugged into switch ports of the same speed.
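Review bot: The `next` added in the wires loop, `if (! exists($interfacecardports{"$node1:$iface1"}))`, is not conditional on $prune, so it also changes runs without -u: any wire whose node1 interface has no entry in %interfacecardports is now dropped silently from the output. If that is only meant for the pruning case, the test should be `if ($prune && ! exists($interfacecardports{"$node1:$iface1"}));`; if it is meant generally, a comment saying so would help. The pruning rule itself treats an empty or NULL IP as "unused", and a one-line comment next to the `$is_reserved{$node}` test stating that assumption would make it easier to audit. Both loops start and end outside the hunks.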
......
......@@ -457,8 +457,11 @@ else {
$batchstate ne BATCHSTATE_UNLOCKED());
ExitWithStatus(1, "Cannot modify a firewalled experiment (yet).")
if ($firewalled);
if ($firewalled && !$isadmin);
ExitWithStatus(1, "Cannot modify an ElabInElab experiment (yet).")
if ($elabinelab && !$isadmin);
#
# Otherwise, proceed with the modify. The experiment will be
# locked below, and so it cannot be injected or otherwise messed
......@@ -489,16 +492,6 @@ else {
"or modify the experiment.\n")
if ($canceled);
#
# Cannot swapmod an active elabinelab experiment, yet.
#
ExitWithStatus(1,
"Experiment $pid/$eid is an active ElabInElab.\n".
"You cannot modify this type of experiment while it\n".
"is swapped in. We hope to support this soon.\n")
if ($inout eq "modify" && $elabinelab &&
$estate ne EXPTSTATE_SWAPPED());
ExitWithStatus(1,
"Experiment $pid/$eid is locked down; cannot swap!\n")
if ($lockdown);
......@@ -566,8 +559,12 @@ else {
"SWAPPED to modify!\n");
}
ExitWithStatus(1,
"Cannot modify a firewalled experiment (yet).")
if ($firewalled);
"Cannot modify a firewalled experiment (yet).")
if ($firewalled && !$isadmin);
ExitWithStatus(1,
"Cannot modify an ElabInElab experiment (yet).")
if ($elabinelab && !$isadmin);
last SWITCH;
};
......@@ -814,6 +811,11 @@ elsif ($inout eq "modify") {
GatherSwapStats($pid, $eid, $dbuid,
TBDB_STATS_SWAPMODIFY, 0, TBDB_STATS_FLAGS_PREMODIFY);
# Gather up some firewall state for later comparison.
if (GatherFWinfo() < 0) {
fatal("Could not gather firewall info; cannot safely continue!");
}
print "Backing up old experiment state ... " . TBTimeStamp() . "\n";
if (TBExptBackupVirtualState($pid, $eid)) {
fatal("Could not backup experiment state; cannot safely continue!");
......@@ -828,6 +830,7 @@ elsif ($inout eq "modify") {
print STDOUT "Running 'tbprerun $pid $eid $modnsfile'\n";
if (system("$tbdir/tbprerun $pid $eid $modnsfile") != 0) {
print STDOUT "Modify Error: tbprerun failed.\n";
FWHOSED:
print STDOUT "Recovering experiment state...\n";
if (TBExptRemoveVirtualState($pid, $eid) ||
......@@ -847,6 +850,15 @@ elsif ($inout eq "modify") {
fatal("Update aborted; old virtual state restored.");
# Never returns;
}
#
# Okay, whenever a new NS file is presented, we need to do some
# checks on the firewall to make sure the user is not trying to
# do something "unsafe".
#
if (CheckFWinfo($estate) != 0) {
# All the stuff for recovering is right above, so go there.
goto FWHOSED;
}
}
#
......@@ -1209,6 +1221,139 @@ sub cleanup()
return;
}
#
# Some firewall related stuff. There are special rules governing the
# modification of a firewalled experiment, and this is the easiest place
# to deal with it. We need to compare the virtual firewall info before
# and after the parse, and disallow some changes. Maybe move this someplace
# else at some point.
#
my $wasfirewalled;
my $fwname;
my $fwtype;
my $fwstyle;
sub GatherFWinfo()
{
$wasfirewalled = 0;
my $query_result =
DBQueryWarn("select fwname,type,style from virt_firewalls ".
"where pid='$pid' and eid='$eid'");
return -1
if (!$query_result);
# Not firewalled.
return 0
if (!$query_result->numrows);
$wasfirewalled = 1;
($fwname,$fwtype,$fwstyle) = $query_result->fetchrow_array();
return 0;
}
sub CheckFWinfo($)
{
my ($curstate) = @_;
my $msg = "";
my $nowfirewalled = 0;
my %fwstyle_mapping = ("open" => 0, "basic" => 1,
"closed" => 2, "emulab" => 3);
my $query_result =
DBQueryWarn("select fwname,type,style from virt_firewalls ".
"where pid='$pid' and eid='$eid'");
return -1
if (!$query_result);
$nowfirewalled = $query_result->numrows;
# Do nothing if not firewalled before or after!
goto okay
if (!$wasfirewalled && !$nowfirewalled);
# Experiment cannot go from firewalled to not firewalled, in either the
# swapped or active state.
if ($wasfirewalled && !$nowfirewalled) {
$msg = "Not allowed to turn off firewalling!";
goto noway;
}
#
# Make sure there is at least one other node besides the firewalled node.
# Rob sez we could eat too many VLANs if we allowed this, so only admin
# users, not mere users.
#
if (!$isadmin && $nowfirewalled) {
my $virt_result =
DBQueryWarn("select vname from virt_nodes ".
"where pid='$pid' and eid='$eid'");
return -1
if (!$virt_result);
if (! ($virt_result->numrows > $query_result->numrows)) {
$msg = "Must have at least one firewalled node!";
goto noway;
}
}
# Experiment cannot go from not firewalled to firewalled while in the
# active state. We will allow this later.
if (!$wasfirewalled && $nowfirewalled) {
if ($curstate eq EXPTSTATE_ACTIVE()) {
$msg = "Not allowed to turn on firewalling while active!";
goto noway;
}
goto okay;
}
my ($new_fwname,$new_fwtype,$new_fwstyle) =
$query_result->fetchrow_array();
# Not allowed to change the name of the firewall while active.
if ($curstate eq EXPTSTATE_ACTIVE() && $fwname ne $new_fwname) {
$msg = "Not allowed to change the name of the firewall!";
goto noway;
}
# Not allowed to change the type of the firewall at all yet.
if ($fwtype ne $new_fwtype) {
$msg = "Not allowed to change the type of the firewall!";
goto noway;
}
# Dealing with the style is harder. First off, while active we do not
# allow the style to be changed.
if ($curstate eq EXPTSTATE_ACTIVE() && $fwstyle ne $new_fwstyle) {
$msg = "Not allowed to change the style (level) of the firewall!";
goto noway;
}
# Okay, while experiment is swapped, can only go from less firewalled
# to more firewalled.
if ($curstate eq EXPTSTATE_SWAPPED() && $fwstyle ne $new_fwstyle) {
if (!exists($fwstyle_mapping{$new_fwstyle})) {
$msg = "Unknown firewall style (level): '$new_fwstyle'!";
goto noway;
}
if (!exists($fwstyle_mapping{$fwstyle})) {
$msg = "Unknown firewall style (level): '$fwstyle'!";
goto noway;
}
if ($fwstyle_mapping{$new_fwstyle} < $fwstyle_mapping{$fwstyle}) {
$msg = "Not allowed to reduce the firewall level!";
goto noway;
}
}
okay:
return 0;
noway:
print STDOUT "*** $msg\n";
return 1;
}
#
# We need this END block to make sure that we clean up after a fatal
# exit in the library. This is problematic, cause we could be exiting
......
......@@ -817,7 +817,7 @@ if ($showevents) {
#
if ($showfwinfo) {
my $result_fw =
DBQueryFatal("select fwname,type,style from firewalls ".
DBQueryFatal("select fwname,type,style from virt_firewalls ".
"where pid='$pid' and eid='$eid' ");
if ($result_fw->numrows) {
print "Firewall information:\n";
......
......@@ -5280,14 +5280,18 @@ COMMAND_PROTOTYPE(dofwinfo)
*
* XXX will only work if there is one firewall per experiment.
*/
res = mydb_query("select r.node_id,f.type,f.style,f.fwname,i.IP,i.mac,f.vlan "
res = mydb_query("select r.node_id,v.type,v.style,f.fwname,i.IP, "
" i.mac,f.vlan "
"from firewalls as f "
"left join reserved as r on"
" f.pid=r.pid and f.eid=r.eid and f.fwname=r.vname "
"left join virt_firewalls as v on "
" v.pid=f.pid and v.eid=f.eid and v.fwname=f.fwname "
"left join interfaces as i on r.node_id=i.node_id "
"where f.pid='%s' and f.eid='%s' "
"and i.role='ctrl'", /* XXX */
7, reqp->pid, reqp->eid);
if (!res) {
error("FWINFO: %s: DB Error getting firewall info!\n",
reqp->nodeid);
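Review bot: type and style now come from `virt_firewalls` through a left join, so `v.type` and `v.style` are NULL whenever a firewalls row has no matching virt_firewalls row, where before they were read from the driving firewalls table. The code that consumes the row is outside the hunk; if it passes those columns to string functions without a NULL test, that case would dereference a null pointer in tmcd. Either make it an inner join, `"join virt_firewalls as v on "`, or have the consumer check the two columns before use. dofwinfo begins and ends outside the hunk.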
......
......@@ -1926,11 +1926,9 @@ function TBPlabAvail() {
function TBExptFirewall($pid, $eid) {
#
# Short form: is there a firewall?
# Only check the firewalls table so that we can be called for a swapped
# experiment (swapped experiments don't have reserved table info).
#
$query_result =
DBQueryWarn("SELECT eid FROM firewalls ".
DBQueryWarn("SELECT eid FROM virt_firewalls ".
"WHERE pid='$pid' and eid='$eid' ".
"AND type LIKE '%-vlan'");
if (!$query_result || !mysql_num_rows($query_result))
......