Commit ec2f5e1e authored by Ryan Jackson's avatar Ryan Jackson

More linux firwall rule fixes

parent 5bf2b449
......@@ -1287,6 +1287,7 @@ sub os_fwconfig_line($@) {
$upline .= "vconfig add $pdev $vlanno > /dev/null\n";
$upline .= "ifconfig $vlandev up\n";
$upline .= "brctl addbr br0\n";
$upline .= "brctl stp br0 on\n";
$upline .= "ifconfig br0 up\n";
$upline .= "brctl addif br0 $pdev\n";
$upline .= "brctl addif br0 $vlandev\n";
......@@ -1429,12 +1430,16 @@ sub os_fwconfig_line($@) {
}
@fwrules = @new_rules;
# For now, if a rule fails to load we want to fail open, not closed. Otherwise
# it may be difficult to debug things.
foreach my $rulestr (@fwrules) {
if ($rulestr =~ /^iptables\s+/) {
$upline .= " $rulestr || {\n";
$upline .= " echo 'WARNING: could not load iptables rule:'\n";
$upline .= " echo ' $rulestr'\n";
$upline .= " iptables -F\n";
$upline .= " iptables -P INPUT ACCEPT\n";
$upline .= " iptables -P OUTPUT ACCEPT\n";
$upline .= " exit 1\n";
$upline .= " }\n";
} elsif ($rulestr =~ /^ebtables\s+/) {
......@@ -1442,6 +1447,8 @@ sub os_fwconfig_line($@) {
$upline .= " echo 'WARNING: could not load ebtables rule:'\n";
$upline .= " echo ' $rulestr'\n";
$upline .= " ebtables -F\n";
$upline .= " ebtables -P INPUT ACCEPT\n";
$upline .= " ebtables -P OUTPUT ACCEPT\n";
$upline .= " exit 1\n";
$upline .= " }\n";
}
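Review bot: The fail-open handler emitted at lines 24–27 resets only the INPUT and OUTPUT policies, but the rule set this commit ships keys on the FORWARD chain (the bridged traffic via `--physdev-in`), so a node whose FORWARD policy is DROP would still fail closed for forwarded traffic after `iptables -F`, contrary to the comment on lines 17–18. Adding `$upline .= " iptables -P FORWARD ACCEPT\n";` after line 26, and likewise `$upline .= " ebtables -P FORWARD ACCEPT\n";` after line 35 in the ebtables branch, makes the recovery match the stated intent. The same rule string is also echoed inside single quotes (`echo ' $rulestr'`); a rule containing an apostrophe would break the generated shell script, which is probably fine for the template-sourced rules here but worth a short comment noting the assumption. The enclosing sub os_fwconfig_line starts before and continues after these hunks.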
......
......@@ -87,6 +87,9 @@ iptables -F OUTSIDE # BASIC,CLOSED,ELABINELAB
iptables -A FORWARD -m physdev --physdev-in vlandev -s EMULAB_CNET,0.0.0.0/32,255.255.255.255 -j INSIDE # BASIC,CLOSED,ELABINELAB
iptables -A FORWARD -m physdev --physdev-in pdev -j OUTSIDE # BASIC,CLOSED,ELABINELAB
# Allow everything from the gateway, since the gateway may be part of the node control net
iptables -A OUTSIDE -s EMULAB_GWIP -j ACCEPT # BASIC,CLOSED,ELABINELAB
# Can talk to myself. Does this do anything?
# This appears to be used by elvind?
#iptables -A INPUT -s me -d me -j ACCEPT # BASIC,CLOSED,ELABINELAB
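Review bot: The `iptables -A OUTSIDE -s EMULAB_GWIP -j ACCEPT` rule on line 44 grants a blanket pass on source address alone, so anything arriving through pdev that carries the gateway's address is accepted without further filtering; if the gateway's MAC is available at template-expansion time, qualifying the rule with `-m mac --mac-source <GATEWAY_MAC_PLACEHOLDER>` or restricting it to the protocols the gateway actually needs would narrow that exposure, and the comment on line 43 should state why the broad accept is required. Lines 45–47 leave two open questions ("Does this do anything?", "used by elvind?") in a committed rules file; replace them with a definite statement of whether the loopback rule is needed, or remove the dead rule.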
......