Firewalls now work with nodes which require a subboss. Had to introduce new
firewall rules which skipped around the checks that no packets to/from
node control net IPs should pass through the firewall, if the IP in question
belongs to a subboss (since subboss is on the node control network). It
actually checks for all Emulab servers (boss, ops, fs or any subboss),
so the code should work for an Emulab install which has a non-segmented
control network in which all servers were in the same subnet as the nodes.

In addition to the new rules, we also had to pass in additional information
via "tmcc firewallinfo" giving the IP/MAC of those server nodes that are on
the node control network. We use this to establish ARP entries on the
inside network so that nodes can find the servers. Since the existing
client-side firewall code in libsetup.pm would blow up if it got a line
that it didn't recognize, I had to bump the tmcd version number and add
some conditional code to tmcd.c:dofwinfo() to not return the extra info for

Added a couple of new firewall variables EMULAB_BOSSES and EMULAB_SERVERS
that are used in the new rules. Fixed the support scripts in firewall/
to properly initialize these variables.

IMPORTANT: tmcd looks up boss, ops, fs, and subbosses in the interfaces
table to find their IPs and MAC addresses. By default, we do not create
such interface table entries for boss/ops/fs. We have them at Utah for
other reasons. These entries are only needed if you have a non-segmented
control network (or a subboss) and you want to firewall such nodes.

The script to initialize the firewall variables (initfwvars.pl) will
print out a warning for configurations that are affected and don't have