Commit 3b0e4b2a authored by Mike Hibler's avatar Mike Hibler

Changes to allow variable expansion in firewall rules

parent 4b617de5
#!/usr/bin/perl -w
#
# EMULAB-COPYRIGHT
# Copyright (c) 2004 University of Utah and the Flux Group.
# Copyright (c) 2004, 2005 University of Utah and the Flux Group.
# All rights reserved.
#
use English;
use Getopt::Std;
#
# For firewall rule logging: log accepted or rejected packets.
# XXX debugging
#
my $logaccept = 0;
my $logreject = 1;
#
# Hosts we need un-firewalled static routes for
#
......@@ -174,6 +181,10 @@ sub doboot()
sub firewaller()
{
# XXX debugging
$fwinfo->{LOGACCEPT} = $logaccept;
$fwinfo->{LOGREJECT} = $logreject;
my ($upline, $downline) = os_fwconfig_line($fwinfo, @fwrules);
print FWC "case \"\$action\" in\n";
......
......@@ -2,7 +2,7 @@
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2004 University of Utah and the Flux Group.
# Copyright (c) 2000-2005 University of Utah and the Flux Group.
# All rights reserved.
#
# TODO: Signal handlers for protecting db files.
......@@ -844,6 +844,29 @@ sub gettunnelconfig($)
return 0;
}
my %fwvars = ();
#
# Substitute values of variables in a firewall rule.
#
sub expandfwvars($)
{
my ($rule) = @_;
if ($rule->{RULE} =~ /EMULAB_\w+/) {
foreach my $key (keys %fwvars) {
$rule->{RULE} =~ s/$key/$fwvars{$key}/
if (defined($fwvars{$key}));
}
if ($rule->{RULE} =~ /EMULAB_\w+/) {
warn("*** WARNING: Unexpanded firewall variable in: \n".
" $rule->{RULE}\n");
return 1;
}
}
return 0;
}
#
# Return the firewall configuration. We parse tmcd output here and return
# a list of hash entries to the caller.
......@@ -865,6 +888,7 @@ sub getfwconfig($$)
my $rempat = q(TYPE=remote FWIP=([0-9\.]*));
my $fwpat = q(TYPE=([\w-]+) STYLE=(\w+) IN_IF=(\w*) OUT_IF=(\w*) IN_VLAN=(\d+) OUT_VLAN=(\d+));
my $rpat = q(RULENO=(\d*) RULE="(.*)");
my $vpat = q(VAR=(EMULAB_\w+) VALUE="(.*)");
$fwinfo->{"TYPE"} = "none";
foreach my $line (@tmccresults) {
......@@ -908,15 +932,23 @@ sub getfwconfig($$)
$fw->{"RULENO"} = $ruleno;
$fw->{"RULE"} = $rule;
push(@fwrules, $fw);
} elsif ($line =~ /$vpat/) {
$fwvars{$1} = $2;
} else {
warn("*** WARNING: Bad firewall info line: $line\n");
return 1;
}
}
# make a pass over the rules, expanding variables
my $bad = 0;
foreach my $rule (@fwrules) {
$bad += expandfwvars($rule);
}
$$infoptr = $fwinfo;
@$rptr = @fwrules;
return 0;
return $bad;
}
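Review bot: In expandfwvars the substitution `s/$key/$fwvars{$key}/` is unanchored and lacks `/g`, so a variable name that is a prefix of another (say EMULAB_NS and EMULAB_NSIP) can be rewritten inside the longer name depending on hash iteration order, and a rule that uses the same variable twice is expanded only once and then trips the "Unexpanded firewall variable" warning. Match on word boundaries, quote the key and replace every occurrence: `$rule->{RULE} =~ s/\b\Q$key\E\b/$fwvars{$key}/g`. Note also that `%fwvars` is file-scoped and never cleared, so values parsed by one getfwconfig() call survive into later calls; resetting it at the top of getfwconfig(), whose start lies outside the hunk, would avoid stale expansions. The VALUE text is later spliced verbatim into the `ipfw add` command line, so it inherits whatever trust is placed in the RULE text from tmcd and should be parsed with the same care.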
......
......@@ -2,7 +2,7 @@
#
# EMULAB-COPYRIGHT
# Copyright (c) 2000-2004 University of Utah and the Flux Group.
# Copyright (c) 2000-2005 University of Utah and the Flux Group.
# All rights reserved.
#
......@@ -522,6 +522,10 @@ sub os_fwconfig_line($@)
my ($fwinfo, @fwrules) = @_;
my ($upline, $downline);
# XXX debugging
my $logaccept = defined($fwinfo->{LOGACCEPT}) ? $fwinfo->{LOGACCEPT} : 0;
my $logreject = defined($fwinfo->{LOGREJECT}) ? $fwinfo->{LOGREJECT} : 0;
#
# VLAN enforced layer2 firewall with FreeBSD/IPFW2
#
......@@ -546,10 +550,26 @@ sub os_fwconfig_line($@)
$upline .= " if [ -z \"`sysctl net.inet.ip.fw.enable 2>/dev/null`\" ]; then\n";
$upline .= " kldload ipfw.ko >/dev/null 2>&1\n";
$upline .= " fi\n";
$upline .= " sysctl net.inet.ip.fw.enable=1 || {\n";
$upline .= " echo 'WARNING: could not enable firewall'\n";
$upline .= " exit 1\n";
$upline .= " }\n";
foreach my $rule (sort { $a->{RULENO} <=> $b->{RULENO}} @fwrules) {
$upline .= " ipfw add $rule->{RULENO} $rule->{RULE} || {\n";
my $rulestr = $rule->{RULE};
if ($logaccept && $rulestr =~ /^(allow|accept|pass|permit)\s.*/) {
my $action = $1;
$rulestr =~ s/$action/$action log/;
} elsif ($logreject && $rulestr =~ /^(deny|drop)\s.*/) {
my $action = $1;
$rulestr =~ s/$action/$action log/;
}
$upline .= " ipfw add $rule->{RULENO} $rulestr || {\n";
$upline .= " echo 'WARNING: could not load ipfw rule:'\n";
$upline .= " echo ' $rule->{RULE}'\n";
$upline .= " echo ' $rulestr'\n";
$upline .= " ipfw -q flush\n";
$upline .= " exit 1\n";
$upline .= " }\n";
}
......@@ -571,10 +591,26 @@ sub os_fwconfig_line($@)
$upline = "if [ -z \"`sysctl net.inet.ip.fw.enable 2>/dev/null`\" ]; then\n";
$upline .= " kldload ipfw.ko >/dev/null 2>&1\n";
$upline .= " fi\n";
$upline .= " sysctl net.inet.ip.fw.enable=1 || {\n";
$upline .= " echo 'WARNING: could not enable firewall'\n";
$upline .= " exit 1\n";
$upline .= " }\n";
foreach my $rule (sort { $a->{RULENO} <=> $b->{RULENO}} @fwrules) {
$upline .= " ipfw add $rule->{RULENO} $rule->{RULE} || {\n";
my $rulestr = $rule->{RULE};
if ($logaccept && $rulestr =~ /^(allow|accept|pass|permit)\s.*/) {
my $action = $1;
$rulestr =~ s/$action/$action log/;
} elsif ($logreject && $rulestr =~ /^(deny|drop)\s.*/) {
my $action = $1;
$rulestr =~ s/$action/$action log/;
}
$upline .= " ipfw add $rule->{RULENO} $rulestr || {\n";
$upline .= " echo 'WARNING: could not load ipfw rule:'\n";
$upline .= " echo ' $rule->{RULE}'\n";
$upline .= " echo ' $rulestr'\n";
$upline .= " ipfw -q flush\n";
$upline .= " exit 1\n";
$upline .= " }\n";
}
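Review bot: The `log` keyword added by `s/$action/$action log/` in both the VLAN and the plain IP-firewall branches only produces output when net.inet.ip.fw.verbose is on (or IPFIREWALL_VERBOSE is compiled in), which this script never sets, and since the first file defaults `$logreject` to 1 every packet hitting a deny rule becomes a syslog line with no per-rule cap, letting a remote sender fill the log at will. Set the sysctl next to the enable line and bound the volume, e.g. `$upline .= " sysctl net.inet.ip.fw.verbose=1 >/dev/null\n";` and `$rulestr =~ s/$action/$action log logamount 100/;` (or set net.inet.ip.fw.verbose_limit). The pattern `^(deny|drop)\s` also misses ipfw's reject, unreach and reset actions, so some rejections go unlogged despite the flag's name. The logging block is byte-identical in both hunks; hoisting it into a small helper would keep the two branches from drifting.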
......