Adapt firewall-port to IPv6 #6099

Open
wants to merge 2 commits into
base: master
9 changes: 8 additions & 1 deletion ocaml/xapi/dbsync_slave.ml
Expand Up @@ -126,8 +126,15 @@ let refresh_localhost_info ~__context info =
) else
Db.Host.remove_from_other_config ~__context ~self:host
~key:Xapi_globs.host_no_local_storage ;
let options =
match Helpers.get_management_iface_primary_address_type with
| `IPv4 ->
["check"; "80"]
| `IPv6 ->
["-6"; "check"; "80"]
in
let script_output =
Helpers.call_script !Xapi_globs.firewall_port_config_script ["check"; "80"]
Helpers.call_script !Xapi_globs.firewall_port_config_script options
in
try
let network_state = Scanf.sscanf script_output "Port 80 open: %B" Fun.id in
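Review bot: The address-family selection introduced at `let options = match Helpers.get_management_iface_primary_address_type with ...` is repeated almost verbatim, differing only in the trailing arguments, in nm.ml (both hunks), xapi_clustering.ml (both hunks) and xapi_host.ml, so the `-6` convention of the script now lives in six places. A single helper next to the new Helpers value, e.g. `let firewall_port_args args = match get_management_iface_primary_address_type with `IPv4 -> args | `IPv6 -> "-6" :: args`, would let this call site read `Helpers.call_script !Xapi_globs.firewall_port_config_script (Helpers.firewall_port_args ["check"; "80"])` and keep a future change to the flag in one spot. The match is only exhaustive if the returned type is the closed `[`IPv4 | `IPv6]`; I cannot confirm that from here. `refresh_localhost_info` continues on both sides of the hunk.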
4 changes: 4 additions & 0 deletions ocaml/xapi/helpers.ml
Expand Up @@ -165,6 +165,10 @@ let get_localhost ~__context =
| true ->
get_localhost_uncached ~__context

let get_management_iface_primary_address_type =
Record_util.primary_address_type_of_string
(Xapi_inventory.lookup Xapi_inventory._management_address_type)

(* Determine the gateway and DNS PIFs:
* If one of the PIFs with IP has other_config:defaultroute=true, then
* pick this one as gateway PIF. If there are multiple, pick a random one of these.
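Review bot: `get_management_iface_primary_address_type` is a plain value, so `Xapi_inventory.lookup` runs once when the `Helpers` module is initialised rather than each time a caller reads it; every later firewall decision reuses the address type recorded at xapi start, and if the management interface is later reconfigured to the other family the rules go into the wrong table. Presumably `Xapi_inventory.lookup` raises when the key is absent, in which case the failure would now abort module initialisation instead of the single operation that needed it. Making it a function, `let get_management_iface_primary_address_type () = ...`, with callers applying `()`, evaluates it at the point of use. A doc comment naming the source of truth would help, e.g. `(** Address family of the management interface, read from the inventory key [_management_address_type]. *)`.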
18 changes: 16 additions & 2 deletions ocaml/xapi/nm.ml
Expand Up @@ -796,10 +796,17 @@ let bring_pif_up ~__context ?(management_interface = false) (pif : API.ref_PIF)
| `vxlan ->
debug
"Opening VxLAN UDP port for tunnel with protocol 'vxlan'" ;
let options =
match Helpers.get_management_iface_primary_address_type with
| `IPv4 ->
["open"; "4789"; "udp"]
| `IPv6 ->
["-6"; "open"; "4789"; "udp"]
in
ignore
@@ Helpers.call_script
!Xapi_globs.firewall_port_config_script
["open"; "4789"; "udp"]
options
| `gre ->
()
)
Expand Down Expand Up @@ -857,10 +864,17 @@ let bring_pif_down ~__context ?(force = false) (pif : API.ref_PIF) =
in
if no_more_vxlan then (
debug "Last VxLAN tunnel was closed, closing VxLAN UDP port" ;
let options =
match Helpers.get_management_iface_primary_address_type with
| `IPv4 ->
["close"; "4789"; "udp"]
| `IPv6 ->
["-6"; "close"; "4789"; "udp"]
in
ignore
@@ Helpers.call_script
!Xapi_globs.firewall_port_config_script
["close"; "4789"; "udp"]
options
)
| `gre ->
()
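Review bot: In `bring_pif_up` the table for UDP 4789 is chosen by the management interface's address family, but the VxLAN tunnel's transport is the `pif` argument, which may carry the other family; if so the rule lands in the table that never sees the tunnel traffic and the port stays filtered where it matters. The mirrored selection in `bring_pif_down` means a rule opened under one family and closed after the management family changed is never removed, and because the script's `close` is a silent no-op when the rule is absent nothing reports it, so the port remains open indefinitely. Deriving the family from the transport PIF's record, or opening and closing in both tables, would avoid both cases; I am inferring the transport/management distinction from the function signature, so please confirm. Both enclosing functions extend beyond the hunks.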
20 changes: 16 additions & 4 deletions ocaml/xapi/xapi_clustering.ml
Expand Up @@ -274,9 +274,16 @@ module Daemon = struct
raise Api_errors.(Server_error (not_implemented, ["Cluster.create"]))
) ;
( try
let options =
match Helpers.get_management_iface_primary_address_type with
| `IPv4 ->
["open"; port]
| `IPv6 ->
["-6"; "open"; port]
in
maybe_call_script ~__context
!Xapi_globs.firewall_port_config_script
["open"; port] ;
options ;
maybe_call_script ~__context !Xapi_globs.systemctl ["enable"; service] ;
maybe_call_script ~__context !Xapi_globs.systemctl ["start"; service]
with _ ->
Expand All @@ -295,9 +302,14 @@ module Daemon = struct
Atomic.set enabled false ;
maybe_call_script ~__context !Xapi_globs.systemctl ["disable"; service] ;
maybe_call_script ~__context !Xapi_globs.systemctl ["stop"; service] ;
maybe_call_script ~__context
!Xapi_globs.firewall_port_config_script
["close"; port] ;
let options =
match Helpers.get_management_iface_primary_address_type with
| `IPv4 ->
["close"; port]
| `IPv6 ->
["-6"; "close"; port]
in
maybe_call_script ~__context !Xapi_globs.firewall_port_config_script options ;
debug "Cluster daemon: disabled & stopped"

let restart ~__context =
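Review bot: In `disable` the firewall call on `maybe_call_script ~__context !Xapi_globs.firewall_port_config_script options` can leave the cluster port open without any trace: if the management family differs from the one used when `enable` ran, the script's `close` finds no matching rule and exits 0. Logging the chosen arguments before both the open and the close, e.g. `debug "firewall-port: %s" (String.concat " " options) ;`, would make such a mismatch visible in xensource.log. The cluster daemon also listens on the cluster network PIF, which is chosen separately from the management interface, so keying the family on the management interface may open the port in the wrong table; that is an inference from the surrounding design, not from these lines. The `enable` hunk's `try ... with _ ->` is pre-existing and its handler lies outside the hunk.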
11 changes: 8 additions & 3 deletions ocaml/xapi/xapi_host.ml
Expand Up @@ -3045,10 +3045,15 @@ let set_https_only ~__context ~self ~value =
let state = match value with true -> "close" | false -> "open" in
match cc_prep () with
| false ->
let options =
match Helpers.get_management_iface_primary_address_type with
| `IPv4 ->
[state; "80"]
| `IPv6 ->
["-6"; state; "80"]
in
ignore
@@ Helpers.call_script
!Xapi_globs.firewall_port_config_script
[state; "80"] ;
@@ Helpers.call_script !Xapi_globs.firewall_port_config_script options ;
Db.Host.set_https_only ~__context ~self ~value
| true when value = Db.Host.get_https_only ~__context ~self ->
(* the new value is the same as the old value *)
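Review bot: When `value = true`, `set_https_only` now closes port 80 in only one of the two tables, so on a host that has both an IPv4 and an IPv6 address configured plain HTTP stays reachable over the family that was not selected while `Db.Host.set_https_only` records it as disabled; I cannot tell from here whether dual-stack management is possible, so this may be moot. Running the script for both `[state; "80"]` and `["-6"; state; "80"]` when closing would keep the enforcement conservative regardless of the management family, at the cost of one extra call. A comment at the `let options =` line stating why the family is chosen from the management interface would help the next reader. `set_https_only` continues past the hunk.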
45 changes: 31 additions & 14 deletions scripts/plugins/firewall-port
Expand Up @@ -9,10 +9,28 @@ set -e
# protocol.
#
# Usage:
# ./firewall-port {open|close} port protocol
# ./firewall-port [-6] {open|close} port protocol
#
#################################################

usage() {
echo $"Usage: $0 [-6] {open|close|check} {port} {protocol}" 1>&2
}

BINARY=iptables
while getopts ":6" option; do
case $option in
6)
BINARY=ip6tables
;;
*)
usage
exit 1
;;
esac
shift
done

OP="$1"
PORT="$2"
PROTOCOL="${3:-tcp}"
Expand All @@ -29,37 +47,36 @@ esac

case "${OP}" in
open)
if ! iptables -C $CHAIN $RULE 2>/dev/null
if ! $BINARY -C $CHAIN $RULE 2>/dev/null
then # first ensure chain exists
if iptables -N "${CHAIN}" 2>/dev/null
if $BINARY -N "${CHAIN}" 2>/dev/null
then #chain did not exist but does now
iptables -A "${CHAIN}" -j RETURN
iptables -I INPUT -j "${CHAIN}"
fi # asuume chain is used if it exists
iptables -I "${CHAIN}" $RULE
/usr/libexec/iptables/iptables.init save
$BINARY -A "${CHAIN}" -j RETURN
$BINARY -I INPUT -j "${CHAIN}"
fi # assume chain is used if it exists
$BINARY -I "${CHAIN}" $RULE
/usr/libexec/iptables/"$BINARY".init save
fi
;;
close)
if iptables -C $CHAIN $RULE 2>/dev/null
if $BINARY -C $CHAIN $RULE 2>/dev/null
then # close port if it was opened
iptables -D $CHAIN $RULE
/usr/libexec/iptables/iptables.init save
$BINARY -D $CHAIN $RULE
/usr/libexec/iptables/"$BINARY".init save
fi
;;
check)
if [[ -z `iptables -S $CHAIN | grep " $PORT "` ]]
if [[ -z `$BINARY -S $CHAIN | grep " $PORT "` ]]
then
echo "Port $PORT open: true"
else
echo "Port $PORT open: false"
fi
;;
*)
echo $"Usage: $0 {open|close|check} {port} {protocol}" 1>&2
usage
exit 1
;;
esac

exit 0
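Review bot: The `shift` inside the `while getopts ":6" option` loop desynchronises `OPTIND` from the positional parameters: after `-6` is consumed `OPTIND` is 2 but the arguments have already moved down one, so a repeated or additional option (`-6 -6 open 80`, or any flag added later) is skipped by `getopts` and becomes `OP`. The usual shape is to leave only the `case` in the loop body and do `shift $((OPTIND - 1))` once after `done`; with a single `-6` the current code happens to work, which is why it passes today. The header comment `# ./firewall-port [-6] {open|close} port protocol` also omits `check`, which `usage()` advertises. `$CHAIN` and `$RULE` are set between the two hunks, so whether the rule spec is valid for ip6tables cannot be judged from here.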
