Diffstat (limited to 'core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall')
-rw-r--r-- | core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall | 76 |
1 files changed, 65 insertions, 11 deletions
diff --git a/core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall b/core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall
index 01c7472c..51047a99 100644
--- a/core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall
+++ b/core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall
@@ -4,10 +4,15 @@
 [ "$UID" = "0" ] || exit 1
-declare -rg RULES=$(mktemp)
+declare -rg RULES="$( mktemp )"
+declare -rg AUTORULES="$( mktemp )"
+declare -rg REMOTERULES="$( mktemp )"
+declare -rg LOGFILE="$( mktemp )"
 [ -n "$RULES" ] || exit 2
+trap 'rm -f -- "$RULES" "$AUTORULES" "$REMOTERULES" "$LOGFILE"' EXIT
+
 [ -n "$1" ] || exit 3
 [ "${#1}" -ge 10 ] || exit 4
@@ -31,18 +36,40 @@ for TOOL in iptables ip6tables; do
 if ! $TOOL -w -C FORWARD -o br0 -j runvirt-OUTPUT; then
 $TOOL -w -A FORWARD -o br0 -j runvirt-OUTPUT
 fi
- $TOOL -A runvirt-INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
- $TOOL -A runvirt-OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+ $TOOL -A runvirt-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ $TOOL -A runvirt-OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 done
-declare -rg AUTORULES=$(mktemp)
+
+parse_uri () {
+ local scheme
+ ip="${1,,}"
+ scheme="${ip%%://*}"
+ ip="${ip#*://}"
+ port="${ip##*:}"
+ if [[ "$port" =~ ^[0-9]+$ ]]; then
+ ip="${ip%:*}"
+ elif [ "$scheme" = "ldaps" ]; then
+ port=636
+ else
+ port=389
+ fi
+ (( port >= 0 && port <= 65535 )) || port=0
+}
 add_ips () {
 # add_ips "IN/OUT" "IP1 IP2 IPn" "PORT" "ACCEPT/REJECT"
- local IP
- [ -z "$1" -o -z "$2" -o -z "$3" -o -z "$4" ] && return 1
- for IP in $2; do
- echo "$1 $IP $3 $4" >> "${AUTORULES}"
+ local ip port port_def
+ port_def="$3"
+ [ -z "$1" -o -z "$2" -o -z "$port_def" -o -z "$4" ] && return 1
+ for ip in $2; do
+ port="${ip#*:}"
+ if (( port > 0 && port < 65536 )); then
+ ip="${ip%:*}"
+ else
+ port="$port_def"
+ fi
+ echo "$1 ${ip} ${port} $4" >> "${AUTORULES}"
 done
 }
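Review bot: The non-empty check after the four `mktemp` calls still guards only `RULES`; if `mktemp` fails for `AUTORULES`, `REMOTERULES` or `LOGFILE`, the script carries on with an empty name and the failure only surfaces later at a redirection such as `> "${REMOTERULES}"`. Because `declare -rg X="$( mktemp )"` also masks mktemp's exit status, the guard is the only place this is caught, so extend it to `[ -n "$RULES" ] && [ -n "$AUTORULES" ] && [ -n "$REMOTERULES" ] && [ -n "$LOGFILE" ] || exit 2`. Installing the `trap` before that `exit 2` line would additionally clean up any file that was created before a later `mktemp` failed.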
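Review bot: In `parse_uri` an out-of-range port is turned into `port=0` by `(( port >= 0 && port <= 65535 )) || port=0`, and `add_ips` writes that value to the rules file unchanged; judging by the existing `add_ips "OUT" "$SLX_KCL_SERVERS $SLX_SERVER_IP" 0 "ACCEPT"` call, 0 appears to mean any port, so a malformed URI widens the rule rather than being dropped, and leaving `port` empty there (so `add_ips` returns 1) or skipping the entry in the caller is the safer failure mode. `add_ips` evaluates `(( port > 0 && port < 65536 ))` on an unvalidated suffix: for an entry with no colon `port` holds the whole address (e.g. a dotted hostname or IPv4), and bash's arithmetic reports a syntax error to stderr before falling into the else branch, so guard it the way `parse_uri` does with `if [[ "$port" =~ ^[0-9]+$ ]] && (( port > 0 && port < 65536 )); then`. A path after the host is not stripped either: for `ldap://host/` the address stored is `host/`, which `ip="${ip%%/*}"` right after `ip="${ip#*://}"` would fix. `parse_uri` intentionally leaves `ip` and `port` as globals for its callers, which deserves a comment such as `# result is returned in the globals ip and port` so nobody adds `local` to them later.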
@@ -52,6 +79,24 @@ add_ips "OUT" "$SLX_DNS" 53 "ACCEPT"
 add_ips "OUT" "$SLX_DNBD3_SERVERS" 5003 "ACCEPT"
 add_ips "OUT" "$SLX_KCL_SERVERS $SLX_SERVER_IP" 0 "ACCEPT"
+# sssd
+sssd="$( < /etc/sssd/sssd.conf grep -P '^\s*ldap_(backup_)?uri\s*=' | sed -r 's/^[^=]*=//' )"
+sssd="${sssd//,/ }"
+for uri in $sssd; do
+ parse_uri "$uri"
+ add_ips "OUT" "$ip" "$port" "ACCEPT"
+done
+
+# pam-slx-plug
+for file in /opt/openslx/pam/slx-ldap.d/*; do
+ [ -f "$file" ] || continue
+ uris="$( grep -Po "(?<=LDAP_URI=')[^']*" "$file" )"
+ for uri in $uris; do
+ parse_uri "$uri"
+ add_ips "OUT" "$ip" "$port" "ACCEPT"
+ done
+done
+
 if [ -n "$SLX_VM_NFS" ]; then
 IP=
 if [ "${SLX_VM_NFS:0:2}" = '//' ]; then
@@ -66,19 +111,28 @@ fi
 sort -u "${AUTORULES}" > "${RULES}"
 # determine the URL to download the netrules from
-. /opt/openslx/vmchooser/config/resource_urls.conf
+if [ -s /opt/openslx/vmchooser/config/resource_urls.conf ]; then
+ . /opt/openslx/vmchooser/config/resource_urls.conf
+fi
 NETRULES_URL=
 [ -n "$url_lecture_netrules" ] && NETRULES_URL="${url_lecture_netrules//%UUID%/${1}}"
 [ -z "$NETRULES_URL" ] && NETRULES_URL="${SLX_VMCHOOSER_BASE_URL}/lecture/$1/netrules"
-wget -T 6 -O - "${NETRULES_URL}" >> "${RULES}" 2> "${AUTORULES}"
+wget -T 8 -O - "${NETRULES_URL}" > "${REMOTERULES}" 2> "${LOGFILE}"
 RET=$?
 if [ "$RET" != "0" ]; then
 echo "wget exit code: $RET :-("
- grep -q "ERROR 404" "${AUTORULES}" && exit 0
+ grep -q "ERROR 404" "${LOGFILE}" && exit 0 # Old sat, doesn't support firewall rules
+ echo "WGET error output:"
+ cat "${LOGFILE}"
+ echo "------------ Downloaded content follows"
+ cat "${REMOTERULES}"
 exit 6
 fi
+# Download OK, append to rules
+cat "${REMOTERULES}" >> "${RULES}"
+
 declare -rg V4='^[0-9]+(\.[0-9]+)*(/[0-9]+)?$'
 declare -rg V6='^([0-9a-fA-F]+|:)(:+[0-9a-fA-F]*)*(/[0-9]+)?$' |
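Review bot: The sssd block reads `/etc/sssd/sssd.conf` unconditionally; on a host without sssd the `<` redirection fails, which leaves `sssd` empty so the loop is a no-op, but an error lands on stderr every run. Guarding it with `[ -f /etc/sssd/sssd.conf ]` before the command substitution (or an explicit, commented `2>/dev/null`) would make the intent clear, matching what the pam-slx-plug loop already does with `[ -f "$file" ] || continue`. That loop's `grep -Po "(?<=LDAP_URI=')[^']*"` only matches a single-quoted value, so a double-quoted or bare `LDAP_URI=` assignment is silently skipped; if single quotes are the supported format, say so in a comment, e.g. `# only single-quoted LDAP_URI='...' values are recognised`. Both loops also rely on `parse_uri` returning its result through the globals `ip` and `port`, which is worth a line of comment where they are consumed.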
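Review bot: The new `wget -T 8` bounds each DNS/connect/read timeout but not the retry count, and wget retries by default, so an unreachable rules server can still hold this step far longer than the 8 seconds suggest; `wget -T 8 -t 1 -O - "${NETRULES_URL}" > "${REMOTERULES}" 2> "${LOGFILE}"` would cap it, or the accepted worst-case delay should be documented. On a non-404 failure the script prints the log and exits 6 before `cat "${REMOTERULES}" >> "${RULES}"`, and on 404 it exits 0; whether the locally generated `${RULES}` are applied in either case is decided outside this hunk, so a one-line comment at the `exit 0` and `exit 6` lines stating the intended outcome would help the next reader. The downloaded content is appended to `${RULES}` unvalidated here; the `V4`/`V6` patterns that follow presumably filter each line, but that logic lies past the end of the hunk.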