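#!/bin/bash

# Do not rename/move this script, or change fwtool.c accordingly
#
# Usage: set-firewall <lecture-id>
# Builds the runvirt-INPUT/runvirt-OUTPUT chains (iptables and ip6tables) from
# a set of locally generated rules plus the per-lecture rules fetched from
# ${SLX_VMCHOOSER_BASE_URL}/lecture/<lecture-id>/netrules.
# Must run as root. Exit codes: 1 not root, 2 cannot create scratch file,
# 3 lecture id missing or containing characters not allowed in a URL path
# segment, 4 lecture id too short, 5 lecture id too long, 6 netrules download
# failed (a 404 is not an error, see below).

[ "$UID" = "0" ] || exit 1

# Scratch file for the final rule list. Assignment and read-only flag are kept
# apart so a failing mktemp is seen as an exit status, not hidden by declare.
RULES=$(mktemp) || exit 2
[ -n "$RULES" ] || exit 2
declare -rg RULES

[ -n "$1" ] || exit 3

[ "${#1}" -ge 10 ] || exit 4
[ "${#1}" -lt 40 ] || exit 5
# The id is interpolated into the netrules URL below. Restrict it to characters
# that cannot open a new path segment, query string or userinfo part, so the
# caller of fwtool cannot steer the fetch to an arbitrary location on the server.
[[ $1 =~ ^[A-Za-z0-9._-]+$ ]] || exit 3

. /opt/openslx/config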

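# Create our own chains for both address families (or flush them if a previous
# run left them behind) and hook them into the built-in chains for traffic
# entering or leaving via br0 (presumably the bridge the VMs are attached to).
# Each hook is appended only if it is not already present (-C), so the script
# can be re-run without stacking duplicate jump rules.
for TOOL in iptables ip6tables; do
	# -F fails when the chain does not exist yet; create it in that case
	"$TOOL" -w -F runvirt-INPUT || "$TOOL" -w -N runvirt-INPUT
	"$TOOL" -w -F runvirt-OUTPUT || "$TOOL" -w -N runvirt-OUTPUT

	if ! "$TOOL" -w -C INPUT -i br0 -j runvirt-INPUT; then
		"$TOOL" -w -A INPUT -i br0 -j runvirt-INPUT
	fi
	if ! "$TOOL" -w -C OUTPUT -o br0 -j runvirt-OUTPUT; then
		"$TOOL" -w -A OUTPUT -o br0 -j runvirt-OUTPUT
	fi
	if ! "$TOOL" -w -C FORWARD -i br0 -j runvirt-INPUT; then
		"$TOOL" -w -A FORWARD -i br0 -j runvirt-INPUT
	fi
	if ! "$TOOL" -w -C FORWARD -o br0 -j runvirt-OUTPUT; then
		"$TOOL" -w -A FORWARD -o br0 -j runvirt-OUTPUT
	fi
	# Reply traffic of already accepted connections passes. -w is given here
	# too, like on every other call, so a concurrently held xtables lock makes
	# these appends wait instead of fail. Only ESTABLISHED is matched, not
	# RELATED: anything relying on related flows must come from the rule list.
	"$TOOL" -w -A runvirt-INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
	"$TOOL" -w -A runvirt-OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
done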

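# Scratch file collecting the locally generated rules. Checked like RULES is
# checked above: a failed mktemp must not leave us appending to "".
AUTORULES=$(mktemp) || exit 2
[ -n "$AUTORULES" ] || exit 2
declare -rg AUTORULES

#######################################
# Remove both scratch files, whichever way the script ends.
# Globals: RULES, AUTORULES (read)
#######################################
cleanup() {
	rm -f -- "$AUTORULES"
	[ -n "$RULES" ] && rm -f -- "$RULES"
	return 0
}
trap cleanup EXIT

#######################################
# Queue one rule per address for later application.
# Arguments: $1 - direction, IN or OUT
#            $2 - whitespace separated list of addresses/networks
#            $3 - port, 0 for "any"
#            $4 - target, e.g. ACCEPT or REJECT
# Outputs:   appends "DIR ADDR PORT TARGET" lines to AUTORULES
# Returns:   1 if any argument is empty, 0 otherwise
#######################################
add_ips () {
	local -a ips=()
	local ip
	[[ -z $1 || -z $2 || -z $3 || -z $4 ]] && return 1
	# Split $2 on IFS like an unquoted expansion would, but without the
	# pathname expansion an unquoted "for ip in $2" performs on '?' or '['.
	# -d '' reads the whole value (newlines included) and then reports EOF,
	# hence the "|| true".
	read -r -d '' -a ips <<<"$2" || true
	for ip in "${ips[@]}"; do
		printf '%s %s %s %s\n' "$1" "$ip" "$3" "$4" >> "${AUTORULES}"
	done
}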

# Rules every VM gets regardless of lecture: loopback both ways, DNS, dnbd3
# image servers, and the boot/config servers (all values come from
# /opt/openslx/config sourced above).
add_ips "IN" "127.0.0.0/8" 0 "ACCEPT"
add_ips "OUT" "127.0.0.0/8" 0 "ACCEPT"
add_ips "OUT" "$SLX_DNS" 53 "ACCEPT"
add_ips "OUT" "$SLX_DNBD3_SERVERS" 5003 "ACCEPT"
add_ips "OUT" "$SLX_KCL_SERVERS $SLX_SERVER_IP" 0 "ACCEPT"

# Extract the server part of the VM share so the VM can reach it: either
# "//host/share" (strip the leading "//" and everything from the next "/")
# or "host:/export" (everything before the first ":").
if [ -n "$SLX_VM_NFS" ]; then
	IP=
	case "$SLX_VM_NFS" in
		//*)
			IP=${SLX_VM_NFS#//}
			IP=${IP%%/*}
			;;
		*)
			IP=${SLX_VM_NFS%%:*}
			;;
	esac
	[ -n "$IP" ] && add_ips "OUT" "$IP" 0 "ACCEPT"
fi

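# Deduplicated local rules first, then whatever the server provides for this
# lecture; the loop below applies them in that order.
sort -u "${AUTORULES}" > "${RULES}"

# Fetch the lecture's rules. wget's stderr goes into AUTORULES (its content is
# not needed any more) so the 404 case can be told apart below. LC_ALL=C pins
# wget's messages to English, so the "ERROR 404" match does not depend on the
# locale of the calling environment.
# NOTE(review): the downloaded rules are applied as-is; their integrity rests
# entirely on the transport behind SLX_VMCHOOSER_BASE_URL, so that should be
# an https URL wherever the infrastructure allows it.
LC_ALL=C wget -T 6 -O - "${SLX_VMCHOOSER_BASE_URL}/lecture/$1/netrules" >> "${RULES}" 2> "${AUTORULES}"
RET=$?

if [ "$RET" != "0" ]; then
	echo "wget exit code: $RET :-("
	# No rule set for this lecture: stop here without applying anything, the
	# chains then contain only the ESTABLISHED rule added above, i.e. this
	# script adds no restriction. Any other failure is reported as 6.
	grep -qF "ERROR 404" "${AUTORULES}" && exit 0
	exit 6
fi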

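# Loose shape checks only: they decide which tool gets a destination, the
# tools themselves validate the address.
declare -rg V4='^[0-9]+(\.[0-9]+)*(/[0-9]+)?$'
declare -rg V6='^([0-9a-fA-F]+|:)(:+[0-9a-fA-F]*)*(/[0-9]+)?$'

#######################################
# Append the rule currently held in RULE_ARGS/RULE_TAIL using one tool.
# Globals:   RULE_ARGS (read) - options up to and including the address match
#            RULE_TAIL (read) - --dport (if any) and the -j target
#            PORT (read)      - 0 means "no port match, any protocol"
# Arguments: $1 - iptables or ip6tables
#######################################
apply_rule() {
	local tool=$1
	if [ "$PORT" -eq 0 ]; then
		"$tool" "${RULE_ARGS[@]}" "${RULE_TAIL[@]}"
	else
		# --dport needs a transport protocol; cover both tcp and udp
		"$tool" "${RULE_ARGS[@]}" -p tcp "${RULE_TAIL[@]}"
		"$tool" "${RULE_ARGS[@]}" -p udp "${RULE_TAIL[@]}"
	fi
}

# One rule per line: DIR DEST PORT ACTION [ignored trailing fields]
#   DIR    IN or OUT (anything else is skipped silently)
#   DEST   address or network, or '*' for any
#   PORT   0..65535, 0 meaning "no port match"
#   ACTION target handed to -j, e.g. ACCEPT or REJECT
# The '|| [ -n "$DIR" ]' keeps a last line without trailing newline from
# being lost.
while read -r DIR DEST PORT ACTION GARBAGE || [ -n "$DIR" ]; do
	if [[ -z $DEST || -z $PORT || -z $ACTION ]]; then
		echo "Invalid rule: '$DIR $DEST $PORT $ACTION'"
		continue
	fi
	# The command line is built in arrays, not in a whitespace-joined string:
	# DEST and ACTION come from the server and must reach the tool as single
	# words, with no word splitting and no pathname expansion of '?' or '['.
	RULE_ARGS=(-w)
	case "$DIR" in
		IN)  RULE_ARGS+=(-A runvirt-INPUT) ;;
		OUT) RULE_ARGS+=(-A runvirt-OUTPUT) ;;
		*)   continue ;;
	esac
	if ! [[ $PORT =~ ^[0-9]+$ ]] || [ "$PORT" -gt 65535 ]; then
		echo "Invalid port: '$PORT'"
		continue
	fi
	if [ "$DEST" != "*" ]; then
		if [ "$DIR" = "OUT" ]; then
			RULE_ARGS+=(-d "$DEST")
		else
			RULE_ARGS+=(-s "$DEST")
		fi
	fi
	RULE_TAIL=()
	# numeric comparison, so "00" counts as "no port" like "0" does
	if [ "$PORT" -ne 0 ]; then
		RULE_TAIL+=(--dport "$PORT")
	fi
	RULE_TAIL+=(-j "$ACTION")
	# Whatever does not look like IPv4 goes to ip6tables, whatever does not
	# look like IPv6 goes to iptables. A DEST matching neither pattern ('*',
	# or a hostname the tools would try to resolve) is handed to both.
	if ! [[ $DEST =~ $V4 ]]; then
		apply_rule ip6tables
	fi
	if ! [[ $DEST =~ $V6 ]]; then
		apply_rule iptables
	fi
done < "$RULES"

exit 0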