From 820d16d840f462bf1b614f487cef1ddb589084b4 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Thu, 4 Aug 2016 16:01:53 +0200
Subject: [run-virt] Implement automatic firewalling
---
.../opt/openslx/scripts/includes/setup_firewall.inc | 12 ++++++++++++
.../pam_script_ses_close.d/runvirt-firewall-clear | 17 +++++++++++++++++
.../data/opt/openslx/scripts/vmchooser-run_virt | 4 ++++
3 files changed, 33 insertions(+)
create mode 100644 remote/modules/run-virt/data/opt/openslx/scripts/includes/setup_firewall.inc
create mode 100644 remote/modules/run-virt/data/opt/openslx/scripts/pam_script_ses_close.d/runvirt-firewall-clear
(limited to 'remote/modules/run-virt/data/opt/openslx/scripts')
diff --git a/remote/modules/run-virt/data/opt/openslx/scripts/includes/setup_firewall.inc b/remote/modules/run-virt/data/opt/openslx/scripts/includes/setup_firewall.inc
new file mode 100644
index 00000000..f0820ed7
--- /dev/null
+++ b/remote/modules/run-virt/data/opt/openslx/scripts/includes/setup_firewall.inc
@@ -0,0 +1,12 @@
+
+setup_firewall () {
+ local LOGF="${TMPDIR}/firewall.log"
+ local RET
+ [ "$DISPLAY" = ":0" ] || return 0 # For now, to avoid conflicts, we only do this on display :0
+ slxfwtool "$IMGUUID" > "$LOGF" 2>&1
+ RET=$?
+ if [ "$RET" != "0" ]; then
+ slxlog "runvirt-firewall" "Error setting up firewall rules for lecture $IMGUUID (Exit code $RET)" "$LOGF"
+ fi
+ return 0
+}
diff --git a/remote/modules/run-virt/data/opt/openslx/scripts/pam_script_ses_close.d/runvirt-firewall-clear b/remote/modules/run-virt/data/opt/openslx/scripts/pam_script_ses_close.d/runvirt-firewall-clear
new file mode 100644
index 00000000..dab08190
--- /dev/null
+++ b/remote/modules/run-virt/data/opt/openslx/scripts/pam_script_ses_close.d/runvirt-firewall-clear
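Review bot: setup_firewall fails open: when `slxfwtool "$IMGUUID"` exits non-zero the function only calls slxlog and then reaches `return 0`, so the session starts without the lecture's rules and the `setup_firewall || writelog …` caller added to vmchooser-run_virt in this commit never sees the failure. If the rules are meant to restrict the session rather than merely assist it, end the function with `return "$RET"` and let the caller decide whether to continue; if best effort is intended, say so in a comment such as `# Best effort: a lecture without working rules still starts, the failure is only logged`. The early `return 0` for any display other than :0 skips the rules without a log entry, which makes a missing firewall on another display hard to notice afterwards.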
@@ -0,0 +1,17 @@
+#!/bin/ash
+
+# Sourced by pam_script_ses_close
+
+runvirt_fw_clear () {
+ iptables -w -F runvirt-INPUT
+ ip6tables -w -F runvirt-INPUT
+ iptables -w -F runvirt-OUTPUT
+ ip6tables -w -F runvirt-OUTPUT
+}
+
+if [ "x$PAM_TTY" = "x:0" ]; then
+ runvirt_fw_clear > /dev/null 2>&1
+fi
+
+true
+
diff --git a/remote/modules/run-virt/data/opt/openslx/scripts/vmchooser-run_virt b/remote/modules/run-virt/data/opt/openslx/scripts/vmchooser-run_virt
index 5353d21a..ea3cfe8e 100755
--- a/remote/modules/run-virt/data/opt/openslx/scripts/vmchooser-run_virt
+++ b/remote/modules/run-virt/data/opt/openslx/scripts/vmchooser-run_virt
@@ -64,6 +64,10 @@ else # This include does not currently work. TODO. # source ${RUNVIRTINCLUDEDIR}/check_runvirt_needed_files.inc && filecheck + # Firewall + source "${RUNVIRTINCLUDEDIR}/setup_firewall.inc" || writelog "Could not source setup_firewall" + setup_firewall || writelog "Could not run setup_firewall" + # Read needed variables from XML file source ${RUNVIRTINCLUDEDIR}/get_xml_file_variables.inc -- cgit v1.2.3-55-g7522
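Review bot: A failed flush goes unnoticed in runvirt-firewall-clear: `runvirt_fw_clear > /dev/null 2>&1` drops all output, the function's status is only that of the last `ip6tables` call, and the script ends with `true`, so rules from the finished lecture can stay in runvirt-INPUT/runvirt-OUTPUT for the next login without any record. I would collect the status of all four flushes and report a failure, as sketched below; slxlog is taken from setup_firewall.inc in this commit, and whether it is usable from the PAM close script needs checking. The flush also depends on the session-close hook running at all, so it is worth confirming (not visible here) that slxfwtool empties the chains itself before loading new rules.

```shell
runvirt_fw_clear () {
	local ret=0 tool chain
	for tool in iptables ip6tables; do
		for chain in runvirt-INPUT runvirt-OUTPUT; do
			# keep going so one failure does not leave the other chains populated
			"$tool" -w -F "$chain" || ret=1
		done
	done
	return "$ret"
}

if [ "x$PAM_TTY" = "x:0" ]; then
	runvirt_fw_clear > /dev/null 2>&1 || slxlog "runvirt-firewall" "Could not flush runvirt chains at session close"
fi
# … unchanged: trailing `true` …
```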
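Review bot: `$IMGUUID` may not be set yet where setup_firewall is called in vmchooser-run_virt: the new lines sit directly above the existing `source ${RUNVIRTINCLUDEDIR}/get_xml_file_variables.inc`, and nothing in the visible context assigns the variable. If it is one of the values that include reads from the XML file, slxfwtool is invoked with an empty argument; moving the two lines below that include, or guarding with `[ -n "$IMGUUID" ] || writelog "No IMGUUID, skipping firewall setup"`, would make that case visible. Separately, setup_firewall is still called after a failed `source`, which produces two log lines for one fault. The enclosing else-branch starts and ends outside the hunk.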