#!/bin/bash
# Do not rename/move this script, or change fwtool.c accordingly
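# Must run as root: everything below manipulates the host firewall.
[ "$UID" = "0" ] || exit 1
# Scratch files. RULES receives the final rule list; AUTORULES stages the
# default rules and is later reused to capture wget's stderr.
declare -rg RULES=$(mktemp)
[ -n "$RULES" ] || exit 2
declare -rg AUTORULES=$(mktemp)
[ -n "$AUTORULES" ] || exit 2
# Remove both scratch files on every exit path (they are only read while
# this script runs and were previously left behind in /tmp).
trap 'rm -f -- "$RULES" "$AUTORULES"' EXIT
# $1 is the lecture id. It is interpolated into the netrules URL path below,
# so besides the length bounds only allow URL-safe characters; anything else
# is treated like a missing argument.
[ -n "$1" ] || exit 3
[ "${#1}" -ge 10 ] || exit 4
[ "${#1}" -lt 40 ] || exit 5
[[ $1 =~ ^[A-Za-z0-9_-]+$ ]] || exit 3
# Provides SLX_* variables (DNS, dnbd3, KCL servers, NFS share, base URL).
. /opt/openslx/config
# For both address families: (re)create empty runvirt-INPUT/OUTPUT chains,
# hook them into INPUT/OUTPUT/FORWARD for br0 exactly once, and let
# established connections through. -w waits for the xtables lock so a
# concurrent iptables invocation cannot make a step fail spuriously.
for TOOL in iptables ip6tables; do
	$TOOL -w -F runvirt-INPUT || $TOOL -w -N runvirt-INPUT
	$TOOL -w -F runvirt-OUTPUT || $TOOL -w -N runvirt-OUTPUT
	if ! $TOOL -w -C INPUT -i br0 -j runvirt-INPUT; then
		$TOOL -w -A INPUT -i br0 -j runvirt-INPUT
	fi
	if ! $TOOL -w -C OUTPUT -o br0 -j runvirt-OUTPUT; then
		$TOOL -w -A OUTPUT -o br0 -j runvirt-OUTPUT
	fi
	if ! $TOOL -w -C FORWARD -i br0 -j runvirt-INPUT; then
		$TOOL -w -A FORWARD -i br0 -j runvirt-INPUT
	fi
	if ! $TOOL -w -C FORWARD -o br0 -j runvirt-OUTPUT; then
		$TOOL -w -A FORWARD -o br0 -j runvirt-OUTPUT
	fi
	$TOOL -w -A runvirt-INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
	$TOOL -w -A runvirt-OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
done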
add_ips () {
	# add_ips "IN/OUT" "IP1 IP2 IPn" "PORT" "ACCEPT/REJECT"
	# Appends one "DIR IP PORT ACTION" line per address in $2 to the file
	# named by the global AUTORULES. Returns 1 (writing nothing) when any
	# argument is empty, otherwise the status of the last write.
	local addr
	if [[ -z $1 || -z $2 || -z $3 || -z $4 ]]; then
		return 1
	fi
	# $2 is deliberately unquoted: it is a whitespace-separated list.
	for addr in $2; do
		printf '%s %s %s %s\n' "$1" "$addr" "$3" "$4" >> "${AUTORULES}"
	done
}
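# Default rules: loopback, DNS, dnbd3, KCL/boot servers and the VM NFS share
# stay reachable regardless of what the lecture's netrules say.
add_ips "IN" "127.0.0.0/8" 0 "ACCEPT"
add_ips "OUT" "127.0.0.0/8" 0 "ACCEPT"
add_ips "OUT" "$SLX_DNS" 53 "ACCEPT"
add_ips "OUT" "$SLX_DNBD3_SERVERS" 5003 "ACCEPT"
add_ips "OUT" "$SLX_KCL_SERVERS $SLX_SERVER_IP" 0 "ACCEPT"
if [ -n "$SLX_VM_NFS" ]; then
	# Host part of either "//host/share" or "host:/path".
	IP=
	if [ "${SLX_VM_NFS:0:2}" = '//' ]; then
		IP=${SLX_VM_NFS:2}
		IP=${IP%%/*}
	else
		IP=${SLX_VM_NFS%%:*}
	fi
	[ -n "$IP" ] && add_ips "OUT" "$IP" 0 "ACCEPT"
fi
sort -u "${AUTORULES}" > "${RULES}"
# Fetch the lecture-specific rules and append them. wget's stderr goes to
# AUTORULES (reused as scratch) so a 404 can be told apart from other errors.
wget -T 6 -O - "${SLX_VMCHOOSER_BASE_URL}/lecture/$1/netrules" >> "${RULES}" 2> "${AUTORULES}"
RET=$?
if [ "$RET" != "0" ]; then
	echo "wget exit code: $RET :-("
	# 404 is treated as "no netrules for this lecture" and nothing is
	# installed at all (presumably: without lecture rules the chains stay
	# pass-through, so the default ACCEPT rules are not needed either).
	grep -q "ERROR 404" "${AUTORULES}" && exit 0
	exit 6
fi
# Loose address-family detectors: V4 also matches bare numbers, V6 anything
# hex/colon-shaped. A DEST matching neither (e.g. a hostname) is handed to
# both tools; an unparseable address just makes that call fail.
declare -rg V4='^[0-9]+(\.[0-9]+)*(/[0-9]+)?$'
declare -rg V6='^([0-9a-fA-F]+|:)(:+[0-9a-fA-F]*)*(/[0-9]+)?$'

apply_rule() {
	# apply_rule TOOL PORT -- TOOL is iptables or ip6tables. Reads the MATCH
	# (chain + address) and TARGET (--dport/-j) arrays built by the loop
	# below. PORT 0 means any protocol; otherwise the rule is installed once
	# for tcp and once for udp.
	local tool=$1 port=$2
	if [ "$port" = 0 ]; then
		"$tool" "${MATCH[@]}" "${TARGET[@]}"
	else
		"$tool" "${MATCH[@]}" -p tcp "${TARGET[@]}"
		"$tool" "${MATCH[@]}" -p udp "${TARGET[@]}"
	fi
}

# Rule format, one per line: "IN|OUT DEST PORT ACTION [ignored...]".
# DEST is an address/network or "*" (any), PORT is 0 (any) or 1..65535,
# ACTION is the filter target. Malformed lines are reported and skipped;
# the "|| [ -n ... ]" also processes a last line lacking a trailing newline.
while read -r DIR DEST PORT ACTION GARBAGE || [ -n "$DIR" ]; do
	if [[ -z $DEST || -z $PORT || -z $ACTION ]]; then
		echo "Invalid rule: '$DIR $DEST $PORT $ACTION'"
		continue
	fi
	# The rules file comes from the network: only allow plain filter
	# targets so a crafted line cannot jump to an arbitrary chain/target.
	case "$ACTION" in
		ACCEPT|REJECT|DROP) ;;
		*)
			echo "Invalid action: '$ACTION'"
			continue
			;;
	esac
	MATCH=(-w)
	case "$DIR" in
		IN) MATCH+=(-A runvirt-INPUT) ;;
		OUT) MATCH+=(-A runvirt-OUTPUT) ;;
		*) continue ;;
	esac
	if ! [[ $PORT =~ ^[0-9]+$ ]] || [ "$PORT" -gt 65535 ]; then
		echo "Invalid port: '$PORT'"
		continue
	fi
	# Outgoing rules match the destination, incoming ones the source.
	if [ "$DEST" != "*" ]; then
		if [ "$DIR" = "OUT" ]; then
			MATCH+=(-d "$DEST")
		else
			MATCH+=(-s "$DEST")
		fi
	fi
	TARGET=()
	if [ "$PORT" != 0 ]; then
		TARGET+=(--dport "$PORT")
	fi
	TARGET+=(-j "$ACTION")
	# IPv6?
	if ! [[ $DEST =~ $V4 ]]; then
		apply_rule ip6tables "$PORT"
	fi
	# IPv4
	if ! [[ $DEST =~ $V6 ]]; then
		apply_rule iptables "$PORT"
	fi
done < "$RULES"
exit 0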