summaryrefslogtreecommitdiffstats
path: root/remote/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall
blob: 2773150cc9c0b15c051e205c02d9b4cff250f89f (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
#!/bin/bash

# Do not rename/move this script, or change fwtool.c accordingly

[ "$UID" = "0" ] || exit 1

declare -rg RULES=$(mktemp)

[ -n "$RULES" ] || exit 2

[ -n "$1" ] || exit 3

[ "${#1}" -ge 10 ] || exit 4
[ "${#1}" -lt 40 ] || exit 5

. /opt/openslx/config

for TOOL in iptables ip6tables; do
	$TOOL -w -F runvirt-INPUT || $TOOL -w -N runvirt-INPUT
	$TOOL -w -F runvirt-OUTPUT || $TOOL -w -N runvirt-OUTPUT

	if ! $TOOL -w -C INPUT -i br0 -j runvirt-INPUT; then
		$TOOL -w -A INPUT -i br0 -j runvirt-INPUT
	fi
	if ! $TOOL -w -C OUTPUT -o br0 -j runvirt-OUTPUT; then
		$TOOL -w -A OUTPUT -o br0 -j runvirt-OUTPUT
	fi
	if ! $TOOL -w -C FORWARD -i br0 -j runvirt-INPUT; then
		$TOOL -w -A FORWARD -i br0 -j runvirt-INPUT
	fi
	if ! $TOOL -w -C FORWARD -o br0 -j runvirt-OUTPUT; then
		$TOOL -w -A FORWARD -o br0 -j runvirt-OUTPUT
	fi
	$TOOL -A runvirt-INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
	$TOOL -A runvirt-OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
done

declare -rg AUTORULES=$(mktemp)

add_ips () {
	# add_ips "IN/OUT" "IP1 IP2 IPn" "PORT" "ACCEPT/REJECT"
	local IP
	[ -z "$1" -o -z "$2" -o -z "$3" -o -z "$4" ] && return 1
	for IP in $2; do
		echo "$1 $IP $3 $4" >> "${AUTORULES}"
	done
}

add_ips "IN" "127.0.0.0/8" 0 "ACCEPT"
add_ips "OUT" "127.0.0.0/8" 0 "ACCEPT"
add_ips "OUT" "$SLX_DNS" 53 "ACCEPT"
add_ips "OUT" "$SLX_DNBD3_SERVERS" 5003 "ACCEPT"
add_ips "OUT" "$SLX_KCL_SERVERS $SLX_SERVER_IP" 0 "ACCEPT"

if [ -n "$SLX_VM_NFS" ]; then
	IP=
	if [ "${SLX_VM_NFS:0:2}" = '//' ]; then
		IP=${SLX_VM_NFS:2}
		IP=${IP%%/*}
	else
		IP=${SLX_VM_NFS%%:*}
	fi
	[ -n "$IP" ] && add_ips "OUT" "$IP" 0 "ACCEPT"
fi

sort -u "${AUTORULES}" > "${RULES}"

wget -T 6 -O - "${SLX_VMCHOOSER_BASE_URL}/lecture/$1/netrules" >> "${RULES}" 2> "${AUTORULES}"
RET=$?

if [ "$RET" != "0" ]; then
	echo "wget exit code: $RET :-("
	grep -q "ERROR 404" "${AUTORULES}" && exit 0
	exit 6
fi

declare -rg V4='^[0-9]+(\.[0-9]+)*(/[0-9]+)?$'
declare -rg V6='^([0-9a-fA-F]+|:)(:+[0-9a-fA-F]*)*(/[0-9]+)?$'

while read -r DIR DEST PORT ACTION GARBAGE || [ -n "$DIR" ]; do
	if [ -z "$DEST" -o -z "$PORT" -o -z "$ACTION" ]; then
		echo "Invalid rule: '$DIR $DEST $PORT $ACTION'"
		continue
	fi
	IPLINE1=" -w"
	IPLINE2=
	if [ "$DIR" = "IN" ]; then
		IPLINE1+=" -A runvirt-INPUT"
	elif [ "$DIR" = "OUT" ]; then
		IPLINE1+=" -A runvirt-OUTPUT"
	else
		continue
	fi
	if ! [[ $PORT =~ ^[0-9]+$ ]] || [ "$PORT" -gt 65535 ]; then
		echo "Invalid port: '$PORT'"
		continue
	fi
	if [ "$DEST" != "*" ]; then
		if [ "$DIR" = "OUT" ]; then
			IPLINE1+=" -d $DEST"
		else
			IPLINE1+=" -s $DEST"
		fi
	fi
	if [ "$PORT" != 0 ]; then
		IPLINE2+=" --dport $PORT"
	fi
	IPLINE2+=" -j $ACTION"
	# IPv6?
	if ! [[ $DEST =~ $V4 ]]; then
		if [ "$PORT" = 0 ]; then
			ip6tables $IPLINE1 $IPLINE2
		else
			ip6tables $IPLINE1 -p tcp $IPLINE2
			ip6tables $IPLINE1 -p udp $IPLINE2
		fi
	fi
	# IPv4
	if ! [[ $DEST =~ $V6 ]]; then
		if [ "$PORT" = 0 ]; then
			iptables $IPLINE1 $IPLINE2
		else
			iptables $IPLINE1 -p tcp $IPLINE2
			iptables $IPLINE1 -p udp $IPLINE2
		fi
	fi
done < "$RULES"

exit 0