[LON-CAPA-cvs] cvs: loncom / lciptables /configuration Firewall.pm /init.d loncontrol
raeburn
raeburn@source.lon-capa.org
Thu, 30 Dec 2010 18:40:38 -0000
raeburn Thu Dec 30 18:40:38 2010 EDT
Modified files:
/loncom lciptables
/loncom/configuration Firewall.pm
/loncom/init.d loncontrol
Log:
- No longer stop and start firewall rules for existing hosts when loncron
calls lciptables.
- Additional arg in Firewall::firewall_close_port() - ref to %iphosts
hash of hosts in cluster.
Index: loncom/lciptables
diff -u loncom/lciptables:1.3 loncom/lciptables:1.4
--- loncom/lciptables:1.3 Tue Oct 12 10:17:10 2010
+++ loncom/lciptables Thu Dec 30 18:40:19 2010
@@ -2,7 +2,7 @@
#
# The Learning Online Network with CAPA
#
-# $Id: lciptables,v 1.3 2010/10/12 10:17:10 foxr Exp $
+# $Id: lciptables,v 1.4 2010/12/30 18:40:19 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -103,7 +103,7 @@
my @fw_chains = &LONCAPA::Firewall::get_fw_chains();
my $iptables = &LONCAPA::Firewall::get_pathto_iptables();
my $firewall_result =
- &LONCAPA::Firewall::firewall_close_port($iptables,\@fw_chains,$lond_port,[$lond_port]);
+ &LONCAPA::Firewall::firewall_close_port($iptables,\@fw_chains,$lond_port,\%iphost,[$lond_port]);
if ($firewall_result) {
print "$firewall_result\n";
}
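Review bot: The effect of the new `\%iphost` argument depends on how `%iphost` is populated in lciptables, which lies before this hunk; with the new firewall_close_port() an empty hash means "no host is in the cluster", so every ACCEPT rule for `$lond_port` is removed. If `%iphost` comes from Apache::lonnet::get_iphost() and that lookup can come back empty (hosts table unreadable, for instance), a loncron run would drop every cluster host's rule instead of leaving them alone, the opposite of what the log message intends. Consider guarding the call, e.g. `if (keys(%iphost)) {` around the close/open sequence with an `else { print "no cluster hosts found; firewall rules left unchanged\n"; }`, or a comment stating why an empty hash is acceptable here. The enclosing code starts before this hunk.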
Index: loncom/configuration/Firewall.pm
diff -u loncom/configuration/Firewall.pm:1.6 loncom/configuration/Firewall.pm:1.7
--- loncom/configuration/Firewall.pm:1.6 Thu Mar 25 01:47:45 2010
+++ loncom/configuration/Firewall.pm Thu Dec 30 18:40:29 2010
@@ -1,7 +1,7 @@
# The LearningOnline Network with CAPA
# Firewall configuration to allow internal LON-CAPA communication between servers
#
-# $Id: Firewall.pm,v 1.6 2010/03/25 01:47:45 raeburn Exp $
+# $Id: Firewall.pm,v 1.7 2010/12/30 18:40:29 raeburn Exp $
#
# The LearningOnline Network with CAPA
#
@@ -183,11 +183,11 @@
# check if firewall is active or installed
return if (! &firewall_is_active());
my $count = 0;
- if (open(PIPE,"$iptables -L $fw_chain -n 2>/dev/null |")) {
+ if (open(PIPE,"$iptables -L $fw_chain -n |")) {
while(<PIPE>) {
if ($port eq $lond_port) {
if (ref($iphost) eq 'HASH') {
- if (/^ACCEPT\s+tcp\s+\-{2}\s+([\S]+)\s+/) {
+ if (/^ACCEPT\s+tcp\s+\-{2}\s+(\S+)\s+\S+\s+tcp\s+dpt\:\Q$port\E/) {
my $ip = $1;
if ($iphost->{$ip}) {
$count ++;
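Review bot: The tightened pattern on the new line, `/^ACCEPT\s+tcp\s+\-{2}\s+(\S+)\s+\S+\s+tcp\s+dpt\:\Q$port\E/`, is not anchored after the port, so `dpt:80` also matches a rule for `dpt:8080`; the filter in firewall_close_port() later in this file uses `dpt:\Q$port\E\s*$`, and the same anchor belongs here: `dpt\:\Q$port\E\s*$/`. The rewritten `open(PIPE,"$iptables -L $fw_chain -n |")` still hands a string to the shell with `$iptables` and `$fw_chain` interpolated, and dropping `2>/dev/null` now sends iptables diagnostics to whatever stderr the caller has; the list form `open(my $pipe, '-|', $iptables, '-L', $fw_chain, '-n')` avoids the shell entirely, and if routing stderr through is deliberate a comment saying so would help. The enclosing subroutine starts before and ends after this hunk.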
@@ -218,7 +218,7 @@
}
sub firewall_close_port {
- my ($iptables,$fw_chains,$lond_port,$ports) = @_;
+ my ($iptables,$fw_chains,$lond_port,$iphost,$ports) = @_;
return 'inactive firewall' if (!&firewall_is_active());
return 'port number unknown' if !$lond_port;
return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY');
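Review bot: Inserting `$iphost` as the fourth positional parameter changes the meaning of the fourth argument for every caller: a caller still using the old four-argument form gets its `$ports` array ref in `$iphost`, `ref($iphost) eq 'HASH'` is false, `$ports` is undef, and nothing reports the mistake. The two callers in this commit are updated, but a check mirroring the one on `$fw_chains`, `return 'invalid port list' unless (ref($ports) eq 'ARRAY');`, would turn a stale call into a visible error; if such a check already exists further down the sub this is covered. A POD sentence describing `$iphost` as the hash of cluster hosts whose rules stay open would also help, since the later POD hunk only updates the signature line. The body of firewall_close_port continues past this hunk.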
@@ -254,7 +254,16 @@
chomp();
next unless (/dpt:\Q$port\E\s*$/);
if (/^ACCEPT\s+tcp\s+\-{2}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+/) {
- $to_close{$1} = $port;
+ my $ip = $1;
+ my $keepopen = 0;
+ if (ref($iphost) eq 'HASH') {
+ if (exists($iphost->{$ip})) {
+ $keepopen = 1;
+ }
+ }
+ unless ($keepopen) {
+ $to_close{$ip} = $port;
+ }
}
}
close(PIPE);
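Review bot: The new keep-open test uses `exists($iphost->{$ip})`, while the matching test added in the earlier hunk of this file uses the value's truth, `if ($iphost->{$ip})`; the two sites should agree on what counts as a cluster host, and `exists` is the safer of the two. The three nested conditionals can also be a single statement with the same behaviour: `$to_close{$ip} = $port unless ((ref($iphost) eq 'HASH') && exists($iphost->{$ip}));`. A one-line comment above it, `# Rules for hosts still in the cluster (keys of %$iphost) are left in place; an empty or missing hash closes every matching rule`, would record the contract callers now rely on. The enclosing loop and subroutine begin before this hunk.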
@@ -446,7 +455,7 @@
=over 4
-=item LONCAPA::Firewall::firewall_close_port( $iptables,$fw_chains,$lond_port,$ports );
+=item LONCAPA::Firewall::firewall_close_port( $iptables,$fw_chains,$lond_port,$iphost,$ports );
=back
Index: loncom/init.d/loncontrol
diff -u loncom/init.d/loncontrol:1.40 loncom/init.d/loncontrol:1.41
--- loncom/init.d/loncontrol:1.40 Sat Apr 17 16:54:24 2010
+++ loncom/init.d/loncontrol Thu Dec 30 18:40:38 2010
@@ -1,6 +1,6 @@
#!/usr/bin/perl
#
-# $Id: loncontrol,v 1.40 2010/04/17 16:54:24 raeburn Exp $
+# $Id: loncontrol,v 1.41 2010/12/30 18:40:38 raeburn Exp $
#
# The LearningOnline Network with CAPA
#
@@ -122,7 +122,7 @@
my $iptables = &LONCAPA::Firewall::get_pathto_iptables();
my @fw_chains = &LONCAPA::Firewall::get_fw_chains($iptables);
my $lond_port = &LONCAPA::Firewall::get_lond_port();
- my %iphost = &Apache::lonnet::get_iphost();
+ my %iphost;
if ($command eq 'stop') {
print 'Stopping LON-CAPA'."\n";
foreach my $daemon ('lonsql','lond','lonc','lonmemcached','lonmaxima','lonr') {
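Review bot: `my %iphost;` is now deliberately left empty on the 'stop' path, and the firewall_close_port() call in the next hunk relies on that: with no hosts in the hash every ACCEPT rule for `$lond_port` is scheduled for removal. That intent is not visible at the declaration; a comment such as `# Left empty for 'stop' so firewall_close_port() removes rules for every host; 'start' and 'status' fill it from get_iphost()` would stop a future reader from "fixing" it by restoring the get_iphost() call here. The enclosing block starts before this hunk.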
@@ -131,12 +131,13 @@
&stop_daemon($daemon,$killallname);
}
my $firewall_result =
- &LONCAPA::Firewall::firewall_close_port($iptables,\@fw_chains,$lond_port,[$lond_port]);
+ &LONCAPA::Firewall::firewall_close_port($iptables,\@fw_chains,$lond_port,\%iphost,[$lond_port]);
if ($firewall_result) {
print "$firewall_result\n";
}
&clean_sockets();
} elsif ($command eq "start") {
+ %iphost = &Apache::lonnet::get_iphost();
my $firewall_result =
&LONCAPA::Firewall::firewall_open_port($iptables,\@fw_chains,$lond_port,\%iphost,[$lond_port]);
if (($firewall_result eq 'ok') || ($firewall_result eq 'inactive firewall')) {
@@ -156,6 +157,7 @@
}
}
} elsif ($command eq "status") {
+ %iphost = &Apache::lonnet::get_iphost();
my $response=`/bin/cat /home/httpd/perl/logs/*.pid 2>&1`;
if ($response=~/No such file or directory/) {
print 'LON-CAPA is not running.'."\n";