[LON-CAPA-cvs] cvs: loncom /configuration Firewall.pm
raeburn
raeburn at source.lon-capa.org
Tue May 7 17:18:24 EDT 2019
raeburn Tue May 7 21:18:24 2019 EDT
Modified files:
/loncom/configuration Firewall.pm
Log:
- Dynamic management of LON-CAPA port 5663 compatible with firewalld
- &uses_firewalld() gets default zone when firewalld is in use.
Index: loncom/configuration/Firewall.pm
diff -u loncom/configuration/Firewall.pm:1.16 loncom/configuration/Firewall.pm:1.17
--- loncom/configuration/Firewall.pm:1.16 Wed Dec 12 03:34:04 2018
+++ loncom/configuration/Firewall.pm Tue May 7 21:18:24 2019
@@ -1,7 +1,7 @@
# The LearningOnline Network with CAPA
# Firewall configuration to allow internal LON-CAPA communication between servers
#
-# $Id: Firewall.pm,v 1.16 2018/12/12 03:34:04 raeburn Exp $
+# $Id: Firewall.pm,v 1.17 2019/05/07 21:18:24 raeburn Exp $
#
# The LearningOnline Network with CAPA
#
@@ -42,7 +42,7 @@
if ($distro eq '') {
$distro = &get_distro();
}
- my ($inuse, $checkfirewalld);
+ my ($inuse,$checkfirewalld,$zone);
if ($distro =~ /^(suse|sles)([\d\.]+)$/) {
if (($1 eq 'sles') && ($2 >= 15)) {
$checkfirewalld = 1;
@@ -71,10 +71,19 @@
close(PIPE);
}
if (($loaded eq 'loaded') || ($active eq 'active')) {
- $inuse = 1;
+ $inuse = 1;
+ my $cmd = 'firewall-cmd --get-default-zone';
+ if (open(PIPE,"$cmd |")) {
+ my $result = <PIPE>;
+ chomp($result);
+ close(PIPE);
+ if ($result =~ /^\w+$/) {
+ $zone = $result;
+ }
+ }
}
}
- return $inuse;
+ return ($inuse,$zone);
}
sub firewall_open_port {
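Review bot: `$zone` is returned undefined whenever the `--get-default-zone` lookup fails (firewall-cmd missing, empty output, or a zone name the `/^\w+$/` check rejects — firewalld permits hyphenated zone names such as `nm-shared`), yet the callers in firewall_open_port, firewall_close_port and firewall_close_anywhere (hunks at @@ -137, -206, -364 and -423) now build `'firewall-cmd --zone='.$zone` from it, producing a bare `--zone=` where the old code always passed `--zone=public`. A fallback before the return preserves the previous behaviour, `$zone = 'public' if ($inuse && !defined($zone));`, and `$result` should be tested with `defined` before `chomp` so a command with no output does not raise an uninitialized-value warning. The @fw_chains hunk at the end already falls back to `IN_public_allow`, but its `$zone ne ''` test would still warn on an undef value under `use warnings`. The command string here is constant, so nothing untrusted reaches the shell; the list form `open(my $pipe, '-|', 'firewall-cmd', '--get-default-zone')` would avoid the shell entirely, though the file's other pipe opens use the same two-arg idiom. uses_firewalld's signature lies outside this hunk.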
@@ -96,7 +105,7 @@
if (ref($ports) ne 'ARRAY') {
return 'List of ports to open needed.';
}
- my $firewalld = &uses_firewalld();
+ my ($firewalld,$zone) = &uses_firewalld();
foreach my $portnum (@{$ports}) {
my $port = '';
if ($portnum =~ /^(\d+)$/) {
@@ -137,7 +146,7 @@
} else {
foreach my $fw_chain (@okchains) {
if ($firewalld) {
- my $cmd = 'firewall-cmd --zone=public --add-rich-rule \'rule family="ipv4" source address="'.$ip.'/32" port port="'.$port.'" protocol="tcp" accept\'';
+ my $cmd = 'firewall-cmd --zone='.$zone.' --add-rich-rule \'rule family="ipv4" source address="'.$ip.'/32" port port="'.$port.'" protocol="tcp" accept\'';
if (open(PIPE,"$cmd |")) {
my $result = <PIPE>;
chomp($result);
@@ -206,7 +215,7 @@
my (@port_errors,%command_errors);
foreach my $fw_chain (@okchains) {
if ($firewalld) {
- my $cmd = 'firewall-cmd --zone=public --add-rich-rule \'rule family="ipv4" port port="'.$port.'" protocol="tcp" accept\'';
+ my $cmd = 'firewall-cmd --zone='.$zone.' --add-rich-rule \'rule family="ipv4" port port="'.$port.'" protocol="tcp" accept\'';
if (open(PIPE,"$cmd |")) {
my $result = <PIPE>;
chomp($result);
@@ -327,7 +336,7 @@
if (ref($ports) ne 'ARRAY') {
return 'List of ports to close needed.';
}
- my $firewalld = &uses_firewalld();
+ my ($firewalld,$zone) = &uses_firewalld();
foreach my $portnum (@{$ports}) {
my $port = '';
if ($portnum =~ /^(\d+)$/) {
@@ -364,7 +373,7 @@
if (keys(%to_close) > 0) {
foreach my $ip (keys(%to_close)) {
if ($firewalld) {
- my $cmd = 'firewall-cmd --zone=public --remove-rich-rule \'rule family="ipv4" source address="'.$ip.'/32" port port="'.$port.'" protocol="tcp" accept\'';
+ my $cmd = 'firewall-cmd --zone='.$zone.' --remove-rich-rule \'rule family="ipv4" source address="'.$ip.'/32" port port="'.$port.'" protocol="tcp" accept\'';
if (open(PIPE,"$cmd |")) {
my $result = <PIPE>;
chomp($result);
@@ -423,7 +432,7 @@
}
if ($to_close) {
if ($firewalld) {
- my $cmd = 'firewall-cmd --zone=public --remove-rich-rule \'rule family="ipv4" port port="'.$port.'" protocol="tcp" accept\'';
+ my $cmd = 'firewall-cmd --zone='.$zone.' --remove-rich-rule \'rule family="ipv4" port port="'.$port.'" protocol="tcp" accept\'';
if (open(PIPE,"$cmd|")) {
my $result = <PIPE>;
chomp($result);
@@ -461,7 +470,7 @@
sub firewall_close_anywhere {
my ($iptables,$fw_chain,$port) = @_;
- my $firewalld = &uses_firewalld();
+ my ($firewalld,$zone) = &uses_firewalld();
if (open(PIPE, "$iptables --line-numbers -n -L $fw_chain |")) {
while (<PIPE>) {
next unless (/dpt:\Q$port\E/);
@@ -522,8 +531,13 @@
my @fw_chains;
my $suse_config = "/etc/sysconfig/SuSEfirewall2";
my $ubuntu_config = "/etc/ufw/ufw.conf";
- if (&uses_firewalld($distro)) {
- push(@fw_chains,'IN_public_allow');
+ my ($firewalld,$zone) = &uses_firewalld($distro);
+ if ($firewalld) {
+ if ($zone ne '') {
+ push(@fw_chains,'IN_'.$zone.'_allow');
+ } else {
+ push(@fw_chains,'IN_public_allow');
+ }
} elsif (-e $suse_config) {
push(@fw_chains,'input_ext');
} else {