[LON-CAPA-cvs] cvs: loncom /configuration Firewall.pm
raeburn
raeburn at source.lon-capa.org
Thu Sep 12 23:52:03 EDT 2024
raeburn Fri Sep 13 03:52:03 2024 EDT
Modified files:
/loncom/configuration Firewall.pm
Log:
- Bug 6993. For LON-CAPA servers/VMs using firewalld: firewall rules added
by lciptables made "permanent" so they persist after firewall-cmd --reload
Index: loncom/configuration/Firewall.pm
diff -u loncom/configuration/Firewall.pm:1.27 loncom/configuration/Firewall.pm:1.28
--- loncom/configuration/Firewall.pm:1.27 Thu Jun 13 17:18:38 2024
+++ loncom/configuration/Firewall.pm Fri Sep 13 03:52:03 2024
@@ -1,7 +1,7 @@
# The LearningOnline Network with CAPA
# Firewall configuration to allow internal LON-CAPA communication between servers
#
-# $Id: Firewall.pm,v 1.27 2024/06/13 17:18:38 raeburn Exp $
+# $Id: Firewall.pm,v 1.28 2024/09/13 03:52:03 raeburn Exp $
#
# The LearningOnline Network with CAPA
#
@@ -82,10 +82,11 @@
return 'inactive firewall' if (!&firewall_is_active());
return 'port number unknown' if !$lond_port;
return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY');
- my (@opened, at okchains,$zone);
+ my (@opened, at okchains,$zone,$firewalld_num_opened);
if ($firewalld) {
$zone = &get_default_zone();
return 'invalid zone' if ($zone eq '');
+ $firewalld_num_opened = 0;
} else {
my @badchains;
foreach my $chain (@{$fw_chains}) {
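Review bot: `$firewalld_num_opened` is declared undefined in the `my (...)` list and only set to 0 inside the `if ($firewalld)` branch, so it carries a value on one path and undef on the other; declaring it on its own line as `my $firewalld_num_opened = 0;` keeps the counter defined everywhere and drops the extra assignment. The later guard `if ($firewalld && $firewalld_num_opened)` behaves the same either way, so this is a readability point, as is the unusual spacing in `$firewalld_num_opened ++` (conventionally `$firewalld_num_opened++`). The same pattern appears in the hunk at `@@ -389,10 +395,11 @@` with `$firewalld_num_closed`. The enclosing function starts and ends outside this hunk.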
@@ -161,6 +162,7 @@
close(PIPE);
if ($result eq 'success') {
push(@lond_port_open,$ip);
+ $firewalld_num_opened ++;
} else {
push(@port_error,$ip);
}
@@ -242,6 +244,7 @@
close(PIPE);
if ($result eq 'success') {
push(@opened,$port);
+ $firewalld_num_opened ++;
} else {
$port_error = $port;
}
@@ -282,6 +285,9 @@
}
}
}
+ if ($firewalld && $firewalld_num_opened) {
+ system('firewall-cmd --runtime-to-permanent');
+ }
foreach my $port (@{$ports}) {
if (!grep(/^\Q$port\E$/, at opened)) {
return 'Required port not open: '.$port."\n";
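Review bot: The `system('firewall-cmd --runtime-to-permanent')` call added ahead of the port check never inspects its exit status, so if firewall-cmd fails (not on PATH, insufficient privilege) the newly opened ports remain runtime-only and disappear on the next `--reload` — the very condition Bug 6993 addresses — with nothing reported to the caller. Use the list form and check the result, e.g. `if (system('firewall-cmd','--runtime-to-permanent') != 0) {` / `    print "Error saving firewalld rules as permanent: $?\n";` / `}`. Note also that `--runtime-to-permanent` promotes the whole runtime configuration, not just the ports opened by this routine, so any transient rules an administrator added by hand become permanent as well; a one-line comment above the call stating that would help the next maintainer. The same unchecked call appears in the hunks at `@@ -577,6 +586,9 @@` and `@@ -614,6 +626,7 @@` (the latter runs it once per closed port inside the loop instead of once after counting, unlike the other two). The enclosing function starts and ends outside this hunk.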
@@ -389,10 +395,11 @@
return 'inactive firewall' if (!&firewall_is_active());
return 'port number unknown' if !$lond_port;
return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY');
- my (@okchains,$zone);
+ my (@okchains,$zone,$firewalld_num_closed);
if ($firewalld) {
$zone = &get_default_zone();
return 'no default zone' if ($zone eq '');
+ $firewalld_num_closed = 0;
} else {
my @badchains;
foreach my $chain (@{$fw_chains}) {
@@ -449,6 +456,7 @@
close(PIPE);
if ($result eq 'success') {
push(@lond_port_close,$ip);
+ $firewalld_num_closed ++;
} else {
push(@port_error,$ip);
}
@@ -537,6 +545,7 @@
close(PIPE);
if ($result eq 'success') {
print "Port: $port closed in zone: $zone.\n";
+ $firewalld_num_closed ++;
} else {
print "Error closing port: $port in zone: $zone.\n";
}
@@ -577,6 +586,9 @@
}
}
}
+ if ($firewalld && $firewalld_num_closed) {
+ system('firewall-cmd --runtime-to-permanent');
+ }
return;
}
@@ -614,6 +626,7 @@
close(PIPE);
if ($result eq 'success') {
print 'Port '.$port.' closed for source "anywhere"'."\n";
+ system('firewall-cmd --runtime-to-permanent');
} else {
print 'Error closing port '.$port.' for source "anywhere".'."\n";
}