[node-patches] Change in ovirt-node[master]: add dynamic firewall creation for plugins

jboggs at redhat.com jboggs at redhat.com
Thu Aug 8 14:02:29 UTC 2013


Joey Boggs has uploaded a new change for review.

Change subject: add dynamic firewall creation for plugins
......................................................................

add dynamic firewall creation for plugins

Change-Id: Ia6b364cba46afe490b1ab84ba8fe2f879eed4dcf
Signed-off-by: Joey Boggs <jboggs at redhat.com>
---
M scripts/ovirt-init-functions.sh.in
M src/Makefile.am
A src/ovirt/node/utils/firewall.py
3 files changed, 105 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/ovirt-node refs/changes/43/17843/1

diff --git a/scripts/ovirt-init-functions.sh.in b/scripts/ovirt-init-functions.sh.in
index e4a8b54..4e555d8 100644
--- a/scripts/ovirt-init-functions.sh.in
+++ b/scripts/ovirt-init-functions.sh.in
@@ -917,6 +917,10 @@
         fi
     done
 
+    python <<EOP
+from ovirt.node.utils import firewall
+firewall.process_plugins()
+EOP
     return 0
 }
 
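Review bot: The exit status of the python heredoc is discarded because `return 0` follows unconditionally, so an ImportError or the RuntimeError raised by `process_plugins()` leaves the init function reporting success. If the firewall step is meant to be fatal, `python <<EOP || return 1` on the heredoc line would surface the failure; if it is deliberately best-effort, a comment saying so would keep the next reader from treating it as an oversight. The enclosing shell function starts before this hunk, so how its other failures are handled is not visible here.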
diff --git a/src/Makefile.am b/src/Makefile.am
index 3cc81f2..194de0c 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -95,6 +95,7 @@
 pyovirt_node_utils_PYTHON = \
   ovirt/node/utils/__init__.py \
   ovirt/node/utils/console.py \
+  ovirt/node/utils/firewall.py \
   ovirt/node/utils/fs.py \
   ovirt/node/utils/network.py \
   ovirt/node/utils/process.py \
diff --git a/src/ovirt/node/utils/firewall.py b/src/ovirt/node/utils/firewall.py
new file mode 100644
index 0000000..5a4a8c5
--- /dev/null
+++ b/src/ovirt/node/utils/firewall.py
@@ -0,0 +1,100 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+#
+# firewall.py - Copyright (C) 2013 Red Hat, Inc.
+# Written by Joey Burns <jboggs at redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+# MA  02110-1301, USA.  A copy of the GNU General Public License is
+# also available at http://www.gnu.org/copyleft/gpl.html.
+
+import os
+from ovirt.node.utils import process
+from glob import glob
+
+PLUGIN_DIR = "/etc/ovirt-plugins.d/"
+PLUGIN_XML_OUT = "/etc/firewalld/services/node-plugin.xml"
+plugin_files = []
+fw_conf = []
+
+FIREWALLD_PORT_XML = """<port protocol="%(proto)s" port="%(port)s"/>\n  """
+
+FIREWALLD_XML_TEMPLATE = """<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>firewall plugin</short>
+  <description>This service opens necessary ports for ovirt-node plugin operations</description>
+  %(port_section)s
+</service>
+"""
+
+
+def is_firewalld():
+    if os.path.exists("/etc/firewalld"):
+        return True
+    else:
+        return False
+
+
+def setup_iptables(conf):
+    for rule in conf:
+        try:
+            port, proto = rule.split(",")
+        except:
+            raise RuntimeError("Failed to split rule: %s" % rule)
+        cmd = ["iptables", "-I", "INPUT", "1", "-p", proto,
+               "--dport", port, "-j", "ACCEPT"]
+        process.check_call(cmd, shell=True)
+
+
+def setup_firewalld(conf):
+    port_conf = ""
+    for rule in conf:
+        try:
+            port, proto = rule.split(",")
+            rule_dict = {"port": port,
+                         "proto": proto
+                         }
+
+            port_conf += FIREWALLD_PORT_XML % rule_dict
+        except:
+            raise RuntimeError("Failed to enabled rule: %s" % rule)
+    port_dict = {"port_section": port_conf}
+    with open(PLUGIN_XML_OUT, "w") as f:
+        f.write(FIREWALLD_XML_TEMPLATE % port_dict)
+
+    process.call(["firewall-cmd", "--reload"])
+    process.call(["firewall-cmd", "--permanent", "--add-service",
+                  "node-plugin"])
+    process.check_call(["firewall-cmd", "--reload"])
+
+
+def process_plugins():
+    for plugin in glob(PLUGIN_DIR + "*.firewall"):
+        plugin_files.append(plugin)
+
+    for f in plugin_files:
+        with open(f) as i:
+            conf = i.readlines()
+        for line in conf:
+            if not line.startswith("#"):
+                fw_conf.append(line.strip())
+
+    if is_firewalld():
+        setup_firewalld(fw_conf)
+    else:
+        setup_iptables(fw_conf)
+
+
+if __name__ == "__main__":
+    process_plugins()
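Review bot: `setup_iptables` passes an argument list together with `shell=True`; if `process.check_call` forwards to subprocess, a list under a shell executes only `iptables` and hands the remaining elements to the shell as positional parameters, so no rule is inserted — an argv list needs no shell, so `process.check_call(cmd)` is the right call. The bare `except:` around the split (and the one in `setup_firewalld`) also catches `KeyboardInterrupt` and hides the original error; `except ValueError:` is all an unpack failure needs. `process_plugins` appends every non-`#` line including empty ones, so a blank line in a `*.firewall` file raises the RuntimeError; `if line.strip() and not line.startswith("#"):` skips it. The port and protocol read from the plugin files reach iptables and the firewalld XML unvalidated, so checking `port.isdigit() and proto in ("tcp", "udp")` before use would keep a malformed entry from producing a broken service file or rule; the module-level `plugin_files` and `fw_conf` lists are also never cleared, so a second call in the same process re-applies every earlier rule.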


-- 
To view, visit http://gerrit.ovirt.org/17843

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ia6b364cba46afe490b1ab84ba8fe2f879eed4dcf
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-node
Gerrit-Branch: master
Gerrit-Owner: Joey Boggs <jboggs at redhat.com>


