[node-patches] Change in ovirt-node[master]: firewall: Fix plain iptables logic

fabiand at fedoraproject.org fabiand at fedoraproject.org
Fri Sep 13 16:36:39 UTC 2013


Fabian Deutsch has uploaded a new change for review.

Change subject: firewall: Fix plain iptables logic
......................................................................

firewall: Fix plain iptables logic

Previously the port was opened but this change wasn't saved. This
led to a situation where the iptables service got restarted and
overwrote/closed the previously opened ports.
Now the configuration is saved (and persisted) after a port got opened.

Change-Id: If33424f62c006720a4c553b32af38d2b033579cc
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1007417
Signed-off-by: Fabian Deutsch <fabiand at fedoraproject.org>
---
M src/ovirt/node/utils/firewall.py
1 file changed, 35 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/ovirt-node refs/changes/26/19226/1

diff --git a/src/ovirt/node/utils/firewall.py b/src/ovirt/node/utils/firewall.py
index 5617cfa..ab5633a 100644
--- a/src/ovirt/node/utils/firewall.py
+++ b/src/ovirt/node/utils/firewall.py
@@ -19,9 +19,12 @@
 # MA  02110-1301, USA.  A copy of the GNU General Public License is
 # also available at http://www.gnu.org/copyleft/gpl.html.
 
-import os
-from ovirt.node.utils import process
 from glob import glob
+import os
+from ovirt.node.utils import process, fs
+import logging
+
+LOGGER = logging.getLogger(__name__)
 
 PLUGIN_DIR = "/etc/ovirt-plugins.d/"
 PLUGIN_XML_OUT = "/etc/firewalld/services/node-plugin.xml"
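Review bot: the import block now interleaves standard-library and project imports (`from glob import glob`, then `import os`, then `from ovirt.node.utils import process, fs`, then `import logging`); keep the stdlib imports (`glob`, `os`, `logging`) together and put the `ovirt.node.utils` import after them, which is the grouping the rest of the tree follows. Adding `LOGGER = logging.getLogger(__name__)` is fine as is.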
@@ -47,9 +50,36 @@
 
 
 def setup_iptables(port, proto):
+    rules = "/etc/sysconfig/iptables"
+
+    def is_open():
+        pat = "%s dpt:%s" % (proto, port)
+        for rule in process.check_output(["iptables", "-L", "-n"]).split("\n"):
+            if rule.strip().endswith(pat):
+                return True
+        return False
+
+    def open_port():
         cmd = ["iptables", "-I", "INPUT", "1", "-p", proto,
                "--dport", port, "-j", "ACCEPT"]
         process.check_call(cmd)
+
+    def load_rules():
+        process.check_call("iptables-restore -c < %s" % rules,
+                           shell=True)
+
+    def save_rules():
+        process.check_call("iptables-save -c > %s" % rules,
+                           shell=True)
+
+        fs.Config().persist(rules)
+
+    if not is_open():
+        # We need to load the rules before, to prevent overwriting them
+        # when they weren't loaded.
+        load_rules()
+        open_port()
+        save_rules()
 
 
 def setup_firewalld(port, proto):
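Review bot: `is_open()` only checks that some line of `iptables -L -n` ends with `"%s dpt:%s"`, so a pre-existing DROP or REJECT rule for that port (in any chain, not just INPUT) makes it return True and the ACCEPT rule is never inserted; match on the INPUT chain and the ACCEPT target, e.g. `iptables -L INPUT -n` and check the line starts with `ACCEPT`, or simply probe with `iptables -C INPUT -p proto --dport port -j ACCEPT` and treat a non-zero exit as "not open". Two smaller points in the same hunk: `load_rules()` runs `iptables-restore -c < /etc/sysconfig/iptables` unconditionally, so on a node where that file does not exist yet the shell redirect fails and `check_call` raises before the port is opened (guard with `os.path.exists(rules)`, which is why `os` is imported); and `shell=True` is only needed here for the `<`/`>` redirects, which `stdin=`/`stdout=` file objects would do without a shell.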
@@ -70,10 +100,12 @@
 
 
 def process_plugins():
+    LOGGER.debug("Handling plugin firewall rules")
     for plugin in glob(PLUGIN_DIR + "*.firewall"):
         plugin_files.append(plugin)
 
     for f in plugin_files:
+        LOGGER.debug("Parsing firewall rules: %s" % f)
         with open(f) as i:
             conf = i.readlines()
         for line in conf:
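Review bot: `LOGGER.debug("Parsing firewall rules: %s" % f)` formats the string eagerly even when debug logging is off; pass the argument to the logger instead, `LOGGER.debug("Parsing firewall rules: %s", f)`, which is also the convention `logging` expects.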
@@ -82,6 +114,7 @@
                 fw_conf.append((port, proto))
 
     for i in fw_conf:
+        LOGGER.debug("Opening firewall ports: %s" % str(i))
         port, proto = i
         if is_firewalld():
             setup_firewalld(port, proto)
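Review bot: the "Opening firewall ports" message logs the raw tuple via `str(i)` before it is unpacked; move the log line below `port, proto = i` and write it as `LOGGER.debug("Opening firewall port %s/%s", port, proto)` so the message is readable and lazily formatted like the other debug calls.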


-- 
To view, visit http://gerrit.ovirt.org/19226
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: If33424f62c006720a4c553b32af38d2b033579cc
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-node
Gerrit-Branch: master
Gerrit-Owner: Fabian Deutsch <fabiand at fedoraproject.org>


