mirror of
https://github.com/apache/cloudstack.git
synced 2025-10-26 08:42:29 +01:00
172 lines
4.3 KiB
Bash
Executable File
172 lines
4.3 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Licensed to the Apache Software Foundation (ASF) under one
|
|
# or more contributor license agreements. See the NOTICE file
|
|
# distributed with this work for additional information
|
|
# regarding copyright ownership. The ASF licenses this file
|
|
# to you under the Apache License, Version 2.0 (the
|
|
# "License"); you may not use this file except in compliance
|
|
# with the License. You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing,
|
|
# software distributed under the License is distributed on an
|
|
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
# KIND, either express or implied. See the License for the
|
|
# specific language governing permissions and limitations
|
|
# under the License.
|
|
# $Id: firewallRule_egress.sh 9947 2013-01-17 19:34:24Z manuel $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/patches/xenserver/root/firewallRule_egress.sh $
|
|
# firewallRule_egress.sh -- allow some ports / protocols from vm instances
|
|
# @VERSION@
|
|
|
|
source /root/func.sh
|
|
|
|
lock="biglock"
|
|
locked=$(getLockFile $lock)
|
|
if [ "$locked" != "1" ]
|
|
then
|
|
exit 1
|
|
fi
|
|
#set -x
|
|
usage() {
|
|
printf "Usage: %s: -a protocol:startport:endport:sourcecidrs> \n" $(basename $0) >&2
|
|
printf "sourcecidrs format: cidr1-cidr2-cidr3-...\n"
|
|
}
|
|
|
|
fw_egress_remove_backup() {
|
|
sudo iptables -D FW_OUTBOUND -j _FW_EGRESS_RULES
|
|
sudo iptables -F _FW_EGRESS_RULES
|
|
sudo iptables -X _FW_EGRESS_RULES
|
|
}
|
|
|
|
fw_egress_save() {
|
|
sudo iptables -E FW_EGRESS_RULES _FW_EGRESS_RULES
|
|
}
|
|
|
|
fw_egress_chain () {
|
|
#supress errors 2>/dev/null
|
|
fw_egress_remove_backup
|
|
fw_egress_save
|
|
sudo iptables -N FW_EGRESS_RULES
|
|
sudo iptables -A FW_OUTBOUND -j FW_EGRESS_RULES
|
|
}
|
|
|
|
fw_egress_backup_restore() {
|
|
sudo iptables -A FW_OUTBOUND -j FW_EGRESS_RULES
|
|
sudo iptables -E _FW_EGRESS_RULES FW_EGRESS_RULES
|
|
fw_egress_remove_backup
|
|
}
|
|
|
|
|
|
fw_entry_for_egress() {
|
|
local rule=$1
|
|
|
|
local prot=$(echo $rule | cut -d: -f2)
|
|
local sport=$(echo $rule | cut -d: -f3)
|
|
local eport=$(echo $rule | cut -d: -f4)
|
|
local cidrs=$(echo $rule | cut -d: -f5 | sed 's/-/ /g')
|
|
if [ "$sport" == "0" -a "$eport" == "0" ]
|
|
then
|
|
DPORT=""
|
|
else
|
|
DPORT="--dport $sport:$eport"
|
|
fi
|
|
logger -t cloud "$(basename $0): enter apply fw egress rules for guest $prot:$sport:$eport:$cidrs"
|
|
|
|
for lcidr in $cidrs
|
|
do
|
|
[ "$prot" == "reverted" ] && continue;
|
|
if [ "$prot" == "icmp" ]
|
|
then
|
|
typecode="$sport/$eport"
|
|
[ "$eport" == "-1" ] && typecode="$sport"
|
|
[ "$sport" == "-1" ] && typecode="any"
|
|
sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr --icmp-type $typecode \
|
|
-j ACCEPT
|
|
result=$?
|
|
elif [ "$prot" == "all" ]
|
|
then
|
|
sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr -j ACCEPT
|
|
result=$?
|
|
else
|
|
sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr \
|
|
$DPORT -j ACCEPT
|
|
result=$?
|
|
fi
|
|
|
|
[ $result -gt 0 ] &&
|
|
logger -t cloud "Error adding iptables entry for guest network $prot:$sport:$eport:$cidrs" &&
|
|
break
|
|
done
|
|
|
|
logger -t cloud "$(basename $0): exit apply egress firewall rules for guest network"
|
|
return $result
|
|
}
|
|
|
|
|
|
aflag=0
|
|
rules=""
|
|
rules_list=""
|
|
ip=""
|
|
dev=""
|
|
shift
|
|
shift
|
|
while getopts 'a:' OPTION
|
|
do
|
|
case $OPTION in
|
|
a) aflag=1
|
|
rules="$OPTARG"
|
|
;;
|
|
?) usage
|
|
unlock_exit 2 $lock $locked
|
|
;;
|
|
esac
|
|
done
|
|
|
|
if [ "$aflag" != "1" ]
|
|
then
|
|
usage
|
|
unlock_exit 2 $lock $locked
|
|
fi
|
|
|
|
if [ -n "$rules" ]
|
|
then
|
|
rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
|
|
fi
|
|
|
|
# rule format
|
|
# protocal:sport:eport:cidr
|
|
#-a tcp:80:80:0.0.0.0/0::tcp:220:220:0.0.0.0/0:,tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
|
|
# if any entry is reverted , entry will be in the format reverted:0:0:0
|
|
# example : tcp:80:80:0.0.0.0/0:, tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0
|
|
|
|
success=0
|
|
|
|
fw_egress_chain
|
|
for r in $rules_list
|
|
do
|
|
fw_entry_for_egress $r
|
|
success=$?
|
|
if [ $success -gt 0 ]
|
|
then
|
|
logger -t cloud "failure to apply fw egress rules "
|
|
break
|
|
else
|
|
logger -t cloud "successful in applying fw egress rules"
|
|
fi
|
|
done
|
|
|
|
if [ $success -gt 0 ]
|
|
then
|
|
logger -t cloud "restoring from backup for guest network"
|
|
fw_egress_backup_restore
|
|
else
|
|
logger -t cloud "deleting backup for guest network"
|
|
fi
|
|
|
|
fw_egress_remove_backup
|
|
|
|
unlock_exit $success $lock $locked
|
|
|
|
|