Use jump instead of goto in firewall
[hcoop/domtool2.git] / src / plugins / firewall.sml
index 378e127..9fd64f9 100644 (file)
@@ -68,9 +68,15 @@ fun parseRules () =
                        "Client" :: ports :: hosts =>
                        confLine_out (node, uname, String.concat ["dport ", parsePorts ports, parseHosts "daddr" hosts, " ACCEPT;"])
                      | "Server" :: ports :: hosts =>
-                       confLine_in (node, uname, String.concat ["dport ", parsePorts ports, parseHosts "daddr" hosts, " ACCEPT;"])
+                       confLine_in (node, uname, String.concat ["dport ", parsePorts ports, parseHosts "saddr" hosts, " ACCEPT;"])
+                     | ["ProxiedServer", ports] =>
+                       (* should this also allow access on lo? fixme: open output ports on apache node *)
+                       (confLine_in (node, uname, String.concat ["saddr $WEBNODES dport ", parsePorts ports, " ACCEPT;"]);
+                        (* Warning: duplicates code of Client case *)
+                        List.map (fn (node, _) => confLine_out (node, uname, String.concat ["dport ", parsePorts ports, Domain.nodeIp node, " ACCEPT;"] )) 
+                                 Config.Apache.webNodes_all; ())
                      | ["LocalServer", ports] =>
-                       confLine_in (node, uname, String.concat ["saddr $WE dport ", parsePorts ports, " ACCEPT;"])
+                       confLine_in (node, uname, String.concat ["saddr 127.0.0.1/8 dport ", parsePorts ports, " ACCEPT;"])
                      | _ => print "Invalid config line\n";
                     loop ())
                  | _ => loop ()
@@ -111,7 +117,7 @@ fun generateFirewallConfig {server_rules, client_rules} =
                                   TextIO.output (outf, String.concat
                                                            ["mod owner uid-owner ",
                                                             Int.toString uid,
-                                                            " { goto user_",
+                                                            " { jump user_",
                                                             uname,
                                                             suffix,
                                                             "; DROP; }\n"]);
@@ -125,8 +131,33 @@ fun generateFirewallConfig {server_rules, client_rules} =
                                                                 @ ["}\n\n"]))
                               end handle OS.SysErr _ => print "Invalid user in firewall config, skipping.\n")
                           rules
+
+       fun write_tcp_in_conf (rules, outf, suffix) =
+           (* Lame hack: can't use iptables to restrict port binding,
+              punting on SELinux &c for now and just opening every
+              port any user requests *)
+
+           let
+           in
+               TextIO.output (outf, String.concat ["@def $WEBNODES = (",
+                                                   (String.concatWith ", " (List.map (fn (_, ip) => ip) 
+                                                                                     (List.filter (fn (node, _) => List.exists (fn (n) => n = node) (List.map (fn (node, _) => node) (Config.Apache.webNodes_all @ Config.Apache.webNodes_admin)))
+                                                                                                  Config.nodeIps))),
+                                                   ");\n\n"]);
+               StringMap.appi (fn (uname, rules) =>
+                                  let
+                                      val uid = SysWord.toInt (Posix.ProcEnv.uidToWord (Posix.SysDB.Passwd.uid (Posix.SysDB.getpwnam uname)))
+                                      val lines = filter_node_rules rules
+                                  in
+                                      TextIO.output (outf,
+                                                     String.concat ("proto tcp {\n"
+                                                                    :: lines
+                                                                    @ ["}\n\n"]))
+                                  end handle OS.SysErr _ => print "Invalid user in firewall config, skipping.\n")
+                              rules
+           end
     in
-       write_user_tcp_conf (server_rules, users_tcp_in_conf, "_tcp_in");
+       write_tcp_in_conf (server_rules, users_tcp_in_conf, "_tcp_in");
        write_user_tcp_conf (client_rules, users_tcp_out_conf, "_tcp_out");
 
        TextIO.closeOut users_conf;