X-Git-Url: https://git.hcoop.net/hcoop/domtool2.git/blobdiff_plain/73b9542320e82ad398689b66bc1938c78cc53be0..7ceba9683f4372dfc348e0774a550a573fdcfefa:/src/plugins/firewall.sml diff --git a/src/plugins/firewall.sml b/src/plugins/firewall.sml index 70c45b5..9fd64f9 100644 --- a/src/plugins/firewall.sml +++ b/src/plugins/firewall.sml @@ -23,20 +23,20 @@ structure Firewall :> FIREWALL = struct -type firewall_rules = { server_rules : (string list DataStructures.StringMap.map), - client_rules : (string list DataStructures.StringMap.map)} +type firewall_rules = { server_rules : ((string * string) list DataStructures.StringMap.map), + client_rules : ((string * string) list DataStructures.StringMap.map)} structure StringMap = DataStructures.StringMap -fun parseRules _ = +fun parseRules () = let val inf = TextIO.openIn Config.Firewall.firewallRules val out_lines = ref StringMap.empty val in_lines = ref StringMap.empty - fun confLine r (uname, line) = + fun confLine r (node, uname, line) = let - val line = String.concat ["\t", line, "\n"] + val line = (node, String.concat ["\t", line, "\n"]) val lines = case StringMap.find (!r, uname) of NONE => [] | SOME lines => lines @@ -63,14 +63,20 @@ fun parseRules _ = NONE => () | SOME line => case String.tokens Char.isSpace line of - uname :: rest => + node :: uname :: rest => (case rest of "Client" :: ports :: hosts => - confLine_out (uname, String.concat ["dport ", parsePorts ports, parseHosts "daddr" hosts, " ACCEPT;"]) + confLine_out (node, uname, String.concat ["dport ", parsePorts ports, parseHosts "daddr" hosts, " ACCEPT;"]) | "Server" :: ports :: hosts => - confLine_in (uname, String.concat ["dport ", parsePorts ports, parseHosts "daddr" hosts, " ACCEPT;"]) + confLine_in (node, uname, String.concat ["dport ", parsePorts ports, parseHosts "saddr" hosts, " ACCEPT;"]) + | ["ProxiedServer", ports] => + (* should this also allow access on lo? fixme: open output ports on apache node *) + (confLine_in (node, uname, String.concat ["saddr $WEBNODES dport ", parsePorts ports, " ACCEPT;"]); + (* Warning: duplicates code of Client case *) + List.map (fn (node, _) => confLine_out (node, uname, String.concat ["dport ", parsePorts ports, Domain.nodeIp node, " ACCEPT;"] )) + Config.Apache.webNodes_all; ()) | ["LocalServer", ports] => - confLine_in (uname, String.concat ["saddr $WE dport ", parsePorts ports, " ACCEPT;"]) + confLine_in (node, uname, String.concat ["saddr 127.0.0.1/8 dport ", parsePorts ports, " ACCEPT;"]) | _ => print "Invalid config line\n"; loop ()) | _ => loop () @@ -83,30 +89,38 @@ fun query uname = let val rules = parseRules () in - getOpt (StringMap.find (#server_rules rules, uname), []) @ getOpt (StringMap.find (#client_rules rules, uname), []) + List.map (fn (n,r) => r ^ " #host: " ^ n) (getOpt (StringMap.find (#server_rules rules, uname), []) @ getOpt (StringMap.find (#client_rules rules, uname), [])) end fun generateFirewallConfig {server_rules, client_rules} = -(* rule generation must happen on the node (not really, but I'd rather - avoid codifying that uids must be consistent between hosts) *) + (* rule generation must happen on the node (mandating the even + service users be pts users would make it possible to do on the + server, but that's not happening any time soon) *) let val users_tcp_out_conf = TextIO.openOut (Config.Firewall.firewallDir ^ "/users_tcp_out.conf") val users_tcp_in_conf = TextIO.openOut (Config.Firewall.firewallDir ^ "/users_tcp_in.conf") - val users_conf = TextIO.openOut (Config.Firewall.firewallDir ^ "/users.conf") + val users_conf = TextIO.openOut (Config.Firewall.firewallDir ^ "/user_chains.conf") + + fun filter_node_rules lines = + (* filter out rules for other hosts here... really not + ideal, but it should work for the time being *) + List.map (fn (node, line) => line) + (List.filter (fn (node, line) => node = Slave.hostname ()) lines) fun write_user_tcp_conf (rules, outf, suffix) = - StringMap.appi (fn (uname, lines) => + StringMap.appi (fn (uname, rules) => let val uid = SysWord.toInt (Posix.ProcEnv.uidToWord (Posix.SysDB.Passwd.uid (Posix.SysDB.getpwnam uname))) + val lines = filter_node_rules rules in TextIO.output (outf, String.concat ["mod owner uid-owner ", Int.toString uid, - " { goto user_", + " { jump user_", uname, suffix, - "; goto lreject; }\n"]); + "; DROP; }\n"]); (* Is there any point to splitting the rules like this? *) TextIO.output (users_conf, String.concat ("chain user_" @@ -117,8 +131,33 @@ fun generateFirewallConfig {server_rules, client_rules} = @ ["}\n\n"])) end handle OS.SysErr _ => print "Invalid user in firewall config, skipping.\n") rules + + fun write_tcp_in_conf (rules, outf, suffix) = + (* Lame hack: can't use iptables to restrict port binding, + punting on SELinux &c for now and just opening every + port any user requests *) + + let + in + TextIO.output (outf, String.concat ["@def $WEBNODES = (", + (String.concatWith ", " (List.map (fn (_, ip) => ip) + (List.filter (fn (node, _) => List.exists (fn (n) => n = node) (List.map (fn (node, _) => node) (Config.Apache.webNodes_all @ Config.Apache.webNodes_admin))) + Config.nodeIps))), + ");\n\n"]); + StringMap.appi (fn (uname, rules) => + let + val uid = SysWord.toInt (Posix.ProcEnv.uidToWord (Posix.SysDB.Passwd.uid (Posix.SysDB.getpwnam uname))) + val lines = filter_node_rules rules + in + TextIO.output (outf, + String.concat ("proto tcp {\n" + :: lines + @ ["}\n\n"])) + end handle OS.SysErr _ => print "Invalid user in firewall config, skipping.\n") + rules + end in - write_user_tcp_conf (server_rules, users_tcp_in_conf, "_tcp_in"); + write_tcp_in_conf (server_rules, users_tcp_in_conf, "_tcp_in"); write_user_tcp_conf (client_rules, users_tcp_out_conf, "_tcp_out"); TextIO.closeOut users_conf;