val firewallDir = "/home/clinton/misc/hcoop/firewall/output"
val firewallNodes = ["bog"]
+val reload = "/usr/bin/sudo /usr/local/sbin/domtool-publish firewall"
+
end
val firewallNodes : string list (* Nodes to firewall *)
val firewallDir : string (* Output directory for ferm config *)
val firewallRules : string (* Rules file *)
+
+ val reload : string (* Command to reload configuration *)
end
/bin/cp /var/domtool/waklog.conf /etc/apache2/
/etc/init.d/apache2 reload
;;
+ firewall)
+ /etc/init.d/ferm reload
+ ;;
*)
- echo "Usage: domtool-publish [apache|bind|courier|exim|mailman|smtplog STRING|users]"
+ echo "Usage: domtool-publish [apache|bind|courier|exim|mailman|smtplog STRING|users|firewall]"
;;
esac
("Requested mysql-fixperms, but execution failed!",
SOME "Script execution failed."))
(fn () => ()))
+ | MsgFirewallRegen =>
+ doIt (fn () => if Acl.query {user = user, class = "priv", value = "all"} andalso List.exists (fn x => x = host) Config.Firewall.firewallNodes then
+ if (Firewall.generateFirewallConfig (Firewall.parseRules ()) andalso Firewall.publishConfig ())
+ then
+ ("Firewall rules regenerated.", NONE)
+ else
+ ("Rules regeneration failed!", SOME "Script execution failed.")
+ else
+ ("Not authorized to regenerate firewall.", SOME ("Unauthorized user " ^ user ^ "attempted to regenerated firewall")))
+ (fn () => ())
| _ => (OpenSSL.close bio;
loop ())
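Review bot: The unauthorized-access log text on the `SOME (...)` line is missing a space and has a tense slip, so it reads `Unauthorized user <name>attempted to regenerated firewall`; change it to `SOME ("Unauthorized user " ^ user ^ " attempted to regenerate firewall")`. The success test `Firewall.generateFirewallConfig (Firewall.parseRules ()) andalso Firewall.publishConfig ()` can only ever report a publish failure, because the `generateFirewallConfig` added further down in this commit ends with `true` unconditionally, so the "Rules regeneration failed!" branch is reached only when the reload command fails. An `IO.Io` raised by the `TextIO.openOut` calls in that function would presumably propagate out of the `fn () => ...` rather than select that branch — whether `doIt` catches it is not visible here. The enclosing `case` over the message type starts outside the hunk.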
OpenSSL.writeString (bio, s))
| MsgReUsers => OpenSSL.writeInt (bio, 41)
| MsgVmailChanged => OpenSSL.writeInt (bio, 42)
+ | MsgFirewallRegen => OpenSSL.writeInt (bio, 43)
fun checkIt v =
case v of
| 40 => Option.map MsgDescription (OpenSSL.readString bio)
| 41 => SOME MsgReUsers
| 42 => SOME MsgVmailChanged
+ | 43 => SOME MsgFirewallRegen
| _ => NONE)
end
(* Rerun all callbacks for cases where the set of users has changed *)
| MsgVmailChanged
(* Server tells slave that vmail user information has changed *)
+ | MsgFirewallRegen
+ (* Regenerate firewall on user machines *)
end
(* HCoop Domtool (http://hcoop.sourceforge.net/)
* Copyright (c) 2006-2007, Adam Chlipala
+ * Copyright (c) 2011, Clinton Ebadi <clinton@unknownlamer.org>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*)
-(* Firewall rule querying *)
+(* Firewall rule querying/generation *)
signature FIREWALL = sig
+ type firewall_rules = { server_rules : (string list DataStructures.StringMap.map),
+ client_rules : (string list DataStructures.StringMap.map)}
+
val query : string -> string list
(* List a user's local firewall rules. *)
- val generateFirewallConfig : unit -> unit
+ val parseRules : unit -> firewall_rules
+ val generateFirewallConfig : firewall_rules -> bool
+
+ val publishConfig : unit -> bool
end
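Review bot: The three new signature entries `parseRules`, `generateFirewallConfig` and `publishConfig` carry no comment, while `query` right above them documents its contract; each should get one. Suggested: `(* Collect the configured rules, split into server_rules and client_rules string maps *)` on `parseRules`, `(* Write the ferm include files for these rules under Config.Firewall.firewallDir; false means generation failed *)` on `generateFirewallConfig`, and `(* Run Config.Firewall.reload so the written files take effect; false if the command fails *)` on `publishConfig`. Since the implementation in this commit returns `true` from `generateFirewallConfig` unconditionally, the comment should state what `false` is meant to signal so the two are kept in step. What `publishConfig`'s result actually reflects depends on `Slave.shell`, which is not shown here, so that wording is an assumption to confirm.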
structure Firewall :> FIREWALL = struct
+type firewall_rules = { server_rules : (string list DataStructures.StringMap.map),
+ client_rules : (string list DataStructures.StringMap.map)}
+
structure StringMap = DataStructures.StringMap
fun parseRules _ =
end
-fun generateFirewallConfig _ =
+fun generateFirewallConfig {server_rules, client_rules} =
(* rule generation must happen on the node (not really, but I'd rather
avoid codifying that uids must be consistent between hosts) *)
let
- val {server_rules, client_rules} = parseRules ()
val users_tcp_out_conf = TextIO.openOut (Config.Firewall.firewallDir ^ "/users_tcp_out.conf")
val users_tcp_in_conf = TextIO.openOut (Config.Firewall.firewallDir ^ "/users_tcp_in.conf")
val users_conf = TextIO.openOut (Config.Firewall.firewallDir ^ "/users.conf")
TextIO.closeOut users_conf;
TextIO.closeOut users_tcp_out_conf;
- TextIO.closeOut users_tcp_in_conf
+ TextIO.closeOut users_tcp_in_conf;
+
+ true
end
-
+
+fun publishConfig _ =
+ Slave.shell [Config.Firewall.reload]
end
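Review bot: `generateFirewallConfig` ends with `true` regardless of what happened, so the new `bool` result never carries a failure and the caller's `andalso` check is satisfied even when nothing usable was written. The only failure mode visible here — `TextIO.openOut` on the three files under `Config.Firewall.firewallDir` raising `IO.Io` — escapes as an exception instead of becoming `false`; a minimal step is `end handle IO.Io _ => false` in place of the bare `end`, and closing each stream on the error path as well would stop a half-written file from leaking its handle. The middle of the function, between the `openOut` calls and the `closeOut` calls, is outside this hunk, so whether any write in between can fail is not visible. `publishConfig` relays whatever `Slave.shell [Config.Firewall.reload]` returns; a comment such as `(* true iff the reload command exited successfully *)` would pin the meaning, assuming `Slave.shell` reports exit status.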