From: Clinton Ebadi
Date: Fri, 14 Sep 2012 05:27:07 +0000 (-0400)
Subject: Fix firewall input rules, add ProxiedServer directive
X-Git-Tag: release_20121207~10
X-Git-Url: https://git.hcoop.net/hcoop/domtool2.git/commitdiff_plain/acef55cc1820116d689a0ecb8722453a4d353b8e?hp=1362b18d2c9a93305dea156253af62113079ec80
Fix firewall input rules, add ProxiedServer directive
* mod uid-owner only works for output connections, hack it for now and just open the ports for everyone
* ProxiedServer allows connections from all webNodes, but does not open up output ports from them
---
diff --git a/src/plugins/firewall.sml b/src/plugins/firewall.sml
index 378e127..f6ede4c 100644
--- a/src/plugins/firewall.sml
+++ b/src/plugins/firewall.sml
@@ -68,9 +68,12 @@ fun parseRules () =
 "Client" :: ports :: hosts =>
 confLine_out (node, uname, String.concat ["dport ", parsePorts ports, parseHosts "daddr" hosts, " ACCEPT;"])
 | "Server" :: ports :: hosts =>
- confLine_in (node, uname, String.concat ["dport ", parsePorts ports, parseHosts "daddr" hosts, " ACCEPT;"])
+ confLine_in (node, uname, String.concat ["dport ", parsePorts ports, parseHosts "saddr" hosts, " ACCEPT;"])
+ | ["ProxiedServer", ports] =>
+ (* should this also allow access on lo? fixme: open output ports on apache node *)
+ confLine_in (node, uname, String.concat ["saddr $WEBNODES dport ", parsePorts ports, " ACCEPT;"])
 | ["LocalServer", ports] =>
- confLine_in (node, uname, String.concat ["saddr $WE dport ", parsePorts ports, " ACCEPT;"])
+ confLine_in (node, uname, String.concat ["saddr 127.0.0.1/8 dport ", parsePorts ports, " ACCEPT;"])
 | _ => print "Invalid config line\n";
 loop ())
 | _ => loop ()
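Review bot: The LocalServer arm now keys only on a loopback source address (`saddr 127.0.0.1/8`), so whether a rule really is "local" depends on the kernel discarding packets that arrive on a real interface carrying a 127/8 source rather than on the rule itself; a loopback-only rule should match the interface, and the prefix is conventionally written with the host bits clear: `confLine_in (node, uname, String.concat ["interface lo saddr 127.0.0.0/8 dport ", parsePorts ports, " ACCEPT;"])`. Dropping `$WE` also appears to stop matching connections a user makes to the node's own non-loopback address, if that is what `$WE` expanded to, which is worth confirming is intended rather than a side effect of fixing the undefined variable. The same question applies to the new ProxiedServer arm, whose own comment asks whether lo should be allowed; if so, the same `interface lo` clause answers it without widening `$WEBNODES`. The enclosing parseRules loop starts before the hunk and appears to continue past it.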
@@ -125,8 +128,33 @@ fun generateFirewallConfig {server_rules, client_rules} =
 @ ["}\n\n"]))
 end handle OS.SysErr _ => print "Invalid user in firewall config, skipping.\n")
 rules
+
+ fun write_tcp_in_conf (rules, outf, suffix) =
+ (* Lame hack: can't use iptables to restrict port binding,
+ punting on SELinux &c for now and just opening every
+ port any user requests *)
+
+ let
+ in
+ TextIO.output (outf, String.concat ["@def $WEBNODES = (",
+ (String.concatWith ", " (List.map (fn (_, ip) => ip)
+ (List.filter (fn (node, _) => List.exists (fn (n) => n = node) (List.map (fn (node, _) => node) (Config.Apache.webNodes_all @ Config.Apache.webNodes_admin)))
+ Config.nodeIps))),
+ ");\n\n"]);
+ StringMap.appi (fn (uname, rules) =>
+ let
+ val uid = SysWord.toInt (Posix.ProcEnv.uidToWord (Posix.SysDB.Passwd.uid (Posix.SysDB.getpwnam uname)))
+ val lines = filter_node_rules rules
+ in
+ TextIO.output (outf,
+ String.concat ("proto tcp {\n"
+ :: lines
+ @ ["}\n\n"]))
+ end handle OS.SysErr _ => print "Invalid user in firewall config, skipping.\n")
+ rules
+ end
 in
- write_user_tcp_conf (server_rules, users_tcp_in_conf, "_tcp_in");
+ write_tcp_in_conf (server_rules, users_tcp_in_conf, "_tcp_in");
 write_user_tcp_conf (client_rules, users_tcp_out_conf, "_tcp_out");
 TextIO.closeOut users_conf;