
Commit 64da201

committed
CP-308800: Add firewalld control function
Signed-off-by: Bengang Yuan <[email protected]>
1 parent 1fbdaae commit 64da201


3 files changed

+153
-10
lines changed


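--- a/ocaml/xapi/firewall.ml
+++ b/ocaml/xapi/firewall.ml
@@ -0,0 +1,82 @@
+(*
+* Copyright (c) Cloud Software Group, Inc.
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU Lesser General Public License as published
+* by the Free Software Foundation; version 2.1 only. with the special
+* exception on linking described in file LICENSE.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Lesser General Public License for more details.
+*)
+
+module D = Debug.Make (struct let name = "firewall" end)
+
+open D
+
+type firewall_status = Enabled | Disabled
+
+type firewall_service =
+| Dlm
+| Nbd
+| Nrpe
+| Snmp
+| Ssh
+| Vxlan
+| Xapi_insecure
+| Xenha
+
+let service_type_to_string = function
+| Dlm ->
+"dlm"
+| Nbd ->
+"nbd"
+| Nrpe ->
+"nrpe"
+| Snmp ->
+"snmp"
+| Ssh ->
+"ssh"
+| Vxlan ->
+"vxlan"
+| Xapi_insecure ->
+"xapi-insecure"
+| Xenha ->
+"xenha"
+
+(* Dynamically updates the firewalld service for the given service based on
+status. If dynamic_control_firewalld_service is true, it enables or disables
+the corresponding service using the firewall command. *)
+let update_firewall_status ~service ~status =
+if !Xapi_globs.dynamic_control_firewalld_service then
+try
+let service_option =
+match status with
+| Enabled ->
+"--add-service"
+| Disabled ->
+"--remove-service"
+in
+Helpers.call_script !Xapi_globs.firewall_cmd
+[service_option; service_type_to_string service]
+|> ignore
+with e ->
+error "Failed to update firewall service status: %s" (Printexc.to_string e)
+
+(* Queries if the specified firewall service is enabled.
+Returns true if the service is enabled, otherwise returns false. *)
+let is_firewall_service_enabled ~service =
+try
+let output =
+Helpers.call_script !Xapi_globs.firewall_cmd
+["--query-service"; service_type_to_string service]
+|> String.trim
+|> String.lowercase_ascii
+in
+let status = Scanf.sscanf output "%s" Fun.id in
+match status with "yes" -> true | _ -> false
+with e ->
+error "Failed to check firewall service status: %s" (Printexc.to_string e) ;
+false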
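Review bot: `is_firewall_service_enabled` logs at error level for any exception raised by `Helpers.call_script`, but `firewall-cmd --query-service` reports a disabled service through its exit status as well as by printing `no`, so if `call_script` raises on a non-zero exit (as I believe xapi's helper does for other scripts — worth confirming) every query of a disabled service lands in the `with e ->` branch and is logged as an error while still returning `false`. If that is the case, match the specific exception that carries the exit code and captured stdout and treat it as "disabled", reserving the error log for a genuine spawn failure. The `Scanf.sscanf output "%s" Fun.id` step after `String.trim` and `String.lowercase_ascii` only re-extracts the first token and can be dropped in favour of `match output with "yes" -> true | _ -> false`. Separately, `update_firewall_status` swallows every exception and returns `unit`, so a caller requesting `Disabled` cannot tell that the service is still reachable; the header comment should at least say `Failures are logged and otherwise ignored.`, and a `result` return would let callers act on it.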

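--- a/ocaml/xapi/firewall.mli
+++ b/ocaml/xapi/firewall.mli
@@ -0,0 +1,42 @@
+(*
+* Copyright (c) Cloud Software Group, Inc.
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU Lesser General Public License as published
+* by the Free Software Foundation; version 2.1 only. with the special
+* exception on linking described in file LICENSE.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Lesser General Public License for more details.
+*)
+
+type firewall_status = Enabled | Disabled
+
+type firewall_service =
+| Dlm
+| Nbd
+| Nrpe
+| Snmp
+| Ssh
+| Vxlan
+| Xapi_insecure
+| Xenha
+
+val update_firewall_status :
+service:firewall_service -> status:firewall_status -> unit
+(** [update_firewall_status ~service ~status]
+Dynamically updates the firewalld service for the given [service] based on [status].
+If [Xapi_globs.dynamic_control_firewalld_service] is true, it enables or disables
+thecorresponding service using the firewall command.
+- [service]: The firewall service to update (of type [firewall_service]).
+- [status]: The desired firewall status ([Enabled] or [Disabled]).
+*)
+
+val is_firewall_service_enabled : service:firewall_service -> bool
+(** [is_firewall_service_enabled ~service]
+Queries if the specified firewall service is enabled.
+Returns [true] if the service is enabled, otherwise returns [false].
+- [service]: The firewall service to query (of type [firewall_service]).
+*)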
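Review bot: The doc comment on `update_firewall_status` (new line 32) has a typo, `thecorresponding` → `the corresponding`, and neither doc comment states the failure contract even though the implementation logs and swallows every exception: `update_firewall_status` returns `()` whether or not the rule was applied, and `is_firewall_service_enabled` returns `false` both for a disabled service and for a failed query. I would add to the first comment `Failures are logged and otherwise ignored; [()] is returned even if the firewall was not changed.` and to the second `Also returns [false] when the query itself fails; the failure is logged.` The first comment should also say whether the change affects only the running firewalld configuration or is persisted, since the implementation passes no `--permanent` flag and callers switching a service to [Disabled] need to know whether a firewalld reload reverts it.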

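--- a/ocaml/xapi/xapi_globs.ml
+++ b/ocaml/xapi/xapi_globs.ml
@@ -861,6 +861,10 @@ let nbd_firewall_config_script =
 
 let firewall_port_config_script = ref "/etc/xapi.d/plugins/firewall-port"
 
+let firewall_cmd = ref "/usr/bin/firewall-cmd"
+
+let firewall_cmd_wrapper = ref "/usr/bin/firewall-cmd-wrapper"
+
 let nbd_client_manager_script =
 ref "/opt/xensource/libexec/nbd_client_manager.py"
 
@@ -1317,6 +1321,12 @@ let ssh_monitor_service = ref "xapi-ssh-monitor"
 
 let ssh_auto_mode_default = ref true
 
+(* Firewall backend to use. iptables in XS 8, firewalld in XS 9. *)
+let firewall_backend = ref "firewalld"
+
+(* For firewalld, if dynamic control firewalld service. *)
+let dynamic_control_firewalld_service = ref true
+
 (* Fingerprint of default patch key *)
 let citrix_patch_key =
 "NERDNTUzMDMwRUMwNDFFNDI4N0M4OEVCRUFEMzlGOTJEOEE5REUyNg=="
@@ -1762,12 +1772,6 @@ let other_options =
 , (fun () -> string_of_bool !validate_reusable_pool_session)
 , "Enable validation of reusable pool sessions before use"
 )
-; ( "ssh-auto-mode"
-, Arg.Bool (fun b -> ssh_auto_mode_default := b)
-, (fun () -> string_of_bool !ssh_auto_mode_default)
-, "Defaults to true; overridden to false via \
-/etc/xapi.conf.d/ssh-auto-mode.conf(e.g., in XenServer 8)"
-)
 ; ( "vm-sysprep-enabled"
 , Arg.Set vm_sysprep_enabled
 , (fun () -> string_of_bool !vm_sysprep_enabled)
@@ -1778,6 +1782,17 @@ let other_options =
 , (fun () -> string_of_float !vm_sysprep_wait)
 , "Time in seconds to wait for VM to recognise inserted CD"
 )
+; ( "firewall-backend"
+, Arg.Set_string firewall_backend
+, (fun () -> !firewall_backend)
+, "Firewall backend. iptables (in XS 8) or firewalld (in XS 9 or later XS \
+version)"
+)
+; ( "dynamic-control-firewalld-service"
+, Arg.Bool (fun b -> dynamic_control_firewalld_service := b)
+, (fun () -> string_of_bool !dynamic_control_firewalld_service)
+, "Enable dynamic control firewalld service"
+)
 ]
 
 (* The options can be set with the variable xapiflags in /etc/sysconfig/xapi.
@@ -1912,10 +1927,14 @@ module Resources = struct
 , "Executed after NBD-related networking changes to configure the \
 firewall for NBD"
 )
-; ( "firewall-port-config"
-, firewall_port_config_script
-, "Executed when starting/stopping xapi-clusterd to configure firewall \
-port"
+; ( "firewall-cmd"
+, firewall_cmd
+, "Executed when enable/disable a service on a firewalld zone"
+)
+; ( "firewall-cmd-wrapper"
+, firewall_cmd_wrapper
+, "Executed when enable/disable a service on a firewalld zone and \
+interface"
 )
 ; ( "nbd_client_manager"
 , nbd_client_manager_script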