CP-308800: Add firewalld control function

BengangY · BengangY · commit 64da2012ddf5 · 2025-08-20T07:19:18.000Z
Signed-off-by: Bengang Yuan &lt;bengang.yuan@cloud.com&gt;
diff --git a/ocaml/xapi/firewall.ml b/ocaml/xapi/firewall.ml
@@ -0,0 +1,82 @@
+(*
+ * Copyright (c) Cloud Software Group, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published
+ * by the Free Software Foundation; version 2.1 only. with the special
+ * exception on linking described in file LICENSE.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *)
+
+module D = Debug.Make (struct let name = "firewall" end)
+
+open D
+
+type firewall_status = Enabled | Disabled
+
+type firewall_service =
+  | Dlm
+  | Nbd
+  | Nrpe
+  | Snmp
+  | Ssh
+  | Vxlan
+  | Xapi_insecure
+  | Xenha
+
+let service_type_to_string = function
+  | Dlm ->
+      "dlm"
+  | Nbd ->
+      "nbd"
+  | Nrpe ->
+      "nrpe"
+  | Snmp ->
+      "snmp"
+  | Ssh ->
+      "ssh"
+  | Vxlan ->
+      "vxlan"
+  | Xapi_insecure ->
+      "xapi-insecure"
+  | Xenha ->
+      "xenha"
+
+(* Dynamically updates the firewalld service for the given service based on
+   status. If dynamic_control_firewalld_service is true, it enables or disables
+   the corresponding service using the firewall command. *)
+let update_firewall_status ~service ~status =
+  if !Xapi_globs.dynamic_control_firewalld_service then
+    try
+      let service_option =
+        match status with
+        | Enabled ->
+            "--add-service"
+        | Disabled ->
+            "--remove-service"
+      in
+      Helpers.call_script !Xapi_globs.firewall_cmd
+        [service_option; service_type_to_string service]
+      |> ignore
+    with e ->
+      error "Failed to update firewall service status: %s" (Printexc.to_string e)
+
+(* Queries if the specified firewall service is enabled.
+   Returns true if the service is enabled, otherwise returns false. *)
+let is_firewall_service_enabled ~service =
+  try
+    let output =
+      Helpers.call_script !Xapi_globs.firewall_cmd
+        ["--query-service"; service_type_to_string service]
+      |> String.trim
+      |> String.lowercase_ascii
+    in
+    let status = Scanf.sscanf output "%s" Fun.id in
+    match status with "yes" -> true | _ -> false
+  with e ->
+    error "Failed to check firewall service status: %s" (Printexc.to_string e) ;
+    false
diff --git a/ocaml/xapi/firewall.mli b/ocaml/xapi/firewall.mli
@@ -0,0 +1,42 @@
+(*
+ * Copyright (c) Cloud Software Group, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published
+ * by the Free Software Foundation; version 2.1 only. with the special
+ * exception on linking described in file LICENSE.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *)
+
+type firewall_status = Enabled | Disabled
+
+type firewall_service =
+  | Dlm
+  | Nbd
+  | Nrpe
+  | Snmp
+  | Ssh
+  | Vxlan
+  | Xapi_insecure
+  | Xenha
+
+val update_firewall_status :
+  service:firewall_service -> status:firewall_status -> unit
+(** [update_firewall_status ~service ~status]
+   Dynamically updates the firewalld service for the given [service] based on [status].
+   If [Xapi_globs.dynamic_control_firewalld_service] is true, it enables or disables
+   thecorresponding service using the firewall command.
+   - [service]: The firewall service to update (of type [firewall_service]).
+   - [status]: The desired firewall status ([Enabled] or [Disabled]).
+*)
+
+val is_firewall_service_enabled : service:firewall_service -> bool
+(** [is_firewall_service_enabled ~service]
+   Queries if the specified firewall service is enabled.
+   Returns [true] if the service is enabled, otherwise returns [false].
+   - [service]: The firewall service to query (of type [firewall_service]).
+*)
diff --git a/ocaml/xapi/xapi_globs.ml b/ocaml/xapi/xapi_globs.ml
@@ -861,6 +861,10 @@ let nbd_firewall_config_script =
 
 let firewall_port_config_script = ref "/etc/xapi.d/plugins/firewall-port"
 
+let firewall_cmd = ref "/usr/bin/firewall-cmd"
+
+let firewall_cmd_wrapper = ref "/usr/bin/firewall-cmd-wrapper"
+
 let nbd_client_manager_script =
   ref "/opt/xensource/libexec/nbd_client_manager.py"
 
@@ -1317,6 +1321,12 @@ let ssh_monitor_service = ref "xapi-ssh-monitor"
 
 let ssh_auto_mode_default = ref true
 
+(* Firewall backend to use. iptables in XS 8, firewalld in XS 9. *)
+let firewall_backend = ref "firewalld"
+
+(* For firewalld, if dynamic control firewalld service. *)
+let dynamic_control_firewalld_service = ref true
+
 (* Fingerprint of default patch key *)
 let citrix_patch_key =
   "NERDNTUzMDMwRUMwNDFFNDI4N0M4OEVCRUFEMzlGOTJEOEE5REUyNg=="
@@ -1762,12 +1772,6 @@ let other_options =
     , (fun () -> string_of_bool !validate_reusable_pool_session)
     , "Enable validation of reusable pool sessions before use"
     )
-  ; ( "ssh-auto-mode"
-    , Arg.Bool (fun b -> ssh_auto_mode_default := b)
-    , (fun () -> string_of_bool !ssh_auto_mode_default)
-    , "Defaults to true; overridden to false via \
-       /etc/xapi.conf.d/ssh-auto-mode.conf(e.g., in XenServer 8)"
-    )
   ; ( "vm-sysprep-enabled"
     , Arg.Set vm_sysprep_enabled
     , (fun () -> string_of_bool !vm_sysprep_enabled)
@@ -1778,6 +1782,17 @@ let other_options =
     , (fun () -> string_of_float !vm_sysprep_wait)
     , "Time in seconds to wait for VM to recognise inserted CD"
     )
+  ; ( "firewall-backend"
+    , Arg.Set_string firewall_backend
+    , (fun () -> !firewall_backend)
+    , "Firewall backend. iptables (in XS 8) or firewalld (in XS 9 or later XS \
+       version)"
+    )
+  ; ( "dynamic-control-firewalld-service"
+    , Arg.Bool (fun b -> dynamic_control_firewalld_service := b)
+    , (fun () -> string_of_bool !dynamic_control_firewalld_service)
+    , "Enable dynamic control firewalld service"
+    )
   ]
 
 (* The options can be set with the variable xapiflags in /etc/sysconfig/xapi.
@@ -1912,10 +1927,14 @@ module Resources = struct
       , "Executed after NBD-related networking changes to configure the \
          firewall for NBD"
       )
-    ; ( "firewall-port-config"
-      , firewall_port_config_script
-      , "Executed when starting/stopping xapi-clusterd to configure firewall \
-         port"
+    ; ( "firewall-cmd"
+      , firewall_cmd
+      , "Executed when enable/disable a service on a firewalld zone"
+      )
+    ; ( "firewall-cmd-wrapper"
+      , firewall_cmd_wrapper
+      , "Executed when enable/disable a service on a firewalld zone and \
+         interface"
       )
     ; ( "nbd_client_manager"
       , nbd_client_manager_script
