CP-308800: Add firewalld control function

Signed-off-by: Bengang Yuan <[email protected]>

Author: BengangY

ocaml/xapi/firewall.ml

@@ -0,0 +1,131 @@
+(*
+ * Copyright (c) Cloud Software Group, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published
+ * by the Free Software Foundation; version 2.1 only. with the special
+ * exception on linking described in file LICENSE.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *)
+
+module D = Debug.Make (struct let name = "firewall" end)
+
+open D
+
+type status = Enabled | Disabled
+
+type service = Dlm | Nbd | Ssh | Vxlan | Http | Xenha
+
+let service_type_to_string = function
+  | Dlm ->
+      "dlm"
+  | Nbd ->
+      "nbd"
+  | Ssh ->
+      "ssh"
+  | Vxlan ->
+      "vxlan"
+  | Http ->
+      "xapi-insecure"
+  | Xenha ->
+      "xenha"
+
+let service_type_to_service_info = function
+  | Dlm ->
+      ("dlm", !Xapi_globs.xapi_clusterd_port, "TCP")
+  | Nbd ->
+      ("nbd", 10809, "TCP")
+  | Ssh ->
+      ("ssh", 22, "TCP")
+  | Vxlan ->
+      ("vxlan", 4789, "UDP")
+  | Http ->
+      ("xapi-insecure", Constants.http_port, "TCP")
+  | Xenha ->
+      ("xenha", Xapi_globs.xha_udp_port, "UDP")
+
+module type FIREWALL = sig
+  val update_firewall_status : service:service -> status:status -> unit
+
+  val is_firewall_service_enabled : service:service -> bool
+end
+
+module Firewalld : FIREWALL = struct
+  let update_firewall_status ~service ~status =
+    if !Xapi_globs.dynamic_control_firewalld_service then
+      try
+        let service_option =
+          match status with
+          | Enabled ->
+              "--add-service"
+          | Disabled ->
+              "--remove-service"
+        in
+        let service_name, _, _ = service_type_to_service_info service in
+        Helpers.call_script !Xapi_globs.firewall_cmd
+          [service_option; service_name]
+        |> ignore
+      with e ->
+        error "Failed to update firewall service status: %s"
+          (Printexc.to_string e)
+
+  let is_firewall_service_enabled ~service =
+    let service_name, _, _ = service_type_to_service_info service in
+    try
+      let output =
+        Helpers.call_script !Xapi_globs.firewall_cmd
+          ["--query-service"; service_name]
+        |> String.trim
+        |> String.lowercase_ascii
+      in
+      let status = Scanf.sscanf output "%s" Fun.id in
+      match status with "yes" -> true | _ -> false
+    with e ->
+      error "Failed to check firewall service status: %s" (Printexc.to_string e) ;
+      false
+end
+
+module Iptables : FIREWALL = struct
+  let update_firewall_status ~service ~status =
+    let op = match status with Enabled -> "open" | Disabled -> "close" in
+    let _, port, protocol = service_type_to_service_info service in
+    ignore
+    @@ Helpers.call_script
+         !Xapi_globs.firewall_port_config_script
+         [op; string_of_int port; protocol]
+
+  let is_firewall_service_enabled ~service =
+    let _, port, protocol = service_type_to_service_info service in
+    let script_output =
+      Helpers.call_script
+        !Xapi_globs.firewall_port_config_script
+        ["check"; string_of_int port; protocol]
+    in
+    try
+      debug "firewall-port check result: %s" script_output ;
+      let _, enabled =
+        (* The firewall-port script returns true if port 80 is blocked and false
+           if it is not. *)
+        Scanf.sscanf script_output "Port %d open: %B" (fun port is_blocked ->
+            (port, not is_blocked)
+        )
+      in
+      enabled
+    with _ ->
+      Helpers.internal_error
+        "unexpected output from /etc/xapi.d/plugins/firewall-port: %s"
+        script_output
+end
+
+let firewall_provider (backend : string) : (module FIREWALL) =
+  match backend with
+  | "firewalld" ->
+      (module Firewalld)
+  | "iptables" ->
+      (module Iptables)
+  | _ ->
+      Helpers.internal_error "unknown firewall backend: %s" backend

ocaml/xapi/firewall.mli

@@ -0,0 +1,29 @@
+(*
+ * Copyright (c) Cloud Software Group, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published
+ * by the Free Software Foundation; version 2.1 only. with the special
+ * exception on linking described in file LICENSE.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *)
+
+type status = Enabled | Disabled
+
+type service = Dlm | Nbd | Ssh | Vxlan | Http | Xenha
+
+module type FIREWALL = sig
+  val update_firewall_status : service:service -> status:status -> unit
+
+  val is_firewall_service_enabled : service:service -> bool
+end
+
+module Firewalld : FIREWALL
+
+module Iptables : FIREWALL
+
+val firewall_provider : string -> (module FIREWALL)

ocaml/xapi/xapi_globs.ml

@@ -861,6 +861,10 @@ let nbd_firewall_config_script =
 
 let firewall_port_config_script = ref "/etc/xapi.d/plugins/firewall-port"
 
+let firewall_cmd = ref "/usr/bin/firewall-cmd"
+
+let firewall_cmd_wrapper = ref "/usr/bin/firewall-cmd-wrapper"
+
 let nbd_client_manager_script =
   ref "/opt/xensource/libexec/nbd_client_manager.py"
 
@@ -1317,6 +1321,12 @@ let ssh_monitor_service = ref "xapi-ssh-monitor"
 
 let ssh_auto_mode_default = ref true
 
+(* Firewall backend to use. iptables in XS 8, firewalld in XS 9. *)
+let firewall_backend = ref "firewalld"
+
+(* For firewalld, if dynamic control firewalld service. *)
+let dynamic_control_firewalld_service = ref true
+
 (* Fingerprint of default patch key *)
 let citrix_patch_key =
   "NERDNTUzMDMwRUMwNDFFNDI4N0M4OEVCRUFEMzlGOTJEOEE5REUyNg=="
@@ -1762,12 +1772,6 @@ let other_options =
     , (fun () -> string_of_bool !validate_reusable_pool_session)
     , "Enable validation of reusable pool sessions before use"
     )
-  ; ( "ssh-auto-mode"
-    , Arg.Bool (fun b -> ssh_auto_mode_default := b)
-    , (fun () -> string_of_bool !ssh_auto_mode_default)
-    , "Defaults to true; overridden to false via \
-       /etc/xapi.conf.d/ssh-auto-mode.conf(e.g., in XenServer 8)"
-    )
   ; ( "vm-sysprep-enabled"
     , Arg.Set vm_sysprep_enabled
     , (fun () -> string_of_bool !vm_sysprep_enabled)
@@ -1778,6 +1782,17 @@ let other_options =
     , (fun () -> string_of_float !vm_sysprep_wait)
     , "Time in seconds to wait for VM to recognise inserted CD"
     )
+  ; ( "firewall-backend"
+    , Arg.Set_string firewall_backend
+    , (fun () -> !firewall_backend)
+    , "Firewall backend. iptables (in XS 8) or firewalld (in XS 9 or later XS \
+       version)"
+    )
+  ; ( "dynamic-control-firewalld-service"
+    , Arg.Bool (fun b -> dynamic_control_firewalld_service := b)
+    , (fun () -> string_of_bool !dynamic_control_firewalld_service)
+    , "Enable dynamic control firewalld service"
+    )
   ]
 
 (* The options can be set with the variable xapiflags in /etc/sysconfig/xapi.
@@ -1912,10 +1927,14 @@ module Resources = struct
       , "Executed after NBD-related networking changes to configure the \
          firewall for NBD"
       )
-    ; ( "firewall-port-config"
-      , firewall_port_config_script
-      , "Executed when starting/stopping xapi-clusterd to configure firewall \
-         port"
+    ; ( "firewall-cmd"
+      , firewall_cmd
+      , "Executed when enable/disable a service on a firewalld zone"
+      )
+    ; ( "firewall-cmd-wrapper"
+      , firewall_cmd_wrapper
+      , "Executed when enable/disable a service on a firewalld zone and \
+         interface"
       )
     ; ( "nbd_client_manager"
       , nbd_client_manager_script