From 06228918d6c4c3d12d1dfb77baabfc16e3109560 Mon Sep 17 00:00:00 2001 From: Digimer Date: Thu, 24 Jan 2019 01:41:40 -0500 Subject: [PATCH] * Finished fixing anvil-manage-firewall so that it works with RHEL8. Signed-off-by: Digimer --- share/words.xml | 4 +- tools/anvil-manage-firewall | 100 ++++++++++++++++-------------------- 2 files changed, 45 insertions(+), 59 deletions(-) diff --git a/share/words.xml b/share/words.xml index 95351d9d..a1dbea96 100644 --- a/share/words.xml +++ b/share/words.xml @@ -239,7 +239,7 @@ About to try to download aproximately: [#!variable!packages!#] packages needed t Storage Network ##!variable!number!# - Used for DRBD communication between nodes and DR hosts. Should be VLAN-isolated from the IFN and, thus, trusted. Internet/Intranet-Facing Network ##!variable!number!# - Used for all client/user facing traffic. Likely connected to a semi-trusted network only. Updating / configuring the firewall. - Found an unneeded zone: [#!variable!zone!#], it will be removed. + #!free!# The zone: [#!variable!zone!#] file: [#!variable!file!#] needs to be updated. The zone: [#!variable!zone!#] file: [#!variable!file!#] doesn't exist, it will now be created. The interface: [#!variable!interface!#] will be added to the zone: [#!variable!zone!#]. @@ -527,7 +527,7 @@ The body of the file: [#!variable!file!#] does not match the new body. The file 'Install Target' job: [#!data!switches::job-uuid!#] picked up. 'Install Target' job: [#!data!switches::job-uuid!#] aborted, system not yet configured. Package list loaded. - The firewall zone: [#!variable!zone!#] is not needed. The zone file: [#!variable!file!#] has been backed up to: [#!variable!backup!#] and will now be removed. + #!free!# [ Error ] - Failed to delete the file: [#!variable!file!#]. [ Warning ] - None of the databases are accessible. ScanCore will try to connect once a minute until a database is accessible. [ Cleared ] - We now have databases accessible, proceeding. 
diff --git a/tools/anvil-manage-firewall b/tools/anvil-manage-firewall index e823e519..baac5eb8 100755 --- a/tools/anvil-manage-firewall +++ b/tools/anvil-manage-firewall @@ -83,17 +83,17 @@ sub check_initial_setup my $internet_zone = ""; foreach my $interface (sort {$a cmp $b} keys %{$anvil->data->{sys}{network}{interface}}) { - $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { interface => $interface }}); + $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { interface => $interface }}); if ($interface =~ /^((bcn|ifn|sn)\d+)_/) { # We'll use the start of the string (network type) as the zone, though it should # always be overridden by the ZONE="" variable in each interface's config. my $zone = $1; - $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { zone => $zone }}); + $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { zone => $zone }}); if ((exists $anvil->data->{sys}{network}{interface}{$interface}{variable}{ZONE}) && ($anvil->data->{sys}{network}{interface}{$interface}{variable}{ZONE})) { $zone = $anvil->data->{sys}{network}{interface}{$interface}{variable}{ZONE}; - $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { zone => $zone }}); + $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { zone => $zone }}); } push @{$needed_zones}, $zone; 
@@ -119,56 +119,31 @@ sub check_initial_setup foreach my $zone (sort {$a cmp $b} keys %{$anvil->data->{firewall}{zone}}) { my $file = exists $anvil->data->{firewall}{zone}{$zone}{file} ? $anvil->data->{firewall}{zone}{$zone}{file} : $anvil->data->{path}{directories}{firewalld_zones}."/".$zone.".xml"; - $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { + $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { "s1:zone" => $zone, "s2:file" => $file, }}); ### NOTE: This is probably overkill. -# # Is this a zone I want/need? -# my $wanted = 0; -# foreach my $needed_zone (sort {$a cmp $b} @{$needed_zones}) -# { -# $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { -# "s1:zone" => $zone, -# "s2:needed_zone" => $needed_zone, -# }}); -# if ($needed_zone eq $zone) -# { -# $wanted = 1; -# $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { wanted => $wanted }}); -# last; -# } -# } -# -# # Remove the file if needed, and then skip this zone if we don't care about it. -# $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { wanted => $wanted }}); -# if (not $wanted) -# { -# $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 2, key => "message_0135", variables => { zone => $zone }}); -# if (-e $file) -# { -# # Archive and delete it. -# my $backup_file = $anvil->Storage->backup({file => $file }); -# $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 0, secure => 0, key => "log_0242", variables => { -# zone => $zone, -# file => $file, -# backup => $backup_file, -# }}); -# unlink $file; -# -# if (-e $file) -# { -# # Failed to unlink the unneeed zone file. 
-# $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 0, priority => "err", key => "log_0243", variables => { file => $file }}); -# $anvil->nice_exit({exit_code => 1}); -# } -# } -# delete $anvil->data->{firewall}{zone}{$zone}; -# -# reload_firewall($anvil); -# next; -# } + # Is this a zone I want/need? + my $wanted = 0; + foreach my $needed_zone (sort {$a cmp $b} @{$needed_zones}) + { + $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { + "s1:zone" => $zone, + "s2:needed_zone" => $needed_zone, + }}); + if ($needed_zone eq $zone) + { + $wanted = 1; + $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { wanted => $wanted }}); + last; + } + } + + # Skip if this is a zone I don't care about. + $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { wanted => $wanted }}); + next if not $wanted; # Create or update the zone file, if needed. my $template = ""; @@ -191,7 +166,12 @@ sub check_initial_setup $template = "ifn_zone"; $description = $anvil->Words->string({key => "message_0133", variables => { number => $number }}); } - $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { + else + { + # This should never be hit, but it's a fail-safe in we're in a zone we don't manage. + next; + } + $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { "s1:template" => $template, "s2:description" => $description, }}); 
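Review bot: The `### NOTE: This is probably overkill.` context line now sits directly above live code with nothing left to explain what it refers to, since the block it annotated has been replaced by the plain membership check below it. Replace it with a comment that records the behaviour this hunk settles on, e.g. `# Zones no interface needs are left untouched on disk; only the zones we manage are created or updated.`, so the next reader does not reintroduce the backup-and-delete logic the commit removed. The thirteen-line scan of `@{$needed_zones}` can also be a single core-Perl membership test, `my $wanted = grep { $_ eq $zone } @{$needed_zones};`, with `next if not $wanted;` kept as is; only the per-candidate level-3 log lines are lost. check_initial_setup starts before this hunk and continues after it.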
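Review bot: The new `else { next; }` fail-safe after the `ifn_zone` branch leaves the loop without any log line, whereas every other decision in this function is logged, so a zone name that falls through here disappears silently; the same applies to the `if (not $new_zone_body) { next; }` guard added in the `@@ -202,6 +182,12 @@` hunk. Add a log call before each `next`, e.g. `$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { zone => $zone }});`, so an unexpected zone name or an empty template body can be seen when the firewall ends up unconfigured. The comment on the else branch also reads `a fail-safe in we're in a zone`; it should read `a fail-safe in case we're in a zone we don't manage`. check_initial_setup starts before this hunk and continues after it.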
@@ -202,6 +182,12 @@ sub check_initial_setup }}); $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { new_zone_body => $new_zone_body }}); + # This is another fail safe, don't edit unless we have a new file body. + if (not $new_zone_body) + { + next; + } + # If there isn't a body, see if the file exists. If it doesn't, create it. If it does, read it. my $update_file = 0; my $old_zone_body = exists $anvil->data->{firewall}{zone}{$zone}{body} ? $anvil->data->{firewall}{zone}{$zone}{body} : ""; @@ -210,13 +196,13 @@ sub check_initial_setup { # Has it changed? my $diff = diff \$old_zone_body, \$new_zone_body, { STYLE => 'Unified' }; - $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { diff => $diff }}); + $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { diff => $diff }}); if ($diff) { # Update it $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 1, key => "message_0136", variables => { zone => $zone, file => $file }}); $update_file = 1; - $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { update_file => $update_file }}); + $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { update_file => $update_file }}); } } else 
@@ -224,10 +210,10 @@ sub check_initial_setup # Create it $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, 'print' => 1, level => 1, key => "message_0137", variables => { zone => $zone, file => $file }}); $update_file = 1; - $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { update_file => $update_file }}); + $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { update_file => $update_file }}); } - $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { update_file => $update_file }}); + $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { update_file => $update_file }}); if ($update_file) { my $error = $anvil->Storage->write_file({ @@ -238,7 +224,7 @@ sub check_initial_setup mode => "0644", overwrite => 1, }); - $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { error => $error }}); + $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { error => $error }}); if ($error) { @@ -253,13 +239,13 @@ sub check_initial_setup foreach my $interface (sort {$a cmp $b} keys %{$anvil->data->{firewall}{zone}{$zone}{interface}}) { my $in_zone = exists $anvil->data->{firewall}{interface}{$interface}{zone} ? $anvil->data->{firewall}{interface}{$interface}{zone} : ""; - $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { + $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { "s1:interface" => $interface, "s2:in_zone" => $in_zone, "s3:zone" => $zone, }}); - $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { in_zone => $in_zone, zone => $zone }}); + $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { in_zone => $in_zone, zone => $zone }}); if ((not $in_zone) or ($zone ne $in_zone)) { # Add it 
@@ -269,7 +255,7 @@ sub check_initial_setup }}); my $output = $anvil->System->call({debug => 2, shell_call => $anvil->data->{path}{exe}{'firewall-cmd'}." --zone=".$zone." --change-interface=".$interface}); - $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { output => $output }}); + $anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { output => $output }}); reload_firewall($anvil); }
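Review bot: Lowering the `output` log after the `firewall-cmd --change-interface` call to level 3 means a failed call leaves no trace at normal verbosity, and `$output` is not inspected before `reload_firewall($anvil)` runs on the following line, so an interface that was not moved into its zone goes unnoticed; the analogous `error` log in the `@@ -238,7 +224,7 @@` hunk is fine because `if ($error)` follows it. Keep this one line at `level => 2`, or inspect `$output` before calling `reload_firewall($anvil)` (whether `System->call` also exposes a return code is not visible in this hunk). check_initial_setup starts before this hunk and, as far as is visible, continues after it.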