* Added a check in System->manage_firewall to check iptables-save for the requested port and return immediately if the requested port is open and the task wasn't 'close'. This speeds up firewall checks substantially.

Signed-off-by: Digimer <digimer@alteeve.ca>
main
Digimer 7 years ago
parent c1b21f96be
commit eaf900d5c3
  1. 1
      AN/Tools.pm
  2. 34
      AN/Tools/System.pm

@ -675,6 +675,7 @@ sub _set_paths
gethostip => "/usr/bin/gethostip", gethostip => "/usr/bin/gethostip",
hostname => "/usr/bin/hostname", hostname => "/usr/bin/hostname",
ip => "/usr/sbin/ip", ip => "/usr/sbin/ip",
'iptables-save' => "/usr/sbin/iptables-save",
journalctl => "/usr/bin/journalctl", journalctl => "/usr/bin/journalctl",
logger => "/usr/bin/logger", logger => "/usr/bin/logger",
'mkdir' => "/usr/bin/mkdir", 'mkdir' => "/usr/bin/mkdir",

@ -424,6 +424,35 @@ sub manage_firewall
return("!!error!!"); return("!!error!!");
} }
# This will be set if the port is found to be open.
my $open = 0;
# Checking the iptables rules in memory is very fast, relative to firewall-cmd. So we'll do an
# initial check there to see if the port in question is listed.
my $shell_call = $an->data->{path}{exe}{'iptables-save'};
$an->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { shell_call => $shell_call }});
my $iptables = $an->System->call({shell_call => $shell_call});
foreach my $line (split/\n/, $iptables)
{
$an->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { line => $line }});
if (($line =~ /-m $protocol /) && ($line =~ /--dport $port_number /) && ($line =~ /ACCEPT/))
{
$open = 1;
$an->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { 'open' => $open }});
last;
}
}
# If the port is open and the task is 'check' or 'open', we're done and can return now and save a lot
# of time.
$an->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { 'task' => $task, 'open' => $open }});
if ((($task eq "check") or ($task eq "open")) && ($open))
{
$an->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, list => { 'open' => $open }});
return($open);
}
# Before we do anything, what zone is active? # Before we do anything, what zone is active?
my $active_zone = ""; my $active_zone = "";
if (not $active_zone) if (not $active_zone)
@ -452,16 +481,13 @@ sub manage_firewall
return("!!error!!"); return("!!error!!");
} }
# See if the requested port is open.
my $open = 0;
# If we have an active zone, see if the requested port is open. # If we have an active zone, see if the requested port is open.
my $zone_file = $an->data->{path}{directories}{firewalld_zones}."/".$active_zone.".xml"; my $zone_file = $an->data->{path}{directories}{firewalld_zones}."/".$active_zone.".xml";
$an->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { zone_file => $zone_file }}); $an->Log->variables({source => $THIS_FILE, line => __LINE__, level => 3, list => { zone_file => $zone_file }});
if (not -e $zone_file) if (not -e $zone_file)
{ {
#... #...
return("!!error!!"); return($open);
} }
# Read the XML to see what services are opened already and translate those into port numbers and # Read the XML to see what services are opened already and translate those into port numbers and

Loading…
Cancel
Save