

Call firewall-port in IPv6 when management is in IPv6
Signed-off-by: Benjamin Reis <[email protected]>
benjamreis committed Nov 5, 2024
1 parent 2221964 commit 0291690
Showing 5 changed files with 73 additions and 19 deletions.
9 changes: 8 additions & 1 deletion ocaml/xapi/dbsync_slave.ml
Expand Up @@ -126,8 +126,15 @@ let refresh_localhost_info ~__context info =
) else
Db.Host.remove_from_other_config ~__context ~self:host
~key:Xapi_globs.host_no_local_storage ;
let options =
match Helpers.get_management_iface_primary_address_type ~__context with
| `IPv4 ->
["check"; "80"]
| `IPv6 ->
["-6"; "check"; "80"]
in
let script_output =
Helpers.call_script !Xapi_globs.firewall_port_config_script ["check"; "80"]
Helpers.call_script !Xapi_globs.firewall_port_config_script options
in
try
let network_state = Scanf.sscanf script_output "Port 80 open: %B" Fun.id in
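Review bot: The new `let options = match Helpers.get_management_iface_primary_address_type ~__context with ...` is evaluated before the `try` that guards the `Scanf.sscanf`, so the `Not_found` that `Helpers.get_management_interface` raises when no PIF on this host is flagged `management` now aborts `refresh_localhost_info` outright, a failure mode the old hard-coded `["check"; "80"]` did not have; whether a slave can reach this point before its PIFs are in the database is not visible here and should be confirmed. If the port-80 check is best-effort, a third match arm keeps it that way: `| exception Not_found -> ["check"; "80"]` (optionally preceded by a warning log, if this module has a logger in scope). Note also that with `-6` the script is presumably queried about the IPv6 table only, so on a dual-stack host `network_state` says nothing about whether port 80 is still open over IPv4. `refresh_localhost_info` starts outside the hunk.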
17 changes: 17 additions & 0 deletions ocaml/xapi/helpers.ml
Expand Up @@ -150,6 +150,18 @@ let get_management_ip_addr ~__context =
let dbg = Context.string_of_task __context in
Option.map fst (Networking_info.get_management_ip_addr ~dbg)

let get_management_interface ~__context ~host =
let pifs =
Db.PIF.get_refs_where ~__context
~expr:
(And
( Eq (Field "host", Literal (Ref.string_of host))
, Eq (Field "management", Literal "true")
)
)
in
match pifs with [] -> raise Not_found | pif :: _ -> pif

let get_localhost_uuid () =
Xapi_inventory.lookup Xapi_inventory._installation_uuid

Expand All @@ -165,6 +177,11 @@ let get_localhost ~__context =
| true ->
get_localhost_uncached ~__context

let get_management_iface_primary_address_type ~__context =
let host = get_localhost ~__context in
let management_pif = get_management_interface ~__context ~host in
Db.PIF.get_primary_address_type ~__context ~self:management_pif

(* Determine the gateway and DNS PIFs:
* If one of the PIFs with IP has other_config:defaultroute=true, then
* pick this one as gateway PIF. If there are multiple, pick a random one of these.
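Review bot: Neither `get_management_interface` nor `get_management_iface_primary_address_type` carries a doc comment, and the first raises `Not_found` when no PIF on `host` has `management = "true"` while silently taking the first match if several do; the callers this commit adds in nm.ml, xapi_clustering.ml and xapi_host.ml previously never saw that exception. Add `(** The PIF flagged [management] on [host]; the first match is returned if several exist. @raise Not_found if there is none. *)` above the first and `(** Primary address type ([`IPv4] or [`IPv6]) of localhost's management PIF. @raise Not_found if localhost has no management PIF. *)` above the second. Separately, the six-line `match ... with `IPv4 -> args | `IPv6 -> "-6" :: args` that the commit repeats at six call sites belongs in this module as one helper, so the `-6` convention of the firewall script is encoded in a single place and its exception is documented once.
```ocaml
(** [firewall_port_args ~__context args] is [args], prefixed with ["-6"] when
    localhost's management PIF has an IPv6 primary address, ready to be passed
    to [!Xapi_globs.firewall_port_config_script].
    @raise Not_found if localhost has no management PIF. *)
let firewall_port_args ~__context args =
  match get_management_iface_primary_address_type ~__context with
  | `IPv4 ->
      args
  | `IPv6 ->
      "-6" :: args
```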
22 changes: 21 additions & 1 deletion ocaml/xapi/nm.ml
Expand Up @@ -796,10 +796,20 @@ let bring_pif_up ~__context ?(management_interface = false) (pif : API.ref_PIF)
| `vxlan ->
debug
"Opening VxLAN UDP port for tunnel with protocol 'vxlan'" ;
let options =
match
Helpers.get_management_iface_primary_address_type
~__context
with
| `IPv4 ->
["open"; "4789"; "udp"]
| `IPv6 ->
["-6"; "open"; "4789"; "udp"]
in
ignore
@@ Helpers.call_script
!Xapi_globs.firewall_port_config_script
["open"; "4789"; "udp"]
options
| `gre ->
()
)
Expand Down Expand Up @@ -857,6 +867,16 @@ let bring_pif_down ~__context ?(force = false) (pif : API.ref_PIF) =
in
if no_more_vxlan then (
debug "Last VxLAN tunnel was closed, closing VxLAN UDP port" ;
let options =
match
Helpers.get_management_iface_primary_address_type
~__context
with
| `IPv4 ->
["close"; "4789"; "udp"]
| `IPv6 ->
["-6"; "close"; "4789"; "udp"]
in
ignore
@@ Helpers.call_script
!Xapi_globs.firewall_port_config_script
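Review bot: In the `bring_pif_down` hunk the new `options` binding appears never to be used: the hunk ends at `!Xapi_globs.firewall_port_config_script`, and the section's diffstat (21 additions, 1 deletion, the deletion being the `["open"; "4789"; "udp"]` line in `bring_pif_up`) leaves no deletion for the argument line below it, so the close call presumably still passes `["close"; "4789"; "udp"]` without `-6`. On an IPv6 management host that opens UDP 4789 in the IPv6 table on tunnel creation but never closes it when the last VxLAN tunnel goes away, and the unused binding should also trip OCaml's unused-variable warning if the build treats warnings as errors. The argument line should become `options`, mirroring the `bring_pif_up` hunk. `Helpers.get_management_iface_primary_address_type` can additionally raise `Not_found` in both functions, which neither handled before; both functions start, and `bring_pif_down` ends, outside the hunks.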
22 changes: 18 additions & 4 deletions ocaml/xapi/xapi_clustering.ml
Expand Up @@ -274,9 +274,18 @@ module Daemon = struct
raise Api_errors.(Server_error (not_implemented, ["Cluster.create"]))
) ;
( try
let options =
match
Helpers.get_management_iface_primary_address_type ~__context
with
| `IPv4 ->
["open"; port]
| `IPv6 ->
["-6"; "open"; port]
in
maybe_call_script ~__context
!Xapi_globs.firewall_port_config_script
["open"; port] ;
options ;
maybe_call_script ~__context !Xapi_globs.systemctl ["enable"; service] ;
maybe_call_script ~__context !Xapi_globs.systemctl ["start"; service]
with _ ->
Expand All @@ -295,9 +304,14 @@ module Daemon = struct
Atomic.set enabled false ;
maybe_call_script ~__context !Xapi_globs.systemctl ["disable"; service] ;
maybe_call_script ~__context !Xapi_globs.systemctl ["stop"; service] ;
maybe_call_script ~__context
!Xapi_globs.firewall_port_config_script
["close"; port] ;
let options =
match Helpers.get_management_iface_primary_address_type ~__context with
| `IPv4 ->
["close"; port]
| `IPv6 ->
["-6"; "close"; port]
in
maybe_call_script ~__context !Xapi_globs.firewall_port_config_script options ;
debug "Cluster daemon: disabled & stopped"

let restart ~__context =
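Review bot: Both hunks derive `-6` from the management interface's address family, but `port` is the cluster daemon's, which listens on the cluster network's PIF; if that network can live on a different PIF or address family than management (xapi supports a dedicated cluster network as far as I recall, so please confirm), the rule lands in the wrong table and cluster traffic is blocked, or a port is opened in a table that did not need it. Deriving the family from the cluster host's PIF, or from the address the daemon actually binds, would match what is being protected. In the `disable` hunk the `Not_found` from `Helpers.get_management_interface` is not caught, so a failure there leaves the service stopped but the port open and skips the `debug "Cluster daemon: disabled & stopped"` line, whereas the `enable` path's `with _ ->` swallows it, so a port that was never opened would surface only as a cluster that cannot form. `Daemon.enable` starts outside its hunk.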
22 changes: 9 additions & 13 deletions ocaml/xapi/xapi_host.ml
Expand Up @@ -1221,16 +1221,7 @@ let syslog_reconfigure ~__context ~host:_ =
()

let get_management_interface ~__context ~host =
let pifs =
Db.PIF.get_refs_where ~__context
~expr:
(And
( Eq (Field "host", Literal (Ref.string_of host))
, Eq (Field "management", Literal "true")
)
)
in
match pifs with [] -> raise Not_found | pif :: _ -> pif
Helpers.get_management_interface ~__context ~host

let change_management_interface ~__context interface primary_address_type =
debug "Changing management interface" ;
Expand Down Expand Up @@ -3045,10 +3036,15 @@ let set_https_only ~__context ~self ~value =
let state = match value with true -> "close" | false -> "open" in
match cc_prep () with
| false ->
let options =
match Helpers.get_management_iface_primary_address_type ~__context with
| `IPv4 ->
[state; "80"]
| `IPv6 ->
["-6"; state; "80"]
in
ignore
@@ Helpers.call_script
!Xapi_globs.firewall_port_config_script
[state; "80"] ;
@@ Helpers.call_script !Xapi_globs.firewall_port_config_script options ;
Db.Host.set_https_only ~__context ~self ~value
| true when value = Db.Host.get_https_only ~__context ~self ->
(* the new value is the same as the old value *)
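Review bot: `set_https_only` now opens or closes port 80 only in the table selected by the management PIF's *primary* address family, so if a host also carries addresses of the other family (the field name suggests a secondary family is possible — confirm against the PIF model and what `-6` does in the firewall script), `https_only = true` leaves plain HTTP reachable over that family while `Db.Host.set_https_only` records it as enforced. For a setting whose purpose is to deny cleartext access it is safer to apply `close` to both tables regardless of the management family and make only `open` family-specific, i.e. run the script twice with and without `-6` when `state = "close"`. The `Not_found` from `Helpers.get_management_interface` would also now escape this API call without an `Api_errors` mapping. The `get_management_interface` hunk is a pure delegation and needs no comment; `set_https_only` starts outside its hunk.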

