Call firewall-port in IPv6 when management is in IPv6
Signed-off-by: Benjamin Reis <[email protected]>
benjamreis committed Nov 13, 2024
1 parent 026fd62 commit 962e8ce
Showing 5 changed files with 52 additions and 10 deletions.
9 changes: 8 additions & 1 deletion ocaml/xapi/dbsync_slave.ml
Expand Up @@ -126,8 +126,15 @@ let refresh_localhost_info ~__context info =
) else
Db.Host.remove_from_other_config ~__context ~self:host
~key:Xapi_globs.host_no_local_storage ;
let options =
match Helpers.get_management_iface_primary_address_type with
| `IPv4 ->
["check"; "80"]
| `IPv6 ->
["-6"; "check"; "80"]
in
let script_output =
Helpers.call_script !Xapi_globs.firewall_port_config_script ["check"; "80"]
Helpers.call_script !Xapi_globs.firewall_port_config_script options
in
try
let network_state = Scanf.sscanf script_output "Port 80 open: %B" Fun.id in
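Review bot: The seven-line `let options = match Helpers.get_management_iface_primary_address_type with ...` block that prepends `"-6"` is copied verbatim here and in nm.ml (bring_pif_up and bring_pif_down), xapi_clustering.ml (Daemon.enable and disable) and xapi_host.ml (set_https_only); a single helper next to the new definition in helpers.ml, say `firewall_port_args args` returning `args` for IPv4 and `"-6" :: args` for IPv6, would leave each call site as one line, e.g. `Helpers.call_script !Xapi_globs.firewall_port_config_script (Helpers.firewall_port_args ["check"; "80"])`. That also keeps the family selection in one place if the flag convention of the script ever changes. Note that the `check` here now reports the state of port 80 only for the management family, which is presumably what the later `Port 80 open: %B` comparison intends, but it is worth a one-line comment such as `(* port state is checked on the management address family only *)`. refresh_localhost_info continues outside the hunk.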
4 changes: 4 additions & 0 deletions ocaml/xapi/helpers.ml
Expand Up @@ -165,6 +165,10 @@ let get_localhost ~__context =
| true ->
get_localhost_uncached ~__context

let get_management_iface_primary_address_type =
Record_util.primary_address_type_of_string
(Xapi_inventory.lookup Xapi_inventory._management_address_type)

(* Determine the gateway and DNS PIFs:
* If one of the PIFs with IP has other_config:defaultroute=true, then
* pick this one as gateway PIF. If there are multiple, pick a random one of these.
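Review bot: `get_management_iface_primary_address_type` is defined as a value, not a function, so `Xapi_inventory.lookup` and `Record_util.primary_address_type_of_string` run exactly once, when the Helpers module is initialised, and every later caller sees that snapshot. If the management address family can change while xapi is running (a management reconfigure), the firewall calls keep using the startup family until restart, and any exception raised by the lookup or the conversion would surface at module initialisation rather than at the call site that can report it. Making it a thunk, `let get_management_iface_primary_address_type () =`, with the five call sites changed to `Helpers.get_management_iface_primary_address_type ()`, evaluates it per call, assuming `Xapi_inventory.lookup` reflects the current inventory. The value also lacks a doc comment; something like `(** Address family of the management interface, taken from the inventory key [_management_address_type]. *)` would help the readers of the call sites.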
16 changes: 15 additions & 1 deletion ocaml/xapi/nm.ml
Expand Up @@ -796,10 +796,17 @@ let bring_pif_up ~__context ?(management_interface = false) (pif : API.ref_PIF)
| `vxlan ->
debug
"Opening VxLAN UDP port for tunnel with protocol 'vxlan'" ;
let options =
match Helpers.get_management_iface_primary_address_type with
| `IPv4 ->
["open"; "4789"; "udp"]
| `IPv6 ->
["-6"; "open"; "4789"; "udp"]
in
ignore
@@ Helpers.call_script
!Xapi_globs.firewall_port_config_script
["open"; "4789"; "udp"]
options
| `gre ->
()
)
Expand Down Expand Up @@ -857,6 +864,13 @@ let bring_pif_down ~__context ?(force = false) (pif : API.ref_PIF) =
in
if no_more_vxlan then (
debug "Last VxLAN tunnel was closed, closing VxLAN UDP port" ;
let options =
match Helpers.get_management_iface_primary_address_type with
| `IPv4 ->
["close"; "4789"; "udp"]
| `IPv6 ->
["-6"; "close"; "4789"; "udp"]
in
ignore
@@ Helpers.call_script
!Xapi_globs.firewall_port_config_script
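Review bot: Both hunks open and close UDP 4789 for the family of the management interface, yet the port is for VxLAN tunnel traffic, which is carried over the tunnel's transport PIF; if that PIF can be configured with a different address family than the management interface, the rule lands in the wrong table and the tunnel stays blocked (or, on close, the other family's rule is left open). If the address-family choice is intentional, a short comment at the first `let options` in bring_pif_up, e.g. `(* VxLAN firewall rule follows the management address family, not the transport PIF *)`, would record the assumption; otherwise the family should be derived from the transport PIF's configuration. The surrounding `match` arms in bring_pif_up and the function bodies of both bring_pif_up and bring_pif_down start before and end after the hunks.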
22 changes: 17 additions & 5 deletions ocaml/xapi/xapi_clustering.ml
Expand Up @@ -274,12 +274,19 @@ module Daemon = struct
raise Api_errors.(Server_error (not_implemented, ["Cluster.create"]))
) ;
( try
let options =
match Helpers.get_management_iface_primary_address_type with
| `IPv4 ->
["open"; port]
| `IPv6 ->
["-6"; "open"; port]
in
maybe_call_script ~__context
!Xapi_globs.firewall_port_config_script
["open"; port] ;
options ;
maybe_call_script ~__context !Xapi_globs.systemctl ["enable"; service] ;
maybe_call_script ~__context !Xapi_globs.systemctl ["start"; service]
with _ ->
with e ->
raise
Api_errors.(
Server_error
Expand All @@ -295,9 +302,14 @@ module Daemon = struct
Atomic.set enabled false ;
maybe_call_script ~__context !Xapi_globs.systemctl ["disable"; service] ;
maybe_call_script ~__context !Xapi_globs.systemctl ["stop"; service] ;
maybe_call_script ~__context
!Xapi_globs.firewall_port_config_script
["close"; port] ;
let options =
match Helpers.get_management_iface_primary_address_type with
| `IPv4 ->
["close"; port]
| `IPv6 ->
["-6"; "close"; port]
in
maybe_call_script ~__context !Xapi_globs.firewall_port_config_script options ;
debug "Cluster daemon: disabled & stopped"

let restart ~__context =
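Review bot: The handler of the `try` in Daemon.enable changes from `with _ ->` to `with e ->`, but the body of the raised `Server_error` continues past the hunk, so it is not visible here whether `e` is actually used in the error payload; if it is not, the binding is unused and should stay `_`. If it is, it is worth checking that the rendering of `e` (for example via `Printexc.to_string e`) does not leak more detail to the API client than the previous generic error did. Moving the firewall-option computation inside the `try` is fine, since any failure of the address-family lookup is then reported through the same error path as the script itself.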
11 changes: 8 additions & 3 deletions ocaml/xapi/xapi_host.ml
Expand Up @@ -3045,10 +3045,15 @@ let set_https_only ~__context ~self ~value =
let state = match value with true -> "close" | false -> "open" in
match cc_prep () with
| false ->
let options =
match Helpers.get_management_iface_primary_address_type with
| `IPv4 ->
[state; "80"]
| `IPv6 ->
["-6"; state; "80"]
in
ignore
@@ Helpers.call_script
!Xapi_globs.firewall_port_config_script
[state; "80"] ;
@@ Helpers.call_script !Xapi_globs.firewall_port_config_script options ;
Db.Host.set_https_only ~__context ~self ~value
| true when value = Db.Host.get_https_only ~__context ~self ->
(* the new value is the same as the old value *)
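Review bot: set_https_only now closes or opens port 80 only in the table of the management address family (`"-6"` is added solely in the `` `IPv6 `` branch), so on a host that is reachable over both IPv4 and IPv6 the other family's port-80 rule keeps whatever state it had; setting https_only to true may therefore still leave plaintext HTTP reachable over the non-management family, and the value later stored by `Db.Host.set_https_only` would not reflect the actual firewall state. If the firewall script is only meant to manage the management family, the limitation belongs in a comment at the `let options`, e.g. `(* only the management address family is enforced here *)`; otherwise both families should be toggled. The enclosing `match cc_prep ()` continues outside the hunk.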