patches/systemvm/debian/config/root/firewallRule_egress.sh - cloudstack - Git at Google

 #!/usr/bin/env bash
 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
 # regarding copyright ownership.  The ASF licenses this file
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
 # $Id: firewallRule_egress.sh 9947 2013-01-17 19:34:24Z manuel $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/patches/xenserver/root/firewallRule_egress.sh $
 # firewallRule_egress.sh -- allow some ports / protocols from vm instances
 # @VERSION@

 source /root/func.sh

 lock="biglock"
 locked=$(getLockFile $lock)
 if [ "$locked" != "1" ]
 then
     exit 1
 fi
 #set -x
 usage() {
   printf "Usage: %s:  -a protocol:startport:endport:sourcecidrs>  \n" $(basename $0) >&2
   printf "sourcecidrs format:  cidr1-cidr2-cidr3-...\n"
 }

 fw_egress_remove_backup() {
   sudo iptables -D FW_OUTBOUND -j _FW_EGRESS_RULES
   sudo iptables -F _FW_EGRESS_RULES
   sudo iptables -X _FW_EGRESS_RULES
 }

 fw_egress_save() {
   sudo iptables -E FW_EGRESS_RULES _FW_EGRESS_RULES
 }

 fw_egress_chain () {
 #supress errors 2>/dev/null
   fw_egress_remove_backup
   fw_egress_save
   sudo iptables -N FW_EGRESS_RULES
   sudo iptables -A FW_OUTBOUND -j FW_EGRESS_RULES
 }

 fw_egress_backup_restore() {
    sudo iptables -A FW_OUTBOUND -j FW_EGRESS_RULES
    sudo iptables -E _FW_EGRESS_RULES FW_EGRESS_RULES
    fw_egress_remove_backup
 }


 fw_entry_for_egress() {
   local rule=$1

   local prot=$(echo $rule | cut -d: -f2)
   local sport=$(echo $rule | cut -d: -f3)
   local eport=$(echo $rule | cut -d: -f4)
   local cidrs=$(echo $rule | cut -d: -f5 | sed 's/-/ /g')
   if [ "$sport" == "0" -a "$eport" == "0" ]
   then
       DPORT=""
   else
       DPORT="--dport $sport:$eport"
   fi
   logger -t cloud "$(basename $0): enter apply fw egress rules for guest $prot:$sport:$eport:$cidrs"

   for lcidr in $cidrs
   do
     [ "$prot" == "reverted" ] && continue;
     if [ "$prot" == "icmp" ]
     then
       typecode="$sport/$eport"
       [ "$eport" == "-1" ] && typecode="$sport"
       [ "$sport" == "-1" ] && typecode="any"
       sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr --icmp-type $typecode \
                      -j ACCEPT
       result=$?
     elif [ "$prot" == "all" ]
     then
 	    sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr -j ACCEPT
 	    result=$?
     else
 	    sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr \
 	     	    $DPORT -j ACCEPT
 	    result=$?
     fi

     [ $result -gt 0 ] &&
        logger -t cloud "Error adding iptables entry for guest network $prot:$sport:$eport:$cidrs" &&
        break
   done

   logger -t cloud "$(basename $0): exit apply egress firewall rules for guest network"
   return $result
 }


 aflag=0
 rules=""
 rules_list=""
 ip=""
 dev=""
 shift
 shift
 while getopts 'a:' OPTION
 do
   case $OPTION in
   a)	aflag=1
 		rules="$OPTARG"
 		;;
   ?)	usage
                 unlock_exit 2 $lock $locked
 		;;
   esac
 done

 if [ "$aflag" != "1" ]
 then
   usage
   unlock_exit 2 $lock $locked
 fi

 if [ -n "$rules" ]
 then
   rules_list=$(echo $rules | cut -d, -f1- --output-delimiter=" ")
 fi

 # rule format
 # protocal:sport:eport:cidr
 #-a tcp:80:80:0.0.0.0/0::tcp:220:220:0.0.0.0/0:,tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
 #    if any entry is reverted , entry will be in the format reverted:0:0:0
 # example : tcp:80:80:0.0.0.0/0:, tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0

 success=0

 fw_egress_chain
 for r in $rules_list
 do
   fw_entry_for_egress $r
   success=$?
   if [ $success -gt 0 ]
   then
     logger -t cloud "failure to apply fw egress rules "
     break
   else
     logger -t cloud "successful in applying fw egress rules"
   fi
 done

 if [ $success -gt 0 ]
 then
   logger -t cloud "restoring from backup for guest network"
   fw_egress_backup_restore
 else
   logger -t cloud "deleting backup for guest network"
 fi

 fw_egress_remove_backup

 unlock_exit $success $lock $locked
	#!/usr/bin/env bash
	# Licensed to the Apache Software Foundation (ASF) under one
	# or more contributor license agreements. See the NOTICE file
	# distributed with this work for additional information
	# regarding copyright ownership. The ASF licenses this file
	# to you under the Apache License, Version 2.0 (the
	# "License"); you may not use this file except in compliance
	# with the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing,
	# software distributed under the License is distributed on an
	# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	# KIND, either express or implied. See the License for the
	# specific language governing permissions and limitations
	# under the License.
	# $Id: firewallRule_egress.sh 9947 2013-01-17 19:34:24Z manuel $ $HeadURL: svn://svn.lab.vmops.com/repos/vmdev/java/patches/xenserver/root/firewallRule_egress.sh $
	# firewallRule_egress.sh -- allow some ports / protocols from vm instances
	# @VERSION@

	source /root/func.sh

	lock="biglock"
	locked=$(getLockFile $lock)
	if [ "$locked" != "1" ]
	then
	exit 1
	fi
	#set -x
	usage() {
	printf "Usage: %s: -a protocol:startport:endport:sourcecidrs> \n" $(basename $0) >&2
	printf "sourcecidrs format: cidr1-cidr2-cidr3-...\n"
	}

	fw_egress_remove_backup() {
	sudo iptables -D FW_OUTBOUND -j _FW_EGRESS_RULES
	sudo iptables -F _FW_EGRESS_RULES
	sudo iptables -X _FW_EGRESS_RULES
	}

	fw_egress_save() {
	sudo iptables -E FW_EGRESS_RULES _FW_EGRESS_RULES
	}

	fw_egress_chain () {
	#supress errors 2>/dev/null
	fw_egress_remove_backup
	fw_egress_save
	sudo iptables -N FW_EGRESS_RULES
	sudo iptables -A FW_OUTBOUND -j FW_EGRESS_RULES
	}

	fw_egress_backup_restore() {
	sudo iptables -A FW_OUTBOUND -j FW_EGRESS_RULES
	sudo iptables -E _FW_EGRESS_RULES FW_EGRESS_RULES
	fw_egress_remove_backup
	}


	fw_entry_for_egress() {
	local rule=$1

	local prot=$(echo $rule \| cut -d: -f2)
	local sport=$(echo $rule \| cut -d: -f3)
	local eport=$(echo $rule \| cut -d: -f4)
	local cidrs=$(echo $rule \| cut -d: -f5 \| sed 's/-/ /g')
	if [ "$sport" == "0" -a "$eport" == "0" ]
	then
	DPORT=""
	else
	DPORT="--dport $sport:$eport"
	fi
	logger -t cloud "$(basename $0): enter apply fw egress rules for guest $prot:$sport:$eport:$cidrs"

	for lcidr in $cidrs
	do
	[ "$prot" == "reverted" ] && continue;
	if [ "$prot" == "icmp" ]
	then
	typecode="$sport/$eport"
	[ "$eport" == "-1" ] && typecode="$sport"
	[ "$sport" == "-1" ] && typecode="any"
	sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr --icmp-type $typecode \
	-j ACCEPT
	result=$?
	elif [ "$prot" == "all" ]
	then
	sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr -j ACCEPT
	result=$?
	else
	sudo iptables -A FW_EGRESS_RULES -p $prot -s $lcidr \
	$DPORT -j ACCEPT
	result=$?
	fi

	[ $result -gt 0 ] &&
	logger -t cloud "Error adding iptables entry for guest network $prot:$sport:$eport:$cidrs" &&
	break
	done

	logger -t cloud "$(basename $0): exit apply egress firewall rules for guest network"
	return $result
	}


	aflag=0
	rules=""
	rules_list=""
	ip=""
	dev=""
	shift
	shift
	while getopts 'a:' OPTION
	do
	case $OPTION in
	a) aflag=1
	rules="$OPTARG"
	;;
	?) usage
	unlock_exit 2 $lock $locked
	;;
	esac
	done

	if [ "$aflag" != "1" ]
	then
	usage
	unlock_exit 2 $lock $locked
	fi

	if [ -n "$rules" ]
	then
	rules_list=$(echo $rules \| cut -d, -f1- --output-delimiter=" ")
	fi

	# rule format
	# protocal:sport:eport:cidr
	#-a tcp:80:80:0.0.0.0/0::tcp:220:220:0.0.0.0/0:,tcp:222:222:192.168.10.0/24-75.57.23.0/22-88.100.33.1/32
	# if any entry is reverted , entry will be in the format reverted:0:0:0
	# example : tcp:80:80:0.0.0.0/0:, tcp:220:220:0.0.0.0/0:,200.1.1.2:reverted:0:0:0

	success=0

	fw_egress_chain
	for r in $rules_list
	do
	fw_entry_for_egress $r
	success=$?
	if [ $success -gt 0 ]
	then
	logger -t cloud "failure to apply fw egress rules "
	break
	else
	logger -t cloud "successful in applying fw egress rules"
	fi
	done

	if [ $success -gt 0 ]
	then
	logger -t cloud "restoring from backup for guest network"
	fw_egress_backup_restore
	else
	logger -t cloud "deleting backup for guest network"
	fi

	fw_egress_remove_backup

	unlock_exit $success $lock $locked