florian.haas at linbit
Jul 20, 2009, 9:51 AM
Post #1 of 5
(1182 views)
Permalink
|
|
[PATCH] RA: portblock: [updated] add ability to filter on a per-IP basis
|
|
# HG changeset patch
# User Florian Haas <florian.haas [at] linbit>
# Date 1248108690 -7200
# Node ID b31687c07100a7b0aca6f49edadb7b554bf1cf65
# Parent 64f4592952ea4530b1396bacc21ba7911659d459
RA: portblock: [updated] add ability to filter on a per-IP basis
This patch allows to block access to a destination IP address and
port, as opposed to just the port. It retains the previous default
behavior by using the wildcard address 0.0.0.0/0 as the destination IP
by default.
Please credit Phil Reisner <philipp.reisner [at] linbit> as the patch
author. I only added the default and heartbeat R1 compatible wrapper.
This updated patch fixes $OCF_RESOURCE_INSTANCE, which was incorrectly
set in the R1 wrapper.
Andrew or Lars, maybe one of you can review this in Dejan's
absence. Thanks!
Cheers,
Florian
diff -r 64f4592952ea -r b31687c07100 resources/OCF/portblock
--- a/resources/OCF/portblock Wed Jul 15 15:10:57 2009 +0200
+++ b/resources/OCF/portblock Mon Jul 20 18:51:30 2009 +0200
@@ -12,12 +12,17 @@
# OCF_RESKEY_protocol
# OCF_RESKEY_portno
# OCF_RESKEY_action
+# OCF_RESKEY_ip
#######################################################################
# Initialization:
. ${OCF_ROOT}/resource.d/heartbeat/.ocf-shellfuncs
. ${HA_DIR}/shellfuncs
+# Defaults
+OCF_RESKEY_ip_default="0.0.0.0/0"
+
+: ${OCF_RESKEY_ip=${OCF_RESKEY_ip_default}}
#######################################################################
CMD=`basename $0`
@@ -86,6 +91,14 @@
<content type="integer" default="" />
</parameter>
+<parameter name="ip" unique="0" required="0">
+<longdesc lang="en">
+The IP address used to be blocked/unblocked.
+</longdesc>
+<shortdesc lang="en">ip</shortdesc>
+<content type="string" default="${OCF_RESKEY_ip_default}" />
+</parameter>
+
<parameter name="action" unique="0" required="1">
<longdesc lang="en">
The action (block/unblock) to be done on the protocol::portno.
@@ -127,13 +140,13 @@
{
w="[ ][ ]*"
any="0\\.0\\.0\\.0/0"
- echo "^DROP${w}${1}${w}--${w}${any}${w}${any}${w}multiport${w}dports${w}${2} "
+ echo "^DROP${w}${1}${w}--${w}${any}${w}${3}${w}multiport${w}dports${w}${2} "
}
-#chain_isactive {udp|tcp} portno,portno
+#chain_isactive {udp|tcp} portno,portno ip
chain_isactive()
{
- PAT=`active_grep_pat "$1" "$2"`
+ PAT=`active_grep_pat "$1" "$2" "$3"`
$IPTABLES -n -L INPUT | grep "$PAT" >/dev/null
}
@@ -152,13 +165,13 @@
echo "$CMD DROP rule for INPUT chain [$*] is inactive"
}
-#IptablesStatus {udp|tcp} portno,portno {block|unblock}
+#IptablesStatus {udp|tcp} portno,portno ip {block|unblock}
IptablesStatus() {
local rc
rc=$OCF_ERR_GENERIC
activewords="$CMD $1 $2 is running (OK)"
- if chain_isactive "$1" "$2"; then
- case $3 in
+ if chain_isactive "$1" "$2" "$3"; then
+ case $4 in
block)
SayActive $*
rc=$OCF_SUCCESS
@@ -169,7 +182,7 @@
;;
esac
else
- case $3 in
+ case $4 in
block)
if ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" status; then
SayConsideredActive $*
@@ -190,27 +203,27 @@
return $rc
}
-#IptablesBLOCK {udp|tcp} portno,portno
+#IptablesBLOCK {udp|tcp} portno,portno ip
IptablesBLOCK()
{
if
- chain_isactive "$1" "$2"
+ chain_isactive "$1" "$2" "$3"
then
: OK -- chain already active
else
- $IPTABLES -I INPUT -p "$1" -m multiport --dports "$2" -j DROP
+ $IPTABLES -I INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP
fi
return $?
}
-#IptablesUNBLOCK {udp|tcp} portno,portno
+#IptablesUNBLOCK {udp|tcp} portno,portno ip
IptablesUNBLOCK()
{
if
- chain_isactive "$1" "$2"
+ chain_isactive "$1" "$2" "$3"
then
- $IPTABLES -D INPUT -p "$1" -m multiport --dports "$2" -j DROP
+ $IPTABLES -D INPUT -p "$1" -d "$3" -m multiport --dports "$2" -j DROP
else
: Chain Not active
fi
@@ -218,11 +231,11 @@
return $?
}
-#IptablesStart {udp|tcp} portno,portno {block|unblock}
+#IptablesStart {udp|tcp} portno,portno ip {block|unblock}
IptablesStart()
{
ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" start
- case $3 in
+ case $4 in
block) IptablesBLOCK "$@";;
unblock) IptablesUNBLOCK "$@";;
*) usage; return 1;
@@ -231,11 +244,11 @@
return $?
}
-#IptablesStop {udp|tcp} portno,portno {block|unblock}
+#IptablesStop {udp|tcp} portno,portno ip {block|unblock}
IptablesStop()
{
ha_pseudo_resource "${OCF_RESOURCE_INSTANCE}" stop
- case $3 in
+ case $4 in
block) IptablesUNBLOCK "$@";;
unblock) IptablesBLOCK "$@";;
*) usage; return 1;;
@@ -326,18 +339,19 @@
protocol=$OCF_RESKEY_protocol
portno=$OCF_RESKEY_portno
action=$OCF_RESKEY_action
+ip=$OCF_RESKEY_ip
case $1 in
start)
- IptablesStart $protocol $portno $action
+ IptablesStart $protocol $portno $ip $action
;;
stop)
- IptablesStop $protocol $portno $action
+ IptablesStop $protocol $portno $ip $action
;;
status|monitor)
- IptablesStatus $protocol $portno $action
+ IptablesStatus $protocol $portno $ip $action
;;
validate-all)
diff -r 64f4592952ea -r b31687c07100 resources/heartbeat/portblock.in
--- a/resources/heartbeat/portblock.in Wed Jul 15 15:10:57 2009 +0200
+++ b/resources/heartbeat/portblock.in Mon Jul 20 18:51:30 2009 +0200
@@ -1,3 +1,4 @@
+
#!/bin/sh
#
#
@@ -24,10 +25,11 @@
OCF_RESKEY_protocol=$1
OCF_RESKEY_portno=$2
OCF_RESKEY_action=$3
-export OCF_RESKEY_action OCF_RESKEY_portno OCF_RESKEY_action
+OCF_RESKEY_ip=$4
+export OCF_RESKEY_action OCF_RESKEY_portno OCF_RESKEY_action OCF_RESKEY_ip
OCF_TYPE=portblock
-OCF_RESOURCE_INSTANCE=${OCF_TYPE}_$1_$2_$3
+OCF_RESOURCE_INSTANCE=${OCF_TYPE}_$1_$2_$3_$4
export OCF_TYPE OCF_RESOURCE_INSTANCE
ra_execocf $4
_______________________________________________________
Linux-HA-Dev: Linux-HA-Dev [at] lists
http://lists.linux-ha.org/mailman/listinfo/linux-ha-dev
Home Page: http://linux-ha.org/
|
signature.asc
