Merge invirt-web-iptables into invirt-web and use the new

invirt-iptables interface.

svn path=/trunk/packages/invirt-web/; revision=2863

diff --git a/debian/changelog b/debian/changelog
index acb4e06..c489ddc 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+invirt-web (0.1.4) unstable; urgency=low
+
+  * Merge invirt-web-iptables into invirt-web and use the new
+    invirt-iptables interface.
+
+ -- Evan Broder <broder@mit.edu>  Sun, 03 Jan 2010 16:36:47 -0500
+
 invirt-web (0.1.3) unstable; urgency=low
 
   * Add some more user-friendly error handling for common errors. (LP:

diff --git a/debian/control b/debian/control
index e22a9ff..f2a3f00 100644 (file)
--- a/debian/control
+++ b/debian/control
@@ -10,7 +10,7 @@ Architecture: all
 Depends: ${misc:Depends},
 # other Invirt
  invirt-base, invirt-database,
- invirt-dns, invirt-vnc-client, invirt-web-iptables,
+ invirt-dns, invirt-vnc-client, invirt-iptables,
 # web server
  apache2, libapache2-mod-fcgid, libapache2-svn,
  libapache2-mod-auth-sslcert, libapache2-mod-auth-kerb,
@@ -26,4 +26,5 @@ Depends: ${misc:Depends},
  cron,
 Provides: ${diverted-files}
 Conflicts: ${diverted-files}
+Replaces: invirt-web-iptables (<= 0.0.2)
 Description: the Invirt web interface

diff --git a/debian/invirt-web.init b/debian/invirt-web.init
index e8524ee..ad4c37c 100755 (executable)
--- a/debian/invirt-web.init
+++ b/debian/invirt-web.init
@@ -11,7 +11,7 @@
 
 PACKAGE=invirt-web
 PARENTPACKAGE=apache2
-GEN_FILES=(/etc/apache2/sites-available/{default,ssl,svn})
+GEN_FILES=(/etc/apache2/sites-available/{default,ssl,svn} /etc/invirt-iptables/rules.d/50-invirt-web)
 
 . /lib/init/config-init.sh
 config_init "$1"

diff --git a/files/etc/invirt-iptables/rules.d/50-invirt-web.mako b/files/etc/invirt-iptables/rules.d/50-invirt-web.mako
new file mode 100644 (file)
index 0000000..a8f218b
--- /dev/null
+++ b/files/etc/invirt-iptables/rules.d/50-invirt-web.mako
@@ -0,0 +1,26 @@
+<%
+
+from invirt.config import structs as cfg
+h_port = cfg.vnc.base_port
+port = cfg.vnc.base_port
+
+%>\
+*nat
+:PREROUTING ACCEPT [5:300]
+:POSTROUTING ACCEPT [8:674]
+:OUTPUT ACCEPT [8:674]
+% for h in cfg.hosts:
+-A PREROUTING -s ! ${h.ip} -i eth0 -p tcp -m tcp --dport ${port} -j DNAT --to-destination ${h.ip}:${h_port}
+-A POSTROUTING -d ${h.ip} -o eth0 -p tcp -m tcp --dport ${h_port} -j SNAT --to-source ${cfg.vnc.proxy_ip}
+<% port += 1 %>
+% endfor
+COMMIT
+
+*filter
+:INPUT ACCEPT [366:44912]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [292:53151]
+% for h in cfg.hosts:
+-A FORWARD -d ${h.ip} -i eth0 -o eth0 -p tcp -m tcp --dport ${h_port} -j ACCEPT 
+% endfor
+COMMIT