From: Evan Broder Date: Sun, 5 Oct 2008 05:23:04 +0000 (-0400) Subject: invirt-configurize sipb-xen-iptables X-Git-Tag: sipb-xen-iptables/2^0 X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/invirt-web.git/commitdiff_plain/41910267b9c749ae6d6f49fd2569600689dd9914 invirt-configurize sipb-xen-iptables svn path=/trunk/packages/sipb-xen-iptables/; revision=1055
---
diff --git a/code/iptables.rules b/code/iptables.rules
deleted file mode 100644
index 7587a89..0000000
--- a/code/iptables.rules
+++ /dev/null
@@ -1,17 +0,0 @@
-*nat
-:PREROUTING ACCEPT [5:300]
-:POSTROUTING ACCEPT [8:674]
-:OUTPUT ACCEPT [8:674]
--A PREROUTING -s ! 18.181.0.60 -i eth0 -p tcp -m tcp --dport 10003 -j DNAT --to-destination 18.181.0.60:10003
--A POSTROUTING -d 18.181.0.60 -o eth0 -p tcp -m tcp --dport 10003 -j SNAT --to-source 18.181.0.62
--A PREROUTING -s ! 18.181.0.165 -i eth0 -p tcp -m tcp --dport 10004 -j DNAT --to-destination 18.181.0.165:10003
--A POSTROUTING -d 18.181.0.165 -o eth0 -p tcp -m tcp --dport 10003 -j SNAT --to-source 18.181.0.62
-COMMIT
-
-*filter
-:INPUT ACCEPT [366:44912]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [292:53151]
--A FORWARD -d 18.181.0.60 -i eth0 -o eth0 -p tcp -m tcp --dport 10003 -j ACCEPT
--A FORWARD -d 18.181.0.165 -i eth0 -o eth0 -p tcp -m tcp --dport 10003 -j ACCEPT
-COMMIT
diff --git a/config.todo b/config.todo
deleted file mode 100644
index a6abc51..0000000
--- a/config.todo
+++ /dev/null
@@ -1,22 +0,0 @@ -# will differ dev/prod -files/etc/apache2/sites-available/ssl: web hostname -files/etc/apache2/sites-available/svn: web hostname -code/Makefile: base URI - -# may differ dev/prod? -files/etc/apache2/sites-available/default: assumes trac -files/etc/init.d/apache2.invirt: afs cell (for svn?) -code/templates/error.tmpl: xvm@mit.edu -code/templates/help.tmpl: assumes trac -code/templates/list.tmpl: SIPB Virtual Servers -code/templates/skeleton.tmpl: SIPB Virtual Servers (twice) -code/templates/skeleton.tmpl: xvm@mit.edu -code/templates/unauth.tmpl: tons of text -code/templates/unauth.tmpl: https://xvm.mit.edu -code/static/about.html: tons of text -code/static/about.html: SIPB Virtual Servers - -# will take real code to generalize -code/getafsgroups.py: lockers, /mit -code/getafsgroups.py: use of pts for authz -code/main.py: lockers, pts, in help text diff --git a/debian/changelog b/debian/changelog index 84320f2..aeb4e05 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,137 +1,11 @@ -sipb-xen-www (3.14.3) unstable; urgency=low +sipb-xen-iptables (2) unstable; urgency=low - * Actually stop Apache on shutdown + * invirt-configurize sipb-xen-iptables - -- Evan Broder Sun, 05 Oct 2008 00:24:40 -0400 + -- Evan Broder Sun, 05 Oct 2008 01:22:25 -0400 -sipb-xen-www (3.14.2) unstable; urgency=low - - * Be a good debian package and undo what you did on uninstall - - -- Evan Broder Sun, 05 Oct 2008 00:06:30 -0400 - -sipb-xen-www (3.14.1) unstable; urgency=low - - * Try again, now that I actually understand what the problem is - - -- Evan Broder Sat, 04 Oct 2008 23:58:46 -0400 - -sipb-xen-www (3.14) unstable; urgency=low - - * Try to fix startup ordering problem by specifying that the new startup - script depends on $remote_fs - - -- Evan Broder Sat, 04 Oct 2008 23:32:14 -0400 - -sipb-xen-www (3.13.1) unstable; urgency=low - - * Don't add another Listen 443 directive - apache gets angry - * And this, kids, is why you should always test your code before - committing - - -- Evan broder Fri, 03 Oct 2008 22:01:22 -0400 - -sipb-xen-www (3.13) unstable; urgency=low - - * Make sure we're listening on all the necessary ports - - -- Evan Broder Fri, 03 Oct 2008 21:40:47 -0400 - -sipb-xen-www (3.12) unstable; urgency=low - - * invirt-confiscate the SVN checkout - - -- Evan Broder Fri, 03 Oct 2008 21:01:33 -0400 - -sipb-xen-www (3.11) unstable; urgency=low - - * fix distribution - - -- Greg Price Tue, 30 Sep 2008 23:48:37 -0400 - -sipb-xen-www (3.10) hardy; urgency=low - - * depend on debathena-afs-config and python-flup - - -- Greg Price Mon, 29 Sep 2008 05:58:01 +0000 - -sipb-xen-www (3.9) unstable; urgency=low - - * further integration of invirt.config - - -- Yang Zhang Fri, 8 Aug 2008 02:39:15 -0400 - -sipb-xen-www (3.8) unstable; urgency=low - - * sipb_xen_database -> invirt.database in cache_acls.py - - -- Yang Zhang Sun, 3 Aug 2008 19:45:19 -0400 - -sipb-xen-www (3.7) unstable; urgency=low - - uncommitted changes in /etc/apache2 on 
xvm.mit.edu: - * rewrite static/ uris for admin mode - * allow ~ uris - - * take instance from keytab in k5start apache2.init wrapper - - -- Greg Price Mon, 4 Aug 2008 01:22:47 -0400 - -sipb-xen-www (3.6) unstable; urgency=low - - * Add Anders' kstart-using apache2 init script. - * Add some dependencies the svn site needs. - * Use daemon/xvm-2.mit.edu for svn site, as it's on xvm-2 now - - -- Greg Price Fri, 1 Aug 2008 20:23:50 -0400 - -sipb-xen-www (3.5) unstable; urgency=low - - * Use FCGI. - * Lengthen timeouts to let the autoinstaller work. - - -- Greg Price Sun, 15 Jun 2008 21:51:59 -0400 - -sipb-xen-www (3.4) unstable; urgency=low - - * xvm.mit.edu rather than sipb-xen-dev.mit.edu - - -- Greg Price Sun, 11 May 2008 00:49:58 -0400 - -sipb-xen-www (3.3) unstable; urgency=low - - * Fix the SVN server to point to the new AFS mountpoint - - -- Evan Broder Fri, 9 May 2008 02:37:21 -0400 - -sipb-xen-www (3.2) unstable; urgency=low - - * Check in (part of?) the Apache config. - * Modify it to allow an informative front page without certs. - * Add that front page. - - -- Greg Price Fri, 9 May 2008 02:11:04 -0400 - -sipb-xen-www (3.1) unstable; urgency=low - - * Fixed the crontab definition - - -- SIPB Xen Project Mon, 31 Mar 2008 05:49:32 -0400 - -sipb-xen-www (3) unstable; urgency=low - - * Refresh the ACL cache every 5 minutes - - -- SIPB Xen Project Mon, 31 Mar 2008 05:38:16 -0400 - -sipb-xen-www (2) unstable; urgency=low - - * Create sipb-xen group in preinst script. - - -- Eric Price Sat, 29 Mar 2008 18:45:02 -0400 - -sipb-xen-www (1) unstable; urgency=low +sipb-xen-iptables (1) unstable; urgency=low * Initial Release. - -- SIPB Xen Project Fri, 28 Mar 2008 22:43:12 -0500 + -- SIPB Xen Project Fri, 28 Mar 2008 21:22:12 -0500 diff --git a/debian/rules b/debian/rules index 1c529e4..e6192f6 100755 --- a/debian/rules +++ b/debian/rules 
@@ -1,13 +1,3 @@ #!/usr/bin/make -f -DEB_DIVERT_EXTENSION = .invirt -DEB_DIVERT_FILES_sipb-xen-www += \ - /etc/init.d/apache2 - include /usr/share/cdbs/1/rules/debhelper.mk -include /usr/share/cdbs/1/rules/config-package.mk - -DEB_UPDATE_RCD_PARAMS_sipb-xen-www += defaults 91 9 - -binary-fixup/sipb-xen-www:: - svn co $$(invirt-getconf svn.uri)/trunk/packages/sipb-xen-www/code/ $(DEB_DESTDIR)/var/www/sipb-xen-www diff --git a/debian/sipb-xen-iptables.init b/debian/sipb-xen-iptables.init new file mode 100755 index 0000000..1c8d933 --- /dev/null +++ b/debian/sipb-xen-iptables.init 
@@ -0,0 +1,116 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: sipb-xen-iptables
+# Required-Start: $local_fs $remote_fs
+# Required-Stop: $local_fs $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: sipb-xen iptables rules
+# Description:
+### END INIT INFO
+
+# Author: SIPB Xen Project
+
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="Load the sipb-xen iptables rules"
+NAME=sipb-xen-iptables
+RULES=/usr/share/sipb-xen-iptables/iptables.rules
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+ for i in /usr/share/sipb-xen-iptables/iptables.rules
+ do mako-render $i.mako > $i
+ done
+
+ /sbin/iptables-restore < $RULES
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ return 0
+}
+
+case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ do_start
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ case "$?"
in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + #reload|force-reload) + # + # If do_reload() is not implemented then leave this commented out + # and leave 'force-reload' as an alias for 'restart'. + # + #log_daemon_msg "Reloading $DESC" "$NAME" + #do_reload + #log_end_msg $? + #;; + restart|force-reload) + # + # If the "reload" option is implemented then remove the + # 'force-reload' alias + # + log_daemon_msg "Restarting $DESC" "$NAME" + do_stop + case "$?" in + 0|1) + do_start + case "$?" in + 0) log_end_msg 0 ;; + 1) log_end_msg 1 ;; # Old process is still running + *) log_end_msg 1 ;; # Failed to start + esac + ;; + *) + # Failed to stop + log_end_msg 1 + ;; + esac + ;; + *) + #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 + echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2 + exit 3 + ;; +esac + +: diff --git a/files/usr/share/sipb-xen-iptables/iptables.rules.mako b/files/usr/share/sipb-xen-iptables/iptables.rules.mako new file mode 100644 index 0000000..a8f218b --- /dev/null +++ b/files/usr/share/sipb-xen-iptables/iptables.rules.mako @@ -0,0 +1,26 @@ +<% + +from invirt.config import structs as cfg +h_port = cfg.vnc.base_port +port = cfg.vnc.base_port + +%>\ +*nat +:PREROUTING ACCEPT [5:300] +:POSTROUTING ACCEPT [8:674] +:OUTPUT ACCEPT [8:674] +% for h in cfg.hosts: +-A PREROUTING -s ! ${h.ip} -i eth0 -p tcp -m tcp --dport ${port} -j DNAT --to-destination ${h.ip}:${h_port} +-A POSTROUTING -d ${h.ip} -o eth0 -p tcp -m tcp --dport ${h_port} -j SNAT --to-source ${cfg.vnc.proxy_ip} +<% port += 1 %> +% endfor +COMMIT + +*filter +:INPUT ACCEPT [366:44912] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [292:53151] +% for h in cfg.hosts: +-A FORWARD -d ${h.ip} -i eth0 -o eth0 -p tcp -m tcp --dport ${h_port} -j ACCEPT +% endfor +COMMIT
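Review bot: `do_start` reports success even when no rules were loaded: the `0|1)` arm of the `start)` case treats a failing `iptables-restore` (exit status 1) as success, and the `mako-render $i.mako > $i` line is not checked at all, so when rendering fails (for example because the invirt config cannot be read) the truncated output left in `$RULES` is still handed to `iptables-restore` and the boot log says "ok". The function should render to a temporary file, replace the rules file only on success, and return 2 on any failure, which is what the comment block above it promises and what the `2)` arm already handles; the rewrite below does that. `$SCRIPTNAME` in the usage message at the bottom is never assigned anywhere in this file, so the message prints an empty script name; `SCRIPTNAME=/etc/init.d/$NAME` next to the `NAME=` line fixes it. `do_stop` returns 0 without touching any table, so the DNAT/SNAT and FORWARD rules stay active after `stop`; if that is intended, a one-line comment saying so (`# Rules are deliberately left in place on stop`) would save the next reader a question.
```shell
do_start()
{
	# Return
	#   0 if the rules were rendered and loaded
	#   2 if rendering or loading failed
	for i in $RULES
	do
		mako-render $i.mako > $i.tmp || { rm -f $i.tmp; return 2; }
		mv $i.tmp $i
	done

	/sbin/iptables-restore < $RULES || return 2
	return 0
}
```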
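Review bot: The external port each host gets is `base_port` plus that host's position in `cfg.hosts` (the `<% port += 1 %>` at the end of the first loop), so inserting or removing a host in the config silently shifts the port of every host after it; nothing in the template states that. A comment in the opening `<% %>` block along the lines of `# h_port: port the VNC service listens on, the same on every host` and `# port: external port on the proxy, base_port + index of h in cfg.hosts (order-dependent)` would make the contract explicit, and a name such as `host_port` instead of `h_port` would help. The chain counters `[5:300]`, `[8:674]`, `[366:44912]`, `[292:53151]` look copied from a live `iptables-save` dump; `[0:0]` is the conventional value in a template, since as far as I can tell they are only restored with `iptables-restore -c`, which the init script does not pass. The `-s ! ${h.ip}` negation is the intrapositioned form that later iptables releases deprecate in favour of `! -s ${h.ip}`; whether the target release still accepts it cannot be told from here.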