--- loncom/lciptables 2010/12/30 18:40:19 1.4
+++ loncom/lciptables 2019/06/09 02:35:37 1.9
@@ -2,7 +2,7 @@
 #
 # The Learning Online Network with CAPA
 #
-# $Id: lciptables,v 1.4 2010/12/30 18:40:19 raeburn Exp $
+# $Id: lciptables,v 1.9 2019/06/09 02:35:37 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -73,52 +73,68 @@ if (@ARGV != 1) { &Exit(2); } my $tmpfile = $ARGV[0]; -if (-e $tmpfile) { - if (open(my $fh,"<$tmpfile")) { - while(<$fh>) { - chomp(); - $iphost{$_} = 1; +if ($tmpfile =~ m{^\Q/home/httpd/perl/tmp/lciptables_iphost_\E\d+$}) { + if (-e $tmpfile) { + if (open(my $fh,"<$tmpfile")) { + while(<$fh>) { + chomp(); + if (/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) { + if (($1<=255) && ($2<=255) && ($3<=255) && ($4<=255)) { + $iphost{$_} = 1; + } + } + } + close($fh); + } else { + &Exit(3); } - close($fh); } else { - &Exit(3); + print "Error. File containing IP addresses of hosts in cluster does not exist\n" unless $noprint; + &Exit(3); } } else { - print "Error. File containing IP addresses of hosts in cluster does not exist\n" unless $noprint; + print "Error. Invalid filename for file containing IP addresses\n" unless $noprint; &Exit(3); } -# --------------------------- Handle case of another lciptables process (locking) -unless (&try_to_lock("/tmp/lock_lciptables")) { - print "Error. Too many other simultaneous iptables manipulation requests being ". - "made.\n" unless $noprint; - &Exit(4); -} - +my ($opened,$closed); my $lond_port = &LONCAPA::Firewall::get_lond_port(); +if (($lond_port eq '') || ($lond_port =~ /\D/)) { + print "Error. Invalid lond port\n" unless $noprint; + &Exit(3); +} +my $iptables = &LONCAPA::Firewall::get_pathto_iptables(); +if ($iptables eq '') { + print "Error. 
No path to iptables\n" unless $noprint; + &Exit(3); +} +my ($firewalld) = &LONCAPA::Firewall::uses_firewalld(); &EnableRoot(); - my @fw_chains = &LONCAPA::Firewall::get_fw_chains(); -my $iptables = &LONCAPA::Firewall::get_pathto_iptables(); -my $firewall_result = - &LONCAPA::Firewall::firewall_close_port($iptables,\@fw_chains,$lond_port,\%iphost,[$lond_port]); -if ($firewall_result) { - print "$firewall_result\n"; -} -my $firewall_result = &LONCAPA::Firewall::firewall_open_port($iptables,\@fw_chains,$lond_port,\%iphost,[$lond_port]); -if ($firewall_result) { - print "$firewall_result\n"; +if ($firewalld) { + $<=0; +} +$opened = + &LONCAPA::Firewall::firewall_close_port($iptables,\@fw_chains,$lond_port,\%iphost,[$lond_port],$firewalld); +$closed = + &LONCAPA::Firewall::firewall_open_port($iptables,\@fw_chains,$lond_port,\%iphost,[$lond_port],$firewalld); +if ($firewalld) { + $<=$wwwid; } +&DisableRoot(); # -------------------------------------------------------- Exit script +if ($opened) { + print "$opened\n"; +} +if ($closed) { + print "$closed\n"; +} print "lciptables Exiting\n" unless $noprint; -&DisableRoot; -unlink('/tmp/lock_lciptables'); &Exit(0); - sub EnableRoot { if ($wwwid==$>) { ($<,$>)=($>,$<); @@ -140,42 +156,6 @@ sub DisableRoot { } } -sub try_to_lock { - my ($lockfile)=@_; - my $currentpid; - my $lastpid; - # Do not manipulate lock file as root - if ($>==0) { - return 0; - } - # Try to generate lock file. - # Wait 3 seconds. If same process id is in - # lock file, then assume lock file is stale, and - # go ahead. If process id's fluctuate, try - # for a maximum of 10 times. - for (0..10) { - if (-e $lockfile) { - open(LOCK,"<$lockfile"); - $currentpid=; - close LOCK; - if ($currentpid==$lastpid) { - last; - } - sleep 3; - $lastpid=$currentpid; - } else { - last; - } - if ($_==10) { - return 0; - } - } - open(LOCK,">$lockfile"); - print LOCK $$; - close LOCK; - return 1; -} - sub Exit { my ($code) = @_; &DisableRoot();
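Review bot: The new filename check on `$tmpfile` ends its pattern with `$`, which also matches a string ending in a newline, so a name such as `/home/httpd/perl/tmp/lciptables_iphost_12` followed by `\n` still passes validation, while the 2-arg `open(my $fh,"<$tmpfile")` that follows strips trailing whitespace from the name and so would open a different path than the one `-e` tested (harmless today because `-e` fails first, but the two checks should agree). Anchor with `\z` and use the 3-arg form: `if ($tmpfile =~ m{^\Q/home/httpd/perl/tmp/lciptables_iphost_\E\d+\z}) {` and `if (open(my $fh,'<',$tmpfile)) {`. Separately, the return value of `firewall_close_port` is stored in `$opened` and that of `firewall_open_port` in `$closed`, which reads backwards and makes the later `print "$opened\n"` / `print "$closed\n"` lines easy to misread; swapping the two names (or using `$close_result` / `$open_result`) would fix that without changing behaviour. The script body continues outside the hunk, and `EnableRoot`'s definition is cut at the hunk end.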