Skip to content

Commit

Permalink
Firewalld Fix logger
Browse files Browse the repository at this point in the history
  • Loading branch information
@JeGoi
JeGoi committed May 17, 2024
1 parent 2e59da9 commit 77e3f89
Showing 1 changed file with 69 additions and 57 deletions.
126 changes: 69 additions & 57 deletions lib/pf/firewalld.pm
View file
Original file line number Diff line number Diff line change
Expand Up @@ -157,9 +157,10 @@ sub firewalld_generate_pfconf_configs {

sub fd_create_all_zones {
my $name_files = util_get_name_files_from_dir("zones");
my $logger = get_logger();
foreach my $tint ( @listen_ints ) {
if ( defined $name_files && exists $name_files->{$tint} ) {
get_logger->error( "Network Interface $tint is handle by configuration files" );
$logger->error( "Network Interface $tint is handle by configuration files" );
} else {
util_firewalld_job( " --permanent --delete-zone=$tint" );
util_firewalld_job( " --permanent --new-zone=$tint" );
Expand Down Expand Up @@ -322,26 +323,28 @@ sub fd_radiusd_lb_rules {
sub fd_proxysql_rules {
# Proxysql
my $action = shift;
my $logger = get_logger();
if ( util_reload_firewalld() ) {
my $tint = $management_network->{Tint};
service_to_zone($tint, $action, "proxysql");
util_reload_firewalld();
} else {
get_logger()->warn("Firewalld is not started yet");
$logger->warn("Firewalld is not started yet");
print("FD Not started");
}
}

sub fd_haproxy_admin_rules {
# Web Admin
my $action = shift;
my $logger = get_logger();
if ( util_reload_firewalld() ) {
my $tint = $management_network->{Tint};
my $web_admin_port = $Config{'ports'}{'admin'};
util_direct_rule( "ipv4 filter INPUT 0 -i $tint -p tcp --match tcp --dport $web_admin_port -j ACCEPT", $action );
util_reload_firewalld();
} else {
get_logger()->warn("Firewalld is not started yet");
$logger->warn("Firewalld is not started yet");
print("FD Not started");
}
}
Expand Down Expand Up @@ -371,14 +374,15 @@ sub fd_httpd_aaa_rules {
sub fd_api_frontend_rules {
# Unified API
my $action = shift;
my $logger = get_logger();
if ( util_reload_firewalld() ) {
my $mgnt_zone = $management_network->{Tint};
my $unifiedapi_port = $Config{'ports'}{'unifiedapi'};
util_direct_rule( "ipv4 filter INPUT 0 -i $mgnt_zone -p tcp --match tcp --dport $unifiedapi_port -j ACCEPT", $action );
service_to_zone( $mgnt_zone, $action, "api_frontend");
util_reload_firewalld();
} else {
get_logger()->warn("Firewalld is not started yet");
$logger->warn("Firewalld is not started yet");
print("FD Not started");
}
}
Expand Down Expand Up @@ -471,7 +475,6 @@ sub fd_pfdns_rules {
service_to_zone($tint, $action, "dns");
}
# OAuth
oauth_passthrough_rules();
my $internal_portal_ip = $Config{captive_portal}{ip_address};
foreach my $interface (@internal_nets) {
my @all_dev_rules;
Expand All @@ -488,18 +491,18 @@ sub fd_pfdns_rules {
util_direct_rule( "ipv4 filter INPUT 0 -i $tint -d $internal_portal_ip -p udp -m udp --dport 53 -j ACCEPT", $action );
}
}
oauth_passthrough_rules();
util_reload_firewalld();
}

sub oauth_passthrough_rules {
my $action = shift;
my $logger = get_logger();
# OAuth
my $passthrough_enabled = (isenabled($Config{'fencing'}{'passthrough'}) || isenabled($Config{'fencing'}{'isolation_passthrough'}));
my $isolation_passthrough_enabled = isenabled($Config{'fencing'}{'isolation_passthrough'});
if ($passthrough_enabled) {
my $logger = get_logger();
$logger->info("Adding Forward rules to allow connections to the OAuth2 Providers and passthrough.");
my $passthrough_enabled = (isenabled($Config{'fencing'}{'passthrough'}) || isenabled($Config{'fencing'}{'isolation_passthrough'}));
my $isolation_passthrough_enabled = isenabled($Config{'fencing'}{'isolation_passthrough'});
foreach my $interface (@internal_nets) {
my $tint = $interface->tag("int");
my $ip = $interface->tag("vip") || $interface->tag("ip");
Expand Down Expand Up @@ -651,7 +654,6 @@ sub fd_pfdhcp_rules {

sub fd_pfipset_rules {
my $action = shift;
pfipset_provisioning_passthroughs();
my $passthrough_enabled = (isenabled($Config{'fencing'}{'passthrough'}) || isenabled($Config{'fencing'}{'isolation_passthrough'}));
my $isolation_passthrough_enabled = isenabled($Config{'fencing'}{'isolation_passthrough'});
foreach my $interface (@internal_nets) {
Expand Down Expand Up @@ -682,54 +684,55 @@ sub fd_pfipset_rules {
}
}
}
pfipset_provisioning_passthroughs();
util_reload_firewalld();
}

sub pfipset_provisioning_passthroughs {
my $logger = get_logger();
$logger->debug("Installing passthroughs for provisioning");
foreach my $config (tied(%ConfigProvisioning)->search(type => 'kandji')) {
$logger->info("Adding passthrough for Kandji");
my $enroll_host = $config->{enroll_url} ? URI->new($config->{enroll_url})->host : $config->{host};
my $enroll_port = $config->{enroll_url} ? URI->new($config->{enroll_url})->port : $config->{port};
my $cmd = untaint_chain("sudo ipset --add pfsession_passthrough ".$enroll_host.",".$enroll_port." 2>&1");
pf_run($cmd);
}
my $passthrough_enabled = (isenabled($Config{'fencing'}{'passthrough'}) || isenabled($Config{'fencing'}{'isolation_passthrough'}));
if ($passthrough_enabled) {
$logger->debug("Installing passthroughs for provisioning");
foreach my $config (tied(%ConfigProvisioning)->search(type => 'kandji')) {
$logger->info("Adding passthrough for Kandji");
my $enroll_host = $config->{enroll_url} ? URI->new($config->{enroll_url})->host : $config->{host};
my $enroll_port = $config->{enroll_url} ? URI->new($config->{enroll_url})->port : $config->{port};
my $cmd = untaint_chain("sudo ipset --add pfsession_passthrough ".$enroll_host.",".$enroll_port." 2>&1");
pf_run($cmd);
}

foreach my $config (tied(%ConfigProvisioning)->search(type => 'mobileiron')) {
$logger->info("Adding passthrough for MobileIron");
# Allow the host for the onboarding of devices
my $cmd = untaint_chain("sudo ipset --add pfsession_passthrough $config->{boarding_host},$config->{boarding_port} 2>&1");
my @lines = pf_run($cmd);
# Allow http communication with the MobileIron server
$cmd = untaint_chain("sudo ipset --add pfsession_passthrough $config->{boarding_host},$HTTP_PORT 2>&1");
pf_run($cmd);
# Allow https communication with the MobileIron server
$cmd = untaint_chain("sudo ipset --add pfsession_passthrough $config->{boarding_host},$HTTPS_PORT 2>&1");
pf_run($cmd);
}
foreach my $config (tied(%ConfigProvisioning)->search(type => 'mobileiron')) {
$logger->info("Adding passthrough for MobileIron");
# Allow the host for the onboarding of devices
my $cmd = untaint_chain("sudo ipset --add pfsession_passthrough $config->{boarding_host},$config->{boarding_port} 2>&1");
my @lines = pf_run($cmd);
# Allow http communication with the MobileIron server
$cmd = untaint_chain("sudo ipset --add pfsession_passthrough $config->{boarding_host},$HTTP_PORT 2>&1");
pf_run($cmd);
# Allow https communication with the MobileIron server
$cmd = untaint_chain("sudo ipset --add pfsession_passthrough $config->{boarding_host},$HTTPS_PORT 2>&1");
pf_run($cmd);
}

foreach my $config (tied(%ConfigProvisioning)->search(type => 'opswat')) {
$logger->info("Adding passthrough for OPSWAT");
# Allow http communication with the OSPWAT server
my $cmd = untaint_chain("sudo ipset --add pfsession_passthrough $config->{host},$HTTP_PORT 2>&1");
pf_run($cmd);
# Allow https communication with the OPSWAT server
$cmd = untaint_chain("sudo ipset --add pfsession_passthrough $config->{host},$HTTPS_PORT 2>&1");
pf_run($cmd);
}
foreach my $config (tied(%ConfigProvisioning)->search(type => 'opswat')) {
$logger->info("Adding passthrough for OPSWAT");
# Allow http communication with the OSPWAT server
my $cmd = untaint_chain("sudo ipset --add pfsession_passthrough $config->{host},$HTTP_PORT 2>&1");
pf_run($cmd);
# Allow https communication with the OPSWAT server
$cmd = untaint_chain("sudo ipset --add pfsession_passthrough $config->{host},$HTTPS_PORT 2>&1");
pf_run($cmd);
}

foreach my $config (tied(%ConfigProvisioning)->search(type => 'sentinelone')) {
$logger->info("Adding passthrough for SentinelOne");
# Allow http communication with the SentinelOne server
my $cmd = untaint_chain("sudo ipset --add pfsession_passthrough $config->{host},$HTTP_PORT 2>&1");
pf_run($cmd);
# Allow https communication with the SentinelOne server
$cmd = untaint_chain("sudo ipset --add pfsession_passthrough $config->{host},$HTTPS_PORT 2>&1" );
pf_run($cmd);
}
my $passthrough_enabled = (isenabled($Config{'fencing'}{'passthrough'}) || isenabled($Config{'fencing'}{'isolation_passthrough'}));
if ($passthrough_enabled) {
foreach my $config (tied(%ConfigProvisioning)->search(type => 'sentinelone')) {
$logger->info("Adding passthrough for SentinelOne");
# Allow http communication with the SentinelOne server
my $cmd = untaint_chain("sudo ipset --add pfsession_passthrough $config->{host},$HTTP_PORT 2>&1");
pf_run($cmd);
# Allow https communication with the SentinelOne server
$cmd = untaint_chain("sudo ipset --add pfsession_passthrough $config->{host},$HTTPS_PORT 2>&1" );
pf_run($cmd);
}
$logger->info("Adding IP based passthrough for connectivitycheck.gstatic.com");
# Allow the host for the onboarding of devices
my $cmd = untaint_chain("sudo ipset --add pfsession_passthrough 172.217.13.99,80 2>&1");
Expand Down Expand Up @@ -769,6 +772,7 @@ sub fd_pfconnector_server_rules {

sub fd_galera_autofix_rules {
my $action = shift;
my $logger = get_logger();
if ( util_reload_firewalld() ) {
foreach my $network ( @ha_ints ) {
my $tint = $network->{Tint};
Expand All @@ -778,19 +782,20 @@ sub fd_galera_autofix_rules {
service_to_zone($tint, $action, "galera-autofix");
}
} else {
get_logger()->warn("Firewalld is not started yet");
$logger->warn("Firewalld is not started yet");
print("FD Not started");
}
}

sub fd_mariadb_rules {
my $action = shift;
my $logger = get_logger();
if ( util_reload_firewalld() ) {
my $tint = $management_network->{Tint};
service_to_zone($tint, $action, "mysql");
util_reload_firewalld();
} else {
get_logger()->warn("Firewalld is not started yet");
$logger->warn("Firewalld is not started yet");
print("FD Not started");
}
}
Expand Down Expand Up @@ -862,7 +867,7 @@ sub fd_radiusd_eduroam_rules {
util_reload_firewalld();
}
else {
get_logger->info( "# eduroam integration is not configured" );
$logger->info( "# eduroam integration is not configured" );
}
}

Expand Down Expand Up @@ -893,29 +898,35 @@ sub generate_chains {
postrouting-inline-routed
prerouting-int-vlan-if
);
my $logger = get_logger();
$logger->info("Generate Chains started.");

for my $chain (@chains) {
generate_chain( "ipv4", "filter", $chain, $action );
}

$logger->info("Generate Chains end.");
}

sub generate_chain {
my $ipv = shift;
my $table = shift;
my $chain = shift;
my $action = shift;
my $logger = get_logger();
if ( ! defined $ipv || $ipv eq "" ){
get_logger->error( "The generate_chain ipv is not defined or empty. default will be 'ipv4'." );
$logger->error( "The generate_chain ipv is not defined or empty. default will be 'ipv4'." );
$ipv = "ipv4";
}
if ( ! defined $table || $table eq "" ){
get_logger->error( "The generate_chain table is not defined or empty. default will be 'filter'." );
$logger->error( "The generate_chain table is not defined or empty. default will be 'filter'." );
$table = "filter";
}
if ( ! defined $action || $action eq "" ){
get_logger->error( "The generate_chain action is not defined or empty. default will be 'add'." );
$logger->error( "The generate_chain action is not defined or empty. default will be 'add'." );
$action = "add";
}
util_chain( "ipv4", "filter", $chain, $action );
util_chain( $ipv, $table, $chain, $action );
}

sub nat_back_inline_rules {
Expand Down Expand Up @@ -1262,11 +1273,12 @@ sub service_to_zone {
my $zone = shift;
my $action = shift;
my $service = shift;
my $logger = get_logger();

if ( defined is_service_available($service) && defined is_zone_available( $zone ) ) {
util_firewalld_job( " --zone=$zone --$action-service=$service --permanent" );
} else {
get_logger->error( "Please run generate config to create services and zones" );
$logger->error( "Please run generate config to create services and zones" );
}
}

Expand Down

0 comments on commit 77e3f89

Please sign in to comment.