--- loncom/configuration/Firewall.pm 2021/12/21 16:42:15 1.25 +++ loncom/configuration/Firewall.pm 2024/09/13 03:52:03 1.28 @@ -1,7 +1,7 @@ # The LearningOnline Network with CAPA # Firewall configuration to allow internal LON-CAPA communication between servers # -# $Id: Firewall.pm,v 1.25 2021/12/21 16:42:15 raeburn Exp $ +# $Id: Firewall.pm,v 1.28 2024/09/13 03:52:03 raeburn Exp $ # # The LearningOnline Network with CAPA # @@ -82,10 +82,11 @@ sub firewall_open_port { return 'inactive firewall' if (!&firewall_is_active()); return 'port number unknown' if !$lond_port; return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY'); - my (@opened,@okchains,$zone); + my (@opened,@okchains,$zone,$firewalld_num_opened); if ($firewalld) { $zone = &get_default_zone(); return 'invalid zone' if ($zone eq ''); + $firewalld_num_opened = 0; } else { my @badchains; foreach my $chain (@{$fw_chains}) { @@ -161,6 +162,7 @@ sub firewall_open_port { close(PIPE); if ($result eq 'success') { push(@lond_port_open,$ip); + $firewalld_num_opened ++; } else { push(@port_error,$ip); } @@ -242,6 +244,7 @@ sub firewall_open_port { close(PIPE); if ($result eq 'success') { push(@opened,$port); + $firewalld_num_opened ++; } else { $port_error = $port; } @@ -282,6 +285,9 @@ sub firewall_open_port { } } } + if ($firewalld && $firewalld_num_opened) { + system('firewall-cmd --runtime-to-permanent'); + } foreach my $port (@{$ports}) { if (!grep(/^\Q$port\E$/,@opened)) { return 'Required port not open: '.$port."\n"; @@ -332,7 +338,7 @@ sub firewall_is_port_open { while() { if ($port eq $lond_port) { if (ref($iphost) eq 'HASH') { - if (/^ACCEPT\s+tcp\s+\-{2}\s+(\S+)\s+\S+\s+tcp\s+dpt\:\Q$port\E/) { + if (/^ACCEPT\s+(?:tcp|6)\s+\-{2}\s+(\S+)\s+\S+\s+tcp\s+dpt\:\Q$port\E/) { my $ip = $1; if ($iphost->{$ip}) { $count ++; @@ -365,6 +371,18 @@ sub firewall_is_active { } close(PIPE); } + unless ($status) { + if (open(PIPE,'nft list tables |')) { + while() { + chomp(); + if (/filter$/) { + $status = 1; + last; + } + } + close(PIPE); + } + } } unless ($status) { $status = &uses_firewalld(); @@ -377,10 +395,11 @@ sub firewall_close_port { return 'inactive firewall' if (!&firewall_is_active()); return 'port number unknown' if !$lond_port; return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY'); - my (@okchains,$zone); + my (@okchains,$zone,$firewalld_num_closed); if ($firewalld) { $zone = &get_default_zone(); return 'no default zone' if ($zone eq ''); + $firewalld_num_closed = 0; } else { my @badchains; foreach my $chain (@{$fw_chains}) { @@ -437,6 +456,7 @@ sub firewall_close_port { close(PIPE); if ($result eq 'success') { push(@lond_port_close,$ip); + $firewalld_num_closed ++; } else { push(@port_error,$ip); } @@ -458,7 +478,7 @@ sub firewall_close_port { while () { chomp(); next unless (/dpt:\Q$port\E/); - if (/^ACCEPT\s+tcp\s+\-{2}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+/) { + if (/^ACCEPT\s+(?:tcp|6)\s+\-{2}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+/) { my $ip = $1; my $keepopen = 0; if (ref($iphost) eq 'HASH') { @@ -525,6 +545,7 @@ sub firewall_close_port { close(PIPE); if ($result eq 'success') { print "Port: $port closed in zone: $zone.\n"; + $firewalld_num_closed ++; } else { print "Error closing port: $port in zone: $zone.\n"; } @@ -565,6 +586,9 @@ sub firewall_close_port { } } } + if ($firewalld && $firewalld_num_closed) { + system('firewall-cmd --runtime-to-permanent'); + } return; } @@ -602,6 +626,7 @@ sub firewall_close_anywhere { close(PIPE); if ($result eq 'success') { print 'Port '.$port.' closed for source "anywhere"'."\n"; + system('firewall-cmd --runtime-to-permanent'); } else { print 'Error closing port '.$port.' for source "anywhere".'."\n"; } @@ -613,7 +638,7 @@ sub firewall_close_anywhere { while () { next unless (/dpt:\Q$port\E/); chomp(); - if (/^(\d+)\s+ACCEPT\s+tcp\s+\-{2}\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0/) { + if (/^(\d+)\s+ACCEPT\s+(?:tcp|6)\s+\-{2}\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0/) { my $firewall_command = "$iptables -D $fw_chain $1"; system($firewall_command); my $return_status = $?>>8;