Commit c284bf82 authored by Francesc Guasch's avatar Francesc Guasch

[#51] close other IPs after opening for client

parent 0b1f1e75
...@@ -98,7 +98,11 @@ before 'start' => \&_start_preconditions; ...@@ -98,7 +98,11 @@ before 'start' => \&_start_preconditions;
after 'start' => \&_post_start; after 'start' => \&_post_start;
before 'pause' => \&_allow_manage; before 'pause' => \&_allow_manage;
after 'pause' => \&_post_pause;
before 'resume' => \&_allow_manage; before 'resume' => \&_allow_manage;
after 'resume' => \&_post_resume;
before 'shutdown' => \&_allow_manage_args; before 'shutdown' => \&_allow_manage_args;
after 'shutdown' => \&_post_shutdown; after 'shutdown' => \&_post_shutdown;
...@@ -700,6 +704,13 @@ sub clone { ...@@ -700,6 +704,13 @@ sub clone {
); );
} }
sub _post_pause {
my $self = shift;
my $user = shift;
$self->_remove_iptables(user => $user);
}
sub _post_shutdown { sub _post_shutdown {
my $self = shift; my $self = shift;
...@@ -715,9 +726,15 @@ sub _remove_iptables { ...@@ -715,9 +726,15 @@ sub _remove_iptables {
my $ipt_obj = _open_iptables(); my $ipt_obj = _open_iptables();
my $iptables = $self->_last_iptable($args->{user}); my $sth = $$CONNECTOR->dbh->prepare(
"UPDATE iptables SET time_deleted=?"
$ipt_obj->delete_ip_rule(@$iptables) if $iptables; ." WHERE id=?"
);
for my $row ($self->_active_iptables($args->{user})) {
my ($id, $iptables) = @$row;
$ipt_obj->delete_ip_rule(@$iptables);
$sth->execute(Ravada::Utils::now(), $id);
}
} }
sub _remove_temporary_machine { sub _remove_temporary_machine {
...@@ -743,6 +760,10 @@ sub _remove_temporary_machine { ...@@ -743,6 +760,10 @@ sub _remove_temporary_machine {
} }
} }
sub _post_resume {
return _post_start(@_);
}
sub _post_start { sub _post_start {
my $self = shift; my $self = shift;
...@@ -771,9 +792,17 @@ sub _add_iptable { ...@@ -771,9 +792,17 @@ sub _add_iptable {
,{'protocol' => 'tcp', 's_port' => 0, 'd_port' => $local_port}); ,{'protocol' => 'tcp', 's_port' => 0, 'd_port' => $local_port});
my ($rv, $out_ar, $errs_ar) = $ipt_obj->append_ip_rule(@iptables_arg); my ($rv, $out_ar, $errs_ar) = $ipt_obj->append_ip_rule(@iptables_arg);
$self->{_iptables} = \@iptables_arg;
$self->_store_log(command => 'create', iptables => \@iptables_arg, @_); $self->_log_iptable(iptables => \@iptables_arg, @_);
@iptables_arg = ( '0.0.0.0'
,$local_ip, 'filter', $IPTABLES_CHAIN, 'DROP',
,{'protocol' => 'tcp', 's_port' => 0, 'd_port' => $local_port});
($rv, $out_ar, $errs_ar) = $ipt_obj->append_ip_rule(@iptables_arg);
$self->_log_iptable(iptables => \@iptables_arg, @_);
} }
sub _open_iptables { sub _open_iptables {
...@@ -813,7 +842,7 @@ sub _open_iptables { ...@@ -813,7 +842,7 @@ sub _open_iptables {
return $ipt_obj; return $ipt_obj;
} }
sub _store_log { sub _log_iptable {
my $self = shift; my $self = shift;
if (scalar(@_) %2 ) { if (scalar(@_) %2 ) {
carp "Odd number ".Dumper(\@_); carp "Odd number ".Dumper(\@_);
...@@ -823,35 +852,36 @@ sub _store_log { ...@@ -823,35 +852,36 @@ sub _store_log {
lock_hash(%args); lock_hash(%args);
my $remote_ip = $args{remote_ip};#~ or return; my $remote_ip = $args{remote_ip};#~ or return;
my $user = $args{user}; my $user = $args{user};
my $command = $args{command};
my $iptables = $args{iptables}; my $iptables = $args{iptables};
my $sth = $$CONNECTOR->dbh->prepare( my $sth = $$CONNECTOR->dbh->prepare(
"INSERT INTO log_commands" "INSERT INTO iptables "
."(id_domain, id_user, command, remote_ip, timereq, iptables)" ."(id_domain, id_user, remote_ip, time_req, iptables)"
."VALUES(?, ?, ?, ?, ?, ?)" ."VALUES(?, ?, ?, ?, ?)"
); );
$sth->execute($self->id, $user->id,$command, $remote_ip, Ravada::Utils::now() $sth->execute($self->id, $user->id, $remote_ip, Ravada::Utils::now()
,encode_json($iptables)); ,encode_json($iptables));
$sth->finish; $sth->finish;
} }
sub _last_iptable { sub _active_iptables {
my $self = shift; my $self = shift;
my $user = shift; my $user = shift;
my $sth = $$CONNECTOR->dbh->prepare( my $sth = $$CONNECTOR->dbh->prepare(
"SELECT iptables FROM log_commands" "SELECT id,iptables FROM iptables "
." WHERE command='create' " ." WHERE "
." AND id_domain=?" ." id_domain=?"
." AND id_user=? " ." AND id_user=? "
." ORDER BY timereq DESC " ." AND time_deleted IS NULL"
." ORDER BY time_req DESC "
); );
$sth->execute($self->id, $user->id); $sth->execute($self->id, $user->id);
while (my ($iptables) = $sth->fetchrow) { my @iptables;
return decode_json($iptables); while (my ($id, $iptables) = $sth->fetchrow) {
push @iptables, [ $id, decode_json($iptables)];
} }
return; return @iptables;
} }
1; 1;
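Review bot: In `_remove_iptables` the new loop (lines 31-35) marks a row `time_deleted` whether or not `delete_ip_rule` actually removed the rule, so a failed delete leaves the ACCEPT or DROP rule live in the chain while the database no longer tracks it and nothing will ever remove it; the return value is discarded even though the matching `append_ip_rule` call on line 48 unpacks `($rv, $out_ar, $errs_ar)`. Assuming `delete_ip_rule` follows the same return convention, check `$rv` and keep the row active when the delete fails so the next pause or shutdown retries it, and call `$sth->finish` as `_log_iptable` does; the sub itself starts outside the hunk (the header shows only its signature). Separately, `_add_iptable` now appends a port-wide DROP after the client's ACCEPT on every start (lines 51-55); if `append_ip_rule` appends to the end of the chain as its name suggests, a later start or resume of the same domain from another address places its ACCEPT behind the earlier DROP, which matches first, so it is worth confirming the earlier rules are always removed before a new client is opened or inserting the ACCEPT ahead of the DROP. The stray double comma on line 52 (`'DROP', ,{`) is legal Perl but reads as a typo.
```perl
    for my $row ($self->_active_iptables($args->{user})) {
        my ($id, $iptables) = @$row;
        my ($rv, $out_ar, $errs_ar) = $ipt_obj->delete_ip_rule(@$iptables);
        if (!$rv) {
            # Leave the row active so a later pause/shutdown retries the delete
            carp "Error deleting iptables rule id=$id: ".join("", @{ $errs_ar || [] });
            next;
        }
        $sth->execute(Ravada::Utils::now(), $id);
    }
    $sth->finish;
```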
...@@ -24,7 +24,7 @@ our %FIELD_RO = map { $_ => 1 } qw(id name); ...@@ -24,7 +24,7 @@ our %FIELD_RO = map { $_ => 1 } qw(id name);
our $args_manage = { name => 1 , uid => 1 }; our $args_manage = { name => 1 , uid => 1 };
our $args_prepare = { id_domain => 1 , uid => 1 }; our $args_prepare = { id_domain => 1 , uid => 1 };
our $args_remove_base = { domain => 1 , uid => 1 }; our $args_remove_base = { domain => 1 , uid => 1 };
our $args_manage_ip = {%$args_manage, remote_ip => 1};
our %VALID_ARG = ( our %VALID_ARG = (
create_domain => { create_domain => {
...@@ -38,10 +38,11 @@ our %VALID_ARG = ( ...@@ -38,10 +38,11 @@ our %VALID_ARG = (
,disk => 2 ,disk => 2
,network => 2 ,network => 2
} }
,open_iptables => $args_manage_ip
,remove_base => $args_remove_base ,remove_base => $args_remove_base
,prepare_base => $args_prepare ,prepare_base => $args_prepare
,pause_domain => $args_manage ,pause_domain => $args_manage
,resume_domain => $args_manage ,resume_domain => {%$args_manage, remote_ip => 1 }
,remove_domain => $args_manage ,remove_domain => $args_manage
,shutdown_domain => { name => 1, uid => 1, timeout => 2 } ,shutdown_domain => { name => 1, uid => 1, timeout => 2 }
,screenshot_domain => { id_domain => 1, filename => 2 } ,screenshot_domain => { id_domain => 1, filename => 2 }
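Review bot: `resume_domain` on line 114 spells out `{%$args_manage, remote_ip => 1 }` even though line 103 introduces `$args_manage_ip` with exactly that content and `open_iptables` on line 110 already reuses it; `,resume_domain => $args_manage_ip` keeps the two request types in step if another field is ever required. `%VALID_ARG` only checks that `remote_ip` is present, and the value is later stored and, it appears, used as an iptables rule argument (`_log_iptable` in the first file of this commit), so it is worth confirming it is validated as an IP address somewhere before it reaches the rule. The `%VALID_ARG` hash starts before and ends after this hunk.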
......
SQL:= ../sqlite/bases.sql ../sqlite/iso_images.sql ../sqlite/lxc_templates.sql ../sqlite/requests.sql ../sqlite/file_base_images.sql ../sqlite/domains_network.sql ../sqlite/messages.sql ../sqlite/networks.sql ../sqlite/domains.sql ../sqlite/users.sql ../sqlite/log_commands.sql SQL:= ../sqlite/bases.sql ../sqlite/iso_images.sql ../sqlite/lxc_templates.sql ../sqlite/requests.sql ../sqlite/file_base_images.sql ../sqlite/domains_network.sql ../sqlite/messages.sql ../sqlite/networks.sql ../sqlite/domains.sql ../sqlite/users.sql ../sqlite/iptables.sql
ALL: $(SQL) ALL: $(SQL)
......
CREATE TABLE log_commands( CREATE TABLE iptables (
id integer auto_increment primary key, id integer auto_increment primary key,
id_domain int not null, id_domain int not null,
id_user int not null, id_user int not null,
command char(32) not null,
remote_ip char(16) not null, remote_ip char(16) not null,
timereq datetime not null, time_req datetime not null,
time_deleted datetime ,
iptables varchar(255) not null iptables varchar(255) not null
); );
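Review bot: `remote_ip char(16)` on line 127 (and in the SQLite copy on lines 132-141) only fits a dotted-quad IPv4 address, so an IPv6 client address would be truncated or rejected depending on the MySQL sql_mode, and stored as-is by SQLite, and in neither case would it round-trip to the value the rule was created with. The new DROP rule in `_add_iptable` uses `'0.0.0.0'`, which suggests IPv4 is assumed; if so, a comment on the column saying so would help, otherwise `varchar(45)` covers both families. The `iptables` column holds an `encode_json` serialisation of the rule arguments (per `_log_iptable`), which the name does not convey; a one-line comment such as `-- JSON-encoded argument list as passed to append_ip_rule` would help. `_active_iptables` filters on `id_domain`, `id_user` and `time_deleted IS NULL`, so an index on those columns may be worth adding, and it looks like nothing migrates an existing `log_commands` table, though that may be handled elsewhere.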
CREATE TABLE log_commands( CREATE TABLE iptables (
id integer PRIMARY KEY AUTOINCREMENT id integer PRIMARY KEY AUTOINCREMENT
, id_domain int not null , id_domain int not null
, id_user int not null , id_user int not null
, command char(32) not null
, remote_ip char(16) not null , remote_ip char(16) not null
, timereq datetime not null , time_req datetime not null
, time_deleted datetime
, iptables varchar(255) not null , iptables varchar(255) not null
); );
...@@ -8,7 +8,7 @@ sql: ...@@ -8,7 +8,7 @@ sql:
- ../../sql/sqlite/messages.sql - ../../sql/sqlite/messages.sql
- ../../sql/sqlite/networks.sql - ../../sql/sqlite/networks.sql
- ../../sql/sqlite/domains_network.sql - ../../sql/sqlite/domains_network.sql
- ../../sql/sqlite/log_commands.sql - ../../sql/sqlite/iptables.sql
- ../../sql/data/insert_lxc_templates.sql - ../../sql/data/insert_lxc_templates.sql
- ../../sql/data/insert_networks.sql - ../../sql/data/insert_networks.sql
- ../../sql/sqlite/file_base_images.sql - ../../sql/sqlite/file_base_images.sql