
Now the whole "FIREWALL=..." directive (with its content) could be pr…

…efixed by "#" comment characters to avoid OpenVZ warnings about non-supported multiline directives.
Dmitry
Dmitry committed Dec 18, 2013
1 parent e782a47 commit 77e5a7f05752bdcdc2203b15ff0906b5acba9586
Showing with 36 additions and 63 deletions.
  1. +29 −26 README.txt
  2. +7 −37 vzfirewall
@@ -29,34 +29,37 @@ chmod +x vzfirewall
SYNOPSIS
--------
-1. Modify the file /etc/sysconfig/vz-scripts/4.conf:
+1. Modify the file e.g. /etc/vz/conf/4.conf (note that the whole FIREWALL
+ directive is prefixed by "#" character, because else OpenVZ issues
+ warnings about multi-line directives which are not supported):
...
- FIREWALL="
- host.allowed.to.every.port
- yet.another.host
- * # means "any host"
-
- [25]
- host.allowed.to.access.smtp
- * # means "any"
-
- [80,443]
- hosts.allowed.to.access.two.ports
-
- [udp:53]
- *
-
- [CUSTOM]
- # You may use "$THIS" macro which is replaced by this machine IP
- # (and, if the machine has many IPs, it will be multiplicated).
- -A INPUT -i eth2 -d $THIS -j ACCEPT
- # Or you may use commands with no references to $THIS (only
- # such commands are allowed for 0.conf file).
- -A INPUT -i eth1 -j ACCEPT
- "
+ #FIREWALL="
+ # host.allowed.to.every.port
+ # yet.another.host
+ # * # means "any host"
+ #
+ # [25]
+ # host.allowed.to.access.smtp
+ # * # means "any"
+ #
+ # [80,443]
+ # hosts.allowed.to.access.two.ports
+ #
+ # [udp:53]
+ # *
+ #
+ # [CUSTOM]
+ # # You may use "$THIS" macro which is replaced by this machine IP
+ # # (and, if the machine has many IPs, it will be multiplicated).
+ # -A INPUT -i eth2 -d $THIS -j ACCEPT
+ # # Or you may use commands with no references to $THIS (only
+ # # such commands are allowed for 0.conf file).
+ # -A INPUT -i eth1 -j ACCEPT
+ #"
...
- We use FIREWALL directive in plain VE configs to allow to
- vzmigrate it easily from one node to another.
+ We use FIREWALL directive in plain VE configs, not in separate files,
+ to allow to vzmigrate it easily from one node to another. Note the "#"
+ characters again.
2. Run:
# vzfirewall -a - to apply rules
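--- a/vzfirewall
+++ b/vzfirewall
@@ -3,39 +3,7 @@ use strict;
 use File::Basename;
 use POSIX 'strftime';
-my $VERSION = "1.05, 2013-01-09";
-
-=head1
-File /etc/sysconfig/vz-scripts/4.conf, FIREWALL directive
----------------------------------------------------------
-FIREWALL="
- host.allowed.to.every.port
- yet.another.host
- * # means "any host"
-
- [25]
- host.allowed.to.access.smtp
- * # means "any"
-
- [80,443]
- hosts.allowed.to.access.two.ports
-
- [udp:53]
- *
-
- [CUSTOM]
- # You may use "$THIS" macro which is replaced by this machine IP
- # (and, if the machine has many IPs, it will be multiplicated).
- -A INPUT -i eth2 -d $THIS -j ACCEPT
- # Or you may use commands with no references to $THIS (only
- # such commands are allowed for 0.conf file).
- -A INPUT -i eth1 -j ACCEPT
-"
-----------------------------------------------------------------
-We use FIREWALL directive in plain VE configs to allow to
-vzmigrate it easily from one node to another.
-=cut
-
+my $VERSION = "1.06, 2013-12-18";
 my $IPTABLES = "/etc/sysconfig/iptables";
 my ($DIR) = grep { -d $_ } ("/etc/sysconfig/vz-scripts", "/etc/vz/conf");
@@ -230,7 +198,7 @@ sub generate_open_rule {
 $proto = $1;
 $dst_port = $2;
 }
- my $rule =
+ my $rule =
 ($src_ip && $src_ip ne "*"? " -s $src_ip" : "") .
 ($dst_ip && $dst_ip ne "*"? " -d $dst_ip" : "") .
 ($dst_port ne "*"? " -m multiport -p $proto --dports $dst_port" : "") .
@@ -258,9 +226,11 @@ sub read_conf {
 $_ = <F>;
 close(F);
 my %opts = ();
- my @matches = m/^\s* (\w+) \s* = \s* " ([^\"]*) "/mxg;
- for (my $i = 0; $i < @matches; $i += 2) {
- $opts{$matches[$i]} = $matches[$i + 1];
+ my @matches = m/^([#](?=FIREWALL))? (\w+) \s* = \s* " ([^\"]*) "/mxg;
+ for (my $i = 0; $i < @matches; $i += 3) {
+ my $data = $matches[$i + 2];
+ $data =~ s/^#//mg if $matches[$i];
+ $opts{$matches[$i + 1]} = $data;
 }
 return \%opts;
 }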
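Review bot: The new pattern in read_conf drops the `\s*` after `^` that the old one had, so a directive line with leading whitespace, which the previous version parsed, is now silently skipped; unless that is intended, keep it as `my @matches = m/^\s*([#](?=FIREWALL))? (\w+) \s* = \s* " ([^\"]*) "/mxg;`. Because a `#FIREWALL=` block is now live configuration, a conf file that still carries an old commented-out block next to an uncommented one ends up with whichever appears last, with no diagnostic, since the `$opts{$matches[$i + 1]} = $data;` assignment overwrites silently; adding `warn "duplicate directive $matches[$i + 1]\n" if exists $opts{$matches[$i + 1]};` just before it would make that visible, and the README should state plainly that a `#FIREWALL=` block is not treated as disabled. The opening lines of read_conf, including the `<F>` open, are outside the hunk.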

