* Use fd 8 for readconfig stdout parking rather than fd 10, to avoid

[autopkgtest.git] / xen / initscript

#!/bin/bash
set -e
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

### BEGIN INIT INFO
# Provides: adtxenlvm
# Required-Start: $network $local_fs
# Required-Stop:
# Should-Start: $remote_fs
# Should-Stop: $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Prepare firewall tables for autopkgtest Xen guests
### END INIT INFO

lsbif=/lib/lsb/init-functions
if test -e $lsbif; then
  . $lsbif
else
  log_daemon_msg () { printf "%s: " "$1"; }
  log_progress_msg () { printf "%s " "$1"; }
  log_end_msg () { echo "done."; }
fi
. /etc/default/rcS

chains='AdtXenIn AdtXenFwd AdtXenIcmp'

if ! type iptables >/dev/null 2>&1 || ! type xm >/dev/null 2>&1; then
  exit 0
fi

safety () {
  log_progress_msg block
  iptables -I INPUT -j DROP
  iptables -I FORWARD -j DROP
  trap '
    for chain in $chains; do iptables -I $chain -j DROP; done
    unsafety
    exit 127
  ' 0
}

unsafety () {
  log_progress_msg unblock
  iptables -D INPUT -j DROP
  iptables -D FORWARD -j DROP
  trap '' 0
}

case "$1" in
stop)
  log_daemon_msg "adtxenlvm: removing firewall rules"
  safety
  log_progress_msg clear
  for chain in $chains; do
    if iptables -L -n $chain >/dev/null 2>&1; then
      log_progress_msg $chain
      iptables -F $chain
      iptables -X $chain
    fi
  done
  unsafety
  log_end_msg 0
  exit 0
  ;;
start|restart|force-reload)
  ;;
'')
  echo >&2 "usage: /etc/init.d/adt-xen stop|start|restart|force-reload"
  exit 1
  ;;
*)
  echo >&2 "init.d/adt-xen unsupported action $1"
  exit 1
  ;;
esac

set --

exec 8>&1
case "$VERBOSE" in
no)     exec >/dev/null ;;
esac

printf "adtxenlvm: reading configuration for firewall setup:\n"
. ${ADT_XENLVM_SHARE:=/usr/share/autopkgtest/xenlvm}/readconfig

exec >&8 8>&-

log_daemon_msg "adtxenlvm: installing firewall rules"

safety

log_progress_msg create
for chain in $chains; do
  log_progress_msg $chain
  iptables -N $chain >/dev/null 2>&1 || iptables -F $chain
  iptables -I $chain -j DROP
done
unsafety

log_progress_msg rules

iptables -A AdtXenIcmp -j ACCEPT -p icmp --icmp-type echo-request
# per RFC1122, allow ICMP echo exchanges with anyone we can talk to at all

for oktype in                                   \
        echo-reply                              \
        destination-unreachable source-quench   \
        time-exceeded parameter-problem         \
;do
  iptables -A AdtXenIcmp -j ACCEPT -m conntrack --ctstate ESTABLISHED \
                -p icmp --icmp-type  $oktype
done

main=AdtXenFwd

for i in $adt_fw_localmirrors; do
  iptables -A $main -d $i -j ACCEPT -p tcp --dport 80
  iptables -A $main -d $i -j AdtXenIcmp -p icmp
done

exec </etc/resolv.conf
while read command rest; do
  if [ "x$command" = "xnameserver" ]; then
    iptables -A $main -d $rest -j ACCEPT -p tcp --dport 53
    iptables -A $main -d $rest -j ACCEPT -p udp --dport 53
    iptables -A $main -d $rest -j AdtXenIcmp -p icmp
  fi
done

for i in $adt_fw_testbedclients; do
  iptables -A $main -d $i -j ACCEPT -p tcp ! --syn
  iptables -A $main -d $i -j AdtXenIcmp -p icmp
done

for i in $adt_fw_prohibnets; do
  iptables -A $main -d $i -j REJECT --reject-with icmp-net-prohibited
done

if [ x"$adt_fw_allowglobalports" != x ]; then
  iptables -A $main -p icmp -j AdtXenIcmp
fi
for port in $adt_fw_allowglobalports; do
  iptables -A $main -p tcp --dport $port -j ACCEPT
done

if [ "x$adt_fw_hook" != x ]; then
  log_progress_msg hook
  . $adt_fw_hook
fi

log_progress_msg confirm

iptables -A $main -j REJECT --reject-with icmp-admin-prohibited
iptables -D $main -j DROP

log_progress_msg engage

iptables -A AdtXenIn -j ACCEPT -p icmp --icmp-type echo-request
iptables -A AdtXenIn -j ACCEPT -m conntrack --ctstate ESTABLISHED
iptables -A AdtXenIn -j AdtXenFwd
iptables -D AdtXenIn -j DROP

iptables -D AdtXenIcmp -j DROP

log_progress_msg proxyarp

echo 1 >/proc/sys/net/ipv4/conf/eth0/proxy_arp 

log_end_msg 0