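/**
 * Returns the firewall rules of one IP address, ready to be deployed.
 *
 * Every rule must be approved, otherwise nothing is applied at all.
 * The commands are rewritten so that INPUT and OUTPUT become INPUT_x and
 * OUTPUT_x, where x is the id of the IP address.
 *
 * @param int $ipId id of the IP address
 * @return array|false array with keys 'rules' (list of rewritten commands),
 *                     'ip_v' and 'ip_id' of the address, or false when the
 *                     address has no rules or any rule is not approved
 */
function getCheckedRules($ipId)
{
    $rules = $this->getRules($ipId);

    // Nothing to deploy: no rules, or getRules() did not hand back an array
    // (count() on a non-array is a TypeError on PHP 8).
    if (!is_array($rules) || count($rules) < 1) {
        return false;
    }

    $commands = array();
    foreach ($rules as $rule) {
        $rule->command = $this->rewriteTableInCommand($rule->command, $ipId);
        // A single unapproved rule vetoes the whole set.
        if (!$rule->approved) {
            return false;
        }
        $commands[] = $rule->command;
    }

    $ip = get_ip_by_id($ipId);

    // Keys are quoted strings; the bare-word constants used before are a
    // fatal "undefined constant" error on PHP 8. The key names match what
    // the T_FIREWALL_RELOAD handler reads from the unserialized payload.
    return array(
        'rules' => $commands,
        'ip_v'  => $ip['ip_v'],
        'ip_id' => $ip['ip_id'],
    );
}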
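/**
 * Executes one queued transaction on this node and records its outcome.
 *
 * Only transactions addressed to this server (t_server == SERVER_ID) are
 * executed; in DEMO_MODE nothing runs and success is reported
 * unconditionally. Afterwards the transactions row is updated: t_done=1 and
 * t_success=1 with the serialized result on success, t_success=0 on failure.
 * An unknown t_type returns false without touching the row.
 *
 * @param array $t transaction row; keys read here are t_id, t_server,
 *                 t_type, t_vps and t_param (a serialized, type-specific
 *                 payload)
 * @return mixed result of the transaction - a bool for most types, or
 *               whatever the cluster_node call returned for T_CLUSTER_*;
 *               false on failure
 */
function do_transaction($t)
{
    global $db, $firewall;

    $ret = false;
    $output[0] = 'SUCCESS';

    // NOTE(review): shell command lines below are assembled with
    // $db->check(), which by its name and its use in SQL elsewhere in this
    // function looks like a database escaper, not a shell one - confirm;
    // arguments passed to a shell should go through escapeshellarg().
    // NOTE(review): t_param is unserialize()d from the database; on
    // PHP >= 7.0 pass array('allowed_classes' => false) so a tampered row
    // cannot instantiate arbitrary objects.
    if ($t['t_server'] == SERVER_ID && !DEMO_MODE) {
        switch ($t['t_type']) {
            case T_START_VE:
                if ($vps = vps_load($t['t_vps'])) {
                    exec_wrapper(BIN_VZCTL . ' start ' . $db->check($vps->veid), $output, $retval);
                    $ret = $retval == 0;
                }
                break;

            case T_STOP_VE:
                if ($vps = vps_load($t['t_vps'])) {
                    exec_wrapper(BIN_VZCTL . ' stop ' . $db->check($vps->veid), $output, $retval);
                    $ret = $retval == 0;
                }
                break;

            case T_RESTART_VE:
                if ($vps = vps_load($t['t_vps'])) {
                    exec_wrapper(BIN_VZCTL . ' stop ' . $db->check($vps->veid), $output, $retval);
                    if ($retval != 0) {
                        $ret = false;
                    } else {
                        exec_wrapper(BIN_VZCTL . ' start ' . $db->check($vps->veid), $output, $retval);
                        $ret = $retval == 0;
                    }
                }
                break;

            // All of these carry the ready-made "vzctl set" arguments in t_param.
            case T_EXEC_LIMITS:
            case T_EXEC_PASSWD:
            case T_EXEC_HOSTNAME:
            case T_EXEC_DNS:
            case T_EXEC_IPADD:
            case T_EXEC_IPDEL:
                if ($vps = vps_load($t['t_vps'])) {
                    exec_wrapper(BIN_VZCTL . ' set ' . $db->check($vps->veid) . ' --save ' . $db->check(unserialize($t['t_param'])), $output, $retval);
                    $ret = $retval == 0;
                }
                break;

            case T_EXEC_OTHER:
                break;

            case T_CREATE_VE:
                $params = unserialize($t['t_param']);

                // Download the OS template first; without it the VPS row is
                // removed again so the half-created VPS does not linger.
                $get_template = get_template($db->check($params['template']));
                if ($get_template == false) {
                    $ret = false;
                    $sql = "delete from vps where vpsid=" . $db->check($t['t_vps']);
                    $db->query($sql);
                    break;
                }

                exec_wrapper(BIN_VZCTL . ' create ' . $db->check($t['t_vps']) . ' --ostemplate ' . $db->check($params['template']) . ' --hostname ' . $db->check($params['hostname']), $output, $retval);
                if ($retval != 0) {
                    $ret = false;
                    $sql = "delete from vps where vpsid=" . $db->check($t['t_vps']);
                    $db->query($sql);
                } else {
                    exec_wrapper(BIN_VZCTL . ' set ' . $db->check($t['t_vps']) . ' --save --nameserver ' . $db->check($params['nameserver']) . ' --onboot yes', $output, $retval);
                    $ret = $retval == 0;
                    // The downloaded template cache is removed once the
                    // container has been created from it.
                    unlink('/vz/template/cache/' . $db->check($params['template']) . '.tar.gz');
                }
                break;

            case T_DESTROY_VE:
                // A running container has to be stopped before destroy.
                $run = exec(BIN_VZLIST . ' ' . $db->check($t['t_vps']));
                if (strstr($run, 'running')) {
                    // Escaped like every other use of t_vps in this function.
                    exec_wrapper(BIN_VZCTL . ' stop ' . $db->check($t['t_vps']), $output, $retval);
                }
                exec_wrapper(BIN_VZCTL . ' destroy ' . $db->check($t['t_vps']), $output, $retval);
                $ret = $retval == 0;
                break;

            case T_REINSTALL_VE:
                // Each step runs only when the previous one succeeded; the
                // preset value 1 marks the skipped steps as failed.
                $retval = $retvala = $retvalb = $retvalc = $retvald = 1;
                $params = unserialize($t['t_param']);

                exec_wrapper(BIN_VZCTL . ' stop ' . $db->check($t['t_vps']), $output, $retval);
                if ($retval == 0) {
                    exec_wrapper(BIN_VZCTL . ' destroy ' . $db->check($t['t_vps']), $output, $retvala);
                }
                if ($retvala == 0) {
                    exec_wrapper(BIN_VZCTL . ' create ' . $db->check($t['t_vps']) . ' --ostemplate ' . $db->check($params['template']) . ' --hostname ' . $db->check($params['hostname']), $output, $retvalb);
                }
                if ($retvalb == 0) {
                    exec_wrapper(BIN_VZCTL . ' set ' . $db->check($t['t_vps']) . ' --save --nameserver ' . $db->check($params['nameserver']) . ' --onboot yes', $output, $retvalc);
                }
                if ($retvalc == 0) {
                    exec_wrapper(BIN_VZCTL . ' start ' . $db->check($t['t_vps']), $output, $retvald);
                }
                $ret = $retvald == 0;
                break;

            case T_MIGRATE_OFFLINE:
                $params = unserialize($t['t_param']);
                exec_wrapper('vzmigrate ' . $db->check($params['target']) . ' ' . $db->check($t['t_vps']), $output, $retval);
                $ret = $retval == 0;
                break;

            case T_MIGRATE_ONLINE:
                $params = unserialize($t['t_param']);
                exec_wrapper('vzmigrate --online ' . $db->check($params['target']) . ' ' . $db->check($t['t_vps']), $output, $retval);
                // If online migration failed, fall back to the offline one and
                // record the changed type on the transaction.
                if ($retval != 0 && $params) {
                    $sql = 'UPDATE transactions SET t_type=' . T_MIGRATE_OFFLINE . ' WHERE t_id=' . $db->check($t['t_id']);
                    $db->query($sql);
                    exec_wrapper('vzmigrate ' . $db->check($params['target']) . ' ' . $db->check($t['t_vps']), $output, $retval);
                }
                $ret = $retval == 0;
                break;

            case T_SNAPSHOT:
                $params = unserialize($t['t_param']);
                exec_wrapper('vzdump --suspend ' . $db->check($t['t_vps']), $output, $retval);
                $ret = $retval == 0;
                break;

            case T_FIREWALL_RELOAD:
                // Payload shape: array('rules' => list of commands, 'ip_v', 'ip_id').
                $rules_to_apply = unserialize($t['t_param']);
                $fault = false;

                if ($rules_to_apply) {
                    // Flush the per-address chains, then replay the rule set.
                    if ($rules_to_apply['ip_v'] == 4) {
                        $firewall->commit_rule('-F OUTPUT_' . $rules_to_apply['ip_id']);
                        $firewall->commit_rule('-F INPUT_' . $rules_to_apply['ip_id']);
                    } else {
                        $firewall->commit_rule6('-F OUTPUT_' . $rules_to_apply['ip_id']);
                        $firewall->commit_rule6('-F INPUT_' . $rules_to_apply['ip_id']);
                    }

                    // The first failing rule stops the replay; earlier rules
                    // stay committed.
                    foreach ($rules_to_apply['rules'] as $rule) {
                        if (!$fault) {
                            if ($rules_to_apply['ip_v'] == 4) {
                                $res = $firewall->commit_rule($rule);
                            } else {
                                $res = $firewall->commit_rule6($rule);
                            }
                            $fault = !$res;
                        }
                    }
                } else {
                    $fault = true;
                }

                if ($fault) {
                    /* TODO Apocalypse scheme */
                }
                $ret = !$fault;
                break;

            case T_FIREWALL_FLUSH:
                $ip_id = unserialize($t['t_param']);
                $ip = get_ip_by_id($ip_id);
                if ($ip['ip_v'] == 4) {
                    $res1 = $firewall->commit_rule('-F OUTPUT_' . $ip['ip_id']);
                    $res2 = $firewall->commit_rule('-F INPUT_' . $ip['ip_id']);
                } else {
                    $res1 = $firewall->commit_rule6('-F OUTPUT_' . $ip['ip_id']);
                    $res2 = $firewall->commit_rule6('-F INPUT_' . $ip['ip_id']);
                }
                $ret = $res1 && $res2;
                break;

            case T_CLUSTER_TEMPLATE_COPY:
                $params = unserialize($t["t_param"]);
                $this_node = new cluster_node(SERVER_ID);
                $ret = $this_node->fetch_remote_template($params["templ_id"], $params["remote_server_id"]);
                break;

            case T_CLUSTER_TEMPLATE_DELETE:
                $params = unserialize($t["t_param"]);
                $this_node = new cluster_node(SERVER_ID);
                $ret = $this_node->delete_template($params["templ_id"]);
                break;

            case T_CLUSTER_IP_REGISTER:
                $params = unserialize($t["t_param"]);
                // &= on a bool yields an int (1/0); the final "if ($ret)"
                // below treats it as truthiness, which is what is wanted.
                $ret = true;
                if ($params["ip_v"] == 6) {
                    $ret &= $firewall->commit_rule6("-N INPUT_" . $params["ip_id"]);
                    $ret &= $firewall->commit_rule6("-N OUTPUT_" . $params["ip_id"]);
                    $ret &= $firewall->commit_rule6("-A FORWARD -s {$params["ip_addr"]} -g OUTPUT_{$params["ip_id"]}");
                    $ret &= $firewall->commit_rule6("-A FORWARD -d {$params["ip_addr"]} -g INPUT_{$params["ip_id"]}");
                    $ret &= $firewall->commit_rule6("-A aztotal -s {$params["ip_addr"]}");
                    $ret &= $firewall->commit_rule6("-A aztotal -d {$params["ip_addr"]}");
                } else {
                    $ret &= $firewall->commit_rule("-N INPUT_" . $params["ip_id"]);
                    $ret &= $firewall->commit_rule("-N OUTPUT_" . $params["ip_id"]);
                    $ret &= $firewall->commit_rule("-A FORWARD -s {$params["ip_addr"]} -g OUTPUT_{$params["ip_id"]}");
                    $ret &= $firewall->commit_rule("-A FORWARD -d {$params["ip_addr"]} -g INPUT_{$params["ip_id"]}");
                    $ret &= $firewall->commit_rule("-A anix -s {$params["ip_addr"]}");
                    $ret &= $firewall->commit_rule("-A anix -d {$params["ip_addr"]}");
                    $ret &= $firewall->commit_rule("-A atranzit -s {$params["ip_addr"]}");
                    $ret &= $firewall->commit_rule("-A atranzit -d {$params["ip_addr"]}");
                    $ret &= $firewall->commit_rule("-A aztotal -s {$params["ip_addr"]}");
                    $ret &= $firewall->commit_rule("-A aztotal -d {$params["ip_addr"]}");
                }
                break;

            case T_ENABLE_DEVICES:
                $params = unserialize($t["t_param"]);
                // An empty device list applies nothing and counts as success;
                // previously $retval was left undefined here and compared to 0.
                $retval = 0;
                $devices_cmd = '';
                if (!empty($params[0])) {
                    foreach ($params as $device) {
                        // Device specs come straight from the payload and were
                        // not escaped at all before.
                        $devices_cmd .= ' --devices ' . escapeshellarg($device);
                    }
                    exec_wrapper(BIN_VZCTL . ' set ' . $db->check($t['t_vps']) . ' ' . $devices_cmd . ' --save', $output, $retval);
                }
                $ret = $retval == 0;
                break;

            case T_ENABLE_TUNTAP:
                // net_admin can only be granted on a stopped container; the
                // stop/start results are deliberately ignored.
                exec_wrapper(BIN_VZCTL . ' stop ' . $db->check($t['t_vps']), $trash, $trash2);
                exec_wrapper(BIN_VZCTL . ' set ' . $db->check($t['t_vps']) . ' --capability net_admin:on --save', $output, $retval);
                exec_wrapper(BIN_VZCTL . ' start ' . $db->check($t['t_vps']), $trash, $trash2);
                if ($retval == 0) {
                    exec_wrapper(BIN_VZCTL . ' exec ' . $db->check($t['t_vps']) . ' mkdir -p /dev/net', $output, $retval);
                }
                if ($retval == 0) {
                    exec_wrapper(BIN_VZCTL . ' exec ' . $db->check($t['t_vps']) . ' mknod /dev/net/tun c 10 200', $output, $retval);
                }
                if ($retval == 0) {
                    exec_wrapper(BIN_VZCTL . ' exec ' . $db->check($t['t_vps']) . ' chmod 600 /dev/net/tun', $output, $retval);
                }
                $ret = $retval == 0;
                break;

            case T_ENABLE_FUSE:
                exec_wrapper(BIN_VZCTL . ' exec ' . $db->check($t['t_vps']) . ' mknod /dev/fuse c 10 229', $output, $retval);
                $ret = $retval == 0;
                break;

            case T_ENABLE_IPTABLES:
                exec_wrapper(BIN_VZCTL . ' stop ' . $db->check($t['t_vps']), $trash, $trash2);
                $modules = array('ip_conntrack', 'ip_conntrack_ftp', 'ip_conntrack_irc', 'ip_nat_ftp', 'ip_nat_irc', 'ip_tables', 'ipt_LOG', 'ipt_REDIRECT', 'ipt_REJECT', 'ipt_TCPMSS', 'ipt_TOS', 'ipt_conntrack', 'ipt_helper', 'ipt_length', 'ipt_limit', 'ipt_multiport', 'ipt_state', 'ipt_tcpmss', 'ipt_tos', 'ipt_ttl', 'iptable_filter', 'iptable_mangle', 'iptable_nat');
                $iptables_cmd = '';
                foreach ($modules as $module) {
                    $iptables_cmd .= ' --iptables ' . $module;
                }
                exec_wrapper(BIN_VZCTL . ' set ' . $db->check($t['t_vps']) . ' ' . $iptables_cmd . ' --save', $output, $retval);
                if ($retval == 0) {
                    exec_wrapper(BIN_VZCTL . ' set ' . $db->check($t['t_vps']) . ' --numiptent 200 --save', $output, $retval);
                }
                exec_wrapper(BIN_VZCTL . ' start ' . $db->check($t['t_vps']), $trash, $trash2);
                $ret = $retval == 0;
                break;

            case T_RESTART_NODE:
                // The row is marked done before the reboot command is issued -
                // presumably so the transaction is not picked up again if the
                // final update below never runs.
                $sql = 'UPDATE transactions SET t_done=1, t_success=1, t_output="' . serialize($ret) . '" WHERE t_id=' . $db->check($t['t_id']);
                $db->query($sql);
                exec_wrapper('reboot', $output, $retval);
                $ret = true;
                break;

            default:
                // Unknown type: nothing is executed and the row is left untouched.
                return false;
        }
    } else {
        $ret = false;
    }

    if (DEMO_MODE) {
        $ret = true;
    }

    // Record the outcome; $ret may be an int (see T_CLUSTER_IP_REGISTER) or
    // a non-bool return value, so truthiness decides success.
    if ($ret) {
        $sql = 'UPDATE transactions SET t_done=1, t_success=1, t_output="' . serialize($ret) . '" WHERE t_id=' . $db->check($t['t_id']);
    } else {
        $sql = 'UPDATE transactions SET t_done=1, t_success=0 WHERE t_id=' . $db->check($t['t_id']);
    }
    $db->query($sql);

    return $ret;
}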