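 /**
  * Returns the rules of one IP address, ready to be deployed.
  * All of them must be approved, otherwise nothing is applied (all or nothing).
  * The commands are rewritten: instead of INPUT and OUTPUT they contain
  * INPUT_x and OUTPUT_x, where x is the id of the IP address.
  *
  * @param int $ipId id of the IP address
  * @return array|false array with keys 'rules' (list of rewritten command
  *   strings of the FirewallRule objects), 'ip_v' and 'ip_id' of the given
  *   address; false when the address has no rules or any rule is not approved
  *
  * (Original author's remark, translated: keeping the command as a string on
  * $rule->command is "object orientation" in a place where it does not fit.)
  */
 function getCheckedRules($ipId)
 {
     $rules = $this->getRules($ipId);
     // No rules (or nothing usable returned) is reported as failure, not as an
     // empty deployment, so the caller never flushes the chains for nothing.
     if (!$rules || count($rules) < 1) {
         return false;
     }
     $commands = [];
     foreach ($rules as $rule) {
         $rule->command = $this->rewriteTableInCommand($rule->command, $ipId);
         // A single unapproved rule vetoes the whole set.
         if (!$rule->approved) {
             return false;
         }
         $commands[] = $rule->command;
     }
     $ip = get_ip_by_id($ipId);
     // Keys are quoted: the original used bare words (rules, ip_v, ip_id), which
     // only worked through the "undefined constant" fallback removed in PHP 8.
     return [
         'rules' => $commands,
         'ip_v'  => $ip['ip_v'],
         'ip_id' => $ip['ip_id'],
     ];
 }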
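/**
 * Executes one queued transaction on this node and records the outcome.
 *
 * $t is a row of the transactions table; the fields used here are t_id,
 * t_server, t_type, t_vps and t_param (a serialized payload whose shape
 * depends on t_type).  A transaction is executed only when it is addressed to
 * this node (t_server == SERVER_ID); in DEMO_MODE nothing is executed and the
 * transaction is reported as successful.  Afterwards the row is marked
 * t_done=1 with t_success and t_output set from the result.  An unknown
 * t_type returns false without updating the row.
 *
 * The payload reaches this node through the database, so it is treated as
 * untrusted: every value placed on a command line goes through
 * escapeshellarg(), and values interpolated into firewall rules must pass a
 * strict character check (see the do_transaction_* helpers below).
 *
 * @param array $t transaction row
 * @return mixed true/false for most types (cluster transactions return what
 *   cluster_node reports); false on failure or unknown type
 */
function do_transaction($t)
{
    global $db, $firewall;

    // debug — prints the complete row, including the t_param payload
    print_r($t);

    $ret = false;
    // Exit status of the last command.  Starts out as failure so a branch that
    // runs no command at all cannot be reported as success.
    $retval = 1;
    $output[0] = 'SUCCESS';

    if (DEMO_MODE) {
        // Demo nodes execute nothing; the row is still marked done/successful.
        $ret = true;
    } elseif ($t['t_server'] == SERVER_ID) {
        // loose comparison kept: t_server arrives from the database as a string
        switch ($t['t_type']) {
            case T_START_VE:
                if ($vps = vps_load($t['t_vps'])) {
                    $retval = do_transaction_vzctl('start', $vps->veid, '', $output);
                    $ret = $retval == 0;
                }
                break;
            case T_STOP_VE:
                if ($vps = vps_load($t['t_vps'])) {
                    $retval = do_transaction_vzctl('stop', $vps->veid, '', $output);
                    $ret = $retval == 0;
                }
                break;
            case T_RESTART_VE:
                if ($vps = vps_load($t['t_vps'])) {
                    $retval = do_transaction_vzctl('stop', $vps->veid, '', $output);
                    if ($retval == 0) {
                        $retval = do_transaction_vzctl('start', $vps->veid, '', $output);
                    }
                    $ret = $retval == 0;
                }
                break;
            case T_EXEC_LIMITS:
            case T_EXEC_PASSWD:
            case T_EXEC_HOSTNAME:
            case T_EXEC_DNS:
            case T_EXEC_IPADD:
            case T_EXEC_IPDEL:
                if ($vps = vps_load($t['t_vps'])) {
                    // NOTE(review): the payload is a ready-made option string
                    // ("--hostname x ...") that the shell has to split, so it
                    // cannot be quoted as a single argument here; it only goes
                    // through the DB escaper, which is not a shell escaper.  It
                    // should be assembled from individually escaped options
                    // where the transaction is created.
                    $options = '--save ' . $db->check(do_transaction_params($t));
                    $retval = do_transaction_vzctl('set', $vps->veid, $options, $output);
                    $ret = $retval == 0;
                }
                break;
            case T_EXEC_OTHER:
                break;
            case T_CREATE_VE:
                $params = do_transaction_params($t);
                $template = do_transaction_template_name($params);
                // download the template; a rejected name counts as a failed download
                if ($template === false || !get_template($template)) {
                    $ret = false;
                    do_transaction_delete_vps($t['t_vps']);
                    break;
                }
                $options = '--ostemplate ' . escapeshellarg($template)
                    . ' --hostname ' . do_transaction_shell_arg($params['hostname']);
                $retval = do_transaction_vzctl('create', $t['t_vps'], $options, $output);
                if ($retval != 0) {
                    $ret = false;
                    do_transaction_delete_vps($t['t_vps']);
                } else {
                    $options = '--save --nameserver ' . do_transaction_shell_arg($params['nameserver'])
                        . ' --onboot yes';
                    $retval = do_transaction_vzctl('set', $t['t_vps'], $options, $output);
                    $ret = $retval == 0;
                    // delete the downloaded template; $template cannot contain
                    // path separators, so this stays inside the cache directory
                    unlink('/vz/template/cache/' . $template . '.tar.gz');
                }
                break;
            case T_DESTROY_VE:
                // stop the container first if vzlist reports it as running
                $run = exec(BIN_VZLIST . ' ' . do_transaction_shell_arg($t['t_vps']));
                if (is_string($run) && strstr($run, 'running')) {
                    do_transaction_vzctl('stop', $t['t_vps'], '', $output);
                }
                $retval = do_transaction_vzctl('destroy', $t['t_vps'], '', $output);
                $ret = $retval == 0;
                break;
            case T_REINSTALL_VE:
                $params = do_transaction_params($t);
                $template = do_transaction_template_name($params);
                if ($template === false) {
                    // refuse before anything is destroyed
                    $ret = false;
                    break;
                }
                // stop -> destroy -> create -> set -> start; each step runs only
                // when the previous one succeeded, so one failure aborts the rest
                $retval = do_transaction_vzctl('stop', $t['t_vps'], '', $output);
                if ($retval == 0) {
                    $retval = do_transaction_vzctl('destroy', $t['t_vps'], '', $output);
                }
                if ($retval == 0) {
                    $options = '--ostemplate ' . escapeshellarg($template)
                        . ' --hostname ' . do_transaction_shell_arg($params['hostname']);
                    $retval = do_transaction_vzctl('create', $t['t_vps'], $options, $output);
                }
                if ($retval == 0) {
                    $options = '--save --nameserver ' . do_transaction_shell_arg($params['nameserver'])
                        . ' --onboot yes';
                    $retval = do_transaction_vzctl('set', $t['t_vps'], $options, $output);
                }
                if ($retval == 0) {
                    $retval = do_transaction_vzctl('start', $t['t_vps'], '', $output);
                }
                $ret = $retval == 0;
                break;
            case T_MIGRATE_OFFLINE:
                $params = do_transaction_params($t);
                $retval = do_transaction_vzmigrate($params['target'], $t['t_vps'], false, $output);
                $ret = $retval == 0;
                break;
            case T_MIGRATE_ONLINE:
                $params = do_transaction_params($t);
                $retval = do_transaction_vzmigrate($params['target'], $t['t_vps'], true, $output);
                // If online migration failed, record the switch in the row and
                // fall back to an offline migration
                if ($retval != 0 && $params) {
                    $db->query('UPDATE transactions SET t_type=' . T_MIGRATE_OFFLINE
                        . ' WHERE t_id=' . $db->check($t['t_id']));
                    $retval = do_transaction_vzmigrate($params['target'], $t['t_vps'], false, $output);
                }
                $ret = $retval == 0;
                break;
            case T_SNAPSHOT:
                exec_wrapper('vzdump --suspend ' . do_transaction_shell_arg($t['t_vps']), $output, $retval);
                $ret = $retval == 0;
                break;
            case T_FIREWALL_RELOAD:
                // payload shape matches what getCheckedRules() returns: ip_v,
                // ip_id and the list of approved, already rewritten rule strings
                $rules_to_apply = do_transaction_params($t);
                $fault = true;
                if (is_array($rules_to_apply) && isset($rules_to_apply['ip_v'], $rules_to_apply['ip_id'])) {
                    $ip_v = $rules_to_apply['ip_v'];
                    // flush the per-address chains before re-adding everything
                    do_transaction_flush_ip_chains($ip_v, $rules_to_apply['ip_id']);
                    $fault = false;
                    $rules = isset($rules_to_apply['rules']) ? $rules_to_apply['rules'] : [];
                    foreach ($rules as $rule) {
                        // NOTE(review): rules are complete rule strings from the
                        // database; they are not validated here and rely on the
                        // approval step that produced them.  The first failing
                        // rule stops the reload and leaves the chains partially
                        // populated (see the TODO below).
                        if (!do_transaction_commit_rule($ip_v, $rule)) {
                            $fault = true;
                            break;
                        }
                    }
                }
                if ($fault) {
                    /* TODO Apocalypse scheme */
                }
                $ret = !$fault;
                break;
            case T_FIREWALL_FLUSH:
                $ip = get_ip_by_id(do_transaction_params($t));
                $ret = do_transaction_flush_ip_chains($ip['ip_v'], $ip['ip_id']);
                break;
            case T_CLUSTER_TEMPLATE_COPY:
                $params = do_transaction_params($t);
                $this_node = new cluster_node(SERVER_ID);
                $ret = $this_node->fetch_remote_template($params['templ_id'], $params['remote_server_id']);
                break;
            case T_CLUSTER_TEMPLATE_DELETE:
                $params = do_transaction_params($t);
                $this_node = new cluster_node(SERVER_ID);
                $ret = $this_node->delete_template($params['templ_id']);
                break;
            case T_CLUSTER_IP_REGISTER:
                $params = do_transaction_params($t);
                $addr = do_transaction_ip_literal(isset($params['ip_addr']) ? $params['ip_addr'] : null);
                if ($addr === false) {
                    // anything that is not a plain address literal never reaches the firewall
                    $ret = false;
                    break;
                }
                $ip_id = (int) $params['ip_id'];
                // anything other than 6 is treated as IPv4, as before
                $ip_v = $params['ip_v'] == 6 ? 6 : 4;
                $rules = [
                    '-N INPUT_' . $ip_id,
                    '-N OUTPUT_' . $ip_id,
                    "-A FORWARD -s {$addr} -g OUTPUT_{$ip_id}",
                    "-A FORWARD -d {$addr} -g INPUT_{$ip_id}",
                ];
                // IPv4 addresses are additionally appended to anix and atranzit
                $chains = $ip_v == 6 ? ['aztotal'] : ['anix', 'atranzit', 'aztotal'];
                foreach ($chains as $chain) {
                    $rules[] = "-A {$chain} -s {$addr}";
                    $rules[] = "-A {$chain} -d {$addr}";
                }
                $ret = true;
                foreach ($rules as $rule) {
                    // bitwise &= kept so t_output stays the same integer as before
                    $ret &= do_transaction_commit_rule($ip_v, $rule);
                }
                break;
            case T_ENABLE_DEVICES:
                $params = do_transaction_params($t);
                // a payload without at least one device runs nothing and $retval
                // stays 1; the original compared an undefined $retval with 0 and
                // reported success in that case
                if (is_array($params) && !empty($params[0])) {
                    $options = '';
                    foreach ($params as $device) {
                        $options .= '--devices ' . do_transaction_shell_arg($device) . ' ';
                    }
                    $retval = do_transaction_vzctl('set', $t['t_vps'], $options . '--save', $output);
                }
                $ret = $retval == 0;
                break;
            case T_ENABLE_TUNTAP:
                // stop/start around the "set"; their results are ignored, as before
                do_transaction_vzctl('stop', $t['t_vps'], '', $trash);
                $retval = do_transaction_vzctl('set', $t['t_vps'], '--capability net_admin:on --save', $output);
                do_transaction_vzctl('start', $t['t_vps'], '', $trash);
                // create the tun device node inside the container, stopping at the first failure
                $steps = ['mkdir -p /dev/net', 'mknod /dev/net/tun c 10 200', 'chmod 600 /dev/net/tun'];
                foreach ($steps as $cmd) {
                    if ($retval != 0) {
                        break;
                    }
                    $retval = do_transaction_vzctl('exec', $t['t_vps'], $cmd, $output);
                }
                $ret = $retval == 0;
                break;
            case T_ENABLE_FUSE:
                $retval = do_transaction_vzctl('exec', $t['t_vps'], 'mknod /dev/fuse c 10 229', $output);
                $ret = $retval == 0;
                break;
            case T_ENABLE_IPTABLES:
                do_transaction_vzctl('stop', $t['t_vps'], '', $trash);
                // fixed module list, no payload involved
                $modules = ['ip_conntrack', 'ip_conntrack_ftp', 'ip_conntrack_irc', 'ip_nat_ftp', 'ip_nat_irc',
                    'ip_tables', 'ipt_LOG', 'ipt_REDIRECT', 'ipt_REJECT', 'ipt_TCPMSS', 'ipt_TOS', 'ipt_conntrack',
                    'ipt_helper', 'ipt_length', 'ipt_limit', 'ipt_multiport', 'ipt_state', 'ipt_tcpmss', 'ipt_tos',
                    'ipt_ttl', 'iptable_filter', 'iptable_mangle', 'iptable_nat'];
                $options = '';
                foreach ($modules as $module) {
                    $options .= '--iptables ' . $module . ' ';
                }
                $retval = do_transaction_vzctl('set', $t['t_vps'], $options . '--save', $output);
                if ($retval == 0) {
                    $retval = do_transaction_vzctl('set', $t['t_vps'], '--numiptent 200 --save', $output);
                }
                do_transaction_vzctl('start', $t['t_vps'], '', $trash);
                $ret = $retval == 0;
                break;
            case T_RESTART_NODE:
                // the row is marked done/successful before the reboot is issued,
                // because the final update below may not get a chance to run
                do_transaction_mark_done($t, $ret, true);
                exec_wrapper('reboot', $output, $retval);
                $ret = true;
                break;
            default:
                // unknown type: the row is left untouched
                return false;
        }
    }
    // NOTE(review): a row addressed to another node also ends up here with
    // $ret = false and is marked done/failed — the caller presumably filters
    // by t_server; confirm.

    do_transaction_mark_done($t, $ret, (bool) $ret);
    return $ret;
}

/**
 * Decodes the serialized t_param payload of a transaction row.
 *
 * NOTE(review): unserialize() on data that came through the database can
 * instantiate any class loaded on this node; the payload format should move
 * to JSON, or at least be decoded with allowed_classes => false (PHP >= 7).
 *
 * @param array $t transaction row
 * @return mixed decoded payload, false when it cannot be decoded
 */
function do_transaction_params($t)
{
    return unserialize($t['t_param']);
}

/**
 * Quotes one payload value as a single shell argument.
 *
 * @param mixed $value scalar from the transaction row or payload
 * @return string
 */
function do_transaction_shell_arg($value)
{
    return escapeshellarg((string) $value);
}

/**
 * Runs "vzctl <verb> <veid> <options>" through exec_wrapper and returns its
 * exit status.  $veid is quoted here; $options must already be shell-safe.
 *
 * @param string $verb    vzctl sub-command (start, stop, set, exec, ...)
 * @param mixed  $veid    container id
 * @param string $options additional arguments, '' for none
 * @param array  $output  receives the command output (by reference)
 * @return int exit status, non-zero on failure
 */
function do_transaction_vzctl($verb, $veid, $options, &$output)
{
    $retval = 1;
    $cmd = BIN_VZCTL . ' ' . $verb . ' ' . do_transaction_shell_arg($veid);
    if ($options !== '') {
        $cmd .= ' ' . $options;
    }
    exec_wrapper($cmd, $output, $retval);
    return $retval;
}

/**
 * Runs vzmigrate for one container and returns its exit status.
 *
 * @param mixed $target  destination given in the payload
 * @param mixed $veid    container id
 * @param bool  $online  true adds --online
 * @param array $output  receives the command output (by reference)
 * @return int exit status, non-zero on failure
 */
function do_transaction_vzmigrate($target, $veid, $online, &$output)
{
    $retval = 1;
    $cmd = 'vzmigrate ' . ($online ? '--online ' : '')
        . do_transaction_shell_arg($target) . ' ' . do_transaction_shell_arg($veid);
    exec_wrapper($cmd, $output, $retval);
    return $retval;
}

/**
 * Removes the vps row of a container whose creation failed.
 *
 * @param mixed $vpsId value of t_vps
 */
function do_transaction_delete_vps($vpsId)
{
    global $db;
    $db->query('delete from vps where vpsid=' . $db->check($vpsId));
}

/**
 * Commits one rule to the IPv4 or IPv6 firewall: 4 selects commit_rule(),
 * anything else commit_rule6() — the same dispatch the original used.
 *
 * @param mixed  $ip_v address family from the payload or the ip row
 * @param string $rule complete rule string
 * @return mixed whatever the firewall object reports
 */
function do_transaction_commit_rule($ip_v, $rule)
{
    global $firewall;
    if ($ip_v == 4) {
        return $firewall->commit_rule($rule);
    }
    return $firewall->commit_rule6($rule);
}

/**
 * Flushes the per-address OUTPUT_<id> and INPUT_<id> chains.  Both flushes
 * are always attempted; true only when both succeeded.
 *
 * @param mixed $ip_v  address family
 * @param mixed $ip_id numeric id of the address (cast to int, so nothing but
 *                     digits can end up in the chain name)
 * @return bool
 */
function do_transaction_flush_ip_chains($ip_v, $ip_id)
{
    $ip_id = (int) $ip_id;
    $outFlushed = do_transaction_commit_rule($ip_v, '-F OUTPUT_' . $ip_id);
    $inFlushed = do_transaction_commit_rule($ip_v, '-F INPUT_' . $ip_id);
    return $outFlushed && $inFlushed;
}

/**
 * Validates an address for interpolation into a firewall rule string.  Only
 * the characters an IPv4/IPv6 literal (optionally with a /prefix) can contain
 * are admitted, so the value can be placed in the rule unquoted.
 *
 * @param mixed $addr ip_addr value from the payload
 * @return string|false the address, or false when rejected
 */
function do_transaction_ip_literal($addr)
{
    if (!is_scalar($addr)) {
        return false;
    }
    $addr = (string) $addr;
    return preg_match('/^[0-9A-Fa-f:.\/]+$/', $addr) === 1 ? $addr : false;
}

/**
 * Validates the template name of a create/reinstall payload.  The name is
 * used both as a vzctl argument and as a file name below /vz/template/cache,
 * so only [A-Za-z0-9._-] is accepted — no path separators, no shell
 * metacharacters.
 *
 * @param mixed $params decoded payload
 * @return string|false the name, or false when missing or rejected
 */
function do_transaction_template_name($params)
{
    if (!is_array($params) || !isset($params['template'])) {
        return false;
    }
    $name = (string) $params['template'];
    return preg_match('/^[A-Za-z0-9._-]+$/', $name) === 1 ? $name : false;
}

/**
 * Marks the transaction row as finished.  On success the serialized result
 * is stored in t_output; it is passed through $db->check() like every other
 * value in these statements.
 *
 * @param array $t       transaction row
 * @param mixed $result  value stored in t_output when $success is true
 * @param bool  $success whether t_success is set to 1 or 0
 */
function do_transaction_mark_done($t, $result, $success)
{
    global $db;
    if ($success) {
        $sql = 'UPDATE transactions SET t_done=1, t_success=1, t_output="'
            . $db->check(serialize($result)) . '" WHERE t_id=' . $db->check($t['t_id']);
    } else {
        $sql = 'UPDATE transactions SET t_done=1, t_success=0 WHERE t_id=' . $db->check($t['t_id']);
    }
    $db->query($sql);
}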