Alon Bar-Lev has uploaded a new change for review. Change subject: packaging: cleanup _configIptables ......................................................................
packaging: cleanup _configIptables 1. use template file, do not search for comments. 2. remove code duplications. 3. handle files correctly. 4. misc cleanups. Change-Id: Ic08891752b537ea04c56e8aef2040cc5e89cbea3 Signed-off-by: Alon Bar-Lev <alo...@redhat.com>
---
M packaging/fedora/setup/engine-setup.py M packaging/fedora/setup/iptables.default 2 files changed, 21 insertions(+), 28 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/73/8373/1
diff --git a/packaging/fedora/setup/engine-setup.py b/packaging/fedora/setup/engine-setup.py
index e11330d..b423d5b 100755
--- a/packaging/fedora/setup/engine-setup.py
+++ b/packaging/fedora/setup/engine-setup.py
@@ -898,44 +898,36 @@ def _configIptables(): logging.debug("configuring iptables") try: - file = open(basedefs.FILE_IPTABLES_DEFAULT, "r") - fileContent = file.read() - file.close() - outputText = fileContent + with open(basedefs.FILE_IPTABLES_DEFAULT, "r") as f: + fileContent = f.read() - PORTS_LIST=[] - #get the location of the drop all rule comment - list = outputText.split("\n") - location = None - counter = 0 - for line in list: - if line == "#drop all rule": - location = counter - counter += 1 - if not location: - logging.error(output_messages.ERR_EXP_FAILED_IPTABLES_RULES) - raise Exception(output_messages.ERR_EXP_FAILED_IPTABLES_RULES) - - insertLocation = location - len(list) + ports = [] + lines = [] for port in [controller.CONF["HTTP_PORT"], controller.CONF["HTTPS_PORT"]]: - lineToAdd = "-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport %s -j ACCEPT" % port - list.insert(insertLocation, lineToAdd) + ports.append({ + 'port': port, + 'protocol': ['tcp'] + }) if utils.compareStrIgnoreCase(controller.CONF["CONFIG_NFS"], "yes"): - PORTS_LIST = PORTS_LIST + NFS_IPTABLES_PORTS + ports += NFS_IPTABLES_PORTS - for portCfg in PORTS_LIST: + for portCfg in ports: portNumber = portCfg["port"] for protocol in portCfg["protocol"]: - lineToAdd = "-A RH-Firewall-1-INPUT -m state --state NEW -p %s --dport %s -j ACCEPT"%(protocol, portNumber) - list.insert(insertLocation, lineToAdd) + lines.append( + "-A RH-Firewall-1-INPUT -m state --state NEW -p %s --dport %s -j ACCEPT" % ( + protocol, + portNumber + ) + ) - outputText = "\n".join(list) + outputText = fileContent.replace('@CUSTOM_RULES@', "\n".join(lines)) logging.debug(outputText) - exampleFile = open(basedefs.FILE_IPTABLES_EXAMPLE, "w") - exampleFile.write(outputText) - exampleFile.close() + + with open(basedefs.FILE_IPTABLES_EXAMPLE, "w") as f: + f.write(outputText) if controller.CONF["OVERRIDE_IPTABLES"] == "yes": if os.path.isfile("%s/iptables"%(basedefs.DIR_ETC_SYSCONFIG)): 
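Review bot: The `fileContent.replace('@CUSTOM_RULES@', ...)` call succeeds silently when the placeholder is absent, whereas the removed code raised `ERR_EXP_FAILED_IPTABLES_RULES` when its marker was not found. With a stale or locally edited `iptables.default`, the generated file would carry no ACCEPT rules for the HTTP/HTTPS (and NFS) ports, and the `OVERRIDE_IPTABLES` branch below would presumably install it without any error. A guard before the replace keeps the failure loud: `if '@CUSTOM_RULES@' not in fileContent: raise Exception(output_messages.ERR_EXP_FAILED_IPTABLES_RULES)`. Separately, `port` is interpolated into the rule text as-is; if the `controller.CONF` values are not already validated as integers elsewhere, that is worth checking here so a malformed answer cannot add extra lines to the ruleset. The body of `_configIptables` continues past the end of the hunk.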
diff --git a/packaging/fedora/setup/iptables.default b/packaging/fedora/setup/iptables.default
index 63bdae8..4c7b0f1 100644
--- a/packaging/fedora/setup/iptables.default
+++ b/packaging/fedora/setup/iptables.default
@@ -11,6 +11,7 @@
 -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
 -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+@CUSTOM_RULES@
 #drop all rule
 -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
 COMMIT
-- To view, visit http://gerrit.ovirt.org/8373 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ic08891752b537ea04c56e8aef2040cc5e89cbea3 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Alon Bar-Lev <alo...@redhat.com> _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches
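Review bot: The placeholder line added above `#drop all rule` has no comment explaining it, and its position is what guarantees the generated ACCEPT rules land ahead of the final REJECT. A comment on the preceding line, such as `# engine-setup expands the marker on the next line into per-port ACCEPT rules; keep it above the REJECT rule`, would document that ordering requirement. The comment should not spell out the token itself, because the substitution in engine-setup.py is a plain string replace and would expand it inside the comment as well.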