XCP-ng firewall
-
I have a UPS connected to XCP-ng via USB. I have a backup server I need to set up to monitor the UPS for shutdown as a secondary NUT host.
XCP-ng blocks NUT server communication. What would be the best way to edit iptables (or nftables, I forget which XCP-ng uses) to allow the NUT secondary server to communicate with the primary NUT service running on XCP-ng?
-
@Byte0 Hi!
/etc/xapi.d/plugins/firewall-port {open|close} port protocol
should do the trick. Beware, we advised against modifying this config for obvious security considerations.
So know what you're doing.
-
@BenjiReis am I crazy or does the firewall-port script have a bug? If I use the firewall-port script to open the port then use firewall-port check 3493 tcp as a way to check, it reports that it is not open. The code needs to be fixed from
    check)
        if [[ -z `iptables -S $CHAIN | grep " $PORT "` ]]
        then
            echo "Port $PORT open: true"
        else
            echo "Port $PORT open: false"
        fi
        ;;
to
    check)
        if [[ -n `iptables -S $CHAIN | grep " $PORT "` ]]
        then
            echo "Port $PORT open: true"
        else
            echo "Port $PORT open: false"
        fi
        ;;
or
    check)
        if [[ -z `iptables -S $CHAIN | grep " $PORT "` ]]
        then
            echo "Port $PORT open: false"
        else
            echo "Port $PORT open: true"
        fi
        ;;
If I knew how to do a git pull request and all that I'd do it, however I do not.
-
@BenjiReis just checked the repo: https://github.com/xcp-ng/xcp-ng-xapi-plugins/tree/master/SOURCES/etc/xapi.d/plugins
That doesn't even have the firewall-port script in it, so not sure what repository contains that to send a fix to.
-
Ping @stormi
-
@Byte0 Hi the script is not provided by this repo but directly by the xapi rpm:
    [10:47 r620-s2 ~]# rpm -qf /etc/xapi.d/plugins/firewall-port
    xapi-core-1.249.36-1.2.xcpng8.2.x86_64
Anyway yes the check method is weird because it answers the opposite of the reality - but... it's by design according to upstream: https://github.com/xapi-project/xen-api/blob/45d934eec88def324799e0c428df14e726eb8566/ocaml/xapi/dbsync_slave.ml#L129-L134
But the open/close method works as expected and then you can see the rules are correctly added to iptables.
-
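The inverted check reported by @Byte0 and confirmed as by-design above, as an added example that is not the firewall-port script's own code: the shipped `-z` test and a corrected test, both written as functions over a constructed `iptables -S` listing so the difference shows without touching a live host. The chain name xapi-INPUT and the `-j ACCEPT` rule shape are assumptions; the corrected test also pins the protocol and `--dport`, which goes beyond the thread's `grep " $PORT "` match.

```shell
#!/bin/sh
# Added example: why `firewall-port check` reports the opposite of reality,
# and a stricter check that a secondary NUT host's port really is allowed.

# Constructed sample of `iptables -S xapi-INPUT` output (chain name assumed):
# an ACCEPT for NUT (3493/tcp) and an unrelated rule whose port starts with 3493.
SAMPLE_RULES='-N xapi-INPUT
-A xapi-INPUT -p tcp -m tcp --dport 3493 -j ACCEPT
-A xapi-INPUT -p udp -m udp --dport 34930 -j ACCEPT'

# As shipped: `-z` is true when grep found NOTHING, so a present rule yields "false".
# Usage: check_as_shipped PORT RULES_TEXT -> prints true/false
check_as_shipped() {
  if [ -z "$(printf '%s\n' "$2" | grep " $1 ")" ]; then
    echo true
  else
    echo false
  fi
}

# Corrected: a match means open. The pattern also pins the protocol and the
# --dport option, so a bare " 3493 " cannot match some other number or a comment.
# Usage: check_fixed PORT PROTO RULES_TEXT -> prints true/false
check_fixed() {
  if printf '%s\n' "$3" | grep -q -- "-p $2 .*--dport $1 -j ACCEPT"; then
    echo true
  else
    echo false
  fi
}

# On a real host (chain name assumed) the same function runs over the live table:
#   check_fixed 3493 tcp "$(iptables -S xapi-INPUT)"

echo "shipped check, 3493/tcp present: open=$(check_as_shipped 3493 "$SAMPLE_RULES")"
echo "fixed check,   3493/tcp present: open=$(check_fixed 3493 tcp "$SAMPLE_RULES")"
echo "fixed check,   3493/udp absent:  open=$(check_fixed 3493 udp "$SAMPLE_RULES")"
```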
@Byte0
Hi
There was a time this summer or spring when NUT-server was unavailable from the repo.
I decided to follow the "don't fiddle with dom0"
I let a mini server control the UPS and remotely activate a script on the host at power failure.
edit: changed USB > UPS
-
@BenjiReis The xapi is written in OCaml? That is pretty cool. I would love to learn OCaml one day.
Anyways, doesn't seem intuitive to design it this way:
Going to file an issue in that repo to see what happens. I suppose they would have to fix the OCaml code you linked as well.