XCP-ng firewall
-
I have a UPS connected to XCP-ng via USB. I have a backup server I need to setup to monitor the UPS for shutdown as a secondary NUT host.
XCP-ng blocks NUT server communication. What would be the best way to edit iptables (or nftables, I forget which XCP-ng uses) to allow the NUT secondary server to communicate with the primary NUT service running on XCP-ng?
-
@Byte0 Hi!
`/etc/xapi.d/plugins/firewall-port {open|close} port protocol` should do the trick. Beware: we advise against modifying this config for obvious security considerations.
So, know what you're doing.
-
@BenjiReis am I crazy or does the firewall-port script have a bug? If I use the firewall-port script to open the port and then use `firewall-port check 3493 tcp` as a way to check, it reports that it is not open. The code needs to be fixed from

```bash
check)
    if [[ -z `iptables -S $CHAIN | grep " $PORT "` ]]
    then
        echo "Port $PORT open: true"
    else
        echo "Port $PORT open: false"
    fi
    ;;
```

to

```bash
check)
    if [[ -n `iptables -S $CHAIN | grep " $PORT "` ]]
    then
        echo "Port $PORT open: true"
    else
        echo "Port $PORT open: false"
    fi
    ;;
```

or

```bash
check)
    if [[ -z `iptables -S $CHAIN | grep " $PORT "` ]]
    then
        echo "Port $PORT open: false"
    else
        echo "Port $PORT open: true"
    fi
    ;;
```

If I knew how to do a git pull request and all that I'd do it, however I do not.
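The inverted-answer point above, shown as an added example that is not code from the thread or from the xapi project: the `check` test reimplemented over a constructed `iptables -S` listing so it runs without root or iptables, once with the loose `grep " $PORT "` match the script uses and once with a stricter match on protocol and `--dport`. The chain name `xapi-INPUT`, the `RULES` listing and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from the xapi project): how the
# firewall-port "check" answer is derived, run against a constructed
# `iptables -S` listing instead of the live firewall. CHAIN, RULES and the
# function names are assumptions for this example.

CHAIN="xapi-INPUT"

# Constructed listing in `iptables -S $CHAIN` format. NUT's port 3493 is open
# for udp and appears as a *source* port in one tcp rule, but there is no
# "-p tcp ... --dport 3493" ACCEPT rule.
RULES="-N $CHAIN
-A $CHAIN -p tcp -m tcp --dport 443 -j ACCEPT
-A $CHAIN -p udp -m udp --dport 3493 -j ACCEPT
-A $CHAIN -p tcp -m tcp --sport 3493 -j ACCEPT
-A $CHAIN -p tcp -m tcp --dport 5900 -j ACCEPT"

# Stand-in for `iptables -S $CHAIN`.
list_rules() {
    printf '%s\n' "$RULES"
}

# The quoted script's test, with -z read as "nothing matched" so that the
# reported value follows the rules: any rule containing " <port> " counts,
# whatever the protocol and whether the port is a source or destination port.
loose_port_open() {   # $1 = port
    if [ -z "$(list_rules | grep " $1 ")" ]; then
        echo "Port $1 open: false"
    else
        echo "Port $1 open: true"
    fi
}

# Stricter test: the ACCEPT rule must carry both the protocol and --dport.
strict_port_open() {  # $1 = port, $2 = protocol
    if list_rules | grep -qE -- "^-A $CHAIN -p $2 .*--dport $1 -j ACCEPT\$"; then
        echo "Port $1/$2 open: true"
    else
        echo "Port $1/$2 open: false"
    fi
}

loose_port_open 3493        # Port 3493 open: true  (udp rule and --sport rule match)
strict_port_open 3493 tcp   # Port 3493/tcp open: false (no tcp --dport 3493 rule)
strict_port_open 3493 udp   # Port 3493/udp open: true
strict_port_open 443 tcp    # Port 443/tcp open: true
```

The loose match reports 3493 as open even though the only matching rules are a udp rule and a tcp source-port rule, so a secondary NUT host connecting to 3493/tcp would still be blocked; when verifying by hand on dom0, look for the protocol and `--dport` in `iptables -S` rather than for the bare port number.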
-
@BenjiReis just checked the repo: https://github.com/xcp-ng/xcp-ng-xapi-plugins/tree/master/SOURCES/etc/xapi.d/plugins
That doesn't even have the firewall-port script in it, so not sure what repository contains that to send a fix to.
-
Ping @stormi
-
@Byte0 Hi, the script is not provided by this repo but directly by the xapi rpm:

```
[10:47 r620-s2 ~]# rpm -qf /etc/xapi.d/plugins/firewall-port
xapi-core-1.249.36-1.2.xcpng8.2.x86_64
```

Anyway, yes, the `check` method is weird because it answers the opposite of the reality - but... it's by design according to upstream: https://github.com/xapi-project/xen-api/blob/45d934eec88def324799e0c428df14e726eb8566/ocaml/xapi/dbsync_slave.ml#L129-L134

But the `open`/`close` methods work as expected, and then you can see the rules are correctly added to iptables.
-
@Byte0
Hi
There was a time this summer or spring when NUT-server was unavailable from the repo.
I decided to follow the "don't fiddle with dom0" advice.
I let a mini server control the UPS and remotely activate a script on the host at power failure.
edit: changed USB > UPS
-
@BenjiReis Xapi is written in OCaml? That is pretty cool. I would love to learn OCaml one day.
Anyways, it doesn't seem intuitive to design it this way:

I'm going to file an issue in that repo to see what happens. I suppose they would have to fix the OCaml code you linked as well.
-