func (cmd *find) Run(f *flag.FlagSet) error {
ctx := context.TODO()
host, err := cmd.HostSystem()
if err != nil {
return err
}
fs, err := host.ConfigManager().FirewallSystem(ctx)
if err != nil {
return err
}
if cmd.check {
esxfw, err := esxcli.GetFirewallInfo(host)
if err != nil {
return err
}
if !esxfw.Enabled {
fmt.Fprintln(os.Stderr, "host firewall is disabled")
}
}
info, err := fs.Info(ctx)
if err != nil {
return err
}
if f.NArg() != 0 {
// TODO: f.Args() -> types.HostFirewallRulesetIpList
return flag.ErrHelp
}
rs := object.HostFirewallRulesetList(info.Ruleset)
matched, err := rs.EnabledByRule(cmd.HostFirewallRule, cmd.enabled)
if err != nil {
return err
}
for _, r := range matched {
fmt.Println(r.Key)
}
return nil
}
func (v *Validator) CheckFirewall(ctx context.Context) {
if v.DisableFirewallCheck {
return
}
defer trace.End(trace.Begin(""))
var hosts []*object.HostSystem
var err error
rule := types.HostFirewallRule{
Port: constants.SerialOverLANPort, // serialOverLANPort
PortType: types.HostFirewallRulePortTypeDst,
Protocol: string(types.HostFirewallRuleProtocolTcp),
Direction: types.HostFirewallRuleDirectionOutbound,
}
errMsg := "Firewall check SKIPPED"
if !v.sessionValid(errMsg) {
return
}
if hosts, err = v.Session.Datastore.AttachedClusterHosts(ctx, v.Session.Cluster); err != nil {
log.Errorf("Unable to get the list of hosts attached to given storage: %s", err)
v.NoteIssue(err)
return
}
var misconfiguredEnabled []string
var misconfiguredDisabled []string
var correct []string
for _, host := range hosts {
fs, err := host.ConfigManager().FirewallSystem(ctx)
if err != nil {
v.NoteIssue(err)
break
}
disabled := false
esxfw, err := esxcli.GetFirewallInfo(host)
if err != nil {
v.NoteIssue(err)
break
}
if !esxfw.Enabled {
disabled = true
log.Infof("Firewall status: DISABLED on %q", host.InventoryPath)
} else {
log.Infof("Firewall status: ENABLED on %q", host.InventoryPath)
}
info, err := fs.Info(ctx)
if err != nil {
v.NoteIssue(err)
break
}
rs := object.HostFirewallRulesetList(info.Ruleset)
_, err = rs.EnabledByRule(rule, true)
if err != nil {
if !disabled {
misconfiguredEnabled = append(misconfiguredEnabled, host.InventoryPath)
} else {
misconfiguredDisabled = append(misconfiguredDisabled, host.InventoryPath)
}
} else {
correct = append(correct, host.InventoryPath)
}
}
if len(correct) > 0 {
log.Info("Firewall configuration OK on hosts:")
for _, h := range correct {
log.Infof(" %q", h)
}
}
if len(misconfiguredEnabled) > 0 {
log.Error("Firewall configuration incorrect on hosts:")
for _, h := range misconfiguredEnabled {
log.Errorf(" %q", h)
}
// TODO: when we can intelligently place containerVMs on hosts with proper config, install
// can proceed if there is at least one host properly configured. For now this prevents install.
err = fmt.Errorf("Firewall must permit %d/tcp outbound to use VIC", rule.Port)
log.Error(err)
v.NoteIssue(err)
}
if len(misconfiguredDisabled) > 0 {
log.Warning("Firewall configuration will be incorrect if firewall is reenabled on hosts:")
for _, h := range misconfiguredDisabled {
log.Warningf(" %q", h)
}
log.Warnf("Firewall must permit %d/tcp outbound if firewall is reenabled", rule.Port)
}
return
}