author | Stig Thormodsrud <stig@vyatta.com> | 2009-04-09 11:27:31 -0700 |
---|---|---|
committer | Stig Thormodsrud <stig@vyatta.com> | 2009-04-09 11:27:31 -0700 |
commit | 22ca661c3cd95ef08459b83d010b31bd6e851b67 (patch) | |
tree | 90bf70fd3fabc277faf1a0e55268642d92bfb57f | |
parent | 789bb8a2bbce86b064460ac62fa09c25323d5f44 (diff) | |
Add ability for firewall name to select default policy.
-rw-r--r-- | lib/Vyatta/IpTables/Rule.pm | 10 | ||||
-rwxr-xr-x | scripts/firewall/vyatta-firewall.pl | 60 | ||||
-rw-r--r-- | templates/firewall/ipv6-modify/node.tag/default-policy/node.def | 12 | ||||
-rw-r--r-- | templates/firewall/ipv6-name/node.tag/default-policy/node.def | 12 | ||||
-rw-r--r-- | templates/firewall/modify/node.tag/default-policy/node.def | 12 | ||||
-rw-r--r-- | templates/firewall/name/node.tag/default-policy/node.def | 12 |
6 files changed, 109 insertions, 9 deletions
diff --git a/lib/Vyatta/IpTables/Rule.pm b/lib/Vyatta/IpTables/Rule.pm
index 46925ac..46f3acf 100644
--- a/lib/Vyatta/IpTables/Rule.pm
+++ b/lib/Vyatta/IpTables/Rule.pm
@@ -122,10 +122,18 @@ sub new {
 }
 
 sub setupDummy {
-  my $self = shift;
+  my ($self, $level) = @_;
+
   %{$self} = %dummy_rule;
   $src = new Vyatta::IpTables::AddressFilter;
   $dst = new Vyatta::IpTables::AddressFilter;
+
+  # set the default policy
+  my $config = new Vyatta::Config;
+  $config->setLevel("$level");
+  my $policy = $config->returnOrigValue('default-policy');
+  $policy = 'drop' if ! defined $policy;
+  $self->{_action} = $policy;
 }
 
 sub setup_base {
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl
index 6f73c77..32704eb 100755
--- a/scripts/firewall/vyatta-firewall.pl
+++ b/scripts/firewall/vyatta-firewall.pl
@@ -60,6 +60,10 @@ my %inhook_hash = ( 'filter' => 'FORWARD',
 my %outhook_hash = ( 'filter' => 'FORWARD',
                      'mangle' => 'POSTROUTING' );
 
+# mapping from vyatta 'default-policy' to iptables jump target
+my %policy_hash = ( 'drop' => 'DROP',
+                    'accept' => 'RETURN' );
+
 sub other_table {
   my $this = shift;
   return (($this eq 'filter') ? 'mangle' : 'filter');
@@ -224,8 +228,11 @@ sub update_rules {
 
   # Iterate through ruleset names under "name" or "modify"
   for my $name (keys %nodes) {
-
-    log_msg "update_rules: status of node $name is $nodes{$name} \n";
+    $config->setLevel("firewall $tree $name");
+    my $policy = $config->returnValue("default-policy");
+    $policy = 'drop' if ! defined $policy;
+    my $old_policy = $config->returnOrigValue("default-policy");
+    log_msg "update_rules: status of node $name is $nodes{$name} [$policy]\n";
 
     if ($nodes{$name} eq "static") {
       # not changed. check if stateful.
@@ -251,7 +258,7 @@ sub update_rules {
            . "Rule set name \"$name\" already used in \"$ctree\"\n";
         exit 1;
       }
-      setup_chain($table, "$name", $iptables_cmd);
+      setup_chain($table, "$name", $iptables_cmd, $policy);
       # handle the rules below.
     } elsif ($nodes{$name} eq "deleted") {
 
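Review bot: setupDummy reads the default policy with `returnOrigValue`, while the new code in update_rules reads the working value with `my $policy = $config->returnValue("default-policy")`, so in the commit that first sets `default-policy accept` the dummy rule's `_action` still comes out as 'drop' (undef is mapped to 'drop' on the next line). If the dummy rule is meant to mirror the chain's terminal rule, `returnValue` keeps the two in step; if the original value is intended here, a comment saying why would help. The new `$level` parameter also means every existing caller of setupDummy has to be updated to pass it — those callers are outside this hunk, and a caller that still passes nothing presumably ends up with `setLevel("")` and a lookup at the config root that always yields 'drop'. `$config->setLevel("$level")` can simply be `$config->setLevel($level)`.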
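Review bot: The comment above `%policy_hash` says what the table is but not why `accept` maps to `RETURN` rather than `ACCEPT`; in iptables, RETURN hands the packet back to the calling hook chain (FORWARD or POSTROUTING here) where the rules after the jump still apply, whereas ACCEPT ends traversal of that hook. That distinction decides whether a second rule set or the other table still sees the packet, so it is worth one line: `# 'accept' uses RETURN, not ACCEPT: the packet goes back to the calling hook chain so rules after the jump still apply`.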
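Review bot: `$old_policy` is taken straight from `returnOrigValue` with no fallback, unlike `$policy` on the line above it, and the hunk at `@@ -366,8 +372,12 @@` only calls change_default_policy when `defined $old_policy`. If `returnOrigValue` returns undef for an existing rule set whose default-policy was never set explicitly, a change from the implicit 'drop' to 'accept' is never pushed to the chain; the `default: "drop"` in the new node.def files may make that case unreachable, but the script should not depend on the template for it. Since the `defined` test appears to exist to skip rule sets that are being created (setup_chain already applied `$policy` for those), gate that call on `$nodes{$name}` instead and give the old value the same fallback: `$old_policy = 'drop' if ! defined $old_policy;`. update_rules begins and ends outside this hunk.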
@@ -281,7 +288,6 @@ sub update_rules {
       # note that this clears the counters on the default DROP rule.
       # we could delete rule one by one if those are important.
       run_cmd("$iptables_cmd -t $table -F $name", 1, 1);
-      add_default_drop_rule($table, $name, $iptables_cmd);
       next;
     }
 
@@ -366,8 +372,12 @@ sub update_rules {
         die "$iptables_cmd error: $! - $rule" if ($? >> 8);
       }
     }
+    } # foreach rule
+
+    if (defined $old_policy and $policy ne $old_policy) {
+      change_default_policy($table, $name, $iptables_cmd, $policy);
     }
-  }
+  } # foreach name
 
   if ($stateful) {
     enable_fw_conntrack($iptables_cmd);
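Review bot: Removing `add_default_drop_rule` after `run_cmd("$iptables_cmd -t $table -F $name", 1, 1)` leaves this path with no replacement: the flush empties the chain and the `next;` that follows skips the rest of the loop body, so nothing re-adds a terminal rule. If this is the branch for a rule set that currently has no rules, the chain then ends without a DROP or RETURN rule and traffic that traverses it falls back to the hook chain — the behaviour of `accept` regardless of the configured default-policy (the comment two lines above still speaks of "the default DROP rule"). Keep the terminal rule on this path with `set_default_policy($table, $name, $iptables_cmd, $policy);` in place of the removed call. The enclosing branch starts outside the hunk.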
@@ -593,11 +603,45 @@ sub setup_iptables {
 
 sub add_default_drop_rule {
   my ($table, $chain, $iptables_cmd) = @_;
-  run_cmd("$iptables_cmd -t $table -A $chain -m comment --comment \"$chain-1025\" -j DROP", 1, 1);
+  log_msg("add_default_drop_rule($iptables_cmd, $table, $chain)");
+  my $comment = "-m comment --comment \"$chain-1025\"";
+  run_cmd("$iptables_cmd -t $table -A $chain $comment -j DROP", 1, 1);
 }
 
-sub setup_chain {
+sub set_default_policy {
+  my ($table, $chain, $iptables_cmd, $policy) = @_;
+
+  $policy = 'drop' if ! defined $policy;
+  log_msg("set_default_policy($iptables_cmd, $table, $chain, $policy)");
+  my $target = $policy_hash{$policy};
+  my $comment = "-m comment --comment \"$chain-1025 default-policy $policy\"";
+  run_cmd("$iptables_cmd -t $table -A $chain $comment -j $target", 1, 1);
+}
+
+sub count_iptables_rules {
   my ($table, $chain, $iptables_cmd) = @_;
+  my @lines = `$iptables_cmd -t $table -L $chain -n --line`;
+  my $cnt = 0;
+  foreach my $line (@lines) {
+    $cnt++ if $line =~ /^\d/;
+  }
+  return $cnt;
+}
+
+sub change_default_policy {
+  my ($table, $chain, $iptables_cmd, $policy) = @_;
+
+  $policy = 'drop' if ! defined $policy;
+  log_msg("change_default_policy($iptables_cmd, $table, $chain, $policy)");
+  my $target = $policy_hash{$policy};
+  my $comment = "-m comment --comment \"$chain-1025 default-policy $policy\"";
+  my $default_rule = count_iptables_rules($table, $chain, $iptables_cmd);
+  run_cmd("$iptables_cmd -t $table -A $chain $comment -j $target", 1, 1);
+  run_cmd("$iptables_cmd -t $table -D $chain $default_rule", 1, 1);
+}
+
+sub setup_chain {
+  my ($table, $chain, $iptables_cmd, $policy) = @_;
   my $configured = `$iptables_cmd -t $table -n -L $chain 2>&1 | head -1`;
 
 
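Review bot: change_default_policy derives the rule number to delete from count_iptables_rules, which returns 0 when the chain cannot be listed or the output is not in `--line` format, so the following `-D $chain 0` fails; it also silently assumes the last listed rule is the default-policy rule. Both set_default_policy and change_default_policy use `$policy_hash{$policy}` without checking the key, so any value other than drop/accept yields `-j ` with an empty target and the chain is left without a terminal rule. Replace the append-then-delete pair with a single `-R` (replace the rule in place) so exactly one default-policy rule exists at every moment and there is no second rule number to get wrong, and fail closed on an unknown policy; the duplicated comment-building lines could also move into a helper shared by both subs.
```perl
sub change_default_policy {
  my ($table, $chain, $iptables_cmd, $policy) = @_;

  $policy = 'drop' if ! defined $policy;
  log_msg("change_default_policy($iptables_cmd, $table, $chain, $policy)");
  my $target = $policy_hash{$policy};
  die "unknown default-policy '$policy' for chain $chain\n" if ! defined $target;
  my $comment = "-m comment --comment \"$chain-1025 default-policy $policy\"";
  my $default_rule = count_iptables_rules($table, $chain, $iptables_cmd);
  die "no rules found in $table/$chain, cannot replace default policy\n"
    if $default_rule == 0;
  # -R replaces the terminal rule in place: no append-then-delete window
  # and no second rule number to get wrong
  run_cmd("$iptables_cmd -t $table -R $chain $default_rule $comment -j $target", 1, 1);
}
```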
@@ -605,7 +649,7 @@ sub setup_chain {
   if (!/^Chain $chain/) {
     run_cmd("$iptables_cmd -t $table --new-chain $chain", 0, 0);
     die "iptables error: $table $chain --new-chain: $!" if ($? >> 8);
-    add_default_drop_rule($table, $chain, $iptables_cmd);
+    set_default_policy($table, $chain, $iptables_cmd, $policy);
   }
 }
 
diff --git a/templates/firewall/ipv6-modify/node.tag/default-policy/node.def b/templates/firewall/ipv6-modify/node.tag/default-policy/node.def
new file mode 100644
index 0000000..d88d82f
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/default-policy/node.def
@@ -0,0 +1,12 @@
+type: txt
+
+help: Set firewall default-policy
+
+default: "drop"
+
+syntax:expression: $VAR(@) in "drop", "accept";
+  "default-policy must be either drop or accept"
+
+comp_help: possible completions:
+  drop    Drop if no prior rules are hit (default)
+  accept  Accept if no prior rules are hit
diff --git a/templates/firewall/ipv6-name/node.tag/default-policy/node.def b/templates/firewall/ipv6-name/node.tag/default-policy/node.def
new file mode 100644
index 0000000..d88d82f
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/default-policy/node.def
@@ -0,0 +1,12 @@
+type: txt
+
+help: Set firewall default-policy
+
+default: "drop"
+
+syntax:expression: $VAR(@) in "drop", "accept";
+  "default-policy must be either drop or accept"
+
+comp_help: possible completions:
+  drop    Drop if no prior rules are hit (default)
+  accept  Accept if no prior rules are hit
diff --git a/templates/firewall/modify/node.tag/default-policy/node.def b/templates/firewall/modify/node.tag/default-policy/node.def
new file mode 100644
index 0000000..d88d82f
--- /dev/null
+++ b/templates/firewall/modify/node.tag/default-policy/node.def
@@ -0,0 +1,12 @@
+type: txt
+
+help: Set firewall default-policy
+
+default: "drop"
+
+syntax:expression: $VAR(@) in "drop", "accept";
+  "default-policy must be either drop or accept"
+
+comp_help: possible completions:
+  drop    Drop if no prior rules are hit (default)
+  accept  Accept if no prior rules are hit
diff --git a/templates/firewall/name/node.tag/default-policy/node.def b/templates/firewall/name/node.tag/default-policy/node.def
new file mode 100644
index 0000000..d88d82f
--- /dev/null
+++ b/templates/firewall/name/node.tag/default-policy/node.def
@@ -0,0 +1,12 @@
+type: txt
+
+help: Set firewall default-policy
+
+default: "drop"
+
+syntax:expression: $VAR(@) in "drop", "accept";
+  "default-policy must be either drop or accept"
+
+comp_help: possible completions:
+  drop    Drop if no prior rules are hit (default)
+  accept  Accept if no prior rules are hit