author | Bob Gilligan <gilligan@vyatta.com> | 2009-01-21 17:27:31 -0800 |
committer | Bob Gilligan <gilligan@vyatta.com> | 2009-01-21 17:27:31 -0800 |
commit | c1b35e85eff4bb00ed7e7098fa1aee54d919608a (patch) | |
tree | 55d0f19e36d14f4a6fa4e24d14949fa3ae769d15 | |
parent | cc811731ba98e6b5f76cfea66960c2c8e2943532 (diff) | |
Initial support for IPv6.
51 files changed, 451 insertions, 91 deletions
diff --git a/lib/Vyatta/IpTables/AddressFilter.pm b/lib/Vyatta/IpTables/AddressFilter.pm index f2a60e6..3689ee2 100755 --- a/lib/Vyatta/IpTables/AddressFilter.pm +++ b/lib/Vyatta/IpTables/AddressFilter.pm @@ -44,6 +44,7 @@ my %fields = ( _port => undef, _protocol => undef, _src_mac => undef, + _name => undef, ); sub new { @@ -63,6 +64,8 @@ sub setup { $config->setLevel("$level"); + $self->{_name} = $config->returnParent(".. .. .. .. .."); + # setup needed parent nodes $self->{_srcdst} = $config->returnParent(".."); $self->{_protocol} = $config->returnValue(".. protocol"); @@ -95,6 +98,8 @@ sub setupOrig { $config->setLevel("$level"); + $self->{_name} = $config->returnParent(".. .. .. .. .."); + # setup needed parent nodes $self->{_srcdst} = $config->returnParent(".."); $self->{_protocol} = $config->returnOrigValue(".. protocol"); @@ -140,6 +145,30 @@ sub rule { my ($self) = @_; my $rule = ""; my $can_use_port = 1; + + my $addr_checker; + my $prefix_checker; + my $ip_term; + my $prefix_term; + + if (($self->{_name} eq "name") || ($self->{_name} eq "modify")) { + # This is an IPv4 rule + + $addr_checker = 'ipv4_negate'; + $prefix_checker = 'ipv4net_negate'; + $ip_term = "IPv4"; + $prefix_term = "subnet"; + } elsif (($self->{_name} eq "ipv6-name") || + ($self->{_name} eq "ipv6-modify")) { + # This is an IPv6 rule + + $addr_checker = 'ipv6_negate'; + $prefix_checker = 'ipv6net_negate'; + $ip_term = "IPv6"; + $prefix_term = "prefix" + } else { + return (undef, "Invalid firewall tree: $self->{_name}"); + } if (!defined($self->{_protocol}) || !defined($_protocolswithports{$self->{_protocol}})) { 
@@ -156,17 +185,18 @@ sub rule { # set the address filter parameters if (defined($self->{_network})) { my $str = $self->{_network}; - return (undef, "\"$str\" is not a valid IP subnet") - if (!Vyatta::TypeChecker::validateType('ipv4net_negate', $str, 1)); + return (undef, "\"$str\" is not a valid $ip_term $prefix_term") + if (!Vyatta::TypeChecker::validateType($prefix_checker, $str, 1)); $str =~ s/^\!(.*)$/! $1/; $rule .= "--$self->{_srcdst} $str "; } elsif (defined($self->{_address})) { my $str = $self->{_address}; - return (undef, "\"$str\" is not a valid IP address") - if (!Vyatta::TypeChecker::validateType('ipv4_negate', $str, 1)); + return (undef, "\"$str\" is not a valid $ip_term address") + if (!Vyatta::TypeChecker::validateType($addr_checker, $str, 1)); $str =~ s/^\!(.*)$/! $1/; $rule .= "--$self->{_srcdst} $str "; } elsif ((defined $self->{_range_start}) && (defined $self->{_range_stop})) { + # Ranges are supported for IPv4 only my $start = $self->{_range_start}; my $stop = $self->{_range_stop}; return (undef, "\"$start-$stop\" is not a valid IP range") @@ -209,3 +239,8 @@ sub outputXml { outputXmlElem("${prefix}_port", $self->{_port}, $fh); } +# Local Variables: +# mode: perl +# indent-tabs-mode: nil +# perl-indent-level: 2 +# End: diff --git a/lib/Vyatta/IpTables/Rule.pm b/lib/Vyatta/IpTables/Rule.pm index 23755a6..a53b167 100644 --- a/lib/Vyatta/IpTables/Rule.pm +++ b/lib/Vyatta/IpTables/Rule.pm @@ -581,3 +581,9 @@ Date should use yyyy-mm-dd format and lie in between 1970-01-01 and 2038-01-19") } 1; + +# Local Variables: +# mode: perl +# indent-tabs-mode: nil +# perl-indent-level: 2 +# End: diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl index 0ad6a77..9625c43 100755 --- a/scripts/firewall/vyatta-firewall.pl +++ b/scripts/firewall/vyatta-firewall.pl 
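Review bot: In the tree detection added at the top of `rule`, `$self->{_name}` is undef whenever `returnParent(".. .. .. .. ..")` finds no node, so the four `eq` tests warn and the fallback returns `Invalid firewall tree: ` with an empty name; normalise first with `my $tree = defined $self->{_name} ? $self->{_name} : '';` and compare `$tree` in the `if`/`elsif` chain. The five-level relative path also hard-codes where the address node sits below `firewall <tree>`, which deserves a comment, since a template reshuffle would silently break the IPv4/IPv6 split rather than fail loudly. The `$prefix_term = "prefix"` line is missing its semicolon and only parses because it is the last statement in its block. `rule` continues past the end of this hunk.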
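Review bot: The range branch at the bottom of this hunk still falls through to the IPv4 range validation for every tree, even though the added comment says ranges are IPv4-only, so a range under `ipv6-name` would be reported as `is not a valid IP range` instead of as an unsupported feature. Make the intent explicit ahead of `my $start = ...`: `return (undef, "IP ranges are not supported for $ip_term rules") if ($ip_term eq "IPv6");`. This is moot if the IPv6 templates omit the range nodes entirely; the source-side templates that would show that are not in view. The branch continues past the end of the hunk.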
@@ -9,19 +9,37 @@ use Getopt::Long; # Send output of shell commands to syslog for debugging and so that # the user is not confused by it. Log at debug level, which is supressed # by default, so that we don't unnecessarily fill up the syslog file. - my $logger = 'logger -t firewall-cfg -p local0.debug --'; +# Enable printing debug output to stdout. +my $debug_flag = 0; + +# Enable sending debug output to syslog. +my $syslog_flag = 0; + my @updateints = (); GetOptions("setup" => \$setup, "teardown" => \$teardown, "update-rules" => \$updaterules, "update-interfaces=s{4}" => \@updateints, + "debug" => \$debug_flag, + "syslog" => \$syslog_flag ); -# mapping from config node to iptables table -my %table_hash = ( 'name' => 'filter', - 'modify' => 'mangle', ); +# mapping from config node to iptables/ip6tables table +my %table_hash = ( 'name' => 'filter', + 'ipv6-name' => 'filter', + 'modify' => 'mangle', + 'ipv6-modify' => 'mangle' ); + +# mapping from config node to iptables command. Note that this table +# has the same keys as %table hash, so a loop iterating through the +# keys of %table_hash can use the same keys to find the value associated +# with the key in this table. +my %cmd_hash = ( 'name' => 'iptables', + 'ipv6-name' => 'ip6tables', + 'modify' => 'iptables', + 'ipv6-modify' => 'ip6tables'); sub other_table { my $this = shift; @@ -29,12 +47,14 @@ sub other_table { } if (defined $setup) { - setup_iptables(); + setup_iptables(iptables); + setup_iptables(ip6tables); exit 0; } my $update_zero_count = 0; if (defined $updaterules) { + # Iterate through the top-level trees under "firewall" foreach (keys %table_hash) { update_rules($_); } @@ -45,6 +65,7 @@ if ($#updateints == 3) { my ($action, $int_name, $direction, $chain) = @updateints; my $tree = chain_configured(0, $chain, undef); my $table = $table_hash{$tree}; + my $iptables_cmd = $cmd_hash{$tree}; if ($action eq "update") { # make sure chain exists if (!defined($tree)) { 
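Review bot: The two new calls `setup_iptables(iptables);` and `setup_iptables(ip6tables);` pass barewords, which only work because the script apparently does not `use strict` (its preamble is outside this hunk); quote them, `setup_iptables('iptables'); setup_iptables('ip6tables');`, and do the same for `foreach $table (filter, mangle)` in `setup_iptables` further down the diff. In the preceding hunk the comment on `%cmd_hash` promises its keys mirror `%table_hash`, and every caller now depends on that; a single hash of `{ table => ..., cmd => ... }` records, or at least a startup check that the two key sets are equal, would stop them drifting apart.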
@@ -55,18 +76,23 @@ if ($#updateints == 3) { } # chain must have been set up. no need to set up again. # user may specify a chain in a different tree. try to delete it - # from the "other" tree first. - update_ints('delete', $int_name, $direction, $chain, other_table($table)); + # from the "other" trees first. + foreach $other_tree (keys %table_hash) { + if ($other_tree ne $tree) { + update_ints('delete', $int_name, $direction, $chain, + $table_hash{$other_tree}, $cmd_hash{$other_tree}); + } + } # do update action. - update_ints(@updateints, $table); + update_ints(@updateints, $table, $iptables_cmd); } else { # delete if (defined($tree)) { - update_ints(@updateints, $table); + update_ints(@updateints, $table, $iptables_cmd); } else { - # chain not configured. try both tables. + # chain not configured. try all tables. foreach (keys %table_hash) { - update_ints(@updateints, $table_hash{$_}); + update_ints(@updateints, $table_hash{$_}, $cmd_hash{$_}); } } } @@ -77,7 +103,7 @@ if ($#updateints == 3) { if (defined $teardown) { foreach (keys %table_hash) { $update_zero_count += 1; - teardown_iptables($table_hash{$_}); + teardown_iptables($table_hash{$_}, $cmd_hash{$_}); } exit 0; } 
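Review bot: `my $iptables_cmd = $cmd_hash{$tree};` is evaluated before the `!defined($tree)` check that follows it, so on the delete-with-unconfigured-chain path `$tree` is undef and the lookup runs with an undef key (a warning under `-w`, and an undef command if that path ever uses it); write `my $iptables_cmd = defined $tree ? $cmd_hash{$tree} : undef;` or move the assignment under the check, as `$table` should be too. In the -55 hunk, `foreach $other_tree (keys %table_hash)` uses an undeclared package global; `foreach my $other_tree (...)` keeps it lexical. The `if ($#updateints == 3)` block starts before these hunks.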
@@ -95,29 +121,73 @@ sub help() { print "\n"; } +sub run_cmd($$$) { + my ($cmd_to_run, $redirect_flag, $logger_flag) = @_; + + my $cmd_extras; + + if ($debug_flag) { + print "DEBUG: Running: $cmd_to_run \n"; + } + + if ($syslog_flag) { + system("$logger DEBUG: Running: $cmd_to_run"); + } + + if ($redirect_flag) { + $cmd_extras = ' 2>&1'; + } + + if ($logger_flag) { + $cmd_extras = "$cmd_extras | $logger"; + } + + system("$cmd_to_run $cmd_extras"); +} + +sub log_msg($) { + my $message = shift; + + if ($debug_flag) { + print "DEBUG: $message"; + } + + if ($syslog_flag) { + system("$logger DEBUG: $message"); + } +} + sub update_rules($) { - my $tree = shift; - my $table = $table_hash{$tree}; + my $tree = shift; # name, modify, ipv6-name or ipv6-modify + my $table = $table_hash{$tree}; # "filter" or "mangle" + my $iptables_cmd = $cmd_hash{$tree}; # "iptables" or "ip6tables" my $config = new Vyatta::Config; my $name = undef; my %nodes = (); - system ("$logger Executing update_rules."); + log_msg "update_rules: $tree $table $iptables_cmd\n"; $config->setLevel("firewall $tree"); %nodes = $config->listNodeStatus(); if ((scalar (keys %nodes)) == 0) { + + log_msg "update_rules: no nodes at this level \n"; + # no names. teardown the user chains and return. $update_zero_count += 1; - teardown_iptables($table); + teardown_iptables($table, $iptables_cmd); return; } # by default, nothing needs to be tracked. my $stateful = 0; + # Iterate through ruleset names under "name" or "modify" for $name (keys %nodes) { + + log_msg "update_rules: status of node $name is $nodes{$name} \n"; + if ($nodes{$name} eq "static") { # not changed. check if stateful. $config->setLevel("firewall $tree $name rule"); @@ -132,6 +202,7 @@ sub update_rules($) { } next; } elsif ($nodes{$name} eq "added") { + # create the chain my $ctree = chain_configured(2, $name, $tree); if (defined($ctree)) { 
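Review bot: `run_cmd` passes every command to the shell as a single interpolated string, and the values its callers splice in — rule set names from `listNodeStatus`, interface names from the `--update-interfaces` arguments — are never checked for shell metacharacters before `system("$cmd_to_run $cmd_extras")` runs them as root at commit time (the new `ipv6-name` template only forbids a leading `-`). The `| $logger` pipe rules out the list form of `system`, so validate at the entry points instead, e.g. `die "invalid rule set name: $name\n" unless $name =~ /^[A-Za-z0-9_-]+$/;` in `update_rules` and an equivalent anchored check on `$int_name` in `update_ints`; whether configuration users can reach this without already holding root is a privilege-model question the diff cannot answer. Separately, `$cmd_extras` is never initialised, so with both flags off the command is built from an undef (a warning under `-w`); declare it as `my $cmd_extras = '';`.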
@@ -140,17 +211,20 @@ sub update_rules($) { . "Rule set name \"$name\" already used in \"$ctree\"\n"; exit 1; } - setup_chain($table, "$name"); + setup_chain($table, "$name", $iptables_cmd); # handle the rules below. } elsif ($nodes{$name} eq "deleted") { + + log_msg "node $name is $nodes{$name} \n"; + # delete the chain - if (chain_referenced($table, $name)) { + if (chain_referenced($table, $name, $iptables_cmd)) { # disallow deleting a chain if it's still referenced print STDERR 'Firewall config error: ' . "Cannot delete rule set \"$name\" (still in use)\n"; exit 1; } - delete_chain($table, "$name"); + delete_chain($table, "$name", $iptables_cmd); next; } elsif ($nodes{$name} eq "changed") { # handle the rules below. @@ -166,9 +240,10 @@ sub update_rules($) { # no rules. flush the user rules. # note that this clears the counters on the default DROP rule. # we could delete rule one by one if those are important. - system("$logger Running: iptables -F $name"); - system("iptables -t $table -F $name 2>&1 | $logger"); - add_default_drop_rule($table, $name); +# system("$logger Running: $iptables_cmd -F $name"); +# system("$iptables_cmd -t $table -F $name 2>&1 | $logger"); + run_cmd("$iptables_cmd -t $table -F $name", 1, 1); + add_default_drop_rule($table, $name, $iptables_cmd); next; } @@ -199,9 +274,12 @@ sub update_rules($) { if (!defined) { last; } - system ("$logger Insert iptables $table $name $iptablesrule $_"); - system ("iptables -t $table --insert $name $iptablesrule $_"); - die "iptables error: $! - $_" if ($? >> 8); + + # system ("$logger Insert $iptables_cmd $table $name $iptablesrule $_"); + # system ("$iptables_cmd -t $table --insert $name $iptablesrule $_"); + run_cmd("$iptables_cmd -t $table --insert $name $iptablesrule $_", + 0, 0); + die "$iptables_cmd error: $! - $_" if ($? >> 8); $iptablesrule++; } } elsif ("$rulehash{$rule}" eq "changed") { 
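Review bot: The rewritten `die "$iptables_cmd error: $! - $_" if ($? >> 8);` after each `run_cmd(..., 0, 0)` reports `$!`, which is only meaningful when `system` failed to fork or exec; when iptables runs and exits non-zero, `$!` is stale and the message misattributes the failure. Report the exit status instead: `die "$iptables_cmd error (exit " . ($? >> 8) . "): $_";` — the same pattern recurs in the `changed` and `deleted` branches further down. The rule set loop these hunks belong to starts before them.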
@@ -222,18 +300,22 @@ sub update_rules($) { my $ipt_rules = $oldnode->get_num_ipt_rules(); for (1 .. $ipt_rules) { - system ("$logger Delete iptables $table $name $iptablesrule"); - system ("iptables -t $table --delete $name $iptablesrule"); - die "iptables error: $! - $rule" if ($? >> 8); + # system ("$logger Delete $iptables_cmd $table $name $iptablesrule"); + # system ("$iptables_cmd -t $table --delete $name $iptablesrule"); + run_cmd("$iptables_cmd -t $table --delete $name $iptablesrule", 0, + 0); + die "$iptables_cmd error: $! - $rule" if ($? >> 8); } foreach (@rule_strs) { if (!defined) { last; } - system ("$logger Insert iptables $table $name $iptablesrule $_"); - system ("iptables -t $table --insert $name $iptablesrule $_"); - die "iptables error: $! - $rule_str" if ($? >> 8); + # system ("$logger Insert $iptables_cmd $table $name $iptablesrule $_"); + # system ("$iptables_cmd -t $table --insert $name $iptablesrule $_"); + run_cmd("$iptables_cmd -t $table --insert $name $iptablesrule $_", + 0, 0); + die "$iptables_cmd error: $! - $rule_str" if ($? >> 8); $iptablesrule++; } } elsif ("$rulehash{$rule}" eq "deleted") { @@ -242,17 +324,20 @@ sub update_rules($) { my $ipt_rules = $node->get_num_ipt_rules(); for (1 .. $ipt_rules) { - system ("$logger Delete iptables $table $name $iptablesrule"); - system ("iptables -t $table --delete $name $iptablesrule"); - die "iptables error: $! - $rule" if ($? >> 8); + # system ("$logger Delete $iptables_cmd $table $name $iptablesrule"); + # system ("$iptables_cmd -t $table --delete $name $iptablesrule"); + run_cmd("$iptables_cmd -t $table --delete $name $iptablesrule", + 0, 0); + die "$iptables_cmd error: $! - $rule" if ($? >> 8); } } } } + if ($stateful) { - enable_fw_conntrack(); + enable_fw_conntrack($iptables_cmd); } else { - disable_fw_conntrack(); + disable_fw_conntrack($iptables_cmd); } } 
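Review bot: The `enable_fw_conntrack`/`disable_fw_conntrack` call at the end of this hunk is made once per tree with that tree's `$stateful`, yet `name` and `modify` share `iptables` (and the two IPv6 trees share `ip6tables`), so whichever tree of a pair `keys %table_hash` yields last decides `FW_CONNTRACK` for the whole address family — a stateless `modify` tree can switch tracking off underneath a stateful `name` tree, and hash order makes the outcome non-deterministic. The two-tree script had the same shape, but with four trees it is worth fixing: accumulate per command (`$stateful_for{$iptables_cmd} ||= $stateful;`) and apply the toggle once per command after the `update_rules` loop in the `--update-rules` handler. The rest of `update_rules`, including where `$stateful` is set, lies before this hunk.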
@@ -282,11 +367,13 @@ sub chain_configured($$$) { } sub update_ints() { - my ($action, $int_name, $direction, $chain, $table) = @_; + my ($action, $int_name, $direction, $chain, $table, $iptables_cmd) = @_; my $interface = undef; + log_msg "update_ints: @_ \n"; + if (! defined $action || ! defined $int_name || ! defined $direction - || ! defined $chain || ! defined $table) { + || ! defined $chain || ! defined $table || ! defined $iptables_cmd) { return -1; } @@ -321,14 +408,32 @@ sub update_ints() { }; } + # In the update case, we want to see if the new rule will replace one + # that is already in the table. In the delete case, we need to find + # the rule in the table that we need to delete. Either way, we + # start by listing the rules rules already in the table. my $grep = "egrep ^[0-9] | grep $int_name"; my @lines - = `iptables -t $table -L $direction -n -v --line-numbers | $grep`; + = `$iptables_cmd -t $table -L $direction -n -v --line-numbers | $grep`; my ($cmd, $num, $oldchain, $in, $out, $ignore) = (undef, undef, undef, undef, undef, undef); + foreach (@lines) { - ($num, $ignore, $ignore, $oldchain, $ignore, $ignore, $in, $out, - $ignore, $ignore) = split /\s+/; + # Parse the line representing one rule in the table. Note that + # there is a slight difference in output format between the "iptables" + # and "ip6tables" comands. The "iptables" command displays "--" in + # the "opt" column, while the "ip6tables" command leaves that + # column blank. + if ($iptables_cmd eq "iptables") { + ($num, $ignore, $ignore, $oldchain, $ignore, $ignore, $in, $out, + $ignore, $ignore) = split /\s+/; + } else { + ($num, $ignore, $ignore, $oldchain, $ignore, $in, $out, + $ignore, $ignore) = split /\s+/; + + } + + # Look for a matching rule... if (($dir_str eq 'in' && $in eq $int_name) || ($dir_str eq 'out' && $out eq $int_name) || ($dir_str eq 'local' && $in eq $int_name)) { 
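Review bot: The two `split /\s+/` branches assign `$in`/`$out` by absolute field position, which is only right while ip6tables prints no `opt` cell and every row carries a target and protocol; a row that deviates shifts the fields, and because `update_ints` then replaces or deletes the rule it matched, a misparse acts on the wrong rule. Validate the parse before using it, e.g. after the `if`/`else`: `die "$iptables_cmd: unexpected -L output: $_" unless defined $out && $in =~ /^[\w.*-]+$/ && $out =~ /^[\w.*-]+$/;`. Locating the interface columns from the header line instead of by count would be less fragile, but is a larger change. `update_ints` starts before this hunk and continues after it.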
@@ -344,6 +449,7 @@ sub update_ints() { last; } } + if (!defined($cmd)) { # no matching rule if ($action eq 'update') { 
@@ -359,37 +465,43 @@ sub update_ints() { # no match. do nothing. return 0 if (!defined($cmd)); - system ("$logger Running: iptables -t $table $cmd"); - system("iptables -t $table $cmd"); + # system ("$logger Running: $iptables_cmd -t $table $cmd"); + # system("$iptables_cmd -t $table $cmd"); + run_cmd("$iptables_cmd -t $table $cmd", 0, 0); exit 1 if ($? >> 8); # the following delete_chain is probably no longer necessary since we # now disallow deleting a chain when it's still referenced if ($action eq 'replace' || $action eq 'delete') { if (!defined(chain_configured(2, $oldchain, undef))) { - if (!chain_referenced($table, $oldchain)) { - delete_chain($table, $oldchain); + if (!chain_referenced($table, $oldchain, $iptables_cmd)) { + delete_chain($table, $oldchain, $iptables_cmd); } } } return 0; } -sub enable_fw_conntrack { +sub enable_fw_conntrack($) { # potentially we can add rules in the FW_CONNTRACK chain to provide # finer-grained control over which packets are tracked. - system("$logger Running: iptables -t raw -R FW_CONNTRACK 1 -J ACCEPT"); - system("iptables -t raw -R FW_CONNTRACK 1 -j ACCEPT 2>&1 | $logger"); + my $iptables_cmd = shift; + # system("$logger Running: $iptables_cmd -t raw -R FW_CONNTRACK 1 -J ACCEPT"); + # system("$iptables_cmd -t raw -R FW_CONNTRACK 1 -j ACCEPT 2>&1 | $logger"); + run_cmd("$iptables_cmd -t raw -R FW_CONNTRACK 1 -j ACCEPT", 1, 1); } -sub disable_fw_conntrack { - system("$logger Running: iptables -t raw -R FW_CONNTRACK 1 -j RETURN"); - system("iptables -t raw -R FW_CONNTRACK 1 -j RETURN 2>&1 | $logger"); +sub disable_fw_conntrack($) { + my $iptables_cmd = shift; + # system("$logger Running: $iptables_cmd -t raw -R FW_CONNTRACK 1 -j RETURN"); + # system("$iptables_cmd -t raw -R FW_CONNTRACK 1 -j RETURN 2>&1 | $logger"); + run_cmd("$iptables_cmd -t raw -R FW_CONNTRACK 1 -j RETURN", 1, 1); } -sub teardown_iptables($) { - my $table = shift; - my @chains = `iptables -L -n -t $table`; +sub teardown_iptables($$) { + my ($table, 
$iptables_cmd) = @_; + log_msg "teardown_iptables executing: $iptables_cmd -L -n -t $table\n"; + my @chains = `$iptables_cmd -L -n -t $table`; my $chain; # $chain is going to look like this... @@ -402,7 +514,7 @@ sub teardown_iptables($) { if (($chain =~ /references/) && !($chain =~ /VYATTA_\w+_HOOK/)) { ($chain) = split /\(/, $chain; $chain =~ s/\s//g; - delete_chain($table, "$chain"); + delete_chain($table, "$chain", $iptables_cmd); } } } 
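Review bot: `enable_fw_conntrack` and `disable_fw_conntrack` now run `-R FW_CONNTRACK 1` through `run_cmd(..., 1, 1)`, which pipes stderr to `logger` at `local0.debug` and ignores `$?`, so if the ip6tables raw table is unavailable on the target kernel or the IPv6 `FW_CONNTRACK` chain was never created, a stateful IPv6 rule set commits cleanly while tracking is silently left in the wrong state. Because this command is expected to succeed, let a failure fail the commit: `run_cmd("$iptables_cmd -t raw -R FW_CONNTRACK 1 -j ACCEPT", 0, 0);` followed by `die "$iptables_cmd: cannot enable FW_CONNTRACK\n" if ($? >> 8);`, and the same for the RETURN variant. Whether the raw table exists for IPv6 on the shipped kernel is not visible from the diff.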
@@ -410,53 +522,69 @@ sub teardown_iptables($) { # remove the conntrack setup. return if ($update_zero_count != scalar(keys %table_hash)); my @lines - = `iptables -t raw -L PREROUTING -vn --line-numbers | egrep ^[0-9]`; + = `$iptables_cmd -t raw -L PREROUTING -vn --line-numbers | egrep ^[0-9]`; foreach (@lines) { my ($num, $ignore, $ignore, $chain, $ignore, $ignore, $in, $out, $ignore, $ignore) = split /\s+/; if ($chain eq "FW_CONNTRACK") { - system("iptables -t raw -D PREROUTING $num 2>&1 | $logger"); - system("iptables -t raw -D OUTPUT $num 2>&1 | $logger"); - system("iptables -t raw -F FW_CONNTRACK 2>&1 | $logger"); - system("iptables -t raw -X FW_CONNTRACK 2>&1 | $logger"); + # system("$iptables_cmd -t raw -D PREROUTING $num 2>&1 | $logger"); + run_cmd("$iptables_cmd -t raw -D PREROUTING", 1, 1); + # system("$iptables_cmd -t raw -D OUTPUT $num 2>&1 | $logger"); + run_cmd("$iptables_cmd -t raw -D OUTPUT $num", 1, 1); + # system("$iptables_cmd -t raw -F FW_CONNTRACK 2>&1 | $logger"); + run_cmd("$iptables_cmd -t raw -F FW_CONNTRACK", 1, 1); + # system("$iptables_cmd -t raw -X FW_CONNTRACK 2>&1 | $logger"); + run_cmd("$iptables_cmd -t raw -X FW_CONNTRACK", 1, 1); last; } } } -sub setup_iptables() { - foreach (keys %table_hash) { +sub setup_iptables($) { + my $iptables_cmd = shift; + foreach $table (filter, mangle) { $update_zero_count += 1; - teardown_iptables($table_hash{$_}); + teardown_iptables($table, $iptables_cmd); } + # by default, nothing is tracked (the last rule in raw/PREROUTING). 
- system("iptables -t raw -N FW_CONNTRACK 2>&1 | $logger"); - system("iptables -t raw -A FW_CONNTRACK -j RETURN 2>&1 | $logger"); - system("iptables -t raw -I PREROUTING 1 -j FW_CONNTRACK 2>&1 | $logger"); - system("iptables -t raw -I OUTPUT 1 -j FW_CONNTRACK 2>&1 | $logger"); + # system("$iptables_cmd -t raw -N FW_CONNTRACK 2>&1 | $logger"); + run_cmd("$iptables_cmd -t raw -N FW_CONNTRACK", 1 , 1); + # system("$iptables_cmd -t raw -A FW_CONNTRACK -j RETURN 2>&1 | $logger"); + run_cmd("$iptables_cmd -t raw -A FW_CONNTRACK -j RETURN", 1, 1); + # system("$iptables_cmd -t raw -I PREROUTING 1 -j FW_CONNTRACK 2>&1 | $logger"); + run_cmd("$iptables_cmd -t raw -I PREROUTING 1 -j FW_CONNTRACK", 1, 1); + # system("$iptables_cmd -t raw -I OUTPUT 1 -j FW_CONNTRACK 2>&1 | $logger"); + run_cmd("$iptables_cmd -t raw -I OUTPUT 1 -j FW_CONNTRACK", 1, 1); return 0; } -sub add_default_drop_rule($$) { - my ($table, $chain) = @_; - system("iptables -t $table -A $chain -j DROP 2>&1 | $logger"); +sub add_default_drop_rule($$$) { + my ($table, $chain, $iptables_cmd) = @_; + # system("$iptables_cmd -t $table -A $chain -j DROP 2>&1 | $logger"); + run_cmd("$iptables_cmd -t $table -A $chain -j DROP", 1, 1); } -sub setup_chain($$) { - my ($table, $chain) = @_; - my $configured = `iptables -t $table -n -L $chain 2>&1 | head -1`; +sub setup_chain($$$) { + my ($table, $chain, $iptables_cmd) = @_; + + my $configured = `$iptables_cmd -t $table -n -L $chain 2>&1 | head -1`; $_ = $configured; if (!/^Chain $chain/) { - system("iptables -t $table --new-chain $chain"); + # system("$iptables_cmd -t $table --new-chain $chain"); + run_cmd("$iptables_cmd -t $table --new-chain $chain", 0, 0); die "iptables error: $table $chain --new-chain: $!" if ($? 
>> 8); - add_default_drop_rule($table, $chain); + add_default_drop_rule($table, $chain, $iptables_cmd); } } -sub chain_referenced($$) { - my ($table, $chain) = @_; - my $line = `iptables -t $table -n -L $chain 2>/dev/null |head -n1`; +sub chain_referenced($$$) { + my ($table, $chain, $iptables_cmd) = @_; + + log_msg "chain_referenced executing: $iptables_cmd -t $table -n -L $chain \n"; + + my $line = `$iptables_cmd -t $table -n -L $chain 2>/dev/null |head -n1`; if ($line =~ m/^Chain $chain \((\d+) references\)$/) { if ($1 > 0) { return 1; @@ -465,20 +593,31 @@ sub chain_referenced($$) { return 0; } -sub delete_chain($$) { - my ($table, $chain) = @_; - my $configured = `iptables -t $table -n -L $chain 2>&1 | head -1`; +sub delete_chain($$$) { + my ($table, $chain, $iptables_cmd) = @_; + + log_msg "delete_chain executing: $iptables_cmd -t $table -n -L $chain \n"; + + my $configured = `$iptables_cmd -t $table -n -L $chain 2>&1 | head -1`; if ($configured =~ /^Chain $chain/) { - system("iptables -t $table --flush $chain"); - die "iptables error: $table $chain --flush: $!" if ($? >> 8); - if (!chain_referenced($table, $chain)) { - system("iptables -t $table --delete-chain $chain"); - die "iptables error: $table $chain --delete-chain: $!" if ($? >> 8); + # system("$iptables_cmd -t $table --flush $chain"); + run_cmd("$iptables_cmd -t $table --flush $chain", 0, 0); + die "$iptables_cmd error: $table $chain --flush: $!" if ($? >> 8); + if (!chain_referenced($table, $chain, $iptables_cmd)) { + # system("$iptables_cmd -t $table --delete-chain $chain"); + run_cmd("$iptables_cmd -t $table --delete-chain $chain", 0, 0); + die "$iptables_cmd error: $table $chain --delete-chain: $!" if ($? >> 8); } else { - add_default_drop_rule($table, $chain); + add_default_drop_rule($table, $chain, $iptables_cmd); } } } sub numerically { $a <=> $b; } + +# Local Variables: +# mode: perl +# indent-tabs-mode: nil +# perl-indent-level: 2 +# End: 
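Review bot: The conntrack-hook removal in this hunk lost its rule number: `run_cmd("$iptables_cmd -t raw -D PREROUTING", 1, 1);` no longer passes `$num`, so the delete is rejected (the error goes to the debug logger and is suppressed by default), the jump to `FW_CONNTRACK` stays in PREROUTING, and the following `-X FW_CONNTRACK` fails because the chain is still referenced. Restore it as `run_cmd("$iptables_cmd -t raw -D PREROUTING $num", 1, 1);` — the commented-out line above it still shows the intended form. A second concern is the `$update_zero_count != scalar(keys %table_hash)` gate at the top: `setup_iptables` now calls `teardown_iptables` twice per command and the `--teardown` loop once per tree, so the counter only reaches four on the last call and the raw-table cleanup runs for a single `$iptables_cmd`, leaving the other family's hook in place. That second point is inferred from the counter logic rather than observed, so it is worth checking on a system with both families configured.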
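Review bot: Every `run_cmd` call in this hunk keeps its predecessor `system(...)` line commented out above it, which doubles the size of `delete_chain` and will drift from the live call as soon as the command changes; the new `--debug`/`--syslog` flags already provide what those lines were for, so delete them rather than preserving them as comments (the same pattern appears throughout the file). The `die` lines here also report `$!`, which is unset when iptables merely exits non-zero; `($? >> 8)` is the value to show.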
diff --git a/templates/firewall/ipv6-name/node.def b/templates/firewall/ipv6-name/node.def new file mode 100644 index 0000000..b82683d --- /dev/null +++ b/templates/firewall/ipv6-name/node.def @@ -0,0 +1,7 @@ +tag: + +type: txt + +syntax:expression: pattern $VAR(@) "^[^-]" ; "Firewall rule set name cannot start with \"-\"" + +help: Set firewall rule set name diff --git a/templates/firewall/ipv6-name/node.tag/description/node.def b/templates/firewall/ipv6-name/node.tag/description/node.def new file mode 100644 index 0000000..d181e33 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/description/node.def @@ -0,0 +1,3 @@ +type: txt + +help: Set firewall description diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.def new file mode 100644 index 0000000..c3c7b43 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.def @@ -0,0 +1,7 @@ +tag: + +type: u32 + +help: Set firewall rule number (1-1024) + +syntax:expression: $VAR(@) > 0 && $VAR(@) < 1025; "firewall rule number must be between 1 and 1024" diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/action/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/action/node.def new file mode 100644 index 0000000..9391bda --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/action/node.def @@ -0,0 +1,6 @@ +type: txt + +help: Set firewall rule action + +syntax:expression: $VAR(@) in "drop", "reject", "accept", "inspect"; + "action must be one of drop, reject, accept, or inspect" diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/description/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/description/node.def new file mode 100644 index 0000000..b49b91e --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/description/node.def @@ -0,0 +1,3 @@ +type: txt + +help: Set rule description 
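Review bot: The only constraint on a rule set name is `pattern $VAR(@) "^[^-]"`, so names containing whitespace, quotes or shell metacharacters are accepted, then used verbatim as chain names and interpolated into the `iptables`/`ip6tables` command strings that `vyatta-firewall.pl` runs through the shell. A tighter pattern closes both, assuming the template engine accepts anchored regexes here: `syntax:expression: pattern $VAR(@) "^[A-Za-z0-9_][A-Za-z0-9_-]*$" ; "Firewall rule set name must use only letters, digits, '_' and '-' and cannot start with \"-\""`. iptables also limits chain-name length; once the exact limit is confirmed it belongs in this check as well, and the IPv4 `name/node.def` presumably needs the same treatment.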
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/address/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/address/node.def new file mode 100644 index 0000000..6aafb65 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/address/node.def @@ -0,0 +1,10 @@ +type: txt + +help: Set source IPv6 address or prefix to match + +comp_help: Possible completions: + <x:x:x:x:x:x:x:x> IPv6 address to match + <x:x:x:x:x:x:x:x>/<n> IPv6 prefix to match + !<x:x:x:x:x:x:x:x> Everything except IPv6 address + !<x:x:x:x:x:x:x:x>/<n> Everything except IPv6 prefix + diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/node.def new file mode 100644 index 0000000..500e0bb --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/node.def @@ -0,0 +1 @@ +help: Set firewall destination parameters diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/port/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/port/node.def new file mode 100644 index 0000000..b292864 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/port/node.def @@ -0,0 +1,10 @@ +type: txt + +help: Set destination port + +comp_help: Destination port(s) can be specified as a comma-separated list of: + <port name> Named port (any name in /etc/services, e.g., http) + <1-65535> Numbered port + <start>-<end> Numbered port range (e.g., 1001-1005) +The whole list can also be "negated" using '!'. For example: + '!22,telnet,http,123,1001-1005' diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/disable/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/disable/node.def new file mode 100644 index 0000000..498a027 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/disable/node.def 
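Review bot: The help text for the new `destination/address` node reads `help: Set source IPv6 address or prefix to match`, a copy from the source-side template that will appear as the completion help under `destination`; it should be `help: Set destination IPv6 address or prefix to match`. The node also carries no `syntax:expression`, so a bad value is only rejected by `AddressFilter::rule` at commit time rather than at `set` time; if that is deliberate, a one-line comment in the template saying validation happens in `AddressFilter.pm` would save the next reader a search.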
@@ -0,0 +1 @@
+help: Set firewall rule disabled
\ No newline at end of file diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/fragment/match-frag/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/fragment/match-frag/node.def new file mode 100644 index 0000000..75338e3 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/fragment/match-frag/node.def @@ -0,0 +1 @@ +help: Match second and further fragments of fragmented packets diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/fragment/match-non-frag/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/fragment/match-non-frag/node.def new file mode 100644 index 0000000..3105271 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/fragment/match-non-frag/node.def @@ -0,0 +1 @@ +help: Match head fragments or unfragmented packets diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/fragment/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/fragment/node.def new file mode 100644 index 0000000..c532d49 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/fragment/node.def @@ -0,0 +1 @@ +help: Set IP fragment matching diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/icmp/code/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/icmp/code/node.def new file mode 100644 index 0000000..8ff1c09 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/icmp/code/node.def @@ -0,0 +1,5 @@ +type: u32; "ICMP code must be between 0 and 255" + +help: Set ICMP code (0-255) + +syntax:expression: $VAR(@) >=0 && $VAR(@) <= 255; "ICMP code must be between 0 and 255" diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/icmp/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/icmp/node.def new file mode 100644 index 0000000..dcf9fcc --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/icmp/node.def @@ -0,0 +1 @@ +help: Set rule ICMP type and code information 
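Review bot: The `icmp/code` node here (and `icmp/type` in the next hunk) is copied unchanged from the IPv4 tree, but the only change to `Rule.pm` in this commit is its trailing editor-variables comment, so the rule builder presumably still emits the IPv4 ICMP match for these nodes; ip6tables expects the ICMPv6 match instead, and ICMPv6 type numbers differ from ICMP ones. Either `Rule.pm` needs an IPv6 branch keyed on the tree name, as `AddressFilter::rule` now has, or these nodes should be left out of `ipv6-name` until it does. At minimum the help should read `help: Set ICMPv6 code (0-255)` so the operator is not pointed at the wrong numbering. This is inferred from what the diff touches; `Rule.pm` itself is not shown beyond its footer.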
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/icmp/type/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/icmp/type/node.def new file mode 100644 index 0000000..9cd72b3 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/icmp/type/node.def @@ -0,0 +1,5 @@ +type: u32; "ICMP type must be between 0 and 255" + +help: Set ICMP type (0-255) + +syntax:expression: $VAR(@) >=0 && $VAR(@) <= 255; "ICMP type must be between 0 and 255" diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/ipsec/match-ipsec/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/ipsec/match-ipsec/node.def new file mode 100644 index 0000000..8d4bf12 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/ipsec/match-ipsec/node.def @@ -0,0 +1 @@ +help: Match inbound IPsec packets diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/ipsec/match-none/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/ipsec/match-none/node.def new file mode 100644 index 0000000..cfcbc8a --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/ipsec/match-none/node.def @@ -0,0 +1 @@ +help: Match inbound non-IPsec packets diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/ipsec/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/ipsec/node.def new file mode 100644 index 0000000..c905e2d --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/ipsec/node.def @@ -0,0 +1 @@ +help: Set inbound IPsec packet matching diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/log/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/log/node.def new file mode 100644 index 0000000..5023547 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/log/node.def 
@@ -0,0 +1,3 @@
+type: txt; "firwall logging must be enable or disable"
+help: Set firewall logging
+syntax:expression: $VAR(@) in "enable", "disable"; "firwall logging must be enable or disable"
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/all/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/all/node.def
new file mode 100644
index 0000000..3359454
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/all/node.def
@@ -0,0 +1 @@
+help: Match AppleJuice/BitTorrent/Direct Connect/eDonkey/eMule/Gnutella/KaZaA application packets
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/applejuice/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/applejuice/node.def
new file mode 100644
index 0000000..35c2182
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/applejuice/node.def
@@ -0,0 +1 @@
+help: Match AppleJuice application packets
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/bittorrent/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/bittorrent/node.def
new file mode 100644
index 0000000..a6330de
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/bittorrent/node.def
@@ -0,0 +1 @@
+help: Match BitTorrent application packets
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/directconnect/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/directconnect/node.def
new file mode 100644
index 0000000..ab11805
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/directconnect/node.def
@@ -0,0 +1 @@
+help: Match Direct Connect application packets
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/edonkey/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/edonkey/node.def
new file mode 100644
index 0000000..25a97e5
--- /dev/null
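Review bot: Both error strings in log/node.def misspell "firewall" as `firwall`, and the second one is the text the operator is shown when a value is rejected. Suggest `type: txt; "firewall logging must be enable or disable"` and the same correction in the `syntax:expression:` line. The sibling state nodes added later in this commit write the separator as ` ; ` rather than `; `; picking one form across the new tree would read more consistently.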
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/edonkey/node.def
@@ -0,0 +1 @@
+help: Match eDonkey/eMule application packets
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/gnutella/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/gnutella/node.def
new file mode 100644
index 0000000..52d9d6c
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/gnutella/node.def
@@ -0,0 +1 @@
+help: Match Gnutella application packets
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/kazaa/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/kazaa/node.def
new file mode 100644
index 0000000..a6eab48
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/kazaa/node.def
@@ -0,0 +1 @@
+help: Match KaZaA application packets
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/node.def
new file mode 100644
index 0000000..9013fe5
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/node.def
@@ -0,0 +1 @@
+help: Set P2P application packet matching
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/protocol/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/protocol/node.def
new file mode 100644
index 0000000..03ce8cf
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/protocol/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Set protocol to match (protocol name in /etc/protocols or protocol number or "all")
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)'" ; "invalid protocol \"$VAR(@)\""
+comp_help:Possible completions:
+ <text> An IP protocol name from /etc/protocols (e.g. "tcp" or "udp")
+ <1-255> An IP protocol number
+ all All IP protocols
+ !<protocol> All IP protocols except for the specified name or number (negation)
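Review bot: The `syntax:expression:` line of protocol/node.def passes the configured value to a shell through `exec` inside single quotes (`'$VAR(@)'`), so a value containing a single quote or other shell metacharacters would end the quoting before vyatta-validate-type.pl ever sees it; the check therefore only holds if the configuration system escapes substitutions, which this template cannot guarantee on its own. A `pattern $VAR(@)` check restricted to the characters a protocol name or number can contain, evaluated ahead of the `exec`, would close that gap at set time; the source/mac-address node on the next hunk line (L33) uses the same construction and would benefit from the same guard. The help text also still says "IP protocol" and "An IP protocol number"; under the ipv6-name tree, "IP" is fine but naming the value as the IPv6 next-header / protocol number would remove any doubt for the operator.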
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/recent/count/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/recent/count/node.def
new file mode 100644
index 0000000..a07010f
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/recent/count/node.def
@@ -0,0 +1,2 @@
+type: u32
+help: Set to N to only match source addresses seen more than N times
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/recent/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/recent/node.def
new file mode 100644
index 0000000..e1be0a3
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/recent/node.def
@@ -0,0 +1 @@
+help: Set parameters for matching recently seen sources
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/recent/time/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/recent/time/node.def
new file mode 100644
index 0000000..b84a0b7
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/recent/time/node.def
@@ -0,0 +1,2 @@
+type: u32
+help: Set to N to only match source addresses seen in the last N seconds
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/address/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/address/node.def
new file mode 100644
index 0000000..6aafb65
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/address/node.def
@@ -0,0 +1,10 @@
+type: txt
+
+help: Set source IPv6 address or prefix to match
+
+comp_help: Possible completions:
+ <x:x:x:x:x:x:x:x> IPv6 address to match
+ <x:x:x:x:x:x:x:x>/<n> IPv6 prefix to match
+ !<x:x:x:x:x:x:x:x> Everything except IPv6 address
+ !<x:x:x:x:x:x:x:x>/<n> Everything except IPv6 prefix
+
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/mac-address/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/mac-address/node.def
new file mode 100644
index 0000000..fd10e26
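Review bot: source/address/node.def declares `type: txt` and lists four accepted forms in comp_help, but carries no `syntax:expression:` at all, unlike the protocol and mac-address nodes in this same commit; any string is therefore accepted at set time and a malformed IPv6 address or prefix is presumably caught only when the rule is rendered at commit, well after the operator typed it. A validator in the same form as the protocol node — an `exec` of vyatta-validate-type.pl with an IPv6 address/prefix type if the script offers one, or a `pattern` check covering the four documented forms — would surface the error where it is made. The source/port node at L33 has the same gap. The empty trailing `+` line in this hunk is harmless but unneeded.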
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/mac-address/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Set source MAC address
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\""
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/node.def
new file mode 100644
index 0000000..16ab3ad
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/node.def
@@ -0,0 +1 @@
+help: Set firewall source parameters
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/port/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/port/node.def
new file mode 100644
index 0000000..e65cbfd
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/port/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Set source port
+comp_help: Source port(s) can be specified as a comma-separated list of:
+ <port name> Named port (any name in /etc/services, e.g., http)
+ <1-65535> Numbered port
+ <start>-<end> Numbered port range (e.g., 1001-1005)
+The whole list can also be "negated" using '!'. For example:
+ '!22,telnet,http,123,1001-1005'
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/state/established/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/state/established/node.def
new file mode 100644
index 0000000..802e35d
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/state/established/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Set established state
+syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/state/invalid/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/state/invalid/node.def
new file mode 100644
index 0000000..ddba99f
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/state/invalid/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Set invalid state
+syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/state/new/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/state/new/node.def
new file mode 100644
index 0000000..23854e7
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/state/new/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Set new state
+syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/state/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/state/node.def
new file mode 100644
index 0000000..3b7b383
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/state/node.def
@@ -0,0 +1 @@
+help: Set session state
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/state/related/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/state/related/node.def
new file mode 100644
index 0000000..acddc3b
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/state/related/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Set related state
+syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/monthdays/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/monthdays/node.def
new file mode 100644
index 0000000..025a2a9
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/monthdays/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Set monthdays on which to apply rule
+syntax:expression: pattern $VAR(@) "^!?([[:digit:]]\{1,2\}\,)*[[:digit:]]\{1,2\}$" ; \
+"Incorrect value for monthdays. Monthdays should be specified as 2,12,21
+For negation, add ! in front eg. !2,12,21"
+
+comp_help: Format for monthdays - 2,12,21
+To negate add ! at the front eg. !2,12,21
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/node.def
new file mode 100644
index 0000000..8061ba6
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/node.def
@@ -0,0 +1 @@
+help: Set time during which to apply rule
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/startdate/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/startdate/node.def
new file mode 100644
index 0000000..a971375
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/startdate/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Set to apply rule starting from specified date
+syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \
+"Invalid value for startdate. Date should use yyyy-mm-dd format. To specify time
+of date with startdate, append 'T' to date followed by time in 24 hour notation
+hh:mm:ss. For example startdate value of 2009-01-21T13:30:00 refers to
+21st January 2009 with time 13:30:00"
+
+comp_help: Format for date : yyyy-mm-dd. To specify time of date with startdate, append
+'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate
+value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/starttime/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/starttime/node.def
new file mode 100644
index 0000000..46c68c2
--- /dev/null
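Review bot: The monthdays pattern accepts any one- or two-digit number, so `0`, `32` or `99` pass the set-time check, and the startdate pattern in the same hunk line (and stopdate at L36) likewise accepts a month of `13` or a day of `99`; these values are presumably rejected only when the rule is rendered at commit, if at all. Restricting the day alternative to 1–31 in the monthdays pattern, and the month and day fields of the date patterns to their real ranges, would report the mistake where the operator types it. The weekdays node at L37 has the same shape of problem: `[[:upper:]][[:lower:]]\{2\}` matches any capitalized three-letter token, where an explicit alternation of the seven day abbreviations would be both tighter and self-documenting. In the user-facing strings, `eg.` reads better as `e.g.`.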
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/starttime/node.def
@@ -0,0 +1,7 @@
+type: txt
+help: Set to apply rule starting from specified time
+syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
+ "Incorrect value for starttime. Date should be entered using 24 hour notation - hh:mm:ss"
+
+comp_help: Enter time using using 24 hour notation - hh:mm:ss
+
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/stopdate/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/stopdate/node.def
new file mode 100644
index 0000000..c99dd7b
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/stopdate/node.def
@@ -0,0 +1,11 @@
+type: txt
+help: Set to apply rule till specified date
+syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \
+"Invalid value for stopdate. Date should use yyyy-mm-dd format. To specify time
+of date with stopdate, append 'T' to date followed by time in 24 hour notation
+hh:mm:ss. For example stopdate value of 2009-01-31T13:30:00 refers to
+31st Jan 2009 with time 13:30:00"
+
+comp_help: Format for date : yyyy-mm-dd. To specify time of date with stopdate,
+append 'T' to date followed by time in 24 hour notation hh:mm:ss. For eg
+stopdate value of 2009-01-31T13:30:00 refers to 31st Jan 2009 with time 13:30:00
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/stoptime/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/stoptime/node.def
new file mode 100644
index 0000000..0514e8b
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/stoptime/node.def
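Review bot: The starttime error string says `Date should be entered using 24 hour notation`, but this node takes a time, and the comp_help doubles a word (`using using`); stoptime at L37 repeats both verbatim. Suggest `"Incorrect value for starttime. Time should be entered using 24 hour notation - hh:mm:ss"` and `comp_help: Enter time using 24 hour notation - hh:mm:ss`, with the same edits for stoptime. The pattern also accepts values such as `99:99:99`; whether those are caught later at commit is not visible here, so bounding the hour, minute and second fields in the pattern would be the safer choice.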
@@ -0,0 +1,8 @@
+type: txt
+help: Set to apply rule till specified time
+syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
+ "Incorrect value for stoptime. Date should be entered using 24 hour notation - hh:mm:ss"
+
+comp_help: Enter time using using 24 hour notation - hh:mm:ss
+
+
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/utc/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/utc/node.def
new file mode 100644
index 0000000..68a0689
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/utc/node.def
@@ -0,0 +1 @@
+help: Set to interpret the times given for startdate, stopdate, starttime and stoptime to be UTC
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/weekdays/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/weekdays/node.def
new file mode 100644
index 0000000..aea3e22
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/weekdays/node.def
@@ -0,0 +1,9 @@
+type: txt
+help: Set weekdays on which to apply rules on
+syntax:expression: pattern $VAR(@) "^!?([[:upper:]][[:lower:]]\{2\}\,)*[[:upper:]][[:lower:]]\{2\}$" ; \
+"Incorrect value for weekdays. Weekdays should be specified using the first
+three characters of the day with the first character capitalized eg. Mon,Thu,Sat
+For negation, add ! in front eg. !Mon,Thu,Sat"
+
+comp_help: Format for weekdays - Mon,Thu,Sat
+To negate add ! at the front eg. !Mon,Thu,Sat |