author | Stig Thormodsrud <stig@vyatta.com> | 2009-03-27 17:09:50 -0700 |
committer | Stig Thormodsrud <stig@vyatta.com> | 2009-03-27 17:09:50 -0700 |
commit | 108ef51e412a379905a6a8d354e7e21d10e9d1cc (patch) | |
tree | b4196933eb21d51b1a47a89193799d2eea752e15 | |
parent | 754d0f4d855a59020afa20ad8867218708b5c978 (diff) | |
Revert "Allow user configurable default-policy on firewall."
Further testing identified a problem.
The patch is broken if a packet must do both an in & out filter.
This reverts commit 754d0f4d855a59020afa20ad8867218708b5c978.
-rwxr-xr-x | scripts/firewall/vyatta-firewall.pl | 58 | ||||
-rw-r--r-- | templates/firewall/name/node.tag/default-policy/node.def | 12 |
2 files changed, 8 insertions, 62 deletions
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl
index 3b5fa2a..4c39156 100755
--- a/scripts/firewall/vyatta-firewall.pl
+++ b/scripts/firewall/vyatta-firewall.pl
@@ -51,10 +51,6 @@ my %ip_version_hash = ( 'name' => 'ipv4',
 'modify' => 'ipv4',
 'ipv6-modify' => 'ipv6');
-# mapping from vyatta 'default-policy' to iptables jump target
-my %policy_hash = ( 'drop' => 'DROP',
- 'accept' => 'VYATTA_POST_FW_HOOK',
- 'continue' => 'RETURN'); # not implemented yet
 sub other_table {
 my $this = shift;
@@ -195,10 +191,8 @@ sub update_rules {
 # Iterate through ruleset names under "name" or "modify"
 for my $name (keys %nodes) {
- $config->setLevel("firewall $tree $name");
- my $policy = $config->returnValue("default-policy");
- my $old_policy = $config->returnOrigValue("default-policy");
- log_msg "update_rules: status of node $name is $nodes{$name} [$policy]\n";
+
+ log_msg "update_rules: status of node $name is $nodes{$name} \n";
 if ($nodes{$name} eq "static") {
 # not changed. check if stateful.
@@ -224,7 +218,7 @@ sub update_rules {
 . "Rule set name \"$name\" already used in \"$ctree\"\n";
 exit 1;
 }
- setup_chain($table, "$name", $iptables_cmd, $policy);
+ setup_chain($table, "$name", $iptables_cmd);
 # handle the rules below.
 } elsif ($nodes{$name} eq "deleted") {
@@ -254,6 +248,7 @@ sub update_rules {
 # note that this clears the counters on the default DROP rule.
 # we could delete rule one by one if those are important.
 run_cmd("$iptables_cmd -t $table -F $name", 1, 1);
+ add_default_drop_rule($table, $name, $iptables_cmd);
 next;
 }
@@ -338,14 +333,8 @@ sub update_rules {
 die "$iptables_cmd error: $! - $rule" if ($? >> 8);
 }
 }
-
- } # foreach rule
-
- if (defined $old_policy and $policy ne $old_policy) {
- change_default_policy($table, $name, $iptables_cmd, $policy);
 }
-
- } # foreach name
+ }
 if ($stateful) {
 enable_fw_conntrack($iptables_cmd);
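Review bot: In hunk @@ -195,10 +191,8 @@ the restored log line carries a stray space before the newline and the first `+` line reintroduces an empty line where the three removed statements stood, which leaves an odd gap at the top of the loop body. I would drop both: `log_msg "update_rules: status of node $name is $nodes{$name}\n";` with no blank line above it. The enclosing `for my $name (keys %nodes)` loop runs well past this hunk.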
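Review bot: In hunk @@ -338,14 +333,8 @@ the new side ends with four consecutive bare `}` lines once `} # foreach rule` and `} # foreach name` are gone, so a reader can no longer tell which brace closes which loop. Keeping the labels on the reverted closers, `} # foreach rule` and `} # foreach name`, costs nothing and is the only thing worth salvaging from the reverted commit here. Both loops open outside the hunk, and `update_rules` continues after it.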
@@ -560,42 +549,11 @@ sub setup_iptables {
 sub add_default_drop_rule {
 my ($table, $chain, $iptables_cmd) = @_;
- my $comment = "-m comment --comment \"$chain-1025\"";
- run_cmd("$iptables_cmd -t $table -A $chain $comment -j DROP", 1, 1);
-}
-
-sub set_default_policy {
- my ($table, $chain, $iptables_cmd, $policy) = @_;
-
- $policy = 'drop' if ! defined $policy;
- my $target = $policy_hash{$policy};
- my $comment = "-m comment --comment \"$chain-1025\"";
- run_cmd("$iptables_cmd -t $table -A $chain $comment -j $target", 1, 1);
-}
-
-sub count_iptables_rules {
- my ($table, $chain, $iptables_cmd) = @_;
- my @lines = `$iptables_cmd -t $table -L $chain -n --line`;
- my $cnt = 0;
- foreach my $line (@lines) {
- $cnt++ if $line =~ /^\d/;
- }
- return $cnt;
-}
-
-sub change_default_policy {
- my ($table, $chain, $iptables_cmd, $policy) = @_;
-
- $policy = 'drop' if ! defined $policy;
- my $target = $policy_hash{$policy};
- my $comment = "-m comment --comment \"$chain-1025\"";
- my $default_rule = count_iptables_rules($table, $chain, $iptables_cmd);
- run_cmd("$iptables_cmd -t $table -A $chain $comment -j $target", 1, 1);
- run_cmd("$iptables_cmd -t $table -D $chain $default_rule", 1, 1);
+ run_cmd("$iptables_cmd -t $table -A $chain -m comment --comment \"$chain-1025\" -j DROP", 1, 1);
 }
 sub setup_chain {
- my ($table, $chain, $iptables_cmd, $policy) = @_;
+ my ($table, $chain, $iptables_cmd) = @_;
 my $configured = `$iptables_cmd -t $table -n -L $chain 2>&1 | head -1`;
@@ -603,7 +561,7 @@ sub setup_chain {
 if (!/^Chain $chain/) {
 run_cmd("$iptables_cmd -t $table --new-chain $chain", 0, 0);
 die "iptables error: $table $chain --new-chain: $!" if ($? >> 8);
- set_default_policy($table, $chain, $iptables_cmd, $policy);
+ add_default_drop_rule($table, $chain, $iptables_cmd);
 }
 }
diff --git a/templates/firewall/name/node.tag/default-policy/node.def b/templates/firewall/name/node.tag/default-policy/node.def
deleted file mode 100644
index a02a288..0000000
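Review bot: In hunk @@ -560,42 +549,11 @@ the restored `add_default_drop_rule` and the `$configured` backtick in `setup_chain` both build their iptables invocation as one string with the rule-set name `$chain` interpolated, and the embedded `\"` quoting around the comment only makes sense if that string is handed to a shell, so a rule-set name containing shell metacharacters would reach the shell unquoted; `run_cmd` itself is outside the hunk, so this is inferred. The revert keeps the pre-existing behaviour rather than introducing it, but since the name comes from configuration it would be worth either a comment stating the assumption, `# $chain is a configured rule-set name; callers must ensure it is validated before it is interpolated here`, or a defensive anchored check such as `die "invalid chain name $chain" unless $chain =~ /\A[\w-]+\z/;` at the top of both subs. The same string-built invocations appear in hunks @@ -254,6 +248,7 @@ and @@ -603,7 +561,7 @@.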
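Review bot: In hunk @@ -603,7 +561,7 @@ the chain-existence test `if (!/^Chain $chain/)` interpolates the rule-set name into the pattern unescaped, so a name containing regex metacharacters (for example a `.` or `+`) no longer matches literally and the code may try `--new-chain` on a chain that already exists, or skip creating one that does not; the fix is `if (!/^Chain \Q$chain\E/) {`. The match also runs against `$_`, so whatever binds `$_` to `$configured` must be on a line above the hunk; `setup_chain` starts outside this hunk.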
--- a/templates/firewall/name/node.tag/default-policy/node.def
+++ /dev/null
@@ -1,12 +0,0 @@
-type: txt
-
-help: Set firewall default-policy
-
-default: "drop"
-
-syntax:expression: $VAR(@) in "drop", "accept";
- "default-policy must be either drop or accept"
-
-comp_help: possible completions:
- drop Drop if no prior rules are hit
- accept Accept if no prior rules are hit |