summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStig Thormodsrud <stig@vyatta.com>2009-03-27 17:09:50 -0700
committerStig Thormodsrud <stig@vyatta.com>2009-03-27 17:09:50 -0700
commit108ef51e412a379905a6a8d354e7e21d10e9d1cc (patch)
treeb4196933eb21d51b1a47a89193799d2eea752e15
parent754d0f4d855a59020afa20ad8867218708b5c978 (diff)
downloadvyatta-cfg-firewall-108ef51e412a379905a6a8d354e7e21d10e9d1cc.tar.gz
vyatta-cfg-firewall-108ef51e412a379905a6a8d354e7e21d10e9d1cc.zip
Revert "Allow user configurable default-policy on firewall."
Further test identified a problem. The patch is broken if a packet must do both an in & out filter. This reverts commit 754d0f4d855a59020afa20ad8867218708b5c978.
-rwxr-xr-xscripts/firewall/vyatta-firewall.pl58
-rw-r--r--templates/firewall/name/node.tag/default-policy/node.def12
2 files changed, 8 insertions, 62 deletions
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl
index 3b5fa2a..4c39156 100755
--- a/scripts/firewall/vyatta-firewall.pl
+++ b/scripts/firewall/vyatta-firewall.pl
@@ -51,10 +51,6 @@ my %ip_version_hash = ( 'name' => 'ipv4',
'modify' => 'ipv4',
'ipv6-modify' => 'ipv6');
-# mapping from vyatta 'default-policy' to iptables jump target
-my %policy_hash = ( 'drop' => 'DROP',
- 'accept' => 'VYATTA_POST_FW_HOOK',
- 'continue' => 'RETURN'); # not implemented yet
sub other_table {
my $this = shift;
@@ -195,10 +191,8 @@ sub update_rules {
# Iterate through ruleset names under "name" or "modify"
for my $name (keys %nodes) {
- $config->setLevel("firewall $tree $name");
- my $policy = $config->returnValue("default-policy");
- my $old_policy = $config->returnOrigValue("default-policy");
- log_msg "update_rules: status of node $name is $nodes{$name} [$policy]\n";
+
+ log_msg "update_rules: status of node $name is $nodes{$name} \n";
if ($nodes{$name} eq "static") {
# not changed. check if stateful.
@@ -224,7 +218,7 @@ sub update_rules {
. "Rule set name \"$name\" already used in \"$ctree\"\n";
exit 1;
}
- setup_chain($table, "$name", $iptables_cmd, $policy);
+ setup_chain($table, "$name", $iptables_cmd);
# handle the rules below.
} elsif ($nodes{$name} eq "deleted") {
@@ -254,6 +248,7 @@ sub update_rules {
# note that this clears the counters on the default DROP rule.
# we could delete rule one by one if those are important.
run_cmd("$iptables_cmd -t $table -F $name", 1, 1);
+ add_default_drop_rule($table, $name, $iptables_cmd);
next;
}
@@ -338,14 +333,8 @@ sub update_rules {
die "$iptables_cmd error: $! - $rule" if ($? >> 8);
}
}
-
- } # foreach rule
-
- if (defined $old_policy and $policy ne $old_policy) {
- change_default_policy($table, $name, $iptables_cmd, $policy);
}
-
- } # foreach name
+ }
if ($stateful) {
enable_fw_conntrack($iptables_cmd);
@@ -560,42 +549,11 @@ sub setup_iptables {
sub add_default_drop_rule {
my ($table, $chain, $iptables_cmd) = @_;
- my $comment = "-m comment --comment \"$chain-1025\"";
- run_cmd("$iptables_cmd -t $table -A $chain $comment -j DROP", 1, 1);
-}
-
-sub set_default_policy {
- my ($table, $chain, $iptables_cmd, $policy) = @_;
-
- $policy = 'drop' if ! defined $policy;
- my $target = $policy_hash{$policy};
- my $comment = "-m comment --comment \"$chain-1025\"";
- run_cmd("$iptables_cmd -t $table -A $chain $comment -j $target", 1, 1);
-}
-
-sub count_iptables_rules {
- my ($table, $chain, $iptables_cmd) = @_;
- my @lines = `$iptables_cmd -t $table -L $chain -n --line`;
- my $cnt = 0;
- foreach my $line (@lines) {
- $cnt++ if $line =~ /^\d/;
- }
- return $cnt;
-}
-
-sub change_default_policy {
- my ($table, $chain, $iptables_cmd, $policy) = @_;
-
- $policy = 'drop' if ! defined $policy;
- my $target = $policy_hash{$policy};
- my $comment = "-m comment --comment \"$chain-1025\"";
- my $default_rule = count_iptables_rules($table, $chain, $iptables_cmd);
- run_cmd("$iptables_cmd -t $table -A $chain $comment -j $target", 1, 1);
- run_cmd("$iptables_cmd -t $table -D $chain $default_rule", 1, 1);
+ run_cmd("$iptables_cmd -t $table -A $chain -m comment --comment \"$chain-1025\" -j DROP", 1, 1);
}
sub setup_chain {
- my ($table, $chain, $iptables_cmd, $policy) = @_;
+ my ($table, $chain, $iptables_cmd) = @_;
my $configured = `$iptables_cmd -t $table -n -L $chain 2>&1 | head -1`;
@@ -603,7 +561,7 @@ sub setup_chain {
if (!/^Chain $chain/) {
run_cmd("$iptables_cmd -t $table --new-chain $chain", 0, 0);
die "iptables error: $table $chain --new-chain: $!" if ($? >> 8);
- set_default_policy($table, $chain, $iptables_cmd, $policy);
+ add_default_drop_rule($table, $chain, $iptables_cmd);
}
}
diff --git a/templates/firewall/name/node.tag/default-policy/node.def b/templates/firewall/name/node.tag/default-policy/node.def
deleted file mode 100644
index a02a288..0000000
--- a/templates/firewall/name/node.tag/default-policy/node.def
+++ /dev/null
@@ -1,12 +0,0 @@
-type: txt
-
-help: Set firewall default-policy
-
-default: "drop"
-
-syntax:expression: $VAR(@) in "drop", "accept";
- "default-policy must be either drop or accept"
-
-comp_help: possible completions:
- drop Drop if no prior rules are hit
- accept Accept if no prior rules are hit