author | Stig Thormodsrud <stig@vyatta.com> | 2010-03-18 19:44:41 -0700 |
---|---|---|
committer | Stig Thormodsrud <stig@vyatta.com> | 2010-03-18 19:44:41 -0700 |
commit | ce3389b3cafa928fd2468705c049ef958f5f4266 (patch) | |
tree | ad90ec0f77c6d7c22416591ece600fbdf3f7794a | |
parent | a3997491b17f5451f44ea77359e4a2f7c2fc3555 (diff) | |
Fix firewall group parent delete while still referenced.
4 files changed, 78 insertions, 7 deletions
diff --git a/scripts/firewall/vyatta-ipset.pl b/scripts/firewall/vyatta-ipset.pl
index 399c629..8614581 100755
--- a/scripts/firewall/vyatta-ipset.pl
+++ b/scripts/firewall/vyatta-ipset.pl
@@ -170,6 +170,35 @@ sub ipset_copy_set {
     }
 }
 
+sub ipset_is_group_deleted {
+    my ($set_name, $set_type) = @_;
+
+    die "Error: undefined set_name\n" if ! defined $set_name;
+    die "Error: undefined set_type\n" if ! defined $set_type;
+
+    my $config = new Vyatta::Config;
+    $config->setLevel("firewall group $set_type-group");
+    my %nodes = $config->listNodeStatus();
+
+    if ($nodes{$set_name} eq 'deleted') {
+        exit 0;
+    } else {
+        exit 1;
+    }
+}
+
+sub ipset_is_group_used {
+    my ($set_name, $set_type) = @_;
+
+    die "Error: undefined set_name\n" if ! defined $set_name;
+    die "Error: undefined set_type\n" if ! defined $set_type;
+
+    my $group = new Vyatta::IpTables::IpSet($set_name);
+    my $refs = $group->references();
+    exit 0 if $refs > 0;
+    exit 1;
+}
+
 
 #
 # main
@@ -208,6 +237,11 @@ $rc = ipset_is_set_empty($set_name) if $action eq 'is-set-empty';
 
 $rc = ipset_copy_set($set_name, $set_type, $set_copy) if $action eq 'copy-set';
 
+$rc = ipset_is_group_deleted($set_name, $set_type)
+    if $action eq 'is-group-deleted';
+
+$rc = ipset_is_group_used($set_name, $set_type) if $action eq 'is-group-used';
+
 if (defined $rc) {
     print $rc;
     exit 1;
diff --git a/templates/firewall/group/address-group/node.tag/address/node.def b/templates/firewall/group/address-group/node.tag/address/node.def
index d5f85b0..ff743f9 100644
--- a/templates/firewall/group/address-group/node.tag/address/node.def
+++ b/templates/firewall/group/address-group/node.tag/address/node.def
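Review bot: `$nodes{$set_name} eq 'deleted'` in ipset_is_group_deleted compares an undefined value whenever the group name is absent from the listing, which is the normal path for a member whose group is not being deleted and will emit an uninitialized-value warning under `use warnings`; write it as `exit 1 unless defined $nodes{$set_name} && $nodes{$set_name} eq 'deleted';` followed by `exit 0;` and drop the if/else. Both new subs terminate with `exit` instead of `return`, so the `$rc` the dispatcher assigns is never set; if that exit-code contract is intended, state it above each sub, e.g. `# Predicate for the templates: exits 0 for yes, 1 for no; never returns.`. The semantics of `references()` are not visible here: if it counts references in the running configuration rather than the proposed one, a single commit that removes the last referencing rule together with the group will be refused, so that is worth confirming against Vyatta::IpTables::IpSet. `$set_type` is validated but never used in ipset_is_group_used.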
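Review bot: The two added dispatch lines assign `$rc`, but ipset_is_group_deleted and ipset_is_group_used call `exit` directly and never return, so the `print $rc; exit 1` error path below cannot be reached for these actions; this matches the `$?`-based use in the templates but should be noted at the call site so nobody later tries to return an error string from them, e.g. `# is-group-deleted / is-group-used exit directly: 0 = true, 1 = false.`. `--set-type` is mandatory for `is-group-used` (the sub dies without it) although only `is-group-deleted` reads it; either make it optional there or say why it is required. The surrounding main block starts before this hunk.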
@@ -11,7 +11,8 @@ syntax:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
 
 create: tmpgrp=$VAR(../@)-$PPID
         tmpfile="/tmp/$VAR(../@)-$PPID";
-        if [ "$COMMIT_SIBLING_POSITION" = "FIRST" ] || [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
+        if [ "$COMMIT_SIBLING_POSITION" = "FIRST" ] || \
+           [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
            sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-set-empty \
                 --set-name=$VAR(../@)
            if [ $? != 0 ]; then
@@ -32,13 +33,25 @@ create: tmpgrp=$VAR(../@)-$PPID
              exit 1;
           fi;
 
-        if [ "$COMMIT_SIBLING_POSITION" = "LAST" ] || [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
+        if [ "$COMMIT_SIBLING_POSITION" = "LAST" ] || \
+           [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
            sudo ipset --swap $tmpgrp "$VAR(../@)";
            sudo ipset --destroy $tmpgrp;
            rm -f $tmpfile;
         fi;
 
-delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
+delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-deleted \
+            --set-name=$VAR(../@) --set-type=address;
+        if [ $? == 0 ] ; then
+           sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-used \
+               --set-name=$VAR(../@) --set-type=address
+           if [ $? == 0 ] ; then
+              echo "Error: group [$VAR(../@)] still in use."
+              exit 1;
+           fi
+        fi
+
+        sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
             --set-name=$VAR(../@) \
             --member="$VAR(@)"
 
diff --git a/templates/firewall/group/network-group/node.tag/network/node.def b/templates/firewall/group/network-group/node.tag/network/node.def
index 62ad56e..da09d0c 100644
--- a/templates/firewall/group/network-group/node.tag/network/node.def
+++ b/templates/firewall/group/network-group/node.tag/network/node.def
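Review bot: The new in-use check in delete: makes two sudo round-trips into vyatta-ipset.pl for every member of the group being removed, although the answer is identical for all siblings; gate it the way create: gates the swap, wrapping the check in `if [ "$COMMIT_SIBLING_POSITION" = "FIRST" ] || [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then` ... `fi` so it runs once per commit. The added tests use `[ $? == 0 ]` while the existing lines in this file use `=`; `==` inside `[` is a bash extension, so `=` keeps the file consistent and portable. The first vyatta-ipset.pl invocation ends with `;` and the second does not; pick one.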
@@ -15,7 +15,18 @@ create: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=add-member \
             --set-name=$VAR(../@) \
             --member="$VAR(@)"
 
-delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
+delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-deleted \
+            --set-name=$VAR(../@) --set-type=network;
+        if [ $? == 0 ] ; then
+           sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-used \
+               --set-name=$VAR(../@) --set-type=network
+           if [ $? == 0 ] ; then
+              echo "Error: group [$VAR(../@)] still in use."
+              exit 1;
+           fi
+        fi
+
+        sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
             --set-name=$VAR(../@) \
             --member="$VAR(@)"
 
diff --git a/templates/firewall/group/port-group/node.tag/port/node.def b/templates/firewall/group/port-group/node.tag/port/node.def
index 2aa367c..3394325 100644
--- a/templates/firewall/group/port-group/node.tag/port/node.def
+++ b/templates/firewall/group/port-group/node.tag/port/node.def
@@ -11,7 +11,8 @@ syntax:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
 
 create: tmpgrp=$VAR(../@)-$PPID
         tmpfile="/tmp/$VAR(../@)-$PPID";
-        if [ "$COMMIT_SIBLING_POSITION" = "FIRST" ] || [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
+        if [ "$COMMIT_SIBLING_POSITION" = "FIRST" ] || \
+           [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
            sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-set-empty \
                 --set-name=$VAR(../@)
            if [ $? != 0 ]; then
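Review bot: The reference check is attached only to the member node's delete: action, so nothing fires it for a network-group that has no members at the moment it is deleted; unless the group node itself carries an equivalent delete: guard (not part of this commit), an empty but still-referenced group can be removed while rules point at it, which is the situation the commit title says it fixes. Worth confirming and, if there is no guard on the parent, adding the same `is-group-used` test there. Separately, `[ $? == 0 ]` is a bash-only comparison; the existing template code uses `=`.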
@@ -32,13 +33,25 @@ create: tmpgrp=$VAR(../@)-$PPID
              exit 1;
           fi;
 
-        if [ "$COMMIT_SIBLING_POSITION" = "LAST" ] || [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
+        if [ "$COMMIT_SIBLING_POSITION" = "LAST" ] || \
+           [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
            sudo ipset --swap $tmpgrp "$VAR(../@)";
            sudo ipset --destroy $tmpgrp;
            rm -f $tmpfile;
         fi;
 
-delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
+delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-deleted \
+            --set-name=$VAR(../@) --set-type=port;
+        if [ $? == 0 ] ; then
+           sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-used \
+               --set-name=$VAR(../@) --set-type=port
+           if [ $? == 0 ] ; then
+              echo "Error: group [$VAR(../@)] still in use."
+              exit 1;
+           fi
+        fi
+
+        sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
             --set-name=$VAR(../@) \
             --member="$VAR(@)"
 
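Review bot: This delete: block is now identical to the address-group and network-group templates apart from `--set-type`, so any later correction to the in-use logic has to be made three times; since vyatta-ipset.pl already has both predicates and receives the set type, the sequence belongs in the script as part of `--action=delete-member` (refuse when the parent group is being deleted while still referenced), leaving the template as the original two-line call. Until then the block should at least say what it is for, e.g. `# Refuse to remove members of a group that is being deleted while rules still reference it.`. The `echo "Error: ..."` is written to stdout; confirm that is how the commit framework surfaces template failures, since stderr may be what it reports.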