author | Joshua McBeth <joshua.mcbeth@gmail.com> | 2017-12-03 21:43:25 -0500 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2019-02-08 18:42:29 +0100 |
commit | 2cd6280b90042efac7c37be4835f70ed06514504 (patch) | |
tree | ce25835c81b86f8566cea3c2f53eb5f31458f70b | |
parent | 5499f86a9b6702ce1e76d994402299fce3bbbc47 (diff) | |
download | vyatta-cfg-firewall-2cd6280b90042efac7c37be4835f70ed06514504.tar.gz vyatta-cfg-firewall-2cd6280b90042efac7c37be4835f70ed06514504.zip |
T484: Rules can't be deleted from firewall rule sets used in zone policies
-rwxr-xr-x | scripts/firewall/vyatta-firewall.pl | 70 |
1 files changed, 39 insertions, 31 deletions
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl
index c2727cc..dc7c702 100755
--- a/scripts/firewall/vyatta-firewall.pl
+++ b/scripts/firewall/vyatta-firewall.pl
@@ -526,42 +526,50 @@ sub update_rules {
 $config->setLevel("$tree $name rule");
 my %test_rule_hash = $config->listNodeStatus();
+ my $all_rules_deleted = 1;
+
 foreach my $test_rule (sort numerically keys %test_rule_hash) {
- if ("$test_rule_hash{$test_rule}" eq 'static') {
- next;
- } elsif ("$test_rule_hash{$test_rule}" eq 'added') {
- my $test_node = new Vyatta::IpTables::Rule;
- $test_node->setup("$tree $name rule $test_rule");
- $test_node->set_ip_version($ip_version_hash{$tree});
- my ($err_str, @rule_strs) = $test_node->rule();
- if (defined($err_str)) {
- Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: $err_str\n");
- exit 1;
- }
- my $test_chain = chain_configured(2, $name, $tree);
- if (defined($test_chain)) {
- # Chain name must be unique in both trees
- Vyatta::Config::outputError([$tree,$name], "Firewall configuration error: Rule set name \"$name\" already used in \"$test_chain\"\n");
- exit 1;
- }
- } elsif ("$test_rule_hash{$test_rule}" eq 'changed') {
- my $test_node = new Vyatta::IpTables::Rule;
- $test_node->setup("$tree $name rule $test_rule");
- $test_node->set_ip_version($ip_version_hash{$tree});
- my ($err_str, @rule_strs) = $test_node->rule();
- if (defined($err_str)) {
- Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: $err_str\n");
- exit 1;
- }
- } elsif ("$test_rule_hash{$test_rule}" eq 'deleted') {
- if (Vyatta::IpTables::Mgr::chain_referenced($table, $name, $iptables_cmd)) {
- # Disallow deleting a chain if it's still referenced
- Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: Cannot delete rule set \"$name\" (still in use)\n");
- exit 1;
+ if ("$test_rule_hash{$test_rule}" ne 'deleted') {
+ $all_rules_deleted = 0;
+
+ if ("$test_rule_hash{$test_rule}" eq 'static') {
+ next;
+ } elsif ("$test_rule_hash{$test_rule}" eq 'added') {
+ my $test_node = new Vyatta::IpTables::Rule;
+ $test_node->setup("$tree $name rule $test_rule");
+ $test_node->set_ip_version($ip_version_hash{$tree});
+ my ($err_str, @rule_strs) = $test_node->rule();
+ if (defined($err_str)) {
+ Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: $err_str\n");
+ exit 1;
+ }
+ my $test_chain = chain_configured(2, $name, $tree);
+ if (defined($test_chain)) {
+ # Chain name must be unique in both trees
+ Vyatta::Config::outputError([$tree,$name], "Firewall configuration error: Rule set name \"$name\" already used in \"$test_chain\"\n");
+ exit 1;
+ }
+ } elsif ("$test_rule_hash{$test_rule}" eq 'changed') {
+ my $test_node = new Vyatta::IpTables::Rule;
+ $test_node->setup("$tree $name rule $test_rule");
+ $test_node->set_ip_version($ip_version_hash{$tree});
+ my ($err_str, @rule_strs) = $test_node->rule();
+ if (defined($err_str)) {
+ Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: $err_str\n");
+ exit 1;
+ }
 }
 }
 }
+
+ if ($all_rules_deleted and Vyatta::IpTables::Mgr::chain_referenced($table, $name, $iptables_cmd)) {
+ # Disallow deleting a chain if it's still referenced
+ Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: Cannot delete rule set \"$name\" (still in use)\n");
+ exit 1;
+ }
+
+ if ($nodes{$name} eq 'static') { # not changed. check if stateful. |