author | Stig Thormodsrud <stig@vyatta.com> | 2010-10-14 14:10:11 -0700 |
committer | Stig Thormodsrud <stig@vyatta.com> | 2010-10-14 14:10:11 -0700 |
commit | 97a8e6281bdd0ccdd243fc7e5a8f8104c5c36975 (patch) | |
tree | ec6df7625c56c1bad09bf47f26ddd61d8d797d61 | |
parent | 3053d2ccf0099b122105759fd0cdb82357e25984 (diff) | |
Add Iptables::Mgr route to get queue target.
-rwxr-xr-x | lib/Vyatta/IpTables/Mgr.pm | 14 | ||||
-rwxr-xr-x | lib/Vyatta/IpTables/Rule.pm | 5 |
2 files changed, 17 insertions, 2 deletions
diff --git a/lib/Vyatta/IpTables/Mgr.pm b/lib/Vyatta/IpTables/Mgr.pm
index 678fb39..6452540 100755
--- a/lib/Vyatta/IpTables/Mgr.pm
+++ b/lib/Vyatta/IpTables/Mgr.pm
@@ -30,7 +30,7 @@ use warnings;
 use base 'Exporter';
 our @EXPORT = qw(ipt_find_chain_rule ipt_enable_conntrack
                  ipt_disable_conntrack count_iptables_rules
-                 chain_referenced);
+                 chain_referenced ipt_get_queue_target);
 
 sub ipt_find_chain_rule {
 
@@ -105,6 +105,18 @@ sub ipt_disable_conntrack {
     return 0;
 }
 
+my %queue_target_hash =
+    ('SNORT'    => 'NFQUEUE --queue-num 0',
+     'VG_HTTPS' => 'NFQUEUE --queue-num 1',
+    );
+
+sub ipt_get_queue_target {
+    my ($app) = @_;
+
+    my $target = $queue_target_hash{$app};
+    return $target;
+}
+
 sub count_iptables_rules {
     my ($command, $table, $chain) = @_;
     my @lines = `sudo $command -t $table -L $chain -n --line`;
diff --git a/lib/Vyatta/IpTables/Rule.pm b/lib/Vyatta/IpTables/Rule.pm
index 7b6c82b..e190a46 100755
--- a/lib/Vyatta/IpTables/Rule.pm
+++ b/lib/Vyatta/IpTables/Rule.pm
@@ -2,6 +2,7 @@ package Vyatta::IpTables::Rule;
 
 use strict;
 use Vyatta::Config;
+use Vyatta::IpTables::Mgr;
 require Vyatta::IpTables::AddressFilter;
 
 my $src = new Vyatta::IpTables::AddressFilter;
@@ -570,7 +571,9 @@ first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mo
     } elsif ("$self->{_action}" eq "reject") {
       $rule .= "-j REJECT ";
     } elsif ("$self->{_action}" eq 'inspect') {
-      $rule .= "-j QUEUE ";
+      my $target = ipt_get_queue_target('SNORT');
+      return ('Undefined target for inspect', ) if ! defined $target;
+      $rule .= "-j $target ";
     } elsif ("$self->{_action}" eq 'modify') {
       # mangle actions
       my $count = 0;
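Review bot: In the second Mgr.pm hunk, `ipt_get_queue_target` indexes `%queue_target_hash` with `$app` unchecked, so a caller passing `undef` emits an "uninitialized value in hash element" warning under this file's `use warnings` before it returns undef; a guard `return unless defined $app;` puts the undefined-app and unknown-app cases on the same quiet path. The intermediate `$target` adds nothing, so the body can simply be `return $queue_target_hash{$app};`. Because the returned string is interpolated verbatim into an iptables rule by the Rule.pm hunk, the table is effectively a whitelist of rule text and deserves a comment saying so, e.g. `# Closed map of inspection application -> NFQUEUE target string; only these keys are accepted and the queue numbers presumably match the daemons that consume them`.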
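Review bot: In the Rule.pm `inspect` hunk, `return ('Undefined target for inspect', ) if ! defined $target;` carries a stray trailing comma inside the list and a postfix `if !`, neither of which the surrounding branches use; `return ('Undefined target for inspect') unless defined $target;` reads the same and is idiomatic. The enclosing method starts and ends outside the hunk, so it is not visible here whether callers expect a one-element list as the error shape — confirm this matches the method's other error returns. The application name `'SNORT'` is hard-coded even though `%queue_target_hash` also defines `VG_HTTPS`; a one-line comment such as `# 'inspect' currently always maps to the SNORT queue target` would record that this is deliberate.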