author | An-Cheng Huang <ancheng@vyatta.com> | 2008-04-08 11:09:31 -0700 |
---|---|---|
committer | An-Cheng Huang <ancheng@vyatta.com> | 2008-04-08 11:09:31 -0700 |
commit | 00cbb4749430199b3f864194bc1e908ddd2dc153 (patch) | |
tree | 96714d21236ce43401d85093a8495b7fc2acdcca | |
parent | 1a300b59f4518c04e7380017f8d58ab8b9284f00 (diff) | |
download | vyatta-cfg-firewall-00cbb4749430199b3f864194bc1e908ddd2dc153.tar.gz vyatta-cfg-firewall-00cbb4749430199b3f864194bc1e908ddd2dc153.zip |
fix for bug 3127: look for an exact match to replace/delete.
-rwxr-xr-x | scripts/firewall/vyatta-firewall.pl | 55 |
1 files changed, 35 insertions, 20 deletions
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl
index 6d7af05..374ef3c 100755
--- a/scripts/firewall/vyatta-firewall.pl
+++ b/scripts/firewall/vyatta-firewall.pl
@@ -250,29 +250,44 @@ sub update_ints() {
 }
 my $grep = "| grep $int_name";
- my $line = `iptables -L $direction -n -v --line-numbers | egrep ^[0-9] $grep`;
- my ($num, $ignore, $ignore, $oldchain, $ignore, $ignore, $in, $out, $ignore, $ignore) = split /\s+/, $line;
-
- if ("$action" eq "update") {
- if (($num =~ /.+/) && (($dir_str eq "in" && $in eq $int_name)
- || ($dir_str eq "out" && $out eq $int_name)
- || ($dir_str eq "local"))) {
- $action = "replace";
- $rule = "--replace $direction $num $interface --jump $chain";
- } else {
- $rule = "--append $direction $interface --jump $chain";
+ my @lines
+ = `iptables -L $direction -n -v --line-numbers | egrep ^[0-9] $grep`;
+ my ($cmd, $num, $oldchain, $in, $out, $ignore)
+ = (undef, undef, undef, undef, undef, undef);
+ foreach (@lines) {
+ ($num, $ignore, $ignore, $oldchain, $ignore, $ignore, $in, $out,
+ $ignore, $ignore) = split /\s+/;
+ if (($dir_str eq 'in' && $in eq $int_name)
+ || ($dir_str eq 'out' && $out eq $int_name)
+ || ($dir_str eq 'local' && $in eq $int_name)) {
+ # found a matching rule
+ if ($action eq 'update') {
+ # replace old rule
+ $action = 'replace';
+ $cmd = "--replace $direction $num $interface --jump $chain";
+ } else {
+ # delete old rule
+ $cmd = "--delete $direction $num";
+ }
+ last;
 }
 }
- else {
- $rule = "--$action $direction $num";
- }
-
- system ("$logger Running: iptables $rule");
- $ret = system("iptables $rule 2>&1 | $logger");
- if ($ret >> 8) {
- exit 1;
+ if (!defined($cmd)) {
+ # no matching rule
+ if ($action eq 'update') {
+ # add new rule
+ $cmd = "--append $direction $interface --jump $chain";
+ } else {
+ # delete non-existent rule!
+ die 'Error updating interfaces: no matching rule to delete';
+ }
 }
- if ($action eq "replace" || $action eq "delete") {
+
+ system ("$logger Running: iptables $cmd");
+ system("iptables $cmd 2>&1 | $logger");
+ exit 1 if ($? >> 8);
+
+ if ($action eq 'replace' || $action eq 'delete') {
 if (!chain_configured($oldchain)) {
 if (!chain_referenced($oldchain)) {
 delete_chain($oldchain);
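Review bot: The new `exit 1 if ($? >> 8);` line checks the exit status of the last command in the shell pipeline, i.e. `$logger`, not of iptables, because `system("iptables $cmd 2>&1 | $logger")` hands the whole string to the shell; a failed replace/delete/append is therefore logged but the script still exits 0 and the caller presumably believes the rule change took effect. The removed `$ret = system(...)` had the same gap, so the commit carries it forward rather than introducing it. Capturing the iptables output first preserves its status: `my $out = qx(iptables $cmd 2>&1); my $rc = $? >> 8;`, then pipe `$out` to `$logger` and finish with `exit 1 if $rc;`. The `my @lines` command also interpolates `$direction`, `$int_name` and `$grep` straight into a shell command line (the `$grep` assembly is a context line), so it is worth a comment above it such as `# $direction/$int_name reach the shell unquoted; relies on upstream validation of chain and interface names` to make that assumption visible. update_ints() starts before the hunk and its body continues past it.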