authorJames Davidson <james.davidson@vyatta.com>2013-05-21 17:57:25 -0700
committerJames Davidson <james.davidson@vyatta.com>2013-05-22 16:47:05 -0700
commit9339770e2f8a874c4f9befa05613c842f2b9b3a9 (patch)
treed9680ebc8316ed6e714b3997a83a8d0364739105
parentebd75fd25ddede4a6797ebe5a9f4c0195d1dce17 (diff)
Enable generation of SNMP traps on firewall config changes
Adds a call to vyatta-firewall-trap.pl to the end action of the firewall nodes.
-rwxr-xr-xgen-interface-templates.pl32
-rw-r--r--templates/firewall/group/address-group/node.def6
-rw-r--r--templates/firewall/group/network-group/node.def6
-rw-r--r--templates/firewall/group/port-group/node.def6
-rw-r--r--templates/firewall/ipv6-name/node.def1
-rw-r--r--templates/firewall/name/node.def6
-rw-r--r--templates/firewall/node.def1
-rw-r--r--templates/firewall/state-policy/node.def1
8 files changed, 52 insertions, 7 deletions
diff --git a/gen-interface-templates.pl b/gen-interface-templates.pl
index 817aa4d..d22ab8a 100755
--- a/gen-interface-templates.pl
+++ b/gen-interface-templates.pl
@@ -71,6 +71,35 @@ my %interface_hash = (
'wirelessmodem/node.tag' => '$VAR(../../../@)',
);
+# Firewall node hashes
+my %firewall_hash = (
+ 'adsl/node.tag/pvc/node.tag/bridged-ethernet' => 'adsl $VAR(../../../@) pvc $VAR(../../@) bridged-ethernet',
+ 'adsl/node.tag/pvc/node.tag/classical-ipoa' => 'adsl $VAR(../../../@) pvc $VAR(../../@) classical-ipoa',
+ 'adsl/node.tag/pvc/node.tag/pppoa/node.tag' => 'adsl $VAR(../../../@) pvc $VAR(../../@) pppoa $VAR(../@)',
+ 'adsl/node.tag/pvc/node.tag/pppoe/node.tag' => 'adsl $VAR(../../../@) pvc $VAR(../../@) pppoe $VAR(../@)',
+ 'bonding/node.tag' => 'bonding $VAR(../@)',
+ 'bonding/node.tag/vif/node.tag' => 'bonding $VAR(../../../@) vif $VAR(../@)',
+ 'bridge/node.tag' => 'bridge $VAR(../@)',
+ 'ethernet/node.tag' => 'ethernet $VAR(../@)',
+ 'ethernet/node.tag/pppoa/node.tag' => 'ethernet $VAR(../../@) pppoa $VAR(../@)',
+ 'ethernet/node.tag/pppoe/node.tag' => 'ethernet $VAR(../../@) pppoe $VAR(../@)',
+ 'ethernet/node.tag/vif/node.tag' => 'ethernet $VAR(../../../@) vif $VAR(../@)',
+ 'ethernet/node.tag/vif/node.tag/pppoe/node.tag' => 'ethernet $VAR(../../../../@) vif $VAR(../../@) pppoe $VAR(../@)',
+ 'input/node.tag' => 'input $VAR(../@)',
+ 'multilink/node.tag/vif/node.tag' => 'multilink $VAR(../../../@) vif $VAR(../@)',
+ 'openvpn/node.tag' => 'openvpn $VAR(../@)',
+ 'pseudo-ethernet/node.tag' => 'pseudo-ethernet $VAR(../@)',
+ 'pseudo-ethernet/node.tag/vif/node.tag' => 'pseudo-ethernet $VAR(../../../@) vif $VAR(../@)',
+ 'serial/node.tag/cisco-hdlc/vif/node.tag' => 'serial $VAR(../../../@) cisco-hdlc vif $VAR(../@)',
+ 'serial/node.tag/frame-relay/vif/node.tag' => 'serial $VAR(../../../@) frame-relay vif $VAR(../@)',
+ 'serial/node.tag/ppp/vif/node.tag' => 'serial $VAR(../../../@) ppp vif $VAR(../@)',
+ 'tunnel/node.tag' => 'tunnel $VAR(../@)',
+ 'vti/node.tag' => 'vti $VAR(../@)',
+ 'wireless/node.tag' => 'wireless $VAR(../@)',
+ 'wireless/node.tag/vif/node.tag' => 'wireless $VAR(../../../@) vif $VAR(../@)',
+ 'wirelessmodem/node.tag' => 'wirelessmodem $VAR(../@)',
+);
+
# Hash table to check if the priority needs to set @ root
# of the node.def which is generated.
my %interface_prio = (
@@ -113,6 +142,9 @@ sub gen_firewall_template {
print $tp "priority: $interface_prio{ $if_tree }\n";
}
print $tp "help: Firewall options\n";
+ die "ERROR: No firewall hash for ${if_tree}" unless $firewall_hash{"${if_tree}"};
+ print $tp 'end: ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="interfaces ';
+ print $tp $firewall_hash{"${if_tree}"} . ' firewall"' . "\n";
close $tp
or die "Can't write $path/$node_file: $!";
}
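Review bot: The new `die` on the `$firewall_hash` lookup fires after `help:` has already been written to `$tp`, so an unmapped `$if_tree` aborts the run and also leaves a truncated node.def on disk; hoist the check to the top of gen_firewall_template, before the file is opened, as `die "ERROR: No firewall hash for $if_tree" unless exists $firewall_hash{$if_tree};` (the sub's opening lines and the `open` are outside this hunk). The `"${if_tree}"` quoting around the hash key is redundant; `$firewall_hash{$if_tree}` reads the same. The generated `end:` line puts the `$VAR(...)` interface names inside a double-quoted shell argument, so the safety of the trap command rests on whatever name validation the interface templates already apply; a comment on the `print` line such as `# $VAR() values land in a double-quoted shell argument; relies on interface-name syntax checks` would make that dependency visible to the next maintainer.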
diff --git a/templates/firewall/group/address-group/node.def b/templates/firewall/group/address-group/node.def
index 5b2e510..13b2e72 100644
--- a/templates/firewall/group/address-group/node.def
+++ b/templates/firewall/group/address-group/node.def
@@ -15,5 +15,7 @@ syntax:expression: pattern $VAR(@) "^[^!]" ; \
syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \
"Firewall group name cannot contain shell punctuation"
-end: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \
- --set-name="$VAR(@)" --set-type=address
+end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \
+ --set-name="$VAR(@)" --set-type=address; then
+ ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group address-group $VAR(@)"
+ fi
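Review bot: Wrapping the `vyatta-ipset.pl` call in `if ...; then ...; fi` with no `else` changes the end action's exit status: when `update-set` fails the `if` statement itself returns 0, so the commit now succeeds where it previously failed, while a failure of the trap script, now the last command run, fails the commit. The same construction appears in the network-group and port-group templates below, and the inner `if ... --teardown ...; then` in firewall/name/node.def swallows a teardown failure the same way. Mirror the ipv6-name template by adding `else` / `exit 1` before the `fi`, and if the trap is meant to be best-effort notification, append `|| true` to the `vyatta-firewall-trap.pl` line; that second change applies equally to the trailing trap calls in the ipv6-name, firewall and state-policy templates, whose status is now the action's status.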
diff --git a/templates/firewall/group/network-group/node.def b/templates/firewall/group/network-group/node.def
index 8e50b7d..263a772 100644
--- a/templates/firewall/group/network-group/node.def
+++ b/templates/firewall/group/network-group/node.def
@@ -15,6 +15,8 @@ syntax:expression: pattern $VAR(@) "^[^!]" ; \
syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \
"Firewall group name cannot contain shell punctuation"
-end: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \
- --set-name="$VAR(@)" --set-type=network
+end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \
+ --set-name="$VAR(@)" --set-type=network; then
+ ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group network-group $VAR(@)"
+ fi
diff --git a/templates/firewall/group/port-group/node.def b/templates/firewall/group/port-group/node.def
index 949403e..1484be2 100644
--- a/templates/firewall/group/port-group/node.def
+++ b/templates/firewall/group/port-group/node.def
@@ -15,5 +15,7 @@ syntax:expression: pattern $VAR(@) "^[^!]" ; \
syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \
"Firewall group name cannot contain shell punctuation"
-end: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \
- --set-name="$VAR(@)" --set-type=port
+end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \
+ --set-name="$VAR(@)" --set-type=port; then
+ ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group port-group $VAR(@)"
+ fi
diff --git a/templates/firewall/ipv6-name/node.def b/templates/firewall/ipv6-name/node.def
index 3501d9b..e7e1167 100644
--- a/templates/firewall/ipv6-name/node.def
+++ b/templates/firewall/ipv6-name/node.def
@@ -24,6 +24,7 @@ end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "firewall ipv6-n
else
exit 1;
fi
+ ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall ipv6-name $VAR(@)"
create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup ip6tables "firewall ipv6-name"
diff --git a/templates/firewall/name/node.def b/templates/firewall/name/node.def
index 0c3c096..c48eb6d 100644
--- a/templates/firewall/name/node.def
+++ b/templates/firewall/name/node.def
@@ -18,8 +18,12 @@ end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "firewall name"
then
if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok "firewall name" ;
then
- sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "firewall name"
+ if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "firewall name"; then
+ ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall name $VAR(@)"
+ fi
fi
+ else
+ ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall name $VAR(@)"
fi
else
exit 1;
diff --git a/templates/firewall/node.def b/templates/firewall/node.def
index c71966b..ef135d6 100644
--- a/templates/firewall/node.def
+++ b/templates/firewall/node.def
@@ -1,2 +1,3 @@
priority: 199
help: Firewall
+end: ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="$VAR(@)" \ No newline at end of file
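Review bot: The added `end:` line is written without a terminating newline (`\ No newline at end of file`); end the file with a newline so the template is consistent with the other node.def files in this commit. At this node `$VAR(@)` presumably expands to the node's own name rather than a user value, so the `--level` argument here is fixed; if that is the intent, a short comment or the literal string would make it clearer than the interpolation.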
diff --git a/templates/firewall/state-policy/node.def b/templates/firewall/state-policy/node.def
index 230f090..3843f7c 100644
--- a/templates/firewall/state-policy/node.def
+++ b/templates/firewall/state-policy/node.def
@@ -32,3 +32,4 @@ end:
--action=enable-disable-conntrack; then \
exit 1
fi
+ ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall state-policy $VAR(@)"