authorBob Gilligan <gilligan@vyatta.com>2009-02-24 16:34:00 -0800
committerBob Gilligan <gilligan@vyatta.com>2009-02-24 16:34:00 -0800
commited474cdf0e084d653ed06916f0ec297810e23831 (patch)
treebd5f45c46078a048842d5a08cf87bf1bc7679064
parentd8520ae0d6930a29a3e46d4d385b021fc3733024 (diff)
downloadvyatta-cfg-firewall-ed474cdf0e084d653ed06916f0ec297810e23831.tar.gz
vyatta-cfg-firewall-ed474cdf0e084d653ed06916f0ec297810e23831.zip
Allow IPv6 firewall rulesets to be configured on an interface independent of IPv4.
Replaced the hand-coded config templates under each type of interface with script-generated templates. This should be easier to maintain as we add new types of interfaces. Added sub-trees for "modify", "ipv6-name" and "ipv6-modify" under "in", "out" and "local" for all interfaces. Added command-completion for ruleset names being configured on an interface.
-rw-r--r--Makefile.am12
-rwxr-xr-xgen-interface-templates.pl160
-rwxr-xr-xscripts/firewall/vyatta-firewall.pl21
3 files changed, 182 insertions, 11 deletions
diff --git a/Makefile.am b/Makefile.am
index c771b11..a140082 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -15,9 +15,17 @@ share_perl5_DATA += lib/Vyatta/IpTables/AddressFilter.pm
share_perl5_DATA += lib/Vyatta/IpTables/IpSet.pm
cpiop = find . ! -regex '\(.*~\|.*\.bak\|.*\.swp\|.*\#.*\#\)' -print0 | \
- cpio -0pd
+ cpio -0pdu
+
+
+all-local:
+ ./gen-interface-templates.pl
+
+clean-local:
+ rm -rf generated-templates
install-exec-hook:
mkdir -p $(DESTDIR)$(cfgdir)
- cd templates; $(cpiop) $(DESTDIR)$(cfgdir)
+ cd templates; $(cpiop) $(DESTDIR)$(cfgdir); cd ..
+ cd generated-templates; $(cpiop) $(DESTDIR)$(cfgdir); cd ..
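Review bot: The two rewritten `install-exec-hook` lines chain with `;`, so each recipe line's exit status is that of the trailing `cd ..` and a failing cpio no longer fails the install, whereas before this change cpio was the last command in the line. Every recipe line already runs in its own shell, so the `cd ..` is unnecessary; `cd templates && $(cpiop) $(DESTDIR)$(cfgdir)` and `cd generated-templates && $(cpiop) $(DESTDIR)$(cfgdir)` keep the error propagation. Note also that `all-local` has no prerequisite, so `./gen-interface-templates.pl` is rerun on every build; that is harmless but worth a comment such as `# regenerate interface firewall templates on every build (no dependency tracking)`.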
diff --git a/gen-interface-templates.pl b/gen-interface-templates.pl
new file mode 100755
index 0000000..87f1151
--- /dev/null
+++ b/gen-interface-templates.pl
@@ -0,0 +1,160 @@
+#!/usr/bin/perl
+
+my $debug = 0;
+
+my %interface_hash = (
+ 'adsl/node.tag/pvc/node.tag/bridged-ethernet' =>
+ 'adsl$VAR(../../../../../@)',
+ 'adsl/node.tag/pvc/node.tag/classical_ipoa' =>
+ 'adsl$VAR(../../../../../@)',
+ 'adsl/node.tag/pvc/node.tag/pppoa/node.tag' => 'pppoa$VAR(../../../@)',
+ 'adsl/node.tag/pvc/node.tag/pppoe/node.tag' => 'pppoe$VAR(../../../@)',
+
+ 'bonding/node.tag' => '$VAR(../../../@)',
+ 'bonding/node.tag/vif/node.tag' =>
+ '$VAR(../../../../@).$VAR(../../../../@)',
+
+ 'ethernet/node.tag' => '$VAR(../../../@)',
+ 'ethernet/node.tag/pppoe/node.tag' => 'pppoe$VAR(../../../@)',
+ 'ethernet/node.tag/vif/node.tag' =>
+ '$VAR(../../../../@).$VAR(../../../../@)',
+ 'ethernet/node.tag/vif/node.tag/pppoe/node.tag' =>
+ 'pppoe$VAR(../../../@)',
+
+ 'tunnel/node.tag' => '$VAR(../../../@)',
+);
+
+my $template_subdir="generated-templates/interfaces";
+my $firewall_subdir="firewall";
+my $node_file="node.def";
+
+sub gen_firewall_template {
+ my ($if_tree) = @_;
+
+ system ("mkdir -p ${template_subdir}/${if_tree}/${firewall_subdir}");
+
+ open (TP, ">${template_subdir}/${if_tree}/${firewall_subdir}/${node_file}");
+
+ my $date=`date`;
+ print TP "# Template generated at: $date";
+ print TP "\n";
+ print TP "help: Set firewall options\n";
+ close(TP);
+}
+
+
+my %direction_help_hash = (
+ "in" => "forwarded packets on inbound interface",
+ "out" => "forwarded packets on outbound interface",
+ "local" => "packets destined for this router",
+ );
+
+
+sub gen_direction_template {
+ my ($if_tree, $direction) = @_;
+
+ system ("mkdir -p ${template_subdir}/${if_tree}/${firewall_subdir}/${direction}");
+
+ open (TP, ">${template_subdir}/${if_tree}/${firewall_subdir}/${direction}/${node_file}");
+
+ my $date=`date`;
+ print TP "# Template generated at: $date";
+ print TP "\n";
+ print TP "help: Set ruleset for $direction_help_hash{$direction}\n";
+ close(TP);
+}
+
+my %direction_term_hash = (
+ "in" => "inbound",
+ "out" => "outbound",
+ "local" => "local",
+ );
+
+my %table_help_hash = (
+ "name" => "IPv4 firewall",
+ "ipv6-name" => "IPv6 firewall",
+ "modify" => "IPv4 modify",
+ "ipv6-modify" => "IPv6 modify",
+ );
+
+
+sub gen_template {
+ my ($if_tree, $direction, $table, $if_name) = @_;
+
+ if ($debug) {
+ print "debug: table=$table direction=$direction\n";
+ }
+
+ my $template_dir="${template_subdir}/${if_tree}/${firewall_subdir}/${direction}/${table}";
+
+ if ($debug) {
+ print "debug: template_dir=$template_dir\n";
+ }
+
+ system ("mkdir -p $template_dir");
+
+ open (TP, ">${template_dir}/${node_file}");
+
+ my $date=`date`;
+ print TP "# Template generated at: $date";
+ print TP "\n";
+
+ print TP "type: txt\n";
+ print TP "\n";
+
+ print TP "help: Set $direction_term_hash{$direction} $table_help_hash{$table} ruleset name for interface\n";
+ print TP "\n";
+
+ print TP "allowed:\n";
+ print TP "\tlocal -a params ;\n";
+ print TP "\tparams=( /opt/vyatta/config/active/firewall/${table}/* )\n";
+ print TP "\techo -n \${params[@]##*/}\n";
+ print TP "\n";
+
+ print TP "create:\n";
+ print TP "\tifname=$if_name\n";
+ print TP "\tsudo /opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces \\\n";
+
+ print TP "\t\tupdate \$ifname $direction \$VAR(@) $table\n";
+ print TP "\n";
+ print TP "update:\n";
+ print TP "\tifname=$if_name\n";
+ print TP "\tsudo /opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces \\\n";
+ print TP "\t\tupdate \$ifname $direction \$VAR(@) $table\n";
+ print TP "\n";
+
+ print TP "delete:\n";
+ print TP "\tifname=$if_name\n";
+ print TP "\tsudo /opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces \\\n";
+ print TP "\t\tdelete \$ifname $direction \$VAR(@) $table\n";
+
+ close(TP);
+}
+
+my @ruleset_tables = ("name", "modify", "ipv6-name", "ipv6-modify");
+my @ruleset_directions = ("in", "out", "local");
+
+print "Generating interface templates...\n";
+
+foreach my $if_tree (keys %interface_hash) {
+ my $if_name = $interface_hash{$if_tree};
+
+ if ($debug) {
+ print "debug: if_tree=$if_tree if_name=$if_name \n";
+ }
+
+ gen_firewall_template($if_tree);
+ for my $direction (@ruleset_directions) {
+ gen_direction_template($if_tree, $direction);
+ foreach my $table (@ruleset_tables) {
+ gen_template($if_tree, $direction, $table, $if_name);
+ }
+ }
+}
+
+print "Done.\n";
+
+
+
+
+
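Review bot: The three `open (TP, ">...")` calls in gen_firewall_template, gen_direction_template and gen_template are two-argument opens on a bareword handle with no status check, and the file has no `use strict; use warnings;`, so if an open fails (for example after the equally unchecked `system("mkdir -p ...")`) every `print TP` goes to a closed handle and the script still prints `Done.`. Use a lexical handle and check both ends, e.g. in gen_template `open my $tp, '>', "$template_dir/$node_file" or die "open $template_dir/$node_file: $!";` paired with `close $tp or die "close $template_dir/$node_file: $!";`, and check the return value of `system` or replace it with File::Path's `mkpath`. The header lines (`my $date=\`date\`;` and the `# Template generated at:` print) are duplicated in all three subs and could be one small helper using `scalar localtime` instead of spawning a shell. Separately, the `vif` entries of `%interface_hash` for bonding and ethernet concatenate two identical references, `'$VAR(../../../../@).$VAR(../../../../@)'`, so the generated `ifname` cannot combine a parent interface name with a vif id as the `name.vif` form suggests; presumably one of them should point at a different level, which should be confirmed against the hand-written vif templates this commit replaces.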
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl
index 7f3a91a..0f2e328 100755
--- a/scripts/firewall/vyatta-firewall.pl
+++ b/scripts/firewall/vyatta-firewall.pl
@@ -25,7 +25,7 @@ my ($setup, $teardown, $updaterules);
GetOptions("setup" => \$setup,
"teardown" => \$teardown,
"update-rules" => \$updaterules,
- "update-interfaces=s{4}" => \@updateints,
+ "update-interfaces=s{5}" => \@updateints,
"debug" => \$debug_flag,
"syslog" => \$syslog_flag
);
@@ -72,10 +72,13 @@ if (defined $updaterules) {
exit 0;
}
-if ($#updateints == 3) {
- my ($action, $int_name, $direction, $chain) = @updateints;
- my $tree = chain_configured(0, $chain, undef);
+if ($#updateints == 4) {
+ my ($action, $int_name, $direction, $chain, $tree) = @updateints;
+
+ my $tree = chain_configured(1, $chain, $tree);
+
my $table = $table_hash{$tree};
+
my $iptables_cmd = $cmd_hash{$tree};
if ($action eq "update") {
# make sure chain exists
@@ -90,7 +93,7 @@ if ($#updateints == 3) {
# from the "other" trees first.
foreach my $other_tree (keys %table_hash) {
if ($other_tree ne $tree) {
- update_ints('delete', $int_name, $direction, $chain,
+ update_ints('delete', $int_name, $direction, $chain, $tree,
$table_hash{$other_tree}, $cmd_hash{$other_tree});
}
}
@@ -219,7 +222,7 @@ sub update_rules {
my $ctree = chain_configured(2, $name, $tree);
if (defined($ctree)) {
# chain name must be unique in both trees
- print STDERR 'Firewall config error: '
+ printf STDERR 'Firewall config error: '
. "Rule set name \"$name\" already used in \"$ctree\"\n";
exit 1;
}
@@ -349,9 +352,9 @@ sub update_rules {
}
# returns the "tree" in which the chain is configured; undef if not configured.
-# mode: 0: check if the chain is configured in either tree.
+# mode: 0: check if the chain is configured in any tree.
# 1: check if it is configured in the specified tree.
-# 2: check if it is configured in the "other" tree.
+# 2: check if it is configured in any "other" tree.
sub chain_configured {
my ($mode, $chain, $tree) = @_;
@@ -374,7 +377,7 @@ sub chain_configured {
}
sub update_ints {
- my ($action, $int_name, $direction, $chain, $table, $iptables_cmd) = @_;
+ my ($action, $int_name, $direction, $chain, $tree, $table, $iptables_cmd) = @_;
my $interface = undef;
log_msg "update_ints: @_ \n";
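Review bot: In the `$#updateints == 4` block, `my $tree = chain_configured(1, $chain, $tree);` redeclares `$tree` in the same scope as the unpacking line just above it (a compile-time "masks earlier declaration" warning under `use warnings`), and since `chain_configured` returns undef when the chain is not configured in the specified tree (per the updated comment on mode 1), `$tree` becomes undef on that path and the following `$table_hash{$tree}` and `$cmd_hash{$tree}` lookups silently yield undef. Keep the command-line value in `$tree` and hold the check result in its own variable, e.g. `my $configured = chain_configured(1, $chain, $tree);`, then decide explicitly what an update or delete of a chain that is not configured in `$tree` should do; the "make sure chain exists" branch that follows runs past the end of the hunk. Separately, the update_rules hunk changes `print STDERR` to `printf STDERR` with `$name` interpolated into what is now the format string, so a ruleset name containing `%` is treated as a conversion specification and triggers a missing-argument warning; revert that line to `print STDERR`.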