author | Robert Bays <robert@vyatta.com> | 2012-07-06 10:33:24 -0700 |
---|---|---|
committer | Robert Bays <robert@vyatta.com> | 2012-09-03 10:20:04 -0700 |
commit | 0532b78f0f0b58f75714145642ab7e8dd2a2117b (patch) | |
tree | 00c2635b7364b49449abc63ad3e89fe0c3cf29d7 | |
parent | 4976816fe6793debc42bab49af53320c242cc95b (diff) | |
download | vyatta-cfg-firewall-0532b78f0f0b58f75714145642ab7e8dd2a2117b.tar.gz vyatta-cfg-firewall-0532b78f0f0b58f75714145642ab7e8dd2a2117b.zip |
changes to policy tables to add accept
updates to dscp node.def for better help text
-rwxr-xr-x | lib/Vyatta/IpTables/Rule.pm | 51 | ||||
-rwxr-xr-x | scripts/firewall/vyatta-firewall.pl | 29 | ||||
-rwxr-xr-x[-rw-r--r--] | templates/policy/ipv6-route/node.tag/rule/node.tag/set/dscp/node.def | 1 | ||||
-rwxr-xr-x[-rw-r--r--] | templates/policy/route/node.tag/rule/node.tag/set/dscp/node.def | 1 |
4 files changed, 52 insertions, 30 deletions
diff --git a/lib/Vyatta/IpTables/Rule.pm b/lib/Vyatta/IpTables/Rule.pm
index 48d4d40..215ce82 100755
--- a/lib/Vyatta/IpTables/Rule.pm
+++ b/lib/Vyatta/IpTables/Rule.pm
@@ -182,7 +182,7 @@ sub setup_base {
 $self->{_non_frag} = $config->$exists_func("fragment match-non-frag");
 $self->{_recent_time} = $config->$val_func('recent time');
 $self->{_recent_cnt} = $config->$val_func('recent count');
-
+
 $self->{_p2p}->{_all} = $config->$exists_func("p2p all");
 $self->{_p2p}->{_apple} = $config->$exists_func("p2p applejuice");
 $self->{_p2p}->{_bit} = $config->$exists_func("p2p bittorrent");
@@ -215,14 +215,14 @@ sub setup_base {
 sub setup { my ($self, $level) = @_; - + $self->setup_base($level, 'returnValue', 'exists', 'setup'); return 0; } sub setupOrig { my ($self, $level) = @_; - + $self->setup_base($level, 'returnOrigValue', 'existsOrig', 'setupOrig'); $self->{_ip_version} = "ipv4";
@@ -236,7 +236,7 @@ sub set_ip_version {
 $src->set_ip_version($ip_version); $dst->set_ip_version($ip_version); } - + sub print { my ( $self ) = @_;
@@ -307,10 +307,10 @@ sub get_log_prefix {
 # In iptables it allows a 29 character log_prefix, but we ideally # want to include "[$chain-$rule_num-$action] " but that would require - # 1 29 1 4 1 1 11 = 39 + # 1 29 1 4 1 1 11 = 39 # so truncate the chain name so that it'll all fit. my $action_char = uc(substr($action, 0, 1)); - if ( length($chain) > 19 ) { + if ( length($chain) > 19 ) { $chain = substr($chain, 0, 19); printf STDERR 'Firewall config warning: ' . "rule $rule_num logging prefix will be truncated to [$chain-$rule_num-$action_char]\n";
@@ -403,17 +403,17 @@ sub rule {
 } elsif (defined $self->{_icmp_code}) { return ("ICMP code can only be defined if ICMP type is defined", ); } - } elsif (defined($self->{_icmp_type}) || defined($self->{_icmp_code}) + } elsif (defined($self->{_icmp_type}) || defined($self->{_icmp_code}) || defined($self->{_icmp_name})) { return ("ICMP type/code or type-name can only be defined if protocol is ICMP", ); } # Setup ICMPv6 rule if configured - # ICMPv6 parameters are only valid if the rule is matching on the + # ICMPv6 parameters are only valid if the rule is matching on the # ICMPv6 protocol ID. - # - if (($self->{_protocol} eq "icmpv6") || - ($self->{_protocol} eq "ipv6-icmp") || + # + if (($self->{_protocol} eq "icmpv6") || + ($self->{_protocol} eq "ipv6-icmp") || ($self->{_protocol} eq "58")) { if (defined($self->{_icmpv6_type})) { $rule .= "-m icmpv6 --icmpv6-type $self->{_icmpv6_type}";
@@ -548,21 +548,21 @@ first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mo
 if (defined($self->{_recent_cnt})) {
 $recent_rule1 .= " --hitcount $self->{_recent_cnt} ";
 }
-
+
 $recent_rule = $rule;
-
+
 if ($rule =~ m/\-m\s+set\s+\-\-match\-set/) {
 # firewall group being used in this rule. iptables complains if recent
 # match condition is placed after group match conditions [see bug 5744]
 # so instead of appending recent match place it before group match
 my @split_rules = ();
-
+
 @split_rules = split(/(\-m\s+set\s+\-\-match\-set)/, $rule, 2);
- $rule = $split_rules[0] . $recent_rule1 .
+ $rule = $split_rules[0] . $recent_rule1 .
 $split_rules[1] . $split_rules[2];
-
+
 @split_rules = split(/(\-m\s+set\s+\-\-match\-set)/, $recent_rule, 2);
- $recent_rule = $split_rules[0] . $recent_rule2 .
+ $recent_rule = $split_rules[0] . $recent_rule2 .
 $split_rules[1] . $split_rules[2];
 } else {
 # append recent match conditions to the two rules needed for recent match
@@ -600,8 +600,7 @@ first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mo
 }
 if (defined($self->{_mod_table})) {
 # Route table
- my $mark = 0x7FFFFFFF + $self->{_mod_table};
- $rule .= "-j MARK --set-mark $mark ";
+ $rule .= "-j VYATTA_PBR_$self->{_mod_table} ";
 $count++;
 }
 if (defined($self->{_mod_dscp})) {
@@ -624,7 +623,7 @@ first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mo
 } $count++; } - + # others if ($count == 0) {
@@ -656,9 +655,9 @@ first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mo
 $each_udprule =~ s/ \-p tcp / -p udp / if defined $each_udprule;
 }
 }
-
+
 if ($DEBUG eq 'true') {
- # print all potential iptables rules that could be formed for
+ # print all potential iptables rules that could be formed for
 # a single CLI rule. see get_num_ipt_rules to see exact count
 print "rule :\n$rule\n" if defined $rule;
 print "rule2 :\n$rule2\n" if defined $rule2;
@@ -667,7 +666,7 @@ first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mo
 print "udp rule2 :\n$udp_rule2\n" if defined $udp_rule2; print "udp recent rule :\n$udp_recent_rule\n" if defined $udp_recent_rule; } - + return (undef, $rule, $rule2, $recent_rule, $udp_rule, $udp_rule2, $udp_recent_rule); }
@@ -692,9 +691,9 @@ sub outputXml {
 outputXmlElem("log", $self->{_log}, $fh); outputXmlElem("icmp_type", $self->{_icmp_type}, $fh); outputXmlElem("icmp_code", $self->{_icmp_code}, $fh); - - $src->outputXml("src", $fh); - $dst->outputXml("dst", $fh); + + $src->outputXml("src", $fh); + $dst->outputXml("dst", $fh); } sub validate_timevalues {
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl
index ea0d676..ee4d209 100755
--- a/scripts/firewall/vyatta-firewall.pl
+++ b/scripts/firewall/vyatta-firewall.pl
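Review bot: The new `-j VYATTA_PBR_$self->{_mod_table} ` jumps to a chain that exists only because the setup_iptables change in this same commit creates `VYATTA_PBR_1` through `VYATTA_PBR_250`, and only in the mangle table; the removed code computed a mark for any table number, so a `_mod_table` value outside that range now yields an iptables error when the rule is loaded (surfacing through run_cmd's syslog path) rather than a working mark. Unless the CLI template already constrains the value, a check mirroring the loop bound, in the `return ("...", )` error form used by the ICMP checks in the 403 hunk, would report the problem at commit time: `return ("Route table must be between 1 and 250", ) unless $self->{_mod_table} =~ /^\d+$/ && $self->{_mod_table} >= 1 && $self->{_mod_table} <= 250;`. The `# Route table` comment could also record that the target chain is created by setup_iptables so the two bounds are kept in step. The enclosing subroutine starts and ends outside this hunk.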
@@ -224,10 +224,10 @@ sub run_cmd {
 open (my $out, '-|', $cmd_to_run . ' 2>&1') or die "Can't run command \"$cmd_to_run\": $!"; my @cmd_out = <$out>; - + # if command suceeds to do nothing. return if (close ($out)); - + foreach my $line (@cmd_out) { chomp $line; syslog(LOG_INFO, "%s", $line);
@@ -521,7 +521,7 @@ sub update_rules {
 } elsif ($nodes{$name} eq 'changed') {
 log_msg "$tree $name = changed";
 #check for prefix length, iptables permits 29 as --log-prefix
- my $test = $config->exists('enable-default-log');
+ my $test = $config->exists('enable-default-log');
 if (!($test)) {
 if (($policy_log) and (length ($name) > 19)) {
 my $action_char = uc(substr($policy, 0, 1));
@@ -712,7 +712,7 @@ sub update_ints {
 print STDERR 'Firewall config error: ' . "\"Modify\" rule set \"$chain\" cannot be used for " . "\"local\"\n"; - + exit 1; }
@@ -849,6 +849,17 @@ sub teardown_iptables {
 run_cmd("$iptables_cmd -t $table -X $FW_LOCAL_HOOK", 1);
 }
 }
+
+ # remove policy routing sub rules
+ if ($table eq 'mangle') {
+ for (my $i = 1; $i <= 250; $i++) {
+ run_cmd("$iptables_cmd -t $table -D VYATTA_PBR_$i 2", 1);
+ run_cmd("$iptables_cmd -t $table -D VYATTA_PBR_$i 1", 1);
+ run_cmd("$iptables_cmd -t $table -F VYATTA_PBR_$i", 1);
+ run_cmd("$iptables_cmd -t $table -X VYATTA_PBR_$i", 1);
+ }
+ }
+
 }
 
 sub setup_iptables {
@@ -884,6 +895,16 @@ sub setup_iptables {
 log_msg "FW_CONNTRACK exists $cnt"; } + # setup policy routing sub rules + if ($table eq 'mangle') { + for (my $i = 1; $i <= 250; $i++) { + my $mark = $i + 0x7FFFFFFF; + run_cmd("$iptables_cmd -t $table -N VYATTA_PBR_$i", 1); + run_cmd("$iptables_cmd -t $table -I VYATTA_PBR_$i 1 -j MARK --set-mark $mark", 1); + run_cmd("$iptables_cmd -t $table -I VYATTA_PBR_$i 2 -j ACCEPT", 1); + } + } + return 0; }
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/set/dscp/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/dscp/node.def
index 3ed8f0d..dde50d5 100644..100755
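Review bot: In the teardown loop the `-D VYATTA_PBR_$i 2` and `-D VYATTA_PBR_$i 1` calls are redundant with the `-F VYATTA_PBR_$i` that immediately follows, since a flush removes every rule in the chain; dropping them leaves `run_cmd("$iptables_cmd -t $table -F VYATTA_PBR_$i", 1);` followed by `run_cmd("$iptables_cmd -t $table -X VYATTA_PBR_$i", 1);` and halves the roughly one thousand iptables invocations this loop issues on every teardown. The bound 250 is also duplicated between this loop and the setup_iptables loop in the next hunk, and is implied a third time by the `VYATTA_PBR_$self->{_mod_table}` jump in Rule.pm; a single file-scope constant such as `my $PBR_TABLE_MAX = 250;` (constructed name) used by both loops would keep them in step. sub teardown_iptables starts outside this hunk.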
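Review bot: The `-N VYATTA_PBR_$i` call fails when the chain already exists, but the two `-I` calls after it run regardless (the trailing `1` argument to run_cmd is presumably an ignore-errors flag, not visible here), so if setup_iptables can execute without teardown_iptables having run first, every pass prepends another MARK/ACCEPT pair and the chains grow with stale rules; confirm the call order, or skip the inserts when the chain could not be created. The reason for `-j ACCEPT` at position 2 is not recorded in the code; a comment such as `# ACCEPT ends mangle traversal for the marked packet, so a later policy rule cannot overwrite the mark` would explain why RETURN was not used. sub setup_iptables starts outside this hunk.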
--- a/templates/policy/ipv6-route/node.tag/rule/node.tag/set/dscp/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/dscp/node.def
@@ -1,4 +1,5 @@
 type: u32 +val_help: u32:0-63 ; DSCP number help: Packet Differentiated Services Codepoint (DSCP) syntax:expression: $VAR(@) >= 0 && $VAR(@) < 64; "DSCP must be between 0 and 63"
diff --git a/templates/policy/route/node.tag/rule/node.tag/set/dscp/node.def b/templates/policy/route/node.tag/rule/node.tag/set/dscp/node.def
index 3ed8f0d..dde50d5 100644..100755
--- a/templates/policy/route/node.tag/rule/node.tag/set/dscp/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/set/dscp/node.def
@@ -1,4 +1,5 @@
 type: u32 +val_help: u32:0-63 ; DSCP number help: Packet Differentiated Services Codepoint (DSCP) syntax:expression: $VAR(@) >= 0 && $VAR(@) < 64; "DSCP must be between 0 and 63" |