authorRobert Bays <robert@vyatta.com>2012-07-06 10:33:24 -0700
committerRobert Bays <robert@vyatta.com>2012-09-03 10:20:04 -0700
commit0532b78f0f0b58f75714145642ab7e8dd2a2117b (patch)
tree00c2635b7364b49449abc63ad3e89fe0c3cf29d7
parent4976816fe6793debc42bab49af53320c242cc95b (diff)
downloadvyatta-cfg-firewall-0532b78f0f0b58f75714145642ab7e8dd2a2117b.tar.gz
vyatta-cfg-firewall-0532b78f0f0b58f75714145642ab7e8dd2a2117b.zip
changes to policy tables to add accept
updates to dscp node.def for better help text
-rwxr-xr-xlib/Vyatta/IpTables/Rule.pm51
-rwxr-xr-xscripts/firewall/vyatta-firewall.pl29
-rwxr-xr-x[-rw-r--r--]templates/policy/ipv6-route/node.tag/rule/node.tag/set/dscp/node.def1
-rwxr-xr-x[-rw-r--r--]templates/policy/route/node.tag/rule/node.tag/set/dscp/node.def1
4 files changed, 52 insertions, 30 deletions
diff --git a/lib/Vyatta/IpTables/Rule.pm b/lib/Vyatta/IpTables/Rule.pm
index 48d4d40..215ce82 100755
--- a/lib/Vyatta/IpTables/Rule.pm
+++ b/lib/Vyatta/IpTables/Rule.pm
@@ -182,7 +182,7 @@ sub setup_base {
$self->{_non_frag} = $config->$exists_func("fragment match-non-frag");
$self->{_recent_time} = $config->$val_func('recent time');
$self->{_recent_cnt} = $config->$val_func('recent count');
-
+
$self->{_p2p}->{_all} = $config->$exists_func("p2p all");
$self->{_p2p}->{_apple} = $config->$exists_func("p2p applejuice");
$self->{_p2p}->{_bit} = $config->$exists_func("p2p bittorrent");
@@ -215,14 +215,14 @@ sub setup_base {
sub setup {
my ($self, $level) = @_;
-
+
$self->setup_base($level, 'returnValue', 'exists', 'setup');
return 0;
}
sub setupOrig {
my ($self, $level) = @_;
-
+
$self->setup_base($level, 'returnOrigValue', 'existsOrig', 'setupOrig');
$self->{_ip_version} = "ipv4";
@@ -236,7 +236,7 @@ sub set_ip_version {
$src->set_ip_version($ip_version);
$dst->set_ip_version($ip_version);
}
-
+
sub print {
my ( $self ) = @_;
@@ -307,10 +307,10 @@ sub get_log_prefix {
# In iptables it allows a 29 character log_prefix, but we ideally
# want to include "[$chain-$rule_num-$action] " but that would require
- # 1 29 1 4 1 1 11 = 39
+ # 1 29 1 4 1 1 11 = 39
# so truncate the chain name so that it'll all fit.
my $action_char = uc(substr($action, 0, 1));
- if ( length($chain) > 19 ) {
+ if ( length($chain) > 19 ) {
$chain = substr($chain, 0, 19);
printf STDERR 'Firewall config warning: '
. "rule $rule_num logging prefix will be truncated to [$chain-$rule_num-$action_char]\n";
@@ -403,17 +403,17 @@ sub rule {
} elsif (defined $self->{_icmp_code}) {
return ("ICMP code can only be defined if ICMP type is defined", );
}
- } elsif (defined($self->{_icmp_type}) || defined($self->{_icmp_code})
+ } elsif (defined($self->{_icmp_type}) || defined($self->{_icmp_code})
|| defined($self->{_icmp_name})) {
return ("ICMP type/code or type-name can only be defined if protocol is ICMP", );
}
# Setup ICMPv6 rule if configured
- # ICMPv6 parameters are only valid if the rule is matching on the
+ # ICMPv6 parameters are only valid if the rule is matching on the
# ICMPv6 protocol ID.
- #
- if (($self->{_protocol} eq "icmpv6") ||
- ($self->{_protocol} eq "ipv6-icmp") ||
+ #
+ if (($self->{_protocol} eq "icmpv6") ||
+ ($self->{_protocol} eq "ipv6-icmp") ||
($self->{_protocol} eq "58")) {
if (defined($self->{_icmpv6_type})) {
$rule .= "-m icmpv6 --icmpv6-type $self->{_icmpv6_type}";
@@ -548,21 +548,21 @@ first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mo
if (defined($self->{_recent_cnt})) {
$recent_rule1 .= " --hitcount $self->{_recent_cnt} ";
}
-
+
$recent_rule = $rule;
-
+
if ($rule =~ m/\-m\s+set\s+\-\-match\-set/) {
# firewall group being used in this rule. iptables complains if recent
# match condition is placed after group match conditions [see bug 5744]
# so instead of appending recent match place it before group match
my @split_rules = ();
-
+
@split_rules = split(/(\-m\s+set\s+\-\-match\-set)/, $rule, 2);
- $rule = $split_rules[0] . $recent_rule1 .
+ $rule = $split_rules[0] . $recent_rule1 .
$split_rules[1] . $split_rules[2];
-
+
@split_rules = split(/(\-m\s+set\s+\-\-match\-set)/, $recent_rule, 2);
- $recent_rule = $split_rules[0] . $recent_rule2 .
+ $recent_rule = $split_rules[0] . $recent_rule2 .
$split_rules[1] . $split_rules[2];
} else {
# append recent match conditions to the two rules needed for recent match
@@ -600,8 +600,7 @@ first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mo
}
if (defined($self->{_mod_table})) {
# Route table
- my $mark = 0x7FFFFFFF + $self->{_mod_table};
- $rule .= "-j MARK --set-mark $mark ";
+ $rule .= "-j VYATTA_PBR_$self->{_mod_table} ";
$count++;
}
if (defined($self->{_mod_dscp})) {
@@ -624,7 +623,7 @@ first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mo
}
$count++;
}
-
+
# others
if ($count == 0) {
@@ -656,9 +655,9 @@ first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mo
$each_udprule =~ s/ \-p tcp / -p udp / if defined $each_udprule;
}
}
-
+
if ($DEBUG eq 'true') {
- # print all potential iptables rules that could be formed for
+ # print all potential iptables rules that could be formed for
# a single CLI rule. see get_num_ipt_rules to see exact count
print "rule :\n$rule\n" if defined $rule;
print "rule2 :\n$rule2\n" if defined $rule2;
@@ -667,7 +666,7 @@ first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mo
print "udp rule2 :\n$udp_rule2\n" if defined $udp_rule2;
print "udp recent rule :\n$udp_recent_rule\n" if defined $udp_recent_rule;
}
-
+
return (undef, $rule, $rule2, $recent_rule, $udp_rule, $udp_rule2, $udp_recent_rule);
}
@@ -692,9 +691,9 @@ sub outputXml {
outputXmlElem("log", $self->{_log}, $fh);
outputXmlElem("icmp_type", $self->{_icmp_type}, $fh);
outputXmlElem("icmp_code", $self->{_icmp_code}, $fh);
-
- $src->outputXml("src", $fh);
- $dst->outputXml("dst", $fh);
+
+ $src->outputXml("src", $fh);
+ $dst->outputXml("dst", $fh);
}
sub validate_timevalues {
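Review bot: The new `$rule .= "-j VYATTA_PBR_$self->{_mod_table} ";` in the route-table branch interpolates the configured table number straight into a chain name, and that chain only exists if setup_iptables created it (this commit creates `VYATTA_PBR_1` .. `VYATTA_PBR_250` in the mangle table); a table number outside that range now fails at iptables insert time with an opaque "no chain/target" error rather than producing an odd mark as the old `0x7FFFFFFF + $self->{_mod_table}` arithmetic did. Presumably the CLI template bounds the value, but if it does not, a check in the style of the other branches of this sub would give a clear message, e.g. `return ("Route table must be between 1 and 250", ) unless $self->{_mod_table} >= 1 && $self->{_mod_table} <= 250;`. The `# Route table` comment should also be updated, since the mark arithmetic no longer lives here: `# Route table: jump to the per-table chain that sets the fwmark and accepts`. `sub rule` starts and ends outside the hunk.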
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl
index ea0d676..ee4d209 100755
--- a/scripts/firewall/vyatta-firewall.pl
+++ b/scripts/firewall/vyatta-firewall.pl
@@ -224,10 +224,10 @@ sub run_cmd {
open (my $out, '-|', $cmd_to_run . ' 2>&1')
or die "Can't run command \"$cmd_to_run\": $!";
my @cmd_out = <$out>;
-
+
# if command suceeds to do nothing.
return if (close ($out));
-
+
foreach my $line (@cmd_out) {
chomp $line;
syslog(LOG_INFO, "%s", $line);
@@ -521,7 +521,7 @@ sub update_rules {
} elsif ($nodes{$name} eq 'changed') {
log_msg "$tree $name = changed";
#check for prefix length, iptables permits 29 as --log-prefix
- my $test = $config->exists('enable-default-log');
+ my $test = $config->exists('enable-default-log');
if (!($test)) {
if (($policy_log) and (length ($name) > 19)) {
my $action_char = uc(substr($policy, 0, 1));
@@ -712,7 +712,7 @@ sub update_ints {
print STDERR 'Firewall config error: ' .
"\"Modify\" rule set \"$chain\" cannot be used for " .
"\"local\"\n";
-
+
exit 1;
}
@@ -849,6 +849,17 @@ sub teardown_iptables {
run_cmd("$iptables_cmd -t $table -X $FW_LOCAL_HOOK", 1);
}
}
+
+ # remove policy routing sub rules
+ if ($table eq 'mangle') {
+ for (my $i = 1; $i <= 250; $i++) {
+ run_cmd("$iptables_cmd -t $table -D VYATTA_PBR_$i 2", 1);
+ run_cmd("$iptables_cmd -t $table -D VYATTA_PBR_$i 1", 1);
+ run_cmd("$iptables_cmd -t $table -F VYATTA_PBR_$i", 1);
+ run_cmd("$iptables_cmd -t $table -X VYATTA_PBR_$i", 1);
+ }
+ }
+
}
sub setup_iptables {
@@ -884,6 +895,16 @@ sub setup_iptables {
log_msg "FW_CONNTRACK exists $cnt";
}
+ # setup policy routing sub rules
+ if ($table eq 'mangle') {
+ for (my $i = 1; $i <= 250; $i++) {
+ my $mark = $i + 0x7FFFFFFF;
+ run_cmd("$iptables_cmd -t $table -N VYATTA_PBR_$i", 1);
+ run_cmd("$iptables_cmd -t $table -I VYATTA_PBR_$i 1 -j MARK --set-mark $mark", 1);
+ run_cmd("$iptables_cmd -t $table -I VYATTA_PBR_$i 2 -j ACCEPT", 1);
+ }
+ }
+
return 0;
}
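Review bot: In the teardown_iptables hunk the two `-D VYATTA_PBR_$i 2` and `-D VYATTA_PBR_$i 1` calls are redundant with the `-F VYATTA_PBR_$i` that follows, since flush already removes every rule in the chain, so the loop spawns 500 extra iptables processes through run_cmd's shell pipe for no effect; dropping the two `-D` lines leaves the behaviour unchanged (unless run_cmd's second argument does something beyond error suppression, which is not visible here). The bound 250 is hard-coded in both this loop and the setup_iptables loop, and it is also the implicit limit on the `VYATTA_PBR_` chain names Rule.pm now jumps to, so a single `my $MAX_PBR_TABLE = 250;` near the other file-level constants would keep the three in step. Prefer `for my $i (1 .. 250)` over the C-style loop in both hunks. Note that `-X VYATTA_PBR_$i` can only succeed once no rule elsewhere still jumps to that chain, which presumably holds by the time this runs; a one-line comment stating that ordering assumption would help the next reader.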
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/set/dscp/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/dscp/node.def
index 3ed8f0d..dde50d5 100644..100755
--- a/templates/policy/ipv6-route/node.tag/rule/node.tag/set/dscp/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/dscp/node.def
@@ -1,4 +1,5 @@
type: u32
+val_help: u32:0-63 ; DSCP number
help: Packet Differentiated Services Codepoint (DSCP)
syntax:expression: $VAR(@) >= 0 && $VAR(@) < 64;
"DSCP must be between 0 and 63"
diff --git a/templates/policy/route/node.tag/rule/node.tag/set/dscp/node.def b/templates/policy/route/node.tag/rule/node.tag/set/dscp/node.def
index 3ed8f0d..dde50d5 100644..100755
--- a/templates/policy/route/node.tag/rule/node.tag/set/dscp/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/set/dscp/node.def
@@ -1,4 +1,5 @@
type: u32
+val_help: u32:0-63 ; DSCP number
help: Packet Differentiated Services Codepoint (DSCP)
syntax:expression: $VAR(@) >= 0 && $VAR(@) < 64;
"DSCP must be between 0 and 63"