author | Robert Bays <robert@vyatta.com> | 2012-09-05 10:55:36 -0700 |
---|---|---|
committer | Robert Bays <robert@vyatta.com> | 2012-09-05 10:55:36 -0700 |
commit | 91eb3ef4cb9d4cb62d1b56b8daf17bd3845976cb (patch) | |
tree | 80234a54041ff4d619daa5d4ad26794d6aaf2ac8 | |
parent | c353904cdb9faf701973d32aaa6748ea97a2f797 (diff) | |
download | vyatta-cfg-firewall-91eb3ef4cb9d4cb62d1b56b8daf17bd3845976cb.tar.gz vyatta-cfg-firewall-91eb3ef4cb9d4cb62d1b56b8daf17bd3845976cb.zip |
add support for main table
-rwxr-xr-x | lib/Vyatta/IpTables/Rule.pm | 3 | ||||
-rwxr-xr-x | scripts/firewall/vyatta-firewall.pl | 22 | ||||
-rwxr-xr-x[-rw-r--r--] | templates/policy/ipv6-route/node.tag/rule/node.tag/set/table/node.def | 17 | ||||
-rwxr-xr-x[-rw-r--r--] | templates/policy/route/node.tag/rule/node.tag/set/table/node.def | 17 |
4 files changed, 42 insertions, 17 deletions
diff --git a/lib/Vyatta/IpTables/Rule.pm b/lib/Vyatta/IpTables/Rule.pm
index 215ce82..b78c2c2 100755
--- a/lib/Vyatta/IpTables/Rule.pm
+++ b/lib/Vyatta/IpTables/Rule.pm
@@ -174,6 +174,9 @@ sub setup_base {
 $self->{_icmpv6_type} = $config->$val_func("icmpv6 type");
 $self->{_mod_mark} = $config->$val_func("set mark");
 $self->{_mod_table} = $config->$val_func("set table");
+ if ($self->{_mod_table} eq 'main') {
+ $self->{_mod_table} = 254;
+ }
 $self->{_mod_dscp} = $config->$val_func("set dscp");
 $self->{_mod_tcpmss} = $config->$val_func("set tcp-mss");
 $self->{_ipsec} = $config->$exists_func("ipsec match-ipsec");
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl
index 52816b7..b29ded9 100755
--- a/scripts/firewall/vyatta-firewall.pl
+++ b/scripts/firewall/vyatta-firewall.pl
@@ -130,7 +130,7 @@ if ($#updateints == 4) {
 my @zone_interfaces = Vyatta::Zone::get_zone_interfaces("returnValues", $zone);
 if (scalar(grep(/^$int_name$/, @zone_interfaces)) > 0) {
- print STDERR 'Firewall config error: ' .
+ print STDERR 'Configuration error: ' .
 "interface $int_name is defined under zone $zone\n" .
 "Cannot use per interface firewall for a zone interface\n";
 exit 1;
@@ -141,7 +141,7 @@ if ($#updateints == 4) {
 # make sure chain exists
 if (!defined($tree2)) {
 # require chain to be configured in "firewall" first
- print STDERR 'Firewall config error: ' .
+ print STDERR 'Configuration error: ' .
 "Rule set \"$chain\" is not configured\n";
 exit 1;
 }
@@ -331,7 +331,7 @@ sub add_route_table {
 my $table_count = -1;
 my @newlines = ();
 my @lines = read_refcnt_file($policy_ref_file);
-
+ log_msg("add_route_table: $rule, $table");
 foreach my $line (@lines) {
 my @tokens = split(/ /, $line);
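Review bot: The new `eq 'main'` test in setup_base runs for every rule, so when `set table` is not configured `$self->{_mod_table}` is undef and the string comparison raises an "uninitialized value" warning (assuming the module runs under `use warnings`, which the hunk does not show). Guard it: `if (defined $self->{_mod_table} && $self->{_mod_table} eq 'main') {`. The bare literal 254 is the kernel's RT_TABLE_MAIN id; annotate it so the next reader does not have to look it up, e.g. `$self->{_mod_table} = 254;  # 'main' is RT_TABLE_MAIN in the kernel's routing-table ids`. The body of setup_base continues outside the hunk.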
@@ -498,7 +498,7 @@ sub update_rules {
 my $ctree = chain_configured(2, $name, $tree);
 if (defined($ctree)) {
 # chain name must be unique in both trees
- Vyatta::Config::outputError(["firewall",$tree,$name], 'Firewall config error: '
+ Vyatta::Config::outputError([$tree,$name], 'Configuration error: '
 . "Rule set name \"$name\" already used in \"$ctree\"\n");
 exit 1;
 }
@@ -506,7 +506,7 @@ sub update_rules {
 if (($policy_log) and (length ($name) > 19)) {
 my $action_char = uc(substr($policy, 0, 1));
 my $chain_tr = substr($name, 0, 19);
- printf STDERR 'Firewall config warning: '
+ printf STDERR 'Configuration warning: '
 . "default logging prefix will be truncated to \"[$chain_tr-DEFLT-$action_char]\" \n";
 }
 setup_chain($table, "$name", $iptables_cmd, $policy, $policy_log);
@@ -524,7 +524,7 @@ sub update_rules {
 # delete the chain
 if (Vyatta::IpTables::Mgr::chain_referenced($table, $name, $iptables_cmd)) {
 # disallow deleting a chain if it's still referenced
- Vyatta::Config::outputError(["firewall",$tree,$name],'Firewall config error: '
+ Vyatta::Config::outputError([$tree,$name],'Configuration error: '
 . "Cannot delete rule set \"$name\" (still in use)\n");
 exit 1;
 }
@@ -539,7 +539,7 @@ sub update_rules {
 if (($policy_log) and (length ($name) > 19)) {
 my $action_char = uc(substr($policy, 0, 1));
 my $chain_tr = substr($name, 0, 19);
- printf STDERR 'Firewall config warning2: '
+ printf STDERR 'Configuration warning2: '
 . "default logging prefix will be truncated to \"[$chain_tr-DEFLT-$action_char]\" \n";
 }
 }
@@ -591,7 +591,7 @@ sub update_rules {
 delete_chain($table, "$name", $iptables_cmd);
 remove_refcnt($fw_tree_file, "$tree $name");
 }
- Vyatta::Config::outputError(["firewall",$tree,$name],"Firewall config error: $err_str\n");
+ Vyatta::Config::outputError([$tree,$name],"Configuration error: $err_str\n");
 exit 1;
 }
 foreach (@rule_strs) {
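Review bot: The two truncation warnings in update_rules (hunks @@ -506 and @@ -539) still go through `printf STDERR` with a format string that interpolates `$chain_tr`, so a rule-set name containing `%` would be read as a conversion directive rather than printed; the `printf STDERR 'Configuration error: '` line in setup_chain's @@ -961 hunk on the next line has the same shape with `$chain`. Every other message touched by this commit uses `print STDERR`, so change these three to `print STDERR 'Configuration warning: '` (and likewise for warning2 and the setup_chain error) for consistency and to keep user-supplied text out of the format position. Whether chain names are validated elsewhere to exclude `%` is not visible here. The enclosing update_rules body lies mostly outside these hunks.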
@@ -624,7 +624,7 @@ sub update_rules {
 my ($err_str, @rule_strs) = $node->rule();
 if (defined($err_str)) {
- Vyatta::Config::outputError(["firewall",$tree,$name,"rule",$rule],"Firewall config error: $err_str\n");
+ Vyatta::Config::outputError([$tree,$name,"rule",$rule],"Configuration error: $err_str\n");
 exit 1;
 }
@@ -722,7 +722,7 @@ sub update_ints {
 }
 if ($action ne 'delete' && $table eq 'mangle' && $direction =~ /^local/) {
- print STDERR 'Firewall config error: ' .
+ print STDERR 'Configuration error: ' .
 "\"Modify\" rule set \"$chain\" cannot be used for " .
 "\"local\"\n";
@@ -961,7 +961,7 @@ sub setup_chain {
 die "iptables error: $table $chain --new-chain: $!" if ($? >> 8);
 set_default_policy($table, $chain, $iptables_cmd, $policy, $log);
 } else {
- printf STDERR 'Firewall config error: '
+ printf STDERR 'Configuration error: '
 . "Chain \"$chain\" being used in system. Cannot use it as a ruleset name\n";
 exit 1;
 }
diff --git a/templates/policy/ipv6-route/node.tag/rule/node.tag/set/table/node.def b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/table/node.def
index 07a0e91..b404ef9 100644..100755
--- a/templates/policy/ipv6-route/node.tag/rule/node.tag/set/table/node.def
+++ b/templates/policy/ipv6-route/node.tag/rule/node.tag/set/table/node.def
@@ -1,5 +1,16 @@
-type: u32
+type: txt
 help: Routing table to forward packet with
 val_help: u32:1-250 ; Table number
-syntax:expression: $VAR(@) >= 1 && $VAR(@) <= 250;
- "Table must be between 1 and 250"
+val_help: main ; Main table
+syntax:expression: exec "
+ if [[ $VAR(@) =~ ^-?[0-9]+$ ]] ; then
+ if [ $VAR(@) -lt 1 -o $VAR(@) -gt 250 ] ; then
+ echo Table must be between 1-250 or table main
+ exit 1
+ fi
+ else
+ if [[ $VAR(@) != 'main' ]] ; then
+ echo Table must be between 1-250 or table main
+ exit 1
+ fi
+ fi"
diff --git a/templates/policy/route/node.tag/rule/node.tag/set/table/node.def b/templates/policy/route/node.tag/rule/node.tag/set/table/node.def
index 07a0e91..b404ef9 100644..100755
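Review bot: In the new syntax:expression of the ipv6-route table node.def, `$VAR(@)` is expanded textually into a shell script and tested unquoted, so now that the node is `type: txt` a value containing whitespace or shell metacharacters yields a bash parse or `[` usage error instead of the intended "Table must be between 1-250 or table main" message, and `-o` inside `[ ]` is the non-portable test form. The identical script is duplicated in the route/ variant of this node.def on the next line. Both templates can state the rule without a shell round-trip as one pattern expression, `syntax:expression: pattern $VAR(@) "^([1-9][0-9]?|1[0-9][0-9]|2[0-4][0-9]|250|main)$" ; "Table must be between 1-250 or table main"`, which also keeps the accepted set next to the two `val_help` lines. If the exec form is kept, the numeric branch should at least quote the operand and split the test (`[ "$VAR(@)" -lt 1 ] || [ "$VAR(@)" -gt 250 ]`, using whatever inner-quote escaping the template parser accepts) so a stray space fails with the documented message.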
--- a/templates/policy/route/node.tag/rule/node.tag/set/table/node.def
+++ b/templates/policy/route/node.tag/rule/node.tag/set/table/node.def
@@ -1,5 +1,16 @@
-type: u32
+type: txt
 help: Routing table to forward packet with
 val_help: u32:1-250 ; Table number
-syntax:expression: $VAR(@) >= 1 && $VAR(@) <= 250;
- "Table must be between 1 and 250"
+val_help: main ; Main table
+syntax:expression: exec "
+ if [[ $VAR(@) =~ ^-?[0-9]+$ ]] ; then
+ if [ $VAR(@) -lt 1 -o $VAR(@) -gt 250 ] ; then
+ echo Table must be between 1-250 or table main
+ exit 1
+ fi
+ else
+ if [[ $VAR(@) != 'main' ]] ; then
+ echo Table must be between 1-250 or table main
+ exit 1
+ fi
+ fi" |