authorrbalocca <rbalocca@vyatta.com>2008-04-21 16:31:27 -0700
committerrbalocca <rbalocca@vyatta.com>2008-04-21 16:31:27 -0700
commit2e5c8068ba4d4868c8527d68699b958bdd83e91e (patch)
treed2fb56b7647a2fa1fd40eb471e8d2fe13b8ef159
parent83a366af37994c074a8cb2b296db34085b3c8cb0 (diff)
parent633d7559cc9acef41ebbf8ac2b49c2fb522fdce2 (diff)
Merge branch 'glendale' into hollywood
-rw-r--r--debian/changelog28
-rw-r--r--scripts/firewall/VyattaIpTablesRule.pm6
-rwxr-xr-xscripts/firewall/vyatta-firewall.pl27
3 files changed, 49 insertions, 12 deletions
diff --git a/debian/changelog b/debian/changelog
index 32c601d..c06f47c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,31 @@
+vyatta-cfg-firewall (0.6) unstable; urgency=low
+
+ VC4.0.2
+ [ Mark O'Brien ]
+
+
+ [ An-Cheng Huang ]
+ * fix for bug 3167: get the actual return status from iptables.
+ * fix for bug 3167: disallow multiport specification if both source
+ and
+
+ [ Mark O'Brien ]
+
+ -- Mark O'Brien <mobrien@vyatta.com> Sat, 19 Apr 2008 11:55:56 -0700
+
+vyatta-cfg-firewall (0.5) unstable; urgency=low
+
+ VC4.0.2 release candidate
+ [ Mark O'Brien ]
+
+
+ [ An-Cheng Huang ]
+ * fix for bug 3127: look for an exact match to replace/delete.
+
+ [ Mark O'Brien ]
+
+ -- Mark O'Brien <mobrien@vyatta.com> Wed, 16 Apr 2008 09:49:51 -0700
+
vyatta-cfg-firewall (0.4) unstable; urgency=low
3.0.2
diff --git a/scripts/firewall/VyattaIpTablesRule.pm b/scripts/firewall/VyattaIpTablesRule.pm
index c2174c4..a4ec902 100644
--- a/scripts/firewall/VyattaIpTablesRule.pm
+++ b/scripts/firewall/VyattaIpTablesRule.pm
@@ -210,6 +210,12 @@ sub rule {
return ($err_str, ) if (!defined($srcrule));
($dstrule, $err_str) = $dst->rule();
return ($err_str, ) if (!defined($dstrule));
+ if ((grep /multiport/, $srcrule) || (grep /multiport/, $dstrule)) {
+ if ((grep /sport/, $srcrule) && (grep /dport/, $dstrule)) {
+ return ('Cannot specify multiple ports when both '
+ . 'source and destination ports are specified', );
+ }
+ }
$rule .= " $srcrule $dstrule ";
my $chain = $self->{_name};
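Review bot: The added multiport check runs `grep` over a single scalar (`grep /multiport/, $srcrule`), which only works because grep treats the scalar as a one-element list; a direct match says the same thing without the list-context detour, `if ($srcrule =~ /multiport/ || $dstrule =~ /multiport/) {` and `if ($srcrule =~ /sport/ && $dstrule =~ /dport/) {`. The check also keys off substrings of the rendered iptables text rather than the source/destination objects, so it presumably depends on `$src->rule()` always emitting `sport` and `$dst->rule()` always emitting `dport`; a one-line comment stating that assumption next to the check would help the next maintainer. The `rule` sub starts and ends outside the hunk.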
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl
index 299a1e1..e01f30c 100755
--- a/scripts/firewall/vyatta-firewall.pl
+++ b/scripts/firewall/vyatta-firewall.pl
@@ -141,8 +141,8 @@ sub update_rules() {
last;
}
system ("$logger Running: iptables --insert $name $iptablesrule $_");
- system ("iptables --insert $name $iptablesrule $_ 2>&1 | $logger") == 0
- || die "iptables error: $? - $_\n";
+ system ("iptables --insert $name $iptablesrule $_");
+ die "iptables error: $! - $_" if ($? >> 8);
$iptablesrule++;
}
} elsif ("$rulehash{$rule}" eq "changed") {
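Review bot: The new `die "iptables error: $! - $_" if ($? >> 8);` reports `$!`, but after `system` returns a nonzero exit status `$!` is not set by that failure and will print whatever stale errno happens to be there; `$!` is only meaningful when `$? == -1` (the command could not be launched at all), and the exit status the commit set out to capture is `$? >> 8`. The guard `$? >> 8` is also zero when iptables is killed by a signal, so that case is treated as success; testing `$?` as a whole covers both, e.g. `die "iptables error: $? - $_" if ($? != 0);` (and a `$? == -1` branch is the place to print `$!`). The same pattern appears in the three following hunks of this file, in the `--new-chain` hunk, and the `exit 1 if ($? >> 8);` context line in the update_ints hunk shares the signal blind spot. Since the `2>&1 | $logger` pipe is gone, iptables' own diagnostics now go to the script's stderr only; if that is the intent it deserves a one-line comment. `update_rules` starts and ends outside the hunk.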
@@ -164,8 +164,8 @@ sub update_rules() {
my $ipt_rules = $oldnode->get_num_ipt_rules();
for (1 .. $ipt_rules) {
system ("$logger Running: iptables --delete $name $iptablesrule");
- system ("iptables --delete $name $iptablesrule 2>&1 | $logger") == 0
- || die "iptables error: $? - $rule\n";
+ system ("iptables --delete $name $iptablesrule");
+ die "iptables error: $! - $rule" if ($? >> 8);
}
foreach (@rule_strs) {
@@ -173,8 +173,8 @@ sub update_rules() {
last;
}
system ("$logger Running: iptables --insert $name $iptablesrule $_");
- system ("iptables --insert $name $iptablesrule $_ 2>&1 | $logger") == 0
- || die "iptables error: $? - $rule_str\n";
+ system ("iptables --insert $name $iptablesrule $_");
+ die "iptables error: $! - $rule_str" if ($? >> 8);
$iptablesrule++;
}
} elsif ("$rulehash{$rule}" eq "deleted") {
@@ -184,8 +184,8 @@ sub update_rules() {
my $ipt_rules = $node->get_num_ipt_rules();
for (1 .. $ipt_rules) {
system ("$logger Running: iptables --delete $name $iptablesrule");
- system ("iptables --delete $name $iptablesrule 2>&1 | $logger") == 0
- || die "iptables error: $? - $rule\n";
+ system ("iptables --delete $name $iptablesrule");
+ die "iptables error: $! - $rule" if ($? >> 8);
}
}
}
@@ -285,7 +285,7 @@ sub update_ints() {
}
system ("$logger Running: iptables $cmd");
- system("iptables $cmd 2>&1 | $logger");
+ system("iptables $cmd");
exit 1 if ($? >> 8);
if ($action eq 'replace' || $action eq 'delete') {
@@ -366,7 +366,8 @@ sub setup_chain($) {
$_ = $configured;
if (!/^Chain $chain/) {
- system("iptables --new-chain $chain 2>&1 | $logger") == 0 || die "iptables error: $chain --new-chain: $?\n";
+ system("iptables --new-chain $chain");
+ die "iptables error: $chain --new-chain: $!" if ($? >> 8);
add_default_drop_rule($chain);
}
}
@@ -387,9 +388,11 @@ sub delete_chain($) {
my $configured = `iptables -n -L $chain 2>&1 | head -1`;
if ($configured =~ /^Chain $chain/) {
- system("iptables --flush $chain 2>&1 | $logger") == 0 || die "iptables error: $chain --flush: $?\n";
+ system("iptables --flush $chain");
+ die "iptables error: $chain --flush: $!" if ($? >> 8);
if (!chain_referenced($chain)) {
- system("iptables --delete-chain $chain 2>&1 | $logger") == 0 || die "iptables error: $chain --delete-chain: $?\n";
+ system("iptables --delete-chain $chain");
+ die "iptables error: $chain --delete-chain: $!" if ($? >> 8);
} else {
add_default_drop_rule($chain);
}