author | An-Cheng Huang <ancheng@vyatta.com> | 2008-08-21 09:35:43 -0700 |
committer | An-Cheng Huang <ancheng@vyatta.com> | 2008-08-21 09:35:43 -0700 |
commit | 9dd0ef94bcafa777fa258f5bc96bd5b2ffda6ce6 (patch) | |
tree | 93bf29c218f030166ef8646eeb4421202f6afbd3 | |
parent | 9e5e9af8af7479eabd51dec7448d320e97497ecc (diff) | |
fix for bug 3604: add fragment matching options
4 files changed, 19 insertions, 0 deletions
diff --git a/scripts/firewall/VyattaIpTablesRule.pm b/scripts/firewall/VyattaIpTablesRule.pm
index df28872..9ccee2f 100644
--- a/scripts/firewall/VyattaIpTablesRule.pm
+++ b/scripts/firewall/VyattaIpTablesRule.pm
@@ -24,6 +24,8 @@ my %fields = (
 _mod_dscp => undef,
 _ipsec => undef,
 _non_ipsec => undef,
+ _frag => undef,
+ _non_frag => undef,
 _recent_time => undef,
 _recent_cnt => undef,
 );
@@ -45,6 +47,8 @@ my %dummy_rule = (
 _mod_dscp => undef,
 _ipsec => undef,
 _non_ipsec => undef,
+ _frag => undef,
+ _non_frag => undef,
 _recent_time => undef,
 _recent_cnt => undef,
 );
@@ -91,6 +95,8 @@ sub setup {
 $self->{_mod_dscp} = $config->returnValue("modify dscp");
 $self->{_ipsec} = $config->exists("ipsec match-ipsec");
 $self->{_non_ipsec} = $config->exists("ipsec match-none");
+ $self->{_frag} = $config->exists("fragment match-frag");
+ $self->{_non_frag} = $config->exists("fragment match-non-frag");
 $self->{_recent_time} = $config->returnValue('recent time');
 $self->{_recent_cnt} = $config->returnValue('recent count');
@@ -126,6 +132,8 @@ sub setupOrig {
 $self->{_mod_dscp} = $config->returnOrigValue("modify dscp");
 $self->{_ipsec} = $config->existsOrig("ipsec match-ipsec");
 $self->{_non_ipsec} = $config->existsOrig("ipsec match-none");
+ $self->{_frag} = $config->existsOrig("fragment match-frag");
+ $self->{_non_frag} = $config->existsOrig("fragment match-non-frag");
 $self->{_recent_time} = $config->returnOrigValue('recent time');
 $self->{_recent_cnt} = $config->returnOrigValue('recent count');
@@ -248,6 +256,14 @@ sub rule {
 }
 $rule .= " $srcrule $dstrule ";
+ return ('Cannot specify both "match-frag" and "match-non-frag"', )
+ if (defined($self->{_frag}) && defined($self->{_non_frag}));
+ if (defined($self->{_frag})) {
+ $rule .= ' -f ';
+ } elsif (defined($self->{_non_frag})) {
+ $rule .= ' ! -f ';
+ }
+
 # note: "out" is not valid in the INPUT chain.
 return ('Cannot specify both "match-ipsec" and "match-none"', )
 if (defined($self->{_ipsec}) && defined($self->{_non_ipsec}));
diff --git a/templates/firewall/name/node.tag/rule/node.tag/fragment/match-frag/node.def b/templates/firewall/name/node.tag/rule/node.tag/fragment/match-frag/node.def
new file mode 100644
index 0000000..75338e3
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/fragment/match-frag/node.def
@@ -0,0 +1 @@
+help: Match second and further fragments of fragmented packets
diff --git a/templates/firewall/name/node.tag/rule/node.tag/fragment/match-non-frag/node.def b/templates/firewall/name/node.tag/rule/node.tag/fragment/match-non-frag/node.def
new file mode 100644
index 0000000..3105271
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/fragment/match-non-frag/node.def
@@ -0,0 +1 @@
+help: Match head fragments or unfragmented packets
diff --git a/templates/firewall/name/node.tag/rule/node.tag/fragment/node.def b/templates/firewall/name/node.tag/rule/node.tag/fragment/node.def
new file mode 100644
index 0000000..c532d49
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/fragment/node.def
@@ -0,0 +1 @@
+help: Set IP fragment matching
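Review bot: The new `-f` / `! -f` branch in `rule()` has a silent-failure mode that the added mutual-exclusion check does not cover: iptables `-f` selects only second and later fragments, which carry no transport header, so (if I recall the tcp/udp match modules correctly) a rule that combines match-frag with a port or TCP-flag match can never fire, and an administrator may believe a drop rule is in effect when it is not. Consider returning an error from `rule()` for that combination, in the same style as the new `return ('Cannot specify both "match-frag" and "match-non-frag"', )`, or at minimum a comment above the new `if (defined($self->{_frag})) {` such as `# note: "-f" selects non-first fragments only; they carry no L4 header, so port/flag matches in the same rule never match.` The body of `sub rule` starts and ends outside this hunk, so whether the protocol/port fields are available at this point cannot be seen here.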