authorAn-Cheng Huang <ancheng@vyatta.com>2008-08-21 09:35:43 -0700
committerAn-Cheng Huang <ancheng@vyatta.com>2008-08-21 09:35:43 -0700
commit9dd0ef94bcafa777fa258f5bc96bd5b2ffda6ce6 (patch)
tree93bf29c218f030166ef8646eeb4421202f6afbd3
parent9e5e9af8af7479eabd51dec7448d320e97497ecc (diff)
downloadvyatta-cfg-firewall-9dd0ef94bcafa777fa258f5bc96bd5b2ffda6ce6.tar.gz
vyatta-cfg-firewall-9dd0ef94bcafa777fa258f5bc96bd5b2ffda6ce6.zip
fix for bug 3604: add fragment matching options
-rw-r--r--scripts/firewall/VyattaIpTablesRule.pm16
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/fragment/match-frag/node.def1
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/fragment/match-non-frag/node.def1
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/fragment/node.def1
4 files changed, 19 insertions, 0 deletions
diff --git a/scripts/firewall/VyattaIpTablesRule.pm b/scripts/firewall/VyattaIpTablesRule.pm
index df28872..9ccee2f 100644
--- a/scripts/firewall/VyattaIpTablesRule.pm
+++ b/scripts/firewall/VyattaIpTablesRule.pm
@@ -24,6 +24,8 @@ my %fields = (
_mod_dscp => undef,
_ipsec => undef,
_non_ipsec => undef,
+ _frag => undef,
+ _non_frag => undef,
_recent_time => undef,
_recent_cnt => undef,
);
@@ -45,6 +47,8 @@ my %dummy_rule = (
_mod_dscp => undef,
_ipsec => undef,
_non_ipsec => undef,
+ _frag => undef,
+ _non_frag => undef,
_recent_time => undef,
_recent_cnt => undef,
);
@@ -91,6 +95,8 @@ sub setup {
$self->{_mod_dscp} = $config->returnValue("modify dscp");
$self->{_ipsec} = $config->exists("ipsec match-ipsec");
$self->{_non_ipsec} = $config->exists("ipsec match-none");
+ $self->{_frag} = $config->exists("fragment match-frag");
+ $self->{_non_frag} = $config->exists("fragment match-non-frag");
$self->{_recent_time} = $config->returnValue('recent time');
$self->{_recent_cnt} = $config->returnValue('recent count');
@@ -126,6 +132,8 @@ sub setupOrig {
$self->{_mod_dscp} = $config->returnOrigValue("modify dscp");
$self->{_ipsec} = $config->existsOrig("ipsec match-ipsec");
$self->{_non_ipsec} = $config->existsOrig("ipsec match-none");
+ $self->{_frag} = $config->existsOrig("fragment match-frag");
+ $self->{_non_frag} = $config->existsOrig("fragment match-non-frag");
$self->{_recent_time} = $config->returnOrigValue('recent time');
$self->{_recent_cnt} = $config->returnOrigValue('recent count');
@@ -248,6 +256,14 @@ sub rule {
}
$rule .= " $srcrule $dstrule ";
+ return ('Cannot specify both "match-frag" and "match-non-frag"', )
+ if (defined($self->{_frag}) && defined($self->{_non_frag}));
+ if (defined($self->{_frag})) {
+ $rule .= ' -f ';
+ } elsif (defined($self->{_non_frag})) {
+ $rule .= ' ! -f ';
+ }
+
# note: "out" is not valid in the INPUT chain.
return ('Cannot specify both "match-ipsec" and "match-none"', )
if (defined($self->{_ipsec}) && defined($self->{_non_ipsec}));
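Review bot: The `-f` appended at `$rule .= ' -f ';` selects only second-and-later fragments, and per iptables(8) those carry no transport header, so a rule that also matches ports or an ICMP type (the `$srcrule`/`$dstrule` built before this hunk, or protocol options elsewhere in the sub) will silently never match; nothing in the hunk warns the operator about that combination. A why-comment above the branch would prevent that footgun, e.g. `# -f: 2nd+ fragments only; they have no L4 header, so port/ICMP-type matches in the same rule never fire (iptables(8))`. The mutual-exclusion check mirrors the ipsec check that follows, but the three new node.def files carry only help text, so both `match-frag` and `match-non-frag` can be set and the conflict is presumably only reported when the rule is rendered — template-level validation or a hint in the help text would surface it earlier. `sub rule` starts and ends outside this hunk.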
diff --git a/templates/firewall/name/node.tag/rule/node.tag/fragment/match-frag/node.def b/templates/firewall/name/node.tag/rule/node.tag/fragment/match-frag/node.def
new file mode 100644
index 0000000..75338e3
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/fragment/match-frag/node.def
@@ -0,0 +1 @@
+help: Match second and further fragments of fragmented packets
diff --git a/templates/firewall/name/node.tag/rule/node.tag/fragment/match-non-frag/node.def b/templates/firewall/name/node.tag/rule/node.tag/fragment/match-non-frag/node.def
new file mode 100644
index 0000000..3105271
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/fragment/match-non-frag/node.def
@@ -0,0 +1 @@
+help: Match head fragments or unfragmented packets
diff --git a/templates/firewall/name/node.tag/rule/node.tag/fragment/node.def b/templates/firewall/name/node.tag/rule/node.tag/fragment/node.def
new file mode 100644
index 0000000..c532d49
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/fragment/node.def
@@ -0,0 +1 @@
+help: Set IP fragment matching