diff options
author | Robert Bays <robert@vyatta.com> | 2012-07-06 17:05:07 -0700 |
---|---|---|
committer | Robert Bays <robert@vyatta.com> | 2012-09-03 10:20:25 -0700 |
commit | c353904cdb9faf701973d32aaa6748ea97a2f797 (patch) | |
tree | 38bc271af0956dfaa51c18394bacddc3b4beef72 | |
parent | 0532b78f0f0b58f75714145642ab7e8dd2a2117b (diff) | |
download | vyatta-cfg-firewall-c353904cdb9faf701973d32aaa6748ea97a2f797.tar.gz vyatta-cfg-firewall-c353904cdb9faf701973d32aaa6748ea97a2f797.zip |
populate firewall policy tables based on refcount
-rwxr-xr-x | scripts/firewall/vyatta-firewall.pl | 38 |
1 files changed, 15 insertions, 23 deletions
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl index ee4d209..52816b7 100755 --- a/scripts/firewall/vyatta-firewall.pl +++ b/scripts/firewall/vyatta-firewall.pl @@ -363,6 +363,9 @@ sub add_route_table { if ($table_count < 1) { my $mark = 0x7FFFFFFF + $table; system("ip rule add pref $table fwmark $mark table $table"); + run_cmd("iptables -t mangle -N VYATTA_PBR_$table", 1); + run_cmd("iptables -t mangle -I VYATTA_PBR_$table 1 -j MARK --set-mark $mark", 1); + run_cmd("iptables -t mangle -I VYATTA_PBR_$table 2 -j ACCEPT", 1); } write_refcnt_file($policy_ref_file, @newlines); @@ -374,7 +377,7 @@ sub remove_route_table { my @newlines = (); my @lines = read_refcnt_file($policy_ref_file); - log_msg("add_route_table: $rule, $table"); + log_msg("remove_route_table: $rule, $table"); foreach my $line (@lines) { my @tokens = split(/ /, $line); if ($tokens[0] =~ m/$table:(\d+)/) { @@ -391,6 +394,10 @@ sub remove_route_table { if ($ref < 1) { my $mark = 0x7FFFFFFF + $table; system("ip rule del pref $table fwmark $mark table $table"); + run_cmd("iptables -t mangle -D VYATTA_PBR_$table 2", 1); + run_cmd("iptables -t mangle -D VYATTA_PBR_$table 1", 1); + run_cmd("iptables -t mangle -F VYATTA_PBR_$table", 1); + run_cmd("iptables -t mangle -X VYATTA_PBR_$table", 1); } } @@ -430,9 +437,15 @@ sub flush_route_table { if ($tref < 1) { my $mark = 0x7FFFFFFF + $table; system("ip rule del pref $table fwmark $mark table $table"); + run_cmd("iptables -t mangle -D VYATTA_PBR_$table 2", 1); + run_cmd("iptables -t mangle -D VYATTA_PBR_$table 1", 1); + run_cmd("iptables -t mangle -F VYATTA_PBR_$table", 1); + run_cmd("iptables -t mangle -X VYATTA_PBR_$table", 1); } - push(@newlines, join(" ", @tokens)); + if ($tref > 0) { + push(@newlines, join(" ", @tokens)); + } } write_refcnt_file($policy_ref_file, @newlines); @@ -849,17 +862,6 @@ sub teardown_iptables { run_cmd("$iptables_cmd -t $table -X $FW_LOCAL_HOOK", 1); } } - - # remove policy routing sub rules - if ($table eq 'mangle') { - for (my $i = 1; $i <= 250; $i++) { - run_cmd("$iptables_cmd -t $table -D VYATTA_PBR_$i 2", 1); - run_cmd("$iptables_cmd -t $table -D VYATTA_PBR_$i 1", 1); - run_cmd("$iptables_cmd -t $table -F VYATTA_PBR_$i", 1); - run_cmd("$iptables_cmd -t $table -X VYATTA_PBR_$i", 1); - } - } - } sub setup_iptables { @@ -895,16 +897,6 @@ sub setup_iptables { log_msg "FW_CONNTRACK exists $cnt"; } - # setup policy routing sub rules - if ($table eq 'mangle') { - for (my $i = 1; $i <= 250; $i++) { - my $mark = $i + 0x7FFFFFFF; - run_cmd("$iptables_cmd -t $table -N VYATTA_PBR_$i", 1); - run_cmd("$iptables_cmd -t $table -I VYATTA_PBR_$i 1 -j MARK --set-mark $mark", 1); - run_cmd("$iptables_cmd -t $table -I VYATTA_PBR_$i 2 -j ACCEPT", 1); - } - } - return 0; } |