authorRobert Bays <robert@vyatta.com>2012-07-06 17:05:07 -0700
committerRobert Bays <robert@vyatta.com>2012-09-03 10:20:25 -0700
commitc353904cdb9faf701973d32aaa6748ea97a2f797 (patch)
tree38bc271af0956dfaa51c18394bacddc3b4beef72
parent0532b78f0f0b58f75714145642ab7e8dd2a2117b (diff)
downloadvyatta-cfg-firewall-c353904cdb9faf701973d32aaa6748ea97a2f797.tar.gz
vyatta-cfg-firewall-c353904cdb9faf701973d32aaa6748ea97a2f797.zip
populate firewall policy tables based on refcount
-rwxr-xr-xscripts/firewall/vyatta-firewall.pl38
1 files changed, 15 insertions, 23 deletions
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl
index ee4d209..52816b7 100755
--- a/scripts/firewall/vyatta-firewall.pl
+++ b/scripts/firewall/vyatta-firewall.pl
@@ -363,6 +363,9 @@ sub add_route_table {
if ($table_count < 1) {
my $mark = 0x7FFFFFFF + $table;
system("ip rule add pref $table fwmark $mark table $table");
+ run_cmd("iptables -t mangle -N VYATTA_PBR_$table", 1);
+ run_cmd("iptables -t mangle -I VYATTA_PBR_$table 1 -j MARK --set-mark $mark", 1);
+ run_cmd("iptables -t mangle -I VYATTA_PBR_$table 2 -j ACCEPT", 1);
}
write_refcnt_file($policy_ref_file, @newlines);
@@ -374,7 +377,7 @@ sub remove_route_table {
my @newlines = ();
my @lines = read_refcnt_file($policy_ref_file);
- log_msg("add_route_table: $rule, $table");
+ log_msg("remove_route_table: $rule, $table");
foreach my $line (@lines) {
my @tokens = split(/ /, $line);
if ($tokens[0] =~ m/$table:(\d+)/) {
@@ -391,6 +394,10 @@ sub remove_route_table {
if ($ref < 1) {
my $mark = 0x7FFFFFFF + $table;
system("ip rule del pref $table fwmark $mark table $table");
+ run_cmd("iptables -t mangle -D VYATTA_PBR_$table 2", 1);
+ run_cmd("iptables -t mangle -D VYATTA_PBR_$table 1", 1);
+ run_cmd("iptables -t mangle -F VYATTA_PBR_$table", 1);
+ run_cmd("iptables -t mangle -X VYATTA_PBR_$table", 1);
}
}
@@ -430,9 +437,15 @@ sub flush_route_table {
if ($tref < 1) {
my $mark = 0x7FFFFFFF + $table;
system("ip rule del pref $table fwmark $mark table $table");
+ run_cmd("iptables -t mangle -D VYATTA_PBR_$table 2", 1);
+ run_cmd("iptables -t mangle -D VYATTA_PBR_$table 1", 1);
+ run_cmd("iptables -t mangle -F VYATTA_PBR_$table", 1);
+ run_cmd("iptables -t mangle -X VYATTA_PBR_$table", 1);
}
- push(@newlines, join(" ", @tokens));
+ if ($tref > 0) {
+ push(@newlines, join(" ", @tokens));
+ }
}
write_refcnt_file($policy_ref_file, @newlines);
@@ -849,17 +862,6 @@ sub teardown_iptables {
run_cmd("$iptables_cmd -t $table -X $FW_LOCAL_HOOK", 1);
}
}
-
- # remove policy routing sub rules
- if ($table eq 'mangle') {
- for (my $i = 1; $i <= 250; $i++) {
- run_cmd("$iptables_cmd -t $table -D VYATTA_PBR_$i 2", 1);
- run_cmd("$iptables_cmd -t $table -D VYATTA_PBR_$i 1", 1);
- run_cmd("$iptables_cmd -t $table -F VYATTA_PBR_$i", 1);
- run_cmd("$iptables_cmd -t $table -X VYATTA_PBR_$i", 1);
- }
- }
-
}
sub setup_iptables {
@@ -895,16 +897,6 @@ sub setup_iptables {
log_msg "FW_CONNTRACK exists $cnt";
}
- # setup policy routing sub rules
- if ($table eq 'mangle') {
- for (my $i = 1; $i <= 250; $i++) {
- my $mark = $i + 0x7FFFFFFF;
- run_cmd("$iptables_cmd -t $table -N VYATTA_PBR_$i", 1);
- run_cmd("$iptables_cmd -t $table -I VYATTA_PBR_$i 1 -j MARK --set-mark $mark", 1);
- run_cmd("$iptables_cmd -t $table -I VYATTA_PBR_$i 2 -j ACCEPT", 1);
- }
- }
-
return 0;
}
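Review bot: Chain creation in the add_route_table hunk (the three new run_cmd lines after `system("ip rule add ...")`) is not idempotent: `-N` on a chain that already exists fails — apparently suppressed by the second run_cmd argument — but the following `-I ... 1` and `-I ... 2` inserts still run, so a stale VYATTA_PBR_$table chain accumulates duplicate MARK/ACCEPT rules every time the table's refcount drops to zero and comes back. Stale chains are now possible because teardown_iptables no longer removes VYATTA_PBR_* (the block deleted in that hunk) and removal depends solely on the refcount file, which write_refcnt_file updates only after the unchecked `system`/run_cmd calls have run. Flushing right after creating makes the sequence converge on the intended two rules regardless of prior state: `run_cmd("iptables -t mangle -F VYATTA_PBR_$table", 1);` inserted between the `-N` and the first `-I`. The same four-command removal sequence is duplicated verbatim in the remove_route_table and flush_route_table hunks (and the `-D 2`/`-D 1` there are redundant with the `-F` that follows), so a small `_delete_pbr_chain($table)` helper would keep the two paths in step. `$table` is interpolated straight into the iptables and ip command strings, so this relies on it already being validated as a small integer by the caller — worth a `$table =~ m/\A\d+\z/xms or die "bad table: $table"` guard at the top of these functions if that is not guaranteed; all the enclosing subs start outside their hunks.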