summaryrefslogtreecommitdiff
path: root/lib/Vyatta/IpTables
diff options
context:
space:
mode:
authorStig Thormodsrud <stig@vyatta.com>2010-10-14 14:10:11 -0700
committerStig Thormodsrud <stig@vyatta.com>2010-10-14 14:10:11 -0700
commit97a8e6281bdd0ccdd243fc7e5a8f8104c5c36975 (patch)
treeec6df7625c56c1bad09bf47f26ddd61d8d797d61 /lib/Vyatta/IpTables
parent3053d2ccf0099b122105759fd0cdb82357e25984 (diff)
downloadvyatta-cfg-firewall-97a8e6281bdd0ccdd243fc7e5a8f8104c5c36975.tar.gz
vyatta-cfg-firewall-97a8e6281bdd0ccdd243fc7e5a8f8104c5c36975.zip
Add Iptables::Mgr route to get queue target.
Diffstat (limited to 'lib/Vyatta/IpTables')
-rwxr-xr-xlib/Vyatta/IpTables/Mgr.pm14
-rwxr-xr-xlib/Vyatta/IpTables/Rule.pm5
2 files changed, 17 insertions, 2 deletions
diff --git a/lib/Vyatta/IpTables/Mgr.pm b/lib/Vyatta/IpTables/Mgr.pm
index 678fb39..6452540 100755
--- a/lib/Vyatta/IpTables/Mgr.pm
+++ b/lib/Vyatta/IpTables/Mgr.pm
@@ -30,7 +30,7 @@ use warnings;
use base 'Exporter';
our @EXPORT = qw(ipt_find_chain_rule ipt_enable_conntrack
ipt_disable_conntrack count_iptables_rules
- chain_referenced);
+ chain_referenced ipt_get_queue_target);
sub ipt_find_chain_rule {
@@ -105,6 +105,18 @@ sub ipt_disable_conntrack {
return 0;
}
+my %queue_target_hash =
+ ('SNORT' => 'NFQUEUE --queue-num 0',
+ 'VG_HTTPS' => 'NFQUEUE --queue-num 1',
+ );
+
+sub ipt_get_queue_target {
+ my ($app) = @_;
+
+ my $target = $queue_target_hash{$app};
+ return $target;
+}
+
sub count_iptables_rules {
my ($command, $table, $chain) = @_;
my @lines = `sudo $command -t $table -L $chain -n --line`;
diff --git a/lib/Vyatta/IpTables/Rule.pm b/lib/Vyatta/IpTables/Rule.pm
index 7b6c82b..e190a46 100755
--- a/lib/Vyatta/IpTables/Rule.pm
+++ b/lib/Vyatta/IpTables/Rule.pm
@@ -2,6 +2,7 @@ package Vyatta::IpTables::Rule;
use strict;
use Vyatta::Config;
+use Vyatta::IpTables::Mgr;
require Vyatta::IpTables::AddressFilter;
my $src = new Vyatta::IpTables::AddressFilter;
@@ -570,7 +571,9 @@ first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mo
} elsif ("$self->{_action}" eq "reject") {
$rule .= "-j REJECT ";
} elsif ("$self->{_action}" eq 'inspect') {
- $rule .= "-j QUEUE ";
+ my $target = ipt_get_queue_target('SNORT');
+ return ('Undefined target for inspect', ) if ! defined $target;
+ $rule .= "-j $target ";
} elsif ("$self->{_action}" eq 'modify') {
# mangle actions
my $count = 0;