authorAn-Cheng Huang <ancheng@vyatta.com>2011-05-03 17:28:08 +0800
committerAn-Cheng Huang <ancheng@vyatta.com>2011-05-03 17:28:08 +0800
commit22d37f427054b52bd724c17d9656bca6dee7d3c5 (patch)
tree656383e504a44572561e93a93898f31409886423 /lib/Vyatta/IpTables
parent6ce1a694e899ee9b99fd3ab55a6a156b6d76b91b (diff)
modify firewall groups to work with new commitnapa-dev
Diffstat (limited to 'lib/Vyatta/IpTables')
-rwxr-xr-xlib/Vyatta/IpTables/IpSet.pm37
1 files changed, 28 insertions, 9 deletions
diff --git a/lib/Vyatta/IpTables/IpSet.pm b/lib/Vyatta/IpTables/IpSet.pm
index 703a3ac..607333c 100755
--- a/lib/Vyatta/IpTables/IpSet.pm
+++ b/lib/Vyatta/IpTables/IpSet.pm
@@ -40,7 +40,7 @@ my %fields = (
_debug => undef,
);
-my %grouptype_hash = (
+our %grouptype_hash = (
'address' => 'hash:ip',
'network' => 'hash:net',
'port' => 'bitmap:port'
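Review bot: Changing `my %grouptype_hash` to `our %grouptype_hash` makes the type-to-ipset-argument table a package global that any other package can modify, and its values are interpolated straight into the `ipset` command line later in this file (`my $ipset_param = $grouptype_hash{$self->{_type}};`). If the goal is only to let code outside this module read the table, a read-only accessor that hands back a copy, `sub grouptype_hash { return %grouptype_hash; }`, keeps the lexical private and leaves the set of strings that can reach the command line under this file's control. Presumably the export is needed by the "new commit" code mentioned in the title; that caller is not visible here.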
@@ -175,8 +175,8 @@ sub create {
return "Error: undefined group name" if ! defined $self->{_name};
return "Error: undefined group type" if ! defined $self->{_type};
- return "Error: group [$self->{_name}] already exists" if $self->exists();
-
+ return if $self->exists(); # treat as nop if already exists
+
my $ipset_param = $grouptype_hash{$self->{_type}};
return "Error: invalid group type\n" if ! defined $ipset_param;
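Review bot: The new early return `return if $self->exists(); # treat as nop if already exists` reports success without checking that the existing set has the type this object was built with, so a leftover set of another type (for instance one kept alive by the flush-instead-of-destroy path in `delete`) silently satisfies a `create` for a different group type, and later member additions go to a set of the wrong kind. A guard that compares the existing set's type, as reported by ipset, against `$grouptype_hash{$self->{_type}}` and returns `"Error: group [$self->{_name}] exists with a different type\n"` on mismatch would keep the nop honest; whether such a type lookup already exists elsewhere in the module cannot be seen from this hunk. The comment should also say who relies on the nop, e.g. `# Already present: callers re-create groups on every commit, so this is not an error.` if that is the intent. The body of `create` continues outside the hunk.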
@@ -203,6 +203,14 @@ sub references {
return 0;
}
+sub flush {
+ my ($self) = @_;
+ my $cmd = "ipset flush $self->{_name}";
+ my $rc = $self->run_cmd($cmd);
+ return "Error: call to ipset failed [$rc]" if $rc;
+ return;
+}
+
sub delete {
my ($self) = @_;
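Review bot: `flush` builds its command by interpolating the group name into one string, `my $cmd = "ipset flush $self->{_name}";`, and passes it to `run_cmd`; if `run_cmd` executes that string through a shell, a name containing shell metacharacters turns into command injection, and nothing in this method constrains the name. The existing `ipset -X $self->{_name}` in `delete` has the same shape, so the fix belongs in one place: either let `run_cmd` accept a list and call `$self->run_cmd('ipset', 'flush', $self->{_name})`, or validate `$self->{_name}` once where the object is constructed with an anchored pattern and reject anything else. The names presumably come from the validated CLI config, but that assumption is not enforced here. A header comment is also missing; something like `# Empty the set's members but keep the set defined; returns undef on success, an error string otherwise.` states the contract callers of delete() now depend on.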
@@ -210,7 +218,15 @@ sub delete {
return "Error: group [$self->{_name}] doesn't exists\n" if !$self->exists();
my $refs = $self->references();
- return "Error: group [$self->{_name}] still in use.\n" if $refs != 0;
+ if ($refs > 0) {
+ # still in use
+ if (scalar($self->get_firewall_references(1)) > 0) {
+ # still referenced by config
+ return "Error: group [$self->{_name}] still in use.\n";
+ }
+ # not referenced by config => simultaneous deletes. just do flush.
+ return $self->flush();
+ }
my $cmd = "ipset -X $self->{_name}";
my $rc = $self->run_cmd($cmd);
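Review bot: The new branch `return $self->flush();` gives the caller the same undef-for-success it gets after a real `ipset -X`, yet the set stays defined in the kernel and `exists()` keeps returning true, and the comment `# not referenced by config => simultaneous deletes. just do flush.` does not say so. Suggest `# references() still sees rules using this set while the working config has none, so those rule removals are presumably still pending in this commit; empty the set now and leave destruction to whoever drops the last reference.` The presumption about a later destroy is inferred from the diff, not shown by it; if nothing does destroy the set, empty sets accumulate and, with the new nop in `create`, a later group of the same name but another type would reuse them. The rest of `delete` continues outside the hunk.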
@@ -391,25 +407,28 @@ sub get_description {
}
sub get_firewall_references {
- my ($self) = @_;
-
+ my ($self, $working) = @_;
+ my ($lfunc, $vfunc) = qw(listOrigNodes returnOrigValue);
+ if ($working) {
+ ($lfunc, $vfunc) = qw(listNodes returnValue);
+ }
my @fw_refs = ();
return @fw_refs if ! $self->exists();
my $config = new Vyatta::Config;
foreach my $tree ('name', 'modify') {
my $path = "firewall $tree ";
$config->setLevel($path);
- my @names = $config->listOrigNodes();
+ my @names = $config->$lfunc();
foreach my $name (@names) {
my $name_path = "$path $name rule ";
$config->setLevel($name_path);
- my @rules = $config->listOrigNodes();
+ my @rules = $config->$lfunc();
foreach my $rule (@rules) {
foreach my $dir ('source', 'destination') {
my $rule_path = "$name_path $rule $dir group";
$config->setLevel($rule_path);
my $group_type = "$self->{_type}-group";
- my $value = $config->returnOrigValue($group_type);
+ my $value = $config->$vfunc($group_type);
$value =~ s/^!(.*)$/$1/ if defined $value;
if (defined $value and $self->{_name} eq $value) {
push @fw_refs, "$name-$rule-$dir";