diff options
author | An-Cheng Huang <ancheng@vyatta.com> | 2011-05-03 17:28:08 +0800 |
---|---|---|
committer | An-Cheng Huang <ancheng@vyatta.com> | 2011-05-03 17:28:08 +0800 |
commit | 22d37f427054b52bd724c17d9656bca6dee7d3c5 (patch) | |
tree | 656383e504a44572561e93a93898f31409886423 /lib/Vyatta/IpTables | |
parent | 6ce1a694e899ee9b99fd3ab55a6a156b6d76b91b (diff) | |
download | vyatta-cfg-firewall-22d37f427054b52bd724c17d9656bca6dee7d3c5.tar.gz vyatta-cfg-firewall-22d37f427054b52bd724c17d9656bca6dee7d3c5.zip |
modify firewall groups to work with new commitnapa-dev
Diffstat (limited to 'lib/Vyatta/IpTables')
-rwxr-xr-x | lib/Vyatta/IpTables/IpSet.pm | 37 |
1 files changed, 28 insertions, 9 deletions
diff --git a/lib/Vyatta/IpTables/IpSet.pm b/lib/Vyatta/IpTables/IpSet.pm index 703a3ac..607333c 100755 --- a/lib/Vyatta/IpTables/IpSet.pm +++ b/lib/Vyatta/IpTables/IpSet.pm @@ -40,7 +40,7 @@ my %fields = ( _debug => undef, ); -my %grouptype_hash = ( +our %grouptype_hash = ( 'address' => 'hash:ip', 'network' => 'hash:net', 'port' => 'bitmap:port' @@ -175,8 +175,8 @@ sub create { return "Error: undefined group name" if ! defined $self->{_name}; return "Error: undefined group type" if ! defined $self->{_type}; - return "Error: group [$self->{_name}] already exists" if $self->exists(); - + return if $self->exists(); # treat as nop if already exists + my $ipset_param = $grouptype_hash{$self->{_type}}; return "Error: invalid group type\n" if ! defined $ipset_param; @@ -203,6 +203,14 @@ sub references { return 0; } +sub flush { + my ($self) = @_; + my $cmd = "ipset flush $self->{_name}"; + my $rc = $self->run_cmd($cmd); + return "Error: call to ipset failed [$rc]" if $rc; + return; +} + sub delete { my ($self) = @_; @@ -210,7 +218,15 @@ sub delete { return "Error: group [$self->{_name}] doesn't exists\n" if !$self->exists(); my $refs = $self->references(); - return "Error: group [$self->{_name}] still in use.\n" if $refs != 0; + if ($refs > 0) { + # still in use + if (scalar($self->get_firewall_references(1)) > 0) { + # still referenced by config + return "Error: group [$self->{_name}] still in use.\n"; + } + # not referenced by config => simultaneous deletes. just do flush. + return $self->flush(); + } my $cmd = "ipset -X $self->{_name}"; my $rc = $self->run_cmd($cmd); @@ -391,25 +407,28 @@ sub get_description { } sub get_firewall_references { - my ($self) = @_; - + my ($self, $working) = @_; + my ($lfunc, $vfunc) = qw(listOrigNodes returnOrigValue); + if ($working) { + ($lfunc, $vfunc) = qw(listNodes returnValue); + } my @fw_refs = (); return @fw_refs if ! $self->exists(); my $config = new Vyatta::Config; foreach my $tree ('name', 'modify') { my $path = "firewall $tree "; $config->setLevel($path); - my @names = $config->listOrigNodes(); + my @names = $config->$lfunc(); foreach my $name (@names) { my $name_path = "$path $name rule "; $config->setLevel($name_path); - my @rules = $config->listOrigNodes(); + my @rules = $config->$lfunc(); foreach my $rule (@rules) { foreach my $dir ('source', 'destination') { my $rule_path = "$name_path $rule $dir group"; $config->setLevel($rule_path); my $group_type = "$self->{_type}-group"; - my $value = $config->returnOrigValue($group_type); + my $value = $config->$vfunc($group_type); $value =~ s/^!(.*)$/$1/ if defined $value; if (defined $value and $self->{_name} eq $value) { push @fw_refs, "$name-$rule-$dir"; |