diff options
author | Mohit Mehta <mohit.mehta@vyatta.com> | 2010-07-13 18:49:55 -0700 |
---|---|---|
committer | Mohit Mehta <mohit.mehta@vyatta.com> | 2010-07-13 18:49:55 -0700 |
commit | 76caaf8d611724e43d2de5e65a3ced27d33cbb7a (patch) | |
tree | ee11baa2506f3d75559f49b188632441dbc9695e /lib/Vyatta | |
parent | 2faab450f91fe7bb727bafdaeee98a09b11f01fb (diff) | |
download | vyatta-cfg-firewall-76caaf8d611724e43d2de5e65a3ced27d33cbb7a.tar.gz vyatta-cfg-firewall-76caaf8d611724e43d2de5e65a3ced27d33cbb7a.zip |
Fix Bug 5744 unable to use firewall group with recent match condition
* use --match-set instead of --set for ipset match
* re-arrange rules when ipset and recent match are used together. instead of
appending recent match conditions to the rule; place them before ipset
match conditions
* add debugging output to look at generated rules
Diffstat (limited to 'lib/Vyatta')
-rwxr-xr-x | lib/Vyatta/IpTables/IpSet.pm | 2 | ||||
-rwxr-xr-x | lib/Vyatta/IpTables/Rule.pm | 47 |
2 files changed, 42 insertions, 7 deletions
diff --git a/lib/Vyatta/IpTables/IpSet.pm b/lib/Vyatta/IpTables/IpSet.pm index f53202c..a8c455e 100755 --- a/lib/Vyatta/IpTables/IpSet.pm +++ b/lib/Vyatta/IpTables/IpSet.pm @@ -439,7 +439,7 @@ sub rule { return (undef, "Invalid direction [$direction]") if ! defined $srcdst; my $opt = ''; $opt = '!' if $self->{_negate}; - return (" -m set $opt --set $grp $srcdst ", ); + return (" -m set $opt --match-set $grp $srcdst ", ); } 1; diff --git a/lib/Vyatta/IpTables/Rule.pm b/lib/Vyatta/IpTables/Rule.pm index e6b6ca7..e62d198 100755 --- a/lib/Vyatta/IpTables/Rule.pm +++ b/lib/Vyatta/IpTables/Rule.pm @@ -110,6 +110,8 @@ my %dummy_rule = ( _comment => undef ); +my $DEBUG = 'false'; + sub new { my $that = shift; my $class = ref ($that) || $that; @@ -515,14 +517,36 @@ first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mo # all options in $rule are copied to $recent_rule below my $recent_rule = undef; if (defined($self->{_recent_time}) || defined($self->{_recent_cnt})) { - $recent_rule = $rule; - $rule .= ' -m recent --update '; - $recent_rule .= ' -m recent --set '; + my $recent_rule1 = undef; + my $recent_rule2 = undef; + $recent_rule1 .= ' -m recent --update '; + $recent_rule2 .= ' -m recent --set '; if (defined($self->{_recent_time})) { - $rule .= " --seconds $self->{_recent_time} "; + $recent_rule1 .= " --seconds $self->{_recent_time} "; } if (defined($self->{_recent_cnt})) { - $rule .= " --hitcount $self->{_recent_cnt} "; + $recent_rule1 .= " --hitcount $self->{_recent_cnt} "; + } + + $recent_rule = $rule; + + if ($rule =~ m/\-m\s+set\s+\-\-match\-set/) { + # firewall group being used in this rule. iptables complains if recent + # match condition is placed after group match conditions [see bug 5744] + # so instead of appending recent match place it before group match + my @split_rules = (); + + @split_rules = split(/(\-m\s+set\s+\-\-match\-set)/, $rule, 2); + $rule = $split_rules[0] . $recent_rule1 . + $split_rules[1] . $split_rules[2]; + + @split_rules = split(/(\-m\s+set\s+\-\-match\-set)/, $recent_rule, 2); + $recent_rule = $split_rules[0] . $recent_rule2 . + $split_rules[1] . $split_rules[2]; + } else { + # append recent match conditions to the two rules needed for recent match + $rule .= $recent_rule1; + $recent_rule .= $recent_rule2; } } @@ -590,7 +614,18 @@ first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mo $each_udprule =~ s/ \-p tcp / -p udp / if defined $each_udprule; } } - + + if ($DEBUG eq 'true') { + # print all potential iptables rules that could be formed for + # a single CLI rule. see get_num_ipt_rules to see exact count + print "rule :\n$rule\n" if defined $rule; + print "rule2 :\n$rule2\n" if defined $rule2; + print "recent rule :\n$recent_rule\n" if defined $recent_rule; + print "udp rule :\n$udp_rule\n" if defined $udp_rule; + print "udp rule2 :\n$udp_rule2\n" if defined $udp_rule2; + print "udp recent rule :\n$udp_recent_rule\n" if defined $udp_recent_rule; + } + return (undef, $rule, $rule2, $recent_rule, $udp_rule, $udp_rule2, $udp_recent_rule); } |