author | Marian Tudosoiu <marian.tudosoiu@1and1.ro> | 2018-03-12 12:34:35 +0200 |
committer | Marian Tudosoiu <marian.tudosoiu@1and1.ro> | 2018-03-12 12:34:35 +0200 |
commit | 03f1937e7dcb01ce810c9c19eda15149245f4537 (patch) | |
tree | 2afe38d0afb048f0c16b2746b81f8e8660c3bd07 /lib | |
parent | d1164b989295016436f20caa709603ec5d85a4d3 (diff) | |
Task T35 - add support for IPv6 firewall adddress and network groups
Diffstat (limited to 'lib')
-rwxr-xr-x | lib/Vyatta/IpTables/AddressFilter.pm | 36 | ||||
-rwxr-xr-x | lib/Vyatta/IpTables/IpSet.pm | 6 |
2 files changed, 19 insertions, 23 deletions
diff --git a/lib/Vyatta/IpTables/AddressFilter.pm b/lib/Vyatta/IpTables/AddressFilter.pm
index 9100c24..9b3be53 100755
--- a/lib/Vyatta/IpTables/AddressFilter.pm
+++ b/lib/Vyatta/IpTables/AddressFilter.pm
@@ -238,31 +238,25 @@ sub rule { my ($port_str, $port_err)= getPortRuleString($self->{_port}, $can_use_port,($self->{_srcdst} eq "source") ? "s" : "d",$self->{_protocol}); return (undef, $port_err) if (!defined($port_str)); $rule .= $port_str; - # Handle groups last so we can check $group_ok - if ($self->{_ip_version} eq "ipv4") { - - # so far ipset only supports IPv4 - my %group_used = ('address' => 0, 'network' => 0); - foreach my $group_type ('address', 'network', 'port') { - my $var_name = '_' . $group_type . '_group'; - if (defined($self->{$var_name})) { - $group_used{$group_type} = 1; - my $name = $self->{$var_name}; - if (!$group_ok{$group_type}) { - return (undef, "Can't mix $self->{_srcdst} $group_type group [$name] and $group_type"); - } - my $group = new Vyatta::IpTables::IpSet($name, $group_type); - my ($set_rule, $err_str) = $group->rule($self->{_srcdst}); - return ($err_str,) if !defined $set_rule; - $rule .= $set_rule; + my %group_used = ('address' => 0, 'network' => 0); + foreach my $group_type ('address', 'network', 'port') { + my $var_name = '_' . $group_type . '_group'; + if (defined($self->{$var_name})) { + $group_used{$group_type} = 1; + my $name = $self->{$var_name}; + if (!$group_ok{$group_type}) { + return (undef, "Can't mix $self->{_srcdst} $group_type group [$name] and $group_type"); } - } - if ($group_used{address} and $group_used{network}) { - return (undef,"Can't combine network and address group for $self->{_srcdst}\n"); + my $group = new Vyatta::IpTables::IpSet($name, $group_type); + my ($set_rule, $err_str) = $group->rule($self->{_srcdst}); + return ($err_str,) if !defined $set_rule; + $rule .= $set_rule; } } - + if ($group_used{address} and $group_used{network}) { + return (undef,"Can't combine network and address group for $self->{_srcdst}\n"); + } return ($rule, undef); } diff --git a/lib/Vyatta/IpTables/IpSet.pm b/lib/Vyatta/IpTables/IpSet.pm index ea9bc8d..e293240 100755 --- a/lib/Vyatta/IpTables/IpSet.pm 
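Review bot: The group branch still returns `($err_str,)` when `$group->rule` fails, which puts the error text in the rule slot and `undef` in the error slot, the opposite of the `(undef, $port_err)` convention the other returns in this hunk follow; a caller unpacking `my ($rule, $err) = ...` would see a defined rule that is actually an error message and could append it to the iptables rule string. Change it to `return (undef, $err_str) if !defined $set_rule;`. The line above it constructs the set with `new Vyatta::IpTables::IpSet($name, $group_type)`, indirect-object syntax that should be `Vyatta::IpTables::IpSet->new($name, $group_type)`, and it does not pass the `$family` argument this commit adds to that constructor, so `_family` stays undef on this object — harmless if `rule()` only needs the set name, but worth confirming now that the IPv4-only guard is gone. The enclosing `sub rule` begins before this hunk.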
+++ b/lib/Vyatta/IpTables/IpSet.pm @@ -35,6 +35,7 @@ use warnings; my %fields = ( _name => undef, _type => undef, # vyatta group type, not ipset type + _family => undef, _exists => undef, _negate => undef, _debug => undef, @@ -65,7 +66,7 @@ sub INT_handler { $SIG{'INT'} = 'INT_handler'; sub new { - my ($that, $name, $type) = @_; + my ($that, $name, $type, $family) = @_; my $class = ref($that) || $that; my $self = {%fields,}; @@ -75,6 +76,7 @@ sub new { } $self->{_name} = $name; $self->{_type} = $type; + $self->{_family} = $family; bless $self, $class; return $self; @@ -192,7 +194,7 @@ sub create { $ipset_param .= ' --from 1 --to 65535'; } - my $cmd = "ipset -N $self->{_name} $ipset_param"; + my $cmd = "ipset -N $self->{_name} $ipset_param family $self->{_family}"; my $rc = $self->run_cmd($cmd); return "Error: call to ipset failed [$rc]" if $rc; return; # undef |
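Review bot: In the `create` hunk, `family $self->{_family}` is appended to the ipset command unconditionally, so any caller of `new` that does not pass the new fourth argument — including the `AddressFilter.pm` call in this same commit — produces `ipset -N <name> <params> family ` with an uninitialized value, and ipset will reject the bare keyword. The value is also interpolated into a command string with no check, so it should be constrained in `new` before it can reach `run_cmd`, e.g. `die "bad family '$family'" unless !defined $family || $family =~ /\A(?:inet|inet6)\z/;`, which bounds it to the two values ipset accepts. Then build the option only when set, `$cmd .= " family $self->{_family}" if defined $self->{_family};`, which keeps ipset's inet default for callers that were not updated. If I read the ipset manual correctly, `family` is accepted only by the hash set types, so the port-group branch (`--from 1 --to 65535`, a bitmap set) would also fail to create with the option appended unconditionally; the conditional append, or gating on `_type`, avoids that. `create` starts before its hunk and `new` continues past the end of its hunk.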