authorStig Thormodsrud <stig@vyatta.com>2010-06-10 15:00:51 -0700
committerStig Thormodsrud <stig@vyatta.com>2010-06-10 15:00:51 -0700
commit4d6d91dc02492043d31304179038e394227f36d9 (patch)
tree7063239fca7de5d9aa5480240f44c686c1e80638 /scripts/firewall
parentaf5dd4743f19fc979ebdea361f7759f12cb61b0f (diff)
downloadvyatta-cfg-firewall-4d6d91dc02492043d31304179038e394227f36d9.tar.gz
vyatta-cfg-firewall-4d6d91dc02492043d31304179038e394227f36d9.zip
Infrastructure needed for bug 5583.
Diffstat (limited to 'scripts/firewall')
-rw-r--r--scripts/firewall/firewall.init.in16
-rwxr-xr-xscripts/firewall/vyatta-firewall.pl24
2 files changed, 20 insertions, 20 deletions
diff --git a/scripts/firewall/firewall.init.in b/scripts/firewall/firewall.init.in
index 22f48fd..040078b 100644
--- a/scripts/firewall/firewall.init.in
+++ b/scripts/firewall/firewall.init.in
@@ -51,13 +51,25 @@ start () {
# set up notrack chains/rules for IPv4
# by default, nothing is tracked.
+ iptables -t raw -N VYATTA_PRE_CT_PREROUTING_HOOK
+ iptables -t raw -A VYATTA_PRE_CT_PREROUTING_HOOK -j RETURN
+ iptables -t raw -A PREROUTING -j VYATTA_PRE_CT_PREROUTING_HOOK
iptables -t raw -A PREROUTING -j NOTRACK
+ iptables -t raw -N VYATTA_PRE_CT_OUTPUT_HOOK
+ iptables -t raw -A VYATTA_PRE_CT_OUTPUT_HOOK -j RETURN
+ iptables -t raw -A OUTPUT -j VYATTA_PRE_CT_OUTPUT_HOOK
iptables -t raw -A OUTPUT -j NOTRACK
if [ -d /proc/sys/net/ipv6 ] ; then
# set up notrack chains/rules for IPv6
- ip6tables -t raw -A PREROUTING -j NOTRACK
- ip6tables -t raw -A OUTPUT -j NOTRACK
+ ip6tables -t raw -N VYATTA_PRE_CT_PREROUTING_HOOK
+ ip6tables -t raw -A VYATTA_PRE_CT_PREROUTING_HOOK -j RETURN
+ ip6tables -t raw -A PREROUTING -j VYATTA_PRE_CT_PREROUTING_HOOK
+ ip6tables -t raw -A PREROUTING -j NOTRACK
+ ip6tables -t raw -N VYATTA_PRE_CT_OUTPUT_HOOK
+ ip6tables -t raw -A VYATTA_PRE_CT_OUTPUT_HOOK -j RETURN
+ ip6tables -t raw -A OUTPUT -j VYATTA_PRE_CT_OUTPUT_HOOK
+ ip6tables -t raw -A OUTPUT -j NOTRACK
# set up post-firewall hook for IPv6
ip6tables -N VYATTA_POST_FW_HOOK
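Review bot: The relative order of the new hook jumps and the existing `-j NOTRACK` rules is load-bearing but undocumented: `iptables -t raw -A PREROUTING -j VYATTA_PRE_CT_PREROUTING_HOOK` is appended immediately before `iptables -t raw -A PREROUTING -j NOTRACK` (and likewise for OUTPUT and the ip6tables block), so a rule later installed into the hook chain can select traffic for tracking before the blanket NOTRACK matches; anyone reordering these appends would silently leave everything untracked. Suggest a comment above the first `-N`: `# The hook jumps must precede the NOTRACK rules: rules added to the hook chains later decide what gets tracked.` Separately, `-N` fails and `-A` duplicates the jump if start runs twice without stop; the pre-existing NOTRACK lines have the same property, and I cannot see from this hunk whether the raw table is flushed first. The enclosing `start ()` function begins before and continues after this hunk.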
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl
index 1961541..925162c 100755
--- a/scripts/firewall/vyatta-firewall.pl
+++ b/scripts/firewall/vyatta-firewall.pl
@@ -7,9 +7,11 @@ use strict;
use Vyatta::Config;
use Vyatta::IpTables::Rule;
use Vyatta::IpTables::AddressFilter;
+use Vyatta::IpTables::Mgr;
use Getopt::Long;
use Vyatta::Zone;
+
# Send output of shell commands to syslog for debugging and so that
# the user is not confused by it. Log at debug level, which is supressed
# by default, so that we don't unnecessarily fill up the syslog file.
@@ -178,15 +180,7 @@ if (defined $teardown) {
teardown_iptables($table, $iptables_cmd);
# remove the conntrack setup.
- my $num;
- foreach my $label ('PREROUTING', 'OUTPUT') {
- $num = find_chain_rule($iptables_cmd, 'raw', $label, 'FW_CONNTRACK');
- if (defined $num and ! is_tree_in_use($other_tree{$teardown})) {
- run_cmd("$iptables_cmd -t raw -D $label $num", 1, 1);
- }
- }
- run_cmd("$iptables_cmd -t raw -F FW_CONNTRACK", 1, 1);
- run_cmd("$iptables_cmd -t raw -X FW_CONNTRACK", 1, 1);
+ ipt_disable_conntrack($iptables_cmd, 'FW_CONNTRACK');
exit 0;
}
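Review bot: The `is_tree_in_use($other_tree{$teardown})` guard that the removed loop applied before deleting the PREROUTING/OUTPUT jump rules has no visible counterpart in the new `ipt_disable_conntrack($iptables_cmd, 'FW_CONNTRACK');` call. Unless the Vyatta::IpTables::Mgr helper performs that check internally (its body is not in this diff), tearing down one tree while the other still relies on connection tracking would remove the conntrack jumps out from under it, and stateful rules there would then see every packet as untracked. If the helper does not take that state into account, the call site should keep the guard, e.g. `ipt_disable_conntrack($iptables_cmd, 'FW_CONNTRACK') unless is_tree_in_use($other_tree{$teardown});`, and the comment `# remove the conntrack setup.` should say that the removal is skipped while the other tree is in use. The enclosing `if (defined $teardown)` block starts outside the hunk.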
@@ -691,15 +685,9 @@ sub setup_iptables {
}
# by default, nothing is tracked (the last rule in raw/PREROUTING).
- my $cnt = count_iptables_rules('raw', 'FW_CONNTRACK', $iptables_cmd);
- if ($cnt == 0) {
- run_cmd("$iptables_cmd -t raw -N FW_CONNTRACK", 1 , 1);
- run_cmd("$iptables_cmd -t raw -A FW_CONNTRACK -j RETURN", 1, 1);
- run_cmd("$iptables_cmd -t raw -I PREROUTING 1 -j FW_CONNTRACK", 1, 1);
- run_cmd("$iptables_cmd -t raw -I OUTPUT 1 -j FW_CONNTRACK", 1, 1);
- } else {
- log_msg "FW_CONNTRACK exists $cnt\n";
- }
+ ipt_enable_conntrack($iptables_cmd, 'FW_CONNTRACK');
+ disable_fw_conntrack($iptables_cmd);
+
return 0;
}