authorRobert Bays <robert@vyatta.com>2012-07-06 10:33:24 -0700
committerRobert Bays <robert@vyatta.com>2012-09-03 10:20:04 -0700
commit0532b78f0f0b58f75714145642ab7e8dd2a2117b (patch)
tree00c2635b7364b49449abc63ad3e89fe0c3cf29d7 /scripts/firewall
parent4976816fe6793debc42bab49af53320c242cc95b (diff)
downloadvyatta-cfg-firewall-0532b78f0f0b58f75714145642ab7e8dd2a2117b.tar.gz
vyatta-cfg-firewall-0532b78f0f0b58f75714145642ab7e8dd2a2117b.zip
changes to policy tables to add accept
updates to dscp node.def for better help text
Diffstat (limited to 'scripts/firewall')
-rwxr-xr-xscripts/firewall/vyatta-firewall.pl29
1 files changed, 25 insertions, 4 deletions
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl
index ea0d676..ee4d209 100755
--- a/scripts/firewall/vyatta-firewall.pl
+++ b/scripts/firewall/vyatta-firewall.pl
@@ -224,10 +224,10 @@ sub run_cmd {
open (my $out, '-|', $cmd_to_run . ' 2>&1')
or die "Can't run command \"$cmd_to_run\": $!";
my @cmd_out = <$out>;
-
+
# if command suceeds to do nothing.
return if (close ($out));
-
+
foreach my $line (@cmd_out) {
chomp $line;
syslog(LOG_INFO, "%s", $line);
@@ -521,7 +521,7 @@ sub update_rules {
} elsif ($nodes{$name} eq 'changed') {
log_msg "$tree $name = changed";
#check for prefix length, iptables permits 29 as --log-prefix
- my $test = $config->exists('enable-default-log');
+ my $test = $config->exists('enable-default-log');
if (!($test)) {
if (($policy_log) and (length ($name) > 19)) {
my $action_char = uc(substr($policy, 0, 1));
@@ -712,7 +712,7 @@ sub update_ints {
print STDERR 'Firewall config error: ' .
"\"Modify\" rule set \"$chain\" cannot be used for " .
"\"local\"\n";
-
+
exit 1;
}
@@ -849,6 +849,17 @@ sub teardown_iptables {
run_cmd("$iptables_cmd -t $table -X $FW_LOCAL_HOOK", 1);
}
}
+
+ # remove policy routing sub rules
+ if ($table eq 'mangle') {
+ for (my $i = 1; $i <= 250; $i++) {
+ run_cmd("$iptables_cmd -t $table -D VYATTA_PBR_$i 2", 1);
+ run_cmd("$iptables_cmd -t $table -D VYATTA_PBR_$i 1", 1);
+ run_cmd("$iptables_cmd -t $table -F VYATTA_PBR_$i", 1);
+ run_cmd("$iptables_cmd -t $table -X VYATTA_PBR_$i", 1);
+ }
+ }
+
}
sub setup_iptables {
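Review bot: The chain count 250 is hard-coded here and again in the setup_iptables hunk below, and the two C-style loops build the chain name `VYATTA_PBR_$i` independently, so the teardown and setup can silently drift apart; a shared `use constant PBR_CHAIN_COUNT => 250;` iterated with `for my $i (1 .. PBR_CHAIN_COUNT)` would keep them in step and read more idiomatically. The two `-D VYATTA_PBR_$i 2` / `-D VYATTA_PBR_$i 1` calls look redundant with the `-F VYATTA_PBR_$i` that follows, since a flush removes every rule in the chain before `-X`; unless the explicit deletes are needed for some reason not visible here, dropping them halves the number of iptables invocations in a loop that already runs 250 times. A short comment stating who consumes these chains (presumably the policy-based routing code that jumps to them — confirm) would help the next reader, e.g. `# VYATTA_PBR_<n> chains are the per-policy targets for PBR; their fwmarks are set in setup_iptables`. teardown_iptables starts outside this hunk.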
@@ -884,6 +895,16 @@ sub setup_iptables {
log_msg "FW_CONNTRACK exists $cnt";
}
+ # setup policy routing sub rules
+ if ($table eq 'mangle') {
+ for (my $i = 1; $i <= 250; $i++) {
+ my $mark = $i + 0x7FFFFFFF;
+ run_cmd("$iptables_cmd -t $table -N VYATTA_PBR_$i", 1);
+ run_cmd("$iptables_cmd -t $table -I VYATTA_PBR_$i 1 -j MARK --set-mark $mark", 1);
+ run_cmd("$iptables_cmd -t $table -I VYATTA_PBR_$i 2 -j ACCEPT", 1);
+ }
+ }
+
return 0;
}
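Review bot: `--set-mark $mark` on the `-I VYATTA_PBR_$i 1` line replaces the whole fwmark rather than a masked range of bits, so any mark another part of the system has already placed on the packet is overwritten; if other marks are in use on this box (I cannot tell from this hunk), `--set-xmark` with an explicit mask, or documenting that the PBR marks own the full fwmark, would avoid a hard-to-debug interaction. The mark base `0x7FFFFFFF` and the upper bound 250 are magic numbers; naming them (`use constant PBR_MARK_BASE => 0x7FFFFFFF;`) and adding `# marks 0x80000000 .. 0x800000F9 are reserved for PBR` makes the reserved range explicit. Inserting at positions 1 and 2 into a freshly created empty chain is equivalent to two `-A` appends, which states the intent (mark, then accept) more plainly than the explicit indices. setup_iptables starts outside this hunk.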