authorJoshua McBeth <joshua.mcbeth@gmail.com>2017-12-03 21:43:25 -0500
committerChristian Poessinger <christian@poessinger.com>2019-02-08 18:42:29 +0100
commit2cd6280b90042efac7c37be4835f70ed06514504 (patch)
treece25835c81b86f8566cea3c2f53eb5f31458f70b /scripts/firewall
parent5499f86a9b6702ce1e76d994402299fce3bbbc47 (diff)
T484: Rules can't be deleted from firewall rule sets used in zone policies
Diffstat (limited to 'scripts/firewall')
-rwxr-xr-xscripts/firewall/vyatta-firewall.pl70
1 files changed, 39 insertions, 31 deletions
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl
index c2727cc..dc7c702 100755
--- a/scripts/firewall/vyatta-firewall.pl
+++ b/scripts/firewall/vyatta-firewall.pl
@@ -526,42 +526,50 @@ sub update_rules {
$config->setLevel("$tree $name rule");
my %test_rule_hash = $config->listNodeStatus();
+ my $all_rules_deleted = 1;
+
foreach my $test_rule (sort numerically keys %test_rule_hash) {
- if ("$test_rule_hash{$test_rule}" eq 'static') {
- next;
- } elsif ("$test_rule_hash{$test_rule}" eq 'added') {
- my $test_node = new Vyatta::IpTables::Rule;
- $test_node->setup("$tree $name rule $test_rule");
- $test_node->set_ip_version($ip_version_hash{$tree});
- my ($err_str, @rule_strs) = $test_node->rule();
- if (defined($err_str)) {
- Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: $err_str\n");
- exit 1;
- }
- my $test_chain = chain_configured(2, $name, $tree);
- if (defined($test_chain)) {
- # Chain name must be unique in both trees
- Vyatta::Config::outputError([$tree,$name], "Firewall configuration error: Rule set name \"$name\" already used in \"$test_chain\"\n");
- exit 1;
- }
- } elsif ("$test_rule_hash{$test_rule}" eq 'changed') {
- my $test_node = new Vyatta::IpTables::Rule;
- $test_node->setup("$tree $name rule $test_rule");
- $test_node->set_ip_version($ip_version_hash{$tree});
- my ($err_str, @rule_strs) = $test_node->rule();
- if (defined($err_str)) {
- Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: $err_str\n");
- exit 1;
- }
- } elsif ("$test_rule_hash{$test_rule}" eq 'deleted') {
- if (Vyatta::IpTables::Mgr::chain_referenced($table, $name, $iptables_cmd)) {
- # Disallow deleting a chain if it's still referenced
- Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: Cannot delete rule set \"$name\" (still in use)\n");
- exit 1;
+ if ("$test_rule_hash{$test_rule}" ne 'deleted') {
+ $all_rules_deleted = 0;
+
+ if ("$test_rule_hash{$test_rule}" eq 'static') {
+ next;
+ } elsif ("$test_rule_hash{$test_rule}" eq 'added') {
+ my $test_node = new Vyatta::IpTables::Rule;
+ $test_node->setup("$tree $name rule $test_rule");
+ $test_node->set_ip_version($ip_version_hash{$tree});
+ my ($err_str, @rule_strs) = $test_node->rule();
+ if (defined($err_str)) {
+ Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: $err_str\n");
+ exit 1;
+ }
+ my $test_chain = chain_configured(2, $name, $tree);
+ if (defined($test_chain)) {
+ # Chain name must be unique in both trees
+ Vyatta::Config::outputError([$tree,$name], "Firewall configuration error: Rule set name \"$name\" already used in \"$test_chain\"\n");
+ exit 1;
+ }
+ } elsif ("$test_rule_hash{$test_rule}" eq 'changed') {
+ my $test_node = new Vyatta::IpTables::Rule;
+ $test_node->setup("$tree $name rule $test_rule");
+ $test_node->set_ip_version($ip_version_hash{$tree});
+ my ($err_str, @rule_strs) = $test_node->rule();
+ if (defined($err_str)) {
+ Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: $err_str\n");
+ exit 1;
+ }
}
}
}
+
+ if ($all_rules_deleted and Vyatta::IpTables::Mgr::chain_referenced($table, $name, $iptables_cmd)) {
+ # Disallow deleting a chain if it's still referenced
+ Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: Cannot delete rule set \"$name\" (still in use)\n");
+ exit 1;
+ }
+
+
if ($nodes{$name} eq 'static') {
# not changed. check if stateful.