diff options
author | Joshua McBeth <joshua.mcbeth@gmail.com> | 2017-12-03 21:43:25 -0500 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2019-02-08 18:42:29 +0100 |
commit | 2cd6280b90042efac7c37be4835f70ed06514504 (patch) | |
tree | ce25835c81b86f8566cea3c2f53eb5f31458f70b /scripts/firewall | |
parent | 5499f86a9b6702ce1e76d994402299fce3bbbc47 (diff) | |
download | vyatta-cfg-firewall-2cd6280b90042efac7c37be4835f70ed06514504.tar.gz vyatta-cfg-firewall-2cd6280b90042efac7c37be4835f70ed06514504.zip |
T484: Rules can't be deleted from firewall rule sets used in zone policies
Diffstat (limited to 'scripts/firewall')
-rwxr-xr-x | scripts/firewall/vyatta-firewall.pl | 70 |
1 files changed, 39 insertions, 31 deletions
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl index c2727cc..dc7c702 100755 --- a/scripts/firewall/vyatta-firewall.pl +++ b/scripts/firewall/vyatta-firewall.pl @@ -526,42 +526,50 @@ sub update_rules { $config->setLevel("$tree $name rule"); my %test_rule_hash = $config->listNodeStatus(); + my $all_rules_deleted = 1; + foreach my $test_rule (sort numerically keys %test_rule_hash) { - if ("$test_rule_hash{$test_rule}" eq 'static') { - next; - } elsif ("$test_rule_hash{$test_rule}" eq 'added') { - my $test_node = new Vyatta::IpTables::Rule; - $test_node->setup("$tree $name rule $test_rule"); - $test_node->set_ip_version($ip_version_hash{$tree}); - my ($err_str, @rule_strs) = $test_node->rule(); - if (defined($err_str)) { - Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: $err_str\n"); - exit 1; - } - my $test_chain = chain_configured(2, $name, $tree); - if (defined($test_chain)) { - # Chain name must be unique in both trees - Vyatta::Config::outputError([$tree,$name], "Firewall configuration error: Rule set name \"$name\" already used in \"$test_chain\"\n"); - exit 1; - } - } elsif ("$test_rule_hash{$test_rule}" eq 'changed') { - my $test_node = new Vyatta::IpTables::Rule; - $test_node->setup("$tree $name rule $test_rule"); - $test_node->set_ip_version($ip_version_hash{$tree}); - my ($err_str, @rule_strs) = $test_node->rule(); - if (defined($err_str)) { - Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: $err_str\n"); - exit 1; - } - } elsif ("$test_rule_hash{$test_rule}" eq 'deleted') { - if (Vyatta::IpTables::Mgr::chain_referenced($table, $name, $iptables_cmd)) { - # Disallow deleting a chain if it's still referenced - Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: Cannot delete rule set \"$name\" (still in use)\n"); - exit 1; + if ("$test_rule_hash{$test_rule}" ne 'deleted') { + $all_rules_deleted = 0; + + if ("$test_rule_hash{$test_rule}" eq 'static') { + next; + } elsif ("$test_rule_hash{$test_rule}" eq 'added') { + my $test_node = new Vyatta::IpTables::Rule; + $test_node->setup("$tree $name rule $test_rule"); + $test_node->set_ip_version($ip_version_hash{$tree}); + my ($err_str, @rule_strs) = $test_node->rule(); + if (defined($err_str)) { + Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: $err_str\n"); + exit 1; + } + my $test_chain = chain_configured(2, $name, $tree); + if (defined($test_chain)) { + # Chain name must be unique in both trees + Vyatta::Config::outputError([$tree,$name], "Firewall configuration error: Rule set name \"$name\" already used in \"$test_chain\"\n"); + exit 1; + } + } elsif ("$test_rule_hash{$test_rule}" eq 'changed') { + my $test_node = new Vyatta::IpTables::Rule; + $test_node->setup("$tree $name rule $test_rule"); + $test_node->set_ip_version($ip_version_hash{$tree}); + my ($err_str, @rule_strs) = $test_node->rule(); + if (defined($err_str)) { + Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: $err_str\n"); + exit 1; + } } } } + + if ($all_rules_deleted and Vyatta::IpTables::Mgr::chain_referenced($table, $name, $iptables_cmd)) { + # Disallow deleting a chain if it's still referenced + Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: Cannot delete rule set \"$name\" (still in use)\n"); + exit 1; + } + + if ($nodes{$name} eq 'static') { # not changed. check if stateful. |