author | Bob Gilligan <gilligan@vyatta.com> | 2009-01-23 13:59:37 -0800 |
---|---|---|
committer | Bob Gilligan <gilligan@vyatta.com> | 2009-01-23 13:59:37 -0800 |
commit | 1f1d31163c347ace7b8e288363235ea22651916f (patch) | |
tree | 4584133fd8cce13f6c742a994812117f600056b9 /scripts | |
parent | dd37fdecea527c8d7098e257bc83e620af1ff730 (diff) | |
Bugfix 4062: Don't reference parameters outside the config tree.
The AddressFilter module was reaching up the config tree to find
a config parameter that was used to determine whether the address type
was IPv4 or IPv6. This breaks when the functions are called from some
locations in the config tree. I added explicit function calls to allow
the caller to set the IP version, obviating the need to reference
a config parameter to determine the IP version.
Diffstat (limited to 'scripts')
-rwxr-xr-x | scripts/firewall/vyatta-firewall.pl | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl
index 9625c43..058e9cf 100755
--- a/scripts/firewall/vyatta-firewall.pl
+++ b/scripts/firewall/vyatta-firewall.pl
@@ -41,6 +41,13 @@ my %cmd_hash = ( 'name' => 'iptables', 'modify' => 'iptables', 'ipv6-modify' => 'ip6tables');
+# mapping from config node to IP version string.
+my %ip_version_hash = ( 'name' => 'ipv4',
+ 'ipv6-name' => 'ipv6',
+ 'modify' => 'ipv4',
+ 'ipv6-modify' => 'ipv6');
+
+
 sub other_table {
 my $this = shift;
 return (($this eq 'filter') ? 'mangle' : 'filter');
@@ -195,6 +202,7 @@ sub update_rules($) {
 foreach (sort numerically @rules) {
 my $node = new Vyatta::IpTables::Rule;
 $node->setupOrig("firewall $tree $name rule $_");
+ $node->set_ip_version($ip_version_hash{$tree});
 if ($node->is_stateful()) {
 $stateful = 1;
 last;
@@ -252,6 +260,7 @@ sub update_rules($) {
 if ("$rulehash{$rule}" eq "static") {
 my $node = new Vyatta::IpTables::Rule;
 $node->setupOrig("firewall $tree $name rule $rule");
+ $node->set_ip_version($ip_version_hash{$tree});
 if ($node->is_stateful()) {
 $stateful = 1;
 }
@@ -261,6 +270,7 @@ sub update_rules($) {
 # create a new iptables object of the current rule
 my $node = new Vyatta::IpTables::Rule;
 $node->setup("firewall $tree $name rule $rule");
+ $node->set_ip_version($ip_version_hash{$tree});
 if ($node->is_stateful()) {
 $stateful = 1;
 }
@@ -286,8 +296,10 @@ sub update_rules($) {
 # create a new iptables object of the current rule
 my $oldnode = new Vyatta::IpTables::Rule;
 $oldnode->setupOrig("firewall $tree $name rule $rule");
+ $oldnode->set_ip_version($ip_version_hash{$tree});
 my $node = new Vyatta::IpTables::Rule;
 $node->setup("firewall $tree $name rule $rule");
+ $node->set_ip_version($ip_version_hash{$tree});
 if ($node->is_stateful()) {
 $stateful = 1;
 }
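Review bot: The `$ip_version_hash{$tree}` lookup added after `$node->setupOrig("firewall $tree $name rule $_")` in the `foreach (sort numerically @rules)` loop hands undef to `set_ip_version` whenever `$tree` is not one of the four keys defined in the first hunk; nothing in the hunk rejects such a tree, so a rule under an unexpected node would be built with no IP version instead of failing loudly. The same unguarded lookup is repeated in the three later hunks on this line and in the `deleted` branch in the following hunk. Assuming `$tree` is fixed for the whole of update_rules (it is interpolated unchanged into every setup path shown; the sub's body starts outside these hunks), resolve it once near the top of the sub and fail on a miss: `my $ip_version = $ip_version_hash{$tree};` / `die "update_rules: unknown firewall tree '$tree'\n" unless defined $ip_version;`, then pass `$ip_version` to each `set_ip_version` call. That also collapses the five duplicated hash lookups into one place that has to stay in sync with `%cmd_hash`.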
@@ -321,6 +333,7 @@ sub update_rules($) {
 } elsif ("$rulehash{$rule}" eq "deleted") {
 my $node = new Vyatta::IpTables::Rule;
 $node->setupOrig("firewall $tree $name rule $rule");
+ $node->set_ip_version($ip_version_hash{$tree});
 my $ipt_rules = $node->get_num_ipt_rules();
 for (1 .. $ipt_rules) { |