author | An-Cheng Huang <ancheng@vyatta.com> | 2008-08-21 09:35:43 -0700 |
---|---|---|
committer | An-Cheng Huang <ancheng@vyatta.com> | 2008-08-21 09:35:43 -0700 |
commit | 9dd0ef94bcafa777fa258f5bc96bd5b2ffda6ce6 (patch) | |
tree | 93bf29c218f030166ef8646eeb4421202f6afbd3 /scripts | |
parent | 9e5e9af8af7479eabd51dec7448d320e97497ecc (diff) | |
download | vyatta-cfg-firewall-9dd0ef94bcafa777fa258f5bc96bd5b2ffda6ce6.tar.gz vyatta-cfg-firewall-9dd0ef94bcafa777fa258f5bc96bd5b2ffda6ce6.zip |
fix for bug 3604: add fragment matching options
Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/firewall/VyattaIpTablesRule.pm | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/scripts/firewall/VyattaIpTablesRule.pm b/scripts/firewall/VyattaIpTablesRule.pm
index df28872..9ccee2f 100644
--- a/scripts/firewall/VyattaIpTablesRule.pm
+++ b/scripts/firewall/VyattaIpTablesRule.pm
@@ -24,6 +24,8 @@ my %fields = (
 _mod_dscp => undef,
 _ipsec => undef,
 _non_ipsec => undef,
+ _frag => undef,
+ _non_frag => undef,
 _recent_time => undef,
 _recent_cnt => undef,
 );
@@ -45,6 +47,8 @@ my %dummy_rule = (
 _mod_dscp => undef,
 _ipsec => undef,
 _non_ipsec => undef,
+ _frag => undef,
+ _non_frag => undef,
 _recent_time => undef,
 _recent_cnt => undef,
 );
@@ -91,6 +95,8 @@ sub setup {
 $self->{_mod_dscp} = $config->returnValue("modify dscp");
 $self->{_ipsec} = $config->exists("ipsec match-ipsec");
 $self->{_non_ipsec} = $config->exists("ipsec match-none");
+ $self->{_frag} = $config->exists("fragment match-frag");
+ $self->{_non_frag} = $config->exists("fragment match-non-frag");
 $self->{_recent_time} = $config->returnValue('recent time');
 $self->{_recent_cnt} = $config->returnValue('recent count');
 
@@ -126,6 +132,8 @@ sub setupOrig {
 $self->{_mod_dscp} = $config->returnOrigValue("modify dscp");
 $self->{_ipsec} = $config->existsOrig("ipsec match-ipsec");
 $self->{_non_ipsec} = $config->existsOrig("ipsec match-none");
+ $self->{_frag} = $config->existsOrig("fragment match-frag");
+ $self->{_non_frag} = $config->existsOrig("fragment match-non-frag");
 $self->{_recent_time} = $config->returnOrigValue('recent time');
 $self->{_recent_cnt} = $config->returnOrigValue('recent count');
 
@@ -248,6 +256,14 @@ sub rule {
 }
 $rule .= " $srcrule $dstrule ";
 
+ return ('Cannot specify both "match-frag" and "match-non-frag"', )
+ if (defined($self->{_frag}) && defined($self->{_non_frag}));
+ if (defined($self->{_frag})) {
+ $rule .= ' -f ';
+ } elsif (defined($self->{_non_frag})) {
+ $rule .= ' ! -f ';
+ }
+
 # note: "out" is not valid in the INPUT chain.
 return ('Cannot specify both "match-ipsec" and "match-none"', )
 if (defined($self->{_ipsec}) && defined($self->{_non_ipsec}));
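Review bot: The new ` -f ` branch is appended right after `$srcrule $dstrule` with no comment on what it selects: iptables `-f` matches only second and further fragments, which carry no transport header, so if those source/destination fragments (built outside the hunk) include port matches the resulting rule can never match anything, and the user gets no error. A one-line comment above the branch would prevent the next reader from pairing it with port rules, e.g. `# iptables -f matches only 2nd+ fragments (no L4 header); ! -f matches first/unfragmented packets`, and if port-plus-match-frag is a reachable configuration it should be rejected the same way the match-frag/match-non-frag conflict is. Whether fragments even reach this rule presumably depends on connection tracking being loaded, since it defragments before filtering; worth confirming and noting in the same comment. The mutual-exclusion check mirrors the existing ipsec pattern, which is consistent; sub rule begins and ends outside the hunk.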