author | Mohit Mehta <mohit.mehta@vyatta.com> | 2009-04-27 17:13:59 -0700 |
---|---|---|
committer | Mohit Mehta <mohit.mehta@vyatta.com> | 2009-04-27 17:13:59 -0700 |
commit | f27b7aa32850ddb690297621b24bb31a10655416 (patch) | |
tree | f5a6adafce6ae9c529f8be003c1bf63d40bfebe6 /scripts | |
parent | 06a5b7230f0acae67a992e254b434c85217bb350 (diff) | |
outlaw applying firewall to an interface that is defined under a zone
Diffstat (limited to 'scripts')
-rwxr-xr-x | scripts/firewall/vyatta-firewall.pl | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl
index f3ccb41..b021663 100755
--- a/scripts/firewall/vyatta-firewall.pl
+++ b/scripts/firewall/vyatta-firewall.pl
@@ -8,6 +8,7 @@ use Vyatta::Config;
 use Vyatta::IpTables::Rule;
 use Vyatta::IpTables::AddressFilter;
 use Getopt::Long;
+use Vyatta::Zone;
 # Send output of shell commands to syslog for debugging and so that
 # the user is not confused by it. Log at debug level, which is supressed
@@ -107,6 +108,19 @@ if ($#updateints == 4) {
 $iptables_cmd = $cmd_hash{$tree};
 if ($action eq "update") {
+ # make sure interface is not being used in a zone
+ my @all_zones = Vyatta::Zone::get_all_zones("listNodes");
+ foreach my $zone (@all_zones) {
+ my @zone_interfaces =
+ Vyatta::Zone::get_zone_interfaces("returnValues", $zone);
+ if (scalar(grep(/^$int_name$/, @zone_interfaces)) > 0) {
+ print STDERR 'Firewall config error: ' .
+ "interface $int_name is defined under zone $zone\n" .
+ "Cannot use per interface firewall for a zone interface\n";
+ exit 1;
+ }
+ } + # make sure chain exists
 if (!defined($tree2)) {
 # require chain to be configured in "firewall" first |
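Review bot: The zone membership test in the second hunk, `grep(/^$int_name$/, @zone_interfaces)`, interpolates `$int_name` into a regex unescaped, so any regex metacharacter in the interface name (a dot in a VLAN sub-interface name, for instance) is treated as pattern syntax rather than matched literally, and `$` also accepts a trailing newline. The intent is an exact name match, which is clearer and avoids both problems as a string comparison: `if (grep { $_ eq $int_name } @zone_interfaces) {`. If a pattern must be kept, it should be `m/\A\Q$int_name\E\z/` so the name is quoted and anchored to the whole string. The enclosing `if ($action eq "update")` block continues past the end of the hunk.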