authorStig Thormodsrud <stig@vyatta.com>2010-02-15 13:09:45 -0800
committerStig Thormodsrud <stig@vyatta.com>2010-02-15 13:09:45 -0800
commit1798758677bb5580efd7ba3799e9ff9ba97a7b88 (patch)
tree2f966cd5f4d071eb3039df98d80092007af2f733 /templates/firewall
parent4db871d983aed462c9c3967beeb6f797838019e8 (diff)
Fix 5227: firewall group config can get out of sync with ipset
Diffstat (limited to 'templates/firewall')
-rw-r--r--templates/firewall/group/address-group/node.tag/address/node.def32
-rw-r--r--templates/firewall/group/port-group/node.tag/port/node.def32
2 files changed, 58 insertions, 6 deletions
diff --git a/templates/firewall/group/address-group/node.tag/address/node.def b/templates/firewall/group/address-group/node.tag/address/node.def
index 26519c0..d5f85b0 100644
--- a/templates/firewall/group/address-group/node.tag/address/node.def
+++ b/templates/firewall/group/address-group/node.tag/address/node.def
@@ -8,9 +8,35 @@ syntax:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
--set-type=address \
--member=\"$VAR(@)\"; "
-create: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=add-member \
- --set-name=$VAR(../@) \
- --member="$VAR(@)"
+create: tmpgrp=$VAR(../@)-$PPID
+ tmpfile="/tmp/$VAR(../@)-$PPID";
+
+ if [ "$COMMIT_SIBLING_POSITION" = "FIRST" ] || [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
+ sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-set-empty \
+ --set-name=$VAR(../@)
+ if [ $? != 0 ]; then
+ touch $tmpfile;
+ fi;
+ sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=copy-set \
+ --set-name=$VAR(../@) --set-type=address --set-copy=$tmpgrp
+ fi;
+
+ sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=add-member \
+ --set-name="$tmpgrp" --member="$VAR(@)" --alias=$VAR(../@)
+ if [ $? != 0 ]; then
+ sudo ipset --destroy $tmpgrp;
+ if [ -e $tmpfile ]; then
+ sudo ipset --destroy $VAR(../@);
+ rm $tmpfile;
+ fi;
+ exit 1;
+ fi;
+
+ if [ "$COMMIT_SIBLING_POSITION" = "LAST" ] || [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
+ sudo ipset --swap $tmpgrp "$VAR(../@)";
+ sudo ipset --destroy $tmpgrp;
+ rm -f $tmpfile;
+ fi;
delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
--set-name=$VAR(../@) \
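Review bot: The `sudo ipset --swap $tmpgrp "$VAR(../@)"` in the LAST branch is unchecked, so if the swap fails the temporary set is destroyed on the next line and the create action still returns success, leaving the committed config and the live ipset out of sync — the very condition the commit sets out to fix; `sudo ipset --swap $tmpgrp "$VAR(../@)" || { sudo ipset --destroy $tmpgrp; rm -f $tmpfile; exit 1; }` would surface it. The marker file is a predictable name in world-writable /tmp, and its mere existence decides whether `sudo ipset --destroy $VAR(../@)` runs on the error path, so any local user able to pre-create that name could make a failed commit remove the live group; a directory that is not world-writable (or one created with `mktemp -d` whose name is handed to the sibling invocations, which presumably share $PPID) would close that. The meaning of the marker is also not obvious from the code — a one-line comment above the `touch $tmpfile` stating what a non-zero exit from is-set-empty indicates and why that should trigger destroying the real group on failure would help the next reader. The same script appears verbatim, with only --set-type differing, in the port-group hunk below; these points apply there too, and the duplicated logic might better live in vyatta-ipset.pl. The hunk appears truncated, so the delete action continues outside it.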
diff --git a/templates/firewall/group/port-group/node.tag/port/node.def b/templates/firewall/group/port-group/node.tag/port/node.def
index 5ce33b1..2aa367c 100644
--- a/templates/firewall/group/port-group/node.tag/port/node.def
+++ b/templates/firewall/group/port-group/node.tag/port/node.def
@@ -8,9 +8,35 @@ syntax:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
--set-type=port \
--member=\"$VAR(@)\"; "
-create: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=add-member \
- --set-name=$VAR(../@) \
- --member="$VAR(@)"
+create: tmpgrp=$VAR(../@)-$PPID
+ tmpfile="/tmp/$VAR(../@)-$PPID";
+
+ if [ "$COMMIT_SIBLING_POSITION" = "FIRST" ] || [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
+ sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-set-empty \
+ --set-name=$VAR(../@)
+ if [ $? != 0 ]; then
+ touch $tmpfile;
+ fi;
+ sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=copy-set \
+ --set-name=$VAR(../@) --set-type=port --set-copy=$tmpgrp
+ fi;
+
+ sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=add-member \
+ --set-name="$tmpgrp" --member="$VAR(@)" --alias=$VAR(../@)
+ if [ $? != 0 ]; then
+ sudo ipset --destroy $tmpgrp;
+ if [ -e $tmpfile ]; then
+ sudo ipset --destroy $VAR(../@);
+ rm $tmpfile;
+ fi;
+ exit 1;
+ fi;
+
+ if [ "$COMMIT_SIBLING_POSITION" = "LAST" ] || [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
+ sudo ipset --swap $tmpgrp "$VAR(../@)";
+ sudo ipset --destroy $tmpgrp;
+ rm -f $tmpfile;
+ fi;
delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
--set-name=$VAR(../@) \