author | Stig Thormodsrud <stig@vyatta.com> | 2010-02-15 13:09:45 -0800 |
---|---|---|
committer | Stig Thormodsrud <stig@vyatta.com> | 2010-02-15 13:09:45 -0800 |
commit | 1798758677bb5580efd7ba3799e9ff9ba97a7b88 (patch) | |
tree | 2f966cd5f4d071eb3039df98d80092007af2f733 /templates/firewall | |
parent | 4db871d983aed462c9c3967beeb6f797838019e8 (diff) | |
Fix 5227: firewall group config can get out of sync with ipset
Diffstat (limited to 'templates/firewall')
-rw-r--r-- | templates/firewall/group/address-group/node.tag/address/node.def | 32 | ||||
-rw-r--r-- | templates/firewall/group/port-group/node.tag/port/node.def | 32 |
2 files changed, 58 insertions, 6 deletions
diff --git a/templates/firewall/group/address-group/node.tag/address/node.def b/templates/firewall/group/address-group/node.tag/address/node.def
index 26519c0..d5f85b0 100644
--- a/templates/firewall/group/address-group/node.tag/address/node.def
+++ b/templates/firewall/group/address-group/node.tag/address/node.def
@@ -8,9 +8,35 @@ syntax:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
 --set-type=address \
 --member=\"$VAR(@)\"; "
-create: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=add-member \
- --set-name=$VAR(../@) \
- --member="$VAR(@)"
+create: tmpgrp=$VAR(../@)-$PPID
+ tmpfile="/tmp/$VAR(../@)-$PPID";
+
+ if [ "$COMMIT_SIBLING_POSITION" = "FIRST" ] || [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
+ sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-set-empty \
+ --set-name=$VAR(../@)
+ if [ $? != 0 ]; then
+ touch $tmpfile;
+ fi;
+ sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=copy-set \
+ --set-name=$VAR(../@) --set-type=address --set-copy=$tmpgrp
+ fi;
+
+ sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=add-member \
+ --set-name="$tmpgrp" --member="$VAR(@)" --alias=$VAR(../@)
+ if [ $? != 0 ]; then
+ sudo ipset --destroy $tmpgrp;
+ if [ -e $tmpfile ]; then
+ sudo ipset --destroy $VAR(../@);
+ rm $tmpfile;
+ fi;
+ exit 1;
+ fi;
+
+ if [ "$COMMIT_SIBLING_POSITION" = "LAST" ] || [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
+ sudo ipset --swap $tmpgrp "$VAR(../@)";
+ sudo ipset --destroy $tmpgrp;
+ rm -f $tmpfile;
+ fi;
 delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
 --set-name=$VAR(../@) \
diff --git a/templates/firewall/group/port-group/node.tag/port/node.def b/templates/firewall/group/port-group/node.tag/port/node.def
index 5ce33b1..2aa367c 100644
--- a/templates/firewall/group/port-group/node.tag/port/node.def
+++ b/templates/firewall/group/port-group/node.tag/port/node.def
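Review bot: The marker `tmpfile="/tmp/$VAR(../@)-$PPID"` is a predictable name in a world-writable directory, and its mere existence is what makes the failure branch run `sudo ipset --destroy $VAR(../@)`, so a file of that name that already exists (or a symlink, since `touch` and `rm` run unprivileged) turns a failed add-member into destruction of the live group set. The marker has to outlive one shell, so mktemp does not fit, but it should live in a directory only the committing user can write (placeholder: `STATE_DIR/$VAR(../@)-$PPID`). `$tmpfile`, `$tmpgrp` and `$VAR(../@)` are also unquoted in `touch`, `[ -e … ]`, `rm`, `--set-copy=` and `ipset --destroy`; unless the group-name node's syntax check rejects whitespace and shell metacharacters (not visible here), quote them the way `--set-name="$tmpgrp"` already is. The port-group hunk below contains the identical code.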
@@ -8,9 +8,35 @@ syntax:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
 --set-type=port \
 --member=\"$VAR(@)\"; "
-create: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=add-member \
- --set-name=$VAR(../@) \
- --member="$VAR(@)"
+create: tmpgrp=$VAR(../@)-$PPID
+ tmpfile="/tmp/$VAR(../@)-$PPID";
+
+ if [ "$COMMIT_SIBLING_POSITION" = "FIRST" ] || [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
+ sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-set-empty \
+ --set-name=$VAR(../@)
+ if [ $? != 0 ]; then
+ touch $tmpfile;
+ fi;
+ sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=copy-set \
+ --set-name=$VAR(../@) --set-type=port --set-copy=$tmpgrp
+ fi;
+
+ sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=add-member \
+ --set-name="$tmpgrp" --member="$VAR(@)" --alias=$VAR(../@)
+ if [ $? != 0 ]; then
+ sudo ipset --destroy $tmpgrp;
+ if [ -e $tmpfile ]; then
+ sudo ipset --destroy $VAR(../@);
+ rm $tmpfile;
+ fi;
+ exit 1;
+ fi;
+
+ if [ "$COMMIT_SIBLING_POSITION" = "LAST" ] || [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
+ sudo ipset --swap $tmpgrp "$VAR(../@)";
+ sudo ipset --destroy $tmpgrp;
+ rm -f $tmpfile;
+ fi;
 delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
 --set-name=$VAR(../@) \ |
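Review bot: The exit status of the `--action=copy-set` call is never checked, so when it fails the script presumably goes on to add-member against a `$tmpgrp` that was never created, then runs `ipset --destroy $tmpgrp` on a missing set while `$tmpfile` may already have marked the real group for destruction; check it the same way add-member is checked and take the same cleanup path. It also looks like a commit that stops between the FIRST and LAST siblings (any other node failing) leaves `$tmpgrp` and the marker file behind, and each later commit creates a fresh `<group>-<pid>` set, so stale temporary sets accumulate with nothing removing them. Note too that `$VAR(../@)-$PPID` may exceed ipset's set-name length limit for long group names, which under the current code would fail silently at copy-set; a comment such as `# temp set and marker are keyed by $PPID so the sibling create: hooks of one commit share them` would help the next reader. The address-group hunk above has the same issues.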