authorMohit Mehta <mohit@vyatta.com>2011-12-01 05:33:44 -0800
committerMohit Mehta <mohit@vyatta.com>2011-12-01 05:33:44 -0800
commit25364db4c400b2a05bbfca65e98f8b27271f962f (patch)
tree7408500e09cbc06d7909ae301611f4e198a8e05a /templates/firewall
parentd5d88ed8f5323361f938a8f0b7454a8c73dd6c12 (diff)
Bug 6063 ENH: Provide option(s) to globally allow stateful return traffic
* add code to set global policy for established, related, invalid states
Diffstat (limited to 'templates/firewall')
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def4
-rw-r--r--templates/firewall/ipv6-name/node.tag/rule/node.tag/log/node.def4
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/log/node.def4
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/log/node.def4
-rw-r--r--templates/firewall/state-policy/established/action/node.def12
-rw-r--r--templates/firewall/state-policy/established/log/enable/node.def1
-rw-r--r--templates/firewall/state-policy/established/log/node.def1
-rw-r--r--templates/firewall/state-policy/established/node.def1
-rw-r--r--templates/firewall/state-policy/invalid/action/node.def12
-rw-r--r--templates/firewall/state-policy/invalid/log/enable/node.def1
-rw-r--r--templates/firewall/state-policy/invalid/log/node.def1
-rw-r--r--templates/firewall/state-policy/invalid/node.def1
-rw-r--r--templates/firewall/state-policy/node.def30
-rw-r--r--templates/firewall/state-policy/related/action/node.def12
-rw-r--r--templates/firewall/state-policy/related/log/enable/node.def1
-rw-r--r--templates/firewall/state-policy/related/log/node.def1
-rw-r--r--templates/firewall/state-policy/related/node.def1
17 files changed, 83 insertions, 8 deletions
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def
index ba0e74b..891cbcf 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/log/node.def
@@ -1,3 +1,3 @@
-type: txt; "firwall logging must be enable or disable"
+type: txt; "firewall logging must be enable or disable"
help: Option to log packets matching rule
-syntax:expression: $VAR(@) in "enable", "disable"; "firwall logging must be enable or disable"
+syntax:expression: $VAR(@) in "enable", "disable"; "firewall logging must be enable or disable"
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/log/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/log/node.def
index ba0e74b..891cbcf 100644
--- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/log/node.def
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/log/node.def
@@ -1,3 +1,3 @@
-type: txt; "firwall logging must be enable or disable"
+type: txt; "firewall logging must be enable or disable"
help: Option to log packets matching rule
-syntax:expression: $VAR(@) in "enable", "disable"; "firwall logging must be enable or disable"
+syntax:expression: $VAR(@) in "enable", "disable"; "firewall logging must be enable or disable"
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/log/node.def b/templates/firewall/modify/node.tag/rule/node.tag/log/node.def
index ba0e74b..891cbcf 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/log/node.def
+++ b/templates/firewall/modify/node.tag/rule/node.tag/log/node.def
@@ -1,3 +1,3 @@
-type: txt; "firwall logging must be enable or disable"
+type: txt; "firewall logging must be enable or disable"
help: Option to log packets matching rule
-syntax:expression: $VAR(@) in "enable", "disable"; "firwall logging must be enable or disable"
+syntax:expression: $VAR(@) in "enable", "disable"; "firewall logging must be enable or disable"
diff --git a/templates/firewall/name/node.tag/rule/node.tag/log/node.def b/templates/firewall/name/node.tag/rule/node.tag/log/node.def
index ba0e74b..891cbcf 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/log/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/log/node.def
@@ -1,3 +1,3 @@
-type: txt; "firwall logging must be enable or disable"
+type: txt; "firewall logging must be enable or disable"
help: Option to log packets matching rule
-syntax:expression: $VAR(@) in "enable", "disable"; "firwall logging must be enable or disable"
+syntax:expression: $VAR(@) in "enable", "disable"; "firewall logging must be enable or disable"
diff --git a/templates/firewall/state-policy/established/action/node.def b/templates/firewall/state-policy/established/action/node.def
new file mode 100644
index 0000000..136814f
--- /dev/null
+++ b/templates/firewall/state-policy/established/action/node.def
@@ -0,0 +1,12 @@
+type: txt
+
+help: Action for packets part of an established connection
+
+syntax:expression: $VAR(@) in "accept", "drop", "reject";
+ "action must be one of accept, drop, or reject"
+
+allowed: echo "accept drop reject"
+
+val_help: accept ; Action to accept
+val_help: drop ; Action to drop
+val_help: reject ; Action to reject
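Review bot: The help text on the `help:` line says only "Action for packets part of an established connection" and does not tell the operator that this is a global, all-rulesets setting, so choosing `drop` or `reject` here affects every established flow on the box, presumably including the session used to commit the change. Since the node.def cannot express that warning in code, I would extend the help to something like `help: Global action for packets part of an established connection (applies to all rulesets)` and mirror it in the invalid and related action nodes. Whether the begin-time validity check in state-policy/node.def rejects a self-locking configuration is not visible from this diff, so the help text is the only place a reader is told.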
diff --git a/templates/firewall/state-policy/established/log/enable/node.def b/templates/firewall/state-policy/established/log/enable/node.def
new file mode 100644
index 0000000..406ca0d
--- /dev/null
+++ b/templates/firewall/state-policy/established/log/enable/node.def
@@ -0,0 +1 @@
+help: Enable logging of packets part of an established connection
diff --git a/templates/firewall/state-policy/established/log/node.def b/templates/firewall/state-policy/established/log/node.def
new file mode 100644
index 0000000..78125ae
--- /dev/null
+++ b/templates/firewall/state-policy/established/log/node.def
@@ -0,0 +1 @@
+help: Option to log packets part of an established connection
diff --git a/templates/firewall/state-policy/established/node.def b/templates/firewall/state-policy/established/node.def
new file mode 100644
index 0000000..8a199e2
--- /dev/null
+++ b/templates/firewall/state-policy/established/node.def
@@ -0,0 +1 @@
+help: Global firewall policy for packets part of an established connection
diff --git a/templates/firewall/state-policy/invalid/action/node.def b/templates/firewall/state-policy/invalid/action/node.def
new file mode 100644
index 0000000..1d5b12f
--- /dev/null
+++ b/templates/firewall/state-policy/invalid/action/node.def
@@ -0,0 +1,12 @@
+type: txt
+
+help: Action for packets part of an invalid connection
+
+syntax:expression: $VAR(@) in "accept", "drop", "reject";
+ "action must be one of accept, drop, or reject"
+
+allowed: echo "accept drop reject"
+
+val_help: accept ; Action to accept
+val_help: drop ; Action to drop
+val_help: reject ; Action to reject
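Review bot: The `help:` wording "packets part of an invalid connection" is misleading, because the INVALID conntrack state describes packets that the tracker could not associate with any connection (or that are malformed), not packets belonging to a connection. I would reword it to `help: Action for packets in the INVALID connection-tracking state (not associated with any known connection)` so an operator understands what `accept` on this node admits. The same phrase recurs in the invalid/log and invalid/node.def help lines.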
diff --git a/templates/firewall/state-policy/invalid/log/enable/node.def b/templates/firewall/state-policy/invalid/log/enable/node.def
new file mode 100644
index 0000000..29e0907
--- /dev/null
+++ b/templates/firewall/state-policy/invalid/log/enable/node.def
@@ -0,0 +1 @@
+help: Enable logging of packets part of an invalid connection
diff --git a/templates/firewall/state-policy/invalid/log/node.def b/templates/firewall/state-policy/invalid/log/node.def
new file mode 100644
index 0000000..cfd56b3
--- /dev/null
+++ b/templates/firewall/state-policy/invalid/log/node.def
@@ -0,0 +1 @@
+help: Option to log packets part of an invalid connection
diff --git a/templates/firewall/state-policy/invalid/node.def b/templates/firewall/state-policy/invalid/node.def
new file mode 100644
index 0000000..71bbf20
--- /dev/null
+++ b/templates/firewall/state-policy/invalid/node.def
@@ -0,0 +1 @@
+help: Global firewall policy for packets part of an invalid connection
diff --git a/templates/firewall/state-policy/node.def b/templates/firewall/state-policy/node.def
new file mode 100644
index 0000000..a745c31
--- /dev/null
+++ b/templates/firewall/state-policy/node.def
@@ -0,0 +1,30 @@
+priority: 200
+help: Global firewall state-policy
+
+begin:
+ if ! /opt/vyatta/sbin/vyatta-fw-global-state-policy.pl \
+ --action=state-policy-validity-checks; then \
+ exit 1
+ fi
+
+create:
+ if ! /opt/vyatta/sbin/vyatta-fw-global-state-policy.pl \
+ --action=setup-state-policy; then \
+ exit 1
+ fi
+
+delete:
+ if ! /opt/vyatta/sbin/vyatta-fw-global-state-policy.pl \
+ --action=teardown-state-policy; then \
+ exit 1
+ fi
+
+end:
+ if ! /opt/vyatta/sbin/vyatta-fw-global-state-policy.pl \
+ --action=set-state-actions; then \
+ exit 1
+ fi
+ if ! /opt/vyatta/sbin/vyatta-fw-global-state-policy.pl \
+ --action=enable-disable-conntrack; then \
+ exit 1
+ fi
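Review bot: In the `end:` block the two script invocations are chained so that a failure of `--action=set-state-actions` exits before `--action=enable-disable-conntrack` runs, which can leave the state actions and the conntrack enable/disable step out of sync after a partially failed commit; if the second step is independent of the first, collect the result instead, e.g. `rc=0`, `... --action=set-state-actions || rc=1`, `... --action=enable-disable-conntrack || rc=1; exit $rc`, and let the script report both errors. The node also defines `create:` and `delete:` but no `update:`; if the config backend does not fall back to `create:` for updates, an edit of an existing state-policy would reach only `end:`, so that assumption should be confirmed and stated in a comment next to `create:`. The hard-coded path `/opt/vyatta/sbin/vyatta-fw-global-state-policy.pl` is repeated five times and could be read from one variable at the top of each action block to keep the five call sites consistent.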
diff --git a/templates/firewall/state-policy/related/action/node.def b/templates/firewall/state-policy/related/action/node.def
new file mode 100644
index 0000000..d14a09b
--- /dev/null
+++ b/templates/firewall/state-policy/related/action/node.def
@@ -0,0 +1,12 @@
+type: txt
+
+help: Action for packets part of a related connection
+
+syntax:expression: $VAR(@) in "accept", "drop", "reject";
+ "action must be one of accept, drop, or reject"
+
+allowed: echo "accept drop reject"
+
+val_help: accept ; Action to accept
+val_help: drop ; Action to drop
+val_help: reject ; Action to reject
diff --git a/templates/firewall/state-policy/related/log/enable/node.def b/templates/firewall/state-policy/related/log/enable/node.def
new file mode 100644
index 0000000..8f64b77
--- /dev/null
+++ b/templates/firewall/state-policy/related/log/enable/node.def
@@ -0,0 +1 @@
+help: Enable logging of packets part of a related connection
diff --git a/templates/firewall/state-policy/related/log/node.def b/templates/firewall/state-policy/related/log/node.def
new file mode 100644
index 0000000..245928b
--- /dev/null
+++ b/templates/firewall/state-policy/related/log/node.def
@@ -0,0 +1 @@
+help: Option to log packets part of a related connection
diff --git a/templates/firewall/state-policy/related/node.def b/templates/firewall/state-policy/related/node.def
new file mode 100644
index 0000000..78125ae
--- /dev/null
+++ b/templates/firewall/state-policy/related/node.def
@@ -0,0 +1 @@
+help: Option to log packets part of an established connection
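Review bot: The `help:` line of the new related/node.def is a copy of the established log node's text ("Option to log packets part of an established connection", same blob id 78125ae as templates/firewall/state-policy/established/log/node.def), so the `related` node advertises itself as a logging option for established traffic. It should parallel the sibling top-level nodes at established/node.def and invalid/node.def: `help: Global firewall policy for packets part of a related connection`.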