authorStig Thormodsrud <stig@vyatta.com>2010-10-30 13:19:31 -0700
committerStig Thormodsrud <stig@vyatta.com>2010-10-30 13:19:31 -0700
commit2ad550ffeaf214e167677fc9be57f4c3b1a61be0 (patch)
tree5ad360c8d6675e47e149183b2fb6087039fec4a7 /templates/firewall
parent2dac8cbc810c4d3b743b684ef596bc713af4204b (diff)
Fix 5247: Firewall groups CLI becomes out of sync with ipset when sets and deletes are contained within a single commit
Diffstat (limited to 'templates/firewall')
-rw-r--r--templates/firewall/group/address-group/node.tag/address/node.def44
-rw-r--r--templates/firewall/group/port-group/node.tag/port/node.def41
2 files changed, 79 insertions, 6 deletions
diff --git a/templates/firewall/group/address-group/node.tag/address/node.def b/templates/firewall/group/address-group/node.tag/address/node.def
index b0bd955..a04dd5b 100644
--- a/templates/firewall/group/address-group/node.tag/address/node.def
+++ b/templates/firewall/group/address-group/node.tag/address/node.def
@@ -20,22 +20,28 @@ create: tmpgrp=$VAR(../@)-$PPID
fi
tmpfile="/tmp/$tmpgrp";
+ # echo create $VAR(@) $tmpgrp $COMMIT_SIBLING_POSITION
+
if [ "$COMMIT_SIBLING_POSITION" = "FIRST" ] || \
[ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-set-empty \
--set-name=$VAR(../@)
if [ $? != 0 ]; then
+ # echo create $tmpfile;
touch $tmpfile;
fi;
sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=copy-set \
--set-name=$VAR(../@) --set-type=address --set-copy=$tmpgrp
+ # echo create $tmpgrp
fi;
sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=add-member \
--set-name="$tmpgrp" --member="$VAR(@)" --alias=$VAR(../@)
if [ $? != 0 ]; then
+ # echo error adding, destroy $tmpgrp
sudo ipset --destroy $tmpgrp;
if [ -e $tmpfile ]; then
+ # echo destroy $VAR(../@)
sudo ipset --destroy $VAR(../@);
rm $tmpfile;
fi;
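Review bot: The lines added at L26, L33, L38, L43 and L46 are commented-out `# echo` debugging statements, which become dead text the moment the fix ships; the same pattern recurs in the later hunks (L53, L69, L76, L81, L97, L121, L128, L133, L154). Either drop them before merging or keep a single diagnostic that is actually executed when a debug variable is set, written to stderr so it never mixes with the action's output. As it stands a reader has to work out for each one whether it was meant to be re-enabled. The create action this hunk belongs to starts and ends outside the hunk.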
@@ -44,12 +50,38 @@ create: tmpgrp=$VAR(../@)-$PPID
if [ "$COMMIT_SIBLING_POSITION" = "LAST" ] || \
[ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
+ # echo swap and destroy $tmpgrp
sudo ipset --swap $tmpgrp "$VAR(../@)";
sudo ipset --destroy $tmpgrp;
rm -f $tmpfile;
fi;
-delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-deleted \
+delete: tmpgrp=$VAR(../@)-$PPID
+ len=${#tmpgrp}
+ if [ "$len" -gt 31 ]; then
+ tmpgrp=${tmpgrp: -31};
+ if [[ "$tmpgrp" =~ ^- ]]; then
+ tmpgrp=${tmpgrp/-/Z};
+ fi
+ fi
+ tmpfile="/tmp/$tmpgrp";
+
+ # echo delete $VAR(@) $tmpgrp $COMMIT_SIBLING_POSITION
+
+ if [ "$COMMIT_SIBLING_POSITION" = "FIRST" ] || \
+ [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
+ sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-set-empty \
+ --set-name=$VAR(../@)
+ if [ $? != 0 ]; then
+ # echo create $tmpfile;
+ touch $tmpfile;
+ fi;
+ sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=copy-set \
+ --set-name=$VAR(../@) --set-type=address --set-copy=$tmpgrp
+ # echo create $tmpgrp
+ fi;
+
+ sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-deleted \
--set-name=$VAR(../@) --set-type=address;
if [ $? == 0 ] ; then
sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-used \
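Review bot: `tmpfile="/tmp/$tmpgrp"` at L67 is a predictable path in a shared, world-writable directory, derived only from the set name and `$PPID`, and in the create action the marker's mere existence is what selects `sudo ipset --destroy $VAR(../@)` on the error path (context L45–L47); a stale marker left by an earlier aborted commit whose PID was later recycled, or a file placed at that name by any other local account, would therefore make a later commit destroy a live set. Prefer a state directory that is not writable by other users (or `mktemp` with the resulting path recorded rather than re-derived), and make sure the marker is removed on every exit path, not only in the LAST branch. Separately, `touch $tmpfile`, `sudo ipset --destroy $tmpgrp` and `--set-name=$VAR(../@)` expand unquoted; the CLI syntax check presumably constrains set names, but quoting them costs nothing. The identical prologue is added to the port-group delete action at L111–L134, and the delete action continues past this hunk.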
@@ -61,5 +93,13 @@ delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-deleted \
fi
sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
- --set-name=$VAR(../@) \
+ --set-name=$tmpgrp \
--member="$VAR(@)"
+
+ if [ "$COMMIT_SIBLING_POSITION" = "LAST" ] || \
+ [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
+ # echo swap and destroy $tmpgrp
+ sudo ipset --swap $tmpgrp "$VAR(../@)";
+ sudo ipset --destroy $tmpgrp;
+ rm -f $tmpfile;
+ fi;
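Review bot: The swap at L98 runs whether or not `delete-member` at L90–L93 succeeded, so a failed member removal still swaps the temporary copy over the live set and the commit reports success; the create action checks `$?` after `add-member` and tears the temporary set down on failure (L42–L49), but the new delete action has no counterpart. Add a check directly after L93, e.g. `if [ $? != 0 ]; then sudo ipset --destroy $tmpgrp; rm -f $tmpfile; exit 1; fi`, mirroring the create path (without destroying the real set, which pre-existed here). The port-group delete action at L147–L158 has the same gap.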
diff --git a/templates/firewall/group/port-group/node.tag/port/node.def b/templates/firewall/group/port-group/node.tag/port/node.def
index f0ab759..6e657c4 100644
--- a/templates/firewall/group/port-group/node.tag/port/node.def
+++ b/templates/firewall/group/port-group/node.tag/port/node.def
@@ -51,8 +51,33 @@ create: tmpgrp=$VAR(../@)-$PPID
rm -f $tmpfile;
fi;
-delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-deleted \
- --set-name=$VAR(../@) --set-type=port;
+delete: tmpgrp=$VAR(../@)-$PPID
+ len=${#tmpgrp}
+ if [ "$len" -gt 31 ]; then
+ tmpgrp=${tmpgrp: -31};
+ if [[ "$tmpgrp" =~ ^- ]]; then
+ tmpgrp=${tmpgrp/-/Z};
+ fi
+ fi
+ tmpfile="/tmp/$tmpgrp";
+
+ # echo delete $VAR(@) $tmpgrp $COMMIT_SIBLING_POSITION
+
+ if [ "$COMMIT_SIBLING_POSITION" = "FIRST" ] || \
+ [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
+ sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-set-empty \
+ --set-name=$VAR(../@)
+ if [ $? != 0 ]; then
+ # echo create $tmpfile;
+ touch $tmpfile;
+ fi;
+ sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=copy-set \
+ --set-name=$VAR(../@) --set-type=port --set-copy=$tmpgrp
+ # echo create $tmpgrp
+ fi;
+
+ sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-deleted \
+ --set-name=$VAR(../@) --set-type=port;
if [ $? == 0 ] ; then
sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-used \
--set-name=$VAR(../@) --set-type=port
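Review bot: The 31-character truncation and the FIRST/FIRSTLAST copy-set prologue at L111–L134 are now the fourth copy of the same block (the create actions of both templates per their hunk headers, the address-group delete at L59–L82, and here), differing only in `--set-type`; a fix applied to one copy would silently miss the others. Consider moving the temporary-name derivation into vyatta-ipset.pl or a sourced helper so each template passes only `--set-type`. The `^-` test and `${tmpgrp/-/Z}` at L115–L116 presumably exist because a leading `-` in a set name would be read as an option by ipset; a one-line comment saying so, e.g. `# a truncated name must not start with '-' (would be parsed as an option)`, would save the next reader from re-deriving it. The delete action continues into the following hunk.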
@@ -61,7 +86,15 @@ delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-deleted \
exit 1;
fi
fi
-
+
sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
- --set-name=$VAR(../@) \
+ --set-name=$tmpgrp \
--member="$VAR(@)"
+
+ if [ "$COMMIT_SIBLING_POSITION" = "LAST" ] || \
+ [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
+ # echo swap and destroy $tmpgrp
+ sudo ipset --swap $tmpgrp "$VAR(../@)";
+ sudo ipset --destroy $tmpgrp;
+ rm -f $tmpfile;
+ fi;
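Review bot: When the group is still referenced, `exit 1` at L142 returns without destroying the temporary set `$tmpgrp` or removing `$tmpfile`, both created for the FIRST sibling at L125–L132, because the cleanup only lives in the LAST branch at L152–L158; every rejected delete of a referenced group then leaks a kernel ipset named after the parent PID, and the stale marker can influence a later commit. Either run the is-group-deleted / is-group-used checks before the copy-set at L131, or clean up inside the branch before leaving, e.g. `sudo ipset --destroy $tmpgrp; rm -f $tmpfile; exit 1;`. The address-group delete action (L59–L101) has the same structure, though its `exit 1` lies outside the hunk shown.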