author | Stig Thormodsrud <stig@io.vyatta.com> | 2009-02-02 19:50:21 -0800 |
---|---|---|
committer | Stig Thormodsrud <stig@io.vyatta.com> | 2009-02-02 19:50:21 -0800 |
commit | 299adf5bb38fa7e026ccd3604fc05ba812520700 (patch) | |
tree | 1df602c721dafae568a14b79d4af9b58e6c0e4b3 /templates/firewall | |
parent | 3ea4540b14ad999386c4b359a963bf362d545ee2 (diff) | |
Add 1st pass of firewall group support (ipset netfilter module
integration).
Diffstat (limited to 'templates/firewall')
18 files changed, 149 insertions, 0 deletions
diff --git a/templates/firewall/group/address-group/node.def b/templates/firewall/group/address-group/node.def
new file mode 100644
index 0000000..bc4fb68
--- /dev/null
+++ b/templates/firewall/group/address-group/node.def
@@ -0,0 +1,24 @@
+tag:
+type: txt
+help: Set a firewall address-group
+
+syntax:expression: exec " \
+ if [ `echo $VAR(@) | wc -c` -gt 31 ]; then \
+ echo group name must be 31 characters or less;\
+ exit 1 ; \
+ fi ; "
+
+syntax:expression: pattern $VAR(@) "^[^-]" ; \
+ "Firewall group name cannot start with \"-\""
+
+create: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=create-set \
+ --set-type=address \
+ --set-name="$VAR(@)"
+
+
+delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=delete-set \
+ --set-name="$VAR(@)"
+
+comp_help: Enter the name of the firewall address-group
diff --git a/templates/firewall/group/address-group/node.tag/address/node.def b/templates/firewall/group/address-group/node.tag/address/node.def
new file mode 100644
index 0000000..e0f8026
--- /dev/null
+++ b/templates/firewall/group/address-group/node.tag/address/node.def
@@ -0,0 +1,17 @@
+multi:
+type: ipv4
+help: Set a address-group member
+
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-member \
+ --set-name=$VAR(../@) \
+ --set-type=address \
+ --member=\"$VAR(@)\"; "
+
+create: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=add-member \
+ --set-name=$VAR(../@) \
+ --member="$VAR(@) "
+
+delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
+ --set-name=$VAR(../@) \
+ --member="$VAR(@) "
diff --git a/templates/firewall/group/address-group/node.tag/description/node.def b/templates/firewall/group/address-group/node.tag/description/node.def
new file mode 100644
index 0000000..05f7e51
--- /dev/null
+++ b/templates/firewall/group/address-group/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set address-group description
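Review bot: The length check in address-group/node.def rejects valid 31-character names, because `wc -c` counts the newline that `echo` appends, so a name of exactly 31 characters measures 32 and the message "31 characters or less" is off by one. The same line also interpolates `$VAR(@)` into the shell unquoted, and it appears to run before the `pattern` check below it, which only forbids a leading dash, so shell metacharacters in a group name reach the shell unescaped. I would put the `pattern` check first and tighten it to a safe set such as `pattern $VAR(@) "^[a-zA-Z0-9_][a-zA-Z0-9_-]*$"` (constructed; confirm against what ipset accepts for set names), and measure the length with `if [ $(printf '%s' \"$VAR(@)\" | wc -c) -gt 31 ]; then \`. network-group/node.def and port-group/node.def carry the identical block and need the same change.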
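Review bot: In address/node.def the `create` and `delete` actions pass `--member="$VAR(@) "` with a trailing space inside the quotes, while the `check-member` call passes `--member=\"$VAR(@)\"` without it, so the value that was validated is not byte-identical to the value that is added or removed. Unless vyatta-ipset.pl trims its arguments, which this diff does not show, add and delete act on a different member string than the one checked; dropping the space, `--member="$VAR(@)"`, makes the three calls agree. The check also runs without `sudo` while add and delete run with it, which is fine if check-member only parses its arguments but would turn into a permission error at commit time if it has to read kernel set state — worth confirming. network/node.def and port/node.def have the same trailing space.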
diff --git a/templates/firewall/group/network-group/node.def b/templates/firewall/group/network-group/node.def
new file mode 100644
index 0000000..2d8bf60
--- /dev/null
+++ b/templates/firewall/group/network-group/node.def
@@ -0,0 +1,24 @@
+tag:
+type: txt
+help: Set a firewall network-group
+
+syntax:expression: exec " \
+ if [ `echo $VAR(@) | wc -c` -gt 31 ]; then \
+ echo group name must be 31 characters or less;\
+ exit 1 ; \
+ fi ; "
+
+syntax:expression: pattern $VAR(@) "^[^-]" ; \
+ "Firewall group name cannot start with \"-\""
+
+create: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=create-set \
+ --set-type=network \
+ --set-name="$VAR(@)"
+
+
+delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=delete-set \
+ --set-name="$VAR(@)"
+
+comp_help: Enter the name of the firewall network-group
diff --git a/templates/firewall/group/network-group/node.tag/description/node.def b/templates/firewall/group/network-group/node.tag/description/node.def
new file mode 100644
index 0000000..3c50208
--- /dev/null
+++ b/templates/firewall/group/network-group/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set network-group description
diff --git a/templates/firewall/group/network-group/node.tag/network/node.def b/templates/firewall/group/network-group/node.tag/network/node.def
new file mode 100644
index 0000000..1f33ba9
--- /dev/null
+++ b/templates/firewall/group/network-group/node.tag/network/node.def
@@ -0,0 +1,20 @@
+multi:
+type: ipv4net
+help: Set a network-group member
+
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-member \
+ --set-name=$VAR(../@) \
+ --set-type=network \
+ --member=\"$VAR(@)\"; "
+
+syntax:expression: exec " \
+ /opt/vyatta/sbin/check_prefix_boundary $VAR(@)" \
+
+create: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=add-member \
+ --set-name=$VAR(../@) \
+ --member="$VAR(@) "
+
+delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
+ --set-name=$VAR(../@) \
+ --member="$VAR(@) "
diff --git a/templates/firewall/group/node.def b/templates/firewall/group/node.def
new file mode 100644
index 0000000..d45d3d9
--- /dev/null
+++ b/templates/firewall/group/node.def
@@ -0,0 +1,3 @@
+help: Set a firewall group
+
+comp_help: Enter the name of the firewall group
diff --git a/templates/firewall/group/port-group/node.def b/templates/firewall/group/port-group/node.def
new file mode 100644
index 0000000..0ec803f
--- /dev/null
+++ b/templates/firewall/group/port-group/node.def
@@ -0,0 +1,24 @@
+tag:
+type: txt
+help: Set a firewall port-group
+
+syntax:expression: exec " \
+ if [ `echo $VAR(@) | wc -c` -gt 31 ]; then \
+ echo group name must be 31 characters or less;\
+ exit 1 ; \
+ fi ; "
+
+syntax:expression: pattern $VAR(@) "^[^-]" ; \
+ "Firewall group name cannot start with \"-\""
+
+create: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=create-set \
+ --set-type=port \
+ --set-name="$VAR(@)"
+
+
+delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=delete-set \
+ --set-name="$VAR(@)"
+
+comp_help: Enter the name of the firewall port-group
diff --git a/templates/firewall/group/port-group/node.tag/description/node.def b/templates/firewall/group/port-group/node.tag/description/node.def
new file mode 100644
index 0000000..90124a9
--- /dev/null
+++ b/templates/firewall/group/port-group/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set port-group description
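Review bot: In network/node.def the second `syntax:expression` ends with a stray `\` after `check_prefix_boundary $VAR(@)"` and is followed by an empty line, so the continuation joins the blank line onto the expression instead of terminating it; how the template parser treats that is not visible here, but the intent is clearly a two-line expression and the backslash should go: `/opt/vyatta/sbin/check_prefix_boundary $VAR(@)"`. `$VAR(@)` is also handed to check_prefix_boundary unquoted; the `ipv4net` type constrains what reaches it, so this is a style point, but quoting it as `\"$VAR(@)\"` would match the check-member call just above. This file's `create`/`delete` also carry the trailing-space `--member="$VAR(@) "` already raised for address/node.def.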
diff --git a/templates/firewall/group/port-group/node.tag/port/node.def b/templates/firewall/group/port-group/node.tag/port/node.def
new file mode 100644
index 0000000..3f9c530
--- /dev/null
+++ b/templates/firewall/group/port-group/node.tag/port/node.def
@@ -0,0 +1,17 @@
+multi:
+type: txt
+help: Set a port-group member
+
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-member \
+ --set-name=$VAR(../@) \
+ --set-type=port \
+ --member=\"$VAR(@)\"; "
+
+create: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=add-member \
+ --set-name=$VAR(../@) \
+ --member="$VAR(@) "
+
+delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
+ --set-name=$VAR(../@) \
+ --member="$VAR(@) "
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/group/address-group/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/group/address-group/node.def
new file mode 100644
index 0000000..51953bb
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/group/address-group/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set group of addresses
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/group/network-group/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/group/network-group/node.def
new file mode 100644
index 0000000..cd91233
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/group/network-group/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set group of networks
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/group/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/group/node.def
new file mode 100644
index 0000000..f3d9347
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/group/node.def
@@ -0,0 +1 @@
+help: Set group to match
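Review bot: port/node.def declares the member as `type: txt`, unlike the `ipv4`/`ipv4net` members of the other two group types, so the only validation a port value receives is the check-member exec, and that value is spliced into a shell command string where the surrounding `\"…\"` is its sole protection against a value containing a quote or other metacharacter. A `pattern` check placed before the `exec`, limiting members to the characters a port number, range or service name can contain, e.g. `syntax:expression: pattern $VAR(@) "^[a-zA-Z0-9_-]+$" ; "Invalid port-group member"` (constructed; confirm against the range syntax check-member accepts), keeps arbitrary text away from the shell and gives a clearer error than a failed exec.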
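Review bot: The rule-side group references under destination/group and source/group (destination/group/address-group/node.def here, and the network-group and port-group siblings on this line and the next) are `type: txt` with no `syntax:expression`, so a rule may name a group that was never defined and nothing in these templates catches it when the value is set. Where the mistake surfaces — presumably when the rule is rendered to iptables, which is outside this diff — is not visible here. A `syntax:expression` that confirms the named group exists would report the typo at the referencing node rather than at commit; this diff adds no lookup action to vyatta-ipset.pl for that purpose, so one would need to be added alongside.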
diff --git a/templates/firewall/name/node.tag/rule/node.tag/destination/group/port-group/node.def b/templates/firewall/name/node.tag/rule/node.tag/destination/group/port-group/node.def
new file mode 100644
index 0000000..c9ec6ac
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/destination/group/port-group/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set group of ports
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/group/address-group/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/group/address-group/node.def
new file mode 100644
index 0000000..51953bb
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/group/address-group/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set group of addresses
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/group/network-group/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/group/network-group/node.def
new file mode 100644
index 0000000..cd91233
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/group/network-group/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set group of networks
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/group/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/group/node.def
new file mode 100644
index 0000000..f3d9347
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/group/node.def
@@ -0,0 +1 @@
+help: Set group to match
diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/group/port-group/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/group/port-group/node.def
new file mode 100644
index 0000000..c9ec6ac
--- /dev/null
+++ b/templates/firewall/name/node.tag/rule/node.tag/source/group/port-group/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set group of ports |