-rwxr-xr-x | lib/Vyatta/IpTables/IpSet.pm | 10 | ||||
-rw-r--r-- | templates/firewall/group/address-group/node.def | 3 | ||||
-rw-r--r-- | templates/firewall/group/network-group/node.def | 3 | ||||
-rw-r--r-- | templates/firewall/group/port-group/node.def | 3 |
4 files changed, 18 insertions, 1 deletions
diff --git a/lib/Vyatta/IpTables/IpSet.pm b/lib/Vyatta/IpTables/IpSet.pm
index 60ec2f2..a0038c2 100755
--- a/lib/Vyatta/IpTables/IpSet.pm
+++ b/lib/Vyatta/IpTables/IpSet.pm
@@ -37,6 +37,7 @@ my %fields = (
 _name => undef,
 _type => undef, # vyatta group type, not ipset type
 _exists => undef,
+ _negate => undef,
 _debug => undef,
 );
@@ -61,6 +62,10 @@ sub new {
 my $self = {
 %fields,
 };
+ if ($name =~ m/^!/) {
+ $self->{_negate} = 1;
+ $name =~ s/^!(.*)$/$1/;
+ }
 $self->{_name} = $name;
 $self->{_type} = $type;
@@ -402,6 +407,7 @@ sub get_firewall_references {
 $config->setLevel($rule_path);
 my $group_type = "$self->{_type}-group";
 my $value = $config->returnOrigValue($group_type);
+ $value =~ s/^!(.*)$/$1/ if defined $value;
 if (defined $value and $self->{_name} eq $value) {
 push @fw_refs, "$name-$rule-$dir";
 }
@@ -427,7 +433,9 @@ sub rule {
 $srcdst = 'dst' if $direction eq 'destination';
 return (undef, "Invalid direction [$direction]") if ! defined $srcdst;
- return (" -m set --set $grp $srcdst ", );
+ my $opt = '';
+ $opt = '!' if $self->{_negate};
+ return (" -m set $opt --set $grp $srcdst ", );
 }
 1;
diff --git a/templates/firewall/group/address-group/node.def b/templates/firewall/group/address-group/node.def
index f594074..9a60731 100644
--- a/templates/firewall/group/address-group/node.def
+++ b/templates/firewall/group/address-group/node.def
@@ -11,6 +11,9 @@ syntax:expression: exec " \
 syntax:expression: pattern $VAR(@) "^[^-]" ; \
 "Firewall group name cannot start with \"-\""
+syntax:expression: pattern $VAR(@) "^[^!]" ; \
+ "Firewall group name cannot start with \"!\""
+
 create: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
 --action=create-set \
 --set-type=address \
diff --git a/templates/firewall/group/network-group/node.def b/templates/firewall/group/network-group/node.def
index 3419b6a..0f7e2d5 100644
--- a/templates/firewall/group/network-group/node.def
+++ b/templates/firewall/group/network-group/node.def 
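Review bot: The `!` prefix is stripped with `s/^!(.*)$/$1/` in the `new` hunk and again in `get_firewall_references`, and that pattern is fragile: `.` stops at a newline and `$` matches only at the end of the string or before a trailing one, so a value with an embedded line break would keep its `!` while `m/^!/` on the line above still sets `_negate` — unlikely through validated config, but `$name =~ s/\A!//;` (and `$value =~ s/\A!// if defined $value;`) is both simpler and exact. Factoring the two sites into one `_strip_negation` helper would also keep the parser in `new` and the reference scan in `get_firewall_references` from drifting apart later. In `rule`, `" -m set $opt --set $grp $srcdst "` emits a doubled space when `_negate` is unset, harmless if the string is later split on whitespace, but `my $opt = $self->{_negate} ? '! ' : '';` with `" -m set $opt--set $grp $srcdst "` avoids it. The new `_negate` field in `%fields` deserves a comment such as `# set when the group was referenced as "!name": the rule matches entries NOT in the set`, since nothing else documents the convention; `new`, `get_firewall_references` and `rule` all begin outside their hunks.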
@@ -11,6 +11,9 @@ syntax:expression: exec " \
 syntax:expression: pattern $VAR(@) "^[^-]" ; \
 "Firewall group name cannot start with \"-\""
+syntax:expression: pattern $VAR(@) "^[^!]" ; \
+ "Firewall group name cannot start with \"!\""
+
 create: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
 --action=create-set \
 --set-type=network \
diff --git a/templates/firewall/group/port-group/node.def b/templates/firewall/group/port-group/node.def
index 6a9e192..e34c960 100644
--- a/templates/firewall/group/port-group/node.def
+++ b/templates/firewall/group/port-group/node.def
@@ -11,6 +11,9 @@ syntax:expression: exec " \
 syntax:expression: pattern $VAR(@) "^[^-]" ; \
 "Firewall group name cannot start with \"-\""
+syntax:expression: pattern $VAR(@) "^[^!]" ; \
+ "Firewall group name cannot start with \"!\""
+
 create: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
 --action=create-set \
 --set-type=port \ |