diff options
6 files changed, 74 insertions, 11 deletions
diff --git a/lib/Vyatta/IpTables/Rule.pm b/lib/Vyatta/IpTables/Rule.pm index 6a743c7..5fec1b3 100644 --- a/lib/Vyatta/IpTables/Rule.pm +++ b/lib/Vyatta/IpTables/Rule.pm @@ -300,14 +300,22 @@ sub get_num_ipt_rules { my $self = shift; my $ipt_rules = 1; return 0 if defined $self->{_disable}; + my $protocol_tcpudp = 0; + if (defined $self->{_protocol} && $self->{_protocol} eq 'tcp_udp') { + $ipt_rules++; + $protocol_tcpudp = 1; + } + if (("$self->{_log}" eq "enable") && (("$self->{_action}" eq "drop") || ("$self->{_action}" eq "accept") || ("$self->{_action}" eq "reject") || ("$self->{_action}" eq "modify"))) { $ipt_rules += 1; + $ipt_rules++ if $protocol_tcpudp == 1; } if (defined($self->{_recent_time}) || defined($self->{_recent_cnt})) { $ipt_rules += 1; + $ipt_rules++ if $protocol_tcpudp == 1; } return $ipt_rules; } @@ -315,6 +323,7 @@ sub get_num_ipt_rules { sub rule { my ( $self ) = @_; my ($rule, $srcrule, $dstrule, $err_str); + my $tcp_and_udp = 0; # set CLI rule num as comment my @level_nodes = split (' ', $self->{_comment}); @@ -324,10 +333,14 @@ sub rule { if (defined($self->{_protocol})) { my $str = $self->{_protocol}; $str =~ s/^\!(.*)$/! $1/; - $rule .= "--protocol $str "; + if ($str eq 'tcp_udp') { + $tcp_and_udp = 1; + $rule .= " -p tcp "; # we'll add the '-p udp' to 2nd rule later + } else { + $rule .= " -p $str "; + } } - # set the session state if protocol tcp my $state_str = uc (get_state_str($self)); if ($state_str ne "") { $rule .= "-m state --state $state_str "; @@ -559,8 +572,21 @@ first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mo $rule2 = $recent_rule; $recent_rule = undef; } + return (undef, undef) if defined $self->{_disable}; - return (undef, $rule, $rule2, $recent_rule, ); + + my ($udp_rule, $udp_rule2, $udp_recent_rule) = (undef, undef, undef); + if ($tcp_and_udp == 1) { + # create udp rules + $udp_rule = $rule; + $udp_rule2 = $rule2 if defined $rule2; + $udp_recent_rule = $recent_rule if defined $recent_rule; + foreach my $each_udprule ($udp_rule, $udp_rule2, $udp_recent_rule) { + $each_udprule =~ s/ \-p tcp / -p udp / if defined $each_udprule; + } + } + + return (undef, $rule, $rule2, $recent_rule, $udp_rule, $udp_rule2, $udp_recent_rule); } sub outputXmlElem { diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl index a14ef19..95c0198 100755 --- a/scripts/firewall/vyatta-firewall.pl +++ b/scripts/firewall/vyatta-firewall.pl @@ -419,7 +419,7 @@ sub update_rules { } foreach (@rule_strs) { if (!defined) { - last; + next; } run_cmd("$iptables_cmd -t $table --insert $name $iptablesrule $_", @@ -461,7 +461,7 @@ sub update_rules { foreach (@rule_strs) { if (!defined) { - last; + next; } run_cmd("$iptables_cmd -t $table --insert $name $iptablesrule $_", 0, 0); diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def index d43ffdd..b8a0c55 100644 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def +++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def @@ -7,6 +7,9 @@ syntax:expression: exec " if [ \"$param\" = \"icmpv6\" ]; then exit 0 fi + if [ \"$param\" = \"tcp_udp\" ]; then + exit 0 + fi /opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)' " ; "invalid protocol \"$VAR(@)\"" @@ -15,12 +18,13 @@ syntax:expression: exec " # values or protocol numbers allowed: protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }'` - protos="all icmpv6 $protos" + protos="all icmpv6 $protos tcp_udp" echo -n $protos comp_help:Possible completions: <text> An IPv6 protocol name (e.g. "tcp" or "udp") <1-255> An IPv6 protocol number + tcp_udp Both TCP and UDP all All IPv6 protocols !<text> All IPv6 protocols except for the specified name - !<1-255> All IPv6 protocols except for the specified number
\ No newline at end of file + !<1-255> All IPv6 protocols except for the specified number diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/protocol/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/protocol/node.def index d43ffdd..b8a0c55 100644 --- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/protocol/node.def +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/protocol/node.def @@ -7,6 +7,9 @@ syntax:expression: exec " if [ \"$param\" = \"icmpv6\" ]; then exit 0 fi + if [ \"$param\" = \"tcp_udp\" ]; then + exit 0 + fi /opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)' " ; "invalid protocol \"$VAR(@)\"" @@ -15,12 +18,13 @@ syntax:expression: exec " # values or protocol numbers allowed: protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }'` - protos="all icmpv6 $protos" + protos="all icmpv6 $protos tcp_udp" echo -n $protos comp_help:Possible completions: <text> An IPv6 protocol name (e.g. "tcp" or "udp") <1-255> An IPv6 protocol number + tcp_udp Both TCP and UDP all All IPv6 protocols !<text> All IPv6 protocols except for the specified name - !<1-255> All IPv6 protocols except for the specified number
\ No newline at end of file + !<1-255> All IPv6 protocols except for the specified number diff --git a/templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def b/templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def index 3a912fb..b739bff 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def +++ b/templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def @@ -1,8 +1,22 @@ type: txt help: Set protocol to match (protocol name in /etc/protocols or protocol number or "all") -syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)'" ; "invalid protocol \"$VAR(@)\"" + comp_help:Possible completions: <text> An IP protocol name from /etc/protocols (e.g. "tcp" or "udp") <0-255> An IP protocol number + tcp_udp Both TCP and UDP all All IP protocols !<protocol> All IP protocols except for the specified name or number (negation) + +syntax:expression: exec "if [ -n \"`/opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)'`\" ] \ + && [ \"$VAR(@)\" != 'tcp_udp' ]; then \ + echo invalid protocol \"$VAR(@)\" ; \ + exit 1 ; \ + fi ; " + +# Provide some help for command completion. Doesn't return negated +# values or protocol numbers +allowed: + protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }' | grep -v 'v6'` + protos="all $protos tcp_udp" + echo -n $protos diff --git a/templates/firewall/name/node.tag/rule/node.tag/protocol/node.def b/templates/firewall/name/node.tag/rule/node.tag/protocol/node.def index 03ce8cf..21a58eb 100644 --- a/templates/firewall/name/node.tag/rule/node.tag/protocol/node.def +++ b/templates/firewall/name/node.tag/rule/node.tag/protocol/node.def @@ -1,8 +1,23 @@ type: txt + help: Set protocol to match (protocol name in /etc/protocols or protocol number or "all") -syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)'" ; "invalid protocol \"$VAR(@)\"" + comp_help:Possible completions: <text> An IP protocol name from /etc/protocols (e.g. "tcp" or "udp") <1-255> An IP protocol number + tcp_udp Both TCP and UDP all All IP protocols !<protocol> All IP protocols except for the specified name or number (negation) + +syntax:expression: exec "if [ -n \"`/opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)'`\" ] \ + && [ \"$VAR(@)\" != 'tcp_udp' ]; then \ + echo invalid protocol \"$VAR(@)\" ; \ + exit 1 ; \ + fi ; " + +# Provide some help for command completion. Doesn't return negated +# values or protocol numbers +allowed: + protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }' | grep -v 'v6'` + protos="all $protos tcp_udp" + echo -n $protos |