summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--lib/Vyatta/IpTables/Rule.pm32
-rwxr-xr-xscripts/firewall/vyatta-firewall.pl4
-rw-r--r--templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def8
-rw-r--r--templates/firewall/ipv6-name/node.tag/rule/node.tag/protocol/node.def8
-rw-r--r--templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def16
-rw-r--r--templates/firewall/name/node.tag/rule/node.tag/protocol/node.def17
6 files changed, 74 insertions, 11 deletions
diff --git a/lib/Vyatta/IpTables/Rule.pm b/lib/Vyatta/IpTables/Rule.pm
index 6a743c7..5fec1b3 100644
--- a/lib/Vyatta/IpTables/Rule.pm
+++ b/lib/Vyatta/IpTables/Rule.pm
@@ -300,14 +300,22 @@ sub get_num_ipt_rules {
my $self = shift;
my $ipt_rules = 1;
return 0 if defined $self->{_disable};
+ my $protocol_tcpudp = 0;
+ if (defined $self->{_protocol} && $self->{_protocol} eq 'tcp_udp') {
+ $ipt_rules++;
+ $protocol_tcpudp = 1;
+ }
+
if (("$self->{_log}" eq "enable") && (("$self->{_action}" eq "drop")
|| ("$self->{_action}" eq "accept")
|| ("$self->{_action}" eq "reject")
|| ("$self->{_action}" eq "modify"))) {
$ipt_rules += 1;
+ $ipt_rules++ if $protocol_tcpudp == 1;
}
if (defined($self->{_recent_time}) || defined($self->{_recent_cnt})) {
$ipt_rules += 1;
+ $ipt_rules++ if $protocol_tcpudp == 1;
}
return $ipt_rules;
}
@@ -315,6 +323,7 @@ sub get_num_ipt_rules {
sub rule {
my ( $self ) = @_;
my ($rule, $srcrule, $dstrule, $err_str);
+ my $tcp_and_udp = 0;
# set CLI rule num as comment
my @level_nodes = split (' ', $self->{_comment});
@@ -324,10 +333,14 @@ sub rule {
if (defined($self->{_protocol})) {
my $str = $self->{_protocol};
$str =~ s/^\!(.*)$/! $1/;
- $rule .= "--protocol $str ";
+ if ($str eq 'tcp_udp') {
+ $tcp_and_udp = 1;
+ $rule .= " -p tcp "; # we'll add the '-p udp' to 2nd rule later
+ } else {
+ $rule .= " -p $str ";
+ }
}
- # set the session state if protocol tcp
my $state_str = uc (get_state_str($self));
if ($state_str ne "") {
$rule .= "-m state --state $state_str ";
@@ -559,8 +572,21 @@ first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mo
$rule2 = $recent_rule;
$recent_rule = undef;
}
+
return (undef, undef) if defined $self->{_disable};
- return (undef, $rule, $rule2, $recent_rule, );
+
+ my ($udp_rule, $udp_rule2, $udp_recent_rule) = (undef, undef, undef);
+ if ($tcp_and_udp == 1) {
+ # create udp rules
+ $udp_rule = $rule;
+ $udp_rule2 = $rule2 if defined $rule2;
+ $udp_recent_rule = $recent_rule if defined $recent_rule;
+ foreach my $each_udprule ($udp_rule, $udp_rule2, $udp_recent_rule) {
+ $each_udprule =~ s/ \-p tcp / -p udp / if defined $each_udprule;
+ }
+ }
+
+ return (undef, $rule, $rule2, $recent_rule, $udp_rule, $udp_rule2, $udp_recent_rule);
}
sub outputXmlElem {
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl
index a14ef19..95c0198 100755
--- a/scripts/firewall/vyatta-firewall.pl
+++ b/scripts/firewall/vyatta-firewall.pl
@@ -419,7 +419,7 @@ sub update_rules {
}
foreach (@rule_strs) {
if (!defined) {
- last;
+ next;
}
run_cmd("$iptables_cmd -t $table --insert $name $iptablesrule $_",
@@ -461,7 +461,7 @@ sub update_rules {
foreach (@rule_strs) {
if (!defined) {
- last;
+ next;
}
run_cmd("$iptables_cmd -t $table --insert $name $iptablesrule $_",
0, 0);
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def
index d43ffdd..b8a0c55 100644
--- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def
@@ -7,6 +7,9 @@ syntax:expression: exec "
if [ \"$param\" = \"icmpv6\" ]; then
exit 0
fi
+ if [ \"$param\" = \"tcp_udp\" ]; then
+ exit 0
+ fi
/opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)'
" ;
"invalid protocol \"$VAR(@)\""
@@ -15,12 +18,13 @@ syntax:expression: exec "
# values or protocol numbers
allowed:
protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }'`
- protos="all icmpv6 $protos"
+ protos="all icmpv6 $protos tcp_udp"
echo -n $protos
comp_help:Possible completions:
<text> An IPv6 protocol name (e.g. "tcp" or "udp")
<1-255> An IPv6 protocol number
+ tcp_udp Both TCP and UDP
all All IPv6 protocols
!<text> All IPv6 protocols except for the specified name
- !<1-255> All IPv6 protocols except for the specified number \ No newline at end of file
+ !<1-255> All IPv6 protocols except for the specified number
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/protocol/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/protocol/node.def
index d43ffdd..b8a0c55 100644
--- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/protocol/node.def
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/protocol/node.def
@@ -7,6 +7,9 @@ syntax:expression: exec "
if [ \"$param\" = \"icmpv6\" ]; then
exit 0
fi
+ if [ \"$param\" = \"tcp_udp\" ]; then
+ exit 0
+ fi
/opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)'
" ;
"invalid protocol \"$VAR(@)\""
@@ -15,12 +18,13 @@ syntax:expression: exec "
# values or protocol numbers
allowed:
protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }'`
- protos="all icmpv6 $protos"
+ protos="all icmpv6 $protos tcp_udp"
echo -n $protos
comp_help:Possible completions:
<text> An IPv6 protocol name (e.g. "tcp" or "udp")
<1-255> An IPv6 protocol number
+ tcp_udp Both TCP and UDP
all All IPv6 protocols
!<text> All IPv6 protocols except for the specified name
- !<1-255> All IPv6 protocols except for the specified number \ No newline at end of file
+ !<1-255> All IPv6 protocols except for the specified number
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def b/templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def
index 3a912fb..b739bff 100644
--- a/templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def
+++ b/templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def
@@ -1,8 +1,22 @@
type: txt
help: Set protocol to match (protocol name in /etc/protocols or protocol number or "all")
-syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)'" ; "invalid protocol \"$VAR(@)\""
+
comp_help:Possible completions:
<text> An IP protocol name from /etc/protocols (e.g. "tcp" or "udp")
<0-255> An IP protocol number
+ tcp_udp Both TCP and UDP
all All IP protocols
!<protocol> All IP protocols except for the specified name or number (negation)
+
+syntax:expression: exec "if [ -n \"`/opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)'`\" ] \
+ && [ \"$VAR(@)\" != 'tcp_udp' ]; then \
+ echo invalid protocol \"$VAR(@)\" ; \
+ exit 1 ; \
+ fi ; "
+
+# Provide some help for command completion. Doesn't return negated
+# values or protocol numbers
+allowed:
+ protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }' | grep -v 'v6'`
+ protos="all $protos tcp_udp"
+ echo -n $protos
diff --git a/templates/firewall/name/node.tag/rule/node.tag/protocol/node.def b/templates/firewall/name/node.tag/rule/node.tag/protocol/node.def
index 03ce8cf..21a58eb 100644
--- a/templates/firewall/name/node.tag/rule/node.tag/protocol/node.def
+++ b/templates/firewall/name/node.tag/rule/node.tag/protocol/node.def
@@ -1,8 +1,23 @@
type: txt
+
help: Set protocol to match (protocol name in /etc/protocols or protocol number or "all")
-syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)'" ; "invalid protocol \"$VAR(@)\""
+
comp_help:Possible completions:
<text> An IP protocol name from /etc/protocols (e.g. "tcp" or "udp")
<1-255> An IP protocol number
+ tcp_udp Both TCP and UDP
all All IP protocols
!<protocol> All IP protocols except for the specified name or number (negation)
+
+syntax:expression: exec "if [ -n \"`/opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)'`\" ] \
+ && [ \"$VAR(@)\" != 'tcp_udp' ]; then \
+ echo invalid protocol \"$VAR(@)\" ; \
+ exit 1 ; \
+ fi ; "
+
+# Provide some help for command completion. Doesn't return negated
+# values or protocol numbers
+allowed:
+ protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }' | grep -v 'v6'`
+ protos="all $protos tcp_udp"
+ echo -n $protos