-rwxr-xr-x | gen-interface-policy-templates.pl | 20 | ||||
-rwxr-xr-x | scripts/firewall/vyatta-firewall.pl | 40 |
2 files changed, 48 insertions, 12 deletions
diff --git a/gen-interface-policy-templates.pl b/gen-interface-policy-templates.pl index a86c5d6..afea8cf 100755 --- a/gen-interface-policy-templates.pl +++ b/gen-interface-policy-templates.pl @@ -107,12 +107,16 @@ sub gen_firewall_template { # my %table_help_hash = ( "route" => "IPv4 policy route", + "local-route" => "IPv4 policy route of local traffic", "ipv6-route" => "IPv6 policy route", + "ipv6-local-route" => "IPv6 policy route of local traffic", ); my %config_association_hash = ( "route" => "\"policy route\"", + "local-route" => "\"policy local-route\"", "ipv6-route" => "\"policy ipv6-route\"", + "ipv6-local-route" => "\"policy ipv6-local-route\"", ); # Generate the template file at the leaf of the per-interface firewall tree. @@ -120,10 +124,10 @@ my %config_association_hash = ( # ruleset on an interface for a particular ruleset type and direction. # sub gen_template { - my ( $if_tree, $table, $if_name ) = @_; + my ( $if_tree, $direction, $table, $if_name ) = @_; if ($debug) { - print "debug: table=$table\n"; + print "debug: table=$table direction=$direction\n"; } my $template_dir = @@ -147,16 +151,16 @@ allowed: local -a params echo -n "\${params[@]}" create: ifname=$if_name sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces \\ - update \$ifname in \$VAR(@) $config_association_hash{$table} + update \$ifname $direction \$VAR(@) $config_association_hash{$table} update: ifname=$if_name sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces \\ - update \$ifname in \$VAR(@) $config_association_hash{$table} + update \$ifname $direction \$VAR(@) $config_association_hash{$table} delete: ifname=$if_name sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces \\ - delete \$ifname in \$VAR(@) $config_association_hash{$table} + delete \$ifname $direction \$VAR(@) $config_association_hash{$table} EOF close $tp 
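Review bot: `$direction` is interpolated unchecked into the `create:`/`update:`/`delete:` command lines of the generated template (hunk @@ -147), so a caller passing anything other than `in` or `out` would emit a node that hands an unexpected direction token to vyatta-firewall.pl under sudo. Because the new parameter was inserted in the middle of the positional list, a swapped argument at a call site would do exactly that, and a one-line guard at the top of gen_template fails generation instead of writing a broken template: `die "gen_template: direction must be 'in' or 'out', got '$direction'\n" unless $direction eq 'in' || $direction eq 'out';`. The callers visible in this commit only pass the literals `in` and `out`, so this is defensive rather than a live bug. gen_template's body continues past the hunk.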
@@ -173,8 +177,10 @@ foreach my $if_tree ( keys %interface_hash ) { } gen_firewall_template($if_tree); - gen_template( $if_tree, "route", $if_name ); - gen_template( $if_tree, "ipv6-route", $if_name ); + gen_template( $if_tree, "in", "route", $if_name ); + gen_template( $if_tree, "out", "local-route", $if_name ); + gen_template( $if_tree, "in", "ipv6-route", $if_name ); + gen_template( $if_tree, "out", "ipv6-local-route", $if_name ); } print "Done.\n"; diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl index d9fca19..e588ab7 100755 --- a/scripts/firewall/vyatta-firewall.pl +++ b/scripts/firewall/vyatta-firewall.pl @@ -25,6 +25,8 @@ my $policy_ref_file = '/var/run/vyatta_policy_ref'; my $FW_IN_HOOK = 'VYATTA_FW_IN_HOOK'; my $FW_OUT_HOOK = 'VYATTA_FW_OUT_HOOK'; my $FW_LOCAL_HOOK = 'VYATTA_FW_LOCAL_HOOK'; +# FW_LOCALOUT_HOOK is only used in mangle table for PBR of locally initiated traffic +my $FW_LOCALOUT_HOOK = 'VYATTA_FW_LOCALOUT_HOOK'; my $max_rule = 10000; my (@setup, @updateints, @updaterules); @@ -43,7 +45,9 @@ GetOptions("setup=s{2}" => \@setup, my %table_hash = ( 'firewall name' => 'filter', 'firewall ipv6-name' => 'filter', 'policy route' => 'mangle', - 'policy ipv6-route' => 'mangle' ); + 'policy local-route' => 'mangle', + 'policy ipv6-route' => 'mangle', + 'policy ipv6-local-route' => 'mangle'); # mapping from config node to iptables command. Note that this table # has the same keys as %table hash, so a loop iterating through the 
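Review bot: The four gen_template calls carry no explanation of why the two new rule-set types are generated only for the `out` direction, and the node they produce is named after that direction even though, per the vyatta-firewall.pl hunks in this commit, `policy local-route` is attached to a mangle OUTPUT hook rather than to the egress interface hook. A comment above the calls such as `# local-route/ipv6-local-route apply to locally generated traffic (mangle OUTPUT), so only an "out" node is generated` would stop the next reader from looking for a missing `in` variant. The enclosing foreach starts before the hunk.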
@@ -52,13 +56,17 @@ my %table_hash = ( 'firewall name' => 'filter', my %cmd_hash = ( 'firewall name' => 'iptables', 'firewall ipv6-name' => 'ip6tables', 'policy route' => 'iptables', - 'policy ipv6-route' => 'ip6tables'); + 'policy local-route' => 'iptables', + 'policy ipv6-route' => 'ip6tables', + 'policy ipv6-local-route' => 'ip6tables'); # mapping from config node to IP version string. my %ip_version_hash = ( 'firewall name' => 'ipv4', 'firewall ipv6-name' => 'ipv6', 'policy route' => 'ipv4', - 'policy ipv6-route' => 'ipv6'); + 'policy local-route' => 'ipv4', + 'policy ipv6-route' => 'ipv6', + 'policy ipv6-local-route' => 'ipv6'); # mapping from firewall tree to builtin chain for input my %inhook_hash = ( 'filter' => 'FORWARD', @@ -71,6 +79,9 @@ my %outhook_hash = ( 'filter' => 'FORWARD', # mapping from firewall tree to builtin chain for local my %localhook_hash = ( 'filter' => 'INPUT' ); +# mapping from firewall tree to builtin chain for localout +my %localouthook_hash = ( 'mangle' => 'OUTPUT' ); + # mapping from vyatta 'default-policy' to iptables jump target my %policy_hash = ( 'drop' => 'DROP', 'reject' => 'REJECT', @@ -79,7 +90,9 @@ my %policy_hash = ( 'drop' => 'DROP', my %other_tree = ( 'firewall name' => 'policy route', 'firewall ipv6-name' => 'policy ipv6-route', 'policy route' => 'firewall name', - 'policy ipv6-route' => 'firewall ipv6-name'); + 'policy local-route' => 'firewall name', + 'policy ipv6-route' => 'firewall ipv6-name', + 'policy ipv6-local-route' => 'firewall ipv6-name'); # Send output of shell commands to syslog for debugging and so that 
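Review bot: In the `%other_tree` hunk, `policy local-route` and `policy ipv6-local-route` map to `firewall name`/`firewall ipv6-name`, but the reverse entries for `firewall name` and `firewall ipv6-name` still name only `policy route`/`policy ipv6-route`. How %other_tree is consumed is not visible here; if it is used symmetrically to detect a chain name present in both trees, the asymmetry is only harmless because the local-route nodes appear to reuse rule sets defined under `policy route` (the later `$tree_temp` remapping suggests that). A comment on the new entries, e.g. `# local-route nodes reference rule sets defined under "policy route", so they share its counterpart tree`, would record that assumption where the data lives.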
@@ -117,7 +130,15 @@ if ($#updateints == 4) { log_msg "updateints [$action][$int_name][$direction][$chain][$tree]"; my ($table, $iptables_cmd) = (undef, undef); - my $tree2 = chain_configured(1, $chain, $tree); + my $tree_temp = $tree; + if ($tree_temp eq "policy local-route") { + $tree_temp = "policy route"; + } + if ($tree_temp eq "policy ipv6-local-route") { + $tree_temp = "policy ipv6-route"; + } + + my $tree2 = chain_configured(1, $chain, $tree_temp); $table = $table_hash{$tree}; $iptables_cmd = $cmd_hash{$tree}; @@ -751,6 +772,9 @@ sub update_ints { /^out/ && do { $direction = $FW_OUT_HOOK; $interface = "--out-interface $int_name"; + if ($tree eq "policy local-route" || $tree eq "policy ipv6-local-route") { + $direction = $FW_LOCALOUT_HOOK; + } last CASE; }; @@ -895,6 +919,12 @@ sub setup_iptables { run_cmd("$iptables_cmd -t $table -N $FW_LOCAL_HOOK", 1); run_cmd("$iptables_cmd -t $table -I $lhook $insert_at -j $FW_LOCAL_HOOK", 1); } + # add VYATTA_FW_LOCALOUT_HOOK only in mangle table for PBR of locally initiated traffic + if ($table eq 'mangle') { + my $lohook = $localouthook_hash{$table}; + run_cmd("$iptables_cmd -t $table -N $FW_LOCALOUT_HOOK", 1); + run_cmd("$iptables_cmd -t $table -I $lohook $insert_at -j $FW_LOCALOUT_HOOK", 1); + } } # by default, nothing is tracked (the last rule in raw/PREROUTING). |
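Review bot: The `$tree_temp` remapping at the top of the updateints block says nothing about why a `policy local-route` request is checked against `policy route` chains, and the same two string comparisons are repeated in update_ints further down; keeping the mapping as data next to `%other_tree` lets both sites read off one table: `my %ruleset_tree_of = ('policy local-route' => 'policy route', 'policy ipv6-local-route' => 'policy ipv6-route');` and here `my $tree2 = chain_configured(1, $chain, $ruleset_tree_of{$tree} || $tree);`. A comment such as `# local-route nodes reference rule sets defined under "policy route"` should accompany it, since that dependency is otherwise implicit. `$table` and `$iptables_cmd` are still looked up with the original `$tree`, which is what the new %table_hash/%cmd_hash entries expect; the enclosing if-block starts before the hunk.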
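Review bot: Only the `/^out/` branch is taught about the local-route trees, so a local-route update requested with direction `in` falls through to the unchanged `/^in/` branch (outside the hunk) and is attached to the ordinary ingress hook of the mangle table, presumably with an interface match mirroring this branch, silently applying rules meant for locally generated traffic to received packets. The templates generated in this commit only pass `out` for these trees, but the script also takes its arguments from the command line, so a one-line guard at the start of update_ints (outside the hunk) that dies when the direction argument is not `out` and `$tree` is `policy local-route` or `policy ipv6-local-route` closes that gap. Keeping `--out-interface $int_name` for the OUTPUT hook is fine, since OUTPUT accepts an out-interface match; a short comment on the new `if`, e.g. `# locally generated traffic is hooked from mangle OUTPUT, not the egress interface hook`, would explain the override.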
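Review bot: The new block gates on the literal `$table eq 'mangle'` and then looks the chain up in `%localouthook_hash`, so the table-to-chain mapping lives in two places and `$lohook` is undef if they ever disagree, yielding an `-I  <n> -j ...` command with an empty chain name. Gating on the hash keeps one source of truth and matches the comment's stated intent: `if (my $lohook = $localouthook_hash{$table}) {`. Like the FW_LOCAL_HOOK lines above it, both commands run with the ignore-failure flag, so on a repeated setup the failed `-N` is swallowed while the `-I` would add a second jump; whatever guards the existing hooks against that is not visible here and should cover the new one as well. It is also worth a comment that hooking mangle OUTPUT lets these rule sets re-route the router's own traffic, including management sessions, which the PREROUTING-based hooks never did.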