diff options
21 files changed, 174 insertions, 36 deletions
diff --git a/lib/Vyatta/IpTables/AddressFilter.pm b/lib/Vyatta/IpTables/AddressFilter.pm index 9100c24..9b3be53 100755 --- a/lib/Vyatta/IpTables/AddressFilter.pm +++ b/lib/Vyatta/IpTables/AddressFilter.pm @@ -238,31 +238,25 @@ sub rule { my ($port_str, $port_err)= getPortRuleString($self->{_port}, $can_use_port,($self->{_srcdst} eq "source") ? "s" : "d",$self->{_protocol}); return (undef, $port_err) if (!defined($port_str)); $rule .= $port_str; - # Handle groups last so we can check $group_ok - if ($self->{_ip_version} eq "ipv4") { - - # so far ipset only supports IPv4 - my %group_used = ('address' => 0, 'network' => 0); - foreach my $group_type ('address', 'network', 'port') { - my $var_name = '_' . $group_type . '_group'; - if (defined($self->{$var_name})) { - $group_used{$group_type} = 1; - my $name = $self->{$var_name}; - if (!$group_ok{$group_type}) { - return (undef, "Can't mix $self->{_srcdst} $group_type group [$name] and $group_type"); - } - my $group = new Vyatta::IpTables::IpSet($name, $group_type); - my ($set_rule, $err_str) = $group->rule($self->{_srcdst}); - return ($err_str,) if !defined $set_rule; - $rule .= $set_rule; + my %group_used = ('address' => 0, 'network' => 0); + foreach my $group_type ('address', 'network', 'port') { + my $var_name = '_' . $group_type . '_group'; + if (defined($self->{$var_name})) { + $group_used{$group_type} = 1; + my $name = $self->{$var_name}; + if (!$group_ok{$group_type}) { + return (undef, "Can't mix $self->{_srcdst} $group_type group [$name] and $group_type"); } - } - if ($group_used{address} and $group_used{network}) { - return (undef,"Can't combine network and address group for $self->{_srcdst}\n"); + my $group = new Vyatta::IpTables::IpSet($name, $group_type); + my ($set_rule, $err_str) = $group->rule($self->{_srcdst}); + return ($err_str,) if !defined $set_rule; + $rule .= $set_rule; } } - + if ($group_used{address} and $group_used{network}) { + return (undef,"Can't combine network and address group for $self->{_srcdst}\n"); + } return ($rule, undef); } diff --git a/lib/Vyatta/IpTables/IpSet.pm b/lib/Vyatta/IpTables/IpSet.pm index ea9bc8d..e293240 100755 --- a/lib/Vyatta/IpTables/IpSet.pm +++ b/lib/Vyatta/IpTables/IpSet.pm @@ -35,6 +35,7 @@ use warnings; my %fields = ( _name => undef, _type => undef, # vyatta group type, not ipset type + _family => undef, _exists => undef, _negate => undef, _debug => undef, @@ -65,7 +66,7 @@ sub INT_handler { $SIG{'INT'} = 'INT_handler'; sub new { - my ($that, $name, $type) = @_; + my ($that, $name, $type, $family) = @_; my $class = ref($that) || $that; my $self = {%fields,}; @@ -75,6 +76,7 @@ sub new { } $self->{_name} = $name; $self->{_type} = $type; + $self->{_family} = $family; bless $self, $class; return $self; @@ -192,7 +194,7 @@ sub create { $ipset_param .= ' --from 1 --to 65535'; } - my $cmd = "ipset -N $self->{_name} $ipset_param"; + my $cmd = "ipset -N $self->{_name} $ipset_param family $self->{_family}"; my $rc = $self->run_cmd($cmd); return "Error: call to ipset failed [$rc]" if $rc; return; # undef diff --git a/scripts/firewall/vyatta-ipset.pl b/scripts/firewall/vyatta-ipset.pl index b3fd806..f18237d 100755 --- a/scripts/firewall/vyatta-ipset.pl +++ b/scripts/firewall/vyatta-ipset.pl @@ -67,9 +67,9 @@ sub ipset_reset { } sub ipset_create { - my ($set_name, $set_type) = @_; + my ($set_name, $set_type, $set_family) = @_; - my $group = new Vyatta::IpTables::IpSet($set_name, $set_type); + my $group = new Vyatta::IpTables::IpSet($set_name, $set_type, $set_family); return $group->create(); } @@ -244,11 +244,30 @@ sub ipset_is_group_used { exit 1; } +sub ipset_is_group_defined { + my ($set_name, $set_type, $set_family) = @_; + my $cfg = new Vyatta::Config; + + die "Error: undefined set_name\n" if ! defined $set_name; + die "Error: undefined set_type\n" if ! defined $set_type; + die "Error: undefined set_family\n" if ! defined $set_family; + + my $gpath = ($set_family eq 'inet') ? "firewall ipv6-group $set_type-group" : "firewall group $set_type-group"; + my @groups = $cfg->listOrigNodes($gpath); + my $group; + foreach $group (@groups) { + if ($set_name eq $group) { + exit 1; + } + } + exit 0; +} + sub update_set { - my ($set_name, $set_type) = @_; + my ($set_name, $set_type, $set_family) = @_; my $cfg = new Vyatta::Config; my ($rc, $newset); - my $cpath = "firewall group $set_type-group $set_name"; + my $cpath = ($set_family eq 'inet') ? "firewall group $set_type-group $set_name" : "firewall ipv6-group $set_type-group $set_name"; if ($cfg->existsOrig($cpath)) { if (!$cfg->exists($cpath)) { # deleted @@ -258,7 +277,7 @@ sub update_set { } else { if ($cfg->exists($cpath)) { # added - return $rc if (($rc = ipset_create($set_name, $set_type))); + return $rc if (($rc = ipset_create($set_name, $set_type, $set_family))); $newset = 1; } else { # doesn't exist! should not happen @@ -367,11 +386,12 @@ sub show_port_groups { # # main # -my ($action, $set_name, $set_type, $member, $set_copy, $alias); +my ($action, $set_name, $set_type, $set_family, $member, $set_copy, $alias); GetOptions("action=s" => \$action, "set-name=s" => \$set_name, "set-type=s" => \$set_type, + "set-family=s" => \$set_family, "member=s" => \$member, "alias=s" => \$alias, "set-copy=s" => \$set_copy, @@ -386,7 +406,7 @@ show_network_groups() if $action eq 'show-network-groups'; $rc = ipset_reset($set_name, $set_type) if $action eq 'reset-set'; -$rc = ipset_create($set_name, $set_type) if $action eq 'create-set'; +$rc = ipset_create($set_name, $set_type, $set_family) if $action eq 'create-set'; $rc = ipset_delete($set_name) if $action eq 'delete-set'; @@ -411,8 +431,9 @@ $rc = ipset_is_group_deleted($set_name, $set_type) if $action eq 'is-group-deleted'; $rc = ipset_is_group_used($set_name, $set_type) if $action eq 'is-group-used'; +$rc = ipset_is_group_defined($set_name, $set_type, $set_family) if $action eq 'is-group-defined'; -$rc = update_set($set_name, $set_type) if $action eq 'update-set'; +$rc = update_set($set_name, $set_type, $set_family) if $action eq 'update-set'; $rc = prune_deleted_sets() if $action eq 'prune-deleted-sets'; if (defined $rc) { diff --git a/templates/firewall/group/address-group/node.def b/templates/firewall/group/address-group/node.def index 13b2e72..d89233d 100644 --- a/templates/firewall/group/address-group/node.def +++ b/templates/firewall/group/address-group/node.def @@ -15,7 +15,11 @@ syntax:expression: pattern $VAR(@) "^[^!]" ; \ syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ "Firewall group name cannot contain shell punctuation" +syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ + --set-type=address --set-family=inet"; \ + "Firewall group name already used as Ipv6 group address" + end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ - --set-name="$VAR(@)" --set-type=address; then + --set-name="$VAR(@)" --set-type=address --set-family=inet; then ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group address-group $VAR(@)" fi diff --git a/templates/firewall/group/network-group/node.def b/templates/firewall/group/network-group/node.def index 263a772..ed9810d 100644 --- a/templates/firewall/group/network-group/node.def +++ b/templates/firewall/group/network-group/node.def @@ -15,8 +15,12 @@ syntax:expression: pattern $VAR(@) "^[^!]" ; \ syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ "Firewall group name cannot contain shell punctuation" +syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ + --set-type=address --set-family=inet"; \ + "Firewall group name already used as Ipv6 group address" + end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ - --set-name="$VAR(@)" --set-type=network; then + --set-name="$VAR(@)" --set-type=network --set-family=inet; then ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group network-group $VAR(@)" fi diff --git a/templates/firewall/ipv6-group/address-group/node.def b/templates/firewall/ipv6-group/address-group/node.def new file mode 100644 index 0000000..b61f784 --- /dev/null +++ b/templates/firewall/ipv6-group/address-group/node.def @@ -0,0 +1,25 @@ +tag: +priority: 200 +type: txt +help: Firewall address-group + +syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \ + "Firewall group name must be 31 characters or less" + +syntax:expression: pattern $VAR(@) "^[^-]" ; \ + "Firewall group name cannot start with \"-\"" + +syntax:expression: pattern $VAR(@) "^[^!]" ; \ + "Firewall group name cannot start with \"!\"" + +syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ + "Firewall group name cannot contain shell punctuation" + +syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ + --set-type=address --set-family=inet6"; \ + "Firewall group name already used as Ipv4 group address" + +end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ + --set-name="$VAR(@)" --set-type=address --set-family=inet6; then + ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group address-group $VAR(@)" + fi diff --git a/templates/firewall/ipv6-group/address-group/node.tag/address/node.def b/templates/firewall/ipv6-group/address-group/node.tag/address/node.def new file mode 100644 index 0000000..ba944e6 --- /dev/null +++ b/templates/firewall/ipv6-group/address-group/node.tag/address/node.def @@ -0,0 +1,6 @@ +multi: +type: txt +help: Address-group member +val_help: ipv6; IPv6 address to match + +syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" diff --git a/templates/firewall/ipv6-group/address-group/node.tag/description/node.def b/templates/firewall/ipv6-group/address-group/node.tag/description/node.def new file mode 100644 index 0000000..032553a --- /dev/null +++ b/templates/firewall/ipv6-group/address-group/node.tag/description/node.def @@ -0,0 +1,2 @@ +type: txt +help: IPv6 Address-group description diff --git a/templates/firewall/ipv6-group/network-group/node.def b/templates/firewall/ipv6-group/network-group/node.def new file mode 100644 index 0000000..90383c2 --- /dev/null +++ b/templates/firewall/ipv6-group/network-group/node.def @@ -0,0 +1,21 @@ +tag: +priority: 200 +type: txt +help: Firewall network-group + +syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \ + "Firewall group name must be 31 characters or less" + +syntax:expression: pattern $VAR(@) "^[^-]" ; \ + "Firewall group name cannot start with \"-\"" + +syntax:expression: pattern $VAR(@) "^[^!]" ; \ + "Firewall group name cannot start with \"!\"" + +syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ + "Firewall group name cannot contain shell punctuation" + +end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ + --set-name="$VAR(@)" --set-type=network --set-family=inet6; then + ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall ipv6-group network-group $VAR(@)" + fi diff --git a/templates/firewall/ipv6-group/network-group/node.tag/description/node.def b/templates/firewall/ipv6-group/network-group/node.tag/description/node.def new file mode 100644 index 0000000..52bb8e4 --- /dev/null +++ b/templates/firewall/ipv6-group/network-group/node.tag/description/node.def @@ -0,0 +1,2 @@ +type: txt +help: Network-group description diff --git a/templates/firewall/ipv6-group/network-group/node.tag/network/node.def b/templates/firewall/ipv6-group/network-group/node.tag/network/node.def new file mode 100644 index 0000000..879a164 --- /dev/null +++ b/templates/firewall/ipv6-group/network-group/node.tag/network/node.def @@ -0,0 +1,8 @@ +multi: +type: ipv6net +help: Network-group member +val_help: ipv6net; IPv6 Subnet to match + +syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" + +syntax:expression: exec "/opt/vyatta/sbin/check_prefix_boundary $VAR(@)" diff --git a/templates/firewall/ipv6-group/node.def b/templates/firewall/ipv6-group/node.def new file mode 100644 index 0000000..3c87f34 --- /dev/null +++ b/templates/firewall/ipv6-group/node.def @@ -0,0 +1 @@ +help: IPv6 Firewall group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def new file mode 100644 index 0000000..71a4326 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def @@ -0,0 +1,9 @@ +type: txt +help: Group of addresses + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=address;" + +allowed: cli-shell-api listNodes firewall ipv6-group address-group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def new file mode 100644 index 0000000..b3e2718 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def @@ -0,0 +1,8 @@ +type: txt +help: Group of networks + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=network;" +allowed: cli-shell-api listNodes firewall ipv6-group network-group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/node.def new file mode 100644 index 0000000..bb11dae --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/node.def @@ -0,0 +1 @@ +help: Destination group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/port-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/port-group/node.def new file mode 100644 index 0000000..985302b --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/port-group/node.def @@ -0,0 +1,8 @@ +type: txt +help: Group of ports + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=port;" +allowed: cli-shell-api listNodes firewall group port-group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def new file mode 100644 index 0000000..63f0540 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def @@ -0,0 +1,8 @@ +type: txt +help: Group of addresses + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=address;" +allowed: cli-shell-api listNodes firewall ipv6-group address-group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def new file mode 100644 index 0000000..b3e2718 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def @@ -0,0 +1,8 @@ +type: txt +help: Group of networks + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=network;" +allowed: cli-shell-api listNodes firewall ipv6-group network-group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/node.def new file mode 100644 index 0000000..7b36071 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/node.def @@ -0,0 +1 @@ +help: Source group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/port-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/port-group/node.def new file mode 100644 index 0000000..985302b --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/port-group/node.def @@ -0,0 +1,8 @@ +type: txt +help: Group of ports + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=port;" +allowed: cli-shell-api listNodes firewall group port-group diff --git a/templates/firewall/node.def b/templates/firewall/node.def deleted file mode 100644 index ef135d6..0000000 --- a/templates/firewall/node.def +++ /dev/null @@ -1,3 +0,0 @@ -priority: 199 -help: Firewall -end: ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="$VAR(@)"
\ No newline at end of file |