diff options
| -rwxr-xr-x | scripts/firewall/vyatta-firewall.pl | 58 | ||||
| -rw-r--r-- | templates/firewall/name/node.tag/default-policy/node.def | 12 |
2 files changed, 62 insertions, 8 deletions
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl index 4c39156..3b5fa2a 100755 --- a/scripts/firewall/vyatta-firewall.pl +++ b/scripts/firewall/vyatta-firewall.pl @@ -51,6 +51,10 @@ my %ip_version_hash = ( 'name' => 'ipv4', 'modify' => 'ipv4', 'ipv6-modify' => 'ipv6'); +# mapping from vyatta 'default-policy' to iptables jump target +my %policy_hash = ( 'drop' => 'DROP', + 'accept' => 'VYATTA_POST_FW_HOOK', + 'continue' => 'RETURN'); # not implemented yet sub other_table { my $this = shift; @@ -191,8 +195,10 @@ sub update_rules { # Iterate through ruleset names under "name" or "modify" for my $name (keys %nodes) { - - log_msg "update_rules: status of node $name is $nodes{$name} \n"; + $config->setLevel("firewall $tree $name"); + my $policy = $config->returnValue("default-policy"); + my $old_policy = $config->returnOrigValue("default-policy"); + log_msg "update_rules: status of node $name is $nodes{$name} [$policy]\n"; if ($nodes{$name} eq "static") { # not changed. check if stateful. @@ -218,7 +224,7 @@ sub update_rules { . "Rule set name \"$name\" already used in \"$ctree\"\n"; exit 1; } - setup_chain($table, "$name", $iptables_cmd); + setup_chain($table, "$name", $iptables_cmd, $policy); # handle the rules below. } elsif ($nodes{$name} eq "deleted") { @@ -248,7 +254,6 @@ sub update_rules { # note that this clears the counters on the default DROP rule. # we could delete rule one by one if those are important. run_cmd("$iptables_cmd -t $table -F $name", 1, 1); - add_default_drop_rule($table, $name, $iptables_cmd); next; } @@ -333,8 +338,14 @@ sub update_rules { die "$iptables_cmd error: $! - $rule" if ($? >> 8); } } + + } # foreach rule + + if (defined $old_policy and $policy ne $old_policy) { + change_default_policy($table, $name, $iptables_cmd, $policy); } - } + + } # foreach name if ($stateful) { enable_fw_conntrack($iptables_cmd); @@ -549,11 +560,42 @@ sub setup_iptables { sub add_default_drop_rule { my ($table, $chain, $iptables_cmd) = @_; - run_cmd("$iptables_cmd -t $table -A $chain -m comment --comment \"$chain-1025\" -j DROP", 1, 1); + my $comment = "-m comment --comment \"$chain-1025\""; + run_cmd("$iptables_cmd -t $table -A $chain $comment -j DROP", 1, 1); } -sub setup_chain { +sub set_default_policy { + my ($table, $chain, $iptables_cmd, $policy) = @_; + + $policy = 'drop' if ! defined $policy; + my $target = $policy_hash{$policy}; + my $comment = "-m comment --comment \"$chain-1025\""; + run_cmd("$iptables_cmd -t $table -A $chain $comment -j $target", 1, 1); +} + +sub count_iptables_rules { my ($table, $chain, $iptables_cmd) = @_; + my @lines = `$iptables_cmd -t $table -L $chain -n --line`; + my $cnt = 0; + foreach my $line (@lines) { + $cnt++ if $line =~ /^\d/; + } + return $cnt; +} + +sub change_default_policy { + my ($table, $chain, $iptables_cmd, $policy) = @_; + + $policy = 'drop' if ! defined $policy; + my $target = $policy_hash{$policy}; + my $comment = "-m comment --comment \"$chain-1025\""; + my $default_rule = count_iptables_rules($table, $chain, $iptables_cmd); + run_cmd("$iptables_cmd -t $table -A $chain $comment -j $target", 1, 1); + run_cmd("$iptables_cmd -t $table -D $chain $default_rule", 1, 1); +} + +sub setup_chain { + my ($table, $chain, $iptables_cmd, $policy) = @_; my $configured = `$iptables_cmd -t $table -n -L $chain 2>&1 | head -1`; @@ -561,7 +603,7 @@ sub setup_chain { if (!/^Chain $chain/) { run_cmd("$iptables_cmd -t $table --new-chain $chain", 0, 0); die "iptables error: $table $chain --new-chain: $!" if ($? >> 8); - add_default_drop_rule($table, $chain, $iptables_cmd); + set_default_policy($table, $chain, $iptables_cmd, $policy); } } diff --git a/templates/firewall/name/node.tag/default-policy/node.def b/templates/firewall/name/node.tag/default-policy/node.def new file mode 100644 index 0000000..a02a288 --- /dev/null +++ b/templates/firewall/name/node.tag/default-policy/node.def @@ -0,0 +1,12 @@ +type: txt + +help: Set firewall default-policy + +default: "drop" + +syntax:expression: $VAR(@) in "drop", "accept"; + "default-policy must be either drop or accept" + +comp_help: possible completions: + drop Drop if no prior rules are hit + accept Accept if no prior rules are hit |