summaryrefslogtreecommitdiff
path: root/gen-interface-policy-templates.pl
diff options
context:
space:
mode:
Diffstat (limited to 'gen-interface-policy-templates.pl')
-rw-r--r--gen-interface-policy-templates.pl185
1 files changed, 185 insertions, 0 deletions
diff --git a/gen-interface-policy-templates.pl b/gen-interface-policy-templates.pl
new file mode 100644
index 0000000..9c7df42
--- /dev/null
+++ b/gen-interface-policy-templates.pl
@@ -0,0 +1,185 @@
+#!/usr/bin/perl
+#
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2009 Vyatta, Inc.
+# All Rights Reserved.
+#
+# Author: Bob Gilligan (gilligan@vyatta.com)
+# Date: March 2009
+# Description: Script to automatically generate per-interface firewall
+# templates.
+#
+# **** End License ****
+#
+use strict;
+use warnings;
+
+# Set to 1 to enable debug output.
+#
+my $debug = 0;
+
+# This hash maps the root of the tree of firewall templates for each interface
+# into the variable reference that each of the node.def files in that tree
+# will need to use to get the interface name. The keys of this hash are
+# the partial pathname under the config template tree "interfaces/".
+#
+my %interface_hash = (
+ 'adsl/node.tag/pvc/node.tag/bridged-ethernet' =>
+ '$VAR(../../../../@)',
+ 'adsl/node.tag/pvc/node.tag/classical-ipoa' => '$VAR(../../../../@)',
+ 'adsl/node.tag/pvc/node.tag/pppoa/node.tag' => 'pppoa$VAR(../../@)',
+ 'adsl/node.tag/pvc/node.tag/pppoe/node.tag' => 'pppoe$VAR(../../@)',
+
+ 'bonding/node.tag' => '$VAR(../../@)',
+ 'bonding/node.tag/vif/node.tag' => '$VAR(../../../@).$VAR(../../@)',
+
+ 'ethernet/node.tag' => '$VAR(../../@)',
+ 'ethernet/node.tag/pppoe/node.tag' => 'pppoe$VAR(../../@)',
+ 'ethernet/node.tag/vif/node.tag' => '$VAR(../../../@).$VAR(../../@)',
+ 'ethernet/node.tag/vif/node.tag/pppoe/node.tag' => 'pppoe$VAR(../../@)',
+ 'pseudo-ethernet/node.tag' => '$VAR(../../@)',
+ 'pseudo-ethernet/node.tag/vif/node.tag' => '$VAR(../../../@).$VAR(../../@)',
+
+ 'wireless/node.tag' => '$VAR(../../@)',
+ 'wireless/node.tag/vif/node.tag' => '$VAR(../../../@).$VAR(../../@)',
+
+ 'input/node.tag' => '$VAR(../../@)',
+ 'tunnel/node.tag' => '$VAR(../../@)',
+ 'bridge/node.tag' => '$VAR(../../@)',
+ 'openvpn/node.tag' => '$VAR(../../@)',
+
+ 'multilink/node.tag/vif/node.tag' => '$VAR(../../../@)',
+
+ 'serial/node.tag/cisco-hdlc/vif/node.tag' =>
+ '$VAR(../../../../@).$VAR(../../@)',
+ 'serial/node.tag/frame-relay/vif/node.tag' =>
+ '$VAR(../../../../@).$VAR(../../@)',
+ 'serial/node.tag/ppp/vif/node.tag' =>
+ '$VAR(../../../../@).$VAR(../../@)',
+
+ 'wirelessmodem/node.tag' => '$VAR(../../@)',
+);
+
+# The subdirectory where the generated templates will go
+my $template_subdir = "generated-templates/interfaces";
+
+# The name of the subdir under each interface holding the firewall tree
+my $firewall_subdir = "policy";
+
+# The name of the config file we will be writing.
+my $node_file = "node.def";
+
+sub mkdir_p {
+ my $path = shift;
+
+ return 1 if ( mkdir($path) );
+
+ my $pos = rindex( $path, "/" );
+ return unless $pos != -1;
+ return unless mkdir_p( substr( $path, 0, $pos ) );
+ return mkdir($path);
+}
+
+# Generate the template file located at the root of the firewall tree
+# under an interface. This template just provides a help message.
+#
+sub gen_firewall_template {
+ my ($if_tree) = @_;
+ my $path = "${template_subdir}/${if_tree}/${firewall_subdir}";
+
+ ( -d $path ) or mkdir_p($path)
+ or die "Can't make directory $path: $!";
+
+ open my $tp, '>', "$path/$node_file"
+ or die "Can't create $path/$node_file: $!";
+ print $tp "help: Policy route options\n";
+ close $tp
+ or die "Can't write $path/$node_file: $!";
+}
+
+# Map a firewall ruleset type into the string that we will use to describe
+# it in help messages.
+#
+my %table_help_hash = (
+ "route" => "IPv4 policy route",
+ "ipv6-route" => "IPv6 policy route",
+);
+
+my %config_association_hash = (
+ "route" => "\"policy route\"",
+ "ipv6-route" => "\"policy ipv6-route\"",
+);
+
+# Generate the template file at the leaf of the per-interface firewall tree.
+# This template contains all the code to activate or deactivate a firewall
+# ruleset on an interface for a particular ruleset type and direction.
+#
+sub gen_template {
+ my ( $if_tree, $table, $if_name ) = @_;
+
+ if ($debug) {
+ print "debug: table=$table\n";
+ }
+
+ my $template_dir =
+ "${template_subdir}/${if_tree}/${firewall_subdir}/${table}";
+
+ if ($debug) {
+ print "debug: template_dir=$template_dir\n";
+ }
+
+ ( -d $template_dir) or mkdir_p($template_dir)
+ or die "Can't make directory $template_dir: $!";
+
+ open my $tp, '>', "${template_dir}/${node_file}"
+ or die "Can't open ${template_dir}/${node_file}:$!";
+
+ print $tp <<EOF;
+type: txt
+help: $table_help_hash{$table} ruleset for interface
+allowed: local -a params
+ eval "params=(\$(cli-shell-api listActiveNodes policy $table))"
+ echo -n "\${params[@]}"
+create: ifname=$if_name
+ sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces \\
+ update \$ifname in \$VAR(@) $config_association_hash{$table}
+
+update: ifname=$if_name
+ sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces \\
+ update \$ifname in \$VAR(@) $config_association_hash{$table}
+
+
+delete: ifname=$if_name
+ sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces \\
+ delete \$ifname in \$VAR(@) $config_association_hash{$table}
+EOF
+
+ close $tp
+ or die "Can't write ${template_dir}/${node_file}:$!";
+}
+
+print "Generating policy templates...\n";
+
+foreach my $if_tree ( keys %interface_hash ) {
+ my $if_name = $interface_hash{$if_tree};
+
+ if ($debug) {
+ print "debug: if_tree=$if_tree if_name=$if_name \n";
+ }
+
+ gen_firewall_template($if_tree);
+ gen_template( $if_tree, "route", $if_name );
+ gen_template( $if_tree, "ipv6-route", $if_name );
+}
+
+print "Done.\n";