summaryrefslogtreecommitdiff
path: root/lib/Vyatta/IpTables
diff options
context:
space:
mode:
Diffstat (limited to 'lib/Vyatta/IpTables')
-rw-r--r--lib/Vyatta/IpTables/Mgr.pm101
1 files changed, 101 insertions, 0 deletions
diff --git a/lib/Vyatta/IpTables/Mgr.pm b/lib/Vyatta/IpTables/Mgr.pm
new file mode 100644
index 0000000..5381d34
--- /dev/null
+++ b/lib/Vyatta/IpTables/Mgr.pm
@@ -0,0 +1,101 @@
+#!/usr/bin/perl
+#
+# Module: Vyatta::IpTables::Mgr.pm
+#
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2010 Vyatta, Inc.
+# All Rights Reserved.
+#
+# Author: Stig Thormodsrud
+# Date: June 2010
+# Description: common iptables routines
+#
+# **** End License ****
+#
+
+package Vyatta::IpTables::Mgr;
+
+use strict;
+use warnings;
+
+use base 'Exporter';
+our @EXPORT = qw(ipt_find_chain_rule ipt_enable_conntrack
+ ipt_disable_conntrack);
+
+
+sub ipt_find_chain_rule {
+ my ($iptables_cmd, $table, $chain, $search) = @_;
+
+ my ($num, $chain2) = (undef, undef);
+ my $cmd = "$iptables_cmd -t $table -L $chain -vn --line";
+ my @lines = `$cmd 2> /dev/null | egrep ^[0-9]`;
+ if (scalar(@lines) < 1) {
+ return;
+ }
+ foreach my $line (@lines) {
+ ($num, undef, undef, $chain2) = split /\s+/, $line;
+ last if $chain2 eq $search;
+ ($num, $chain2) = (undef, undef);
+ }
+
+ return $num if defined $num;
+ return;
+}
+
+my %conntrack_hook_hash =
+ ('PREROUTING' => 'VYATTA_PRE_CT_PREROUTING_HOOK',
+ 'OUTPUT' => 'VYATTA_PRE_CT_OUTPUT_HOOK',
+ );
+
+sub ipt_enable_conntrack {
+ my ($iptables_cmd, $chain) = @_;
+
+ system("$iptables_cmd -t raw -L $chain -n >& /dev/null");
+
+ if ($? >> 8) {
+ # chain does not exist yet. set up conntrack.
+ system("$iptables_cmd -t raw -N $chain");
+ system("$iptables_cmd -t raw -A $chain -j ACCEPT");
+
+ foreach my $label ('PREROUTING', 'OUTPUT') {
+ my $index;
+ my $conntrack_hook = $conntrack_hook_hash{$label};
+ $index = ipt_find_chain_rule($iptables_cmd, 'raw',
+ $label, $conntrack_hook);
+ if (! defined($index)) {
+ print "Error: unable to find [$label] [$conntrack_hook]\n";
+ return 1;
+ }
+ $index++;
+ system("$iptables_cmd -t raw -I $label $index -j $chain");
+ }
+ }
+}
+
+sub ipt_disable_conntrack {
+ my ($iptables_cmd, $chain) = @_;
+
+ my @lines;
+ foreach my $label ('PREROUTING', 'OUTPUT') {
+ my $index;
+ my $conntrack_hook = $conntrack_hook_hash{$label};
+ $index = ipt_find_chain_rule($iptables_cmd, 'raw',
+ $label, $conntrack_hook);
+ system("$iptables_cmd -t raw -D $label $index");
+ }
+
+ system("$iptables_cmd -t raw -F $chain >& /dev/null");
+ system("$iptables_cmd -t raw -X $chain >& /dev/null");
+}
+
+1;