Diffstat (limited to 'scripts/firewall')
-rwxr-xr-xscripts/firewall/vyatta-firewall-trap.pl6
-rwxr-xr-xscripts/firewall/vyatta-firewall.pl70
-rwxr-xr-xscripts/firewall/vyatta-fw-global-state-policy.pl36
-rwxr-xr-xscripts/firewall/vyatta-ipset.pl50
4 files changed, 81 insertions, 81 deletions
diff --git a/scripts/firewall/vyatta-firewall-trap.pl b/scripts/firewall/vyatta-firewall-trap.pl
index 159feea..0be4e4c 100755
--- a/scripts/firewall/vyatta-firewall-trap.pl
+++ b/scripts/firewall/vyatta-firewall-trap.pl
@@ -46,9 +46,9 @@ my $syslog_flag = 1;
my $cfglevel;
-GetOptions("level=s" => \$cfglevel,
- "debug" => \$debug_flag,
- "syslog" => \$syslog_flag
+GetOptions("level=s" => \$cfglevel,
+ "debug" => \$debug_flag,
+ "syslog" => \$syslog_flag
);
openlog("firewall-trap", "pid", "user") if $syslog_flag;
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl
index e6fa85a..1264962 100755
--- a/scripts/firewall/vyatta-firewall.pl
+++ b/scripts/firewall/vyatta-firewall.pl
@@ -22,8 +22,8 @@ my $fw_stateful_file = '/var/run/vyatta_fw_stateful';
my $fw_tree_file = '/var/run/vyatta_fw_trees';
my $policy_ref_file = '/var/run/vyatta_policy_ref';
-my $FW_IN_HOOK = 'VYATTA_FW_IN_HOOK';
-my $FW_OUT_HOOK = 'VYATTA_FW_OUT_HOOK';
+my $FW_IN_HOOK = 'VYATTA_FW_IN_HOOK';
+my $FW_OUT_HOOK = 'VYATTA_FW_OUT_HOOK';
my $FW_LOCAL_HOOK = 'VYATTA_FW_LOCAL_HOOK';
# FW_LOCALOUT_HOOK is only used in mangle table for PBR of locally initiated traffic
@@ -34,23 +34,23 @@ my (@setup, @updateints, @updaterules);
my ($teardown, $teardown_ok);
GetOptions(
- "setup=s{2}" => \@setup,
- "teardown=s" => \$teardown,
- "teardown-ok=s" => \$teardown_ok,
- "update-rules=s{2}" => \@updaterules,
+ "setup=s{2}" => \@setup,
+ "teardown=s" => \$teardown,
+ "teardown-ok=s" => \$teardown_ok,
+ "update-rules=s{2}" => \@updaterules,
"update-interfaces=s{5}" => \@updateints,
- "debug" => \$debug_flag,
- "syslog" => \$syslog_flag
+ "debug" => \$debug_flag,
+ "syslog" => \$syslog_flag
);
# mapping from config node to iptables/ip6tables table
my %table_hash = (
- 'firewall name' => 'filter',
- 'firewall ipv6-name' => 'filter',
- 'policy route' => 'mangle',
- 'policy local-route' => 'mangle',
- 'policy ipv6-route' => 'mangle',
- 'policy ipv6-local-route' => 'mangle'
+ 'firewall name' => 'filter',
+ 'firewall ipv6-name' => 'filter',
+ 'policy route' => 'mangle',
+ 'policy local-route' => 'mangle',
+ 'policy ipv6-route' => 'mangle',
+ 'policy ipv6-local-route' => 'mangle'
);
# mapping from config node to iptables command. Note that this table
@@ -58,22 +58,22 @@ my %table_hash = (
# keys of %table_hash can use the same keys to find the value associated
# with the key in this table.
my %cmd_hash = (
- 'firewall name' => 'iptables',
- 'firewall ipv6-name' => 'ip6tables',
- 'policy route' => 'iptables',
- 'policy local-route' => 'iptables',
- 'policy ipv6-route' => 'ip6tables',
- 'policy ipv6-local-route' => 'ip6tables'
+ 'firewall name' => 'iptables',
+ 'firewall ipv6-name' => 'ip6tables',
+ 'policy route' => 'iptables',
+ 'policy local-route' => 'iptables',
+ 'policy ipv6-route' => 'ip6tables',
+ 'policy ipv6-local-route' => 'ip6tables'
);
# mapping from config node to IP version string.
my %ip_version_hash = (
- 'firewall name' => 'ipv4',
- 'firewall ipv6-name' => 'ipv6',
- 'policy route' => 'ipv4',
- 'policy local-route' => 'ipv4',
- 'policy ipv6-route' => 'ipv6',
- 'policy ipv6-local-route' => 'ipv6'
+ 'firewall name' => 'ipv4',
+ 'firewall ipv6-name' => 'ipv6',
+ 'policy route' => 'ipv4',
+ 'policy local-route' => 'ipv4',
+ 'policy ipv6-route' => 'ipv6',
+ 'policy ipv6-local-route' => 'ipv6'
);
# mapping from firewall tree to builtin chain for input
@@ -102,12 +102,12 @@ my %policy_hash = (
);
my %other_tree = (
- 'firewall name' => 'policy route',
- 'firewall ipv6-name' => 'policy ipv6-route',
- 'policy route' => 'firewall name',
- 'policy local-route' => 'firewall name',
- 'policy ipv6-route' => 'firewall ipv6-name',
- 'policy ipv6-local-route' => 'firewall ipv6-name'
+ 'firewall name' => 'policy route',
+ 'firewall ipv6-name' => 'policy ipv6-route',
+ 'policy route' => 'firewall name',
+ 'policy local-route' => 'firewall name',
+ 'policy ipv6-route' => 'firewall ipv6-name',
+ 'policy ipv6-local-route' => 'firewall ipv6-name'
);
# Send output of shell commands to syslog for debugging and so that
@@ -496,9 +496,9 @@ sub flush_route_table {
}
sub update_rules {
- my ($tree, $name) = @_; # name, modify, ipv6-name or ipv6-modify
- my $table = $table_hash{$tree}; # "filter" or "mangle"
- my $iptables_cmd = $cmd_hash{$tree}; # "iptables" or "ip6tables"
+ my ($tree, $name) = @_; # name, modify, ipv6-name or ipv6-modify
+ my $table = $table_hash{$tree}; # "filter" or "mangle"
+ my $iptables_cmd = $cmd_hash{$tree}; # "iptables" or "ip6tables"
my $config = new Vyatta::Config;
my %nodes = ();
diff --git a/scripts/firewall/vyatta-fw-global-state-policy.pl b/scripts/firewall/vyatta-fw-global-state-policy.pl
index 526c1a1..859b810 100755
--- a/scripts/firewall/vyatta-fw-global-state-policy.pl
+++ b/scripts/firewall/vyatta-fw-global-state-policy.pl
@@ -33,12 +33,12 @@ use Getopt::Long;
use Sys::Syslog qw(:standard :macros);
# mapping from config node to iptables command
-our %cmd_hash = ( 'name' => '/sbin/iptables',
- 'ipv6-name' => '/sbin/ip6tables');
+our %cmd_hash = ( 'name' => '/sbin/iptables',
+ 'ipv6-name' => '/sbin/ip6tables');
# mapping from config node to iptables/ip6tables table
-our %table_hash = ( 'name' => 'filter',
- 'ipv6-name' => 'filter');
+our %table_hash = ( 'name' => 'filter',
+ 'ipv6-name' => 'filter');
# pre FW hooks in iptables' INPUT, OUTPUT and FORWARD chains
our %pre_fw_hooks_hash = ( 'INPUT' => 'VYATTA_PRE_FW_IN_HOOK',
@@ -56,15 +56,15 @@ our %state_policy_chains_hash = ( 'INPUT' => 'VYATTA_STATE_POLICY_IN_HOOK',
'OUTPUT' => 'VYATTA_STATE_POLICY_OUT_HOOK');
# state actions
-our %state_action_hash = ( 'drop' => 'DROP',
- 'reject' => 'REJECT',
- 'accept' => 'JUMP_TO_INDIVIDUAL_POST_FW_HOOK',
- 'log' => 'LOG');
+our %state_action_hash = ( 'drop' => 'DROP',
+ 'reject' => 'REJECT',
+ 'accept' => 'JUMP_TO_INDIVIDUAL_POST_FW_HOOK',
+ 'log' => 'LOG');
# state actions' log abbreviations
-our %state_log_abbr_hash = ( 'drop' => 'D',
- 'reject' => 'R',
- 'accept' => 'A');
+our %state_log_abbr_hash = ( 'drop' => 'D',
+ 'reject' => 'R',
+ 'accept' => 'A');
# imp to maintain order of this array since this is the
# order we want to insert rules into state-policy chains
@@ -271,22 +271,22 @@ sub state_policy_validity_checks {
my ($action, $state, $state_action);
-GetOptions("action=s" => \$action,
- "state=s" => \$state,
- "state-action=s" => \$state_action,
+GetOptions("action=s" => \$action,
+ "state=s" => \$state,
+ "state-action=s" => \$state_action,
);
die "undefined action" if ! defined $action;
my ($error, $warning);
-($error, $warning) = setup_state_policy() if $action eq 'setup-state-policy';
+($error, $warning) = setup_state_policy() if $action eq 'setup-state-policy';
-($error, $warning) = teardown_state_policy() if $action eq 'teardown-state-policy';
+($error, $warning) = teardown_state_policy() if $action eq 'teardown-state-policy';
-($error, $warning) = set_state_actions() if $action eq 'set-state-actions';
+($error, $warning) = set_state_actions() if $action eq 'set-state-actions';
-($error, $warning) = enable_disable_conntrack($state) if $action eq 'enable-disable-conntrack';
+($error, $warning) = enable_disable_conntrack($state) if $action eq 'enable-disable-conntrack';
($error, $warning) = state_policy_validity_checks($state) if $action eq 'state-policy-validity-checks';
diff --git a/scripts/firewall/vyatta-ipset.pl b/scripts/firewall/vyatta-ipset.pl
index 0a079f3..e206902 100755
--- a/scripts/firewall/vyatta-ipset.pl
+++ b/scripts/firewall/vyatta-ipset.pl
@@ -430,55 +430,55 @@ sub check_duplicates {
#
my ($action, $set_name, $set_type, $set_family, $member, $set_copy, $alias);
-GetOptions("action=s" => \$action,
- "set-name=s" => \$set_name,
- "set-type=s" => \$set_type,
+GetOptions("action=s" => \$action,
+ "set-name=s" => \$set_name,
+ "set-type=s" => \$set_type,
"set-family=s" => \$set_family,
- "member=s" => \$member,
- "alias=s" => \$alias,
- "set-copy=s" => \$set_copy,
+ "member=s" => \$member,
+ "alias=s" => \$alias,
+ "set-copy=s" => \$set_copy,
);
die "undefined action" if ! defined $action;
my $rc;
-show_port_groups() if $action eq 'show-port-groups';
+show_port_groups() if $action eq 'show-port-groups';
show_address_groups() if $action eq 'show-address-groups';
show_network_groups() if $action eq 'show-network-groups';
-$rc = ipset_reset($set_name, $set_type) if $action eq 'reset-set';
+$rc = ipset_reset($set_name, $set_type) if $action eq 'reset-set';
-$rc = ipset_create($set_name, $set_type, $set_family) if $action eq 'create-set';
+$rc = ipset_create($set_name, $set_type, $set_family) if $action eq 'create-set';
-$rc = ipset_delete($set_name) if $action eq 'delete-set';
+$rc = ipset_delete($set_name) if $action eq 'delete-set';
-$rc = ipset_check_member($set_name, $set_type, $member)
- if $action eq 'check-member';
+$rc = ipset_check_member($set_name, $set_type, $member) if $action eq 'check-member';
-$rc = ipset_add_member($set_name, $member, $alias, $set_type) if $action eq 'add-member';
+$rc = ipset_add_member($set_name, $member, $alias, $set_type) if $action eq 'add-member';
-$rc = ipset_delete_member($set_name, $member) if $action eq 'delete-member';
+$rc = ipset_delete_member($set_name, $member) if $action eq 'delete-member';
-$rc = ipset_check_set_type($set_name, $set_type) if $action eq 'check-set-type';
+$rc = ipset_check_set_type($set_name, $set_type) if $action eq 'check-set-type';
-$rc = ipset_show_members($set_name) if $action eq 'show-set-members';
+$rc = ipset_show_members($set_name) if $action eq 'show-set-members';
-$rc = ipset_show_sets() if $action eq 'show-sets';
+$rc = ipset_show_sets() if $action eq 'show-sets';
-$rc = ipset_is_set_empty($set_name) if $action eq 'is-set-empty';
+$rc = ipset_is_set_empty($set_name) if $action eq 'is-set-empty';
-$rc = ipset_copy_set($set_name, $set_type, $set_copy) if $action eq 'copy-set';
+$rc = ipset_copy_set($set_name, $set_type, $set_copy) if $action eq 'copy-set';
-$rc = ipset_is_group_deleted($set_name, $set_type)
- if $action eq 'is-group-deleted';
+$rc = ipset_is_group_deleted($set_name, $set_type) if $action eq 'is-group-deleted';
+
+$rc = ipset_is_group_used($set_name, $set_type) if $action eq 'is-group-used';
-$rc = ipset_is_group_used($set_name, $set_type) if $action eq 'is-group-used';
$rc = ipset_is_group_defined($set_name, $set_type, $set_family) if $action eq 'is-group-defined';
-$rc = update_set($set_name, $set_type, $set_family) if $action eq 'update-set';
-$rc = prune_deleted_sets() if $action eq 'prune-deleted-sets';
+$rc = update_set($set_name, $set_type, $set_family) if $action eq 'update-set';
+
+$rc = prune_deleted_sets() if $action eq 'prune-deleted-sets';
-$rc = check_duplicates($set_name, $set_type, $set_family) if $action eq 'check-duplicates';
+$rc = check_duplicates($set_name, $set_type, $set_family) if $action eq 'check-duplicates';
if (defined $rc) {
print $rc;