Diffstat (limited to 'scripts/firewall')
-rw-r--r-- | scripts/firewall/firewall.init.in | 6 | ||||
-rwxr-xr-x | scripts/firewall/vyatta-firewall-trap.pl | 2 | ||||
-rwxr-xr-x | scripts/firewall/vyatta-firewall.pl | 6 | ||||
-rwxr-xr-x | scripts/firewall/vyatta-ipset.pl | 40 |
4 files changed, 35 insertions, 19 deletions
diff --git a/scripts/firewall/firewall.init.in b/scripts/firewall/firewall.init.in
index 30614bf..98ed54a 100644
--- a/scripts/firewall/firewall.init.in
+++ b/scripts/firewall/firewall.init.in
@@ -62,9 +62,9 @@ start () {
 # user space helpers chain, enables helpers using iptables --helper.
 # FTP, sip and h323 to use this chain later on.
 iptables -t raw -N VYATTA_CT_HELPER
- /usr/sbin/nfct add helper rpc inet tcp
- /usr/sbin/nfct add helper rpc inet udp
- /usr/sbin/nfct add helper tns inet tcp
+ /usr/sbin/nfct helper add rpc inet tcp
+ /usr/sbin/nfct helper add rpc inet udp
+ /usr/sbin/nfct helper add tns inet tcp
 iptables -t raw -I VYATTA_CT_HELPER -p tcp --dport 111 -j CT --helper rpc
 iptables -t raw -I VYATTA_CT_HELPER -p udp --dport 111 -j CT --helper rpc
 iptables -t raw -I VYATTA_CT_HELPER -p tcp --dport 1521 -j CT --helper tns
diff --git a/scripts/firewall/vyatta-firewall-trap.pl b/scripts/firewall/vyatta-firewall-trap.pl
index 5a19f7d..159feea 100755
--- a/scripts/firewall/vyatta-firewall-trap.pl
+++ b/scripts/firewall/vyatta-firewall-trap.pl
@@ -280,7 +280,7 @@ my $config = new Vyatta::Config;
 exit 0 if ! is_trap_enabled($config);
 # Detect system startup (i.e., no snmpd running) and just exit.
-my $snmpd_service = `/usr/sbin/invoke-rc.d snmpd status 2> /dev/null`;
+my $snmpd_service = `systemctl status snmpd.service 2> /dev/null`;
 exit 0 if (! $snmpd_service =~ m/snmpd is running/);
 # If no trap-targets configured just exit.
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl
index c2727cc..f770719 100755
--- a/scripts/firewall/vyatta-firewall.pl
+++ b/scripts/firewall/vyatta-firewall.pl
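Review bot: The three rewritten nfct invocations still run unchecked, so if the helper registration fails (nfct missing, or the userspace-helper support absent from the running kernel) start() carries on and inserts the `-j CT --helper rpc` / `--helper tns` rules that reference helpers which were never registered. A minimal guard keeps the failure visible without changing flow: `/usr/sbin/nfct helper add rpc inet tcp || echo "firewall: nfct helper add rpc/tcp failed" >&2`, applied to each of the three lines. start() begins and ends outside the hunk, so whether the script runs under `set -e` or logs elsewhere cannot be seen here.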
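Review bot: The startup check on the line after the replaced backtick still looks for `snmpd is running`, a string that `systemctl status` never prints (it reports `Active: active (running)`), so with the new command the guard can no longer fire; it was already ineffective before, because `!` binds tighter than `=~` and `(! $snmpd_service) =~ m/.../` matches a constant against the pattern. Since the script only needs to know whether the unit is active, replacing both lines with `exit 0 if system('systemctl', 'is-active', '--quiet', 'snmpd.service') != 0;` uses the exit status instead of parsing human-readable output and avoids the shell entirely. The surrounding top-level code continues outside the hunk.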
@@ -553,12 +553,6 @@ sub update_rules {
 Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: $err_str\n");
 exit 1;
 }
- } elsif ("$test_rule_hash{$test_rule}" eq 'deleted') {
- if (Vyatta::IpTables::Mgr::chain_referenced($table, $name, $iptables_cmd)) {
- # Disallow deleting a chain if it's still referenced
- Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: Cannot delete rule set \"$name\" (still in use)\n");
- exit 1;
- }
 }
 }
diff --git a/scripts/firewall/vyatta-ipset.pl b/scripts/firewall/vyatta-ipset.pl
index 1fa432b..0b7b365 100755
--- a/scripts/firewall/vyatta-ipset.pl
+++ b/scripts/firewall/vyatta-ipset.pl
@@ -67,9 +67,9 @@ sub ipset_reset {
 }
 sub ipset_create {
- my ($set_name, $set_type) = @_;
+ my ($set_name, $set_type, $set_family) = @_;
- my $group = new Vyatta::IpTables::IpSet($set_name, $set_type);
+ my $group = new Vyatta::IpTables::IpSet($set_name, $set_type, $set_family);
 return $group->create();
 }
@@ -235,11 +235,30 @@ sub ipset_is_group_used {
 exit 1;
 }
+sub ipset_is_group_defined {
+ my ($set_name, $set_type, $set_family) = @_;
+ my $cfg = new Vyatta::Config;
+
+ die "Error: undefined set_name\n" if ! defined $set_name;
+ die "Error: undefined set_type\n" if ! defined $set_type;
+ die "Error: undefined set_family\n" if ! defined $set_family;
+
+ my $gpath = ($set_family eq 'inet') ? "firewall group ipv6-$set_type-group" : "firewall group $set_type-group";
+ my @groups = $cfg->listOrigNodes($gpath);
+ my $group;
+ foreach $group (@groups) {
+ if ($set_name eq $group) {
+ exit 1;
+ }
+ }
+ exit 0;
+}
+
+sub update_set {
- my ($set_name, $set_type) = @_;
+ my ($set_name, $set_type, $set_family) = @_;
 my $cfg = new Vyatta::Config;
 my ($rc, $newset);
- my $cpath = "firewall group $set_type-group $set_name";
+ my $cpath = ($set_family eq 'inet') ? "firewall group $set_type-group $set_name" : "firewall group ipv6-$set_type-group $set_name";
 if ($cfg->existsOrig($cpath)) {
 if (!$cfg->exists($cpath)) {
 # deleted
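Review bot: `$set_family` is forwarded into the IpSet constructor here and compared with `eq 'inet'` in update_set without ever being defaulted, yet any caller that omits the new `--set-family` option passes undef: update_set then falls through to the `ipv6-` path for what used to be a plain IPv4 group, and the GetOptions hunk later in this file adds the option with no default either. Defaulting once after option parsing, `$set_family = 'inet' unless defined $set_family;`, keeps the existing call sites on their previous behaviour; whether `Vyatta::IpTables::IpSet->new` itself tolerates undef cannot be seen from here. As a point of style the new call could be written `Vyatta::IpTables::IpSet->new($set_name, $set_type, $set_family)` rather than indirect-object `new Class(...)`, although the rest of the file uses the older form.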
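Review bot: The `$gpath` selection in the new ipset_is_group_defined is inverted relative to the rest of this commit: `inet` is mapped to `firewall group ipv6-$set_type-group` here, while update_set just below (and prune_deleted_sets) map `inet` to the plain `firewall group $set_type-group` path, so an IPv4 group is looked up under the IPv6 tree and vice versa. The line should read `my $gpath = ($set_family eq 'inet') ? "firewall group $set_type-group" : "firewall group ipv6-$set_type-group";`. The loop that follows can also be reduced to `exit 1 if grep { $_ eq $set_name } $cfg->listOrigNodes($gpath);`, which removes the separately declared `$group` and the `@groups` temporary. update_set's body continues outside the hunk.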
@@ -249,7 +268,7 @@ sub update_set {
 } else {
 if ($cfg->exists($cpath)) {
 # added
- return $rc if (($rc = ipset_create($set_name, $set_type)));
+ return $rc if (($rc = ipset_create($set_name, $set_type, $set_family)));
 $newset = 1;
 } else {
 # doesn't exist! should not happen
@@ -322,7 +341,8 @@ sub prune_deleted_sets {
 # only try groups with no references
 if ($group->exists() && ($group->references() == 0)) {
 my $type = $group->get_type();
- $cfg->setLevel("firewall group $type-group");
+ my $family = $group->get_family();
+ ($family eq 'inet') ? $cfg->setLevel("firewall group $type-group") : $cfg->setLevel("firewall group ipv6-$type-group");
 next if ($cfg->isEffective($set)); # don't prune if still in config
 my $rc;
 $rc = ipset_delete($set);
@@ -358,11 +378,12 @@ sub show_port_groups {
 #
 # main
 #
-my ($action, $set_name, $set_type, $member, $set_copy, $alias);
+my ($action, $set_name, $set_type, $set_family, $member, $set_copy, $alias);
 GetOptions("action=s" => \$action,
 "set-name=s" => \$set_name,
 "set-type=s" => \$set_type,
+ "set-family=s" => \$set_family,
 "member=s" => \$member,
 "alias=s" => \$alias,
 "set-copy=s" => \$set_copy,
@@ -377,7 +398,7 @@ show_network_groups() if $action eq 'show-network-groups';
 $rc = ipset_reset($set_name, $set_type) if $action eq 'reset-set';
-$rc = ipset_create($set_name, $set_type) if $action eq 'create-set';
+$rc = ipset_create($set_name, $set_type, $set_family) if $action eq 'create-set';
 $rc = ipset_delete($set_name) if $action eq 'delete-set';
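Review bot: The added `($family eq 'inet') ? $cfg->setLevel(...) : $cfg->setLevel(...)` in prune_deleted_sets is a ternary in void context used purely for its side effect, which reads as an expression but is really an if/else; choosing the path first and calling setLevel once, `my $level = ($family eq 'inet') ? "firewall group $type-group" : "firewall group ipv6-$type-group";` followed by `$cfg->setLevel($level);`, leaves a single call site and matches how update_set builds `$cpath`. prune_deleted_sets starts and ends outside the hunk, so what `get_family()` returns for sets created before this change cannot be seen here; if it can be undef, `$family eq 'inet'` silently selects the ipv6 level.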
@@ -399,8 +420,9 @@ $rc = ipset_is_group_deleted($set_name, $set_type) if $action eq 'is-group-deleted';
 $rc = ipset_is_group_used($set_name, $set_type) if $action eq 'is-group-used';
+$rc = ipset_is_group_defined($set_name, $set_type, $set_family) if $action eq 'is-group-defined';
-$rc = update_set($set_name, $set_type) if $action eq 'update-set';
+$rc = update_set($set_name, $set_type, $set_family) if $action eq 'update-set';
 $rc = prune_deleted_sets() if $action eq 'prune-deleted-sets';
 if (defined $rc) { |