-rw-r--r--templates/firewall/group/address-group/node.def11
-rw-r--r--templates/firewall/group/address-group/node.tag/address/node.def93
-rw-r--r--templates/firewall/group/network-group/node.def10
-rw-r--r--templates/firewall/group/network-group/node.tag/network/node.def18
-rw-r--r--templates/firewall/group/port-group/node.def11
-rw-r--r--templates/firewall/group/port-group/node.tag/port/node.def87
-rw-r--r--templates/firewall/modify/node.def1
-rw-r--r--templates/firewall/name/node.def1
-rw-r--r--templates/firewall/node.def2
9 files changed, 9 insertions, 225 deletions
diff --git a/templates/firewall/group/address-group/node.def b/templates/firewall/group/address-group/node.def
index 40462fa..5b2e510 100644
--- a/templates/firewall/group/address-group/node.def
+++ b/templates/firewall/group/address-group/node.def
@@ -15,12 +15,5 @@ syntax:expression: pattern $VAR(@) "^[^!]" ; \
syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \
"Firewall group name cannot contain shell punctuation"
-create: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
- --action=create-set \
- --set-type=address \
- --set-name="$VAR(@)"
-
-
-delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
- --action=delete-set \
- --set-name="$VAR(@)"
+end: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \
+ --set-name="$VAR(@)" --set-type=address
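Review bot: The new `end:` action on the last two lines is now the only hook on the group node, so creating the set, resyncing its members and removing it on delete all depend on how `update-set` behaves when the node has just been deleted, and the template no longer records that contract. From the rest of this change, the actual removal of ipsets appears to be deferred to `prune-deleted-sets`, which is only called from the `end:` scripts of `firewall name` and `firewall modify`; if that reading is right, a commit that merely deletes an unreferenced group would leave its ipset in the kernel until a later rule change (this may instead be handled inside `update-set` itself, so please confirm). A short comment above the action would make the intent explicit, e.g. `# end: fires on create, change and delete of the group; update-set creates/resyncs the set and marks a deleted group for removal by prune-deleted-sets`. The same replacement appears in the network-group and port-group `node.def` hunks below and would take the same comment.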
diff --git a/templates/firewall/group/address-group/node.tag/address/node.def b/templates/firewall/group/address-group/node.tag/address/node.def
index a04dd5b..2629b9d 100644
--- a/templates/firewall/group/address-group/node.tag/address/node.def
+++ b/templates/firewall/group/address-group/node.tag/address/node.def
@@ -10,96 +10,3 @@ syntax:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
--set-type=address \
--member=\"$VAR(@)\"; "
-create: tmpgrp=$VAR(../@)-$PPID
- len=${#tmpgrp}
- if [ "$len" -gt 31 ]; then
- tmpgrp=${tmpgrp: -31};
- if [[ "$tmpgrp" =~ ^- ]]; then
- tmpgrp=${tmpgrp/-/Z};
- fi
- fi
- tmpfile="/tmp/$tmpgrp";
-
- # echo create $VAR(@) $tmpgrp $COMMIT_SIBLING_POSITION
-
- if [ "$COMMIT_SIBLING_POSITION" = "FIRST" ] || \
- [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-set-empty \
- --set-name=$VAR(../@)
- if [ $? != 0 ]; then
- # echo create $tmpfile;
- touch $tmpfile;
- fi;
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=copy-set \
- --set-name=$VAR(../@) --set-type=address --set-copy=$tmpgrp
- # echo create $tmpgrp
- fi;
-
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=add-member \
- --set-name="$tmpgrp" --member="$VAR(@)" --alias=$VAR(../@)
- if [ $? != 0 ]; then
- # echo error adding, destroy $tmpgrp
- sudo ipset --destroy $tmpgrp;
- if [ -e $tmpfile ]; then
- # echo destroy $VAR(../@)
- sudo ipset --destroy $VAR(../@);
- rm $tmpfile;
- fi;
- exit 1;
- fi;
-
- if [ "$COMMIT_SIBLING_POSITION" = "LAST" ] || \
- [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
- # echo swap and destroy $tmpgrp
- sudo ipset --swap $tmpgrp "$VAR(../@)";
- sudo ipset --destroy $tmpgrp;
- rm -f $tmpfile;
- fi;
-
-delete: tmpgrp=$VAR(../@)-$PPID
- len=${#tmpgrp}
- if [ "$len" -gt 31 ]; then
- tmpgrp=${tmpgrp: -31};
- if [[ "$tmpgrp" =~ ^- ]]; then
- tmpgrp=${tmpgrp/-/Z};
- fi
- fi
- tmpfile="/tmp/$tmpgrp";
-
- # echo delete $VAR(@) $tmpgrp $COMMIT_SIBLING_POSITION
-
- if [ "$COMMIT_SIBLING_POSITION" = "FIRST" ] || \
- [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-set-empty \
- --set-name=$VAR(../@)
- if [ $? != 0 ]; then
- # echo create $tmpfile;
- touch $tmpfile;
- fi;
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=copy-set \
- --set-name=$VAR(../@) --set-type=address --set-copy=$tmpgrp
- # echo create $tmpgrp
- fi;
-
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-deleted \
- --set-name=$VAR(../@) --set-type=address;
- if [ $? == 0 ] ; then
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-used \
- --set-name=$VAR(../@) --set-type=address
- if [ $? == 0 ] ; then
- echo "Error: group [$VAR(../@)] still in use."
- exit 1;
- fi
- fi
-
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
- --set-name=$tmpgrp \
- --member="$VAR(@)"
-
- if [ "$COMMIT_SIBLING_POSITION" = "LAST" ] || \
- [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
- # echo swap and destroy $tmpgrp
- sudo ipset --swap $tmpgrp "$VAR(../@)";
- sudo ipset --destroy $tmpgrp;
- rm -f $tmpfile;
- fi;
diff --git a/templates/firewall/group/network-group/node.def b/templates/firewall/group/network-group/node.def
index e20b536..8e50b7d 100644
--- a/templates/firewall/group/network-group/node.def
+++ b/templates/firewall/group/network-group/node.def
@@ -15,12 +15,6 @@ syntax:expression: pattern $VAR(@) "^[^!]" ; \
syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \
"Firewall group name cannot contain shell punctuation"
-create: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
- --action=create-set \
- --set-type=network \
- --set-name="$VAR(@)"
+end: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \
+ --set-name="$VAR(@)" --set-type=network
-
-delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
- --action=delete-set \
- --set-name="$VAR(@)"
diff --git a/templates/firewall/group/network-group/node.tag/network/node.def b/templates/firewall/group/network-group/node.tag/network/node.def
index 4db4d49..7388561 100644
--- a/templates/firewall/group/network-group/node.tag/network/node.def
+++ b/templates/firewall/group/network-group/node.tag/network/node.def
@@ -12,21 +12,3 @@ syntax:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
syntax:expression: exec " \
/opt/vyatta/sbin/check_prefix_boundary $VAR(@)" \
-create: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=add-member \
- --set-name=$VAR(../@) \
- --member="$VAR(@)"
-
-delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-deleted \
- --set-name=$VAR(../@) --set-type=network;
- if [ $? == 0 ] ; then
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-used \
- --set-name=$VAR(../@) --set-type=network
- if [ $? == 0 ] ; then
- echo "Error: group [$VAR(../@)] still in use."
- exit 1;
- fi
- fi
-
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
- --set-name=$VAR(../@) \
- --member="$VAR(@)"
diff --git a/templates/firewall/group/port-group/node.def b/templates/firewall/group/port-group/node.def
index 76fef9e..949403e 100644
--- a/templates/firewall/group/port-group/node.def
+++ b/templates/firewall/group/port-group/node.def
@@ -15,12 +15,5 @@ syntax:expression: pattern $VAR(@) "^[^!]" ; \
syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \
"Firewall group name cannot contain shell punctuation"
-create: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
- --action=create-set \
- --set-type=port \
- --set-name="$VAR(@)"
-
-
-delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
- --action=delete-set \
- --set-name="$VAR(@)"
+end: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \
+ --set-name="$VAR(@)" --set-type=port
diff --git a/templates/firewall/group/port-group/node.tag/port/node.def b/templates/firewall/group/port-group/node.tag/port/node.def
index 6e657c4..7a9b867 100644
--- a/templates/firewall/group/port-group/node.tag/port/node.def
+++ b/templates/firewall/group/port-group/node.tag/port/node.def
@@ -11,90 +11,3 @@ syntax:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
--set-name=$VAR(../@) \
--set-type=port \
--member=\"$VAR(@)\"; "
-
-create: tmpgrp=$VAR(../@)-$PPID
- len=${#tmpgrp}
- if [ "$len" -gt 31 ]; then
- tmpgrp=${tmpgrp: -31};
- if [[ "$tmpgrp" =~ ^- ]]; then
- tmpgrp=${tmpgrp/-/Z};
- fi
- fi
- tmpfile="/tmp/$tmpgrp";
-
- if [ "$COMMIT_SIBLING_POSITION" = "FIRST" ] || \
- [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-set-empty \
- --set-name=$VAR(../@)
- if [ $? != 0 ]; then
- touch $tmpfile;
- fi;
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=copy-set \
- --set-name=$VAR(../@) --set-type=port --set-copy=$tmpgrp
- fi;
-
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=add-member \
- --set-name="$tmpgrp" --member="$VAR(@)" --alias=$VAR(../@)
- if [ $? != 0 ]; then
- sudo ipset --destroy $tmpgrp;
- if [ -e $tmpfile ]; then
- sudo ipset --destroy $VAR(../@);
- rm $tmpfile;
- fi;
- exit 1;
- fi;
-
- if [ "$COMMIT_SIBLING_POSITION" = "LAST" ] || \
- [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
- sudo ipset --swap $tmpgrp "$VAR(../@)";
- sudo ipset --destroy $tmpgrp;
- rm -f $tmpfile;
- fi;
-
-delete: tmpgrp=$VAR(../@)-$PPID
- len=${#tmpgrp}
- if [ "$len" -gt 31 ]; then
- tmpgrp=${tmpgrp: -31};
- if [[ "$tmpgrp" =~ ^- ]]; then
- tmpgrp=${tmpgrp/-/Z};
- fi
- fi
- tmpfile="/tmp/$tmpgrp";
-
- # echo delete $VAR(@) $tmpgrp $COMMIT_SIBLING_POSITION
-
- if [ "$COMMIT_SIBLING_POSITION" = "FIRST" ] || \
- [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-set-empty \
- --set-name=$VAR(../@)
- if [ $? != 0 ]; then
- # echo create $tmpfile;
- touch $tmpfile;
- fi;
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=copy-set \
- --set-name=$VAR(../@) --set-type=port --set-copy=$tmpgrp
- # echo create $tmpgrp
- fi;
-
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-deleted \
- --set-name=$VAR(../@) --set-type=port;
- if [ $? == 0 ] ; then
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-used \
- --set-name=$VAR(../@) --set-type=port
- if [ $? == 0 ] ; then
- echo "Error: group [$VAR(../@)] still in use."
- exit 1;
- fi
- fi
-
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
- --set-name=$tmpgrp \
- --member="$VAR(@)"
-
- if [ "$COMMIT_SIBLING_POSITION" = "LAST" ] || \
- [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
- # echo swap and destroy $tmpgrp
- sudo ipset --swap $tmpgrp "$VAR(../@)";
- sudo ipset --destroy $tmpgrp;
- rm -f $tmpfile;
- fi;
diff --git a/templates/firewall/modify/node.def b/templates/firewall/modify/node.def
index e1f82f3..640a89c 100644
--- a/templates/firewall/modify/node.def
+++ b/templates/firewall/modify/node.def
@@ -24,6 +24,7 @@ end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules modify "$VAR(@)"
else
exit 1;
fi
+ sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=prune-deleted-sets
create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup iptables modify
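Review bot: The added `prune-deleted-sets` call is the last statement of the `end:` script, so its exit status becomes the result of the whole action: a failure while pruning stale sets would report the commit as failed even though `--update-rules` one line earlier already installed the new ruleset, leaving kernel state and reported config state out of step. Decide deliberately whether pruning is a hard requirement or best-effort and record it, e.g. `# prune ipsets whose group nodes were deleted in this commit; runs after update-rules so no rule should still reference them` above the line, and if best-effort is intended, `sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=prune-deleted-sets || echo "Warning: failed to prune deleted firewall groups"`. The enclosing `end:` script starts before this hunk. The identical line is added in the `firewall/name/node.def` hunk below and should be treated the same way.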
diff --git a/templates/firewall/name/node.def b/templates/firewall/name/node.def
index 7e9bc44..e8be1cd 100644
--- a/templates/firewall/name/node.def
+++ b/templates/firewall/name/node.def
@@ -24,6 +24,7 @@ end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules name "$VAR(@)" ;
else
exit 1;
fi
+ sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=prune-deleted-sets
create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup iptables name
diff --git a/templates/firewall/node.def b/templates/firewall/node.def
index 30b5330..6ee0386 100644
--- a/templates/firewall/node.def
+++ b/templates/firewall/node.def
@@ -1,4 +1,4 @@
-priority: 215
+priority: 199
help: Firewall
delete: # set conntrack table size to standard 16384 entries if fw disabled