Diffstat (limited to 'templates/firewall')
-rw-r--r-- | templates/firewall/group/address-group/node.def | 11 | ||||
-rw-r--r-- | templates/firewall/group/address-group/node.tag/address/node.def | 93 | ||||
-rw-r--r-- | templates/firewall/group/network-group/node.def | 10 | ||||
-rw-r--r-- | templates/firewall/group/network-group/node.tag/network/node.def | 18 | ||||
-rw-r--r-- | templates/firewall/group/port-group/node.def | 11 | ||||
-rw-r--r-- | templates/firewall/group/port-group/node.tag/port/node.def | 87 | ||||
-rw-r--r-- | templates/firewall/modify/node.def | 1 | ||||
-rw-r--r-- | templates/firewall/name/node.def | 1 | ||||
-rw-r--r-- | templates/firewall/node.def | 2 |
9 files changed, 9 insertions, 225 deletions
diff --git a/templates/firewall/group/address-group/node.def b/templates/firewall/group/address-group/node.def
index 40462fa..5b2e510 100644
--- a/templates/firewall/group/address-group/node.def
+++ b/templates/firewall/group/address-group/node.def
@@ -15,12 +15,5 @@ syntax:expression: pattern $VAR(@) "^[^!]" ; \
 syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \
 "Firewall group name cannot contain shell punctuation"
-create: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
- --action=create-set \
- --set-type=address \
- --set-name="$VAR(@)"
-
-
-delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
- --action=delete-set \
- --set-name="$VAR(@)"
+end: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \
+ --set-name="$VAR(@)" --set-type=address
diff --git a/templates/firewall/group/address-group/node.tag/address/node.def b/templates/firewall/group/address-group/node.tag/address/node.def
index a04dd5b..2629b9d 100644
--- a/templates/firewall/group/address-group/node.tag/address/node.def
+++ b/templates/firewall/group/address-group/node.tag/address/node.def
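Review bot: The `end:` action on the last two added lines replaces both `create:` and `delete:`, so removal of the kernel set no longer happens in this node; the only deletion path visible in this diff is the `prune-deleted-sets` call added to `firewall/modify` and `firewall/name`, which does not run for a commit that deletes a group and touches no ruleset. Whether `update-set` itself removes a set whose node was deleted is not visible here — confirm it does, otherwise a deleted group leaves a stale ipset behind until the next ruleset commit. The same applies to the network-group and port-group `node.def` hunks further down. If the template parser accepts a comment there, a one-line note above the action would record the contract, e.g. `# end: runs on create, change and delete; update-set must bring the kernel set in line with the config, including removal`.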
@@ -10,96 +10,3 @@ syntax:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
 --set-type=address \
 --member=\"$VAR(@)\"; "
-create: tmpgrp=$VAR(../@)-$PPID
- len=${#tmpgrp}
- if [ "$len" -gt 31 ]; then
- tmpgrp=${tmpgrp: -31};
- if [[ "$tmpgrp" =~ ^- ]]; then
- tmpgrp=${tmpgrp/-/Z};
- fi
- fi
- tmpfile="/tmp/$tmpgrp";
-
- # echo create $VAR(@) $tmpgrp $COMMIT_SIBLING_POSITION
-
- if [ "$COMMIT_SIBLING_POSITION" = "FIRST" ] || \
- [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-set-empty \
- --set-name=$VAR(../@)
- if [ $? != 0 ]; then
- # echo create $tmpfile;
- touch $tmpfile;
- fi;
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=copy-set \
- --set-name=$VAR(../@) --set-type=address --set-copy=$tmpgrp
- # echo create $tmpgrp
- fi;
-
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=add-member \
- --set-name="$tmpgrp" --member="$VAR(@)" --alias=$VAR(../@)
- if [ $? != 0 ]; then
- # echo error adding, destroy $tmpgrp
- sudo ipset --destroy $tmpgrp;
- if [ -e $tmpfile ]; then
- # echo destroy $VAR(../@)
- sudo ipset --destroy $VAR(../@);
- rm $tmpfile;
- fi;
- exit 1;
- fi;
-
- if [ "$COMMIT_SIBLING_POSITION" = "LAST" ] || \
- [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
- # echo swap and destroy $tmpgrp
- sudo ipset --swap $tmpgrp "$VAR(../@)";
- sudo ipset --destroy $tmpgrp;
- rm -f $tmpfile;
- fi;
-
-delete: tmpgrp=$VAR(../@)-$PPID
- len=${#tmpgrp}
- if [ "$len" -gt 31 ]; then
- tmpgrp=${tmpgrp: -31};
- if [[ "$tmpgrp" =~ ^- ]]; then
- tmpgrp=${tmpgrp/-/Z};
- fi
- fi
- tmpfile="/tmp/$tmpgrp";
-
- # echo delete $VAR(@) $tmpgrp $COMMIT_SIBLING_POSITION
-
- if [ "$COMMIT_SIBLING_POSITION" = "FIRST" ] || \
- [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-set-empty \
- --set-name=$VAR(../@)
- if [ $? != 0 ]; then
- # echo create $tmpfile;
- touch $tmpfile;
- fi;
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=copy-set \
- --set-name=$VAR(../@) --set-type=address --set-copy=$tmpgrp
- # echo create $tmpgrp
- fi;
-
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-deleted \
- --set-name=$VAR(../@) --set-type=address;
- if [ $? == 0 ] ; then
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-used \
- --set-name=$VAR(../@) --set-type=address
- if [ $? == 0 ] ; then
- echo "Error: group [$VAR(../@)] still in use."
- exit 1;
- fi
- fi
-
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
- --set-name=$tmpgrp \
- --member="$VAR(@)"
-
- if [ "$COMMIT_SIBLING_POSITION" = "LAST" ] || \
- [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
- # echo swap and destroy $tmpgrp
- sudo ipset --swap $tmpgrp "$VAR(../@)";
- sudo ipset --destroy $tmpgrp;
- rm -f $tmpfile;
- fi;
diff --git a/templates/firewall/group/network-group/node.def b/templates/firewall/group/network-group/node.def
index e20b536..8e50b7d 100644
--- a/templates/firewall/group/network-group/node.def
+++ b/templates/firewall/group/network-group/node.def
@@ -15,12 +15,6 @@ syntax:expression: pattern $VAR(@) "^[^!]" ; \
 syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \
 "Firewall group name cannot contain shell punctuation"
-create: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
- --action=create-set \
- --set-type=network \
- --set-name="$VAR(@)"
+end: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \
+ --set-name="$VAR(@)" --set-type=network
-
-delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
- --action=delete-set \
- --set-name="$VAR(@)"
diff --git a/templates/firewall/group/network-group/node.tag/network/node.def b/templates/firewall/group/network-group/node.tag/network/node.def
index 4db4d49..7388561 100644
--- a/templates/firewall/group/network-group/node.tag/network/node.def
+++ b/templates/firewall/group/network-group/node.tag/network/node.def
@@ -12,21 +12,3 @@ syntax:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
 syntax:expression: exec " \
 /opt/vyatta/sbin/check_prefix_boundary $VAR(@)" \
-create: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=add-member \
- --set-name=$VAR(../@) \
- --member="$VAR(@)"
-
-delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-deleted \
- --set-name=$VAR(../@) --set-type=network;
- if [ $? == 0 ] ; then
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-used \
- --set-name=$VAR(../@) --set-type=network
- if [ $? == 0 ] ; then
- echo "Error: group [$VAR(../@)] still in use."
- exit 1;
- fi
- fi
-
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
- --set-name=$VAR(../@) \
- --member="$VAR(@)"
diff --git a/templates/firewall/group/port-group/node.def b/templates/firewall/group/port-group/node.def
index 76fef9e..949403e 100644
--- a/templates/firewall/group/port-group/node.def
+++ b/templates/firewall/group/port-group/node.def
@@ -15,12 +15,5 @@ syntax:expression: pattern $VAR(@) "^[^!]" ; \
 syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \
 "Firewall group name cannot contain shell punctuation"
-create: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
- --action=create-set \
- --set-type=port \
- --set-name="$VAR(@)"
-
-
-delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
- --action=delete-set \
- --set-name="$VAR(@)"
+end: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \
+ --set-name="$VAR(@)" --set-type=port
diff --git a/templates/firewall/group/port-group/node.tag/port/node.def b/templates/firewall/group/port-group/node.tag/port/node.def
index 6e657c4..7a9b867 100644
--- a/templates/firewall/group/port-group/node.tag/port/node.def
+++ b/templates/firewall/group/port-group/node.tag/port/node.def
@@ -11,90 +11,3 @@ syntax:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
 --set-name=$VAR(../@) \
 --set-type=port \
 --member=\"$VAR(@)\"; "
-
-create: tmpgrp=$VAR(../@)-$PPID
- len=${#tmpgrp}
- if [ "$len" -gt 31 ]; then
- tmpgrp=${tmpgrp: -31};
- if [[ "$tmpgrp" =~ ^- ]]; then
- tmpgrp=${tmpgrp/-/Z};
- fi
- fi
- tmpfile="/tmp/$tmpgrp";
-
- if [ "$COMMIT_SIBLING_POSITION" = "FIRST" ] || \
- [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-set-empty \
- --set-name=$VAR(../@)
- if [ $? != 0 ]; then
- touch $tmpfile;
- fi;
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=copy-set \
- --set-name=$VAR(../@) --set-type=port --set-copy=$tmpgrp
- fi;
-
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=add-member \
- --set-name="$tmpgrp" --member="$VAR(@)" --alias=$VAR(../@)
- if [ $? != 0 ]; then
- sudo ipset --destroy $tmpgrp;
- if [ -e $tmpfile ]; then
- sudo ipset --destroy $VAR(../@);
- rm $tmpfile;
- fi;
- exit 1;
- fi;
-
- if [ "$COMMIT_SIBLING_POSITION" = "LAST" ] || \
- [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
- sudo ipset --swap $tmpgrp "$VAR(../@)";
- sudo ipset --destroy $tmpgrp;
- rm -f $tmpfile;
- fi;
-
-delete: tmpgrp=$VAR(../@)-$PPID
- len=${#tmpgrp}
- if [ "$len" -gt 31 ]; then
- tmpgrp=${tmpgrp: -31};
- if [[ "$tmpgrp" =~ ^- ]]; then
- tmpgrp=${tmpgrp/-/Z};
- fi
- fi
- tmpfile="/tmp/$tmpgrp";
-
- # echo delete $VAR(@) $tmpgrp $COMMIT_SIBLING_POSITION
-
- if [ "$COMMIT_SIBLING_POSITION" = "FIRST" ] || \
- [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-set-empty \
- --set-name=$VAR(../@)
- if [ $? != 0 ]; then
- # echo create $tmpfile;
- touch $tmpfile;
- fi;
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=copy-set \
- --set-name=$VAR(../@) --set-type=port --set-copy=$tmpgrp
- # echo create $tmpgrp
- fi;
-
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-deleted \
- --set-name=$VAR(../@) --set-type=port;
- if [ $? == 0 ] ; then
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-used \
- --set-name=$VAR(../@) --set-type=port
- if [ $? == 0 ] ; then
- echo "Error: group [$VAR(../@)] still in use."
- exit 1;
- fi
- fi
-
- sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
- --set-name=$tmpgrp \
- --member="$VAR(@)"
-
- if [ "$COMMIT_SIBLING_POSITION" = "LAST" ] || \
- [ "$COMMIT_SIBLING_POSITION" = "FIRSTLAST" ] ; then
- # echo swap and destroy $tmpgrp
- sudo ipset --swap $tmpgrp "$VAR(../@)";
- sudo ipset --destroy $tmpgrp;
- rm -f $tmpfile;
- fi;
diff --git a/templates/firewall/modify/node.def b/templates/firewall/modify/node.def
index e1f82f3..640a89c 100644
--- a/templates/firewall/modify/node.def
+++ b/templates/firewall/modify/node.def
@@ -24,6 +24,7 @@ end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules modify "$VAR(@)"
 else
 exit 1;
 fi
+ sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=prune-deleted-sets
 create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup iptables modify
diff --git a/templates/firewall/name/node.def b/templates/firewall/name/node.def
index 7e9bc44..e8be1cd 100644
--- a/templates/firewall/name/node.def
+++ b/templates/firewall/name/node.def
@@ -24,6 +24,7 @@ end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules name "$VAR(@)" ;
 else
 exit 1;
 fi
+ sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=prune-deleted-sets
 create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup iptables name
diff --git a/templates/firewall/node.def b/templates/firewall/node.def
index 30b5330..6ee0386 100644
--- a/templates/firewall/node.def
+++ b/templates/firewall/node.def
@@ -1,4 +1,4 @@
-priority: 215
+priority: 199
 help: Firewall
 delete: # set conntrack table size to standard 16384 entries if fw disabled |
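Review bot: The added `sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=prune-deleted-sets` line in the `firewall/modify/node.def` hunk is now the last command of the `end:` action, so its exit status rather than the guarded `--update-rules` result above it is what the action returns, if the action's status is that of its last command (inferred; the template runner is not visible here). A prune failure would then fail the ruleset commit with no message explaining why, while a partial prune would be silent. Make the intent explicit either way, e.g. `sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=prune-deleted-sets || { echo "Error: failed to remove deleted firewall groups"; exit 1; }`, or a deliberate `|| true` with a comment saying stale sets are tolerated. The same line is added to `firewall/name/node.def` in the following hunk, and the `end:` action begins outside both hunks.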
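Review bot: The `priority: 199` line in the `firewall/node.def` hunk carries no comment recording which other nodes it must be ordered before or after, and the group `node.def` files in this same commit gained an `end:` action whose ordering relative to the ruleset nodes is exactly what such a value encodes. The constraint is not derivable from this diff, so it should be stated by whoever chose the value; a comment beside the line such as `# 199: ordered relative to the firewall group and ruleset nodes — see templates/firewall/group/*/node.def` would keep the next change from silently breaking that ordering.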