diff options
Diffstat (limited to 'templates')
25 files changed, 147 insertions, 12 deletions
diff --git a/templates/firewall/group/address-group/node.def b/templates/firewall/group/address-group/node.def index 13b2e72..d89233d 100644 --- a/templates/firewall/group/address-group/node.def +++ b/templates/firewall/group/address-group/node.def @@ -15,7 +15,11 @@ syntax:expression: pattern $VAR(@) "^[^!]" ; \ syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ "Firewall group name cannot contain shell punctuation" +syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ + --set-type=address --set-family=inet"; \ + "Firewall group name already used as Ipv6 group address" + end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ - --set-name="$VAR(@)" --set-type=address; then + --set-name="$VAR(@)" --set-type=address --set-family=inet; then ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group address-group $VAR(@)" fi diff --git a/templates/firewall/group/ipv6-address-group/node.def b/templates/firewall/group/ipv6-address-group/node.def new file mode 100644 index 0000000..20e4430 --- /dev/null +++ b/templates/firewall/group/ipv6-address-group/node.def @@ -0,0 +1,25 @@ +tag: +priority: 200 +type: txt +help: Firewall ipv6-address-group + +syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \ + "Firewall group name must be 31 characters or less" + +syntax:expression: pattern $VAR(@) "^[^-]" ; \ + "Firewall group name cannot start with \"-\"" + +syntax:expression: pattern $VAR(@) "^[^!]" ; \ + "Firewall group name cannot start with \"!\"" + +syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ + "Firewall group name cannot contain shell punctuation" + +syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ + --set-type=address --set-family=inet6"; \ + "Firewall group name already used as Ipv4 group address" + +end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ + --set-name="$VAR(@)" --set-type=address --set-family=inet6; then + ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group ipv6-address-group $VAR(@)" + fi diff --git a/templates/firewall/group/ipv6-address-group/node.tag/address/node.def b/templates/firewall/group/ipv6-address-group/node.tag/address/node.def new file mode 100644 index 0000000..5bd948b --- /dev/null +++ b/templates/firewall/group/ipv6-address-group/node.tag/address/node.def @@ -0,0 +1,9 @@ +multi: +type: txt +help: Address-group member +val_help: ipv6; IPv6 address to match + +syntax:expression: pattern $VAR(@) "^[^|;&$<>/]*$" ; \ + "Error [$VAR(@)] isn't valid IPv6 host address" + +syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" diff --git a/templates/firewall/group/ipv6-address-group/node.tag/description/node.def b/templates/firewall/group/ipv6-address-group/node.tag/description/node.def new file mode 100644 index 0000000..f630483 --- /dev/null +++ b/templates/firewall/group/ipv6-address-group/node.tag/description/node.def @@ -0,0 +1,2 @@ +type: txt +help: IPv6 Address-group description
\ No newline at end of file diff --git a/templates/firewall/group/ipv6-network-group/node.def b/templates/firewall/group/ipv6-network-group/node.def new file mode 100644 index 0000000..084fdb0 --- /dev/null +++ b/templates/firewall/group/ipv6-network-group/node.def @@ -0,0 +1,25 @@ +tag: +priority: 200 +type: txt +help: Firewall ipv6-network-group + +syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \ + "Firewall group name must be 31 characters or less" + +syntax:expression: pattern $VAR(@) "^[^-]" ; \ + "Firewall group name cannot start with \"-\"" + +syntax:expression: pattern $VAR(@) "^[^!]" ; \ + "Firewall group name cannot start with \"!\"" + +syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ + "Firewall group name cannot contain shell punctuation" + +syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ + --set-type=network --set-family=inet6"; \ + "Firewall group name already used as Ipv4 group address" + +end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ + --set-name="$VAR(@)" --set-type=network --set-family=inet6; then + ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group ipv6-network-group $VAR(@)" + fi diff --git a/templates/firewall/group/ipv6-network-group/node.tag/description/node.def b/templates/firewall/group/ipv6-network-group/node.tag/description/node.def new file mode 100644 index 0000000..cc905df --- /dev/null +++ b/templates/firewall/group/ipv6-network-group/node.tag/description/node.def @@ -0,0 +1,2 @@ +type: txt +help: IPv6-network-group description diff --git a/templates/firewall/group/ipv6-network-group/node.tag/network/node.def b/templates/firewall/group/ipv6-network-group/node.tag/network/node.def new file mode 100644 index 0000000..879a164 --- /dev/null +++ b/templates/firewall/group/ipv6-network-group/node.tag/network/node.def @@ -0,0 +1,8 @@ +multi: +type: ipv6net +help: Network-group member +val_help: ipv6net; IPv6 Subnet to match + +syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" + +syntax:expression: exec "/opt/vyatta/sbin/check_prefix_boundary $VAR(@)" diff --git a/templates/firewall/group/network-group/node.def b/templates/firewall/group/network-group/node.def index 263a772..14b8366 100644 --- a/templates/firewall/group/network-group/node.def +++ b/templates/firewall/group/network-group/node.def @@ -15,8 +15,12 @@ syntax:expression: pattern $VAR(@) "^[^!]" ; \ syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ "Firewall group name cannot contain shell punctuation" +syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ + --set-type=network --set-family=inet"; \ + "Firewall group name already used as Ipv6 group address" + end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ - --set-name="$VAR(@)" --set-type=network; then + --set-name="$VAR(@)" --set-type=network --set-family=inet; then ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group network-group $VAR(@)" fi diff --git a/templates/firewall/group/port-group/node.def b/templates/firewall/group/port-group/node.def index 1484be2..729165f 100644 --- a/templates/firewall/group/port-group/node.def +++ b/templates/firewall/group/port-group/node.def @@ -16,6 +16,6 @@ syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ "Firewall group name cannot contain shell punctuation" end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ - --set-name="$VAR(@)" --set-type=port; then + --set-name="$VAR(@)" --set-type=port --set-family=inet; then ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group port-group $VAR(@)" fi diff --git a/templates/firewall/ipv6-name/node.def b/templates/firewall/ipv6-name/node.def index e7e1167..2e20b9a 100644 --- a/templates/firewall/ipv6-name/node.def +++ b/templates/firewall/ipv6-name/node.def @@ -14,17 +14,21 @@ syntax:expression: ! pattern $VAR(@) "^VZONE" ; \ end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "firewall ipv6-name" "$VAR(@)" ; then - if [ ${COMMIT_ACTION} = 'DELETE' ] ; + if [ ${COMMIT_ACTION} = 'DELETE' ] ; then if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok "firewall ipv6-name" ; then - sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "firewall ipv6-name" + if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "firewall ipv6-name"; then + ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall ipv6-name $VAR(@)" + fi fi + else + ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall ipv6-name $VAR(@)" fi else exit 1; fi - ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall ipv6-name $VAR(@)" + sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=prune-deleted-sets create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup ip6tables "firewall ipv6-name" diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def new file mode 100644 index 0000000..961663c --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def @@ -0,0 +1,9 @@ +type: txt +help: Group of addresses + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=address;" + +allowed: cli-shell-api listNodes firewall group ipv6-address-group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def new file mode 100644 index 0000000..262c4dd --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def @@ -0,0 +1,8 @@ +type: txt +help: Group of networks + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=network;" +allowed: cli-shell-api listNodes firewall group ipv6-network-group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/node.def new file mode 100644 index 0000000..bb11dae --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/node.def @@ -0,0 +1 @@ +help: Destination group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/port-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/port-group/node.def new file mode 100644 index 0000000..985302b --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/port-group/node.def @@ -0,0 +1,8 @@ +type: txt +help: Group of ports + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=port;" +allowed: cli-shell-api listNodes firewall group port-group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def new file mode 100644 index 0000000..9323938 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def @@ -0,0 +1,8 @@ +type: txt +help: Group of addresses + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=address;" +allowed: cli-shell-api listNodes firewall group ipv6-address-group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def new file mode 100644 index 0000000..262c4dd --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def @@ -0,0 +1,8 @@ +type: txt +help: Group of networks + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=network;" +allowed: cli-shell-api listNodes firewall group ipv6-network-group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/node.def new file mode 100644 index 0000000..7b36071 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/node.def @@ -0,0 +1 @@ +help: Source group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/port-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/port-group/node.def new file mode 100644 index 0000000..985302b --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/port-group/node.def @@ -0,0 +1,8 @@ +type: txt +help: Group of ports + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=port;" +allowed: cli-shell-api listNodes firewall group port-group diff --git a/templates/policy/route/node.tag/rule/node.tag/destination/group/address-group/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/group/address-group/node.def index 07e791c..272149b 100644 --- a/templates/policy/route/node.tag/rule/node.tag/destination/group/address-group/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/destination/group/address-group/node.def @@ -6,4 +6,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ --set-name=$VAR(@) \ --set-type=address;" -allowed: cli-shell-api listActiveNodes firewall group address-group +allowed: cli-shell-api listNodes firewall group address-group diff --git a/templates/policy/route/node.tag/rule/node.tag/destination/group/network-group/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/group/network-group/node.def index bf018a0..54604da 100644 --- a/templates/policy/route/node.tag/rule/node.tag/destination/group/network-group/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/destination/group/network-group/node.def @@ -5,4 +5,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ --action=check-set-type \ --set-name=$VAR(@) \ --set-type=network;" -allowed: cli-shell-api listActiveNodes firewall group network-group +allowed: cli-shell-api listNodes firewall group network-group diff --git a/templates/policy/route/node.tag/rule/node.tag/destination/group/port-group/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/group/port-group/node.def index 865d2c5..985302b 100644 --- a/templates/policy/route/node.tag/rule/node.tag/destination/group/port-group/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/destination/group/port-group/node.def @@ -5,4 +5,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ --action=check-set-type \ --set-name=$VAR(@) \ --set-type=port;" -allowed: cli-shell-api listActiveNodes firewall group port-group +allowed: cli-shell-api listNodes firewall group port-group diff --git a/templates/policy/route/node.tag/rule/node.tag/set/table/node.def b/templates/policy/route/node.tag/rule/node.tag/set/table/node.def index bb97649..632ed54 100644 --- a/templates/policy/route/node.tag/rule/node.tag/set/table/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/set/table/node.def @@ -2,6 +2,7 @@ type: txt help: Routing table to forward packet with val_help: u32:1-200 ; Table number val_help: main ; Main table +allowed: echo main `cli-shell-api listNodes protocols static table` syntax:expression: exec " if [[ $VAR(@) =~ ^-?[0-9]+$ ]] ; then if [ $VAR(@) -lt 1 -o $VAR(@) -gt 200 ] ; then diff --git a/templates/policy/route/node.tag/rule/node.tag/source/group/address-group/node.def b/templates/policy/route/node.tag/rule/node.tag/source/group/address-group/node.def index 97c748d..8506b28 100644 --- a/templates/policy/route/node.tag/rule/node.tag/source/group/address-group/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/source/group/address-group/node.def @@ -5,4 +5,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ --action=check-set-type \ --set-name=$VAR(@) \ --set-type=address;" -allowed: cli-shell-api listActiveNodes firewall group address-group +allowed: cli-shell-api listNodes firewall group address-group diff --git a/templates/policy/route/node.tag/rule/node.tag/source/group/network-group/node.def b/templates/policy/route/node.tag/rule/node.tag/source/group/network-group/node.def index bf018a0..54604da 100644 --- a/templates/policy/route/node.tag/rule/node.tag/source/group/network-group/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/source/group/network-group/node.def @@ -5,4 +5,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ --action=check-set-type \ --set-name=$VAR(@) \ --set-type=network;" -allowed: cli-shell-api listActiveNodes firewall group network-group +allowed: cli-shell-api listNodes firewall group network-group diff --git a/templates/policy/route/node.tag/rule/node.tag/source/group/port-group/node.def b/templates/policy/route/node.tag/rule/node.tag/source/group/port-group/node.def index 865d2c5..985302b 100644 --- a/templates/policy/route/node.tag/rule/node.tag/source/group/port-group/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/source/group/port-group/node.def @@ -5,4 +5,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ --action=check-set-type \ --set-name=$VAR(@) \ --set-type=port;" -allowed: cli-shell-api listActiveNodes firewall group port-group +allowed: cli-shell-api listNodes firewall group port-group |