From 9f0fff7d4afd0f1a7280dbf40fd9671d3576d196 Mon Sep 17 00:00:00 2001 From: Thomas Jepp Date: Wed, 16 Dec 2015 22:09:35 +0000 Subject: Fix build depends. --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 335bd13..6a0793e 100644 --- a/debian/control +++ b/debian/control @@ -2,7 +2,7 @@ Source: vyatta-cfg-firewall Section: contrib/net Priority: extra Maintainer: VyOS Package Maintainers -Build-Depends: debhelper (>= 5), autotools-dev +Build-Depends: debhelper (>= 5), autotools-dev, autoconf, automake, cpio Standards-Version: 3.9.1 Package: vyatta-cfg-firewall -- cgit v1.2.3 From 2a9bc2c4ea3204b65e679c1ee16e1bb12a17a31f Mon Sep 17 00:00:00 2001 From: Thomas Jepp Date: Thu, 24 Dec 2015 16:00:15 +0000 Subject: Fix runtime depends. --- debian/control | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 6a0793e..f439a91 100644 --- a/debian/control +++ b/debian/control @@ -23,7 +23,8 @@ Depends: sed (>= 4.1.5), sudo, snmpd, ipset, - iptables + iptables, + libswitch-perl Replaces: vyatta-cfg-system, vyatta-openvpn, vyatta-wirelessmodem -- cgit v1.2.3 From a547effeb79ec1585b7bbbc17354855fffeb086e Mon Sep 17 00:00:00 2001 From: Kim Hagen Date: Sun, 24 Jan 2016 15:00:53 -0500 Subject: 0.14.0+vyos2+current1 --- debian/changelog | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/debian/changelog b/debian/changelog index 8529ed6..41c4994 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +vyatta-cfg-firewall (0.14.0+vyos2+current1) unstable; urgency=medium + + [ Thomas Jepp ] + * Fix build depends. + * Fix runtime depends. + + [ Kim Hagen ] + + -- Kim Hagen Sun, 24 Jan 2016 15:00:40 -0500 + vyatta-cfg-firewall (0.14.0+vyos2+lithium16) unstable; urgency=low [ Alex Harpin ] -- cgit v1.2.3 From 6e46ac599ac8351a72d227ae3b96f6e8ed9452f7 Mon Sep 17 00:00:00 2001 
From: Kim Hagen Date: Fri, 20 May 2016 05:33:06 -0400 Subject: Revert "vyatta-cfg-firewall: update nfct commands to use the new syntax" Debian jessie version still uses older syntax This reverts commit 8c08408d1309b2664067b3a793d7df3b24d36cf3. --- scripts/firewall/firewall.init.in | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/firewall/firewall.init.in b/scripts/firewall/firewall.init.in index 30614bf..98ed54a 100644 --- a/scripts/firewall/firewall.init.in +++ b/scripts/firewall/firewall.init.in @@ -62,9 +62,9 @@ start () { # user space helpers chain, enables helpers using iptables --helper. # FTP, sip and h323 to use this chain later on. iptables -t raw -N VYATTA_CT_HELPER - /usr/sbin/nfct add helper rpc inet tcp - /usr/sbin/nfct add helper rpc inet udp - /usr/sbin/nfct add helper tns inet tcp + /usr/sbin/nfct helper add rpc inet tcp + /usr/sbin/nfct helper add rpc inet udp + /usr/sbin/nfct helper add tns inet tcp iptables -t raw -I VYATTA_CT_HELPER -p tcp --dport 111 -j CT --helper rpc iptables -t raw -I VYATTA_CT_HELPER -p udp --dport 111 -j CT --helper rpc iptables -t raw -I VYATTA_CT_HELPER -p tcp --dport 1521 -j CT --helper tns -- cgit v1.2.3 From c903db0a63b627e1cdfa91ded522c73abb3b0516 Mon Sep 17 00:00:00 2001 From: Kim Date: Thu, 27 Apr 2017 16:37:01 +0200 Subject: update the way status of snmpd is called --- scripts/firewall/vyatta-firewall-trap.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/firewall/vyatta-firewall-trap.pl b/scripts/firewall/vyatta-firewall-trap.pl index 5a19f7d..159feea 100755 --- a/scripts/firewall/vyatta-firewall-trap.pl +++ b/scripts/firewall/vyatta-firewall-trap.pl 
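Review bot: The three `/usr/sbin/nfct helper add` lines run with no exit-status check, so when nfct is absent or its syntax does not match the installed version (the very condition this revert is about) the script still installs the `-j CT --helper` rules for helpers that were never registered, and the only trace is a line on stderr. Guard each call so the failure is at least recorded, e.g. `/usr/sbin/nfct helper add rpc inet tcp || echo "firewall: could not register rpc/tcp conntrack helper" >&2`, or probe the syntax once and choose the form. The `start ()` function continues outside the hunk.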
@@ -280,7 +280,7 @@ my $config = new Vyatta::Config; exit 0 if ! is_trap_enabled($config); # Detect system startup (i.e., no snmpd running) and just exit. -my $snmpd_service = `/usr/sbin/invoke-rc.d snmpd status 2> /dev/null`; +my $snmpd_service = `systemctl status snmpd.service 2> /dev/null`; exit 0 if (! $snmpd_service =~ m/snmpd is running/); # If no trap-targets configured just exit. -- cgit v1.2.3 From c48f11fa1b0d6a7b196f9750ef82625dea1aba58 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Thu, 14 Sep 2017 14:36:36 +0200 Subject: Revert "Added support for local PBR to gen-interface-policy-templates.pl" This reverts commit b30b5c66b7d6f4c12c37a642319dd39f8613f74a. --- gen-interface-policy-templates.pl | 20 +++++++------------- 1 file changed, 7 insertions(+), 13 deletions(-) diff --git a/gen-interface-policy-templates.pl b/gen-interface-policy-templates.pl index afea8cf..a86c5d6 100755 --- a/gen-interface-policy-templates.pl +++ b/gen-interface-policy-templates.pl @@ -107,16 +107,12 @@ sub gen_firewall_template { # my %table_help_hash = ( "route" => "IPv4 policy route", - "local-route" => "IPv4 policy route of local traffic", "ipv6-route" => "IPv6 policy route", - "ipv6-local-route" => "IPv6 policy route of local traffic", ); my %config_association_hash = ( "route" => "\"policy route\"", - "local-route" => "\"policy local-route\"", "ipv6-route" => "\"policy ipv6-route\"", - "ipv6-local-route" => "\"policy ipv6-local-route\"", ); # Generate the template file at the leaf of the per-interface firewall tree. @@ -124,10 +120,10 @@ my %config_association_hash = ( # ruleset on an interface for a particular ruleset type and direction. # sub gen_template { - my ( $if_tree, $direction, $table, $if_name ) = @_; + my ( $if_tree, $table, $if_name ) = @_; if ($debug) { - print "debug: table=$table direction=$direction\n"; + print "debug: table=$table\n"; } my $template_dir = 
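Review bot: The new `systemctl status snmpd.service` output is still matched against `m/snmpd is running/` on the following context line, a phrase from the old invoke-rc.d output; systemctl reports state as `Active: active (running)`, so the pattern is unlikely to ever match and the "no snmpd at startup" shortcut stops working silently. Independently, `! $snmpd_service =~ m/.../` negates the scalar before the match because `!` binds tighter than `=~`, so the condition can never be true either way; it needs parentheses or `!~`. A more robust replacement checks the exit status directly and avoids the shell: `exit 0 if system('systemctl', 'is-active', '--quiet', 'snmpd.service') != 0;`.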
@@ -151,16 +147,16 @@ allowed: local -a params echo -n "\${params[@]}" create: ifname=$if_name sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces \\ - update \$ifname $direction \$VAR(@) $config_association_hash{$table} + update \$ifname in \$VAR(@) $config_association_hash{$table} update: ifname=$if_name sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces \\ - update \$ifname $direction \$VAR(@) $config_association_hash{$table} + update \$ifname in \$VAR(@) $config_association_hash{$table} delete: ifname=$if_name sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces \\ - delete \$ifname $direction \$VAR(@) $config_association_hash{$table} + delete \$ifname in \$VAR(@) $config_association_hash{$table} EOF close $tp @@ -177,10 +173,8 @@ foreach my $if_tree ( keys %interface_hash ) { } gen_firewall_template($if_tree); - gen_template( $if_tree, "in", "route", $if_name ); - gen_template( $if_tree, "out", "local-route", $if_name ); - gen_template( $if_tree, "in", "ipv6-route", $if_name ); - gen_template( $if_tree, "out", "ipv6-local-route", $if_name ); + gen_template( $if_tree, "route", $if_name ); + gen_template( $if_tree, "ipv6-route", $if_name ); } print "Done.\n"; -- cgit v1.2.3 From d1164b989295016436f20caa709603ec5d85a4d3 Mon Sep 17 00:00:00 2001 From: mtudosoiu Date: Mon, 19 Feb 2018 13:06:25 +0200 Subject: Bug #T171 fix Open Task T171 Unable to Delte Rule --- scripts/firewall/vyatta-firewall.pl | 6 ------ 1 file changed, 6 deletions(-) diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl index c2727cc..f770719 100755 --- a/scripts/firewall/vyatta-firewall.pl +++ b/scripts/firewall/vyatta-firewall.pl 
@@ -553,12 +553,6 @@ sub update_rules { Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: $err_str\n"); exit 1; } - } elsif ("$test_rule_hash{$test_rule}" eq 'deleted') { - if (Vyatta::IpTables::Mgr::chain_referenced($table, $name, $iptables_cmd)) { - # Disallow deleting a chain if it's still referenced - Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: Cannot delete rule set \"$name\" (still in use)\n"); - exit 1; - } } } -- cgit v1.2.3 From bb15829e9b6864f46409faa30d79e66bbcbfc5b4 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Fri, 2 Mar 2018 05:20:56 +0100 Subject: Show uncommited groups and table in policy route rules completion (fixes T572). --- .../node.tag/rule/node.tag/destination/group/address-group/node.def | 2 +- .../node.tag/rule/node.tag/destination/group/network-group/node.def | 2 +- .../route/node.tag/rule/node.tag/destination/group/port-group/node.def | 2 +- templates/policy/route/node.tag/rule/node.tag/set/table/node.def | 1 + .../route/node.tag/rule/node.tag/source/group/address-group/node.def | 2 +- .../route/node.tag/rule/node.tag/source/group/network-group/node.def | 2 +- .../route/node.tag/rule/node.tag/source/group/port-group/node.def | 2 +- 7 files changed, 7 insertions(+), 6 deletions(-) diff --git a/templates/policy/route/node.tag/rule/node.tag/destination/group/address-group/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/group/address-group/node.def index 07e791c..272149b 100644 --- a/templates/policy/route/node.tag/rule/node.tag/destination/group/address-group/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/destination/group/address-group/node.def @@ -6,4 +6,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ --set-name=$VAR(@) \ --set-type=address;" -allowed: cli-shell-api listActiveNodes firewall group address-group +allowed: cli-shell-api listNodes firewall group address-group 
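Review bot: Dropping the whole `chain_referenced` branch removes the only guard that stops a rule set from being deleted while an interface binding or a jump still references it; the failure moves from a clear "still in use" configuration error to whatever iptables reports when the chain is later removed, possibly leaving a dangling reference. If T171 was the check firing on deletion of a single rule rather than of the rule set, narrowing the condition (only when the rule-set node itself is gone) is preferable to removing it. update_rules begins and ends outside the hunk, so how `$test_rule_hash{$test_rule}` comes to be `'deleted'` is not visible here.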
diff --git a/templates/policy/route/node.tag/rule/node.tag/destination/group/network-group/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/group/network-group/node.def index bf018a0..54604da 100644 --- a/templates/policy/route/node.tag/rule/node.tag/destination/group/network-group/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/destination/group/network-group/node.def @@ -5,4 +5,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ --action=check-set-type \ --set-name=$VAR(@) \ --set-type=network;" -allowed: cli-shell-api listActiveNodes firewall group network-group +allowed: cli-shell-api listNodes firewall group network-group diff --git a/templates/policy/route/node.tag/rule/node.tag/destination/group/port-group/node.def b/templates/policy/route/node.tag/rule/node.tag/destination/group/port-group/node.def index 865d2c5..985302b 100644 --- a/templates/policy/route/node.tag/rule/node.tag/destination/group/port-group/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/destination/group/port-group/node.def @@ -5,4 +5,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ --action=check-set-type \ --set-name=$VAR(@) \ --set-type=port;" -allowed: cli-shell-api listActiveNodes firewall group port-group +allowed: cli-shell-api listNodes firewall group port-group diff --git a/templates/policy/route/node.tag/rule/node.tag/set/table/node.def b/templates/policy/route/node.tag/rule/node.tag/set/table/node.def index bb97649..632ed54 100644 --- a/templates/policy/route/node.tag/rule/node.tag/set/table/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/set/table/node.def @@ -2,6 +2,7 @@ type: txt help: Routing table to forward packet with val_help: u32:1-200 ; Table number val_help: main ; Main table +allowed: echo main `cli-shell-api listNodes protocols static table` syntax:expression: exec " if [[ $VAR(@) =~ ^-?[0-9]+$ ]] ; then if [ $VAR(@) -lt 1 -o $VAR(@) -gt 200 ] ; then 
diff --git a/templates/policy/route/node.tag/rule/node.tag/source/group/address-group/node.def b/templates/policy/route/node.tag/rule/node.tag/source/group/address-group/node.def index 97c748d..8506b28 100644 --- a/templates/policy/route/node.tag/rule/node.tag/source/group/address-group/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/source/group/address-group/node.def @@ -5,4 +5,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ --action=check-set-type \ --set-name=$VAR(@) \ --set-type=address;" -allowed: cli-shell-api listActiveNodes firewall group address-group +allowed: cli-shell-api listNodes firewall group address-group diff --git a/templates/policy/route/node.tag/rule/node.tag/source/group/network-group/node.def b/templates/policy/route/node.tag/rule/node.tag/source/group/network-group/node.def index bf018a0..54604da 100644 --- a/templates/policy/route/node.tag/rule/node.tag/source/group/network-group/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/source/group/network-group/node.def @@ -5,4 +5,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ --action=check-set-type \ --set-name=$VAR(@) \ --set-type=network;" -allowed: cli-shell-api listActiveNodes firewall group network-group +allowed: cli-shell-api listNodes firewall group network-group diff --git a/templates/policy/route/node.tag/rule/node.tag/source/group/port-group/node.def b/templates/policy/route/node.tag/rule/node.tag/source/group/port-group/node.def index 865d2c5..985302b 100644 --- a/templates/policy/route/node.tag/rule/node.tag/source/group/port-group/node.def +++ b/templates/policy/route/node.tag/rule/node.tag/source/group/port-group/node.def @@ -5,4 +5,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ --action=check-set-type \ --set-name=$VAR(@) \ --set-type=port;" -allowed: cli-shell-api listActiveNodes firewall group port-group +allowed: cli-shell-api listNodes firewall group port-group -- cgit v1.2.3 
From 03f1937e7dcb01ce810c9c19eda15149245f4537 Mon Sep 17 00:00:00 2001 
From: Marian Tudosoiu Date: Mon, 12 Mar 2018 12:34:35 +0200 Subject: Task T35 - add support for IPv6 firewall adddress and network groups --- lib/Vyatta/IpTables/AddressFilter.pm | 36 +++++++++------------ lib/Vyatta/IpTables/IpSet.pm | 6 ++-- scripts/firewall/vyatta-ipset.pl | 37 +++++++++++++++++----- templates/firewall/group/address-group/node.def | 6 +++- templates/firewall/group/network-group/node.def | 6 +++- .../firewall/ipv6-group/address-group/node.def | 25 +++++++++++++++ .../address-group/node.tag/address/node.def | 6 ++++ .../address-group/node.tag/description/node.def | 2 ++ .../firewall/ipv6-group/network-group/node.def | 21 ++++++++++++ .../network-group/node.tag/description/node.def | 2 ++ .../network-group/node.tag/network/node.def | 8 +++++ templates/firewall/ipv6-group/node.def | 1 + .../destination/group/address-group/node.def | 9 ++++++ .../destination/group/network-group/node.def | 8 +++++ .../rule/node.tag/destination/group/node.def | 1 + .../node.tag/destination/group/port-group/node.def | 8 +++++ .../node.tag/source/group/address-group/node.def | 8 +++++ .../node.tag/source/group/network-group/node.def | 8 +++++ .../node.tag/rule/node.tag/source/group/node.def | 1 + .../rule/node.tag/source/group/port-group/node.def | 8 +++++ templates/firewall/node.def | 3 -- 21 files changed, 174 insertions(+), 36 deletions(-) create mode 100644 templates/firewall/ipv6-group/address-group/node.def create mode 100644 templates/firewall/ipv6-group/address-group/node.tag/address/node.def create mode 100644 templates/firewall/ipv6-group/address-group/node.tag/description/node.def create mode 100644 templates/firewall/ipv6-group/network-group/node.def create mode 100644 templates/firewall/ipv6-group/network-group/node.tag/description/node.def create mode 100644 templates/firewall/ipv6-group/network-group/node.tag/network/node.def create mode 100644 templates/firewall/ipv6-group/node.def create mode 100644 
templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/port-group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/port-group/node.def delete mode 100644 templates/firewall/node.def diff --git a/lib/Vyatta/IpTables/AddressFilter.pm b/lib/Vyatta/IpTables/AddressFilter.pm index 9100c24..9b3be53 100755 --- a/lib/Vyatta/IpTables/AddressFilter.pm +++ b/lib/Vyatta/IpTables/AddressFilter.pm 
@@ -238,31 +238,25 @@ sub rule { my ($port_str, $port_err)= getPortRuleString($self->{_port}, $can_use_port,($self->{_srcdst} eq "source") ? "s" : "d",$self->{_protocol}); return (undef, $port_err) if (!defined($port_str)); $rule .= $port_str; - # Handle groups last so we can check $group_ok - if ($self->{_ip_version} eq "ipv4") { - - # so far ipset only supports IPv4 - my %group_used = ('address' => 0, 'network' => 0); - foreach my $group_type ('address', 'network', 'port') { - my $var_name = '_' . $group_type . '_group'; - if (defined($self->{$var_name})) { - $group_used{$group_type} = 1; - my $name = $self->{$var_name}; - if (!$group_ok{$group_type}) { - return (undef, "Can't mix $self->{_srcdst} $group_type group [$name] and $group_type"); - } - my $group = new Vyatta::IpTables::IpSet($name, $group_type); - my ($set_rule, $err_str) = $group->rule($self->{_srcdst}); - return ($err_str,) if !defined $set_rule; - $rule .= $set_rule; + my %group_used = ('address' => 0, 'network' => 0); + foreach my $group_type ('address', 'network', 'port') { + my $var_name = '_' . $group_type . '_group'; + if (defined($self->{$var_name})) { + $group_used{$group_type} = 1; + my $name = $self->{$var_name}; + if (!$group_ok{$group_type}) { + return (undef, "Can't mix $self->{_srcdst} $group_type group [$name] and $group_type"); } - } - if ($group_used{address} and $group_used{network}) { - return (undef,"Can't combine network and address group for $self->{_srcdst}\n"); + my $group = new Vyatta::IpTables::IpSet($name, $group_type); + my ($set_rule, $err_str) = $group->rule($self->{_srcdst}); + return ($err_str,) if !defined $set_rule; + $rule .= $set_rule; } } - + if ($group_used{address} and $group_used{network}) { + return (undef,"Can't combine network and address group for $self->{_srcdst}\n"); + } return ($rule, undef); } diff --git a/lib/Vyatta/IpTables/IpSet.pm b/lib/Vyatta/IpTables/IpSet.pm index ea9bc8d..e293240 100755 --- a/lib/Vyatta/IpTables/IpSet.pm 
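Review bot: Removing the `_ip_version eq "ipv4"` guard lets IPv6 rules reach `new Vyatta::IpTables::IpSet($name, $group_type)`, but that constructor gains a family argument in this commit's IpSet.pm hunk and it is not passed here, so an ip6tables rule may be built against an `inet` set and fail at load time; pass `($self->{_ip_version} eq 'ipv6') ? 'inet6' : 'inet'` as the fourth argument. The moved line `return ($err_str,) if !defined $set_rule;` also returns the error in the rule slot while every other exit of this sub returns `(undef, $err)`, so a caller would treat the message as a rule fragment — it should read `return (undef, $err_str) if !defined $set_rule;`. The `rule` sub starts before the hunk.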
+++ b/lib/Vyatta/IpTables/IpSet.pm @@ -35,6 +35,7 @@ use warnings; my %fields = ( _name => undef, _type => undef, # vyatta group type, not ipset type + _family => undef, _exists => undef, _negate => undef, _debug => undef, @@ -65,7 +66,7 @@ sub INT_handler { $SIG{'INT'} = 'INT_handler'; sub new { - my ($that, $name, $type) = @_; + my ($that, $name, $type, $family) = @_; my $class = ref($that) || $that; my $self = {%fields,}; @@ -75,6 +76,7 @@ sub new { } $self->{_name} = $name; $self->{_type} = $type; + $self->{_family} = $family; bless $self, $class; return $self; @@ -192,7 +194,7 @@ sub create { $ipset_param .= ' --from 1 --to 65535'; } - my $cmd = "ipset -N $self->{_name} $ipset_param"; + my $cmd = "ipset -N $self->{_name} $ipset_param family $self->{_family}"; my $rc = $self->run_cmd($cmd); return "Error: call to ipset failed [$rc]" if $rc; return; # undef diff --git a/scripts/firewall/vyatta-ipset.pl b/scripts/firewall/vyatta-ipset.pl index b3fd806..f18237d 100755 --- a/scripts/firewall/vyatta-ipset.pl +++ b/scripts/firewall/vyatta-ipset.pl @@ -67,9 +67,9 @@ sub ipset_reset { } sub ipset_create { - my ($set_name, $set_type) = @_; + my ($set_name, $set_type, $set_family) = @_; - my $group = new Vyatta::IpTables::IpSet($set_name, $set_type); + my $group = new Vyatta::IpTables::IpSet($set_name, $set_type, $set_family); return $group->create(); } 
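Review bot: `create` now appends `family $self->{_family}` unconditionally, but `_family` is undef whenever `new` is called with three arguments (as AddressFilter.pm still does in this commit), producing a trailing `family ` with an uninitialized-value warning; and for the port type, created with `--from 1 --to 65535` (a bitmap set), ipset does not take a `family` option, so port-group creation is likely to fail. Default the field in `new` with `$self->{_family} = $family // 'inet';` and add the option only for address-backed types: `$cmd .= " family $self->{_family}" if $self->{_type} ne 'port';`. The same undef reaches `ipset_create` in the vyatta-ipset.pl hunk at the end of this line whenever `--set-family` is omitted.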
@@ -244,11 +244,30 @@ sub ipset_is_group_used { exit 1; } +sub ipset_is_group_defined { + my ($set_name, $set_type, $set_family) = @_; + my $cfg = new Vyatta::Config; + + die "Error: undefined set_name\n" if ! defined $set_name; + die "Error: undefined set_type\n" if ! defined $set_type; + die "Error: undefined set_family\n" if ! defined $set_family; + + my $gpath = ($set_family eq 'inet') ? "firewall ipv6-group $set_type-group" : "firewall group $set_type-group"; + my @groups = $cfg->listOrigNodes($gpath); + my $group; + foreach $group (@groups) { + if ($set_name eq $group) { + exit 1; + } + } + exit 0; +} + sub update_set { - my ($set_name, $set_type) = @_; + my ($set_name, $set_type, $set_family) = @_; my $cfg = new Vyatta::Config; my ($rc, $newset); - my $cpath = "firewall group $set_type-group $set_name"; + my $cpath = ($set_family eq 'inet') ? "firewall group $set_type-group $set_name" : "firewall ipv6-group $set_type-group $set_name"; if ($cfg->existsOrig($cpath)) { if (!$cfg->exists($cpath)) { # deleted @@ -258,7 +277,7 @@ sub update_set { } else { if ($cfg->exists($cpath)) { # added - return $rc if (($rc = ipset_create($set_name, $set_type))); + return $rc if (($rc = ipset_create($set_name, $set_type, $set_family))); $newset = 1; } else { # doesn't exist! should not happen @@ -367,11 +386,12 @@ sub show_port_groups { # # main # -my ($action, $set_name, $set_type, $member, $set_copy, $alias); +my ($action, $set_name, $set_type, $set_family, $member, $set_copy, $alias); GetOptions("action=s" => \$action, "set-name=s" => \$set_name, "set-type=s" => \$set_type, + "set-family=s" => \$set_family, "member=s" => \$member, "alias=s" => \$alias, "set-copy=s" => \$set_copy, 
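Review bot: `ipset_is_group_defined` consults `listOrigNodes`, i.e. only the committed configuration, so a group of the other family added in the same commit session is not seen and the name clash this check exists to prevent slips through; `listNodes` covers the working configuration. The `$set_family eq 'inet'` ternary has its branches reversed relative to `update_set` a few lines below — deliberate here, since it looks in the other family's tree, but it deserves a comment such as `# look in the OTHER family's tree: a name may not be shared between IPv4 and IPv6 groups`. The loop can become `exit 1 if grep { $_ eq $set_name } @groups;`, dropping the non-lexical `$group`.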
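Review bot: The new `--set-family` option is accepted as a free-form string and flows into the command string built in IpSet::create (`ipset -N ... family $self->{_family}`) without any check that it is one of the two values ipset understands, whereas `--set-name` is at least constrained by the templates' name patterns. Reject anything else right after GetOptions: `die "Error: set_family must be inet or inet6\n" if defined $set_family && $set_family !~ m/\A(?:inet|inet6)\z/;`. The main section continues past the hunk.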
@@ -386,7 +406,7 @@ show_network_groups() if $action eq 'show-network-groups'; $rc = ipset_reset($set_name, $set_type) if $action eq 'reset-set'; -$rc = ipset_create($set_name, $set_type) if $action eq 'create-set'; +$rc = ipset_create($set_name, $set_type, $set_family) if $action eq 'create-set'; $rc = ipset_delete($set_name) if $action eq 'delete-set'; @@ -411,8 +431,9 @@ $rc = ipset_is_group_deleted($set_name, $set_type) if $action eq 'is-group-deleted'; $rc = ipset_is_group_used($set_name, $set_type) if $action eq 'is-group-used'; +$rc = ipset_is_group_defined($set_name, $set_type, $set_family) if $action eq 'is-group-defined'; -$rc = update_set($set_name, $set_type) if $action eq 'update-set'; +$rc = update_set($set_name, $set_type, $set_family) if $action eq 'update-set'; $rc = prune_deleted_sets() if $action eq 'prune-deleted-sets'; if (defined $rc) { diff --git a/templates/firewall/group/address-group/node.def b/templates/firewall/group/address-group/node.def index 13b2e72..d89233d 100644 --- a/templates/firewall/group/address-group/node.def +++ b/templates/firewall/group/address-group/node.def @@ -15,7 +15,11 @@ syntax:expression: pattern $VAR(@) "^[^!]" ; \ syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ "Firewall group name cannot contain shell punctuation" +syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ + --set-type=address --set-family=inet"; \ + "Firewall group name already used as Ipv6 group address" + end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ - --set-name="$VAR(@)" --set-type=address; then + --set-name="$VAR(@)" --set-type=address --set-family=inet; then ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group address-group $VAR(@)" fi diff --git a/templates/firewall/group/network-group/node.def b/templates/firewall/group/network-group/node.def index 263a772..ed9810d 100644 --- a/templates/firewall/group/network-group/node.def 
+++ b/templates/firewall/group/network-group/node.def @@ -15,8 +15,12 @@ syntax:expression: pattern $VAR(@) "^[^!]" ; \ syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ "Firewall group name cannot contain shell punctuation" +syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ + --set-type=address --set-family=inet"; \ + "Firewall group name already used as Ipv6 group address" + end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ - --set-name="$VAR(@)" --set-type=network; then + --set-name="$VAR(@)" --set-type=network --set-family=inet; then ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group network-group $VAR(@)" fi diff --git a/templates/firewall/ipv6-group/address-group/node.def b/templates/firewall/ipv6-group/address-group/node.def new file mode 100644 index 0000000..b61f784 --- /dev/null +++ b/templates/firewall/ipv6-group/address-group/node.def @@ -0,0 +1,25 @@ +tag: +priority: 200 +type: txt +help: Firewall address-group + +syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \ + "Firewall group name must be 31 characters or less" + +syntax:expression: pattern $VAR(@) "^[^-]" ; \ + "Firewall group name cannot start with \"-\"" + +syntax:expression: pattern $VAR(@) "^[^!]" ; \ + "Firewall group name cannot start with \"!\"" + +syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ + "Firewall group name cannot contain shell punctuation" + +syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ + --set-type=address --set-family=inet6"; \ + "Firewall group name already used as Ipv4 group address" + +end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ + --set-name="$VAR(@)" --set-type=address --set-family=inet6; then + ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group address-group $VAR(@)" + fi 
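Review bot: The `is-group-defined` check added to the IPv4 network-group template passes `--set-type=address`, copied from the address-group template, so it tests whether an IPv6 address group has the name and never catches a clash with an IPv6 network group, and the failure text names "group address" for a network group. Change the two lines to `--set-type=network --set-family=inet"; \` and `"Firewall group name already used as Ipv6 group network"`. The `end:` action in the same hunk correctly passes `--set-type=network`, which confirms the mismatch.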
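Review bot: The `end:` action of the new IPv6 address-group template reports the trap level as `firewall group address-group $VAR(@)`, the IPv4 path, while the IPv6 network-group template in this commit uses `firewall ipv6-group network-group`; SNMP consumers will attribute IPv6 address-group changes to the wrong node. Use `--level="firewall ipv6-group address-group $VAR(@)"`. The surrounding name-pattern checks are a verbatim copy of the IPv4 template, which is appropriate since both families share one ipset namespace.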
diff --git a/templates/firewall/ipv6-group/address-group/node.tag/address/node.def b/templates/firewall/ipv6-group/address-group/node.tag/address/node.def new file mode 100644 index 0000000..ba944e6 --- /dev/null +++ b/templates/firewall/ipv6-group/address-group/node.tag/address/node.def @@ -0,0 +1,6 @@ +multi: +type: txt +help: Address-group member +val_help: ipv6; IPv6 address to match + +syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" diff --git a/templates/firewall/ipv6-group/address-group/node.tag/description/node.def b/templates/firewall/ipv6-group/address-group/node.tag/description/node.def new file mode 100644 index 0000000..032553a --- /dev/null +++ b/templates/firewall/ipv6-group/address-group/node.tag/description/node.def @@ -0,0 +1,2 @@ +type: txt +help: IPv6 Address-group description diff --git a/templates/firewall/ipv6-group/network-group/node.def b/templates/firewall/ipv6-group/network-group/node.def new file mode 100644 index 0000000..90383c2 --- /dev/null +++ b/templates/firewall/ipv6-group/network-group/node.def @@ -0,0 +1,21 @@ +tag: +priority: 200 +type: txt +help: Firewall network-group + +syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \ + "Firewall group name must be 31 characters or less" + +syntax:expression: pattern $VAR(@) "^[^-]" ; \ + "Firewall group name cannot start with \"-\"" + +syntax:expression: pattern $VAR(@) "^[^!]" ; \ + "Firewall group name cannot start with \"!\"" + +syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ + "Firewall group name cannot contain shell punctuation" + +end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ + --set-name="$VAR(@)" --set-type=network --set-family=inet6; then + ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall ipv6-group network-group $VAR(@)" + fi 
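Review bot: The new IPv6 network-group template has no `is-group-defined` syntax check, unlike the IPv6 address-group template and the two IPv4 templates changed in this commit, so an IPv6 network group may take the name of an IPv4 network group; both become `ipset -N <name>` in the single ipset namespace, so the second create fails or rules end up matching the other family's set. Add the same block as the sibling template, `syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) --set-type=network --set-family=inet6"; \` followed by `"Firewall group name already used as Ipv4 group network"`.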
diff --git a/templates/firewall/ipv6-group/network-group/node.tag/description/node.def b/templates/firewall/ipv6-group/network-group/node.tag/description/node.def new file mode 100644 index 0000000..52bb8e4 --- /dev/null +++ b/templates/firewall/ipv6-group/network-group/node.tag/description/node.def @@ -0,0 +1,2 @@ +type: txt +help: Network-group description diff --git a/templates/firewall/ipv6-group/network-group/node.tag/network/node.def b/templates/firewall/ipv6-group/network-group/node.tag/network/node.def new file mode 100644 index 0000000..879a164 --- /dev/null +++ b/templates/firewall/ipv6-group/network-group/node.tag/network/node.def @@ -0,0 +1,8 @@ +multi: +type: ipv6net +help: Network-group member +val_help: ipv6net; IPv6 Subnet to match + +syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" + +syntax:expression: exec "/opt/vyatta/sbin/check_prefix_boundary $VAR(@)" diff --git a/templates/firewall/ipv6-group/node.def b/templates/firewall/ipv6-group/node.def new file mode 100644 index 0000000..3c87f34 --- /dev/null +++ b/templates/firewall/ipv6-group/node.def @@ -0,0 +1 @@ +help: IPv6 Firewall group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def new file mode 100644 index 0000000..71a4326 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def @@ -0,0 +1,9 @@ +type: txt +help: Group of addresses + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=address;" + +allowed: cli-shell-api listNodes firewall ipv6-group address-group 
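Review bot: The `commit:expression` for group references under `firewall ipv6-name` calls `check-set-type` with only `--set-name` and `--set-type`, so a rule can be committed against an `inet` set of the same name (IPv4 and IPv6 groups share the ipset namespace) and the ip6tables load fails later instead of at commit; `allowed:` only steers completion and enforces nothing. Pass `--set-family=inet6 \` in the call and extend check-set-type to compare it with the set's family (its implementation is outside this diff). The same applies to the destination network-group template and both source/* templates on the following lines; the port-group templates intentionally point at the shared `firewall group port-group`.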
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def new file mode 100644 index 0000000..b3e2718 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def @@ -0,0 +1,8 @@ +type: txt +help: Group of networks + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=network;" +allowed: cli-shell-api listNodes firewall ipv6-group network-group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/node.def new file mode 100644 index 0000000..bb11dae --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/node.def @@ -0,0 +1 @@ +help: Destination group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/port-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/port-group/node.def new file mode 100644 index 0000000..985302b --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/port-group/node.def @@ -0,0 +1,8 @@ +type: txt +help: Group of ports + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=port;" +allowed: cli-shell-api listNodes firewall group port-group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def new file mode 100644 index 0000000..63f0540 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def 
@@ -0,0 +1,8 @@ +type: txt +help: Group of addresses + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=address;" +allowed: cli-shell-api listNodes firewall ipv6-group address-group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def new file mode 100644 index 0000000..b3e2718 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def @@ -0,0 +1,8 @@ +type: txt +help: Group of networks + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=network;" +allowed: cli-shell-api listNodes firewall ipv6-group network-group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/node.def new file mode 100644 index 0000000..7b36071 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/node.def @@ -0,0 +1 @@ +help: Source group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/port-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/port-group/node.def new file mode 100644 index 0000000..985302b --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/port-group/node.def @@ -0,0 +1,8 @@ +type: txt +help: Group of ports + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=port;" +allowed: cli-shell-api listNodes firewall group port-group diff --git a/templates/firewall/node.def b/templates/firewall/node.def deleted file mode 100644 index ef135d6..0000000 --- a/templates/firewall/node.def +++ /dev/null 
@@ -1,3 +0,0 @@ -priority: 199 -help: Firewall -end: ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="$VAR(@)" \ No newline at end of file -- cgit v1.2.3 From 4e3ea201d7902d9a0641bbecf42d7e837595e01b Mon Sep 17 00:00:00 2001 From: Marian Tudosoiu Date: Mon, 12 Mar 2018 12:58:25 +0200 Subject: Task T35 add generation of SNMP traps on firewall config changes --- templates/firewall/node.def | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 templates/firewall/node.def diff --git a/templates/firewall/node.def b/templates/firewall/node.def new file mode 100644 index 0000000..ef135d6 --- /dev/null +++ b/templates/firewall/node.def @@ -0,0 +1,3 @@ +priority: 199 +help: Firewall +end: ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="$VAR(@)" \ No newline at end of file -- cgit v1.2.3 From 65410961b33a072addf91dce7879f6a734aa2187 Mon Sep 17 00:00:00 2001 
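Review bot: The re-added `end:` in `templates/firewall/node.def` makes the exit status of `vyatta-firewall-trap.pl` the exit status of the whole `firewall` node's end action, and in this template system a non-zero `end:` fails the commit. If the trap script exits non-zero when it cannot send (for instance when snmpd is stopped — the earlier "status of snmpd" change in this script suggests it checks that), an SNMP notification problem would block every firewall configuration change. Trap emission is best-effort by nature; I would decouple it: `end: ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="$VAR(@)" || true`, or have the script itself always exit 0 after logging. Please confirm the script's exit-code contract, which is not visible here.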
From: Marian Tudosoiu Date: Wed, 14 Mar 2018 10:27:25 +0200 Subject: Task T35 change to place ipv6 address-groups and network groups under group config tree --- scripts/firewall/vyatta-ipset.pl | 4 ++-- .../firewall/group/ipv6-address-group/node.def | 25 ++++++++++++++++++++++ .../ipv6-address-group/node.tag/address/node.def | 6 ++++++ .../node.tag/description/node.def | 2 ++ .../firewall/group/ipv6-network-group/node.def | 25 ++++++++++++++++++++++ .../node.tag/description/node.def | 2 ++ .../ipv6-network-group/node.tag/network/node.def | 8 +++++++ .../firewall/ipv6-group/address-group/node.def | 25 ---------------------- .../address-group/node.tag/address/node.def | 6 ------ .../address-group/node.tag/description/node.def | 2 -- .../firewall/ipv6-group/network-group/node.def | 21 ------------------ .../network-group/node.tag/description/node.def | 2 -- .../network-group/node.tag/network/node.def | 8 ------- templates/firewall/ipv6-group/node.def | 1 - 14 files changed, 70 insertions(+), 67 deletions(-) create mode 100644 templates/firewall/group/ipv6-address-group/node.def create mode 100644 templates/firewall/group/ipv6-address-group/node.tag/address/node.def create mode 100644 templates/firewall/group/ipv6-address-group/node.tag/description/node.def create mode 100644 templates/firewall/group/ipv6-network-group/node.def create mode 100644 templates/firewall/group/ipv6-network-group/node.tag/description/node.def create mode 100644 templates/firewall/group/ipv6-network-group/node.tag/network/node.def delete mode 100644 templates/firewall/ipv6-group/address-group/node.def delete mode 100644 templates/firewall/ipv6-group/address-group/node.tag/address/node.def delete mode 100644 templates/firewall/ipv6-group/address-group/node.tag/description/node.def delete mode 100644 templates/firewall/ipv6-group/network-group/node.def delete mode 100644 templates/firewall/ipv6-group/network-group/node.tag/description/node.def delete mode 100644 
templates/firewall/ipv6-group/network-group/node.tag/network/node.def delete mode 100644 templates/firewall/ipv6-group/node.def diff --git a/scripts/firewall/vyatta-ipset.pl b/scripts/firewall/vyatta-ipset.pl index f18237d..0f7f731 100755 --- a/scripts/firewall/vyatta-ipset.pl +++ b/scripts/firewall/vyatta-ipset.pl @@ -252,7 +252,7 @@ sub ipset_is_group_defined { die "Error: undefined set_type\n" if ! defined $set_type; die "Error: undefined set_family\n" if ! defined $set_family; - my $gpath = ($set_family eq 'inet') ? "firewall ipv6-group $set_type-group" : "firewall group $set_type-group"; + my $gpath = ($set_family eq 'inet') ? "firewall group ipv6-$set_type-group" : "firewall group $set_type-group"; my @groups = $cfg->listOrigNodes($gpath); my $group; foreach $group (@groups) { @@ -267,7 +267,7 @@ sub update_set { my ($set_name, $set_type, $set_family) = @_; my $cfg = new Vyatta::Config; my ($rc, $newset); - my $cpath = ($set_family eq 'inet') ? "firewall group $set_type-group $set_name" : "firewall ipv6-group $set_type-group $set_name"; + my $cpath = ($set_family eq 'inet') ? "firewall group $set_type-group $set_name" : "firewall group ipv6-$set_type-group $set_name"; if ($cfg->existsOrig($cpath)) { if (!$cfg->exists($cpath)) { # deleted diff --git a/templates/firewall/group/ipv6-address-group/node.def b/templates/firewall/group/ipv6-address-group/node.def new file mode 100644 index 0000000..7ce50d2 --- /dev/null +++ b/templates/firewall/group/ipv6-address-group/node.def 
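Review bot: `ipset_is_group_defined` still reads the other family's tree with `$cfg->listOrigNodes($gpath)`; if that call returns the committed configuration, as its name suggests, the cross-family name check cannot see a group created earlier in the same uncommitted session, so `set firewall group address-group X` followed by `set firewall group ipv6-address-group X` passes both syntax checks and the collision only surfaces when `update-set` runs `ipset -N` at commit. Using `my @groups = $cfg->listNodes($gpath);` (the working configuration) would make the check see the pending group — please confirm which view the syntax check is meant to consult. Note also that the path only compares same-typed groups (`$set_type-group`), so an IPv4 network-group and an IPv6 address-group with the same name are never compared even though, if ipset's set namespace is flat, they collide the same way. Both `ipset_is_group_defined` and `update_set` continue outside these hunks.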
@@ -0,0 +1,25 @@ +tag: +priority: 200 +type: txt +help: Firewall address-group + +syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \ + "Firewall group name must be 31 characters or less" + +syntax:expression: pattern $VAR(@) "^[^-]" ; \ + "Firewall group name cannot start with \"-\"" + +syntax:expression: pattern $VAR(@) "^[^!]" ; \ + "Firewall group name cannot start with \"!\"" + +syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ + "Firewall group name cannot contain shell punctuation" + +syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ + --set-type=address --set-family=inet6"; \ + "Firewall group name already used as Ipv4 group address" + +end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ + --set-name="$VAR(@)" --set-type=address --set-family=inet6; then + ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group ipv6-address-group $VAR(@)" + fi diff --git a/templates/firewall/group/ipv6-address-group/node.tag/address/node.def b/templates/firewall/group/ipv6-address-group/node.tag/address/node.def new file mode 100644 index 0000000..ba944e6 --- /dev/null +++ b/templates/firewall/group/ipv6-address-group/node.tag/address/node.def @@ -0,0 +1,6 @@ +multi: +type: txt +help: Address-group member +val_help: ipv6; IPv6 address to match + +syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" diff --git a/templates/firewall/group/ipv6-address-group/node.tag/description/node.def b/templates/firewall/group/ipv6-address-group/node.tag/description/node.def new file mode 100644 index 0000000..f630483 --- /dev/null +++ b/templates/firewall/group/ipv6-address-group/node.tag/description/node.def @@ -0,0 +1,2 @@ +type: txt +help: IPv6 Address-group description \ No newline at end of file diff --git a/templates/firewall/group/ipv6-network-group/node.def b/templates/firewall/group/ipv6-network-group/node.def new file mode 100644 index 0000000..299b8cc 
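Review bot: The new `ipv6-address-group/node.def` reuses the `^[^|;&$<>]*$` "shell punctuation" denylist, which still admits backtick, backslash, single and double quotes, parentheses and glob characters, and the group name is then interpolated into shell strings here (`--set-name=$VAR(@)` in the `is-group-defined` exec, `--set-name="$VAR(@)"` under `sudo` in `end:`) and later into the `ipset -N $self->{_name} …` string built in IpSet.pm. Whether that final string goes through a shell is not visible on this page; if it does, a backslash-escaped backtick survives the double quotes in `end:` and reaches root intact. A positive allowlist is the safer shape: `syntax:expression: pattern $VAR(@) "^[A-Za-z0-9_.-]{1,31}$" ; "Firewall group name may contain only letters, digits, '_', '.' and '-'"`, keeping the existing `^[^-]` and `^[^!]` checks. Since this tightens what existing configurations may contain, it would need a migration note.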
--- /dev/null +++ b/templates/firewall/group/ipv6-network-group/node.def @@ -0,0 +1,25 @@ +tag: +priority: 200 +type: txt +help: Firewall network-group + +syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \ + "Firewall group name must be 31 characters or less" + +syntax:expression: pattern $VAR(@) "^[^-]" ; \ + "Firewall group name cannot start with \"-\"" + +syntax:expression: pattern $VAR(@) "^[^!]" ; \ + "Firewall group name cannot start with \"!\"" + +syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ + "Firewall group name cannot contain shell punctuation" + +syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ + --set-type=network --set-family=inet6"; \ + "Firewall group name already used as Ipv6 group address" + +end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ + --set-name="$VAR(@)" --set-type=network --set-family=inet6; then + ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group ipv6-network-group $VAR(@)" + fi diff --git a/templates/firewall/group/ipv6-network-group/node.tag/description/node.def b/templates/firewall/group/ipv6-network-group/node.tag/description/node.def new file mode 100644 index 0000000..cc905df --- /dev/null +++ b/templates/firewall/group/ipv6-network-group/node.tag/description/node.def @@ -0,0 +1,2 @@ +type: txt +help: IPv6-network-group description diff --git a/templates/firewall/group/ipv6-network-group/node.tag/network/node.def b/templates/firewall/group/ipv6-network-group/node.tag/network/node.def new file mode 100644 index 0000000..879a164 --- /dev/null +++ b/templates/firewall/group/ipv6-network-group/node.tag/network/node.def @@ -0,0 +1,8 @@ +multi: +type: ipv6net +help: Network-group member +val_help: ipv6net; IPv6 Subnet to match + +syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" + +syntax:expression: exec "/opt/vyatta/sbin/check_prefix_boundary $VAR(@)" 
diff --git a/templates/firewall/ipv6-group/address-group/node.def b/templates/firewall/ipv6-group/address-group/node.def deleted file mode 100644 index b61f784..0000000 --- a/templates/firewall/ipv6-group/address-group/node.def +++ /dev/null @@ -1,25 +0,0 @@ -tag: -priority: 200 -type: txt -help: Firewall address-group - -syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \ - "Firewall group name must be 31 characters or less" - -syntax:expression: pattern $VAR(@) "^[^-]" ; \ - "Firewall group name cannot start with \"-\"" - -syntax:expression: pattern $VAR(@) "^[^!]" ; \ - "Firewall group name cannot start with \"!\"" - -syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ - "Firewall group name cannot contain shell punctuation" - -syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ - --set-type=address --set-family=inet6"; \ - "Firewall group name already used as Ipv4 group address" - -end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ - --set-name="$VAR(@)" --set-type=address --set-family=inet6; then - ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group address-group $VAR(@)" - fi diff --git a/templates/firewall/ipv6-group/address-group/node.tag/address/node.def b/templates/firewall/ipv6-group/address-group/node.tag/address/node.def deleted file mode 100644 index ba944e6..0000000 --- a/templates/firewall/ipv6-group/address-group/node.tag/address/node.def +++ /dev/null @@ -1,6 +0,0 @@ -multi: -type: txt -help: Address-group member -val_help: ipv6; IPv6 address to match - -syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" diff --git a/templates/firewall/ipv6-group/address-group/node.tag/description/node.def b/templates/firewall/ipv6-group/address-group/node.tag/description/node.def deleted file mode 100644 index 032553a..0000000 --- a/templates/firewall/ipv6-group/address-group/node.tag/description/node.def +++ /dev/null 
@@ -1,2 +0,0 @@ -type: txt -help: IPv6 Address-group description diff --git a/templates/firewall/ipv6-group/network-group/node.def b/templates/firewall/ipv6-group/network-group/node.def deleted file mode 100644 index 90383c2..0000000 --- a/templates/firewall/ipv6-group/network-group/node.def +++ /dev/null @@ -1,21 +0,0 @@ -tag: -priority: 200 -type: txt -help: Firewall network-group - -syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \ - "Firewall group name must be 31 characters or less" - -syntax:expression: pattern $VAR(@) "^[^-]" ; \ - "Firewall group name cannot start with \"-\"" - -syntax:expression: pattern $VAR(@) "^[^!]" ; \ - "Firewall group name cannot start with \"!\"" - -syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ - "Firewall group name cannot contain shell punctuation" - -end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ - --set-name="$VAR(@)" --set-type=network --set-family=inet6; then - ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall ipv6-group network-group $VAR(@)" - fi diff --git a/templates/firewall/ipv6-group/network-group/node.tag/description/node.def b/templates/firewall/ipv6-group/network-group/node.tag/description/node.def deleted file mode 100644 index 52bb8e4..0000000 --- a/templates/firewall/ipv6-group/network-group/node.tag/description/node.def +++ /dev/null @@ -1,2 +0,0 @@ -type: txt -help: Network-group description diff --git a/templates/firewall/ipv6-group/network-group/node.tag/network/node.def b/templates/firewall/ipv6-group/network-group/node.tag/network/node.def deleted file mode 100644 index 879a164..0000000 --- a/templates/firewall/ipv6-group/network-group/node.tag/network/node.def +++ /dev/null @@ -1,8 +0,0 @@ -multi: -type: ipv6net -help: Network-group member -val_help: ipv6net; IPv6 Subnet to match - -syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" - -syntax:expression: exec "/opt/vyatta/sbin/check_prefix_boundary $VAR(@)" 
diff --git a/templates/firewall/ipv6-group/node.def b/templates/firewall/ipv6-group/node.def deleted file mode 100644 index 3c87f34..0000000 --- a/templates/firewall/ipv6-group/node.def +++ /dev/null @@ -1 +0,0 @@ -help: IPv6 Firewall group -- cgit v1.2.3 From b831173966f0df13c1e916e85005a8e79ec93fe8 Mon Sep 17 00:00:00 2001 From: mtudosoiu Date: Wed, 14 Mar 2018 10:32:41 +0200 Subject: Task T35 place ipv6 groups under group config tree --- lib/Vyatta/IpTables/IpSet.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/Vyatta/IpTables/IpSet.pm b/lib/Vyatta/IpTables/IpSet.pm index e293240..cee7935 100755 --- a/lib/Vyatta/IpTables/IpSet.pm +++ b/lib/Vyatta/IpTables/IpSet.pm @@ -471,7 +471,7 @@ sub get_firewall_references { my @fw_refs = (); return @fw_refs if !$self->exists(); my $config = new Vyatta::Config; - foreach my $tree ('name', 'modify') { + foreach my $tree ('name', 'ipv6-name', 'modify') { my $path = "firewall $tree "; $config->setLevel($path); my @names = $config->$lfunc(); -- cgit v1.2.3 From 6a5ef5fbfa2d1f399bf3584710c5e1a7f9380b30 Mon Sep 17 00:00:00 2001 From: mtudosoiu Date: Wed, 14 Mar 2018 11:06:05 +0200 Subject: Task T35 place ipv6 groups under group config tree --- templates/firewall/group/ipv6-address-group/node.tag/address/node.def | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/firewall/group/ipv6-address-group/node.tag/address/node.def b/templates/firewall/group/ipv6-address-group/node.tag/address/node.def index ba944e6..5bd948b 100644 --- a/templates/firewall/group/ipv6-address-group/node.tag/address/node.def +++ b/templates/firewall/group/ipv6-address-group/node.tag/address/node.def @@ -3,4 +3,7 @@ type: txt help: Address-group member val_help: ipv6; IPv6 address to match +syntax:expression: pattern $VAR(@) "^[^|;&$<>/]*$" ; \ + "Error [$VAR(@)] isn't valid IPv6 host address" + syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" -- cgit v1.2.3 
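Review bot: The tree list in `get_firewall_references` gains `ipv6-name` but not an IPv6 counterpart of `modify`; if this package also ships a `firewall ipv6-modify` tree (the templates directory is not visible from this hunk), a group referenced only from there is still reported as unreferenced, and whatever relies on this count — deletion guards or pruning — will treat the set as free. Either extend the list, `foreach my $tree ('name', 'ipv6-name', 'modify', 'ipv6-modify') {`, or derive it from the trees that actually exist rather than hard-coding it. The remainder of the function lies outside the hunk.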
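Review bot: The added pattern `^[^|;&$<>/]*$` in `ipv6-address-group/node.tag/address/node.def` does two unrelated things — rejects shell metacharacters and rejects a `/` prefix — but its message says only "isn't valid IPv6 host address", so a user who types `2001:db8::1;` is told the address is malformed rather than that the character is disallowed. Because the following line runs `vyatta-validate-type ipv6_addr_param $VAR(@)` with the value unquoted in an exec string (presumably through a shell), the real job of this line is to guard that exec; I would split it into two checks with honest messages: `pattern $VAR(@) "^[^|;&$<>]*$" ; "Address cannot contain shell punctuation"` followed by `pattern $VAR(@) "^[^/]*$" ; "Address-group member must be a host address, not a prefix"`.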
From a17ae5f48dfa1007df6fdd19f267b25f965df143 Mon Sep 17 00:00:00 2001 From: mtudosoiu Date: Wed, 14 Mar 2018 11:06:11 +0200 Subject: Task T35 place ipv6 groups under group config tree --- .../node.tag/rule/node.tag/destination/group/address-group/node.def | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def index 71a4326..961663c 100644 --- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def @@ -6,4 +6,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ --set-name=$VAR(@) \ --set-type=address;" -allowed: cli-shell-api listNodes firewall ipv6-group address-group +allowed: cli-shell-api listNodes firewall group ipv6-address-group -- cgit v1.2.3 From 0de8ac70a62573de2975ff14dd9e776ea942821b Mon Sep 17 00:00:00 2001 From: mtudosoiu Date: Wed, 14 Mar 2018 11:06:41 +0200 Subject: Task T35 place ipv6 groups under group config tree --- .../node.tag/rule/node.tag/destination/group/network-group/node.def | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def index b3e2718..262c4dd 100644 --- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def 
@@ -5,4 +5,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ --action=check-set-type \ --set-name=$VAR(@) \ --set-type=network;" -allowed: cli-shell-api listNodes firewall ipv6-group network-group +allowed: cli-shell-api listNodes firewall group ipv6-network-group -- cgit v1.2.3 From 5d918bf6b1a0457a8a1f202ab99f6252e97bcb4a Mon Sep 17 00:00:00 2001 From: mtudosoiu Date: Wed, 14 Mar 2018 11:07:11 +0200 Subject: Task T35 place ipv6 groups under group config tree --- .../node.tag/rule/node.tag/source/group/address-group/node.def | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def index 63f0540..9323938 100644 --- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def @@ -5,4 +5,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ --action=check-set-type \ --set-name=$VAR(@) \ --set-type=address;" -allowed: cli-shell-api listNodes firewall ipv6-group address-group +allowed: cli-shell-api listNodes firewall group ipv6-address-group -- cgit v1.2.3 From 1fa169f72c2196a62d1f5fb3d0bce3bcf55a87be Mon Sep 17 00:00:00 2001 From: mtudosoiu Date: Wed, 14 Mar 2018 11:07:42 +0200 Subject: Task T35 place ipv6 groups under group config tree --- .../node.tag/rule/node.tag/source/group/network-group/node.def | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def index b3e2718..262c4dd 100644 --- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def 
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def @@ -5,4 +5,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ --action=check-set-type \ --set-name=$VAR(@) \ --set-type=network;" -allowed: cli-shell-api listNodes firewall ipv6-group network-group +allowed: cli-shell-api listNodes firewall group ipv6-network-group -- cgit v1.2.3 From 1d21300885e606ec9e8da2b9a9b7af898d896a24 Mon Sep 17 00:00:00 2001 From: Marian Tudosoiu Date: Wed, 14 Mar 2018 11:14:34 +0200 Subject: Task T35 place ipv6 groups under group config tree --- templates/firewall/group/ipv6-address-group/node.def | 2 +- templates/firewall/group/ipv6-network-group/node.def | 4 ++-- templates/firewall/group/network-group/node.def | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/templates/firewall/group/ipv6-address-group/node.def b/templates/firewall/group/ipv6-address-group/node.def index 7ce50d2..20e4430 100644 --- a/templates/firewall/group/ipv6-address-group/node.def +++ b/templates/firewall/group/ipv6-address-group/node.def @@ -1,7 +1,7 @@ tag: priority: 200 type: txt -help: Firewall address-group +help: Firewall ipv6-address-group syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \ "Firewall group name must be 31 characters or less" diff --git a/templates/firewall/group/ipv6-network-group/node.def b/templates/firewall/group/ipv6-network-group/node.def index 299b8cc..084fdb0 100644 --- a/templates/firewall/group/ipv6-network-group/node.def +++ b/templates/firewall/group/ipv6-network-group/node.def @@ -1,7 +1,7 @@ tag: priority: 200 type: txt -help: Firewall network-group +help: Firewall ipv6-network-group syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \ "Firewall group name must be 31 characters or less" 
@@ -17,7 +17,7 @@ syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ --set-type=network --set-family=inet6"; \ - "Firewall group name already used as Ipv6 group address" + "Firewall group name already used as Ipv4 group address" end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ --set-name="$VAR(@)" --set-type=network --set-family=inet6; then diff --git a/templates/firewall/group/network-group/node.def b/templates/firewall/group/network-group/node.def index ed9810d..14b8366 100644 --- a/templates/firewall/group/network-group/node.def +++ b/templates/firewall/group/network-group/node.def @@ -16,7 +16,7 @@ syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ "Firewall group name cannot contain shell punctuation" syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ - --set-type=address --set-family=inet"; \ + --set-type=network --set-family=inet"; \ "Firewall group name already used as Ipv6 group address" end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ -- cgit v1.2.3 From 9e61589926f6801c318406d373d5b9d01922e12e Mon Sep 17 00:00:00 2001 From: Marian Tudosoiu Date: Fri, 23 Mar 2018 11:00:49 +0200 Subject: Task T35 change to solve port-group issue --- lib/Vyatta/IpTables/IpSet.pm | 4 +++- templates/firewall/group/port-group/node.def | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/Vyatta/IpTables/IpSet.pm b/lib/Vyatta/IpTables/IpSet.pm index cee7935..5258773 100755 --- a/lib/Vyatta/IpTables/IpSet.pm +++ b/lib/Vyatta/IpTables/IpSet.pm 
@@ -190,11 +190,13 @@ sub create { my $ipset_param = $grouptype_hash{$self->{_type}}; return "Error: invalid group type\n" if !defined $ipset_param; + my $cmd = "ipset -N $self->{_name} $ipset_param family $self->{_family}"; + if ($self->{_type} eq 'port') { $ipset_param .= ' --from 1 --to 65535'; + my $cmd = "ipset -N $self->{_name} $ipset_param"; } - my $cmd = "ipset -N $self->{_name} $ipset_param family $self->{_family}"; my $rc = $self->run_cmd($cmd); return "Error: call to ipset failed [$rc]" if $rc; return; # undef diff --git a/templates/firewall/group/port-group/node.def b/templates/firewall/group/port-group/node.def index 1484be2..729165f 100644 --- a/templates/firewall/group/port-group/node.def +++ b/templates/firewall/group/port-group/node.def @@ -16,6 +16,6 @@ syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ "Firewall group name cannot contain shell punctuation" end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ - --set-name="$VAR(@)" --set-type=port; then + --set-name="$VAR(@)" --set-type=port --set-family=inet; then ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group port-group $VAR(@)" fi -- cgit v1.2.3 From fc5e3b8bb61690619ee739f11cac54abb689d5f2 Mon Sep 17 00:00:00 2001 From: mtudosoiu Date: Mon, 26 Mar 2018 09:04:35 +0300 Subject: Task T35 - fixing scoping rules --- lib/Vyatta/IpTables/IpSet.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/Vyatta/IpTables/IpSet.pm b/lib/Vyatta/IpTables/IpSet.pm index 5258773..ba5e68d 100755 --- a/lib/Vyatta/IpTables/IpSet.pm +++ b/lib/Vyatta/IpTables/IpSet.pm @@ -194,7 +194,7 @@ sub create { if ($self->{_type} eq 'port') { $ipset_param .= ' --from 1 --to 65535'; - my $cmd = "ipset -N $self->{_name} $ipset_param"; + $cmd = "ipset -N $self->{_name} $ipset_param"; } my $rc = $self->run_cmd($cmd); -- cgit v1.2.3 From f6e4c60702f810cc06449782f64c7e5a7e20abb2 Mon Sep 17 00:00:00 2001 
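Review bot: After the scoping fix, `$cmd` for non-port sets still interpolates `$self->{_family}` without checking it is defined; a caller that builds an IpSet without a family produces `… family ` with an empty value, `ipset` rejects it, and the caller only sees "call to ipset failed" with no hint why. The port-group template in the same series had to grow `--set-family=inet` for exactly this reason, which suggests other call paths may still omit it. Fail early and name the cause: `return "Error: undefined family for set $self->{_name}\n" if $self->{_type} ne 'port' && !defined $self->{_family};` placed before `$cmd` is assembled. `create` and `run_cmd` continue outside the hunk, so I cannot tell whether `$cmd` is handed to a shell; if it is, the set name should be passed as a separate list argument rather than interpolated.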
From: Marian Tudosoiu Date: Wed, 11 Apr 2018 11:13:14 +0300 Subject: Task T35 - fixing prune_deleted_sets for inet6 family --- lib/Vyatta/IpTables/IpSet.pm | 19 +++++++++++++++++++ scripts/firewall/vyatta-ipset.pl | 2 ++ 2 files changed, 21 insertions(+) diff --git a/lib/Vyatta/IpTables/IpSet.pm b/lib/Vyatta/IpTables/IpSet.pm index ba5e68d..276b845 100755 --- a/lib/Vyatta/IpTables/IpSet.pm +++ b/lib/Vyatta/IpTables/IpSet.pm @@ -137,6 +137,25 @@ sub get_type { return $self->{_type}; } +sub get_family { + my ($self) = @_; + return $self->{_family} if defined $self->{_family}; + return if !$self->exists(); + my @lines = `ipset -L $self->{_name}`; + my $family; + foreach my $line (@lines) { + if ($line =~ /^Header: family (\w+) hashsize/) { + $family = $1; + $self->{_family} = $family; + last; + } elsif ($line =~ /^Type: bitmap:port$/){ + $self->{_family} = "inet"; + last; + } + } + return $self->{_family}; +} + sub alphanum_split { my ($str) = @_; my @list = split m/(?=(?<=\D)\d|(?<=\d)\D)/, $str; diff --git a/scripts/firewall/vyatta-ipset.pl b/scripts/firewall/vyatta-ipset.pl index 0f7f731..e5b2fd1 100755 --- a/scripts/firewall/vyatta-ipset.pl +++ b/scripts/firewall/vyatta-ipset.pl @@ -350,6 +350,8 @@ sub prune_deleted_sets { # only try groups with no references if ($group->exists() && ($group->references() == 0)) { my $type = $group->get_type(); + my $family = $group->get_family(); + ($family eq 'inet') ? $cfg->setLevel("firewall group $type-group") : $cfg->setLevel("firewall group ipv6-$type-group"); $cfg->setLevel("firewall group $type-group"); next if ($cfg->isEffective($set)); # don't prune if still in config my $rc; -- cgit v1.2.3 From 7272364a23c9f00f17f719c1efee756d960e8984 Mon Sep 17 00:00:00 2001 
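Review bot: `get_family` shells out with backticks, `ipset -L $self->{_name}`, interpolating the set name into a command line that runs as root (the script is invoked under `sudo` from the templates); the name is constrained by the template patterns, but those are a denylist that still lets backtick and quote characters through, so this code should not depend on them. The list-form pipe open never involves a shell: `open my $fh, '-|', 'ipset', '-L', $self->{_name} or return;` then `my @lines = <$fh>; close $fh;`. `ipset -L` also dumps every member when only the header is needed; if the installed ipset supports `-t`/`--terse`, pass it. Finally, a set whose listing has neither a `family` word in the header nor `Type: bitmap:port` leaves `_family` unset and the method returns undef — callers must treat that as "unknown", not as a family.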
From: Marian Tudosoiu Date: Thu, 19 Apr 2018 10:57:25 +0300 Subject: Task T35 - enable prune-deleted-sets for inet6 family firewall templates --- scripts/firewall/vyatta-ipset.pl | 1 - templates/firewall/ipv6-name/node.def | 10 +++++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/scripts/firewall/vyatta-ipset.pl b/scripts/firewall/vyatta-ipset.pl index e5b2fd1..65e0325 100755 --- a/scripts/firewall/vyatta-ipset.pl +++ b/scripts/firewall/vyatta-ipset.pl @@ -352,7 +352,6 @@ sub prune_deleted_sets { my $type = $group->get_type(); my $family = $group->get_family(); ($family eq 'inet') ? $cfg->setLevel("firewall group $type-group") : $cfg->setLevel("firewall group ipv6-$type-group"); - $cfg->setLevel("firewall group $type-group"); next if ($cfg->isEffective($set)); # don't prune if still in config my $rc; $rc = ipset_delete($set); diff --git a/templates/firewall/ipv6-name/node.def b/templates/firewall/ipv6-name/node.def index e7e1167..2e20b9a 100644 --- a/templates/firewall/ipv6-name/node.def +++ b/templates/firewall/ipv6-name/node.def 
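Review bot: In `prune_deleted_sets`, `($family eq 'inet') ? … : …` sends any set for which `get_family` returned undef down the `ipv6-$type-group` branch (with an uninitialized-value warning under `use warnings`); a set the helper could not classify is therefore looked up under the wrong tree, `isEffective` says it is not configured, and it gets deleted. Pruning is destructive, so unknown should mean skip rather than delete: add `next unless defined $family;  # unknown header layout: never prune blindly` immediately after the `get_family` call. The rest of the loop body and `ipset_delete` are outside this hunk.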
@@ -14,17 +14,21 @@ syntax:expression: ! pattern $VAR(@) "^VZONE" ; \ end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "firewall ipv6-name" "$VAR(@)" ; then - if [ ${COMMIT_ACTION} = 'DELETE' ] ; + if [ ${COMMIT_ACTION} = 'DELETE' ] ; then if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok "firewall ipv6-name" ; then - sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "firewall ipv6-name" + if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "firewall ipv6-name"; then + ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall ipv6-name $VAR(@)" + fi fi + else + ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall ipv6-name $VAR(@)" fi else exit 1; fi - ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall ipv6-name $VAR(@)" + sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=prune-deleted-sets create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup ip6tables "firewall ipv6-name" -- cgit v1.2.3 From 96a8f5e74295e3a06bb8c2ca92e1b35597db9377 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Fri, 22 Jun 2018 00:28:25 +0200 Subject: T704: add libsnmp-perl to dependencies until the script is rewritten. --- debian/control | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/debian/control b/debian/control index f439a91..7e6cadd 100644 --- a/debian/control +++ b/debian/control @@ -24,7 +24,8 @@ Depends: sed (>= 4.1.5), snmpd, ipset, iptables, - libswitch-perl + libswitch-perl, + libsnmp-perl Replaces: vyatta-cfg-system, vyatta-openvpn, vyatta-wirelessmodem -- cgit v1.2.3 From 1f010c0a0d4ae6e4f37d9f71d0e97df2fc44b999 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Sun, 24 Jun 2018 17:17:56 +0200 Subject: T710: remove dependency on vyatta-util. --- debian/control | 1 - 1 file changed, 1 deletion(-) diff --git a/debian/control b/debian/control index 7e6cadd..1b5f4d4 100644 --- a/debian/control +++ b/debian/control 
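Review bot: The rewritten test `if [ ${COMMIT_ACTION} = 'DELETE' ] ; then` leaves `${COMMIT_ACTION}` unquoted; if the variable is ever empty or unset the test degenerates to `[ = 'DELETE' ]`, a shell error that fails the whole commit. Write `if [ "${COMMIT_ACTION}" = 'DELETE' ]; then`. Separately, the trailing `sudo … --action=prune-deleted-sets` now determines the exit status of `end:` on every ipv6-name commit, so a pruning failure fails the rule-set commit after the rules have already been applied; if that coupling is not intended, append `|| true` and let the script log its own failure.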
@@ -14,7 +14,6 @@ Depends: sed (>= 4.1.5), vyatta-cfg (>= 0.15.33), vyatta-cfg-system (>= 0.19.125), vyatta-bash | bash (>= 3.1), - vyatta-util, sysv-rc, ntp, rsyslog | system-log-daemon, -- cgit v1.2.3 From 2e322c7a839ceac87fe03fb75e180e882e0bc5f7 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Tue, 24 Jul 2018 09:36:35 +0200 Subject: T666: remove the firewall option from the old VRRP CLI. If left in place, it will create incorrect command definition tree when vyatta-vrrp is removed and cause config loading errors. --- gen-interface-policy-templates.pl | 1 - gen-interface-templates.pl | 2 -- 2 files changed, 3 deletions(-) diff --git a/gen-interface-policy-templates.pl b/gen-interface-policy-templates.pl index a86c5d6..ed5ff22 100755 --- a/gen-interface-policy-templates.pl +++ b/gen-interface-policy-templates.pl @@ -48,7 +48,6 @@ my %interface_hash = ( 'ethernet/node.tag/vif-s/node.tag/vif-c/node.tag' => '$VAR(../../../../@).$VAR(../../../@).$VAR(../../@)', 'ethernet/node.tag/vif/node.tag' => '$VAR(../../../@).$VAR(../../@)', 'ethernet/node.tag/vif/node.tag/pppoe/node.tag' => 'pppoe$VAR(../../@)', - 'ethernet/node.tag/vrrp/vrrp-group/node.tag' => '$VAR(../../../../@)v$VAR(../../@)', 'input/node.tag' => '$VAR(../../@)', 'l2tpv3/node.tag' => '$VAR(../../@)', 'multilink/node.tag/vif/node.tag' => '$VAR(../../../@)', diff --git a/gen-interface-templates.pl b/gen-interface-templates.pl index ceabc6e..4451998 100755 --- a/gen-interface-templates.pl +++ b/gen-interface-templates.pl 
@@ -48,7 +48,6 @@ my %interface_hash = ( 'ethernet/node.tag/vif-s/node.tag/vif-c/node.tag' => '$VAR(../../../../../@).$VAR(../../../../@).$VAR(../../../@)', 'ethernet/node.tag/vif/node.tag' => '$VAR(../../../../@).$VAR(../../../@)', 'ethernet/node.tag/vif/node.tag/pppoe/node.tag' => 'pppoe$VAR(../../../@)', - 'ethernet/node.tag/vrrp/vrrp-group/node.tag' => '$VAR(../../../../../@)v$VAR(../../../@)', 'input/node.tag' => '$VAR(../../../@)', 'l2tpv3/node.tag' => '$VAR(../../../@)', 'multilink/node.tag/vif/node.tag' => '$VAR(../../../../@)', @@ -79,7 +78,6 @@ my %firewall_hash = ( 'ethernet/node.tag/vif-s/node.tag/vif-c/node.tag' => 'ethernet $VAR(../../../../@) vif-s $VAR(../../@) vif-c $VAR(../@)', 'ethernet/node.tag/vif/node.tag' => 'ethernet $VAR(../../../@) vif $VAR(../@)', 'ethernet/node.tag/vif/node.tag/pppoe/node.tag' => 'ethernet $VAR(../../../../@) vif $VAR(../../@) pppoe $VAR(../@)', - 'ethernet/node.tag/vrrp/vrrp-group/node.tag' => 'ethernet $VAR(../../../@) vrrp vrrp-group $VAR(../@)', 'input/node.tag' => 'input $VAR(../@)', 'l2tpv3/node.tag' => 'l2tpv3 $VAR(../@)', 'multilink/node.tag/vif/node.tag' => 'multilink $VAR(../../../@) vif $VAR(../@)', -- cgit v1.2.3 From d4799d1715fc3177b84d66af406fa3028a95d254 Mon Sep 17 00:00:00 2001 From: hagbard Date: Fri, 26 Oct 2018 11:58:22 -0700 Subject: T59: Inspect action still exists in firewall and should be removed --- debian/changelog | 6 ++++++ .../firewall/ipv6-name/node.tag/rule/node.tag/action/node.def | 7 +++---- templates/firewall/name/node.tag/rule/node.tag/action/node.def | 7 +++---- 3 files changed, 12 insertions(+), 8 deletions(-) diff --git a/debian/changelog b/debian/changelog index 41c4994..24f0ff3 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +vyatta-cfg-firewall (0.14.0+vyos2+current2) unstable; urgency=medium + + * T59: Inspect action still exists in firewall and should be removed + + -- hagbard Fri, 26 Oct 2018 11:54:38 -0700 + vyatta-cfg-firewall (0.14.0+vyos2+current1) unstable; urgency=medium [ Thomas Jepp ] diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/action/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/action/node.def index d4a0bd3..b97e320 100644 --- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/action/node.def +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/action/node.def @@ -2,12 +2,11 @@ type: txt help: Rule action -syntax:expression: $VAR(@) in "drop", "reject", "accept", "inspect"; - "action must be one of drop, reject, accept, or inspect" +syntax:expression: $VAR(@) in "drop", "reject", "accept"; + "action must be one of drop, reject or accept" -allowed: echo "drop reject accept inspect" +allowed: echo "drop reject accept" val_help: drop; Rule action to drop val_help: reject; Rule action to reject val_help: accept; Rule action to accept -val_help: inspect; Rule action to inspect diff --git a/templates/firewall/name/node.tag/rule/node.tag/action/node.def b/templates/firewall/name/node.tag/rule/node.tag/action/node.def index 971b1a4..ada34de 100644 --- a/templates/firewall/name/node.tag/rule/node.tag/action/node.def +++ b/templates/firewall/name/node.tag/rule/node.tag/action/node.def 
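Review bot: Removing `inspect` from the `action` syntax check means a saved configuration that still contains `action inspect` will fail validation at load time, and a firewall rule set that does not load is a poor failure mode for a security control; the diffstat shows only the two templates and the changelog, with no migration script that rewrites or drops such rules. Unless the option was already non-functional before this change, a migrator — or at minimum a prominent changelog entry telling operators to replace `inspect` — should accompany the removal. The IPv4 `name` template below receives the identical change.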
@@ -2,12 +2,11 @@ type: txt help: Rule action [REQUIRED] -syntax:expression: $VAR(@) in "drop", "reject", "accept", "inspect"; - "action must be one of drop, reject, accept, or inspect" +syntax:expression: $VAR(@) in "drop", "reject", "accept"; + "action must be one of drop, reject or accept" -allowed: echo "drop reject accept inspect" +allowed: echo "drop reject accept" val_help: drop ; Rule action to drop val_help: reject ; Rule action to reject val_help: accept ; Rule action to accept -val_help: inspect ; Rule action to inspect -- cgit v1.2.3 From 8b2ffad3c7a6ae4c65097ee562bb55beff16035a Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Tue, 13 Nov 2018 21:04:26 +0100 Subject: T1006: replace check_prefix_boundary with ipaddrcheck. --- templates/firewall/group/ipv6-network-group/node.tag/network/node.def | 2 +- templates/firewall/group/network-group/node.tag/network/node.def | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/firewall/group/ipv6-network-group/node.tag/network/node.def b/templates/firewall/group/ipv6-network-group/node.tag/network/node.def index 879a164..99c9ed5 100644 --- a/templates/firewall/group/ipv6-network-group/node.tag/network/node.def +++ b/templates/firewall/group/ipv6-network-group/node.tag/network/node.def @@ -5,4 +5,4 @@ val_help: ipv6net; IPv6 Subnet to match syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" -syntax:expression: exec "/opt/vyatta/sbin/check_prefix_boundary $VAR(@)" +syntax:expression: exec "ipaddrcheck --verbose --is-ipv6-net $VAR(@)" diff --git a/templates/firewall/group/network-group/node.tag/network/node.def b/templates/firewall/group/network-group/node.tag/network/node.def index d08b39d..f37428a 100644 --- a/templates/firewall/group/network-group/node.tag/network/node.def +++ b/templates/firewall/group/network-group/node.tag/network/node.def 
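Review bot: The replacement validator is invoked as a bare `ipaddrcheck` whereas the check it replaces used an absolute path under `/opt/vyatta/sbin`, so the outcome of this `syntax:expression` now depends on the PATH of the process evaluating the template; an absolute path to wherever the package installs the binary would remove that dependency. It is also worth confirming that `--is-ipv6-net` rejects a prefix with non-zero host bits, since that boundary condition is what `check_prefix_boundary` enforced and an ipset network member with host bits set is otherwise silently normalised. The value is still interpolated unquoted into the command line, as before, so the preceding `vyatta-validate-type ipv6_addr_param` line is what keeps shell metacharacters out of it.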
@@ -5,4 +5,4 @@ val_help: ipv4net; IPv4 Subnet to match syntax:expression: exec "/opt/vyatta/sbin/ipset-check-member network $VAR(@)" -syntax:expression: exec "/opt/vyatta/sbin/check_prefix_boundary $VAR(@)" +syntax:expression: exec "ipaddrcheck --verbose --is-ipv4-net $VAR(@)" -- cgit v1.2.3 From 152c7f8eefeea6d69b0b72ca1bb2e8345f66acd9 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Sun, 18 Nov 2018 19:11:57 +0100 Subject: T573: add support for matching IPv6 hop limit. Patch by Ray Patrick Soucy. --- lib/Vyatta/IpTables/Rule.pm | 29 ++++++++++++++++++++-- .../node.tag/rule/node.tag/hop-limit/eq/node.def | 5 ++++ .../node.tag/rule/node.tag/hop-limit/gt/node.def | 5 ++++ .../node.tag/rule/node.tag/hop-limit/lt/node.def | 5 ++++ .../node.tag/rule/node.tag/hop-limit/node.def | 1 + 5 files changed, 43 insertions(+), 2 deletions(-) create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/eq/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/gt/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/lt/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/node.def diff --git a/lib/Vyatta/IpTables/Rule.pm b/lib/Vyatta/IpTables/Rule.pm index 08772a1..5172011 100755 --- a/lib/Vyatta/IpTables/Rule.pm +++ b/lib/Vyatta/IpTables/Rule.pm @@ -59,7 +59,12 @@ my %fields = ( }, _disable => undef, _ip_version => undef, - _comment => undef + _comment => undef, + _hop_limit => { + _eq => undef, + _lt => undef, + _gt => undef, + } ); my %dummy_rule = ( @@ -112,7 +117,12 @@ my %dummy_rule = ( }, _disable => undef, _ip_version => undef, - _comment => undef + _comment => undef, + _hop_limit => { + _eq => undef, + _lt => undef, + _gt => undef, + } ); my $DEBUG = 'false'; 
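Review bot: As in the IPv6 counterpart, `ipaddrcheck` is called by bare name rather than by the absolute path the replaced `check_prefix_boundary` used, so validation now depends on the evaluating process's PATH. Here the only other check on the value is `ipset-check-member network $VAR(@)`, which is not a type validator, so whether `--is-ipv4-net` rejects non-zero host bits (the property the old boundary check enforced) and whether a value with shell metacharacters can reach this unquoted command line both rest on that script and on ipaddrcheck; confirm the `--is-ipv4-net` semantics against its source before relying on it for the boundary check. Prefer `exec "/usr/bin/ipaddrcheck --verbose --is-ipv4-net $VAR(@)"` if that is where the package installs it.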
@@ -206,6 +216,10 @@ sub setup_base { $self->{_disable} = $config->$exists_func("disable"); + $self->{_hop_limit}->{_eq} = $config->$val_func("hop-limit eq"); + $self->{_hop_limit}->{_lt} = $config->$val_func("hop-limit lt"); + $self->{_hop_limit}->{_gt} = $config->$val_func("hop-limit gt"); + # TODO: need $config->exists("$level source") in Vyatta::Config.pm $src->$addr_setup("$level source"); $dst->$addr_setup("$level destination"); @@ -255,6 +269,7 @@ sub print { print "mod table: $self->{_mod_table}\n" if defined $self->{_mod_table}; print "mod dscp: $self->{_mod_dscp}\n" if defined $self->{_mod_dscp}; print "mod tcp-mss: $self->{_mod_tcpmss}\n" if defined $self->{_mod_tcpmss}; + print "hop-limit: $self->{_hop_limit}\n" if defined $self->{_hop_limit}; $src->print(); $dst->print(); @@ -423,6 +438,16 @@ sub rule { } } + # Setup HL rule if configured + # + if ( defined($self->{_hop_limit}->{_eq}) ) { + $rule .= " -m hl --hl-eq $self->{_hop_limit}->{_eq}"; + } elsif ( defined($self->{_hop_limit}->{_lt}) ) { + $rule .= " -m hl --hl-lt $self->{_hop_limit}->{_lt}"; + } elsif ( defined($self->{_hop_limit}->{_gt}) ) { + $rule .= " -m hl --hl-gt $self->{_hop_limit}->{_gt}"; + } + # add the source and destination rules ($srcrule, $err_str) = $src->rule(); return ($err_str,) if (!defined($srcrule)); diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/eq/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/eq/node.def new file mode 100644 index 0000000..e4e6fef --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/eq/node.def @@ -0,0 +1,5 @@ +type: u32 +help: Value to match a hop limit equal to it +val_help: u32:0-255; Hop limit equal to value +syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 255; "eq must be between 0 and 255" +commit:expression: ($VAR(../lt/) == "") && ($VAR(../gt/) == ""); "you may only define one comparison (eq|lt|gt)" 
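Review bot: The added `print "hop-limit: $self->{_hop_limit}\n" if defined $self->{_hop_limit};` will always fire and print a reference such as `HASH(0x...)`, because `_hop_limit` is initialised to a hashref in `%fields` and so is always defined; the debug output never shows the configured comparison. Print each key instead: `print "hop-limit eq: $self->{_hop_limit}->{_eq}\n" if defined $self->{_hop_limit}->{_eq};` and likewise for `_lt` and `_gt`. `sub print` starts and ends outside this hunk.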
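Review bot: The `-m hl` match emitted in `sub rule` exists only in ip6tables, and nothing in the added branch checks `$self->{_ip_version}`; this works today only because the commit adds the `hop-limit` nodes under `ipv6-name` and not under `name`, so an IPv4 rule cannot set the values. That coupling should be stated next to the code, e.g. `# -m hl is an ip6tables-only match; hop-limit is exposed only under firewall ipv6-name`, or enforced with a guard on `_ip_version` (its value format is not visible here). The `if/elsif` chain silently prefers `eq` over `lt` over `gt` if more than one is set, which relies on the templates' `commit:expression` mutual-exclusion check rather than on this code.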
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/gt/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/gt/node.def new file mode 100644 index 0000000..b3f442c --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/gt/node.def @@ -0,0 +1,5 @@ +type: u32 +help: Value to match a hop limit greater than or equal to it +val_help: u32:0-255; Hop limit greater than value +syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 255; "gt must be between 0 and 255" +commit:expression: ($VAR(../lt/) == "") && ($VAR(../eq/) == ""); "you may only define one comparison (eq|lt|gt)" diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/lt/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/lt/node.def new file mode 100644 index 0000000..c9b422d --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/lt/node.def @@ -0,0 +1,5 @@ +type: u32 +help: Value to match a hop limit less than or equal to it +val_help: u32:0-255; Hop limit less than value +syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 255; "lt must be between 0 and 255" +commit:expression: ($VAR(../eq/) == "") && ($VAR(../gt/) == ""); "you may only define one comparison (eq|lt|gt)" diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/node.def new file mode 100644 index 0000000..968f94b --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/node.def @@ -0,0 +1 @@ +help: Hop Limit -- cgit v1.2.3 From 019154add51bbaf79de41105d627741897d3b839 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Sun, 16 Dec 2018 15:48:25 +0100 Subject: T1087: add wireguard to interface template generators. --- debian/vyatta-cfg-firewall.install | 1 + gen-interface-policy-templates.pl | 1 + gen-interface-templates.pl | 2 ++ 3 files changed, 4 insertions(+) 
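Review bot: The `help:` line says "greater than or equal to it" but `val_help` says "greater than value" and the match generated for this node in Rule.pm is `--hl-gt`, which the xt_hl extension evaluates as strictly greater; a user who trusts the help text to admit hop limit N would leave N unmatched. Change it to `help: Value to match a hop limit greater than it`. Since the hop limit is an 8-bit field, `gt 255` can never match, so the syntax range could stop at 254, though that is cosmetic.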
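Review bot: The `help:` line says "less than or equal to it" while `val_help` says "less than value" and the generated match is `--hl-lt`, which is strictly less; the two texts should agree and the correct one is the strict form, `help: Value to match a hop limit less than it`. `lt 0` can never match, so the lower bound of the syntax range could be 1, though that is cosmetic.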
diff --git a/debian/vyatta-cfg-firewall.install b/debian/vyatta-cfg-firewall.install index 780f53c..8127e80 100644 --- a/debian/vyatta-cfg-firewall.install +++ b/debian/vyatta-cfg-firewall.install @@ -16,3 +16,4 @@ opt/vyatta/share/vyatta-cfg/templates/interfaces/wireless opt/vyatta/share/vyatta-cfg/templates/interfaces/wirelessmodem opt/vyatta/share/vyatta-cfg/templates/interfaces/l2tpv3 opt/vyatta/share/vyatta-cfg/templates/interfaces/vxlan +opt/vyatta/share/vyatta-cfg/templates/interfaces/wireguard diff --git a/gen-interface-policy-templates.pl b/gen-interface-policy-templates.pl index ed5ff22..e02e85d 100755 --- a/gen-interface-policy-templates.pl +++ b/gen-interface-policy-templates.pl @@ -62,6 +62,7 @@ my %interface_hash = ( 'wireless/node.tag' => '$VAR(../../@)', 'wireless/node.tag/vif/node.tag' => '$VAR(../../../@).$VAR(../../@)', 'wirelessmodem/node.tag' => '$VAR(../../@)', + 'wireguard/node.tag' => '$VAR(../../@)', ); # The subdirectory where the generated templates will go diff --git a/gen-interface-templates.pl b/gen-interface-templates.pl index 4451998..67a69c0 100755 --- a/gen-interface-templates.pl +++ b/gen-interface-templates.pl @@ -62,6 +62,7 @@ my %interface_hash = ( 'wireless/node.tag' => '$VAR(../../../@)', 'wireless/node.tag/vif/node.tag' => '$VAR(../../../../@).$VAR(../../../@)', 'wirelessmodem/node.tag' => '$VAR(../../../@)', + 'wireguard/node.tag' => '$VAR(../../../@)', ); # Firewall node hashes @@ -92,6 +93,7 @@ my %firewall_hash = ( 'wireless/node.tag' => 'wireless $VAR(../@)', 'wireless/node.tag/vif/node.tag' => 'wireless $VAR(../../../@) vif $VAR(../@)', 'wirelessmodem/node.tag' => 'wirelessmodem $VAR(../@)', + 'wireguard/node.tag' => 'wireless $VAR(../@)', ); # Hash table to check if the priority needs to set @ root -- cgit v1.2.3 From f9c89b30f7598e769837ff33dd9dfb2847e5053f Mon Sep 17 00:00:00 2001 
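Review bot: The new `%firewall_hash` entry maps `wireguard/node.tag` to `'wireless $VAR(../@)'`, which reads as a copy of the `wireless/node.tag` line above it; every other entry names its own interface type, and the `%interface_hash` entry added earlier in this commit does use `wireguard`. Judging by the sibling entries this value is the config path the generated templates use to locate the interface's firewall assignment, so a wireguard interface's ruleset would be resolved against `interfaces wireless <name>` and most likely never be attached to the tunnel interface. Change it to `'wireguard/node.tag' => 'wireguard $VAR(../@)',`.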
From: Daniil Baturin Date: Mon, 17 Dec 2018 22:47:54 +0100 Subject: T1111: use unique recent packet list names in rules. --- lib/Vyatta/IpTables/Rule.pm | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/Vyatta/IpTables/Rule.pm b/lib/Vyatta/IpTables/Rule.pm index 5172011..5f1e0a4 100755 --- a/lib/Vyatta/IpTables/Rule.pm +++ b/lib/Vyatta/IpTables/Rule.pm @@ -574,6 +574,9 @@ first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mo $recent_rule1 .= " --hitcount $self->{_recent_cnt} "; } + $recent_rule1 .= " --name $self->{_name}-$self->{_rule_number} "; + $recent_rule2 .= " --name $self->{_name}-$self->{_rule_number} "; + $recent_rule = $rule; if ($rule =~ m/\-m\s+set\s+\-\-match\-set/) { -- cgit v1.2.3
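Review bot: The list name `$self->{_name}-$self->{_rule_number}` is passed to `--name` unquoted; xt_recent exposes each list as `/proc/net/xt_recent/<name>` and iptables rejects names over a fixed length, so a rule-set name containing `/`, whitespace or shell metacharacters, or one long enough to push the combined string past that limit, would make the commit fail or alter the command line if it is ever run through a shell. Whether the `name`/`ipv6-name` templates already restrict the characters and length of `_name` is not visible here; if they do not, sanitise before use, e.g. `(my $list = "$self->{_name}-$self->{_rule_number}") =~ s/[^A-Za-z0-9_.-]/_/g;`, and use `$list` in both `--name` lines. Giving each rule its own list is otherwise the right fix, since without `--name` all rules presumably shared xt_recent's default list and one rule's hits counted against another's threshold. The enclosing sub starts and ends outside this hunk.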