From 8a08387990b286a67125317e500bc81a3838b454 Mon Sep 17 00:00:00 2001 From: John Southworth Date: Sat, 2 Jun 2012 21:05:15 -0700 Subject: Make firewall syntax checks use the vyatta-util library --- debian/control | 1 + templates/firewall/group/address-group/node.tag/address/node.def | 6 +----- templates/firewall/group/network-group/node.tag/network/node.def | 6 +----- templates/firewall/group/port-group/node.tag/port/node.def | 6 +----- .../ipv6-modify/node.tag/rule/node.tag/destination/address/node.def | 2 +- .../firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def | 2 +- .../ipv6-modify/node.tag/rule/node.tag/source/address/node.def | 2 +- .../ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def | 2 +- .../ipv6-name/node.tag/rule/node.tag/destination/address/node.def | 2 +- .../firewall/ipv6-name/node.tag/rule/node.tag/protocol/node.def | 2 +- .../ipv6-name/node.tag/rule/node.tag/source/address/node.def | 2 +- .../ipv6-name/node.tag/rule/node.tag/source/mac-address/node.def | 2 +- templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def | 2 +- .../modify/node.tag/rule/node.tag/source/mac-address/node.def | 2 +- templates/firewall/name/node.tag/rule/node.tag/protocol/node.def | 2 +- .../name/node.tag/rule/node.tag/source/mac-address/node.def | 2 +- 16 files changed, 16 insertions(+), 27 deletions(-) diff --git a/debian/control b/debian/control index 48ae901..542edff 100644 --- a/debian/control +++ b/debian/control @@ -14,6 +14,7 @@ Depends: sed (>= 4.1.5), vyatta-cfg (>= 0.15.33), vyatta-cfg-system (>= 0.19.125), vyatta-bash | bash (>= 3.1), + vyatta-util, sysv-rc, ntp, rsyslog | system-log-daemon, diff --git a/templates/firewall/group/address-group/node.tag/address/node.def b/templates/firewall/group/address-group/node.tag/address/node.def index 2629b9d..b5060ea 100644 --- a/templates/firewall/group/address-group/node.tag/address/node.def +++ b/templates/firewall/group/address-group/node.tag/address/node.def 
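Review bot: The new `vyatta-util,` entry in debian/control carries no minimum version, unlike the neighbouring `vyatta-cfg (>= 0.15.33)` and `vyatta-cfg-system (>= 0.19.125)` lines. The templates in this commit now exec `/opt/vyatta/sbin/ipset-check-member` and `/opt/vyatta/sbin/vyatta-validate-type`, which presumably ship in vyatta-util; any older build of that package would satisfy the dependency while lacking one of the binaries, and every affected syntax check would then fail at commit time. Pin the first release that provides both tools, `vyatta-util (>= <MIN-VERSION>),`, replacing the placeholder with the real version.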
@@ -4,9 +4,5 @@ help: Address-group member val_help: ipv4; IPv4 address to match val_help: ipv4range; IPv4 range to match (e.g. 10.0.0.1-10.0.0.200) -syntax:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ - --action=check-member \ - --set-name=$VAR(../@) \ - --set-type=address \ - --member=\"$VAR(@)\"; " +syntax:expression: exec "/opt/vyatta/sbin/ipset-check-member address $VAR(@)" diff --git a/templates/firewall/group/network-group/node.tag/network/node.def b/templates/firewall/group/network-group/node.tag/network/node.def index 7388561..b3e0c18 100644 --- a/templates/firewall/group/network-group/node.tag/network/node.def +++ b/templates/firewall/group/network-group/node.tag/network/node.def @@ -3,11 +3,7 @@ type: ipv4net help: Network-group member val_help: ipv4net; IPv4 Subnet to match -syntax:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ - --action=check-member \ - --set-name=$VAR(../@) \ - --set-type=network \ - --member=\"$VAR(@)\"; " +syntax:expression: exec "/opt/vyatta/sbin/ipset-check-member network $VAR(@)" syntax:expression: exec " \ /opt/vyatta/sbin/check_prefix_boundary $VAR(@)" \ diff --git a/templates/firewall/group/port-group/node.tag/port/node.def b/templates/firewall/group/port-group/node.tag/port/node.def index 7a9b867..5f310c2 100644 --- a/templates/firewall/group/port-group/node.tag/port/node.def +++ b/templates/firewall/group/port-group/node.tag/port/node.def @@ -6,8 +6,4 @@ val_help: ; Named port (any name in /etc/services, e.g., http) val_help: u32:1-65535; Numbered port val_help: -; Numbered port range (e.g. 1001-1050) -syntax:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ - --action=check-member \ - --set-name=$VAR(../@) \ - --set-type=port \ - --member=\"$VAR(@)\"; " +syntax:expression: exec "sudo /opt/vyatta/sbin/ipset-check-member port $VAR(@)" 
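Review bot: The new `ipset-check-member` invocations pass `$VAR(@)` bare, whereas the removed lines wrapped it as `--member=\"$VAR(@)\"` and the protocol_negate and macaddr_negate hunks later in this commit pass `'$VAR(@)'`; the address-group and port-group members are free-form values (ranges, service names), so keep the argument a single shell word: `syntax:expression: exec "/opt/vyatta/sbin/ipset-check-member address '$VAR(@)'"`, and likewise for the network-group and port-group hunks on this line. The three hunks also disagree on privilege: address-group and network-group drop `sudo`, while port-group keeps `sudo /opt/vyatta/sbin/ipset-check-member port $VAR(@)`; if the checker only validates the value's syntax it needs no elevation in any of them, and if it has to consult the kernel's ipset tables the first two checks will fail for operators who cannot run as root, so the three should agree either way. Note too that `--set-name=$VAR(../@)` is no longer passed, so whatever the old check did with the owning set's name (presumably validating the member against that set) is gone; confirm the new checker does not need it.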
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def index 4953885..2ace3b3 100644 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def +++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/destination/address/node.def @@ -9,5 +9,5 @@ val_help: !ipv6; Match everything except the specified address val_help: !ipv6net; Match everything except the specified prefix val_help: !ipv6range; Match everything except the specified range -syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl ipv6_addr_param $VAR(@)" +syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def index ee3110f..5225eee 100644 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def +++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/protocol/node.def @@ -10,7 +10,7 @@ syntax:expression: exec " if [ \"$param\" = \"tcp_udp\" ]; then exit 0 fi - /opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)' + /opt/vyatta/sbin/vyatta-validate-type protocol_negate '$VAR(@)' " ; "invalid protocol \"$VAR(@)\"" diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def index 397c686..2fe8a42 100644 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def +++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/address/node.def 
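Review bot: `vyatta-validate-type ipv6_addr_param $VAR(@)` in the ipv6-modify destination/address hunk leaves the value unquoted, while the protocol_negate and macaddr_negate hunks in the same commit pass `'$VAR(@)'`. The val_help lines show this node accepts `!ipv6`, `!ipv6net` and `!ipv6range` forms, so the value is free text rather than a built-in address type, and an unquoted expansion is word-split by the shell before the validator sees it. Change to `syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param '$VAR(@)'"`; the same applies to the ipv6-modify source/address and ipv6-name destination/address hunks on the next line and to the ipv6-name source/address hunk after that.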
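Review bot: The tcp_udp shortcut in the ipv6-modify protocol hunk tests `$param`, but nothing in the hunk assigns it; if it is not set on the lines above the hunk (outside this view), the test is always false and `tcp_udp` is handed straight to `vyatta-validate-type protocol_negate`, whose acceptance of that alias cannot be confirmed from here. The other protocol hunks in this commit compare `\"$VAR(@)\"` directly, so either assign `param=$VAR(@)` at the top of the script or test `if [ \"$VAR(@)\" = \"tcp_udp\" ]; then` here for consistency. The ipv6-name protocol hunk two lines below contains the identical block. The exec string opens before the start of this hunk.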
@@ -10,4 +10,4 @@ val_help: !ipv6; Match everything except the specified address val_help: !ipv6net; Match everything except the specified prefix val_help: !ipv6range; Match everything except the specified range -syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl ipv6_addr_param $VAR(@)" +syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def index ad07881..5519871 100644 --- a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def +++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/source/mac-address/node.def @@ -1,3 +1,3 @@ type: txt help: Source MAC address -syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\"" +syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\"" diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/address/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/address/node.def index 4953885..2ace3b3 100644 --- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/address/node.def +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/address/node.def @@ -9,5 +9,5 @@ val_help: !ipv6; Match everything except the specified address val_help: !ipv6net; Match everything except the specified prefix val_help: !ipv6range; Match everything except the specified range -syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl ipv6_addr_param $VAR(@)" +syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" 
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/protocol/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/protocol/node.def index ee3110f..5225eee 100644 --- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/protocol/node.def +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/protocol/node.def @@ -10,7 +10,7 @@ syntax:expression: exec " if [ \"$param\" = \"tcp_udp\" ]; then exit 0 fi - /opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)' + /opt/vyatta/sbin/vyatta-validate-type protocol_negate '$VAR(@)' " ; "invalid protocol \"$VAR(@)\"" diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/address/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/address/node.def index b7a8d66..23ebb83 100644 --- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/address/node.def +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/address/node.def @@ -10,4 +10,4 @@ val_help: !ipv6; Match everything except the specified address val_help: !ipv6net; Match everything except the specified prefix val_help: !ipv6range; Match everything except the specified range -syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl ipv6_addr_param $VAR(@)" +syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/mac-address/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/mac-address/node.def index ad07881..5519871 100644 --- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/mac-address/node.def +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/mac-address/node.def 
@@ -1,3 +1,3 @@ type: txt help: Source MAC address -syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\"" +syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\"" diff --git a/templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def b/templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def index 5491708..c456f95 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def +++ b/templates/firewall/modify/node.tag/rule/node.tag/protocol/node.def @@ -7,7 +7,7 @@ val_help: tcp_udp; Both TCP and UDP val_help: all; All IP protocols val_help: !; All IP protocols except for the specified name or number -syntax:expression: exec "if [ -n \"`/opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)'`\" ] \ +syntax:expression: exec "if [ -n \"`/opt/vyatta/sbin/vyatta-validate-type protocol_negate '$VAR(@)'`\" ] \ && [ \"$VAR(@)\" != 'tcp_udp' ]; then \ echo invalid protocol \"$VAR(@)\" ; \ exit 1 ; \ diff --git a/templates/firewall/modify/node.tag/rule/node.tag/source/mac-address/node.def b/templates/firewall/modify/node.tag/rule/node.tag/source/mac-address/node.def index ad07881..5519871 100644 --- a/templates/firewall/modify/node.tag/rule/node.tag/source/mac-address/node.def +++ b/templates/firewall/modify/node.tag/rule/node.tag/source/mac-address/node.def @@ -1,3 +1,3 @@ type: txt help: Source MAC address -syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\"" +syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\"" diff --git a/templates/firewall/name/node.tag/rule/node.tag/protocol/node.def b/templates/firewall/name/node.tag/rule/node.tag/protocol/node.def index 1f235f7..6e0e9a6 100644 
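Review bot: The modify protocol hunk decides validity by whether `vyatta-validate-type protocol_negate '$VAR(@)'` prints anything (`[ -n \"`...`\" ]`), so a validator that is missing, fails to execute, or reports failure only through its exit status produces empty output and the value is accepted — the check fails open. The ipv6-modify and ipv6-name protocol hunks in this commit run the same validator and rely on its exit status instead; since the Perl script is being replaced by a different tool here, confirm the new binary still writes a message to stdout for bad input, or better, switch this script to the exit status as well, `syntax:expression: exec "if ! /opt/vyatta/sbin/vyatta-validate-type protocol_negate '$VAR(@)' \` (the following `&& [ \"$VAR(@)\" != 'tcp_udp' ]; then \` line stays as is). The name protocol hunk on the next line has the identical construct. The exec string continues past the end of this hunk.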
--- a/templates/firewall/name/node.tag/rule/node.tag/protocol/node.def +++ b/templates/firewall/name/node.tag/rule/node.tag/protocol/node.def @@ -8,7 +8,7 @@ val_help: tcp_udp; Both TCP and UDP val_help: all; All IP protocols val_help: !; All IP protocols except for the specified name or number -syntax:expression: exec "if [ -n \"`/opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)'`\" ] \ +syntax:expression: exec "if [ -n \"`/opt/vyatta/sbin/vyatta-validate-type protocol_negate '$VAR(@)'`\" ] \ && [ \"$VAR(@)\" != 'tcp_udp' ]; then \ echo invalid protocol \"$VAR(@)\" ; \ exit 1 ; \ diff --git a/templates/firewall/name/node.tag/rule/node.tag/source/mac-address/node.def b/templates/firewall/name/node.tag/rule/node.tag/source/mac-address/node.def index ad07881..5519871 100644 --- a/templates/firewall/name/node.tag/rule/node.tag/source/mac-address/node.def +++ b/templates/firewall/name/node.tag/rule/node.tag/source/mac-address/node.def @@ -1,3 +1,3 @@ type: txt help: Source MAC address -syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\"" +syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\"" -- cgit v1.2.3