From 299adf5bb38fa7e026ccd3604fc05ba812520700 Mon Sep 17 00:00:00 2001
From: Stig Thormodsrud
Date: Mon, 2 Feb 2009 19:50:21 -0800
Subject: Add 1st pass of firewall group support (ipset netfilter module integration).
---
templates/firewall/group/address-group/node.def | 24 ++++++++++++++++++++++
.../group/address-group/node.tag/address/node.def | 17 +++++++++++++++
.../address-group/node.tag/description/node.def | 2 ++
templates/firewall/group/network-group/node.def | 24 ++++++++++++++++++++++
.../network-group/node.tag/description/node.def | 2 ++
.../group/network-group/node.tag/network/node.def | 20 ++++++++++++++++++
templates/firewall/group/node.def | 3 +++
templates/firewall/group/port-group/node.def | 24 ++++++++++++++++++++++
.../group/port-group/node.tag/description/node.def | 2 ++
.../group/port-group/node.tag/port/node.def | 17 +++++++++++++++
10 files changed, 135 insertions(+)
create mode 100644 templates/firewall/group/address-group/node.def
create mode 100644 templates/firewall/group/address-group/node.tag/address/node.def
create mode 100644 templates/firewall/group/address-group/node.tag/description/node.def
create mode 100644 templates/firewall/group/network-group/node.def
create mode 100644 templates/firewall/group/network-group/node.tag/description/node.def
create mode 100644 templates/firewall/group/network-group/node.tag/network/node.def
create mode 100644 templates/firewall/group/node.def
create mode 100644 templates/firewall/group/port-group/node.def
create mode 100644 templates/firewall/group/port-group/node.tag/description/node.def
create mode 100644 templates/firewall/group/port-group/node.tag/port/node.def
(limited to 'templates/firewall/group')
diff --git a/templates/firewall/group/address-group/node.def b/templates/firewall/group/address-group/node.def
new file mode 100644
index 0000000..bc4fb68
--- /dev/null
+++ b/templates/firewall/group/address-group/node.def
@@ -0,0 +1,24 @@
+tag:
+type: txt
+help: Set a firewall address-group
+
+syntax:expression: exec " \
+ if [ `echo $VAR(@) | wc -c` -gt 31 ]; then \
+ echo group name must be 31 characters or less;\
+ exit 1 ; \
+ fi ; "
+
+syntax:expression: pattern $VAR(@) "^[^-]" ; \
+ "Firewall group name cannot start with \"-\""
+
+create: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=create-set \
+ --set-type=address \
+ --set-name="$VAR(@)"
+
+
+delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=delete-set \
+ --set-name="$VAR(@)"
+
+comp_help: Enter the name of the firewall address-group
diff --git a/templates/firewall/group/address-group/node.tag/address/node.def b/templates/firewall/group/address-group/node.tag/address/node.def
new file mode 100644
index 0000000..e0f8026
--- /dev/null
+++ b/templates/firewall/group/address-group/node.tag/address/node.def
@@ -0,0 +1,17 @@
+multi:
+type: ipv4
+help: Set a address-group member
+
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-member \
+ --set-name=$VAR(../@) \
+ --set-type=address \
+ --member=\"$VAR(@)\"; "
+
+create: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=add-member \
+ --set-name=$VAR(../@) \
+ --member="$VAR(@) "
+
+delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
+ --set-name=$VAR(../@) \
+ --member="$VAR(@) "
diff --git a/templates/firewall/group/address-group/node.tag/description/node.def b/templates/firewall/group/address-group/node.tag/description/node.def
new file mode 100644
index 0000000..05f7e51
--- /dev/null
+++ b/templates/firewall/group/address-group/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set address-group description
diff --git a/templates/firewall/group/network-group/node.def b/templates/firewall/group/network-group/node.def
new file mode 100644
index 0000000..2d8bf60
--- /dev/null
+++ b/templates/firewall/group/network-group/node.def
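Review bot: The length check in the first syntax:expression of address-group/node.def rejects a 31-character name even though its message promises "31 characters or less": `echo $VAR(@) | wc -c` counts the newline that echo appends, so a 31-character name yields 32 and trips `-gt 31`. Replacing the pipeline with `printf '%s' \"$VAR(@)\" | wc -c` removes the off-by-one and also quotes the name, which is expanded bare inside the backticks while the create and delete directives quote it as `--set-name="$VAR(@)"`. Because the node is `type: txt`, the only shape constraint is the `^[^-]` pattern; an allow-list such as `pattern $VAR(@) "^[A-Za-z0-9_-]+$"`, if the pattern directive accepts it, would keep whitespace and shell metacharacters out of the set name before it is substituted into the exec'd commands. The same three lines are repeated in the network-group and port-group node.def hunks below.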
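Review bot: In address/node.def the `--member="$VAR(@) "` argument of both the create and delete directives carries a trailing space inside the quotes, so vyatta-ipset.pl receives the address with a space appended, which is not the value that check-member validated as `--member=\"$VAR(@)\"`; unless the script trims its input this looks like a typo. `--set-name=$VAR(../@)` is also left unquoted in all three directives while the parent node quotes `--set-name="$VAR(@)"`. `--member="$VAR(@)"` and `--set-name="$VAR(../@)"` would make the call sites consistent. The network and port member node.def hunks repeat both points.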
@@ -0,0 +1,24 @@
+tag:
+type: txt
+help: Set a firewall network-group
+
+syntax:expression: exec " \
+ if [ `echo $VAR(@) | wc -c` -gt 31 ]; then \
+ echo group name must be 31 characters or less;\
+ exit 1 ; \
+ fi ; "
+
+syntax:expression: pattern $VAR(@) "^[^-]" ; \
+ "Firewall group name cannot start with \"-\""
+
+create: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=create-set \
+ --set-type=network \
+ --set-name="$VAR(@)"
+
+
+delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=delete-set \
+ --set-name="$VAR(@)"
+
+comp_help: Enter the name of the firewall network-group
diff --git a/templates/firewall/group/network-group/node.tag/description/node.def b/templates/firewall/group/network-group/node.tag/description/node.def
new file mode 100644
index 0000000..3c50208
--- /dev/null
+++ b/templates/firewall/group/network-group/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set network-group description
diff --git a/templates/firewall/group/network-group/node.tag/network/node.def b/templates/firewall/group/network-group/node.tag/network/node.def
new file mode 100644
index 0000000..1f33ba9
--- /dev/null
+++ b/templates/firewall/group/network-group/node.tag/network/node.def
@@ -0,0 +1,20 @@
+multi:
+type: ipv4net
+help: Set a network-group member
+
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-member \
+ --set-name=$VAR(../@) \
+ --set-type=network \
+ --member=\"$VAR(@)\"; "
+
+syntax:expression: exec " \
+ /opt/vyatta/sbin/check_prefix_boundary $VAR(@)" \
+
+create: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=add-member \
+ --set-name=$VAR(../@) \
+ --member="$VAR(@) "
+
+delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
+ --set-name=$VAR(../@) \
+ --member="$VAR(@) "
diff --git a/templates/firewall/group/node.def b/templates/firewall/group/node.def
new file mode 100644
index 0000000..d45d3d9
--- /dev/null
+++ b/templates/firewall/group/node.def
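Review bot: In network/node.def the second syntax:expression ends with a backslash after its closing quote, `/opt/vyatta/sbin/check_prefix_boundary $VAR(@)" \`, which continues the directive onto the blank line that follows; that looks unintended and the line should end at the quote, `/opt/vyatta/sbin/check_prefix_boundary $VAR(@)"`. Even if the template parser tolerates it today, the stray continuation is fragile: removing the blank line would join `create:` onto the end of the exec directive.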
@@ -0,0 +1,3 @@
+help: Set a firewall group
+
+comp_help: Enter the name of the firewall group
diff --git a/templates/firewall/group/port-group/node.def b/templates/firewall/group/port-group/node.def
new file mode 100644
index 0000000..0ec803f
--- /dev/null
+++ b/templates/firewall/group/port-group/node.def
@@ -0,0 +1,24 @@
+tag:
+type: txt
+help: Set a firewall port-group
+
+syntax:expression: exec " \
+ if [ `echo $VAR(@) | wc -c` -gt 31 ]; then \
+ echo group name must be 31 characters or less;\
+ exit 1 ; \
+ fi ; "
+
+syntax:expression: pattern $VAR(@) "^[^-]" ; \
+ "Firewall group name cannot start with \"-\""
+
+create: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=create-set \
+ --set-type=port \
+ --set-name="$VAR(@)"
+
+
+delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=delete-set \
+ --set-name="$VAR(@)"
+
+comp_help: Enter the name of the firewall port-group
diff --git a/templates/firewall/group/port-group/node.tag/description/node.def b/templates/firewall/group/port-group/node.tag/description/node.def
new file mode 100644
index 0000000..90124a9
--- /dev/null
+++ b/templates/firewall/group/port-group/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set port-group description
diff --git a/templates/firewall/group/port-group/node.tag/port/node.def b/templates/firewall/group/port-group/node.tag/port/node.def
new file mode 100644
index 0000000..3f9c530
--- /dev/null
+++ b/templates/firewall/group/port-group/node.tag/port/node.def
@@ -0,0 +1,17 @@
+multi:
+type: txt
+help: Set a port-group member
+
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-member \
+ --set-name=$VAR(../@) \
+ --set-type=port \
+ --member=\"$VAR(@)\"; "
+
+create: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=add-member \
+ --set-name=$VAR(../@) \
+ --member="$VAR(@) "
+
+delete: sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=delete-member \
+ --set-name=$VAR(../@) \
+ --member="$VAR(@) "
--
cgit v1.2.3
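Review bot: The port member node in port/node.def is `type: txt`, unlike its address (`ipv4`) and network (`ipv4net`) siblings, so the configuration system performs no validation of its own and the raw value is substituted into the exec string before vyatta-ipset.pl's check-member ever runs. A `pattern` directive ahead of the exec that restricts the value to the forms the script accepts (numbers, ranges or service names, whichever apply) would reject stray characters before they reach the shell. A `comp_help:` line naming those accepted forms would also help operators, since the node currently has only `help: Set a port-group member`.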