From 03f1937e7dcb01ce810c9c19eda15149245f4537 Mon Sep 17 00:00:00 2001 From: Marian Tudosoiu Date: Mon, 12 Mar 2018 12:34:35 +0200 Subject: Task T35 - add support for IPv6 firewall adddress and network groups --- .../rule/node.tag/destination/group/address-group/node.def | 9 +++++++++ .../rule/node.tag/destination/group/network-group/node.def | 8 ++++++++ .../ipv6-name/node.tag/rule/node.tag/destination/group/node.def | 1 + .../node.tag/rule/node.tag/destination/group/port-group/node.def | 8 ++++++++ .../node.tag/rule/node.tag/source/group/address-group/node.def | 8 ++++++++ .../node.tag/rule/node.tag/source/group/network-group/node.def | 8 ++++++++ .../ipv6-name/node.tag/rule/node.tag/source/group/node.def | 1 + .../node.tag/rule/node.tag/source/group/port-group/node.def | 8 ++++++++ 8 files changed, 51 insertions(+) create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/port-group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/port-group/node.def (limited to 'templates/firewall/ipv6-name') diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def new file mode 100644 index 0000000..71a4326 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def @@ -0,0 +1,9 @@ +type: txt +help: Group of addresses + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=address;" + +allowed: cli-shell-api listNodes firewall ipv6-group address-group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def new file mode 100644 index 0000000..b3e2718 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def @@ -0,0 +1,8 @@ +type: txt +help: Group of networks + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=network;" +allowed: cli-shell-api listNodes firewall ipv6-group network-group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/node.def new file mode 100644 index 0000000..bb11dae --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/node.def @@ -0,0 +1 @@ +help: Destination group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/port-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/port-group/node.def new file mode 100644 index 0000000..985302b --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/port-group/node.def @@ -0,0 +1,8 @@ +type: txt +help: Group of ports + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=port;" +allowed: cli-shell-api listNodes firewall group port-group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def new file mode 100644 index 0000000..63f0540 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def @@ -0,0 +1,8 @@ +type: txt +help: Group of addresses + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=address;" +allowed: cli-shell-api listNodes firewall ipv6-group address-group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def new file mode 100644 index 0000000..b3e2718 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def @@ -0,0 +1,8 @@ +type: txt +help: Group of networks + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=network;" +allowed: cli-shell-api listNodes firewall ipv6-group network-group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/node.def new file mode 100644 index 0000000..7b36071 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/node.def @@ -0,0 +1 @@ +help: Source group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/port-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/port-group/node.def new file mode 100644 index 0000000..985302b --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/port-group/node.def @@ -0,0 +1,8 @@ +type: txt +help: Group of ports + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=port;" +allowed: cli-shell-api listNodes firewall group port-group -- cgit v1.2.3 From a17ae5f48dfa1007df6fdd19f267b25f965df143 Mon Sep 17 00:00:00 2001 From: mtudosoiu Date: Wed, 14 Mar 2018 11:06:11 +0200 Subject: Task T35 place ipv6 groups under group config tree --- .../node.tag/rule/node.tag/destination/group/address-group/node.def | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'templates/firewall/ipv6-name') diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def index 71a4326..961663c 100644 --- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def @@ -6,4 +6,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ --set-name=$VAR(@) \ --set-type=address;" -allowed: cli-shell-api listNodes firewall ipv6-group address-group +allowed: cli-shell-api listNodes firewall group ipv6-address-group -- cgit v1.2.3 From 0de8ac70a62573de2975ff14dd9e776ea942821b Mon Sep 17 00:00:00 2001 From: mtudosoiu Date: Wed, 14 Mar 2018 11:06:41 +0200 Subject: Task T35 place ipv6 groups under group config tree --- .../node.tag/rule/node.tag/destination/group/network-group/node.def | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'templates/firewall/ipv6-name') diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def index b3e2718..262c4dd 100644 --- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def @@ -5,4 +5,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ --action=check-set-type \ --set-name=$VAR(@) \ --set-type=network;" -allowed: cli-shell-api listNodes firewall ipv6-group network-group +allowed: cli-shell-api listNodes firewall group ipv6-network-group -- cgit v1.2.3 From 5d918bf6b1a0457a8a1f202ab99f6252e97bcb4a Mon Sep 17 00:00:00 2001 From: mtudosoiu Date: Wed, 14 Mar 2018 11:07:11 +0200 Subject: Task T35 place ipv6 groups under group config tree --- .../node.tag/rule/node.tag/source/group/address-group/node.def | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'templates/firewall/ipv6-name') diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def index 63f0540..9323938 100644 --- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def @@ -5,4 +5,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ --action=check-set-type \ --set-name=$VAR(@) \ --set-type=address;" -allowed: cli-shell-api listNodes firewall ipv6-group address-group +allowed: cli-shell-api listNodes firewall group ipv6-address-group -- cgit v1.2.3 From 1fa169f72c2196a62d1f5fb3d0bce3bcf55a87be Mon Sep 17 00:00:00 2001 From: mtudosoiu Date: Wed, 14 Mar 2018 11:07:42 +0200 Subject: Task T35 place ipv6 groups under group config tree --- .../node.tag/rule/node.tag/source/group/network-group/node.def | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'templates/firewall/ipv6-name') diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def index b3e2718..262c4dd 100644 --- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def @@ -5,4 +5,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ --action=check-set-type \ --set-name=$VAR(@) \ --set-type=network;" -allowed: cli-shell-api listNodes firewall ipv6-group network-group +allowed: cli-shell-api listNodes firewall group ipv6-network-group -- cgit v1.2.3 From 7272364a23c9f00f17f719c1efee756d960e8984 Mon Sep 17 00:00:00 2001 From: Marian Tudosoiu Date: Thu, 19 Apr 2018 10:57:25 +0300 Subject: Task T35 - enable prune-deleted-sets for inet6 family firewall templates --- scripts/firewall/vyatta-ipset.pl | 1 - templates/firewall/ipv6-name/node.def | 10 +++++++--- 2 files changed, 7 insertions(+), 4 deletions(-) (limited to 'templates/firewall/ipv6-name') diff --git a/scripts/firewall/vyatta-ipset.pl b/scripts/firewall/vyatta-ipset.pl index e5b2fd1..65e0325 100755 --- a/scripts/firewall/vyatta-ipset.pl +++ b/scripts/firewall/vyatta-ipset.pl @@ -352,7 +352,6 @@ sub prune_deleted_sets { my $type = $group->get_type(); my $family = $group->get_family(); ($family eq 'inet') ? $cfg->setLevel("firewall group $type-group") : $cfg->setLevel("firewall group ipv6-$type-group"); - $cfg->setLevel("firewall group $type-group"); next if ($cfg->isEffective($set)); # don't prune if still in config my $rc; $rc = ipset_delete($set); diff --git a/templates/firewall/ipv6-name/node.def b/templates/firewall/ipv6-name/node.def index e7e1167..2e20b9a 100644 --- a/templates/firewall/ipv6-name/node.def +++ b/templates/firewall/ipv6-name/node.def @@ -14,17 +14,21 @@ syntax:expression: ! pattern $VAR(@) "^VZONE" ; \ end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "firewall ipv6-name" "$VAR(@)" ; then - if [ ${COMMIT_ACTION} = 'DELETE' ] ; + if [ ${COMMIT_ACTION} = 'DELETE' ] ; then if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok "firewall ipv6-name" ; then - sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "firewall ipv6-name" + if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "firewall ipv6-name"; then + ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall ipv6-name $VAR(@)" + fi fi + else + ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall ipv6-name $VAR(@)" fi else exit 1; fi - ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall ipv6-name $VAR(@)" + sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=prune-deleted-sets create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup ip6tables "firewall ipv6-name" -- cgit v1.2.3