From 03f1937e7dcb01ce810c9c19eda15149245f4537 Mon Sep 17 00:00:00 2001 
From: Marian Tudosoiu Date: Mon, 12 Mar 2018 12:34:35 +0200 Subject: Task T35 - add support for IPv6 firewall adddress and network groups --- templates/firewall/group/address-group/node.def | 6 +++++- templates/firewall/group/network-group/node.def | 6 +++++- .../firewall/ipv6-group/address-group/node.def | 25 ++++++++++++++++++++++ .../address-group/node.tag/address/node.def | 6 ++++++ .../address-group/node.tag/description/node.def | 2 ++ .../firewall/ipv6-group/network-group/node.def | 21 ++++++++++++++++++ .../network-group/node.tag/description/node.def | 2 ++ .../network-group/node.tag/network/node.def | 8 +++++++ templates/firewall/ipv6-group/node.def | 1 + .../destination/group/address-group/node.def | 9 ++++++++ .../destination/group/network-group/node.def | 8 +++++++ .../rule/node.tag/destination/group/node.def | 1 + .../node.tag/destination/group/port-group/node.def | 8 +++++++ .../node.tag/source/group/address-group/node.def | 8 +++++++ .../node.tag/source/group/network-group/node.def | 8 +++++++ .../node.tag/rule/node.tag/source/group/node.def | 1 + .../rule/node.tag/source/group/port-group/node.def | 8 +++++++ templates/firewall/node.def | 3 --- 18 files changed, 126 insertions(+), 5 deletions(-) create mode 100644 templates/firewall/ipv6-group/address-group/node.def create mode 100644 templates/firewall/ipv6-group/address-group/node.tag/address/node.def create mode 100644 templates/firewall/ipv6-group/address-group/node.tag/description/node.def create mode 100644 templates/firewall/ipv6-group/network-group/node.def create mode 100644 templates/firewall/ipv6-group/network-group/node.tag/description/node.def create mode 100644 templates/firewall/ipv6-group/network-group/node.tag/network/node.def create mode 100644 templates/firewall/ipv6-group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def create mode 100644 
templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/port-group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/port-group/node.def delete mode 100644 templates/firewall/node.def (limited to 'templates/firewall') diff --git a/templates/firewall/group/address-group/node.def b/templates/firewall/group/address-group/node.def index 13b2e72..d89233d 100644 --- a/templates/firewall/group/address-group/node.def +++ b/templates/firewall/group/address-group/node.def @@ -15,7 +15,11 @@ syntax:expression: pattern $VAR(@) "^[^!]" ; \ syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ "Firewall group name cannot contain shell punctuation" +syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ + --set-type=address --set-family=inet"; \ + "Firewall group name already used as Ipv6 group address" + end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ - --set-name="$VAR(@)" --set-type=address; then + --set-name="$VAR(@)" --set-type=address --set-family=inet; then ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group address-group $VAR(@)" fi diff --git a/templates/firewall/group/network-group/node.def b/templates/firewall/group/network-group/node.def index 263a772..ed9810d 100644 --- a/templates/firewall/group/network-group/node.def +++ b/templates/firewall/group/network-group/node.def 
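Review bot: The new `is-group-defined` check in the address-group template interpolates `$VAR(@)` into the exec string unquoted, while the `end:` action in the same hunk quotes it as `--set-name="$VAR(@)"`. The pattern rules above it reject whitespace, `|;&$<>` and a leading `-` or `!`, but not backticks or quote characters, and whether the pattern rules are guaranteed to run before the exec is not visible from the template, so quoting is the safer and more consistent form: `--action=is-group-defined --set-name=\"$VAR(@)\" \`. The same unquoted form appears in the network-group hunk of the next file and in the new ipv6-group/address-group template. The message text could also spell `IPv6` as the help strings do rather than `Ipv6`.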
@@ -15,8 +15,12 @@ syntax:expression: pattern $VAR(@) "^[^!]" ; \ syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ "Firewall group name cannot contain shell punctuation" +syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ + --set-type=address --set-family=inet"; \ + "Firewall group name already used as Ipv6 group address" + end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ - --set-name="$VAR(@)" --set-type=network; then + --set-name="$VAR(@)" --set-type=network --set-family=inet; then ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group network-group $VAR(@)" fi diff --git a/templates/firewall/ipv6-group/address-group/node.def b/templates/firewall/ipv6-group/address-group/node.def new file mode 100644 index 0000000..b61f784 --- /dev/null +++ b/templates/firewall/ipv6-group/address-group/node.def @@ -0,0 +1,25 @@ +tag: +priority: 200 +type: txt +help: Firewall address-group + +syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \ + "Firewall group name must be 31 characters or less" + +syntax:expression: pattern $VAR(@) "^[^-]" ; \ + "Firewall group name cannot start with \"-\"" + +syntax:expression: pattern $VAR(@) "^[^!]" ; \ + "Firewall group name cannot start with \"!\"" + +syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ + "Firewall group name cannot contain shell punctuation" + +syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ + --set-type=address --set-family=inet6"; \ + "Firewall group name already used as Ipv4 group address" + +end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ + --set-name="$VAR(@)" --set-type=address --set-family=inet6; then + ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group address-group $VAR(@)" + fi 
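Review bot: The `is-group-defined` check added to the IPv4 network-group template passes `--set-type=address`, and its message says "Ipv6 group address", although this node creates a network set (the `end:` line a few lines down uses `--set-type=network`). If the action compares against the other family's set of the same name and type, this check looks for an IPv6 address-group rather than an IPv6 network-group; the script's semantics are not visible here, so please confirm. The expected form would be `--set-type=network --set-family=inet"; \` with the message `"Firewall group name already used as IPv6 network-group"`, mirroring the address-group hunk.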
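Review bot: The trap `--level` string in the new ipv6-group/address-group template reads `"firewall group address-group $VAR(@)"`, which is the IPv4 tree path, while the sibling ipv6-group/network-group template in this commit uses `"firewall ipv6-group network-group $VAR(@)"`. Anyone correlating the trap with the configuration path would be pointed at the wrong node; suggest `--level="firewall ipv6-group address-group $VAR(@)"`. The `help:` text `Firewall address-group` could likewise say `IPv6 firewall address-group` so the two families are distinguishable in completion output.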
diff --git a/templates/firewall/ipv6-group/address-group/node.tag/address/node.def b/templates/firewall/ipv6-group/address-group/node.tag/address/node.def
new file mode 100644
index 0000000..ba944e6
--- /dev/null
+++ b/templates/firewall/ipv6-group/address-group/node.tag/address/node.def
@@ -0,0 +1,6 @@
+multi:
+type: txt
+help: Address-group member
+val_help: ipv6; IPv6 address to match
+
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)"
diff --git a/templates/firewall/ipv6-group/address-group/node.tag/description/node.def b/templates/firewall/ipv6-group/address-group/node.tag/description/node.def
new file mode 100644
index 0000000..032553a
--- /dev/null
+++ b/templates/firewall/ipv6-group/address-group/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: IPv6 Address-group description
diff --git a/templates/firewall/ipv6-group/network-group/node.def b/templates/firewall/ipv6-group/network-group/node.def
new file mode 100644
index 0000000..90383c2
--- /dev/null
+++ b/templates/firewall/ipv6-group/network-group/node.def
@@ -0,0 +1,21 @@
+tag:
+priority: 200
+type: txt
+help: Firewall network-group
+
+syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \
+ "Firewall group name must be 31 characters or less"
+
+syntax:expression: pattern $VAR(@) "^[^-]" ; \
+ "Firewall group name cannot start with \"-\""
+
+syntax:expression: pattern $VAR(@) "^[^!]" ; \
+ "Firewall group name cannot start with \"!\""
+
+syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \
+ "Firewall group name cannot contain shell punctuation"
+
+end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \
+ --set-name="$VAR(@)" --set-type=network --set-family=inet6; then
+ ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall ipv6-group network-group $VAR(@)"
+ fi
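Review bot: The address member node is declared `type: txt`, so no built-in type check constrains the value before it is substituted unquoted into `vyatta-validate-type ipv6_addr_param $VAR(@)`; unlike the group name one level up, there is no pattern rule here excluding shell punctuation. If `txt` is deliberate because the validator accepts ranges or negation (not visible from this hunk), at least quote the value in the expression, `... ipv6_addr_param \"$VAR(@)\"`; otherwise `type: ipv6` would let the CLI reject malformed input first, as `type: ipv6net` does for the network member. A `val_help:` entry for any accepted range syntax would also help, since `val_help: ipv6` alone suggests a single address.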
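Review bot: The new ipv6-group/network-group template has no `is-group-defined` check, whereas the ipv6-group/address-group template and both IPv4 group templates in this commit gain one. If ipset names are a single namespace shared by both families, as the added checks imply, an IPv6 network-group can still take the name of an existing IPv4 network-group and the `update-set` in `end:` would then operate on, or fail against, the other family's set. Suggest adding, before `end:`, the three-line check `syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \`, `--set-type=network --set-family=inet6"; \`, `"Firewall group name already used as IPv4 network-group"`, mirroring the address-group template.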
diff --git a/templates/firewall/ipv6-group/network-group/node.tag/description/node.def b/templates/firewall/ipv6-group/network-group/node.tag/description/node.def
new file mode 100644
index 0000000..52bb8e4
--- /dev/null
+++ b/templates/firewall/ipv6-group/network-group/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Network-group description
diff --git a/templates/firewall/ipv6-group/network-group/node.tag/network/node.def b/templates/firewall/ipv6-group/network-group/node.tag/network/node.def
new file mode 100644
index 0000000..879a164
--- /dev/null
+++ b/templates/firewall/ipv6-group/network-group/node.tag/network/node.def
@@ -0,0 +1,8 @@
+multi:
+type: ipv6net
+help: Network-group member
+val_help: ipv6net; IPv6 Subnet to match
+
+syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)"
+
+syntax:expression: exec "/opt/vyatta/sbin/check_prefix_boundary $VAR(@)"
diff --git a/templates/firewall/ipv6-group/node.def b/templates/firewall/ipv6-group/node.def
new file mode 100644
index 0000000..3c87f34
--- /dev/null
+++ b/templates/firewall/ipv6-group/node.def
@@ -0,0 +1 @@
+help: IPv6 Firewall group
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def
new file mode 100644
index 0000000..71a4326
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def
@@ -0,0 +1,9 @@
+type: txt
+help: Group of addresses
+
+commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-set-type \
+ --set-name=$VAR(@) \
+ --set-type=address;"
+
+allowed: cli-shell-api listNodes firewall ipv6-group address-group
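Review bot: The network member is typed `ipv6net` and then also run through `vyatta-validate-type ipv6_addr_param $VAR(@)`, the validator the address member uses for single addresses. Whether `ipv6_addr_param` accepts prefix notation is not visible here; if it does not, every valid prefix is rejected at this line, and if it does, the check duplicates what `type: ipv6net` already enforces. Please confirm against the validator, and if it is redundant drop that line and keep only `check_prefix_boundary`, which is the check that actually adds value for a network set.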
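Review bot: The new `ipv6-group/node.def` declares only `help:` and no `priority:`, and the same commit deletes `templates/firewall/node.def`, which carried `priority: 199`, the top-level `help: Firewall` and the firewall trap `end:` action, without the subject or message saying why. If the `firewall` node template is now produced elsewhere (no generated template is visible in this patch), one sentence in the commit message would save the next reader the search; if it is not, the deletion removes the definition of the parent node the new `ipv6-group` subtree hangs under. Please also confirm that the `priority: 200` on the `ipv6-group` children is still ordered relative to the parent as intended.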
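Review bot: `check-set-type` in the new ipv6-name destination address-group node is called without `--set-family`, although `update-set` and `is-group-defined` in this same commit now take `--set-family=inet6`, and `allowed:` only drives tab completion, not validation. As written, an IPv6 rule may reference an IPv4 address-group of matching type and pass the commit check, leaving the family mismatch to surface only when the ip6tables rule is built, if at all; whether the script defaults to one family is not visible here. If the action supports it, add `--set-family=inet6 \` before `--set-type=address;"` here, in the destination network-group hunk of the next file, and in the two source-group hunks for address-group and network-group.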
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def
new file mode 100644
index 0000000..b3e2718
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Group of networks
+
+commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-set-type \
+ --set-name=$VAR(@) \
+ --set-type=network;"
+allowed: cli-shell-api listNodes firewall ipv6-group network-group
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/node.def
new file mode 100644
index 0000000..bb11dae
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/node.def
@@ -0,0 +1 @@
+help: Destination group
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/port-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/port-group/node.def
new file mode 100644
index 0000000..985302b
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/port-group/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Group of ports
+
+commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-set-type \
+ --set-name=$VAR(@) \
+ --set-type=port;"
+allowed: cli-shell-api listNodes firewall group port-group
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def
new file mode 100644
index 0000000..63f0540
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Group of addresses
+
+commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-set-type \
+ --set-name=$VAR(@) \
+ --set-type=address;"
+allowed: cli-shell-api listNodes firewall ipv6-group address-group
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def
new file mode 100644
index 0000000..b3e2718
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Group of networks
+
+commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-set-type \
+ --set-name=$VAR(@) \
+ --set-type=network;"
+allowed: cli-shell-api listNodes firewall ipv6-group network-group
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/node.def
new file mode 100644
index 0000000..7b36071
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/node.def
@@ -0,0 +1 @@
+help: Source group
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/port-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/port-group/node.def
new file mode 100644
index 0000000..985302b
--- /dev/null
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/port-group/node.def
@@ -0,0 +1,8 @@
+type: txt
+help: Group of ports
+
+commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
+ --action=check-set-type \
+ --set-name=$VAR(@) \
+ --set-type=port;"
+allowed: cli-shell-api listNodes firewall group port-group
diff --git a/templates/firewall/node.def b/templates/firewall/node.def
deleted file mode 100644
index ef135d6..0000000
--- a/templates/firewall/node.def
+++ /dev/null
@@ -1,3 +0,0 @@
-priority: 199
-help: Firewall
-end: ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="$VAR(@)"
\ No newline at end of file
-- 
cgit v1.2.3