From 03f1937e7dcb01ce810c9c19eda15149245f4537 Mon Sep 17 00:00:00 2001 
From: Marian Tudosoiu Date: Mon, 12 Mar 2018 12:34:35 +0200 Subject: Task T35 - add support for IPv6 firewall adddress and network groups --- templates/firewall/group/address-group/node.def | 6 +++++- templates/firewall/group/network-group/node.def | 6 +++++- .../firewall/ipv6-group/address-group/node.def | 25 ++++++++++++++++++++++ .../address-group/node.tag/address/node.def | 6 ++++++ .../address-group/node.tag/description/node.def | 2 ++ .../firewall/ipv6-group/network-group/node.def | 21 ++++++++++++++++++ .../network-group/node.tag/description/node.def | 2 ++ .../network-group/node.tag/network/node.def | 8 +++++++ templates/firewall/ipv6-group/node.def | 1 + .../destination/group/address-group/node.def | 9 ++++++++ .../destination/group/network-group/node.def | 8 +++++++ .../rule/node.tag/destination/group/node.def | 1 + .../node.tag/destination/group/port-group/node.def | 8 +++++++ .../node.tag/source/group/address-group/node.def | 8 +++++++ .../node.tag/source/group/network-group/node.def | 8 +++++++ .../node.tag/rule/node.tag/source/group/node.def | 1 + .../rule/node.tag/source/group/port-group/node.def | 8 +++++++ templates/firewall/node.def | 3 --- 18 files changed, 126 insertions(+), 5 deletions(-) create mode 100644 templates/firewall/ipv6-group/address-group/node.def create mode 100644 templates/firewall/ipv6-group/address-group/node.tag/address/node.def create mode 100644 templates/firewall/ipv6-group/address-group/node.tag/description/node.def create mode 100644 templates/firewall/ipv6-group/network-group/node.def create mode 100644 templates/firewall/ipv6-group/network-group/node.tag/description/node.def create mode 100644 templates/firewall/ipv6-group/network-group/node.tag/network/node.def create mode 100644 templates/firewall/ipv6-group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def create mode 100644 
templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/port-group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/node.def create mode 100644 templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/port-group/node.def delete mode 100644 templates/firewall/node.def (limited to 'templates/firewall') diff --git a/templates/firewall/group/address-group/node.def b/templates/firewall/group/address-group/node.def index 13b2e72..d89233d 100644 --- a/templates/firewall/group/address-group/node.def +++ b/templates/firewall/group/address-group/node.def @@ -15,7 +15,11 @@ syntax:expression: pattern $VAR(@) "^[^!]" ; \ syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ "Firewall group name cannot contain shell punctuation" +syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ + --set-type=address --set-family=inet"; \ + "Firewall group name already used as Ipv6 group address" + end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ - --set-name="$VAR(@)" --set-type=address; then + --set-name="$VAR(@)" --set-type=address --set-family=inet; then ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group address-group $VAR(@)" fi diff --git a/templates/firewall/group/network-group/node.def b/templates/firewall/group/network-group/node.def index 263a772..ed9810d 100644 --- a/templates/firewall/group/network-group/node.def +++ b/templates/firewall/group/network-group/node.def 
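Review bot: The new `syntax:expression: exec` line interpolates `$VAR(@)` into a shell command unquoted, while the `end:` action a few lines below quotes the same value (`--set-name="$VAR(@)"`); inside the exec string that would be `--set-name=\"$VAR(@)\"`, using the `\"` escape the file already uses for its error messages. The only thing keeping the group name shell-safe is the preceding denylist pattern `^[^|;&$<>]*$`, which does not cover every character the shell treats specially, so the exec's safety silently depends on that list never being relaxed; an allowlist pattern for group names (letters, digits, `_`, `-`, `.`) would make this check and the `end:` action robust on their own. The same unquoted form is repeated in group/network-group/node.def, ipv6-group/address-group/node.def and, later on this page, in group/ipv6-address-group/node.def and group/ipv6-network-group/node.def. Minor: the message spells the family `Ipv6`; the rest of the tree uses `IPv6`.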
@@ -15,8 +15,12 @@ syntax:expression: pattern $VAR(@) "^[^!]" ; \ syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ "Firewall group name cannot contain shell punctuation" +syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ + --set-type=address --set-family=inet"; \ + "Firewall group name already used as Ipv6 group address" + end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ - --set-name="$VAR(@)" --set-type=network; then + --set-name="$VAR(@)" --set-type=network --set-family=inet; then ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group network-group $VAR(@)" fi diff --git a/templates/firewall/ipv6-group/address-group/node.def b/templates/firewall/ipv6-group/address-group/node.def new file mode 100644 index 0000000..b61f784 --- /dev/null +++ b/templates/firewall/ipv6-group/address-group/node.def @@ -0,0 +1,25 @@ +tag: +priority: 200 +type: txt +help: Firewall address-group + +syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \ + "Firewall group name must be 31 characters or less" + +syntax:expression: pattern $VAR(@) "^[^-]" ; \ + "Firewall group name cannot start with \"-\"" + +syntax:expression: pattern $VAR(@) "^[^!]" ; \ + "Firewall group name cannot start with \"!\"" + +syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ + "Firewall group name cannot contain shell punctuation" + +syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ + --set-type=address --set-family=inet6"; \ + "Firewall group name already used as Ipv4 group address" + +end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ + --set-name="$VAR(@)" --set-type=address --set-family=inet6; then + ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group address-group $VAR(@)" + fi 
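Review bot: The check pasted into group/network-group/node.def passes `--set-type=address`, so for a network-group it looks for a name collision in the IPv6 address-group tree instead of the IPv6 network-group tree (vyatta-ipset.pl builds the path from the type, see the hunk further down this page); it should read `--set-type=network --set-family=inet"; \`, matching the `update-set` call two lines below. The page shows this being corrected later in commit 1d21300885e606ec9e8da2b9a9b7af898d896a24, but it belongs in this commit so the intermediate tree never ships with a check that passes for the wrong reason. The error message copied with it ("already used as Ipv6 group address") would then also need to say "network".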
diff --git a/templates/firewall/ipv6-group/address-group/node.tag/address/node.def b/templates/firewall/ipv6-group/address-group/node.tag/address/node.def new file mode 100644 index 0000000..ba944e6 --- /dev/null +++ b/templates/firewall/ipv6-group/address-group/node.tag/address/node.def @@ -0,0 +1,6 @@ +multi: +type: txt +help: Address-group member +val_help: ipv6; IPv6 address to match + +syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" diff --git a/templates/firewall/ipv6-group/address-group/node.tag/description/node.def b/templates/firewall/ipv6-group/address-group/node.tag/description/node.def new file mode 100644 index 0000000..032553a --- /dev/null +++ b/templates/firewall/ipv6-group/address-group/node.tag/description/node.def @@ -0,0 +1,2 @@ +type: txt +help: IPv6 Address-group description diff --git a/templates/firewall/ipv6-group/network-group/node.def b/templates/firewall/ipv6-group/network-group/node.def new file mode 100644 index 0000000..90383c2 --- /dev/null +++ b/templates/firewall/ipv6-group/network-group/node.def @@ -0,0 +1,21 @@ +tag: +priority: 200 +type: txt +help: Firewall network-group + +syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \ + "Firewall group name must be 31 characters or less" + +syntax:expression: pattern $VAR(@) "^[^-]" ; \ + "Firewall group name cannot start with \"-\"" + +syntax:expression: pattern $VAR(@) "^[^!]" ; \ + "Firewall group name cannot start with \"!\"" + +syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ + "Firewall group name cannot contain shell punctuation" + +end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ + --set-name="$VAR(@)" --set-type=network --set-family=inet6; then + ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall ipv6-group network-group $VAR(@)" + fi 
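Review bot: ipv6-group/network-group/node.def has no `is-group-defined` syntax check, unlike its sibling ipv6-group/address-group/node.def in the same commit, so an IPv6 network-group can be created with a name already held by an IPv4 network-group. Since the set is created with `ipset -N $self->{_name} ...` (IpSet.pm hunk further down this page) and that name carries no family, two same-named groups would presumably collide at the ipset level; the check exists to prevent exactly that and should be present for both types. The page shows the check being added when the template is moved to group/ipv6-network-group in commit 65410961b33a072addf91dce7879f6a734aa2187; it should be part of this commit. Also the trap level string in ipv6-group/address-group/node.def says `firewall group address-group`, whereas this file reports `firewall ipv6-group network-group` — the two should agree on which path they report.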
diff --git a/templates/firewall/ipv6-group/network-group/node.tag/description/node.def b/templates/firewall/ipv6-group/network-group/node.tag/description/node.def new file mode 100644 index 0000000..52bb8e4 --- /dev/null +++ b/templates/firewall/ipv6-group/network-group/node.tag/description/node.def @@ -0,0 +1,2 @@ +type: txt +help: Network-group description diff --git a/templates/firewall/ipv6-group/network-group/node.tag/network/node.def b/templates/firewall/ipv6-group/network-group/node.tag/network/node.def new file mode 100644 index 0000000..879a164 --- /dev/null +++ b/templates/firewall/ipv6-group/network-group/node.tag/network/node.def @@ -0,0 +1,8 @@ +multi: +type: ipv6net +help: Network-group member +val_help: ipv6net; IPv6 Subnet to match + +syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" + +syntax:expression: exec "/opt/vyatta/sbin/check_prefix_boundary $VAR(@)" diff --git a/templates/firewall/ipv6-group/node.def b/templates/firewall/ipv6-group/node.def new file mode 100644 index 0000000..3c87f34 --- /dev/null +++ b/templates/firewall/ipv6-group/node.def @@ -0,0 +1 @@ +help: IPv6 Firewall group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def new file mode 100644 index 0000000..71a4326 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def @@ -0,0 +1,9 @@ +type: txt +help: Group of addresses + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=address;" + +allowed: cli-shell-api listNodes firewall ipv6-group address-group 
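Review bot: In the destination/group/address-group template the `commit:expression` calls `vyatta-ipset.pl --action=check-set-type` with `--set-name` and `--set-type` only, although every other vyatta-ipset.pl invocation added in this series now passes `--set-family`. If check-set-type resolves the group through the config tree the way `update_set` does (it selects `firewall group ...` vs `firewall group ipv6-...` on `$set_family`, see the vyatta-ipset.pl hunk further down), an unspecified family would make the IPv6 rule's check look at the IPv4 group path; adding `--set-type=address --set-family=inet6;"` would make the intent explicit, or confirm that check-set-type inspects the live set rather than the config. The same call appears in the destination network-group, source address-group and source network-group templates of this commit. The IPv6 rules' port-group templates point `allowed:` at `firewall group port-group`, i.e. IPv4 port groups are shared; that looks deliberate but deserves a comment in the template.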
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def new file mode 100644 index 0000000..b3e2718 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def @@ -0,0 +1,8 @@ +type: txt +help: Group of networks + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=network;" +allowed: cli-shell-api listNodes firewall ipv6-group network-group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/node.def new file mode 100644 index 0000000..bb11dae --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/node.def @@ -0,0 +1 @@ +help: Destination group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/port-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/port-group/node.def new file mode 100644 index 0000000..985302b --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/port-group/node.def @@ -0,0 +1,8 @@ +type: txt +help: Group of ports + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=port;" +allowed: cli-shell-api listNodes firewall group port-group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def new file mode 100644 index 0000000..63f0540 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def 
@@ -0,0 +1,8 @@ +type: txt +help: Group of addresses + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=address;" +allowed: cli-shell-api listNodes firewall ipv6-group address-group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def new file mode 100644 index 0000000..b3e2718 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def @@ -0,0 +1,8 @@ +type: txt +help: Group of networks + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=network;" +allowed: cli-shell-api listNodes firewall ipv6-group network-group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/node.def new file mode 100644 index 0000000..7b36071 --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/node.def @@ -0,0 +1 @@ +help: Source group diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/port-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/port-group/node.def new file mode 100644 index 0000000..985302b --- /dev/null +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/port-group/node.def @@ -0,0 +1,8 @@ +type: txt +help: Group of ports + +commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ + --action=check-set-type \ + --set-name=$VAR(@) \ + --set-type=port;" +allowed: cli-shell-api listNodes firewall group port-group diff --git a/templates/firewall/node.def b/templates/firewall/node.def deleted file mode 100644 index ef135d6..0000000 --- a/templates/firewall/node.def +++ /dev/null 
@@ -1,3 +0,0 @@ -priority: 199 -help: Firewall -end: ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="$VAR(@)" \ No newline at end of file -- cgit v1.2.3 From 4e3ea201d7902d9a0641bbecf42d7e837595e01b Mon Sep 17 00:00:00 2001 From: Marian Tudosoiu Date: Mon, 12 Mar 2018 12:58:25 +0200 Subject: Task T35 add generation of SNMP traps on firewall config changes --- templates/firewall/node.def | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 templates/firewall/node.def (limited to 'templates/firewall') diff --git a/templates/firewall/node.def b/templates/firewall/node.def new file mode 100644 index 0000000..ef135d6 --- /dev/null +++ b/templates/firewall/node.def @@ -0,0 +1,3 @@ +priority: 199 +help: Firewall +end: ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="$VAR(@)" \ No newline at end of file -- cgit v1.2.3 From 65410961b33a072addf91dce7879f6a734aa2187 Mon Sep 17 00:00:00 2001 
From: Marian Tudosoiu Date: Wed, 14 Mar 2018 10:27:25 +0200 Subject: Task T35 change to place ipv6 address-groups and network groups under group config tree --- scripts/firewall/vyatta-ipset.pl | 4 ++-- .../firewall/group/ipv6-address-group/node.def | 25 ++++++++++++++++++++++ .../ipv6-address-group/node.tag/address/node.def | 6 ++++++ .../node.tag/description/node.def | 2 ++ .../firewall/group/ipv6-network-group/node.def | 25 ++++++++++++++++++++++ .../node.tag/description/node.def | 2 ++ .../ipv6-network-group/node.tag/network/node.def | 8 +++++++ .../firewall/ipv6-group/address-group/node.def | 25 ---------------------- .../address-group/node.tag/address/node.def | 6 ------ .../address-group/node.tag/description/node.def | 2 -- .../firewall/ipv6-group/network-group/node.def | 21 ------------------ .../network-group/node.tag/description/node.def | 2 -- .../network-group/node.tag/network/node.def | 8 ------- templates/firewall/ipv6-group/node.def | 1 - 14 files changed, 70 insertions(+), 67 deletions(-) create mode 100644 templates/firewall/group/ipv6-address-group/node.def create mode 100644 templates/firewall/group/ipv6-address-group/node.tag/address/node.def create mode 100644 templates/firewall/group/ipv6-address-group/node.tag/description/node.def create mode 100644 templates/firewall/group/ipv6-network-group/node.def create mode 100644 templates/firewall/group/ipv6-network-group/node.tag/description/node.def create mode 100644 templates/firewall/group/ipv6-network-group/node.tag/network/node.def delete mode 100644 templates/firewall/ipv6-group/address-group/node.def delete mode 100644 templates/firewall/ipv6-group/address-group/node.tag/address/node.def delete mode 100644 templates/firewall/ipv6-group/address-group/node.tag/description/node.def delete mode 100644 templates/firewall/ipv6-group/network-group/node.def delete mode 100644 templates/firewall/ipv6-group/network-group/node.tag/description/node.def delete mode 100644 
templates/firewall/ipv6-group/network-group/node.tag/network/node.def delete mode 100644 templates/firewall/ipv6-group/node.def (limited to 'templates/firewall')
diff --git a/scripts/firewall/vyatta-ipset.pl b/scripts/firewall/vyatta-ipset.pl
index f18237d..0f7f731 100755
--- a/scripts/firewall/vyatta-ipset.pl
+++ b/scripts/firewall/vyatta-ipset.pl
@@ -252,7 +252,7 @@ sub ipset_is_group_defined {
 die "Error: undefined set_type\n" if ! defined $set_type;
 die "Error: undefined set_family\n" if ! defined $set_family;
- my $gpath = ($set_family eq 'inet') ? "firewall ipv6-group $set_type-group" : "firewall group $set_type-group";
+ my $gpath = ($set_family eq 'inet') ? "firewall group ipv6-$set_type-group" : "firewall group $set_type-group";
 my @groups = $cfg->listOrigNodes($gpath);
 my $group;
 foreach $group (@groups) {
@@ -267,7 +267,7 @@ sub update_set {
 my ($set_name, $set_type, $set_family) = @_;
 my $cfg = new Vyatta::Config;
 my ($rc, $newset);
- my $cpath = ($set_family eq 'inet') ? "firewall group $set_type-group $set_name" : "firewall ipv6-group $set_type-group $set_name";
+ my $cpath = ($set_family eq 'inet') ? "firewall group $set_type-group $set_name" : "firewall group ipv6-$set_type-group $set_name";
 if ($cfg->existsOrig($cpath)) {
 if (!$cfg->exists($cpath)) { # deleted
diff --git a/templates/firewall/group/ipv6-address-group/node.def b/templates/firewall/group/ipv6-address-group/node.def
new file mode 100644
index 0000000..7ce50d2
--- /dev/null
+++ b/templates/firewall/group/ipv6-address-group/node.def
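Review bot: `ipset_is_group_defined` now builds the cross-family path correctly but still reads it with `$cfg->listOrigNodes($gpath)`, i.e. only the already-committed configuration; a same-named group added to the other family within the same commit would not be seen, so the collision the check exists for can slip through when both groups are created together. If the check is meant to cover the pending configuration as well, `my @groups = $cfg->listNodes($gpath);` (or consulting both views) seems the intended call — worth confirming against how syntax checks are sequenced. Style, in the context of `update_set`: `my $cfg = new Vyatta::Config;` is indirect object syntax; `my $cfg = Vyatta::Config->new;` is the conventional form and avoids parse ambiguity. Both subs begin and end outside the hunks shown.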
@@ -0,0 +1,25 @@ +tag: +priority: 200 +type: txt +help: Firewall address-group + +syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \ + "Firewall group name must be 31 characters or less" + +syntax:expression: pattern $VAR(@) "^[^-]" ; \ + "Firewall group name cannot start with \"-\"" + +syntax:expression: pattern $VAR(@) "^[^!]" ; \ + "Firewall group name cannot start with \"!\"" + +syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ + "Firewall group name cannot contain shell punctuation" + +syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ + --set-type=address --set-family=inet6"; \ + "Firewall group name already used as Ipv4 group address" + +end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ + --set-name="$VAR(@)" --set-type=address --set-family=inet6; then + ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group ipv6-address-group $VAR(@)" + fi diff --git a/templates/firewall/group/ipv6-address-group/node.tag/address/node.def b/templates/firewall/group/ipv6-address-group/node.tag/address/node.def new file mode 100644 index 0000000..ba944e6 --- /dev/null +++ b/templates/firewall/group/ipv6-address-group/node.tag/address/node.def @@ -0,0 +1,6 @@ +multi: +type: txt +help: Address-group member +val_help: ipv6; IPv6 address to match + +syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" diff --git a/templates/firewall/group/ipv6-address-group/node.tag/description/node.def b/templates/firewall/group/ipv6-address-group/node.tag/description/node.def new file mode 100644 index 0000000..f630483 --- /dev/null +++ b/templates/firewall/group/ipv6-address-group/node.tag/description/node.def @@ -0,0 +1,2 @@ +type: txt +help: IPv6 Address-group description \ No newline at end of file diff --git a/templates/firewall/group/ipv6-network-group/node.def b/templates/firewall/group/ipv6-network-group/node.def new file mode 100644 index 0000000..299b8cc 
--- /dev/null +++ b/templates/firewall/group/ipv6-network-group/node.def @@ -0,0 +1,25 @@ +tag: +priority: 200 +type: txt +help: Firewall network-group + +syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \ + "Firewall group name must be 31 characters or less" + +syntax:expression: pattern $VAR(@) "^[^-]" ; \ + "Firewall group name cannot start with \"-\"" + +syntax:expression: pattern $VAR(@) "^[^!]" ; \ + "Firewall group name cannot start with \"!\"" + +syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ + "Firewall group name cannot contain shell punctuation" + +syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ + --set-type=network --set-family=inet6"; \ + "Firewall group name already used as Ipv6 group address" + +end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ + --set-name="$VAR(@)" --set-type=network --set-family=inet6; then + ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group ipv6-network-group $VAR(@)" + fi diff --git a/templates/firewall/group/ipv6-network-group/node.tag/description/node.def b/templates/firewall/group/ipv6-network-group/node.tag/description/node.def new file mode 100644 index 0000000..cc905df --- /dev/null +++ b/templates/firewall/group/ipv6-network-group/node.tag/description/node.def @@ -0,0 +1,2 @@ +type: txt +help: IPv6-network-group description diff --git a/templates/firewall/group/ipv6-network-group/node.tag/network/node.def b/templates/firewall/group/ipv6-network-group/node.tag/network/node.def new file mode 100644 index 0000000..879a164 --- /dev/null +++ b/templates/firewall/group/ipv6-network-group/node.tag/network/node.def @@ -0,0 +1,8 @@ +multi: +type: ipv6net +help: Network-group member +val_help: ipv6net; IPv6 Subnet to match + +syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" + +syntax:expression: exec "/opt/vyatta/sbin/check_prefix_boundary $VAR(@)" 
diff --git a/templates/firewall/ipv6-group/address-group/node.def b/templates/firewall/ipv6-group/address-group/node.def deleted file mode 100644 index b61f784..0000000 --- a/templates/firewall/ipv6-group/address-group/node.def +++ /dev/null @@ -1,25 +0,0 @@ -tag: -priority: 200 -type: txt -help: Firewall address-group - -syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \ - "Firewall group name must be 31 characters or less" - -syntax:expression: pattern $VAR(@) "^[^-]" ; \ - "Firewall group name cannot start with \"-\"" - -syntax:expression: pattern $VAR(@) "^[^!]" ; \ - "Firewall group name cannot start with \"!\"" - -syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ - "Firewall group name cannot contain shell punctuation" - -syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ - --set-type=address --set-family=inet6"; \ - "Firewall group name already used as Ipv4 group address" - -end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ - --set-name="$VAR(@)" --set-type=address --set-family=inet6; then - ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group address-group $VAR(@)" - fi diff --git a/templates/firewall/ipv6-group/address-group/node.tag/address/node.def b/templates/firewall/ipv6-group/address-group/node.tag/address/node.def deleted file mode 100644 index ba944e6..0000000 --- a/templates/firewall/ipv6-group/address-group/node.tag/address/node.def +++ /dev/null @@ -1,6 +0,0 @@ -multi: -type: txt -help: Address-group member -val_help: ipv6; IPv6 address to match - -syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" diff --git a/templates/firewall/ipv6-group/address-group/node.tag/description/node.def b/templates/firewall/ipv6-group/address-group/node.tag/description/node.def deleted file mode 100644 index 032553a..0000000 --- a/templates/firewall/ipv6-group/address-group/node.tag/description/node.def +++ /dev/null 
@@ -1,2 +0,0 @@ -type: txt -help: IPv6 Address-group description diff --git a/templates/firewall/ipv6-group/network-group/node.def b/templates/firewall/ipv6-group/network-group/node.def deleted file mode 100644 index 90383c2..0000000 --- a/templates/firewall/ipv6-group/network-group/node.def +++ /dev/null @@ -1,21 +0,0 @@ -tag: -priority: 200 -type: txt -help: Firewall network-group - -syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \ - "Firewall group name must be 31 characters or less" - -syntax:expression: pattern $VAR(@) "^[^-]" ; \ - "Firewall group name cannot start with \"-\"" - -syntax:expression: pattern $VAR(@) "^[^!]" ; \ - "Firewall group name cannot start with \"!\"" - -syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ - "Firewall group name cannot contain shell punctuation" - -end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ - --set-name="$VAR(@)" --set-type=network --set-family=inet6; then - ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall ipv6-group network-group $VAR(@)" - fi diff --git a/templates/firewall/ipv6-group/network-group/node.tag/description/node.def b/templates/firewall/ipv6-group/network-group/node.tag/description/node.def deleted file mode 100644 index 52bb8e4..0000000 --- a/templates/firewall/ipv6-group/network-group/node.tag/description/node.def +++ /dev/null @@ -1,2 +0,0 @@ -type: txt -help: Network-group description diff --git a/templates/firewall/ipv6-group/network-group/node.tag/network/node.def b/templates/firewall/ipv6-group/network-group/node.tag/network/node.def deleted file mode 100644 index 879a164..0000000 --- a/templates/firewall/ipv6-group/network-group/node.tag/network/node.def +++ /dev/null @@ -1,8 +0,0 @@ -multi: -type: ipv6net -help: Network-group member -val_help: ipv6net; IPv6 Subnet to match - -syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" - -syntax:expression: exec "/opt/vyatta/sbin/check_prefix_boundary $VAR(@)" 
diff --git a/templates/firewall/ipv6-group/node.def b/templates/firewall/ipv6-group/node.def deleted file mode 100644 index 3c87f34..0000000 --- a/templates/firewall/ipv6-group/node.def +++ /dev/null @@ -1 +0,0 @@ -help: IPv6 Firewall group -- cgit v1.2.3 From 6a5ef5fbfa2d1f399bf3584710c5e1a7f9380b30 Mon Sep 17 00:00:00 2001 From: mtudosoiu Date: Wed, 14 Mar 2018 11:06:05 +0200 Subject: Task T35 place ipv6 groups under group config tree --- templates/firewall/group/ipv6-address-group/node.tag/address/node.def | 3 +++ 1 file changed, 3 insertions(+) (limited to 'templates/firewall') diff --git a/templates/firewall/group/ipv6-address-group/node.tag/address/node.def b/templates/firewall/group/ipv6-address-group/node.tag/address/node.def index ba944e6..5bd948b 100644 --- a/templates/firewall/group/ipv6-address-group/node.tag/address/node.def +++ b/templates/firewall/group/ipv6-address-group/node.tag/address/node.def @@ -3,4 +3,7 @@ type: txt help: Address-group member val_help: ipv6; IPv6 address to match +syntax:expression: pattern $VAR(@) "^[^|;&$<>/]*$" ; \ + "Error [$VAR(@)] isn't valid IPv6 host address" + syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" -- cgit v1.2.3 From a17ae5f48dfa1007df6fdd19f267b25f965df143 Mon Sep 17 00:00:00 2001 From: mtudosoiu Date: Wed, 14 Mar 2018 11:06:11 +0200 Subject: Task T35 place ipv6 groups under group config tree --- .../node.tag/rule/node.tag/destination/group/address-group/node.def | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'templates/firewall') diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def index 71a4326..961663c 100644 --- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def 
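Review bot: The added pattern `^[^|;&$<>/]*$` is a denylist, yet its message tells the user the value "isn't valid IPv6 host address", which it does not establish; it also leaves `$VAR(@)` to be interpolated unquoted into the `vyatta-validate-type` exec on the following line with only that denylist as protection. A positive pattern such as `"^[0-9A-Fa-f:.]+$"` (colon-hex with an optional dotted-quad tail; add `-` if `ipv6_addr_param` is meant to accept ranges) matches the message, makes the `/` exclusion implicit, and gives the exec an argument that is safe by construction rather than by omission. The commit subject ("place ipv6 groups under group config tree") does not describe this change, which is a validation addition; a one-line subject like "ipv6-address-group: reject non-address characters before validation" would help history readers.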
+++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def @@ -6,4 +6,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ --set-name=$VAR(@) \ --set-type=address;" -allowed: cli-shell-api listNodes firewall ipv6-group address-group +allowed: cli-shell-api listNodes firewall group ipv6-address-group -- cgit v1.2.3 From 0de8ac70a62573de2975ff14dd9e776ea942821b Mon Sep 17 00:00:00 2001 From: mtudosoiu Date: Wed, 14 Mar 2018 11:06:41 +0200 Subject: Task T35 place ipv6 groups under group config tree --- .../node.tag/rule/node.tag/destination/group/network-group/node.def | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'templates/firewall') diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def index b3e2718..262c4dd 100644 --- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def @@ -5,4 +5,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ --action=check-set-type \ --set-name=$VAR(@) \ --set-type=network;" -allowed: cli-shell-api listNodes firewall ipv6-group network-group +allowed: cli-shell-api listNodes firewall group ipv6-network-group -- cgit v1.2.3 From 5d918bf6b1a0457a8a1f202ab99f6252e97bcb4a Mon Sep 17 00:00:00 2001 From: mtudosoiu Date: Wed, 14 Mar 2018 11:07:11 +0200 Subject: Task T35 place ipv6 groups under group config tree --- .../node.tag/rule/node.tag/source/group/address-group/node.def | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'templates/firewall') 
diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def index 63f0540..9323938 100644 --- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def @@ -5,4 +5,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ --action=check-set-type \ --set-name=$VAR(@) \ --set-type=address;" -allowed: cli-shell-api listNodes firewall ipv6-group address-group +allowed: cli-shell-api listNodes firewall group ipv6-address-group -- cgit v1.2.3 From 1fa169f72c2196a62d1f5fb3d0bce3bcf55a87be Mon Sep 17 00:00:00 2001 From: mtudosoiu Date: Wed, 14 Mar 2018 11:07:42 +0200 Subject: Task T35 place ipv6 groups under group config tree --- .../node.tag/rule/node.tag/source/group/network-group/node.def | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'templates/firewall') diff --git a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def index b3e2718..262c4dd 100644 --- a/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def +++ b/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def @@ -5,4 +5,4 @@ commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \ --action=check-set-type \ --set-name=$VAR(@) \ --set-type=network;" -allowed: cli-shell-api listNodes firewall ipv6-group network-group +allowed: cli-shell-api listNodes firewall group ipv6-network-group -- cgit v1.2.3 From 1d21300885e606ec9e8da2b9a9b7af898d896a24 Mon Sep 17 00:00:00 2001 
From: Marian Tudosoiu Date: Wed, 14 Mar 2018 11:14:34 +0200 Subject: Task T35 place ipv6 groups under group config tree --- templates/firewall/group/ipv6-address-group/node.def | 2 +- templates/firewall/group/ipv6-network-group/node.def | 4 ++-- templates/firewall/group/network-group/node.def | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) (limited to 'templates/firewall') diff --git a/templates/firewall/group/ipv6-address-group/node.def b/templates/firewall/group/ipv6-address-group/node.def index 7ce50d2..20e4430 100644 --- a/templates/firewall/group/ipv6-address-group/node.def +++ b/templates/firewall/group/ipv6-address-group/node.def @@ -1,7 +1,7 @@ tag: priority: 200 type: txt -help: Firewall address-group +help: Firewall ipv6-address-group syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \ "Firewall group name must be 31 characters or less" diff --git a/templates/firewall/group/ipv6-network-group/node.def b/templates/firewall/group/ipv6-network-group/node.def index 299b8cc..084fdb0 100644 --- a/templates/firewall/group/ipv6-network-group/node.def +++ b/templates/firewall/group/ipv6-network-group/node.def @@ -1,7 +1,7 @@ tag: priority: 200 type: txt -help: Firewall network-group +help: Firewall ipv6-network-group syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \ "Firewall group name must be 31 characters or less" @@ -17,7 +17,7 @@ syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ --set-type=network --set-family=inet6"; \ - "Firewall group name already used as Ipv6 group address" + "Firewall group name already used as Ipv4 group address" end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ --set-name="$VAR(@)" --set-type=network --set-family=inet6; then diff --git a/templates/firewall/group/network-group/node.def b/templates/firewall/group/network-group/node.def index ed9810d..14b8366 100644 
--- a/templates/firewall/group/network-group/node.def
+++ b/templates/firewall/group/network-group/node.def
@@ -16,7 +16,7 @@ syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \
 "Firewall group name cannot contain shell punctuation"
 syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \
- --set-type=address --set-family=inet"; \
+ --set-type=network --set-family=inet"; \
 "Firewall group name already used as Ipv6 group address"
 end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \
-- cgit v1.2.3
From 9e61589926f6801c318406d373d5b9d01922e12e Mon Sep 17 00:00:00 2001 From: Marian Tudosoiu Date: Fri, 23 Mar 2018 11:00:49 +0200 Subject: Task T35 change to solve port-group issue
--- lib/Vyatta/IpTables/IpSet.pm | 4 +++- templates/firewall/group/port-group/node.def | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'templates/firewall')
diff --git a/lib/Vyatta/IpTables/IpSet.pm b/lib/Vyatta/IpTables/IpSet.pm
index cee7935..5258773 100755
--- a/lib/Vyatta/IpTables/IpSet.pm
+++ b/lib/Vyatta/IpTables/IpSet.pm
@@ -190,11 +190,13 @@ sub create {
 my $ipset_param = $grouptype_hash{$self->{_type}};
 return "Error: invalid group type\n" if !defined $ipset_param;
+ my $cmd = "ipset -N $self->{_name} $ipset_param family $self->{_family}";
+
 if ($self->{_type} eq 'port') {
 $ipset_param .= ' --from 1 --to 65535';
+ my $cmd = "ipset -N $self->{_name} $ipset_param";
 }
- my $cmd = "ipset -N $self->{_name} $ipset_param family $self->{_family}";
 my $rc = $self->run_cmd($cmd);
 return "Error: call to ipset failed [$rc]" if $rc;
 return; # undef
diff --git a/templates/firewall/group/port-group/node.def b/templates/firewall/group/port-group/node.def
index 1484be2..729165f 100644
--- a/templates/firewall/group/port-group/node.def
+++ b/templates/firewall/group/port-group/node.def
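Review bot: The port-group fix in `create` does not take effect: `my $cmd = "ipset -N $self->{_name} $ipset_param";` inside the `if` declares a new lexical scoped to that block, so the `$cmd` that reaches `$self->run_cmd($cmd)` is still the outer one, built before `--from 1 --to 65535` was appended and still carrying `family $self->{_family}` — exactly the command the commit set out to avoid. Drop the `my` so the assignment lands on the outer variable: `$cmd = "ipset -N $self->{_name} $ipset_param";`. `use warnings` does not report this (the two declarations are in different scopes), so a test asserting the generated command string for a port group would be the safeguard. Separately, `$self->{_name}` is interpolated into a command string here; whether `run_cmd` goes through a shell is not visible in this hunk, and today the only guard is the name pattern in the node.def templates — worth a comment at this line so the dependency is explicit. The body of `create` continues outside the hunk.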
@@ -16,6 +16,6 @@ syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \
 "Firewall group name cannot contain shell punctuation"
 end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \
- --set-name="$VAR(@)" --set-type=port; then
+ --set-name="$VAR(@)" --set-type=port --set-family=inet; then
 ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group port-group $VAR(@)"
 fi
-- cgit v1.2.3
From 7272364a23c9f00f17f719c1efee756d960e8984 Mon Sep 17 00:00:00 2001
From: Marian Tudosoiu
Date: Thu, 19 Apr 2018 10:57:25 +0300
Subject: Task T35 - enable prune-deleted-sets for inet6 family firewall templates
---
 scripts/firewall/vyatta-ipset.pl | 1 -
 templates/firewall/ipv6-name/node.def | 10 +++++++---
 2 files changed, 7 insertions(+), 4 deletions(-)
(limited to 'templates/firewall')
diff --git a/scripts/firewall/vyatta-ipset.pl b/scripts/firewall/vyatta-ipset.pl
index e5b2fd1..65e0325 100755
--- a/scripts/firewall/vyatta-ipset.pl
+++ b/scripts/firewall/vyatta-ipset.pl
@@ -352,7 +352,6 @@ sub prune_deleted_sets {
     my $type = $group->get_type();
     my $family = $group->get_family();
     ($family eq 'inet') ? $cfg->setLevel("firewall group $type-group") : $cfg->setLevel("firewall group ipv6-$type-group");
-    $cfg->setLevel("firewall group $type-group");
     next if ($cfg->isEffective($set)); # don't prune if still in config
     my $rc;
     $rc = ipset_delete($set);
diff --git a/templates/firewall/ipv6-name/node.def b/templates/firewall/ipv6-name/node.def
index e7e1167..2e20b9a 100644
--- a/templates/firewall/ipv6-name/node.def
+++ b/templates/firewall/ipv6-name/node.def
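Review bot: The surviving `($family eq 'inet') ? $cfg->setLevel(...) : $cfg->setLevel(...);` in `prune_deleted_sets` uses a ternary as a statement for its side effects, which perlcritic flags and which reads as if its value mattered. Computing the path first is clearer: `my $level = ($family eq 'inet') ? "firewall group $type-group" : "firewall group ipv6-$type-group";` followed by `$cfg->setLevel($level);`. Removing the unconditional `setLevel` below it is the right fix, since that call previously overrode the inet6 branch. If a port set ever reports family inet6, the `ipv6-port-group` path this builds does not appear among the templates in this series, so `isEffective` would presumably be false and the set pruned; worth confirming that case cannot arise. `prune_deleted_sets` starts before and ends after the hunk.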
@@ -14,17 +14,21 @@ syntax:expression: ! pattern $VAR(@) "^VZONE" ; \
 end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "firewall ipv6-name" "$VAR(@)" ; then
-      if [ ${COMMIT_ACTION} = 'DELETE' ] ;
+      if [ ${COMMIT_ACTION} = 'DELETE' ] ; then
        if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok "firewall ipv6-name" ; then
-          sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "firewall ipv6-name"
+          if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "firewall ipv6-name"; then
+            ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall ipv6-name $VAR(@)"
+          fi
        fi
+      else
+        ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall ipv6-name $VAR(@)"
       fi
     else
       exit 1;
     fi
-    ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall ipv6-name $VAR(@)"
+    sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=prune-deleted-sets
 create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup ip6tables "firewall ipv6-name"
-- cgit v1.2.3
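Review bot: `${COMMIT_ACTION}` is unquoted in the added `if [ ${COMMIT_ACTION} = 'DELETE' ] ; then`, so if the variable is unset or empty the test degenerates to `[ = DELETE ]`, which `[` rejects with an error and the script then falls into the `else` branch and sends the trap as if this were a normal commit. Quote it: `if [ "${COMMIT_ACTION}" = 'DELETE' ] ; then`. The trap call is now duplicated in both branches; a comment such as `# trap on every successful commit except a delete whose teardown failed` above the outer if would make the intended asymmetry explicit. `--action=prune-deleted-sets` runs only on the success path because the `else exit 1; fi` precedes it, which appears intended. The `end:` block begins inside the hunk but the template continues past it.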
