-rw-r--r--debian/changelog13
-rwxr-xr-xscripts/zone-mgmt/vyatta-zone.pl25
-rw-r--r--templates/zone-policy/node.def2
-rw-r--r--templates/zone-policy/zone/node.tag/from/node.def5
4 files changed, 42 insertions, 3 deletions
diff --git a/debian/changelog b/debian/changelog
index 6169cb4c..daf08a88 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+vyatta-cfg-system (0.15.37) unstable; urgency=low
+
+ * * do silent validity check when creating zone chains and adding from
+ zone rules
+
+ -- Mohit Mehta <mohit.mehta@vyatta.com> Wed, 06 May 2009 16:52:59 -0700
+
+vyatta-cfg-system (0.15.36) unstable; urgency=low
+
+ * Split up system login scripts
+
+ -- Stephen Hemminger <stephen.hemminger@vyatta.com> Tue, 05 May 2009 13:51:14 -0700
+
vyatta-cfg-system (0.15.35) unstable; urgency=low
* * restrict zone name to 20 characters
diff --git a/scripts/zone-mgmt/vyatta-zone.pl b/scripts/zone-mgmt/vyatta-zone.pl
index b4fc7ad3..37bab3cd 100755
--- a/scripts/zone-mgmt/vyatta-zone.pl
+++ b/scripts/zone-mgmt/vyatta-zone.pl
@@ -635,12 +635,32 @@ sub set_default_policy {
return;
}
+sub check_zones_validity {
+ my $silent = shift;
+ my $error;
+ $error = Vyatta::Zone::validity_checks();
+ if ($error) {
+ if ($silent eq 'true') {
+ # called from from/node.def which is a different transaction
+ # than everything else under zone-policy. We do not want to
+ # make chains or insert from rules into chains if we have a
+ # malfunctioning configuration. We fail in a silent way here
+ # so that when this function is called from zone-policy/node.def
+ # we will print the error and not repeat the same error twice
+ exit 1;
+ } else {
+ return ($error , );
+ }
+ }
+ return;
+}
+
#
# main
#
my ($action, $zone_name, $interface, $from_zone, $ruleset_type, $ruleset_name,
- $default_policy);
+ $default_policy, $silent_validate);
GetOptions("action=s" => \$action,
"zone-name=s" => \$zone_name,
@@ -649,6 +669,7 @@ GetOptions("action=s" => \$action,
"ruleset-type=s" => \$ruleset_type,
"ruleset-name=s" => \$ruleset_name,
"default-policy=s" => \$default_policy,
+ "silent-validate=s" => \$silent_validate,
);
die "undefined action" if ! defined $action;
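Review bot: The new `"silent-validate=s"` option accepts any string, but only the exact value `true` selects the silent path in check_zones_validity, so a typo such as `True` quietly takes the printing path. Omitting the option leaves `$silent_validate` undefined, and `$silent eq 'true'` then compares against undef (a runtime warning if warnings are enabled, which is not visible here). Checking the value right after GetOptions would make the contract explicit: `die "invalid silent-validate" if defined $silent_validate && $silent_validate !~ /\A(?:true|false)\z/;`, together with `defined $silent && $silent eq 'true'` in the helper. The GetOptions call starts above this hunk.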
@@ -672,7 +693,7 @@ my ($error, $warning);
($error, $warning) = delete_fromzone_fw($zone_name, $from_zone, $ruleset_type,
$ruleset_name) if $action eq 'delete-fromzone-fw';
-($error, $warning) = Vyatta::Zone::validity_checks()
+($error, $warning) = check_zones_validity($silent_validate)
if $action eq 'validity-checks';
($error, $warning) = add_localzone($zone_name)
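Review bot: For `validity-checks`, `$warning` can no longer be set, because check_zones_validity returns only `($error , )`, whereas the removed line assigned the list from Vyatta::Zone::validity_checks() directly. Inside the helper the call is also made in scalar context (`$error = Vyatta::Zone::validity_checks();`). If that function ever returns a two-element list, scalar context yields the last element, not the first; its body is not visible here, so this is worth confirming. Calling it as `my ($error, $warning) = Vyatta::Zone::validity_checks();` and returning `($error, $warning)` on the non-silent path would keep the old behaviour. The dispatch chain continues outside this hunk.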
diff --git a/templates/zone-policy/node.def b/templates/zone-policy/node.def
index 2633101e..c4b62433 100644
--- a/templates/zone-policy/node.def
+++ b/templates/zone-policy/node.def
@@ -1,5 +1,5 @@
help: Configure zone-policy
begin:
-if ! /opt/vyatta/sbin/vyatta-zone.pl --action=validity-checks --zone-name=none; then
+if ! /opt/vyatta/sbin/vyatta-zone.pl --action=validity-checks --zone-name=none --silent-validate=false; then
exit 1
fi
diff --git a/templates/zone-policy/zone/node.tag/from/node.def b/templates/zone-policy/zone/node.tag/from/node.def
index 5273519a..5e37f9f1 100644
--- a/templates/zone-policy/zone/node.tag/from/node.def
+++ b/templates/zone-policy/zone/node.tag/from/node.def
@@ -7,6 +7,11 @@ allowed:
zones=( /opt/vyatta/config/active/zone-policy/zone/* )
echo -n ${zones[@]##*/}
+begin:
+if ! /opt/vyatta/sbin/vyatta-zone.pl --action=validity-checks --zone-name=none --silent-validate=true; then
+ exit 1
+fi
+
create:
parent_zone=$VAR(../@)
zones=($VAR(../@@))
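Review bot: The new `begin:` block fails with no output, because `--silent-validate=true` makes vyatta-zone.pl `exit 1` before any error is printed, and nothing in this template says where the message is expected to come from. A comment above the `if` would document that, for example `# errors are printed by zone-policy/node.def; this check only blocks chain creation on an invalid config`. If a commit can reach this node without the zone-policy/node.def check also running, the operator would see a rejected firewall change with no reason given, so that assumption is worth confirming.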