From 40b35c571d3ddb98f8bfcc734c286ffd41a113a4 Mon Sep 17 00:00:00 2001 From: Stig Thormodsrud Date: Thu, 15 Nov 2007 18:18:02 -0800 Subject: Fix "set policy access-list destination any". --- scripts/policy/vyatta-policy.pl | 23 ++++++++++++++++------ .../rule/node.tag/destination/any/node.def | 4 ++-- 2 files changed, 19 insertions(+), 8 deletions(-) diff --git a/scripts/policy/vyatta-policy.pl b/scripts/policy/vyatta-policy.pl index ae04470f..00aa5fc5 100755 --- a/scripts/policy/vyatta-policy.pl +++ b/scripts/policy/vyatta-policy.pl @@ -103,14 +103,27 @@ sub update_as_path() { exit 0; } +sub is_access_list { + my $list = shift; + + my $count = `vtysh -c \"show ip access-list $list\" | grep $list | wc -l`; + if ($count > 0) { + return 1; + } else { + return 0; + } +} + sub update_access_list() { my $list = shift; my $config = new VyattaConfig; my @rules = (); my $rule; - # remove the old rule - system ("$VTYSH -c \"configure terminal\" -c \"no access-list $list\" "); + # remove the old rule if it already exists + if (is_access_list($list)) { + system ("$VTYSH -c \"configure terminal\" -c \"no access-list $list\" "); + } $config->setLevel("policy access-list $list rule"); @rules = $config->listNodes(); @@ -136,8 +149,7 @@ sub update_access_list() { $srcmsk = $config->returnValue("$rule source inverse-mask"); } else { - $src = $config->returnValue("$rule source any"); - if ("$src" eq "true") { $src = "any"; } + if ($config->exists("$rule source any")) { $src = "any"; } else { print "error in source section of access-list $list rule $rule\n"; exit 1; @@ -157,8 +169,7 @@ sub update_access_list() { $dstmsk = $config->returnValue("$rule destination inverse-mask"); } else { - $dst = $config->returnValue("$rule destination any"); - if ("$dst" eq "true") { $dst = "any"; } + if ($config->exists("$rule destination any")) { $dst = "any"; } else { print "error in destination section of access-list $list rule $rule\n"; exit 1; diff --git a/templates/policy/access-list/node.tag/rule/node.tag/destination/any/node.def b/templates/policy/access-list/node.tag/rule/node.tag/destination/any/node.def index 999c4d21..96ab32c9 100644 --- a/templates/policy/access-list/node.tag/rule/node.tag/destination/any/node.def +++ b/templates/policy/access-list/node.tag/rule/node.tag/destination/any/node.def @@ -1,6 +1,6 @@ help: "Filter any IP address" -syntax: ($(../../@) >= 100 && $(../../@) <= 199) || ($(../../@) >= 2000) && $(../../@) <= 2699); " \ -To set destination filter parameters, the access-list rule number must be \n \ +syntax: ($(../../../@) >= 100 && $(../../../@) <= 199) || ($(../../../@) >= 2000 && $(../../../@) <= 2699); " \ +To set destination filter parameters, the access-list number must be \n \ <100-199> IP extended access list \n \ <2000-2699> IP extended access list (expanded range) \n" commit: $(../../action/) != ""; "You must specify an action before committing" -- cgit v1.2.3