From 6f1a6a7e8dd8bd5315a0faa128db9eafced5cff2 Mon Sep 17 00:00:00 2001
From: Mohit Mehta
Date: Wed, 24 Mar 2010 15:22:41 -0700
Subject: Fix Bug 5487 http redirect url address placed on the router gets blocked by local-zone's firewall when using Zone Based Firewall

* changed local zones INPUT and OUTPUT chain rules to allow all local-zone traffic on the loopback interface rather than using address 127.0.0.1 which was too restrictive and blocked certain traffic initiated from and going to local-zone itself. This is compliant with the Zone Concept and similar to what's done for other transient zones as well where rules are interface based
---
 scripts/zone-mgmt/vyatta-zone.pl | 57 ++++++++++++++++------
 .../zone-policy/zone/node.tag/interface/node.def | 2 +
 2 files changed, 45 insertions(+), 14 deletions(-)

diff --git a/scripts/zone-mgmt/vyatta-zone.pl b/scripts/zone-mgmt/vyatta-zone.pl
index 8760b6a6..b0d7286f 100755
--- a/scripts/zone-mgmt/vyatta-zone.pl
+++ b/scripts/zone-mgmt/vyatta-zone.pl
@@ -469,25 +469,54 @@ sub add_zone {
                                 'localout');
     foreach my $tree (keys %cmd_hash) {
-      my $loopback_addr = '127.0.0.1';
-      my $source_addr = '$8';
-      my $dest_addr = '$9';
-      # set IPv6 params if using ip6tables
-      if ($cmd_hash{$tree} =~ '6') {
-        $loopback_addr = '::1/128';
-        $source_addr = '$7';
-        $dest_addr = '$8';
-      }
       foreach my $chain (@localchains) {
-        $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -L $chain -vn " .
-              "| awk {'print \$3 \" \" $source_addr \" \" $dest_addr'} " .
-              "| grep 'RETURN $loopback_addr $loopback_addr' | wc -l";
+        my $loopback_intf = '';
+        if ($chain =~ m/_IN/) {
+
+          # if the chain is INPUT chain
+          $loopback_intf = '$6';
+
+          # set IPv6 params if using ip6tables
+          if ($cmd_hash{$tree} =~ '6') {
+            $loopback_intf = '$5';
+          }
+
+        } else {
+
+          # if the chain is OUTPUT chain
+          $loopback_intf = '$7';
+
+          # set IPv6 params if using ip6tables
+          if ($cmd_hash{$tree} =~ '6') {
+            $loopback_intf = '$6';
+          }
+
+        }
+
+        $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -L $chain 1 -vn " .
+              "| awk {'print \$3 \" \" $loopback_intf'} ".
+              "| grep 'RETURN lo\$' | wc -l";
+
         my $result=`$cmd`;
         if ($result < 1) {
-          $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -I $chain " .
-                "-s $loopback_addr -d $loopback_addr -j RETURN";
+
+          $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -I $chain ";
+
+          if ($chain =~ m/_IN/) {
+
+            # rule for INPUT chain
+            $cmd .= "-i lo -j RETURN";
+
+          } else {
+
+            # rule for OUTPUT chain
+            $cmd .= "-o lo -j RETURN";
+
+          }
+
           $error = Vyatta::Zone::run_cmd($cmd);
           return "Error: adding rule to allow localhost traffic failed [$error]" if $error;
+
         }
       }
     }
diff --git a/templates/zone-policy/zone/node.tag/interface/node.def b/templates/zone-policy/zone/node.tag/interface/node.def
index 845a5e8c..64a3c2fc 100644
--- a/templates/zone-policy/zone/node.tag/interface/node.def
+++ b/templates/zone-policy/zone/node.tag/interface/node.def
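Review bot: The direction test `$chain =~ m/_IN/` and the IPv6 column adjustment are each written out twice in the new code, once to choose the awk field and once to choose `-i`/`-o`, so the two branches can drift apart; deriving the field number and the interface flag once per chain keeps them in step. The field indexes `$5`–`$7` encode an assumed `-vn` column layout in which ip6tables output is one column narrower (the removed `$7`/`$8` offsets assumed the same), and that assumption should be stated in a comment, because a change in the listing format would silently make the check return 0 and insert a duplicate rule on every run. The presence check also depends on the RETURN rule sitting at position 1, which `-I $chain` guarantees only as long as nothing else inserts ahead of it, so that is worth noting beside it. add_zone starts and continues outside the hunk.
```perl
      foreach my $chain (@localchains) {
        # Assumed `-vn` listing layout: pkts bytes target prot opt in out ...
        # ip6tables prints one column fewer, so the in/out field index shifts
        # down by one. TODO(review): confirm against the installed iptables.
        my $is_input  = ($chain =~ m/_IN/);
        my $intf_col  = $is_input ? 6 : 7;
        $intf_col-- if $cmd_hash{$tree} =~ '6';
        my $intf_flag = $is_input ? '-i' : '-o';

        # Only rule 1 is inspected: the RETURN rule is always inserted with -I,
        # so it is expected at the top of the chain.
        $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -L $chain 1 -vn " .
              "| awk {'print \$3 \" \" \$$intf_col'} " .
              "| grep 'RETURN lo\$' | wc -l";
        my $result=`$cmd`;
        if ($result < 1) {
          $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -I $chain " .
                 "$intf_flag lo -j RETURN";
          # … unchanged: run_cmd call and error return …
        }
      }
```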
@@ -3,6 +3,8 @@ type: txt help: Set interface associated with zone allowed: /opt/vyatta/sbin/vyatta-interfaces.pl --show=all | sed -e s/'lo '// +syntax:expression: $VAR(@) != "lo" ; "Cannot assign loopback interface to a transit zone. It's part of local-zone" + create: /opt/vyatta/sbin/vyatta-interfaces.pl --dev=$VAR(@) --warn create: -- cgit v1.2.3