Merge branch 'jenner' of suva.vyatta.com:/git/vyatta-cfg-system into jenner

10 files changed, 261 insertions, 35 deletions

diff --git a/Makefile.am b/Makefile.am
index 4cbed0c2..4107298d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -41,6 +41,7 @@ sbin_SCRIPTS += scripts/vyatta-bonding.pl
 sbin_SCRIPTS += scripts/vyatta-raid-event
 sbin_SCRIPTS += scripts/vyatta-update-arp-params
 sbin_SCRIPTS += scripts/zone-mgmt/vyatta-zone.pl
+sbin_SCRIPTS += scripts/vyatta-banner.pl
 
 noinst_DATA = test_bootfile
 
diff --git a/debian/changelog b/debian/changelog
index 18bafeae..46a4d39d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,30 @@
+vyatta-cfg-system (0.15.32) unstable; urgency=low
+
+  * Using perl module for move() rather than system call.
+  * Avoid unnecessary writing of file if it's the same contents.
+
+ -- Stig Thormodsrud <stig@vyatta.com>  Mon, 27 Apr 2009 14:42:17 -0700
+
+vyatta-cfg-system (0.15.31) unstable; urgency=low
+
+  * Add configurable login banners.
+
+ -- Stig Thormodsrud <stig@vyatta.com>  Sun, 26 Apr 2009 18:53:02 -0700
+
+vyatta-cfg-system (0.15.30) unstable; urgency=low
+
+  * * add jump to local-zone-out chain in OUTPUT chain for both [ip and
+    ip6] tables
+
+ -- Mohit Mehta <mohit.mehta@vyatta.com>  Fri, 24 Apr 2009 18:31:57 -0700
+
+vyatta-cfg-system (0.15.29) unstable; urgency=low
+
+  * Add support for virtual-ethernet
+  * New tacacs+ configuration templates
+
+ -- Stephen Hemminger <stephen.hemminger@vyatta.com>  Fri, 24 Apr 2009 13:01:24 -0700
+
 vyatta-cfg-system (0.15.28) unstable; urgency=low
 
   [ Justin Fletcher ]
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index 59b43d13..b49576d9 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -32,6 +32,9 @@ if [ "$sysconfdir" != "/etc" ]; then
     touch /etc/sudoers
     cp -p /etc/sudoers /etc/sudoers.bak
 
+    # enable ssh banner
+    sed -i 's/^#Banner/Banner/' /etc/ssh/sshd_config
+
     # for "admin" level
     sed -i 's/^# %sudo ALL=NOPASSWD: ALL/%sudo ALL=NOPASSWD: ALL/' /etc/sudoers
     if ! grep -q '^%sudo ALL=NOPASSWD: ALL' /etc/sudoers; then
diff --git a/scripts/vyatta-banner.pl b/scripts/vyatta-banner.pl
new file mode 100644
index 00000000..7ae35edf
--- /dev/null
+++ b/scripts/vyatta-banner.pl
@@ -0,0 +1,151 @@
+#!/usr/bin/perl
+#
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# A copy of the GNU General Public License is available as
+# `/usr/share/common-licenses/GPL' in the Debian GNU/Linux distribution
+# or on the World Wide Web at `http://www.gnu.org/copyleft/gpl.html'.
+# You can also obtain it by writing to the Free Software Foundation,
+# Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+# MA 02110-1301, USA.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2009 Vyatta, Inc.
+# All Rights Reserved.
+#
+# Author: Stig Thormodsrud
+# Date: April 2009
+# Description: Script to setup login banner
+#
+# **** End License ****
+#
+
+use lib '/opt/vyatta/share/perl5/';
+use Vyatta::Config;
+
+use Getopt::Long;
+use File::Copy;
+use File::Compare;
+use strict;
+use warnings;
+
+my $prelogin_file      = '/etc/issue';
+my $prelogin_net_file  = '/etc/issue.net';
+my $postlogin_file     = '/etc/motd';
+
+
+sub save_orig_file {
+    my $file = shift;
+
+    move($file, "$file.old") if ! -e "$file.old";
+    return;
+}
+
+sub restore_orig_file {
+    my $file = shift;
+
+    move("$file.old", $file)if -e "$file.old"; 
+    return;
+}
+
+sub is_same_as_file {
+    my ($file, $value) = @_;
+
+    return if ! -e $file;
+
+    my $mem_file;
+    open my $MF, '+<', \$mem_file or die "couldn't open memfile $!\n";
+    print $MF $value;
+    seek($MF, 0, 0);
+    
+    my $rc = compare($file, $MF);
+    return 1 if $rc == 0;
+    return;
+}
+
+sub write_file_value {
+    my ($file, $value) = @_;
+
+    # Avoid unnecessary writes.  At boot the file will be the
+    # regenerated with the same content.
+    return if is_same_as_file($file, $value);
+
+    open my $F, '>', $file or die "Error: opening $file [$!]";
+    print $F "$value";
+    close $F;
+}
+
+sub get_banner {
+    my $banner_type = shift;
+
+    my $config = new Vyatta::Config;
+    $config->setLevel('system login banner');
+    my $text = $config->returnValue($banner_type);
+    $text =~ s|\\n|\n|g;
+    $text =~ s|\\t|\t|g;
+    return $text;
+}
+
+sub add_prelogin {
+    save_orig_file($prelogin_file);
+    save_orig_file($prelogin_net_file);
+    my $text = get_banner('pre-login');
+    write_file_value($prelogin_file, $text);    
+    write_file_value($prelogin_net_file, $text);    
+    return;
+}
+
+sub add_postlogin {
+    save_orig_file($postlogin_file);
+    my $text = get_banner('post-login');
+    write_file_value($postlogin_file, $text);
+    return;
+}
+
+
+#
+# main
+#
+my ($action, $banner_type);
+
+GetOptions("action=s"      => \$action,
+	   "banner-type=s" => \$banner_type,
+);
+
+die "Error: no action"      if ! defined $action;
+die "Error: no banner-type" if ! defined $banner_type;
+
+if ($action eq 'update') {
+    if ($banner_type eq 'pre-login') {
+	add_prelogin();
+	exit 0;
+    }
+    if ($banner_type eq 'post-login') {
+	add_postlogin();
+	exit 0;
+    }
+}
+
+if ($action eq 'delete') {
+    if ($banner_type eq 'pre-login') {
+	restore_orig_file($prelogin_file);
+	restore_orig_file($prelogin_net_file);
+	exit 0;
+    }
+    if ($banner_type eq 'post-login') {
+	restore_orig_file($postlogin_file);
+	exit 0;
+    }
+}
+
+exit 1;
+
+#end of file
diff --git a/scripts/zone-mgmt/vyatta-zone.pl b/scripts/zone-mgmt/vyatta-zone.pl
index f826244b..b4fc7ad3 100755
--- a/scripts/zone-mgmt/vyatta-zone.pl
+++ b/scripts/zone-mgmt/vyatta-zone.pl
@@ -188,23 +188,6 @@ sub add_fromlocalzone_ruleset {
                 $ruleset_type, $ruleset, '-o', $zone_chain);
     return ($error, ) if $error;
 
-     # if jump to localzoneout chain not inserted, then insert rule
-     my $rule_cnt = Vyatta::Zone::count_iptables_rules($cmd_hash{$ruleset_type},
-                $table_hash{$ruleset_type}, "OUTPUT");
-     my $insert_at_rule_num=1;
-     if ( $rule_cnt > 1 ) {
-        $insert_at_rule_num=$rule_cnt;
-     }
-     my $result = Vyatta::Zone::rule_exists ($cmd_hash{$ruleset_type},
-        $table_hash{$ruleset_type}, "OUTPUT", $zone_chain);
-     if ($result < 1) {
-      my $cmd = "sudo $cmd_hash{$ruleset_type} -t $table_hash{$ruleset_type} " . 
-	"-I OUTPUT $insert_at_rule_num -j $zone_chain";
-      $error = Vyatta::Zone::run_cmd($cmd);
-      return "Error: call to add jump rule for local zone out
-$zone_chain chain failed [$error]" if $error;
-     }
-
     return;
 }
 
@@ -260,16 +243,6 @@ sub delete_fromlocalzone_ruleset {
 		$ruleset_type, $ruleset, '-o', $zone_chain);
     return ($error, ) if $error;
 
-    # if only drop rule in $zone_chain, then delete jump from OUTPUT chain
-    my $rule_cnt = Vyatta::Zone::count_iptables_rules($cmd_hash{$ruleset_type}, 
-	$table_hash{$ruleset_type}, $zone_chain);
-    if ($rule_cnt < 2) {
-      $cmd = "sudo $cmd_hash{$ruleset_type} -t $table_hash{$ruleset_type} " . 
-	"-D OUTPUT -j $zone_chain";
-      $error = Vyatta::Zone::run_cmd($cmd);
-      return "Error: call to delete jump rule for local zone out
-$zone_chain chain failed [$error]" if $error;
-     }
     return;
 }
 
@@ -547,7 +520,7 @@ sub delete_zone_interface {
 
 sub add_fromzone_fw {
     my ($zone, $from_zone, $ruleset_type, $ruleset_name) = @_;
-    my $error;
+    my ($cmd, $error);
 
     # for all interfaces in from zone apply ruleset to filter traffic
     # from this zone to specified zone (i.e. $zone)
@@ -570,14 +543,37 @@ sub add_fromzone_fw {
           return "Error: $error" if $error;        
         }
       }
-    }
+
+      my $zone_chain=Vyatta::Zone::get_zone_chain("exists",
+                        $from_zone, 'localout');
+      # add jump to local-zone-out chain in OUTPUT chains for [ip and ip6]tables
+      foreach my $tree (keys %cmd_hash) {
+        # if jump to localzoneout chain not inserted, then insert rule
+        my $rule_cnt = Vyatta::Zone::count_iptables_rules($cmd_hash{$tree},
+                $table_hash{$tree}, "OUTPUT");
+        my $insert_at_rule_num=1;
+        if ( $rule_cnt > 1 ) {
+          $insert_at_rule_num=$rule_cnt;
+        }
+        my $result = Vyatta::Zone::rule_exists ($cmd_hash{$tree},
+          $table_hash{$tree}, "OUTPUT", $zone_chain);
+        if ($result < 1) {
+          my $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .
+             "-I OUTPUT $insert_at_rule_num -j $zone_chain";
+          $error = Vyatta::Zone::run_cmd($cmd);
+          return "Error: call to add jump rule for local zone out
+$zone_chain chain failed [$error]" if $error;
+        }
+      }
+
+    } # end of else
 
     return;
 }
 
 sub delete_fromzone_fw {
     my ($zone, $from_zone, $ruleset_type, $ruleset_name) = @_;
-    my $error;
+    my ($cmd, $error);
 
     # for all interfaces in from zone remove ruleset to filter traffic
     # from this zone to specified zone (i.e. $zone)
@@ -600,7 +596,29 @@ sub delete_fromzone_fw {
           return "Error: $error" if $error;
         }
       }
-    }
+    
+      my $zone_chain=Vyatta::Zone::get_zone_chain("existsOrig",
+                        $from_zone, 'localout');
+      # if only drop rule in $zone_chain in both [ip and ip6]tables
+      # then delete jump from OUTPUT chain in both
+      foreach my $tree (keys %cmd_hash) {
+        my $rule_cnt = Vyatta::Zone::count_iptables_rules($cmd_hash{$tree},
+        $table_hash{$tree}, $zone_chain);
+        if ($rule_cnt > 1) {
+         # atleast one of [ip or ip6]tables has local-zone as a from zone
+         return;
+        }
+      }
+
+      foreach my $tree (keys %cmd_hash) {
+           $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .
+           "-D OUTPUT -j $zone_chain";
+           $error = Vyatta::Zone::run_cmd($cmd);
+           return "Error: call to delete jump rule for local zone out
+$zone_chain chain failed [$error]" if $error;
+      }
+
+    } # end of else
     return;
 }
 
diff --git a/templates/system/login/banner/node.def b/templates/system/login/banner/node.def
new file mode 100644
index 00000000..2aef97a4
--- /dev/null
+++ b/templates/system/login/banner/node.def
@@ -0,0 +1 @@
+help: Set system login banners
diff --git a/templates/system/login/banner/post-login/node.def b/templates/system/login/banner/post-login/node.def
new file mode 100644
index 00000000..98c139b8
--- /dev/null
+++ b/templates/system/login/banner/post-login/node.def
@@ -0,0 +1,12 @@
+help: Set system loging banner post-login
+type: txt
+
+update: sudo /opt/vyatta/sbin/vyatta-banner.pl \
+             --action=update --banner-type=post-login
+
+delete: sudo /opt/vyatta/sbin/vyatta-banner.pl \
+             --action=delete --banner-type=post-login
+
+comp_help: possible completions:
+  <txt>   Set login banner 
+          (example: "\\n\\n\\tWelcome to Vyatta!\\n")
diff --git a/templates/system/login/banner/pre-login/node.def b/templates/system/login/banner/pre-login/node.def
new file mode 100644
index 00000000..7cb80380
--- /dev/null
+++ b/templates/system/login/banner/pre-login/node.def
@@ -0,0 +1,13 @@
+help: Set system loging banner pre-login
+type: txt
+
+update: sudo /opt/vyatta/sbin/vyatta-banner.pl \
+             --action=update --banner-type=pre-login
+
+delete: sudo /opt/vyatta/sbin/vyatta-banner.pl \
+             --action=delete --banner-type=pre-login
+
+comp_help: possible completions:
+  <txt>   Set login banner 
+          (example: "\\n\\n\\tUNAUTHORIZED USE OF THIS SYSTEM\\nIS PROHIBITED!\\n")
+
diff --git a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def
index 1283f55c..e34cf8c4 100644
--- a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def
+++ b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def
@@ -7,7 +7,7 @@ allowed:
         echo -n ${params[@]##*/}
 
 create:
-        params=( `ls /opt/vyatta/config/active/firewall/ipv6-name` )
+        params=( `ls /opt/vyatta/config/active/firewall/ipv6-name 2>/dev/null` )
         array_len=${#params[*]}
         i=0
         found=0
@@ -31,7 +31,7 @@ create:
           --ruleset-name="$VAR(@)"
 
 update:
-        params=( `ls /opt/vyatta/config/active/firewall/ipv6-name` )
+        params=( `ls /opt/vyatta/config/active/firewall/ipv6-name 2>/dev/null` )
         array_len=${#params[*]}
         i=0
         found=0
diff --git a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def
index 8fc557c5..20dd913e 100644
--- a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def
+++ b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def
@@ -7,7 +7,7 @@ allowed:
         echo -n ${params[@]##*/}
 
 create:
-        params=( `ls /opt/vyatta/config/active/firewall/name` )
+        params=( `ls /opt/vyatta/config/active/firewall/name 2>/dev/null` )
         array_len=${#params[*]}
         i=0
         found=0
@@ -31,7 +31,7 @@ create:
           --ruleset-name="$VAR(@)"
 
 update:
-        params=( `ls /opt/vyatta/config/active/firewall/name` )
+        params=( `ls /opt/vyatta/config/active/firewall/name 2>/dev/null` )
         array_len=${#params[*]}
         i=0
         found=0