author | Mohit Mehta <mohit.mehta@vyatta.com> | 2009-04-24 18:18:40 -0700 |
---|---|---|
committer | Mohit Mehta <mohit.mehta@vyatta.com> | 2009-04-24 18:18:40 -0700 |
commit | ec65a5a95718314f1b0da036f0395c14b60d172a (patch) | |
tree | 4cf0db3235063df070f2bbcdc8552e00905a0aa0 | |
parent | 1fc94205234401e347613b9996d71698f98f1dd1 (diff) | |
* add jump to local-zone-out chain in OUTPUT chain for both [ip and ip6] tables
when traffic from the local zone to a transit zone is filtered by a firewall
* fix case where `ls` spits out error when a firewall type is not set
3 files changed, 53 insertions, 35 deletions
diff --git a/scripts/zone-mgmt/vyatta-zone.pl b/scripts/zone-mgmt/vyatta-zone.pl
index f826244b..b4fc7ad3 100755
--- a/scripts/zone-mgmt/vyatta-zone.pl
+++ b/scripts/zone-mgmt/vyatta-zone.pl
@@ -188,23 +188,6 @@ sub add_fromlocalzone_ruleset {
 $ruleset_type, $ruleset, '-o', $zone_chain);
 return ($error, ) if $error;
- # if jump to localzoneout chain not inserted, then insert rule
- my $rule_cnt = Vyatta::Zone::count_iptables_rules($cmd_hash{$ruleset_type},
- $table_hash{$ruleset_type}, "OUTPUT");
- my $insert_at_rule_num=1;
- if ( $rule_cnt > 1 ) {
- $insert_at_rule_num=$rule_cnt;
- }
- my $result = Vyatta::Zone::rule_exists ($cmd_hash{$ruleset_type},
- $table_hash{$ruleset_type}, "OUTPUT", $zone_chain);
- if ($result < 1) {
- my $cmd = "sudo $cmd_hash{$ruleset_type} -t $table_hash{$ruleset_type} " .
- "-I OUTPUT $insert_at_rule_num -j $zone_chain";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: call to add jump rule for local zone out
-$zone_chain chain failed [$error]" if $error;
- }
-
 return;
 }
@@ -260,16 +243,6 @@ sub delete_fromlocalzone_ruleset {
 $ruleset_type, $ruleset, '-o', $zone_chain);
 return ($error, ) if $error;
- # if only drop rule in $zone_chain, then delete jump from OUTPUT chain
- my $rule_cnt = Vyatta::Zone::count_iptables_rules($cmd_hash{$ruleset_type},
- $table_hash{$ruleset_type}, $zone_chain);
- if ($rule_cnt < 2) {
- $cmd = "sudo $cmd_hash{$ruleset_type} -t $table_hash{$ruleset_type} " .
- "-D OUTPUT -j $zone_chain";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: call to delete jump rule for local zone out
-$zone_chain chain failed [$error]" if $error;
- }
 return;
 }
@@ -547,7 +520,7 @@ sub delete_zone_interface {
 sub add_fromzone_fw {
 my ($zone, $from_zone, $ruleset_type, $ruleset_name) = @_;
- my $error;
+ my ($cmd, $error);
 # for all interfaces in from zone apply ruleset to filter traffic
 # from this zone to specified zone (i.e. $zone)
@@ -570,14 +543,37 @@ sub add_fromzone_fw {
 return "Error: $error" if $error;
 }
 }
- }
+
+ my $zone_chain=Vyatta::Zone::get_zone_chain("exists",
+ $from_zone, 'localout');
+ # add jump to local-zone-out chain in OUTPUT chains for [ip and ip6]tables
+ foreach my $tree (keys %cmd_hash) {
+ # if jump to localzoneout chain not inserted, then insert rule
+ my $rule_cnt = Vyatta::Zone::count_iptables_rules($cmd_hash{$tree},
+ $table_hash{$tree}, "OUTPUT");
+ my $insert_at_rule_num=1;
+ if ( $rule_cnt > 1 ) {
+ $insert_at_rule_num=$rule_cnt;
+ }
+ my $result = Vyatta::Zone::rule_exists ($cmd_hash{$tree},
+ $table_hash{$tree}, "OUTPUT", $zone_chain);
+ if ($result < 1) {
+ my $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .
+ "-I OUTPUT $insert_at_rule_num -j $zone_chain";
+ $error = Vyatta::Zone::run_cmd($cmd);
+ return "Error: call to add jump rule for local zone out
+$zone_chain chain failed [$error]" if $error;
+ }
+ }
+
+ } # end of else
 return;
 }
 sub delete_fromzone_fw {
 my ($zone, $from_zone, $ruleset_type, $ruleset_name) = @_;
- my $error;
+ my ($cmd, $error);
 # for all interfaces in from zone remove ruleset to filter traffic
 # from this zone to specified zone (i.e. $zone)
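Review bot: The `$cmd` added to the subroutine-level `my ($cmd, $error);` of add_fromzone_fw (the -547 hunk) is never assigned, because the new loop declares its own `my $cmd = "sudo ..."` inside `if ($result < 1)`; either keep `my $error;` there or write `$cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .` as delete_fromzone_fw does, so the two subs stay parallel. The jump is inserted in every table of %cmd_hash using `$zone_chain` from `get_zone_chain("exists", $from_zone, 'localout')`, but nothing in the hunk establishes that this else branch is reached only for the local from-zone; if that call can return undef for a transit zone, the interpolated command ends in `-j ` and fails inside iptables with a message that does not name the cause, so a `return unless defined $zone_chain;` before the `foreach` would fail early and readably. The command is still assembled as one shell string from `$zone_chain` and handed to `Vyatta::Zone::run_cmd`, whose implementation is outside the hunk; confirm that chain names are validated before they reach this point or that run_cmd avoids the shell. The enclosing else block starts before the hunk.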
@@ -600,7 +596,29 @@ sub delete_fromzone_fw {
 return "Error: $error" if $error;
 }
 }
- }
+
+ my $zone_chain=Vyatta::Zone::get_zone_chain("existsOrig",
+ $from_zone, 'localout');
+ # if only drop rule in $zone_chain in both [ip and ip6]tables
+ # then delete jump from OUTPUT chain in both
+ foreach my $tree (keys %cmd_hash) {
+ my $rule_cnt = Vyatta::Zone::count_iptables_rules($cmd_hash{$tree},
+ $table_hash{$tree}, $zone_chain);
+ if ($rule_cnt > 1) {
+ # atleast one of [ip or ip6]tables has local-zone as a from zone
+ return;
+ }
+ }
+
+ foreach my $tree (keys %cmd_hash) {
+ $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .
+ "-D OUTPUT -j $zone_chain";
+ $error = Vyatta::Zone::run_cmd($cmd);
+ return "Error: call to delete jump rule for local zone out
+$zone_chain chain failed [$error]" if $error;
+ }
+
+ } # end of else
 return;
 }
diff --git a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def
index 1283f55c..e34cf8c4 100644
--- a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def
+++ b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def
@@ -7,7 +7,7 @@ allowed: echo -n ${params[@]##*/}
 create:
- params=( `ls /opt/vyatta/config/active/firewall/ipv6-name` )
+ params=( `ls /opt/vyatta/config/active/firewall/ipv6-name 2>/dev/null` )
 array_len=${#params[*]}
 i=0
 found=0
@@ -31,7 +31,7 @@ create:
 --ruleset-name="$VAR(@)"
 update:
- params=( `ls /opt/vyatta/config/active/firewall/ipv6-name` )
+ params=( `ls /opt/vyatta/config/active/firewall/ipv6-name 2>/dev/null` )
 array_len=${#params[*]}
 i=0
 found=0
diff --git a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def
index 8fc557c5..20dd913e 100644
--- a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def
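Review bot: The second `foreach` in delete_fromzone_fw runs `-D OUTPUT -j $zone_chain` unconditionally in both tables, so if the first delete succeeds and the second fails the sub returns an error with the two tables out of step, and a retry then fails on the first table because iptables rejects `-D` for a rule that is no longer present; mirror the add path and skip tables where the jump is absent, e.g. `next if Vyatta::Zone::rule_exists($cmd_hash{$tree}, $table_hash{$tree}, "OUTPUT", $zone_chain) < 1;` as the first statement of that loop. The bare `return;` inside the first loop is the intended "keep the jump" outcome rather than an early exit on error, which the comment above it does not make obvious; wording such as `# chain still used by another from-zone in this table: keep the OUTPUT jump in both tables` would say so. The enclosing else block begins before the hunk.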
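Review bot: `2>/dev/null` on the backticked `ls` (both hunks here and the matching two in firewall/name/node.def) hides every failure, not only the missing-directory case the commit message describes, so a permission or read error now looks like an empty ruleset list and the comparison that presumably follows `found=0` (outside the hunk) will treat the configured name as unknown. Testing for the directory keeps the quiet path for the expected case only: `params=(); [ -d /opt/vyatta/config/active/firewall/ipv6-name ] && params=( $(ls /opt/vyatta/config/active/firewall/ipv6-name) )`. Splitting unquoted `ls` output into the array is unchanged by this commit and is only safe while firewall ruleset names cannot contain whitespace or glob characters, which this template cannot enforce on its own.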
+++ b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def
@@ -7,7 +7,7 @@ allowed: echo -n ${params[@]##*/}
 create:
- params=( `ls /opt/vyatta/config/active/firewall/name` )
+ params=( `ls /opt/vyatta/config/active/firewall/name 2>/dev/null` )
 array_len=${#params[*]}
 i=0
 found=0
@@ -31,7 +31,7 @@ create:
 --ruleset-name="$VAR(@)"
 update:
- params=( `ls /opt/vyatta/config/active/firewall/name` )
+ params=( `ls /opt/vyatta/config/active/firewall/name 2>/dev/null` )
 array_len=${#params[*]}
 i=0
 found=0