authorMohit Mehta <mohit.mehta@vyatta.com>2009-04-24 18:18:40 -0700
committerMohit Mehta <mohit.mehta@vyatta.com>2009-04-24 18:18:40 -0700
commitec65a5a95718314f1b0da036f0395c14b60d172a (patch)
tree4cf0db3235063df070f2bbcdc8552e00905a0aa0
parent1fc94205234401e347613b9996d71698f98f1dd1 (diff)
downloadvyatta-cfg-system-ec65a5a95718314f1b0da036f0395c14b60d172a.tar.gz
vyatta-cfg-system-ec65a5a95718314f1b0da036f0395c14b60d172a.zip
* add jump to local-zone-out chain in OUTPUT chain for both [ip and ip6] tables
when traffic from local-zone filtered with firewall to a transit zone * fix case where `ls` spits out error when a firewall type is not set
-rwxr-xr-xscripts/zone-mgmt/vyatta-zone.pl80
-rw-r--r--templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def4
-rw-r--r--templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def4
3 files changed, 53 insertions, 35 deletions
diff --git a/scripts/zone-mgmt/vyatta-zone.pl b/scripts/zone-mgmt/vyatta-zone.pl
index f826244b..b4fc7ad3 100755
--- a/scripts/zone-mgmt/vyatta-zone.pl
+++ b/scripts/zone-mgmt/vyatta-zone.pl
@@ -188,23 +188,6 @@ sub add_fromlocalzone_ruleset {
$ruleset_type, $ruleset, '-o', $zone_chain);
return ($error, ) if $error;
- # if jump to localzoneout chain not inserted, then insert rule
- my $rule_cnt = Vyatta::Zone::count_iptables_rules($cmd_hash{$ruleset_type},
- $table_hash{$ruleset_type}, "OUTPUT");
- my $insert_at_rule_num=1;
- if ( $rule_cnt > 1 ) {
- $insert_at_rule_num=$rule_cnt;
- }
- my $result = Vyatta::Zone::rule_exists ($cmd_hash{$ruleset_type},
- $table_hash{$ruleset_type}, "OUTPUT", $zone_chain);
- if ($result < 1) {
- my $cmd = "sudo $cmd_hash{$ruleset_type} -t $table_hash{$ruleset_type} " .
- "-I OUTPUT $insert_at_rule_num -j $zone_chain";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: call to add jump rule for local zone out
-$zone_chain chain failed [$error]" if $error;
- }
-
return;
}
@@ -260,16 +243,6 @@ sub delete_fromlocalzone_ruleset {
$ruleset_type, $ruleset, '-o', $zone_chain);
return ($error, ) if $error;
- # if only drop rule in $zone_chain, then delete jump from OUTPUT chain
- my $rule_cnt = Vyatta::Zone::count_iptables_rules($cmd_hash{$ruleset_type},
- $table_hash{$ruleset_type}, $zone_chain);
- if ($rule_cnt < 2) {
- $cmd = "sudo $cmd_hash{$ruleset_type} -t $table_hash{$ruleset_type} " .
- "-D OUTPUT -j $zone_chain";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: call to delete jump rule for local zone out
-$zone_chain chain failed [$error]" if $error;
- }
return;
}
@@ -547,7 +520,7 @@ sub delete_zone_interface {
sub add_fromzone_fw {
my ($zone, $from_zone, $ruleset_type, $ruleset_name) = @_;
- my $error;
+ my ($cmd, $error);
# for all interfaces in from zone apply ruleset to filter traffic
# from this zone to specified zone (i.e. $zone)
@@ -570,14 +543,37 @@ sub add_fromzone_fw {
return "Error: $error" if $error;
}
}
- }
+
+ my $zone_chain=Vyatta::Zone::get_zone_chain("exists",
+ $from_zone, 'localout');
+ # add jump to local-zone-out chain in OUTPUT chains for [ip and ip6]tables
+ foreach my $tree (keys %cmd_hash) {
+ # if jump to localzoneout chain not inserted, then insert rule
+ my $rule_cnt = Vyatta::Zone::count_iptables_rules($cmd_hash{$tree},
+ $table_hash{$tree}, "OUTPUT");
+ my $insert_at_rule_num=1;
+ if ( $rule_cnt > 1 ) {
+ $insert_at_rule_num=$rule_cnt;
+ }
+ my $result = Vyatta::Zone::rule_exists ($cmd_hash{$tree},
+ $table_hash{$tree}, "OUTPUT", $zone_chain);
+ if ($result < 1) {
+ my $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .
+ "-I OUTPUT $insert_at_rule_num -j $zone_chain";
+ $error = Vyatta::Zone::run_cmd($cmd);
+ return "Error: call to add jump rule for local zone out
+$zone_chain chain failed [$error]" if $error;
+ }
+ }
+
+ } # end of else
return;
}
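Review bot: The inner `my $cmd` on the `-I OUTPUT` line shadows the `$cmd` this commit declares at the top of add_fromzone_fw (`my ($cmd, $error);` in the earlier hunk), and that outer `$cmd` is otherwise unused in the visible code; either drop the inner `my` to match delete_fromzone_fw or drop `$cmd` from the outer declaration. The loop over `%cmd_hash` returns on the first run_cmd failure, so if the iptables insert succeeds and the ip6tables one fails the caller sees an error while one table already carries the jump; a comment such as `# a retry is safe: rule_exists skips tables that already have the jump` would document why that partial state is tolerable. The command is still assembled by interpolating `$zone_chain` into a `sudo` string, and if run_cmd hands that string to a shell (not visible here) a list-form invocation would remove the quoting concern, although the chain name comes from get_zone_chain rather than directly from operator input. The enclosing else block and the start of add_fromzone_fw lie outside the hunk.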
sub delete_fromzone_fw {
my ($zone, $from_zone, $ruleset_type, $ruleset_name) = @_;
- my $error;
+ my ($cmd, $error);
# for all interfaces in from zone remove ruleset to filter traffic
# from this zone to specified zone (i.e. $zone)
@@ -600,7 +596,29 @@ sub delete_fromzone_fw {
return "Error: $error" if $error;
}
}
- }
+
+ my $zone_chain=Vyatta::Zone::get_zone_chain("existsOrig",
+ $from_zone, 'localout');
+ # if only drop rule in $zone_chain in both [ip and ip6]tables
+ # then delete jump from OUTPUT chain in both
+ foreach my $tree (keys %cmd_hash) {
+ my $rule_cnt = Vyatta::Zone::count_iptables_rules($cmd_hash{$tree},
+ $table_hash{$tree}, $zone_chain);
+ if ($rule_cnt > 1) {
+ # atleast one of [ip or ip6]tables has local-zone as a from zone
+ return;
+ }
+ }
+
+ foreach my $tree (keys %cmd_hash) {
+ $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .
+ "-D OUTPUT -j $zone_chain";
+ $error = Vyatta::Zone::run_cmd($cmd);
+ return "Error: call to delete jump rule for local zone out
+$zone_chain chain failed [$error]" if $error;
+ }
+
+ } # end of else
return;
}
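Review bot: The second loop issues `-D OUTPUT -j $zone_chain` unconditionally for each table, whereas the add path inserts the jump only after a `rule_exists` check; if the jump is missing from one table (for instance after a partially failed add) the `-D` fails and the whole delete returns an error. Mirroring the add side with `next if Vyatta::Zone::rule_exists($cmd_hash{$tree}, $table_hash{$tree}, "OUTPUT", $zone_chain) < 1;` before building `$cmd` would make the delete idempotent (the `< 1` test is the same one the add path uses for "absent"). The bare `return;` in the first loop treats "chain still has rules in the other table" as success; a one-line comment stating that the OUTPUT jump is shared by both tables and is removed only when every table's local-zone-out chain is down to its single default rule would make that intent explicit. The enclosing else block and the start of delete_fromzone_fw lie outside the hunk.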
diff --git a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def
index 1283f55c..e34cf8c4 100644
--- a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def
+++ b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def
@@ -7,7 +7,7 @@ allowed:
echo -n ${params[@]##*/}
create:
- params=( `ls /opt/vyatta/config/active/firewall/ipv6-name` )
+ params=( `ls /opt/vyatta/config/active/firewall/ipv6-name 2>/dev/null` )
array_len=${#params[*]}
i=0
found=0
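Review bot: `params=( `ls ... 2>/dev/null` )` silences the error but still relies on word-splitting `ls` output, so a name containing whitespace would become several entries and any other `ls` failure (permission denied, not a directory) is now indistinguishable from "no rulesets configured". A glob such as `params=( /opt/vyatta/config/active/firewall/ipv6-name/* )` guarded by `shopt -s nullglob` (or an explicit `[ -d ... ]` test) yields the same empty array for a missing directory without the subshell or the splitting; the loop that consumes `params` is outside the hunk, so check whether it compares bare names or full paths before switching. The same pattern is repeated in the `update:` hunk below and in both hunks of the `name/node.def` file.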
@@ -31,7 +31,7 @@ create:
--ruleset-name="$VAR(@)"
update:
- params=( `ls /opt/vyatta/config/active/firewall/ipv6-name` )
+ params=( `ls /opt/vyatta/config/active/firewall/ipv6-name 2>/dev/null` )
array_len=${#params[*]}
i=0
found=0
diff --git a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def
index 8fc557c5..20dd913e 100644
--- a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def
+++ b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def
@@ -7,7 +7,7 @@ allowed:
echo -n ${params[@]##*/}
create:
- params=( `ls /opt/vyatta/config/active/firewall/name` )
+ params=( `ls /opt/vyatta/config/active/firewall/name 2>/dev/null` )
array_len=${#params[*]}
i=0
found=0
@@ -31,7 +31,7 @@ create:
--ruleset-name="$VAR(@)"
update:
- params=( `ls /opt/vyatta/config/active/firewall/name` )
+ params=( `ls /opt/vyatta/config/active/firewall/name 2>/dev/null` )
array_len=${#params[*]}
i=0
found=0