diff options
| author | Mohit Mehta <mohit.mehta@vyatta.com> | 2010-03-24 15:22:41 -0700 |
|---|---|---|
| committer | Mohit Mehta <mohit.mehta@vyatta.com> | 2010-03-24 15:22:41 -0700 |
| commit | 6f1a6a7e8dd8bd5315a0faa128db9eafced5cff2 (patch) | |
| tree | 7d71a4f812badd924207c9a204de2f84000c23f7 | |
| parent | c90ed03225e252fd029c752496f4bf4d850b0194 (diff) | |
| download | vyatta-cfg-system-6f1a6a7e8dd8bd5315a0faa128db9eafced5cff2.tar.gz vyatta-cfg-system-6f1a6a7e8dd8bd5315a0faa128db9eafced5cff2.zip | |
Fix Bug 5487 http redirect url address placed on the router gets blocked by
local-zone's firewall when using Zone Based Firewall
* changed local zones INPUT and OUTPUT chain rules to allow all local-zone
traffic on the loopback interface rather than using address 127.0.0.1 which
was too restrictive and blocked certain traffic initiated from and going to
local-zone itself. This is compliant with the Zone Concept and similar to
what's done for other transient zones as well where rules are interface based
| -rwxr-xr-x | scripts/zone-mgmt/vyatta-zone.pl | 57 | ||||
| -rw-r--r-- | templates/zone-policy/zone/node.tag/interface/node.def | 2 |
2 files changed, 45 insertions, 14 deletions
diff --git a/scripts/zone-mgmt/vyatta-zone.pl b/scripts/zone-mgmt/vyatta-zone.pl index 8760b6a6..b0d7286f 100755 --- a/scripts/zone-mgmt/vyatta-zone.pl +++ b/scripts/zone-mgmt/vyatta-zone.pl @@ -469,25 +469,54 @@ sub add_zone { 'localout'); foreach my $tree (keys %cmd_hash) { - my $loopback_addr = '127.0.0.1'; - my $source_addr = '$8'; - my $dest_addr = '$9'; - # set IPv6 params if using ip6tables - if ($cmd_hash{$tree} =~ '6') { - $loopback_addr = '::1/128'; - $source_addr = '$7'; - $dest_addr = '$8'; - } foreach my $chain (@localchains) { - $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -L $chain -vn " . - "| awk {'print \$3 \" \" $source_addr \" \" $dest_addr'} " . - "| grep 'RETURN $loopback_addr $loopback_addr' | wc -l"; + my $loopback_intf = ''; + if ($chain =~ m/_IN/) { + + # if the chain is INPUT chain + $loopback_intf = '$6'; + + # set IPv6 params if using ip6tables + if ($cmd_hash{$tree} =~ '6') { + $loopback_intf = '$5'; + } + + } else { + + # if the chain is OUTPUT chain + $loopback_intf = '$7'; + + # set IPv6 params if using ip6tables + if ($cmd_hash{$tree} =~ '6') { + $loopback_intf = '$6'; + } + + } + + $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -L $chain 1 -vn " . + "| awk {'print \$3 \" \" $loopback_intf'} ". + "| grep 'RETURN lo\$' | wc -l"; + my $result=`$cmd`; if ($result < 1) { - $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -I $chain " . - "-s $loopback_addr -d $loopback_addr -j RETURN"; + + $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -I $chain "; + + if ($chain =~ m/_IN/) { + + # rule for INPUT chain + $cmd .= "-i lo -j RETURN"; + + } else { + + # rule for OUTPUT chain + $cmd .= "-o lo -j RETURN"; + + } + $error = Vyatta::Zone::run_cmd($cmd); return "Error: adding rule to allow localhost traffic failed [$error]" if $error; + } } } diff --git a/templates/zone-policy/zone/node.tag/interface/node.def b/templates/zone-policy/zone/node.tag/interface/node.def index 845a5e8c..64a3c2fc 100644 --- a/templates/zone-policy/zone/node.tag/interface/node.def +++ b/templates/zone-policy/zone/node.tag/interface/node.def @@ -3,6 +3,8 @@ type: txt help: Set interface associated with zone allowed: /opt/vyatta/sbin/vyatta-interfaces.pl --show=all | sed -e s/'lo '// +syntax:expression: $VAR(@) != "lo" ; "Cannot assign loopback interface to a transit zone. It's part of local-zone" + create: /opt/vyatta/sbin/vyatta-interfaces.pl --dev=$VAR(@) --warn create: |