summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMohit Mehta <mohit.mehta@vyatta.com>2009-07-02 12:14:37 -0700
committerMohit Mehta <mohit.mehta@vyatta.com>2009-07-02 12:22:27 -0700
commitd9c64f2c8e4daaec06ae63235563191d1e03c966 (patch)
treecab00218d2910ae991e7eeb31a5dd7515a13d897
parent85f6cdd06a22a20757c3c144716b0f67f20dc6c5 (diff)
downloadvyatta-cfg-system-d9c64f2c8e4daaec06ae63235563191d1e03c966.tar.gz
vyatta-cfg-system-d9c64f2c8e4daaec06ae63235563191d1e03c966.zip
Fix Bug 4554 check for existing firewall ruleset fails when applying it to a zone during boot
* use isActive to check if firewall ruleset has been succesfully committed * fix templates to fail inside an action field when a command fails
-rwxr-xr-xscripts/zone-mgmt/vyatta-zone.pl11
-rw-r--r--templates/zone-policy/zone/node.def14
-rw-r--r--templates/zone-policy/zone/node.tag/default-action/node.def14
-rw-r--r--templates/zone-policy/zone/node.tag/from/node.def8
-rw-r--r--templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def70
-rw-r--r--templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def68
-rw-r--r--templates/zone-policy/zone/node.tag/interface/node.def14
-rw-r--r--templates/zone-policy/zone/node.tag/local-zone/node.def14
8 files changed, 119 insertions, 94 deletions
diff --git a/scripts/zone-mgmt/vyatta-zone.pl b/scripts/zone-mgmt/vyatta-zone.pl
index 7d2206cb..8760b6a6 100755
--- a/scripts/zone-mgmt/vyatta-zone.pl
+++ b/scripts/zone-mgmt/vyatta-zone.pl
@@ -689,6 +689,14 @@ sub check_zones_validity {
return;
}
+sub check_fwruleset_isActive {
+ my ($ruleset_type, $ruleset_name) = @_;
+ my $error = Vyatta::Zone::is_fwruleset_active('isActive',
+ $ruleset_type, $ruleset_name);
+ return "Invalid firewall ruleset $ruleset_type $ruleset_name" if $error;
+ return;
+}
+
#
# main
#
@@ -739,6 +747,9 @@ my ($error, $warning);
($error, $warning) = set_default_policy($zone_name, $default_policy)
if $action eq 'set-default-policy';
+($error, $warning) = check_fwruleset_isActive($ruleset_type, $ruleset_name)
+ if $action eq 'is-fwruleset-active';
+
if (defined $warning) {
print "$warning\n";
}
diff --git a/templates/zone-policy/zone/node.def b/templates/zone-policy/zone/node.def
index 1f8f2ffd..80e4f4e2 100644
--- a/templates/zone-policy/zone/node.def
+++ b/templates/zone-policy/zone/node.def
@@ -12,10 +12,16 @@ syntax:expression: pattern $VAR(@) "^[^-]" ; "Zone name cannot start with \"-\""
syntax:expression: pattern $VAR(@) "^[^;]*$" ; "Zone name cannot contain ';'"
-create: /opt/vyatta/sbin/vyatta-zone.pl \
+create:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
--action=add-zone \
- --zone-name="$VAR(@)"
+ --zone-name="$VAR(@)"; then
+ exit 1
+ fi
-delete: /opt/vyatta/sbin/vyatta-zone.pl \
+delete:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
--action=delete-zone \
- --zone-name="$VAR(@)"
+ --zone-name="$VAR(@)"; then
+ exit 1
+ fi
diff --git a/templates/zone-policy/zone/node.tag/default-action/node.def b/templates/zone-policy/zone/node.tag/default-action/node.def
index 01714098..82a5a595 100644
--- a/templates/zone-policy/zone/node.tag/default-action/node.def
+++ b/templates/zone-policy/zone/node.tag/default-action/node.def
@@ -11,12 +11,18 @@ comp_help: possible completions:
drop Drop silently (default)
reject Drop and notify source
-create: /opt/vyatta/sbin/vyatta-zone.pl \
+create:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
--action=set-default-policy \
--zone-name="$VAR(../@)" \
- --default-policy="$VAR(@)"
+ --default-policy="$VAR(@)"; then
+ exit 1
+ fi
-update: /opt/vyatta/sbin/vyatta-zone.pl \
+update:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
--action=set-default-policy \
--zone-name="$VAR(../@)" \
- --default-policy="$VAR(@)"
+ --default-policy="$VAR(@)"; then
+ exit 1
+ fi
diff --git a/templates/zone-policy/zone/node.tag/from/node.def b/templates/zone-policy/zone/node.tag/from/node.def
index 5e37f9f1..4b664769 100644
--- a/templates/zone-policy/zone/node.tag/from/node.def
+++ b/templates/zone-policy/zone/node.tag/from/node.def
@@ -32,6 +32,10 @@ create:
echo Undefined from zone [$VAR(@)] under zone $parent_zone
exit 1
else
- /opt/vyatta/sbin/vyatta-zone.pl --action=add-zone --zone-name="$parent_zone"
- /opt/vyatta/sbin/vyatta-zone.pl --action=add-zone --zone-name="$VAR(@)"
+ if ! /opt/vyatta/sbin/vyatta-zone.pl --action=add-zone --zone-name="$parent_zone"; then
+ exit 1
+ fi
+ if ! /opt/vyatta/sbin/vyatta-zone.pl --action=add-zone --zone-name="$VAR(@)"; then
+ exit 1
+ fi
fi
diff --git a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def
index e34cf8c4..b1ca94bc 100644
--- a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def
+++ b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def
@@ -7,66 +7,58 @@ allowed:
echo -n ${params[@]##*/}
create:
- params=( `ls /opt/vyatta/config/active/firewall/ipv6-name 2>/dev/null` )
- array_len=${#params[*]}
- i=0
- found=0
- while [ $i -lt $array_len ]; do
- if [ \"${params[$i]}\" == \"$VAR(@)\" ] ; then
-
- found=1
- fi
- let i++
- done
- if [ $found -eq 0 ]; then
- echo Invalid IPv6 firewall ruleset [$VAR(@)]
- exit 1
- fi
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=is-fwruleset-active \
+ --zone-name="$VAR(../../../@)" \
+ --ruleset-type=ipv6-name \
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
- /opt/vyatta/sbin/vyatta-zone.pl \
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
--action=add-fromzone-fw \
--zone-name="$VAR(../../../@)" \
--from-zone="$VAR(../../@)" \
--ruleset-type=ipv6-name \
- --ruleset-name="$VAR(@)"
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
update:
- params=( `ls /opt/vyatta/config/active/firewall/ipv6-name 2>/dev/null` )
- array_len=${#params[*]}
- i=0
- found=0
- while [ $i -lt $array_len ]; do
- echo comparing ${params[$i]} with $VAR(@)
- if [ \"${params[$i]}\" == \"$VAR(@)\" ] ; then
- found=1
- fi
- let i++
- done
- if [ $found -eq 0 ]; then
- echo Invalid IPv6 firewall ruleset [$VAR(@)]
- exit 1
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=is-fwruleset-active \
+ --zone-name="$VAR(../../../@)" \
+ --ruleset-type=ipv6-name \
+ --ruleset-name="$VAR(@)"; then
+ exit 1
fi
# need to undo previous ruleset here first
- old_ruleset=`cat /opt/vyatta/config/active/zone-policy/zone/$VAR(../../../@)/from/$VAR(../../@)/firewall/ipv6-name/node.val`
- /opt/vyatta/sbin/vyatta-zone.pl \
+ old_ruleset=`cat /opt/vyatta/config/active/zone-policy/zone/$VAR(../../../@)/from/$VAR(../../@)/firewall/ipv6-name/node.val`
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
--action=delete-fromzone-fw \
--zone-name="$VAR(../../../@)" \
--from-zone="$VAR(../../@)" \
--ruleset-type=ipv6-name \
- --ruleset-name="$old_ruleset"
+ --ruleset-name="$old_ruleset"; then
+ exit 1
+ fi
- /opt/vyatta/sbin/vyatta-zone.pl \
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
--action=add-fromzone-fw \
--zone-name="$VAR(../../../@)" \
--from-zone="$VAR(../../@)" \
- --ruleset-type=ipv6-name \
- --ruleset-name="$VAR(@)"
+ --ruleset-type=ipv6-name \
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
delete:
- /opt/vyatta/sbin/vyatta-zone.pl \
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
--action=delete-fromzone-fw \
--zone-name="$VAR(../../../@)" \
--from-zone="$VAR(../../@)" \
--ruleset-type=ipv6-name \
- --ruleset-name="$VAR(@)"
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
diff --git a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def
index 56df6a19..46328f0f 100644
--- a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def
+++ b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def
@@ -7,65 +7,59 @@ allowed:
echo -n ${params[@]##*/}
create:
- params=( `ls /opt/vyatta/config/active/firewall/name 2>/dev/null` )
- array_len=${#params[*]}
- i=0
- found=0
- while [ $i -lt $array_len ]; do
- if [ \"${params[$i]}\" == \"$VAR(@)\" ] ; then
-
- found=1
- fi
- let i++
- done
- if [ $found -eq 0 ]; then
- echo Invalid IPv4 firewall ruleset [$VAR(@)]
- #exit 1
- fi
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=is-fwruleset-active \
+ --zone-name="$VAR(../../../@)" \
+ --ruleset-type=name \
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
- /opt/vyatta/sbin/vyatta-zone.pl \
+
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
--action=add-fromzone-fw \
--zone-name="$VAR(../../../@)" \
--from-zone="$VAR(../../@)" \
--ruleset-type=name \
- --ruleset-name="$VAR(@)"
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
update:
- params=( `ls /opt/vyatta/config/active/firewall/name 2>/dev/null` )
- array_len=${#params[*]}
- i=0
- found=0
- while [ $i -lt $array_len ]; do
- if [ \"${params[$i]}\" == \"$VAR(@)\" ] ; then
- found=1
- fi
- let i++
- done
- if [ $found -eq 0 ]; then
- echo Invalid IPv4 firewall ruleset [$VAR(@)]
- exit 1
- fi
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=is-fwruleset-active \
+ --zone-name="$VAR(../../../@)" \
+ --ruleset-type=name \
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
# need to undo previous ruleset here first
old_ruleset=`cat /opt/vyatta/config/active/zone-policy/zone/$VAR(../../../@)/from/$VAR(../../@)/firewall/name/node.val`
- /opt/vyatta/sbin/vyatta-zone.pl \
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
--action=delete-fromzone-fw \
--zone-name="$VAR(../../../@)" \
--from-zone="$VAR(../../@)" \
--ruleset-type=name \
- --ruleset-name="$old_ruleset"
+ --ruleset-name="$old_ruleset"; then
+ exit 1
+ fi
- /opt/vyatta/sbin/vyatta-zone.pl \
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
--action=add-fromzone-fw \
--zone-name="$VAR(../../../@)" \
--from-zone="$VAR(../../@)" \
--ruleset-type=name \
- --ruleset-name="$VAR(@)"
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
delete:
- /opt/vyatta/sbin/vyatta-zone.pl \
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
--action=delete-fromzone-fw \
--zone-name="$VAR(../../../@)" \
--from-zone="$VAR(../../@)" \
--ruleset-type=name \
- --ruleset-name="$VAR(@)"
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
diff --git a/templates/zone-policy/zone/node.tag/interface/node.def b/templates/zone-policy/zone/node.tag/interface/node.def
index 824d3cda..845a5e8c 100644
--- a/templates/zone-policy/zone/node.tag/interface/node.def
+++ b/templates/zone-policy/zone/node.tag/interface/node.def
@@ -5,12 +5,18 @@ allowed: /opt/vyatta/sbin/vyatta-interfaces.pl --show=all | sed -e s/'lo '//
create: /opt/vyatta/sbin/vyatta-interfaces.pl --dev=$VAR(@) --warn
-create: /opt/vyatta/sbin/vyatta-zone.pl \
+create:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
--action=add-zone-interface \
--zone-name="$VAR(../@)" \
- --interface="$VAR(@)"
+ --interface="$VAR(@)"; then
+ exit 1
+ fi
-delete: /opt/vyatta/sbin/vyatta-zone.pl \
+delete:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
--action=delete-zone-interface \
--zone-name="$VAR(../@)" \
- --interface="$VAR(@)"
+ --interface="$VAR(@)"; then
+ exit 1
+ fi
diff --git a/templates/zone-policy/zone/node.tag/local-zone/node.def b/templates/zone-policy/zone/node.tag/local-zone/node.def
index 77a49771..4b045302 100644
--- a/templates/zone-policy/zone/node.tag/local-zone/node.def
+++ b/templates/zone-policy/zone/node.tag/local-zone/node.def
@@ -1,9 +1,15 @@
help: Set zone to be local-zone
-create: /opt/vyatta/sbin/vyatta-zone.pl \
+create:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
--action=add-localzone \
- --zone-name="$VAR(../@)"
+ --zone-name="$VAR(../@)"; then
+ exit 1
+ fi
-delete: /opt/vyatta/sbin/vyatta-zone.pl \
+delete:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
--action=delete-localzone \
- --zone-name="$VAR(../@)"
+ --zone-name="$VAR(../@)"; then
+ exit 1
+ fi