author | Mohit Mehta <mohit.mehta@vyatta.com> | 2009-07-02 12:14:37 -0700 |
---|---|---|
committer | Mohit Mehta <mohit.mehta@vyatta.com> | 2009-07-02 12:22:27 -0700 |
commit | d9c64f2c8e4daaec06ae63235563191d1e03c966 (patch) | |
tree | cab00218d2910ae991e7eeb31a5dd7515a13d897 | |
parent | 85f6cdd06a22a20757c3c144716b0f67f20dc6c5 (diff) | |
Fix Bug 4554 check for existing firewall ruleset fails when applying it to a zone during boot
* use isActive to check if firewall ruleset has been successfully committed
* fix templates to fail inside an action field when a command fails
8 files changed, 119 insertions, 94 deletions
diff --git a/scripts/zone-mgmt/vyatta-zone.pl b/scripts/zone-mgmt/vyatta-zone.pl
index 7d2206cb..8760b6a6 100755
--- a/scripts/zone-mgmt/vyatta-zone.pl
+++ b/scripts/zone-mgmt/vyatta-zone.pl
@@ -689,6 +689,14 @@ sub check_zones_validity {
 return;
 }
+sub check_fwruleset_isActive {
+ my ($ruleset_type, $ruleset_name) = @_;
+ my $error = Vyatta::Zone::is_fwruleset_active('isActive',
+ $ruleset_type, $ruleset_name);
+ return "Invalid firewall ruleset $ruleset_type $ruleset_name" if $error;
+ return;
+}
+
 #
 # main
 #
@@ -739,6 +747,9 @@ my ($error, $warning);
 ($error, $warning) = set_default_policy($zone_name, $default_policy)
 if $action eq 'set-default-policy';
+($error, $warning) = check_fwruleset_isActive($ruleset_type, $ruleset_name)
+ if $action eq 'is-fwruleset-active';
+
 if (defined $warning) {
 print "$warning\n";
 }
diff --git a/templates/zone-policy/zone/node.def b/templates/zone-policy/zone/node.def
index 1f8f2ffd..80e4f4e2 100644
--- a/templates/zone-policy/zone/node.def
+++ b/templates/zone-policy/zone/node.def
@@ -12,10 +12,16 @@ syntax:expression: pattern $VAR(@) "^[^-]" ; "Zone name cannot start with \"-\""
 syntax:expression: pattern $VAR(@) "^[^;]*$" ; "Zone name cannot contain ';'"
-create: /opt/vyatta/sbin/vyatta-zone.pl \
+create:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
 --action=add-zone \
- --zone-name="$VAR(@)"
+ --zone-name="$VAR(@)"; then
+ exit 1
+ fi
-delete: /opt/vyatta/sbin/vyatta-zone.pl \
+delete:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
 --action=delete-zone \
- --zone-name="$VAR(@)"
+ --zone-name="$VAR(@)"; then
+ exit 1
+ fi
diff --git a/templates/zone-policy/zone/node.tag/default-action/node.def b/templates/zone-policy/zone/node.tag/default-action/node.def
index 01714098..82a5a595 100644
--- a/templates/zone-policy/zone/node.tag/default-action/node.def
+++ b/templates/zone-policy/zone/node.tag/default-action/node.def
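Review bot: `check_fwruleset_isActive` hands `$ruleset_type` and `$ruleset_name` to `Vyatta::Zone::is_fwruleset_active` without checking that both were supplied, so an invocation of `--action=is-fwruleset-active` that omits `--ruleset-type` or `--ruleset-name` reaches the library with undef and, if that is reported as an error, yields `Invalid firewall ruleset  ` with blank fields. A guard before the call, `return "ruleset type and name are required" unless defined $ruleset_type && defined $ruleset_name;`, makes the failure self-describing; how these options are parsed is outside the hunk, so their defaults cannot be confirmed here. A one-line header would also help a reader of the dispatch in main: `# Fail unless the named ruleset is active (committed) according to Vyatta::Zone::is_fwruleset_active.` Style: the file's other subs are snake_case (`check_zones_validity`, `set_default_policy`), so `check_fwruleset_active` would match them and leave `isActive` to the library's mode argument; the second hunk wires the call into main, whose body continues outside the hunk.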
@@ -11,12 +11,18 @@ comp_help: possible completions:
 drop Drop silently (default)
 reject Drop and notify source
-create: /opt/vyatta/sbin/vyatta-zone.pl \
+create:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
 --action=set-default-policy \
 --zone-name="$VAR(../@)" \
- --default-policy="$VAR(@)"
+ --default-policy="$VAR(@)"; then
+ exit 1
+ fi
-update: /opt/vyatta/sbin/vyatta-zone.pl \
+update:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
 --action=set-default-policy \
 --zone-name="$VAR(../@)" \
- --default-policy="$VAR(@)"
+ --default-policy="$VAR(@)"; then
+ exit 1
+ fi
diff --git a/templates/zone-policy/zone/node.tag/from/node.def b/templates/zone-policy/zone/node.tag/from/node.def
index 5e37f9f1..4b664769 100644
--- a/templates/zone-policy/zone/node.tag/from/node.def
+++ b/templates/zone-policy/zone/node.tag/from/node.def
@@ -32,6 +32,10 @@ create:
 echo Undefined from zone [$VAR(@)] under zone $parent_zone
 exit 1
 else
- /opt/vyatta/sbin/vyatta-zone.pl --action=add-zone --zone-name="$parent_zone"
- /opt/vyatta/sbin/vyatta-zone.pl --action=add-zone --zone-name="$VAR(@)"
+ if ! /opt/vyatta/sbin/vyatta-zone.pl --action=add-zone --zone-name="$parent_zone"; then
+ exit 1
+ fi
+ if ! /opt/vyatta/sbin/vyatta-zone.pl --action=add-zone --zone-name="$VAR(@)"; then
+ exit 1
+ fi
 fi
diff --git a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def
index e34cf8c4..b1ca94bc 100644
--- a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def
+++ b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def
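Review bot: In the `from/node.def` hunk, wrapping the two `add-zone` calls in `if ! …; then exit 1; fi` turns a non-zero status that was previously ignored into a commit failure, and for `$parent_zone` this call repeats the `add-zone` that the zone node's own `create:` already runs (see the `zone/node.def` hunk above). Whether `vyatta-zone.pl --action=add-zone` succeeds for a zone that already exists is not visible here; if it reports an error in that case, every `from` node under an existing zone now fails to commit. Worth confirming against the script, and recording the dependency next to the first call, e.g. `# add-zone must succeed for an already-created zone: the parent is normally created by zone/node.def`. The enclosing `create:` block begins outside the hunk.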
@@ -7,66 +7,58 @@ allowed:
 echo -n ${params[@]##*/}
 create:
- params=( `ls /opt/vyatta/config/active/firewall/ipv6-name 2>/dev/null` )
- array_len=${#params[*]}
- i=0
- found=0
- while [ $i -lt $array_len ]; do
- if [ \"${params[$i]}\" == \"$VAR(@)\" ] ; then
-
- found=1
- fi
- let i++
- done
- if [ $found -eq 0 ]; then
- echo Invalid IPv6 firewall ruleset [$VAR(@)]
- exit 1
- fi
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=is-fwruleset-active \
+ --zone-name="$VAR(../../../@)" \
+ --ruleset-type=ipv6-name \
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
- /opt/vyatta/sbin/vyatta-zone.pl \
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
 --action=add-fromzone-fw \
 --zone-name="$VAR(../../../@)" \
 --from-zone="$VAR(../../@)" \
 --ruleset-type=ipv6-name \
- --ruleset-name="$VAR(@)"
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
 update:
- params=( `ls /opt/vyatta/config/active/firewall/ipv6-name 2>/dev/null` )
- array_len=${#params[*]}
- i=0
- found=0
- while [ $i -lt $array_len ]; do
- echo comparing ${params[$i]} with $VAR(@)
- if [ \"${params[$i]}\" == \"$VAR(@)\" ] ; then
- found=1
- fi
- let i++
- done
- if [ $found -eq 0 ]; then
- echo Invalid IPv6 firewall ruleset [$VAR(@)]
- exit 1
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=is-fwruleset-active \
+ --zone-name="$VAR(../../../@)" \
+ --ruleset-type=ipv6-name \
+ --ruleset-name="$VAR(@)"; then
+ exit 1
 fi
 # need to undo previous ruleset here first
- old_ruleset=`cat /opt/vyatta/config/active/zone-policy/zone/$VAR(../../../@)/from/$VAR(../../@)/firewall/ipv6-name/node.val`
- /opt/vyatta/sbin/vyatta-zone.pl \
+ old_ruleset=`cat /opt/vyatta/config/active/zone-policy/zone/$VAR(../../../@)/from/$VAR(../../@)/firewall/ipv6-name/node.val`
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
 --action=delete-fromzone-fw \
 --zone-name="$VAR(../../../@)" \
 --from-zone="$VAR(../../@)" \
 --ruleset-type=ipv6-name \
- --ruleset-name="$old_ruleset"
+ --ruleset-name="$old_ruleset"; then
+ exit 1
+ fi
- /opt/vyatta/sbin/vyatta-zone.pl \
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
 --action=add-fromzone-fw \
 --zone-name="$VAR(../../../@)" \
 --from-zone="$VAR(../../@)" \
- --ruleset-type=ipv6-name \
- --ruleset-name="$VAR(@)"
+ --ruleset-type=ipv6-name \
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
 delete:
- /opt/vyatta/sbin/vyatta-zone.pl \
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
 --action=delete-fromzone-fw \
 --zone-name="$VAR(../../../@)" \
 --from-zone="$VAR(../../@)" \
 --ruleset-type=ipv6-name \
- --ruleset-name="$VAR(@)"
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
diff --git a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def
index 56df6a19..46328f0f 100644
--- a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def
+++ b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def
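Review bot: In `update:`, `old_ruleset` is taken from an unchecked `cat` of the active `node.val`; if that read fails the variable is empty and `delete-fromzone-fw` runs with `--ruleset-name=""`, which now aborts the action with exit 1 or, if the script accepts an empty name, leaves the old ruleset applied. Testing the read itself, `if ! old_ruleset=$(cat /opt/vyatta/config/active/zone-policy/zone/$VAR(../../../@)/from/$VAR(../../@)/firewall/ipv6-name/node.val) || [ -z "$old_ruleset" ]; then exit 1; fi`, makes that failure explicit before anything is changed. The delete-then-add order also deserves a comment: if `add-fromzone-fw` fails after `delete-fromzone-fw` has succeeded, the action exits 1 with the zone pair left without a ruleset, so traffic from `$VAR(../../@)` into `$VAR(../../../@)` is governed only by the zone default action until the commit is retried or rolled back — the script may handle this, but nothing in the hunk shows it, so `# delete-then-add: a failure in add-fromzone-fw below leaves the pair with no ruleset applied` would record the hazard. The `update:` block of the `name/node.def` hunk that follows has the same two points.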
@@ -7,65 +7,59 @@ allowed:
 echo -n ${params[@]##*/}
 create:
- params=( `ls /opt/vyatta/config/active/firewall/name 2>/dev/null` )
- array_len=${#params[*]}
- i=0
- found=0
- while [ $i -lt $array_len ]; do
- if [ \"${params[$i]}\" == \"$VAR(@)\" ] ; then
-
- found=1
- fi
- let i++
- done
- if [ $found -eq 0 ]; then
- echo Invalid IPv4 firewall ruleset [$VAR(@)]
- #exit 1
- fi
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=is-fwruleset-active \
+ --zone-name="$VAR(../../../@)" \
+ --ruleset-type=name \
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
- /opt/vyatta/sbin/vyatta-zone.pl \
+
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
 --action=add-fromzone-fw \
 --zone-name="$VAR(../../../@)" \
 --from-zone="$VAR(../../@)" \
 --ruleset-type=name \
- --ruleset-name="$VAR(@)"
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
 update:
- params=( `ls /opt/vyatta/config/active/firewall/name 2>/dev/null` )
- array_len=${#params[*]}
- i=0
- found=0
- while [ $i -lt $array_len ]; do
- if [ \"${params[$i]}\" == \"$VAR(@)\" ] ; then
- found=1
- fi
- let i++
- done
- if [ $found -eq 0 ]; then
- echo Invalid IPv4 firewall ruleset [$VAR(@)]
- exit 1
- fi
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=is-fwruleset-active \
+ --zone-name="$VAR(../../../@)" \
+ --ruleset-type=name \
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
 # need to undo previous ruleset here first
 old_ruleset=`cat /opt/vyatta/config/active/zone-policy/zone/$VAR(../../../@)/from/$VAR(../../@)/firewall/name/node.val`
- /opt/vyatta/sbin/vyatta-zone.pl \
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
 --action=delete-fromzone-fw \
 --zone-name="$VAR(../../../@)" \
 --from-zone="$VAR(../../@)" \
 --ruleset-type=name \
- --ruleset-name="$old_ruleset"
+ --ruleset-name="$old_ruleset"; then
+ exit 1
+ fi
- /opt/vyatta/sbin/vyatta-zone.pl \
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
 --action=add-fromzone-fw \
 --zone-name="$VAR(../../../@)" \
 --from-zone="$VAR(../../@)" \
 --ruleset-type=name \
- --ruleset-name="$VAR(@)"
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
 delete:
- /opt/vyatta/sbin/vyatta-zone.pl \
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
 --action=delete-fromzone-fw \
 --zone-name="$VAR(../../../@)" \
 --from-zone="$VAR(../../@)" \
 --ruleset-type=name \
- --ruleset-name="$VAR(@)"
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
diff --git a/templates/zone-policy/zone/node.tag/interface/node.def b/templates/zone-policy/zone/node.tag/interface/node.def
index 824d3cda..845a5e8c 100644
--- a/templates/zone-policy/zone/node.tag/interface/node.def
+++ b/templates/zone-policy/zone/node.tag/interface/node.def
@@ -5,12 +5,18 @@ allowed: /opt/vyatta/sbin/vyatta-interfaces.pl --show=all | sed -e s/'lo '//
 create: /opt/vyatta/sbin/vyatta-interfaces.pl --dev=$VAR(@) --warn
-create: /opt/vyatta/sbin/vyatta-zone.pl \
+create:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
 --action=add-zone-interface \
 --zone-name="$VAR(../@)" \
- --interface="$VAR(@)"
+ --interface="$VAR(@)"; then
+ exit 1
+ fi
-delete: /opt/vyatta/sbin/vyatta-zone.pl \
+delete:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
 --action=delete-zone-interface \
 --zone-name="$VAR(../@)" \
- --interface="$VAR(@)"
+ --interface="$VAR(@)"; then
+ exit 1
+ fi
diff --git a/templates/zone-policy/zone/node.tag/local-zone/node.def b/templates/zone-policy/zone/node.tag/local-zone/node.def
index 77a49771..4b045302 100644
--- a/templates/zone-policy/zone/node.tag/local-zone/node.def
+++ b/templates/zone-policy/zone/node.tag/local-zone/node.def
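Review bot: The `interface/node.def` hunk leaves the file with two `create:` fields: the context line `create: /opt/vyatta/sbin/vyatta-interfaces.pl --dev=$VAR(@) --warn` and the new multi-line block that calls `add-zone-interface`. If the template loader keeps only one definition of a field (which one is not visible here), either the interface-existence check or the zone-interface action is silently dropped. Moving the `vyatta-interfaces.pl --dev=$VAR(@) --warn` call to the first line of the new `create:` block keeps both under a single field and makes their order explicit. `delete:` has no matching interface check, which is presumably intended since the interface may already be gone.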
@@ -1,9 +1,15 @@
 help: Set zone to be local-zone
-create: /opt/vyatta/sbin/vyatta-zone.pl \
+create:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
 --action=add-localzone \
- --zone-name="$VAR(../@)"
+ --zone-name="$VAR(../@)"; then
+ exit 1
+ fi
-delete: /opt/vyatta/sbin/vyatta-zone.pl \
+delete:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
 --action=delete-localzone \
- --zone-name="$VAR(../@)"
+ --zone-name="$VAR(../@)"; then
+ exit 1
+ fi
|