diff options
author | Mohit Mehta <mohit.mehta@vyatta.com> | 2010-03-24 15:22:41 -0700 |
---|---|---|
committer | Mohit Mehta <mohit.mehta@vyatta.com> | 2010-03-24 15:22:41 -0700 |
commit | 6f1a6a7e8dd8bd5315a0faa128db9eafced5cff2 (patch) | |
tree | 7d71a4f812badd924207c9a204de2f84000c23f7 /scripts | |
parent | c90ed03225e252fd029c752496f4bf4d850b0194 (diff) | |
download | vyatta-cfg-system-6f1a6a7e8dd8bd5315a0faa128db9eafced5cff2.tar.gz vyatta-cfg-system-6f1a6a7e8dd8bd5315a0faa128db9eafced5cff2.zip |
Fix Bug 5487 http redirect url address placed on the router gets blocked by
local-zone's firewall when using Zone Based Firewall
* changed local zones INPUT and OUTPUT chain rules to allow all local-zone
traffic on the loopback interface rather than using address 127.0.0.1 which
was too restrictive and blocked certain traffic initiated from and going to
local-zone itself. This is compliant with the Zone Concept and similar to
what's done for other transient zones as well where rules are interface based
Diffstat (limited to 'scripts')
-rwxr-xr-x | scripts/zone-mgmt/vyatta-zone.pl | 57 |
1 files changed, 43 insertions, 14 deletions
diff --git a/scripts/zone-mgmt/vyatta-zone.pl b/scripts/zone-mgmt/vyatta-zone.pl index 8760b6a6..b0d7286f 100755 --- a/scripts/zone-mgmt/vyatta-zone.pl +++ b/scripts/zone-mgmt/vyatta-zone.pl @@ -469,25 +469,54 @@ sub add_zone { 'localout'); foreach my $tree (keys %cmd_hash) { - my $loopback_addr = '127.0.0.1'; - my $source_addr = '$8'; - my $dest_addr = '$9'; - # set IPv6 params if using ip6tables - if ($cmd_hash{$tree} =~ '6') { - $loopback_addr = '::1/128'; - $source_addr = '$7'; - $dest_addr = '$8'; - } foreach my $chain (@localchains) { - $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -L $chain -vn " . - "| awk {'print \$3 \" \" $source_addr \" \" $dest_addr'} " . - "| grep 'RETURN $loopback_addr $loopback_addr' | wc -l"; + my $loopback_intf = ''; + if ($chain =~ m/_IN/) { + + # if the chain is INPUT chain + $loopback_intf = '$6'; + + # set IPv6 params if using ip6tables + if ($cmd_hash{$tree} =~ '6') { + $loopback_intf = '$5'; + } + + } else { + + # if the chain is OUTPUT chain + $loopback_intf = '$7'; + + # set IPv6 params if using ip6tables + if ($cmd_hash{$tree} =~ '6') { + $loopback_intf = '$6'; + } + + } + + $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -L $chain 1 -vn " . + "| awk {'print \$3 \" \" $loopback_intf'} ". + "| grep 'RETURN lo\$' | wc -l"; + my $result=`$cmd`; if ($result < 1) { - $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -I $chain " . - "-s $loopback_addr -d $loopback_addr -j RETURN"; + + $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -I $chain "; + + if ($chain =~ m/_IN/) { + + # rule for INPUT chain + $cmd .= "-i lo -j RETURN"; + + } else { + + # rule for OUTPUT chain + $cmd .= "-o lo -j RETURN"; + + } + $error = Vyatta::Zone::run_cmd($cmd); return "Error: adding rule to allow localhost traffic failed [$error]" if $error; + } } } |