author | Mohit Mehta <mohit.mehta@vyatta.com> | 2009-04-07 18:27:37 -0700 |
---|---|---|
committer | Mohit Mehta <mohit.mehta@vyatta.com> | 2009-04-07 18:27:37 -0700 |
commit | d2e2b6bbec89e741b5e6c3e5c3129534170a2146 (patch) | |
tree | dda92c758a92230cbf9c39d73ebe11dab2591d62 /templates/zone-policy/zone | |
parent | 2dce0356cad163f17ca6c30b6f84727f2262e8e6 (diff) | |
Add 1st pass of zone based firewall support (transit zones only for now)
Diffstat (limited to 'templates/zone-policy/zone')
8 files changed, 216 insertions, 0 deletions
diff --git a/templates/zone-policy/zone/node.def b/templates/zone-policy/zone/node.def
new file mode 100644
index 00000000..5fd8dc6e
--- /dev/null
+++ b/templates/zone-policy/zone/node.def
@@ -0,0 +1,21 @@
+tag:
+type: txt
+help: Set zone name
+
+syntax:expression: exec " \
+ if [ `echo -n '$VAR(@)' | wc -c` -gt 24 ]; then \
+ echo Zone name must be 24 characters or less; \
+ exit 1 ; \
+ fi ; "
+
+syntax:expression: pattern $VAR(@) "^[^-]" ; "Zone name cannot start with \"-\""
+
+syntax:expression: pattern $VAR(@) "^[^;]*$" ; "Zone name cannot contain ';'"
+
+create: /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=add-zone \
+ --zone-name="$VAR(@)"
+
+delete: /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=delete-zone \
+ --zone-name="$VAR(@)"
diff --git a/templates/zone-policy/zone/node.tag/description/node.def b/templates/zone-policy/zone/node.tag/description/node.def
new file mode 100644
index 00000000..eab0fc80
--- /dev/null
+++ b/templates/zone-policy/zone/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set zone description
diff --git a/templates/zone-policy/zone/node.tag/from/node.def b/templates/zone-policy/zone/node.tag/from/node.def
new file mode 100644
index 00000000..5273519a
--- /dev/null
+++ b/templates/zone-policy/zone/node.tag/from/node.def
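Review bot: The `exec` syntax check substitutes `$VAR(@)` textually inside the single-quoted `echo -n '$VAR(@)'` before the `^[^;]*$` check has rejected anything, so a zone name containing `'`, a backquote or `$(` alters that shell command instead of failing validation; the two pattern checks only exclude a leading `-` and `;`. A positive whitelist placed as the first `syntax:expression:` closes this and makes both negative patterns redundant: `syntax:expression: pattern $VAR(@) "^[a-zA-Z0-9_][a-zA-Z0-9_-]*$" ; "Zone name may only contain letters, digits, '_' and '-'"`. Whether the checks are evaluated in the order listed is not visible here; even if they are not, the whitelist is still needed because the same value is interpolated into `--zone-name="$VAR(@)"` and into the shell blocks of the sibling templates. The 24-character length check can stay as a separate test.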
@@ -0,0 +1,32 @@
+tag:
+type: txt
+help: Set zone from which to filter traffic
+
+allowed:
+ local -a zones ;
+ zones=( /opt/vyatta/config/active/zone-policy/zone/* )
+ echo -n ${zones[@]##*/}
+
+create:
+ parent_zone=$VAR(../@)
+ zones=($VAR(../@@))
+ num_zones=${#zones[*]}
+ i=0
+ found=0
+ while [ $i -lt $num_zones ]; do
+ if [ "${zones[$i]}" == "$VAR(@)" ] ; then
+ if [ "$parent_zone" == "$VAR(@)" ]; then
+ echo from zone same as zone [$parent_zone] itself
+ exit 1
+ fi
+ found=1
+ fi
+ let i++
+ done
+ if [ $found -eq 0 ]; then
+ echo Undefined from zone [$VAR(@)] under zone $parent_zone
+ exit 1
+ else
+ /opt/vyatta/sbin/vyatta-zone.pl --action=add-zone --zone-name="$parent_zone"
+ /opt/vyatta/sbin/vyatta-zone.pl --action=add-zone --zone-name="$VAR(@)"
+ fi
diff --git a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def
new file mode 100644
index 00000000..1283f55c
--- /dev/null
+++ b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def
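Review bot: The `from` tag has no `syntax:expression:` at all, so the only validation of its value happens inside the `create:` script after `$VAR(@)` has been substituted into `"$VAR(@)"` and into the unquoted `echo Undefined from zone [$VAR(@)] under zone $parent_zone`; a value containing `"`, whitespace or glob characters changes the script rather than failing the membership loop. Add a pattern check ahead of `create:` that mirrors the zone-name rules, e.g. `syntax:expression: pattern $VAR(@) "^[a-zA-Z0-9_][a-zA-Z0-9_-]*$" ; "Invalid from zone name"`, and double-quote the bracketed arguments of the two `echo` lines. The `zones=($VAR(../@@))` expansion is likewise unquoted, which is acceptable once sibling names are restricted to that character class. The `else` branch calls `add-zone` for both the parent and the from zone on every create, which presumably relies on `vyatta-zone.pl` treating a repeated add as a no-op — worth confirming.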
@@ -0,0 +1,72 @@
+type: txt
+help: Set IPv6 firewall ruleset
+
+allowed:
+ local -a params ;
+ params=( /opt/vyatta/config/active/firewall/ipv6-name/* )
+ echo -n ${params[@]##*/}
+
+create:
+ params=( `ls /opt/vyatta/config/active/firewall/ipv6-name` )
+ array_len=${#params[*]}
+ i=0
+ found=0
+ while [ $i -lt $array_len ]; do
+ if [ \"${params[$i]}\" == \"$VAR(@)\" ] ; then
+
+ found=1
+ fi
+ let i++
+ done
+ if [ $found -eq 0 ]; then
+ echo Invalid IPv6 firewall ruleset [$VAR(@)]
+ exit 1
+ fi
+
+ /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=add-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=ipv6-name \
+ --ruleset-name="$VAR(@)"
+
+update:
+ params=( `ls /opt/vyatta/config/active/firewall/ipv6-name` )
+ array_len=${#params[*]}
+ i=0
+ found=0
+ while [ $i -lt $array_len ]; do
+ echo comparing ${params[$i]} with $VAR(@)
+ if [ \"${params[$i]}\" == \"$VAR(@)\" ] ; then
+ found=1
+ fi
+ let i++
+ done
+ if [ $found -eq 0 ]; then
+ echo Invalid IPv6 firewall ruleset [$VAR(@)]
+ exit 1
+ fi
+
+ # need to undo previous ruleset here first
+ old_ruleset=`cat /opt/vyatta/config/active/zone-policy/zone/$VAR(../../../@)/from/$VAR(../../@)/firewall/ipv6-name/node.val`
+ /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=delete-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=ipv6-name \
+ --ruleset-name="$old_ruleset"
+
+ /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=add-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=ipv6-name \
+ --ruleset-name="$VAR(@)"
+
+delete:
+ /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=delete-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=ipv6-name \
+ --ruleset-name="$VAR(@)"
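Review bot: The `update:` block still carries the debugging line `echo comparing ${params[$i]} with $VAR(@)`, which prints once per ruleset on every commit and is absent from the otherwise identical IPv4 template in `firewall/name/node.def`; it should be removed. In both this file and `firewall/name/node.def`, `create:` and `update:` build the candidate list from `` `ls ...` `` and compare with `\"${params[$i]}\"`, an unquoted backslash-escaped form, while `allowed:` uses a glob and `from/node.def` uses plain double quotes — `params=( /opt/vyatta/config/active/firewall/ipv6-name/* )` together with `[ "${params[$i]##*/}" == "$VAR(@)" ]` would be consistent and would not word-split. Both lookups read only the active configuration, so a ruleset defined in the same commit may be rejected depending on commit ordering, which is not visible here. In `update:`, the exit status of the `delete-fromzone-fw` call for `$old_ruleset` is not checked, so a failed removal still lets the block finish with the status of the subsequent add.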
diff --git a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def
new file mode 100644
index 00000000..8fc557c5
--- /dev/null
+++ b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def
@@ -0,0 +1,71 @@
+type: txt
+help: Set IPv4 firewall ruleset
+
+allowed:
+ local -a params ;
+ params=( /opt/vyatta/config/active/firewall/name/* )
+ echo -n ${params[@]##*/}
+
+create:
+ params=( `ls /opt/vyatta/config/active/firewall/name` )
+ array_len=${#params[*]}
+ i=0
+ found=0
+ while [ $i -lt $array_len ]; do
+ if [ \"${params[$i]}\" == \"$VAR(@)\" ] ; then
+
+ found=1
+ fi
+ let i++
+ done
+ if [ $found -eq 0 ]; then
+ echo Invalid IPv4 firewall ruleset [$VAR(@)]
+ exit 1
+ fi
+
+ /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=add-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=name \
+ --ruleset-name="$VAR(@)"
+
+update:
+ params=( `ls /opt/vyatta/config/active/firewall/name` )
+ array_len=${#params[*]}
+ i=0
+ found=0
+ while [ $i -lt $array_len ]; do
+ if [ \"${params[$i]}\" == \"$VAR(@)\" ] ; then
+ found=1
+ fi
+ let i++
+ done
+ if [ $found -eq 0 ]; then
+ echo Invalid IPv4 firewall ruleset [$VAR(@)]
+ exit 1
+ fi
+
+ # need to undo previous ruleset here first
+ old_ruleset=`cat /opt/vyatta/config/active/zone-policy/zone/$VAR(../../../@)/from/$VAR(../../@)/firewall/name/node.val`
+ /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=delete-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=name \
+ --ruleset-name="$old_ruleset"
+
+ /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=add-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=name \
+ --ruleset-name="$VAR(@)"
+
+delete:
+ /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=delete-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=name \
+ --ruleset-name="$VAR(@)"
diff --git a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/node.def b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/node.def
new file mode 100644
index 00000000..11748d20
--- /dev/null
+++ b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/node.def
@@ -0,0 +1 @@
+help: Set firewall options
diff --git a/templates/zone-policy/zone/node.tag/interface/node.def b/templates/zone-policy/zone/node.tag/interface/node.def
new file mode 100644
index 00000000..ca482eca
--- /dev/null
+++ b/templates/zone-policy/zone/node.tag/interface/node.def
@@ -0,0 +1,16 @@
+multi:
+type: txt
+help: Set interface associated with zone
+allowed: /opt/vyatta/sbin/vyatta-interfaces.pl --show=all
+
+create: /opt/vyatta/sbin/vyatta-interfaces.pl --dev=$VAR(@) --warn
+
+create: /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=add-zone-interface \
+ --zone-name="$VAR(../@)" \
+ --interface="$VAR(@)"
+
+delete: /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=delete-zone-interface \
+ --zone-name="$VAR(../@)" \
+ --interface="$VAR(@)"
diff --git a/templates/zone-policy/zone/node.tag/local-zone/node.def b/templates/zone-policy/zone/node.tag/local-zone/node.def
new file mode 100644
index 00000000..b82ee438
--- /dev/null
+++ b/templates/zone-policy/zone/node.tag/local-zone/node.def
@@ -0,0 +1 @@
+help: Set zone to be local-zone |
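Review bot: The interface template declares `create:` twice, once for `vyatta-interfaces.pl --dev=$VAR(@) --warn` and once for `vyatta-zone.pl --action=add-zone-interface`; if the template parser honours only one `create:` directive, the interface check is dropped silently, so the two commands belong in a single `create:` block. Within that block `--dev=$VAR(@)` is unquoted while `--interface="$VAR(@)"` is quoted; write `--dev="$VAR(@)"` for consistency. There is no `syntax:expression:` restricting the interface name, and the `--warn` flag suggests that check only warns rather than fails — confirm that a name not listed by `allowed:` is actually rejected before it reaches `vyatta-zone.pl`.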