authorMohit Mehta <mohit.mehta@vyatta.com>2009-04-07 18:27:37 -0700
committerMohit Mehta <mohit.mehta@vyatta.com>2009-04-07 18:27:37 -0700
commitd2e2b6bbec89e741b5e6c3e5c3129534170a2146 (patch)
treedda92c758a92230cbf9c39d73ebe11dab2591d62 /templates
parent2dce0356cad163f17ca6c30b6f84727f2262e8e6 (diff)
downloadvyatta-cfg-system-d2e2b6bbec89e741b5e6c3e5c3129534170a2146.tar.gz
vyatta-cfg-system-d2e2b6bbec89e741b5e6c3e5c3129534170a2146.zip
Add first pass of zone-based firewall support (transit zones only for now)
Diffstat (limited to 'templates')
-rw-r--r--templates/zone-policy/node.def5
-rw-r--r--templates/zone-policy/zone/node.def21
-rw-r--r--templates/zone-policy/zone/node.tag/description/node.def2
-rw-r--r--templates/zone-policy/zone/node.tag/from/node.def32
-rw-r--r--templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def72
-rw-r--r--templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def71
-rw-r--r--templates/zone-policy/zone/node.tag/from/node.tag/firewall/node.def1
-rw-r--r--templates/zone-policy/zone/node.tag/interface/node.def16
-rw-r--r--templates/zone-policy/zone/node.tag/local-zone/node.def1
9 files changed, 221 insertions, 0 deletions
diff --git a/templates/zone-policy/node.def b/templates/zone-policy/node.def
new file mode 100644
index 00000000..2633101e
--- /dev/null
+++ b/templates/zone-policy/node.def
@@ -0,0 +1,5 @@
+help: Configure zone-policy
+begin:
+if ! /opt/vyatta/sbin/vyatta-zone.pl --action=validity-checks --zone-name=none; then
+ exit 1
+fi
diff --git a/templates/zone-policy/zone/node.def b/templates/zone-policy/zone/node.def
new file mode 100644
index 00000000..5fd8dc6e
--- /dev/null
+++ b/templates/zone-policy/zone/node.def
@@ -0,0 +1,21 @@
+tag:
+type: txt
+help: Set zone name
+
+syntax:expression: exec " \
+ if [ `echo -n '$VAR(@)' | wc -c` -gt 24 ]; then \
+ echo Zone name must be 24 characters or less; \
+ exit 1 ; \
+ fi ; "
+
+syntax:expression: pattern $VAR(@) "^[^-]" ; "Zone name cannot start with \"-\""
+
+syntax:expression: pattern $VAR(@) "^[^;]*$" ; "Zone name cannot contain ';'"
+
+create: /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=add-zone \
+ --zone-name="$VAR(@)"
+
+delete: /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=delete-zone \
+ --zone-name="$VAR(@)"
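Review bot: The length check on line 48 interpolates the zone name inside single quotes (`echo -n '$VAR(@)'`) in an `exec` string, so a value containing a single quote breaks the quoting of that shell fragment, and the two `pattern` rules on lines 53 and 55 only reject a leading `-` and a `;`. The name is later used as a path component (from/node.def globs `/opt/vyatta/config/active/zone-policy/zone/*`) and as an argument to vyatta-zone.pl, so an allow-list is the safer shape: `syntax:expression: pattern $VAR(@) "^[A-Za-z0-9_-]+$" ; "Zone name may only contain letters, digits, '_' and '-'"`. Whether the config backend already sanitizes tag values before these expressions run is not visible in this hunk; if it does, the allow-list is still the clearer statement of intent.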
diff --git a/templates/zone-policy/zone/node.tag/description/node.def b/templates/zone-policy/zone/node.tag/description/node.def
new file mode 100644
index 00000000..eab0fc80
--- /dev/null
+++ b/templates/zone-policy/zone/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set zone description
diff --git a/templates/zone-policy/zone/node.tag/from/node.def b/templates/zone-policy/zone/node.tag/from/node.def
new file mode 100644
index 00000000..5273519a
--- /dev/null
+++ b/templates/zone-policy/zone/node.tag/from/node.def
@@ -0,0 +1,32 @@
+tag:
+type: txt
+help: Set zone from which to filter traffic
+
+allowed:
+ local -a zones ;
+ zones=( /opt/vyatta/config/active/zone-policy/zone/* )
+ echo -n ${zones[@]##*/}
+
+create:
+ parent_zone=$VAR(../@)
+ zones=($VAR(../@@))
+ num_zones=${#zones[*]}
+ i=0
+ found=0
+ while [ $i -lt $num_zones ]; do
+ if [ "${zones[$i]}" == "$VAR(@)" ] ; then
+ if [ "$parent_zone" == "$VAR(@)" ]; then
+ echo from zone same as zone [$parent_zone] itself
+ exit 1
+ fi
+ found=1
+ fi
+ let i++
+ done
+ if [ $found -eq 0 ]; then
+ echo Undefined from zone [$VAR(@)] under zone $parent_zone
+ exit 1
+ else
+ /opt/vyatta/sbin/vyatta-zone.pl --action=add-zone --zone-name="$parent_zone"
+ /opt/vyatta/sbin/vyatta-zone.pl --action=add-zone --zone-name="$VAR(@)"
+ fi
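Review bot: The `create:` loop on lines 93-102 walks the array by index with `let i++`, where `for z in "${zones[@]}"; do [ "$z" = "$VAR(@)" ] && found=1; done` expresses the same membership test with less state, and the self-reference check can be done once before the loop by comparing `$VAR(../@)` with `$VAR(@)` directly. Lines 107-108 re-run `--action=add-zone` for both zones even though zone/node.def already runs it when the zone node is created; if that action is not idempotent this double-creates, which cannot be confirmed from the template. The `allowed:` glob on line 84 expands to the literal pattern when no zone directory exists yet, so the completion list would show `*`; a `[ -e "$z" ] || continue` guard or `shopt -s nullglob` avoids that.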
diff --git a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def
new file mode 100644
index 00000000..1283f55c
--- /dev/null
+++ b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def
@@ -0,0 +1,72 @@
+type: txt
+help: Set IPv6 firewall ruleset
+
+allowed:
+ local -a params ;
+ params=( /opt/vyatta/config/active/firewall/ipv6-name/* )
+ echo -n ${params[@]##*/}
+
+create:
+ params=( `ls /opt/vyatta/config/active/firewall/ipv6-name` )
+ array_len=${#params[*]}
+ i=0
+ found=0
+ while [ $i -lt $array_len ]; do
+ if [ \"${params[$i]}\" == \"$VAR(@)\" ] ; then
+
+ found=1
+ fi
+ let i++
+ done
+ if [ $found -eq 0 ]; then
+ echo Invalid IPv6 firewall ruleset [$VAR(@)]
+ exit 1
+ fi
+
+ /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=add-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=ipv6-name \
+ --ruleset-name="$VAR(@)"
+
+update:
+ params=( `ls /opt/vyatta/config/active/firewall/ipv6-name` )
+ array_len=${#params[*]}
+ i=0
+ found=0
+ while [ $i -lt $array_len ]; do
+ echo comparing ${params[$i]} with $VAR(@)
+ if [ \"${params[$i]}\" == \"$VAR(@)\" ] ; then
+ found=1
+ fi
+ let i++
+ done
+ if [ $found -eq 0 ]; then
+ echo Invalid IPv6 firewall ruleset [$VAR(@)]
+ exit 1
+ fi
+
+ # need to undo previous ruleset here first
+ old_ruleset=`cat /opt/vyatta/config/active/zone-policy/zone/$VAR(../../../@)/from/$VAR(../../@)/firewall/ipv6-name/node.val`
+ /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=delete-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=ipv6-name \
+ --ruleset-name="$old_ruleset"
+
+ /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=add-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=ipv6-name \
+ --ruleset-name="$VAR(@)"
+
+delete:
+ /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=delete-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=ipv6-name \
+ --ruleset-name="$VAR(@)"
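Review bot: Line 154 leaves a debugging `echo comparing ${params[$i]} with $VAR(@)` in the `update:` block, which prints once per existing ruleset on every update and is absent from the otherwise identical IPv4 template (firewall/name/node.def); drop it. Both templates build `params` by parsing `ls` (lines 125 and 149 here, 203 and 227 in the IPv4 file) and compare with backslash-escaped quotes, so the `"` characters become part of both strings while the expansions stay unquoted; the `allowed:` block already has the safe form, which the check can reuse as `for p in /opt/vyatta/config/active/firewall/ipv6-name/*; do [ "${p##*/}" = "$VAR(@)" ] && found=1; done`. The lookup is against the active tree, so a ruleset defined in the same commit may not be visible here; whether the commit order guarantees firewall before zone-policy is not visible in this hunk. `old_ruleset` on line 166 is read with unquoted backticks and an unquoted path; `old_ruleset=$(cat "/opt/vyatta/config/active/zone-policy/zone/$VAR(../../../@)/from/$VAR(../../@)/firewall/ipv6-name/node.val")` keeps the value intact.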
diff --git a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def
new file mode 100644
index 00000000..8fc557c5
--- /dev/null
+++ b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def
@@ -0,0 +1,71 @@
+type: txt
+help: Set IPv4 firewall ruleset
+
+allowed:
+ local -a params ;
+ params=( /opt/vyatta/config/active/firewall/name/* )
+ echo -n ${params[@]##*/}
+
+create:
+ params=( `ls /opt/vyatta/config/active/firewall/name` )
+ array_len=${#params[*]}
+ i=0
+ found=0
+ while [ $i -lt $array_len ]; do
+ if [ \"${params[$i]}\" == \"$VAR(@)\" ] ; then
+
+ found=1
+ fi
+ let i++
+ done
+ if [ $found -eq 0 ]; then
+ echo Invalid IPv4 firewall ruleset [$VAR(@)]
+ exit 1
+ fi
+
+ /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=add-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=name \
+ --ruleset-name="$VAR(@)"
+
+update:
+ params=( `ls /opt/vyatta/config/active/firewall/name` )
+ array_len=${#params[*]}
+ i=0
+ found=0
+ while [ $i -lt $array_len ]; do
+ if [ \"${params[$i]}\" == \"$VAR(@)\" ] ; then
+ found=1
+ fi
+ let i++
+ done
+ if [ $found -eq 0 ]; then
+ echo Invalid IPv4 firewall ruleset [$VAR(@)]
+ exit 1
+ fi
+
+ # need to undo previous ruleset here first
+ old_ruleset=`cat /opt/vyatta/config/active/zone-policy/zone/$VAR(../../../@)/from/$VAR(../../@)/firewall/name/node.val`
+ /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=delete-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=name \
+ --ruleset-name="$old_ruleset"
+
+ /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=add-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=name \
+ --ruleset-name="$VAR(@)"
+
+delete:
+ /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=delete-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=name \
+ --ruleset-name="$VAR(@)"
diff --git a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/node.def b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/node.def
new file mode 100644
index 00000000..11748d20
--- /dev/null
+++ b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/node.def
@@ -0,0 +1 @@
+help: Set firewall options
diff --git a/templates/zone-policy/zone/node.tag/interface/node.def b/templates/zone-policy/zone/node.tag/interface/node.def
new file mode 100644
index 00000000..ca482eca
--- /dev/null
+++ b/templates/zone-policy/zone/node.tag/interface/node.def
@@ -0,0 +1,16 @@
+multi:
+type: txt
+help: Set interface associated with zone
+allowed: /opt/vyatta/sbin/vyatta-interfaces.pl --show=all
+
+create: /opt/vyatta/sbin/vyatta-interfaces.pl --dev=$VAR(@) --warn
+
+create: /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=add-zone-interface \
+ --zone-name="$VAR(../@)" \
+ --interface="$VAR(@)"
+
+delete: /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=delete-zone-interface \
+ --zone-name="$VAR(../@)" \
+ --interface="$VAR(@)"
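Review bot: Lines 283 and 285 both declare a `create:` action for the same node; unless the template parser concatenates repeated keys, one of the two is silently ignored, so either confirm that behaviour against the cfg parser or merge them into a single `create:` block that runs the `vyatta-interfaces.pl --warn` check first and then the `vyatta-zone.pl --action=add-zone-interface` call. Line 283 also passes `--dev=$VAR(@)` unquoted while the other calls in this file quote `"$VAR(@)"`; `--dev="$VAR(@)"` keeps the style consistent.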
diff --git a/templates/zone-policy/zone/node.tag/local-zone/node.def b/templates/zone-policy/zone/node.tag/local-zone/node.def
new file mode 100644
index 00000000..b82ee438
--- /dev/null
+++ b/templates/zone-policy/zone/node.tag/local-zone/node.def
@@ -0,0 +1 @@
+help: Set zone to be local-zone