From 1fc94205234401e347613b9996d71698f98f1dd1 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Fri, 24 Apr 2009 13:01:24 -0700 Subject: 0.15.29 --- debian/changelog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/debian/changelog b/debian/changelog index 18bafeae..c0cfc100 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +vyatta-cfg-system (0.15.29) unstable; urgency=low + + * Add support for virtual-ethernet + * New tacacs+ configuration templates + + -- Stephen Hemminger Fri, 24 Apr 2009 13:01:24 -0700 + vyatta-cfg-system (0.15.28) unstable; urgency=low [ Justin Fletcher ] -- cgit v1.2.3 From ec65a5a95718314f1b0da036f0395c14b60d172a Mon Sep 17 00:00:00 2001 From: Mohit Mehta Date: Fri, 24 Apr 2009 18:18:40 -0700 Subject: * add jump to local-zone-out chain in OUTPUT chain for both [ip and ip6] tables when traffic from local-zone filtered with firewall to a transit zone * fix case where `ls` spits out error when a firewall type is not set --- scripts/zone-mgmt/vyatta-zone.pl | 80 +++++++++++++--------- .../from/node.tag/firewall/ipv6-name/node.def | 4 +- .../node.tag/from/node.tag/firewall/name/node.def | 4 +- 3 files changed, 53 insertions(+), 35 deletions(-) diff --git a/scripts/zone-mgmt/vyatta-zone.pl b/scripts/zone-mgmt/vyatta-zone.pl index f826244b..b4fc7ad3 100755 --- a/scripts/zone-mgmt/vyatta-zone.pl +++ b/scripts/zone-mgmt/vyatta-zone.pl 
@@ -188,23 +188,6 @@ sub add_fromlocalzone_ruleset { $ruleset_type, $ruleset, '-o', $zone_chain); return ($error, ) if $error; - # if jump to localzoneout chain not inserted, then insert rule - my $rule_cnt = Vyatta::Zone::count_iptables_rules($cmd_hash{$ruleset_type}, - $table_hash{$ruleset_type}, "OUTPUT"); - my $insert_at_rule_num=1; - if ( $rule_cnt > 1 ) { - $insert_at_rule_num=$rule_cnt; - } - my $result = Vyatta::Zone::rule_exists ($cmd_hash{$ruleset_type}, - $table_hash{$ruleset_type}, "OUTPUT", $zone_chain); - if ($result < 1) { - my $cmd = "sudo $cmd_hash{$ruleset_type} -t $table_hash{$ruleset_type} " . - "-I OUTPUT $insert_at_rule_num -j $zone_chain"; - $error = Vyatta::Zone::run_cmd($cmd); - return "Error: call to add jump rule for local zone out -$zone_chain chain failed [$error]" if $error; - } - return; } @@ -260,16 +243,6 @@ sub delete_fromlocalzone_ruleset { $ruleset_type, $ruleset, '-o', $zone_chain); return ($error, ) if $error; - # if only drop rule in $zone_chain, then delete jump from OUTPUT chain - my $rule_cnt = Vyatta::Zone::count_iptables_rules($cmd_hash{$ruleset_type}, - $table_hash{$ruleset_type}, $zone_chain); - if ($rule_cnt < 2) { - $cmd = "sudo $cmd_hash{$ruleset_type} -t $table_hash{$ruleset_type} " . - "-D OUTPUT -j $zone_chain"; - $error = Vyatta::Zone::run_cmd($cmd); - return "Error: call to delete jump rule for local zone out -$zone_chain chain failed [$error]" if $error; - } return; } @@ -547,7 +520,7 @@ sub delete_zone_interface { sub add_fromzone_fw { my ($zone, $from_zone, $ruleset_type, $ruleset_name) = @_; - my $error; + my ($cmd, $error); # for all interfaces in from zone apply ruleset to filter traffic # from this zone to specified zone (i.e. $zone) 
@@ -570,14 +543,37 @@ sub add_fromzone_fw { return "Error: $error" if $error; } } - } + + my $zone_chain=Vyatta::Zone::get_zone_chain("exists", + $from_zone, 'localout'); + # add jump to local-zone-out chain in OUTPUT chains for [ip and ip6]tables + foreach my $tree (keys %cmd_hash) { + # if jump to localzoneout chain not inserted, then insert rule + my $rule_cnt = Vyatta::Zone::count_iptables_rules($cmd_hash{$tree}, + $table_hash{$tree}, "OUTPUT"); + my $insert_at_rule_num=1; + if ( $rule_cnt > 1 ) { + $insert_at_rule_num=$rule_cnt; + } + my $result = Vyatta::Zone::rule_exists ($cmd_hash{$tree}, + $table_hash{$tree}, "OUTPUT", $zone_chain); + if ($result < 1) { + my $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " . + "-I OUTPUT $insert_at_rule_num -j $zone_chain"; + $error = Vyatta::Zone::run_cmd($cmd); + return "Error: call to add jump rule for local zone out +$zone_chain chain failed [$error]" if $error; + } + } + + } # end of else return; } sub delete_fromzone_fw { my ($zone, $from_zone, $ruleset_type, $ruleset_name) = @_; - my $error; + my ($cmd, $error); # for all interfaces in from zone remove ruleset to filter traffic # from this zone to specified zone (i.e. $zone) 
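Review bot: `$cmd` is added to the declaration at the top of add_fromzone_fw in the preceding hunk, yet the loop body here declares its own `my $cmd`, so the outer one is never used; either drop it from `my ($cmd, $error);` or assign to it the way delete_fromzone_fw does. `$insert_at_rule_num = $rule_cnt` places the jump before the last OUTPUT rule rather than at the end and nothing says why; a one-liner such as `# keep the chain's final rule last: insert just before it` (confirm that is the intent) would spare the next reader a trip to the removed per-ruleset version. The command is still assembled as one shell string (`"sudo $cmd_hash{$tree} -t $table_hash{$tree} -I OUTPUT $insert_at_rule_num -j $zone_chain"`) with `$zone_chain` derived from the configured zone name; if Vyatta::Zone::run_cmd hands it to a shell, a list-form call or an anchored check on the zone name before this point keeps unexpected characters out of the command, hedged because neither run_cmd nor the template validation is in the diff. The enclosing `else` block and the function begin outside the hunk.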
@@ -600,7 +596,29 @@ sub delete_fromzone_fw { return "Error: $error" if $error; } } - } + + my $zone_chain=Vyatta::Zone::get_zone_chain("existsOrig", + $from_zone, 'localout'); + # if only drop rule in $zone_chain in both [ip and ip6]tables + # then delete jump from OUTPUT chain in both + foreach my $tree (keys %cmd_hash) { + my $rule_cnt = Vyatta::Zone::count_iptables_rules($cmd_hash{$tree}, + $table_hash{$tree}, $zone_chain); + if ($rule_cnt > 1) { + # atleast one of [ip or ip6]tables has local-zone as a from zone + return; + } + } + + foreach my $tree (keys %cmd_hash) { + $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " . + "-D OUTPUT -j $zone_chain"; + $error = Vyatta::Zone::run_cmd($cmd); + return "Error: call to delete jump rule for local zone out +$zone_chain chain failed [$error]" if $error; + } + + } # end of else return; } diff --git a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def index 1283f55c..e34cf8c4 100644 --- a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def +++ b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def @@ -7,7 +7,7 @@ allowed: echo -n ${params[@]##*/} create: - params=( `ls /opt/vyatta/config/active/firewall/ipv6-name` ) + params=( `ls /opt/vyatta/config/active/firewall/ipv6-name 2>/dev/null` ) array_len=${#params[*]} i=0 found=0 @@ -31,7 +31,7 @@ create: --ruleset-name="$VAR(@)" update: - params=( `ls /opt/vyatta/config/active/firewall/ipv6-name` ) + params=( `ls /opt/vyatta/config/active/firewall/ipv6-name 2>/dev/null` ) array_len=${#params[*]} i=0 found=0 diff --git a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def index 8fc557c5..20dd913e 100644 --- a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def 
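Review bot: The second loop runs `-D OUTPUT -j $zone_chain` in every table unconditionally, while the add side only inserts after `rule_exists` reports the jump absent; if the jump was never installed in one table (or an earlier error path removed it), run_cmd presumably reports the missing rule and this returns an error that aborts the commit. Guarding it the same way keeps delete idempotent: `next if Vyatta::Zone::rule_exists($cmd_hash{$tree}, $table_hash{$tree}, "OUTPUT", $zone_chain) < 1;` before building `$cmd`. The first loop's early `return;` is silent by design, which deserves more than `# atleast one ...`, e.g. `# $zone_chain is still referenced from $tree; leave the OUTPUT jump in place`. The enclosing `else` block begins outside the hunk.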
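Review bot: `2>/dev/null` on the `ls` hides every failure, not only the missing directory the commit works around (a permission problem or a wrong path now yields an empty `params` silently); the same applies to the `update:` hunk below and to both hunks of `firewall/name/node.def`. Testing for the directory keeps the intent visible: `[ -d /opt/vyatta/config/active/firewall/ipv6-name ] && params=( $(ls /opt/vyatta/config/active/firewall/ipv6-name) )`. The unquoted command substitution also word-splits on whitespace in rule-set names, which is pre-existing and presumably excluded by the name's own validation.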
+++ b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def @@ -7,7 +7,7 @@ allowed: echo -n ${params[@]##*/} create: - params=( `ls /opt/vyatta/config/active/firewall/name` ) + params=( `ls /opt/vyatta/config/active/firewall/name 2>/dev/null` ) array_len=${#params[*]} i=0 found=0 @@ -31,7 +31,7 @@ create: --ruleset-name="$VAR(@)" update: - params=( `ls /opt/vyatta/config/active/firewall/name` ) + params=( `ls /opt/vyatta/config/active/firewall/name 2>/dev/null` ) array_len=${#params[*]} i=0 found=0 -- cgit v1.2.3 From 3b197aad9c49e569addf98147a0ed0c04bc8fbae Mon Sep 17 00:00:00 2001 From: Mohit Mehta Date: Fri, 24 Apr 2009 18:31:58 -0700 Subject: 0.15.30 --- debian/changelog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/debian/changelog b/debian/changelog index c0cfc100..82c12f32 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +vyatta-cfg-system (0.15.30) unstable; urgency=low + + * * add jump to local-zone-out chain in OUTPUT chain for both [ip and + ip6] tables + + -- Mohit Mehta Fri, 24 Apr 2009 18:31:57 -0700 + vyatta-cfg-system (0.15.29) unstable; urgency=low * Add support for virtual-ethernet -- cgit v1.2.3 From f8e69a9cd0110168e270a1b95813ce0b4adfe283 Mon Sep 17 00:00:00 2001 From: Stig Thormodsrud Date: Sun, 26 Apr 2009 18:51:04 -0700 Subject: Add configurable login banners. --- Makefile.am | 1 + debian/vyatta-cfg-system.postinst.in | 3 + scripts/vyatta-banner.pl | 130 ++++++++++++++++++++++ templates/system/login/banner/node.def | 1 + templates/system/login/banner/post-login/node.def | 12 ++ templates/system/login/banner/pre-login/node.def | 13 +++ 6 files changed, 160 insertions(+) create mode 100644 scripts/vyatta-banner.pl create mode 100644 templates/system/login/banner/node.def create mode 100644 templates/system/login/banner/post-login/node.def create mode 100644 templates/system/login/banner/pre-login/node.def diff --git a/Makefile.am b/Makefile.am index 4cbed0c2..4107298d 100644 --- a/Makefile.am 
+++ b/Makefile.am @@ -41,6 +41,7 @@ sbin_SCRIPTS += scripts/vyatta-bonding.pl sbin_SCRIPTS += scripts/vyatta-raid-event sbin_SCRIPTS += scripts/vyatta-update-arp-params sbin_SCRIPTS += scripts/zone-mgmt/vyatta-zone.pl +sbin_SCRIPTS += scripts/vyatta-banner.pl noinst_DATA = test_bootfile diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 59b43d13..b49576d9 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -32,6 +32,9 @@ if [ "$sysconfdir" != "/etc" ]; then touch /etc/sudoers cp -p /etc/sudoers /etc/sudoers.bak + # enable ssh banner + sed -i 's/^#Banner/Banner/' /etc/ssh/sshd_config + # for "admin" level sed -i 's/^# %sudo ALL=NOPASSWD: ALL/%sudo ALL=NOPASSWD: ALL/' /etc/sudoers if ! grep -q '^%sudo ALL=NOPASSWD: ALL' /etc/sudoers; then diff --git a/scripts/vyatta-banner.pl b/scripts/vyatta-banner.pl new file mode 100644 index 00000000..5daeb482 --- /dev/null +++ b/scripts/vyatta-banner.pl 
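Review bot: `sed -i 's/^#Banner/Banner/' /etc/ssh/sshd_config` only uncomments whatever value the stock file carries; if that line is `#Banner none` (the OpenSSH sample default) the result is `Banner none` and the text vyatta-banner.pl writes to /etc/issue.net is never shown, and a file with no `#Banner` line is left untouched. Setting the value explicitly covers both cases: `sed -i 's|^#\?Banner.*|Banner /etc/issue.net|' /etc/ssh/sshd_config` followed by `grep -q '^Banner' /etc/ssh/sshd_config || echo 'Banner /etc/issue.net' >> /etc/ssh/sshd_config`, the same check-then-append pattern the sudoers edit below already uses. The surrounding shell block starts and ends outside the hunk.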
@@ -0,0 +1,130 @@
+#!/usr/bin/perl
+#
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# A copy of the GNU General Public License is available as
+# `/usr/share/common-licenses/GPL' in the Debian GNU/Linux distribution
+# or on the World Wide Web at `http://www.gnu.org/copyleft/gpl.html'.
+# You can also obtain it by writing to the Free Software Foundation,
+# Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
+# MA 02110-1301, USA.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2009 Vyatta, Inc.
+# All Rights Reserved.
+#
+# Author: Stig Thormodsrud
+# Date: April 2009
+# Description: Script to setup login banner
+#
+# **** End License ****
+#
+
+use lib '/opt/vyatta/share/perl5/';
+use Vyatta::Config;
+
+use Getopt::Long;
+use strict;
+use warnings;
+
+my $prelogin_file = '/etc/issue';
+my $prelogin_net_file = '/etc/issue.net';
+my $postlogin_file = '/etc/motd';
+
+
+sub save_orig_file {
+ my $file = shift;
+
+ system "mv $file $file.old" if ! -e "$file.old";
+ return;
+}
+
+sub restore_orig_file {
+ my $file = shift;
+
+ system "mv $file.old $file" if -e "$file.old";
+ return;
+}
+
+sub write_file_value {
+ my ($file, $value) = @_;
+
+ open my $F, '>', $file or die "Error: opening $file [$!]";
+ print $F "$value";
+ close $F;
+}
+
+sub get_banner {
+ my $banner_type = shift;
+
+ my $config = new Vyatta::Config;
+ $config->setLevel('system login banner');
+ my $text = $config->returnValue($banner_type);
+ $text =~ s|\\n|\n|g;
+ $text =~ s|\\t|\t|g;
+ return $text;
+}
+
+sub add_prelogin {
+ save_orig_file($prelogin_file);
+ save_orig_file($prelogin_net_file);
+ my $text = get_banner('pre-login');
+ write_file_value($prelogin_file, $text);
+ write_file_value($prelogin_net_file, $text);
+ return;
+}
+
+sub add_postlogin {
+ save_orig_file($postlogin_file);
+ my $text = get_banner('post-login');
+ write_file_value($postlogin_file, $text);
+ return;
+}
+
+
+#
+# main
+#
+my ($action, $banner_type);
+
+GetOptions("action=s" => \$action,
+ "banner-type=s" => \$banner_type,
+);
+
+die "Error: no action" if ! defined $action;
+die "Error: no banner-type" if ! defined $banner_type;
+
+if ($action eq 'update') {
+ if ($banner_type eq 'pre-login') {
+ add_prelogin();
+ exit 0;
+ }
+ if ($banner_type eq 'post-login') {
+ add_postlogin();
+ exit 0;
+ }
+}
+
+if ($action eq 'delete') {
+ if ($banner_type eq 'pre-login') {
+ restore_orig_file($prelogin_file);
+ restore_orig_file($prelogin_net_file);
+ exit 0;
+ }
+ if ($banner_type eq 'post-login') {
+ restore_orig_file($postlogin_file);
+ exit 0;
+ }
+}
+
+exit 1;
+
+#end of file
diff --git a/templates/system/login/banner/node.def b/templates/system/login/banner/node.def
new file mode 100644
index 00000000..2aef97a4
--- /dev/null
+++ b/templates/system/login/banner/node.def
@@ -0,0 +1 @@
+help: Set system login banners
diff --git a/templates/system/login/banner/post-login/node.def b/templates/system/login/banner/post-login/node.def new file mode 100644 index 00000000..98c139b8 --- /dev/null +++ b/templates/system/login/banner/post-login/node.def @@ -0,0 +1,12 @@ +help: Set system loging banner post-login +type: txt + +update: sudo /opt/vyatta/sbin/vyatta-banner.pl \ + --action=update --banner-type=post-login + +delete: sudo /opt/vyatta/sbin/vyatta-banner.pl \ + --action=delete --banner-type=post-login + +comp_help: possible completions: + Set login banner + (example: "\\n\\n\\tWelcome to Vyatta!\\n") diff --git a/templates/system/login/banner/pre-login/node.def b/templates/system/login/banner/pre-login/node.def new file mode 100644 index 00000000..7cb80380 --- /dev/null +++ b/templates/system/login/banner/pre-login/node.def @@ -0,0 +1,13 @@ +help: Set system loging banner pre-login +type: txt + +update: sudo /opt/vyatta/sbin/vyatta-banner.pl \ + --action=update --banner-type=pre-login + +delete: sudo /opt/vyatta/sbin/vyatta-banner.pl \ + --action=delete --banner-type=pre-login + +comp_help: possible completions: + Set login banner + (example: "\\n\\n\\tUNAUTHORIZED USE OF THIS SYSTEM\\nIS PROHIBITED!\\n") + -- cgit v1.2.3 From cf35ad57b07bfe03e4de9a2e79ca718f0a1c021f Mon Sep 17 00:00:00 2001 From: Stig Thormodsrud Date: Sun, 26 Apr 2009 18:53:02 -0700 Subject: 0.15.31 --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index 82c12f32..c31e37cd 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +vyatta-cfg-system (0.15.31) unstable; urgency=low + + * Add configurable login banners. + + -- Stig Thormodsrud Sun, 26 Apr 2009 18:53:02 -0700 + vyatta-cfg-system (0.15.30) unstable; urgency=low * * add jump to local-zone-out chain in OUTPUT chain for both [ip and -- cgit v1.2.3 From ad8e4618e5a517b22ef5180ad59b0c116e0aaaa1 Mon Sep 17 00:00:00 2001 
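Review bot: `help: Set system loging banner post-login` misspells "login", and the same typo is in the `pre-login/node.def` hunk that follows. They should read `help: Set system login banner post-login` and `help: Set system login banner pre-login`; this text is shown to operators by the CLI's completion help.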
From: Stig Thormodsrud Date: Mon, 27 Apr 2009 11:23:25 -0700 Subject: Using perl module for move() rather than system call. --- scripts/vyatta-banner.pl | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/scripts/vyatta-banner.pl b/scripts/vyatta-banner.pl index 5daeb482..e1cd70a1 100644 --- a/scripts/vyatta-banner.pl +++ b/scripts/vyatta-banner.pl @@ -32,6 +32,7 @@ use lib '/opt/vyatta/share/perl5/'; use Vyatta::Config; use Getopt::Long; +use File::Copy; use strict; use warnings; @@ -43,14 +44,14 @@ my $postlogin_file = '/etc/motd'; sub save_orig_file { my $file = shift; - system "mv $file $file.old" if ! -e "$file.old"; + move($file, "$file.old") if ! -e "$file.old"; return; } sub restore_orig_file { my $file = shift; - system "mv $file.old $file" if -e "$file.old"; + move("$file.old", $file)if -e "$file.old"; return; } -- cgit v1.2.3 From 927622c3aa679293c7a380a4c7c5d129067c5c8a Mon Sep 17 00:00:00 2001 From: Stig Thormodsrud Date: Mon, 27 Apr 2009 14:40:25 -0700 Subject: Avoid unnecessary writing of file if it's the same contents. --- scripts/vyatta-banner.pl | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/scripts/vyatta-banner.pl b/scripts/vyatta-banner.pl index e1cd70a1..8c3db846 100644 --- a/scripts/vyatta-banner.pl +++ b/scripts/vyatta-banner.pl @@ -33,6 +33,8 @@ use Vyatta::Config; use Getopt::Long; use File::Copy; +use Digest::MD5 qw(md5_hex); +use Digest::file qw(digest_file_hex); use strict; use warnings; 
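Review bot: `move($file, "$file.old") if ! -e "$file.old";` still discards the result; File::Copy::move returns false and sets `$!` on failure, so a failed save is followed by an overwrite of the original and `delete` can no longer restore it. Spell the check out: `if (! -e "$file.old") { move($file, "$file.old") or die "Error: saving $file [$!]"; }`, and do the same in `restore_orig_file`, where `move("$file.old", $file)if` is also missing the space before `if`.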
@@ -55,9 +57,23 @@ sub restore_orig_file { return; } +sub is_same_as_file { + my ($file, $value) = @_; + + return if ! -e $file; + my $fdigest = digest_file_hex($file, "MD5"); + my $vdigest = md5_hex("$value"); + return 1 if $fdigest eq $vdigest; + return; +} + sub write_file_value { my ($file, $value) = @_; + # Avoid unnecessary writes. At boot the file will be the + # regenerated with the same content. + return if is_same_as_file($file, $value); + open my $F, '>', $file or die "Error: opening $file [$!]"; print $F "$value"; close $F; -- cgit v1.2.3 From 806a207b85dc4c7f9b94b3975f3b7eccb9ee20bf Mon Sep 17 00:00:00 2001 From: Stig Thormodsrud Date: Mon, 27 Apr 2009 14:42:17 -0700 Subject: 0.15.32 --- debian/changelog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/debian/changelog b/debian/changelog index c31e37cd..46a4d39d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +vyatta-cfg-system (0.15.32) unstable; urgency=low + + * Using perl module for move() rather than system call. + * Avoid unnecessary writing of file if it's the same contents. + + -- Stig Thormodsrud Mon, 27 Apr 2009 14:42:17 -0700 + vyatta-cfg-system (0.15.31) unstable; urgency=low * Add configurable login banners. -- cgit v1.2.3 From 6098a862a26de6526354513295a911cb46f6f56b Mon Sep 17 00:00:00 2001 From: Stig Thormodsrud Date: Mon, 27 Apr 2009 18:03:50 -0700 Subject: Replace md5 compare with a (hopefully) lighter-weight file compare. --- scripts/vyatta-banner.pl | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/scripts/vyatta-banner.pl b/scripts/vyatta-banner.pl index 8c3db846..7ae35edf 100644 --- a/scripts/vyatta-banner.pl +++ b/scripts/vyatta-banner.pl @@ -33,8 +33,7 @@ use Vyatta::Config; use Getopt::Long; use File::Copy; -use Digest::MD5 qw(md5_hex); -use Digest::file qw(digest_file_hex); +use File::Compare; use strict; use warnings; 
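Review bot: The comment added to `write_file_value` reads `# Avoid unnecessary writes. At boot the file will be the regenerated with the same content.`, which should be `# Avoid unnecessary writes: at boot the file would otherwise be regenerated with the same content.` `is_same_as_file` answers with a bare `return;` both when the file is absent and when it differs, which is fine for this one caller but unstated; a line above the sub, `# True when $file exists and its bytes equal $value; false otherwise.`, pins the contract. `digest_file_hex` dies rather than returning undef if `$file` exists but cannot be opened, so the update aborts instead of falling through to the write; harmless when run via sudo, but worth knowing.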
@@ -61,9 +60,14 @@ sub is_same_as_file {
 my ($file, $value) = @_;
 
 return if ! -e $file;
- my $fdigest = digest_file_hex($file, "MD5");
- my $vdigest = md5_hex("$value");
- return 1 if $fdigest eq $vdigest;
+
+ my $mem_file;
+ open my $MF, '+<', \$mem_file or die "couldn't open memfile $!\n";
+ print $MF $value;
+ seek($MF, 0, 0);
+
+ my $rc = compare($file, $MF);
+ return 1 if $rc == 0;
 return;
 }
 
-- cgit v1.2.3
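Review bot: The in-memory handle `$MF` is opened for update on an undefined `$mem_file` and never closed; `my $mem_file = '';` states the intent, and a `close $MF;` after `compare` keeps the sub self-contained. `compare` returns -1 on a read error, which `$rc == 0` silently treats as "different" and so falls through to rewriting the file; acceptable here, but say so with `# -1 (read error) deliberately counts as not-the-same: fall through and rewrite`. The `die "couldn't open memfile $!\n"` message also departs from the `"Error: ..."` form the rest of the file uses.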