From d2e2b6bbec89e741b5e6c3e5c3129534170a2146 Mon Sep 17 00:00:00 2001
From: Mohit Mehta
Date: Tue, 7 Apr 2009 18:27:37 -0700
Subject: Add 1st pass of zone based firewall support (transit zones only for now)
---
templates/zone-policy/node.def | 5 ++
templates/zone-policy/zone/node.def | 21 +++++++
.../zone-policy/zone/node.tag/description/node.def | 2 +
templates/zone-policy/zone/node.tag/from/node.def | 32 ++++++++++
.../from/node.tag/firewall/ipv6-name/node.def | 72 ++++++++++++++++++++++
.../node.tag/from/node.tag/firewall/name/node.def | 71 +++++++++++++++++++++
.../zone/node.tag/from/node.tag/firewall/node.def | 1 +
.../zone-policy/zone/node.tag/interface/node.def | 16 +++++
.../zone-policy/zone/node.tag/local-zone/node.def | 1 +
9 files changed, 221 insertions(+)
create mode 100644 templates/zone-policy/node.def
create mode 100644 templates/zone-policy/zone/node.def
create mode 100644 templates/zone-policy/zone/node.tag/description/node.def
create mode 100644 templates/zone-policy/zone/node.tag/from/node.def
create mode 100644 templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def
create mode 100644 templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def
create mode 100644 templates/zone-policy/zone/node.tag/from/node.tag/firewall/node.def
create mode 100644 templates/zone-policy/zone/node.tag/interface/node.def
create mode 100644 templates/zone-policy/zone/node.tag/local-zone/node.def
(limited to 'templates')
diff --git a/templates/zone-policy/node.def b/templates/zone-policy/node.def
new file mode 100644
index 00000000..2633101e
--- /dev/null
+++ b/templates/zone-policy/node.def
@@ -0,0 +1,5 @@
+help: Configure zone-policy
+begin:
+if ! /opt/vyatta/sbin/vyatta-zone.pl --action=validity-checks --zone-name=none; then
+ exit 1
+fi
diff --git a/templates/zone-policy/zone/node.def b/templates/zone-policy/zone/node.def
new file mode 100644
index 00000000..5fd8dc6e
--- /dev/null
+++ b/templates/zone-policy/zone/node.def
@@ -0,0 +1,21 @@
+tag:
+type: txt
+help: Set zone name
+
+syntax:expression: exec " \
+ if [ `echo -n '$VAR(@)' | wc -c` -gt 24 ]; then \
+ echo Zone name must be 24 characters or less; \
+ exit 1 ; \
+ fi ; "
+
+syntax:expression: pattern $VAR(@) "^[^-]" ; "Zone name cannot start with \"-\""
+
+syntax:expression: pattern $VAR(@) "^[^;]*$" ; "Zone name cannot contain ';'"
+
+create: /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=add-zone \
+ --zone-name="$VAR(@)"
+
+delete: /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=delete-zone \
+ --zone-name="$VAR(@)"
diff --git a/templates/zone-policy/zone/node.tag/description/node.def b/templates/zone-policy/zone/node.tag/description/node.def
new file mode 100644
index 00000000..eab0fc80
--- /dev/null
+++ b/templates/zone-policy/zone/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set zone description
diff --git a/templates/zone-policy/zone/node.tag/from/node.def b/templates/zone-policy/zone/node.tag/from/node.def
new file mode 100644
index 00000000..5273519a
--- /dev/null
+++ b/templates/zone-policy/zone/node.tag/from/node.def
@@ -0,0 +1,32 @@
+tag:
+type: txt
+help: Set zone from which to filter traffic
+
+allowed:
+ local -a zones ;
+ zones=( /opt/vyatta/config/active/zone-policy/zone/* )
+ echo -n ${zones[@]##*/}
+
+create:
+ parent_zone=$VAR(../@)
+ zones=($VAR(../@@))
+ num_zones=${#zones[*]}
+ i=0
+ found=0
+ while [ $i -lt $num_zones ]; do
+ if [ "${zones[$i]}" == "$VAR(@)" ] ; then
+ if [ "$parent_zone" == "$VAR(@)" ]; then
+ echo from zone same as zone [$parent_zone] itself
+ exit 1
+ fi
+ found=1
+ fi
+ let i++
+ done
+ if [ $found -eq 0 ]; then
+ echo Undefined from zone [$VAR(@)] under zone $parent_zone
+ exit 1
+ else
+ /opt/vyatta/sbin/vyatta-zone.pl --action=add-zone --zone-name="$parent_zone"
+ /opt/vyatta/sbin/vyatta-zone.pl --action=add-zone --zone-name="$VAR(@)"
+ fi
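Review bot: The `exec` length check in zone/node.def interpolates `$VAR(@)` into the backticked `echo -n '...'` before either `pattern` check runs, so a zone name containing a single quote or backtick is interpreted by the shell inside the validator itself, and the two pattern checks only reject `;` and a leading `-` even though the same value is later placed inside double quotes in the `create:` and `delete:` commands. A single whitelist check placed first, `syntax:expression: pattern $VAR(@) "^[A-Za-z0-9_-]+$" ; "Zone name may contain only letters, digits, '-' and '_'"`, makes the name safe to interpolate everywhere and subsumes the `;` and leading-`-` rules. If `pattern` accepts a bounded quantifier, the 24-character limit can also become a regex (`^.{1,24}$`) and the `exec` block can go; as written, `wc -c` counts bytes, so a multibyte name is measured differently from what the message says.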
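Review bot: In the `create:` script of from/node.def, `echo from zone same as zone [$parent_zone] itself` and `echo Undefined from zone [$VAR(@)] under zone $parent_zone` leave `[...]` unquoted, so the shell treats it as a bracket glob and can replace it with a matching single-character filename from the working directory; the `Invalid ... firewall ruleset [$VAR(@)]` messages in the ipv6-name and name hunks have the same problem. Quote the whole message: `echo "Undefined from zone [$VAR(@)] under zone $parent_zone"`. The script also assigns `parent_zone`, `zones`, `num_zones`, `i` and `found` without `local`, while the `allowed:` block in the same file does declare `local -a zones`. `zones=($VAR(../@@))` relies on word-splitting the sibling list, which is only correct while zone names contain no whitespace, and the zone-name checks in zone/node.def do not enforce that.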
diff --git a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def
new file mode 100644
index 00000000..1283f55c
--- /dev/null
+++ b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def
@@ -0,0 +1,72 @@
+type: txt
+help: Set IPv6 firewall ruleset
+
+allowed:
+ local -a params ;
+ params=( /opt/vyatta/config/active/firewall/ipv6-name/* )
+ echo -n ${params[@]##*/}
+
+create:
+ params=( `ls /opt/vyatta/config/active/firewall/ipv6-name` )
+ array_len=${#params[*]}
+ i=0
+ found=0
+ while [ $i -lt $array_len ]; do
+ if [ \"${params[$i]}\" == \"$VAR(@)\" ] ; then
+
+ found=1
+ fi
+ let i++
+ done
+ if [ $found -eq 0 ]; then
+ echo Invalid IPv6 firewall ruleset [$VAR(@)]
+ exit 1
+ fi
+
+ /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=add-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=ipv6-name \
+ --ruleset-name="$VAR(@)"
+
+update:
+ params=( `ls /opt/vyatta/config/active/firewall/ipv6-name` )
+ array_len=${#params[*]}
+ i=0
+ found=0
+ while [ $i -lt $array_len ]; do
+ echo comparing ${params[$i]} with $VAR(@)
+ if [ \"${params[$i]}\" == \"$VAR(@)\" ] ; then
+ found=1
+ fi
+ let i++
+ done
+ if [ $found -eq 0 ]; then
+ echo Invalid IPv6 firewall ruleset [$VAR(@)]
+ exit 1
+ fi
+
+ # need to undo previous ruleset here first
+ old_ruleset=`cat /opt/vyatta/config/active/zone-policy/zone/$VAR(../../../@)/from/$VAR(../../@)/firewall/ipv6-name/node.val`
+ /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=delete-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=ipv6-name \
+ --ruleset-name="$old_ruleset"
+
+ /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=add-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=ipv6-name \
+ --ruleset-name="$VAR(@)"
+
+delete:
+ /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=delete-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=ipv6-name \
+ --ruleset-name="$VAR(@)"
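Review bot: The `update:` loop still carries the debug line `echo comparing ${params[$i]} with $VAR(@)`, which the IPv4 name template does not have and which prints once per ruleset on every commit; remove it. Both `create:` and `update:` build `params` from `` `ls /opt/vyatta/config/active/firewall/ipv6-name` `` although `allowed:` in the same file already uses the glob form `params=( /opt/vyatta/config/active/firewall/ipv6-name/* )`; reusing that with `${params[@]##*/}` avoids parsing `ls` output. Both existence checks read the active tree rather than the working configuration, so a ruleset defined in the same commit is rejected unless firewall nodes are guaranteed to commit before zone-policy, which nothing in this patch establishes. The `\"` escapes in `[ \"${params[$i]}\" == \"$VAR(@)\" ]` differ from the plain quotes used in from/node.def; whichever form the action runner expects, the other file is wrong, and in the escaped form the expansions themselves are unquoted.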
diff --git a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def
new file mode 100644
index 00000000..8fc557c5
--- /dev/null
+++ b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def
@@ -0,0 +1,71 @@
+type: txt
+help: Set IPv4 firewall ruleset
+
+allowed:
+ local -a params ;
+ params=( /opt/vyatta/config/active/firewall/name/* )
+ echo -n ${params[@]##*/}
+
+create:
+ params=( `ls /opt/vyatta/config/active/firewall/name` )
+ array_len=${#params[*]}
+ i=0
+ found=0
+ while [ $i -lt $array_len ]; do
+ if [ \"${params[$i]}\" == \"$VAR(@)\" ] ; then
+
+ found=1
+ fi
+ let i++
+ done
+ if [ $found -eq 0 ]; then
+ echo Invalid IPv4 firewall ruleset [$VAR(@)]
+ exit 1
+ fi
+
+ /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=add-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=name \
+ --ruleset-name="$VAR(@)"
+
+update:
+ params=( `ls /opt/vyatta/config/active/firewall/name` )
+ array_len=${#params[*]}
+ i=0
+ found=0
+ while [ $i -lt $array_len ]; do
+ if [ \"${params[$i]}\" == \"$VAR(@)\" ] ; then
+ found=1
+ fi
+ let i++
+ done
+ if [ $found -eq 0 ]; then
+ echo Invalid IPv4 firewall ruleset [$VAR(@)]
+ exit 1
+ fi
+
+ # need to undo previous ruleset here first
+ old_ruleset=`cat /opt/vyatta/config/active/zone-policy/zone/$VAR(../../../@)/from/$VAR(../../@)/firewall/name/node.val`
+ /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=delete-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=name \
+ --ruleset-name="$old_ruleset"
+
+ /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=add-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=name \
+ --ruleset-name="$VAR(@)"
+
+delete:
+ /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=delete-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=name \
+ --ruleset-name="$VAR(@)"
diff --git a/templates/zone-policy/zone/node.tag/from/node.tag/firewall/node.def b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/node.def
new file mode 100644
index 00000000..11748d20
--- /dev/null
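Review bot: In `update:` the `delete-fromzone-fw` call for `$old_ruleset` is not checked, so if it fails the following `add-fromzone-fw` still runs and the action's exit status reflects only the last command; append `|| exit 1` to the delete invocation (the ipv6-name hunk has the same sequence). `old_ruleset` is read with `cat` from the active `node.val`, and if that file can be absent or empty at update time the script silently passes `--ruleset-name=""`; a guard such as `[ -n "$old_ruleset" ] || exit 1` after the assignment makes that case visible. The file is otherwise a line-for-line copy of the ipv6-name template with `ipv6-name` replaced by `name`, so every fix has to be applied twice; the existence check and the delete/add pair would be easier to keep consistent inside vyatta-zone.pl, keyed on the `--ruleset-type` it already receives.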
+++ b/templates/zone-policy/zone/node.tag/from/node.tag/firewall/node.def
@@ -0,0 +1 @@
+help: Set firewall options
diff --git a/templates/zone-policy/zone/node.tag/interface/node.def b/templates/zone-policy/zone/node.tag/interface/node.def
new file mode 100644
index 00000000..ca482eca
--- /dev/null
+++ b/templates/zone-policy/zone/node.tag/interface/node.def
@@ -0,0 +1,16 @@
+multi:
+type: txt
+help: Set interface associated with zone
+allowed: /opt/vyatta/sbin/vyatta-interfaces.pl --show=all
+
+create: /opt/vyatta/sbin/vyatta-interfaces.pl --dev=$VAR(@) --warn
+
+create: /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=add-zone-interface \
+ --zone-name="$VAR(../@)" \
+ --interface="$VAR(@)"
+
+delete: /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=delete-zone-interface \
+ --zone-name="$VAR(../@)" \
+ --interface="$VAR(@)"
diff --git a/templates/zone-policy/zone/node.tag/local-zone/node.def b/templates/zone-policy/zone/node.tag/local-zone/node.def
new file mode 100644
index 00000000..b82ee438
--- /dev/null
+++ b/templates/zone-policy/zone/node.tag/local-zone/node.def
@@ -0,0 +1 @@
+help: Set zone to be local-zone
--
cgit v1.2.3
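Review bot: In interface/node.def the first `create:` passes `--dev=$VAR(@)` unquoted while the second quotes `--interface="$VAR(@)"`; quote both the same way. The `--warn` flag suggests an unknown interface only produces a warning, so the zone can be committed while referencing an interface that does not exist; if that is intended for devices that appear later, record it with a comment such as `# --warn: an unknown interface is reported but does not fail the commit`. Nothing at template level prevents the same interface from being listed under two zones; unless `add-zone-interface` in vyatta-zone.pl rejects that, a check is needed, because an interface in overlapping zones makes the policy to apply ambiguous.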