summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorMohit Mehta <mohit@vyatta.com>2010-10-07 19:14:39 -0700
committerMohit Mehta <mohit@vyatta.com>2010-10-07 19:14:39 -0700
commit30a5e2f7494b703fd3e69448f77104bd58193647 (patch)
treeaa212a52c18b2b83dd2c9270c531791e42a624bf /lib
parent54ef1e9a6691a206e80bc21d20b1b72bd7c44ccb (diff)
downloadvyatta-cfg-30a5e2f7494b703fd3e69448f77104bd58193647.tar.gz
vyatta-cfg-30a5e2f7494b703fd3e69448f77104bd58193647.zip
moved code for zones to vyatta-zone package
Diffstat (limited to 'lib')
-rwxr-xr-xlib/Vyatta/Zone.pm216
1 files changed, 0 insertions, 216 deletions
diff --git a/lib/Vyatta/Zone.pm b/lib/Vyatta/Zone.pm
deleted file mode 100755
index b23bc74..0000000
--- a/lib/Vyatta/Zone.pm
+++ /dev/null
@@ -1,216 +0,0 @@
-# Module: Zone.pm
-#
-# **** License ****
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-#
-# This code was originally developed by Vyatta, Inc.
-# Portions created by Vyatta are Copyright (C) 2009 Vyatta, Inc.
-# All Rights Reserved.
-#
-# Author: Mohit Mehta
-# Date: 2009
-# Description: vyatta zone management
-#
-# **** End License ****
-#
-
-package Vyatta::Zone;
-
-use Vyatta::Config;
-use Vyatta::Misc;
-use Vyatta::Interface;
-
-use strict;
-use warnings;
-
-my $debug="false";
-my $syslog="false";
-my $logger = 'sudo logger -t zone.pm -p local0.warn --';
-
-sub run_cmd {
- my $cmd = shift;
- my $error = system("$cmd");
-
- if ($syslog eq "true") {
- my $func = (caller(1))[3];
- system("$logger [$func] [$cmd] = [$error]");
- }
- if ($debug eq "true") {
- my $func = (caller(1))[3];
- print "[$func] [$cmd] = [$error]\n";
- }
- return $error;
-}
-
-sub is_fwruleset_active {
- my ($value_func, $ruleset_type, $fw_ruleset) = @_;
- my $config = new Vyatta::Config;
- return $config->$value_func("firewall $ruleset_type $fw_ruleset");
-}
-
-sub get_all_zones {
- my $value_func = shift;
- my $config = new Vyatta::Config;
- return $config->$value_func("zone-policy zone");
-}
-
-sub get_zone_interfaces {
- my ($value_func, $zone_name) = @_;
- my $config = new Vyatta::Config;
- return $config->$value_func("zone-policy zone $zone_name interface");
-}
-
-sub get_from_zones {
- my ($value_func, $zone_name) = @_;
- my $config = new Vyatta::Config;
- return $config->$value_func("zone-policy zone $zone_name from");
-}
-
-sub get_firewall_ruleset {
- my ($value_func, $zone_name, $from_zone, $firewall_type) = @_;
- my $config = new Vyatta::Config;
- return $config->$value_func("zone-policy zone $zone_name from $from_zone
- firewall $firewall_type");
-}
-
-sub is_local_zone {
- my ($value_func, $zone_name) = @_;
- my $config = new Vyatta::Config;
- return $config->$value_func("zone-policy zone $zone_name local-zone");
-}
-
-sub get_zone_default_policy {
- my ($value_func, $zone_name) = @_;
- my $config = new Vyatta::Config;
- return $config->$value_func("zone-policy zone $zone_name default-action");
-}
-
-sub rule_exists {
- my ($command, $table, $chain_name, $target, $interface) = @_;
- my $cmd =
- "sudo $command -t $table -L " .
- "$chain_name -v 2>/dev/null | grep \" $target \" ";
- if (defined $interface) {
- $cmd .= "| grep \" $interface \" ";
- }
- $cmd .= "| wc -l";
- my $result = `$cmd`;
- return $result;
-}
-
-sub get_zone_chain {
- my ($value_func, $zone, $localout) = @_;
- my $chain = "VZONE_$zone";
- if (defined(is_local_zone($value_func, $zone))) {
- # local zone
- if (defined $localout) {
- # local zone out chain
- $chain .= "_OUT";
- } else {
- # local zone in chain
- $chain .= "_IN";
- }
- }
- return $chain;
-}
-
-sub validity_checks {
- my @all_zones = get_all_zones("listNodes");
- my @all_interfaces = ();
- my $num_local_zones = 0;
- my $returnstring;
- foreach my $zone (@all_zones) {
- # get all from zones, see if they exist in config, if not display error
- my @from_zones = get_from_zones("listNodes", $zone);
- foreach my $from_zone (@from_zones) {
- if (scalar(grep(/^$from_zone$/, @all_zones)) == 0) {
- $returnstring = "$from_zone is a from zone under zone $zone\n" .
- "It is either not defined or deleted from config";
- return ($returnstring, );
- }
- }
- my @zone_intfs = get_zone_interfaces("returnValues", $zone);
- if (scalar(@zone_intfs) == 0) {
- # no interfaces defined for this zone
- if (!defined(is_local_zone("exists", $zone))) {
- $returnstring = "Zone $zone has no interfaces defined " .
- "and it's not a local-zone";
- return($returnstring, );
- }
- # zone defined as a local-zone
- my @zone_intfs_orig = get_zone_interfaces("returnOrigValues", $zone);
- if (scalar(@zone_intfs_orig) != 0) {
- # can't change change transit zone to local-zone on the fly
- $returnstring = "Zone $zone is a transit zone. " .
- "Cannot convert it to local-zone.\n" .
- "Please define another zone to create local-zone";
- return($returnstring, );
- }
- $num_local_zones++;
- # make sure only one zone is a local-zone
- if ($num_local_zones > 1) {
- return ("Only one zone can be defined as a local-zone", );
- }
- } else {
- # zone has interfaces, make sure it is not set as a local-zone
- if (defined(is_local_zone("exists", $zone))) {
- $returnstring = "local-zone cannot have interfaces defined";
- return($returnstring, );
- }
- # make sure you're not converting local-zone to transit zone either
- if (defined(is_local_zone("existsOrig", $zone))) {
- $returnstring = "Cannot convert local-zone $zone to transit zone" .
- "\nPlease define another zone for it";
- return($returnstring, );
- }
- foreach my $interface (@zone_intfs) {
- # make sure zone features are not being used on zone interface
- my $intf = new Vyatta::Interface($interface);
- if ($intf) {
- my $config = new Vyatta::Config;
- $config->setLevel($intf->path());
- # make sure firewall is not applied to this interface
- if ($config->exists("firewall in name") ||
- $config->exists("firewall out name") ||
- $config->exists("firewall local name") ||
- $config->exists("firewall in ipv6-name") ||
- $config->exists("firewall out ipv6-name") ||
- $config->exists("firewall local ipv6-name")) {
- $returnstring =
- "interface $interface has firewall rule-set " .
- "configured, cannot be defined under a zone";
- return($returnstring, );
- }
- # make sure content-inspection is not applied to this interface
- if ($config->exists("content-inspection in enable") ||
- $config->exists("content-inspection out enable") ||
- $config->exists("content-inspection local enable") ||
- $config->exists("content-inspection in ipv6-enable") ||
- $config->exists("content-inspection out ipv6-enable") ||
- $config->exists("content-inspection local ipv6-enable")) {
- $returnstring =
- "interface $interface has content-inspection " .
- "configured, cannot be defined under a zone";
- return($returnstring, );
- }
- }
- # make sure an interface is not defined under two zones
- if (scalar(grep(/^$interface$/, @all_interfaces)) > 0) {
- return ("$interface defined under two zones", );
- } else {
- push(@all_interfaces, $interface);
- }
- }
- }
- }
- return;
-}
-
-1;