From 4a5a65f74a43ff33a0c4d54eec377502a6d05fdf Mon Sep 17 00:00:00 2001
From: Mohit Mehta
Date: Tue, 21 Sep 2010 17:35:37 -0700
Subject: * move count_iptables_rule to MISC module
---
lib/Vyatta/Misc.pm | 13 ++++++++++++-
lib/Vyatta/Zone.pm | 10 ----------
2 files changed, 12 insertions(+), 11 deletions(-)
(limited to 'lib/Vyatta')
diff --git a/lib/Vyatta/Misc.pm b/lib/Vyatta/Misc.pm
index 5373f7f..b774f72 100755
--- a/lib/Vyatta/Misc.pm
+++ b/lib/Vyatta/Misc.pm
@@ -26,7 +26,8 @@ require Exporter;
 our @ISA = qw(Exporter);
 our @EXPORT = qw(getInterfaces getIP getNetAddIP get_sysfs_value is_address_enabled is_dhcp_enabled
- isIpAddress is_ip_v4_or_v6 interface_description);
+ isIpAddress is_ip_v4_or_v6 interface_description
+ count_iptables_rules);
 our @EXPORT_OK = qw(generate_dhclient_intf_files getInterfacesIPadresses getPortRuleString);
@@ -417,4 +418,14 @@ sub interface_description {
 return $description;
 }
+sub count_iptables_rules {
+ my ($command, $table, $chain) = @_;
+ my @lines = `sudo $command -t $table -L $chain -n --line`;
+ my $cnt = 0;
+ foreach my $line (@lines) {
+ $cnt++ if $line =~ /^\d/;
+ }
+ return $cnt;
+}
+
 1;
diff --git a/lib/Vyatta/Zone.pm b/lib/Vyatta/Zone.pm
index 4b169b5..eccf8ab 100755
--- a/lib/Vyatta/Zone.pm
+++ b/lib/Vyatta/Zone.pm
@@ -121,16 +121,6 @@ sub get_zone_chain {
 return $chain;
 }
-sub count_iptables_rules {
- my ($command, $table, $chain) = @_;
- my @lines = `sudo $command -t $table -L $chain -n --line`;
- my $cnt = 0;
- foreach my $line (@lines) {
- $cnt++ if $line =~ /^\d/;
- }
- return $cnt;
-}
-
 sub validity_checks {
 my @all_zones = get_all_zones("listNodes");
 my @all_interfaces = ();
-- cgit v1.2.3
From 847b97e90a0ba2e5bd103a0d018592b05879d1c7 Mon Sep 17 00:00:00 2001
From: Mohit Mehta
Date: Tue, 21 Sep 2010 21:13:06 -0700
Subject: * move count_iptables_rules to Iptables::Mgr module
---
lib/Vyatta/Misc.pm | 13 +------------
1 file changed, 1 insertion(+), 12 deletions(-)
(limited to 'lib/Vyatta')
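Review bot: In the new `count_iptables_rules` added to Misc.pm, the backtick line interpolates `$command`, `$table` and `$chain` into one string that a shell parses under `sudo`, so a chain or table name containing whitespace or shell metacharacters changes what runs as root; on this page the callers live in Zone.pm, where the values appear to derive from configuration, so this may be reachable by an operator with config rights. The same line also ignores the command's exit status, so an iptables failure (unknown chain, missing privileges) is reported as zero rules rather than as an error. A list-form pipe open passes the arguments straight to the program with no shell, and checking `close` surfaces a non-zero exit; the counting loop stays as written. The next commit (847b97e) moves the function again, to Iptables::Mgr, which is not on this page, so the point travels with it.
```perl
sub count_iptables_rules {
    my ($command, $table, $chain) = @_;
    # List-form pipe open: arguments reach the program without a shell, so
    # the table/chain names cannot alter the command, and a failed run is
    # reported instead of silently counting as zero rules.
    open my $fh, '-|', 'sudo', $command, '-t', $table, '-L', $chain, '-n', '--line'
        or die "cannot run $command: $!";
    my @lines = <$fh>;
    # close on a pipe handle is false when the child exits non-zero ($? holds the status)
    close $fh or die "$command -t $table -L $chain failed: $?";
    # … unchanged: count the lines that start with a rule number …
```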
diff --git a/lib/Vyatta/Misc.pm b/lib/Vyatta/Misc.pm
index b774f72..5373f7f 100755
--- a/lib/Vyatta/Misc.pm
+++ b/lib/Vyatta/Misc.pm
@@ -26,8 +26,7 @@ require Exporter;
 our @ISA = qw(Exporter);
 our @EXPORT = qw(getInterfaces getIP getNetAddIP get_sysfs_value is_address_enabled is_dhcp_enabled
- isIpAddress is_ip_v4_or_v6 interface_description
- count_iptables_rules);
+ isIpAddress is_ip_v4_or_v6 interface_description);
 our @EXPORT_OK = qw(generate_dhclient_intf_files getInterfacesIPadresses getPortRuleString);
@@ -418,14 +417,4 @@ sub interface_description {
 return $description;
 }
-sub count_iptables_rules {
- my ($command, $table, $chain) = @_;
- my @lines = `sudo $command -t $table -L $chain -n --line`;
- my $cnt = 0;
- foreach my $line (@lines) {
- $cnt++ if $line =~ /^\d/;
- }
- return $cnt;
-}
-
 1;
-- cgit v1.2.3
From c1a36bdbc0c01cf834b63e62d80e3eeefe33172f Mon Sep 17 00:00:00 2001
From: Mohit Mehta
Date: Fri, 1 Oct 2010 11:10:56 -0700
Subject: Fix Bug 6225 Unable to assign a pppoe interface to zone * change check for fw applied to an interface
---
lib/Vyatta/Zone.pm | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'lib/Vyatta')
diff --git a/lib/Vyatta/Zone.pm b/lib/Vyatta/Zone.pm
index eccf8ab..0e4981f 100755
--- a/lib/Vyatta/Zone.pm
+++ b/lib/Vyatta/Zone.pm
@@ -176,7 +176,9 @@ sub validity_checks {
 if ($intf) {
 my $config = new Vyatta::Config;
 $config->setLevel($intf->path());
- if ($config->exists("firewall")) {
+ if ($config->exists("firewall in name") ||
+ $config->exists("firewall out name") ||
+ $config->exists("firewall local name")) {
 $returnstring =
 "interface $interface has firewall configured, " .
 "cannot be defined under a zone";
-- cgit v1.2.3
From 3ec8c3d238895ff09b329eb8d459a4efdc306a87 Mon Sep 17 00:00:00 2001
From: Mohit Mehta
Date: Wed, 6 Oct 2010 16:22:06 -0700
Subject: * don't allow adding an interface to a zone that has content-inspection enabled
---
lib/Vyatta/Zone.pm | 26 +++++++++++++++++++++-----
1 file changed, 21 insertions(+), 5 deletions(-)
(limited to 'lib/Vyatta')
diff --git a/lib/Vyatta/Zone.pm b/lib/Vyatta/Zone.pm
index 0e4981f..b23bc74 100755
--- a/lib/Vyatta/Zone.pm
+++ b/lib/Vyatta/Zone.pm
@@ -171,17 +171,33 @@ sub validity_checks {
 return($returnstring, );
 }
 foreach my $interface (@zone_intfs) {
- # make sure firewall is not applied to this interface
+ # make sure zone features are not being used on zone interface
 my $intf = new Vyatta::Interface($interface);
 if ($intf) {
 my $config = new Vyatta::Config;
 $config->setLevel($intf->path());
+ # make sure firewall is not applied to this interface
 if ($config->exists("firewall in name") ||
 $config->exists("firewall out name") ||
- $config->exists("firewall local name")) {
- $returnstring =
- "interface $interface has firewall configured, " .
- "cannot be defined under a zone";
+ $config->exists("firewall local name") ||
+ $config->exists("firewall in ipv6-name") ||
+ $config->exists("firewall out ipv6-name") ||
+ $config->exists("firewall local ipv6-name")) {
+ $returnstring =
+ "interface $interface has firewall rule-set " .
+ "configured, cannot be defined under a zone";
+ return($returnstring, );
+ }
+ # make sure content-inspection is not applied to this interface
+ if ($config->exists("content-inspection in enable") ||
+ $config->exists("content-inspection out enable") ||
+ $config->exists("content-inspection local enable") ||
+ $config->exists("content-inspection in ipv6-enable") ||
+ $config->exists("content-inspection out ipv6-enable") ||
+ $config->exists("content-inspection local ipv6-enable")) {
+ $returnstring =
+ "interface $interface has content-inspection " .
+ "configured, cannot be defined under a zone";
 return($returnstring, );
 }
 }
-- cgit v1.2.3
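Review bot: The firewall and content-inspection guards added to `validity_checks` spell out the same `$config->exists` probe twelve times, differing only in direction (`in`/`out`/`local`) and leaf (`name`/`ipv6-name`, `enable`/`ipv6-enable`), so the next variant (another direction or address family) becomes another six-line copy. Two short nested loops over those lists give the same first-match-returns behaviour with the same messages and are easier to extend and to read. `validity_checks` begins and ends outside this hunk.
```perl
            # make sure firewall is not applied to this interface
            for my $dir (qw(in out local)) {
                for my $leaf (qw(name ipv6-name)) {
                    next unless $config->exists("firewall $dir $leaf");
                    $returnstring =
                      "interface $interface has firewall rule-set " .
                      "configured, cannot be defined under a zone";
                    return($returnstring, );
                }
            }
            # make sure content-inspection is not applied to this interface
            for my $dir (qw(in out local)) {
                for my $leaf (qw(enable ipv6-enable)) {
                    next unless $config->exists("content-inspection $dir $leaf");
                    $returnstring =
                      "interface $interface has content-inspection " .
                      "configured, cannot be defined under a zone";
                    return($returnstring, );
                }
            }
            # … unchanged: closing of the if ($intf) block …
```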
From 30a5e2f7494b703fd3e69448f77104bd58193647 Mon Sep 17 00:00:00 2001
From: Mohit Mehta
Date: Thu, 7 Oct 2010 19:14:39 -0700
Subject: moved code for zones to vyatta-zone package
---
Makefile.am | 1 -
lib/Vyatta/Zone.pm | 216 -----------------------------------------------------
2 files changed, 217 deletions(-)
delete mode 100755 lib/Vyatta/Zone.pm
(limited to 'lib/Vyatta')
diff --git a/Makefile.am b/Makefile.am
index cef450f..c5d29b1 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -89,7 +89,6 @@ share_perl5_DATA += lib/Vyatta/TypeChecker.pm
 share_perl5_DATA += lib/Vyatta/ConfigOutput.pm
 share_perl5_DATA += lib/Vyatta/ConfigLoad.pm
 share_perl5_DATA += lib/Vyatta/Keepalived.pm
-share_perl5_DATA += lib/Vyatta/Zone.pm
 enum_SCRIPTS = scripts/enumeration/existing-interfaces
diff --git a/lib/Vyatta/Zone.pm b/lib/Vyatta/Zone.pm
deleted file mode 100755
index b23bc74..0000000
--- a/lib/Vyatta/Zone.pm
+++ /dev/null
@@ -1,216 +0,0 @@ -# Module: Zone.pm -# -# **** License **** -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# This code was originally developed by Vyatta, Inc. -# Portions created by Vyatta are Copyright (C) 2009 Vyatta, Inc. -# All Rights Reserved. -# -# Author: Mohit Mehta -# Date: 2009 -# Description: vyatta zone management -# -# **** End License **** -# - -package Vyatta::Zone; - -use Vyatta::Config; -use Vyatta::Misc; -use Vyatta::Interface; - -use strict; -use warnings; - -my $debug="false"; -my $syslog="false"; -my $logger = 'sudo logger -t zone.pm -p local0.warn --'; - -sub run_cmd { - my $cmd = shift; - my $error = system("$cmd"); - - if ($syslog eq "true") { - my $func = (caller(1))[3]; - system("$logger [$func] [$cmd] = [$error]"); - } - if ($debug eq "true") { - my $func = (caller(1))[3]; - print "[$func] [$cmd] = [$error]\n"; - } - return $error; -} - -sub is_fwruleset_active { - my ($value_func, $ruleset_type, $fw_ruleset) = @_; - my $config = new Vyatta::Config; - return $config->$value_func("firewall $ruleset_type $fw_ruleset"); -} - -sub get_all_zones { - my $value_func = shift; - my $config = new Vyatta::Config; - return $config->$value_func("zone-policy zone"); -} - -sub get_zone_interfaces { - my ($value_func, $zone_name) = @_; - my $config = new Vyatta::Config; - return $config->$value_func("zone-policy zone $zone_name interface"); -} - -sub get_from_zones { - my ($value_func, $zone_name) = @_; - my $config = new Vyatta::Config; - return $config->$value_func("zone-policy zone $zone_name from"); -} - -sub get_firewall_ruleset { - my ($value_func, $zone_name, 
$from_zone, $firewall_type) = @_; - my $config = new Vyatta::Config; - return $config->$value_func("zone-policy zone $zone_name from $from_zone - firewall $firewall_type"); -} - -sub is_local_zone { - my ($value_func, $zone_name) = @_; - my $config = new Vyatta::Config; - return $config->$value_func("zone-policy zone $zone_name local-zone"); -} - -sub get_zone_default_policy { - my ($value_func, $zone_name) = @_; - my $config = new Vyatta::Config; - return $config->$value_func("zone-policy zone $zone_name default-action"); -} - -sub rule_exists { - my ($command, $table, $chain_name, $target, $interface) = @_; - my $cmd = - "sudo $command -t $table -L " . - "$chain_name -v 2>/dev/null | grep \" $target \" "; - if (defined $interface) { - $cmd .= "| grep \" $interface \" "; - } - $cmd .= "| wc -l"; - my $result = `$cmd`; - return $result; -} - -sub get_zone_chain { - my ($value_func, $zone, $localout) = @_; - my $chain = "VZONE_$zone"; - if (defined(is_local_zone($value_func, $zone))) { - # local zone - if (defined $localout) { - # local zone out chain - $chain .= "_OUT"; - } else { - # local zone in chain - $chain .= "_IN"; - } - } - return $chain; -} - -sub validity_checks { - my @all_zones = get_all_zones("listNodes"); - my @all_interfaces = (); - my $num_local_zones = 0; - my $returnstring; - foreach my $zone (@all_zones) { - # get all from zones, see if they exist in config, if not display error - my @from_zones = get_from_zones("listNodes", $zone); - foreach my $from_zone (@from_zones) { - if (scalar(grep(/^$from_zone$/, @all_zones)) == 0) { - $returnstring = "$from_zone is a from zone under zone $zone\n" . - "It is either not defined or deleted from config"; - return ($returnstring, ); - } - } - my @zone_intfs = get_zone_interfaces("returnValues", $zone); - if (scalar(@zone_intfs) == 0) { - # no interfaces defined for this zone - if (!defined(is_local_zone("exists", $zone))) { - $returnstring = "Zone $zone has no interfaces defined " . 
- "and it's not a local-zone"; - return($returnstring, ); - } - # zone defined as a local-zone - my @zone_intfs_orig = get_zone_interfaces("returnOrigValues", $zone); - if (scalar(@zone_intfs_orig) != 0) { - # can't change change transit zone to local-zone on the fly - $returnstring = "Zone $zone is a transit zone. " . - "Cannot convert it to local-zone.\n" . - "Please define another zone to create local-zone"; - return($returnstring, ); - } - $num_local_zones++; - # make sure only one zone is a local-zone - if ($num_local_zones > 1) { - return ("Only one zone can be defined as a local-zone", ); - } - } else { - # zone has interfaces, make sure it is not set as a local-zone - if (defined(is_local_zone("exists", $zone))) { - $returnstring = "local-zone cannot have interfaces defined"; - return($returnstring, ); - } - # make sure you're not converting local-zone to transit zone either - if (defined(is_local_zone("existsOrig", $zone))) { - $returnstring = "Cannot convert local-zone $zone to transit zone" . - "\nPlease define another zone for it"; - return($returnstring, ); - } - foreach my $interface (@zone_intfs) { - # make sure zone features are not being used on zone interface - my $intf = new Vyatta::Interface($interface); - if ($intf) { - my $config = new Vyatta::Config; - $config->setLevel($intf->path()); - # make sure firewall is not applied to this interface - if ($config->exists("firewall in name") || - $config->exists("firewall out name") || - $config->exists("firewall local name") || - $config->exists("firewall in ipv6-name") || - $config->exists("firewall out ipv6-name") || - $config->exists("firewall local ipv6-name")) { - $returnstring = - "interface $interface has firewall rule-set " . 
- "configured, cannot be defined under a zone"; - return($returnstring, ); - } - # make sure content-inspection is not applied to this interface - if ($config->exists("content-inspection in enable") || - $config->exists("content-inspection out enable") || - $config->exists("content-inspection local enable") || - $config->exists("content-inspection in ipv6-enable") || - $config->exists("content-inspection out ipv6-enable") || - $config->exists("content-inspection local ipv6-enable")) { - $returnstring = - "interface $interface has content-inspection " . - "configured, cannot be defined under a zone"; - return($returnstring, ); - } - } - # make sure an interface is not defined under two zones - if (scalar(grep(/^$interface$/, @all_interfaces)) > 0) { - return ("$interface defined under two zones", ); - } else { - push(@all_interfaces, $interface); - } - } - } - } - return; -} - -1;
-- cgit v1.2.3
From 92bd0daffbe0146f91ca0626b3a9b5c89bd4057b Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 8 Oct 2010 12:01:52 -0700
Subject: reference error location method in config module.
---
lib/Vyatta/Config.pm | 10 ++++++++++
1 file changed, 10 insertions(+)
(limited to 'lib/Vyatta')
diff --git a/lib/Vyatta/Config.pm b/lib/Vyatta/Config.pm
index 6dfcc46..e30ba67 100755
--- a/lib/Vyatta/Config.pm
+++ b/lib/Vyatta/Config.pm
@@ -676,6 +676,16 @@ sub compareValueLists {
 return %comp_hash;
 }
+sub outputError {
+ my ($self, $location, $msg) = @_;
+ print STDERR $msg . "\n";
+ if (defined($ENV{VYATTA_OUTPUT_ERROR_LOCATION})) {
+ foreach my $elem (@$location) {
+ print STDERR "reference:[" . $elem . "]\n";
+ }
+ }
+}
+
 ############################################################
 # API functions that have not been converted
 ############################################################
-- cgit v1.2.3
From db4b7b3e30ae7f116bc09c8ed27c4cde00dc0c32 Mon Sep 17 00:00:00 2001
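Review bot: `outputError` dereferences `@$location` without checking it, so a caller that passes `undef` (or omits the argument) while `VYATTA_OUTPUT_ERROR_LOCATION` is set dies with an undefined-array-reference error instead of printing the message, assuming Config.pm runs under strict refs as Zone.pm on this page does; `foreach my $elem (@{ $location || [] }) {` keeps the message output in that case. The method also has no header comment stating its contract; a line above `sub outputError` such as `# Print $msg to STDERR; when VYATTA_OUTPUT_ERROR_LOCATION is set, also print each element of the $location array ref as a reference:[...] line` would tell callers what $location must be. The same loop survives unchanged in the follow-up hunk (db4b7b3) below, which only renames the tag, so the guard applies there too.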
From: root
Date: Mon, 11 Oct 2010 15:48:06 -0700
Subject: change location tag for error from reference: to errloc:
---
lib/Vyatta/Config.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lib/Vyatta')
diff --git a/lib/Vyatta/Config.pm b/lib/Vyatta/Config.pm
index e30ba67..1488c3d 100755
--- a/lib/Vyatta/Config.pm
+++ b/lib/Vyatta/Config.pm
@@ -681,7 +681,7 @@ sub outputError {
 print STDERR $msg . "\n";
 if (defined($ENV{VYATTA_OUTPUT_ERROR_LOCATION})) {
 foreach my $elem (@$location) {
- print STDERR "reference:[" . $elem . "]\n";
+ print STDERR "errloc:[" . $elem . "]\n";
 }
 }
 }
-- cgit v1.2.3