authorGaurav Sinha <gaurav.sinha@vyatta.com>2012-05-14 13:53:31 -0700
committerGaurav Sinha <gaurav.sinha@vyatta.com>2012-05-14 13:53:31 -0700
commit9c903ba22d8aae4ef42bbd989194e6bdf2780be1 (patch)
tree33ecf657df35c2a5a6297d9dc390d19a86ad57d4
parent1beb14e6dfb50c41b5b612b6696ab68e237d7ed3 (diff)
downloadvyatta-conntrack-9c903ba22d8aae4ef42bbd989194e6bdf2780be1.tar.gz
vyatta-conntrack-9c903ba22d8aae4ef42bbd989194e6bdf2780be1.zip
add vyatta-cthelper.pl, disable nodes, add/remove functions for chain
-rw-r--r--scripts/vyatta-cthelper.pl84
-rw-r--r--templates-cfg/system/conntrack/modules/nfs/disable/node.def7
-rw-r--r--templates-cfg/system/conntrack/modules/sqlnet/disable/node.def7
3 files changed, 98 insertions, 0 deletions
diff --git a/scripts/vyatta-cthelper.pl b/scripts/vyatta-cthelper.pl
new file mode 100644
index 0000000..f038037
--- /dev/null
+++ b/scripts/vyatta-cthelper.pl
@@ -0,0 +1,84 @@
+#!/usr/bin/perl
+
+use lib "/opt/vyatta/share/perl5";
+use warnings;
+use strict;
+
+use Vyatta::Config;
+use Vyatta::Conntrack::ConntrackUtil;
+use Vyatta::IpTables::Mgr;
+use Getopt::Long;
+use Sys::Syslog qw(:standard :macros);
+
+
+#for future
+my %cmd_hash = ( 'ipv4' => 'iptables',
+ 'ipv6' => 'ip6tables');
+
+my $nfct = "sudo /opt/vyatta/sbin/nfct";
+my ($enable_sqlnet, $disable_sqlnet, $enable_nfs, $disable_nfs);
+my $CTERROR = "Conntrack error:";
+
+GetOptions('enable_sqlnet=s' => \$enable_sqlnet,
+ 'disable_sqlnet=s' => \$disable_sqlnet,
+ 'disable_nfs=s' => \$disable_nfs,
+ 'enable_nfs=s' => \$enable_nfs,
+);
+
+# subroutine to add helper rule to VYATTA_CT_HELPER chain.
+sub
+add_helper_to_chain {
+ my ($module) = @_;
+ my $iptables_cmd = $cmd_hash {'ipv4'};
+ if ($module eq 'sqlnet') {
+# run_cmd (" $iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 1521 -j CT --helper oracletns ");
+ print " $iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 1521 -j CT --helper oracletns \n";
+# run_cmd (" $iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 1525 -j CT --helper oracletns ");
+ print " $iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 1525 -j CT --helper oracletns \n";
+ } elsif ($module eq 'nfs') {
+ print " $iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 111 -j CT --helper nfs \n";
+# run_cmd (" $iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 111 -j CT --helper nfs ");
+ }
+}
+
+# subroutine to delete helper rule from VYATTA_CT_HELPER chain.
+sub
+delete_helper_from_chain {
+ my ($module) = @_;
+ my $iptables_cmd = $cmd_hash {'ipv4'};
+ if ($module eq 'sqlnet') {
+# run_cmd (" $iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 1521 -j CT --helper oracletns ");
+ print " $iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 1521 -j CT --helper oracletns \n";
+# run_cmd (" $iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 1525 -j CT --helper oracletns ");
+ print " $iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 1525 -j CT --helper oracletns \n";
+ } elsif ($module eq 'nfs') {
+ print " $iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 111 -j CT --helper nfs \n";
+# run_cmd (" $iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 111 -j CT --helper nfs ");
+ }
+}
+
+# should disable the required helper module
+sub disable_helper_module {
+ my ($module) = @_;
+
+ print "disable $module\n";
+ delete_helper_from_chain($module);
+}
+
+# should enable the required helper module
+sub enable_helper_module {
+ my ($module) = @_;
+
+ print "enable $module\n";
+ add_helper_to_chain($module);
+}
+
+if (defined $enable_sqlnet){
+ enable_helper_module("sqlnet");
+} elsif (defined $disable_sqlnet) {
+ disable_helper_module("sqlnet");
+} elsif (defined $enable_nfs) {
+ enable_helper_module("nfs");
+} elsif (defined $disable_nfs) {
+ disable_helper_module("nfs");
+}
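Review bot: The `run_cmd` calls in add_helper_to_chain and delete_helper_from_chain are commented out and only the `print` lines remain, so the script invoked from the node.def `end:` actions never touches the VYATTA_CT_HELPER chain and always exits 0; if this is deliberate scaffolding, say so in a header comment (`# TODO: rules are printed, not applied, until run_cmd is re-enabled`), otherwise restore the `run_cmd` lines and check their return so a failed rule insert surfaces as a non-zero exit. The return value of `GetOptions` is also ignored, and the `=s` option values (`$enable_nfs` etc.) are never read, so any value is accepted; either drop the `=s` or validate the value against the module name. `$nfct`, `$CTERROR` and the `ipv6` entry of `%cmd_hash` are declared but unused, which the "for future" comment only partly explains.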
diff --git a/templates-cfg/system/conntrack/modules/nfs/disable/node.def b/templates-cfg/system/conntrack/modules/nfs/disable/node.def
new file mode 100644
index 0000000..90f9103
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/nfs/disable/node.def
@@ -0,0 +1,7 @@
+help: disable NFS protocol connection tracking helper
+
+end: if [ ${COMMIT_ACTION} = 'DELETE' ]; then
+ sudo /opt/vyatta/bin/sudo-users/vyatta-cthelper.pl --enable_nfs=nfs
+ else
+ sudo /opt/vyatta/bin/sudo-users/vyatta-cthelper.pl --disable_nfs=nfs
+ fi;
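Review bot: `[ ${COMMIT_ACTION} = 'DELETE' ]` leaves the variable unquoted, so if `COMMIT_ACTION` is ever empty or unset the test becomes `[ = 'DELETE' ]` and fails with a syntax error rather than taking the else branch; quote it as `if [ "${COMMIT_ACTION}" = 'DELETE' ]; then`. The same applies to the sqlnet node.def in this commit. The exit status of the `sudo ... vyatta-cthelper.pl` calls is also not propagated, so a failing helper script would not fail the commit; whether the template framework treats the last command's status as the action result should be confirmed.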
diff --git a/templates-cfg/system/conntrack/modules/sqlnet/disable/node.def b/templates-cfg/system/conntrack/modules/sqlnet/disable/node.def
new file mode 100644
index 0000000..aac316b
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/sqlnet/disable/node.def
@@ -0,0 +1,7 @@
+help: disable SQLnet protocol connection tracking helper
+
+end: if [ ${COMMIT_ACTION} = 'DELETE' ]; then
+ sudo /opt/vyatta/bin/sudo-users/vyatta-cthelper.pl --enable_sqlnet=sqlnet
+ else
+ sudo /opt/vyatta/bin/sudo-users/vyatta-cthelper.pl --disable_sqlnet=sqlnet
+ fi;