authorGaurav Sinha <gaurav.sinha@vyatta.com>2012-09-04 11:30:53 -0700
committerGaurav Sinha <gaurav.sinha@vyatta.com>2012-09-04 11:30:53 -0700
commit9dc90a9ea4d350fbee1c44a5e87f880e7bb0cefa (patch)
treef0a1957634ae4bdd19a9e2bb9f9667eb94f19a33
parent876df3f051021688ac8fa3ab7389b26c299acb2b (diff)
downloadvyatta-conntrack-9dc90a9ea4d350fbee1c44a5e87f880e7bb0cefa.tar.gz
vyatta-conntrack-9dc90a9ea4d350fbee1c44a5e87f880e7bb0cefa.zip
Fixing rule minimal checks, fixing tcp / udp checks
-rw-r--r--lib/Vyatta/Conntrack/RuleIgnore.pm20
-rw-r--r--scripts/vyatta-conntrack-ignore.pl18
2 files changed, 25 insertions, 13 deletions
diff --git a/lib/Vyatta/Conntrack/RuleIgnore.pm b/lib/Vyatta/Conntrack/RuleIgnore.pm
index 9127fa2..7c3f668 100644
--- a/lib/Vyatta/Conntrack/RuleIgnore.pm
+++ b/lib/Vyatta/Conntrack/RuleIgnore.pm
@@ -27,7 +27,7 @@ sub rule {
# set CLI rule num as comment
my @level_nodes = split (' ', $self->{_comment});
$rule .= " -m comment --comment \"$level_nodes[2]-$level_nodes[4]\" ";
-
+
if (defined($self->{_interface})) {
$rule .= " -i $self->{_interface} ";
}
@@ -49,6 +49,7 @@ sub rule {
$rule .= " -p $self->{_protocol}";
}
}
+
$rule .= " $srcrule $dstrule ";
return $rule;
}
@@ -76,15 +77,22 @@ sub setup_base {
$src->$addr_setup("$level source");
$src->{_protocol} = $self->{_protocol};#needed to use address filter
- if (($src->{_protocol}) and (($src->{_protocol} ne 'tcp') or ($src->{_protocol} ne 'udp')) and (defined($src->{_port})) ) {
- die "Error: Cannot specify port with protocol $src->{_protocol}\n";
+
+ my $rule = $self->{_rule_number};
+ if (($src->{_port})) {
+ if (($src->{_protocol} ne 'udp') and ($src->{_protocol} ne 'tcp')) {
+ die "Error: port requires tcp / udp as protocol in rule $rule\n";
+ }
}
+
$dst->$addr_setup("$level destination");
$dst->{_protocol} = $self->{_protocol};#needed to use address filter
- if (($dst->{_protocol}) and (($dst->{_protocol} ne 'tcp') or ($dst->{_protocol} ne 'udp')) and (defined($dst->{_port})) ) {
- die "Error: Cannot specify port with protocol $dst->{_protocol}\n";
- }
+ if (($dst->{_port})) {
+ if (($dst->{_protocol} ne 'udp') and ($dst->{_protocol} ne 'tcp')) {
+ die "Error: port requires tcp / udp as protocol in rule $rule\n";
+ }
+ }
return 0;
}
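Review bot: The new port check under `if (($src->{_port}))` compares `$src->{_protocol}` with `ne` without first testing that it is defined, so a rule that sets a port but no protocol dies with the intended message but, if this module runs under `use warnings`, first emits an "uninitialized value" warning (the removed condition tested `$src->{_protocol}` before comparing). Guard it explicitly, e.g. replace the inner `if` with `unless (defined $src->{_protocol} and ($src->{_protocol} eq 'tcp' or $src->{_protocol} eq 'udp')) {`, and the same for the `$dst` block. The `$src` and `$dst` blocks are otherwise identical (both copy `$self->{_protocol}`), so a small private helper taking the address object would keep the two messages and conditions from drifting. setup_base begins outside the hunk.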
diff --git a/scripts/vyatta-conntrack-ignore.pl b/scripts/vyatta-conntrack-ignore.pl
index 701c8b8..37a1534 100644
--- a/scripts/vyatta-conntrack-ignore.pl
+++ b/scripts/vyatta-conntrack-ignore.pl
@@ -71,26 +71,30 @@ sub handle_rule_creation {
my $node = new Vyatta::Conntrack::RuleIgnore;
my ($rule_string);
- do_interface_check($rule);
+ do_minimalrule_check($rule);
$node->setup("system conntrack ignore rule $rule");
$rule_string = $node->rule();
apply_ignore_policy($rule_string, $rule, $num_rules);
}
-# mandate only one interface configuration per rule
-sub do_interface_check {
+# mandate atleast inbound interface / source ip / dest ip or protocol per rule
+sub do_minimalrule_check {
my ($rule) = @_;
my $config = new Vyatta::Config;
- my $intf_nos = $config->listNodes("system conntrack ignore rule $rule inbound-interface");
- if (($intf_nos > 1)) {
- Vyatta::Config::outputError(["Conntrack"], "Conntrack config error: configure at most one inbound interface in rule $rule");
+ my $intf = $config->exists("system conntrack ignore rule $rule inbound-interface");
+ my $src = $config->exists("system conntrack ignore rule $rule source address");
+ my $dst = $config->exists("system conntrack ignore rule $rule destination address");
+ my $protocol = $config->exists("system conntrack ignore rule $rule protocol");
+
+ if ( (!$intf) and (!$src) and (!$dst) and (!$protocol)) {
+ Vyatta::Config::outputError(["Conntrack"], "Conntrack config error: No inbound-interface, source / destination address, protocol found in rule @_ ");
exit 1;
}
}
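Review bot: The message on the `outputError` line interpolates `@_` instead of `$rule`; because `my ($rule) = @_` does not shift, it prints the rule number today, but any extra argument passed later would be printed too, and it leaves a trailing space before the closing quote — use `... protocol found in rule $rule");`. The replaced check also drops the at-most-one inbound-interface validation; if the schema allows more than one value on that node, `rule()` in RuleIgnore.pm still emits a single `-i $self->{_interface}`, so confirm the node is single-valued or keep that check alongside the new one. The comment should read `at least` rather than `atleast`.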
sub handle_rule_modification {
my ($rule, $num_rules) = @_;
- do_interface_check($rule);
+ do_minimalrule_check($rule);
handle_rule_deletion($rule);
handle_rule_creation($rule, $num_rules);
}