author | Gaurav Sinha <gaurav.sinha@vyatta.com> | 2012-08-07 11:39:33 -0700 |
committer | Gaurav Sinha <gaurav.sinha@vyatta.com> | 2012-08-07 11:39:33 -0700 |
commit | 058c232c602003198ff8f01439c349985ddf0fe5 (patch) | |
tree | 299f3330153aff6e15b7642040175fb07faed834 | |
parent | c5034d9090283e617193eb55c53427d4a773e4fa (diff) | |
download | vyatta-conntrack-058c232c602003198ff8f01439c349985ddf0fe5.tar.gz vyatta-conntrack-058c232c602003198ff8f01439c349985ddf0fe5.zip |
fix rule deletion and modification
-rw-r--r-- | lib/Vyatta/Conntrack/RuleIgnore.pm | 7 | ||||
-rw-r--r-- | scripts/vyatta-conntrack-ignore.pl | 60 |
2 files changed, 30 insertions, 37 deletions
diff --git a/lib/Vyatta/Conntrack/RuleIgnore.pm b/lib/Vyatta/Conntrack/RuleIgnore.pm
index 3ff0211..fcb1c6b 100644
--- a/lib/Vyatta/Conntrack/RuleIgnore.pm
+++ b/lib/Vyatta/Conntrack/RuleIgnore.pm
@@ -1,8 +1,3 @@
-#
-# The timeouts are implemented using nfct-timeout policies that are
-# later applied to the corresponding iptables rules. The rules and
-# policies are distinguished based on the rule number.
-
 package Vyatta::Conntrack::RuleIgnore;
 use strict;
@@ -50,7 +45,6 @@ sub rule {
 $rule .= " -p $self->{_protocol}";
 }
 $rule .= " $srcrule $dstrule ";
- print "rule is $rule\n";
 return $rule;
 }
@@ -72,6 +66,7 @@ sub setup_base {
 $config->setLevel("$level");
 $self->{_comment} = $level;
 $self->{_rule_number} = $config->returnParent("..");
+ $self->{_interface} = $config->$val_func("inbound-interface");
 $src->$addr_setup("$level source");
 $src->{_protocol} = $self->{_protocol};#needed to use address filter
diff --git a/scripts/vyatta-conntrack-ignore.pl b/scripts/vyatta-conntrack-ignore.pl
index a7bdd37..701c8b8 100644
--- a/scripts/vyatta-conntrack-ignore.pl
+++ b/scripts/vyatta-conntrack-ignore.pl
@@ -13,7 +13,7 @@ use Getopt::Long;
 use Vyatta::Zone;
 use Sys::Syslog qw(:standard :macros);
-#for future use when v6 timeouts need to be set
+#for future use when v6 ignore s need to be set
 my %cmd_hash = ( 'ipv4' => 'iptables', 'ipv6' => 'ip6tables');
 # Enable printing debug output to stdout.
@@ -23,7 +23,7 @@ my $debug_flag = 0;
 my $syslog_flag = 0;
 my $nfct = "sudo /usr/sbin/nfct";
 my ($create, $delete, $update);
-my $CTERROR = "Conntrack timeout error:";
+my $CTERROR = "Conntrack ignore error:";
 GetOptions("create=s" => \$create,
 "delete=s" => \$delete,
 "update=s" => \$update,
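Review bot: The new `$self->{_interface}` assignment in setup_base stores the configured inbound-interface, but `rule()` as shown in the @@ -50 hunk assembles the rule only from the protocol, `$srcrule` and `$dstrule`, so unless another method consumes the field the generated iptables rule matches traffic on every interface. If that is intended, a comment on the new line saying so would help; otherwise rule() should emit an interface match, e.g. `$rule .= " -i $self->{_interface}" if defined $self->{_interface};`. Because the value is later interpolated into an iptables command string, it is worth confirming it is validated as an interface name before use (the script's do_interface_check may do this, but it is not visible here). setup_base's body continues outside the hunk.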
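Review bot: The rewritten comment `#for future use when v6 ignore s need to be set` has a stray space and reads oddly; `#for future use when v6 ignore rules need to be set` says what is meant. The `%cmd_hash` it annotates is unchanged in this hunk.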
@@ -35,48 +35,46 @@ openlog("vyatta-conntrack", "pid", "local0");
 sub remove_ignore_policy {
 my ($rule_string) = @_;
-# my $iptables_cmd1 = "iptables -D VYATTA_CT_TIMEOUT -t raw $rule_string -j CT --timeout $tokens[0]";
- # my $iptables_cmd2 = "iptables -D VYATTA_CT_TIMEOUT -t raw $rule_string -j RETURN";
- # run_cmd($iptables_cmd2);
- # if ($? >> 8) {
- # print "$CTERROR failed to run $iptables_cmd2\n";
+ my $iptables_cmd1 = "iptables -D VYATTA_CT_IGNORE -t raw $rule_string -j NOTRACK";
+ my $iptables_cmd2 = "iptables -D VYATTA_CT_IGNORE -t raw $rule_string -j RETURN";
+ run_cmd($iptables_cmd2);
+ if ($? >> 8) {
+ print "$CTERROR failed to run $iptables_cmd2\n";
 #dont exit, try to clean as much.
- # }
- # run_cmd($iptables_cmd1);
- # if ($? >> 8) {
- # print "$CTERROR failed to run $iptables_cmd1\n";
- # }
+ }
+ run_cmd($iptables_cmd1);
+ if ($? >> 8) {
+ print "$CTERROR failed to run $iptables_cmd1\n";
+ }
 }
 sub apply_ignore_policy {
- # my ($rule_string, $timeout_policy, $rule, $num_rules) = @_;
 # insert at num_rules + 1 as there are so many rules already.
- # my $iptables_cmd1 = "iptables -I VYATTA_CT_TIMEOUT $num_rules -t raw $rule_string -j CT --timeout $tokens[0]";
- # $num_rules +=1;
- # my $iptables_cmd2 = "iptables -I VYATTA_CT_TIMEOUT $num_rules -t raw $rule_string -j RETURN";
- # run_cmd($nfct_timeout_cmd);
- # if ($? >> 8) {
- # print "$CTERROR failed to run $nfct_timeout_cmd\n";
- # exit 1;
- # }
- # run_cmd($iptables_cmd1);
- # if ($? >> 8) {
- # #cleanup the policy before exit.
- # run_cmd("nfct timeout delete policy_timeout_$rule");
- # print "$CTERROR failed to run $iptables_cmd1\n";
- # exit 1;
- # }
+ my ($rule_string, $rule, $num_rules) = @_;
+ # insert at num_rules + 1 as there are so many rules already.
+ my $iptables_cmd1 = "iptables -I VYATTA_CT_IGNORE $num_rules -t raw $rule_string -j NOTRACK";
+ $num_rules +=1;
+ my $iptables_cmd2 = "iptables -I VYATTA_CT_IGNORE $num_rules -t raw $rule_string -j RETURN";
+ run_cmd($iptables_cmd1);
+ if ($? >> 8) {
+ print "$CTERROR failed to run $iptables_cmd1\n";
+ exit 1;
+ }
+ run_cmd($iptables_cmd2);
+ if ($? >> 8) {
+ print "$CTERROR failed to run $iptables_cmd2\n";
+ exit 1;
+ }
 }
 sub handle_rule_creation {
 my ($rule, $num_rules) = @_;
 my $node = new Vyatta::Conntrack::RuleIgnore;
- my ($rule_string, $timeout_policy);
+ my ($rule_string);
 do_interface_check($rule);
 $node->setup("system conntrack ignore rule $rule");
 $rule_string = $node->rule();
- #apply_ignore_policy($rule_string, $rule, $num_rules);
+ apply_ignore_policy($rule_string, $rule, $num_rules);
 }
 # mandate only one interface configuration per rule |
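Review bot: In `apply_ignore_policy`, when `$iptables_cmd2` (the RETURN rule) fails after `$iptables_cmd1` has already succeeded, the script exits and leaves the NOTRACK rule inserted in VYATTA_CT_IGNORE without its matching RETURN, so the chain is left half-configured and a later `remove_ignore_policy` will report a failure on the RETURN deletion it never inserted. The commented-out code this replaces cleaned up before exiting; the new branch should do the same by adding `run_cmd("iptables -D VYATTA_CT_IGNORE -t raw $rule_string -j NOTRACK");` before its `exit 1;`. Both subs also build the command by interpolating `$rule_string` into one string; `run_cmd` is defined outside this hunk, so if it hands that string to a shell, every configured value that reaches the rule string is interpreted by the shell, and passing the program and arguments as a list would be the safer shape. The new lines hard-code `iptables` rather than selecting from `%cmd_hash`, so the IPv6 path the earlier comment anticipates would still invoke the IPv4 binary.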