author | Gaurav Sinha <gaurav.sinha@vyatta.com> | 2012-05-14 13:53:31 -0700 |
committer | Gaurav Sinha <gaurav.sinha@vyatta.com> | 2012-05-14 13:53:31 -0700 |
commit | 9c903ba22d8aae4ef42bbd989194e6bdf2780be1 (patch) | |
tree | 33ecf657df35c2a5a6297d9dc390d19a86ad57d4 | |
parent | 1beb14e6dfb50c41b5b612b6696ab68e237d7ed3 (diff) | |
download | vyatta-conntrack-9c903ba22d8aae4ef42bbd989194e6bdf2780be1.tar.gz vyatta-conntrack-9c903ba22d8aae4ef42bbd989194e6bdf2780be1.zip |
add vyatta-cthelper.pl, disable nodes, add/remove functions for chain
-rw-r--r-- | scripts/vyatta-cthelper.pl | 84 | ||||
-rw-r--r-- | templates-cfg/system/conntrack/modules/nfs/disable/node.def | 7 | ||||
-rw-r--r-- | templates-cfg/system/conntrack/modules/sqlnet/disable/node.def | 7 |
3 files changed, 98 insertions, 0 deletions
diff --git a/scripts/vyatta-cthelper.pl b/scripts/vyatta-cthelper.pl
new file mode 100644
index 0000000..f038037
--- /dev/null
+++ b/scripts/vyatta-cthelper.pl
@@ -0,0 +1,84 @@
+#!/usr/bin/perl
+
+use lib "/opt/vyatta/share/perl5";
+use warnings;
+use strict;
+
+use Vyatta::Config;
+use Vyatta::Conntrack::ConntrackUtil;
+use Vyatta::IpTables::Mgr;
+use Getopt::Long;
+use Sys::Syslog qw(:standard :macros);
+
+
+#for future
+my %cmd_hash = ( 'ipv4' => 'iptables',
+ 'ipv6' => 'ip6tables');
+
+my $nfct = "sudo /opt/vyatta/sbin/nfct";
+my ($enable_sqlnet, $disable_sqlnet, $enable_nfs, $disable_nfs);
+my $CTERROR = "Conntrack error:";
+
+GetOptions('enable_sqlnet=s' => \$enable_sqlnet,
+ 'disable_sqlnet=s' => \$disable_sqlnet,
+ 'disable_nfs=s' => \$disable_nfs,
+ 'enable_nfs=s' => \$enable_nfs,
+);
+
+# subroutine to add helper rule to VYATTA_CT_HELPER chain.
+sub
+add_helper_to_chain {
+ my ($module) = @_;
+ my $iptables_cmd = $cmd_hash {'ipv4'};
+ if ($module eq 'sqlnet') {
+# run_cmd (" $iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 1521 -j CT --helper oracletns ");
+ print " $iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 1521 -j CT --helper oracletns \n";
+# run_cmd (" $iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 1525 -j CT --helper oracletns ");
+ print " $iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 1525 -j CT --helper oracletns \n";
+ } elsif ($module eq 'nfs') {
+ print " $iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 111 -j CT --helper nfs \n";
+# run_cmd (" $iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 111 -j CT --helper nfs ");
+ }
+}
+
+# subroutine to delete helper rule from VYATTA_CT_HELPER chain.
+sub
+delete_helper_from_chain {
+ my ($module) = @_;
+ my $iptables_cmd = $cmd_hash {'ipv4'};
+ if ($module eq 'sqlnet') {
+# run_cmd (" $iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 1521 -j CT --helper oracletns ");
+ print " $iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 1521 -j CT --helper oracletns \n";
+# run_cmd (" $iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 1525 -j CT --helper oracletns ");
+ print " $iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 1525 -j CT --helper oracletns \n";
+ } elsif ($module eq 'nfs') {
+ print " $iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 111 -j CT --helper nfs \n";
+# run_cmd (" $iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 111 -j CT --helper nfs ");
+ }
+}
+
+# should disable the required helper module
+sub disable_helper_module {
+ my ($module) = @_;
+
+ print "disable $module\n";
+ delete_helper_from_chain($module);
+}
+
+# should enable the required helper module
+sub enable_helper_module {
+ my ($module) = @_;
+
+ print "enable $module\n";
+ add_helper_to_chain($module);
+}
+
+if (defined $enable_sqlnet){
+ enable_helper_module("sqlnet");
+} elsif (defined $disable_sqlnet) {
+ disable_helper_module("sqlnet");
+} elsif (defined $enable_nfs) {
+ enable_helper_module("nfs");
+} elsif (defined $disable_nfs) {
+ disable_helper_module("nfs");
+}
diff --git a/templates-cfg/system/conntrack/modules/nfs/disable/node.def b/templates-cfg/system/conntrack/modules/nfs/disable/node.def
new file mode 100644
index 0000000..90f9103
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/nfs/disable/node.def
@@ -0,0 +1,7 @@
+help: disable NFS protocol connection tracking helper
+
+end: if [ ${COMMIT_ACTION} = 'DELETE' ]; then
+ sudo /opt/vyatta/bin/sudo-users/vyatta-cthelper.pl --enable_nfs=nfs
+ else
+ sudo /opt/vyatta/bin/sudo-users/vyatta-cthelper.pl --disable_nfs=nfs
+ fi;
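Review bot: Every `run_cmd` call in `add_helper_to_chain` and `delete_helper_from_chain` is commented out, so the script only prints the iptables rule it would apply and never touches the VYATTA_CT_HELPER chain; since the new node.def `end:` actions invoke this script through sudo, disabling or re-enabling a helper currently has no effect on conntrack. If this is a deliberate stub, a header comment such as `# TODO: rule application is stubbed out; run_cmd calls are disabled and the commands are only printed` would make that explicit to whoever wires it up. When the calls are restored, note that `-I` inserts a fresh rule on every enable while `-D` removes only one matching rule, so repeated commits would likely accumulate duplicates unless the insert is guarded by an `iptables -C` check or the chain is flushed first. The `--enable_*=s` / `--disable_*=s` option values are never read — the dispatch at the bottom tests only `defined` — so plain boolean options would describe the interface more honestly. `Vyatta::Config`, `Vyatta::Conntrack::ConntrackUtil`, `Sys::Syslog`, `$nfct` and `$CTERROR` are imported or declared but unused.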
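Review bot: `${COMMIT_ACTION}` is unquoted inside `[ ... ]` in the `end:` action, so if the variable is ever empty the test becomes `[ = 'DELETE' ]`, which `[` rejects as an error that evaluates false and silently falls through to the disable branch; `if [ "${COMMIT_ACTION}" = 'DELETE' ]; then` avoids that. The Vyatta commit framework normally sets this variable, so the risk is mostly when the action is run by hand, but quoting costs nothing. The same applies to templates-cfg/system/conntrack/modules/sqlnet/disable/node.def. The `=nfs` value passed to `--enable_nfs` / `--disable_nfs` is not read by the script, which switches on which option is present, so the argument is misleading unless the script is changed to use it.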
diff --git a/templates-cfg/system/conntrack/modules/sqlnet/disable/node.def b/templates-cfg/system/conntrack/modules/sqlnet/disable/node.def
new file mode 100644
index 0000000..aac316b
--- /dev/null
+++ b/templates-cfg/system/conntrack/modules/sqlnet/disable/node.def
@@ -0,0 +1,7 @@
+help: disable SQLnet protocol connection tracking helper
+
+end: if [ ${COMMIT_ACTION} = 'DELETE' ]; then
+ sudo /opt/vyatta/bin/sudo-users/vyatta-cthelper.pl --enable_sqlnet=sqlnet
+ else
+ sudo /opt/vyatta/bin/sudo-users/vyatta-cthelper.pl --disable_sqlnet=sqlnet
+ fi; |