authorDaniil Baturin <daniil.baturin@vyatta.com>2011-11-23 21:25:23 +0700
committerDaniil Baturin <daniil.baturin@vyatta.com>2011-11-23 21:25:23 +0700
commitfd1ffdcc7d692e1c2bebf4cd4d20c4688cfdca5a (patch)
treed02006940fafa4653ea933dc1d8d2cc5c6e2ffa0
parent94e02c7f23d814c16f3854ec756e27ddcd0c4b27 (diff)
parent993107b2d411024acc3491d22a8e6aa47adde66b (diff)
Merge branch 'oxnard' of git.vyatta.com:/git/vyatta-conntrack into oxnard
Conflicts: Makefile.am
-rw-r--r--Makefile.am10
-rw-r--r--debian/changelog50
-rwxr-xr-xscripts/vyatta-delete-conntrack.pl329
-rwxr-xr-xscripts/vyatta-show-conntrack.pl340
-rw-r--r--templates-op/delete/conntrack/node.def1
-rw-r--r--templates-op/delete/conntrack/table/ipv4/conn-id/node.def1
-rw-r--r--templates-op/delete/conntrack/table/ipv4/conn-id/node.tag/node.def3
-rw-r--r--templates-op/delete/conntrack/table/ipv4/node.def1
-rw-r--r--templates-op/delete/conntrack/table/ipv4/source/node.def1
-rw-r--r--templates-op/delete/conntrack/table/ipv4/source/node.tag/destination/node.def1
-rw-r--r--templates-op/delete/conntrack/table/ipv4/source/node.tag/destination/node.tag/node.def3
-rw-r--r--templates-op/delete/conntrack/table/ipv4/source/node.tag/node.def3
-rw-r--r--templates-op/delete/conntrack/table/ipv6/conn-id/node.def1
-rw-r--r--templates-op/delete/conntrack/table/ipv6/conn-id/node.tag/node.def3
-rw-r--r--templates-op/delete/conntrack/table/ipv6/node.def1
-rw-r--r--templates-op/delete/conntrack/table/ipv6/source/node.def1
-rw-r--r--templates-op/delete/conntrack/table/ipv6/source/node.tag/destination/node.def1
-rw-r--r--templates-op/delete/conntrack/table/ipv6/source/node.tag/destination/node.tag/node.def3
-rw-r--r--templates-op/delete/conntrack/table/ipv6/source/node.tag/node.def3
-rw-r--r--templates-op/delete/conntrack/table/node.def1
-rw-r--r--templates-op/show/conntrack/node.def1
-rw-r--r--templates-op/show/conntrack/table/ipv4/node.def2
-rw-r--r--templates-op/show/conntrack/table/ipv4/source/node.def1
-rw-r--r--templates-op/show/conntrack/table/ipv4/source/node.tag/destination/node.def3
-rw-r--r--templates-op/show/conntrack/table/ipv4/source/node.tag/destination/node.tag/node.def3
-rw-r--r--templates-op/show/conntrack/table/ipv4/source/node.tag/node.def3
-rw-r--r--templates-op/show/conntrack/table/ipv6/node.def2
-rw-r--r--templates-op/show/conntrack/table/ipv6/source/node.def1
-rw-r--r--templates-op/show/conntrack/table/ipv6/source/node.tag/destination/node.def3
-rw-r--r--templates-op/show/conntrack/table/ipv6/source/node.tag/destination/node.tag/node.def3
-rw-r--r--templates-op/show/conntrack/table/ipv6/source/node.tag/node.def3
-rw-r--r--templates-op/show/conntrack/table/node.def1
32 files changed, 782 insertions, 1 deletions
diff --git a/Makefile.am b/Makefile.am
index eec3ae8..94c39d5 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,11 +1,17 @@
cfgdir = $(datadir)/vyatta-cfg/templates
+opdir = $(datadir)/vyatta-op/templates
curverdir = $(sysconfdir)/config-migrate/current
modprobedir = /etc/modprobe.d
-checkparamsonrebootdir = $(bindir)/sudo-users/check-params-on-reboot.d
+checkparamsonrebootdir = $(bindir)/sudo-users/check-params-on-reboot.d
checkparamsonreboot_SCRIPTS =
checkparamsonreboot_SCRIPTS += scripts/check-params-on-reboot.d/conntrack-hash-size
+bin_sudo_usersdir = $(bindir)/sudo-users
+bin_sudo_users_SCRIPTS = scripts/vyatta-show-conntrack.pl
+bin_sudo_users_SCRIPTS += scripts/vyatta-delete-conntrack.pl
+
+
curver_DATA = cfg-version/conntrack@1
modprobe_DATA = etc/modprobe.d/vyatta_nf_conntrack.conf
@@ -16,3 +22,5 @@ cpiop = find . ! -regex '\(.*~\|.*\.bak\|.*\.swp\|.*\#.*\#\)' -print0 | \
install-exec-hook:
mkdir -p $(DESTDIR)$(cfgdir)
cd templates-cfg; $(cpiop) $(DESTDIR)$(cfgdir)
+ mkdir -p $(DESTDIR)$(opdir)
+ cd templates-op; $(cpiop) $(DESTDIR)$(opdir)
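Review bot: The new recipe line `cd templates-op; $(cpiop) $(DESTDIR)$(opdir)` chains with `;`, so if the `cd` fails the find/cpio pipeline still runs from the package root and copies the entire source tree into `$(DESTDIR)$(opdir)` (the pre-existing cfgdir line above it has the same shape, and the `$(cpiop)` definition starts outside this hunk). Use `cd templates-op && $(cpiop) $(DESTDIR)$(opdir)` so a missing directory aborts the install instead of installing the wrong files. In the first hunk the `checkparamsonrebootdir` line is removed and re-added with identical visible text, presumably a whitespace-only change from the merge; if so it is worth dropping from the commit to keep the diff meaningful.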
diff --git a/debian/changelog b/debian/changelog
index 3d71442..2230fd2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,53 @@
+vyatta-conntrack (0.11) unstable; urgency=low
+
+ * bug 7411: IPv6 check added to show / delete
+
+ -- Gaurav Sinha <gaurav.sinha@vyatta.com> Mon, 21 Nov 2011 15:04:09 -0800
+
+vyatta-conntrack (0.10) unstable; urgency=low
+
+ * bug 7411: IPv6 conntrack delete code, updated formatting
+
+ -- Gaurav Sinha <gaurav.sinha@vyatta.com> Thu, 17 Nov 2011 17:08:03 -0800
+
+vyatta-conntrack (0.9) unstable; urgency=low
+
+ * bug ID 7411: added output format for IPv6 show command
+
+ -- Gaurav Sinha <gaurav.sinha@vyatta.com> Thu, 17 Nov 2011 14:07:18 -0800
+
+vyatta-conntrack (0.8) unstable; urgency=low
+
+ * bug 7411:IPv6 show command: validation added
+
+ -- Gaurav Sinha <gaurav.sinha@vyatta.com> Wed, 16 Nov 2011 17:00:43 -0800
+
+vyatta-conntrack (0.7) unstable; urgency=low
+
+ * bug 7411:IPv6 show command without port
+
+ -- Gaurav Sinha <gaurav.sinha@vyatta.com> Wed, 16 Nov 2011 13:54:01 -0800
+
+vyatta-conntrack (0.6) unstable; urgency=low
+
+ * bug 7411:Added initial code for IPv6, templates and script
+
+ -- Gaurav Sinha <gaurav.sinha@vyatta.com> Wed, 16 Nov 2011 11:50:11 -0800
+
+vyatta-conntrack (0.5) unstable; urgency=low
+
+ * Bug 7411: improving validations for IPv4 address / port combinations
+ for conntrack
+
+ -- Gaurav Sinha <gaurav.sinha@vyatta.com> Tue, 15 Nov 2011 11:40:19 -0800
+
+vyatta-conntrack (0.4) unstable; urgency=low
+
+ * Bug 7411: Initial commit for conntrack entry deletion / show op mode
+ commands
+
+ -- Gaurav Sinha <gaurav.sinha@vyatta.com> Mon, 14 Nov 2011 16:33:04 -0800
+
vyatta-conntrack (0.3) unstable; urgency=low
* Remove files mistakanly inherited from vyatta-cfg-system.
diff --git a/scripts/vyatta-delete-conntrack.pl b/scripts/vyatta-delete-conntrack.pl
new file mode 100755
index 0000000..ceccdd8
--- /dev/null
+++ b/scripts/vyatta-delete-conntrack.pl
@@ -0,0 +1,329 @@
+#!/usr/bin/perl
+#
+# Module: vyatta-delete-conntrack.pl
+#
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2010 Vyatta, Inc.
+# All Rights Reserved.
+#
+# Author: Gaurav Sinha
+# Date: Oct 2011
+# Description: Script to delete conntrack entries based on the input
+# delete command.
+#
+# **** End License ****
+#
+
+use Getopt::Long;
+use warnings;
+use strict;
+use XML::Simple;
+use Data::Dumper;
+use POSIX;
+use lib "/opt/vyatta/share/perl5";
+use Vyatta::Misc;
+use Sys::Syslog qw(:standard :macros);
+use Vyatta::TypeChecker;
+
+my $format = "%-10s %-22s %-22s %-12s\n";
+my $format_IPv6 = "%-10s %-40s %-40s %-12s\n";
+
+sub add_xml_root {
+ my $xml = shift;
+
+ $xml = "<data>\n" . $xml . '</data>';
+ return $xml;
+}
+
+sub print_data_from_xml {
+ my ($data, $cache, $family) = @_;
+
+ my $flow = 0;
+
+ my %flowh;
+ my $tcount = 0;
+ print "Deleting following Conntrack entries\n\n";
+ if ($family eq 'ipv6') {
+ printf($format_IPv6, 'CONN ID', 'Source', 'Destination', 'Protocol');
+ } else {
+ printf($format, 'CONN ID', 'Source', 'Destination', 'Protocol');
+ }
+ #open syslog
+ openlog($0, "", LOG_USER);
+ while (1) {
+ my $meta = 0;
+ last if ! defined $data->{flow}[$flow];
+ my $flow_ref = $data->{flow}[$flow];
+ my $flow_type = $flow_ref->{type};
+ my (%src, %dst, %sport, %dport, %proto, %protonum, $timeout_ref, $connection_id_ref,
+ $state_connection_ref);
+ while (1) {
+ my $meta_ref = $flow_ref->{meta}[$meta];
+ last if ! defined $meta_ref;
+ my $dir = $meta_ref->{direction};
+ if ($dir eq 'original' or $dir eq 'reply') {
+ my $l3_ref = $meta_ref->{layer3}[0];
+ my $l4_ref = $meta_ref->{layer4}[0];
+ if (defined $l3_ref) {
+ $src{$dir} = $l3_ref->{src}[0];
+ $dst{$dir} = $l3_ref->{dst}[0];
+ if (defined $l4_ref) {
+ $sport{$dir} = $l4_ref->{sport}[0];
+ $dport{$dir} = $l4_ref->{dport}[0];
+ $proto{$dir} = $l4_ref->{protoname};
+ $protonum{$dir} = $l4_ref->{protonum};
+ }
+ }
+ } elsif ($dir eq 'independent') {
+ $timeout_ref = $meta_ref->{timeout}[0];
+ $connection_id_ref = $meta_ref->{id}[0];
+ $state_connection_ref = $meta_ref->{state}[0];
+ }
+ $meta++;
+ }
+ my ($proto, $protonum, $in_src, $in_dst, $out_src, $out_dst, $connection_id,
+ $timeout, $state_connection);
+ $proto = $proto{original};
+ $protonum = $protonum{original};
+ $in_src = "$src{original}";
+ $in_src .= ":$sport{original}" if defined $sport{original};
+ $in_dst = "$dst{original}";
+ $in_dst .= ":$dport{original}" if defined $dport{original};
+ $connection_id = "$connection_id_ref";
+ $timeout = "$timeout_ref";
+
+ if ($state_connection_ref) {
+ $state_connection = "$state_connection_ref";
+ }
+
+ # not using these for now
+ $out_src = "|$dst{reply}|";
+ $out_src .= ":$dport{reply}" if defined $dport{reply};
+ $out_dst = "|$src{reply}|";
+ $out_dst .= ":$sport{reply}" if defined $sport{reply};
+
+ my $protocol = $proto . ' [' . $protonum . ']';
+ if ($family eq 'ipv6') {
+ #IPv6 Addresses can be 39 chars long, so chose the format as per family
+ printf($format_IPv6, $connection_id ,$in_src, $in_dst, $protocol);
+ } else {
+ printf($format, $connection_id ,$in_src, $in_dst, $protocol);
+ }
+ syslog("info", "Deleting Conntrack entry:conn-id $connection_id, src. IP $in_src, dest. IP $in_dst, protocol $protocol");
+ $flow++;
+ }
+ #close syslog
+ closelog();
+ return $flow;
+}
+
+#
+# main
+#
+
+my ($sourceIP, $destIP, $family, $connection_ID);
+
+GetOptions("source_IP=s" => \$sourceIP,
+ "dest_IP=s" => \$destIP,
+ "family=s" => \$family,
+ "id=i" => \$connection_ID,
+);
+
+my $xs = XML::Simple->new(ForceArray => 1, KeepRoot => 0);
+my ($xml1, $xml2, $data);
+
+my $command_prefix = "sudo conntrack -D";
+my ($command, $sourcePort, $destPort);
+
+if ($family) {
+ $command .= " --family $family";
+}
+
+if (defined($connection_ID)) {
+ $command .= " -i $connection_ID";
+}
+
+if ($family eq "ipv4") {
+ if ((defined $sourceIP) and $sourceIP =~ m/:/) {
+ #IP address and port entered, are of the form IP:port
+ my @address = split(/:/, $sourceIP);
+ $sourceIP = $address[0];
+ $sourcePort = $address[1];
+
+ #Validate the entered IP and port
+ my( $success, $err ) = isValidPortNumber($sourcePort);
+ if (!(isIpAddress($sourceIP))and !($sourceIP eq "0.0.0.0")) {
+ if(!defined($success)) {
+ #both IP and port are invalid
+ die "Please enter a valid source IPv4 address and port \n";
+ } else {
+ #only IP is invalid
+ die "Please enter a valid source IPv4 address\n";
+ }
+ }
+ if(!defined($success)) {
+ #port is invalid
+ die "Please enter a valid source port \n";
+ }
+ $command .= " --orig-port-src $sourcePort";
+ }
+
+ if ((defined $destIP) and $destIP =~ m/:/) {
+ my @address = split(/:/, $destIP);
+ $destIP = $address[0];
+ $destPort = $address[1];
+
+ #Validate the entered IP and port
+ my( $success, $err ) = isValidPortNumber($destPort);
+ if (!(isIpAddress($destIP))and !($destIP eq "0.0.0.0")) {
+ if(!defined($success)) {
+ #both IP and port are invalid
+ die "Please enter a valid destination IPv4 address and port \n";
+ } else {
+ #only IP is invalid
+ die "Please enter a valid destination IPv4 address\n";
+ }
+ }
+ if(!defined($success)) {
+ #port is invalid
+ die "Please enter a valid destination port \n";
+ }
+ $command .= " --orig-port-dst $destPort";
+ }
+
+ if ((defined $sourceIP) and !($sourceIP eq "0.0.0.0")) {
+ # Check if IP address is a valid IPv4 address
+ if (!(isIpAddress($sourceIP))) {
+ die "Please enter a valid source IPv4 address\n";
+ }
+ #If IP is any, do not add anything to command.
+ $command .= " -s $sourceIP";
+ }
+
+ if ((defined $destIP) and !($destIP eq "0.0.0.0")) {
+ # Check if IP address is a valid IPv4 address
+ if (!(isIpAddress($destIP))) {
+ die "Please enter a valid destination IPv4 address\n";
+ }
+ $command .= " -d $destIP";
+ }
+} else {
+ #IPv6 code.
+ if ((defined $sourceIP) and ($sourceIP ne "0:0:0:0:0:0:0:0")) {
+ if ((($sourceIP =~ m/^\[/) and (!($sourceIP =~ m/]/))) or
+ (!($sourceIP =~ m/^\[/) and (($sourceIP =~ m/]/)))) {
+ die "Please use prescribed format for source IP: [IPv6-address]:port \n";
+ }
+ if (($sourceIP =~ m/^\[/) and ($sourceIP =~ m/]/)) {
+ # [IPv6-address]:port
+ my @address = split(/]/, $sourceIP);
+ if (@address) {
+ if(!$address[0] or !$address[1]) {
+ die "Please use prescribed format for source IP: [IPv6-address]:port \n";
+ }
+ $sourceIP = substr($address[0], 1);
+ $sourcePort = substr($address[1], 1);
+ my( $success, $err ) = isValidPortNumber($sourcePort);
+ if (validateType('ipv6', $sourceIP, 'quiet')) {
+ if ($sourceIP =~ m/[^ABCDEFabcdef0123456789:\[\]]/) {
+ die "Please enter a valid source IPv6 address\n";
+ }
+ } else {
+ if(!defined($success)) {
+ die "Please enter a valid source IPv6 address and port \n";
+ }
+ }
+ if(!defined($success)) {
+ die "Please enter a valid source port \n";
+ }
+ $command .= " --orig-port-src $sourcePort";
+ }
+ } else {
+ #IPv6-address without port
+ if (validateType('ipv6', $sourceIP, 'quiet')) {
+ if ($sourceIP =~ m/[^ABCDEFabcdef0123456789:\[\]]/) {
+ die "Please enter a valid source IPv6 address\n";
+ }
+ } else {
+ die "Please enter a valid source IPv6 address\n";
+ }
+ }
+ }
+ if ((defined $destIP) and ($destIP ne "0:0:0:0:0:0:0:0")) {
+ if ((($destIP =~ m/^\[/) and (!($destIP =~ m/]/))) or
+ (!($destIP =~ m/^\[/) and (($destIP =~ m/]/)))) {
+ die "Please use prescribed format for destination IP: [IPv6-address]:port \n";
+ }
+ if (($destIP =~ m/^\[/) and ($destIP =~ m/]/)) {
+ my @address = split(/]/, $destIP);
+ if (@address) {
+ $destIP = substr($address[0], 1);
+ $destPort = substr($address[1], 1);
+ my( $success, $err ) = isValidPortNumber($destPort);
+ if (validateType('ipv6', $destIP, 'quiet')) {
+ if ($destIP =~ m/[^ABCDEFabcdef0123456789:\[\]]/) {
+ die "Please enter a valid destination IPv6 address\n";
+ }
+ } else {
+ if(!defined($success)) {
+ die "Please enter a valid destination IPv6 address and port \n";
+ }
+ }
+ if(!defined($success)) {
+ die "Please enter a valid destination port \n";
+ }
+ #$command .= " --orig-port-dst $destPort";
+ }
+ } else {
+ #IPv6-address without port
+ if (validateType('ipv6', $destIP, 'quiet')) {
+ if ($destIP =~ m/[^ABCDEFabcdef0123456789:\[\]]/) {
+ die "Please enter a valid destination IPv6 address\n";
+ }
+ } else {
+ die "Please enter a valid destination IPv6 address\n";
+ }
+ }
+ }
+ if (($sourceIP) and ($sourceIP ne "0:0:0:0:0:0:0:0")) {
+ $command .= " -s $sourceIP";
+ }
+ if (($destIP) and ($destIP ne "0:0:0:0:0:0:0:0")) {
+ $command .= " -d $destIP";
+ }
+}
+
+$command .= " -o xml";
+if ((defined($destPort)) or (defined($sourcePort))) {
+ my $command_final = $command_prefix." -p tcp".$command;
+ $xml1 = `$command_final 2> /dev/null`;
+
+ #Execute the command for UDP as well.
+ $command_final = $command_prefix." -p udp".$command;
+ $xml2 = `$command_final 2> /dev/null`;
+} else {
+ my $command_final = $command_prefix.$command;
+ $xml1 = `$command_final 2> /dev/null`;
+}
+# print data received from conntrack command as xml.
+if ($xml1) {
+ $xml1 = add_xml_root($xml1);
+ $data = $xs->XMLin($xml1);
+ print_data_from_xml($data, "", $family);
+}
+if ($xml2) {
+ $xml2 = add_xml_root($xml2);
+ $data = $xs->XMLin($xml2);
+ print_data_from_xml($data, "", $family);
+}
+# end of file
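Review bot: In the IPv6 branch an address that fails `validateType('ipv6', ...)` is only rejected when the port is also invalid: the `else` blocks after the source and destination `validateType` calls contain nothing but `if(!defined($success)) { die ... }`, so with a valid port the unvalidated `$sourceIP`/`$destIP` falls through, is appended as ` -s`/` -d`, and is handed to the shell by the backtick call that runs `sudo conntrack -D`. Add `die "Please enter a valid source IPv6 address\n";` (and the destination equivalent) as the last statement of each of those `else` blocks so a value that fails validation never reaches `$command`; vyatta-show-conntrack.pl has the same gap in its IPv6 checks. `$family` is interpolated into ` --family $family` after only a truthiness test, so add `die "Please enter a valid address family\n" unless defined $family and $family =~ /^ipv[46]$/;` before the `if ($family eq "ipv4")` branch (the show script builds ` --family $family` with no check at all). Separately, `#$command .= " --orig-port-dst $destPort";` is commented out in the IPv6 destination branch, so a delete with `[addr]:port` validates the port but then deletes every entry to that address regardless of port, which is broader than the operator asked for; either restore the line or reject the port form for IPv6 destinations until it is wired through.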
diff --git a/scripts/vyatta-show-conntrack.pl b/scripts/vyatta-show-conntrack.pl
new file mode 100755
index 0000000..17457b1
--- /dev/null
+++ b/scripts/vyatta-show-conntrack.pl
@@ -0,0 +1,340 @@
+#!/usr/bin/perl
+#
+# Module: vyatta-show-conntrack.pl
+#
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2010 Vyatta, Inc.
+# All Rights Reserved.
+#
+# Author: Gaurav Sinha
+# Date: Oct 2011
+# Description: Script to show conntrack entries based on the input
+# show command.
+#
+# **** End License ****
+#
+use Getopt::Long;
+use XML::Simple;
+use Data::Dumper;
+use POSIX;
+use lib "/opt/vyatta/share/perl5";
+use Vyatta::Misc;
+use warnings;
+use strict;
+use Switch;
+use Vyatta::TypeChecker;
+
+my $format = "%-10s %-22s %-22s %-12s %-20s\n";
+my $format_IPv6 = "%-10s %-40s %-40s %-12s %-20s\n";
+
+sub print_xml {
+ my ($data, $cache, $family) = @_;
+ my $flow = 0;
+
+ my %flowh;
+ my $tcount = 0;
+ while (1) {
+ my $meta = 0;
+ last if ! defined $data->{flow}[$flow];
+ my $flow_ref = $data->{flow}[$flow];
+ my $flow_type = $flow_ref->{type};
+ my (%src, %dst, %sport, %dport, %proto, %protonum, $timeout_ref, $connection_id_ref,
+ $state_connection_ref);
+ while (1) {
+ my $meta_ref = $flow_ref->{meta}[$meta];
+ last if ! defined $meta_ref;
+ my $dir = $meta_ref->{direction};
+ if ($dir eq 'original' or $dir eq 'reply') {
+ my $l3_ref = $meta_ref->{layer3}[0];
+ my $l4_ref = $meta_ref->{layer4}[0];
+ if (defined $l3_ref) {
+ $src{$dir} = $l3_ref->{src}[0];
+ $dst{$dir} = $l3_ref->{dst}[0];
+ if (defined $l4_ref) {
+ $sport{$dir} = $l4_ref->{sport}[0];
+ $dport{$dir} = $l4_ref->{dport}[0];
+ $proto{$dir} = $l4_ref->{protoname};
+ $protonum{$dir} = $l4_ref->{protonum};
+ }
+ }
+ } elsif ($dir eq 'independent') {
+ $timeout_ref = $meta_ref->{timeout}[0];
+ $connection_id_ref = $meta_ref->{id}[0];
+ $state_connection_ref = $meta_ref->{state}[0];
+ }
+ $meta++;
+ }
+ my ($proto, $protonum, $in_src, $in_dst, $out_src, $out_dst, $connection_id,
+ $timeout, $state_connection);
+ $proto = $proto{original};
+ $protonum = $protonum{original};
+ $in_src = "$src{original}";
+ $in_src .= ":$sport{original}" if defined $sport{original};
+ $in_dst = "$dst{original}";
+ $in_dst .= ":$dport{original}" if defined $dport{original};
+ $connection_id = "$connection_id_ref";
+ $timeout = "$timeout_ref";
+
+ if ($state_connection_ref) {
+ $state_connection = "$state_connection_ref";
+ }
+
+ # not using these for now
+ $out_src = "|$dst{reply}|";
+ $out_src .= ":$dport{reply}" if defined $dport{reply};
+ $out_dst = "|$src{reply}|";
+ $out_dst .= ":$sport{reply}" if defined $sport{reply};
+
+ my $protocol = $proto . ' [' . $protonum . ']';
+ if ($state_connection) {
+ switch($state_connection) {
+ case ("ESTABLISHED") {
+ $protocol .= " ES";
+ }
+ case ("SYN_SENT") {
+ $protocol .= " SS";
+ }
+ case ("SYN_RECV") {
+ $protocol .= " SR";
+ }
+ case ("FIN_WAIT") {
+ $protocol .= " FW";
+ }
+ case ("CLOSE_WAIT") {
+ $protocol .= " CW";
+ }
+ case ("LAST_ACK") {
+ $protocol .= " LA";
+ }
+ case ("TIME_WAIT") {
+ $protocol .= " TW";
+ }
+ case ("CLOSED") {
+ $protocol .= " CL";
+ }
+ case ("LISTEN") {
+ $protocol .= " LI";
+ }
+ }
+ }
+ if ( $family eq 'ipv6') {
+ #IPv6 Addresses can be 39 chars long, so chose the format as per family
+ printf($format_IPv6, $connection_id ,$in_src, $in_dst, $protocol, $timeout);
+ } else {
+ printf($format, $connection_id ,$in_src, $in_dst, $protocol, $timeout);
+ }
+ $flow++;
+ }
+ return $flow;
+}
+
+#
+# main
+#
+
+my ($sourceIP, $destIP, $family);
+
+GetOptions("source_IP=s" => \$sourceIP,
+ "dest_IP=s" => \$destIP,
+ "family=s" => \$family,
+);
+
+my $xs = XML::Simple->new(ForceArray => 1, KeepRoot => 0);
+my ($xml1, $xml2, $data);
+
+#build command string using <command_prefix><command>.
+my $command_prefix = "sudo conntrack -L";
+my $command = " --family $family";
+
+my ($sourcePort, $destPort);
+if ($family eq "ipv4") {
+ if ((defined $sourceIP) and $sourceIP =~ m/:/) {
+ #IP address and port entered, are of the form IP:port
+ my @address = split(/:/, $sourceIP);
+ $sourceIP = $address[0];
+ $sourcePort = $address[1];
+
+ # Check if IP address is a valid IPv4 address
+ my( $success, $err ) = isValidPortNumber($sourcePort);
+ if (!(isIpAddress($sourceIP))and !($sourceIP eq "0.0.0.0")) {
+ if(!defined($success)) {
+ #both IP and port are invalid
+ die "Please enter a valid source IPv4 address and port \n";
+ } else {
+ #only IP is invalid
+ die "Please enter a valid source IPv4 address\n";
+ }
+ }
+ if(!defined($success)) {
+ #port is invalid
+ die "Please enter a valid source port \n";
+ }
+ $command .= " --orig-port-src $sourcePort";
+ }
+
+ if ((defined $destIP) and $destIP =~ m/:/) {
+ my @address = split(/:/, $destIP);
+ $destIP = $address[0];
+ $destPort = $address[1];
+ my( $success, $err ) = isValidPortNumber($destPort);
+ if (!(isIpAddress($destIP))and !($destIP eq "0.0.0.0")) {
+ if(!defined($success)) {
+ #both IP and port are invalid
+ die "Please enter a valid destination IPv4 address and port \n";
+ } else {
+ #only IP is invalid
+ die "Please enter a valid destination IPv4 address\n";
+ }
+ }
+ if(!defined($success)) {
+ #port is invalid
+ die "Please enter a valid destination port \n";
+ }
+ $command .= " --orig-port-dst $destPort";
+ }
+
+ if ((defined $sourceIP) and !($sourceIP eq "0.0.0.0")) {
+ # Check if IP address is a valid IPv4 address
+ if (!(isIpAddress($sourceIP))) {
+ die "Please enter a valid source IPv4 address\n";
+ }
+ #If IP is any, do not add anything to command.
+ $command .= " -s $sourceIP";
+ }
+
+ if ((defined $destIP) and !($destIP eq "0.0.0.0")) {
+ # Check if IP address is a valid IPv4 address
+ if (!(isIpAddress($destIP))) {
+ die "Please enter a valid destination IPv4 address\n";
+ }
+ $command .= " -d $destIP";
+ }
+} else {
+ #IPv6 code.
+ if ((defined $sourceIP) and ($sourceIP ne "0:0:0:0:0:0:0:0")) {
+ if ((($sourceIP =~ m/^\[/) and (!($sourceIP =~ m/]/))) or
+ (!($sourceIP =~ m/^\[/) and (($sourceIP =~ m/]/)))) {
+ die "Please use prescribed format for source IP: [IPv6-address]:port \n";
+ }
+ if (($sourceIP =~ m/^\[/) and ($sourceIP =~ m/]/)) {
+ # [IPv6-address]:port
+ my @address = split(/]/, $sourceIP);
+ if (@address) {
+ if(!$address[0] or !$address[1]) {
+ die "Please use prescribed format for source IP: [IPv6-address]:port \n";
+ }
+ $sourceIP = substr($address[0], 1);
+ $sourcePort = substr($address[1], 1);
+ my( $success, $err ) = isValidPortNumber($sourcePort);
+ if (validateType('ipv6', $sourceIP, 'quiet')) {
+ if ($sourceIP =~ m/[^ABCDEFabcdef0123456789:\[\]]/) {
+ die "Please enter a valid source IPv6 address\n";
+ }
+ } else {
+ if(!defined($success)) {
+ die "Please enter a valid source IPv6 address and port \n";
+ }
+ }
+ if(!defined($success)) {
+ die "Please enter a valid source port \n";
+ }
+ $command .= " --orig-port-src $sourcePort";
+ }
+ } else {
+ #IPv6-address without port
+ if (validateType('ipv6', $sourceIP, 'quiet')) {
+ if ($sourceIP =~ m/[^ABCDEFabcdef0123456789:\[\]]/) {
+ die "Please enter a valid source IPv6 address\n";
+ }
+ } else {
+ die "Please enter a valid source IPv6 address\n";
+ }
+ }
+ }
+ if ((defined $destIP) and ($destIP ne "0:0:0:0:0:0:0:0")) {
+ if ((($destIP =~ m/^\[/) and (!($destIP =~ m/]/))) or
+ (!($destIP =~ m/^\[/) and (($destIP =~ m/]/)))) {
+ die "Please use prescribed format for destination IP: [IPv6-address]:port \n";
+ }
+ if (($destIP =~ m/^\[/) and ($destIP =~ m/]/)) {
+ my @address = split(/]/, $destIP);
+ if (@address) {
+ $destIP = substr($address[0], 1);
+ $destPort = substr($address[1], 1);
+ my( $success, $err ) = isValidPortNumber($destPort);
+ if (validateType('ipv6', $destIP, 'quiet')) {
+ if ($destIP =~ m/[^ABCDEFabcdef0123456789:\[\]]/) {
+ die "Please enter a valid destination IPv6 address\n";
+ }
+ } else {
+ if(!defined($success)) {
+ die "Please enter a valid destination IPv6 address and port \n";
+ }
+ }
+ if(!defined($success)) {
+ die "Please enter a valid destination port \n";
+ }
+ #$command .= " --orig-port-dst $destPort";
+ }
+ } else {
+ #IPv6-address without port
+ if (validateType('ipv6', $destIP, 'quiet')) {
+ if ($destIP =~ m/[^ABCDEFabcdef0123456789:\[\]]/) {
+ die "Please enter a valid destination IPv6 address\n";
+ }
+ } else {
+ die "Please enter a valid destination IPv6 address\n";
+ }
+ }
+ }
+ if (($sourceIP) and ($sourceIP ne "0:0:0:0:0:0:0:0")) {
+ $command .= " -s $sourceIP";
+ }
+ if (($destIP) and ($destIP ne "0:0:0:0:0:0:0:0")) {
+ $command .= " -d $destIP";
+ }
+}
+
+$command .= " -o xml";
+print "TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED,\n";
+print " FW - FIN WAIT, CW - CLOSE WAIT, LA - LAST ACK,\n";
+print " TW - TIME WAIT, CL - CLOSE, LI - LISTEN\n\n";
+
+#IPv6 Addresses can be 39 chars long, so chose the format as per family
+if ($family eq 'ipv4') {
+ printf($format, 'CONN ID', 'Source', 'Destination', 'Protocol', 'TIMEOUT');
+} else {
+ printf($format_IPv6, 'CONN ID', 'Source', 'Destination', 'Protocol', 'TIMEOUT');
+}
+
+if ((defined($destPort)) or (defined($sourcePort))) {
+ my $command_final = $command_prefix." -p tcp".$command;
+ $xml1 = `$command_final 2> /dev/null`;
+
+ #Execute the command for UDP as well.
+ $command_final = $command_prefix." -p udp".$command;
+ $xml2 = `$command_final 2> /dev/null`;
+} else {
+ my $command_final = $command_prefix.$command;
+ $xml1 = `$command_final 2> /dev/null`;
+}
+
+if ($xml1) {
+ $data = $xs->XMLin($xml1);
+ print_xml($data, "", $family);
+}
+if ($xml2) {
+ $data = $xs->XMLin($xml2);
+ print_xml($data, "", $family);
+}
+# end of file
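Review bot: The state-code mapping in `print_xml` relies on `use Switch`, a source-filter module that rewrites the program text before compilation; it is known to mis-parse code around it and was deprecated and removed from the Perl core, so the script will fail to start on a Perl without the separate package. A plain hash lookup expresses the same nine `case` arms in a few lines and has no such dependency (the hash can be hoisted to file scope next to `$format`). The `use Data::Dumper;` and `use POSIX;` lines appear unused in this file and can go at the same time. Both scripts also discard conntrack's stderr with `2> /dev/null` and never look at `$?`, so a failing `conntrack -L` prints only the header with no indication anything went wrong; consider `die "conntrack failed: $?\n" if $?;` after each backtick call.
```perl
    my $protocol = $proto . ' [' . $protonum . ']';
    my %state_code = (
        ESTABLISHED => 'ES', SYN_SENT   => 'SS', SYN_RECV => 'SR',
        FIN_WAIT    => 'FW', CLOSE_WAIT => 'CW', LAST_ACK => 'LA',
        TIME_WAIT   => 'TW', CLOSED     => 'CL', LISTEN   => 'LI',
    );
    if ($state_connection and exists $state_code{$state_connection}) {
        $protocol .= " $state_code{$state_connection}";
    }
    # … unchanged: family-specific printf and loop increment …
```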
diff --git a/templates-op/delete/conntrack/node.def b/templates-op/delete/conntrack/node.def
new file mode 100644
index 0000000..842bdda
--- /dev/null
+++ b/templates-op/delete/conntrack/node.def
@@ -0,0 +1 @@
+help: Delete Conntrack entries
diff --git a/templates-op/delete/conntrack/table/ipv4/conn-id/node.def b/templates-op/delete/conntrack/table/ipv4/conn-id/node.def
new file mode 100644
index 0000000..679cae2
--- /dev/null
+++ b/templates-op/delete/conntrack/table/ipv4/conn-id/node.def
@@ -0,0 +1 @@
+help: Delete Conntrack entry with connection ID
diff --git a/templates-op/delete/conntrack/table/ipv4/conn-id/node.tag/node.def b/templates-op/delete/conntrack/table/ipv4/conn-id/node.tag/node.def
new file mode 100644
index 0000000..d3f179e
--- /dev/null
+++ b/templates-op/delete/conntrack/table/ipv4/conn-id/node.tag/node.def
@@ -0,0 +1,3 @@
+help: Delete Conntrack entry with the connection ID
+allowed: echo -n 'Connection ID'
+run: sudo ${vyatta_bindir}/sudo-users/vyatta-delete-conntrack.pl -family $4 -id $6
diff --git a/templates-op/delete/conntrack/table/ipv4/node.def b/templates-op/delete/conntrack/table/ipv4/node.def
new file mode 100644
index 0000000..80ccc5d
--- /dev/null
+++ b/templates-op/delete/conntrack/table/ipv4/node.def
@@ -0,0 +1 @@
+help: Delete Conntrack IPv4 entries
diff --git a/templates-op/delete/conntrack/table/ipv4/source/node.def b/templates-op/delete/conntrack/table/ipv4/source/node.def
new file mode 100644
index 0000000..10081cd
--- /dev/null
+++ b/templates-op/delete/conntrack/table/ipv4/source/node.def
@@ -0,0 +1 @@
+help: Delete all Conntrack entries with specified source IP address
diff --git a/templates-op/delete/conntrack/table/ipv4/source/node.tag/destination/node.def b/templates-op/delete/conntrack/table/ipv4/source/node.tag/destination/node.def
new file mode 100644
index 0000000..aee21aa
--- /dev/null
+++ b/templates-op/delete/conntrack/table/ipv4/source/node.tag/destination/node.def
@@ -0,0 +1 @@
+help: Delete all Conntrack entries with the specified destination IP address
diff --git a/templates-op/delete/conntrack/table/ipv4/source/node.tag/destination/node.tag/node.def b/templates-op/delete/conntrack/table/ipv4/source/node.tag/destination/node.tag/node.def
new file mode 100644
index 0000000..25c67e9
--- /dev/null
+++ b/templates-op/delete/conntrack/table/ipv4/source/node.tag/destination/node.tag/node.def
@@ -0,0 +1,3 @@
+help: Delete Conntrack entries with the specified destination IP
+allowed: echo -n '<IP-address>' '<IP-address:port>'
+run: sudo ${vyatta_bindir}/sudo-users/vyatta-delete-conntrack.pl -family $4 -source_IP $6 -dest_IP $8
diff --git a/templates-op/delete/conntrack/table/ipv4/source/node.tag/node.def b/templates-op/delete/conntrack/table/ipv4/source/node.tag/node.def
new file mode 100644
index 0000000..e0004a9
--- /dev/null
+++ b/templates-op/delete/conntrack/table/ipv4/source/node.tag/node.def
@@ -0,0 +1,3 @@
+help: Delete Conntrack entries with the specified source IP address
+allowed: echo -n '<IP-address>' '<IP-address:port>'
+run: sudo ${vyatta_bindir}/sudo-users/vyatta-delete-conntrack.pl -family $4 -source_IP $6
diff --git a/templates-op/delete/conntrack/table/ipv6/conn-id/node.def b/templates-op/delete/conntrack/table/ipv6/conn-id/node.def
new file mode 100644
index 0000000..679cae2
--- /dev/null
+++ b/templates-op/delete/conntrack/table/ipv6/conn-id/node.def
@@ -0,0 +1 @@
+help: Delete Conntrack entry with connection ID
diff --git a/templates-op/delete/conntrack/table/ipv6/conn-id/node.tag/node.def b/templates-op/delete/conntrack/table/ipv6/conn-id/node.tag/node.def
new file mode 100644
index 0000000..d3f179e
--- /dev/null
+++ b/templates-op/delete/conntrack/table/ipv6/conn-id/node.tag/node.def
@@ -0,0 +1,3 @@
+help: Delete Conntrack entry with the connection ID
+allowed: echo -n 'Connection ID'
+run: sudo ${vyatta_bindir}/sudo-users/vyatta-delete-conntrack.pl -family $4 -id $6
diff --git a/templates-op/delete/conntrack/table/ipv6/node.def b/templates-op/delete/conntrack/table/ipv6/node.def
new file mode 100644
index 0000000..58b08f5
--- /dev/null
+++ b/templates-op/delete/conntrack/table/ipv6/node.def
@@ -0,0 +1 @@
+help: Delete Conntrack IPv6 entries
diff --git a/templates-op/delete/conntrack/table/ipv6/source/node.def b/templates-op/delete/conntrack/table/ipv6/source/node.def
new file mode 100644
index 0000000..10081cd
--- /dev/null
+++ b/templates-op/delete/conntrack/table/ipv6/source/node.def
@@ -0,0 +1 @@
+help: Delete all Conntrack entries with specified source IP address
diff --git a/templates-op/delete/conntrack/table/ipv6/source/node.tag/destination/node.def b/templates-op/delete/conntrack/table/ipv6/source/node.tag/destination/node.def
new file mode 100644
index 0000000..aee21aa
--- /dev/null
+++ b/templates-op/delete/conntrack/table/ipv6/source/node.tag/destination/node.def
@@ -0,0 +1 @@
+help: Delete all Conntrack entries with the specified destination IP address
diff --git a/templates-op/delete/conntrack/table/ipv6/source/node.tag/destination/node.tag/node.def b/templates-op/delete/conntrack/table/ipv6/source/node.tag/destination/node.tag/node.def
new file mode 100644
index 0000000..45fb74c
--- /dev/null
+++ b/templates-op/delete/conntrack/table/ipv6/source/node.tag/destination/node.tag/node.def
@@ -0,0 +1,3 @@
+help: Delete Conntrack entries with the specified destination IP
+allowed: echo -n '<IPv6-address>' '<[IPv6-address]:port>'
+run: sudo ${vyatta_bindir}/sudo-users/vyatta-delete-conntrack.pl -family $4 -source_IP $6 -dest_IP $8
diff --git a/templates-op/delete/conntrack/table/ipv6/source/node.tag/node.def b/templates-op/delete/conntrack/table/ipv6/source/node.tag/node.def
new file mode 100644
index 0000000..06b9af3
--- /dev/null
+++ b/templates-op/delete/conntrack/table/ipv6/source/node.tag/node.def
@@ -0,0 +1,3 @@
+help: Delete Conntrack entries with the specified source IP address
+allowed: echo -n '<IPv6-address>' '<[IPv6-address]:port>'
+run: sudo ${vyatta_bindir}/sudo-users/vyatta-delete-conntrack.pl -family $4 -source_IP $6
diff --git a/templates-op/delete/conntrack/table/node.def b/templates-op/delete/conntrack/table/node.def
new file mode 100644
index 0000000..340bb72
--- /dev/null
+++ b/templates-op/delete/conntrack/table/node.def
@@ -0,0 +1 @@
+help: Delete entries from Conntrack table
diff --git a/templates-op/show/conntrack/node.def b/templates-op/show/conntrack/node.def
new file mode 100644
index 0000000..300bc83
--- /dev/null
+++ b/templates-op/show/conntrack/node.def
@@ -0,0 +1 @@
+help: Show conntrack entries in the conntrack table
diff --git a/templates-op/show/conntrack/table/ipv4/node.def b/templates-op/show/conntrack/table/ipv4/node.def
new file mode 100644
index 0000000..5509c14
--- /dev/null
+++ b/templates-op/show/conntrack/table/ipv4/node.def
@@ -0,0 +1,2 @@
+help: Show Conntrack entries for IPv4 protocol
+run: sudo ${vyatta_bindir}/sudo-users/vyatta-show-conntrack.pl -family $4
diff --git a/templates-op/show/conntrack/table/ipv4/source/node.def b/templates-op/show/conntrack/table/ipv4/source/node.def
new file mode 100644
index 0000000..f3f6c84
--- /dev/null
+++ b/templates-op/show/conntrack/table/ipv4/source/node.def
@@ -0,0 +1 @@
+help: Show Conntrack entries for the source IP
diff --git a/templates-op/show/conntrack/table/ipv4/source/node.tag/destination/node.def b/templates-op/show/conntrack/table/ipv4/source/node.tag/destination/node.def
new file mode 100644
index 0000000..85b1b36
--- /dev/null
+++ b/templates-op/show/conntrack/table/ipv4/source/node.tag/destination/node.def
@@ -0,0 +1,3 @@
+help: Show Conntrack entries for the destination IP
+allowed: echo -n '<IPv4-address>' '<IPv4-address:port>'
+
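Review bot: This `destination/node.def` carries an `allowed:` line and a trailing blank line but no `run:`, which is inconsistent with the delete-side counterpart in this same commit, whose `destination/node.def` has only `help:`, and with the sibling `node.tag/node.def` that already supplies the same `allowed:` for the tag values. Unless the op-mode completer also reads `allowed:` from a fixed keyword node, which I cannot confirm from here, the line is dead and the file should reduce to `help: Show Conntrack entries for the destination IP`. Dropping the stray blank line keeps the node.def files in this tree uniformly terminated.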
diff --git a/templates-op/show/conntrack/table/ipv4/source/node.tag/destination/node.tag/node.def b/templates-op/show/conntrack/table/ipv4/source/node.tag/destination/node.tag/node.def
new file mode 100644
index 0000000..09bd8ef
--- /dev/null
+++ b/templates-op/show/conntrack/table/ipv4/source/node.tag/destination/node.tag/node.def
@@ -0,0 +1,3 @@
+help: Show Conntrack entries for the destination IP
+allowed: echo -n '<IPv4-address>' '<IPv4-address:port>'
+run: sudo ${vyatta_bindir}/sudo-users/vyatta-show-conntrack.pl -family $4 -source_IP $6 -dest_IP $8
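Review bot: Even though this node is read-only, the `run:` line still elevates via sudo and passes the operator-supplied `$6` and `$8` unquoted, with `allowed:` serving only as a completion hint rather than an input filter as far as I can tell. The safety of the invocation therefore rests on vyatta-show-conntrack.pl validating both values as IPv4 addresses or `addr:port` before using them, and that script is not visible in this chunk. Quoting the expansions, `-family "$4" -source_IP "$6" -dest_IP "$8"`, would prevent a token containing whitespace from being split into extra arguments, assuming `run:` is evaluated by bash as the `${vyatta_bindir}` expansion suggests.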
diff --git a/templates-op/show/conntrack/table/ipv4/source/node.tag/node.def b/templates-op/show/conntrack/table/ipv4/source/node.tag/node.def
new file mode 100644
index 0000000..0d36700
--- /dev/null
+++ b/templates-op/show/conntrack/table/ipv4/source/node.tag/node.def
@@ -0,0 +1,3 @@
+help: Show Conntrack entries for the source IP
+allowed: echo -n '<IPv4-address>' '<IPv4-address:port>'
+run: sudo ${vyatta_bindir}/sudo-users/vyatta-show-conntrack.pl -family $4 -source_IP $6
diff --git a/templates-op/show/conntrack/table/ipv6/node.def b/templates-op/show/conntrack/table/ipv6/node.def
new file mode 100644
index 0000000..ef40625
--- /dev/null
+++ b/templates-op/show/conntrack/table/ipv6/node.def
@@ -0,0 +1,2 @@
+help: Show Conntrack entries for IPv6 protocol
+run: sudo ${vyatta_bindir}/sudo-users/vyatta-show-conntrack.pl -family $4
diff --git a/templates-op/show/conntrack/table/ipv6/source/node.def b/templates-op/show/conntrack/table/ipv6/source/node.def
new file mode 100644
index 0000000..f3f6c84
--- /dev/null
+++ b/templates-op/show/conntrack/table/ipv6/source/node.def
@@ -0,0 +1 @@
+help: Show Conntrack entries for the source IP
diff --git a/templates-op/show/conntrack/table/ipv6/source/node.tag/destination/node.def b/templates-op/show/conntrack/table/ipv6/source/node.tag/destination/node.def
new file mode 100644
index 0000000..4813e87
--- /dev/null
+++ b/templates-op/show/conntrack/table/ipv6/source/node.tag/destination/node.def
@@ -0,0 +1,3 @@
+help: Show Conntrack entries for the destination IP
+allowed: echo -n '<IPv6-address>' '<[IPv6-address]:port>'
+
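Review bot: The `allowed:` line here sits in the fixed `destination` keyword node, not in the `node.tag/node.def` that actually completes the address value, and the file has no `run:` and ends with a blank line; the corresponding delete-side `destination/node.def` in this commit is just a `help:` line. If the completer only consults `allowed:` on tag nodes, which I believe but cannot verify from this chunk, this line has no effect and the file can be trimmed to `help: Show Conntrack entries for the destination IP`. Keeping the show and delete trees structurally identical also makes it easier to audit which nodes execute a privileged script.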
diff --git a/templates-op/show/conntrack/table/ipv6/source/node.tag/destination/node.tag/node.def b/templates-op/show/conntrack/table/ipv6/source/node.tag/destination/node.tag/node.def
new file mode 100644
index 0000000..49bb02b
--- /dev/null
+++ b/templates-op/show/conntrack/table/ipv6/source/node.tag/destination/node.tag/node.def
@@ -0,0 +1,3 @@
+help: Show Conntrack entries for the destination IP
+allowed: echo -n '<IPv6-address>' '<[IPv6-address]:port>'
+run: sudo ${vyatta_bindir}/sudo-users/vyatta-show-conntrack.pl -family $4 -source_IP $6 -dest_IP $8
diff --git a/templates-op/show/conntrack/table/ipv6/source/node.tag/node.def b/templates-op/show/conntrack/table/ipv6/source/node.tag/node.def
new file mode 100644
index 0000000..cf84af6
--- /dev/null
+++ b/templates-op/show/conntrack/table/ipv6/source/node.tag/node.def
@@ -0,0 +1,3 @@
+help: Show Conntrack entries for the source IP
+allowed: echo -n '<IPv6-address>' '<[IPv6-address]:port>'
+run: sudo ${vyatta_bindir}/sudo-users/vyatta-show-conntrack.pl -family $4 -source_IP $6
diff --git a/templates-op/show/conntrack/table/node.def b/templates-op/show/conntrack/table/node.def
new file mode 100644
index 0000000..c4767bf
--- /dev/null
+++ b/templates-op/show/conntrack/table/node.def
@@ -0,0 +1 @@
+help: Show conntrack entries for table