diff options
| author | Gaurav Sinha <gaurav.sinha@vyatta.com> | 2012-08-06 16:57:51 -0700 |
|---|---|---|
| committer | Gaurav Sinha <gaurav.sinha@vyatta.com> | 2012-08-06 16:57:51 -0700 |
| commit | 66971a32b157e1dfe4491843ab28857aa5495a4f (patch) | |
| tree | 66c35f722bc98f69b70d624e539ae568f34c8d70 /lib/Vyatta/Conntrack | |
| parent | f1315989a14f89e1629180bc16e36f21ddef2285 (diff) | |
| download | vyatta-conntrack-66971a32b157e1dfe4491843ab28857aa5495a4f.tar.gz vyatta-conntrack-66971a32b157e1dfe4491843ab28857aa5495a4f.zip | |
Initial conntrack-ignore rule handling script.
Diffstat (limited to 'lib/Vyatta/Conntrack')
| -rw-r--r-- | lib/Vyatta/Conntrack/RuleIgnore.pm | 119 |
1 files changed, 119 insertions, 0 deletions
diff --git a/lib/Vyatta/Conntrack/RuleIgnore.pm b/lib/Vyatta/Conntrack/RuleIgnore.pm new file mode 100644 index 0000000..fd10e09 --- /dev/null +++ b/lib/Vyatta/Conntrack/RuleIgnore.pm @@ -0,0 +1,119 @@ +# +# The timeouts are implemented using nfct-timeout policies that are +# later applied to the corresponding iptables rules. The rules and +# policies are distinguished based on the rule number. + +package Vyatta::Conntrack::RuleIgnore; + +use strict; +use Vyatta::Config; +require Vyatta::IpTables::AddressFilter; + +my $src = new Vyatta::IpTables::AddressFilter; +my $dst = new Vyatta::IpTables::AddressFilter; +my %fields = ( + _rule_number => undef, + _protocol => undef, + _comment => undef, +); + +my %dummy_rule = ( + _rule_number => 10000, + _protocol => undef, + _comment => undef, +); + +my $DEBUG = 'false'; + +sub rule { + my ( $self ) = @_; + my ($rule, $srcrule, $dstrule, $err_str); + my $tcp_and_udp = 0; + # set CLI rule num as comment + my @level_nodes = split (' ', $self->{_comment}); + print "level nodes is @level_nodes\n"; + $rule .= "-m comment --comment \"$level_nodes[2]-$level_nodes[5]\" "; + ($srcrule, $err_str) = $src->rule(); + if (defined($err_str)) { + Vyatta::Config::outputError(["Conntrack"], "Conntrack config error: $err_str"); + exit 1; + } + ($dstrule, $err_str) = $dst->rule(); + if (defined($err_str)) { + Vyatta::Config::outputError(["Conntrack"], "Conntrack config error: $err_str"); + exit 1; + } + if (defined($self->{_protocol})) { + $rule .= " -p $self->{_protocol}"; + } + $rule .= " $srcrule $dstrule "; + print "rule is $rule\n"; + return $rule; +} + +sub new { + my $that = shift; + my $class = ref ($that) || $that; + my $self = { + %fields, + }; + + bless $self, $class; + return $self; +} + +sub setup_base { + my ($self, $level, $val_func, $exists_func, $addr_setup) = @_; + my $config = new Vyatta::Config; + + $config->setLevel("$level"); + $self->{_comment} = $level; + $self->{_rule_number} = $config->returnParent(".."); + + $src->$addr_setup("$level source"); + $src->{_protocol} = $self->{_protocol};#needed to use address filter + if (($src->{_protocol}) and (($src->{_protocol} ne 'tcp') or ($src->{_protocol} ne 'udp')) and (defined($src->{_port})) ) { + die "Error: Cannot specify port with protocol $src->{_protocol}\n"; + } + $dst->$addr_setup("$level destination"); + $dst->{_protocol} = $self->{_protocol};#needed to use address filter + if (($dst->{_protocol}) and (($dst->{_protocol} ne 'tcp') or ($dst->{_protocol} ne 'udp')) and (defined($dst->{_port})) ) { + die "Error: Cannot specify port with protocol $dst->{_protocol}\n"; + } + + return 0; +} + +sub setup { + my ($self, $level) = @_; + + $self->setup_base($level, 'returnValue', 'exists', 'setup'); + return 0; +} + +sub setupOrig { + my ($self, $level) = @_; + $self->setup_base($level, 'returnOrigValue', 'existsOrig', 'setupOrig'); + return 0; +} + +sub print { + my ( $self ) = @_; + + print "rulenum: $self->{_rule_number}\n" if defined $self->{_rule_number}; + print "protocol: $self->{_protocol}\n" if defined $self->{_protocol}; + print "inbound interface: $self->{_interface}\n" if defined $self->{_interface}; + $src->print(); + $dst->print(); +} + + + + +1; + +# Local Variables: +# mode: perl +# indent-tabs-mode: nil +# perl-indent-level: 2 +# End: |