author | Gaurav <gaurav.sinha@vyatta.com> | 2012-02-24 15:38:04 -0800 |
---|---|---|
committer | Gaurav Sinha <gaurav.sinha@vyatta.com> | 2012-03-16 16:45:38 -0700 |
commit | 8d658062ead15365b40e144fe5c24a26a1d4a24c (patch) | |
tree | ad7dff88d89e546e992450767ec6068b0b738951 /scripts | |
parent | ad151e1acc2a432a5e6b1294a6713af045cce2e7 (diff) | |
handle modification, disabled error handling for now as iptables does not support timeout target yet
(cherry picked from commit f2a6927d2a500142e71aa098491f9b72c802d418)
Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/vyatta-conntrack-timeouts.pl | 40 |
1 files changed, 26 insertions, 14 deletions
diff --git a/scripts/vyatta-conntrack-timeouts.pl b/scripts/vyatta-conntrack-timeouts.pl
index 4ea3a9f..ffc66d3 100644
--- a/scripts/vyatta-conntrack-timeouts.pl
+++ b/scripts/vyatta-conntrack-timeouts.pl
@@ -72,16 +72,19 @@ sub remove_timeout_policy {
 my $nfct_timeout_cmd = "nfct-timeout remove $timeout_policy";
 run_cmd($iptables_cmd2);
 if ($? >> 8) {
- print "$CTERROR failed to run $iptables_cmd2\n";
+ # FIXME: as of now, dont print/handle/exit as these always fail in iptables.
+ #print "$CTERROR failed to run $iptables_cmd2\n";
 #dont exit, try to clean as much.
 }
 run_cmd($iptables_cmd1);
 if ($? >> 8) {
- print "$CTERROR failed to run $iptables_cmd1\n";
+ # FIXME: as of now, dont print/handle/exit as these always fail in iptables.
+ #print "$CTERROR failed to run $iptables_cmd1\n";
 }
 run_cmd($nfct_timeout_cmd);
 if ($? >> 8) {
- print "$CTERROR failed to run $nfct_timeout_cmd\n";
+ # FIXME: as of now, dont print/handle/exit as these always fail in iptables.
+ #print "$CTERROR failed to run $nfct_timeout_cmd\n";
 }
 }
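Review bot: Commenting out the `print` in all three failure branches of remove_timeout_policy (and, in the next hunk, the `print`, `exit 1` and the rollback `run_cmd("nfct-timeout remove $timeout_policy")` in apply_timeout_policy) means a failed `iptables -D` or `nfct-timeout remove` leaves a stale CT rule or timeout object behind with no diagnostic, and a half-applied policy — nfct-timeout object created, PREROUTING rule inserted, OUTPUT rule missing — is reported to the caller as success. The FIXME text says the failures are iptables-specific, yet the `nfct-timeout` branches are disabled too, so genuine nfct-timeout errors are now also swallowed. If the CT `--timeout` target is expected to fail for now, keep the messages and the cleanup calls and only drop the `exit 1`, e.g. `warn "$CTERROR failed to run $iptables_cmd2\n";` in each branch, so the failure is at least visible on stderr and the `nfct-timeout remove` rollback still runs. Both subs start before their hunks, so the `my $iptables_cmd*` assignments and how `$rule_string` is built are not visible here.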
@@ -95,22 +98,25 @@ sub apply_timeout_policy {
 my $iptables_cmd2 = "iptables -I OUTPUT -t raw $rule_string -j CT --timeout $tokens[0]";
 run_cmd($nfct_timeout_cmd);
 if ($? >> 8) {
- print "$CTERROR failed to run $nfct_timeout_cmd\n";
- exit 1;
+ # FIXME: as of now, dont print/handle/exit as these always fail in iptables.
+# print "$CTERROR failed to run $nfct_timeout_cmd\n";
+# exit 1;
 }
 run_cmd($iptables_cmd1);
 if ($? >> 8) {
 #cleanup the policy before exit.
- run_cmd("nfct-timeout remove $timeout_policy");
- print "$CTERROR failed to run $iptables_cmd1\n";
- exit 1;
+ # FIXME: as of now, dont print/handle/exit as these always fail in iptables.
+# run_cmd("nfct-timeout remove $timeout_policy");
+# print "$CTERROR failed to run $iptables_cmd1\n";
+# exit 1;
 }
 run_cmd($iptables_cmd2);
 if ($? >> 8) {
- run_cmd("nfct-timeout remove $timeout_policy");
- run_cmd("iptables -D PREROUTING -t raw $rule_string -j CT --timeout $tokens[0]");
- print "$CTERROR failed to run $iptables_cmd2\n";
- exit 1;
+ # FIXME: as of now, dont print/handle/exit as these always fail in iptables.
+# run_cmd("nfct-timeout remove $timeout_policy");
+# run_cmd("iptables -D PREROUTING -t raw $rule_string -j CT --timeout $tokens[0]");
+# print "$CTERROR failed to run $iptables_cmd2\n";
+# exit 1;
 }
 }
@@ -124,6 +130,13 @@ sub handle_rule_creation {
 apply_timeout_policy($rule_string, $timeout_policy);
 }
+
+sub handle_rule_modification {
+ my ($rule) = @_;
+ handle_rule_deletion($rule);
+ handle_rule_creation($rule);
+}
+
 sub handle_rule_deletion {
 my ($rule) = @_;
 my $node = new Vyatta::Conntrack::RuleCT;
@@ -146,8 +159,7 @@ sub update_config {
 } elsif ("$rules{$rule}" eq 'added') {
 handle_rule_creation($rule);
 } elsif ("$rules{$rule}" eq 'changed') {
- my $node = new Vyatta::Conntrack::RuleCT;
- $node->setup("system conntrack timeout custom rule $rule");
+ handle_rule_modification($rule);
 } elsif ("$rules{$rule}" eq 'deleted') {
 handle_rule_deletion($rule);
 }
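Review bot: handle_rule_modification is delete-then-create with no check between the two calls, and since this same commit disables the error reporting in apply_timeout_policy, a re-creation that fails after handle_rule_deletion has already removed the old rule leaves the rule absent while update_config reports success, which is a worse outcome than the previous "changed" branch that only re-read the node. The sub is also undocumented; a header such as `# Re-apply a changed rule by removing and re-creating it; this is not atomic, so connections tracked in between get the default timeouts, and a failed re-create leaves the rule removed.` would make that visible to the next maintainer. Whether handle_rule_deletion and handle_rule_creation return anything usable is not visible in this hunk (handle_rule_deletion's body continues outside it); if they do, `handle_rule_deletion($rule) or return;` would at least stop the create from running on a partial delete.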