diff options
-rw-r--r-- | lib/Vyatta/Conntrack/RuleCT.pm | 16 | ||||
-rw-r--r-- | scripts/vyatta-conntrack-timeouts.pl | 2 |
2 files changed, 10 insertions, 8 deletions
diff --git a/lib/Vyatta/Conntrack/RuleCT.pm b/lib/Vyatta/Conntrack/RuleCT.pm index 5c59b93..ee52ce3 100644 --- a/lib/Vyatta/Conntrack/RuleCT.pm +++ b/lib/Vyatta/Conntrack/RuleCT.pm @@ -74,10 +74,14 @@ sub rule { Vyatta::Config::outputError(["Conntrack"], "Conntrack config error: $err_str"); exit 1; } - if ($self->{_protocol} = "tcp") { + if ($self->{_protocol} eq "tcp") { $rule .= " -p tcp"; - } elsif ($self->{_protocol} = "udp") { + } elsif ($self->{_protocol} eq "udp") { $rule .= " -p udp"; + } elsif ($self->{_protocol} eq "icmp") { + $rule .= " -p icmp"; + } elsif ($self->{_protocol} eq "other") { + $rule .= " -p 255"; } $rule .= " $srcrule $dstrule "; return $rule; @@ -135,8 +139,6 @@ sub setup_base { $self->{_other} = $config->$val_func("protocol other"); } - #FIXME: AddressFilter.pm needs a change to accomodate other and - # icmp protocols as it does port checks unconditionally. $src->$addr_setup("$level source"); $src->{_protocol} = $self->{_protocol};#needed to use address filter if ( (($src->{_protocol} eq 'icmp') or ($src->{_protocol} eq 'other')) and (defined($src->{_port})) ) { @@ -216,15 +218,15 @@ sub get_policy_command { } elsif ($self->{_protocol} eq 'udp') { $command .= " udp"; if ($self->{_udp}->{_other}) { - $command .= " other $self->{_udp}->{_other}"; + $command .= " unreplied $self->{_udp}->{_other}"; } if ($self->{_udp}->{_stream}) { - $command .= " stream $self->{_udp}->{_stream}"; + $command .= " replied $self->{_udp}->{_stream}"; } } elsif ($self->{_protocol} eq 'icmp') { $command .= " icmp $self->{_icmp}"; } elsif ($self->{_protocol} eq 'other') { - $command .= " other $self->{_other}"; + $command .= " generic timeout $self->{_other}"; } return $command; } diff --git a/scripts/vyatta-conntrack-timeouts.pl b/scripts/vyatta-conntrack-timeouts.pl index 7d0295f..81e5fff 100644 --- a/scripts/vyatta-conntrack-timeouts.pl +++ b/scripts/vyatta-conntrack-timeouts.pl @@ -69,7 +69,7 @@ sub remove_timeout_policy { # First remove the iptables rules before removing policy. my $iptables_cmd1 = "iptables -D PREROUTING -t raw $rule_string -j CT --timeout $tokens[0]"; my $iptables_cmd2 = "iptables -D OUTPUT -t raw $rule_string -j CT --timeout $tokens[0]"; - my $nfct_timeout_cmd = "$nfct timeout remove $timeout_policy"; + my $nfct_timeout_cmd = "$nfct timeout delete $timeout_policy"; run_cmd($iptables_cmd2); if ($? >> 8) { # FIXME: as of now, dont print/handle/exit as these always fail in iptables. |