-rw-r--r--lib/Vyatta/Conntrack/RuleCT.pm1
-rw-r--r--scripts/vyatta-conntrack-timeouts.pl70
2 files changed, 64 insertions, 7 deletions
diff --git a/lib/Vyatta/Conntrack/RuleCT.pm b/lib/Vyatta/Conntrack/RuleCT.pm
index d75c85e..9953291 100644
--- a/lib/Vyatta/Conntrack/RuleCT.pm
+++ b/lib/Vyatta/Conntrack/RuleCT.pm
@@ -11,7 +11,6 @@ require Vyatta::IpTables::AddressFilter;
my $src = new Vyatta::IpTables::AddressFilter;
my $dst = new Vyatta::IpTables::AddressFilter;
-my $CTERROR = "Conntrack Timeout Error:";
my %fields = (
_rule_number => undef,
_protocol => undef,
diff --git a/scripts/vyatta-conntrack-timeouts.pl b/scripts/vyatta-conntrack-timeouts.pl
index a98de86..61830ab 100644
--- a/scripts/vyatta-conntrack-timeouts.pl
+++ b/scripts/vyatta-conntrack-timeouts.pl
@@ -14,9 +14,14 @@ use Sys::Syslog qw(:standard :macros);
#for future use when v6 timeouts need to be set
my %cmd_hash = ( 'ipv4' => 'iptables',
'ipv6' => 'ip6tables');
+# Enable printing debug output to stdout.
+my $debug_flag = 0;
-my ($create, $delete, $update);
+# Enable sending debug output to syslog.
+my $syslog_flag = 0;
+my ($create, $delete, $update);
+my $CTERROR = "Conntrack timeout error:";
GetOptions("create=s" => \$create,
"delete=s" => \$delete,
"update=s" => \$update,
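Review bot: `$debug_flag` and `$syslog_flag` are declared with a fixed 0 and nothing in this diff ever sets them, so log_msg can never emit anything unless some code outside the diff assigns the globals. Since GetOptions is parsed right below, wiring them there keeps the switch in one place: `"debug" => \$debug_flag,` and `"syslog" => \$syslog_flag,` alongside the existing options. If the flags are meant to be edited by hand at the top of the script, a comment saying so would avoid the next reader looking for the option.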
@@ -24,6 +29,40 @@ GetOptions("create=s" => \$create,
update_config();
+openlog("vyatta-conntrack", "pid", "local0");
+
+sub log_msg {
+ my $message = shift;
+
+ print "DEBUG: $message\n" if $debug_flag;
+ syslog(LOG_DEBUG, "%s", $message) if $syslog_flag;
+}
+# Run command and capture output
+# run_cmd("$iptables_cmd -t $table -F $name", 1);
+# if command fails, then send output to syslog
+sub run_cmd {
+ my ($cmd_to_run, $redirect) = @_;
+
+ log_msg("Running: $cmd_to_run");
+ print "$cmd_to_run\n";
+
+ if ($redirect) {
+ open (my $out, '-|', $cmd_to_run . ' 2>&1')
+ or die "Can't run command \"$cmd_to_run\": $!";
+ my @cmd_out = <$out>;
+
+ # if command suceeds to do nothing.
+ return if (close ($out));
+
+ foreach my $line (@cmd_out) {
+ chomp $line;
+ syslog(LOG_INFO, "%s", $line);
+ }
+ } else {
+ system($cmd_to_run);
+ }
+}
+
sub remove_timeout_policy {
my ($rule_string, $timeout_policy) = @_;
my @tokens = split (' ', $timeout_policy);
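Review bot: run_cmd runs every command through /bin/sh: the `'-|'` open gets a single string with `2>&1` appended, and `system($cmd_to_run)` is the one-argument form, so both paths are shell-parsed. The callers in the two following hunks (remove_timeout_policy and apply_timeout_policy) build that string by interpolating `$rule_string` and `$timeout_policy`; whether those are validated before they reach this script is not visible here, and if they can carry shell metacharacters the executed command is no longer the one logged. Passing the command as a list removes the shell entirely; the capture path can use the fork form of open from perlipc so the child merges stderr into the pipe and execs the argument list, and `close` still leaves the exit status in `$?` for the existing `$? >> 8` checks. This changes run_cmd's signature, so the callers would pass e.g. `run_cmd(0, 'iptables', '-D', 'PREROUTING', '-t', 'raw', @rule_args, '-j', 'CT', '--timeout', $tokens[0])`, with `@rule_args` split from `$rule_string` on whitespace if that is how it is built. The comment "if command suceeds to do nothing" also has a typo (`succeeds`).
```perl
sub run_cmd {
    my ($redirect, @argv) = @_;        # command as an argument list: no shell involved
    my $shown = join ' ', @argv;

    log_msg("Running: $shown");
    print "$shown\n";

    if ($redirect) {
        # Fork form of open (perlipc "Safe Pipe Opens"): the child merges its
        # stderr into the pipe and execs the list directly.
        my $pid = open(my $out, '-|');
        die "Can't fork for \"$shown\": $!" unless defined $pid;
        if (!$pid) {
            open(STDERR, '>&', \*STDOUT) or die "Can't merge stderr: $!";
            exec { $argv[0] } @argv or die "Can't run command \"$shown\": $!";
        }
        my @cmd_out = <$out>;

        # close() puts the child's exit status in $? for the callers to inspect.
        return if (close ($out));
        # … unchanged: syslog each captured line …
    } else {
        system(@argv);
    }
}
```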
@@ -31,8 +70,18 @@ sub remove_timeout_policy {
my $iptables_cmd1 = "iptables -D PREROUTING -t raw $rule_string -j CT --timeout $tokens[0]";
my $iptables_cmd2 = "iptables -D OUTPUT -t raw $rule_string -j CT --timeout $tokens[0]";
my $nfct_timeout_cmd = "nfct-timeout remove $timeout_policy";
- print "$iptables_cmd1\n$iptables_cmd2\n";
- print "$nfct_timeout_cmd\n";
+ run_cmd($iptables_cmd2);
+ if ($? >> 8) {
+ print "$CTERROR failed to run $iptables_cmd2\n";
+ }
+ run_cmd($iptables_cmd1);
+ if ($? >> 8) {
+ print "$CTERROR failed to run $iptables_cmd1\n";
+ }
+ run_cmd($nfct_timeout_cmd);
+ if ($? >> 8) {
+ print "$CTERROR failed to run $nfct_timeout_cmd\n";
+ }
}
# nfct-timeout create policy1 tcp established 1200 close-wait 100 fin-wait 10
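Review bot: Each failure in remove_timeout_policy is only printed and the function carries on and returns nothing, so whoever calls it (update_config, outside this hunk) cannot tell that the rule or the policy is still in place; the same applies to apply_timeout_policy in the next hunk. A small change keeps the prints and still reports the outcome: declare `my $failed = 0;` before the first run_cmd, add `$failed++;` inside each `if ($? >> 8)` block, and end the sub with `return $failed;` so the caller can decide whether to abort the commit. Checking the global `$?` after a sub call also works only as long as run_cmd ends with the system/close that sets it; returning the status from run_cmd instead would make the dependency explicit.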
@@ -43,9 +92,18 @@ sub apply_timeout_policy {
my @tokens = split (' ', $timeout_policy);
my $iptables_cmd1 = "iptables -I PREROUTING -t raw $rule_string -j CT --timeout $tokens[0]";
my $iptables_cmd2 = "iptables -I OUTPUT -t raw $rule_string -j CT --timeout $tokens[0]";
-
- print "$nfct_timeout_cmd\n";
- print "$iptables_cmd1\n$iptables_cmd2\n";
+ run_cmd($nfct_timeout_cmd);
+ if ($? >> 8) {
+ print "$CTERROR failed to run $nfct_timeout_cmd\n";
+ }
+ run_cmd($iptables_cmd1);
+ if ($? >> 8) {
+ print "$CTERROR failed to run $iptables_cmd1\n";
+ }
+ run_cmd($iptables_cmd2);
+ if ($? >> 8) {
+ print "$CTERROR failed to run $iptables_cmd2\n";
+ }
}
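Review bot: apply_timeout_policy keeps going after a failure: if `$iptables_cmd1` fails the OUTPUT rule is still inserted, and if `$nfct_timeout_cmd` fails both iptables rules are inserted referencing a policy that was never created. A guard after each check would stop at the first error, e.g. `print "$CTERROR failed to run $nfct_timeout_cmd\n"; return;` in the first block and likewise for the second, leaving only the partial state that actually succeeded rather than adding more. `$nfct_timeout_cmd` is built above the hunk, so whether it can fail for a policy that already exists (repeated apply) is not visible here. The sub's opening line and `$rule_string` unpacking are outside the hunk.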