diff options
-rw-r--r-- | lib/Vyatta/Conntrack/RuleCT.pm | 1 | ||||
-rw-r--r-- | scripts/vyatta-conntrack-timeouts.pl | 70 |
2 files changed, 64 insertions, 7 deletions
diff --git a/lib/Vyatta/Conntrack/RuleCT.pm b/lib/Vyatta/Conntrack/RuleCT.pm index d75c85e..9953291 100644 --- a/lib/Vyatta/Conntrack/RuleCT.pm +++ b/lib/Vyatta/Conntrack/RuleCT.pm @@ -11,7 +11,6 @@ require Vyatta::IpTables::AddressFilter; my $src = new Vyatta::IpTables::AddressFilter; my $dst = new Vyatta::IpTables::AddressFilter; -my $CTERROR = "Conntrack Timeout Error:"; my %fields = ( _rule_number => undef, _protocol => undef, diff --git a/scripts/vyatta-conntrack-timeouts.pl b/scripts/vyatta-conntrack-timeouts.pl index a98de86..61830ab 100644 --- a/scripts/vyatta-conntrack-timeouts.pl +++ b/scripts/vyatta-conntrack-timeouts.pl @@ -14,9 +14,14 @@ use Sys::Syslog qw(:standard :macros); #for future use when v6 timeouts need to be set my %cmd_hash = ( 'ipv4' => 'iptables', 'ipv6' => 'ip6tables'); +# Enable printing debug output to stdout. +my $debug_flag = 0; -my ($create, $delete, $update); +# Enable sending debug output to syslog. +my $syslog_flag = 0; +my ($create, $delete, $update); +my $CTERROR = "Conntrack timeout error:"; GetOptions("create=s" => \$create, "delete=s" => \$delete, "update=s" => \$update, @@ -24,6 +29,40 @@ GetOptions("create=s" => \$create, update_config(); +openlog("vyatta-conntrack", "pid", "local0"); + +sub log_msg { + my $message = shift; + + print "DEBUG: $message\n" if $debug_flag; + syslog(LOG_DEBUG, "%s", $message) if $syslog_flag; +} +# Run command and capture output +# run_cmd("$iptables_cmd -t $table -F $name", 1); +# if command fails, then send output to syslog +sub run_cmd { + my ($cmd_to_run, $redirect) = @_; + + log_msg("Running: $cmd_to_run"); + print "$cmd_to_run\n"; + + if ($redirect) { + open (my $out, '-|', $cmd_to_run . ' 2>&1') + or die "Can't run command \"$cmd_to_run\": $!"; + my @cmd_out = <$out>; + + # if command suceeds to do nothing. + return if (close ($out)); + + foreach my $line (@cmd_out) { + chomp $line; + syslog(LOG_INFO, "%s", $line); + } + } else { + system($cmd_to_run); + } +} + sub remove_timeout_policy { my ($rule_string, $timeout_policy) = @_; my @tokens = split (' ', $timeout_policy); @@ -31,8 +70,18 @@ sub remove_timeout_policy { my $iptables_cmd1 = "iptables -D PREROUTING -t raw $rule_string -j CT --timeout $tokens[0]"; my $iptables_cmd2 = "iptables -D OUTPUT -t raw $rule_string -j CT --timeout $tokens[0]"; my $nfct_timeout_cmd = "nfct-timeout remove $timeout_policy"; - print "$iptables_cmd1\n$iptables_cmd2\n"; - print "$nfct_timeout_cmd\n"; + run_cmd($iptables_cmd2); + if ($? >> 8) { + print "$CTERROR failed to run $iptables_cmd2\n"; + } + run_cmd($iptables_cmd1); + if ($? >> 8) { + print "$CTERROR failed to run $iptables_cmd1\n"; + } + run_cmd($nfct_timeout_cmd); + if ($? >> 8) { + print "$CTERROR failed to run $nfct_timeout_cmd\n"; + } } # nfct-timeout create policy1 tcp established 1200 close-wait 100 fin-wait 10 @@ -43,9 +92,18 @@ sub apply_timeout_policy { my @tokens = split (' ', $timeout_policy); my $iptables_cmd1 = "iptables -I PREROUTING -t raw $rule_string -j CT --timeout $tokens[0]"; my $iptables_cmd2 = "iptables -I OUTPUT -t raw $rule_string -j CT --timeout $tokens[0]"; - - print "$nfct_timeout_cmd\n"; - print "$iptables_cmd1\n$iptables_cmd2\n"; + run_cmd($nfct_timeout_cmd); + if ($? >> 8) { + print "$CTERROR failed to run $nfct_timeout_cmd\n"; + } + run_cmd($iptables_cmd1); + if ($? >> 8) { + print "$CTERROR failed to run $iptables_cmd1\n"; + } + run_cmd($iptables_cmd2); + if ($? >> 8) { + print "$CTERROR failed to run $iptables_cmd2\n"; + } } |