-rw-r--r-- | lib/Vyatta/Conntrack/RuleIgnore.pm | 37 | ||||
-rw-r--r-- | scripts/vyatta-conntrack-ignore.pl | 25 |
2 files changed, 47 insertions, 15 deletions
diff --git a/lib/Vyatta/Conntrack/RuleIgnore.pm b/lib/Vyatta/Conntrack/RuleIgnore.pm
index 7c3f668..27ed237 100644
--- a/lib/Vyatta/Conntrack/RuleIgnore.pm
+++ b/lib/Vyatta/Conntrack/RuleIgnore.pm
@@ -22,14 +22,13 @@ my $DEBUG = 'false';
 sub rule {
 my ( $self ) = @_;
- my ($rule, $srcrule, $dstrule, $err_str);
- my $tcp_and_udp = 0;
+ my ($rule1, $rule2, $srcrule, $dstrule, $err_str);
 # set CLI rule num as comment
 my @level_nodes = split (' ', $self->{_comment});
- $rule .= " -m comment --comment \"$level_nodes[2]-$level_nodes[4]\" ";
+ $rule1 .= " -m comment --comment \"$level_nodes[2]-$level_nodes[4]\" ";
 if (defined($self->{_interface})) {
- $rule .= " -i $self->{_interface} ";
+ $rule1 .= " -i $self->{_interface} ";
 }
 ($srcrule, $err_str) = $src->rule();
 if (defined($err_str)) {
@@ -41,17 +40,33 @@ sub rule {
 Vyatta::Config::outputError(["Conntrack"], "Conntrack config error: $err_str");
 exit 1;
 }
+
 if (defined($self->{_protocol})) {
- if ($self->{_protocol} =~ m/^!/) {
- my $protocol = substr($self->{_protocol}, 1);
- $rule .= " ! -p $protocol";
+ if ($self->{_protocol} eq 'tcp_udp') {
+ $rule2 = $rule1;
+ #break protcol as tcp and udp, two rules
+ if ($self->{_protocol} =~ m/^!/) {
+ $rule1 .= " ! -p tcp";
+ $rule2 .= " ! -p udp";
+ } else {
+ $rule1 .= " -p tcp ";
+ $rule2 .= " -p udp ";
+ }
 } else {
- $rule .= " -p $self->{_protocol}";
+ if ($self->{_protocol} =~ m/^!/) {
+ my $protocol = substr($self->{_protocol}, 1);
+ $rule1 .= " ! -p $protocol";
+ } else {
+ $rule1 .= " -p $self->{_protocol}";
+ }
 }
 }
-
- $rule .= " $srcrule $dstrule ";
- return $rule;
+
+ $rule1 .= " $srcrule $dstrule ";
+ if ($rule2) {
+ $rule2 .= " $srcrule $dstrule ";
+ }
+ return ($rule1, $rule2);
 }
 sub new {
diff --git a/scripts/vyatta-conntrack-ignore.pl b/scripts/vyatta-conntrack-ignore.pl
index 37a1534..80e745f 100644
--- a/scripts/vyatta-conntrack-ignore.pl
+++ b/scripts/vyatta-conntrack-ignore.pl
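Review bot: In the new `tcp_udp` branch the inner `if ($self->{_protocol} =~ m/^!/)` can never be true, because the enclosing test is `eq 'tcp_udp'`, so a negated value such as `!tcp_udp` falls into the generic else branch and yields `! -p tcp_udp`, which iptables will reject instead of expanding into two rules. If the CLI permits negating `tcp_udp`, test the outer condition with `if ($self->{_protocol} =~ m/^!?tcp_udp$/)` so the inner `^!` check becomes reachable; if it does not, drop the dead inner branch and note in the comment that `tcp_udp` cannot be negated. While there, the comment `#break protcol as tcp and udp, two rules` has a typo (`protocol`). `rule()` begins in the previous hunk and now returns a two-element list whose second element is undef for every protocol other than `tcp_udp`, which callers must check before use.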
@@ -49,11 +49,18 @@ sub remove_ignore_policy {
 }
 sub apply_ignore_policy {
- my ($rule_string, $rule, $num_rules) = @_;
+ my ($rule_string1, $rule_string2, $rule, $num_rules) = @_;
 # insert at num_rules + 1 as there are so many rules already.
 my $iptables_cmd1 = "iptables -I VYATTA_CT_IGNORE $num_rules -t raw $rule_string -j NOTRACK";
 $num_rules +=1;
 my $iptables_cmd2 = "iptables -I VYATTA_CT_IGNORE $num_rules -t raw $rule_string -j RETURN";
+ $num_rules +=1;
+
+ if ($rule_string2) {
+ my $iptables_cmd3 = "iptables -I VYATTA_CT_IGNORE $num_rules -t raw $rule_string2 -j NOTRACK";
+ $num_rules +=1;
+ my $iptables_cmd4 = "iptables -I VYATTA_CT_IGNORE $num_rules -t raw $rule_string2 -j RETURN";
+ }
 run_cmd($iptables_cmd1);
 if ($? >> 8) {
 print "$CTERROR failed to run $iptables_cmd1\n";
@@ -64,17 +71,27 @@ sub apply_ignore_policy {
 print "$CTERROR failed to run $iptables_cmd2\n";
 exit 1;
 }
+ run_cmd($iptables_cmd3);
+ if ($? >> 8) {
+ print "$CTERROR failed to run $iptables_cmd3\n";
+ exit 1;
+ }
+ run_cmd($iptables_cmd4);
+ if ($? >> 8) {
+ print "$CTERROR failed to run $iptables_cmd4\n";
+ exit 1;
+ }
 }
 sub handle_rule_creation {
 my ($rule, $num_rules) = @_;
 my $node = new Vyatta::Conntrack::RuleIgnore;
- my ($rule_string);
+ my ($rule_string1, $rule_string2);
 do_minimalrule_check($rule);
 $node->setup("system conntrack ignore rule $rule");
- $rule_string = $node->rule();
- apply_ignore_policy($rule_string, $rule, $num_rules);
+ ($rule_string1, $rule_string2) = $node->rule();
+ apply_ignore_policy($rule_string1, $rule_string2, $rule, $num_rules);
 }
 # mandate atleast inbound interface / source ip / dest ip or protocol per rule |