-rw-r--r--lib/Vyatta/Conntrack/RuleIgnore.pm37
-rw-r--r--scripts/vyatta-conntrack-ignore.pl25
2 files changed, 47 insertions, 15 deletions
diff --git a/lib/Vyatta/Conntrack/RuleIgnore.pm b/lib/Vyatta/Conntrack/RuleIgnore.pm
index 7c3f668..27ed237 100644
--- a/lib/Vyatta/Conntrack/RuleIgnore.pm
+++ b/lib/Vyatta/Conntrack/RuleIgnore.pm
@@ -22,14 +22,13 @@ my $DEBUG = 'false';
sub rule {
my ( $self ) = @_;
- my ($rule, $srcrule, $dstrule, $err_str);
- my $tcp_and_udp = 0;
+ my ($rule1, $rule2, $srcrule, $dstrule, $err_str);
# set CLI rule num as comment
my @level_nodes = split (' ', $self->{_comment});
- $rule .= " -m comment --comment \"$level_nodes[2]-$level_nodes[4]\" ";
+ $rule1 .= " -m comment --comment \"$level_nodes[2]-$level_nodes[4]\" ";
if (defined($self->{_interface})) {
- $rule .= " -i $self->{_interface} ";
+ $rule1 .= " -i $self->{_interface} ";
}
($srcrule, $err_str) = $src->rule();
if (defined($err_str)) {
@@ -41,17 +40,33 @@ sub rule {
Vyatta::Config::outputError(["Conntrack"], "Conntrack config error: $err_str");
exit 1;
}
+
if (defined($self->{_protocol})) {
- if ($self->{_protocol} =~ m/^!/) {
- my $protocol = substr($self->{_protocol}, 1);
- $rule .= " ! -p $protocol";
+ if ($self->{_protocol} eq 'tcp_udp') {
+ $rule2 = $rule1;
+ #break protcol as tcp and udp, two rules
+ if ($self->{_protocol} =~ m/^!/) {
+ $rule1 .= " ! -p tcp";
+ $rule2 .= " ! -p udp";
+ } else {
+ $rule1 .= " -p tcp ";
+ $rule2 .= " -p udp ";
+ }
} else {
- $rule .= " -p $self->{_protocol}";
+ if ($self->{_protocol} =~ m/^!/) {
+ my $protocol = substr($self->{_protocol}, 1);
+ $rule1 .= " ! -p $protocol";
+ } else {
+ $rule1 .= " -p $self->{_protocol}";
+ }
}
}
-
- $rule .= " $srcrule $dstrule ";
- return $rule;
+
+ $rule1 .= " $srcrule $dstrule ";
+ if ($rule2) {
+ $rule2 .= " $srcrule $dstrule ";
+ }
+ return ($rule1, $rule2);
}
sub new {
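Review bot: The inner test `if ($self->{_protocol} =~ m/^!/)` inside the `eq 'tcp_udp'` branch can never be true, because the enclosing condition already requires the value to be exactly `tcp_udp`; a negated value such as `!tcp_udp`, if the CLI permits one, falls through to the else branch and emits `! -p tcp_udp`, which iptables does not accept. Even if that branch were reachable, splitting a negation into two NOTRACK rules (`! -p tcp` and `! -p udp`) would together match every packet, because each protocol is excluded by only one of the two rules, so the ignore rule would turn off connection tracking far more broadly than configured. Unless tcp_udp is guaranteed never to be negated, reject the negated form through the existing error path before building the rules, e.g. `if ($self->{_protocol} eq '!tcp_udp') { Vyatta::Config::outputError(["Conntrack"], "Conntrack config error: negated tcp_udp is not supported"); exit 1; }`, and drop the dead `! -p tcp` / `! -p udp` branch; the comment `#break protcol as tcp and udp, two rules` should read `# split tcp_udp into two rules, one for tcp and one for udp`. `sub rule` starts in the preceding hunk.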
diff --git a/scripts/vyatta-conntrack-ignore.pl b/scripts/vyatta-conntrack-ignore.pl
index 37a1534..80e745f 100644
--- a/scripts/vyatta-conntrack-ignore.pl
+++ b/scripts/vyatta-conntrack-ignore.pl
@@ -49,11 +49,18 @@ sub remove_ignore_policy {
}
sub apply_ignore_policy {
- my ($rule_string, $rule, $num_rules) = @_;
+ my ($rule_string1, $rule_string2, $rule, $num_rules) = @_;
# insert at num_rules + 1 as there are so many rules already.
my $iptables_cmd1 = "iptables -I VYATTA_CT_IGNORE $num_rules -t raw $rule_string -j NOTRACK";
$num_rules +=1;
my $iptables_cmd2 = "iptables -I VYATTA_CT_IGNORE $num_rules -t raw $rule_string -j RETURN";
+ $num_rules +=1;
+
+ if ($rule_string2) {
+ my $iptables_cmd3 = "iptables -I VYATTA_CT_IGNORE $num_rules -t raw $rule_string2 -j NOTRACK";
+ $num_rules +=1;
+ my $iptables_cmd4 = "iptables -I VYATTA_CT_IGNORE $num_rules -t raw $rule_string2 -j RETURN";
+ }
run_cmd($iptables_cmd1);
if ($? >> 8) {
print "$CTERROR failed to run $iptables_cmd1\n";
@@ -64,17 +71,27 @@ sub apply_ignore_policy {
print "$CTERROR failed to run $iptables_cmd2\n";
exit 1;
}
+ run_cmd($iptables_cmd3);
+ if ($? >> 8) {
+ print "$CTERROR failed to run $iptables_cmd3\n";
+ exit 1;
+ }
+ run_cmd($iptables_cmd4);
+ if ($? >> 8) {
+ print "$CTERROR failed to run $iptables_cmd4\n";
+ exit 1;
+ }
}
sub handle_rule_creation {
my ($rule, $num_rules) = @_;
my $node = new Vyatta::Conntrack::RuleIgnore;
- my ($rule_string);
+ my ($rule_string1, $rule_string2);
do_minimalrule_check($rule);
$node->setup("system conntrack ignore rule $rule");
- $rule_string = $node->rule();
- apply_ignore_policy($rule_string, $rule, $num_rules);
+ ($rule_string1, $rule_string2) = $node->rule();
+ apply_ignore_policy($rule_string1, $rule_string2, $rule, $num_rules);
}
# mandate atleast inbound interface / source ip / dest ip or protocol per rule
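Review bot: `$iptables_cmd3` and `$iptables_cmd4` are declared with `my` inside the `if ($rule_string2)` block of apply_ignore_policy (earlier hunk of this file), so the `run_cmd($iptables_cmd3)` and `run_cmd($iptables_cmd4)` calls added in this hunk refer to variables that are out of scope: with `use strict` (not visible here) the script no longer compiles, and without it both calls run unconditionally with an undefined command string, including for single-protocol rules that have no second rule string. The execution of the second-protocol commands also needs the same `if ($rule_string2)` guard as their construction, otherwise `$?` from an empty command decides whether the script exits. A compact fix is to collect the extra commands in a list that is only populated when `$rule_string2` is set and run them in one loop, which also removes the duplicated error-check block. The body of apply_ignore_policy starts in the preceding hunk.
```perl
    my @extra_cmds;
    if ($rule_string2) {
        push @extra_cmds, "iptables -I VYATTA_CT_IGNORE $num_rules -t raw $rule_string2 -j NOTRACK";
        $num_rules +=1;
        push @extra_cmds, "iptables -I VYATTA_CT_IGNORE $num_rules -t raw $rule_string2 -j RETURN";
    }
    # … unchanged: run_cmd($iptables_cmd1) / run_cmd($iptables_cmd2) and their error checks …
    for my $cmd (@extra_cmds) {
        run_cmd($cmd);
        if ($? >> 8) {
            print "$CTERROR failed to run $cmd\n";
            exit 1;
        }
    }
```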