-rw-r--r-- | debian/changelog | 18 | ||||
-rw-r--r-- | lib/Vyatta/Conntrack/ConntrackUtil.pm | 17 | ||||
-rw-r--r-- | scripts/vyatta-conntrack-timeouts.pl | 12 | ||||
-rwxr-xr-x | scripts/vyatta-show-conntrack.pl | 9 |
4 files changed, 47 insertions, 9 deletions
diff --git a/debian/changelog b/debian/changelog
index 47e89da..007aaa1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+vyatta-conntrack (0.36) unstable; urgency=low
+
+ * Fix nfct path as per new packaging due to cthelper
+
+ -- Gaurav Sinha <gaurav.sinha@vyatta.com> Tue, 05 Jun 2012 22:05:11 -0700
+
+vyatta-conntrack (0.35) unstable; urgency=low
+
+ * fixing 7998
+
+ -- Gaurav Sinha <gaurav.sinha@vyatta.com> Mon, 16 Apr 2012 11:11:07 -0700
+
+vyatta-conntrack (0.34) unstable; urgency=low
+
+ * fixing bug 7861, resolve protocol name from /etc/protocols.
+
+ -- Gaurav <gaurav.sinha@vyatta.com> Mon, 09 Apr 2012 18:07:47 -0700
+
 vyatta-conntrack (0.33) unstable; urgency=low
 
  * introducing CT_TIMEOUT chain with related fixes.
diff --git a/lib/Vyatta/Conntrack/ConntrackUtil.pm b/lib/Vyatta/Conntrack/ConntrackUtil.pm
index c256bd6..bdc4961 100644
--- a/lib/Vyatta/Conntrack/ConntrackUtil.pm
+++ b/lib/Vyatta/Conntrack/ConntrackUtil.pm
@@ -26,7 +26,22 @@ package Vyatta::Conntrack::ConntrackUtil;
 use Vyatta::IpTables::Mgr;
 use base qw(Exporter);
-our @EXPORT = qw(check_for_conntrack_hooks, check_and_add_helpers);
+
+sub process_protocols {
+ my $proto = undef;
+ my %proto_hash = ();
+ my $PROTO_FILE = '/etc/protocols';
+ # do nothing if can't open
+ return if (!open($proto, $PROTO_FILE));
+ while (<$proto>) {
+ next if (/^\s*#/);
+ next if (!/^\S+\s+(\d+)\s+(\S+)\s/);
+ $proto_hash{$1} = $2;
+ }
+ close $proto;
+ return \%proto_hash;
+}
+our @EXPORT = qw(check_for_conntrack_hooks, process_protocols, check_and_add_helpers);
 
 #function to find if connection tracking is enabled.
 #looks in the iptables to see if any of the features introduced
diff --git a/scripts/vyatta-conntrack-timeouts.pl b/scripts/vyatta-conntrack-timeouts.pl
index bf36410..3ab96c2 100644
--- a/scripts/vyatta-conntrack-timeouts.pl
+++ b/scripts/vyatta-conntrack-timeouts.pl
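Review bot: The new export list `qw(check_for_conntrack_hooks, process_protocols, check_and_add_helpers)` keeps commas inside `qw()`, so the exported names are literally `check_for_conntrack_hooks,` and `process_protocols,` (Perl warns "Possible attempt to separate words with commas"); unless callers use the fully qualified name, `process_protocols()` called from vyatta-show-conntrack.pl resolves to an undefined sub. The fix is `our @EXPORT = qw(check_for_conntrack_hooks process_protocols check_and_add_helpers);`. In `process_protocols`, `open($proto, $PROTO_FILE)` is the two-argument form; `$PROTO_FILE` is a fixed literal here so nothing untrusted reaches the mode parsing, but `open(my $proto, '<', $PROTO_FILE) or return;` is the conventional form and keeps the handle lexical to the sub. The sub also answers with a bare `return` (undef / empty list) when the file cannot be opened, which every caller must check before dereferencing; a header comment such as `# Parse /etc/protocols into { number => NAME }; returns nothing if the file cannot be read.` would make that contract explicit.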
@@ -19,7 +19,7 @@ my $debug_flag = 0; # Enable sending debug output to syslog.
 my $syslog_flag = 0;
-my $nfct = "sudo /opt/vyatta/sbin/nfct";
+my $nfct = "sudo /usr/sbin/nfct";
 my ($create, $delete, $update);
 my $CTERROR = "Conntrack timeout error:";
 GetOptions("create=s" => \$create,
@@ -67,8 +67,8 @@ sub remove_timeout_policy {
 my ($rule_string, $timeout_policy) = @_;
 my @tokens = split (' ', $timeout_policy);
 # First remove the iptables rules before removing policy.
- my $iptables_cmd1 = "iptables -D CT_TIMEOUT -t raw $rule_string -j CT --timeout $tokens[0]";
- my $iptables_cmd2 = "iptables -D CT_TIMEOUT -t raw $rule_string -j RETURN";
+ my $iptables_cmd1 = "iptables -D VYATTA_CT_TIMEOUT -t raw $rule_string -j CT --timeout $tokens[0]";
+ my $iptables_cmd2 = "iptables -D VYATTA_CT_TIMEOUT -t raw $rule_string -j RETURN";
 my $nfct_timeout_cmd = "$nfct timeout delete $timeout_policy";
 run_cmd($iptables_cmd2);
 if ($? >> 8) {
@@ -88,7 +88,7 @@ sub remove_timeout_policy {
 # nfct-timeout create policy1 tcp established 1200 close-wait 100 fin-wait 10
 # iptables -I PREROUTING -t raw -s 1.1.1.1 -d 2.2.2.2 -j CT --timeout policy1
 #
-# we have a chain setup, i.e. CT_TIMEOUT chain. Insert rule with timeout policy
+# we have a chain setup, i.e. VYATTA_CT_TIMEOUT chain. Insert rule with timeout policy
 # in the chain followed by another rule with matching 5 tuple to allow return
 # from the point CT target matched. CT is non terminating and we want to keep
 # behavior consistent with firewall, NAT etc.
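Review bot: The chain rename to `VYATTA_CT_TIMEOUT` in the `-D` commands of the @@ -67 hunk (and in the `-I` commands of the @@ -97 hunk) is only consistent if the chain is created under that name too; the creation side is not in this diff, so confirm it, since a mismatch makes every `run_cmd` return non-zero and takes the `$CTERROR` path. Separately, `$iptables_cmd1` and `$iptables_cmd2` are still built as single strings with `$rule_string` and `$tokens[0]` interpolated; if `run_cmd` (not visible here) hands them to a shell, configuration-derived values reach the shell unquoted, and a list form such as `system('iptables', '-D', 'VYATTA_CT_TIMEOUT', '-t', 'raw', @rule_args, '-j', 'RETURN')` would avoid that, though `$rule_string` would then have to be carried as a list rather than a string. `remove_timeout_policy` begins before and continues after this hunk.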
@@ -97,9 +97,9 @@ sub apply_timeout_policy {
 my $nfct_timeout_cmd = "$nfct timeout add $timeout_policy";
 my @tokens = split (' ', $timeout_policy);
 # insert at num_rules + 1 as there are so many rules already.
- my $iptables_cmd1 = "iptables -I CT_TIMEOUT $num_rules -t raw $rule_string -j CT --timeout $tokens[0]";
+ my $iptables_cmd1 = "iptables -I VYATTA_CT_TIMEOUT $num_rules -t raw $rule_string -j CT --timeout $tokens[0]";
 $num_rules +=1;
- my $iptables_cmd2 = "iptables -I CT_TIMEOUT $num_rules -t raw $rule_string -j RETURN";
+ my $iptables_cmd2 = "iptables -I VYATTA_CT_TIMEOUT $num_rules -t raw $rule_string -j RETURN";
 run_cmd($nfct_timeout_cmd);
 if ($? >> 8) {
 print "$CTERROR failed to run $nfct_timeout_cmd\n";
diff --git a/scripts/vyatta-show-conntrack.pl b/scripts/vyatta-show-conntrack.pl
index 57a9799..e5b2629 100755
--- a/scripts/vyatta-show-conntrack.pl
+++ b/scripts/vyatta-show-conntrack.pl
@@ -36,8 +36,9 @@ use strict;
 use Switch;
 use Vyatta::TypeChecker;
-my $format = "%-10s %-22s %-22s %-12s %-20s\n";
-my $format_IPv6 = "%-10s %-40s %-40s %-12s %-20s\n";
+my $format = "%-10s %-22s %-22s %-16s %-20s\n";
+my $format_IPv6 = "%-10s %-40s %-40s %-16s %-20s\n";
+my $href; #reference to hash containing protocol-num to name key-value pairs
 sub print_xml {
 my ($data, $cache, $family) = @_;
@@ -45,6 +46,7 @@ sub print_xml {
 my %flowh;
 my $tcount = 0;
+ $href = process_protocols();
 while (1) {
 my $meta = 0;
 last if ! defined $data->{flow}[$flow];
@@ -67,6 +69,9 @@ sub print_xml {
 $dport{$dir} = $l4_ref->{dport}[0];
 $proto{$dir} = $l4_ref->{protoname};
 $protonum{$dir} = $l4_ref->{protonum};
+ if (($proto{$dir} eq 'unknown') and (defined($protonum{$dir}))) {
+ $proto{$dir} = lc(${$href}{$protonum{$dir}});
+ }
 }
 }
 } elsif ($dir eq 'independent') {
|
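Review bot: `lc(${$href}{$protonum{$dir}})` in the @@ -67 hunk is evaluated even when `process_protocols()` returned nothing (it answers with a bare `return` if /etc/protocols cannot be opened) or when the number is absent from the table; `lc(undef)` yields `''` with an uninitialized-value warning, so the displayed protocol changes from `unknown` to an empty field instead of staying `unknown`. Guard the lookup: `if ($proto{$dir} eq 'unknown' and defined $protonum{$dir}` / `    and defined $href and defined $href->{$protonum{$dir}}) {` / `    $proto{$dir} = lc $href->{$protonum{$dir}};`. In the @@ -45 hunk, `$href = process_protocols();` re-reads /etc/protocols on every `print_xml` call; `$href = process_protocols() unless defined $href;` lets the file-scoped variable act as the cache its declaring comment suggests. `print_xml` begins before and continues after these hunks.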