From 18145aee4e7666013c44afb4bc9078051aec41b8 Mon Sep 17 00:00:00 2001
From: Gaurav Sinha
Date: Tue, 4 Sep 2012 13:31:48 -0700
Subject: tcp_udp support, initial changes
---
 scripts/vyatta-conntrack-ignore.pl | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)
(limited to 'scripts')
diff --git a/scripts/vyatta-conntrack-ignore.pl b/scripts/vyatta-conntrack-ignore.pl
index 37a1534..80e745f 100644
--- a/scripts/vyatta-conntrack-ignore.pl
+++ b/scripts/vyatta-conntrack-ignore.pl
@@ -49,11 +49,18 @@ sub remove_ignore_policy {
 }
 
 sub apply_ignore_policy {
- my ($rule_string, $rule, $num_rules) = @_;
+ my ($rule_string1, $rule_string2, $rule, $num_rules) = @_;
 # insert at num_rules + 1 as there are so many rules already.
 my $iptables_cmd1 = "iptables -I VYATTA_CT_IGNORE $num_rules -t raw $rule_string -j NOTRACK";
 $num_rules +=1;
 my $iptables_cmd2 = "iptables -I VYATTA_CT_IGNORE $num_rules -t raw $rule_string -j RETURN";
+ $num_rules +=1;
+
+ if ($rule_string2) {
+ my $iptables_cmd3 = "iptables -I VYATTA_CT_IGNORE $num_rules -t raw $rule_string2 -j NOTRACK";
+ $num_rules +=1;
+ my $iptables_cmd4 = "iptables -I VYATTA_CT_IGNORE $num_rules -t raw $rule_string2 -j RETURN";
+ }
 run_cmd($iptables_cmd1);
 if ($? >> 8) {
 print "$CTERROR failed to run $iptables_cmd1\n";
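Review bot: `$iptables_cmd1` and `$iptables_cmd2` still interpolate `$rule_string`, but the new parameter list unpacks into `$rule_string1`, so `$rule_string` is never assigned in this sub; if the script runs under `use strict` (the pragma is outside the hunk) this fails to compile, and without it both commands are built with an empty match, i.e. `iptables -I VYATTA_CT_IGNORE N -t raw  -j NOTRACK`, which exempts every packet from connection tracking instead of the one configured rule. The `my` declarations of `$iptables_cmd3` and `$iptables_cmd4` are also lexically scoped to the `if ($rule_string2)` block, so the `run_cmd` calls that use them later in the sub (outside this hunk) cannot see them. Declare both at sub scope and use `$rule_string1` for the first pair; the body of apply_ignore_policy continues past the end of this hunk.
```perl
    my ($rule_string1, $rule_string2, $rule, $num_rules) = @_;
    my $iptables_cmd1 = "iptables -I VYATTA_CT_IGNORE $num_rules -t raw $rule_string1 -j NOTRACK";
    $num_rules +=1;
    my $iptables_cmd2 = "iptables -I VYATTA_CT_IGNORE $num_rules -t raw $rule_string1 -j RETURN";
    $num_rules +=1;

    # declared at sub scope so the run_cmd calls further down can see them
    my ($iptables_cmd3, $iptables_cmd4);
    if ($rule_string2) {
        $iptables_cmd3 = "iptables -I VYATTA_CT_IGNORE $num_rules -t raw $rule_string2 -j NOTRACK";
        $num_rules +=1;
        $iptables_cmd4 = "iptables -I VYATTA_CT_IGNORE $num_rules -t raw $rule_string2 -j RETURN";
    }
    # … unchanged: run_cmd($iptables_cmd1) / $iptables_cmd2 and their error checks …
```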
@@ -64,17 +71,27 @@ sub apply_ignore_policy {
 print "$CTERROR failed to run $iptables_cmd2\n";
 exit 1;
 }
+ run_cmd($iptables_cmd3);
+ if ($? >> 8) {
+ print "$CTERROR failed to run $iptables_cmd3\n";
+ exit 1;
+ }
+ run_cmd($iptables_cmd4);
+ if ($? >> 8) {
+ print "$CTERROR failed to run $iptables_cmd4\n";
+ exit 1;
+ }
 }
 
 sub handle_rule_creation {
 my ($rule, $num_rules) = @_;
 my $node = new Vyatta::Conntrack::RuleIgnore;
- my ($rule_string);
+ my ($rule_string1, $rule_string2);
 do_minimalrule_check($rule);
 $node->setup("system conntrack ignore rule $rule");
- $rule_string = $node->rule();
- apply_ignore_policy($rule_string, $rule, $num_rules);
+ ($rule_string1, $rule_string2) = $node->rule();
+ apply_ignore_policy($rule_string1, $rule_string2, $rule, $num_rules);
 }
 
 # mandate atleast inbound interface / source ip / dest ip or protocol per rule
-- cgit v1.2.3
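Review bot: `run_cmd($iptables_cmd3)` and `run_cmd($iptables_cmd4)` run unconditionally, but those commands are only built when `$rule_string2` is true earlier in apply_ignore_policy (whose start lies outside this hunk), so a rule that yields a single match string reaches `run_cmd` with an undefined argument, and what `run_cmd` does with an empty command is not visible here. Wrap the two new blocks in `if ($rule_string2) { … }` so the second NOTRACK/RETURN pair is inserted only when a second match string exists. In handle_rule_creation the new list assignment `($rule_string1, $rule_string2) = $node->rule();` relies on `rule()` now returning a list, and that change is not in this diff, so it should land together with it. Note also that a failure on cmd3 or cmd4 exits after cmd1/cmd2 have already been inserted, leaving a half-applied ignore rule in VYATTA_CT_IGNORE with no cleanup.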