From 9e223d59f58be5be60f2443c44d5386c88c89930 Mon Sep 17 00:00:00 2001 From: Gaurav Sinha Date: Mon, 14 Nov 2011 16:30:41 -0800 Subject: Bug 7411: Initial commit for conntrack entry deletion / show op mode commands --- scripts/vyatta-delete-conntrack.pl | 211 ++++++++++++++++++++++++++++++++++ scripts/vyatta-show-conntrack.pl | 224 +++++++++++++++++++++++++++++++++++++ 2 files changed, 435 insertions(+) create mode 100755 scripts/vyatta-delete-conntrack.pl create mode 100755 scripts/vyatta-show-conntrack.pl (limited to 'scripts') diff --git a/scripts/vyatta-delete-conntrack.pl b/scripts/vyatta-delete-conntrack.pl new file mode 100755 index 0000000..516635f --- /dev/null +++ b/scripts/vyatta-delete-conntrack.pl 
@@ -0,0 +1,211 @@ +#!/usr/bin/perl +# +# Module: vyatta-delete-conntrack.pl +# +# **** License **** +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# This code was originally developed by Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2010 Vyatta, Inc. +# All Rights Reserved. +# +# Author: Gaurav Sinha +# Date: Oct 2011 +# Description: Script to delete conntrack entries based on the input +# delete command. +# +# **** End License **** +# + +use Getopt::Long; +use warnings; +use strict; +use XML::Simple; +use Data::Dumper; +use POSIX; +use lib "/opt/vyatta/share/perl5"; +use Vyatta::Misc; +use Sys::Syslog qw(:standard :macros); + +my $format = "Connection ID %-10s Source IP %-22s Destination IP %-22s Protocol %-12s\n"; + +sub add_xml_root { + my $xml = shift; + + $xml = "\n" . $xml . ''; + return $xml; +} + +sub print_data_from_xml { + my ($data, $cache) = @_; + + my $flow = 0; + + my %flowh; + my $tcount = 0; + print "Deleting following Conntrack entries\n\n"; + #open syslog + openlog($0, "", LOG_USER); + while (1) { + my $meta = 0; + last if ! defined $data->{flow}[$flow]; + my $flow_ref = $data->{flow}[$flow]; + my $flow_type = $flow_ref->{type}; + my (%src, %dst, %sport, %dport, %proto, %protonum, $timeout_ref, $connection_id_ref, + $state_connection_ref); + while (1) { + my $meta_ref = $flow_ref->{meta}[$meta]; + last if ! 
defined $meta_ref; + my $dir = $meta_ref->{direction}; + if ($dir eq 'original' or $dir eq 'reply') { + my $l3_ref = $meta_ref->{layer3}[0]; + my $l4_ref = $meta_ref->{layer4}[0]; + if (defined $l3_ref) { + $src{$dir} = $l3_ref->{src}[0]; + $dst{$dir} = $l3_ref->{dst}[0]; + if (defined $l4_ref) { + $sport{$dir} = $l4_ref->{sport}[0]; + $dport{$dir} = $l4_ref->{dport}[0]; + $proto{$dir} = $l4_ref->{protoname}; + $protonum{$dir} = $l4_ref->{protonum}; + } + } + } elsif ($dir eq 'independent') { + $timeout_ref = $meta_ref->{timeout}[0]; + $connection_id_ref = $meta_ref->{id}[0]; + $state_connection_ref = $meta_ref->{state}[0]; + } + $meta++; + } + my ($proto, $protonum, $in_src, $in_dst, $out_src, $out_dst, $connection_id, + $timeout, $state_connection); + $proto = $proto{original}; + $protonum = $protonum{original}; + $in_src = "$src{original}"; + $in_src .= ":$sport{original}" if defined $sport{original}; + $in_dst = "$dst{original}"; + $in_dst .= ":$dport{original}" if defined $dport{original}; + $connection_id = "$connection_id_ref"; + $timeout = "$timeout_ref"; + + if ($state_connection_ref) { + $state_connection = "$state_connection_ref"; + } + + # not using these for now + $out_src = "|$dst{reply}|"; + $out_src .= ":$dport{reply}" if defined $dport{reply}; + $out_dst = "|$src{reply}|"; + $out_dst .= ":$sport{reply}" if defined $sport{reply}; + + my $protocol = $proto . ' [' . $protonum . ']'; + printf($format, $connection_id ,$in_src, $in_dst, $protocol); + syslog("info", "Deleting Conntrack entry:conn-id $connection_id, src. IP $in_src, dest. 
IP $in_dst, protocol $protocol"); + $flow++; + } + #close syslog + closelog(); + return $flow; +} + +# +# main +# + +my ($sourceIP, $destIP, $family, $connection_ID); + +GetOptions("source_IP=s" => \$sourceIP, + "dest_IP=s" => \$destIP, + "family=s" => \$family, + "id=i" => \$connection_ID, +); + +my $xs = XML::Simple->new(ForceArray => 1, KeepRoot => 0); +my ($xml1, $xml2, $data); + +my $command_prefix = "sudo conntrack -D"; +my ($command, $sourcePort, $destPort); + +if ($family) { + $command .= " --family $family"; +} + +if (defined($connection_ID)) { + $command .= " -i $connection_ID"; +} + +if ($family eq "ipv4") { + if ((defined $sourceIP) and $sourceIP =~ m/:/) { + #IP address and port entered, are of the form IP:port + my @address = split(/:/, $sourceIP); + $sourceIP = $address[0]; + $sourcePort = $address[1]; + my( $success, $err ) = isValidPortNumber($sourcePort); + if(!defined($success)) { + die "Please enter a valid source port number\n"; + } + $command .= " --orig-port-src $sourcePort"; + } + + if ((defined $destIP) and $destIP =~ m/:/) { + my @address = split(/:/, $destIP); + $destIP = $address[0]; + $destPort = $address[1]; + my( $success, $err ) = isValidPortNumber($destPort); + if(!defined($success)) { + die "Please enter a valid destination port number\n"; + } + $command .= " --orig-port-dst $destPort"; + } + + if ((defined $sourceIP) and !($sourceIP eq "0.0.0.0")) { + # Check if IP address is a valid IPv4 address + if (!(isIpAddress($sourceIP))) { + die "Please enter a valid source IPv4 address\n"; + } + #If IP is any, do not add anything to command. + $command .= " -s $sourceIP"; + } + + if ((defined $destIP) and !($destIP eq "0.0.0.0")) { + # Check if IP address is a valid IPv4 address + if (!(isIpAddress($destIP))) { + die "Please enter a valid destination IPv4 address\n"; + } + $command .= " -d $destIP"; + } +} else { + #family IPv6 not supported, placeholder for v6 code. 
+} + +$command .= " -o xml"; +if ((defined($destPort)) or (defined($sourcePort))) { + my $command_final = $command_prefix." -p tcp".$command; + $xml1 = `$command_final 2> /dev/null`; + + #Execute the command for UDP as well. + $command_final = $command_prefix." -p udp".$command; + $xml2 = `$command_final 2> /dev/null`; +} else { + my $command_final = $command_prefix.$command; + $xml1 = `$command_final 2> /dev/null`; +} +# print data received from conntrack command as xml. +if ($xml1) { + $xml1 = add_xml_root($xml1); + $data = $xs->XMLin($xml1); + print_data_from_xml($data); +} +if ($xml2) { + $xml2 = add_xml_root($xml2); + $data = $xs->XMLin($xml2); + print_data_from_xml($data); +} +# end of file diff --git a/scripts/vyatta-show-conntrack.pl b/scripts/vyatta-show-conntrack.pl new file mode 100755 index 0000000..6a461f8 --- /dev/null +++ b/scripts/vyatta-show-conntrack.pl 
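Review bot: `$family` is interpolated into `$command` (` --family $family`) after nothing more than a truthiness check and the resulting string is handed to the shell by backticks, so a value other than `ipv4`/`ipv6` is neither rejected nor escaped; the same applies to `my $command = " --family $family";` in the show script in the next file section. An allow-list right after GetOptions closes that gap, `die "Unsupported address family\n" unless defined $family and $family =~ m/\A(?:ipv4|ipv6)\z/;`, and running conntrack through list-form `open my $fh, '-|', 'sudo', 'conntrack', @args` instead of one interpolated string removes the shell from the path entirely. The backtick calls also send stderr to /dev/null and never look at `$?`, so a failing conntrack invocation is indistinguishable from an empty table. `$cache`, `%flowh`, `$tcount`, `$flow_type`, `$out_src`/`$out_dst` and the Data::Dumper import are unused.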
@@ -0,0 +1,224 @@ +#!/usr/bin/perl +# +# Module: vyatta-show-conntrack.pl +# +# **** License **** +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# This code was originally developed by Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2010 Vyatta, Inc. +# All Rights Reserved. +# +# Author: Gaurav Sinha +# Date: Oct 2011 +# Description: Script to show conntrack entries based on the input +# show command. +# +# **** End License **** +# +use Getopt::Long; +use XML::Simple; +use Data::Dumper; +use POSIX; +use lib "/opt/vyatta/share/perl5"; +use Vyatta::Misc; +use warnings; +use strict; +use Switch; + +my $format = "%-10s %-22s %-22s %-12s %-20s\n"; + +sub print_xml { + my ($data, $cache) = @_; + + my $flow = 0; + + my %flowh; + my $tcount = 0; + while (1) { + my $meta = 0; + last if ! defined $data->{flow}[$flow]; + my $flow_ref = $data->{flow}[$flow]; + my $flow_type = $flow_ref->{type}; + my (%src, %dst, %sport, %dport, %proto, %protonum, $timeout_ref, $connection_id_ref, + $state_connection_ref); + while (1) { + my $meta_ref = $flow_ref->{meta}[$meta]; + last if ! 
defined $meta_ref; + my $dir = $meta_ref->{direction}; + if ($dir eq 'original' or $dir eq 'reply') { + my $l3_ref = $meta_ref->{layer3}[0]; + my $l4_ref = $meta_ref->{layer4}[0]; + if (defined $l3_ref) { + $src{$dir} = $l3_ref->{src}[0]; + $dst{$dir} = $l3_ref->{dst}[0]; + if (defined $l4_ref) { + $sport{$dir} = $l4_ref->{sport}[0]; + $dport{$dir} = $l4_ref->{dport}[0]; + $proto{$dir} = $l4_ref->{protoname}; + $protonum{$dir} = $l4_ref->{protonum}; + } + } + } elsif ($dir eq 'independent') { + $timeout_ref = $meta_ref->{timeout}[0]; + $connection_id_ref = $meta_ref->{id}[0]; + $state_connection_ref = $meta_ref->{state}[0]; + } + $meta++; + } + my ($proto, $protonum, $in_src, $in_dst, $out_src, $out_dst, $connection_id, + $timeout, $state_connection); + $proto = $proto{original}; + $protonum = $protonum{original}; + $in_src = "$src{original}"; + $in_src .= ":$sport{original}" if defined $sport{original}; + $in_dst = "$dst{original}"; + $in_dst .= ":$dport{original}" if defined $dport{original}; + $connection_id = "$connection_id_ref"; + $timeout = "$timeout_ref"; + + if ($state_connection_ref) { + $state_connection = "$state_connection_ref"; + } + + # not using these for now + $out_src = "|$dst{reply}|"; + $out_src .= ":$dport{reply}" if defined $dport{reply}; + $out_dst = "|$src{reply}|"; + $out_dst .= ":$sport{reply}" if defined $sport{reply}; + + my $protocol = $proto . ' [' . $protonum . 
']'; + if ($state_connection) { + switch($state_connection) { + case ("ESTABLISHED") { + $protocol .= " ES"; + } + case ("SYN_SENT") { + $protocol .= " SS"; + } + case ("SYN_RECV") { + $protocol .= " SR"; + } + case ("FIN_WAIT") { + $protocol .= " FW"; + } + case ("CLOSE_WAIT") { + $protocol .= " CW"; + } + case ("LAST_ACK") { + $protocol .= " LA"; + } + case ("TIME_WAIT") { + $protocol .= " TW"; + } + case ("CLOSED") { + $protocol .= " CL"; + } + case ("LISTEN") { + $protocol .= " LI"; + } + } + } + printf($format, $connection_id ,$in_src, $in_dst, $protocol, $timeout); + $flow++; + } + return $flow; +} + +# +# main +# + +my ($sourceIP, $destIP, $family); + +GetOptions("source_IP=s" => \$sourceIP, + "dest_IP=s" => \$destIP, + "family=s" => \$family, +); + +my $xs = XML::Simple->new(ForceArray => 1, KeepRoot => 0); +my ($xml1, $xml2, $data); + +#build command string using . +my $command_prefix = "sudo conntrack -L"; +my $command = " --family $family"; + +my ($sourcePort, $destPort); +if ($family eq "ipv4") { + if ((defined $sourceIP) and $sourceIP =~ m/:/) { + #IP address and port entered, are of the form IP:port + my @address = split(/:/, $sourceIP); + $sourceIP = $address[0]; + $sourcePort = $address[1]; + my( $success, $err ) = isValidPortNumber($sourcePort); + if(!defined($success)) { + die "Please enter a valid source port number\n"; + } + $command .= " --orig-port-src $sourcePort"; + } + + if ((defined $destIP) and $destIP =~ m/:/) { + my @address = split(/:/, $destIP); + $destIP = $address[0]; + $destPort = $address[1]; + my( $success, $err ) = isValidPortNumber($destPort); + if(!defined($success)) { + die "Please enter a valid destination port number\n"; + } + $command .= " --orig-port-dst $destPort"; + } + + if ((defined $sourceIP) and !($sourceIP eq "0.0.0.0")) { + # Check if IP address is a valid IPv4 address + if (!(isIpAddress($sourceIP))) { + die "Please enter a valid source IPv4 address\n"; + } + #If IP is any, do not add anything to command. 
+ $command .= " -s $sourceIP"; + } + + if ((defined $destIP) and !($destIP eq "0.0.0.0")) { + # Check if IP address is a valid IPv4 address + if (!(isIpAddress($destIP))) { + die "Please enter a valid destination IPv4 address\n"; + } + $command .= " -d $destIP"; + } +} else { + #family IPv6 not supported, placeholder for v6 code. +} + +$command .= " -o xml"; +print "TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED,\n"; +print " FW - FIN WAIT, CW - CLOSE WAIT, LA - LAST ACK,\n"; +print " TW - TIME WAIT, CL - CLOSE, LI - LISTEN\n\n"; + +printf($format, 'CONN ID', 'Source', 'Destination', 'Protocol', 'TIMEOUT'); +if ((defined($destPort)) or (defined($sourcePort))) { + my $command_final = $command_prefix." -p tcp".$command; + $xml1 = `$command_final 2> /dev/null`; + + #Execute the command for UDP as well. + $command_final = $command_prefix." -p udp".$command; + $xml2 = `$command_final 2> /dev/null`; +} else { + my $command_final = $command_prefix.$command; + $xml1 = `$command_final 2> /dev/null`; +} + +if ($xml1) { + $data = $xs->XMLin($xml1); + print_xml($data); +} +if ($xml2) { + $data = $xs->XMLin($xml2); + print_xml($data); +} +# end of file -- cgit v1.2.3 From 03abd03326370e9b900bc0927452ae1bee841e80 Mon Sep 17 00:00:00 2001 From: Gaurav Sinha Date: Tue, 15 Nov 2011 11:39:40 -0800 Subject: Bug 7411: improving validations for IPv4 address / port combinations for conntrack --- scripts/vyatta-delete-conntrack.pl | 28 ++++++++++++++++++++++++++-- scripts/vyatta-show-conntrack.pl | 26 ++++++++++++++++++++++++-- 2 files changed, 50 insertions(+), 4 deletions(-) (limited to 'scripts') diff --git a/scripts/vyatta-delete-conntrack.pl b/scripts/vyatta-delete-conntrack.pl index 516635f..a465c11 100755 --- a/scripts/vyatta-delete-conntrack.pl +++ b/scripts/vyatta-delete-conntrack.pl 
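Review bot: The TCP-state abbreviation in print_xml is the only use of `Switch`, a source-filter module that was deprecated in Perl 5.12 and dropped from the core distribution in 5.14; a hash lookup does the same `eq` matching without a source filter and in a fraction of the lines. The nine `case` blocks collapse to the table below, declared next to `$format`, with the `if ($state_connection)` guard kept so the hash is only consulted when a state is present. The unused variables in the same function (`$cache`, `%flowh`, `$tcount`, `$flow_type`, `$out_src`, `$out_dst`) can go at the same time.
```perl
my %state_abbr_of = (
    ESTABLISHED => 'ES', SYN_SENT   => 'SS', SYN_RECV => 'SR',
    FIN_WAIT    => 'FW', CLOSE_WAIT => 'CW', LAST_ACK => 'LA',
    TIME_WAIT   => 'TW', CLOSED     => 'CL', LISTEN   => 'LI',
);

# … unchanged: print_xml up to and including the per-flow field extraction …
    my $protocol = $proto . ' [' . $protonum . ']';
    if ($state_connection and exists $state_abbr_of{$state_connection}) {
        $protocol .= " $state_abbr_of{$state_connection}";
    }
    printf($format, $connection_id ,$in_src, $in_dst, $protocol, $timeout);
# … unchanged: loop increment and return …
```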
@@ -147,9 +147,21 @@ if ($family eq "ipv4") { my @address = split(/:/, $sourceIP); $sourceIP = $address[0]; $sourcePort = $address[1]; + + #Validate the entered IP and port my( $success, $err ) = isValidPortNumber($sourcePort); + if (!(isIpAddress($sourceIP))and !($sourceIP eq "0.0.0.0")) { + if(!defined($success)) { + #both IP and port are invalid + die "Please enter a valid source IPv4 address and port \n"; + } else { + #only IP is invalid + die "Please enter a valid source IPv4 address\n"; + } + } if(!defined($success)) { - die "Please enter a valid source port number\n"; + #port is invalid + die "Please enter a valid source port \n"; } $command .= " --orig-port-src $sourcePort"; } @@ -158,9 +170,21 @@ if ($family eq "ipv4") { my @address = split(/:/, $destIP); $destIP = $address[0]; $destPort = $address[1]; + + #Validate the entered IP and port my( $success, $err ) = isValidPortNumber($destPort); + if (!(isIpAddress($destIP))and !($destIP eq "0.0.0.0")) { + if(!defined($success)) { + #both IP and port are invalid + die "Please enter a valid destination IPv4 address and port \n"; + } else { + #only IP is invalid + die "Please enter a valid destination IPv4 address\n"; + } + } if(!defined($success)) { - die "Please enter a valid destination port number\n"; + #port is invalid + die "Please enter a valid destination port \n"; } $command .= " --orig-port-dst $destPort"; } diff --git a/scripts/vyatta-show-conntrack.pl b/scripts/vyatta-show-conntrack.pl index 6a461f8..7dfa196 100755 --- a/scripts/vyatta-show-conntrack.pl +++ b/scripts/vyatta-show-conntrack.pl 
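Review bot: Both new validation blocks capture `$err` from isValidPortNumber and then discard it, and the new combined-message and port-message `die` strings end in a space before `\n` (`"... and port \n"`, `"... port \n"`), which shows up as trailing whitespace in the CLI output; the same two points apply to the two hunks in the show script below. If `$err` carries the reason for the failure (not visible here), `die "Please enter a valid source port: $err\n";` gives the operator something actionable at no cost. The new `isIpAddress` check inside the `IP:port` branch also repeats the one that already runs a few lines later for every defined `$sourceIP`, so the combined message is the only thing it adds. The enclosing `if ($family eq "ipv4")` starts outside both hunks.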
@@ -157,9 +157,21 @@ if ($family eq "ipv4") { my @address = split(/:/, $sourceIP); $sourceIP = $address[0]; $sourcePort = $address[1]; + + # Check if IP address is a valid IPv4 address my( $success, $err ) = isValidPortNumber($sourcePort); + if (!(isIpAddress($sourceIP))and !($sourceIP eq "0.0.0.0")) { + if(!defined($success)) { + #both IP and port are invalid + die "Please enter a valid source IPv4 address and port \n"; + } else { + #only IP is invalid + die "Please enter a valid source IPv4 address\n"; + } + } if(!defined($success)) { - die "Please enter a valid source port number\n"; + #port is invalid + die "Please enter a valid source port \n"; } $command .= " --orig-port-src $sourcePort"; } @@ -169,8 +181,18 @@ if ($family eq "ipv4") { $destIP = $address[0]; $destPort = $address[1]; my( $success, $err ) = isValidPortNumber($destPort); + if (!(isIpAddress($destIP))and !($destIP eq "0.0.0.0")) { + if(!defined($success)) { + #both IP and port are invalid + die "Please enter a valid destination IPv4 address and port \n"; + } else { + #only IP is invalid + die "Please enter a valid destination IPv4 address\n"; + } + } if(!defined($success)) { - die "Please enter a valid destination port number\n"; + #port is invalid + die "Please enter a valid destination port \n"; } $command .= " --orig-port-dst $destPort"; } -- cgit v1.2.3 From 7e81c147324fc173e01edfbe1f09f28af6fc71dc Mon Sep 17 00:00:00 2001 
From: Gaurav Sinha Date: Wed, 16 Nov 2011 11:49:20 -0800 Subject: bug 7411:Added initial code for IPv6, templates and script --- scripts/vyatta-delete-conntrack.pl | 1 + scripts/vyatta-show-conntrack.pl | 48 +++++++++++++++++++++- .../delete/conntrack/table/ipv6/conn-id/node.def | 1 + .../conntrack/table/ipv6/conn-id/node.tag/node.def | 3 ++ templates-op/delete/conntrack/table/ipv6/node.def | 1 + .../delete/conntrack/table/ipv6/source/node.def | 1 + .../ipv6/source/node.tag/destination/node.def | 1 + .../source/node.tag/destination/node.tag/node.def | 3 ++ .../conntrack/table/ipv6/source/node.tag/node.def | 3 ++ .../ipv4/source/node.tag/destination/node.def | 2 +- templates-op/show/conntrack/table/ipv6/node.def | 2 + .../show/conntrack/table/ipv6/source/node.def | 1 + .../ipv6/source/node.tag/destination/node.def | 3 ++ .../source/node.tag/destination/node.tag/node.def | 3 ++ .../conntrack/table/ipv6/source/node.tag/node.def | 3 ++ 15 files changed, 74 insertions(+), 2 deletions(-) create mode 100644 templates-op/delete/conntrack/table/ipv6/conn-id/node.def create mode 100644 templates-op/delete/conntrack/table/ipv6/conn-id/node.tag/node.def create mode 100644 templates-op/delete/conntrack/table/ipv6/node.def create mode 100644 templates-op/delete/conntrack/table/ipv6/source/node.def create mode 100644 templates-op/delete/conntrack/table/ipv6/source/node.tag/destination/node.def create mode 100644 templates-op/delete/conntrack/table/ipv6/source/node.tag/destination/node.tag/node.def create mode 100644 templates-op/delete/conntrack/table/ipv6/source/node.tag/node.def create mode 100644 templates-op/show/conntrack/table/ipv6/node.def create mode 100644 templates-op/show/conntrack/table/ipv6/source/node.def create mode 100644 templates-op/show/conntrack/table/ipv6/source/node.tag/destination/node.def create mode 100644 templates-op/show/conntrack/table/ipv6/source/node.tag/destination/node.tag/node.def create mode 100644 
templates-op/show/conntrack/table/ipv6/source/node.tag/node.def (limited to 'scripts') diff --git a/scripts/vyatta-delete-conntrack.pl b/scripts/vyatta-delete-conntrack.pl index a465c11..8ca4738 100755 --- a/scripts/vyatta-delete-conntrack.pl +++ b/scripts/vyatta-delete-conntrack.pl @@ -207,6 +207,7 @@ if ($family eq "ipv4") { } } else { #family IPv6 not supported, placeholder for v6 code. + die "IPv6 Conntrack commands are not supported yet\n"; } $command .= " -o xml"; diff --git a/scripts/vyatta-show-conntrack.pl b/scripts/vyatta-show-conntrack.pl index 7dfa196..cad954b 100755 --- a/scripts/vyatta-show-conntrack.pl +++ b/scripts/vyatta-show-conntrack.pl @@ -32,6 +32,7 @@ use Vyatta::Misc; use warnings; use strict; use Switch; +use Vyatta::TypeChecker; my $format = "%-10s %-22s %-22s %-12s %-20s\n"; 
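Review bot: The new `die` sits in the `else` of `if ($family eq "ipv4")`, so it fires for any `$family` other than `ipv4` — including an unset `--family`, which also triggers an uninitialized-value warning on the `eq` — and the message then wrongly blames IPv6. Naming what is accepted is more accurate: `die "Unsupported address family; only ipv4 is supported at the moment\n";`. The enclosing `if`/`else` starts outside the hunk.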
@@ -214,7 +215,52 @@ if ($family eq "ipv4") { $command .= " -d $destIP"; } } else { - #family IPv6 not supported, placeholder for v6 code. + #placeholder for v6 code. + die "IPv6 Conntrack commands are not supported yet\n"; + if (defined $sourceIP) { + if (($sourceIP =~ m/]/)) { + my @address = split(/]/, $sourceIP); + if (@address) { + $sourceIP = substr($address[0], 1); + $sourcePort = substr($address[1], 1); + my( $success, $err ) = isValidPortNumber($sourcePort); + if (validateType('ipv6', $sourceIP)) { + #Valid ipv6 address. + } else { + if(!defined($success)) { + die "Please enter a valid source IPv6 address and port \n"; + } + } + if(!defined($success)) { + die "Please enter a valid source port \n"; + } + $command .= " -s $sourceIP --orig-port-src $sourcePort"; + print "IP $sourceIP port $sourcePort\n"; + } + } + } + if (defined $destIP) { + if (($destIP =~ m/]/)) { + my @address = split(/]/, $destIP); + if (@address) { + $destIP = substr($address[0], 1); + $destPort = substr($address[1], 1); + my( $success, $err ) = isValidPortNumber($destPort); + if (validateType('ipv6', $destIP)) { + #Valid ipv6 address. + } else { + if(!defined($success)) { + die "Please enter a valid destination IPv6 address and port \n"; + } + } + if(!defined($success)) { + die "Please enter a valid destination port \n"; + } + $command .= " -d $destIP --orig-port-dst $destPort"; + print "IP $sourceIP port $sourcePort\n"; + } + } + } } $command .= " -o xml"; diff --git a/templates-op/delete/conntrack/table/ipv6/conn-id/node.def b/templates-op/delete/conntrack/table/ipv6/conn-id/node.def new file mode 100644 index 0000000..679cae2 --- /dev/null +++ b/templates-op/delete/conntrack/table/ipv6/conn-id/node.def @@ -0,0 +1 @@ +help: Delete Conntrack entry with connection ID diff --git a/templates-op/delete/conntrack/table/ipv6/conn-id/node.tag/node.def b/templates-op/delete/conntrack/table/ipv6/conn-id/node.tag/node.def new file mode 100644 index 0000000..d3f179e --- /dev/null 
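Review bot: Everything after the new `die "IPv6 Conntrack commands are not supported yet\n"` in this `else` branch is unreachable, so none of the IPv6 parsing added here runs in this commit. Once it is enabled, the validation has a gap: when `validateType('ipv6', $sourceIP)` fails, the code only dies if the port is also invalid, so an address that fails the type check but carries a valid port is appended to `$command` and later run through the shell by backticks; the `else` should die regardless of the port, `} else { die "Please enter a valid source IPv6 address\n"; }`, and the destination branch has the same structure. The destination branch's `print "IP $sourceIP port $sourcePort\n"` also echoes the source variables, and both `print` lines look like debugging output that should not reach the operator. The enclosing `if ($family eq "ipv4") ... else` starts outside the hunk.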
+++ b/templates-op/delete/conntrack/table/ipv6/conn-id/node.tag/node.def @@ -0,0 +1,3 @@ +help: Delete Conntrack entry with the connection ID +allowed: echo -n 'Connection ID' +run: sudo ${vyatta_bindir}/sudo-users/vyatta-delete-conntrack.pl -family $4 -id $6 diff --git a/templates-op/delete/conntrack/table/ipv6/node.def b/templates-op/delete/conntrack/table/ipv6/node.def new file mode 100644 index 0000000..58b08f5 --- /dev/null +++ b/templates-op/delete/conntrack/table/ipv6/node.def @@ -0,0 +1 @@ +help: Delete Conntrack IPv6 entries diff --git a/templates-op/delete/conntrack/table/ipv6/source/node.def b/templates-op/delete/conntrack/table/ipv6/source/node.def new file mode 100644 index 0000000..10081cd --- /dev/null +++ b/templates-op/delete/conntrack/table/ipv6/source/node.def @@ -0,0 +1 @@ +help: Delete all Conntrack entries with specified source IP address diff --git a/templates-op/delete/conntrack/table/ipv6/source/node.tag/destination/node.def b/templates-op/delete/conntrack/table/ipv6/source/node.tag/destination/node.def new file mode 100644 index 0000000..aee21aa --- /dev/null +++ b/templates-op/delete/conntrack/table/ipv6/source/node.tag/destination/node.def @@ -0,0 +1 @@ +help: Delete all Conntrack entries with the specified destination IP address diff --git a/templates-op/delete/conntrack/table/ipv6/source/node.tag/destination/node.tag/node.def b/templates-op/delete/conntrack/table/ipv6/source/node.tag/destination/node.tag/node.def new file mode 100644 index 0000000..45fb74c --- /dev/null +++ b/templates-op/delete/conntrack/table/ipv6/source/node.tag/destination/node.tag/node.def @@ -0,0 +1,3 @@ +help: Delete Conntrack entries with the specified destination IP +allowed: echo -n '' '<[IPv6-address]:port>' +run: sudo ${vyatta_bindir}/sudo-users/vyatta-delete-conntrack.pl -family $4 -source_IP $6 -dest_IP $8 
diff --git a/templates-op/delete/conntrack/table/ipv6/source/node.tag/node.def b/templates-op/delete/conntrack/table/ipv6/source/node.tag/node.def new file mode 100644 index 0000000..06b9af3 --- /dev/null +++ b/templates-op/delete/conntrack/table/ipv6/source/node.tag/node.def @@ -0,0 +1,3 @@ +help: Delete Conntrack entries with the specified source IP address +allowed: echo -n '' '<[IPv6-address]:port>' +run: sudo ${vyatta_bindir}/sudo-users/vyatta-delete-conntrack.pl -family $4 -source_IP $6 diff --git a/templates-op/show/conntrack/table/ipv4/source/node.tag/destination/node.def b/templates-op/show/conntrack/table/ipv4/source/node.tag/destination/node.def index 88b6eb1..85b1b36 100644 --- a/templates-op/show/conntrack/table/ipv4/source/node.tag/destination/node.def +++ b/templates-op/show/conntrack/table/ipv4/source/node.tag/destination/node.def @@ -1,3 +1,3 @@ help: Show Conntrack entries for the destination IP -allowed: echo " +allowed: echo -n '' '' diff --git a/templates-op/show/conntrack/table/ipv6/node.def b/templates-op/show/conntrack/table/ipv6/node.def new file mode 100644 index 0000000..ef40625 --- /dev/null +++ b/templates-op/show/conntrack/table/ipv6/node.def @@ -0,0 +1,2 @@ +help: Show Conntrack entries for IPv6 protocol +run: sudo ${vyatta_bindir}/sudo-users/vyatta-show-conntrack.pl -family $4 diff --git a/templates-op/show/conntrack/table/ipv6/source/node.def b/templates-op/show/conntrack/table/ipv6/source/node.def new file mode 100644 index 0000000..f3f6c84 --- /dev/null +++ b/templates-op/show/conntrack/table/ipv6/source/node.def @@ -0,0 +1 @@ +help: Show Conntrack entries for the source IP diff --git a/templates-op/show/conntrack/table/ipv6/source/node.tag/destination/node.def b/templates-op/show/conntrack/table/ipv6/source/node.tag/destination/node.def new file mode 100644 index 0000000..4813e87 --- /dev/null +++ b/templates-op/show/conntrack/table/ipv6/source/node.tag/destination/node.def 
@@ -0,0 +1,3 @@ +help: Show Conntrack entries for the destination IP +allowed: echo -n '' '<[IPv6-address]:port>' + diff --git a/templates-op/show/conntrack/table/ipv6/source/node.tag/destination/node.tag/node.def b/templates-op/show/conntrack/table/ipv6/source/node.tag/destination/node.tag/node.def new file mode 100644 index 0000000..49bb02b --- /dev/null +++ b/templates-op/show/conntrack/table/ipv6/source/node.tag/destination/node.tag/node.def @@ -0,0 +1,3 @@ +help: Show Conntrack entries for the destination IP +allowed: echo -n '' '<[IPv6-address]:port>' +run: sudo ${vyatta_bindir}/sudo-users/vyatta-show-conntrack.pl -family $4 -source_IP $6 -dest_IP $8 diff --git a/templates-op/show/conntrack/table/ipv6/source/node.tag/node.def b/templates-op/show/conntrack/table/ipv6/source/node.tag/node.def new file mode 100644 index 0000000..cf84af6 --- /dev/null +++ b/templates-op/show/conntrack/table/ipv6/source/node.tag/node.def @@ -0,0 +1,3 @@ +help: Show Conntrack entries for the source IP +allowed: echo -n '' '<[IPv6-address]:port>' +run: sudo ${vyatta_bindir}/sudo-users/vyatta-show-conntrack.pl -family $4 -source_IP $6 -- cgit v1.2.3 From 2f46daed416bcb38267da6f16879654b16b6a99e Mon Sep 17 00:00:00 2001 From: Gaurav Sinha Date: Wed, 16 Nov 2011 13:53:49 -0800 Subject: bug 7411:IPv6 show command without port --- scripts/vyatta-show-conntrack.pl | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) (limited to 'scripts') diff --git a/scripts/vyatta-show-conntrack.pl b/scripts/vyatta-show-conntrack.pl index cad954b..0d0cc95 100755 --- a/scripts/vyatta-show-conntrack.pl +++ b/scripts/vyatta-show-conntrack.pl @@ -216,9 +216,9 @@ if ($family eq "ipv4") { } } else { #placeholder for v6 code. - die "IPv6 Conntrack commands are not supported yet\n"; if (defined $sourceIP) { if (($sourceIP =~ m/]/)) { + # [IPv6-address]:port my @address = split(/]/, $sourceIP); if (@address) { $sourceIP = substr($address[0], 1); 
@@ -237,6 +237,14 @@ if ($family eq "ipv4") { $command .= " -s $sourceIP --orig-port-src $sourcePort"; print "IP $sourceIP port $sourcePort\n"; } + } else { + #IPv6-address without port + if (validateType('ipv6', $sourceIP)) { + #Valid ipv6 address. + $command .= " -s $sourceIP"; + } else { + die "Please enter a valid source IPv6 address\n"; + } } } if (defined $destIP) { @@ -259,6 +267,14 @@ if ($family eq "ipv4") { $command .= " -d $destIP --orig-port-dst $destPort"; print "IP $sourceIP port $sourcePort\n"; } + } else { + #IPv6-address without port + if (validateType('ipv6', $destIP)) { + #Valid ipv6 address. + $command .= " -d $destIP"; + } else { + die "Please enter a valid destination IPv6 address\n"; + } } } } -- cgit v1.2.3 From feba6d628a366c11af9f3fabc22ec535cfbc82ad Mon Sep 17 00:00:00 2001 From: Gaurav Sinha Date: Wed, 16 Nov 2011 17:00:31 -0800 Subject: bug 7411:IPv6 show command: validation added --- scripts/vyatta-show-conntrack.pl | 42 ++++++++++++++++++++++++++-------------- 1 file changed, 28 insertions(+), 14 deletions(-) (limited to 'scripts') diff --git a/scripts/vyatta-show-conntrack.pl b/scripts/vyatta-show-conntrack.pl index 0d0cc95..c10a6d3 100755 --- a/scripts/vyatta-show-conntrack.pl +++ b/scripts/vyatta-show-conntrack.pl 
@@ -216,15 +216,22 @@ if ($family eq "ipv4") { } } else { #placeholder for v6 code. - if (defined $sourceIP) { - if (($sourceIP =~ m/]/)) { + if ((defined $sourceIP) and ($sourceIP ne "0:0:0:0:0:0:0:0")) { + if ((($sourceIP =~ m/^\[/) and (!($sourceIP =~ m/]/))) or + (!($sourceIP =~ m/^\[/) and (($sourceIP =~ m/]/)))) { + die "Please use prescribed format for source IP: [IPv6-address]:port \n"; + } + if (($sourceIP =~ m/^\[/) and ($sourceIP =~ m/]/)) { # [IPv6-address]:port my @address = split(/]/, $sourceIP); if (@address) { + if(!$address[0] or !$address[1]) { + die "Please use prescribed format for source IP: [IPv6-address]:port \n"; + } $sourceIP = substr($address[0], 1); $sourcePort = substr($address[1], 1); my( $success, $err ) = isValidPortNumber($sourcePort); - if (validateType('ipv6', $sourceIP)) { + if (validateType('ipv6', $sourceIP, 'quiet')) { #Valid ipv6 address. } else { if(!defined($success)) { 
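Review bot: The new bracket check confirms a leading `[` and a `]` somewhere in `$sourceIP` but never that a `:` follows the `]`; the existing `substr($address[1], 1)` then drops whatever character is there, so `[addr]x80` is accepted with port `80`. Checking the separator where the pieces are split is one line: `die "Please use prescribed format for source IP: [IPv6-address]:port \n" unless $address[1] =~ m/\A:/;`, and the destination branch in the next hunk needs the same. The `ne "0:0:0:0:0:0:0:0"` comparison also recognises only that one spelling of the unspecified address and not `::`, so it may be worth normalising before comparing — hedged, since the accepted input format is set by the templates rather than here. The enclosing `else` starts outside the hunk and the validation continues in the next hunk.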
@@ -234,27 +241,29 @@ if ($family eq "ipv4") { if(!defined($success)) { die "Please enter a valid source port \n"; } - $command .= " -s $sourceIP --orig-port-src $sourcePort"; - print "IP $sourceIP port $sourcePort\n"; + $command .= " --orig-port-src $sourcePort"; } } else { #IPv6-address without port - if (validateType('ipv6', $sourceIP)) { + if (validateType('ipv6', $sourceIP, 'quiet')) { #Valid ipv6 address. - $command .= " -s $sourceIP"; } else { die "Please enter a valid source IPv6 address\n"; } } } - if (defined $destIP) { - if (($destIP =~ m/]/)) { + if ((defined $destIP) and ($destIP ne "0:0:0:0:0:0:0:0")) { + if ((($destIP =~ m/^\[/) and (!($destIP =~ m/]/))) or + (!($destIP =~ m/^\[/) and (($destIP =~ m/]/)))) { + die "Please use prescribed format for destination IP: [IPv6-address]:port \n"; + } + if (($destIP =~ m/^\[/) and ($destIP =~ m/]/)) { my @address = split(/]/, $destIP); if (@address) { $destIP = substr($address[0], 1); $destPort = substr($address[1], 1); my( $success, $err ) = isValidPortNumber($destPort); - if (validateType('ipv6', $destIP)) { + if (validateType('ipv6', $destIP, 'quiet')) { #Valid ipv6 address. } else { if(!defined($success)) { @@ -264,19 +273,24 @@ if ($family eq "ipv4") { if(!defined($success)) { die "Please enter a valid destination port \n"; } - $command .= " -d $destIP --orig-port-dst $destPort"; - print "IP $sourceIP port $sourcePort\n"; + #$command .= " --orig-port-dst $destPort"; } } else { #IPv6-address without port - if (validateType('ipv6', $destIP)) { + if (validateType('ipv6', $destIP, 'quiet')) { #Valid ipv6 address. - $command .= " -d $destIP"; + #$command .= " -d $destIP"; } else { die "Please enter a valid destination IPv6 address\n"; } } } + if (($sourceIP) and ($sourceIP ne "0:0:0:0:0:0:0:0")) { + $command .= " -s $sourceIP"; + } + if (($destIP) and ($destIP ne "0:0:0:0:0:0:0:0")) { + $command .= " -d $destIP"; + } } $command .= " -o xml"; -- cgit v1.2.3 
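Review bot: In the second hunk the destination port filter is commented out (`#$command .= " --orig-port-dst $destPort";`) while the source branch above keeps `$command .= " --orig-port-src $sourcePort";`, so a destination given as `[IPv6-address]:port` is validated and then listed without any port restriction, which silently shows more entries than the operator asked for. Either restore the line or drop destination-port parsing for IPv6 and say so in the help text; validating input and then ignoring it is the worst of the two. The dead `#$command .= " -d $destIP";` comment in the no-port branch can also go now that `-d` is appended once at the end of the block. The enclosing `else` starts outside the hunk.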
From e5d7a43dcec144603011f981899430ebbf4bc368 Mon Sep 17 00:00:00 2001 From: Gaurav Sinha Date: Thu, 17 Nov 2011 14:06:43 -0800 Subject: bug ID 7411: added output format for IPv6 show command --- scripts/vyatta-show-conntrack.pl | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) (limited to 'scripts') diff --git a/scripts/vyatta-show-conntrack.pl b/scripts/vyatta-show-conntrack.pl index c10a6d3..efa6fa2 100755 --- a/scripts/vyatta-show-conntrack.pl +++ b/scripts/vyatta-show-conntrack.pl @@ -35,6 +35,7 @@ use Switch; use Vyatta::TypeChecker; my $format = "%-10s %-22s %-22s %-12s %-20s\n"; +my $format_IPv6 = "%-10s %-40s %-40s %-12s %-20s\n"; sub print_xml { my ($data, $cache) = @_; @@ -49,7 +50,7 @@ sub print_xml { my $flow_ref = $data->{flow}[$flow]; my $flow_type = $flow_ref->{type}; my (%src, %dst, %sport, %dport, %proto, %protonum, $timeout_ref, $connection_id_ref, - $state_connection_ref); + $state_connection_ref, %l3_protoname); while (1) { my $meta_ref = $flow_ref->{meta}[$meta]; last if ! defined $meta_ref; @@ -60,6 +61,7 @@ sub print_xml { if (defined $l3_ref) { $src{$dir} = $l3_ref->{src}[0]; $dst{$dir} = $l3_ref->{dst}[0]; + $l3_protoname{dir} = $l3_ref->{protoname}; if (defined $l4_ref) { $sport{$dir} = $l4_ref->{sport}[0]; $dport{$dir} = $l4_ref->{dport}[0]; @@ -75,7 +77,7 @@ sub print_xml { $meta++; } my ($proto, $protonum, $in_src, $in_dst, $out_src, $out_dst, $connection_id, - $timeout, $state_connection); + $timeout, $state_connection, $l3proto); $proto = $proto{original}; $protonum = $protonum{original}; $in_src = "$src{original}"; @@ -84,6 +86,7 @@ sub print_xml { $in_dst .= ":$dport{original}" if defined $dport{original}; $connection_id = "$connection_id_ref"; $timeout = "$timeout_ref"; + $l3proto = $l3_protoname{original}; if ($state_connection_ref) { $state_connection = "$state_connection_ref"; 
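Review bot: `$l3_protoname{dir} = $l3_ref->{protoname};` stores under the literal key `dir`, not under the value of `$dir`, so `$l3_protoname{original}` read a few hunks later is always undef and the per-family format selection never sees `ipv6`. It should read `$l3_protoname{$dir} = $l3_ref->{protoname};`. print_xml's body is spread over several hunks here and continues outside this one.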
@@ -127,7 +130,11 @@ sub print_xml { } } } - printf($format, $connection_id ,$in_src, $in_dst, $protocol, $timeout); + if (defined(l3proto) and (l3proto eq 'ipv6')) { + printf($format_IPv6, $connection_id ,$in_src, $in_dst, $protocol, $timeout); + } else { + printf($format, $connection_id ,$in_src, $in_dst, $protocol, $timeout); + } $flow++; } return $flow; -- cgit v1.2.3 From bbb1fc94463690188d59aed96aacf6c69bd8cb5b Mon Sep 17 00:00:00 2001 From: Gaurav Sinha Date: Thu, 17 Nov 2011 17:07:49 -0800 Subject: bug 7411: IPv6 conntrack delete code, updated formatting --- scripts/vyatta-delete-conntrack.pl | 100 ++++++++++++++++++++++++++++++++++--- scripts/vyatta-show-conntrack.pl | 26 ++++++---- 2 files changed, 108 insertions(+), 18 deletions(-) (limited to 'scripts') diff --git a/scripts/vyatta-delete-conntrack.pl b/scripts/vyatta-delete-conntrack.pl index 8ca4738..4062a37 100755 --- a/scripts/vyatta-delete-conntrack.pl +++ b/scripts/vyatta-delete-conntrack.pl @@ -33,8 +33,10 @@ use POSIX; use lib "/opt/vyatta/share/perl5"; use Vyatta::Misc; use Sys::Syslog qw(:standard :macros); +use Vyatta::TypeChecker; -my $format = "Connection ID %-10s Source IP %-22s Destination IP %-22s Protocol %-12s\n"; +my $format = "%-10s %-22s %-22s %-12s\n"; +my $format_IPv6 = "%-10s %-40s %-40s %-12s\n"; sub add_xml_root { my $xml = shift; @@ -44,13 +46,18 @@ sub add_xml_root { } sub print_data_from_xml { - my ($data, $cache) = @_; + my ($data, $cache, $family) = @_; my $flow = 0; my %flowh; my $tcount = 0; print "Deleting following Conntrack entries\n\n"; + if ($family eq 'ipv6') { + printf($format_IPv6, 'CONN ID', 'Source', 'Destination', 'Protocol'); + } else { + printf($format, 'CONN ID', 'Source', 'Destination', 'Protocol'); + } #open syslog openlog($0, "", LOG_USER); while (1) { 
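Review bot: `if (defined(l3proto) and (l3proto eq 'ipv6'))` uses barewords, not the `$l3proto` variable declared in the earlier hunk; if the file is under `use strict` this is a compile error, and without it the barewords are just the string `'l3proto'`, so the IPv6 branch is unreachable either way. The intended line is `if (defined($l3proto) and ($l3proto eq 'ipv6')) {`. The next commit on this page replaces the whole test with `$family eq 'ipv6'`, so this mainly matters for anyone bisecting across these revisions. `print_xml` begins and ends outside this hunk.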
@@ -106,7 +113,12 @@ sub print_data_from_xml { $out_dst .= ":$sport{reply}" if defined $sport{reply}; my $protocol = $proto . ' [' . $protonum . ']'; - printf($format, $connection_id ,$in_src, $in_dst, $protocol); + if ($family eq 'ipv6') { + #IPv6 Addresses can be 39 chars long, so chose the format as per family + printf($format_IPv6, $connection_id ,$in_src, $in_dst, $protocol); + } else { + printf($format, $connection_id ,$in_src, $in_dst, $protocol); + } syslog("info", "Deleting Conntrack entry:conn-id $connection_id, src. IP $in_src, dest. IP $in_dst, protocol $protocol"); $flow++; } 
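Review bot: The two `printf` calls differ only in the format string, so the branch reads more clearly as `my $fmt = ($family eq 'ipv6') ? $format_IPv6 : $format;` followed by a single `printf($fmt, $connection_id, $in_src, $in_dst, $protocol);`, and the width comment stays above that one line. While here, the unchanged `syslog("info", "Deleting Conntrack entry: … $in_src …")` beneath passes interpolated conntrack data as Sys::Syslog's format argument; `syslog("info", "%s", $msg)` keeps a stray `%` in any field from being interpreted as a conversion. Addresses from conntrack are unlikely to contain one, so this is defensive rather than an observed bug. `print_data_from_xml` starts and ends outside this hunk.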
@@ -206,8 +218,82 @@ if ($family eq "ipv4") { $command .= " -d $destIP"; } } else { - #family IPv6 not supported, placeholder for v6 code. - die "IPv6 Conntrack commands are not supported yet\n"; + #IPv6 code. + if ((defined $sourceIP) and ($sourceIP ne "0:0:0:0:0:0:0:0")) { + if ((($sourceIP =~ m/^\[/) and (!($sourceIP =~ m/]/))) or + (!($sourceIP =~ m/^\[/) and (($sourceIP =~ m/]/)))) { + die "Please use prescribed format for source IP: [IPv6-address]:port \n"; + } + if (($sourceIP =~ m/^\[/) and ($sourceIP =~ m/]/)) { + # [IPv6-address]:port + my @address = split(/]/, $sourceIP); + if (@address) { + if(!$address[0] or !$address[1]) { + die "Please use prescribed format for source IP: [IPv6-address]:port \n"; + } + $sourceIP = substr($address[0], 1); + $sourcePort = substr($address[1], 1); + my( $success, $err ) = isValidPortNumber($sourcePort); + if (validateType('ipv6', $sourceIP, 'quiet')) { + #Valid ipv6 address. + } else { + if(!defined($success)) { + die "Please enter a valid source IPv6 address and port \n"; + } + } + if(!defined($success)) { + die "Please enter a valid source port \n"; + } + $command .= " --orig-port-src $sourcePort"; + } + } else { + #IPv6-address without port + if (validateType('ipv6', $sourceIP, 'quiet')) { + #Valid ipv6 address. + } else { + die "Please enter a valid source IPv6 address\n"; + } + } + } + if ((defined $destIP) and ($destIP ne "0:0:0:0:0:0:0:0")) { + if ((($destIP =~ m/^\[/) and (!($destIP =~ m/]/))) or + (!($destIP =~ m/^\[/) and (($destIP =~ m/]/)))) { + die "Please use prescribed format for destination IP: [IPv6-address]:port \n"; + } + if (($destIP =~ m/^\[/) and ($destIP =~ m/]/)) { + my @address = split(/]/, $destIP); + if (@address) { + $destIP = substr($address[0], 1); + $destPort = substr($address[1], 1); + my( $success, $err ) = isValidPortNumber($destPort); + if (validateType('ipv6', $destIP, 'quiet')) { + #Valid ipv6 address. 
+ } else { + if(!defined($success)) { + die "Please enter a valid destination IPv6 address and port \n"; + } + } + if(!defined($success)) { + die "Please enter a valid destination port \n"; + } + #$command .= " --orig-port-dst $destPort"; + } + } else { + #IPv6-address without port + if (validateType('ipv6', $destIP, 'quiet')) { + #Valid ipv6 address. + #$command .= " -d $destIP"; + } else { + die "Please enter a valid destination IPv6 address\n"; + } + } + } + if (($sourceIP) and ($sourceIP ne "0:0:0:0:0:0:0:0")) { + $command .= " -s $sourceIP"; + } + if (($destIP) and ($destIP ne "0:0:0:0:0:0:0:0")) { + $command .= " -d $destIP"; + } } $command .= " -o xml"; @@ -226,11 +312,11 @@ if ((defined($destPort)) or (defined($sourcePort))) { if ($xml1) { $xml1 = add_xml_root($xml1); $data = $xs->XMLin($xml1); - print_data_from_xml($data); + print_data_from_xml($data, "", $family); } if ($xml2) { $xml2 = add_xml_root($xml2); $data = $xs->XMLin($xml2); - print_data_from_xml($data); + print_data_from_xml($data, "", $family); } # end of file diff --git a/scripts/vyatta-show-conntrack.pl b/scripts/vyatta-show-conntrack.pl index efa6fa2..a55e1e7 100755 --- a/scripts/vyatta-show-conntrack.pl +++ b/scripts/vyatta-show-conntrack.pl @@ -38,8 +38,7 @@ my $format = "%-10s %-22s %-22s %-12s %-20s\n"; my $format_IPv6 = "%-10s %-40s %-40s %-12s %-20s\n"; sub print_xml { - my ($data, $cache) = @_; - + my ($data, $cache, $family) = @_; my $flow = 0; my %flowh; @@ -50,7 +49,7 @@ sub print_xml { my $flow_ref = $data->{flow}[$flow]; my $flow_type = $flow_ref->{type}; my (%src, %dst, %sport, %dport, %proto, %protonum, $timeout_ref, $connection_id_ref, - $state_connection_ref, %l3_protoname); + $state_connection_ref); while (1) { my $meta_ref = $flow_ref->{meta}[$meta]; last if ! defined $meta_ref; 
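Review bot: In both `[IPv6-address]:port` branches an address rejected by `validateType('ipv6', …, 'quiet')` is fatal only when `isValidPortNumber` also failed (`if(!defined($success)) { die … }` inside the else); with a valid port the invalid `$sourceIP`/`$destIP` survives and is appended as `-s $sourceIP` / `-d $destIP` at the bottom of the hunk, then handed to a backtick-executed shell command further down the page — e.g. `[$(cmd)]:80` reaches the shell. Judging by the checks here `$success` is defined exactly when the port is valid, so the address check has to stand on its own. The destination branch also lacks the `if(!$address[0] or !$address[1])` guard the source branch has, so `[2001:db8::1]` with no port yields `substr(undef, 1)` and an undef port. The `else` for `$family` begins before this hunk.
```perl
# … unchanged: bracket-format checks and split for the source address …
my ( $success, $err ) = isValidPortNumber($sourcePort);
# The address must be rejected on its own: it is interpolated into a
# shell command later, so a valid port must not let a bad address through.
if ( !validateType( 'ipv6', $sourceIP, 'quiet' ) ) {
    die "Please enter a valid source IPv6 address and port \n";
}
if ( !defined($success) ) {
    die "Please enter a valid source port \n";
}
$command .= " --orig-port-src $sourcePort";
# … unchanged: bare source address branch …
my @address = split( /]/, $destIP );
if ( !$address[0] or !$address[1] ) {
    die "Please use prescribed format for destination IP: [IPv6-address]:port \n";
}
# … destination address/port: same unconditional validateType die as above …
# … unchanged: bare destination branch and final -s/-d append …
```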
@@ -61,7 +60,6 @@ sub print_xml { if (defined $l3_ref) { $src{$dir} = $l3_ref->{src}[0]; $dst{$dir} = $l3_ref->{dst}[0]; - $l3_protoname{dir} = $l3_ref->{protoname}; if (defined $l4_ref) { $sport{$dir} = $l4_ref->{sport}[0]; $dport{$dir} = $l4_ref->{dport}[0]; @@ -77,7 +75,7 @@ sub print_xml { $meta++; } my ($proto, $protonum, $in_src, $in_dst, $out_src, $out_dst, $connection_id, - $timeout, $state_connection, $l3proto); + $timeout, $state_connection); $proto = $proto{original}; $protonum = $protonum{original}; $in_src = "$src{original}"; @@ -86,7 +84,6 @@ sub print_xml { $in_dst .= ":$dport{original}" if defined $dport{original}; $connection_id = "$connection_id_ref"; $timeout = "$timeout_ref"; - $l3proto = $l3_protoname{original}; if ($state_connection_ref) { $state_connection = "$state_connection_ref"; @@ -130,7 +127,8 @@ sub print_xml { } } } - if (defined(l3proto) and (l3proto eq 'ipv6')) { + if ( $family eq 'ipv6') { + #IPv6 Addresses can be 39 chars long, so chose the format as per family printf($format_IPv6, $connection_id ,$in_src, $in_dst, $protocol, $timeout); } else { printf($format, $connection_id ,$in_src, $in_dst, $protocol, $timeout); @@ -222,7 +220,7 @@ if ($family eq "ipv4") { $command .= " -d $destIP"; } } else { - #placeholder for v6 code. + #IPv6 code. if ((defined $sourceIP) and ($sourceIP ne "0:0:0:0:0:0:0:0")) { if ((($sourceIP =~ m/^\[/) and (!($sourceIP =~ m/]/))) or (!($sourceIP =~ m/^\[/) and (($sourceIP =~ m/]/)))) { 
@@ -305,7 +303,13 @@ print "TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED,\n"; print " FW - FIN WAIT, CW - CLOSE WAIT, LA - LAST ACK,\n"; print " TW - TIME WAIT, CL - CLOSE, LI - LISTEN\n\n"; -printf($format, 'CONN ID', 'Source', 'Destination', 'Protocol', 'TIMEOUT'); +#IPv6 Addresses can be 39 chars long, so chose the format as per family +if ($family eq 'ipv4') { + printf($format, 'CONN ID', 'Source', 'Destination', 'Protocol', 'TIMEOUT'); +} else { + printf($format_IPv6, 'CONN ID', 'Source', 'Destination', 'Protocol', 'TIMEOUT'); +} + if ((defined($destPort)) or (defined($sourcePort))) { my $command_final = $command_prefix." -p tcp".$command; $xml1 = `$command_final 2> /dev/null`; @@ -320,10 +324,10 @@ if ((defined($destPort)) or (defined($sourcePort))) { if ($xml1) { $data = $xs->XMLin($xml1); - print_xml($data); + print_xml($data, "", $family); } if ($xml2) { $data = $xs->XMLin($xml2); - print_xml($data); + print_xml($data, "", $family); } # end of file -- cgit v1.2.3 From 6be89f24d462ff526378adb4073f6d1bf8f1860e Mon Sep 17 00:00:00 2001 From: Gaurav Sinha Date: Mon, 21 Nov 2011 15:03:47 -0800 Subject: bug 7411: IPv6 check added to show / delete --- scripts/vyatta-delete-conntrack.pl | 17 ++++++++++++----- scripts/vyatta-show-conntrack.pl | 17 ++++++++++++----- 2 files changed, 24 insertions(+), 10 deletions(-) (limited to 'scripts') diff --git a/scripts/vyatta-delete-conntrack.pl b/scripts/vyatta-delete-conntrack.pl index 4062a37..ceccdd8 100755 --- a/scripts/vyatta-delete-conntrack.pl +++ b/scripts/vyatta-delete-conntrack.pl @@ -235,7 +235,9 @@ if ($family eq "ipv4") { $sourcePort = substr($address[1], 1); my( $success, $err ) = isValidPortNumber($sourcePort); if (validateType('ipv6', $sourceIP, 'quiet')) { - #Valid ipv6 address. + if ($sourceIP =~ m/[^ABCDEFabcdef0123456789:\[\]]/) { + die "Please enter a valid source IPv6 address\n"; + } } else { if(!defined($success)) { die "Please enter a valid source IPv6 address and port \n"; 
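Review bot: The header picks its width with `if ($family eq 'ipv4')` while the rows in `print_xml` (earlier hunk) pick theirs with `$family eq 'ipv6'`, so any other value of `$family` prints a narrow header over wide rows. Use one polarity in both places, e.g. `if ($family eq 'ipv6') { printf($format_IPv6, …) } else { printf($format, …) }`, matching the row code. The trailing blank line added after the header is fine but could carry the width comment instead of the duplicated sentence.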
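Review bot: The new allow-list `if ($sourceIP =~ m/[^ABCDEFabcdef0123456789:\[\]]/) { die … }` sits inside the `validateType` success branch, so the path where the address fails `validateType` but the port is valid (the `else` that only dies on `!defined($success)`) still reaches `$command .= " -s $sourceIP"` unchecked; the character test needs to run before that else, or the else must die unconditionally. The same regex is pasted into four places in this file and four in the show script — a small helper such as `sub _is_plain_ipv6 { my ($addr) = @_; return $addr !~ m/[^0-9A-Fa-f:]/; }` would keep the allow-list in one place. `[` and `]` can be dropped from the class, since any input containing them has already taken the bracket branch and had them stripped.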
@@ -249,7 +251,9 @@ if ($family eq "ipv4") { } else { #IPv6-address without port if (validateType('ipv6', $sourceIP, 'quiet')) { - #Valid ipv6 address. + if ($sourceIP =~ m/[^ABCDEFabcdef0123456789:\[\]]/) { + die "Please enter a valid source IPv6 address\n"; + } } else { die "Please enter a valid source IPv6 address\n"; } @@ -267,7 +271,9 @@ if ($family eq "ipv4") { $destPort = substr($address[1], 1); my( $success, $err ) = isValidPortNumber($destPort); if (validateType('ipv6', $destIP, 'quiet')) { - #Valid ipv6 address. + if ($destIP =~ m/[^ABCDEFabcdef0123456789:\[\]]/) { + die "Please enter a valid destination IPv6 address\n"; + } } else { if(!defined($success)) { die "Please enter a valid destination IPv6 address and port \n"; @@ -281,8 +287,9 @@ if ($family eq "ipv4") { } else { #IPv6-address without port if (validateType('ipv6', $destIP, 'quiet')) { - #Valid ipv6 address. - #$command .= " -d $destIP"; + if ($destIP =~ m/[^ABCDEFabcdef0123456789:\[\]]/) { + die "Please enter a valid destination IPv6 address\n"; + } } else { die "Please enter a valid destination IPv6 address\n"; } diff --git a/scripts/vyatta-show-conntrack.pl b/scripts/vyatta-show-conntrack.pl index a55e1e7..17457b1 100755 --- a/scripts/vyatta-show-conntrack.pl +++ b/scripts/vyatta-show-conntrack.pl @@ -237,7 +237,9 @@ if ($family eq "ipv4") { $sourcePort = substr($address[1], 1); my( $success, $err ) = isValidPortNumber($sourcePort); if (validateType('ipv6', $sourceIP, 'quiet')) { - #Valid ipv6 address. + if ($sourceIP =~ m/[^ABCDEFabcdef0123456789:\[\]]/) { + die "Please enter a valid source IPv6 address\n"; + } } else { if(!defined($success)) { die "Please enter a valid source IPv6 address and port \n"; 
@@ -251,7 +253,9 @@ if ($family eq "ipv4") { } else { #IPv6-address without port if (validateType('ipv6', $sourceIP, 'quiet')) { - #Valid ipv6 address. + if ($sourceIP =~ m/[^ABCDEFabcdef0123456789:\[\]]/) { + die "Please enter a valid source IPv6 address\n"; + } } else { die "Please enter a valid source IPv6 address\n"; } @@ -269,7 +273,9 @@ if ($family eq "ipv4") { $destPort = substr($address[1], 1); my( $success, $err ) = isValidPortNumber($destPort); if (validateType('ipv6', $destIP, 'quiet')) { - #Valid ipv6 address. + if ($destIP =~ m/[^ABCDEFabcdef0123456789:\[\]]/) { + die "Please enter a valid destination IPv6 address\n"; + } } else { if(!defined($success)) { die "Please enter a valid destination IPv6 address and port \n"; @@ -283,8 +289,9 @@ if ($family eq "ipv4") { } else { #IPv6-address without port if (validateType('ipv6', $destIP, 'quiet')) { - #Valid ipv6 address. - #$command .= " -d $destIP"; + if ($destIP =~ m/[^ABCDEFabcdef0123456789:\[\]]/) { + die "Please enter a valid destination IPv6 address\n"; + } } else { die "Please enter a valid destination IPv6 address\n"; } -- cgit v1.2.3
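Review bot: The character class rejects `.` and `%`, so IPv4-mapped (`::ffff:192.0.2.1`) and zone-scoped (`fe80::1%eth0`) forms that `validateType` apparently accepts now die with "Please enter a valid source IPv6 address", which is misleading if the rejection is deliberate. If the intent is a shell-safety allow-list for the string appended to `$command`, say so next to the regex: `# allow-list: only hex digits and ':' may reach the shell command built below`. If those forms are expected to be deletable, the class needs `.` (and the shell quoting needs to be handled some other way). Each of these hunks is a fragment of the larger IPv6 branch, which starts and ends outside the view.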