# 
# The timeouts are implemented using nfct-timeout policies that are
# later applied to the corresponding iptables rules. The rules and 
# policies are distinguished based on the rule number.   

package Vyatta::Conntrack::RuleIgnore;

use strict;
use Vyatta::Config;
require Vyatta::IpTables::AddressFilter;

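# Package-level source and destination address filters.  They are shared by
# every RuleIgnore object: setup_base() reconfigures both on each call, so the
# state left by a previous setup_base() call is overwritten by the next one.
# Direct method-call syntax replaces the indirect "new Class" form, which Perl
# parses ambiguously when a sub of the same name exists.
my $src = Vyatta::IpTables::AddressFilter->new;
my $dst = Vyatta::IpTables::AddressFilter->new;

# Default per-object fields; new() copies these into each fresh object.
my %fields = (
  _rule_number => undef,
  _protocol    => undef,
  _comment     => undef,
);

# Placeholder rule with a fixed high rule number (not referenced in the
# visible part of this file).
my %dummy_rule = (
  _rule_number => 10000,
  _protocol    => undef,
  _comment     => undef,
);

# Debug flag held as the string 'true'/'false' rather than a Perl boolean.
my $DEBUG = 'false';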

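# Render one AddressFilter's iptables match clause.  A filter error is fatal
# for the whole operation: it is reported through Vyatta::Config::outputError
# and the process exits with status 1, matching the module's error style.
sub _filter_rule {
  my ($filter) = @_;
  my ($text, $err_str) = $filter->rule();
  if (defined($err_str)) {
    Vyatta::Config::outputError(["Conntrack"], "Conntrack config error: $err_str");
    exit 1;
  }
  return $text;
}

# Build the iptables match string for this ignore rule.
#
# Returns a string of the form
#   -m comment --comment "<node>-<node>"  [-p <proto>] <src match> <dst match>
# Exits the process (via _filter_rule) if either address filter reports an
# error.  Diagnostic prints are only emitted when $DEBUG eq 'true'; previously
# they went to stdout unconditionally.
sub rule {
  my ( $self ) = @_;
  my $rule = '';    # start empty so the appends below never operate on undef

  # The CLI path stored in _comment by setup_base() is split on whitespace and
  # two of its elements become the iptables comment.  Indices 2 and 5 assume a
  # fixed path shape -- TODO confirm against the $level the caller passes.
  my @level_nodes = split (' ', $self->{_comment});
  print "level nodes is @level_nodes\n" if $DEBUG eq 'true';
  $rule .= "-m comment --comment \"$level_nodes[2]-$level_nodes[5]\" ";

  # Source is rendered (and checked) before destination, as before.
  my $srcrule = _filter_rule($src);
  my $dstrule = _filter_rule($dst);

  if (defined($self->{_protocol})) {
    $rule .= " -p $self->{_protocol}";
  }
  $rule .= " $srcrule $dstrule ";
  print "rule is $rule\n" if $DEBUG eq 'true';
  return $rule;
}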

# Constructor.  The invocant may be a class name or an existing object (in
# which case the new object takes that object's class).  Every field from
# %fields is copied in, initially undef.
sub new {
  my ($proto) = @_;
  my $class = ref($proto) ? ref($proto) : $proto;
  my $self = bless { %fields }, $class;
  return $self;
}

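# Reject a port that is combined with a protocol other than tcp or udp.
#
# The original inline test joined the two inequalities with 'or', which is
# true for every protocol value (nothing is both tcp and udp), so any rule
# that set a port died -- including tcp/udp rules, where a port is valid.
# 'and' expresses the intended check.
sub _check_port_protocol {
  my ($filter) = @_;
  my $proto = $filter->{_protocol};
  return unless $proto;
  return unless defined $filter->{_port};
  if ($proto ne 'tcp' and $proto ne 'udp') {
    die "Error: Cannot specify port with protocol $proto\n";
  }
  return;
}

# Populate this object and the shared $src/$dst filters from the config tree
# at $level.
#
# $val_func and $exists_func are accepted for signature parity with the
# callers (setup/setupOrig) but are not consulted here; $addr_setup names the
# AddressFilter method ('setup' or 'setupOrig') used to load each side.
# Dies if a port is given with a protocol other than tcp/udp.  Returns 0.
sub setup_base {
  my ($self, $level, $val_func, $exists_func, $addr_setup) = @_;
  my $config = Vyatta::Config->new;

  $config->setLevel("$level");
  $self->{_comment} = $level;
  $self->{_rule_number} = $config->returnParent("..");

  # Each filter needs the rule's protocol to validate its own port field.
  $src->$addr_setup("$level source");
  $src->{_protocol} = $self->{_protocol};    # needed to use address filter
  _check_port_protocol($src);

  $dst->$addr_setup("$level destination");
  $dst->{_protocol} = $self->{_protocol};    # needed to use address filter
  _check_port_protocol($dst);

  return 0;
}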

# Load the rule from the working (candidate) configuration at $level.
# Always returns 0.
sub setup {
  my ($self, $level) = @_;
  my @accessors = ('returnValue', 'exists', 'setup');
  $self->setup_base($level, @accessors);
  return 0;
}

# Load the rule from the original (pre-change) configuration at $level,
# using the *Orig accessor variants.  Always returns 0.
sub setupOrig {
  my ($self, $level) = @_;
  my @accessors = ('returnOrigValue', 'existsOrig', 'setupOrig');
  $self->setup_base($level, @accessors);
  return 0;
}

# Dump the rule's defined fields to stdout, then the two address filters.
# Note: this method is named "print", but the bare print calls inside it
# still resolve to the builtin.  _interface is not part of %fields, so that
# line only appears if something outside this file sets it.
sub print {
  my ($self) = @_;

  my @lines = (
    [ 'rulenum: ',           $self->{_rule_number} ],
    [ 'protocol: ',          $self->{_protocol}    ],
    [ 'inbound interface: ', $self->{_interface}   ],
  );
  for my $pair (@lines) {
    my ($label, $value) = @$pair;
    next unless defined $value;
    print "$label$value\n";
  }
  $src->print();
  $dst->print();
}




1;

# Local Variables:
# mode: perl
# indent-tabs-mode: nil
# perl-indent-level: 2
# End: