scripts/vyatta-cthelper.pl


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84

#!/usr/bin/perl

use lib "/opt/vyatta/share/perl5";
use warnings;
use strict;

use Vyatta::Config;
use Vyatta::Conntrack::ConntrackUtil;
use Vyatta::IpTables::Mgr;
use Getopt::Long;
use Sys::Syslog qw(:standard :macros);


#for future 
my %cmd_hash = ( 'ipv4'        => 'iptables',
		 'ipv6'   => 'ip6tables');

my $nfct = "sudo /opt/vyatta/sbin/nfct";
my ($enable_sqlnet, $disable_sqlnet, $enable_nfs, $disable_nfs);
my $CTERROR = "Conntrack error:";

GetOptions('enable_sqlnet=s'        => \$enable_sqlnet,
           'disable_sqlnet=s'        => \$disable_sqlnet,
           'disable_nfs=s'        => \$disable_nfs,
           'enable_nfs=s'        => \$enable_nfs,
);

# subroutine to add helper rule to VYATTA_CT_HELPER chain.
sub 
add_helper_to_chain {
  my ($module) = @_;
  my $iptables_cmd = $cmd_hash {'ipv4'}; 
  if ($module eq 'sqlnet') {
#    run_cmd (" $iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 1521 -j CT --helper oracletns ");
    print " $iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 1521 -j CT --helper oracletns \n";
#    run_cmd (" $iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 1525 -j CT --helper oracletns ");
    print " $iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 1525 -j CT --helper oracletns \n";
  } elsif ($module eq 'nfs') {
    print " $iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 111 -j CT --helper nfs \n";
#   run_cmd (" $iptables_cmd -I VYATTA_CT_HELPER -t raw -p tcp --dport 111 -j CT --helper nfs ");
  }
}

# subroutine to delete helper rule from VYATTA_CT_HELPER chain.
sub 
delete_helper_from_chain {
  my ($module) = @_;
  my $iptables_cmd = $cmd_hash {'ipv4'}; 
  if ($module eq 'sqlnet') {
#    run_cmd (" $iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 1521 -j CT --helper oracletns ");
    print " $iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 1521 -j CT --helper oracletns \n";
#    run_cmd (" $iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 1525 -j CT --helper oracletns ");
    print " $iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 1525 -j CT --helper oracletns \n";
  } elsif ($module eq 'nfs') {
    print " $iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 111 -j CT --helper nfs \n";
#   run_cmd (" $iptables_cmd -D VYATTA_CT_HELPER -t raw -p tcp --dport 111 -j CT --helper nfs ");
  }
}

# should disable the required helper module
sub disable_helper_module {
  my ($module) = @_;
 
  print "disable $module\n"; 
  delete_helper_from_chain($module);
}

# should enable the required helper module
sub enable_helper_module {
  my ($module) = @_;
 
  print "enable $module\n"; 
  add_helper_to_chain($module);
}

if (defined $enable_sqlnet){
  enable_helper_module("sqlnet"); 
} elsif (defined $disable_sqlnet) {
  disable_helper_module("sqlnet"); 
} elsif (defined $enable_nfs) {
  enable_helper_module("nfs"); 
} elsif (defined $disable_nfs) {
  disable_helper_module("nfs");
}