summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStig Thormodsrud <stig@vyatta.com>2010-06-10 15:03:34 -0700
committerStig Thormodsrud <stig@vyatta.com>2010-06-10 15:03:34 -0700
commit9ed3cbd74a9eb9290b7f6e44f4468499dbb0470f (patch)
tree12f4ad4df8a98f114a2ef6bc9ed6b26560a8d00a
parent063833e30795490b254308836a9ec4778240c24e (diff)
downloadvyatta-nat-9ed3cbd74a9eb9290b7f6e44f4468499dbb0470f.tar.gz
vyatta-nat-9ed3cbd74a9eb9290b7f6e44f4468499dbb0470f.zip
Change nat to use IpTables::Mgr to enable/disable conntrack.
-rwxr-xr-xscripts/vyatta-update-nat.pl29
1 files changed, 3 insertions, 26 deletions
diff --git a/scripts/vyatta-update-nat.pl b/scripts/vyatta-update-nat.pl
index 6e4deb5..d278b20 100755
--- a/scripts/vyatta-update-nat.pl
+++ b/scripts/vyatta-update-nat.pl
@@ -4,25 +4,13 @@ use strict;
use lib "/opt/vyatta/share/perl5/";
use Vyatta::Config;
use Vyatta::NatRule;
+use Vyatta::IpTables::Mgr;
sub numerically { $a <=> $b; }
sub raw_cleanup {
# remove the conntrack setup.
- my @lines;
- foreach my $label ('PREROUTING', 'OUTPUT') {
- @lines = `iptables -t raw -L $label -vn --line-numbers | egrep ^[0-9]`;
- foreach (@lines) {
- my ($num, $ignore, $ignore, $chain, $ignore, $ignore, $in, $out,
- $ignore, $ignore) = split /\s+/;
- if ($chain eq "NAT_CONNTRACK") {
- system("iptables -t raw -D $label $num");
- last;
- }
- }
- }
- system("iptables -t raw -F NAT_CONNTRACK");
- system("iptables -t raw -X NAT_CONNTRACK");
+ ipt_disable_conntrack('iptables', 'NAT_CONNTRACK');
}
my $config = new Vyatta::Config;
@@ -47,7 +35,6 @@ print OUT "========= nat list =========\n";
my @rule_keys = sort numerically keys %rules;
if ($#rule_keys < 0) {
raw_cleanup();
-
exit 0;
}
@@ -56,17 +43,7 @@ if ($#rule_keys < 0) {
system("iptables -t nat -L -n >& /dev/null");
# we have some nat rule(s). make sure conntrack is enabled.
-system("iptables -t raw -L NAT_CONNTRACK -n >& /dev/null");
-if ($? >> 8) {
- # NAT_CONNTRACK chain does not exist yet. set up conntrack.
- system("iptables -t raw -N NAT_CONNTRACK");
- # this enables conntrack for all packets. potentially we can add more rules
- # to the NAT_CONNTRACK chain for finer-grained control over which packets
- # are tracked.
- system("iptables -t raw -A NAT_CONNTRACK -j ACCEPT");
- system("iptables -t raw -I PREROUTING 1 -j NAT_CONNTRACK");
- system("iptables -t raw -I OUTPUT 1 -j NAT_CONNTRACK");
-}
+ipt_enable_conntrack('iptables', 'NAT_CONNTRACK');
my $all_deleted = 1;
for $rule (@rule_keys) {