summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAn-Cheng Huang <ancheng@vyatta.com>2008-02-11 15:14:29 -0800
committerAn-Cheng Huang <ancheng@vyatta.com>2008-02-11 15:14:29 -0800
commitec188eedeb370b4433a0bdb5b958f72588894fc7 (patch)
treec129246d28cee90348afafd9ac95a818c5dc730c
parent462d78e99366f81dc95ab126c62ddc13b027631d (diff)
downloadvyatta-nat-ec188eedeb370b4433a0bdb5b958f72588894fc7.tar.gz
vyatta-nat-ec188eedeb370b4433a0bdb5b958f72588894fc7.zip
use common implementation of source/destination handling for NAT and firewall.
-rw-r--r--scripts/VyattaNatRule.pm126
-rw-r--r--templates-cfg/service/nat/rule/node.tag/destination/address/node.def9
-rw-r--r--templates-cfg/service/nat/rule/node.tag/source/address/node.def9
-rw-r--r--xsl/show_nat_rules.xsl16
4 files changed, 38 insertions, 122 deletions
diff --git a/scripts/VyattaNatRule.pm b/scripts/VyattaNatRule.pm
index 4d37716..a920f72 100644
--- a/scripts/VyattaNatRule.pm
+++ b/scripts/VyattaNatRule.pm
@@ -5,6 +5,10 @@ use lib "/opt/vyatta/share/perl5/";
use VyattaConfig;
use VyattaMisc;
use VyattaTypeChecker;
+use VyattaIpTablesAddressFilter;
+
+my $src = new VyattaIpTablesAddressFilter;
+my $dst = new VyattaIpTablesAddressFilter;
my %fields = (
_type => undef,
@@ -13,16 +17,6 @@ my %fields = (
_outbound_if => undef,
_proto => undef,
_exclude => undef,
- _source => {
- _addr => undef,
- _net => undef,
- _port => undef,
- },
- _destination => {
- _addr => undef,
- _net => undef,
- _port => undef,
- },
_inside_addr => {
_addr => undef,
_range => {
@@ -65,24 +59,6 @@ sub setup {
$self->{_proto} = $config->returnValue("protocol");
$self->{_exclude} = $config->exists("exclude");
- $self->{_source}->{_net} = undef;
- $self->{_source}->{_addr} = $config->returnValue("source address");
- if (defined($self->{_source}->{_addr})
- && ($self->{_source}->{_addr} =~ /\//)) {
- $self->{_source}->{_net} = $self->{_source}->{_addr};
- $self->{_source}->{_addr} = undef;
- }
- $self->{_source}->{_port} = $config->returnValue("source port");
-
- $self->{_destination}->{_net} = undef;
- $self->{_destination}->{_addr} = $config->returnValue("destination address");
- if (defined($self->{_destination}->{_addr})
- && ($self->{_destination}->{_addr} =~ /\//)) {
- $self->{_destination}->{_net} = $self->{_destination}->{_addr};
- $self->{_destination}->{_addr} = undef;
- }
- $self->{_destination}->{_port} = $config->returnValue("destination port");
-
$self->{_inside_addr}->{_addr}
= $config->returnValue("inside-address address");
$self->{_inside_addr}->{_range}->{_start} = undef;
@@ -109,6 +85,9 @@ sub setup {
$self->{_outside_addr}->{_port}
= $config->returnValue("outside-address port");
+ $src->setup("$level source");
+ $dst->setup("$level destination");
+
return 0;
}
@@ -125,26 +104,6 @@ sub setupOrig {
$self->{_proto} = $config->returnOrigValue("protocol");
$self->{_exclude} = $config->existsOrig("exclude");
- $self->{_source}->{_net} = undef;
- $self->{_source}->{_addr} = $config->returnOrigValue("source address");
- if (defined($self->{_source}->{_addr})
- && ($self->{_source}->{_addr} =~ /\//)) {
- $self->{_source}->{_net} = $self->{_source}->{_addr};
- $self->{_source}->{_addr} = undef;
- }
- $self->{_source}->{_port} = $config->returnOrigValue("source port");
-
- $self->{_destination}->{_net} = undef;
- $self->{_destination}->{_addr}
- = $config->returnOrigValue("destination address");
- if (defined($self->{_destination}->{_addr})
- && ($self->{_destination}->{_addr} =~ /\//)) {
- $self->{_destination}->{_net} = $self->{_destination}->{_addr};
- $self->{_destination}->{_addr} = undef;
- }
- $self->{_destination}->{_port}
- = $config->returnOrigValue("destination port");
-
$self->{_inside_addr}->{_addr}
= $config->returnOrigValue("inside-address address");
$self->{_inside_addr}->{_range}->{_start} = undef;
@@ -171,6 +130,9 @@ sub setupOrig {
$self->{_outside_addr}->{_port}
= $config->returnOrigValue("outside-address port");
+ $src->setupOrig("$level source");
+ $dst->setupOrig("$level destination");
+
return 0;
}
@@ -319,49 +281,17 @@ sub rule_str {
}
}
- # source port(s)
- my ($port_str, $port_err)
- = VyattaMisc::getPortRuleString($self->{_source}->{_port},
- $can_use_port, "s", $self->{_proto});
- return (undef, $port_err) if (!defined($port_str));
- $rule_str .= $port_str;
+ # source rule string
+ my ($addr_str, $addr_err) = $src->rule();
+ return (undef, $addr_err) if (!defined($addr_str));
+ $rule_str .= " $addr_str";
- # destination port(s)
- ($port_str, $port_err)
- = VyattaMisc::getPortRuleString($self->{_destination}->{_port},
- $can_use_port, "d", $self->{_proto});
- return (undef, $port_err) if (!defined($port_str));
- $rule_str .= $port_str;
-
- if (defined($self->{_source}->{_addr})) {
- my $str = $self->{_source}->{_addr};
- return (undef, "\"$str\" is not a valid IP address")
- if (!VyattaTypeChecker::validateType('ipv4_negate', $str, 1));
- $str =~ s/^\!(.*)$/! $1/;
- $rule_str .= " -s $str";
- } elsif (defined($self->{_source}->{_net})) {
- my $str = $self->{_source}->{_net};
- return (undef, "\"$str\" is not a valid IP subnet")
- if (!VyattaTypeChecker::validateType('ipv4net_negate', $str, 1));
- $str =~ s/^\!(.*)$/! $1/;
- $rule_str .= " -s $str";
- }
-
- if (defined($self->{_destination}->{_addr})) {
- my $str = $self->{_destination}->{_addr};
- return (undef, "\"$str\" is not a valid IP address")
- if (!VyattaTypeChecker::validateType('ipv4_negate', $str, 1));
- $str =~ s/^\!(.*)$/! $1/;
- $rule_str .= " -d $str";
- } elsif (defined($self->{_destination}->{_net})) {
- my $str = $self->{_destination}->{_net};
- return (undef, "\"$str\" is not a valid IP subnet")
- if (!VyattaTypeChecker::validateType('ipv4net_negate', $str, 1));
- $str =~ s/^\!(.*)$/! $1/;
- $rule_str .= " -d $str";
- }
+ # destination rule string
+ ($addr_str, $addr_err) = $dst->rule();
+ return (undef, $addr_err) if (!defined($addr_str));
+ $rule_str .= " $addr_str";
- return ($rule_str, "");
+ return ($rule_str, undef);
}
sub orig_type {
@@ -381,11 +311,7 @@ sub print_str {
my $str =
"type[$self->{_type}] " .
"in_if[$self->{_inbound_if}] out_if[$self->{_outbound_if}] " .
- "proto[$self->{_proto}] saddr[$self->{_source}->{_addr}] ".
- "snet[$self->{_source}->{_net}] sp[@{$self->{_source}->{_port}}] ".
- "daddr[$self->{_destination}->{_addr}] " .
- "dnet[$self->{_destination}->{_net}] " .
- "dp[@{$self->{_destination}->{_port}}] " .
+ "proto[$self->{_proto}] " .
"inaddr[$self->{_inside_addr}->{_addr}] " .
"inrange[$self->{_inside_addr}->{_range}->{_start}-" .
"$self->{_inside_addr}->{_range}->{_stop}] " .
@@ -394,7 +320,7 @@ sub print_str {
"outrange[$self->{_outside_addr}->{_range}->{_start}-" .
"$self->{_outside_addr}->{_range}->{_stop}]" .
"outp[$self->{_outside_addr}->{_port}] ";
-
+
return $str;
}
@@ -408,12 +334,6 @@ sub outputXml {
outputXmlElem("type", $self->{_type}, $fh);
outputXmlElem("in_interface", $self->{_inbound_if}, $fh);
outputXmlElem("out_interface", $self->{_outbound_if}, $fh);
- outputXmlElem("src_addr", $self->{_source}->{_addr}, $fh);
- outputXmlElem("src_network", $self->{_source}->{_net}, $fh);
- outputXmlElem("src_ports", $self->{_source}->{_port}, $fh);
- outputXmlElem("dst_addr", $self->{_destination}->{_addr}, $fh);
- outputXmlElem("dst_network", $self->{_destination}->{_net}, $fh);
- outputXmlElem("dst_ports", $self->{_destination}->{_port}, $fh);
outputXmlElem("in_addr", $self->{_inside_addr}->{_addr}, $fh);
outputXmlElem("in_addr_start", $self->{_inside_addr}->{_range}->{_start},
$fh);
@@ -426,7 +346,9 @@ sub outputXml {
outputXmlElem("out_addr_stop", $self->{_outside_addr}->{_range}->{_stop},
$fh);
outputXmlElem("out_port", $self->{_outside_addr}->{_port}, $fh);
-
+
+ $src->outputXml("src", $fh);
+ $dst->outputXml("dst", $fh);
# no proto? ($self->{_proto})
}
diff --git a/templates-cfg/service/nat/rule/node.tag/destination/address/node.def b/templates-cfg/service/nat/rule/node.tag/destination/address/node.def
index 48da82b..9c81afa 100644
--- a/templates-cfg/service/nat/rule/node.tag/destination/address/node.def
+++ b/templates-cfg/service/nat/rule/node.tag/destination/address/node.def
@@ -1,12 +1,9 @@
type: txt
-help: Destination address or subnet
-syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl \
- -q ipv4_negate '$VAR(@)' \
- || /opt/vyatta/sbin/vyatta-validate-type.pl \
- -q ipv4net_negate '$VAR(@)'" \
- ; "invalid destination address \"$VAR(@)\""
+help: Destination IP address, subnet, or range
comp_help: Possible completions:
<IP address> IP address to match
<IP address>/<prefix length> Subnet to match
+ <IP address>-<IP address> IP range to match
!<IP address> Match everything except the specified address
!<IP address>/<prefix length> Match everything except the specified subnet
+ !<IP address>-<IP address> Match everything except the specified range
diff --git a/templates-cfg/service/nat/rule/node.tag/source/address/node.def b/templates-cfg/service/nat/rule/node.tag/source/address/node.def
index a9dda73..ae18e02 100644
--- a/templates-cfg/service/nat/rule/node.tag/source/address/node.def
+++ b/templates-cfg/service/nat/rule/node.tag/source/address/node.def
@@ -1,12 +1,9 @@
type: txt
-help: Source address or subnet
-syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl \
- -q ipv4_negate '$VAR(@)' \
- || /opt/vyatta/sbin/vyatta-validate-type.pl \
- -q ipv4net_negate '$VAR(@)'" \
- ; "invalid source address \"$VAR(@)\""
+help: Source IP address, subnet, or range
comp_help: Possible completions:
<IP address> IP address to match
<IP address>/<prefix length> Subnet to match
+ <IP address>-<IP address> IP range to match
!<IP address> Match everything except the specified address
!<IP address>/<prefix length> Match everything except the specified subnet
+ !<IP address>-<IP address> Match everything except the specified range
diff --git a/xsl/show_nat_rules.xsl b/xsl/show_nat_rules.xsl
index 4df6065..7afa095 100644
--- a/xsl/show_nat_rules.xsl
+++ b/xsl/show_nat_rules.xsl
@@ -100,8 +100,8 @@
<xsl:choose>
<xsl:when test="src_addr=''">
- <xsl:value-of select="src_network"/>
- <xsl:value-of select="substring($pad20,1,$pad20_len - string-length(src_network))"/>
+ <xsl:value-of select="src_net"/>
+ <xsl:value-of select="substring($pad20,1,$pad20_len - string-length(src_net))"/>
</xsl:when>
<xsl:when test="src_addr!='0.0.0.0'">
@@ -110,15 +110,15 @@
</xsl:when>
<xsl:when test="src_addr='0.0.0.0'">
- <xsl:value-of select="src_network"/>
- <xsl:value-of select="substring($pad20,1,$pad20_len - string-length(src_network))"/>
+ <xsl:value-of select="src_net"/>
+ <xsl:value-of select="substring($pad20,1,$pad20_len - string-length(src_net))"/>
</xsl:when>
</xsl:choose>
<xsl:choose>
<xsl:when test="dst_addr=''">
- <xsl:value-of select="dst_network"/>
- <xsl:value-of select="substring($pad20,1,$pad20_len - string-length(dst_network))"/>
+ <xsl:value-of select="dst_net"/>
+ <xsl:value-of select="substring($pad20,1,$pad20_len - string-length(dst_net))"/>
</xsl:when>
<xsl:when test="dst_addr!='0.0.0.0'">
@@ -127,8 +127,8 @@
</xsl:when>
<xsl:when test="dst_addr='0.0.0.0'">
- <xsl:value-of select="dst_network"/>
- <xsl:value-of select="substring($pad20,1,$pad20_len - string-length(dst_network))"/>
+ <xsl:value-of select="dst_net"/>
+ <xsl:value-of select="substring($pad20,1,$pad20_len - string-length(dst_net))"/>
</xsl:when>
</xsl:choose>