author | Mohit Mehta <mohit.mehta@vyatta.com> | 2009-07-24 14:16:57 -0700 |
---|---|---|
committer | Mohit Mehta <mohit.mehta@vyatta.com> | 2009-07-24 14:16:57 -0700 |
commit | bd8612731a3b4f2199e528e528a27cc2151c0350 (patch) | |
tree | 95638f942aea85b53329c95da0b74c3dee3a6aad | |
parent | 51acfc88f15093f76467fa289f2ca2b2a0fa034e (diff) | |
download | vyatta-nat-bd8612731a3b4f2199e528e528a27cc2151c0350.tar.gz vyatta-nat-bd8612731a3b4f2199e528e528a27cc2151c0350.zip |
add support for disabling a NAT rule
-rw-r--r-- | lib/Vyatta/NatRule.pm | 14 | ||||
-rwxr-xr-x | scripts/vyatta-show-nat-rules.pl | 1 | ||||
-rwxr-xr-x | scripts/vyatta-show-nat.pl | 1 | ||||
-rwxr-xr-x | scripts/vyatta-update-nat.pl | 2 | ||||
-rw-r--r-- | templates-cfg/service/nat/rule/node.tag/disable/node.def | 1 |
5 files changed, 18 insertions, 1 deletions
diff --git a/lib/Vyatta/NatRule.pm b/lib/Vyatta/NatRule.pm
index cadff9c..c3631ae 100644
--- a/lib/Vyatta/NatRule.pm
+++ b/lib/Vyatta/NatRule.pm
@@ -18,6 +18,7 @@ my %fields = (
   _outbound_if => undef,
   _proto => undef,
   _exclude => undef,
+  _disable => undef,
   _log => undef,
   _inside_addr => {
     _addr => undef,
@@ -61,6 +62,7 @@ sub setup {
   $self->{_outbound_if} = $config->returnValue("outbound-interface");
   $self->{_proto} = $config->returnValue("protocol");
   $self->{_exclude} = $config->exists("exclude");
+  $self->{_disable} = $config->exists("disable");
   $self->{_log} = $config->returnValue("log");
 
   $self->{_inside_addr}->{_addr}
@@ -108,6 +110,7 @@ sub setupOrig {
   $self->{_outbound_if} = $config->returnOrigValue("outbound-interface");
   $self->{_proto} = $config->returnOrigValue("protocol");
   $self->{_exclude} = $config->existsOrig("exclude");
+  $self->{_disable} = $config->existsOrig("disable");
   $self->{_log} = $config->returnOrigValue("log");
 
   $self->{_inside_addr}->{_addr}
@@ -142,8 +145,15 @@ sub setupOrig {
   return 0;
 }
 
+sub is_disabled {
+  my $self = shift;
+  return 1 if defined $self->{_disable};
+  return 0;
+}
+
 sub get_num_ipt_rules {
   my $self = shift;
+  return 0 if defined $self->{_disable};
   my $ipt_rules = 1;
   if ("$self->{_log}" eq 'enable') {
     $ipt_rules++;
@@ -179,7 +189,7 @@ sub rule_str {
   my $jump_target = '';
   my $jump_param = '';
   my $use_netmap = 0;
-  
+
   if (!defined($self->{_proto}) ||
      (($self->{_proto} ne "tcp") && ($self->{_proto} ne "6") &&
       ($self->{_proto} ne "udp") && ($self->{_proto} ne "17"))) {
@@ -462,6 +472,8 @@ sub rule_str {
     }
   }
 
+  return (undef, undef) if defined $self->{_disable};
+
   $rule_str .= " $src_str $dst_str";
   if ("$self->{_log}" eq "enable") {
     my $log_rule = $rule_str;
diff --git a/scripts/vyatta-show-nat-rules.pl b/scripts/vyatta-show-nat-rules.pl
index 206d409..a7b83da 100755
--- a/scripts/vyatta-show-nat-rules.pl
+++ b/scripts/vyatta-show-nat-rules.pl
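Review bot: The new `is_disabled` accessor in the `@@ -142,8 +145,15 @@` hunk is not used by the code that needs it; `get_num_ipt_rules` re-tests `defined $self->{_disable}` inline on the very next added line, and the `@@ -462,6 +472,8 @@` hunk of `rule_str` repeats the same test. Keeping the "what counts as disabled" decision in one place avoids the two drifting apart later, e.g. `return 0 if $self->is_disabled;` and `return (undef, undef) if $self->is_disabled;`. The flag itself is set from `$config->exists("disable")` / `existsOrig("disable")` and tested with `defined`, which mirrors how `_exclude` is already handled, so presumably `exists` yields undef when the node is absent; a one-line comment on `is_disabled` stating that assumption would help, since a false-but-defined return would make every rule read as disabled.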
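Review bot: In the `@@ -462,6 +472,8 @@` hunk the `return (undef, undef) if defined $self->{_disable};` sits after the whole rule string has already been assembled, so a disabled rule still has to pass every address/protocol check that precedes it in `rule_str` (the sub starts well outside the hunk). If that is deliberate, so that a disabled rule with an invalid configuration is still rejected at commit time, it deserves a comment such as `# disabled rules are still validated above; only the iptables output is suppressed`; if not, the check belongs at the top of the sub next to the `_proto` handling. The two-element `(undef, undef)` return encodes the fact that a logged rule can produce two iptables rules, but the callers in vyatta-update-nat.pl only learn this from the `next if !defined $rule_str;` guards, so that contract should also be stated in `rule_str`'s header comment. Note that `get_num_ipt_rules` now returns 0 for a disabled rule while `rule_str` still returns two list elements, so any caller that compares `scalar @rule_strs` against the count would see a mismatch; I cannot see such a caller here, so this is only something to confirm.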
@@ -172,6 +172,7 @@ for $rule (@rules) {
   my $dst = new Vyatta::IpTables::AddressFilter;
 
   $nrule->setupOrig("service nat rule $rule");
+  next if defined $nrule->{_disable};
   $rulenum = "X" . $rule if defined $nrule->{_exclude};
   $type = $nat_type{$nrule->{_type}};
   $protocol = $nrule->{_proto} if defined $nrule->{_proto};
diff --git a/scripts/vyatta-show-nat.pl b/scripts/vyatta-show-nat.pl
index c933e05..574c995 100755
--- a/scripts/vyatta-show-nat.pl
+++ b/scripts/vyatta-show-nat.pl
@@ -53,6 +53,7 @@ my @rules = sort numerically @rules_pre;
 for $rule (@rules) {
   my $nrule = new Vyatta::NatRule;
   $nrule->setupOrig("service nat rule $rule");
+  next if defined $nrule->{_disable};
   my $ntype = $nrule->orig_type();
   print RENDER " <row>\n";
   print RENDER " <rule_num>$rule</rule_num>\n";
diff --git a/scripts/vyatta-update-nat.pl b/scripts/vyatta-update-nat.pl
index 6eeb924..bbbd4ff 100755
--- a/scripts/vyatta-update-nat.pl
+++ b/scripts/vyatta-update-nat.pl
@@ -126,6 +126,7 @@ for $rule (@rule_keys) {
       exit 6;
     }
     foreach my $rule_str (@rule_strs) {
+      next if !defined $rule_str;
       $cmd = "iptables -t nat -I $chain_name{$ntype} $ipt_rulenum{$ntype} "
              . "$rule_str";
       print OUT "$cmd\n";
@@ -156,6 +157,7 @@ for $rule (@rule_keys) {
 
     # add the new rule(s)
     foreach my $rule_str (@rule_strs) {
+      next if !defined $rule_str;
       $cmd = "iptables -t nat -I $chain_name{$ntype} $ipt_rulenum{$ntype} "
              . "$rule_str";
       print OUT "$cmd\n";
diff --git a/templates-cfg/service/nat/rule/node.tag/disable/node.def b/templates-cfg/service/nat/rule/node.tag/disable/node.def
new file mode 100644
index 0000000..c23fc5a
--- /dev/null
+++ b/templates-cfg/service/nat/rule/node.tag/disable/node.def
@@ -0,0 +1 @@
+help: Disable NAT rule |
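Review bot: `next if defined $nrule->{_disable};` in vyatta-show-nat-rules.pl reaches into the object's private hash from a script, even though this same commit adds `is_disabled` to Vyatta::NatRule for exactly that test; the vyatta-show-nat.pl hunk does the same thing. `next if $nrule->is_disabled;` keeps the scripts independent of the field name. Separately, skipping the rule entirely means the operator's `show nat rules` output no longer reveals that a configured rule exists but is inactive, which makes it easy to overlook a translation that was disabled and never re-enabled; the script already marks excluded rules with `$rulenum = "X" . $rule if defined $nrule->{_exclude};`, so a similar visible marker for disabled rules would keep them auditable. The enclosing `for $rule (@rules)` loop starts outside the hunk.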
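Review bot: The `next if !defined $rule_str;` guard is copied into both `foreach my $rule_str (@rule_strs)` loops of vyatta-update-nat.pl (hunks `@@ -126,6 +126,7 @@` and `@@ -156,6 +157,7 @@`), and it makes "rule is disabled" indistinguishable from "rule_str produced nothing": any undef that reaches `@rule_strs` for another reason is now silently dropped from the generated iptables script rather than tripping the `exit 6` error path visible just above the first loop. Filtering once where `@rule_strs` is populated, or skipping the rule up front with the new `is_disabled` accessor, e.g. `@rule_strs = grep { defined } @rule_strs;` with a comment saying disabled rules yield undef, would keep that distinction explicit. The enclosing `for $rule (@rule_keys)` loop and the code that fills `@rule_strs` are outside the hunk, so whether other undef sources exist is an inference to confirm.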