#!/usr/bin/perl # # Module: vyatta-update-src-nat.pl # # **** License **** # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # This code was originally developed by Vyatta, Inc. # Portions created by Vyatta are Copyright (C) 2009 Vyatta, Inc. # All Rights Reserved. # # Author: eng@vyatta.com # Date: 2011 # Description: Script to update iptables source NAT rules # # **** End License **** # use strict; use lib "/opt/vyatta/share/perl5/"; use Vyatta::Config; use Vyatta::NatRuleCommon; use Vyatta::SrcNatRule; use Vyatta::IpTables::Mgr; my $CONFIG_LEVEL = "nat source"; my $IPTABLES = "/sbin/iptables"; sub numerically { $a <=> $b; } sub raw_cleanup { # remove the conntrack setup. ipt_disable_conntrack('iptables', 'NAT_CONNTRACK'); } my $config = new Vyatta::Config; $config->setLevel($CONFIG_LEVEL." rule"); my %rules = $config->listNodeStatus(); my $rule; my $debug = 0; if ($debug) { open(OUT, ">>/tmp/nat") or exit 1; } else { open(OUT, ">>/dev/null") or exit 1; } my $ipt_rulenum = 2; my $chain_name = "POSTROUTING"; print OUT "========= src-nat list =========\n"; my @rule_keys = sort numerically keys %rules; if ($#rule_keys < 0) { raw_cleanup(); exit 0; } ## it seems that "multiport" does not like port range (p1:p2) if nobody has ## touched the nat table yet after reboot!? system("$IPTABLES -t nat -L -n >& /dev/null"); # we have some nat rule(s). make sure conntrack is enabled. ipt_enable_conntrack('iptables', 'NAT_CONNTRACK'); my $all_deleted = 1; for $rule (@rule_keys) { print OUT "$rule: $rules{$rule}\n"; my $tmp = `iptables -L -nv --line -t nat`; print OUT "iptables before:\n$tmp\n"; my $nrule = new Vyatta::SrcNatRule; $nrule->setup($CONFIG_LEVEL." rule $rule"); if ($rules{$rule} ne "deleted") { $all_deleted = 0; } my $cmd; if ($rules{$rule} eq "static") { my $ipt_rules = $nrule->get_num_ipt_rules(); $ipt_rulenum += $ipt_rules; next; } elsif ($rules{$rule} eq "deleted") { my $orule = new Vyatta::SrcNatRule; $orule->setupOrig($CONFIG_LEVEL." rule $rule"); my $ipt_rules = $orule->get_num_ipt_rules(); for (1 .. $ipt_rules) { $cmd = "$IPTABLES -t nat -D $chain_name $ipt_rulenum"; print OUT "$cmd\n"; if (system($cmd)) { exit 1; } } next; } my ($err, @rule_strs) = $nrule->rule_str(); if (defined $err) { # rule check failed => return error print OUT "NAT configuration error: $err\n"; print STDERR "NAT configuration error: $err\n"; exit 5; } if ($rules{$rule} eq "added") { foreach my $rule_str (@rule_strs) { next if !defined $rule_str; $cmd = "$IPTABLES -t nat -I $chain_name $ipt_rulenum " . "$rule_str"; print OUT "$cmd\n"; if (system($cmd)) { exit 1; } $ipt_rulenum++; } } elsif ($rules{$rule} eq "changed") { # delete the old rule(s) my $orule = new Vyatta::SrcNatRule; $orule->setupOrig($CONFIG_LEVEL." rule $rule"); my $ipt_rules = $orule->get_num_ipt_rules(); my $idx = $ipt_rulenum; for (1 .. $ipt_rules) { $cmd = "$IPTABLES -t nat -D $chain_name $idx"; print OUT "$cmd\n"; if (system($cmd)) { exit 1; } } # add the new rule(s) foreach my $rule_str (@rule_strs) { next if !defined $rule_str; $cmd = "$IPTABLES -t nat -I $chain_name $ipt_rulenum " . "$rule_str"; print OUT "$cmd\n"; if (system($cmd)) { exit 1; } $ipt_rulenum++; } } } if ($all_deleted) { raw_cleanup(); } close OUT; exit 0; # Local Variables: # mode: perl # indent-tabs-mode: nil # perl-indent-level: 2 # End: