author | Michael Larson <slioch@eng-140.vyatta.com> | 2008-03-20 09:54:56 -0700 |
committer | Michael Larson <slioch@eng-140.vyatta.com> | 2008-03-20 09:54:56 -0700 |
commit | db3ccf7834617fa5f278e512bb73b831acb407d3 (patch) | |
tree | bcf07c7f52890a76070e08e6c59dbc7da7a1a4a9 | |
parent | e1bc4714fd3049d928c8aa106ab698d51a5d315a (diff) | |
download | vyatta-wanloadbalance-db3ccf7834617fa5f278e512bb73b831acb407d3.tar.gz vyatta-wanloadbalance-db3ccf7834617fa5f278e512bb73b831acb407d3.zip |
Modified the configuration to mirror NAT/firewall for port/address configuration. Added port configuration support for the common port configuration validation. Address configuration still needs additional validation.
-rw-r--r-- | scripts/vyatta-wanloadbalance.pl | 58 | ||||
-rw-r--r-- | src/lbdata.cc | 2 | ||||
-rw-r--r-- | src/lbdata.hh | 4 | ||||
-rw-r--r-- | src/lbdatafactory.cc | 32 | ||||
-rw-r--r-- | src/lbdecision.cc | 18 | ||||
-rw-r--r-- | templates/load-balancing/wan/rule/node.tag/destination/address/node.def | 11 | ||||
-rw-r--r-- | templates/load-balancing/wan/rule/node.tag/destination/port/node.def | 8 | ||||
-rw-r--r-- | templates/load-balancing/wan/rule/node.tag/source/address/node.def | 11 | ||||
-rw-r--r-- | templates/load-balancing/wan/rule/node.tag/source/port/node.def | 8 |
9 files changed, 84 insertions, 68 deletions
diff --git a/scripts/vyatta-wanloadbalance.pl b/scripts/vyatta-wanloadbalance.pl
index 5069e29..ec361fa 100644
--- a/scripts/vyatta-wanloadbalance.pl
+++ b/scripts/vyatta-wanloadbalance.pl
@@ -88,25 +88,26 @@ sub write_rules {
 print FILE_LCK "\tdestination {\n";
 my $daddr = $config->returnValue("$rule destination address");
 if (defined $daddr) {
- print FILE_LCK "\t\taddress " . $daddr . "\n";
- }
-
- my $dnet = $config->returnValue("$rule destination network");
- if (defined $dnet && !defined $daddr) {
- print FILE_LCK "\t\tnetwork " . $dnet . "\n";
- }
- elsif (defined $dnet && defined $daddr) {
- print "Please specify either destination address or source network\n";
- exit 2;
+ print FILE_LCK "\t\taddress \"" . $daddr . "\"\n";
 }
 my $option = $config->returnValue("$rule destination port");
 if (defined $option) {
- if ($protocol ne "tcp" && $protocol ne "udp") {
- print "Please specify protocol tcp or udp when configuring ports\n";
- exit 2;
+ my $can_use_port;
+ my $port_str;
+ my $port_err;
+
+ if ($protocol eq "tcp" || $protocol eq "udp") {
+ $can_use_port = "yes";
+ }
+ ($port_str, $port_err) = VyattaMisc::getPortRuleString($option, $can_use_port, "d", $protocol);
+ if (defined $port_str) {
+ print FILE_LCK "\t\tport-ipt \"" . $port_str . "\"\n";
+ }
+ else {
+ print $port_err;
+ exit 1;
 }
- print FILE_LCK "\t\tport " . $option . "\n";
 }
 print FILE_LCK "\t}\n";
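Review bot: The port-handling block added under `if (defined $option)` is repeated verbatim for the source port in the next hunk, differing only in the config key; a small helper such as `write_port_rule($option, $protocol, "d")` that returns the `port-ipt` string or exits would keep the two copies in step. The new failure path uses `exit 1` while the address/network checks this hunk removes used `exit 2`; if anything distinguishes the exit codes, one convention should be chosen. `$can_use_port` stays undefined for protocols other than tcp/udp, so rejecting a port on such a rule now rests entirely on getPortRuleString returning an error rather than on a local check; a one-line comment stating that would help the next reader. write_rules continues outside the hunk.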
@@ -118,25 +119,26 @@ sub write_rules {
 print FILE_LCK "\tsource {\n";
 my $saddr = $config->returnValue("$rule source address");
 if (defined $saddr) {
- print FILE_LCK "\t\taddress " . $saddr . "\n";
- }
-
- my $snet = $config->returnValue("$rule source network");
- if (defined $snet && !defined $saddr) {
- print FILE_LCK "\t\tnetwork " . $snet . "\n";
- }
- elsif (defined $snet && defined $saddr) {
- print "Please specify either source address or source network\n";
- exit 2;
+ print FILE_LCK "\t\taddress \"" . $saddr . "\"\n";
 }
 $option = $config->returnValue("$rule source port");
 if (defined $option) {
- if ($protocol ne "tcp" && $protocol ne "udp") {
- print "Please specify protocol tcp or udp when configuring ports\n";
- exit 2;
+ my $can_use_port;
+ my $port_str;
+ my $port_err;
+
+ if ($protocol eq "tcp" || $protocol eq "udp") {
+ $can_use_port = "yes";
+ }
+ ($port_str, $port_err) = VyattaMisc::getPortRuleString($option, $can_use_port, "d", $protocol);
+ if (defined $port_str) {
+ print FILE_LCK "\t\tport-ipt \"" . $port_str . "\"\n";
+ }
+ else {
+ print $port_err;
+ exit 1;
 }
- print FILE_LCK "\t\tport " . $option . "\n";
 }
 print FILE_LCK "\t}\n";
diff --git a/src/lbdata.cc b/src/lbdata.cc
index 7078912..470279a 100644
--- a/src/lbdata.cc
+++ b/src/lbdata.cc
@@ -144,11 +144,9 @@ LBData::dump()
 cout << " rule: " << r_iter->first << endl;
 cout << " " << r_iter->second._proto << endl;
 cout << " " << r_iter->second._s_addr << endl;
- cout << " " << r_iter->second._s_net << endl;
 cout << " " << r_iter->second._s_port << endl;
 cout << " " << r_iter->second._d_addr << endl;
- cout << " " << r_iter->second._d_net << endl;
 cout << " " << r_iter->second._d_port << endl;
 LBRule::InterfaceDistIter ri_iter = r_iter->second._iface_dist_coll.begin();
diff --git a/src/lbdata.hh b/src/lbdata.hh
index 5072459..627507c 100644
--- a/src/lbdata.hh
+++ b/src/lbdata.hh
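Review bot: The source-port branch passes `"d"` in `VyattaMisc::getPortRuleString($option, $can_use_port, "d", $protocol)`, the same value the destination branch uses; if that third argument selects the source/destination prefix of the generated match, as it does in the firewall code this commit mirrors, the source port will be rendered as a destination match, and the line should read `($port_str, $port_err) = VyattaMisc::getPortRuleString($option, $can_use_port, "s", $protocol);`. The rendered string is written to the config as `port-ipt` and, per the lbdecision.cc hunk below, appended to the iptables rule verbatim, so nothing downstream would catch the swap. write_rules continues outside the hunk.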
@@ -29,12 +29,12 @@ class LBRule {
 public:
 string _proto;
 string _s_addr;
- string _s_net;
 string _s_port;
+ string _s_port_ipt;
 string _d_addr;
- string _d_net;
 string _d_port;
+ string _d_port_ipt;
 InterfaceDistColl _iface_dist_coll;
 };
diff --git a/src/lbdatafactory.cc b/src/lbdatafactory.cc
index 7f62a69..1cfcd34 100644
--- a/src/lbdatafactory.cc
+++ b/src/lbdatafactory.cc
@@ -46,11 +46,11 @@ LBDataFactory::load(const string &conf_file)
 //read line by line and populate vect
 char str[1025];
 int depth(0);
- vector<string> path(10);
+ vector<string> path(32);
 while (fgets(str, 1024, fp) != 0) {
 string line(str);
- int pos = line.find("#");
+ unsigned int pos = line.find("#");
 line = line.substr(0,pos);
 string key,value;
@@ -64,6 +64,10 @@ LBDataFactory::load(const string &conf_file)
 key = symbol;
 }
 else if (value.empty()) {
+ if ((pos = line.find("\"")) != string::npos) {
+ unsigned int end_pos = line.rfind("\"");
+ symbol = line.substr(pos+1,end_pos-pos-1);
+ }
 value = symbol;
 }
 path[depth] = key;
@@ -78,7 +82,7 @@ LBDataFactory::load(const string &conf_file)
 if (tokens.size() != 0) {
 process(path,depth,key,value);
 }
- if (depth > 9 || depth < 0) {
+ if (depth > 31 || depth < 0) {
 if (_debug) {
 cerr << "configuration error: malformed configuration file: brackets" << endl;
 }
@@ -258,17 +262,10 @@ void
 LBDataFactory::process_rule_source(const string &key, const string &value)
 {
 if (key == "address") {
- if (inet_addr(value.c_str()) == (unsigned)-1) {
- if (_debug) {
- cerr << "malformed ip address: " << key << ", " << value << endl;
- }
- syslog(LOG_ERR, "wan_lb, malformed ip address in configuration: %s,%s", key.c_str(),value.c_str());
- return;
- }
 _rule_iter->second._s_addr = value;
 }
- else if (key == "network") {
- _rule_iter->second._s_net = value;
+ else if (key == "port-ipt") {
+ _rule_iter->second._s_port_ipt = value;
 }
 else if (key == "port") {
 _rule_iter->second._s_port = value;
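Review bot: `_s_port_ipt` and `_d_port_ipt` are added to LBRule without a comment saying how they differ from `_s_port`/`_d_port`; from the lbdecision.cc hunk they hold a pre-rendered iptables argument fragment that is appended to the command as-is, which a reader of the header cannot infer from the name. Suggest `string _s_port_ipt; // iptables match fragment rendered by the config script; appended to the rule verbatim` and the same for `_d_port_ipt`. The new members are also not printed by `LBData::dump()` in the previous hunk, so debug output no longer shows everything that shapes the generated rule.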
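Review bot: `unsigned int pos = line.find("#");` stores a `string::size_type` in an `unsigned int`; on an LP64 build `string::npos` is truncated, so in the following hunk `(pos = line.find("\"")) != string::npos` is true even when the line contains no quote, `pos+1` and `end_pos-pos-1` wrap, and `symbol` becomes the whole remaining line. Declare both as `string::size_type pos = line.find("#");` and `string::size_type end_pos = line.rfind("\"");` so the comparison against npos is exact on every target. A line with a single quote character gives `end_pos == pos` and the same wrap-around; checking `end_pos != pos` before the substr, and treating the line as malformed otherwise, closes that case too.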
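Review bot: `depth > 31` repeats the `32` used to size `path` two hunks earlier as an unrelated literal, so the bounds check and the vector can drift apart. Express the check against the container, `if (depth < 0 || depth >= static_cast<int>(path.size())) {`, or name the limit once. Whether `path[depth] = key;` in the previous hunk executes before or after this check is not visible here; if it runs first, the check reports the malformed file only after an out-of-range write has already happened, so the order is worth confirming.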
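Review bot: Removing the `inet_addr()` check leaves `_s_addr` with no validation at all, because this commit also changes the template from `type: ipv4` to `type: txt`, and lbdecision.cc concatenates the value straight after `--source `. The commit message defers address validation to a later change; until it lands, process_rule_source should at least refuse values that cannot be the address, subnet or range syntax the template describes, for example anything containing whitespace, and report them through the existing `syslog(LOG_ERR, ...)` path rather than storing them silently. The same applies to process_rule_destination in the next hunk.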
@@ -279,17 +276,10 @@ void
 LBDataFactory::process_rule_destination(const string &key, const string &value)
 {
 if (key == "address") {
- if (inet_addr(value.c_str()) == (unsigned)-1) {
- if (_debug) {
- cerr << "malformed ip address: " << key << ", " << value << endl;
- }
- syslog(LOG_ERR, "wan_lb, malformed ip address in configuration: %s,%s", key.c_str(),value.c_str());
- return;
- }
 _rule_iter->second._d_addr = value;
 }
- else if (key == "network") {
- _rule_iter->second._d_net = value;
+ else if (key == "port-ipt") {
+ _rule_iter->second._d_port_ipt = value;
 }
 else if (key == "port") {
 _rule_iter->second._d_port = value;
diff --git a/src/lbdecision.cc b/src/lbdecision.cc
index 4ff35b2..fb79994 100644
--- a/src/lbdecision.cc
+++ b/src/lbdecision.cc
@@ -283,25 +283,25 @@ LBDecision::get_application_cmd(LBRule &rule)
 if (rule._s_addr.empty() == false) {
 filter += "--source " + rule._s_addr + " ";
 }
- else if (rule._s_net.empty() == false && rule._s_addr.empty() == true) {
- filter += "--source " + rule._s_net + " ";
- }
 if (rule._d_addr.empty() == false) {
 filter += "--destination " + rule._d_addr + " ";
 }
- else if (rule._d_net.empty() == false && rule._d_addr.empty() == true) {
- filter += "--destination " + rule._d_net + " ";
- }
- else if (rule._proto == "udp" || rule._proto == "tcp") {
- if (rule._s_port.empty() == false) {
+ if (rule._proto == "udp" || rule._proto == "tcp") {
+ if (rule._s_port.empty() == false && rule._s_port_ipt.empty() == true) {
 filter += "-m multiport --source-port " + rule._s_port + " ";
 }
+ else if (rule._s_port_ipt.empty() == false) {
+ filter += rule._s_port_ipt + " ";
+ }
- if (rule._d_port.empty() == false) {
+ if (rule._d_port.empty() == false && rule._d_port_ipt.empty() == true) {
 filter += "-m multiport --destination-port " + rule._d_port + " ";
 }
+ else if (rule._d_port_ipt.empty() == false) {
+ filter += rule._d_port_ipt + " ";
+ }
 }
 return filter;
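Review bot: `filter += rule._s_port_ipt + " ";` and the matching `_d_port_ipt` branch append a string read from the config file straight into the iptables argument list, so the rule's correctness now depends on two independent producers agreeing: the Perl script that renders `port-ipt` and this parser, with no check in between. A comment on each branch stating the contract would make that explicit, e.g. `// port-ipt is an iptables argument fragment rendered by the config script; used as-is`. The guard `rule._s_port.empty() == false && rule._s_port_ipt.empty() == true` reads more naturally as `!rule._s_port.empty() && rule._s_port_ipt.empty()`, and it means a rule carrying both `port` and `port-ipt` silently prefers the latter; if that precedence is intended, it deserves a comment too. get_application_cmd continues before and after the hunk.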
diff --git a/templates/load-balancing/wan/rule/node.tag/destination/address/node.def b/templates/load-balancing/wan/rule/node.tag/destination/address/node.def
index 45b133b..ae18e02 100644
--- a/templates/load-balancing/wan/rule/node.tag/destination/address/node.def
+++ b/templates/load-balancing/wan/rule/node.tag/destination/address/node.def
@@ -1,2 +1,9 @@
-type: ipv4
-help: IPv4 address
+type: txt
+help: Source IP address, subnet, or range
+comp_help: Possible completions:
+ <IP address> IP address to match
+ <IP address>/<prefix length> Subnet to match
+ <IP address>-<IP address> IP range to match
+ !<IP address> Match everything except the specified address
+ !<IP address>/<prefix length> Match everything except the specified subnet
+ !<IP address>-<IP address> Match everything except the specified range
diff --git a/templates/load-balancing/wan/rule/node.tag/destination/port/node.def b/templates/load-balancing/wan/rule/node.tag/destination/port/node.def
index fe064b0..e14959a 100644
--- a/templates/load-balancing/wan/rule/node.tag/destination/port/node.def
+++ b/templates/load-balancing/wan/rule/node.tag/destination/port/node.def
@@ -1,3 +1,9 @@
 type: txt
-help: ports
+help: Configure source port
+comp_help: Source port(s) can be specified as a comma-separated list of:
+ <port name> Named port (any name in /etc/services, e.g., http)
+ <port number> Numbered port (between 1 and 65535)
+ <start>-<end> Numbered port range (e.g., 1001-1005)
+The whole list can also be "negated" using '!'. For example:
+ '!22,telnet,http,123,1001-1005'
diff --git a/templates/load-balancing/wan/rule/node.tag/source/address/node.def b/templates/load-balancing/wan/rule/node.tag/source/address/node.def
index 45b133b..ae18e02 100644
--- a/templates/load-balancing/wan/rule/node.tag/source/address/node.def
+++ b/templates/load-balancing/wan/rule/node.tag/source/address/node.def
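Review bot: Both destination templates carry source wording: destination/address/node.def gets `help: Source IP address, subnet, or range` and destination/port/node.def gets `help: Configure source port` with `comp_help: Source port(s) can be specified as a comma-separated list of:`; the identical blob ids `45b133b..ae18e02` on the two address node.def files confirm the destination file is a byte copy of the source one. Change them to `help: Destination IP address, subnet, or range`, `help: Configure destination port` and `comp_help: Destination port(s) can be specified as a comma-separated list of:`. Note also that switching the address node from `type: ipv4` to `type: txt` removes the only syntax check the CLI applied to the value, so the address validation the commit message defers is now the sole guard before the value reaches the generated iptables rule.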
@@ -1,2 +1,9 @@
-type: ipv4
-help: IPv4 address
+type: txt
+help: Source IP address, subnet, or range
+comp_help: Possible completions:
+ <IP address> IP address to match
+ <IP address>/<prefix length> Subnet to match
+ <IP address>-<IP address> IP range to match
+ !<IP address> Match everything except the specified address
+ !<IP address>/<prefix length> Match everything except the specified subnet
+ !<IP address>-<IP address> Match everything except the specified range
diff --git a/templates/load-balancing/wan/rule/node.tag/source/port/node.def b/templates/load-balancing/wan/rule/node.tag/source/port/node.def
index db26231..1973f1c 100644
--- a/templates/load-balancing/wan/rule/node.tag/source/port/node.def
+++ b/templates/load-balancing/wan/rule/node.tag/source/port/node.def
@@ -1,2 +1,8 @@
 type: txt
-help: port name
+help: Configure source port
+comp_help: Source port(s) can be specified as a comma-separated list of:
+ <port name> Named port (any name in /etc/services, e.g., http)
+ <port number> Numbered port (between 1 and 65535)
+ <start>-<end> Numbered port range (e.g., 1001-1005)
+The whole list can also be "negated" using '!'. For example:
+ '!22,telnet,http,123,1001-1005' |