authorMohit Mehta <mohit@vyatta.com>2010-10-13 17:38:39 -0700
committerMohit Mehta <mohit@vyatta.com>2010-10-13 17:38:39 -0700
commit4830952dc7a88a3732e4c269b65b01596bb7c413 (patch)
tree16def42aba630db22c8eb24e593d3485b52d1bd8
parentdfa0a30c575f92575e43608b9c50d43ff02bcb20 (diff)
move common hashes and create/delete zone chain functions to zone library
-rwxr-xr-xlib/Vyatta/Zone.pm64
-rw-r--r--scripts/vyatta-zone-ips.pl71
-rwxr-xr-xscripts/vyatta-zone.pl67
3 files changed, 81 insertions, 121 deletions
diff --git a/lib/Vyatta/Zone.pm b/lib/Vyatta/Zone.pm
index 0559753..251b325 100755
--- a/lib/Vyatta/Zone.pm
+++ b/lib/Vyatta/Zone.pm
@@ -30,6 +30,28 @@ use Vyatta::Interface;
use strict;
use warnings;
+use base 'Exporter';
+
+# mapping from config node to iptables command
+our %cmd_hash = ( 'name' => '/sbin/iptables',
+ 'ipv6-name' => '/sbin/ip6tables');
+
+# mapping from config node to iptables/ip6tables table
+our %table_hash = ( 'name' => 'filter',
+ 'ipv6-name' => 'filter');
+
+# mapping from zone default action to iptables jump target
+our %policy_hash = ( 'drop' => 'DROP',
+ 'reject' => 'REJECT',
+ 'accept' => 'RETURN');
+
+our @EXPORT_OK = qw(%cmd_hash %table_hash %policy_hash);
+
+my %get_zone_chain_hash = (
+ get_zone_chain => \&get_zone_chain,
+ get_ips_zone_chain => \&get_ips_zone_chain,
+);
+
my $debug="false";
my $syslog="false";
my $logger = 'sudo logger -t zone.pm -p local0.warn --';
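Review bot: The new `%get_zone_chain_hash` dispatch table has no comment saying what its keys are, although they are the literal strings ("get_zone_chain", "get_ips_zone_chain") that the two calling scripts now have to spell correctly as the first argument of create_zone_chain/delete_zone_chain. Suggested comment above it: `# dispatch table: the $feature_func string passed to create/delete_zone_chain -> sub that derives the chain name for that feature`. The three exported hashes are plain `our` variables, so every importer shares one writable copy; a one-line note that they are read-only by convention would help, e.g. `# shared with the zone scripts via @EXPORT_OK; treat as read-only`.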
@@ -250,4 +272,46 @@ sub validity_checks {
return;
}
+sub create_zone_chain {
+ my ($feature_func, $zone_name, $localoutchain) = @_;
+ my ($cmd, $error);
+ my $zone_chain=$get_zone_chain_hash{$feature_func}->("exists",
+ $zone_name, $localoutchain);
+
+ # create zone chains in filter, ip6filter tables
+ foreach my $tree (keys %cmd_hash) {
+ $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .
+ "-L $zone_chain >&/dev/null";
+ $error = run_cmd($cmd);
+ if ($error) {
+ # chain does not exist, go ahead create it
+ $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -N $zone_chain";
+ $error = run_cmd($cmd);
+ return "Error: create $zone_name chain with failed [$error]" if $error;
+ }
+ }
+
+ return;
+}
+
+sub delete_zone_chain {
+ my ($feature_func, $zone_name, $localoutchain) = @_;
+ my ($cmd, $error);
+ my $zone_chain=$get_zone_chain_hash{$feature_func}->("existsOrig",
+ $zone_name, $localoutchain);
+ # delete zone chains from filter, ip6filter tables
+ foreach my $tree (keys %cmd_hash) {
+ # flush all rules from zone chain
+ $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -F $zone_chain";
+ $error = run_cmd($cmd);
+ return "Error: flush all rules in $zone_name chain failed [$error]" if $error;
+
+ # delete zone chain
+ $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -X $zone_chain";
+ $error = run_cmd($cmd);
+ return "Error: delete $zone_name chain failed [$error]" if $error;
+ }
+ return;
+}
+
1;
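Review bot: `$get_zone_chain_hash{$feature_func}->(...)` on the first line of both create_zone_chain and delete_zone_chain dereferences the lookup result without checking it, so a mistyped or unsupported `$feature_func` dies with "Can't use an undefined value as a subroutine reference" instead of returning the error string every other failure path in these functions uses. Suggest `my $get_chain = $get_zone_chain_hash{$feature_func}` / `or return "Error: unknown zone chain lookup '$feature_func'";` / `my $zone_chain = $get_chain->("exists", $zone_name, $localoutchain);` in create_zone_chain, and the same with "existsOrig" in delete_zone_chain. Since these are now library entry points, a short header comment naming the accepted `$feature_func` values and the meaning of the optional `$localoutchain` argument would also be useful. The stray word in `"Error: create $zone_name chain with failed [$error]"` was carried over from the scripts and could be cleaned up while the code is being moved.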
diff --git a/scripts/vyatta-zone-ips.pl b/scripts/vyatta-zone-ips.pl
index 0c8e3d1..7007a84 100644
--- a/scripts/vyatta-zone-ips.pl
+++ b/scripts/vyatta-zone-ips.pl
@@ -1,6 +1,6 @@
#!/usr/bin/perl
#
-# Module: vyatta-zone.pl
+# Module: vyatta-zone-ips.pl
#
# **** License ****
# This program is free software; you can redistribute it and/or modify
@@ -27,25 +27,12 @@ use Getopt::Long;
use POSIX;
use lib "/opt/vyatta/share/perl5";
-use Vyatta::Zone;
use Vyatta::IpTables::Mgr;
+use Vyatta::Zone qw(%cmd_hash %table_hash %policy_hash);
use warnings;
use strict;
-# IPS mapping from config node to iptables command. Similar to FW.
-my %cmd_hash = ( 'name' => '/sbin/iptables',
- 'ipv6-name' => '/sbin/ip6tables');
-
-# IPS mapping from config node to iptables/ip6tables table
-my %table_hash = ( 'name' => 'filter',
- 'ipv6-name' => 'filter');
-
-# mapping from vyatta 'default-policy' to iptables jump target
-my %policy_hash = ( 'drop' => 'DROP',
- 'reject' => 'REJECT',
- 'accept' => 'RETURN');
-
sub setup_default_policy {
my ($zone_name, $default_policy, $localoutchain) = @_;
my ($cmd, $error);
@@ -90,48 +77,6 @@ in $zone_name chain failed [$error]" if $error;
return;
}
-sub create_zone_chain {
- my ($zone_name, $localoutchain) = @_;
- my ($cmd, $error);
- my $zone_chain=Vyatta::Zone::get_ips_zone_chain("exists",
- $zone_name, $localoutchain);
-
- # create zone chains in filter, ip6filter tables
- foreach my $tree (keys %cmd_hash) {
- $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .
- "-L $zone_chain >&/dev/null";
- $error = Vyatta::Zone::run_cmd($cmd);
- if ($error) {
- # chain does not exist, go ahead create it
- $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -N $zone_chain";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: create $zone_name chain with failed [$error]" if $error;
- }
- }
-
- return;
-}
-
-sub delete_zone_chain {
- my ($zone_name, $localoutchain) = @_;
- my ($cmd, $error);
- my $zone_chain=Vyatta::Zone::get_ips_zone_chain("existsOrig",
- $zone_name, $localoutchain);
- # delete zone chains from filter, ip6filter tables
- foreach my $tree (keys %cmd_hash) {
- # flush all rules from zone chain
- $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -F $zone_chain";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: flush all rules in $zone_name chain failed [$error]" if $error;
-
- # delete zone chain
- $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -X $zone_chain";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: delete $zone_name chain failed [$error]" if $error;
- }
- return;
-}
-
sub insert_from_rule {
my ($zone_name, $from_zone, $interface, $ruleset_type, $ruleset,
$direction, $zone_chain) = @_;
@@ -454,12 +399,14 @@ $zone_chain chain failed [$error]" if $error;
sub add_zone {
my $zone_name = shift;
# perform IPS related actions for this zone
- my $error = create_zone_chain ($zone_name);
+ my $error = Vyatta::Zone::create_zone_chain("get_ips_zone_chain",
+ $zone_name);
return ($error, ) if $error;
if (defined(Vyatta::Zone::is_local_zone("exists", $zone_name))) {
# make local out chain as well
- $error = create_zone_chain ($zone_name, "localout");
+ $error = Vyatta::Zone::create_zone_chain("get_ips_zone_chain",
+ $zone_name, "localout");
return ($error, ) if $error;
# allow traffic sourced from and destined to localhost
@@ -536,11 +483,13 @@ sub add_zone {
sub delete_zone {
my $zone_name = shift;
# undo IPS related actions for this zone
- my $error = delete_zone_chain ($zone_name);
+ my $error = Vyatta::Zone::delete_zone_chain("get_ips_zone_chain",
+ $zone_name);
return ($error, ) if $error;
if (defined(Vyatta::Zone::is_local_zone("existsOrig", $zone_name))) {
# delete local out chain as well
- $error = delete_zone_chain ($zone_name, "localout");
+ $error = Vyatta::Zone::delete_zone_chain("get_ips_zone_chain",
+ $zone_name, "localout");
return ($error, ) if $error;
}
return;
diff --git a/scripts/vyatta-zone.pl b/scripts/vyatta-zone.pl
index 0c05842..75de074 100755
--- a/scripts/vyatta-zone.pl
+++ b/scripts/vyatta-zone.pl
@@ -27,25 +27,12 @@ use Getopt::Long;
use POSIX;
use lib "/opt/vyatta/share/perl5";
-use Vyatta::Zone;
use Vyatta::IpTables::Mgr;
+use Vyatta::Zone qw(%cmd_hash %table_hash %policy_hash);
use warnings;
use strict;
-# for future ease, when we add modify, these hashes will just be extended
-# firewall mapping from config node to iptables command.
-my %cmd_hash = ( 'name' => '/sbin/iptables',
- 'ipv6-name' => '/sbin/ip6tables');
-
-# firewall mapping from config node to iptables/ip6tables table
-my %table_hash = ( 'name' => 'filter',
- 'ipv6-name' => 'filter');
-
-# mapping from vyatta 'default-policy' to iptables jump target
-my %policy_hash = ( 'drop' => 'DROP',
- 'reject' => 'REJECT' );
-
sub setup_default_policy {
my ($zone_name, $default_policy, $localoutchain) = @_;
my ($cmd, $error);
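Review bot: The `%policy_hash` removed here mapped only `drop` and `reject`, while the imported library version also maps `accept` to `RETURN` (and vyatta-zone-ips.pl previously had the same three-entry map). If the firewall default-action templates never offer `accept` this is harmless, but if they do, setup_default_policy in this script would now silently install a RETURN rule where it previously had no mapping; worth confirming against the templates. A short comment at the import line, such as `# shared mappings now live in Vyatta::Zone; %policy_hash includes 'accept' => 'RETURN'`, would record that the merge was intentional.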
@@ -84,48 +71,6 @@ in $zone_name chain failed [$error]" if $error;
return;
}
-sub create_zone_chain {
- my ($zone_name, $localoutchain) = @_;
- my ($cmd, $error);
- my $zone_chain=Vyatta::Zone::get_zone_chain("exists",
- $zone_name, $localoutchain);
-
- # create zone chains in filter, ip6filter tables
- foreach my $tree (keys %cmd_hash) {
- $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .
- "-L $zone_chain >&/dev/null";
- $error = Vyatta::Zone::run_cmd($cmd);
- if ($error) {
- # chain does not exist, go ahead create it
- $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -N $zone_chain";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: create $zone_name chain with failed [$error]" if $error;
- }
- }
-
- return;
-}
-
-sub delete_zone_chain {
- my ($zone_name, $localoutchain) = @_;
- my ($cmd, $error);
- my $zone_chain=Vyatta::Zone::get_zone_chain("existsOrig",
- $zone_name, $localoutchain);
- # delete zone chains from filter, ip6filter tables
- foreach my $tree (keys %cmd_hash) {
- # flush all rules from zone chain
- $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -F $zone_chain";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: flush all rules in $zone_name chain failed [$error]" if $error;
-
- # delete zone chain
- $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -X $zone_chain";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: delete $zone_name chain failed [$error]" if $error;
- }
- return;
-}
-
sub insert_from_rule {
my ($zone_name, $from_zone, $interface, $ruleset_type, $ruleset,
$direction, $zone_chain) = @_;
@@ -460,12 +405,13 @@ $zone_chain chain failed [$error]" if $error;
sub add_zone {
my $zone_name = shift;
# perform firewall related actions for this zone
- my $error = create_zone_chain ($zone_name);
+ my $error = Vyatta::Zone::create_zone_chain("get_zone_chain", $zone_name);
return ($error, ) if $error;
if (defined(Vyatta::Zone::is_local_zone("exists", $zone_name))) {
# make local out chain as well
- $error = create_zone_chain ($zone_name, "localout");
+ $error = Vyatta::Zone::create_zone_chain ("get_zone_chain",
+ $zone_name, "localout");
return ($error, ) if $error;
# allow traffic sourced from and destined to localhost
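Review bot: `Vyatta::Zone::create_zone_chain ("get_zone_chain",` on the second new call puts a space between the function name and its argument list, while the first call in this hunk and all four calls in vyatta-zone-ips.pl do not; drop the space so the style is consistent, `$error = Vyatta::Zone::create_zone_chain("get_zone_chain",`. add_zone continues past the end of this hunk.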
@@ -541,11 +487,12 @@ sub add_zone {
sub delete_zone {
my $zone_name = shift;
# undo firewall related actions for this zone
- my $error = delete_zone_chain ($zone_name);
+ my $error = Vyatta::Zone::delete_zone_chain("get_zone_chain", $zone_name);
return ($error, ) if $error;
if (defined(Vyatta::Zone::is_local_zone("existsOrig", $zone_name))) {
# delete local out chain as well
- $error = delete_zone_chain ($zone_name, "localout");
+ $error = Vyatta::Zone::delete_zone_chain("get_zone_chain",
+ $zone_name, "localout");
return ($error, ) if $error;
}
return;