authorMohit Mehta <mohit@vyatta.com>2010-10-19 15:03:49 -0700
committerMohit Mehta <mohit@vyatta.com>2010-10-19 15:03:49 -0700
commit8a497269fa94e975fd202008003fc0e74a71d2bb (patch)
tree5f2a69fb3089e3ee666bb530217a33aa23a0eb50
parentcb7fabf43d60f122d5ed527d4bdfb3c40cbe6216 (diff)
downloadvyatta-zone-8a497269fa94e975fd202008003fc0e74a71d2bb.tar.gz
vyatta-zone-8a497269fa94e975fd202008003fc0e74a71d2bb.zip
add common functions to add/remove jump to localin and localout feature chains
-rwxr-xr-xlib/Vyatta/Zone.pm122
-rw-r--r--scripts/vyatta-zone-ips.pl84
-rwxr-xr-xscripts/vyatta-zone.pl84
3 files changed, 146 insertions, 144 deletions
diff --git a/lib/Vyatta/Zone.pm b/lib/Vyatta/Zone.pm
index 7f471b0..a4c9d64 100755
--- a/lib/Vyatta/Zone.pm
+++ b/lib/Vyatta/Zone.pm
@@ -368,16 +368,134 @@ sub delete_intf_from_zonechain {
$cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -D $feature_chain " .
"-o $interface -j $zone_chain";
$error = run_cmd($cmd);
- return "Error: call to delete jump rule for outgoing interface $interface
+ return "call to delete jump rule for outgoing interface $interface
to $zone_chain chain failed [$error]" if $error;
# delete rule to allow same zone to same zone traffic
$cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -D $zone_chain " .
"-i $interface -j RETURN";
$error = run_cmd($cmd);
- return "Error: call to delete interface $interface from zone-chain
+ return "call to delete interface $interface from zone-chain
$zone_chain with failed [$error]" if $error;
}
+
+ # success
+ return;
+}
+
+sub add_jump_to_localin_zonechain {
+ my ($zone_chain_func, $zone_name, $feature_chain) = @_;
+ my ($cmd, $error);
+ my $zone_chain=
+ $get_zone_chain_hash{$zone_chain_func}->("exists", $zone_name);
+
+ foreach my $tree (keys %cmd_hash) {
+
+ my $rule_cnt =
+ Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree},
+ $table_hash{$tree}, $feature_chain);
+ my $insert_at_rule_num=1;
+ if ( $rule_cnt > 1 ) {
+ $insert_at_rule_num=$rule_cnt;
+ }
+ my $result = rule_exists ($cmd_hash{$tree}, $table_hash{$tree},
+ $feature_chain, $zone_chain);
+
+ if ($result < 1) {
+ # insert rule to filter local traffic from interface per ruleset
+ $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -I " .
+ "$feature_chain $insert_at_rule_num -j $zone_chain";
+ $error = run_cmd($cmd);
+ return "call to add jump rule for local zone
+$zone_chain chain failed [$error]" if $error;
+ }
+ }
+
+ # success
+ return;
+}
+
+sub remove_jump_to_localin_zonechain {
+ my ($zone_chain_func, $zone_name, $feature_chain) = @_;
+ my ($cmd, $error);
+ my $zone_chain=
+ $get_zone_chain_hash{$zone_chain_func}->("existsOrig", $zone_name);
+
+ foreach my $tree (keys %cmd_hash) {
+
+ # delete rule to filter traffic destined for system
+ $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -D $feature_chain " .
+ "-j $zone_chain";
+ $error = run_cmd($cmd);
+ return "call to delete local zone
+$zone_chain chain failed [$error]" if $error;
+
+ }
+
+ # success
+ return;
+}
+
+sub add_jump_to_localout_zonechain {
+ my ($zone_chain_func, $zone_name, $feature_chain) = @_;
+ my ($cmd, $error);
+
+ my $zone_chain=$get_zone_chain_hash{$zone_chain_func}->("exists",
+ $zone_name, 'localout');
+ # add jump to local-zone-out chain
+ foreach my $tree (keys %cmd_hash) {
+ # if jump to localzoneout chain not inserted, then insert rule
+ my $rule_cnt =
+ Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree},
+ $table_hash{$tree}, $feature_chain);
+ my $insert_at_rule_num=1;
+ if ( $rule_cnt > 1 ) {
+ $insert_at_rule_num=$rule_cnt;
+ }
+ my $result = rule_exists ($cmd_hash{$tree}, $table_hash{$tree},
+ $feature_chain, $zone_chain);
+ if ($result < 1) {
+ my $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .
+ "-I $feature_chain $insert_at_rule_num -j $zone_chain";
+ $error = run_cmd($cmd);
+ return "call to add jump rule for local zone out
+$zone_chain chain failed [$error]" if $error;
+ }
+ }
+
+ # success
+ return;
+}
+
+sub remove_jump_to_localout_zonechain {
+ my ($zone_chain_func, $zone_name, $feature_chain) = @_;
+ my ($cmd, $error);
+
+ my $zone_chain=
+ $get_zone_chain_hash{$zone_chain_func}->("existsOrig",
+ $zone_name, 'localout');
+
+ # if only two rules then delete jump from OUTPUT chain in both
+ foreach my $tree (keys %cmd_hash) {
+ my $rule_cnt =
+ Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree},
+ $table_hash{$tree}, $zone_chain);
+ if ($rule_cnt > 2) {
+ # atleast one of [ip or ip6]tables has local-zone as a from zone
+ return;
+ }
+ }
+
+ foreach my $tree (keys %cmd_hash) {
+ $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .
+ "-D $feature_chain -j $zone_chain";
+ $error = run_cmd($cmd);
+ return "call to delete jump rule for local zone out
+$zone_chain chain failed [$error]" if $error;
+ }
+
+ # success
+ return;
}
1;
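Review bot: `remove_jump_to_localout_zonechain` keeps the callers' `$rule_cnt > 2` test but drops the comments that justified it (the deleted lines in both scripts said "only RETURN/drop rule & localhost allow rule"), so the shared helper now hinges on an unexplained constant; add above the first `foreach` a comment such as `# a localout chain with no from-zone rules holds only its two base rules (localhost allow plus the terminal rule); more than two in either tree means the local zone is still a from-zone, so keep the jump`. The two remove helpers also differ from their add counterparts in that they issue `-D` without first calling `rule_exists`, so a repeated undo, or a tree whose earlier insert failed, surfaces as an iptables error and aborts the loop before the other tree is handled rather than being a no-op; if idempotent teardown is wanted, `next if rule_exists($cmd_hash{$tree}, $table_hash{$tree}, $feature_chain, $zone_chain) > 0 ? 0 : 1;` is not right — use `next unless rule_exists($cmd_hash{$tree}, $table_hash{$tree}, $feature_chain, $zone_chain) > 0;` before the delete. All four helpers dereference `$get_zone_chain_hash{$zone_chain_func}` unchecked, so a misspelled function name from a caller dies with Perl's undefined-subroutine-reference error instead of the string-error convention the rest of the module uses; `return "unknown zone chain function $zone_chain_func" unless exists $get_zone_chain_hash{$zone_chain_func};` at the top of each keeps error handling uniform. Minor style: `add_jump_to_localout_zonechain` re-declares `my $cmd` inside the `if`, shadowing the outer `$cmd`, whereas `add_jump_to_localin_zonechain` reuses the outer variable.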
diff --git a/scripts/vyatta-zone-ips.pl b/scripts/vyatta-zone-ips.pl
index 03e95cd..760f82a 100644
--- a/scripts/vyatta-zone-ips.pl
+++ b/scripts/vyatta-zone-ips.pl
@@ -270,27 +270,10 @@ sub undo_ips_interface_zone {
sub do_ips_localzone {
my ($zone_name) = @_;
my ($cmd, $error);
- my $zone_chain=Vyatta::Zone::get_ips_zone_chain("exists", $zone_name);
- foreach my $tree (keys %cmd_hash) {
-
- my $rule_cnt = Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree},
- $table_hash{$tree}, "VYATTA_POST_FW_IN_HOOK");
- my $insert_at_rule_num=1;
- if ( $rule_cnt > 1 ) {
- $insert_at_rule_num=$rule_cnt;
- }
- my $result = Vyatta::Zone::rule_exists ($cmd_hash{$tree},
- $table_hash{$tree}, "VYATTA_POST_FW_IN_HOOK", $zone_chain);
- if ($result < 1) {
- # insert rule to filter local traffic from interface per ruleset
- $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -I " .
- "VYATTA_POST_FW_IN_HOOK $insert_at_rule_num -j $zone_chain";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: call to add jump rule for local zone
-$zone_chain chain failed [$error]" if $error;
- }
- }
+ $error = Vyatta::Zone::add_jump_to_localin_zonechain('get_ips_zone_chain',
+ $zone_name, 'VYATTA_POST_FW_IN_HOOK');
+ return "Error: $error" if $error;
# get all zones in which local zone is being used as a from zone
# filter traffic from local zone to those zones
@@ -318,17 +301,10 @@ $zone_chain chain failed [$error]" if $error;
sub undo_ips_localzone {
my ($zone_name) = @_;
my ($cmd, $error);
- my $zone_chain=Vyatta::Zone::get_ips_zone_chain("existsOrig", $zone_name);
- foreach my $tree (keys %cmd_hash) {
-
- # delete rule to filter traffic destined for system
- $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -D " .
- "VYATTA_POST_FW_IN_HOOK -j $zone_chain";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: call to delete local zone
-$zone_chain chain failed [$error]" if $error;
- }
+ $error = Vyatta::Zone::remove_jump_to_localin_zonechain('get_ips_zone_chain',
+ $zone_name, 'VYATTA_POST_FW_IN_HOOK');
+ return "Error: $error" if $error;
# get all zones in which local zone is being used as a from zone
# remove filter for traffic from local zone to those zones
@@ -515,27 +491,9 @@ sub add_fromzone_ips {
}
}
- my $zone_chain=Vyatta::Zone::get_ips_zone_chain("exists",
- $from_zone, 'localout');
- # add jump to local-zone-out chain in OUTPUT chains for [ip and ip6]tables
- foreach my $tree (keys %cmd_hash) {
- # if jump to localzoneout chain not inserted, then insert rule
- my $rule_cnt = Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree},
- $table_hash{$tree}, "VYATTA_POST_FW_OUT_HOOK");
- my $insert_at_rule_num=1;
- if ( $rule_cnt > 1 ) {
- $insert_at_rule_num=$rule_cnt;
- }
- my $result = Vyatta::Zone::rule_exists ($cmd_hash{$tree},
- $table_hash{$tree}, "VYATTA_POST_FW_OUT_HOOK", $zone_chain);
- if ($result < 1) {
- my $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .
- "-I VYATTA_POST_FW_OUT_HOOK $insert_at_rule_num -j $zone_chain";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: call to add jump rule for local zone out
-$zone_chain chain failed [$error]" if $error;
- }
- }
+ $error = Vyatta::Zone::add_jump_to_localout_zonechain(
+ 'get_ips_zone_chain', $from_zone, 'VYATTA_POST_FW_OUT_HOOK');
+ return "Error: $error" if $error;
} # end of else
@@ -568,28 +526,12 @@ sub delete_fromzone_ips {
}
}
- my $zone_chain=Vyatta::Zone::get_ips_zone_chain("existsOrig",
- $from_zone, 'localout');
- # if only RETURN rule & localhost allow rule in $zone_chain in both
- # [ip and ip6]tables then delete jump from OUTPUT chain in both
- foreach my $tree (keys %cmd_hash) {
- my $rule_cnt = Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree},
- $table_hash{$tree}, $zone_chain);
- if ($rule_cnt > 2) {
- # atleast one of [ip or ip6]tables has local-zone as a from zone
- return;
- }
- }
-
- foreach my $tree (keys %cmd_hash) {
- $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .
- "-D VYATTA_POST_FW_OUT_HOOK -j $zone_chain";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: call to delete jump rule for local zone out
-$zone_chain chain failed [$error]" if $error;
- }
+ $error = Vyatta::Zone::remove_jump_to_localout_zonechain(
+ 'get_ips_zone_chain', $from_zone, 'VYATTA_POST_FW_OUT_HOOK');
+ return "Error: $error" if $error;
} # end of else
+
return;
}
diff --git a/scripts/vyatta-zone.pl b/scripts/vyatta-zone.pl
index e86df2e..a04ca0b 100755
--- a/scripts/vyatta-zone.pl
+++ b/scripts/vyatta-zone.pl
@@ -276,27 +276,10 @@ sub undo_firewall_interface_zone {
sub do_firewall_localzone {
my ($zone_name) = @_;
my ($cmd, $error);
- my $zone_chain=Vyatta::Zone::get_zone_chain("exists", $zone_name);
- foreach my $tree (keys %cmd_hash) {
-
- my $rule_cnt = Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree},
- $table_hash{$tree}, "INPUT");
- my $insert_at_rule_num=1;
- if ( $rule_cnt > 1 ) {
- $insert_at_rule_num=$rule_cnt;
- }
- my $result = Vyatta::Zone::rule_exists ($cmd_hash{$tree},
- $table_hash{$tree}, "INPUT", $zone_chain);
- if ($result < 1) {
- # insert rule to filter local traffic from interface per ruleset
- $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -I INPUT " .
- "$insert_at_rule_num -j $zone_chain";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: call to add jump rule for local zone
-$zone_chain chain failed [$error]" if $error;
- }
- }
+ $error = Vyatta::Zone::add_jump_to_localin_zonechain('get_zone_chain',
+ $zone_name, 'INPUT');
+ return "Error: $error" if $error;
# get all zones in which local zone is being used as a from zone
# filter traffic from local zone to those zones
@@ -324,17 +307,10 @@ $zone_chain chain failed [$error]" if $error;
sub undo_firewall_localzone {
my ($zone_name) = @_;
my ($cmd, $error);
- my $zone_chain=Vyatta::Zone::get_zone_chain("existsOrig", $zone_name);
- foreach my $tree (keys %cmd_hash) {
-
- # delete rule to filter traffic destined for system
- $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -D INPUT " .
- "-j $zone_chain";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: call to delete local zone
-$zone_chain chain failed [$error]" if $error;
- }
+ $error = Vyatta::Zone::remove_jump_to_localin_zonechain('get_zone_chain',
+ $zone_name, 'INPUT');
+ return "Error: $error" if $error;
# get all zones in which local zone is being used as a from zone
# remove filter for traffic from local zone to those zones
@@ -518,27 +494,9 @@ sub add_fromzone_fw {
}
}
- my $zone_chain=Vyatta::Zone::get_zone_chain("exists",
- $from_zone, 'localout');
- # add jump to local-zone-out chain in OUTPUT chains for [ip and ip6]tables
- foreach my $tree (keys %cmd_hash) {
- # if jump to localzoneout chain not inserted, then insert rule
- my $rule_cnt = Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree},
- $table_hash{$tree}, "OUTPUT");
- my $insert_at_rule_num=1;
- if ( $rule_cnt > 1 ) {
- $insert_at_rule_num=$rule_cnt;
- }
- my $result = Vyatta::Zone::rule_exists ($cmd_hash{$tree},
- $table_hash{$tree}, "OUTPUT", $zone_chain);
- if ($result < 1) {
- my $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .
- "-I OUTPUT $insert_at_rule_num -j $zone_chain";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: call to add jump rule for local zone out
-$zone_chain chain failed [$error]" if $error;
- }
- }
+ $error = Vyatta::Zone::add_jump_to_localout_zonechain(
+ 'get_zone_chain', $from_zone, 'OUTPUT');
+ return "Error: $error" if $error;
} # end of else
@@ -570,29 +528,13 @@ sub delete_fromzone_fw {
return "Error: $error" if $error;
}
}
-
- my $zone_chain=Vyatta::Zone::get_zone_chain("existsOrig",
- $from_zone, 'localout');
- # if only drop rule & localhost allow rule in $zone_chain in both
- # [ip and ip6]tables then delete jump from OUTPUT chain in both
- foreach my $tree (keys %cmd_hash) {
- my $rule_cnt = Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree},
- $table_hash{$tree}, $zone_chain);
- if ($rule_cnt > 2) {
- # atleast one of [ip or ip6]tables has local-zone as a from zone
- return;
- }
- }
- foreach my $tree (keys %cmd_hash) {
- $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .
- "-D OUTPUT -j $zone_chain";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: call to delete jump rule for local zone out
-$zone_chain chain failed [$error]" if $error;
- }
+ $error = Vyatta::Zone::remove_jump_to_localout_zonechain(
+ 'get_zone_chain', $from_zone, 'OUTPUT');
+ return "Error: $error" if $error;
} # end of else
+
return;
}