author | John Southworth <john.southworth@vyatta.com> | 2012-06-13 10:11:21 -0700 |
---|---|---|
committer | John Southworth <john.southworth@vyatta.com> | 2012-06-13 10:11:21 -0700 |
commit | e6bd1a9a9a1c4bf0f6ac2ff5a6a2b38c8d8a0cec (patch) | |
tree | 69fd49324d5ac486969710fc5a94081799655502 | |
parent | 3d5657812eb1ec3d0aa7712be91b34b1b945a764 (diff) | |
Remove IPS from zone
-rw-r--r-- | Makefile.am | 1 | ||||
-rw-r--r-- | debian/control | 3 | ||||
-rwxr-xr-x | lib/Vyatta/Zone.pm | 37 | ||||
-rw-r--r-- | scripts/vyatta-show-zone.pl | 28 | ||||
-rw-r--r-- | scripts/vyatta-zone-ips.pl | 605 | ||||
-rw-r--r-- | templates-cfg/zone-policy/zone/node.def | 14 | ||||
-rw-r--r-- | templates-cfg/zone-policy/zone/node.tag/from/node.tag/content-inspection/.ipv6-enable/node.def | 46 | ||||
-rw-r--r-- | templates-cfg/zone-policy/zone/node.tag/from/node.tag/content-inspection/enable/node.def | 46 | ||||
-rw-r--r-- | templates-cfg/zone-policy/zone/node.tag/from/node.tag/content-inspection/node.def | 1 | ||||
-rw-r--r-- | templates-cfg/zone-policy/zone/node.tag/interface/node.def | 16 | ||||
-rw-r--r-- | templates-cfg/zone-policy/zone/node.tag/local-zone/node.def | 14 |
11 files changed, 9 insertions, 802 deletions
diff --git a/Makefile.am b/Makefile.am index 0744079..7aabc67 100644 --- a/Makefile.am +++ b/Makefile.am @@ -9,7 +9,6 @@ curver_DATA = cfg-version/zone-policy@1 bin_SCRIPTS = scripts/vyatta-show-zone.pl sbin_SCRIPTS = scripts/vyatta-zone.pl -sbin_SCRIPTS += scripts/vyatta-zone-ips.pl share_perl5_DATA = lib/Vyatta/Zone.pm diff --git a/debian/control b/debian/control index 95ca4b5..ec535f5 100644 --- a/debian/control +++ b/debian/control @@ -11,8 +11,7 @@ Architecture: all Depends: perl (>= 5.8.8), vyatta-bash | bash (>= 3.1), vyatta-cfg, - vyatta-cfg-firewall, - vyatta-idp-snort + vyatta-cfg-firewall Replaces: vyatta-cfg, vyatta-cfg-system Description: The vyatta-zone package diff --git a/lib/Vyatta/Zone.pm b/lib/Vyatta/Zone.pm index 763be7a..9ba19f6 100755 --- a/lib/Vyatta/Zone.pm +++ b/lib/Vyatta/Zone.pm @@ -50,7 +50,6 @@ our @EXPORT_OK = qw(%cmd_hash %table_hash %policy_hash); my %get_zone_chain_hash = ( get_zone_chain => \&get_zone_chain, - get_ips_zone_chain => \&get_ips_zone_chain, ); my $debug="false"; @@ -58,8 +57,7 @@ my $syslog="false"; my $logger = 'sudo logger -t zone.pm -p local0.warn --'; my %script_to_feature_hash = ( - 'vyatta-zone.pl' => 'ZONE-FW', - 'vyatta-zone-ips.pl' => 'ZONE-IPS'); + 'vyatta-zone.pl' => 'ZONE-FW'); sub run_cmd { my $cmd = shift; 
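Review bot: In the lib/Vyatta/Zone.pm hunk, `%get_zone_chain_hash` is left as a one-entry dispatch table once `get_ips_zone_chain` is dropped, so any caller that still passes the removed key (the deleted vyatta-zone-ips.pl did) gets undef from the lookup and, presumably, an unhelpful "Not a CODE reference" failure at the site that dereferences it, which lies outside this hunk. If the table is kept for future chain types, that lookup should fail with a clear message, along the lines of `my $chain_func = $get_zone_chain_hash{$name} or die "unknown zone chain function: $name";` (names constructed, adapt to the lookup site). The same consideration applies to the now one-entry `%script_to_feature_hash` just below it.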
@@ -121,25 +119,12 @@ sub is_local_zone { return $config->$value_func("zone-policy zone $zone_name local-zone"); } -sub is_ips_enabled { - my ($value_func, $zone_name, $from_zone, $ips_type) = @_; - $ips_type =~ s/name/enable/; - my $config = new Vyatta::Config; - return $config->$value_func("zone-policy zone $zone_name from $from_zone - content-inspection $ips_type") -} - sub get_zone_default_policy { my ($value_func, $zone_name) = @_; my $config = new Vyatta::Config; return $config->$value_func("zone-policy zone $zone_name default-action"); } -sub get_ips_zone_default_policy { - my ($value_func, $zone_name) = @_; - return 'accept'; -} - sub rule_exists { my ($command, $table, $chain_name, $target, $interface) = @_; my $cmd = @@ -159,12 +144,6 @@ sub get_zone_chain { return get_zone_chain_name($value_func, $zone, $localout, $chain_prefix); } -sub get_ips_zone_chain { - my ($value_func, $zone, $localout) = @_; - my $chain_prefix = "VZIPS_$zone"; # should be same length as zone_chain - return get_zone_chain_name($value_func, $zone, $localout, $chain_prefix); -} - sub get_zone_chain_name { my ($value_func, $zone, $localout, $chain_prefix) = @_; my $chain = $chain_prefix; @@ -248,18 +227,6 @@ sub validity_checks { "configured, cannot be defined under a zone"; return($returnstring, ); } - # make sure content-inspection is not applied to this interface - if ($config->exists("content-inspection in enable") || - $config->exists("content-inspection out enable") || - $config->exists("content-inspection local enable") || - $config->exists("content-inspection in ipv6-enable") || - $config->exists("content-inspection out ipv6-enable") || - $config->exists("content-inspection local ipv6-enable")) { - $returnstring = - "interface $interface has content-inspection " . - "configured, cannot be defined under a zone"; - return($returnstring, ); - } } # make sure an interface is not defined under two zones if (scalar(grep(/^$interface$/, @all_interfaces)) > 0) { 
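Review bot: Dropping the content-inspection block from `validity_checks` together with `is_ips_enabled` and `get_ips_zone_chain` leaves no handling for configurations that already contain `zone-policy zone <z> from <z2> content-inspection enable`: the template nodes are deleted in this commit while `curver_DATA = cfg-version/zone-policy@1` in Makefile.am is unchanged, so such a saved configuration would presumably be rejected on load after upgrade rather than migrated. Consider bumping the zone-policy cfg-version and adding a migration script that strips the removed nodes, or at least recording the manual step in the package changelog. Likewise, the `VZIPS_<zone>` chains that the removed code created on a running system are not cleaned up by anything in this commit and would presumably persist until the firewall is reloaded; a one-off cleanup in the package postinst or a note for operators would close that gap. `validity_checks` continues past the end of this hunk.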
@@ -509,8 +476,6 @@ sub get_zone_hash { get_firewall_ruleset("returnOrigValue", $zone, $from_zone, "name"); $zone_hash->{$zone}{'from'}->{$from_zone}{'firewall'}->{'ipv6'} = get_firewall_ruleset("returnOrigValue", $zone, $from_zone, "ipv6-name"); - $zone_hash->{$zone}{'from'}->{$from_zone}{'content-inspection'} = - is_ips_enabled("returnOrigValue", $zone, $from_zone, "enable"); } if (is_local_zone("existsOrig", $zone)){ $zone_hash->{$zone}{'interfaces'} = ['local-zone']; diff --git a/scripts/vyatta-show-zone.pl b/scripts/vyatta-show-zone.pl index 501e278..d151819 100644 --- a/scripts/vyatta-show-zone.pl +++ b/scripts/vyatta-show-zone.pl @@ -6,7 +6,7 @@ my $zone_in; GetOptions("zone=s" => \$zone_in); my $zone_hash = Vyatta::Zone::get_zone_hash(); -my $format = " %-20s%-35s%s\n"; +my $format = " %-40s%-40s\n"; for my $zone (sort(keys %{$zone_hash})) { if (defined $zone_in){ next unless $zone eq $zone_in; 
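Review bot: In the scripts/vyatta-show-zone.pl hunk, the new `my $format = " %-40s%-40s\n";` pads the final column to 40 characters, so every line printed through it ends in trailing blanks now that nothing follows the firewall column; `my $format = " %-40s%s\n";` gives the same alignment without the trailing whitespace. The Zone.pm hunk on the same line, which stops populating the `content-inspection` key in `get_zone_hash`, needs nothing further since its only visible consumer is updated in the next hunk.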
@@ -19,37 +19,23 @@ for my $zone (sort(keys %{$zone_hash})) { print "Interfaces: @{$zone_hash->{$zone}{'interfaces'}}\n"; print "\n"; print "From Zone:\n"; - printf($format, "name", "firewall", "content-inspection"); - printf($format, "----", "--------", "------------------"); + printf($format, "name", "firewall"); + printf($format, "----", "--------"); for my $from_zone (sort(keys(%{$zone_hash->{$zone}{'from'}}))){ my ($firewall, $ipv6_firewall, $ci); $firewall = $zone_hash->{$zone}{'from'}->{$from_zone}{'firewall'}->{'ipv4'} if (defined($zone_hash->{$zone}{'from'}->{$from_zone}{'firewall'}->{'ipv4'})); $ipv6_firewall = $zone_hash->{$zone}{'from'}->{$from_zone}{'firewall'}->{'ipv6'} if (defined($zone_hash->{$zone}{'from'}->{$from_zone}{'firewall'}->{'ipv6'})); - $ci = $zone_hash->{$zone}{'from'}->{$from_zone}{'content-inspection'} - if (defined($zone_hash->{$zone}{'from'}->{$from_zone}{'content-inspection'})); if (defined($firewall)){ - if (defined($ci)) { - printf($format, "$from_zone", "$firewall", "$ci"); - } else { - printf($format, "$from_zone", "$firewall", "disabled"); - } + printf($format, "$from_zone", "$firewall"); if (defined($ipv6_firewall)){ - printf($format, "", "$ipv6_firewall [v6]", ""); + printf($format, "", "$ipv6_firewall [v6]"); } } elsif (defined($ipv6_firewall)){ - if (defined($ci)) { - printf($format, "$from_zone", "$ipv6_firewall [v6]", "$ci"); - } else { - printf($format, "$from_zone", "$ipv6_firewall [v6]", "disabled"); - } + printf($format, "$from_zone", "$ipv6_firewall [v6]"); } else { - if (defined($ci)) { - printf($format, "$from_zone", "-", "$ci"); - } else { - printf($format, "$from_zone", "-", "disabled"); - } + printf($format, "$from_zone", "-"); } } print "\n"; diff --git a/scripts/vyatta-zone-ips.pl b/scripts/vyatta-zone-ips.pl deleted file mode 100644 index 90d3c0a..0000000 --- a/scripts/vyatta-zone-ips.pl +++ /dev/null 
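Review bot: `my ($firewall, $ipv6_firewall, $ci);` still declares `$ci` although every assignment to it and every `defined($ci)` test are removed in this hunk, leaving a dead variable that `use warnings` will not flag; change it to `my ($firewall, $ipv6_firewall);`. The surviving `printf($format, "$from_zone", "$firewall")` calls quote plain scalars needlessly and `printf($format, $from_zone, $firewall)` is equivalent, but that is pre-existing style and optional. The `for my $zone` loop enclosing this code begins before the hunk.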
@@ -1,605 +0,0 @@ -#!/usr/bin/perl -# -# Module: vyatta-zone-ips.pl -# -# **** License **** -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# This code was originally developed by Vyatta, Inc. -# Portions created by Vyatta are Copyright (C) 2010 Vyatta, Inc. -# All Rights Reserved. -# -# Author: Mohit Mehta -# Date: October 2010 -# Description: Script for Zone Based IPS -# -# **** End License **** -# - -use Getopt::Long; -use POSIX; - -use lib "/opt/vyatta/share/perl5"; -use Vyatta::IpTables::Mgr; -use Vyatta::Zone qw(%cmd_hash %table_hash %policy_hash); - -use warnings; -use strict; - -sub setup_default_policy { - my ($zone_name, $default_policy, $localoutchain) = @_; - my ($cmd, $error); - my $zone_chain=Vyatta::Zone::get_ips_zone_chain("exists", - $zone_name, $localoutchain); - - # add default policy for zone chains in filter, ip6filter tables - foreach my $tree (keys %cmd_hash) { - - # set default policy for zone chain - $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -A " . - "$zone_chain -j $policy_hash{$default_policy}"; - $error = Vyatta::Zone::run_cmd("$cmd"); - return "Error: set default policy $zone_chain failed [$error]" if $error; - - my $rule_cnt = Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree}, - $table_hash{$tree}, $zone_chain); - - # If there's a return all rule at rule_cnt - 1 then remove that. 
- # In IPS zone chain a return all target can only be for default policy - if ($rule_cnt > 1) { - my $intf = '$6'; - $intf = '$7' if defined $localoutchain; - # set IPv6 params if using ip6tables - if ($cmd_hash{$tree} =~ '6') { - $intf = '$5'; - $intf = '$6' if defined $localoutchain; - } - my $penultimate_rule_num=$rule_cnt-1; - $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " . - "-L $zone_chain $penultimate_rule_num -v " . - "| awk {'print \$3\" \"$intf'}"; - my $target=`$cmd`; - chomp $target; - if (defined $target && ($target eq 'RETURN any')) { - $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -D " . - "$zone_chain $penultimate_rule_num"; - $error = Vyatta::Zone::run_cmd("$cmd"); - return "Error: delete rule $penultimate_rule_num with $target -in $zone_name chain failed [$error]" if $error; - } - } - } - return; -} - -sub insert_from_rule { - my ($zone_name, $from_zone, $interface, $ruleset_type, $ruleset, - $direction, $zone_chain) = @_; - my ($cmd, $error); - my $ruleset_name; - - if (defined $ruleset) { # called from node.def - $ruleset_name=$ruleset; - } else { # called from do_ips_interface_zone() - $ruleset_name = 'VYATTA_SNORT_all_HOOK' if defined - Vyatta::Zone::is_ips_enabled("exists", - $zone_name, $from_zone, $ruleset_type); - } - - if (defined $ruleset_name) { - # get number of rules in ruleset_name - my $rule_cnt = Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$ruleset_type}, - $table_hash{$ruleset_type}, "$zone_chain"); - # append rule before last RETURN all rule - my $insert_at_rule_num=1; - if ( $rule_cnt > 1 ) { - $insert_at_rule_num=$rule_cnt; - } - my $result = Vyatta::Zone::rule_exists ($cmd_hash{$ruleset_type}, - $table_hash{$ruleset_type}, "$zone_chain", $ruleset_name, $interface); - if ($result < 1) { - # append rule before RETURN rule to jump to ruleset for in\out interface - $cmd = "sudo $cmd_hash{$ruleset_type} -t $table_hash{$ruleset_type} " . 
-"-I $zone_chain $insert_at_rule_num $direction $interface -j $ruleset_name"; - $error = Vyatta::Zone::run_cmd($cmd); - return "Error: insert rule for $direction $interface into zone-chain -$zone_chain with target $ruleset_name failed [$error]" if $error; - - } - } - - return; -} - - -sub add_fromzone_intf_ruleset { - my ($zone_name, $from_zone, $interface, $ruleset_type, $ruleset) = @_; - my $zone_chain=Vyatta::Zone::get_ips_zone_chain("exists", $zone_name); - my $error = insert_from_rule ($zone_name, $from_zone, $interface, - $ruleset_type, $ruleset, '-i', $zone_chain); - return ($error, ) if $error; - return; -} - -sub add_fromlocalzone_ruleset { - my ($zone_name, $from_zone, $interface, $ruleset_type, $ruleset) = @_; - my $zone_chain=Vyatta::Zone::get_ips_zone_chain("exists", $from_zone, "localout"); - - my $error = insert_from_rule ($zone_name, $from_zone, $interface, - $ruleset_type, $ruleset, '-o', $zone_chain); - return ($error, ) if $error; - - return; -} - -sub delete_from_rule { - - my ($zone_name, $from_zone, $interface, $ruleset_type, $ruleset, - $direction, $zone_chain) = @_; - my ($cmd, $error); - my $ruleset_name; - - if (defined $ruleset) { # called from node.def - $ruleset_name=$ruleset; - } else { # called from undo_ips_interface_zone() - $ruleset_name = 'VYATTA_SNORT_all_HOOK' if defined - Vyatta::Zone::is_ips_enabled("existsOrig", - $zone_name, $from_zone, $ruleset_type); - } - - if (defined $ruleset_name) { - # delete rule to jump to ruleset for in|out interface in zone chain - $cmd = "sudo $cmd_hash{$ruleset_type} -t $table_hash{$ruleset_type} " . 
- "-D $zone_chain $direction $interface -j $ruleset_name"; - $error = Vyatta::Zone::run_cmd($cmd); - return "Error: call to delete rule for $direction $interface -in zone chain $zone_chain with target $ruleset_name failed [$error]" if $error; - } - - return; -} - -sub delete_fromzone_intf_ruleset { - my ($zone_name, $from_zone, $interface, $ruleset_type, $ruleset) = @_; - my $zone_chain=Vyatta::Zone::get_ips_zone_chain("existsOrig", $zone_name); - my $error = delete_from_rule ($zone_name, $from_zone, $interface, - $ruleset_type, $ruleset, '-i', $zone_chain); - return ($error, ) if $error; - return; -} - -sub delete_fromlocalzone_ruleset { - my ($zone_name, $from_zone, $interface, $ruleset_type, $ruleset) = @_; - my $zone_chain=Vyatta::Zone::get_ips_zone_chain("existsOrig", - $from_zone, "localout"); - - my ($cmd, $error); - $error = delete_from_rule ($zone_name, $from_zone, $interface, - $ruleset_type, $ruleset, '-o', $zone_chain); - return ($error, ) if $error; - - return; -} - -sub do_ips_interface_zone { - my ($zone_name, $interface) = @_; - my ($cmd, $error); - $error = Vyatta::Zone::add_intf_to_zonechain('get_ips_zone_chain', - $zone_name, $interface, 'VYATTA_POST_FW_FWD_HOOK'); - return "Error: $error" if $error; - - # get all zones in which this zone is being used as a from zone - # then in chains for those zones, add rules for this incoming interface - my @all_zones = Vyatta::Zone::get_all_zones("listNodes"); - foreach my $zone (@all_zones) { - if (!($zone eq $zone_name)) { - my @from_zones = Vyatta::Zone::get_from_zones("listEffectiveNodes", - $zone); - if (scalar(grep(/^$zone_name$/, @from_zones)) > 0) { - foreach my $tree (keys %cmd_hash) { - # call function to append rules to $zone's chain - $error = add_fromzone_intf_ruleset($zone, $zone_name, - $interface, $tree); - return "Error: $error" if $error; - } - } - } - } - - # if this zone has a local from zone, add interface to local zone out chain - my @my_from_zones = 
Vyatta::Zone::get_from_zones("listEffectiveNodes", - $zone_name); - foreach my $fromzone (@my_from_zones) { - if (defined(Vyatta::Zone::is_local_zone("exists", $fromzone))) { - foreach my $tree (keys %cmd_hash) { - $error = add_fromlocalzone_ruleset($zone_name, $fromzone, - $interface, $tree); - return "Error: $error" if $error; - } - } - } - - return; -} - -sub undo_ips_interface_zone { - my ($zone_name, $interface) = @_; - my ($cmd, $error); - $error = Vyatta::Zone::delete_intf_from_zonechain('get_ips_zone_chain', - $zone_name, $interface, 'VYATTA_POST_FW_FWD_HOOK'); - return "Error: $error" if $error; - - # delete rules for this intf where this zone is being used as a from zone - my @all_zones = Vyatta::Zone::get_all_zones("listOrigNodes"); - foreach my $zone (@all_zones) { - if (!($zone eq $zone_name)) { - my @from_zones = Vyatta::Zone::get_from_zones("listEffectiveNodes", - $zone); - if (scalar(grep(/^$zone_name$/, @from_zones)) > 0) { - foreach my $tree (keys %cmd_hash) { - # call function to delete rules from $zone's chain - $error = delete_fromzone_intf_ruleset($zone, $zone_name, - $interface, $tree); - return "Error: $error" if $error; - } - } - } - } - - # if you have local from zone, delete interface to local zone out chain - my @my_from_zones = Vyatta::Zone::get_from_zones("listEffectiveNodes", - $zone_name); - foreach my $fromzone (@my_from_zones) { - if (defined(Vyatta::Zone::is_local_zone("existsOrig", $fromzone))) { - foreach my $tree (keys %cmd_hash) { - $error = delete_fromlocalzone_ruleset($zone_name, $fromzone, - $interface, $tree); - return "Error: $error" if $error; - } - } - } - - return; -} - -sub do_ips_localzone { - my ($zone_name) = @_; - my ($cmd, $error); - - $error = Vyatta::Zone::add_jump_to_localin_zonechain('get_ips_zone_chain', - $zone_name, 'VYATTA_POST_FW_IN_HOOK'); - return "Error: $error" if $error; - - # get all zones in which local zone is being used as a from zone - # filter traffic from local zone to those zones - my 
@all_zones = Vyatta::Zone::get_all_zones("listNodes"); - foreach my $zone (@all_zones) { - if (!($zone eq $zone_name)) { - my @from_zones = Vyatta::Zone::get_from_zones("listEffectiveNodes", - $zone); - if (scalar(grep(/^$zone_name$/, @from_zones)) > 0) { - foreach my $tree (keys %cmd_hash) { - my @zone_interfaces = - Vyatta::Zone::get_zone_interfaces("returnValues", $zone); - foreach my $intf (@zone_interfaces) { - $error = add_fromlocalzone_ruleset($zone, $zone_name, - $intf, $tree); - return "Error: $error" if $error; - } - } - } - } - } - return; -} - -sub undo_ips_localzone { - my ($zone_name) = @_; - my ($cmd, $error); - - $error = Vyatta::Zone::remove_jump_to_localin_zonechain('get_ips_zone_chain', - $zone_name, 'VYATTA_POST_FW_IN_HOOK'); - return "Error: $error" if $error; - - # get all zones in which local zone is being used as a from zone - # remove filter for traffic from local zone to those zones - my @all_zones = Vyatta::Zone::get_all_zones("listOrigNodes"); - foreach my $zone (@all_zones) { - if (!($zone eq $zone_name)) { - my @from_zones = Vyatta::Zone::get_from_zones("listEffectiveNodes", - $zone); - if (scalar(grep(/^$zone_name$/, @from_zones)) > 0) { - foreach my $tree (keys %cmd_hash) { - my @zone_interfaces = - Vyatta::Zone::get_zone_interfaces("returnOrigValues", $zone); - foreach my $intf (@zone_interfaces) { - $error = delete_fromlocalzone_ruleset($zone, $zone_name, - $intf, $tree); - return "Error: $error" if $error; - } - } - } - } - } - return; -} - -sub add_zone { - my $zone_name = shift; - # perform IPS related actions for this zone - my $error = Vyatta::Zone::create_zone_chain("get_ips_zone_chain", - $zone_name); - return ("Error: $error", ) if $error; - - if (defined(Vyatta::Zone::is_local_zone("exists", $zone_name))) { - # make local out chain as well - $error = Vyatta::Zone::create_zone_chain("get_ips_zone_chain", - $zone_name, "localout"); - return ("Error: $error", ) if $error; - - # allow traffic sourced from and destined to 
localhost - my $cmd; - my @localchains=(); - $localchains[0] = Vyatta::Zone::get_ips_zone_chain("exists", $zone_name); - $localchains[1] = Vyatta::Zone::get_ips_zone_chain("exists", $zone_name, - 'localout'); - - foreach my $tree (keys %cmd_hash) { - foreach my $chain (@localchains) { - my $loopback_intf = ''; - if ($chain =~ m/_IN/) { - - # if the chain is INPUT chain - $loopback_intf = '$6'; - - # set IPv6 params if using ip6tables - if ($cmd_hash{$tree} =~ '6') { - $loopback_intf = '$5'; - } - - } else { - - # if the chain is OUTPUT chain - $loopback_intf = '$7'; - - # set IPv6 params if using ip6tables - if ($cmd_hash{$tree} =~ '6') { - $loopback_intf = '$6'; - } - - } - - $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -L $chain 1 -vn " . - "| awk {'print \$3 \" \" $loopback_intf'} ". - "| grep 'RETURN lo\$' | wc -l"; - - my $result=`$cmd`; - if ($result < 1) { - - $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -I $chain "; - - if ($chain =~ m/_IN/) { - - # rule for INPUT chain - $cmd .= "-i lo -j RETURN"; - - } else { - - # rule for OUTPUT chain - $cmd .= "-o lo -j RETURN"; - - } - - $error = Vyatta::Zone::run_cmd($cmd); - return "Error: adding rule to allow localhost traffic failed [$error]" if $error; - - } - } - } - - } - - # set default policy - my $default_policy = Vyatta::Zone::get_ips_zone_default_policy("returnValue", - $zone_name); - $error = set_default_policy($zone_name, $default_policy); - return $error if $error; - - return; -} - -sub delete_zone { - my $zone_name = shift; - # undo IPS related actions for this zone - my $error = Vyatta::Zone::delete_zone_chain("get_ips_zone_chain", - $zone_name); - return ("Error: $error", ) if $error; - if (defined(Vyatta::Zone::is_local_zone("existsOrig", $zone_name))) { - # delete local out chain as well - $error = Vyatta::Zone::delete_zone_chain("get_ips_zone_chain", - $zone_name, "localout"); - return ("Error: $error", ) if $error; - } - return; -} - -sub add_localzone { - my ($zone_name) = @_; - my 
$error; - # do IPS related stuff - $error = do_ips_localzone ($zone_name); - return ($error, ) if $error; - return; -} - -sub delete_localzone { - my ($zone_name) = @_; - my $error; - # undo IPS related stuff - $error = undo_ips_localzone ($zone_name); - return ($error, ) if $error; - return; -} - -sub add_zone_interface { - my ($zone_name, $interface) = @_; - return("Error: undefined interface", ) if ! defined $interface; - my $error; - # do IPS related stuff - $error = do_ips_interface_zone ($zone_name, $interface); - return ($error, ) if $error; - return; -} - -sub delete_zone_interface { - my ($zone_name, $interface) = @_; - return("Error: undefined interface", ) if ! defined $interface; - # undo IPS related stuff - my $error = undo_ips_interface_zone ($zone_name, $interface); - return ($error, ) if $error; - return; -} - -sub add_fromzone_ips { - my ($zone, $from_zone, $ruleset_type, $ruleset_name) = @_; - my ($cmd, $error); - - # for all interfaces in from zone apply ruleset to filter traffic - # from this zone to specified zone (i.e. 
$zone) - my @from_zone_interfaces = - Vyatta::Zone::get_zone_interfaces("returnValues", $from_zone); - if (scalar(@from_zone_interfaces) > 0) { - foreach my $intf (@from_zone_interfaces) { - $error = add_fromzone_intf_ruleset($zone, $from_zone, $intf, - $ruleset_type, $ruleset_name); - return "Error: $error" if $error; - } - } else { - if (defined(Vyatta::Zone::is_local_zone("exists", $from_zone))) { - # local from zone - my @zone_interfaces = - Vyatta::Zone::get_zone_interfaces("returnValues", $zone); - foreach my $intf (@zone_interfaces) { - $error = add_fromlocalzone_ruleset($zone, $from_zone, $intf, - $ruleset_type, $ruleset_name); - return "Error: $error" if $error; - } - } - - $error = Vyatta::Zone::add_jump_to_localout_zonechain( - 'get_ips_zone_chain', $from_zone, 'VYATTA_POST_FW_OUT_HOOK'); - return "Error: $error" if $error; - - } # end of else - - return; -} - -sub delete_fromzone_ips { - my ($zone, $from_zone, $ruleset_type, $ruleset_name) = @_; - my ($cmd, $error); - - # for all interfaces in from zone remove ruleset to filter traffic - # from this zone to specified zone (i.e. 
$zone) - my @from_zone_interfaces = - Vyatta::Zone::get_zone_interfaces("returnOrigValues", $from_zone); - if (scalar(@from_zone_interfaces) > 0) { - foreach my $intf (@from_zone_interfaces) { - $error = delete_fromzone_intf_ruleset($zone, $from_zone, $intf, - $ruleset_type, $ruleset_name); - return "Error: $error" if $error; - } - } else { - if (defined(Vyatta::Zone::is_local_zone("existsOrig", $from_zone))) { - # local from zone - my @zone_interfaces = - Vyatta::Zone::get_zone_interfaces("returnOrigValues", $zone); - foreach my $intf (@zone_interfaces) { - $error = delete_fromlocalzone_ruleset($zone, $from_zone, $intf, - $ruleset_type, $ruleset_name); - return "Error: $error" if $error; - } - } - - $error = Vyatta::Zone::remove_jump_to_localout_zonechain( - 'get_ips_zone_chain', $from_zone, 'VYATTA_POST_FW_OUT_HOOK'); - return "Error: $error" if $error; - - } # end of else - - return; -} - -sub set_default_policy { - my ($zone, $default_policy) = @_; - # setup default policy for zone - my $error = setup_default_policy ($zone, $default_policy); - return ($error, ) if $error; - if (defined(Vyatta::Zone::is_local_zone("exists", $zone))) { - # set default policy for local out chain as well - $error = setup_default_policy ($zone, $default_policy, "localout"); - return ($error, ) if $error; - } - return; -} - -# -# main -# - -my ($action, $zone_name, $interface, $from_zone, $ruleset_type, $ruleset_name); - -GetOptions("action=s" => \$action, - "zone-name=s" => \$zone_name, - "interface=s" => \$interface, - "from-zone=s" => \$from_zone, - "ruleset-type=s" => \$ruleset_type, - "ruleset-name=s" => \$ruleset_name, -); - -die "undefined action" if ! defined $action; -die "undefined zone" if ! 
defined $zone_name; - -my ($error, $warning); - -($error, $warning) = add_zone($zone_name) if $action eq 'add-zone'; - -($error, $warning) = delete_zone($zone_name) if $action eq 'delete-zone'; - -($error, $warning) = add_zone_interface($zone_name, $interface) - if $action eq 'add-zone-interface'; - -($error, $warning) = delete_zone_interface($zone_name, $interface) - if $action eq 'delete-zone-interface'; - -($error, $warning) = add_fromzone_ips($zone_name, $from_zone, $ruleset_type, - $ruleset_name) if $action eq 'add-fromzone-ips'; - -($error, $warning) = delete_fromzone_ips($zone_name, $from_zone, $ruleset_type, - $ruleset_name) if $action eq 'delete-fromzone-ips'; - -($error, $warning) = add_localzone($zone_name) - if $action eq 'add-localzone'; - -($error, $warning) = delete_localzone($zone_name) - if $action eq 'delete-localzone'; - -if (defined $warning) { - print "$warning\n"; -} - -if (defined $error) { - print "$error\n"; - exit 1; -} - -exit 0; - -# end of file diff --git a/templates-cfg/zone-policy/zone/node.def b/templates-cfg/zone-policy/zone/node.def index 4845c2f..1d10bb4 100644 --- a/templates-cfg/zone-policy/zone/node.def +++ b/templates-cfg/zone-policy/zone/node.def @@ -17,13 +17,6 @@ create: exit 1 fi - # ips zone actions - if ! /opt/vyatta/sbin/vyatta-zone-ips.pl \ - --action=add-zone \ - --zone-name="$VAR(@)"; then - exit 1 - fi - delete: # fw zone actions if ! /opt/vyatta/sbin/vyatta-zone.pl \ @@ -31,10 +24,3 @@ delete: --zone-name="$VAR(@)"; then exit 1 fi - - # ips zone actions - if ! /opt/vyatta/sbin/vyatta-zone-ips.pl \ - --action=delete-zone \ - --zone-name="$VAR(@)"; then - exit 1 - fi diff --git a/templates-cfg/zone-policy/zone/node.tag/from/node.tag/content-inspection/.ipv6-enable/node.def b/templates-cfg/zone-policy/zone/node.tag/from/node.tag/content-inspection/.ipv6-enable/node.def deleted file mode 100644 index 87a2ea1..0000000 
--- a/templates-cfg/zone-policy/zone/node.tag/from/node.tag/content-inspection/.ipv6-enable/node.def +++ /dev/null @@ -1,46 +0,0 @@ -help: Option to enable IPv6 content-inspection - -# check if traffic-filter is set -commit:expression: -exec " -if cli-shell-api existsEffective \ -content-inspection traffic-filter ipv6-preset; then \ - exit 0; \ -fi; \ -if cli-shell-api existsEffective \ -content-inspection traffic-filter ipv6-custom; then \ - exit 0; \ -fi; \ -echo IPv6 content-inspection traffic-filter not set; \ -exit 1" - -# make sure inspect-all is not enabled -commit:expression: -exec " -if ! cli-shell-api existsEffective \ -content-inspection inspect-all ipv6-enable; then \ - exit 0; \ -fi; \ -echo IPv6 content-inspection enabled for all traffic. Not \ -allowed to configure inspection on a per-zone basis.; \ -exit 1" - -create: - if ! /opt/vyatta/sbin/vyatta-zone-ips.pl \ - --action=add-fromzone-ips \ - --zone-name="$VAR(../../../@)" \ - --from-zone="$VAR(../../@)" \ - --ruleset-type=ipv6-name \ - --ruleset-name=VYATTA_SNORT_all_HOOK; then - exit 1 - fi - -delete: - if ! /opt/vyatta/sbin/vyatta-zone-ips.pl \ - --action=delete-fromzone-ips \ - --zone-name="$VAR(../../../@)" \ - --from-zone="$VAR(../../@)" \ - --ruleset-type=ipv6-name \ - --ruleset-name=VYATTA_SNORT_all_HOOK; then - exit 1 - fi diff --git a/templates-cfg/zone-policy/zone/node.tag/from/node.tag/content-inspection/enable/node.def b/templates-cfg/zone-policy/zone/node.tag/from/node.tag/content-inspection/enable/node.def deleted file mode 100644 index 484780a..0000000 --- a/templates-cfg/zone-policy/zone/node.tag/from/node.tag/content-inspection/enable/node.def +++ /dev/null 
@@ -1,46 +0,0 @@ -help: Option to enable IPv4 content-inspection - -# check if traffic-filter is set -commit:expression: -exec " -if cli-shell-api existsEffective \ -content-inspection traffic-filter preset; then \ - exit 0; \ -fi; \ -if cli-shell-api existsEffective \ -content-inspection traffic-filter custom; then \ - exit 0; \ -fi; \ -echo IPv4 content-inspection traffic-filter not set; \ -exit 1" - -# make sure inspect-all is not enabled -commit:expression: -exec " -if ! cli-shell-api existsEffective \ -content-inspection inspect-all enable; then \ - exit 0; \ -fi; \ -echo IPv4 content-inspection enabled for all traffic. Not \ -allowed to configure inspection on a per-zone basis.; \ -exit 1" - -create: - if ! /opt/vyatta/sbin/vyatta-zone-ips.pl \ - --action=add-fromzone-ips \ - --zone-name="$VAR(../../../@)" \ - --from-zone="$VAR(../../@)" \ - --ruleset-type=name \ - --ruleset-name=VYATTA_SNORT_all_HOOK; then - exit 1 - fi - -delete: - if ! /opt/vyatta/sbin/vyatta-zone-ips.pl \ - --action=delete-fromzone-ips \ - --zone-name="$VAR(../../../@)" \ - --from-zone="$VAR(../../@)" \ - --ruleset-type=name \ - --ruleset-name=VYATTA_SNORT_all_HOOK; then - exit 1 - fi diff --git a/templates-cfg/zone-policy/zone/node.tag/from/node.tag/content-inspection/node.def b/templates-cfg/zone-policy/zone/node.tag/from/node.tag/content-inspection/node.def deleted file mode 100644 index 9ba25ef..0000000 --- a/templates-cfg/zone-policy/zone/node.tag/from/node.tag/content-inspection/node.def +++ /dev/null @@ -1 +0,0 @@ -help: Content-inspection options diff --git a/templates-cfg/zone-policy/zone/node.tag/interface/node.def b/templates-cfg/zone-policy/zone/node.tag/interface/node.def index c9137c4..ab16aa5 100644 --- a/templates-cfg/zone-policy/zone/node.tag/interface/node.def +++ b/templates-cfg/zone-policy/zone/node.tag/interface/node.def 
@@ -16,14 +16,6 @@ create: exit 1 fi - # ips zone actions - if ! /opt/vyatta/sbin/vyatta-zone-ips.pl \ - --action=add-zone-interface \ - --zone-name="$VAR(../@)" \ - --interface="$VAR(@)"; then - exit 1 - fi - delete: # fw zone actions if ! /opt/vyatta/sbin/vyatta-zone.pl \ @@ -32,11 +24,3 @@ delete: --interface="$VAR(@)"; then exit 1 fi - - # ips zone actions - if ! /opt/vyatta/sbin/vyatta-zone-ips.pl \ - --action=delete-zone-interface \ - --zone-name="$VAR(../@)" \ - --interface="$VAR(@)"; then - exit 1 - fi diff --git a/templates-cfg/zone-policy/zone/node.tag/local-zone/node.def b/templates-cfg/zone-policy/zone/node.tag/local-zone/node.def index 07c3d55..22be69b 100644 --- a/templates-cfg/zone-policy/zone/node.tag/local-zone/node.def +++ b/templates-cfg/zone-policy/zone/node.tag/local-zone/node.def @@ -8,13 +8,6 @@ create: exit 1 fi - # ips zone actions - if ! /opt/vyatta/sbin/vyatta-zone-ips.pl \ - --action=add-localzone \ - --zone-name="$VAR(../@)"; then - exit 1 - fi - delete: # fw zone actions if ! /opt/vyatta/sbin/vyatta-zone.pl \ @@ -22,10 +15,3 @@ delete: --zone-name="$VAR(../@)"; then exit 1 fi - - # ips zone actions - if ! /opt/vyatta/sbin/vyatta-zone-ips.pl \ - --action=delete-localzone \ - --zone-name="$VAR(../@)"; then - exit 1 - fi |