authorMohit Mehta <mohit@vyatta.com>2011-06-16 12:46:06 -0700
committerMohit Mehta <mohit@vyatta.com>2011-06-16 12:46:06 -0700
commitdfa0b5ee3b2578ddc62b19c00b7be1711b89f47e (patch)
treef00f09d39f67f9c7efc480f4ba02b0ca940037fe
parentb669522658191e14f134fe922b21315d7854c043 (diff)
Bug 7154 Priority inversion error when deleting zone policy
* Inverted Zone priorities to comply with the new commit implementation. Previously, Zone priorities were: 245 zone-policy/zone/node.tag/from # after firewall, content-inspection 250 zone-policy # after zone-policy/zone/node.tag/from/ Now, Zone priorities look like this: 250 zone-policy # after firewall, content-inspection 251 zone-policy/zone/node.tag/from # after zone-policy This required an in-depth look at all zone-policy templates and all of the Zone FW and IPS code to make sure that all of the different combinations of actions under zone-policy still work right. The combinations of actions that needed the most attention are the ones where actions in one priority are executed in the same commit as actions in another priority. Example "deleting the only interface in a zone and also, modifying firewall ruleset from that zone to another zone and deleting content-inspection from that zone to another zone" vyatta@vDUT-5# compare [edit zone-policy zone dmz] -interface eth0 [edit zone-policy zone lan from dmz] -content-inspection { - enable -} [edit zone-policy zone lan from dmz firewall] >name allow_all_another [edit]
-rw-r--r--scripts/vyatta-zone-ips.pl10
-rwxr-xr-xscripts/vyatta-zone.pl14
-rw-r--r--templates-cfg/zone-policy/node.def2
-rw-r--r--templates-cfg/zone-policy/zone/node.tag/from/node.def32
4 files changed, 24 insertions, 34 deletions
diff --git a/scripts/vyatta-zone-ips.pl b/scripts/vyatta-zone-ips.pl
index 760f82a..90d3c0a 100644
--- a/scripts/vyatta-zone-ips.pl
+++ b/scripts/vyatta-zone-ips.pl
@@ -54,15 +54,17 @@ sub setup_default_policy {
# If there's a return all rule at rule_cnt - 1 then remove that.
# In IPS zone chain a return all target can only be for default policy
if ($rule_cnt > 1) {
- my $in_intf = '$6';
+ my $intf = '$6';
+ $intf = '$7' if defined $localoutchain;
# set IPv6 params if using ip6tables
if ($cmd_hash{$tree} =~ '6') {
- $in_intf = '$5';
+ $intf = '$5';
+ $intf = '$6' if defined $localoutchain;
}
my $penultimate_rule_num=$rule_cnt-1;
$cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .
"-L $zone_chain $penultimate_rule_num -v " .
- "| awk {'print \$3\" \"$in_intf'}";
+ "| awk {'print \$3\" \"$intf'}";
my $target=`$cmd`;
chomp $target;
if (defined $target && ($target eq 'RETURN any')) {
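Review bot: The awk field holding the interface name is now picked by four scattered assignments (`$6`/`$7` for iptables, `$5`/`$6` for ip6tables, each bumped by one when `$localoutchain` is set) with no comment saying what the shift means, so a reader has to know the `-L -v` column layout to guess that the local-out chain presumably wants the column after the usual one. Computing the column once from the two conditions and documenting it keeps the IPv4 and IPv6 cases from drifting apart. The command is still assembled as a string and run through backticks, so `$zone_chain` and the hash values pass through a shell; if those only ever come from validated configuration that is acceptable, but a comment stating that assumption would help the next reader. setup_default_policy begins before this hunk and `$localoutchain` is declared outside it.
```perl
    # Field of the interface name in `<iptables> -L -v` output.  The existing
    # offsets indicate ip6tables prints one column fewer than iptables, and the
    # local-out chain needs the column after the usual one (presumably the
    # out-interface rather than the in-interface -- confirm against the output).
    my $intf_col = ($cmd_hash{$tree} =~ '6') ? 5 : 6;
    $intf_col++ if defined $localoutchain;
    my $intf = "\$$intf_col";
    # … unchanged: penultimate rule number, $cmd with the awk pipe, RETURN check …
```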
@@ -148,7 +150,7 @@ sub delete_from_rule {
$ruleset_name=$ruleset;
} else { # called from undo_ips_interface_zone()
$ruleset_name = 'VYATTA_SNORT_all_HOOK' if defined
- Vyatta::Zone::is_ips_enabled("exists",
+ Vyatta::Zone::is_ips_enabled("existsOrig",
$zone_name, $from_zone, $ruleset_type);
}
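Review bot: The IPS undo path now keys only on the original state (`existsOrig`) and, unlike the firewall counterpart in scripts/vyatta-zone.pl changed in this same commit, never consults the current value to decide whether node.def will handle the removal; if content-inspection is deleted from the same `from` node in the same commit, both paths may try to remove the rule from `VYATTA_SNORT_all_HOOK`. If the firewall behaviour is the intended one, mirror it here: `$ruleset_name = undef if defined $ruleset_name && !Vyatta::Zone::is_ips_enabled("exists", $zone_name, $from_zone, $ruleset_type);` with the comment `# if IPS disabled in this commit, call from node.def will take care of this`. The postfix `if defined` wrapped across three lines around the call is hard to scan; a plain `if (...) { ... }` block reads better. delete_from_rule starts before this hunk.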
diff --git a/scripts/vyatta-zone.pl b/scripts/vyatta-zone.pl
index a04ca0b..80c76be 100755
--- a/scripts/vyatta-zone.pl
+++ b/scripts/vyatta-zone.pl
@@ -142,13 +142,25 @@ sub delete_from_rule {
my ($zone_name, $from_zone, $interface, $ruleset_type, $ruleset,
$direction, $zone_chain) = @_;
my ($cmd, $error);
- my $ruleset_name;
+ my ($ruleset_name, $new_ruleset_name);
if (defined $ruleset) { # called from node.def
$ruleset_name=$ruleset;
} else { # called from undo_firewall_interface_zone()
$ruleset_name=Vyatta::Zone::get_firewall_ruleset("returnOrigValue",
$zone_name, $from_zone, $ruleset_type);
+ $new_ruleset_name=Vyatta::Zone::get_firewall_ruleset("returnValue",
+ $zone_name, $from_zone, $ruleset_type);
+
+ if (defined $ruleset_name) {
+ if (defined $new_ruleset_name) {
+ # if ruleset modified, call from node.def will take care of this
+ $ruleset_name=undef if $ruleset_name ne $new_ruleset_name;
+ } else {
+ # if ruleset deleted, call from node.def will take care of this
+ $ruleset_name=undef;
+ }
+ }
}
if (defined $ruleset_name) {
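Review bot: The new nested `if`/`else` at the end of the else branch expresses one rule, that the undo path backs off whenever the ruleset was modified or deleted in this commit, in nine lines with two near-identical comments; `$ruleset_name = undef if defined $ruleset_name && (!defined $new_ruleset_name || $ruleset_name ne $new_ruleset_name); # modified or deleted: call from node.def will take care of this` states it in one. `$new_ruleset_name` is added to the function-scope `my` line but is only read inside this branch, so it can be declared where it is assigned. The rest of delete_from_rule continues after the hunk.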
diff --git a/templates-cfg/zone-policy/node.def b/templates-cfg/zone-policy/node.def
index 52a6b68..d5ca5cb 100644
--- a/templates-cfg/zone-policy/node.def
+++ b/templates-cfg/zone-policy/node.def
@@ -1,4 +1,4 @@
-priority: 250 # after zone-policy/zone/node.tag/from/
+priority: 250 # after firewall, content-inspection
help: Configure zone-policy
diff --git a/templates-cfg/zone-policy/zone/node.tag/from/node.def b/templates-cfg/zone-policy/zone/node.tag/from/node.def
index 62cd3cb..7691fba 100644
--- a/templates-cfg/zone-policy/zone/node.tag/from/node.def
+++ b/templates-cfg/zone-policy/zone/node.tag/from/node.def
@@ -1,5 +1,5 @@
tag:
-priority: 245 # after firewall, content-inspection
+priority: 251 # after zone-policy
type: txt
help: Zone from which to filter traffic
@@ -9,9 +9,9 @@ allowed:
echo -n "${zones[@]}"
begin:
-if ! /opt/vyatta/sbin/vyatta-zone.pl \
- --action=validity-checks \
- --zone-name=none \
+if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=validity-checks \
+ --zone-name=none \
--silent-validate=true; then
exit 1
fi
@@ -35,28 +35,4 @@ create:
if [ $found -eq 0 ]; then
echo Undefined from zone [$VAR(@)] under zone $parent_zone
exit 1
- else
- # fw zone actions
- if ! /opt/vyatta/sbin/vyatta-zone.pl \
- --action=add-zone \
- --zone-name="$parent_zone"; then
- exit 1
- fi
- if ! /opt/vyatta/sbin/vyatta-zone.pl \
- --action=add-zone \
- --zone-name="$VAR(@)"; then
- exit 1
- fi
-
- # ips zone actions
- if ! /opt/vyatta/sbin/vyatta-zone-ips.pl \
- --action=add-zone \
- --zone-name="$parent_zone"; then
- exit 1
- fi
- if ! /opt/vyatta/sbin/vyatta-zone-ips.pl \
- --action=add-zone \
- --zone-name="$VAR(@)"; then
- exit 1
- fi
fi