authorMohit Mehta <mohit@vyatta.com>2010-10-15 16:19:19 -0700
committerMohit Mehta <mohit@vyatta.com>2010-10-15 16:19:19 -0700
commitb905f6fa462eb5d7af783ceaf3e51e0fd155c0c9 (patch)
treea826264ac76ce357b0ef2609d642d828e49eb31e
parent83b12f568d981c013302b0ccc92d9e280e96bb71 (diff)
downloadvyatta-zone-b905f6fa462eb5d7af783ceaf3e51e0fd155c0c9.tar.gz
vyatta-zone-b905f6fa462eb5d7af783ceaf3e51e0fd155c0c9.zip
common functions to add/delete interface to/from v4 and v6 feature zone chains
-rwxr-xr-xlib/Vyatta/Zone.pm72
-rw-r--r--scripts/vyatta-zone-ips.pl63
-rwxr-xr-xscripts/vyatta-zone.pl63
3 files changed, 89 insertions, 109 deletions
diff --git a/lib/Vyatta/Zone.pm b/lib/Vyatta/Zone.pm
index 251b325..7f471b0 100755
--- a/lib/Vyatta/Zone.pm
+++ b/lib/Vyatta/Zone.pm
@@ -26,6 +26,7 @@ package Vyatta::Zone;
use Vyatta::Config;
use Vyatta::Misc;
use Vyatta::Interface;
+use Vyatta::IpTables::Mgr;
use strict;
use warnings;
@@ -287,7 +288,7 @@ sub create_zone_chain {
# chain does not exist, go ahead create it
$cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -N $zone_chain";
$error = run_cmd($cmd);
- return "Error: create $zone_name chain with failed [$error]" if $error;
+ return "create $zone_name chain with failed [$error]" if $error;
}
}
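Review bot: The rewritten message on the `+` line keeps the pre-existing wording `create $zone_name chain with failed [$error]`, where the stray `with` makes the returned error read oddly once the caller prepends `Error: `. Since the line is being edited anyway, make it `return "create $zone_name chain failed [$error]" if $error;` so it matches the `delete $zone_name chain failed` form used in delete_zone_chain in the next hunk. create_zone_chain's body begins before the hunk.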
@@ -304,14 +305,79 @@ sub delete_zone_chain {
# flush all rules from zone chain
$cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -F $zone_chain";
$error = run_cmd($cmd);
- return "Error: flush all rules in $zone_name chain failed [$error]" if $error;
+ return "flush all rules in $zone_name chain failed [$error]" if $error;
# delete zone chain
$cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -X $zone_chain";
$error = run_cmd($cmd);
- return "Error: delete $zone_name chain failed [$error]" if $error;
+ return "delete $zone_name chain failed [$error]" if $error;
}
return;
}
+sub add_intf_to_zonechain {
+ my ($zone_chain_func, $zone_name, $interface, $feature_chain) = @_;
+ my $zone_chain=
+ $get_zone_chain_hash{$zone_chain_func}->("exists", $zone_name);
+ my ($cmd, $error);
+ foreach my $tree (keys %cmd_hash) {
+
+ my $result = rule_exists ($cmd_hash{$tree}, $table_hash{$tree},
+ "$zone_chain", "RETURN", $interface);
+ if ($result < 1) {
+ # add rule to allow same zone to same zone traffic
+ $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -I $zone_chain " .
+ "-i $interface -j RETURN";
+ $error = run_cmd($cmd);
+ return "call to add $interface to its zone-chain $zone_chain
+failed [$error]" if $error;
+ }
+
+ # add jump rule to zone chain for this interface before last rule
+ my $rule_cnt =
+ Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree},
+ $table_hash{$tree}, "$feature_chain");
+ my $insert_at_rule_num=1;
+ if ( $rule_cnt > 1 ) {
+ $insert_at_rule_num=$rule_cnt;
+ }
+ $result = rule_exists ($cmd_hash{$tree}, $table_hash{$tree},
+ "$feature_chain", "$zone_chain", $interface);
+ if ($result < 1) {
+ $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -I " .
+ "$feature_chain $insert_at_rule_num -o $interface -j $zone_chain";
+ $error = run_cmd($cmd);
+ return "call to add jump rule for outgoing interface $interface
+to its $zone_chain chain failed [$error]" if $error;
+ }
+ }
+
+ # success
+ return;
+}
+
+sub delete_intf_from_zonechain {
+ my ($zone_chain_func, $zone_name, $interface, $feature_chain) = @_;
+ my $zone_chain=
+ $get_zone_chain_hash{$zone_chain_func}->("existsOrig", $zone_name);
+ my ($cmd, $error);
+
+ foreach my $tree (keys %cmd_hash) {
+
+ # delete rule to jump to zone chain for this interface
+ $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -D $feature_chain " .
+ "-o $interface -j $zone_chain";
+ $error = run_cmd($cmd);
+ return "Error: call to delete jump rule for outgoing interface $interface
+to $zone_chain chain failed [$error]" if $error;
+
+ # delete rule to allow same zone to same zone traffic
+ $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -D $zone_chain " .
+ "-i $interface -j RETURN";
+ $error = run_cmd($cmd);
+ return "Error: call to delete interface $interface from zone-chain
+$zone_chain with failed [$error]" if $error;
+ }
+}
+
1;
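Review bot: delete_intf_from_zonechain (the second new sub, `sub delete_intf_from_zonechain {`) falls off the end of its foreach with no explicit return, so what it yields on success is unspecified by Perl rather than undef, and every caller tests that value with `if $error`; add `return;` before the closing brace, as add_intf_to_zonechain does under `# success`. Its two error strings also keep the `Error: ` prefix that this commit strips from create_zone_chain, delete_zone_chain and add_intf_to_zonechain, while the new call sites in undo_ips_interface_zone (vyatta-zone-ips.pl) and undo_firewall_interface_zone (vyatta-zone.pl) prepend `Error: ` again, so a failure there surfaces as `Error: Error: call to delete ...`; change them to `return "call to delete jump rule for outgoing interface $interface to $zone_chain chain failed [$error]" if $error;` and `return "call to delete interface $interface from zone-chain $zone_chain failed [$error]" if $error;`. In both new subs each error string is split across two source lines, so the returned message carries an embedded newline; keeping the literal on one line or joining with `.` avoids that. Both subs interpolate $interface, $zone_chain and $feature_chain into a single `sudo ...` string handed to run_cmd, which is not visible here; if run_cmd goes through the shell, the library now depends on callers passing only validated interface and chain names, which is worth stating in a comment above add_intf_to_zonechain. delete_zone_chain's body begins before the hunk.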
diff --git a/scripts/vyatta-zone-ips.pl b/scripts/vyatta-zone-ips.pl
index 7007a84..03e95cd 100644
--- a/scripts/vyatta-zone-ips.pl
+++ b/scripts/vyatta-zone-ips.pl
@@ -188,38 +188,10 @@ sub delete_fromlocalzone_ruleset {
sub do_ips_interface_zone {
my ($zone_name, $interface) = @_;
- my $zone_chain=Vyatta::Zone::get_ips_zone_chain("exists", $zone_name);
my ($cmd, $error);
- foreach my $tree (keys %cmd_hash) {
-
- my $result = Vyatta::Zone::rule_exists ($cmd_hash{$tree},
- $table_hash{$tree}, "$zone_chain", "RETURN", $interface);
- if ($result < 1) {
- # add rule to allow same zone to same zone traffic
- $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -I $zone_chain " .
- "-i $interface -j RETURN";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: call to add $interface to its zone-chain $zone_chain
-failed [$error]" if $error;
- }
-
- # need to do this as an append before ACCEPT rule at the end
- my $rule_cnt = Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree},
- $table_hash{$tree}, "VYATTA_POST_FW_FWD_HOOK");
- my $insert_at_rule_num=1;
- if ( $rule_cnt > 1 ) {
- $insert_at_rule_num=$rule_cnt;
- }
- $result = Vyatta::Zone::rule_exists ($cmd_hash{$tree}, $table_hash{$tree},
- "VYATTA_POST_FW_FWD_HOOK", "$zone_chain", $interface);
- if ($result < 1) {
- $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -I VYATTA_POST_FW_FWD_HOOK " .
- "$insert_at_rule_num -o $interface -j $zone_chain";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: call to add jump rule for outgoing interface $interface
-to its $zone_chain chain failed [$error]" if $error;
- }
- }
+ $error = Vyatta::Zone::add_intf_to_zonechain('get_ips_zone_chain',
+ $zone_name, $interface, 'VYATTA_POST_FW_FWD_HOOK');
+ return "Error: $error" if $error;
# get all zones in which this zone is being used as a from zone
# then in chains for those zones, add rules for this incoming interface
@@ -258,24 +230,9 @@ to its $zone_chain chain failed [$error]" if $error;
sub undo_ips_interface_zone {
my ($zone_name, $interface) = @_;
my ($cmd, $error);
- my $zone_chain=Vyatta::Zone::get_ips_zone_chain("existsOrig", $zone_name);
-
- foreach my $tree (keys %cmd_hash) {
-
- # delete rule to allow same zone to same zone traffic
- $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -D VYATTA_POST_FW_FWD_HOOK " .
- "-o $interface -j $zone_chain";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: call to delete jump rule for outgoing interface $interface
-to $zone_chain chain failed [$error]" if $error;
-
- # delete ruleset jump for this in interface
- $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -D $zone_chain " .
- "-i $interface -j RETURN";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: call to delete interface $interface from zone-chain
-$zone_chain with failed [$error]" if $error;
- }
+ $error = Vyatta::Zone::delete_intf_from_zonechain('get_ips_zone_chain',
+ $zone_name, $interface, 'VYATTA_POST_FW_FWD_HOOK');
+ return "Error: $error" if $error;
# delete rules for this intf where this zone is being used as a from zone
my @all_zones = Vyatta::Zone::get_all_zones("listOrigNodes");
@@ -401,13 +358,13 @@ sub add_zone {
# perform IPS related actions for this zone
my $error = Vyatta::Zone::create_zone_chain("get_ips_zone_chain",
$zone_name);
- return ($error, ) if $error;
+ return ("Error: $error", ) if $error;
if (defined(Vyatta::Zone::is_local_zone("exists", $zone_name))) {
# make local out chain as well
$error = Vyatta::Zone::create_zone_chain("get_ips_zone_chain",
$zone_name, "localout");
- return ($error, ) if $error;
+ return ("Error: $error", ) if $error;
# allow traffic sourced from and destined to localhost
my $cmd;
@@ -485,12 +442,12 @@ sub delete_zone {
# undo IPS related actions for this zone
my $error = Vyatta::Zone::delete_zone_chain("get_ips_zone_chain",
$zone_name);
- return ($error, ) if $error;
+ return ("Error: $error", ) if $error;
if (defined(Vyatta::Zone::is_local_zone("existsOrig", $zone_name))) {
# delete local out chain as well
$error = Vyatta::Zone::delete_zone_chain("get_ips_zone_chain",
$zone_name, "localout");
- return ($error, ) if $error;
+ return ("Error: $error", ) if $error;
}
return;
}
diff --git a/scripts/vyatta-zone.pl b/scripts/vyatta-zone.pl
index 75de074..e86df2e 100755
--- a/scripts/vyatta-zone.pl
+++ b/scripts/vyatta-zone.pl
@@ -194,38 +194,10 @@ sub delete_fromlocalzone_ruleset {
sub do_firewall_interface_zone {
my ($zone_name, $interface) = @_;
- my $zone_chain=Vyatta::Zone::get_zone_chain("exists", $zone_name);
my ($cmd, $error);
- foreach my $tree (keys %cmd_hash) {
-
- my $result = Vyatta::Zone::rule_exists ($cmd_hash{$tree},
- $table_hash{$tree}, "$zone_chain", "RETURN", $interface);
- if ($result < 1) {
- # add rule to allow same zone to same zone traffic
- $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -I $zone_chain " .
- "-i $interface -j RETURN";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: call to add $interface to its zone-chain $zone_chain
-failed [$error]" if $error;
- }
-
- # need to do this as an append before VYATTA_POST_FW_*_HOOK
- my $rule_cnt = Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree},
- $table_hash{$tree}, "FORWARD");
- my $insert_at_rule_num=1;
- if ( $rule_cnt > 1 ) {
- $insert_at_rule_num=$rule_cnt;
- }
- $result = Vyatta::Zone::rule_exists ($cmd_hash{$tree}, $table_hash{$tree},
- "FORWARD", "$zone_chain", $interface);
- if ($result < 1) {
- $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -I FORWARD " .
- "$insert_at_rule_num -o $interface -j $zone_chain";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: call to add jump rule for outgoing interface $interface
-to its $zone_chain chain failed [$error]" if $error;
- }
- }
+ $error = Vyatta::Zone::add_intf_to_zonechain('get_zone_chain',
+ $zone_name, $interface, 'FORWARD');
+ return "Error: $error" if $error;
# get all zones in which this zone is being used as a from zone
# then in chains for those zones, add rules for this incoming interface
@@ -264,24 +236,9 @@ to its $zone_chain chain failed [$error]" if $error;
sub undo_firewall_interface_zone {
my ($zone_name, $interface) = @_;
my ($cmd, $error);
- my $zone_chain=Vyatta::Zone::get_zone_chain("existsOrig", $zone_name);
-
- foreach my $tree (keys %cmd_hash) {
-
- # delete rule to allow same zone to same zone traffic
- $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -D FORWARD " .
- "-o $interface -j $zone_chain";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: call to delete jump rule for outgoing interface $interface
-to $zone_chain chain failed [$error]" if $error;
-
- # delete ruleset jump for this in interface
- $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -D $zone_chain " .
- "-i $interface -j RETURN";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: call to delete interface $interface from zone-chain
-$zone_chain with failed [$error]" if $error;
- }
+ $error = Vyatta::Zone::delete_intf_from_zonechain('get_zone_chain',
+ $zone_name, $interface, 'FORWARD');
+ return "Error: $error" if $error;
# delete rules for this intf where this zone is being used as a from zone
my @all_zones = Vyatta::Zone::get_all_zones("listOrigNodes");
@@ -406,13 +363,13 @@ sub add_zone {
my $zone_name = shift;
# perform firewall related actions for this zone
my $error = Vyatta::Zone::create_zone_chain("get_zone_chain", $zone_name);
- return ($error, ) if $error;
+ return ("Error: $error", ) if $error;
if (defined(Vyatta::Zone::is_local_zone("exists", $zone_name))) {
# make local out chain as well
$error = Vyatta::Zone::create_zone_chain ("get_zone_chain",
$zone_name, "localout");
- return ($error, ) if $error;
+ return ("Error: $error", ) if $error;
# allow traffic sourced from and destined to localhost
my $cmd;
@@ -488,12 +445,12 @@ sub delete_zone {
my $zone_name = shift;
# undo firewall related actions for this zone
my $error = Vyatta::Zone::delete_zone_chain("get_zone_chain", $zone_name);
- return ($error, ) if $error;
+ return ("Error: $error", ) if $error;
if (defined(Vyatta::Zone::is_local_zone("existsOrig", $zone_name))) {
# delete local out chain as well
$error = Vyatta::Zone::delete_zone_chain("get_zone_chain",
$zone_name, "localout");
- return ($error, ) if $error;
+ return ("Error: $error", ) if $error;
}
return;
}