author | Mohit Mehta <mohit@vyatta.com> | 2011-06-16 12:46:06 -0700 |
---|---|---|
committer | Mohit Mehta <mohit@vyatta.com> | 2011-06-16 12:46:06 -0700 |
commit | dfa0b5ee3b2578ddc62b19c00b7be1711b89f47e (patch) | |
tree | f00f09d39f67f9c7efc480f4ba02b0ca940037fe /scripts/vyatta-zone-ips.pl | |
parent | b669522658191e14f134fe922b21315d7854c043 (diff) | |
Bug 7154 Priority inversion error when deleting zone policy
* Inverted Zone priorities to comply with new commit implementation.
Previously, Zone priorities were:
245 zone-policy/zone/node.tag/from # after firewall, content-inspection
250 zone-policy # after zone-policy/zone/node.tag/from/
Now, Zone priorities look like this:
250 zone-policy # after firewall, content-inspection
251 zone-policy/zone/node.tag/from # after zone-policy
This required an in-depth look at all zone-policy templates and all of Zone FW
and IPS code to make sure that all of the different combinations of actions
under zone-policy still work right. The combinations of actions that needed
most attention are the ones where actions in one priority are executed in
the same commit as actions in another priority. Example "deleting the only
interface in a zone and also, modifying firewall ruleset from that zone to
another zone and deleting content-inspection from that zone to another zone"
vyatta@vDUT-5# compare
[edit zone-policy zone dmz]
-interface eth0
[edit zone-policy zone lan from dmz]
-content-inspection {
- enable
-}
[edit zone-policy zone lan from dmz firewall]
>name allow_all_another
[edit]
Diffstat (limited to 'scripts/vyatta-zone-ips.pl')
-rw-r--r-- | scripts/vyatta-zone-ips.pl | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/scripts/vyatta-zone-ips.pl b/scripts/vyatta-zone-ips.pl
index 760f82a..90d3c0a 100644
--- a/scripts/vyatta-zone-ips.pl
+++ b/scripts/vyatta-zone-ips.pl
@@ -54,15 +54,17 @@ sub setup_default_policy {
     # If there's a return all rule at rule_cnt - 1 then remove that.
     # In IPS zone chain a return all target can only be for default policy
     if ($rule_cnt > 1) {
-      my $in_intf = '$6';
+      my $intf = '$6';
+      $intf = '$7' if defined $localoutchain;
       # set IPv6 params if using ip6tables
       if ($cmd_hash{$tree} =~ '6') {
-        $in_intf = '$5';
+        $intf = '$5';
+        $intf = '$6' if defined $localoutchain;
       }
       my $penultimate_rule_num=$rule_cnt-1;
       $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .
             "-L $zone_chain $penultimate_rule_num -v " .
-            "| awk {'print \$3\" \"$in_intf'}";
+            "| awk {'print \$3\" \"$intf'}";
       my $target=`$cmd`;
       chomp $target;
       if (defined $target && ($target eq 'RETURN any')) {
@@ -148,7 +150,7 @@ sub delete_from_rule {
       $ruleset_name=$ruleset;
     } else {
       # called from undo_ips_interface_zone()
       $ruleset_name = 'VYATTA_SNORT_all_HOOK' if defined
-        Vyatta::Zone::is_ips_enabled("exists",
+        Vyatta::Zone::is_ips_enabled("existsOrig",
           $zone_name, $from_zone, $ruleset_type);
     }
|
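Review bot: The awk field indices `'$6'`, `'$7'`, `'$5'` on the new `$intf` lines are undocumented magic numbers tied to the column layout of the `-L ... -v` listing, and the `$localoutchain` adjustment is now written twice, once for each address family. Presumably the extra column selects the `out` interface for the local-out chain and the lower indices account for ip6tables output lacking a column, but nothing in the hunk says so; a comment such as `# -L -v columns: $3=target, $6=in-intf, $7=out-intf (ip6tables: $5/$6); local-out chains match on the out interface` would pin the assumption. The shift could also be applied once: `my $col = ($cmd_hash{$tree} =~ '6') ? 5 : 6;` `$col++ if defined $localoutchain;` `my $intf = "\$$col";`. `$localoutchain` is not declared in the hunk, so it appears to come from the enclosing scope; the command is still assembled by interpolation and run via backticks, which this commit leaves unchanged. The body of setup_default_policy begins before the hunk and continues past it.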
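Review bot: The switch to `"existsOrig"` in the is_ips_enabled call carries no comment explaining why this branch consults what is presumably the pre-commit view of the configuration rather than the working one; the commit message (the zone or its interfaces being deleted in the same commit) supplies the rationale, the code does not. Suggest adding above the `$ruleset_name =` line: `# look at the pre-commit config: the zone or from-zone may be removed in this same commit`. delete_from_rule starts before the hunk and ends after it.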