summaryrefslogtreecommitdiff
path: root/scripts/vyatta-zone-ips.pl
diff options
context:
space:
mode:
authorMohit Mehta <mohit@vyatta.com>2011-06-16 12:46:06 -0700
committerMohit Mehta <mohit@vyatta.com>2011-06-16 12:46:06 -0700
commitdfa0b5ee3b2578ddc62b19c00b7be1711b89f47e (patch)
treef00f09d39f67f9c7efc480f4ba02b0ca940037fe /scripts/vyatta-zone-ips.pl
parentb669522658191e14f134fe922b21315d7854c043 (diff)
downloadvyatta-zone-dfa0b5ee3b2578ddc62b19c00b7be1711b89f47e.tar.gz
vyatta-zone-dfa0b5ee3b2578ddc62b19c00b7be1711b89f47e.zip
Bug 7154 Priority inversion error when deleting zone policy
* Inverted Zone priorities to comply with new commit implementation. Previously, Zone priorities were: 245 zone-policy/zone/node.tag/from # after firewall, content-inspection 250 zone-policy # after zone-policy/zone/node.tag/from/ Now, Zone priorities look like this: 250 zone-policy # after firewall, content-inspection 251 zone-policy/zone/node.tag/from # after zone-policy This required an in-depth look at all zone-policy templates and all of Zone FW and IPS code to make sure that all of the different combinations of actions under zone-policy still work right. The combination of actions that needed most attention are the ones where actions in one priority are executed in the same commit as actions in other priority. Example "deleting the only interface in a zone and also, modifying firewall ruleset from that zone to another zone and deleting content-inspection from that zone to another zone" vyatta@vDUT-5# compare [edit zone-policy zone dmz] -interface eth0 [edit zone-policy zone lan from dmz] -content-inspection { - enable -} [edit zone-policy zone lan from dmz firewall] >name allow_all_another [edit]
Diffstat (limited to 'scripts/vyatta-zone-ips.pl')
-rw-r--r--scripts/vyatta-zone-ips.pl10
1 files changed, 6 insertions, 4 deletions
diff --git a/scripts/vyatta-zone-ips.pl b/scripts/vyatta-zone-ips.pl
index 760f82a..90d3c0a 100644
--- a/scripts/vyatta-zone-ips.pl
+++ b/scripts/vyatta-zone-ips.pl
@@ -54,15 +54,17 @@ sub setup_default_policy {
# If there's a return all rule at rule_cnt - 1 then remove that.
# In IPS zone chain a return all target can only be for default policy
if ($rule_cnt > 1) {
- my $in_intf = '$6';
+ my $intf = '$6';
+ $intf = '$7' if defined $localoutchain;
# set IPv6 params if using ip6tables
if ($cmd_hash{$tree} =~ '6') {
- $in_intf = '$5';
+ $intf = '$5';
+ $intf = '$6' if defined $localoutchain;
}
my $penultimate_rule_num=$rule_cnt-1;
$cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .
"-L $zone_chain $penultimate_rule_num -v " .
- "| awk {'print \$3\" \"$in_intf'}";
+ "| awk {'print \$3\" \"$intf'}";
my $target=`$cmd`;
chomp $target;
if (defined $target && ($target eq 'RETURN any')) {
@@ -148,7 +150,7 @@ sub delete_from_rule {
$ruleset_name=$ruleset;
} else { # called from undo_ips_interface_zone()
$ruleset_name = 'VYATTA_SNORT_all_HOOK' if defined
- Vyatta::Zone::is_ips_enabled("exists",
+ Vyatta::Zone::is_ips_enabled("existsOrig",
$zone_name, $from_zone, $ruleset_type);
}