diff options
author | Mohit Mehta <mohit@vyatta.com> | 2010-10-13 17:38:39 -0700 |
---|---|---|
committer | Mohit Mehta <mohit@vyatta.com> | 2010-10-13 17:38:39 -0700 |
commit | 4830952dc7a88a3732e4c269b65b01596bb7c413 (patch) | |
tree | 16def42aba630db22c8eb24e593d3485b52d1bd8 /scripts/vyatta-zone.pl | |
parent | dfa0a30c575f92575e43608b9c50d43ff02bcb20 (diff) | |
download | vyatta-zone-4830952dc7a88a3732e4c269b65b01596bb7c413.tar.gz vyatta-zone-4830952dc7a88a3732e4c269b65b01596bb7c413.zip |
move common hashes and create/delete zone chain functions to zone library
Diffstat (limited to 'scripts/vyatta-zone.pl')
-rwxr-xr-x | scripts/vyatta-zone.pl | 67 |
1 files changed, 7 insertions, 60 deletions
diff --git a/scripts/vyatta-zone.pl b/scripts/vyatta-zone.pl index 0c05842..75de074 100755 --- a/scripts/vyatta-zone.pl +++ b/scripts/vyatta-zone.pl @@ -27,25 +27,12 @@ use Getopt::Long; use POSIX; use lib "/opt/vyatta/share/perl5"; -use Vyatta::Zone; use Vyatta::IpTables::Mgr; +use Vyatta::Zone qw(%cmd_hash %table_hash %policy_hash); use warnings; use strict; -# for future ease, when we add modify, these hashes will just be extended -# firewall mapping from config node to iptables command. -my %cmd_hash = ( 'name' => '/sbin/iptables', - 'ipv6-name' => '/sbin/ip6tables'); - -# firewall mapping from config node to iptables/ip6tables table -my %table_hash = ( 'name' => 'filter', - 'ipv6-name' => 'filter'); - -# mapping from vyatta 'default-policy' to iptables jump target -my %policy_hash = ( 'drop' => 'DROP', - 'reject' => 'REJECT' ); - sub setup_default_policy { my ($zone_name, $default_policy, $localoutchain) = @_; my ($cmd, $error); @@ -84,48 +71,6 @@ in $zone_name chain failed [$error]" if $error; return; } -sub create_zone_chain { - my ($zone_name, $localoutchain) = @_; - my ($cmd, $error); - my $zone_chain=Vyatta::Zone::get_zone_chain("exists", - $zone_name, $localoutchain); - - # create zone chains in filter, ip6filter tables - foreach my $tree (keys %cmd_hash) { - $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " . - "-L $zone_chain >&/dev/null"; - $error = Vyatta::Zone::run_cmd($cmd); - if ($error) { - # chain does not exist, go ahead create it - $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -N $zone_chain"; - $error = Vyatta::Zone::run_cmd($cmd); - return "Error: create $zone_name chain with failed [$error]" if $error; - } - } - - return; -} - -sub delete_zone_chain { - my ($zone_name, $localoutchain) = @_; - my ($cmd, $error); - my $zone_chain=Vyatta::Zone::get_zone_chain("existsOrig", - $zone_name, $localoutchain); - # delete zone chains from filter, ip6filter tables - foreach my $tree (keys %cmd_hash) { - # flush all rules from zone chain - $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -F $zone_chain"; - $error = Vyatta::Zone::run_cmd($cmd); - return "Error: flush all rules in $zone_name chain failed [$error]" if $error; - - # delete zone chain - $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -X $zone_chain"; - $error = Vyatta::Zone::run_cmd($cmd); - return "Error: delete $zone_name chain failed [$error]" if $error; - } - return; -} - sub insert_from_rule { my ($zone_name, $from_zone, $interface, $ruleset_type, $ruleset, $direction, $zone_chain) = @_; @@ -460,12 +405,13 @@ $zone_chain chain failed [$error]" if $error; sub add_zone { my $zone_name = shift; # perform firewall related actions for this zone - my $error = create_zone_chain ($zone_name); + my $error = Vyatta::Zone::create_zone_chain("get_zone_chain", $zone_name); return ($error, ) if $error; if (defined(Vyatta::Zone::is_local_zone("exists", $zone_name))) { # make local out chain as well - $error = create_zone_chain ($zone_name, "localout"); + $error = Vyatta::Zone::create_zone_chain ("get_zone_chain", + $zone_name, "localout"); return ($error, ) if $error; # allow traffic sourced from and destined to localhost @@ -541,11 +487,12 @@ sub add_zone { sub delete_zone { my $zone_name = shift; # undo firewall related actions for this zone - my $error = delete_zone_chain ($zone_name); + my $error = Vyatta::Zone::delete_zone_chain("get_zone_chain", $zone_name); return ($error, ) if $error; if (defined(Vyatta::Zone::is_local_zone("existsOrig", $zone_name))) { # delete local out chain as well - $error = delete_zone_chain ($zone_name, "localout"); + $error = Vyatta::Zone::delete_zone_chain("get_zone_chain", + $zone_name, "localout"); return ($error, ) if $error; } return; |