summaryrefslogtreecommitdiff
path: root/scripts/vyatta-zone.pl
diff options
context:
space:
mode:
authorMohit Mehta <mohit@vyatta.com>2010-10-15 16:19:19 -0700
committerMohit Mehta <mohit@vyatta.com>2010-10-15 16:19:19 -0700
commitb905f6fa462eb5d7af783ceaf3e51e0fd155c0c9 (patch)
treea826264ac76ce357b0ef2609d642d828e49eb31e /scripts/vyatta-zone.pl
parent83b12f568d981c013302b0ccc92d9e280e96bb71 (diff)
downloadvyatta-zone-b905f6fa462eb5d7af783ceaf3e51e0fd155c0c9.tar.gz
vyatta-zone-b905f6fa462eb5d7af783ceaf3e51e0fd155c0c9.zip
common functions to add/delete interface to/from v4 and v6 feature zone chains
Diffstat (limited to 'scripts/vyatta-zone.pl')
-rwxr-xr-xscripts/vyatta-zone.pl63
1 files changed, 10 insertions, 53 deletions
diff --git a/scripts/vyatta-zone.pl b/scripts/vyatta-zone.pl
index 75de074..e86df2e 100755
--- a/scripts/vyatta-zone.pl
+++ b/scripts/vyatta-zone.pl
@@ -194,38 +194,10 @@ sub delete_fromlocalzone_ruleset {
sub do_firewall_interface_zone {
my ($zone_name, $interface) = @_;
- my $zone_chain=Vyatta::Zone::get_zone_chain("exists", $zone_name);
my ($cmd, $error);
- foreach my $tree (keys %cmd_hash) {
-
- my $result = Vyatta::Zone::rule_exists ($cmd_hash{$tree},
- $table_hash{$tree}, "$zone_chain", "RETURN", $interface);
- if ($result < 1) {
- # add rule to allow same zone to same zone traffic
- $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -I $zone_chain " .
- "-i $interface -j RETURN";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: call to add $interface to its zone-chain $zone_chain
-failed [$error]" if $error;
- }
-
- # need to do this as an append before VYATTA_POST_FW_*_HOOK
- my $rule_cnt = Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree},
- $table_hash{$tree}, "FORWARD");
- my $insert_at_rule_num=1;
- if ( $rule_cnt > 1 ) {
- $insert_at_rule_num=$rule_cnt;
- }
- $result = Vyatta::Zone::rule_exists ($cmd_hash{$tree}, $table_hash{$tree},
- "FORWARD", "$zone_chain", $interface);
- if ($result < 1) {
- $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -I FORWARD " .
- "$insert_at_rule_num -o $interface -j $zone_chain";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: call to add jump rule for outgoing interface $interface
-to its $zone_chain chain failed [$error]" if $error;
- }
- }
+ $error = Vyatta::Zone::add_intf_to_zonechain('get_zone_chain',
+ $zone_name, $interface, 'FORWARD');
+ return "Error: $error" if $error;
# get all zones in which this zone is being used as a from zone
# then in chains for those zones, add rules for this incoming interface
@@ -264,24 +236,9 @@ to its $zone_chain chain failed [$error]" if $error;
sub undo_firewall_interface_zone {
my ($zone_name, $interface) = @_;
my ($cmd, $error);
- my $zone_chain=Vyatta::Zone::get_zone_chain("existsOrig", $zone_name);
-
- foreach my $tree (keys %cmd_hash) {
-
- # delete rule to allow same zone to same zone traffic
- $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -D FORWARD " .
- "-o $interface -j $zone_chain";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: call to delete jump rule for outgoing interface $interface
-to $zone_chain chain failed [$error]" if $error;
-
- # delete ruleset jump for this in interface
- $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -D $zone_chain " .
- "-i $interface -j RETURN";
- $error = Vyatta::Zone::run_cmd($cmd);
- return "Error: call to delete interface $interface from zone-chain
-$zone_chain with failed [$error]" if $error;
- }
+ $error = Vyatta::Zone::delete_intf_from_zonechain('get_zone_chain',
+ $zone_name, $interface, 'FORWARD');
+ return "Error: $error" if $error;
# delete rules for this intf where this zone is being used as a from zone
my @all_zones = Vyatta::Zone::get_all_zones("listOrigNodes");
@@ -406,13 +363,13 @@ sub add_zone {
my $zone_name = shift;
# perform firewall related actions for this zone
my $error = Vyatta::Zone::create_zone_chain("get_zone_chain", $zone_name);
- return ($error, ) if $error;
+ return ("Error: $error", ) if $error;
if (defined(Vyatta::Zone::is_local_zone("exists", $zone_name))) {
# make local out chain as well
$error = Vyatta::Zone::create_zone_chain ("get_zone_chain",
$zone_name, "localout");
- return ($error, ) if $error;
+ return ("Error: $error", ) if $error;
# allow traffic sourced from and destined to localhost
my $cmd;
@@ -488,12 +445,12 @@ sub delete_zone {
my $zone_name = shift;
# undo firewall related actions for this zone
my $error = Vyatta::Zone::delete_zone_chain("get_zone_chain", $zone_name);
- return ($error, ) if $error;
+ return ("Error: $error", ) if $error;
if (defined(Vyatta::Zone::is_local_zone("existsOrig", $zone_name))) {
# delete local out chain as well
$error = Vyatta::Zone::delete_zone_chain("get_zone_chain",
$zone_name, "localout");
- return ($error, ) if $error;
+ return ("Error: $error", ) if $error;
}
return;
}