author | Mohit Mehta <mohit.mehta@vyatta.com> | 2010-10-07 18:07:16 -0700 |
committer | Mohit Mehta <mohit.mehta@vyatta.com> | 2010-10-07 18:07:16 -0700 |
commit | 1f7bba17f9d53aad7810718ea26d8bbad405b309 (patch) | |
tree | 5b3cef11c97d0bf39e51da049c1f8a21bdbe1cfc /templates-cfg | |
Initial release (debian/0.1)
Diffstat (limited to 'templates-cfg')
10 files changed, 271 insertions, 0 deletions
diff --git a/templates-cfg/zone-policy/node.def b/templates-cfg/zone-policy/node.def
new file mode 100644
index 0000000..440d397
--- /dev/null
+++ b/templates-cfg/zone-policy/node.def
@@ -0,0 +1,6 @@
+priority: 250 # after zone-policy/zone/node.tag/from/
+help: Configure zone-policy
+begin:
+if ! /opt/vyatta/sbin/vyatta-zone.pl --action=validity-checks --zone-name=none --silent-validate=false; then
+ exit 1
+fi
diff --git a/templates-cfg/zone-policy/zone/node.def b/templates-cfg/zone-policy/zone/node.def
new file mode 100644
index 0000000..eb8c3c8
--- /dev/null
+++ b/templates-cfg/zone-policy/zone/node.def
@@ -0,0 +1,24 @@
+tag:
+type: txt
+help: Zone name
+
+syntax:expression: pattern $VAR(@) "^[[:print:]]{1,20}$" ;
+ "Zone name must be 20 characters or less"
+
+syntax:expression: pattern $VAR(@) "^[^-]" ; "Zone name cannot start with \"-\""
+
+syntax:expression: pattern $VAR(@) "^[^;]*$" ; "Zone name cannot contain ';'"
+
+create:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=add-zone \
+ --zone-name="$VAR(@)"; then
+ exit 1
+ fi
+
+delete:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=delete-zone \
+ --zone-name="$VAR(@)"; then
+ exit 1
+ fi
diff --git a/templates-cfg/zone-policy/zone/node.tag/default-action/node.def b/templates-cfg/zone-policy/zone/node.tag/default-action/node.def
new file mode 100644
index 0000000..61c8c78
--- /dev/null
+++ b/templates-cfg/zone-policy/zone/node.tag/default-action/node.def
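Review bot: The zone-name rules in zone/node.def blacklist only `;` while `^[[:print:]]{1,20}$` still admits `"`, backtick, `$`, `|`, `&` and space, and the value is later spliced into shell text as `--zone-name="$VAR(@)"` here and into an unquoted `zones=($VAR(../@@))` in from/node.def; if the backend substitutes `$VAR(@)` textually before bash runs the stanza (which is what the `;` rule itself suggests the author expects), a double quote or `$(` inside the name breaks out of the quoting. Replace the three pattern rules with a single whitelist, `syntax:expression: pattern $VAR(@) "^[A-Za-z0-9_][A-Za-z0-9_-]{0,19}$" ; "Zone name must be 1-20 letters, digits, '_' or '-' and must not start with '-'"`, which keeps the length and leading-dash checks and also keeps names safe for whatever vyatta-zone.pl builds from them (chain names, presumably). The parent template passes `--zone-name=none` as a sentinel to validity-checks; if the Perl script special-cases that value, reject `none` as a user zone name here as well.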
@@ -0,0 +1,26 @@
+type: txt
+help: Default-action for traffic coming into this zone
+default: "drop"
+allowed: echo drop reject
+
+syntax:expression: $VAR(@) in "drop", "reject";
+ "default-action must be either drop or reject"
+
+val_help: drop; Drop silently (default)
+val_help: reject; Drop and notify source
+
+create:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=set-default-policy \
+ --zone-name="$VAR(../@)" \
+ --default-policy="$VAR(@)"; then
+ exit 1
+ fi
+
+update:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=set-default-policy \
+ --zone-name="$VAR(../@)" \
+ --default-policy="$VAR(@)"; then
+ exit 1
+ fi
diff --git a/templates-cfg/zone-policy/zone/node.tag/description/node.def b/templates-cfg/zone-policy/zone/node.tag/description/node.def
new file mode 100644
index 0000000..7acb96d
--- /dev/null
+++ b/templates-cfg/zone-policy/zone/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Zone description
diff --git a/templates-cfg/zone-policy/zone/node.tag/from/node.def b/templates-cfg/zone-policy/zone/node.tag/from/node.def
new file mode 100644
index 0000000..433f423
--- /dev/null
+++ b/templates-cfg/zone-policy/zone/node.tag/from/node.def
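Review bot: default-action/node.def defines `create:` and `update:` but no `delete:`, so with `default: "drop"` a user who sets `reject` and later deletes the node would — unless the backend re-runs `update:` with the default value on delete, which is not visible here and should be confirmed — leave the policy last applied by `set-default-policy` at `reject` while the configuration shows the default `drop`. If the backend does not do that, add a `delete:` stanza that calls `/opt/vyatta/sbin/vyatta-zone.pl --action=set-default-policy --zone-name="$VAR(../@)" --default-policy=drop` and exits 1 on failure, exactly like the two existing stanzas. Since `create:` and `update:` are identical, a short comment such as `# update: must mirror create: — both just re-apply the chosen policy to the zone` would tell the next reader the duplication is deliberate rather than a copy-paste leftover.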
@@ -0,0 +1,42 @@
+tag:
+priority: 245 # after firewall, content-inspection
+type: txt
+help: Zone from which to filter traffic
+
+allowed:
+ local -a zones ;
+ eval "zones=($(cli-shell-api listActiveNodes zone-policy zone))"
+ echo -n "${zones[@]}"
+
+begin:
+if ! /opt/vyatta/sbin/vyatta-zone.pl --action=validity-checks --zone-name=none --silent-validate=true; then
+ exit 1
+fi
+
+create:
+ parent_zone=$VAR(../@)
+ zones=($VAR(../@@))
+ num_zones=${#zones[*]}
+ i=0
+ found=0
+ while [ $i -lt $num_zones ]; do
+ if [ "${zones[$i]}" == "$VAR(@)" ] ; then
+ if [ "$parent_zone" == "$VAR(@)" ]; then
+ echo from zone same as zone [$parent_zone] itself
+ exit 1
+ fi
+ found=1
+ fi
+ let i++
+ done
+ if [ $found -eq 0 ]; then
+ echo Undefined from zone [$VAR(@)] under zone $parent_zone
+ exit 1
+ else
+ if ! /opt/vyatta/sbin/vyatta-zone.pl --action=add-zone --zone-name="$parent_zone"; then
+ exit 1
+ fi
+ if ! /opt/vyatta/sbin/vyatta-zone.pl --action=add-zone --zone-name="$VAR(@)"; then
+ exit 1
+ fi
+ fi
diff --git a/templates-cfg/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def b/templates-cfg/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def
new file mode 100644
index 0000000..391a66b
--- /dev/null
+++ b/templates-cfg/zone-policy/zone/node.tag/from/node.tag/firewall/ipv6-name/node.def
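Review bot: In the `create:` stanza of from/node.def both diagnostics expand unquoted — `echo from zone same as zone [$parent_zone] itself` and `echo Undefined from zone [$VAR(@)] under zone $parent_zone` — so `[name]` is a glob character class that a matching file in the working directory silently rewrites, and a name containing whitespace is re-split; quote them as `echo "from zone same as zone [$parent_zone] itself"` and `echo "Undefined from zone [$VAR(@)] under zone $parent_zone"`. The same word-splitting is what makes `zones=($VAR(../@@))` work at all: the lookup loop is only correct while zone names contain no whitespace, which the `[[:print:]]` pattern in zone/node.def does not guarantee, so either tighten that pattern or note the assumption here with `# assumes zone names contain no whitespace (sibling list is word-split)`. The index bookkeeping (`i`, `num_zones`, `let i++`) can be replaced by `for z in "${zones[@]}"; do ... done`, which is both shorter and quote-safe.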
@@ -0,0 +1,65 @@
+type: txt
+help: IPv6 firewall ruleset
+
+allowed:
+ local -a params ;
+ eval "params=($(cli-shell-api listActiveNodes firewall ipv6-name))"
+ echo -n "${params[@]}"
+
+create:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=is-fwruleset-active \
+ --zone-name="$VAR(../../../@)" \
+ --ruleset-type=ipv6-name \
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
+
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=add-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=ipv6-name \
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
+
+update:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=is-fwruleset-active \
+ --zone-name="$VAR(../../../@)" \
+ --ruleset-type=ipv6-name \
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
+
+ # need to undo previous ruleset here first
+ old_ruleset=$(cli-shell-api returnActiveValue zone-policy zone \
+ $VAR(../../../@) from $VAR(../../@) firewall ipv6-name)
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=delete-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=ipv6-name \
+ --ruleset-name="$old_ruleset"; then
+ exit 1
+ fi
+
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=add-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=ipv6-name \
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
+
+delete:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=delete-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=ipv6-name \
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
diff --git a/templates-cfg/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def b/templates-cfg/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def
new file mode 100644
index 0000000..605add4
--- /dev/null
+++ b/templates-cfg/zone-policy/zone/node.tag/from/node.tag/firewall/name/node.def
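Review bot: In the `update:` stanza of ipv6-name/node.def the result of `old_ruleset=$(cli-shell-api returnActiveValue zone-policy zone $VAR(../../../@) from $VAR(../../@) firewall ipv6-name)` is never checked, so if cli-shell-api fails or prints nothing the stanza continues into `--action=delete-fromzone-fw ... --ruleset-name=""` and the update fails on that call instead of on the real cause; guard it with `old_ruleset=$(cli-shell-api returnActiveValue zone-policy zone "$VAR(../../../@)" from "$VAR(../../@)" firewall ipv6-name) || exit 1` followed by `[ -n "$old_ruleset" ] || exit 1`, which also quotes the two zone names that every other line in the file already quotes. Note as well that the old ruleset is detached before the new one is attached, so a failure of the second `add-fromzone-fw` leaves the zone pair with no ruleset and the commit reported as failed; whether traffic then falls to the zone's default-action or to no filtering at all depends on vyatta-zone.pl and deserves a one-line comment next to `# need to undo previous ruleset here first`.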
@@ -0,0 +1,66 @@
+type: txt
+help: IPv4 firewall ruleset
+
+allowed:
+ local -a params ;
+ eval "params=($(cli-shell-api listActiveNodes firewall name))"
+ echo -n "${params[@]}"
+
+create:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=is-fwruleset-active \
+ --zone-name="$VAR(../../../@)" \
+ --ruleset-type=name \
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
+
+
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=add-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=name \
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
+
+update:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=is-fwruleset-active \
+ --zone-name="$VAR(../../../@)" \
+ --ruleset-type=name \
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
+
+ # need to undo previous ruleset here first
+ old_ruleset=$(cli-shell-api returnActiveValue zone-policy zone \
+ $VAR(../../../@) from $VAR(../../@) firewall name)
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=delete-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=name \
+ --ruleset-name="$old_ruleset"; then
+ exit 1
+ fi
+
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=add-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=name \
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
+
+delete:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=delete-fromzone-fw \
+ --zone-name="$VAR(../../../@)" \
+ --from-zone="$VAR(../../@)" \
+ --ruleset-type=name \
+ --ruleset-name="$VAR(@)"; then
+ exit 1
+ fi
diff --git a/templates-cfg/zone-policy/zone/node.tag/from/node.tag/firewall/node.def b/templates-cfg/zone-policy/zone/node.tag/from/node.tag/firewall/node.def
new file mode 100644
index 0000000..bb7fff5
--- /dev/null
+++ b/templates-cfg/zone-policy/zone/node.tag/from/node.tag/firewall/node.def
@@ -0,0 +1 @@
+help: Firewall options
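Review bot: firewall/name/node.def is a copy of firewall/ipv6-name/node.def with `--ruleset-type=ipv6-name` replaced by `--ruleset-type=name` (plus a stray second blank line in `create:`), so any fix to one — for instance checking the result of `old_ruleset=$(cli-shell-api returnActiveValue ...)` in `update:` before handing it to `delete-fromzone-fw` — has to be made twice and the two files will drift. At minimum add `# keep in sync with ../ipv6-name/node.def — identical except for --ruleset-type` at the top of each; the cleaner fix is to move the three stanzas into one helper script that takes the ruleset type as an argument and have both templates call it. Drop the extra blank line in `create:` so that the two files diff cleanly while they remain duplicated.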
diff --git a/templates-cfg/zone-policy/zone/node.tag/interface/node.def b/templates-cfg/zone-policy/zone/node.tag/interface/node.def
new file mode 100644
index 0000000..36ff3e2
--- /dev/null
+++ b/templates-cfg/zone-policy/zone/node.tag/interface/node.def
@@ -0,0 +1,24 @@
+multi:
+type: txt
+help: Interface associated with zone
+allowed: /opt/vyatta/sbin/vyatta-interfaces.pl --show=all | sed -e s/'lo '//
+
+syntax:expression: $VAR(@) != "lo" ; "Cannot assign loopback interface to a transit zone. It's part of local-zone"
+
+create: /opt/vyatta/sbin/vyatta-interfaces.pl --dev=$VAR(@) --warn
+
+create:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=add-zone-interface \
+ --zone-name="$VAR(../@)" \
+ --interface="$VAR(@)"; then
+ exit 1
+ fi
+
+delete:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=delete-zone-interface \
+ --zone-name="$VAR(../@)" \
+ --interface="$VAR(@)"; then
+ exit 1
+ fi
diff --git a/templates-cfg/zone-policy/zone/node.tag/local-zone/node.def b/templates-cfg/zone-policy/zone/node.tag/local-zone/node.def
new file mode 100644
index 0000000..4db0f63
--- /dev/null
+++ b/templates-cfg/zone-policy/zone/node.tag/local-zone/node.def
@@ -0,0 +1,15 @@
+help: Zone to be local-zone
+
+create:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=add-localzone \
+ --zone-name="$VAR(../@)"; then
+ exit 1
+ fi
+
+delete:
+ if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=delete-localzone \
+ --zone-name="$VAR(../@)"; then
+ exit 1
+ fi
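Review bot: interface/node.def carries two `create:` stanzas — the one-liner `create: /opt/vyatta/sbin/vyatta-interfaces.pl --dev=$VAR(@) --warn` and the block that calls `add-zone-interface` — and whether the template parser runs both or keeps only the last one is not visible here and should be confirmed; in either case the first leaves `$VAR(@)` unquoted while the second quotes it as `--interface="$VAR(@)"`. Merging them into a single stanza with `/opt/vyatta/sbin/vyatta-interfaces.pl --dev="$VAR(@)" --warn` as its first line removes both the ambiguity and the inconsistency. The `allowed:` filter `sed -e s/'lo '//` only removes `lo` when it is followed by a space, so it does not drop a trailing `lo`; that is harmless only because the `syntax:expression: $VAR(@) != "lo"` rule is what actually enforces the restriction, and a comment saying `# cosmetic: the syntax rule below is the real guard against lo` would keep someone from "fixing" the sed instead of the rule.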