-rw-r--r--scripts/vyatta-zone-ips.pl10
-rwxr-xr-xscripts/vyatta-zone.pl14
-rw-r--r--templates-cfg/zone-policy/node.def2
-rw-r--r--templates-cfg/zone-policy/zone/node.tag/from/node.def32
4 files changed, 24 insertions, 34 deletions
diff --git a/scripts/vyatta-zone-ips.pl b/scripts/vyatta-zone-ips.pl
index 760f82a..90d3c0a 100644
--- a/scripts/vyatta-zone-ips.pl
+++ b/scripts/vyatta-zone-ips.pl
@@ -54,15 +54,17 @@ sub setup_default_policy {
# If there's a return all rule at rule_cnt - 1 then remove that.
# In IPS zone chain a return all target can only be for default policy
if ($rule_cnt > 1) {
- my $in_intf = '$6';
+ my $intf = '$6';
+ $intf = '$7' if defined $localoutchain;
# set IPv6 params if using ip6tables
if ($cmd_hash{$tree} =~ '6') {
- $in_intf = '$5';
+ $intf = '$5';
+ $intf = '$6' if defined $localoutchain;
}
my $penultimate_rule_num=$rule_cnt-1;
$cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .
"-L $zone_chain $penultimate_rule_num -v " .
- "| awk {'print \$3\" \"$in_intf'}";
+ "| awk {'print \$3\" \"$intf'}";
my $target=`$cmd`;
chomp $target;
if (defined $target && ($target eq 'RETURN any')) {
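Review bot: The new awk field selections (`'$6'`/`'$7'` for iptables and `'$5'`/`'$6'` for ip6tables) are undocumented magic numbers, and renaming `$in_intf` to `$intf` removes the only hint that the column picked is the in- versus out-interface. A comment above `my $intf = '$6';` would make the intent recoverable, e.g. `# awk field of the interface column in "-L <chain> -v" output: in-intf is $6 (ip6tables: $5), out-intf is one to the right; a local-out chain needs the out-intf` — the column layout should be confirmed against the installed iptables version. `$localoutchain` is not declared within the hunk, so it is presumably unpacked from `@_` in the part of setup_default_policy that precedes this hunk; the function's body also continues past it. The backtick pipeline at `my $target=`$cmd`;` is unchanged by the commit but still interpolates `$zone_chain` into a shell string, which is worth keeping in mind if zone names ever come from anything other than validated configuration.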
@@ -148,7 +150,7 @@ sub delete_from_rule {
$ruleset_name=$ruleset;
} else { # called from undo_ips_interface_zone()
$ruleset_name = 'VYATTA_SNORT_all_HOOK' if defined
- Vyatta::Zone::is_ips_enabled("exists",
+ Vyatta::Zone::is_ips_enabled("existsOrig",
$zone_name, $from_zone, $ruleset_type);
}
diff --git a/scripts/vyatta-zone.pl b/scripts/vyatta-zone.pl
index a04ca0b..80c76be 100755
--- a/scripts/vyatta-zone.pl
+++ b/scripts/vyatta-zone.pl
@@ -142,13 +142,25 @@ sub delete_from_rule {
my ($zone_name, $from_zone, $interface, $ruleset_type, $ruleset,
$direction, $zone_chain) = @_;
my ($cmd, $error);
- my $ruleset_name;
+ my ($ruleset_name, $new_ruleset_name);
if (defined $ruleset) { # called from node.def
$ruleset_name=$ruleset;
} else { # called from undo_firewall_interface_zone()
$ruleset_name=Vyatta::Zone::get_firewall_ruleset("returnOrigValue",
$zone_name, $from_zone, $ruleset_type);
+ $new_ruleset_name=Vyatta::Zone::get_firewall_ruleset("returnValue",
+ $zone_name, $from_zone, $ruleset_type);
+
+ if (defined $ruleset_name) {
+ if (defined $new_ruleset_name) {
+ # if ruleset modified, call from node.def will take care of this
+ $ruleset_name=undef if $ruleset_name ne $new_ruleset_name;
+ } else {
+ # if ruleset deleted, call from node.def will take care of this
+ $ruleset_name=undef;
+ }
+ }
}
if (defined $ruleset_name) {
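Review bot: The nested `if (defined $ruleset_name) { if (defined $new_ruleset_name) { ... } else { ... } }` block collapses to a single guard that reads as the rule it implements: `# a modified or deleted ruleset is handled by the node.def invocation, not the undo path`, `$ruleset_name = undef if defined $ruleset_name`, `    && !(defined $new_ruleset_name && $ruleset_name eq $new_ruleset_name);` — the original's two branch comments say the same thing twice. The `$ruleset_name ne $new_ruleset_name` comparison is correct as a string compare, since both come from get_firewall_ruleset. The sibling delete_from_rule in vyatta-zone-ips.pl (earlier hunk, `existsOrig`) gets no equivalent modified/deleted guard; whether is_ips_enabled needs one cannot be told from this diff. delete_from_rule's signature precedes the hunk and its body continues after it.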
diff --git a/templates-cfg/zone-policy/node.def b/templates-cfg/zone-policy/node.def
index 52a6b68..d5ca5cb 100644
--- a/templates-cfg/zone-policy/node.def
+++ b/templates-cfg/zone-policy/node.def
@@ -1,4 +1,4 @@
-priority: 250 # after zone-policy/zone/node.tag/from/
+priority: 250 # after firewall, content-inspection
help: Configure zone-policy
diff --git a/templates-cfg/zone-policy/zone/node.tag/from/node.def b/templates-cfg/zone-policy/zone/node.tag/from/node.def
index 62cd3cb..7691fba 100644
--- a/templates-cfg/zone-policy/zone/node.tag/from/node.def
+++ b/templates-cfg/zone-policy/zone/node.tag/from/node.def
@@ -1,5 +1,5 @@
tag:
-priority: 245 # after firewall, content-inspection
+priority: 251 # after zone-policy
type: txt
help: Zone from which to filter traffic
@@ -9,9 +9,9 @@ allowed:
echo -n "${zones[@]}"
begin:
-if ! /opt/vyatta/sbin/vyatta-zone.pl \
- --action=validity-checks \
- --zone-name=none \
+if ! /opt/vyatta/sbin/vyatta-zone.pl \
+ --action=validity-checks \
+ --zone-name=none \
--silent-validate=true; then
exit 1
fi
@@ -35,28 +35,4 @@ create:
if [ $found -eq 0 ]; then
echo Undefined from zone [$VAR(@)] under zone $parent_zone
exit 1
- else
- # fw zone actions
- if ! /opt/vyatta/sbin/vyatta-zone.pl \
- --action=add-zone \
- --zone-name="$parent_zone"; then
- exit 1
- fi
- if ! /opt/vyatta/sbin/vyatta-zone.pl \
- --action=add-zone \
- --zone-name="$VAR(@)"; then
- exit 1
- fi
-
- # ips zone actions
- if ! /opt/vyatta/sbin/vyatta-zone-ips.pl \
- --action=add-zone \
- --zone-name="$parent_zone"; then
- exit 1
- fi
- if ! /opt/vyatta/sbin/vyatta-zone-ips.pl \
- --action=add-zone \
- --zone-name="$VAR(@)"; then
- exit 1
- fi
fi