-rwxr-xr-x | lib/Vyatta/Zone.pm | 122 | ||||
-rw-r--r-- | scripts/vyatta-zone-ips.pl | 84 | ||||
-rwxr-xr-x | scripts/vyatta-zone.pl | 84 |
3 files changed, 146 insertions, 144 deletions
diff --git a/lib/Vyatta/Zone.pm b/lib/Vyatta/Zone.pm
index 7f471b0..a4c9d64 100755
--- a/lib/Vyatta/Zone.pm
+++ b/lib/Vyatta/Zone.pm
@@ -368,16 +368,134 @@ sub delete_intf_from_zonechain {
         $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -D $feature_chain " .
                "-o $interface -j $zone_chain";
         $error = run_cmd($cmd);
-        return "Error: call to delete jump rule for outgoing interface $interface
+        return "call to delete jump rule for outgoing interface $interface
 to $zone_chain chain failed [$error]" if $error;
 
         # delete rule to allow same zone to same zone traffic
         $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -D $zone_chain " .
                "-i $interface -j RETURN";
         $error = run_cmd($cmd);
-        return "Error: call to delete interface $interface from zone-chain
+        return "call to delete interface $interface from zone-chain
 $zone_chain with failed [$error]" if $error;
     }
+
+    # success
+    return;
+}
+
+sub add_jump_to_localin_zonechain {
+    my ($zone_chain_func, $zone_name, $feature_chain) = @_;
+    my ($cmd, $error);
+    my $zone_chain=
+        $get_zone_chain_hash{$zone_chain_func}->("exists", $zone_name);
+
+    foreach my $tree (keys %cmd_hash) {
+
+        my $rule_cnt =
+            Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree},
+                $table_hash{$tree}, $feature_chain);
+        my $insert_at_rule_num=1;
+        if ( $rule_cnt > 1 ) {
+            $insert_at_rule_num=$rule_cnt;
+        }
+        my $result = rule_exists ($cmd_hash{$tree}, $table_hash{$tree},
+            $feature_chain, $zone_chain);
+
+        if ($result < 1) {
+            # insert rule to filter local traffic from interface per ruleset
+            $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -I " .
+                   "$feature_chain $insert_at_rule_num -j $zone_chain";
+            $error = run_cmd($cmd);
+            return "call to add jump rule for local zone
+$zone_chain chain failed [$error]" if $error;
+        }
+    }
+
+    # success
+    return;
+}
+
+sub remove_jump_to_localin_zonechain {
+    my ($zone_chain_func, $zone_name, $feature_chain) = @_;
+    my ($cmd, $error);
+    my $zone_chain=
+        $get_zone_chain_hash{$zone_chain_func}->("existsOrig", $zone_name);
+
+    foreach my $tree (keys %cmd_hash) {
+
+        # delete rule to filter traffic destined for system
+        $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -D $feature_chain " .
+               "-j $zone_chain";
+        $error = run_cmd($cmd);
+        return "call to delete local zone
+$zone_chain chain failed [$error]" if $error;
+
+    }
+
+    # success
+    return;
+}
+
+sub add_jump_to_localout_zonechain {
+    my ($zone_chain_func, $zone_name, $feature_chain) = @_;
+    my ($cmd, $error);
+
+    my $zone_chain=$get_zone_chain_hash{$zone_chain_func}->("exists",
+        $zone_name, 'localout');
+    # add jump to local-zone-out chain
+    foreach my $tree (keys %cmd_hash) {
+        # if jump to localzoneout chain not inserted, then insert rule
+        my $rule_cnt =
+            Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree},
+                $table_hash{$tree}, $feature_chain);
+        my $insert_at_rule_num=1;
+        if ( $rule_cnt > 1 ) {
+            $insert_at_rule_num=$rule_cnt;
+        }
+        my $result = rule_exists ($cmd_hash{$tree}, $table_hash{$tree},
+            $feature_chain, $zone_chain);
+        if ($result < 1) {
+            my $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .
+                      "-I $feature_chain $insert_at_rule_num -j $zone_chain";
+            $error = run_cmd($cmd);
+            return "call to add jump rule for local zone out
+$zone_chain chain failed [$error]" if $error;
+        }
+    }
+
+    # success
+    return;
+}
+
+sub remove_jump_to_localout_zonechain {
+    my ($zone_chain_func, $zone_name, $feature_chain) = @_;
+    my ($cmd, $error);
+
+    my $zone_chain=
+        $get_zone_chain_hash{$zone_chain_func}->("existsOrig",
+            $zone_name, 'localout');
+
+    # if only two rules then delete jump from OUTPUT chain in both
+    foreach my $tree (keys %cmd_hash) {
+        my $rule_cnt =
+            Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree},
+                $table_hash{$tree}, $zone_chain);
+        if ($rule_cnt > 2) {
+            # atleast one of [ip or ip6]tables has local-zone as a from zone
+            return;
+        }
+    }
+
+    foreach my $tree (keys %cmd_hash) {
+        $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .
+               "-D $feature_chain -j $zone_chain";
+        $error = run_cmd($cmd);
+        return "call to delete jump rule for local zone out
+$zone_chain chain failed [$error]" if $error;
+    }
+
+    # success
+    return;
 }
 
 1;
diff --git a/scripts/vyatta-zone-ips.pl b/scripts/vyatta-zone-ips.pl
index 03e95cd..760f82a 100644
--- a/scripts/vyatta-zone-ips.pl
+++ b/scripts/vyatta-zone-ips.pl
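Review bot: In all four new subs `$get_zone_chain_hash{$zone_chain_func}->(...)` is dereferenced without checking that the key exists, so a mistyped function name dies inside the module with Perl's "undefined value as a subroutine reference" instead of returning an error string the way every other failure in these subs does; a guard such as `my $chain_fn = $get_zone_chain_hash{$zone_chain_func} or return "unknown zone chain function '$zone_chain_func'";` keeps the error path uniform (the hash itself is defined outside the hunk). The iptables invocations are still assembled as single `"sudo ..."` strings with `$zone_chain` and `$feature_chain` interpolated; whether that string reaches a shell depends on `run_cmd`, which is not in the hunk, so the helpers' safety currently rests on callers passing only validated chain names, which deserves a comment on each sub or, better, a list-form invocation inside `run_cmd`. In add_jump_to_localout_zonechain the inner `my $cmd` shadows the `$cmd` declared at the top of the sub, unlike add_jump_to_localin_zonechain; dropping the inner `my` makes the two siblings match. The four subs also lack POD; each should state that it returns nothing on success and a message without the `Error:` prefix on failure, since the callers prepend that prefix themselves.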
@@ -270,27 +270,10 @@ sub undo_ips_interface_zone {
 sub do_ips_localzone {
     my ($zone_name) = @_;
     my ($cmd, $error);
-    my $zone_chain=Vyatta::Zone::get_ips_zone_chain("exists", $zone_name);
-    foreach my $tree (keys %cmd_hash) {
-
-        my $rule_cnt = Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree},
-            $table_hash{$tree}, "VYATTA_POST_FW_IN_HOOK");
-        my $insert_at_rule_num=1;
-        if ( $rule_cnt > 1 ) {
-            $insert_at_rule_num=$rule_cnt;
-        }
-        my $result = Vyatta::Zone::rule_exists ($cmd_hash{$tree},
-            $table_hash{$tree}, "VYATTA_POST_FW_IN_HOOK", $zone_chain);
-        if ($result < 1) {
-            # insert rule to filter local traffic from interface per ruleset
-            $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -I " .
-                   "VYATTA_POST_FW_IN_HOOK $insert_at_rule_num -j $zone_chain";
-            $error = Vyatta::Zone::run_cmd($cmd);
-            return "Error: call to add jump rule for local zone
-$zone_chain chain failed [$error]" if $error;
-        }
-    }
+    $error = Vyatta::Zone::add_jump_to_localin_zonechain('get_ips_zone_chain',
+        $zone_name, 'VYATTA_POST_FW_IN_HOOK');
+    return "Error: $error" if $error;
 
     # get all zones in which local zone is being used as a from zone
     # filter traffic from local zone to those zones
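Review bot: After this change nothing in the visible part of do_ips_localzone assigns `$cmd` — the loop that built the iptables command moved into Vyatta::Zone::add_jump_to_localin_zonechain — so `my ($cmd, $error);` should become `my $error;` unless the rest of the sub, which runs past the hunk, still uses it. The same leftover appears in undo_ips_localzone in the next hunk and in do_firewall_localzone and undo_firewall_localzone in scripts/vyatta-zone.pl. The helper returns its message without the `Error:` prefix and the caller adds it here, which keeps the previous return strings unchanged; a short comment at the call site stating that contract would help the next reader.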
@@ -318,17 +301,10 @@ $zone_chain chain failed [$error]" if $error;
 sub undo_ips_localzone {
     my ($zone_name) = @_;
     my ($cmd, $error);
-    my $zone_chain=Vyatta::Zone::get_ips_zone_chain("existsOrig", $zone_name);
-    foreach my $tree (keys %cmd_hash) {
-
-        # delete rule to filter traffic destined for system
-        $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -D " .
-               "VYATTA_POST_FW_IN_HOOK -j $zone_chain";
-        $error = Vyatta::Zone::run_cmd($cmd);
-        return "Error: call to delete local zone
-$zone_chain chain failed [$error]" if $error;
-    }
+    $error = Vyatta::Zone::remove_jump_to_localin_zonechain('get_ips_zone_chain',
+        $zone_name, 'VYATTA_POST_FW_IN_HOOK');
+    return "Error: $error" if $error;
 
     # get all zones in which local zone is being used as a from zone
     # remove filter for traffic from local zone to those zones
@@ -515,27 +491,9 @@ sub add_fromzone_ips {
             }
         }
-    my $zone_chain=Vyatta::Zone::get_ips_zone_chain("exists",
-        $from_zone, 'localout');
-    # add jump to local-zone-out chain in OUTPUT chains for [ip and ip6]tables
-    foreach my $tree (keys %cmd_hash) {
-        # if jump to localzoneout chain not inserted, then insert rule
-        my $rule_cnt = Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree},
-            $table_hash{$tree}, "VYATTA_POST_FW_OUT_HOOK");
-        my $insert_at_rule_num=1;
-        if ( $rule_cnt > 1 ) {
-            $insert_at_rule_num=$rule_cnt;
-        }
-        my $result = Vyatta::Zone::rule_exists ($cmd_hash{$tree},
-            $table_hash{$tree}, "VYATTA_POST_FW_OUT_HOOK", $zone_chain);
-        if ($result < 1) {
-            my $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .
-                      "-I VYATTA_POST_FW_OUT_HOOK $insert_at_rule_num -j $zone_chain";
-            $error = Vyatta::Zone::run_cmd($cmd);
-            return "Error: call to add jump rule for local zone out
-$zone_chain chain failed [$error]" if $error;
-        }
-    }
+    $error = Vyatta::Zone::add_jump_to_localout_zonechain(
+        'get_ips_zone_chain', $from_zone, 'VYATTA_POST_FW_OUT_HOOK');
+    return "Error: $error" if $error;
 
     } # end of else
@@ -568,28 +526,12 @@ sub delete_fromzone_ips {
             }
         }
-    my $zone_chain=Vyatta::Zone::get_ips_zone_chain("existsOrig",
-        $from_zone, 'localout');
-    # if only RETURN rule & localhost allow rule in $zone_chain in both
-    # [ip and ip6]tables then delete jump from OUTPUT chain in both
-    foreach my $tree (keys %cmd_hash) {
-        my $rule_cnt = Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree},
-            $table_hash{$tree}, $zone_chain);
-        if ($rule_cnt > 2) {
-            # atleast one of [ip or ip6]tables has local-zone as a from zone
-            return;
-        }
-    }
-
-    foreach my $tree (keys %cmd_hash) {
-        $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .
-               "-D VYATTA_POST_FW_OUT_HOOK -j $zone_chain";
-        $error = Vyatta::Zone::run_cmd($cmd);
-        return "Error: call to delete jump rule for local zone out
-$zone_chain chain failed [$error]" if $error;
-    }
+    $error = Vyatta::Zone::remove_jump_to_localout_zonechain(
+        'get_ips_zone_chain', $from_zone, 'VYATTA_POST_FW_OUT_HOOK');
+    return "Error: $error" if $error;
 
     } # end of else
+    return;
 }
diff --git a/scripts/vyatta-zone.pl b/scripts/vyatta-zone.pl
index e86df2e..a04ca0b 100755
--- a/scripts/vyatta-zone.pl
+++ b/scripts/vyatta-zone.pl
@@ -276,27 +276,10 @@ sub undo_firewall_interface_zone {
 sub do_firewall_localzone {
     my ($zone_name) = @_;
     my ($cmd, $error);
-    my $zone_chain=Vyatta::Zone::get_zone_chain("exists", $zone_name);
-    foreach my $tree (keys %cmd_hash) {
-
-        my $rule_cnt = Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree},
-            $table_hash{$tree}, "INPUT");
-        my $insert_at_rule_num=1;
-        if ( $rule_cnt > 1 ) {
-            $insert_at_rule_num=$rule_cnt;
-        }
-        my $result = Vyatta::Zone::rule_exists ($cmd_hash{$tree},
-            $table_hash{$tree}, "INPUT", $zone_chain);
-        if ($result < 1) {
-            # insert rule to filter local traffic from interface per ruleset
-            $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -I INPUT " .
-                   "$insert_at_rule_num -j $zone_chain";
-            $error = Vyatta::Zone::run_cmd($cmd);
-            return "Error: call to add jump rule for local zone
-$zone_chain chain failed [$error]" if $error;
-        }
-    }
+    $error = Vyatta::Zone::add_jump_to_localin_zonechain('get_zone_chain',
+        $zone_name, 'INPUT');
+    return "Error: $error" if $error;
 
     # get all zones in which local zone is being used as a from zone
     # filter traffic from local zone to those zones
@@ -324,17 +307,10 @@ $zone_chain chain failed [$error]" if $error;
 sub undo_firewall_localzone {
     my ($zone_name) = @_;
     my ($cmd, $error);
-    my $zone_chain=Vyatta::Zone::get_zone_chain("existsOrig", $zone_name);
-    foreach my $tree (keys %cmd_hash) {
-
-        # delete rule to filter traffic destined for system
-        $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -D INPUT " .
-               "-j $zone_chain";
-        $error = Vyatta::Zone::run_cmd($cmd);
-        return "Error: call to delete local zone
-$zone_chain chain failed [$error]" if $error;
-    }
+    $error = Vyatta::Zone::remove_jump_to_localin_zonechain('get_zone_chain',
+        $zone_name, 'INPUT');
+    return "Error: $error" if $error;
 
     # get all zones in which local zone is being used as a from zone
     # remove filter for traffic from local zone to those zones
@@ -518,27 +494,9 @@ sub add_fromzone_fw {
             }
         }
-    my $zone_chain=Vyatta::Zone::get_zone_chain("exists",
-        $from_zone, 'localout');
-    # add jump to local-zone-out chain in OUTPUT chains for [ip and ip6]tables
-    foreach my $tree (keys %cmd_hash) {
-        # if jump to localzoneout chain not inserted, then insert rule
-        my $rule_cnt = Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree},
-            $table_hash{$tree}, "OUTPUT");
-        my $insert_at_rule_num=1;
-        if ( $rule_cnt > 1 ) {
-            $insert_at_rule_num=$rule_cnt;
-        }
-        my $result = Vyatta::Zone::rule_exists ($cmd_hash{$tree},
-            $table_hash{$tree}, "OUTPUT", $zone_chain);
-        if ($result < 1) {
-            my $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .
-                      "-I OUTPUT $insert_at_rule_num -j $zone_chain";
-            $error = Vyatta::Zone::run_cmd($cmd);
-            return "Error: call to add jump rule for local zone out
-$zone_chain chain failed [$error]" if $error;
-        }
-    }
+    $error = Vyatta::Zone::add_jump_to_localout_zonechain(
+        'get_zone_chain', $from_zone, 'OUTPUT');
+    return "Error: $error" if $error;
 
     } # end of else
@@ -570,29 +528,13 @@ sub delete_fromzone_fw {
                 return "Error: $error" if $error;
             }
         }
-
-    my $zone_chain=Vyatta::Zone::get_zone_chain("existsOrig",
-        $from_zone, 'localout');
-    # if only drop rule & localhost allow rule in $zone_chain in both
-    # [ip and ip6]tables then delete jump from OUTPUT chain in both
-    foreach my $tree (keys %cmd_hash) {
-        my $rule_cnt = Vyatta::IpTables::Mgr::count_iptables_rules($cmd_hash{$tree},
-            $table_hash{$tree}, $zone_chain);
-        if ($rule_cnt > 2) {
-            # atleast one of [ip or ip6]tables has local-zone as a from zone
-            return;
-        }
-    }
-    foreach my $tree (keys %cmd_hash) {
-        $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .
-               "-D OUTPUT -j $zone_chain";
-        $error = Vyatta::Zone::run_cmd($cmd);
-        return "Error: call to delete jump rule for local zone out
-$zone_chain chain failed [$error]" if $error;
-    }
+    $error = Vyatta::Zone::remove_jump_to_localout_zonechain(
+        'get_zone_chain', $from_zone, 'OUTPUT');
+    return "Error: $error" if $error;
 
     } # end of else
+    return;
 }
|