Diffstat (limited to 'templates-cfg')
8 files changed, 199 insertions, 31 deletions
diff --git a/templates-cfg/zone-policy/node.def b/templates-cfg/zone-policy/node.def index 440d397..52a6b68 100644 --- a/templates-cfg/zone-policy/node.def +++ b/templates-cfg/zone-policy/node.def @@ -1,6 +1,11 @@ priority: 250 # after zone-policy/zone/node.tag/from/ + help: Configure zone-policy -begin: -if ! /opt/vyatta/sbin/vyatta-zone.pl --action=validity-checks --zone-name=none --silent-validate=false; then - exit 1 + +begin: +if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=validity-checks \ + --zone-name=none \ + --silent-validate=false; then + exit 1 fi diff --git a/templates-cfg/zone-policy/zone/node.def b/templates-cfg/zone-policy/zone/node.def index eb8c3c8..56c09c2 100644 --- a/templates-cfg/zone-policy/zone/node.def +++ b/templates-cfg/zone-policy/zone/node.def @@ -10,15 +10,31 @@ syntax:expression: pattern $VAR(@) "^[^-]" ; "Zone name cannot start with \"-\"" syntax:expression: pattern $VAR(@) "^[^;]*$" ; "Zone name cannot contain ';'" create: - if ! /opt/vyatta/sbin/vyatta-zone.pl \ - --action=add-zone \ - --zone-name="$VAR(@)"; then - exit 1 - fi + # fw zone actions + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=add-zone \ + --zone-name="$VAR(@)"; then + exit 1 + fi + + # ips zone actions + if ! /opt/vyatta/sbin/vyatta-zone-ips.pl \ + --action=add-zone \ + --zone-name="$VAR(@)"; then + exit 1 + fi delete: - if ! /opt/vyatta/sbin/vyatta-zone.pl \ - --action=delete-zone \ - --zone-name="$VAR(@)"; then - exit 1 - fi + # fw zone actions + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=delete-zone \ + --zone-name="$VAR(@)"; then + exit 1 + fi + + # ips zone actions + if ! /opt/vyatta/sbin/vyatta-zone-ips.pl \ + --action=delete-zone \ + --zone-name="$VAR(@)"; then + exit 1 + fi diff --git a/templates-cfg/zone-policy/zone/node.tag/from/node.def b/templates-cfg/zone-policy/zone/node.tag/from/node.def index 433f423..62cd3cb 100644 --- a/templates-cfg/zone-policy/zone/node.tag/from/node.def +++ b/templates-cfg/zone-policy/zone/node.tag/from/node.def 
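Review bot: In the `create:` action of zone/node.def the new `vyatta-zone-ips.pl --action=add-zone` call runs only after `vyatta-zone.pl --action=add-zone` has already succeeded, so a failure in the second script returns `exit 1` with the firewall zone already created and nothing undoing it; `delete:` has the mirror problem, where a failing fw delete skips the ips delete entirely. The same two-script sequence without compensation is repeated in the from/node.def, interface/node.def and local-zone/node.def hunks. Either undo the fw step when the ips step fails, or make the partial-state outcome explicit with a comment such as `# NOTE: no rollback - if the ips step fails the fw zone stays created/deleted` above each pair.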
@@ -9,8 +9,11 @@ allowed: echo -n "${zones[@]}" begin: -if ! /opt/vyatta/sbin/vyatta-zone.pl --action=validity-checks --zone-name=none --silent-validate=true; then - exit 1 +if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=validity-checks \ + --zone-name=none \ + --silent-validate=true; then + exit 1 fi create: @@ -33,10 +36,27 @@ create: echo Undefined from zone [$VAR(@)] under zone $parent_zone exit 1 else - if ! /opt/vyatta/sbin/vyatta-zone.pl --action=add-zone --zone-name="$parent_zone"; then + # fw zone actions + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=add-zone \ + --zone-name="$parent_zone"; then + exit 1 + fi + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=add-zone \ + --zone-name="$VAR(@)"; then + exit 1 + fi + + # ips zone actions + if ! /opt/vyatta/sbin/vyatta-zone-ips.pl \ + --action=add-zone \ + --zone-name="$parent_zone"; then exit 1 fi - if ! /opt/vyatta/sbin/vyatta-zone.pl --action=add-zone --zone-name="$VAR(@)"; then + if ! /opt/vyatta/sbin/vyatta-zone-ips.pl \ + --action=add-zone \ + --zone-name="$VAR(@)"; then exit 1 fi fi diff --git a/templates-cfg/zone-policy/zone/node.tag/from/node.tag/content-inspection/.ipv6-enable/node.def b/templates-cfg/zone-policy/zone/node.tag/from/node.tag/content-inspection/.ipv6-enable/node.def new file mode 100644 index 0000000..87a2ea1 --- /dev/null +++ b/templates-cfg/zone-policy/zone/node.tag/from/node.tag/content-inspection/.ipv6-enable/node.def 
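Review bot: The `begin:` check in from/node.def (and the matching one in zone-policy/node.def) still calls only `vyatta-zone.pl --action=validity-checks`, while `create:` now also drives `vyatta-zone-ips.pl`, so whatever that script requires is not validated before the actions run. If it exposes an equivalent check, add it alongside the existing one; otherwise a comment like `# ips zones have no separate validity check; vyatta-zone-ips.pl reports failures at create time` would explain the asymmetry. In the else branch the order is now fw parent, fw child, ips parent, ips child, so an ips failure leaves both fw zones added before `exit 1` is reached. The enclosing `create:` action continues past the end of the hunk.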
@@ -0,0 +1,46 @@ +help: Option to enable IPv6 content-inspection + +# check if traffic-filter is set +commit:expression: +exec " +if cli-shell-api existsEffective \ +content-inspection traffic-filter ipv6-preset; then \ + exit 0; \ +fi; \ +if cli-shell-api existsEffective \ +content-inspection traffic-filter ipv6-custom; then \ + exit 0; \ +fi; \ +echo IPv6 content-inspection traffic-filter not set; \ +exit 1" + +# make sure inspect-all is not enabled +commit:expression: +exec " +if ! cli-shell-api existsEffective \ +content-inspection inspect-all ipv6-enable; then \ + exit 0; \ +fi; \ +echo IPv6 content-inspection enabled for all traffic. Not \ +allowed to configure inspection on a per-zone basis.; \ +exit 1" + +create: + if ! /opt/vyatta/sbin/vyatta-zone-ips.pl \ + --action=add-fromzone-ips \ + --zone-name="$VAR(../../../@)" \ + --from-zone="$VAR(../../@)" \ + --ruleset-type=ipv6-name \ + --ruleset-name=VYATTA_SNORT_all_HOOK; then + exit 1 + fi + +delete: + if ! /opt/vyatta/sbin/vyatta-zone-ips.pl \ + --action=delete-fromzone-ips \ + --zone-name="$VAR(../../../@)" \ + --from-zone="$VAR(../../@)" \ + --ruleset-type=ipv6-name \ + --ruleset-name=VYATTA_SNORT_all_HOOK; then + exit 1 + fi diff --git a/templates-cfg/zone-policy/zone/node.tag/from/node.tag/content-inspection/enable/node.def b/templates-cfg/zone-policy/zone/node.tag/from/node.tag/content-inspection/enable/node.def new file mode 100644 index 0000000..484780a --- /dev/null +++ b/templates-cfg/zone-policy/zone/node.tag/from/node.tag/content-inspection/enable/node.def 
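Review bot: Both `commit:expression:` blocks test `cli-shell-api existsEffective`, which as far as I can tell reflects the already-committed configuration rather than the working tree, so setting `content-inspection traffic-filter ipv6-preset` and this node in the same commit may be rejected depending on commit ordering; please confirm that is intended, and if so note it with `# traffic-filter must already be committed before per-zone inspection can be enabled`. The two expressions and the create/delete actions are repeated nearly verbatim in enable/node.def with the `ipv6-`/`ipv6-name` forms swapped for IPv4, and `VYATTA_SNORT_all_HOOK` is hard-coded in four places, so a short comment saying where that chain is defined would help the next maintainer. The leading dot on the `.ipv6-enable` directory presumably keeps the node out of the built template tree; if that is the intent, say so in a comment at the top of the file, since nothing in it explains why the IPv6 variant is hidden.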
@@ -0,0 +1,46 @@ +help: Option to enable IPv4 content-inspection + +# check if traffic-filter is set +commit:expression: +exec " +if cli-shell-api existsEffective \ +content-inspection traffic-filter preset; then \ + exit 0; \ +fi; \ +if cli-shell-api existsEffective \ +content-inspection traffic-filter custom; then \ + exit 0; \ +fi; \ +echo IPv4 content-inspection traffic-filter not set; \ +exit 1" + +# make sure inspect-all is not enabled +commit:expression: +exec " +if ! cli-shell-api existsEffective \ +content-inspection inspect-all enable; then \ + exit 0; \ +fi; \ +echo IPv4 content-inspection enabled for all traffic. Not \ +allowed to configure inspection on a per-zone basis.; \ +exit 1" + +create: + if ! /opt/vyatta/sbin/vyatta-zone-ips.pl \ + --action=add-fromzone-ips \ + --zone-name="$VAR(../../../@)" \ + --from-zone="$VAR(../../@)" \ + --ruleset-type=name \ + --ruleset-name=VYATTA_SNORT_all_HOOK; then + exit 1 + fi + +delete: + if ! /opt/vyatta/sbin/vyatta-zone-ips.pl \ + --action=delete-fromzone-ips \ + --zone-name="$VAR(../../../@)" \ + --from-zone="$VAR(../../@)" \ + --ruleset-type=name \ + --ruleset-name=VYATTA_SNORT_all_HOOK; then + exit 1 + fi diff --git a/templates-cfg/zone-policy/zone/node.tag/from/node.tag/content-inspection/node.def b/templates-cfg/zone-policy/zone/node.tag/from/node.tag/content-inspection/node.def new file mode 100644 index 0000000..9ba25ef --- /dev/null +++ b/templates-cfg/zone-policy/zone/node.tag/from/node.tag/content-inspection/node.def @@ -0,0 +1 @@ +help: Content-inspection options diff --git a/templates-cfg/zone-policy/zone/node.tag/interface/node.def b/templates-cfg/zone-policy/zone/node.tag/interface/node.def index 36ff3e2..c9137c4 100644 --- a/templates-cfg/zone-policy/zone/node.tag/interface/node.def +++ b/templates-cfg/zone-policy/zone/node.tag/interface/node.def 
@@ -8,17 +8,35 @@ syntax:expression: $VAR(@) != "lo" ; "Cannot assign loopback interface to a tran create: /opt/vyatta/sbin/vyatta-interfaces.pl --dev=$VAR(@) --warn create: - if ! /opt/vyatta/sbin/vyatta-zone.pl \ - --action=add-zone-interface \ - --zone-name="$VAR(../@)" \ - --interface="$VAR(@)"; then + # fw zone actions + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=add-zone-interface \ + --zone-name="$VAR(../@)" \ + --interface="$VAR(@)"; then + exit 1 + fi + + # ips zone actions + if ! /opt/vyatta/sbin/vyatta-zone-ips.pl \ + --action=add-zone-interface \ + --zone-name="$VAR(../@)" \ + --interface="$VAR(@)"; then exit 1 fi delete: - if ! /opt/vyatta/sbin/vyatta-zone.pl \ - --action=delete-zone-interface \ - --zone-name="$VAR(../@)" \ - --interface="$VAR(@)"; then + # fw zone actions + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=delete-zone-interface \ + --zone-name="$VAR(../@)" \ + --interface="$VAR(@)"; then + exit 1 + fi + + # ips zone actions + if ! /opt/vyatta/sbin/vyatta-zone-ips.pl \ + --action=delete-zone-interface \ + --zone-name="$VAR(../@)" \ + --interface="$VAR(@)"; then exit 1 fi diff --git a/templates-cfg/zone-policy/zone/node.tag/local-zone/node.def b/templates-cfg/zone-policy/zone/node.tag/local-zone/node.def index 4db0f63..07c3d55 100644 --- a/templates-cfg/zone-policy/zone/node.tag/local-zone/node.def +++ b/templates-cfg/zone-policy/zone/node.tag/local-zone/node.def 
@@ -1,15 +1,31 @@ help: Zone to be local-zone create: - if ! /opt/vyatta/sbin/vyatta-zone.pl \ - --action=add-localzone \ - --zone-name="$VAR(../@)"; then + # fw zone actions + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=add-localzone \ + --zone-name="$VAR(../@)"; then + exit 1 + fi + + # ips zone actions + if ! /opt/vyatta/sbin/vyatta-zone-ips.pl \ + --action=add-localzone \ + --zone-name="$VAR(../@)"; then exit 1 fi delete: - if ! /opt/vyatta/sbin/vyatta-zone.pl \ - --action=delete-localzone \ - --zone-name="$VAR(../@)"; then + # fw zone actions + if ! /opt/vyatta/sbin/vyatta-zone.pl \ + --action=delete-localzone \ + --zone-name="$VAR(../@)"; then + exit 1 + fi + + # ips zone actions + if ! /opt/vyatta/sbin/vyatta-zone-ips.pl \ + --action=delete-localzone \ + --zone-name="$VAR(../@)"; then exit 1 fi |