From 4830952dc7a88a3732e4c269b65b01596bb7c413 Mon Sep 17 00:00:00 2001
From: Mohit Mehta
Date: Wed, 13 Oct 2010 17:38:39 -0700
Subject: move common hashes and create/delete zone chain functions to zone library
---
 lib/Vyatta/Zone.pm | 64 +++++++++++++++++++++++++++++++++++++++++
 scripts/vyatta-zone-ips.pl | 71 +++++++--------------------------------------
 scripts/vyatta-zone.pl | 67 +++++-------------------------------
 3 files changed, 81 insertions(+), 121 deletions(-)
diff --git a/lib/Vyatta/Zone.pm b/lib/Vyatta/Zone.pm
index 0559753..251b325 100755
--- a/lib/Vyatta/Zone.pm
+++ b/lib/Vyatta/Zone.pm
@@ -30,6 +30,28 @@ use Vyatta::Interface;
 use strict;
 use warnings;
+use base 'Exporter';
+
+# mapping from config node to iptables command
+our %cmd_hash = ( 'name' => '/sbin/iptables',
+ 'ipv6-name' => '/sbin/ip6tables');
+
+# mapping from config node to iptables/ip6tables table
+our %table_hash = ( 'name' => 'filter',
+ 'ipv6-name' => 'filter');
+
+# mapping from zone default action to iptables jump target
+our %policy_hash = ( 'drop' => 'DROP',
+ 'reject' => 'REJECT',
+ 'accept' => 'RETURN');
+
+our @EXPORT_OK = qw(%cmd_hash %table_hash %policy_hash);
+
+my %get_zone_chain_hash = (
+ get_zone_chain => \&get_zone_chain,
+ get_ips_zone_chain => \&get_ips_zone_chain,
+);
+
 my $debug="false";
 my $syslog="false";
 my $logger = 'sudo logger -t zone.pm -p local0.warn --';
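Review bot: `our %cmd_hash`, `%table_hash` and `%policy_hash` are exported as package variables, so every script that imports them gets an alias to the library's own mapping, and an assignment in any caller rewrites the iptables binary path or jump target that `create_zone_chain`/`delete_zone_chain` inside Zone.pm then execute. Exporter's documentation discourages exporting variables for exactly this reason; consider exporting accessor subs that return a copy (e.g. `sub cmd_hash { return %cmd_hash }`) or otherwise making the hashes read-only, and keeping `@EXPORT_OK` for subs. `use base 'Exporter'` is heavier than needed for a non-OO module; `use Exporter 'import';` is the usual idiom. `%get_zone_chain_hash` takes `\&get_zone_chain` and `\&get_ips_zone_chain` before those subs appear in the file, which works because the assignment runs at load time after the whole file is compiled, but a one-line comment saying so would spare the next reader a double-take.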
@@ -250,4 +272,46 @@ sub validity_checks {
 return;
 }
+sub create_zone_chain {
+ my ($feature_func, $zone_name, $localoutchain) = @_;
+ my ($cmd, $error);
+ my $zone_chain=$get_zone_chain_hash{$feature_func}->("exists",
+ $zone_name, $localoutchain);
+
+ # create zone chains in filter, ip6filter tables
+ foreach my $tree (keys %cmd_hash) {
+ $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " .
+ "-L $zone_chain >&/dev/null";
+ $error = run_cmd($cmd);
+ if ($error) {
+ # chain does not exist, go ahead create it
+ $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -N $zone_chain";
+ $error = run_cmd($cmd);
+ return "Error: create $zone_name chain with failed [$error]" if $error;
+ }
+ }
+
+ return;
+}
+
+sub delete_zone_chain {
+ my ($feature_func, $zone_name, $localoutchain) = @_;
+ my ($cmd, $error);
+ my $zone_chain=$get_zone_chain_hash{$feature_func}->("existsOrig",
+ $zone_name, $localoutchain);
+ # delete zone chains from filter, ip6filter tables
+ foreach my $tree (keys %cmd_hash) {
+ # flush all rules from zone chain
+ $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -F $zone_chain";
+ $error = run_cmd($cmd);
+ return "Error: flush all rules in $zone_name chain failed [$error]" if $error;
+
+ # delete zone chain
+ $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -X $zone_chain";
+ $error = run_cmd($cmd);
+ return "Error: delete $zone_name chain failed [$error]" if $error;
+ }
+ return;
+}
+
 1;
diff --git a/scripts/vyatta-zone-ips.pl b/scripts/vyatta-zone-ips.pl
index 0c8e3d1..7007a84 100644
--- a/scripts/vyatta-zone-ips.pl
+++ b/scripts/vyatta-zone-ips.pl
@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 #
-# Module: vyatta-zone.pl
+# Module: vyatta-zone-ips.pl
 #
 # **** License ****
 # This program is free software; you can redistribute it and/or modify
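Review bot: `$get_zone_chain_hash{$feature_func}->(...)` in both `create_zone_chain` and `delete_zone_chain` dereferences the lookup without checking it, so a caller passing any selector other than `get_zone_chain` or `get_ips_zone_chain` dies with Perl's generic "Can't use an undefined value as a subroutine reference" instead of the string error these subs otherwise return. A guard at the top of each, `my $chain_func = $get_zone_chain_hash{$feature_func} or return "Error: unknown zone chain lookup '$feature_func'";`, keeps the error contract uniform now that two scripts share the code. The `-L $zone_chain >&/dev/null` probe treats every non-zero exit from iptables as "chain does not exist" and goes on to `-N`, so a failure for another reason is reported as a create failure; that assumption deserves a comment, and `>&/dev/null` is a bash-ism whose behaviour depends on which shell `run_cmd` (outside the hunk) invokes. The message `"Error: create $zone_name chain with failed [$error]"` reads as a leftover; `"Error: create $zone_name chain failed [$error]"` matches the delete messages.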
@@ -27,25 +27,12 @@ use Getopt::Long;
 use POSIX;
 use lib "/opt/vyatta/share/perl5";
-use Vyatta::Zone;
 use Vyatta::IpTables::Mgr;
+use Vyatta::Zone qw(%cmd_hash %table_hash %policy_hash);
 use warnings;
 use strict;
-# IPS mapping from config node to iptables command. Similar to FW.
-my %cmd_hash = ( 'name' => '/sbin/iptables',
- 'ipv6-name' => '/sbin/ip6tables');
-
-# IPS mapping from config node to iptables/ip6tables table
-my %table_hash = ( 'name' => 'filter',
- 'ipv6-name' => 'filter');
-
-# mapping from vyatta 'default-policy' to iptables jump target
-my %policy_hash = ( 'drop' => 'DROP',
- 'reject' => 'REJECT',
- 'accept' => 'RETURN');
-
 sub setup_default_policy {
 my ($zone_name, $default_policy, $localoutchain) = @_;
 my ($cmd, $error);
@@ -90,48 +77,6 @@ in $zone_name chain failed [$error]" if $error; return; } -sub create_zone_chain { - my ($zone_name, $localoutchain) = @_; - my ($cmd, $error); - my $zone_chain=Vyatta::Zone::get_ips_zone_chain("exists", - $zone_name, $localoutchain); - - # create zone chains in filter, ip6filter tables - foreach my $tree (keys %cmd_hash) { - $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " . - "-L $zone_chain >&/dev/null"; - $error = Vyatta::Zone::run_cmd($cmd); - if ($error) { - # chain does not exist, go ahead create it - $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -N $zone_chain"; - $error = Vyatta::Zone::run_cmd($cmd); - return "Error: create $zone_name chain with failed [$error]" if $error; - } - } - - return; -} - -sub delete_zone_chain { - my ($zone_name, $localoutchain) = @_; - my ($cmd, $error); - my $zone_chain=Vyatta::Zone::get_ips_zone_chain("existsOrig", - $zone_name, $localoutchain); - # delete zone chains from filter, ip6filter tables - foreach my $tree (keys %cmd_hash) { - # flush all rules from zone chain - $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -F $zone_chain"; - $error = Vyatta::Zone::run_cmd($cmd); - return "Error: flush all rules in $zone_name chain failed [$error]" if $error; - - # delete zone chain - $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -X $zone_chain"; - $error = Vyatta::Zone::run_cmd($cmd); - return "Error: delete $zone_name chain failed [$error]" if $error; - } - return; -} - sub insert_from_rule { my ($zone_name, $from_zone, $interface, $ruleset_type, $ruleset, $direction, $zone_chain) = @_; 
@@ -454,12 +399,14 @@ $zone_chain chain failed [$error]" if $error;
 sub add_zone {
 my $zone_name = shift;
 # perform IPS related actions for this zone
- my $error = create_zone_chain ($zone_name);
+ my $error = Vyatta::Zone::create_zone_chain("get_ips_zone_chain",
+ $zone_name);
 return ($error, ) if $error;
 if (defined(Vyatta::Zone::is_local_zone("exists", $zone_name))) {
 # make local out chain as well
- $error = create_zone_chain ($zone_name, "localout");
+ $error = Vyatta::Zone::create_zone_chain("get_ips_zone_chain",
+ $zone_name, "localout");
 return ($error, ) if $error;
 # allow traffic sourced from and destined to localhost
@@ -536,11 +483,13 @@ sub add_zone {
 sub delete_zone {
 my $zone_name = shift;
 # undo IPS related actions for this zone
- my $error = delete_zone_chain ($zone_name);
+ my $error = Vyatta::Zone::delete_zone_chain("get_ips_zone_chain",
+ $zone_name);
 return ($error, ) if $error;
 if (defined(Vyatta::Zone::is_local_zone("existsOrig", $zone_name))) {
 # delete local out chain as well
- $error = delete_zone_chain ($zone_name, "localout");
+ $error = Vyatta::Zone::delete_zone_chain("get_ips_zone_chain",
+ $zone_name, "localout");
 return ($error, ) if $error;
 }
 return;
diff --git a/scripts/vyatta-zone.pl b/scripts/vyatta-zone.pl
index 0c05842..75de074 100755
--- a/scripts/vyatta-zone.pl
+++ b/scripts/vyatta-zone.pl
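Review bot: the new `create_zone_chain` calls select the chain-lookup routine by passing its name as a bare string, `"get_ips_zone_chain"`, which `strict` cannot check and which the library only resolves at runtime through its private dispatch hash; a misspelt selector at any call site therefore surfaces as a dereference failure rather than as the error string `add_zone` is written to propagate. Passing the code reference itself, `Vyatta::Zone::create_zone_chain(\&Vyatta::Zone::get_ips_zone_chain, $zone_name)`, would drop the stringly-typed indirection and make a wrong name fail with a message naming the missing sub; failing that, export one constant per selector from Vyatta::Zone so callers cannot spell it freely. The same point applies to the `delete_zone` hunk below and to both hunks in `scripts/vyatta-zone.pl`. `add_zone` continues beyond this hunk.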
@@ -27,25 +27,12 @@ use Getopt::Long;
 use POSIX;
 use lib "/opt/vyatta/share/perl5";
-use Vyatta::Zone;
 use Vyatta::IpTables::Mgr;
+use Vyatta::Zone qw(%cmd_hash %table_hash %policy_hash);
 use warnings;
 use strict;
-# for future ease, when we add modify, these hashes will just be extended
-# firewall mapping from config node to iptables command.
-my %cmd_hash = ( 'name' => '/sbin/iptables',
- 'ipv6-name' => '/sbin/ip6tables');
-
-# firewall mapping from config node to iptables/ip6tables table
-my %table_hash = ( 'name' => 'filter',
- 'ipv6-name' => 'filter');
-
-# mapping from vyatta 'default-policy' to iptables jump target
-my %policy_hash = ( 'drop' => 'DROP',
- 'reject' => 'REJECT' );
-
 sub setup_default_policy {
 my ($zone_name, $default_policy, $localoutchain) = @_;
 my ($cmd, $error);
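Review bot: replacing the file-local `%policy_hash` with the one imported from Vyatta::Zone widens what `setup_default_policy` accepts for the firewall: the deleted hash mapped only `drop` and `reject`, while the shared one also maps `accept` to `RETURN`, which was previously the IPS script's mapping alone. If `setup_default_policy` (its body continues outside the hunk) builds `-j $policy_hash{$default_policy}`, an `accept` default-policy that used to yield an undefined target, and presumably an iptables error, now installs `-j RETURN` in the firewall zone chain. If that is intended it belongs in the commit message; otherwise the firewall path should keep rejecting it explicitly, e.g. `return "Error: unsupported default-policy $default_policy" if $default_policy eq 'accept';` before the jump target is looked up.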
@@ -84,48 +71,6 @@ in $zone_name chain failed [$error]" if $error; return; } -sub create_zone_chain { - my ($zone_name, $localoutchain) = @_; - my ($cmd, $error); - my $zone_chain=Vyatta::Zone::get_zone_chain("exists", - $zone_name, $localoutchain); - - # create zone chains in filter, ip6filter tables - foreach my $tree (keys %cmd_hash) { - $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} " . - "-L $zone_chain >&/dev/null"; - $error = Vyatta::Zone::run_cmd($cmd); - if ($error) { - # chain does not exist, go ahead create it - $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -N $zone_chain"; - $error = Vyatta::Zone::run_cmd($cmd); - return "Error: create $zone_name chain with failed [$error]" if $error; - } - } - - return; -} - -sub delete_zone_chain { - my ($zone_name, $localoutchain) = @_; - my ($cmd, $error); - my $zone_chain=Vyatta::Zone::get_zone_chain("existsOrig", - $zone_name, $localoutchain); - # delete zone chains from filter, ip6filter tables - foreach my $tree (keys %cmd_hash) { - # flush all rules from zone chain - $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -F $zone_chain"; - $error = Vyatta::Zone::run_cmd($cmd); - return "Error: flush all rules in $zone_name chain failed [$error]" if $error; - - # delete zone chain - $cmd = "sudo $cmd_hash{$tree} -t $table_hash{$tree} -X $zone_chain"; - $error = Vyatta::Zone::run_cmd($cmd); - return "Error: delete $zone_name chain failed [$error]" if $error; - } - return; -} - sub insert_from_rule { my ($zone_name, $from_zone, $interface, $ruleset_type, $ruleset, $direction, $zone_chain) = @_; 
@@ -460,12 +405,13 @@ $zone_chain chain failed [$error]" if $error;
 sub add_zone {
 my $zone_name = shift;
 # perform firewall related actions for this zone
- my $error = create_zone_chain ($zone_name);
+ my $error = Vyatta::Zone::create_zone_chain("get_zone_chain", $zone_name);
 return ($error, ) if $error;
 if (defined(Vyatta::Zone::is_local_zone("exists", $zone_name))) {
 # make local out chain as well
- $error = create_zone_chain ($zone_name, "localout");
+ $error = Vyatta::Zone::create_zone_chain ("get_zone_chain",
+ $zone_name, "localout");
 return ($error, ) if $error;
 # allow traffic sourced from and destined to localhost
@@ -541,11 +487,12 @@ sub add_zone {
 sub delete_zone {
 my $zone_name = shift;
 # undo firewall related actions for this zone
- my $error = delete_zone_chain ($zone_name);
+ my $error = Vyatta::Zone::delete_zone_chain("get_zone_chain", $zone_name);
 return ($error, ) if $error;
 if (defined(Vyatta::Zone::is_local_zone("existsOrig", $zone_name))) {
 # delete local out chain as well
- $error = delete_zone_chain ($zone_name, "localout");
+ $error = Vyatta::Zone::delete_zone_chain("get_zone_chain",
+ $zone_name, "localout");
 return ($error, ) if $error;
 }
 return;
-- cgit v1.2.3