author | Kim Hagen <khagen@multi-development.com> | 2014-09-03 16:18:24 +0200 |
---|---|---|
committer | Kim Hagen <khagen@multi-development.com> | 2014-09-03 16:18:24 +0200 |
commit | 39be0418ff403d40f7f39d81c0dee41e754cdf4d (patch) | |
tree | fb82d05b03527554cd5396ce3e025435d694fd4e | |
parent | efb61c7d82a605f7ef5a7762a05a9591c42c2bc5 (diff) | |
Clean up script and add firewall rule setup
-rw-r--r-- | scripts/vyos-update-nhrp.pl | 48 | ||||
-rw-r--r-- | templates-cfg/protocols/nhrp/tunnel/node.def | 7 |
2 files changed, 43 insertions, 12 deletions
diff --git a/scripts/vyos-update-nhrp.pl b/scripts/vyos-update-nhrp.pl
index 066b457..0b1ee43 100644
--- a/scripts/vyos-update-nhrp.pl
+++ b/scripts/vyos-update-nhrp.pl
@@ -34,7 +34,7 @@ use Vyatta::Interface;
 use strict;
 use warnings;
-
+my ($set_nhrp, $set_ipsec, $get_esp_gr_names, $get_ike_gr_names, $set_iptables, $del_iptables, $tun);
 my $conffile = '/etc/opennhrp/opennhrp.conf';
 my $ipsecfile = '/etc/opennhrp/opennhrp.ipsec';
@@ -420,25 +420,53 @@ sub ipsec_config {
 return @conf_file;
 }
+sub create_nhrp_iptables {
+ my $config_tun = new Vyatta::Config;
+
+ $config_tun->setLevel("interfaces tunnel");
+
+ if ( $config_tun->exists("$tun local-ip")) {
+ my $local_ip = $config_tun->returnValue("$tun local-ip");
+
+ system ("sudo iptables -N VYOS_NHRP_${tun}_OUT_HOOK") == 0 or die "System call failed: $!";
+ system ("sudo iptables -A VYOS_NHRP_${tun}_OUT_HOOK -p gre -s ${local_ip} -d 224.0.0.0/4 -j DROP") == 0 or die "System call failed: $!";
+ system ("sudo iptables -A VYOS_NHRP_${tun}_OUT_HOOK -j RETURN") == 0 or die "System call failed: $!";
+ system ("sudo iptables -I OUTPUT 2 -j VYOS_NHRP_${tun}_OUT_HOOK") == 0 or die "System call failed: $!";
+ }
+}
+
+sub delete_nhrp_iptables {
+ my $config_tun = new Vyatta::Config;
+
+ $config_tun->setLevel("interfaces tunnel");
+
+ if ( $config_tun->exists("$tun local-ip")) {
+ system ("sudo iptables -D OUTPUT -j VYOS_NHRP_${tun}_OUT_HOOK") == 0 or die "System call failed: $!";
+ system ("sudo iptables -D VYOS_NHRP_${tun}_OUT_HOOK 1") == 0 or die "System call failed: $!";
+ system ("sudo iptables -D VYOS_NHRP_${tun}_OUT_HOOK 1") == 0 or die "System call failed: $!";
+ system ("sudo iptables -X VYOS_NHRP_${tun}_OUT_HOOK") == 0 or die "System call failed: $!";
+ }
+}
+
 #
 # main
 #
-my ($set_nhrp, $set_ipsec, $get_esp_gr_names, $get_ike_gr_names);
-
 GetOptions (
 "set_ipsec" => \$set_ipsec,
 "set_nhrp" => \$set_nhrp,
 "get_esp_gr_names" => \$get_esp_gr_names,
 "get_ike_gr_names" => \$get_ike_gr_names,
+ "set_iptables" => \$set_iptables,
+ "del_iptables" => \$del_iptables,
+ "tun=s" => \$tun
 ) or usage ();
-my $rc = 1;
-$rc = print get_esp_groups() if $get_esp_gr_names;
-$rc = print get_ike_groups() if $get_ike_gr_names;
-$rc = configure_nhrp_ipsec() if $set_ipsec;
-$rc = configure_nhrp_tunnels() if $set_nhrp;
-
-exit $rc;
+print get_esp_groups() if $get_esp_gr_names;
+print get_ike_groups() if $get_ike_gr_names;
+configure_nhrp_ipsec() if $set_ipsec;
+configure_nhrp_tunnels() if $set_nhrp;
+create_nhrp_iptables() if $set_iptables;
+delete_nhrp_iptables() if $del_iptables;
 # end of file
diff --git a/templates-cfg/protocols/nhrp/tunnel/node.def b/templates-cfg/protocols/nhrp/tunnel/node.def
index f7109c5..65c22ad 100644
--- a/templates-cfg/protocols/nhrp/tunnel/node.def
+++ b/templates-cfg/protocols/nhrp/tunnel/node.def
@@ -1,9 +1,12 @@
 tag:
- type: txt
- help: Tunnel for nhrp [REQUIRED]
 allowed: /opt/vyatta/sbin/vyatta-interfaces.pl --show tunnel
 val_help: <tun> ; Tunnel for nhrp
+
+create: sudo /opt/vyatta/sbin/vyos-update-nhrp.pl --tun "$VAR(@)" --set_iptables
+
+delete: sudo /opt/vyatta/sbin/vyos-update-nhrp.pl --tun "$VAR(@)" --del_iptables
+
|
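Review bot: Both new subs build their iptables invocations as single strings — `system ("sudo iptables -N VYOS_NHRP_${tun}_OUT_HOOK")` and the seven calls that follow — so `$tun`, which arrives verbatim from `--tun` on the command line, and `$local_ip` from the config are re-parsed by `/bin/sh` inside a script that node.def runs under sudo, and the only gate on `$tun` is `exists("$tun local-ip")`, which is a config lookup rather than a name check. The accompanying `die "System call failed: $!"` is also misleading: `$!` is not set when iptables runs but exits non-zero, the status is in `$?`. I would reject anything that is not a plain interface name before use and switch every call to list-form `system('sudo', 'iptables', @args)`, roughly as below for `create_nhrp_iptables` (the same treatment applies to `delete_nhrp_iptables`). Two smaller points, inferred rather than shown here: `-N` fails (and so dies) if the chain already exists, making a repeated `create` non-idempotent, and `-I OUTPUT 2` silently assumes a rule already occupies position 1. `new Vyatta::Config` is indirect-object syntax; `Vyatta::Config->new` is the unambiguous form.
```perl
sub create_nhrp_iptables {
    my $config_tun = Vyatta::Config->new;
    $config_tun->setLevel("interfaces tunnel");

    # $tun comes straight from the command line; refuse anything that is not a
    # plain interface name before it becomes a chain name or a shell argument.
    die "invalid tunnel name\n"
        unless defined $tun && $tun =~ /\A[A-Za-z0-9_.-]+\z/;

    return unless $config_tun->exists("$tun local-ip");
    my $local_ip = $config_tun->returnValue("$tun local-ip");
    my $chain    = "VYOS_NHRP_${tun}_OUT_HOOK";

    # List-form system() bypasses the shell, so arguments are never re-parsed.
    for my $args (
        [ '-N', $chain ],
        [ '-A', $chain, '-p', 'gre', '-s', $local_ip, '-d', '224.0.0.0/4', '-j', 'DROP' ],
        [ '-A', $chain, '-j', 'RETURN' ],
        [ '-I', 'OUTPUT', '2', '-j', $chain ],
    ) {
        system('sudo', 'iptables', @$args) == 0
            or die "iptables @$args failed: exit status " . ($? >> 8) . "\n";
    }
}
# … unchanged: delete_nhrp_iptables (same list-form treatment), option parsing, main …
```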
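Review bot: The new `create:`/`delete:` hooks pass the tag value straight through as `--tun "$VAR(@)"`, but `allowed:` only supplies tab-completion candidates; nothing in this node.def validates the value, so any string a configurer types becomes an argument to a sudo-run script that builds iptables commands from it. Add a validation line such as `syntax:expression: pattern $VAR(@) "^tun[0-9]+$" ; "Tunnel name must be tunN"` (or an `exec` check against `vyatta-interfaces.pl --show tunnel`) so the value is constrained before the hooks run. The hunk also appears to drop `type: txt` and `help:` without replacement — if that is a genuine deletion rather than a rendering artefact, the tag node loses its type declaration and help text. Since the script is already invoked with sudo here, the nested `sudo iptables` calls inside it are redundant.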