diff options
author | Kim Hagen <khagen@multi-development.com> | 2014-09-03 16:18:24 +0200 |
---|---|---|
committer | Kim Hagen <khagen@multi-development.com> | 2014-09-03 16:18:24 +0200 |
commit | 39be0418ff403d40f7f39d81c0dee41e754cdf4d (patch) | |
tree | fb82d05b03527554cd5396ce3e025435d694fd4e /scripts | |
parent | efb61c7d82a605f7ef5a7762a05a9591c42c2bc5 (diff) | |
download | vyos-nhrp-39be0418ff403d40f7f39d81c0dee41e754cdf4d.tar.gz vyos-nhrp-39be0418ff403d40f7f39d81c0dee41e754cdf4d.zip |
Cleanup script and add the settings of firewall rules
Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/vyos-update-nhrp.pl | 48 |
1 files changed, 38 insertions, 10 deletions
diff --git a/scripts/vyos-update-nhrp.pl b/scripts/vyos-update-nhrp.pl index 066b457..0b1ee43 100644 --- a/scripts/vyos-update-nhrp.pl +++ b/scripts/vyos-update-nhrp.pl @@ -34,7 +34,7 @@ use Vyatta::Interface; use strict; use warnings; - +my ($set_nhrp, $set_ipsec, $get_esp_gr_names, $get_ike_gr_names, $set_iptables, $del_iptables, $tun); my $conffile = '/etc/opennhrp/opennhrp.conf'; my $ipsecfile = '/etc/opennhrp/opennhrp.ipsec'; @@ -420,25 +420,53 @@ sub ipsec_config { return @conf_file; } +sub create_nhrp_iptables { + my $config_tun = new Vyatta::Config; + + $config_tun->setLevel("interfaces tunnel"); + + if ( $config_tun->exists("$tun local-ip")) { + my $local_ip = $config_tun->returnValue("$tun local-ip"); + + system ("sudo iptables -N VYOS_NHRP_${tun}_OUT_HOOK") == 0 or die "System call failed: $!"; + system ("sudo iptables -A VYOS_NHRP_${tun}_OUT_HOOK -p gre -s ${local_ip} -d 224.0.0.0/4 -j DROP") == 0 or die "System call failed: $!"; + system ("sudo iptables -A VYOS_NHRP_${tun}_OUT_HOOK -j RETURN") == 0 or die "System call failed: $!"; + system ("sudo iptables -I OUTPUT 2 -j VYOS_NHRP_${tun}_OUT_HOOK") == 0 or die "System call failed: $!"; + } +} + +sub delete_nhrp_iptables { + my $config_tun = new Vyatta::Config; + + $config_tun->setLevel("interfaces tunnel"); + + if ( $config_tun->exists("$tun local-ip")) { + system ("sudo iptables -D OUTPUT -j VYOS_NHRP_${tun}_OUT_HOOK") == 0 or die "System call failed: $!"; + system ("sudo iptables -D VYOS_NHRP_${tun}_OUT_HOOK 1") == 0 or die "System call failed: $!"; + system ("sudo iptables -D VYOS_NHRP_${tun}_OUT_HOOK 1") == 0 or die "System call failed: $!"; + system ("sudo iptables -X VYOS_NHRP_${tun}_OUT_HOOK") == 0 or die "System call failed: $!"; + } +} + # # main # -my ($set_nhrp, $set_ipsec, $get_esp_gr_names, $get_ike_gr_names); - GetOptions ( "set_ipsec" => \$set_ipsec, "set_nhrp" => \$set_nhrp, "get_esp_gr_names" => \$get_esp_gr_names, "get_ike_gr_names" => \$get_ike_gr_names, + "set_iptables" => \$set_iptables, + "del_iptables" => \$del_iptables, + "tun=s" => \$tun ) or usage (); -my $rc = 1; -$rc = print get_esp_groups() if $get_esp_gr_names; -$rc = print get_ike_groups() if $get_ike_gr_names; -$rc = configure_nhrp_ipsec() if $set_ipsec; -$rc = configure_nhrp_tunnels() if $set_nhrp; - -exit $rc; +print get_esp_groups() if $get_esp_gr_names; +print get_ike_groups() if $get_ike_gr_names; +configure_nhrp_ipsec() if $set_ipsec; +configure_nhrp_tunnels() if $set_nhrp; +create_nhrp_iptables() if $set_iptables; +delete_nhrp_iptables() if $del_iptables; # end of file |