summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--scripts/vyos-update-nhrp.pl48
-rw-r--r--templates-cfg/protocols/nhrp/tunnel/node.def7
2 files changed, 43 insertions, 12 deletions
diff --git a/scripts/vyos-update-nhrp.pl b/scripts/vyos-update-nhrp.pl
index 066b457..0b1ee43 100644
--- a/scripts/vyos-update-nhrp.pl
+++ b/scripts/vyos-update-nhrp.pl
@@ -34,7 +34,7 @@ use Vyatta::Interface;
use strict;
use warnings;
-
+my ($set_nhrp, $set_ipsec, $get_esp_gr_names, $get_ike_gr_names, $set_iptables, $del_iptables, $tun);
my $conffile = '/etc/opennhrp/opennhrp.conf';
my $ipsecfile = '/etc/opennhrp/opennhrp.ipsec';
@@ -420,25 +420,53 @@ sub ipsec_config {
return @conf_file;
}
+sub create_nhrp_iptables {
+ my $config_tun = new Vyatta::Config;
+
+ $config_tun->setLevel("interfaces tunnel");
+
+ if ( $config_tun->exists("$tun local-ip")) {
+ my $local_ip = $config_tun->returnValue("$tun local-ip");
+
+ system ("sudo iptables -N VYOS_NHRP_${tun}_OUT_HOOK") == 0 or die "System call failed: $!";
+ system ("sudo iptables -A VYOS_NHRP_${tun}_OUT_HOOK -p gre -s ${local_ip} -d 224.0.0.0/4 -j DROP") == 0 or die "System call failed: $!";
+ system ("sudo iptables -A VYOS_NHRP_${tun}_OUT_HOOK -j RETURN") == 0 or die "System call failed: $!";
+ system ("sudo iptables -I OUTPUT 2 -j VYOS_NHRP_${tun}_OUT_HOOK") == 0 or die "System call failed: $!";
+ }
+}
+
+sub delete_nhrp_iptables {
+ my $config_tun = new Vyatta::Config;
+
+ $config_tun->setLevel("interfaces tunnel");
+
+ if ( $config_tun->exists("$tun local-ip")) {
+ system ("sudo iptables -D OUTPUT -j VYOS_NHRP_${tun}_OUT_HOOK") == 0 or die "System call failed: $!";
+ system ("sudo iptables -D VYOS_NHRP_${tun}_OUT_HOOK 1") == 0 or die "System call failed: $!";
+ system ("sudo iptables -D VYOS_NHRP_${tun}_OUT_HOOK 1") == 0 or die "System call failed: $!";
+ system ("sudo iptables -X VYOS_NHRP_${tun}_OUT_HOOK") == 0 or die "System call failed: $!";
+ }
+}
+
#
# main
#
-my ($set_nhrp, $set_ipsec, $get_esp_gr_names, $get_ike_gr_names);
-
GetOptions (
"set_ipsec" => \$set_ipsec,
"set_nhrp" => \$set_nhrp,
"get_esp_gr_names" => \$get_esp_gr_names,
"get_ike_gr_names" => \$get_ike_gr_names,
+ "set_iptables" => \$set_iptables,
+ "del_iptables" => \$del_iptables,
+ "tun=s" => \$tun
) or usage ();
-my $rc = 1;
-$rc = print get_esp_groups() if $get_esp_gr_names;
-$rc = print get_ike_groups() if $get_ike_gr_names;
-$rc = configure_nhrp_ipsec() if $set_ipsec;
-$rc = configure_nhrp_tunnels() if $set_nhrp;
-
-exit $rc;
+print get_esp_groups() if $get_esp_gr_names;
+print get_ike_groups() if $get_ike_gr_names;
+configure_nhrp_ipsec() if $set_ipsec;
+configure_nhrp_tunnels() if $set_nhrp;
+create_nhrp_iptables() if $set_iptables;
+delete_nhrp_iptables() if $del_iptables;
# end of file
diff --git a/templates-cfg/protocols/nhrp/tunnel/node.def b/templates-cfg/protocols/nhrp/tunnel/node.def
index f7109c5..65c22ad 100644
--- a/templates-cfg/protocols/nhrp/tunnel/node.def
+++ b/templates-cfg/protocols/nhrp/tunnel/node.def
@@ -1,9 +1,12 @@
tag:
-
type: txt
-
help: Tunnel for nhrp [REQUIRED]
allowed: /opt/vyatta/sbin/vyatta-interfaces.pl --show tunnel
val_help: <tun> ; Tunnel for nhrp
+
+create: sudo /opt/vyatta/sbin/vyos-update-nhrp.pl --tun "$VAR(@)" --set_iptables
+
+delete: sudo /opt/vyatta/sbin/vyos-update-nhrp.pl --tun "$VAR(@)" --del_iptables
+