1 files changed, 38 insertions, 10 deletions

diff --git a/scripts/vyos-update-nhrp.pl b/scripts/vyos-update-nhrp.pl
index 066b457..0b1ee43 100644
--- a/scripts/vyos-update-nhrp.pl
+++ b/scripts/vyos-update-nhrp.pl
@@ -34,7 +34,7 @@ use Vyatta::Interface;
 
 use strict;
 use warnings;
-
+my ($set_nhrp, $set_ipsec, $get_esp_gr_names, $get_ike_gr_names, $set_iptables, $del_iptables, $tun);
 my $conffile = '/etc/opennhrp/opennhrp.conf';
 my $ipsecfile = '/etc/opennhrp/opennhrp.ipsec';
 
@@ -420,25 +420,53 @@ sub ipsec_config {
 	return @conf_file;
 }
 
+sub create_nhrp_iptables {
+	my $config_tun = new Vyatta::Config;
+	
+	$config_tun->setLevel("interfaces tunnel");
+	
+	if ( $config_tun->exists("$tun local-ip")) {
+		my $local_ip = $config_tun->returnValue("$tun local-ip");
+
+		system ("sudo iptables -N VYOS_NHRP_${tun}_OUT_HOOK") == 0 or die "System call failed: $!";
+		system ("sudo iptables -A VYOS_NHRP_${tun}_OUT_HOOK -p gre -s ${local_ip} -d 224.0.0.0/4 -j DROP") == 0 or die "System call failed: $!";
+		system ("sudo iptables -A VYOS_NHRP_${tun}_OUT_HOOK -j RETURN") == 0 or die "System call failed: $!";
+		system ("sudo iptables -I OUTPUT 2 -j VYOS_NHRP_${tun}_OUT_HOOK") == 0 or die "System call failed: $!";
+	}
+}
+
+sub delete_nhrp_iptables {
+	my $config_tun = new Vyatta::Config;
+	
+	$config_tun->setLevel("interfaces tunnel");
+	
+	if ( $config_tun->exists("$tun local-ip")) {
+		system ("sudo iptables -D OUTPUT -j VYOS_NHRP_${tun}_OUT_HOOK") == 0 or die "System call failed: $!";
+		system ("sudo iptables -D VYOS_NHRP_${tun}_OUT_HOOK 1") == 0 or die "System call failed: $!";
+		system ("sudo iptables -D VYOS_NHRP_${tun}_OUT_HOOK 1") == 0 or die "System call failed: $!";
+		system ("sudo iptables -X VYOS_NHRP_${tun}_OUT_HOOK") == 0 or die "System call failed: $!";
+	}
+}
+
 #
 # main
 #
 
-my ($set_nhrp, $set_ipsec, $get_esp_gr_names, $get_ike_gr_names);
-
 GetOptions (
 	"set_ipsec"			=> \$set_ipsec,
 	"set_nhrp"			=> \$set_nhrp,
 	"get_esp_gr_names"	=> \$get_esp_gr_names,
 	"get_ike_gr_names"	=> \$get_ike_gr_names,
+	"set_iptables"		=> \$set_iptables,
+	"del_iptables"		=> \$del_iptables,
+    "tun=s"     		=> \$tun
 ) or usage ();
 
-my $rc = 1;
-$rc = print get_esp_groups() if $get_esp_gr_names;
-$rc = print get_ike_groups() if $get_ike_gr_names;
-$rc = configure_nhrp_ipsec() if $set_ipsec;
-$rc = configure_nhrp_tunnels() if $set_nhrp;
-
-exit $rc;
+print get_esp_groups() if $get_esp_gr_names;
+print get_ike_groups() if $get_ike_gr_names;
+configure_nhrp_ipsec() if $set_ipsec;
+configure_nhrp_tunnels() if $set_nhrp;
+create_nhrp_iptables() if $set_iptables;
+delete_nhrp_iptables() if $del_iptables;
 
 # end of file