From 39be0418ff403d40f7f39d81c0dee41e754cdf4d Mon Sep 17 00:00:00 2001
From: Kim Hagen
Date: Wed, 3 Sep 2014 16:18:24 +0200
Subject: Cleanup script and add the settings of firewall rules

---
 scripts/vyos-update-nhrp.pl | 48 ++++++++++++++++++++++------
 templates-cfg/protocols/nhrp/tunnel/node.def | 7 ++--
 2 files changed, 43 insertions(+), 12 deletions(-)

diff --git a/scripts/vyos-update-nhrp.pl b/scripts/vyos-update-nhrp.pl
index 066b457..0b1ee43 100644
--- a/scripts/vyos-update-nhrp.pl
+++ b/scripts/vyos-update-nhrp.pl
@@ -34,7 +34,7 @@ use Vyatta::Interface;
 use strict;
 use warnings;
-
+my ($set_nhrp, $set_ipsec, $get_esp_gr_names, $get_ike_gr_names, $set_iptables, $del_iptables, $tun);
 my $conffile = '/etc/opennhrp/opennhrp.conf';
 my $ipsecfile = '/etc/opennhrp/opennhrp.ipsec';
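Review bot: The added file-scope `my (...)` list turns `$tun` into an implicit global that the two new subs in the next hunk read instead of receiving as an argument, so nothing at the call site shows which tunnel they act on and nothing prevents them running with `$tun` undefined. Keeping the declaration beside `GetOptions` (where the removed line had it) and passing the name explicitly, `create_nhrp_iptables ($tun) if $set_iptables;`, keeps that dependency visible; the subs themselves are in the following hunk.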
@@ -420,25 +420,53 @@ sub ipsec_config {
 return @conf_file;
 }
+sub create_nhrp_iptables {
+ my $config_tun = new Vyatta::Config;
+
+ $config_tun->setLevel("interfaces tunnel");
+
+ if ( $config_tun->exists("$tun local-ip")) {
+ my $local_ip = $config_tun->returnValue("$tun local-ip");
+
+ system ("sudo iptables -N VYOS_NHRP_${tun}_OUT_HOOK") == 0 or die "System call failed: $!";
+ system ("sudo iptables -A VYOS_NHRP_${tun}_OUT_HOOK -p gre -s ${local_ip} -d 224.0.0.0/4 -j DROP") == 0 or die "System call failed: $!";
+ system ("sudo iptables -A VYOS_NHRP_${tun}_OUT_HOOK -j RETURN") == 0 or die "System call failed: $!";
+ system ("sudo iptables -I OUTPUT 2 -j VYOS_NHRP_${tun}_OUT_HOOK") == 0 or die "System call failed: $!";
+ }
+}
+
+sub delete_nhrp_iptables {
+ my $config_tun = new Vyatta::Config;
+
+ $config_tun->setLevel("interfaces tunnel");
+
+ if ( $config_tun->exists("$tun local-ip")) {
+ system ("sudo iptables -D OUTPUT -j VYOS_NHRP_${tun}_OUT_HOOK") == 0 or die "System call failed: $!";
+ system ("sudo iptables -D VYOS_NHRP_${tun}_OUT_HOOK 1") == 0 or die "System call failed: $!";
+ system ("sudo iptables -D VYOS_NHRP_${tun}_OUT_HOOK 1") == 0 or die "System call failed: $!";
+ system ("sudo iptables -X VYOS_NHRP_${tun}_OUT_HOOK") == 0 or die "System call failed: $!";
+ }
+}
+
 #
 # main
 #
-my ($set_nhrp, $set_ipsec, $get_esp_gr_names, $get_ike_gr_names);
-
 GetOptions (
 "set_ipsec" => \$set_ipsec,
 "set_nhrp" => \$set_nhrp,
 "get_esp_gr_names" => \$get_esp_gr_names,
 "get_ike_gr_names" => \$get_ike_gr_names,
+ "set_iptables" => \$set_iptables,
+ "del_iptables" => \$del_iptables,
+ "tun=s" => \$tun
 ) or usage ();
-my $rc = 1;
-$rc = print get_esp_groups() if $get_esp_gr_names;
-$rc = print get_ike_groups() if $get_ike_gr_names;
-$rc = configure_nhrp_ipsec() if $set_ipsec;
-$rc = configure_nhrp_tunnels() if $set_nhrp;
-
-exit $rc;
+print get_esp_groups() if $get_esp_gr_names;
+print get_ike_groups() if $get_ike_gr_names;
+configure_nhrp_ipsec() if $set_ipsec;
+configure_nhrp_tunnels() if $set_nhrp;
+create_nhrp_iptables() if $set_iptables;
+delete_nhrp_iptables() if $del_iptables;
 # end of file
diff --git a/templates-cfg/protocols/nhrp/tunnel/node.def b/templates-cfg/protocols/nhrp/tunnel/node.def
index f7109c5..65c22ad 100644
--- a/templates-cfg/protocols/nhrp/tunnel/node.def
+++ b/templates-cfg/protocols/nhrp/tunnel/node.def
@@ -1,9 +1,12 @@
 tag: - type: txt - help: Tunnel for nhrp [REQUIRED] allowed: /opt/vyatta/sbin/vyatta-interfaces.pl --show tunnel val_help: ; Tunnel for nhrp + +create: sudo /opt/vyatta/sbin/vyos-update-nhrp.pl --tun "$VAR(@)" --set_iptables + +delete: sudo /opt/vyatta/sbin/vyos-update-nhrp.pl --tun "$VAR(@)" --del_iptables +
-- cgit v1.2.3
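Review bot: Each `system ("sudo iptables ...")` in `create_nhrp_iptables` and `delete_nhrp_iptables` interpolates `$tun` (taken verbatim from `--tun`) and `$local_ip` into a string that a shell parses, and nothing in this hunk checks the shape of either value; the list form `system ('sudo', 'iptables', @args)` keeps the shell out entirely, and an anchored allowlist on `$tun` before it becomes part of a chain name is cheap insurance. The `die "System call failed: $!"` after every call reports `$!`, which is only meaningful when the fork/exec itself fails — a non-zero iptables exit status is in `$?`, so the message currently shows a stale or empty errno. The delete path is fragile as written: it dies on the first `-D` that does not match and removes exactly two rules by index, so a chain left half-built by an earlier failure (or, if the `interfaces tunnel` node is already gone when `delete` runs, one for which `exists` is false) is never cleaned up; `-F` followed by `-X` at least removes the dependence on the rule count, and `-I OUTPUT 2` likewise assumes OUTPUT already has a rule at position 1, which iptables does not guarantee. The rewrite below routes every call through one `run_iptables` helper and validates `$tun` once (it also replaces the indirect-object `new Vyatta::Config` with `Vyatta::Config->new`); the `GetOptions` block and the dispatch lines are unchanged.
```perl
# Run one iptables command. List-form system() hands every argument to
# iptables verbatim, so no shell ever parses $tun or $local_ip.
sub run_iptables {
    my @args = @_;
    system ('sudo', 'iptables', @args) == 0
        or die "iptables @args failed: exit status " . ($? >> 8) . "\n";
    return;
}

# Reject anything that is not a plain interface name before it is used
# in a chain name or a config lookup; returns the chain name for $tun.
sub nhrp_chain_or_die {
    die "--tun <name> is required\n" unless defined $tun;
    die "invalid tunnel name '$tun'\n" unless $tun =~ /\A[\w-]+\z/;
    return "VYOS_NHRP_${tun}_OUT_HOOK";
}

sub create_nhrp_iptables {
    my $chain = nhrp_chain_or_die ();
    my $config_tun = Vyatta::Config->new;
    $config_tun->setLevel ("interfaces tunnel");
    return unless $config_tun->exists ("$tun local-ip");
    my $local_ip = $config_tun->returnValue ("$tun local-ip");

    run_iptables ('-N', $chain);
    run_iptables ('-A', $chain, '-p', 'gre', '-s', $local_ip,
                  '-d', '224.0.0.0/4', '-j', 'DROP');
    run_iptables ('-A', $chain, '-j', 'RETURN');
    run_iptables ('-I', 'OUTPUT', '2', '-j', $chain);
    return;
}

sub delete_nhrp_iptables {
    my $chain = nhrp_chain_or_die ();
    my $config_tun = Vyatta::Config->new;
    $config_tun->setLevel ("interfaces tunnel");
    return unless $config_tun->exists ("$tun local-ip");

    run_iptables ('-D', 'OUTPUT', '-j', $chain);
    run_iptables ('-F', $chain);    # independent of how many rules were added
    run_iptables ('-X', $chain);
    return;
}

# … unchanged: GetOptions block and dispatch lines …
```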
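Review bot: The added `create:` and `delete:` lines pass the tag value straight into a privileged script as `--tun "$VAR(@)"`, and the only constraint on that value in this template is `allowed:`, which feeds tab completion rather than validation; a `syntax:expression:` check (a `pattern` on the name, or an `exec` test against the same `vyatta-interfaces.pl --show tunnel` output the `allowed:` line uses) would reject anything that is not an existing tunnel before the script runs. Because the script dies as soon as one `iptables -D` fails, a `delete` that meets a missing or half-built chain leaves the config node impossible to remove until the chain is repaired by hand, which deserves either a tolerant delete path in the script or a comment here. The collapsed rendering leaves it ambiguous whether the two `-` lines drop blank lines or the `type: txt` and `help:` lines; if it is the latter, the tag node loses its value type and help text, which the commit message does not suggest is intended.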