- Timestamp:
- 07/19/03 04:11:07 (9 years ago)
- Files:
5100R/branches/dev/ui/base-firewall.mod/glue/handlers/Firewall_update
r3 r201 2 2 3 3 # some constants: 4 my $ipchains_conf = "/etc/ipchains.conf"; 5 my $ipchains_bin = "/sbin/ipchains"; 4 my $iptables = 0; 5 $iptables = 1 if (-x "/usr/bin/iptables"); 6 my $fw_conf = "/etc/ipchains.conf"; 7 $fw_conf = "/etc/iptables.conf" if ($iptables); 8 my $fwbin = "/sbin/ipchains"; 9 $fwbin = "/usr/bin/iptables" if ($iptables); 6 10 7 11 use lib qw( /usr/sausalito/perl ); … … 11 15 my $cce = new CCE; 12 16 $cce->connectfd (\*STDIN, \*STDOUT); 13 14 17 15 18 # Okay, let's regenerate /etc/ipchains … … 27 30 validate_chains(); 28 31 29 rewrite_ ipchains_conf();32 rewrite_fw_conf(); 30 33 31 34 restart_firewall(); … … 96 99 use Data::Dumper; 97 100 98 # rewrite_ ipchains_conf99 sub rewrite_ ipchains_conf100 { 101 my @data = ( "\n " );101 # rewrite_fw_conf 102 sub rewrite_fw_conf 103 { 104 my @data = ( "\n$fwbin -F\n" ); 102 105 103 106 my $sysobj; … … 109 112 110 113 if (!$sysobj->{enabled}) { 111 $ ipchains_bin = "# " . $ipchains_bin;114 $fwbin = "# " . $fwbin; 112 115 push (@data, "# Firewall currently not enabled.\n"); 113 116 } … … 115 118 my ($name, $chain, $rule); 116 119 while (($name, $chain) = each %chains) { 117 print STDERR "dump $name: ",Dumper($chain_meta{$name}),"\n"; 120 # warn "dump $name: ",Dumper($chain_meta{$name}),"\n"; 121 my $default_policy = $chain_meta{$name}->{default}; 122 if ($iptables && ($default_policy eq 'DENY')) { 123 $default_policy = 'DROP'; 124 } 125 118 126 push (@data, "# $name chain:\n"); 119 127 if ( ($name =~ m/^((input)|(forward)|(output))$/) 120 && ($chain_meta{$name}->{default}))128 && $default_policy ) 121 129 { 130 if ($iptables) 131 { 132 $name =~ tr/[a-z]/[A-Z]/; 133 } 122 134 # set the default policy: 123 push (@data, "$ipchains_bin -P $name " 124 .$chain_meta{$name}->{default}."\n"); 135 push (@data, "$fwbin -P $name $default_policy\n"); 125 136 } 126 137 foreach $rule (@$chain) { … … 132 143 my $data = join("",@data); 133 144 Sauce::Util::replaceblock( 134 $ ipchains_conf,145 $fw_conf, 135 146 "# 
start of auto-generated ipchains commands, do not edit below this line", 136 147 $data, … … 141 152 sub restart_firewall 142 153 { 143 system("/etc/rc.d/init.d/ipchains restart >& /tmp/ipchains.out"); 154 if($iptables) 155 { 156 system("/etc/rc.d/init.d/iptables restart >& /tmp/iptables.out"); 157 } 158 else 159 { 160 system("/etc/rc.d/init.d/ipchains restart >& /tmp/ipchains.out"); 161 } 144 162 } 145 163 146 164 sub rule_to_ipchains_command 147 165 { 166 # /usr/bin/iptables -P INPUT ACCEPT 167 # /usr/bin/iptables -A INPUT -p tcp -s 10.9.0.0/16 -d 10.9.28.128/32 --source-port 80 -j ACCEPT 168 # /usr/bin/iptables -A INPUT -p tcp -s 10.9.0.0/16 -d 127.0.0.1/32 --source-port 80 -j ACCEPT 169 # /usr/bin/iptables -t nat -A PREROUTING -s 10.9.0.0/16 -p tcp --destination-port 80 -j DNAT --to-destination 127.0.0.1:3128 170 148 171 my ($chain,$rule) = (shift,shift); 172 $chain =~ tr/[a-z]/[A-Z]/ if ($iptables); 173 149 174 my @data = (); 150 175 … … 169 194 foreach $srcnet (@source_nets) { 170 195 foreach $destnet (@dest_nets) { 171 push (@data, 172 "${ipchains_bin} -A $chain", 173 " -p ", $rule->{protocol}, 174 " -s ", $srcnet, " ", $rule->{source_ports}, 175 " -d ", $destnet, " ", $rule->{dest_ports}); 176 if ($rule->{interface}) { 177 push (@data, " -i ", $rule->{interface}); 196 if ($iptables) { 197 push (@data, 198 "${fwbin} -A $chain", 199 " -p ", $rule->{protocol}, 200 " -s ", $srcnet, 201 " -d ", $destnet); 202 if($rule->{source_ports}) { 203 # $rule->{source_ports} =~ s/\:/\-/g; 204 push(@data, " --source-port ".$rule->{source_ports}); 205 } 206 if($rule->{dest_ports}) { 207 # $rule->{dest_ports} =~ s/\:/\-/g; 208 push(@data, " --destination-port ".$rule->{dest_ports}); 209 } 210 if ($rule->{interface}) { 211 push (@data, " -i ", $rule->{interface}); 212 } 213 if ($rule->{policy} eq "JUMP") { 214 push (@data, " -j ", $rule->{jump_target}); 215 } else { 216 push (@data, " -j ", $rule->{policy}); 217 } 218 if ($rule->{policy} eq "REDIRECT") { 219 push (@data, ' 
--destination-port ', $rule->{redir_target}); 220 } 221 push (@data,"\n"); 222 } else { 223 push (@data, 224 "${fwbin} -A $chain", 225 " -p ", $rule->{protocol}, 226 " -s ", $srcnet, " ", $rule->{source_ports}, 227 " -d ", $destnet, " ", $rule->{dest_ports}); 228 if ($rule->{interface}) { 229 push (@data, " -i ", $rule->{interface}); 230 } 231 if ($rule->{policy} eq "JUMP") { 232 push (@data, " -j ", $rule->{jump_target}); 233 } else { 234 push (@data, " -j ", $rule->{policy}); 235 } 236 if ($rule->{policy} eq "REDIRECT") { 237 push (@data, " ", $rule->{redir_target}); 238 } 239 push (@data,"\n"); 178 240 } 179 if ($rule->{policy} eq "JUMP") {180 push (@data, " -j ", $rule->{jump_target});181 } else {182 push (@data, " -j ", $rule->{policy});183 }184 if ($rule->{policy} eq "REDIRECT") {185 push (@data, " ", $rule->{redir_target});186 }187 push (@data,"\n");188 241 } 189 242 }
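Review bot: Per-rule targets are not translated for iptables the way the chain default policy is: `rewrite_fw_conf` maps `DENY` to `DROP` before emitting `-P`, but the iptables branch of `rule_to_ipchains_command` still pushes `" -j ", $rule->{policy}` verbatim, so a rule stored with the ipchains-era `DENY` target would be rejected by iptables when the generated file is loaded and that rule would simply be absent from the running ruleset — the failure mode is fail-open, not fail-closed. Apply the same mapping once at the top of the loop, e.g. `my $target = $rule->{policy}; $target = 'DROP' if ($iptables && $target eq 'DENY');` and use `$target` in both the `-j` push and the `REDIRECT` comparison; whether the same applies to the REDIRECT/MASQ targets (which under iptables live in the nat table, unlike the `-F` flush emitted at the top of `rewrite_fw_conf`) cannot be confirmed from the visible lines. Separately, the new `restart_firewall` branch repeats the pattern of redirecting root-run output to a fixed, predictable name in a world-writable directory (`/tmp/iptables.out`) and ignores the return value of `system`, so a failed restart is never reported to the caller; writing the log under a root-owned directory and checking `system(...) == 0 or warn ...` would address both. The section is collapsed on this page and the tail of `rule_to_ipchains_command` is not fully visible, so the remaining loop body was not reviewed.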
