From bc6bb477b5a09596d6e70df8f3667cb237b36edf Mon Sep 17 00:00:00 2001 | |
From: Joshua McBeth <[email protected]> | |
Date: Sun, 3 Dec 2017 21:43:25 -0500 | |
Subject: [PATCH] Fix T484 Rules can't be deleted from firewall rule sets used | |
in zone policies | |
--- | |
scripts/firewall/vyatta-firewall.pl | 70 +++++++++++++++++++++---------------- | |
1 file changed, 39 insertions(+), 31 deletions(-) | |
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl | |
index c2727cc..dc7c702 100755 | |
--- a/scripts/firewall/vyatta-firewall.pl | |
+++ b/scripts/firewall/vyatta-firewall.pl | |
@@ -526,42 +526,50 @@ sub update_rules { | |
$config->setLevel("$tree $name rule"); | |
my %test_rule_hash = $config->listNodeStatus(); | |
+ my $all_rules_deleted = 1; | |
+ | |
foreach my $test_rule (sort numerically keys %test_rule_hash) { | |
- if ("$test_rule_hash{$test_rule}" eq 'static') { | |
- next; | |
- } elsif ("$test_rule_hash{$test_rule}" eq 'added') { | |
- my $test_node = new Vyatta::IpTables::Rule; | |
- $test_node->setup("$tree $name rule $test_rule"); | |
- $test_node->set_ip_version($ip_version_hash{$tree}); | |
- my ($err_str, @rule_strs) = $test_node->rule(); | |
- if (defined($err_str)) { | |
- Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: $err_str\n"); | |
- exit 1; | |
- } | |
- my $test_chain = chain_configured(2, $name, $tree); | |
- if (defined($test_chain)) { | |
- # Chain name must be unique in both trees | |
- Vyatta::Config::outputError([$tree,$name], "Firewall configuration error: Rule set name \"$name\" already used in \"$test_chain\"\n"); | |
- exit 1; | |
- } | |
- } elsif ("$test_rule_hash{$test_rule}" eq 'changed') { | |
- my $test_node = new Vyatta::IpTables::Rule; | |
- $test_node->setup("$tree $name rule $test_rule"); | |
- $test_node->set_ip_version($ip_version_hash{$tree}); | |
- my ($err_str, @rule_strs) = $test_node->rule(); | |
- if (defined($err_str)) { | |
- Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: $err_str\n"); | |
- exit 1; | |
- } | |
- } elsif ("$test_rule_hash{$test_rule}" eq 'deleted') { | |
- if (Vyatta::IpTables::Mgr::chain_referenced($table, $name, $iptables_cmd)) { | |
- # Disallow deleting a chain if it's still referenced | |
- Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: Cannot delete rule set \"$name\" (still in use)\n"); | |
- exit 1; | |
+ if ("$test_rule_hash{$test_rule}" ne 'deleted') { | |
+ $all_rules_deleted = 0; | |
+ | |
+ if ("$test_rule_hash{$test_rule}" eq 'static') { | |
+ next; | |
+ } elsif ("$test_rule_hash{$test_rule}" eq 'added') { | |
+ my $test_node = new Vyatta::IpTables::Rule; | |
+ $test_node->setup("$tree $name rule $test_rule"); | |
+ $test_node->set_ip_version($ip_version_hash{$tree}); | |
+ my ($err_str, @rule_strs) = $test_node->rule(); | |
+ if (defined($err_str)) { | |
+ Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: $err_str\n"); | |
+ exit 1; | |
+ } | |
+ my $test_chain = chain_configured(2, $name, $tree); | |
+ if (defined($test_chain)) { | |
+ # Chain name must be unique in both trees | |
+ Vyatta::Config::outputError([$tree,$name], "Firewall configuration error: Rule set name \"$name\" already used in \"$test_chain\"\n"); | |
+ exit 1; | |
+ } | |
+ } elsif ("$test_rule_hash{$test_rule}" eq 'changed') { | |
+ my $test_node = new Vyatta::IpTables::Rule; | |
+ $test_node->setup("$tree $name rule $test_rule"); | |
+ $test_node->set_ip_version($ip_version_hash{$tree}); | |
+ my ($err_str, @rule_strs) = $test_node->rule(); | |
+ if (defined($err_str)) { | |
+ Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: $err_str\n"); | |
+ exit 1; | |
+ } | |
} | |
} | |
} | |
+ | |
+ if ($all_rules_deleted and Vyatta::IpTables::Mgr::chain_referenced($table, $name, $iptables_cmd)) { | |
+ # Disallow deleting a chain if it's still referenced | |
+ Vyatta::Config::outputError([$tree,$name],"Firewall configuration error: Cannot delete rule set \"$name\" (still in use)\n"); | |
+ exit 1; | |
+ } | |
+ | |
+ | |
if ($nodes{$name} eq 'static') { | |
# not changed. check if stateful. | |
-- | |
2.1.4 | |
File Metadata
File Metadata
- Mime Type
- text/x-diff
- Storage Engine
- amazon-s3
- Storage Format
- Raw Data
- Storage Handle
- phabricator/hv/me/pcgbai43jctkb5f4
- Default Alt Text
- 0001-Fix-T484-Rules-can-t-be-deleted-from-firewall-rule-s.patch (4 KB)