From: Alexander Marx Date: Tue, 21 Jan 2014 10:25:35 +0000 (+0100) Subject: Firewall: Bugfix - when using addressgroups with mac addresses in source, the mac... X-Git-Tag: v2.15-beta2~80 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d334d7cb47ad4b55a24d54ff7f7081e9bb60ed1c;p=ipfire-2.x.git Firewall: Bugfix - when using addressgroups with mac addresses in source, the mac rule was not correctly created. Further MAC issues: in target area, the manual ip field was target ip/mac address - changed to IP-Address Also implemented a plausicheck, if an addressgroup with mac addresses is used in target area, theres a hint saying that the rule will not be applied for mac hosts
---
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index d0a9e20b75..f26ae5f394 100755
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -259,6 +259,8 @@ sub buildrules
 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
 foreach my $a (sort keys %sourcehash){
 foreach my $b (sort keys %targethash){
+ next if ($targethash{$b}[0] eq 'none');
+ $STAG='';
 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
 if($DPROT ne ''){
 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
@@ -341,6 +343,8 @@ sub buildrules
 }
 foreach my $a (sort keys %sourcehash){
 foreach my $b (sort keys %targethash){
+ next if ($targethash{$b}[0] eq 'none');
+ $STAG='';
 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
 if($DPROT ne ''){
 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
index ee13033614..86cba60ccb 100644
--- a/html/cgi-bin/firewall.cgi
+++ b/html/cgi-bin/firewall.cgi
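Review bot: The added `next if ($targethash{$b}[0] eq 'none');` leaves the `$targethash{$b}[0] ne 'none'` clause in the `if` directly below it always true, and that condition still mixes `&&` and `||` without parentheses, which makes it hard to audit in code that emits firewall rules. With the guard in place it can be reduced to `if ($sourcehash{$a}[0] ne $targethash{$b}[0] || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){`, which is equivalent once 'none' targets are skipped; the same applies to the second hunk at `@@ -341`. The `$STAG='';` reset deserves a comment such as `# reset per source/target pair so a MAC source does not inherit "-s" from the previous pair`, since the only assignment visible here sets it for non-MAC sources and nothing visible clears it. Skipped targets produce no rule and nothing is logged at this point, so the UI hint is presumably the only signal that a host in the group is left uncovered. buildrules starts and ends outside both hunks.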
@@ -609,6 +609,19 @@ sub checktarget $errormessage.=$Lang::tr{'fwdfw err notgtip'}; return $errormessage; } + #check for mac in targetgroup + if ($fwdfwsettings{'grp2'} eq 'cust_grp_tgt'){ + &General::readhasharray("$configgrp", \%customgrp); + &General::readhasharray("$confighost", \%customhost); + foreach my $grpkey (sort keys %customgrp){ + foreach my $hostkey (sort keys %customhost){ + if ($customgrp{$grpkey}[2] eq $customhost{$hostkey}[0] && $customhost{$hostkey}[1] eq 'mac'){ + $hint=$Lang::tr{'fwdfw hint mac'}; + return $hint; + } + } + } + } #check empty fields if ($fwdfwsettings{$fwdfwsettings{'grp2'}} eq ''){ $errormessage.=$Lang::tr{'fwdfw err notgt'}."
";} #check tgt services @@ -1403,24 +1416,7 @@ sub hint print "$hint\n"; print " \n"; &Header::closebox(); - print"
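Review bot: The new MAC check in checktarget ends with `return $hint;`, which leaves the function before the `#check empty fields` and `#check tgt services` validation that follows it, so a target group containing a MAC host is no longer checked for those errors. Record the hint and fall through instead: label the outer loop `GRP: foreach my $grpkey (sort keys %customgrp){` and replace the return with `last GRP;`. The inner condition also never compares the group entry with the group selected in `$fwdfwsettings{$fwdfwsettings{'grp2'}}`, so as written any custom group that holds a MAC host appears to trigger the hint; a clause on the entry's group-name field is needed (which index holds the name is not visible here). The other exit visible in this hunk returns `$errormessage`, so the caller may treat the returned hint text as an error, which is worth confirming. checktarget starts and ends outside the hunk.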
"; - } -} -sub inc_counter -{ - my $config=shift; - my %hash=%{(shift)}; - my $val=shift; - my $pos; - - &General::readhasharray($config, \%hash); - foreach my $key (sort { uc($hash{$a}[0]) cmp uc($hash{$b}[0]) } keys %hash){ - if($hash{$key}[0] eq $val){ - $pos=$#{$hash{$key}}; - $hash{$key}[$pos] = $hash{$key}[$pos]+1; - } } - &General::writehasharray($config, \%hash); } sub newrule { diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index c93234bf39..6fa813a9ff 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -959,6 +959,7 @@ 'fwdfw from' => 'Von:', 'fwdfw hint ip1' => 'Die zuletzt erzeugte Regel mag eventuell niemals zutreffen, da sich Quelle und Ziel überlappen.', 'fwdfw hint ip2' => 'Bitte überprüfen Sie, ob diese Regel Sinn macht: ', +'fwdfw hint mac' => 'Sie nutzen MAC-Adressen in der Zielgruppe. Diese werden bei der Regelerstellung übersprungen.', 'fwdfw iface' => 'Interface', 'fwdfw ipsec network' => 'IPsec-Netzwerke:', 'fwdfw log' => 'Log', @@ -988,7 +989,7 @@ 'fwdfw sourceip' => 'Quelladresse (IP/MAC-Adresse oder Netzwerk):', 'fwdfw std network' => 'Standard Netzwerke:', 'fwdfw target' => 'Ziel', -'fwdfw targetip' => 'Zieladresse (IP/MAC-Adresse oder Netzwerk):', +'fwdfw targetip' => 'Zieladresse (IP-Adresse oder Netzwerk):', 'fwdfw till' => 'Bis:', 'fwdfw time' => 'Zeitrahmen', 'fwdfw timeframe' => 'Zeitrahmen hinzufügen', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 67b5dd500a..173b8f0536 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -985,6 +985,7 @@ 'fwdfw from' => 'From:', 'fwdfw hint ip1' => 'The last generated rule may never match, because source and destination subnets may overlap.', 'fwdfw hint ip2' => 'Please double-check if this rule makes sense: ', +'fwdfw hint mac' => 'The destination group contains MAC addresses, which will be skipped during rule creation.', 'fwdfw iface' => 'Interface', 'fwdfw ipsec network' => 'IPsec networks:', 'fwdfw log' => 'Log', 
@@ -1014,7 +1015,7 @@
 'fwdfw sourceip' => 'Source address (MAC/IP address or network):',
 'fwdfw std network' => 'Standard networks:',
 'fwdfw target' => 'Destination',
-'fwdfw targetip' => 'Destination address (MAC/IP address or network):',
+'fwdfw targetip' => 'Destination address (IP address or network):',
 'fwdfw till' => 'Until:',
 'fwdfw time' => 'Time Constraints',
 'fwdfw timeframe' => 'Use time constraints',