From 645378fbb9f8540ace66bd3a9be70583b6e15a6f Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Fri, 5 Feb 2016 10:24:03 +0000 Subject: [PATCH] firewall: Fix MAC filter Packets destined for the firewall coming in from the blue device where accepted too early to be processed by the firewall input chain rules. Signed-off-by: Michael Tremer --- config/firewall/firewall-policy | 5 +++++ src/misc-progs/wirelessctrl.c | 6 +++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy index 4ba1ace8ce..cbba3b021a 100755 --- a/config/firewall/firewall-policy +++ b/config/firewall/firewall-policy @@ -60,6 +60,11 @@ HAVE_OPENVPN="true" # Allow access from GREEN iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT +# Allow access from BLUE +if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then + iptables -A POLICYIN -i "${BLUE_DEV}" -j ACCEPT +fi + # IPsec INPUT case "${HAVE_IPSEC},${POLICY}" in true,MODE1) ;; diff --git a/src/misc-progs/wirelessctrl.c b/src/misc-progs/wirelessctrl.c index b2d3716623..1e166eb3da 100644 --- a/src/misc-progs/wirelessctrl.c +++ b/src/misc-progs/wirelessctrl.c @@ -126,21 +126,21 @@ int main(void) { if (strcmp(enabled, "on") == 0) { /* both specified, added security */ if ((strlen(macaddress) == 17) && (VALID_IP_AND_MASK(ipaddress))) { - snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev); + snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev); safe_system(command); snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev); safe_system(command); } else { /* correctly formed mac address is 17 chars */ if (strlen(macaddress) == 17) { - snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev); + snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev); safe_system(command); snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev); safe_system(command); } if (VALID_IP_AND_MASK(ipaddress)) { - snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev); + snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -s %s -i %s -j RETURN", ipaddress, blue_dev); safe_system(command); snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -s %s -i %s -j RETURN", ipaddress, blue_dev); safe_system(command); -- 2.39.5