From 82b837cff888157358cfbfbf1a29e3dce5956ca9 Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Fri, 6 Dec 2013 08:47:11 +0100
Subject: [PATCH] Firewall: Added new feature: Now protocols can be added to servicegroups (GRE,AH,ESP,IPIP,IPV6)
---
 config/firewall/firewall-lib.pl | 5 +++-
 config/firewall/rules.pl | 6 ++++
 html/cgi-bin/fwhosts.cgi | 52 +++++++++++++++++++++++++--------
 3 files changed, 50 insertions(+), 13 deletions(-)
diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
index 8cff76bb53..fc80555079 100755
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -90,7 +90,10 @@ sub get_srvgrp_prot
 $udp=1;
 }elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'ICMP'){
 $icmp=1;
- }
+ }else{
+ #Protocols used in servicegroups
+ push (@ips,$customservicegrp{$key}[2]);
+ }
 }
 }
 if ($tcp eq '1'){push (@ips,'TCP');}
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index c54a2eb82a..d0a9e20b75 100755
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -252,6 +252,9 @@ sub buildrules
 #print rules to console
 foreach my $DPROT (@DPROT){
 $DPORT = &get_port($hash,$key,$DPROT);
+ if ($DPROT ne 'TCP' && $DPROT ne 'UDP' && $DPROT ne 'ICMP' ){
+ $DPORT='';
+ }
 $PROT=$DPROT;
 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
 foreach my $a (sort keys %sourcehash){
@@ -333,6 +336,9 @@ sub buildrules
 $DPORT = &get_port($hash,$key,$DPROT);
 $PROT=$DPROT;
 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
+ if ($DPROT ne 'TCP' && $DPROT ne'UDP' && $DPROT ne 'ICMP' ){
+ $DPORT='';
+ }
 foreach my $a (sort keys %sourcehash){
 foreach my $b (sort keys %targethash){
 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
index bc9ca85d4c..ed42404b38 100755
--- a/html/cgi-bin/fwhosts.cgi
+++ b/html/cgi-bin/fwhosts.cgi
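Review bot: The new `else` branch in get_srvgrp_prot pushes `$customservicegrp{$key}[2]` into `@ips` unvalidated and once per entry, so any group member whose protocol lookup is not TCP/UDP/ICMP — presumably including an entry whose service no longer resolves — ends up verbatim in the `-p $PROT` argument that rules.pl builds, and a protocol listed twice in a group produces duplicate rules. Restrict the branch to the protocol names the feature actually supports, e.g. `}elsif(grep { $_ eq $customservicegrp{$key}[2] } qw(GRE ESP AH IGMP IPIP IPV6)){`, and skip (or report) anything else instead of passing it through. Deduplication is the one-liner `push (@ips,$customservicegrp{$key}[2]) unless $seen{$customservicegrp{$key}[2]}++;` with `my %seen;` declared before the loop. get_srvgrp_prot starts and ends outside the hunk, so how `@ips` is consumed beyond the `-p` use visible in rules.pl cannot be confirmed here.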
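Review bot: The guard that blanks `$DPORT` for non-port protocols is duplicated in both rules.pl hunks (@@ -252 and @@ -336) with different spacing (`ne'UDP'` in the second), and in both it runs only after `&get_port` has already computed a port string that is then discarded. Computing the port once at the call site, `$DPORT = ($DPROT eq 'TCP' || $DPROT eq 'UDP' || $DPROT eq 'ICMP') ? &get_port($hash,$key,$DPROT) : '';`, replaces the three added lines in each hunk and keeps the two rule paths in step if the protocol list changes again. The same TCP/UDP/ICMP chain now exists in three places across the patch; a single helper returning whether a protocol carries ports would be safer than three hand-written copies. buildrules starts and ends outside both hunks.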
@@ -769,8 +769,8 @@ if ($fwhostsettings{'ACTION'} eq 'saveservicegrp')
 &General::readhasharray("$configsrvgrp", \%customservicegrp );
 &General::readhasharray("$configsrv", \%customservice );
 $errormessage=&checkservicegroup;
- #Check if we have more than 13 services from one Protocol in the group
- #iptables can only handle 13 ports/portranges via multiport
+ #Check if we have more than 15 services from one Protocol in the group
+ #iptables can only handle 15 ports/portranges via multiport
 foreach my $key (keys %customservicegrp){
 if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'}){
 foreach my $key1 (keys %customservice){
@@ -1030,13 +1030,15 @@ if ($fwhostsettings{'ACTION'} eq 'delgrpservice')
 if($customservicegrp{$key}[0].",".$customservicegrp{$key}[1].",".$customservicegrp{$key}[2].",".$customservicegrp{$key}[3] eq $fwhostsettings{'delsrvfromgrp'})
 {
 #decrease count from source service
- foreach my $key1 (sort keys %customservice){
- if($customservice{$key1}[0] eq $customservicegrp{$key}[2]){
- $customservice{$key1}[4]--;
- last;
+ if ($customservicegrp{$key}[2] eq 'TCP' || $customservicegrp{$key}[2] eq 'UDP'|| $customservicegrp{$key}[2] eq 'ICMP'){
+ foreach my $key1 (sort keys %customservice){
+ if($customservice{$key1}[0] eq $customservicegrp{$key}[2]){
+ $customservice{$key1}[4]--;
+ last;
+ }
 }
+ &General::writehasharray("$configsrv", \%customservice);
 }
- &General::writehasharray("$configsrv", \%customservice);
 $grpname=$customservicegrp{$key}[0];
 $grpremark=$customservicegrp{$key}[1];
 delete $customservicegrp{$key};
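Review bot: The new guard in the delgrpservice branch (@@ -1030) only decrements a service's usage counter when `$customservicegrp{$key}[2]` equals 'TCP', 'UDP' or 'ICMP', yet two lines later the same field is compared with `$customservice{$key1}[0]`, which makes it the service name rather than its protocol; a service with any other name never gets its counter decremented after removal from a group, and the `&General::writehasharray("$configsrv", ...)` the guard now wraps is skipped as well. The intent appears to be to skip the bookkeeping only for the new protocol-type entries, which would read `if ($customservicegrp{$key}[2] !~ /\A(?:GRE|ESP|AH|IGMP|IPIP|IPV6)\z/){`. The same name-versus-protocol test is added in the display branch at @@ -1766 of this file and needs the same correction. The enclosing action block starts and ends outside the hunk.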
@@ -1116,6 +1118,9 @@ if ($fwhostsettings{'ACTION'} eq 'changesrvgrpremark') &General::writehasharray("$configsrvgrp", \%customservicegrp); $fwhostsettings{'updatesrvgrp'}='on'; $fwhostsettings{'SRVGRP_REMARK'}=$fwhostsettings{'newsrvrem'}; + }elsif($fwhostsettings{'oldsrvrem'} eq $fwhostsettings{'newsrvrem'}){ + &addservicegrp; + &viewtableservicegrp; }else{ $errormessage=$Lang::tr{'fwhost err remark'}; $fwhostsettings{'SRVGRP_REMARK'}=$fwhostsettings{'oldsrvrem'}; @@ -1410,13 +1415,24 @@ END if($fwhostsettings{'updatesrvgrp'} eq 'on'){ print< - @@ -1754,6 +1770,16 @@ sub viewtableservicegrp }else{ print""; } + #Set fields if we use protocols in servicegroups + if ($customservicegrp{$key}[2] ne 'TCP' || $customservicegrp{$key}[2] ne 'UDP' || $customservicegrp{$key}[2] ne 'ICMP'){ + $port='-'; + } + if ($customservicegrp{$key}[2] eq 'GRE'){$protocol='GRE';$customservicegrp{$key}[2]="$Lang::tr{'protocol'} GRE";} + if ($customservicegrp{$key}[2] eq 'ESP'){$protocol='ESP';$customservicegrp{$key}[2]="$Lang::tr{'protocol'} ESP";} + if ($customservicegrp{$key}[2] eq 'AH'){$protocol='AH';$customservicegrp{$key}[2]="$Lang::tr{'protocol'} AH";} + if ($customservicegrp{$key}[2] eq 'IGMP'){$protocol='IGMP';$customservicegrp{$key}[2]="$Lang::tr{'protocol'} IGMP";} + if ($customservicegrp{$key}[2] eq 'IPIP'){$protocol='IPIP';$customservicegrp{$key}[2]="$Lang::tr{'protocol'} IPIP";} + if ($customservicegrp{$key}[2] eq 'IPV6'){$protocol='IPV6';$customservicegrp{$key}[2]="$Lang::tr{'protocol'} IPv6 encapsulation";} print ""; foreach my $srv (sort keys %customservice){ if ($customservicegrp{$key}[2] eq $customservice{$srv}[0]){ @@ -1766,7 +1792,12 @@ sub viewtableservicegrp if ($delflag gt '1'){ print""; } - print""; + print""; + if($customservicegrp{$key}[2] eq 'TCP' || $customservicegrp{$key}[2] eq 'UDP' || $customservicegrp{$key}[2] eq 'ICMP'){ + print ""; + }else{ + print ""; + } $helper=$customservicegrp{$key}[0]; } print"
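Review bot: The added `elsif` for an unchanged remark (@@ -1116) calls `&addservicegrp;` and `&viewtableservicegrp;` directly from the action handler, whereas the sibling branches only set `$fwhostsettings{...}` state and leave rendering to code outside the hunk; if that code still runs afterwards, the group form and table would be emitted twice. A branch that mirrors the others — `$fwhostsettings{'updatesrvgrp'}='on';` and `$fwhostsettings{'SRVGRP_REMARK'}=$fwhostsettings{'oldsrvrem'};` — keeps the control flow uniform and needs no write to disk, since nothing changed. Whether the later page code renders the table again cannot be confirmed from this hunk.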
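Review bot: In viewtableservicegrp (@@ -1754) the new `if ($customservicegrp{$key}[2] ne 'TCP' || $customservicegrp{$key}[2] ne 'UDP' || $customservicegrp{$key}[2] ne 'ICMP')` is always true — one string cannot equal all three — so `$port='-'` is set for every row including ordinary services, and as at @@ -1030 the field holds the service name, so even with `&&` the test would not do what the comment says. Limit the dash to the entries the following chain recognises: `if ($customservicegrp{$key}[2] =~ /\A(?:GRE|ESP|AH|IGMP|IPIP|IPV6)\z/){ $port='-'; }`. The six protocol `if` lines also overwrite `$customservicegrp{$key}[2]` with the display label `"$Lang::tr{'protocol'} GRE"` while rendering, so every later comparison of that field in the loop (the `eq $customservice{$srv}[0]` on the next context line and the `eq 'TCP'` test at @@ -1766) sees the label instead of the stored value, and should the hash be written back after this point the label would be persisted; keep the label in `$protocol` only and leave the hash untouched. viewtableservicegrp starts and ends outside the hunk.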
$Lang::tr{'fwhost cust service'}
$Lang::tr{'add'}


$customservicegrp{$key}[2]
"; @@ -1888,11 +1919,8 @@ sub deletefromgrp my %hash=(); &General::readhasharray("$config",\%hash); foreach my $key (keys %hash) { - $errormessage.="lese $hash{$key}[2] und $target
"; if($hash{$key}[2] eq $target){ - delete $hash{$key}; - $errormessage.="Habe $target aus Gruppe gelöscht!
"; } } &General::writehasharray("$config",\%hash); -- 2.39.5
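Review bot: Besides the two German debug assignments, the deletefromgrp hunk (@@ -1888) also removes `delete $hash{$key};`, the only statement inside `if($hash{$key}[2] eq $target)`, so the sub now reads the file, matches the entry and writes the hash back unchanged. The hunk counts (11 old, 8 new, nothing added) leave no room for a replacement statement, so the delete appears to have been dropped together with the debug cleanup by accident; restore it as `if($hash{$key}[2] eq $target){ delete $hash{$key}; }`. The sub's signature and the origin of `$target` and `$config` are outside the hunk.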