firewall: Fix MAC filter

Packets destined for the firewall coming in from the blue
device where accepted too early to be processed by the
firewall input chain rules.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index 4ba1ace8cec12cee5aab07082e1c8d0cc107a053..cbba3b021a4eb93bd3609ea58edaaea3cbe1353f 100755 (executable)
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -60,6 +60,11 @@ HAVE_OPENVPN="true"
 # Allow access from GREEN
 iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT
 
+# Allow access from BLUE
+if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
+       iptables -A POLICYIN -i "${BLUE_DEV}" -j ACCEPT
+fi
+
 # IPsec INPUT
 case "${HAVE_IPSEC},${POLICY}" in
        true,MODE1) ;;

diff --git a/src/misc-progs/wirelessctrl.c b/src/misc-progs/wirelessctrl.c
index b2d37166234d9f5650d7089219d89ea056639edc..1e166eb3da160f0467641d82f49cd5e2a41d3373 100644 (file)
--- a/src/misc-progs/wirelessctrl.c
+++ b/src/misc-progs/wirelessctrl.c
@@ -126,21 +126,21 @@ int main(void) {
                if (strcmp(enabled, "on") == 0) {
                        /* both specified, added security */
                        if ((strlen(macaddress) == 17) && (VALID_IP_AND_MASK(ipaddress))) {
-                               snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev);
+                               snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev);
                                safe_system(command);
                                snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev);
                                safe_system(command);
                        } else {
                                /* correctly formed mac address is 17 chars */
                                if (strlen(macaddress) == 17) {
-                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev);
+                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev);
                                        safe_system(command);
                                        snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev);
                                        safe_system(command);
                                }
 
                                if (VALID_IP_AND_MASK(ipaddress)) {
-                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev);
+                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSINPUT -s %s -i %s -j RETURN", ipaddress, blue_dev);
                                        safe_system(command);
                                        snprintf(command, STRING_SIZE-1, "/sbin/iptables --wait -A WIRELESSFORWARD -s %s -i %s -j RETURN", ipaddress, blue_dev);
                                        safe_system(command);