Forward Firewall: Bugfix: ICMP rules were applied double
authorAlexander Marx <amarx@ipfire.org>
Thu, 25 Jul 2013 08:36:36 +0000 (10:36 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 9 Aug 2013 12:49:35 +0000 (14:49 +0200)
config/forwardfw/rules.pl

index 9f23c54e0a5b0fc47472919b9d2d34726f5fdbea..07f3abd1eaa6d02ebc915f97c3f61b198de1cfaa 100755 (executable)
@@ -297,7 +297,9 @@ sub buildrules
                                                                        if ($$hash{$key}[17] eq 'ON'){
                                                                                        print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
                                                                        }
-                                                                       print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+                                                                       if ($PROT ne '-p ICMP'){
+                                                                               print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+                                                                       }
                                                                }                               
                                                        }
                                                }
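Review bot: The guard added at `if ($PROT ne '-p ICMP'){` decides whether a rule is ICMP by exact string comparison on $PROT, while the ICMP branch this guard is meant to complement (hunk @@ -314) detects ICMP from `substr($DPORT, 2, 4) eq 'icmp'`; if $PROT is ever built with different spacing or case (e.g. `-p icmp`), the two tests disagree and the rule is either still emitted twice or, worse for a DROP/REJECT rule, not emitted at all. Computing a single predicate once, e.g. `my $is_icmp = ($PROT =~ m{\A-p\s+icmp\z}i);`, and using it in both the ICMP branch and this guard would keep them in step. The same guard is added to the `system` path in hunk @@ -349. buildrules starts and ends outside the hunk.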
@@ -314,6 +316,7 @@ sub buildrules
                                                        if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
                                                                if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
                                                                        if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
+                                                                       #Process ICMP RULE
                                                                        if(substr($DPORT, 2, 4) eq 'icmp'){
                                                                                my @icmprule= split(",",substr($DPORT, 12,));
                                                                                foreach (@icmprule){
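Review bot: The new comment `#Process ICMP RULE` does not record what makes the branch below ICMP-specific, which is the fixed layout of $DPORT that `substr($DPORT, 2, 4) eq 'icmp'` and `substr($DPORT, 12,)` depend on. A comment stating that assumption would help the next reader, e.g. `# ICMP rule: $DPORT is expected as "--icmp-type t1,t2,..."; the substr offsets below rely on that exact layout`. Whether $DPORT always has that form cannot be seen from the hunk, since it is set outside it; buildrules also continues outside the hunk.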
@@ -322,6 +325,7 @@ sub buildrules
                                                                                        }
                                                                                        system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]");
                                                                                }
+                                                                       #PROCESS DNAT RULE (Portforward)
                                                                        }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
                                                                                $natchain='NAT_DESTINATION';
                                                                                if ($$hash{$key}[17] eq 'ON'){
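Review bot: The comment `#PROCESS DNAT RULE (Portforward)` is placed inside the ICMP branch, just before its closing brace, rather than inside the DNAT branch it describes; the same placement is used for `#PROCESS SNAT RULE` in hunk @@ -342. Moving each comment to the line after its `}elsif(...){` keeps it with the code it annotates, e.g. `}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){` followed by `#PROCESS DNAT RULE (Portforward)`. The enclosing if/elsif chain and buildrules continue outside the hunk.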
@@ -342,6 +346,7 @@ sub buildrules
                                                                                }
                                                                                system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
                                                                                next;
+                                                                       #PROCESS SNAT RULE
                                                                        }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
                                                                                $natchain='NAT_SOURCE';
                                                                                system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
@@ -349,7 +354,10 @@ sub buildrules
                                                                        if ($$hash{$key}[17] eq 'ON'){
                                                                                system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
                                                                        }
-                                                                       system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+                                                                       #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
+                                                                       if ($PROT ne '-p ICMP'){
+                                                                               system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+                                                                       }
                                                                }                               
                                                        }
                                                }
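Review bot: The relocated `system "iptables -A $$hash{$key}[1] $PROT $STAG ... -j $$hash{$key}[0]\n";` still discards the return value of system, so an iptables failure leaves the rule silently missing from the chain, which for a DROP/REJECT rule means the running firewall is more open than the configuration says. Checking the status, e.g. `system("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]") == 0 or warn "iptables -A $$hash{$key}[1] failed for rule $key: $?";`, makes such failures visible in the log. The ICMP `system (...)` call at @@ -322 and the NAT call visible as context in this hunk have the same gap but are not touched by the commit. buildrules starts and ends outside the hunk.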