Firewall: Bugfix: wrong counter when using selfdefinded services in a rule that could...
authorAlexander Marx <amarx@ipfire.org>
Fri, 27 Sep 2013 08:16:52 +0000 (10:16 +0200)
committerAlexander Marx <amarx@ipfire.org>
Fri, 27 Sep 2013 08:16:52 +0000 (10:16 +0200)
Bugfix: When using ICMP-ALL in a rule, the rule was not applied
Bugfix: When using selfdefined services (icmp) and group them together. Then when using these services/groups in a rule and afterwards changing the service, the edited service was not applied

config/forwardfw/rules.pl
html/cgi-bin/forwardfw.cgi
html/cgi-bin/fwhosts.cgi

index 370b7ecfb17d938848739a3fbc489c469741a03c..3f491f79465906cf08c30426e43f6f65e7206f86 100755 (executable)
@@ -146,8 +146,10 @@ sub buildrules
        my $nat;
        my $fwaccessdport;
        my $natchain;
+       my $icmptype;
        foreach my $key (sort {$a <=> $b} keys %$hash){
                next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' );
+               $command="iptables -A";
                if ($$hash{$key}[28] eq 'ON'){
                        $command='iptables -t nat -A';
                        $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]);
@@ -260,10 +262,15 @@ sub buildrules
                                                                        if(substr($DPORT, 2, 4) eq 'icmp'){
                                                                                my @icmprule= split(",",substr($DPORT, 12,));
                                                                                foreach (@icmprule){
+                                                                                       $icmptype="--icmp-type ";
+                                                                                       if ($_ eq "BLANK") {
+                                                                                                       $icmptype="";
+                                                                                                       $_="";
+                                                                                       }
                                                                                        if ($$hash{$key}[17] eq 'ON'){
-                                                                                               print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n";
+                                                                                               print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG\n";
                                                                                        }
-                                                                                       print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n";
+                                                                                               print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]\n";
                                                                                }
                                                                        }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
                                                                                $natchain='NAT_DESTINATION';
@@ -289,7 +296,7 @@ sub buildrules
                                                                                $natchain='NAT_SOURCE';
                                                                                print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
                                                                        }
-                                                                       if ($$hash{$key}[17] eq 'ON'){
+                                                                       if ($$hash{$key}[17] eq 'ON' ){
                                                                                        print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
                                                                        }
                                                                        if ($PROT ne '-p ICMP'){
@@ -315,10 +322,15 @@ sub buildrules
                                                                        if(substr($DPORT, 2, 4) eq 'icmp'){
                                                                                my @icmprule= split(",",substr($DPORT, 12,));
                                                                                foreach (@icmprule){
+                                                                                       $icmptype="--icmp-type ";
+                                                                                       if ($_ eq "BLANK") {
+                                                                                                       $icmptype="";
+                                                                                                       $_="";
+                                                                                       }
                                                                                        if ($$hash{$key}[17] eq 'ON'){
-                                                                                               system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG");
+                                                                                               system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG");
                                                                                        }
-                                                                                       system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]");
+                                                                                               system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]");
                                                                                }
                                                                        #PROCESS DNAT RULE (Portforward)
                                                                        }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
@@ -346,7 +358,7 @@ sub buildrules
                                                                                $natchain='NAT_SOURCE';
                                                                                system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
                                                                        }
-                                                                       if ($$hash{$key}[17] eq 'ON'){
+                                                                       if ($$hash{$key}[17] eq 'ON' && substr($DPORT, 2, 4) ne 'icmp'){
                                                                                system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
                                                                        }
                                                                        #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
index e3bbe5900156c7a45a77eaf8949d9c960b9c5656..405a97dbc36df247d7ff279a9ac4db7884efd667 100755 (executable)
@@ -183,19 +183,21 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
                                $fwdfwsettings{'nosave2'} = 'on';
                        }
                }
-               &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
-               if ($fwdfwsettings{'nobase'} ne 'on'){
-                       &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}});
-               }
-               if($fwdfwsettings{'oldusesrv'} eq '' &&  $fwdfwsettings{'USESRV'} eq 'ON'){
-                       &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
-               }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') {
-                       &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0);
-               }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){
-                       &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
-               }
-               if($fwdfwsettings{'nosave2'} ne 'on'){
-                       &saverule(\%configinputfw,$configinput);
+               if (!$errormessage){
+                       &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
+                       if ($fwdfwsettings{'nobase'} ne 'on'){
+                               &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}});
+                       }
+                       if($fwdfwsettings{'oldusesrv'} eq '' &&  $fwdfwsettings{'USESRV'} eq 'ON'){
+                               &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+                       }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') {
+                               &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0);
+                       }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){
+                               &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+                       }
+                       if($fwdfwsettings{'nosave2'} ne 'on'){
+                               &saverule(\%configinputfw,$configinput);
+                       }
                }
        }elsif($fwdfwsettings{'grp1'} eq 'ipfire_src' ){
        # OUTGOING PART
@@ -237,20 +239,22 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
                        }
                }
                #increase counters
-               &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
-               &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}});
-               if($fwdfwsettings{'oldusesrv'} eq '' &&  $fwdfwsettings{'USESRV'} eq 'ON'){
-                       &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
-               }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') {
-                       &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0);
-               }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){
-                       &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
-               }
-               if ($fwdfwsettings{'nobase'} eq 'on'){
-                       &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
-               }
-               if ($fwdfwsettings{'nosave2'} ne 'on'){
-                       &saverule(\%configoutgoingfw,$configoutgoing);
+               if (!$errormessage){
+                &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
+                &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}});
+                       if($fwdfwsettings{'oldusesrv'} eq '' &&  $fwdfwsettings{'USESRV'} eq 'ON'){
+                               &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+                       }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') {
+                               &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0);
+                       }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){
+                               &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+                       }
+                       if ($fwdfwsettings{'nobase'} eq 'on'){
+                               &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+                       }
+                       if ($fwdfwsettings{'nosave2'} ne 'on'){
+                               &saverule(\%configoutgoingfw,$configoutgoing);
+                       }
                }
        }else{
                #FORWARD PART
@@ -292,21 +296,23 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
                        }
                }
                #increase counters
-               &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
-               &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}});
-               if($fwdfwsettings{'oldusesrv'} eq '' &&  $fwdfwsettings{'USESRV'} eq 'ON'){
-                       &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
-               }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') {
-                       &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0);
-               }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){
-                       &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
-               }
-               if ($fwdfwsettings{'nobase'} eq 'on'){
-                       &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
-               }
-               if ($fwdfwsettings{'nosave2'} ne 'on'){
-                       &saverule(\%configfwdfw,$configfwdfw);
-               }       
+               if (!$errormessage){
+                       &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
+                       &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}});
+                       if($fwdfwsettings{'oldusesrv'} eq '' &&  $fwdfwsettings{'USESRV'} eq 'ON'){
+                               &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+                       }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') {
+                               &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0);
+                       }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){
+                               &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+                       }
+                       if ($fwdfwsettings{'nobase'} eq 'on'){
+                               &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}});
+                       }
+                       if ($fwdfwsettings{'nosave2'} ne 'on'){
+                               &saverule(\%configfwdfw,$configfwdfw);
+                       }
+               }
        }
        if ($errormessage){
                &newrule;
index 7ed27c4f600d7adef21fb15d0a04a9ac591aef83..2d4c69f6a5d388ec8deb6d49234a7805d5748d6e 100755 (executable)
@@ -47,8 +47,7 @@ my %ipsecsettings=();
 my %fwfwd=();
 my %fwinp=();
 my %ovpnsettings=();
-my %ipsecconf=();
-my %ipsecsettings=();
+
 
 my $errormessage;
 my $hint;
@@ -65,7 +64,6 @@ my $fwconfigfwd               = "${General::swroot}/forward/config";
 my $fwconfiginp                = "${General::swroot}/forward/input";
 my $configovpn         = "${General::swroot}/ovpn/settings";
 my $tdcolor='';
-my $configipsec                = "${General::swroot}/vpn/config";
 my $configipsecrw      = "${General::swroot}/vpn/settings";
 
 unless (-e $confignet)    { system("touch $confignet"); }
@@ -179,6 +177,13 @@ if ($fwhostsettings{'ACTION'} eq 'updateservice')
                        $fwhostsettings{'ICMP_TYPES'}='BLANK';
                }
                my $key1 = &General::findhasharraykey(\%customservice);
+               #find out short ICMP-TYPE
+               &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes);
+               foreach my $key (keys %icmptypes){
+                       if ("$icmptypes{$key}[0] ($icmptypes{$key}[1])" eq $fwhostsettings{'ICMP_TYPES'}){
+                                       $fwhostsettings{'ICMP_TYPES'}=$icmptypes{$key}[0];
+                       }
+               }
                foreach my $i (0 .. 4) { $customservice{$key1}[$i] = "";}
                $customservice{$key1}[0] = $fwhostsettings{'SRV_NAME'};
                $customservice{$key1}[1] = $fwhostsettings{'SRV_PORT'};
@@ -222,15 +227,22 @@ if ($fwhostsettings{'ACTION'} eq 'updateservice')
                if($count gt 0 && $fwhostsettings{'oldsrvprot'} ne $fwhostsettings{'PROT'} ){
                        $needrules='on';
                }
+               if($count gt 0 && $fwhostsettings{'oldsrvicmp'} ne $fwhostsettings{'ICMP'} ){
+                       $needrules='on';
+               }
                $fwhostsettings{'SRV_NAME'}     = '';
                $fwhostsettings{'SRV_PORT'}     = '';
                $fwhostsettings{'PROT'}         = '';
+               $fwhostsettings{'ICMP'}         = '';
+               $fwhostsettings{'oldsrvicmp'} = '';
        }else{
                $fwhostsettings{'SRV_NAME'}     = $fwhostsettings{'oldsrvname'};
                $fwhostsettings{'SRV_PORT'}     = $fwhostsettings{'oldsrvport'};
                $fwhostsettings{'PROT'}         = $fwhostsettings{'oldsrvprot'};
+               $fwhostsettings{'ICMP'}         = $fwhostsettings{'oldsrvicmp'};
                $fwhostsettings{'updatesrv'}= 'on';
        }
+       $fwhostsettings{'updatesrv'} = '';
        if($needrules eq 'on'){
                &rules;
        }
@@ -1289,6 +1301,7 @@ sub addservice
                $fwhostsettings{'oldsrvname'} = $fwhostsettings{'SRV_NAME'};
                $fwhostsettings{'oldsrvport'} = $fwhostsettings{'SRV_PORT'};
                $fwhostsettings{'oldsrvprot'} = $fwhostsettings{'PROT'};
+               $fwhostsettings{'oldsrvicmp'} = $fwhostsettings{'ICMP'};
        }
        print<<END;
        <table width='100%' border='0'><form method='post'>
@@ -1311,9 +1324,12 @@ END
        &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes);
        print"<option>All ICMP-Types</option>";
        foreach my $key (sort { ncmp($icmptypes{$a}[0],$icmptypes{$b}[0]) }keys %icmptypes){
-               print"<option>$icmptypes{$key}[0] ($icmptypes{$key}[1])</option>";
+               if ($icmptypes{$key}[0] eq $fwhostsettings{'oldsrvicmp'}){
+                       print"<option selected>$icmptypes{$key}[0] ($icmptypes{$key}[1])</option>";
+               }else{
+                       print"<option>$icmptypes{$key}[0] ($icmptypes{$key}[1])</option>";
+               }
        }
-       
        print<<END;
        </select></td></tr>
        <tr><td width='10%'>$Lang::tr{'fwhost port'}:</td><td><input type='text' name='SRV_PORT' value='$fwhostsettings{'SRV_PORT'}' maxlength='11' size='24'></td></tr>
@@ -1327,7 +1343,9 @@ END
                <input type='hidden' name='ACTION' value='updateservice'>
                <input type='hidden' name='oldsrvname' value='$fwhostsettings{'oldsrvname'}'>
                <input type='hidden' name='oldsrvport' value='$fwhostsettings{'oldsrvport'}'>
-               <input type='hidden' name='oldsrvprot' value='$fwhostsettings{'oldsrvprot'}'></form>
+               <input type='hidden' name='oldsrvprot' value='$fwhostsettings{'oldsrvprot'}'>
+               <input type='hidden' name='oldsrvicmp' value='$fwhostsettings{'oldsrvicmp'}'>
+               </form>
 END
                
        }else{  
@@ -1647,7 +1665,8 @@ END
                        <td width='1%'><form method='post'><input type='image' src='/images/edit.gif' align='middle' alt=$Lang::tr{'edit'} title=$Lang::tr{'edit'} /><input type='hidden' name='ACTION' value='editservice' />
                        <input type='hidden' name='SRV_NAME' value='$customservice{$key}[0]' />
                        <input type='hidden' name='SRV_PORT' value='$customservice{$key}[1]' />
-                       <input type='hidden' name='PROT' value='$customservice{$key}[2]' /></form></td>
+                       <input type='hidden' name='PROT' value='$customservice{$key}[2]' />
+                       <input type='hidden' name='ICMP' value='$customservice{$key}[3]' /></form></td>
 END
                        if ($customservice{$key}[4] eq '0')
                        {