Forward Firewall: Bugfix: When having more than 1 ICMP rule in a group, the rule...
authorAlexander Marx <amarx@ipfire.org>
Mon, 4 Mar 2013 19:56:20 +0000 (20:56 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 9 Aug 2013 12:11:54 +0000 (14:11 +0200)
Also changed (INPUT) to (Input) in firewall-options

config/forwardfw/rules.pl
langs/de/cgi-bin/de.pl

index 0ff153d6175f5487d4d3364d389a2c2e5ff4ec49..d4006846d589dcf99bd1994c051df0e7d38228e5 100755 (executable)
@@ -120,7 +120,6 @@ if($param eq 'flush'){
                                        system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN");
                                }
                        }
-                       
                        &p2pblock;
                        system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
                        system ("/usr/sbin/firewall-policy");
@@ -230,10 +229,20 @@ sub buildrules
                                                        if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
                                                                if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
                                                                        if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
-                                                                       if ($$hash{$key}[17] eq 'ON'){
-                                                                               print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+                                                                       if(substr($DPORT, 2, 4) eq 'icmp'){
+                                                                               my @icmprule= split(",",substr($DPORT, 12,));
+                                                                               foreach (@icmprule){
+                                                                                       if ($$hash{$key}[17] eq 'ON'){
+                                                                                               print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n";
+                                                                                       }
+                                                                                       print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n"; 
+                                                                               }
+                                                                       }else{
+                                                                               if ($$hash{$key}[17] eq 'ON'){
+                                                                                       print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+                                                                               }
+                                                                               print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; 
                                                                        }
-                                                                       print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; 
                                                                }                               
                                                        }
                                                }
@@ -250,10 +259,20 @@ sub buildrules
                                                        if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
                                                                if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
                                                                        if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
-                                                                       if ($$hash{$key}[17] eq 'ON'){
-                                                                               system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
+                                                                       if(substr($DPORT, 2, 4) eq 'icmp'){
+                                                                               my @icmprule= split(",",substr($DPORT, 12,));
+                                                                               foreach (@icmprule){
+                                                                                       if ($$hash{$key}[17] eq 'ON'){
+                                                                                               system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG");
+                                                                                       }
+                                                                                       system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]"); 
+                                                                               }
+                                                                       }else{
+                                                                               if ($$hash{$key}[17] eq 'ON'){
+                                                                                       system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
+                                                                               }
+                                                                               system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]"); 
                                                                        }
-                                                                       system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]"); 
                                                                }                               
                                                        }
                                                }
index 4c430770e1e80cc2fb6b1aba7b95d1eaed2b82e7..1c66d49aca593b03f049e2831d986b4c068eadd3 100644 (file)
 'driver' => 'Treiber',
 'drop action' => 'Standardverhalten der (Forward) Firewall in Modus "Blocked"',
 'drop action1' => 'Standardverhalten der (Outgoing) Firewall in Modus "Blocked"',
-'drop action2' => 'Standardverhalten der (INPUT) Firewall',
+'drop action2' => 'Standardverhalten der (Input) Firewall',
 'drop input' => 'Verworfene Input Pakete loggen',
 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen',
 'drop forward' => 'Verworfene (Forward) Firewall-Pakete loggen',