Forward Firewall: Minor changes...
authorAlexander Marx <amarx@ipfire.org>
Sat, 19 Jan 2013 19:51:12 +0000 (20:51 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 9 Aug 2013 12:08:12 +0000 (14:08 +0200)
1) improved convert-outgoingfw: the source was wrong when the interface was tun+
2) target always had a ":" in the rule table
3) convert-outgoingfw bugfix: ports were not cleared for the next rule

config/backup/backup.pl
config/forwardfw/convert-outgoingfw
html/cgi-bin/forwardfw.cgi
lfs/configroot

index 0d75853211035cfb3758f2ffbf6787c59f5c4bf1..28129e46ecc9747e8f588e1801f15fe5096e9c2f 100644 (file)
@@ -64,14 +64,12 @@ elsif ($ARGV[0] eq 'restore') {
   system("cd / && tar -xvz -p -f /tmp/restore.ipf");
   #Here some converter scripts to correct old Backups (before core 65)
   system("/usr/sbin/ovpn-ccd-convert");
-  system("/usr/sbin/convert-xtaccess");
-  system("/usr/sbin/convert-outgoingfw");
-  
-  #clean up system, if an old backup was restored
   if( -d "/var/ipfire/outgoing"){
+         system("/usr/sbin/convert-outgoingfw");
          rmtree("/var/ipfire/outgoing");
   }
   if( -d "/var/ipfire/xtaccess"){
+         system("/usr/sbin/convert-xtaccess");
          rmtree("/var/ipfire/xtaccess");
   }
  }
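Review bot: Neither `system("/usr/sbin/convert-outgoingfw")` nor `system("/usr/sbin/convert-xtaccess")` has its exit status checked, so the `rmtree` that follows deletes the old rule directory even when the converter failed or could not be executed. After a restore that would leave the system with neither the old outgoing / external-access rules nor a converted replacement. Make each deletion conditional on success, e.g. `if (system("/usr/sbin/convert-outgoingfw") == 0) { rmtree("/var/ipfire/outgoing"); }`, and report the failure otherwise. The enclosing `elsif ($ARGV[0] eq 'restore')` block starts outside the hunk.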
index cef4f0c1cd826c0f8d681f52efedbee39fe66549..e94692abe7c378a50b94a046c41dff6348863409 100644 (file)
@@ -182,10 +182,12 @@ sub new_hostgrp
                                $groups{$grpkey}[4]     = 0;
                        }
                }
+               @hostarray=();
        }
        &General::writehasharray($confighosts,\%hosts);
        &General::writehasharray($configgroups,\%groups);
        &General::writehasharray($confignets,\%nets);
+       
 }
 sub check_host
 {
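Review bot: `@hostarray=();` is reset at the bottom of the loop body, which only helps while every path through an iteration reaches that line; the loop starts outside the hunk, so that cannot be confirmed here. Declaring the array inside the loop (`my @hostarray;` as the first statement of the body) would rule out stale entries instead of depending on a trailing reset. The same pattern is in the process_rules hunk that adds `@parts=();` after `$port=join("|",@values);`: a `next` is visible a few lines above it, and if that `next` belongs to the per-rule loop, the resets of `@values` and `@parts` are skipped and the following rule could inherit ports from this one. There, `@values=(); @parts=();` would be safer placed beside the new `$port='';` at the top of the loop.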
@@ -251,8 +253,10 @@ sub process_rules
        foreach my $rule (@lines)
        {
                chomp($rule);
+               $port='';
                print LOG "processing: $rule\n";
-               my @configline = split( /\;/, $rule );
+               my @configline=();
+               @configline = split( /\;/, $rule );
                my @prot=();
                if($configline[0] eq $type){
                        #some variables we can use from old config
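Review bot: Splitting the declaration into `my @configline=();` followed by `@configline = split( /\;/, $rule );` changes nothing, because `my` inside the loop body already gives every iteration a fresh, empty array. The previous single line `my @configline = split( /\;/, $rule );` says the same thing. The new `$port='';` at the top of the loop is the part that actually stops ports carrying over; since `$port` appears to be declared outside this loop, a comment such as `# clear per-rule state so a rule without ports does not reuse the previous value` would record why it is there. process_rules continues outside the hunk.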
@@ -262,7 +266,6 @@ sub process_rules
                                push(@prot,"udp");
                                $useport='ON';
                                $grp3='TGT_PORT';
-                               
                        }else{
                                push(@prot,$configline[3]);
                                $useport='ON';
@@ -270,7 +273,6 @@ sub process_rules
                        }
                        if($configline[4] ne ''){ $remark=$configline[4];}else{$remark='';}
                        if($configline[9] eq 'aktiv'){ $log='ON';}else{$log='';}
-                       
                        if($configline[10] eq 'on' && $configline[11] eq 'on' && $configline[12] eq 'on' && $configline[13] eq 'on' && $configline[14] eq 'on' && $configline[15] eq 'on' && $configline[16] eq 'on'){
                                if($configline[17] eq '00:00' && $configline[18] eq '00:00'){
                                        $time='';
@@ -307,7 +309,9 @@ sub process_rules
                                print LOG "-> Rule not converted, ipsec+ interface is obsolet since IPFire 2.7 \n";
                                next;
                        }elsif ($configline[2] eq 'ovpn') {
-                               &build_ovpn_grp;                                
+                               &build_ovpn_grp;                
+                               $grp1='cust_grp_src';
+                               $source='ovpn'          
                        }elsif ($configline[2] eq 'ip') {
                                my $z=&check_ip($configline[5]);
                                if($z){
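Review bot: `$source='ovpn'` in the new `ovpn` branch has no terminating semicolon; Perl accepts it only because it is the last statement before `}elsif`, so the next line anyone appends to this branch will break the script. Write `$source='ovpn';`. The call `&build_ovpn_grp;` uses the `&name;` form, which passes the caller's current `@_` to the callee; if the sub takes no arguments, `build_ovpn_grp();` is the clearer call (its definition is outside the hunk). Because the converted rule now names the group `ovpn` as its source, it is worth confirming that build_ovpn_grp always creates a group with exactly that name, otherwise the rule refers to a group that does not exist.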
@@ -385,9 +389,11 @@ sub process_rules
                                                        next;
                                                } 
                                         }
+                                        
                                 }
                                $port=join("|",@values);
                                @values=();
+                               @parts=();
                        }
                }else{
                        print LOG "-> Rule not converted because not for Firewall mode $outsettings{'POLICY'} (we are only converting for actual mode)\n";
index 9b4ca0d2acafe6253293825f13d104c18b0a319d..4391f12288777e621102c78a90b2a709ef278697 100755 (executable)
@@ -1654,7 +1654,6 @@ sub gettgtport
        my $key=shift;
        my $service;
        my $prot;
-
        if($hash{$key}[11] eq 'ON' && $hash{$key}[12] ne 'ICMP'){
                if($hash{$key}[14] eq 'cust_srv'){
                        &General::readhasharray("$configsrv", \%customservice);
@@ -1669,8 +1668,9 @@ sub gettgtport
                        $hash{$key}[15]=~ s/\|/,/g;
                        $service=$hash{$key}[15];
                }
-               
-               print": $service";
+               if($service){
+                       print": $service";
+               }
        }elsif($hash{$key}[11] eq 'ON' && $hash{$key}[12] eq 'ICMP'){
                print":<br>$hash{$key}[13]";
        }
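Review bot: The new `print": $service";` writes `$service` into the page without HTML-escaping, and in the `cust_srv` branch the value appears to come from the custom-service table loaded from `$configsrv`. If service names are not restricted to safe characters when they are saved (not visible here), the value should be escaped before it is printed. Separately, `if($service)` tests truthiness, so an undefined value, an empty string and the string `0` are all skipped; `if(defined $service && $service ne '')` states the intent exactly. gettgtport starts outside the hunk.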
index e0babd2359d1172e718aad5d00044a17e18a6535..4c039977b50def6f33a9aac3c6927b6b7f86f826 100644 (file)
@@ -123,6 +123,9 @@ $(TARGET) :
        # set rules.pl executable
        chmod 755 $(CONFIG_ROOT)/forward/bin/rules.pl
                
+       # set converters executable
+       chmod 755 /usr/sbin/convert-*
+       
        # Modify variables in header.pl
        sed -i -e "s+CONFIG_ROOT+$(CONFIG_ROOT)+g" \
            -e "s+VERSION+$(VERSION)+g" \
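Review bot: `chmod 755 /usr/sbin/convert-*` applies a glob to an absolute system path, so it changes the mode of every file in /usr/sbin whose name starts with `convert-`, not only the converters this target is meant to cover, and the recipe fails if nothing matches. Naming the files limits the permission change to what is intended, e.g. `chmod 755 /usr/sbin/convert-outgoingfw /usr/sbin/convert-xtaccess` (plus any other converter this build installs). The neighbouring rule uses a `$(CONFIG_ROOT)`-based path; if the build can run against a staged root, this line would need a comparable prefix. The `sed` command at the end of the hunk continues outside it.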