Forward Firewall: delete old portforwarding from system and fix for wlan-firewall...
authorAlexander Marx <amarx@ipfire.org>
Tue, 19 Mar 2013 04:15:20 +0000 (05:15 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 9 Aug 2013 12:11:56 +0000 (14:11 +0200)
config/rootfiles/common/misc-progs
html/cgi-bin/portfw.cgi [deleted file]
lfs/initscripts
src/initscripts/init.d/firewall
src/misc-progs/Makefile
src/misc-progs/setportfw.c [deleted file]
src/misc-progs/wirelessctrl.c

index 5102d8931461606f9c6c0b36938374d27d507f7a..2463ba2aa9e9622e3a837f4389d0372a4dc7dae8 100644 (file)
@@ -24,7 +24,6 @@ usr/local/bin/rebuildroutes
 usr/local/bin/redctrl
 #usr/local/bin/sambactrl
 usr/local/bin/setaliases
-usr/local/bin/setportfw
 usr/local/bin/smartctrl
 usr/local/bin/snortctrl
 usr/local/bin/squidctrl
diff --git a/html/cgi-bin/portfw.cgi b/html/cgi-bin/portfw.cgi
deleted file mode 100644 (file)
index 199682f..0000000
+++ /dev/null
@@ -1,1177 +0,0 @@
-#!/usr/bin/perl
-###############################################################################
-#                                                                             #
-# IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007  Michael Tremer & Christian Schmidt                      #
-#                                                                             #
-# This program is free software: you can redistribute it and/or modify        #
-# it under the terms of the GNU General Public License as published by        #
-# the Free Software Foundation, either version 3 of the License, or           #
-# (at your option) any later version.                                         #
-#                                                                             #
-# This program is distributed in the hope that it will be useful,             #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
-# GNU General Public License for more details.                                #
-#                                                                             #
-# You should have received a copy of the GNU General Public License           #
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
-#                                                                             #
-###############################################################################
-
-use strict;
-
-# enable only the following on debugging purpose
-#use warnings;
-#use CGI::Carp 'fatalsToBrowser';
-
-require '/var/ipfire/general-functions.pl';
-require "${General::swroot}/lang.pl";
-require "${General::swroot}/header.pl";
-
-#workaround to suppress a warning when a variable is used only once
-my @dummy = ( ${Header::colouryellow} );
-undef (@dummy);
-
-my %color = ();
-my %mainsettings = ();
-&General::readhash("${General::swroot}/main/settings", \%mainsettings);
-&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
-
-my %cgiparams=();
-my %selected=();
-my %checked=();
-my $prtrange1=0;
-my $prtrange2=0;
-my $errormessage = '';
-my $filename = "${General::swroot}/portfw/config";
-my $aliasfile = "${General::swroot}/ethernet/aliases";
-
-&Header::showhttpheaders();
-
-$cgiparams{'ENABLED'} = 'off';
-$cgiparams{'KEY1'} = '0';
-$cgiparams{'KEY2'} = '0';
-$cgiparams{'PROTOCOL'} = '';
-$cgiparams{'SRC_PORT'} = '';
-$cgiparams{'DEST_IP'} = '';
-$cgiparams{'DEST_PORT'} = '';
-$cgiparams{'SRC_IP'} = '';
-$cgiparams{'ORIG_IP'} = '';
-$cgiparams{'REMARK'} = '';
-$cgiparams{'OVERRIDE'} = 'off';
-$cgiparams{'ACTION'} = '';
-
-&Header::getcgihash(\%cgiparams);
-
-my $disable_all = "0";
-my $enable_all = "0";
-
-if ($cgiparams{'ACTION'} eq $Lang::tr{'add'})
-{
-       &valaddupdate();
-       
-       # Darren Critchley - if there is an error, don't waste any more time processing
-       if ($errormessage) { goto ERROR; }
-       
-       open(FILE, $filename) or die 'Unable to open config file.';
-       my @current = <FILE>;
-       close(FILE);
-       my $key1 = 0; # used for finding last sequence number used 
-       foreach my $line (@current)
-       {
-               my @temp = split(/\,/,$line);
-
-               chomp ($temp[8]);
-               if ($cgiparams{'KEY2'} eq "0"){ # if key2 is 0 then it is a portfw addition
-                       if ( $cgiparams{'SRC_PORT'} eq $temp[3] &&
-                               $cgiparams{'PROTOCOL'} eq $temp[2] &&
-                               $cgiparams{'SRC_IP'} eq $temp[7])
-                       {
-                                $errormessage =  
-                                       "$Lang::tr{'source port in use'} $cgiparams{'SRC_PORT'}";
-                       }
-                       # Check if key2 = 0, if it is then it is a port forward entry and we want the sequence number
-                       if ( $temp[1] eq "0") {
-                               $key1=$temp[0];
-                       }
-                       # Darren Critchley - Duplicate or overlapping Port range check
-                       if ($temp[1] eq "0" && 
-                               $cgiparams{'PROTOCOL'} eq $temp[2] &&
-                               $cgiparams{'SRC_IP'} eq $temp[7] &&
-                               $errormessage eq '') 
-                       {
-                               &portchecks($temp[3], $temp[5]);
-                       }
-               } else {
-                       if ( $cgiparams{'KEY1'} eq $temp[0] &&
-                               $cgiparams{'ORIG_IP'} eq $temp[8])
-                       {
-                                $errormessage =  
-                                       "$Lang::tr{'source ip in use'} $cgiparams{'ORIG_IP'}";
-                       }
-               }
-       }
-
-ERROR:
-       unless ($errormessage)
-       {
-               # Darren Critchley - we only want to store ranges with Colons
-               $cgiparams{'SRC_PORT'} =~ tr/-/:/; 
-               $cgiparams{'DEST_PORT'} =~ tr/-/:/;
-
-               if ($cgiparams{'KEY1'} eq "0") { # 0 in KEY1 indicates it is a portfw add
-                       $key1++; # Add one to last sequence number
-                       open(FILE,">>$filename") or die 'Unable to open config file.';
-                       flock FILE, 2;
-                               if ($cgiparams{'ORIG_IP'} eq '0.0.0.0/0') {
-                                       # if the default/all is taken, then write it to the rule
-                                               print FILE "$key1,0,$cgiparams{'PROTOCOL'},$cgiparams{'SRC_PORT'},$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},$cgiparams{'SRC_IP'},$cgiparams{'ORIG_IP'},$cgiparams{'REMARK'}\n";
-                       } else { # else create an extra record so it shows up 
-                                       print FILE "$key1,0,$cgiparams{'PROTOCOL'},$cgiparams{'SRC_PORT'},$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},$cgiparams{'SRC_IP'},0,$cgiparams{'REMARK'}\n";
-                                               print FILE "$key1,1,$cgiparams{'PROTOCOL'},0,$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},0,$cgiparams{'ORIG_IP'},$cgiparams{'REMARK'}\n";
-                                       }                       
-                       close(FILE);
-                       undef %cgiparams;
-                       &General::log($Lang::tr{'forwarding rule added'});
-                       system('/usr/local/bin/setportfw');
-               } else { # else key1 eq 0
-                       my $insertpoint = ($cgiparams{'KEY2'} - 1);
-                       open(FILE, ">$filename") or die 'Unable to open config file.';
-                       flock FILE, 2;
-                       foreach my $line (@current) {
-                               chomp($line);
-                               my @temp = split(/\,/,$line);
-                               if ($cgiparams{'KEY1'} eq $temp[0] && $insertpoint eq $temp[1]) {
-                                       if ($temp[1] eq "0") { # this is the first xtaccess rule, therefore modify the portfw rule
-                                               $temp[8] = '0';
-                                       }
-                                       print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7],$temp[8],$temp[9]\n";
-                                       print FILE "$cgiparams{'KEY1'},$cgiparams{'KEY2'},$cgiparams{'PROTOCOL'},0,$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},0,$cgiparams{'ORIG_IP'},$cgiparams{'REMARK'}\n";
-                               } else {
-                                       print FILE "$line\n";
-                               }
-                       }
-                       close(FILE);
-                       undef %cgiparams;
-                       &General::log($Lang::tr{'external access rule added'});
-                       system('/usr/local/bin/setportfw');
-               } # end if if KEY1 eq 0
-       } # end unless($errormessage)
-}
-
-if ($cgiparams{'ACTION'} eq $Lang::tr{'update'})
-{
-       &valaddupdate();
-       
-       # Darren Critchley - If there is an error don't waste any more processing time
-       if ($errormessage) { $cgiparams{'ACTION'} = $Lang::tr{'edit'}; goto UPD_ERROR; }
-
-       open(FILE, $filename) or die 'Unable to open config file.';
-       my @current = <FILE>;
-       close(FILE);
-       my $disabledpfw = '0';
-       my $lastpfw = '';
-       my $xtaccessdel = '0';
-       
-       foreach my $line (@current)
-       {
-               my @temp = split(/\,/,$line);
-               if ( $temp[1] eq "0" ) { # keep track of the last portfw and if it is enabled
-                       $disabledpfw = $temp[6];
-                       $lastpfw = $temp[0];
-               }               
-               chomp ($temp[8]);
-               if ( $cgiparams{'SRC_PORT'} eq $temp[3] &&
-                       $cgiparams{'PROTOCOL'} eq $temp[2] &&
-                       $cgiparams{'SRC_IP'} eq $temp[7])
-               {
-                        if ($cgiparams{'KEY1'} ne $temp[0] && $cgiparams{'KEY2'} eq "0")
-                        { 
-                        $errormessage =  
-                               "$Lang::tr{'source port in use'} $cgiparams{'SRC_PORT'}";
-                        }
-               }
-               if ($cgiparams{'ORIG_IP'} eq $temp[8]) 
-               {
-                        if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} ne $temp[1])
-                        # If we have the same source ip within a portfw group, then we have a problem!
-                        {
-                               $errormessage =  "$Lang::tr{'source ip in use'} $cgiparams{'ORIG_IP'}";
-                               $cgiparams{'ACTION'} = $Lang::tr{'edit'};
-                        }
-               }
-               
-               # Darren Critchley - Flag when a user disables an xtaccess
-               if ($cgiparams{'KEY1'} eq $temp[0] &&
-                               $cgiparams{'KEY2'} eq $temp[1] &&
-                               $cgiparams{'KEY2'} ne "0" && # if KEY2 is 0 then it is a portfw
-                               $cgiparams{'ENABLED'} eq "off" &&
-                               $temp[6] eq "on") { # we have determined that someone has turned an xtaccess off
-                       $xtaccessdel = "1";             
-               }
-               
-               # Darren Critchley - Portfw enabled, then enable xtaccess for all associated xtaccess records
-               if ($cgiparams{'ENABLED'} eq "on" && $cgiparams{'KEY2'} eq "0" && $cgiparams{'ENABLED'} ne $temp[6]) 
-               {
-                       $enable_all = "1";
-               } else {
-                       $enable_all = "0";
-               }
-               # Darren Critchley - Portfw disabled, then disable xtaccess for all associated xtaccess records
-               if ($cgiparams{'ENABLED'} eq "off" && $cgiparams{'KEY2'} eq "0") 
-               {
-                       $disable_all = "1";
-               } else {
-                       $disable_all = "0";
-               }
-
-               # Darren Critchley - if we are enabling an xtaccess, only allow if the associated Portfw is enabled
-               if ($cgiparams{'KEY1'} eq $lastpfw && $cgiparams{'KEY2'} ne "0") { # identifies an xtaccess record in the group
-                       if ($cgiparams{'ENABLED'} eq "on" && $cgiparams{'ENABLED'} ne $temp[6] ){ # a change has been made
-                               if ($disabledpfw eq "off")
-                               { 
-                                       $errormessage =  "$Lang::tr{'cant enable xtaccess'}";
-                                       $cgiparams{'ACTION'} = $Lang::tr{'edit'};
-                               }
-                       }
-               }
-               
-               # Darren Critchley - rule to stop someone from entering ALL into a external access rule, 
-               # the portfw is the only place that ALL can be specified
-               if ($cgiparams{'KEY2'} ne "0" && $cgiparams{'ORIG_IP'} eq "0.0.0.0/0") {
-                       $errormessage =  "$Lang::tr{'xtaccess all error'}";
-                       $cgiparams{'ACTION'} = $Lang::tr{'edit'};
-               }
-               
-               # Darren Critchley - Duplicate or overlapping Port range check
-               if ($temp[1] eq "0" &&
-                       $cgiparams{'KEY1'} ne $temp[0] && 
-                       $cgiparams{'PROTOCOL'} eq $temp[2] &&
-                       $cgiparams{'SRC_IP'} eq $temp[7] &&
-                       $errormessage eq '') 
-               {
-                               &portchecks($temp[3], $temp[5]);
-               } # end port testing
-               
-       }
-       
-       # Darren Critchley - if an xtaccess was disabled, now we need to check to see if it was the only xtaccess
-       if($xtaccessdel eq "1") {
-               my $xctr = 0;
-               foreach my $line (@current)
-               {
-                       my @temp = split(/\,/,$line);
-                       if($temp[0] eq $cgiparams{'KEY1'} &&
-                               $temp[6] eq "on") { # we only want to count the enabled xtaccess's
-                               $xctr++;
-                       }
-               }
-               if ($xctr == 2){
-                       $disable_all = "1";
-               }
-       }
-
-UPD_ERROR:
-       unless ($errormessage)
-       {
-               # Darren Critchley - we only want to store ranges with Colons
-               $cgiparams{'SRC_PORT'} =~ tr/-/:/; 
-               $cgiparams{'DEST_PORT'} =~ tr/-/:/;
-
-               open(FILE, ">$filename") or die 'Unable to open config file.';
-               flock FILE, 2;
-               foreach my $line (@current) {
-                       chomp($line);
-                       my @temp = split(/\,/,$line);
-                       if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1]) {
-               print FILE "$cgiparams{'KEY1'},$cgiparams{'KEY2'},$cgiparams{'PROTOCOL'},$cgiparams{'SRC_PORT'},$cgiparams{'DEST_IP'},$cgiparams{'DEST_PORT'},$cgiparams{'ENABLED'},$cgiparams{'SRC_IP'},$cgiparams{'ORIG_IP'},$cgiparams{'REMARK'}\n";
-                       } else {
-                               # Darren Critchley - If it is a port forward record, then chances are good that a change was made to 
-                               # Destination Ip or Port, and we need to update all the associated external access records
-                               if ($cgiparams{'KEY2'} eq "0" && $cgiparams{'KEY1'} eq $temp[0]) {
-                                       $temp[4] = $cgiparams{'DEST_IP'};
-                                       $temp[5] = $cgiparams{'DEST_PORT'};
-                                       $temp[2] = $cgiparams{'PROTOCOL'};
-                               }
-                               
-                               # Darren Critchley - If a Portfw has been disabled, then set all associated xtaccess as disabled
-                               if ( $disable_all eq "1" && $cgiparams{'KEY1'} eq $temp[0] ) {
-                                       $temp[6] = 'off';
-                               }
-                               if ( $enable_all eq "1" && $cgiparams{'KEY1'} eq $temp[0] ) {
-                                       $temp[6] = 'on';
-                               }
-                               # Darren Critchley - Deal with the override to allow ALL
-                               if ( $cgiparams{'OVERRIDE'} eq "on" && $temp[1] ne "0" && $cgiparams{'KEY1'} eq $temp[0] ) {
-                                       $temp[6] = 'off';
-                               }
-                       print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7],$temp[8],$temp[9]\n";
-                       }
-               }
-               close(FILE);
-               undef %cgiparams;
-               &General::log($Lang::tr{'forwarding rule updated'});
-               system('/usr/local/bin/setportfw');
-       } 
-       if ($errormessage) {
-       $cgiparams{'ACTION'} = $Lang::tr{'edit'};
-       }
-}
-
-# Darren Critchley - Allows rules to be enabled and disabled
-if ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'})
-{
-       open(FILE, $filename) or die 'Unable to open config file.';
-       my @current = <FILE>;
-       close(FILE);
-       my $disabledpfw = '0';
-       my $lastpfw = '';
-       my $xtaccessdel = '0';
-       
-       foreach my $line (@current)
-       {
-               my @temp = split(/\,/,$line);
-               if ( $temp[1] eq "0" ) { # keep track of the last portfw and if it is enabled
-                       $disabledpfw = $temp[6];
-                       $lastpfw = $temp[0];
-               }               
-               # Darren Critchley - Flag when a user disables an xtaccess
-               if ($cgiparams{'KEY1'} eq $temp[0] &&
-                               $cgiparams{'KEY2'} eq $temp[1] &&
-                               $cgiparams{'KEY2'} ne "0" && # if KEY2 is 0 then it is a portfw
-                               $cgiparams{'ENABLED'} eq "off" &&
-                               $temp[6] eq "on") { # we have determined that someone has turned an xtaccess off
-                       $xtaccessdel = "1";             
-               }
-               
-               # Darren Critchley - Portfw enabled, then enable xtaccess for all associated xtaccess records
-               if ($cgiparams{'ENABLED'} eq "on" && $cgiparams{'KEY2'} eq "0" && $cgiparams{'ENABLED'} ne $temp[6]) 
-               {
-                       $enable_all = "1";
-               } else {
-                       $enable_all = "0";
-               }
-               # Darren Critchley - Portfw disabled, then disable xtaccess for all associated xtaccess records
-               if ($cgiparams{'ENABLED'} eq "off" && $cgiparams{'KEY2'} eq "0") 
-               {
-                       $disable_all = "1";
-               } else {
-                       $disable_all = "0";
-               }
-
-               # Darren Critchley - if we are enabling an xtaccess, only allow if the associated Portfw is enabled
-               if ($cgiparams{'KEY1'} eq $lastpfw && $cgiparams{'KEY2'} ne "0") { # identifies an xtaccess record in the group
-                       if ($cgiparams{'ENABLED'} eq "on" && $cgiparams{'ENABLED'} ne $temp[6] ){ # a change has been made
-                               if ($disabledpfw eq "off")
-                               { 
-                                       $errormessage =  "$Lang::tr{'cant enable xtaccess'}";
-                                       goto TOGGLEEXIT;
-                               }
-                       }
-               }
-       }
-       
-       # Darren Critchley - if an xtaccess was disabled, now we need to check to see if it was the only xtaccess
-       if($xtaccessdel eq "1") {
-               my $xctr = 0;
-               foreach my $line (@current)
-               {
-                       my @temp = split(/\,/,$line);
-                       if($temp[0] eq $cgiparams{'KEY1'} &&
-                               $temp[6] eq "on") { # we only want to count the enabled xtaccess's
-                               $xctr++;
-                       }
-               }
-               if ($xctr == 2){
-                       $disable_all = "1";
-               }
-       }
-
-       open(FILE, ">$filename") or die 'Unable to open config file.';
-       flock FILE, 2;
-       foreach my $line (@current) {
-               chomp($line);
-               my @temp = split(/\,/,$line);
-               if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1]) {
-               print FILE "$cgiparams{'KEY1'},$cgiparams{'KEY2'},$temp[2],$temp[3],$temp[4],$temp[5],$cgiparams{'ENABLED'},$temp[7],$temp[8],$temp[9]\n";
-               } else {
-                       # Darren Critchley - If a Portfw has been disabled, then set all associated xtaccess as disabled
-                       if ( $disable_all eq "1" && $cgiparams{'KEY1'} eq $temp[0] ) {
-                               $temp[6] = 'off';
-                       }
-                       if ( $enable_all eq "1" && $cgiparams{'KEY1'} eq $temp[0] ) {
-                               $temp[6] = 'on';
-                       }
-               print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7],$temp[8],$temp[9]\n";
-               }
-       }
-       close(FILE);
-       &General::log($Lang::tr{'forwarding rule updated'});
-       system('/usr/local/bin/setportfw');
-TOGGLEEXIT:
-       undef %cgiparams;
-} 
-
-
-# Darren Critchley - broke out Edit routine from the delete routine - Edit routine now just puts values in fields
-if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'})
-{
-       open(FILE, "$filename") or die 'Unable to open config file.';
-       my @current = <FILE>;
-       close(FILE);
-
-       unless ($errormessage)
-       {
-               foreach my $line (@current)
-               {
-                       chomp($line);
-                       my @temp = split(/\,/,$line);
-                       if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1] ) {
-                               $cgiparams{'PROTOCOL'} = $temp[2];
-                               $cgiparams{'SRC_PORT'} = $temp[3];
-                               $cgiparams{'DEST_IP'} = $temp[4];
-                               $cgiparams{'DEST_PORT'} = $temp[5];
-                               $cgiparams{'ENABLED'} = $temp[6];
-                               $cgiparams{'SRC_IP'} = $temp[7];
-                               $cgiparams{'ORIG_IP'} = $temp[8];
-                               $cgiparams{'REMARK'} = $temp[9];
-                       }
-                       
-               }
-       }
-}
-
-# Darren Critchley - broke out Remove routine as the logic is getting too complex to be combined with the Edit
-if ($cgiparams{'ACTION'} eq $Lang::tr{'remove'})
-{
-       open(FILE, "$filename") or die 'Unable to open config file.';
-       my @current = <FILE>;
-       close(FILE);
-       
-       # If the record being deleted is an xtaccess record, and it is the only one for a portfw record
-       # then we need to adjust the portfw record to be open to ALL ip addressess or an error will occur
-       # in setportfw.c
-       my $fixportfw = '0';
-       if ($cgiparams{'KEY2'} ne "0") {
-               my $counter = 0;
-               foreach my $line (@current)
-               {
-                       chomp($line);
-                       my @temp = split(/\,/,$line);
-                       if ($temp[0] eq $cgiparams{'KEY1'}) {
-                               $counter++;
-                       }
-               } 
-               if ($counter eq 2) {
-                       $fixportfw = '1';
-               }
-       }
-       
-       unless ($errormessage)
-       {
-               open(FILE, ">$filename") or die 'Unable to open config file.';
-               flock FILE, 2;
-               my $linedeleted = 0;
-               foreach my $line (@current)
-               {
-                       chomp($line);
-                       my @temp = split(/\,/,$line);
-
-                       if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1] ||
-                               $cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq "0" ) 
-                       {
-                               $linedeleted = 1;
-                       } else {
-                               if ($temp[0] eq $cgiparams{'KEY1'} && $temp[1] eq "0" && $fixportfw eq "1") {
-                                       $temp[8] = '0.0.0.0/0';
-                               }
-                       print FILE "$temp[0],$temp[1],$temp[2],$temp[3],$temp[4],$temp[5],$temp[6],$temp[7],$temp[8],$temp[9]\n";
-#                              print FILE "$line\n";
-                       }
-               }
-               close(FILE);
-               if ($linedeleted == 1) {
-                       &General::log($Lang::tr{'forwarding rule removed'});
-                       undef %cgiparams;
-               }
-               system('/usr/local/bin/setportfw');
-       }
-}
-
-# Darren Critchley - Added routine to allow external access rules to be added
-if ($cgiparams{'ACTION'} eq $Lang::tr{'add xtaccess'})
-{
-       open(FILE, $filename) or die 'Unable to open config file.';
-       my @current = <FILE>;
-       close(FILE);
-       my $key = 0; # used for finding last sequence number used 
-       foreach my $line (@current)
-       {
-               my @temp = split(/\,/,$line);
-               if ($temp[0] eq $cgiparams{'KEY1'}) {
-                       $key = $temp[1]
-               }
-               if ($cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1] ) {
-                       $cgiparams{'PROTOCOL'} = $temp[2];
-                       $cgiparams{'SRC_PORT'} = $temp[3];
-                       $cgiparams{'DEST_IP'} = $temp[4];
-                       $cgiparams{'DEST_PORT'} = $temp[5];
-                       $cgiparams{'ENABLED'} = $temp[6];
-                       $cgiparams{'SRC_IP'} = $temp[7];
-                       $cgiparams{'ORIG_IP'} = '';
-                       $cgiparams{'REMARK'} = $temp[9];
-               }
-       }
-       $key++;
-       $cgiparams{'KEY2'} = $key;
-       # Until the ADD button is hit, there needs to be no change to portfw rules
-}
-
-if ($cgiparams{'ACTION'} eq $Lang::tr{'reset'})
-{
-       undef %cgiparams;
-}
-
-if ($cgiparams{'ACTION'} eq '')
-{
-       $cgiparams{'PROTOCOL'} = 'tcp';
-       $cgiparams{'ENABLED'} = 'on';
-       $cgiparams{'SRC_IP'} = '0.0.0.0';
-}
-
-$selected{'PROTOCOL'}{'udp'} = '';
-$selected{'PROTOCOL'}{'tcp'} = '';
-$selected{'PROTOCOL'}{'gre'} = '';
-$selected{'PROTOCOL'}{$cgiparams{'PROTOCOL'}} = "selected='selected'";
-
-$selected{'SRC_IP'}{$cgiparams{'SRC_IP'}} = "selected='selected'";
-
-$checked{'ENABLED'}{'off'} = '';
-$checked{'ENABLED'}{'on'} = '';  
-$checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'";
-
-&Header::openpage($Lang::tr{'port forwarding configuration'}, 1, '');
-
-&Header::openbigbox('100%', 'left', '', $errormessage);
-
-if ($errormessage) {
-       &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
-       print "<class name='base'><font color='${Header::colourred}'>$errormessage\n</font>";
-       print "&nbsp;</class>\n";
-       &Header::closebox();
-}
-
-print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>\n";
-
-if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}){
-       &Header::openbox('100%', 'left', $Lang::tr{'edit a rule'});
-} else {
-       &Header::openbox('100%', 'left', $Lang::tr{'add a new rule'});
-}
-
-if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'KEY2'} ne "0" || $cgiparams{'ACTION'} eq $Lang::tr{'add xtaccess'}){ 
-# if it is not a port forward record, don't validate as the fields are disabled
-       my $PROT = "\U$cgiparams{'PROTOCOL'}\E";
-       # Darren Critchley - Format the source and destination ports
-       my $dstprt = $cgiparams{'DEST_PORT'};
-       $dstprt =~ s/-/ - /;
-       $dstprt =~ s/:/ - /;
-
-print <<END
-<table>
-       <tr>
-               <td class='base'>$Lang::tr{'protocol'}: <b>$PROT</b></td>
-               <td width='20'>&nbsp;</td>
-               <td class='base' align='right'>$Lang::tr{'destination ip'}:&nbsp;</td>
-               <td><b>$cgiparams{'DEST_IP'}</b></td>
-               <td width='20'>&nbsp;</td>
-               <td class='base' align='right'>$Lang::tr{'destination port'}:&nbsp;</td>
-               <td><b>$dstprt</b></td>
-       </tr>
-</table>
-
-<input type='hidden' name='PROTOCOL' value='$cgiparams{'PROTOCOL'}' />
-<input type='hidden' name='SRC_IP' value='$cgiparams{'SRC_IP'}' />
-<input type='hidden' name='SRC_PORT' value='$cgiparams{'SRC_PORT'}' />
-<input type='hidden' name='DEST_IP' value='$cgiparams{'DEST_IP'}' />
-<input type='hidden' name='DEST_PORT' value='$cgiparams{'DEST_PORT'}' />
-END
-;
-} else {
-print <<END
-<table width='100%'>
-       <tr>
-               <td width='10%'>$Lang::tr{'protocol'}:&nbsp;</td>
-               <td width='15%'> 
-               <select name='PROTOCOL'>
-                       <option value='tcp' $selected{'PROTOCOL'}{'tcp'}>TCP</option>
-                       <option value='udp' $selected{'PROTOCOL'}{'udp'}>UDP</option>
-                       <option value='gre' $selected{'PROTOCOL'}{'gre'}>GRE</option>
-               </select>
-               </td>
-               <td class='base' width='20%'><font color='${Header::colourred}'>$Lang::tr{'alias ip'}:</font></td>
-               <td>
-                       <select name='SRC_IP'>
-                       <option value='0.0.0.0' $selected{'SRC_IP'}{'0.0.0.0'}>DEFAULT IP</option>
-END
-;
-open(ALIASES, "$aliasfile") or die 'Unable to open aliases file.';
-while (<ALIASES>)
-{
-       chomp($_);
-       my @temp = split(/\,/,$_);
-       if ($temp[1] eq 'on') {
-               print "<option value='$temp[0]' $selected{'SRC_IP'}{$temp[0]}>$temp[0]";
-               if (defined $temp[2] and ($temp[2] ne '')) { print " ($temp[2])"; }
-               print "</option>\n";
-       }
-}
-close(ALIASES);
-print <<END
-                       </select>
-               </td>
-               <td class='base' width='20%'><font color='${Header::colourred}'>$Lang::tr{'source port'}:</font></td>
-               <td width='10%'><input type='text' name='SRC_PORT' value='$cgiparams{'SRC_PORT'}' size='8' /></td>
-       </tr>
-       <tr>
-               <td class='base'>&nbsp;</td>
-               <td>&nbsp;</td>
-               <td class='base'>$Lang::tr{'destination ip'}:</td>
-               <td><input type='text' name='DEST_IP' value='$cgiparams{'DEST_IP'}' size='15' /></td>
-               <td class='base'>$Lang::tr{'destination port'}:</td>
-               <td><input type='text' name='DEST_PORT' value='$cgiparams{'DEST_PORT'}' size='8' /></td>
-       </tr>
-</table>
-END
-;
-}
-
-print <<END
-<table>
-       <tr>
-               <td class='base'>$Lang::tr{'remark title'}&nbsp;<img src='/blob.gif' alt='*' />&nbsp;</td>
-               <td><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' /></td>
-END
-;
-unless ($cgiparams{'ACTION'} eq $Lang::tr{'add xtaccess'} && $cgiparams{'ENABLED'} eq "off") {
-       print "<td width='20'>&nbsp;</td>";
-       print "<td>$Lang::tr{'enabled'}&nbsp;</td><td><input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td>\n";
-}
-print <<END
-       </tr>
-</table>
-END
-;
-
-if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'KEY2'} eq "0" && ($cgiparams{'ORIG_IP'} eq "0" || $cgiparams{'ORIG_IP'} eq "0.0.0.0/0")){ 
-# if it is a port forward rule with a 0 in the orig_port field, this means there are xtaccess records, and we
-# don't want to allow a person to change the orig_ip field as it will mess other logic up
-       print "<input type='hidden' name='ORIG_IP' value='$cgiparams{'ORIG_IP'}' />\n";
-} else {
-print <<END
-<table>
-       <tr>
-               <td class='base'><font class='boldbase' color='${Header::colourred}'>$Lang::tr{'source network'}</font>&nbsp;<img src='/blob.gif' alt='*' />&nbsp;</td>
-               <td><input type='text' name='ORIG_IP' value='$cgiparams{'ORIG_IP'}' size='15' /></td>
-       </tr>
-</table>
-END
-;
-}
-
-print <<END
-<table width='100%'>
-       <hr />
-       <tr>
-               <td class='base' width='25%'><img src='/blob.gif' alt ='*' align='top' />&nbsp;<font class='base'>$Lang::tr{'this field may be blank'}</font></td>
-END
-;
-
-
-if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}){
-       if($cgiparams{'KEY2'} eq "0"){
-               print "<td width='35%' align='right'>$Lang::tr{'open to all'}:&nbsp;</td><td width='5%'><input type='checkbox' name='OVERRIDE' $checked{'OVERRIDE'}{'on'} /></td>\n";
-       } else {
-               print "<td width='40%'>&nbsp;</td>\n";
-       }
-       print "<td align='center' width='15%'><input type='submit' name='ACTION' value='$Lang::tr{'update'}' />";
-       print "<input type='hidden' name='KEY1' value='$cgiparams{'KEY1'}' />";
-       print "<input type='hidden' name='KEY2' value='$cgiparams{'KEY2'}' /></TD>";
-       print "<td align='center' width='15%'><input type='submit' name='ACTION' value='$Lang::tr{'reset'}' /></td>";
-       # on an edit and an xtaccess add, for some reason the "Reset" button stops working, so I make it a submit button
-} else {
-       print "<td width='30%'>&nbsp;</td>\n";
-       print "<td align='center' width='15%'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td>";
-       if ($cgiparams{'ACTION'} eq $Lang::tr{'add xtaccess'}) {
-               print "<td align='center' width='15%'><input type='hidden' name='KEY1' value='$cgiparams{'KEY1'}' />";
-               print "<input type='hidden' name='KEY2' value='$cgiparams{'KEY2'}' />";
-               print "<input type='submit' name='ACTION' value='$Lang::tr{'reset'}' /></td>";
-       } elsif ($errormessage ne '') {
-               print "<td align='center' width='15%'><input type='submit' name='ACTION' value='$Lang::tr{'reset'}' /></td>";
-       } else {
-               print "<td align='center' width='15%'><input type='reset' name='ACTION' value='$Lang::tr{'reset'}' /></td>";
-       }
-}
-print <<END
-       <td width='5%' align='right'>&nbsp;</td>
-       </tr>
-</table>
-END
-;
-&Header::closebox();
-
-print "</form>\n";
-
-&Header::openbox('100%', 'left', $Lang::tr{'current rules'});
-print <<END
-<table width='100%'>
-<tr>
-<td width='7%' class='boldbase' align='center'><b>$Lang::tr{'proto'}</b></td>
-<td width='31%' class='boldbase' align='center'><b>$Lang::tr{'source'}</b></td>
-<td width='2%' class='boldbase' align='center'>&nbsp;</td>
-<td width='31%' class='boldbase' align='center'><b>$Lang::tr{'destination'}</b></td>
-<td width='24%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></td>
-<td width='4%' class='boldbase' colspan='4' align='center'><b>$Lang::tr{'action'}</b></td>
-</tr>
-END
-;
-
-my $id = 0;
-my $xtaccesscolor = '#F6F4F4';
-open(RULES, "$filename") or die 'Unable to open config file.';
-while (<RULES>)
-{
-       my $protocol = '';
-       my $gif = '';
-       my $gdesc = '';
-       my $toggle = '';
-       chomp($_);
-       my @temp = split(/\,/,$_);
-       $temp[9] ='' unless defined $temp[9];# Glles ESpinasse : suppress warning on page init
-       if ($temp[2] eq 'udp') {
-               $protocol = 'UDP'; }
-       elsif ($temp[2] eq 'gre') {
-               $protocol = 'GRE' }
-       else {
-               $protocol = 'TCP' }
-       # Change bgcolor when a new portfw rule is added
-       if ($temp[1] eq "0"){
-               $id++;
-       }
-       # Darren Critchley highlight the row we are editing
-       if ( $cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'KEY1'} eq $temp[0] && $cgiparams{'KEY2'} eq $temp[1] ) { 
-               print "<tr bgcolor='${Header::colouryellow}'>\n";
-       } else {
-               if ($id % 2) {
-                       print "<tr bgcolor='$color{'color22'}'>\n"; 
-               }
-               else {
-                       print "<tr bgcolor='$color{'color20'}'>\n";
-               }
-       }
-       
-       if ($temp[6] eq 'on') { $gif = 'on.gif'; $toggle='off'; $gdesc=$Lang::tr{'click to disable'};}
-               else { $gif = 'off.gif'; $toggle='on'; $gdesc=$Lang::tr{'click to enable'}; }
-
-               # Darren Critchley - this code no longer works - should we remove?
-       # catch for 'old-style' rules file - assume default ip if
-       # none exists
-       if (!&General::validip($temp[7]) || $temp[7] eq '0.0.0.0') {
-               $temp[7] = 'DEFAULT IP'; }
-               if ($temp[1] eq '0') { # Port forwarding entry
-
-               # Darren Critchley - Format the source and destintation ports
-               my $srcprt = $temp[3];
-               $srcprt =~ s/-/ - /;
-               $srcprt =~ s/:/ - /;
-               my $dstprt = $temp[5];
-               $dstprt =~ s/-/ - /;
-               $dstprt =~ s/:/ - /;
-
-               # Darren Critchley - Get Port Service Name if we can - code borrowed from firewalllog.dat
-               $_=$temp[3];
-               if (/^\d+$/) {
-                       my $servi = uc(getservbyport($temp[3], lc($temp[2])));
-                       if ($servi ne '' && $temp[3] < 1024) {
-                               $srcprt = "$srcprt($servi)"; }
-               }
-               $_=$temp[5];
-               if (/^\d+$/) {
-                       my $servi = uc(getservbyport($temp[5], lc($temp[2])));
-                       if ($servi ne '' && $temp[5] < 1024) {
-                               $dstprt = "$dstprt($servi)"; }
-               }
-
-               # Darren Critchley - If the line is too long, wrap the port numbers
-               my $srcaddr = "$temp[7] : $srcprt";
-               if (length($srcaddr) > 22) {
-                       $srcaddr = "$temp[7] :<br /> $srcprt";
-               }
-               my $dstaddr = "$temp[4] : $dstprt";
-               if (length($dstaddr) > 26) {
-                       $dstaddr = "$temp[4] :<br /> $dstprt";
-               }
-print <<END
-<td align='center'>$protocol</td>
-<td align='center'>$srcaddr</td>
-<td align='center'><img src='/images/forward.gif' alt='=&gt;' /></td>
-<td align='center'>$dstaddr</td>
-<td align='left'>&nbsp;$temp[9]</td>
-<td align='center'>
-       <form method='post' name='frm$temp[0]c' action='$ENV{'SCRIPT_NAME'}'>
-       <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$gdesc' title='$gdesc' />
-       <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />
-       <input type='hidden' name='KEY1' value='$temp[0]' />
-       <input type='hidden' name='KEY2' value='$temp[1]' />
-       <input type='hidden' name='ENABLED' value='$toggle' />
-       </form>
-</td>
-
-<td align='center'>
-       <form method='post' name='frm$temp[0]' action='$ENV{'SCRIPT_NAME'}'>
-       <input type='hidden' name='ACTION' value='$Lang::tr{'add xtaccess'}' />
-       <input type='image' name='$Lang::tr{'add xtaccess'}' src='/images/add.gif' alt='$Lang::tr{'add xtaccess'}' title='$Lang::tr{'add xtaccess'}' />
-       <input type='hidden' name='KEY1' value='$temp[0]' />
-       <input type='hidden' name='KEY2' value='$temp[1]' />
-       </form>
-</td>
-
-<td align='center'>
-       <form method='post' name='frm$temp[0]' action='$ENV{'SCRIPT_NAME'}'>
-       <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />
-       <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' />
-       <input type='hidden' name='KEY1' value='$temp[0]' />
-       <input type='hidden' name='KEY2' value='$temp[1]' />
-       </form>
-</td>
-
-<td align='center'>
-       <form method='post' name='frm$temp[0]b' action='$ENV{'SCRIPT_NAME'}'>
-       <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' />
-       <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' />
-       <input type='hidden' name='KEY1' value='$temp[0]' />
-       <input type='hidden' name='KEY2' value='$temp[1]' />
-       </form>
-</td>
-
-</tr>
-END
-       ;
-       } else { # external access entry
-print <<END
-<td align='center'>&nbsp;</td>
-
-<td align='left' colspan='4'>&nbsp;<font color='${Header::colourred}'>$Lang::tr{'access allowed'}</font> $temp[8]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;($temp[9])</td>
-
-<td align='center'>
-       <form method='post' name='frm$temp[0]$temp[1]t' action='$ENV{'SCRIPT_NAME'}'>
-       <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable disable'}' title='$Lang::tr{'toggle enable disable'}' />
-       <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />
-       <input type='hidden' name='KEY1' value='$temp[0]' />
-       <input type='hidden' name='KEY2' value='$temp[1]' />
-       <input type='hidden' name='ENABLED' value='$toggle' />
-       </form>
-</td>
-
-<td align='center'>&nbsp;</td>
-
-<td align='center'>
-       <form method='post' name='frm$temp[0]$temp[1]' action='$ENV{'SCRIPT_NAME'}'>
-       <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />
-       <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' />
-       <input type='hidden' name='KEY1' value='$temp[0]' />
-       <input type='hidden' name='KEY2' value='$temp[1]' />
-       </form>
-</td>
-
-<td align='center'>
-       <form method='post' name='frm$temp[0]b$temp[1]b' action='$ENV{'SCRIPT_NAME'}'>
-       <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' />
-       <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' />
-       <input type='hidden' name='KEY1' value='$temp[0]' />
-       <input type='hidden' name='KEY2' value='$temp[1]' />
-       </form>
-</td>
-
-</tr>
-END
-       ;
-       }
-}
-
-close(RULES);
-
-print "</table>";
-
-# If the fixed lease file contains entries, print Key to action icons
-if ( ! -z "$filename") {
-print <<END
-<table>
-<tr>
-       <td class='boldbase'>&nbsp;<b>$Lang::tr{'legend'}:&nbsp;</b></td>
-       <td><img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
-       <td class='base'>$Lang::tr{'click to disable'}</td>
-       <td>&nbsp;&nbsp;</td>
-       <td><img src='/images/off.gif' alt='$Lang::tr{'click to enable'}' /></td>
-       <td class='base'>$Lang::tr{'click to enable'}</td>
-       <td>&nbsp;&nbsp;</td>
-       <td><img src='/images/add.gif' alt='$Lang::tr{'add xtaccess'}' /></td>
-       <td class='base'>$Lang::tr{'add xtaccess'}</td>
-       <td>&nbsp;&nbsp;</td>
-       <td><img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td>
-       <td class='base'>$Lang::tr{'edit'}</td>
-       <td>&nbsp;&nbsp;</td>
-       <td><img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td>
-       <td class='base'>$Lang::tr{'remove'}</td>
-</tr>
-</table>
-END
-;
-}
-
-&Header::closebox();
-
-&Header::closebigbox();
-
-&Header::closepage();
-
-# Validate Field Entries
-sub validateparams 
-{
-       # Darren Critchley - Get rid of dashes in port ranges
-       $cgiparams{'DEST_PORT'}=~ tr/-/:/;
-       $cgiparams{'SRC_PORT'}=~ tr/-/:/;
-       
-       # Darren Critchley - code to substitue wildcards
-       if ($cgiparams{'SRC_PORT'} eq "*") {
-               $cgiparams{'SRC_PORT'} = "1:65535";
-       }
-       if ($cgiparams{'SRC_PORT'} =~ /^(\D)\:(\d+)$/) {
-               $cgiparams{'SRC_PORT'} = "1:$2";
-       }
-       if ($cgiparams{'SRC_PORT'} =~ /^(\d+)\:(\D)$/) {
-               $cgiparams{'SRC_PORT'} = "$1:65535";
-       }
-       if ($cgiparams{'DEST_PORT'} eq "*") {
-               $cgiparams{'DEST_PORT'} = "1:65535";
-       }
-       if ($cgiparams{'DEST_PORT'} =~ /^(\D)\:(\d+)$/) {
-               $cgiparams{'DEST_PORT'} = "1:$2";
-       }
-       if ($cgiparams{'DEST_PORT'} =~ /^(\d+)\:(\D)$/) {
-               $cgiparams{'DEST_PORT'} = "$1:65535";
-       }
-
-       # Darren Critchley - Add code for GRE protocol - we want to ignore ports, but we need a place holder
-       if ($cgiparams{'PROTOCOL'} eq 'gre') {
-               $cgiparams{'SRC_PORT'} = "GRE";
-               $cgiparams{'DEST_PORT'} = "GRE";
-       }
-
-       unless($cgiparams{'PROTOCOL'} =~ /^(tcp|udp|gre)$/) { $errormessage = $Lang::tr{'invalid input'}; }
-       # Darren Critchley - Changed how the error routine works a bit - for the validportrange check, we need to 
-       # pass in src or dest to determine which side we are working with.
-       # the routine returns the complete error or ''
-       if ($cgiparams{'PROTOCOL'} ne 'gre') {
-               $errormessage = &General::validportrange($cgiparams{'SRC_PORT'}, 'src');
-       }
-       if( ($cgiparams{'ORIG_IP'} ne "0" && $cgiparams{'KEY2'} ne "0") || $cgiparams{'ACTION'} eq $Lang::tr{'add'}) { 
-       # if it is a port forward record with 0 in orig_ip then ignore checking this field
-               unless(&General::validipormask($cgiparams{'ORIG_IP'}))
-               {
-                       if ($cgiparams{'ORIG_IP'} ne '') {
-                               $errormessage = $Lang::tr{'source ip bad'}; }
-                       else {
-                               $cgiparams{'ORIG_IP'} = '0.0.0.0/0'; }
-               }
-       }
-       # Darren Critchey - New rule that sets destination same as source if dest_port is blank.
-       if ($cgiparams{'DEST_PORT'} eq ''){
-               $cgiparams{'DEST_PORT'} = $cgiparams{'SRC_PORT'};
-       }
-       # Darren Critchey - Just in case error message is already set, this routine would wipe it out if
-       # we don't do a test here
-       if ($cgiparams{'PROTOCOL'} ne 'gre') {
-               unless($errormessage) {$errormessage = &General::validportrange($cgiparams{'DEST_PORT'}, 'dest');}
-       }
-       unless(&General::validip($cgiparams{'DEST_IP'})) { $errormessage = $Lang::tr{'destination ip bad'}; }
-       return;
-}
-
-# Darren Critchley - we want to make sure that a port range does not overlap another port range
-sub checkportoverlap
-{
-       my $portrange1 = $_[0]; # New port range
-       my $portrange2 = $_[1]; # existing port range
-       my @tempr1 = split(/\:/,$portrange1);
-       my @tempr2 = split(/\:/,$portrange2);
-
-       unless (&checkportinc($tempr1[0], $portrange2)){ return 0;}
-       unless (&checkportinc($tempr1[1], $portrange2)){ return 0;}
-       
-       unless (&checkportinc($tempr2[0], $portrange1)){ return 0;}
-       unless (&checkportinc($tempr2[1], $portrange1)){ return 0;}
-
-       return 1; # Everything checks out!
-}
-
-# Darren Critchley - we want to make sure that a port entry is not within an already existing range
-sub checkportinc
-{
-       my $port1 = $_[0]; # Port
-       my $portrange2 = $_[1]; # Port range
-       my @tempr1 = split(/\:/,$portrange2);
-
-       if ($port1 < $tempr1[0] || $port1 > $tempr1[1]) {
-               return 1; 
-       } else {
-               return 0; 
-       }
-}
-
-# Darren Critchley - certain ports are reserved for Ipcop 
-# TCP 67,68,81,222,445
-# UDP 67,68
-# Params passed in -> port, rangeyn, protocol
-sub disallowreserved
-{
-       # port 67 and 68 same for tcp and udp, don't bother putting in an array
-       my $msg = "";
-       my @tcp_reserved = ();
-       my $prt = $_[0]; # the port or range
-       my $ryn = $_[1]; # tells us whether or not it is a port range
-       my $prot = $_[2]; # protocol
-       my $srcdst = $_[3]; # source or destination
-       
-       if ($ryn) { # disect port range
-               if ($srcdst eq "src") {
-                       $msg = "$Lang::tr{'rsvd src port overlap'}";
-               } else {
-                       $msg = "$Lang::tr{'rsvd dst port overlap'}";
-               }
-               my @tmprng = split(/\:/,$prt);
-               unless (67 < $tmprng[0] || 67 > $tmprng[1]) { $errormessage="$msg 67"; return; }
-               unless (68 < $tmprng[0] || 68 > $tmprng[1]) { $errormessage="$msg 68"; return; }
-               if ($prot eq "tcp") {
-                       foreach my $prange (@tcp_reserved) {
-                               unless ($prange < $tmprng[0] || $prange > $tmprng[1]) { $errormessage="$msg $prange"; return; }
-                       }
-               }
-       } else {
-               if ($srcdst eq "src") {
-                       $msg = "$Lang::tr{'reserved src port'}";
-               } else {
-                       $msg = "$Lang::tr{'reserved dst port'}";
-               }
-               if ($prt == 67) { $errormessage="$msg 67"; return; }
-               if ($prt == 68) { $errormessage="$msg 68"; return; }
-               if ($prot eq "tcp") {
-                       foreach my $prange (@tcp_reserved) {
-                               if ($prange == $prt) { $errormessage="$msg $prange"; return; }
-                       }
-               }
-       }
-       return;
-}
-
-# Darren Critchley - Attempt to combine Add/Update validation as they are almost the same
-sub valaddupdate
-{
-       if ($cgiparams{'KEY2'} eq "0"){ # if it is a port forward rule, then validate properly
-               &validateparams();
-       } else { # it is an xtaccess rule, just check for a valid ip
-               unless(&General::validipormask($cgiparams{'ORIG_IP'}))
-               {
-                       if ($cgiparams{'ORIG_IP'} ne '') {
-                               $errormessage = $Lang::tr{'source ip bad'}; }
-                       else { # this rule stops someone from adding an ALL xtaccess record
-                               $errormessage = $Lang::tr{'xtaccess all error'}; 
-                               $cgiparams{'ACTION'} = $Lang::tr{'add xtaccess'};
-                       }
-               }
-               # Darren Critchley - check for 0.0.0.0/0 - not allowed for xtaccess
-               if ($cgiparams{'ORIG_IP'} eq "0.0.0.0/0" || $cgiparams{'ORIG_IP'} eq "0.0.0.0") {
-                       $errormessage = $Lang::tr{'xtaccess all error'}; 
-                       $cgiparams{'ACTION'} = $Lang::tr{'add xtaccess'};
-               }
-       }
-       # Darren Critchley - Remove commas from remarks
-       $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
-
-       # Darren Critchley - Check to see if we are working with port ranges
-       our ($prtrange1, $prtrange2);
-       $_ = $cgiparams{'SRC_PORT'};
-       if ($cgiparams{'KEY2'} eq "0" && m/:/){
-               $prtrange1 = 1;
-       }
-       if ($cgiparams{'SRC_IP'} eq '0.0.0.0') { # Dave Roberts - only check if using DEFAULT IP
-               if ($prtrange1 == 1){ # check for source ports reserved for Ipcop
-                       &disallowreserved($cgiparams{'SRC_PORT'},1,$cgiparams{'PROTOCOL'},"src");
-                       if ($errormessage) { goto EXITSUB; }
-               } else { # check for source port reserved for Ipcop
-                       &disallowreserved($cgiparams{'SRC_PORT'},0,$cgiparams{'PROTOCOL'},"src");
-                       if ($errormessage) { goto EXITSUB; }
-               }
-       }
-       
-       $_ = $cgiparams{'DEST_PORT'};
-       if ($cgiparams{'KEY2'} eq "0" && m/:/){
-               $prtrange2 = 1;
-       }
-       if ($cgiparams{'SRC_IP'} eq '0.0.0.0') { # Dave Roberts - only check if using DEFAULT IP
-               if ($prtrange2 == 1){ # check for destination ports reserved for IPFire
-                       &disallowreserved($cgiparams{'DEST_PORT'},1,$cgiparams{'PROTOCOL'},"dst");
-                       if ($errormessage) { goto EXITSUB; }
-               } else { # check for destination port reserved for IPFire
-                       &disallowreserved($cgiparams{'DEST_PORT'},0,$cgiparams{'PROTOCOL'},"dst");
-                       if ($errormessage) { goto EXITSUB; }
-               }
-       }
-       
-
-EXITSUB:
-       return;
-}
-
-# Darren Critchley - Duplicate or overlapping Port range check
-sub portchecks
-{
-       $_ = $_[0];
-       our ($prtrange1, $prtrange2);
-       if (m/:/ && $prtrange1 == 1) { # comparing two port ranges
-               unless (&checkportoverlap($cgiparams{'SRC_PORT'},$_[0])) {
-                       $errormessage = "$Lang::tr{'source port overlaps'} $_[0]";
-               }
-       }
-       if (m/:/ && $prtrange1 == 0 && $errormessage eq '') { # compare one port to a range
-               unless (&checkportinc($cgiparams{'SRC_PORT'}, $_[0])) {
-                       $errormessage = "$Lang::tr{'srcprt within existing'} $_[0]";
-               }
-       }
-       if (! m/:/ && $prtrange1 == 1 && $errormessage eq '') { # compare one port to a range
-               unless (&checkportinc($_[0], $cgiparams{'SRC_PORT'})) {
-                       $errormessage = "$Lang::tr{'srcprt range overlaps'} $_[0]";
-               }
-       }
-
-       if ($errormessage eq ''){
-               $_ = $_[1];
-               if (m/:/ && $prtrange2 == 1) { # if true then there is a port range
-                       unless (&checkportoverlap($cgiparams{'DEST_PORT'},$_[1])) {
-                               $errormessage = "$Lang::tr{'destination port overlaps'} $_[1]";
-                       }
-               }
-               if (m/:/ && $prtrange2 == 0 && $errormessage eq '') { # compare one port to a range
-                       unless (&checkportinc($cgiparams{'DEST_PORT'}, $_[1])) {
-                               $errormessage = "$Lang::tr{'dstprt within existing'} $_[1]";
-                       }
-               }
-               if (! m/:/ && $prtrange2 == 1 && $errormessage eq '') { # compare one port to a range
-                       unless (&checkportinc($_[1], $cgiparams{'DEST_PORT'})) {
-                               $errormessage = "$Lang::tr{'dstprt range overlaps'} $_[1]";
-                       }
-               }
-       }
-       return;
-}
index f78d3939e047eb43b393d545a793daaa90864285..091b61a4253b961d50d23ae085ced9a101924c74 100644 (file)
@@ -185,8 +185,6 @@ $(TARGET) :
                /etc/rc.d/init.d/networking/red.up/24-RS-snort
        ln -sf ../../../../../usr/local/bin/qosctrl \
                /etc/rc.d/init.d/networking/red.up/25-RS-qos
-       ln -sf ../../../../../usr/local/bin/setportfw \
-               /etc/rc.d/init.d/networking/red.up/26-portfw
        ln -sf ../../../../../usr/local/bin/dialctrl.pl \
                /etc/rc.d/init.d/networking/red.up/99-U-dialctrl.pl
        ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/28-RS-squid
index 9024a88fdae8069f9e74a43b4bb4b09c7496be76..39e1dfd7b1fd981eb34658b91251495e3ad4cecf 100644 (file)
@@ -223,7 +223,7 @@ case "$1" in
        /sbin/iptables -N WIRELESSINPUT
        /sbin/iptables -A INPUT -m state --state NEW -j WIRELESSINPUT
        /sbin/iptables -N WIRELESSFORWARD
-       /sbin/iptables -A FORWARDFW -m state --state NEW -j WIRELESSFORWARD
+       /sbin/iptables -A FORWARD -m state --state NEW -j WIRELESSFORWARD
        
        # PORTFWACCESS chain, used for portforwarding
        /sbin/iptables -N PORTFWACCESS
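Review bot: Appending the WIRELESSFORWARD jump to FORWARD instead of FORWARDFW makes its position depend on whatever was already appended to FORWARD earlier in this `start` arm, which is outside the hunk; if the jump into the forward-firewall chain comes first and one of its rules ACCEPTs traffic from BLUE, WIRELESSFORWARD is never reached and the wireless device/MAC restrictions stop applying. Either place the jump ahead of any accepting chain (`/sbin/iptables -I FORWARD -m state --state NEW -j WIRELESSFORWARD`) or record the required order next to the rule, e.g. `# must be evaluated before FORWARDFW: BLUE clients are admitted only via WIRELESSFORWARD`. The PORTFWACCESS chain still created at the end of the hunk was previously flushed and populated by setportfw, which this commit deletes; confirm the replacement controller still maintains it, otherwise drop the chain rather than leave an empty hook. The enclosing `case` arm starts and ends outside the hunk.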
@@ -252,19 +252,18 @@ case "$1" in
        # Custom prerouting chains (for transparent proxy and port forwarding)
        /sbin/iptables -t nat -N SQUID
        /sbin/iptables -t nat -A PREROUTING -j SQUID
-       /sbin/iptables -t nat -N PORTFW
-       /sbin/iptables -t nat -A PREROUTING -j PORTFW
-
+       /sbin/iptables -t nat -N NAT_DESTINATION
+       /sbin/iptables -t nat -N NAT_SOURCE
+       /sbin/iptables -t nat -A PREROUTING -j NAT_DESTINATION
+       /sbin/iptables -t nat -A POSTROUTING -j NAT_SOURCE
+       
+       
        # upnp chain for our upnp daemon
        /sbin/iptables -t nat -N UPNPFW
        /sbin/iptables -t nat -A PREROUTING -j UPNPFW
        /sbin/iptables -N UPNPFW
        /sbin/iptables -A FORWARD -m state --state NEW -j UPNPFW
 
-       # Custom mangle chain (for port fowarding)
-       /sbin/iptables -t mangle -N PORTFWMANGLE
-       /sbin/iptables -t mangle -A PREROUTING -j PORTFWMANGLE
-
        # Postrouting rules (for port forwarding)
        /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT \
         --to-source $GREEN_ADDRESS
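Review bot: The POSTROUTING rule `-m mark --mark 1 -j SNAT --to-source $GREEN_ADDRESS` at the end of the hunk is kept while the PORTFWMANGLE chain that marked port-forwarded packets is removed, so nothing visible in this diff sets mark 1 anymore and the rule is either dead or fires for whatever else happens to use fwmark 1, source-NATing that traffic to the GREEN address. Either delete the rule together with the mangle chain, or if the new NAT_DESTINATION/NAT_SOURCE code still marks hairpin forwards, say so in its comment (`# mark 1 is set by forwardfwctrl for port-forwards that must be SNATed to GREEN`) so the dependency is not lost again. The two lines added after `-A POSTROUTING -j NAT_SOURCE` are blank lines with trailing whitespace and should be dropped. The `start` arm this belongs to begins and ends outside the hunk.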
@@ -354,7 +353,6 @@ case "$1" in
        $0 stop
        $0 start
        /usr/local/bin/forwardfwctrl
-       /usr/local/bin/setportfw
        /usr/local/bin/openvpnctrl -s > /dev/null 2>&1
        /usr/local/bin/openvpnctrl -sn2n > /dev/null 2>&1
        ;;
index c3f3b6c2f19a389392d6e5ce2b78bc7771da681d..c748a66b4704c82f55ddcef04664d867280dd135 100644 (file)
@@ -24,8 +24,7 @@ CFLAGS=-O2 -Wall
 COMPILE=$(CC) $(CFLAGS)
 
 PROGS = iowrap
-SUID_PROGS = setportfw \
-       squidctrl sshctrl ipfirereboot \
+SUID_PROGS = squidctrl sshctrl ipfirereboot \
        ipsecctrl timectrl dhcpctrl snortctrl \
        applejuicectrl rebuildhosts backupctrl \
        logwatch openvpnctrl forwardfwctrl \
@@ -96,9 +95,6 @@ timectrl: timectrl.c setuid.o ../install+setup/libsmooth/varval.o
 launch-ether-wake: launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o
        $(COMPILE) -I../install+setup/libsmooth/ launch-ether-wake.c setuid.o ../install+setup/libsmooth/varval.o -o $@
 
-setportfw: setportfw.c setuid.o ../install+setup/libsmooth/varval.o
-       $(COMPILE) -I../install+setup/libsmooth/ setportfw.c setuid.o ../install+setup/libsmooth/varval.o -o $@
-
 rebuildhosts: rebuildhosts.c setuid.o ../install+setup/libsmooth/varval.o
        $(COMPILE) -I../install+setup/libsmooth/ rebuildhosts.c setuid.o ../install+setup/libsmooth/varval.o -o $@
 
diff --git a/src/misc-progs/setportfw.c b/src/misc-progs/setportfw.c
deleted file mode 100644 (file)
index a65aebd..0000000
+++ /dev/null
@@ -1,369 +0,0 @@
-/* SmoothWall helper program - setportfw\r
- *\r
- * This program is distributed under the terms of the GNU General Public\r
- * Licence.  See the file COPYING for details.\r
- *\r
- * (c) Daniel Goscomb, 2001\r
- * Copyright (c) 2002/04/13 Steve Bootes - Added source ip support for aliases\r
- * \r
- * Modifications and improvements by Lawrence Manning.\r
- *\r
- * 10/04/01 Aslak added protocol support\r
- * This program reads the list of ports to forward and setups iptables\r
- * and rules in ipmasqadm to enable them.\r
- *\r
- * 02/11/03 Darren Critchley modifications to allow it to open multiple\r
- *                                                      source ip addresses\r
- * 02/25/03 Darren Critchley modifications to allow port ranges\r
- * 04/01/03 Darren Critchley modifications to allow gre protocol\r
- * 20/04/03 Robert Kerr Fixed root exploit, validated all variables properly,\r
- *                      tidied up the iptables logic, killed duplicated code,\r
- *                      removed srciptmp (unecessary)\r
- *\r
- * $Id: setportfw.c,v 1.3.2.6 2005/08/24 18:44:19 gespinasse Exp $\r
- * \r
- */\r
-\r
-#include <stdio.h>\r
-#include <string.h>\r
-#include <stdlib.h>\r
-#include "libsmooth.h"\r
-#include "setuid.h"\r
-\r
-struct keyvalue *kv = NULL;\r
-FILE *fwdfile = NULL;\r
-\r
-void exithandler(void)\r
-{\r
-       if(kv)\r
-               freekeyvalues(kv);\r
-       if (fwdfile)\r
-               fclose(fwdfile);\r
-}\r
-\r
-int main(void)\r
-{\r
-       FILE *ipfile = NULL, *ifacefile = NULL;\r
-       int count;\r
-       char iface[STRING_SIZE] ="";
-       char locip[STRING_SIZE] ="";
-       char greenip[STRING_SIZE] ="", greenmask[STRING_SIZE] ="";
-       char bluedev[STRING_SIZE] ="", blueip[STRING_SIZE] ="", bluemask[STRING_SIZE] ="";
-       char orangedev[STRING_SIZE] ="", orangeip[STRING_SIZE] ="", orangemask[STRING_SIZE] ="";
-       char *protocol;\r
-       char *srcip;\r
-       char *locport;\r
-       char *remip;\r
-       char *remport;\r
-       char *origip;\r
-       char *enabled;\r
-       char s[STRING_SIZE];\r
-       char *result;\r
-       char *key1;\r
-       char *key2;\r
-       char command[STRING_SIZE];\r
-\r
-       if (!(initsetuid()))\r
-               exit(1);\r
-\r
-       atexit(exithandler);\r
-\r
-       /* Read in and verify config */\r
-       kv=initkeyvalues();\r
-\r
-       if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))\r
-       {\r
-               fprintf(stderr, "Cannot read ethernet settings\n");\r
-               exit(1);\r
-       }\r
-\r
-       if (!findkey(kv, "GREEN_ADDRESS", greenip))\r
-       {\r
-               fprintf(stderr, "Cannot read GREEN_ADDRESS\n");\r
-               exit(1);\r
-       }\r
-\r
-       if (!VALID_IP(greenip))\r
-       {\r
-               fprintf(stderr, "Bad GREEN_ADDRESS: %s\n", greenip);\r
-               exit(1);\r
-       }\r
-\r
-       if (!findkey(kv, "GREEN_NETMASK", greenmask))\r
-       {\r
-               fprintf(stderr, "Cannot read GREEN_NETMASK\n");\r
-               exit(1);\r
-       }\r
-\r
-       if (!VALID_IP(greenmask))\r
-       {\r
-               fprintf(stderr, "Bad GREEN_NETMASK: %s\n", greenmask);\r
-               exit(1);\r
-       }\r
-\r
-       /* Get the BLUE interface details */\r
-       findkey(kv, "BLUE_DEV", bluedev);\r
-\r
-       if (strlen(bluedev))\r
-       {\r
-\r
-               if (!VALID_DEVICE(bluedev))\r
-               {\r
-                       fprintf(stderr, "Bad BLUE_DEV: %s\n", bluedev);\r
-                       exit(1);\r
-               }\r
-\r
-               if (!findkey(kv, "BLUE_ADDRESS", blueip))\r
-               {\r
-                       fprintf(stderr, "Cannot read BLUE_ADDRESS\n");\r
-                       exit(1);\r
-               }\r
-\r
-               if (!VALID_IP(blueip))\r
-               {\r
-                       fprintf(stderr, "Bad BLUE_ADDRESS: %s\n", blueip);\r
-                       exit(1);\r
-               }\r
-\r
-               if (!findkey(kv, "BLUE_NETMASK", bluemask))\r
-               {\r
-                       fprintf(stderr, "Cannot read BLUE_NETMASK\n");\r
-                       exit(1);\r
-               }\r
-\r
-               if (!VALID_IP(bluemask))\r
-               {\r
-                       fprintf(stderr, "Bad BLUE_NETMASK: %s\n", bluemask);\r
-                       exit(1);\r
-               }\r
-\r
-       }\r
-\r
-       /* Get the ORANGE interface details */\r
-       findkey(kv, "ORANGE_DEV", orangedev);\r
-\r
-       if (strlen(orangedev))\r
-       {\r
-\r
-               if (!VALID_DEVICE(orangedev))\r
-               {\r
-                       fprintf(stderr, "Bad ORANGE_DEV: %s\n", orangedev);\r
-                       exit(1);\r
-               }\r
-\r
-               if (!findkey(kv, "ORANGE_ADDRESS", orangeip))\r
-               {\r
-                       fprintf(stderr, "Cannot read ORANGE_ADDRESS\n");\r
-                       exit(1);\r
-               }\r
-\r
-               if (!VALID_IP(orangeip))\r
-               {\r
-                       fprintf(stderr, "Bad ORANGE_ADDRESS: %s\n", orangeip);\r
-                       exit(1);\r
-               }\r
-\r
-               if (!findkey(kv, "ORANGE_NETMASK", orangemask))\r
-               {\r
-                       fprintf(stderr, "Cannot read ORANGE_NETMASK\n");\r
-                       exit(1);\r
-               }\r
-\r
-               if (!VALID_IP(orangemask))\r
-               {\r
-                       fprintf(stderr, "Bad ORANGE_NETMASK: %s\n", orangemask);\r
-                       exit(1);\r
-               }\r
-\r
-       }\r
-\r
-\r
-       if (!(ipfile = fopen(CONFIG_ROOT "/red/local-ipaddress", "r")))\r
-       {\r
-               fprintf(stderr, "Couldn't open local ip file\n");\r
-               exit(1);\r
-       }\r
-       fgets(locip, STRING_SIZE, ipfile);\r
-       if (locip[strlen(locip) - 1] == '\n')\r
-               locip[strlen(locip) - 1] = '\0';\r
-       fclose (ipfile);\r
-       if (!VALID_IP(locip))\r
-       {\r
-               fprintf(stderr, "Bad local IP: %s\n", locip);\r
-               exit(1);\r
-       }\r
-       \r
-       if (!(ifacefile = fopen(CONFIG_ROOT "/red/iface", "r")))\r
-       {\r
-               fprintf(stderr, "Couldn't open iface file\n");\r
-               exit(1);\r
-       }\r
-       fgets(iface, STRING_SIZE, ifacefile);\r
-       if (iface[strlen(iface) - 1] == '\n')\r
-               iface[strlen(iface) - 1] = '\0';\r
-       fclose (ifacefile);\r
-       if (!VALID_DEVICE(iface))\r
-       {\r
-               fprintf(stderr, "Bad iface: %s\n", iface);\r
-               exit(1);\r
-       }\r
-       \r
-       if (!(fwdfile = fopen(CONFIG_ROOT "/portfw/config", "r")))\r
-       {\r
-               fprintf(stderr, "Couldn't open portfw settings file\n");\r
-               exit(1);\r
-       }\r
-\r
-       safe_system("/sbin/iptables -t nat -F PORTFW");\r
-       safe_system("/sbin/iptables -t mangle -F PORTFWMANGLE");\r
-       safe_system("/sbin/iptables -F PORTFWACCESS");\r
-\r
-       while (fgets(s, STRING_SIZE, fwdfile) != NULL)\r
-       {\r
-               if (s[strlen(s) - 1] == '\n')\r
-                       s[strlen(s) - 1] = '\0';\r
-               result = strtok(s, ",");\r
-\r
-               count = 0;\r
-               key1 = NULL;\r
-               key2 = NULL;\r
-               protocol = NULL;\r
-               srcip = NULL;\r
-               locport = NULL;\r
-               remip = NULL;\r
-               origip = NULL;\r
-               remport = NULL;\r
-               enabled = NULL;\r
-               while (result)\r
-               {\r
-                       if (count == 0)\r
-                               key1 = result;\r
-                       else if (count == 1)\r
-                               key2 = result;\r
-                       else if (count == 2)\r
-                               protocol = result;\r
-                       else if (count == 3)\r
-                               locport = result;\r
-                       else if (count == 4)\r
-                               remip = result;\r
-                       else if (count == 5)\r
-                               remport = result;\r
-                       else if (count == 6)\r
-                               enabled = result;\r
-                       else if (count == 7)\r
-                               srcip = result;\r
-                       else if (count == 8)\r
-                               origip = result;\r
-                       count++;\r
-                       result = strtok(NULL, ",");\r
-               }\r
-               \r
-               if (!(key1 && key2 && protocol && locport && remip && remport && enabled\r
-                       && srcip && origip))\r
-                       break;\r
-               \r
-               if (!VALID_PROTOCOL(protocol))\r
-               {\r
-                       fprintf(stderr, "Bad protocol: %s\n", protocol);\r
-                       exit(1);\r
-               }\r
-               if (strcmp(protocol, "gre") == 0)\r
-               {\r
-                       locport = "0";\r
-                       remport = "0";\r
-               }\r
-               if (strcmp(origip,"0") && !VALID_IP_AND_MASK(origip))\r
-               {\r
-                       fprintf(stderr, "Bad IP: %s\n", origip);\r
-                       exit(1);\r
-               }\r
-               if (!VALID_PORT_RANGE(locport))\r
-               {\r
-                       fprintf(stderr, "Bad local port: %s\n", locport);\r
-                       exit(1);\r
-               }\r
-               if (!VALID_IP(remip))\r
-               {\r
-                       fprintf(stderr, "Bad remote IP: %s\n", remip);\r
-                       exit(1);\r
-               }\r
-               if (!VALID_PORT_RANGE(remport))\r
-               {\r
-                       fprintf(stderr, "Bad remote port: %s\n", remport);\r
-                       exit(1);\r
-               }\r
-\r
-                /* check for source ip in config file. If it's there\r
-                 * and it's not 0.0.0.0, use it; else use the\r
-                 * local ip address. (This makes sure we can use old-style\r
-                 * config files without the source ip) */\r
-               if (!srcip || !strcmp(srcip, "0.0.0.0"))\r
-                       srcip = locip;\r
-               if (strcmp(srcip,"0") && !VALID_IP(srcip))\r
-               {\r
-                       fprintf(stderr, "Bad source IP: %s\n", srcip);\r
-                       exit(1);\r
-               }\r
-\r
-               /* This may seem complicated... refer to portfw.pl for an explanation of\r
-                * the keys and their meaning in certain circumstances */\r
-                        \r
-               if (strcmp(enabled, "on") == 0)\r
-               {\r
-\r
-                       /* If key2 is a zero, then it is a portfw command, otherwise it is an\r
-                        * external access command */\r
-                       if (strcmp(key2, "0") == 0) \r
-                       {\r
-                               memset(command, 0, STRING_SIZE);\r
-                               if (strcmp(protocol, "gre") == 0)\r
-                                       snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t nat -A PORTFW -p %s -d %s -j DNAT --to %s", protocol, srcip, remip);\r
-                               else \r
-                               {\r
-                                       char *ctr;\r
-                                       /* If locport contains a - we need to change it to a : */\r
-                                       if ((ctr = strchr(locport, '-')) != NULL) {*ctr = ':';}\r
-                                       /* If remport contains a : we need to change it to a - */\r
-                                       if ((ctr = strchr(remport,':')) != NULL){*ctr = '-';}\r
-                                       snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t nat -A PORTFW -p %s -d %s --dport %s -j DNAT --to %s:%s", protocol, srcip, locport, remip, remport);\r
-                                       safe_system(command);\r
-                                       /* Now if remport contains a - we need to change it to a : */\r
-                                       if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';}\r
-                                       snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 1", protocol, greenip, greenmask, srcip, locport);\r
-                                       if (strlen(bluedev))\r
-                                       {\r
-                                               safe_system(command);\r
-                                               snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 2", protocol, blueip, bluemask, srcip, locport);\r
-                                       }\r
-                                       if (strlen(orangedev))\r
-                                       {\r
-                                               safe_system(command);\r
-                                               snprintf(command, STRING_SIZE - 1, "/sbin/iptables -t mangle -A PORTFWMANGLE -p %s -s %s/%s -d %s --dport %s -j MARK --set-mark 3", protocol, orangeip, orangemask, srcip, locport);\r
-                                       }\r
-                               }\r
-                               safe_system(command);\r
-                       }\r
-\r
-                       /* if key2 is not "0" then it's an external access rule, if key2 is "0"\r
-                        * then the portfw rule may contain external access information if origip\r
-                        * is not "0" (the only defined not 0 value seems to be 0.0.0.0 - open\r
-                        * to all; again, check portfw.pl for more details) */\r
-                       if(strcmp(key2, "0") || strcmp(origip,"0") )\r
-                       {\r
-                               memset(command, 0, STRING_SIZE);\r
-                               if (strcmp(protocol, "gre") == 0)\r
-                                       snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A PORTFWACCESS -i %s -p %s -s %s -d %s -j ACCEPT", iface, protocol, origip, remip);\r
-                               else\r
-                               {\r
-                                       char *ctr;\r
-                                       /* If remport contains a - we need to change it to a : */\r
-                                       if ((ctr = strchr(remport,'-')) != NULL){*ctr = ':';}\r
-                                       snprintf(command, STRING_SIZE - 1, "/sbin/iptables -A PORTFWACCESS -i %s -p %s -s %s -d %s --dport %s -j ACCEPT", iface, protocol, origip, remip, remport);\r
-                               }\r
-                               safe_system(command);\r
-                       }\r
-               }\r
-       }\r
-\r
-       return 0;\r
-}\r
index 90f602d5f4d7eb38d0e862c3fac54fed70f043a8..2a6ed0cae1193d34fdcf0d4b106c70142fe7eefa 100644 (file)
@@ -154,7 +154,7 @@ int main(void)
                                                                        (VALID_IP_AND_MASK(ipaddress))) {
                                                                        snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev);
                                                                        safe_system(command);
-                                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s ! -o %s -j ACCEPT", macaddress, ipaddress, blue_dev, green_dev);
+                                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s ! -o %s -j RETURN", macaddress, ipaddress, blue_dev, green_dev);
                                                                        safe_system(command);
                                                                        snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j FORWARDFW", macaddress, ipaddress, blue_dev);
                                                                        safe_system(command);
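Review bot: The switch from `-j ACCEPT` to `-j RETURN` on the `! -o green_dev` rule changes the final disposition of blue-to-non-green traffic from "accepted here" to "decided by whatever follows the WIRELESSFORWARD jump in the calling chain", and nothing in the hunk records that; the same applies to the two later hunks in this file (the MAC-only and IP-only variants), so one comment above the first `snprintf` would cover all three. Because RETURN ends traversal of WIRELESSFORWARD for matched packets, the following `-j FORWARDFW` rule now only ever sees packets leaving on green_dev, which is presumably the intent but is easy to misread as "all traffic also goes to FORWARDFW". Suggested comment: `/* blue -> non-green: RETURN so the caller's rules decide; blue -> green falls through to FORWARDFW below */`. The caller chain is set up in src/initscripts/init.d/firewall, which this commit also touches but is outside this hunk, so whether a RETURNed packet is still accepted cannot be confirmed from here; main() continues outside the hunk.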
@@ -164,7 +164,7 @@ int main(void)
                                                                        if (strlen(macaddress) == 17) {
                                                                                                        snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev);
                                                                                                        safe_system(command);
-                                                                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s ! -o %s -j ACCEPT", macaddress, blue_dev, green_dev);
+                                                                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s ! -o %s -j RETURN", macaddress, blue_dev, green_dev);
                                                                                                        safe_system(command);
                                                                                                        snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j FORWARDFW", macaddress, blue_dev);
                                                                                                        safe_system(command);
@@ -173,7 +173,7 @@ int main(void)
                                                                        if (VALID_IP_AND_MASK(ipaddress)) {
                                                                                                        snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev);
                                                                                                        safe_system(command);
-                                                                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s ! -o %s -j ACCEPT", ipaddress, blue_dev, green_dev);
+                                                                                                       snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s ! -o %s -j RETURN", ipaddress, blue_dev, green_dev);
                                                                                                        safe_system(command);
                                                                                                        snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j FORWARDFW", ipaddress, blue_dev);
                                                                                                        safe_system(command);