From: Alexander Marx Date: Fri, 27 Sep 2013 08:16:52 +0000 (+0200) Subject: Firewall: Bugfix: wrong counter when using selfdefinded services in a rule that could... X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=commitdiff_plain;h=2aeb4b256eb99c8971da60a5dff6bd3929270798 Firewall: Bugfix: wrong counter when using selfdefinded services in a rule that could not be applied Bugfix: When using ICMP-ALL in a rule, the rule was not applied Bugfix: When using selfdefined services (icmp) and group them together. Then when using these services/groups in a rule and afterwards changing the service, the edited service was not applied --- diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index 370b7ecfb..3f491f794 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl @@ -146,8 +146,10 @@ sub buildrules my $nat; my $fwaccessdport; my $natchain; + my $icmptype; foreach my $key (sort {$a <=> $b} keys %$hash){ next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' ); + $command="iptables -A"; if ($$hash{$key}[28] eq 'ON'){ $command='iptables -t nat -A'; $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]); @@ -260,10 +262,15 @@ sub buildrules if(substr($DPORT, 2, 4) eq 'icmp'){ my @icmprule= split(",",substr($DPORT, 12,)); foreach (@icmprule){ + $icmptype="--icmp-type "; + if ($_ eq "BLANK") { + $icmptype=""; + $_=""; + } if ($$hash{$key}[17] eq 'ON'){ - print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n"; + print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG\n"; } - print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n"; + print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]\n"; } }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ $natchain='NAT_DESTINATION'; @@ -289,7 +296,7 @@ sub buildrules $natchain='NAT_SOURCE'; print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; } - if ($$hash{$key}[17] eq 'ON'){ + if ($$hash{$key}[17] eq 'ON' ){ print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; } if ($PROT ne '-p ICMP'){ @@ -315,10 +322,15 @@ sub buildrules if(substr($DPORT, 2, 4) eq 'icmp'){ my @icmprule= split(",",substr($DPORT, 12,)); foreach (@icmprule){ + $icmptype="--icmp-type "; + if ($_ eq "BLANK") { + $icmptype=""; + $_=""; + } if ($$hash{$key}[17] eq 'ON'){ - system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG"); + system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG"); } - system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]"); + system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]"); } #PROCESS DNAT RULE (Portforward) }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){ @@ -346,7 +358,7 @@ sub buildrules $natchain='NAT_SOURCE'; system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; } - if ($$hash{$key}[17] eq 'ON'){ + if ($$hash{$key}[17] eq 'ON' && substr($DPORT, 2, 4) ne 'icmp'){ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n"; } #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double) diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index e3bbe5900..405a97dbc 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -183,19 +183,21 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') $fwdfwsettings{'nosave2'} = 'on'; } } - &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); - if ($fwdfwsettings{'nobase'} ne 'on'){ - &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); - } - if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ - &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); - }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { - &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0); - }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); - } - if($fwdfwsettings{'nosave2'} ne 'on'){ - &saverule(\%configinputfw,$configinput); + if (!$errormessage){ + &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); + if ($fwdfwsettings{'nobase'} ne 'on'){ + &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); + } + if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0); + }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + } + if($fwdfwsettings{'nosave2'} ne 'on'){ + &saverule(\%configinputfw,$configinput); + } } }elsif($fwdfwsettings{'grp1'} eq 'ipfire_src' ){ # OUTGOING PART @@ -237,20 +239,22 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') } } #increase counters - &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); - &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); - if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ - &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); - }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { - &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0); - }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); - } - if ($fwdfwsettings{'nobase'} eq 'on'){ - &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); - } - if ($fwdfwsettings{'nosave2'} ne 'on'){ - &saverule(\%configoutgoingfw,$configoutgoing); + if (!$errormessage){ + &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); + &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); + if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0); + }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + } + if ($fwdfwsettings{'nobase'} eq 'on'){ + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + } + if ($fwdfwsettings{'nosave2'} ne 'on'){ + &saverule(\%configoutgoingfw,$configoutgoing); + } } }else{ #FORWARD PART @@ -292,21 +296,23 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') } } #increase counters - &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); - &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); - if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ - &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); - }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { - &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0); - }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ - &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); - } - if ($fwdfwsettings{'nobase'} eq 'on'){ - &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); - } - if ($fwdfwsettings{'nosave2'} ne 'on'){ - &saverule(\%configfwdfw,$configfwdfw); - } + if (!$errormessage){ + &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); + &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); + if($fwdfwsettings{'oldusesrv'} eq '' && $fwdfwsettings{'USESRV'} eq 'ON'){ + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + }elsif ($fwdfwsettings{'USESRV'} eq '' && $fwdfwsettings{'oldusesrv'} eq 'ON') { + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},0,0); + }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ + &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + } + if ($fwdfwsettings{'nobase'} eq 'on'){ + &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); + } + if ($fwdfwsettings{'nosave2'} ne 'on'){ + &saverule(\%configfwdfw,$configfwdfw); + } + } } if ($errormessage){ &newrule; diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 7ed27c4f6..2d4c69f6a 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -47,8 +47,7 @@ my %ipsecsettings=(); my %fwfwd=(); my %fwinp=(); my %ovpnsettings=(); -my %ipsecconf=(); -my %ipsecsettings=(); + my $errormessage; my $hint; @@ -65,7 +64,6 @@ my $fwconfigfwd = "${General::swroot}/forward/config"; my $fwconfiginp = "${General::swroot}/forward/input"; my $configovpn = "${General::swroot}/ovpn/settings"; my $tdcolor=''; -my $configipsec = "${General::swroot}/vpn/config"; my $configipsecrw = "${General::swroot}/vpn/settings"; unless (-e $confignet) { system("touch $confignet"); } @@ -179,6 +177,13 @@ if ($fwhostsettings{'ACTION'} eq 'updateservice') $fwhostsettings{'ICMP_TYPES'}='BLANK'; } my $key1 = &General::findhasharraykey(\%customservice); + #find out short ICMP-TYPE + &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes); + foreach my $key (keys %icmptypes){ + if ("$icmptypes{$key}[0] ($icmptypes{$key}[1])" eq $fwhostsettings{'ICMP_TYPES'}){ + $fwhostsettings{'ICMP_TYPES'}=$icmptypes{$key}[0]; + } + } foreach my $i (0 .. 4) { $customservice{$key1}[$i] = "";} $customservice{$key1}[0] = $fwhostsettings{'SRV_NAME'}; $customservice{$key1}[1] = $fwhostsettings{'SRV_PORT'}; @@ -222,15 +227,22 @@ if ($fwhostsettings{'ACTION'} eq 'updateservice') if($count gt 0 && $fwhostsettings{'oldsrvprot'} ne $fwhostsettings{'PROT'} ){ $needrules='on'; } + if($count gt 0 && $fwhostsettings{'oldsrvicmp'} ne $fwhostsettings{'ICMP'} ){ + $needrules='on'; + } $fwhostsettings{'SRV_NAME'} = ''; $fwhostsettings{'SRV_PORT'} = ''; $fwhostsettings{'PROT'} = ''; + $fwhostsettings{'ICMP'} = ''; + $fwhostsettings{'oldsrvicmp'} = ''; }else{ $fwhostsettings{'SRV_NAME'} = $fwhostsettings{'oldsrvname'}; $fwhostsettings{'SRV_PORT'} = $fwhostsettings{'oldsrvport'}; $fwhostsettings{'PROT'} = $fwhostsettings{'oldsrvprot'}; + $fwhostsettings{'ICMP'} = $fwhostsettings{'oldsrvicmp'}; $fwhostsettings{'updatesrv'}= 'on'; } + $fwhostsettings{'updatesrv'} = ''; if($needrules eq 'on'){ &rules; } @@ -1289,6 +1301,7 @@ sub addservice $fwhostsettings{'oldsrvname'} = $fwhostsettings{'SRV_NAME'}; $fwhostsettings{'oldsrvport'} = $fwhostsettings{'SRV_PORT'}; $fwhostsettings{'oldsrvprot'} = $fwhostsettings{'PROT'}; + $fwhostsettings{'oldsrvicmp'} = $fwhostsettings{'ICMP'}; } print<
@@ -1311,9 +1324,12 @@ END &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes); print""; foreach my $key (sort { ncmp($icmptypes{$a}[0],$icmptypes{$b}[0]) }keys %icmptypes){ - print""; + if ($icmptypes{$key}[0] eq $fwhostsettings{'oldsrvicmp'}){ + print""; + }else{ + print""; + } } - print< $Lang::tr{'fwhost port'}: @@ -1327,7 +1343,9 @@ END - + + + END }else{ @@ -1647,7 +1665,8 @@ END
-
+ + END if ($customservice{$key}[4] eq '0') {