From: Alexander Marx Date: Sat, 12 Jan 2013 07:07:33 +0000 (+0100) Subject: Forward Firewall: changed hash sorting to get right ruleorder in Iptables X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=commitdiff_plain;h=992394d55cd19659a6717f2917e27d5a93a73e37 Forward Firewall: changed hash sorting to get right ruleorder in Iptables --- diff --git a/config/forwardfw/firewall-lib.pl b/config/forwardfw/firewall-lib.pl index 44c0079b7..eb84c4af4 100755 --- a/config/forwardfw/firewall-lib.pl +++ b/config/forwardfw/firewall-lib.pl @@ -68,7 +68,7 @@ my $field; sub get_srv_prot { my $val=shift; - foreach my $key (sort keys %customservice){ + foreach my $key (sort {$a <=> $b} keys %customservice){ if($customservice{$key}[0] eq $val){ if ($customservice{$key}[0] eq $val){ return $customservice{$key}[2]; @@ -83,7 +83,7 @@ sub get_srvgrp_prot my $tcp; my $udp; my $icmp; - foreach my $key (sort keys %customservicegrp){ + foreach my $key (sort {$a <=> $b} keys %customservicegrp){ if($customservicegrp{$key}[0] eq $val){ if (&get_srv_prot($customservicegrp{$key}[2]) eq 'TCP'){ $tcp=1; @@ -108,7 +108,7 @@ sub get_srv_port my $val=shift; my $field=shift; my $prot=shift; - foreach my $key (sort keys %customservice){ + foreach my $key (sort {$a <=> $b} keys %customservice){ if($customservice{$key}[0] eq $val){ if($customservice{$key}[2] eq $prot){ return $customservice{$key}[$field]; @@ -123,7 +123,7 @@ sub get_srvgrp_port my $back; my $value; my @ips=(); - foreach my $key (sort keys %customservicegrp){ + foreach my $key (sort {$a <=> $b} keys %customservicegrp){ if($customservicegrp{$key}[0] eq $val){ if ($prot ne 'ICMP'){ $value=&get_srv_port($customservicegrp{$key}[2],1,$prot); @@ -146,7 +146,7 @@ sub get_ipsec_net_ip { my $val=shift; my $field=shift; - foreach my $key (sort keys %ipsecconf){ + foreach my $key (sort {$a <=> $b} keys %ipsecconf){ if($ipsecconf{$key}[1] eq $val){ return $ipsecconf{$key}[$field]; } 
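Review bot: `sort {$a <=> $b} keys %customservice` in get_srv_prot assumes every key is numeric; a non-numeric key would compare as 0 and raise an "isn't numeric" warning under `use warnings`, so the assumption deserves a comment at this first occurrence such as `# keys are numeric config indexes; numeric sort keeps the rules in config order`. In get_srv_prot, get_srv_port, get_ipsec_net_ip, get_ipsec_host_ip, get_ovpn_n2n_ip, get_ovpn_host_ip, get_ovpn_net_ip, get_net_ip and get_host_ip the loop returns on the first match, so the ordering only decides which of several same-named entries wins; it changes the collected result only in the accumulating loops of get_srvgrp_prot, get_srvgrp_port and get_grp_ip. The identical replacement appears in all twelve hunks of firewall-lib.pl, so one comment at the first is enough. Separately, the context of this hunk shows the inner `if ($customservice{$key}[0] eq $val)` repeating the test of the outer `if` and it can simply be dropped.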
@@ -156,7 +156,7 @@ sub get_ipsec_host_ip { my $val=shift; my $field=shift; - foreach my $key (sort keys %ipsecconf){ + foreach my $key (sort {$a <=> $b} keys %ipsecconf){ if($ipsecconf{$key}[1] eq $val){ return $ipsecconf{$key}[$field]; } @@ -166,7 +166,7 @@ sub get_ovpn_n2n_ip { my $val=shift; my $field=shift; - foreach my $key (sort keys %ccdhost){ + foreach my $key (sort {$a <=> $b} keys %ccdhost){ if($ccdhost{$key}[1] eq $val){ return $ccdhost{$key}[$field]; } @@ -176,7 +176,7 @@ sub get_ovpn_host_ip { my $val=shift; my $field=shift; - foreach my $key (sort keys %ccdhost){ + foreach my $key (sort {$a <=> $b} keys %ccdhost){ if($ccdhost{$key}[1] eq $val){ return $ccdhost{$key}[$field]; } @@ -187,7 +187,7 @@ sub get_ovpn_net_ip my $val=shift; my $field=shift; - foreach my $key (sort keys %ccdnet){ + foreach my $key (sort {$a <=> $b} keys %ccdnet){ if($ccdnet{$key}[0] eq $val){ return $ccdnet{$key}[$field]; } @@ -197,7 +197,7 @@ sub get_grp_ip { my $val=shift; my $src=shift; - foreach my $key (sort keys %customgrp){ + foreach my $key (sort {$a <=> $b} keys %customgrp){ if ($customgrp{$key}[0] eq $val){ &get_address($customgrp{$key}[3],$src); } @@ -226,7 +226,7 @@ sub get_std_net_ip sub get_net_ip { my $val=shift; - foreach my $key (sort keys %customnetwork){ + foreach my $key (sort {$a <=> $b} keys %customnetwork){ if($customnetwork{$key}[0] eq $val){ return "$customnetwork{$key}[1]/$customnetwork{$key}[2]"; } @@ -236,7 +236,7 @@ sub get_host_ip { my $val=shift; my $src=shift; - foreach my $key (sort keys %customhost){ + foreach my $key (sort {$a <=> $b} keys %customhost){ if($customhost{$key}[0] eq $val){ if ($customhost{$key}[1] eq 'mac' && $src eq 'src'){ return "-m mac --mac-source $customhost{$key}[2]"; diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl index e129d7621..1ac1bb345 100755 --- a/config/forwardfw/rules.pl +++ b/config/forwardfw/rules.pl 
@@ -115,12 +115,12 @@ sub buildrules { my $hash=shift; my $STAG; - foreach my $key (sort keys %$hash){ + foreach my $key (sort {$a <=> $b} keys %$hash){ $STAG=''; if($$hash{$key}[2] eq 'ON'){ #get source ip's if ($$hash{$key}[3] eq 'cust_grp_src'){ - foreach my $grp (sort keys %customgrp){ + foreach my $grp (sort {$a <=> $b} keys %customgrp){ if($customgrp{$grp}[0] eq $$hash{$key}[4]){ &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src"); } @@ -130,7 +130,7 @@ sub buildrules } #get target ip's if ($$hash{$key}[5] eq 'cust_grp_tgt'){ - foreach my $grp (sort keys %customgrp){ + foreach my $grp (sort {$a <=> $b} keys %customgrp){ if($customgrp{$grp}[0] eq $$hash{$key}[6]){ &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt"); } @@ -187,7 +187,6 @@ sub buildrules print "\n"; print"##################################\n"; #print rules to console - foreach my $DPROT (@DPROT){ $DPORT = &get_port($hash,$key,$DPROT); if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;} diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi index 7b7271d55..78b7827de 100755 --- a/html/cgi-bin/forwardfw.cgi +++ b/html/cgi-bin/forwardfw.cgi @@ -112,7 +112,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') $errormessage=&checksource; if(!$errormessage){&checktarget;} if(!$errormessage){&checkrule;} - #check if we change an forward rule to an external access if( $fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{'oldgrp2a'} ne 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ $fwdfwsettings{'updatefwrule'}=''; @@ -122,7 +121,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') &checkcounter(0,0,$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); } - #check if we change an external access rule to an forward if( $fwdfwsettings{'grp2'} ne 'ipfire' && $fwdfwsettings{'oldgrp2a'} eq 'ipfire' && $fwdfwsettings{'updatefwrule'} eq 'on'){ $fwdfwsettings{'updatefwrule'}=''; 
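Review bot: The inner `foreach my $grp (sort {$a <=> $b} keys %customgrp)` now re-sorts the full %customgrp key list once per rule, since it sits inside the outer loop over %$hash; hoisting `my @grp_keys = sort { $a <=> $b } keys %customgrp;` above the outer loop and iterating `for my $grp (@grp_keys)` in both the source loop here and the target loop in the hunk at `@@ -130` does the sort once and removes one of the two duplicated comparators. The outer loop also deserves a line saying why the order matters, e.g. `# walk rules in numeric index order so iptables receives them in config order`, which is the motivation given in the subject line. buildrules starts and ends outside this hunk.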
@@ -141,9 +139,17 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" eq "$configinputfw{$key}[0],$configinputfw{$key}[2],$configinputfw{$key}[3],$configinputfw{$key}[4],$configinputfw{$key}[5],$configinputfw{$key}[6],$configinputfw{$key}[7],$configinputfw{$key}[8],$configinputfw{$key}[9],$configinputfw{$key}[10],$configinputfw{$key}[11],$configinputfw{$key}[12],$configinputfw{$key}[13],$configinputfw{$key}[14],$configinputfw{$key}[15],$configinputfw{$key}[17],$configinputfw{$key}[18],$configinputfw{$key}[19],$configinputfw{$key}[20],$configinputfw{$key}[21],$configinputfw{$key}[22],$configinputfw{$key}[23],$configinputfw{$key}[24],$configinputfw{$key}[25],$configinputfw{$key}[26],$configinputfw{$key}[27]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + $fwdfwsettings{'nosave'} = 'on'; } } } + #check if we just close a rule + if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq 
$fwdfwsettings{'USESRV'} ) { + if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ + $errormessage=''; + $fwdfwsettings{'nosave2'} = 'on'; + } + } &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); if ($fwdfwsettings{'nobase'} ne 'on'){ &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); @@ -155,8 +161,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') }elsif ($fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldgrp3b'} ne $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'updatefwrule'} eq 'on'){ &checkcounter($fwdfwsettings{'oldgrp3a'},$fwdfwsettings{'oldgrp3b'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); } - - &saverule(\%configinputfw,$configinput); + if($fwdfwsettings{'nosave2'} ne 'on'){ + &saverule(\%configinputfw,$configinput); + } #print "Source: $fwdfwsettings{'grp1'} -> $fwdfwsettings{$fwdfwsettings{'grp1'}}
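Review bot: The new "just close a rule" block suppresses the 'ruleexists' error after the fact with `$errormessage=''`, which also discards any message appended earlier, and it keeps the `nosave`/`nosave2` flags in %fwdfwsettings; if that hash is filled from the request parameters (its source is outside the hunk), a submitted `nosave2=on` alone would skip &saverule and &rules, so either reset both keys at the top of the saverule branch (`$fwdfwsettings{'nosave'} = ''; $fwdfwsettings{'nosave2'} = '';`) or keep them in `my` lexicals. The underlying problem appears to be that the duplicate check compares an edited rule against its own stored entry; excluding it from the comparison, e.g. `next if $fwdfwsettings{'updatefwrule'} eq 'on' && $key == $fwdfwsettings{'key'};` at the top of the loop body (the loop header is outside the hunk, and I am assuming the edited rule's index is in $fwdfwsettings{'key'} as deleterule uses), would make the error correct without the flag and the blanket reset. The same block is added for %configfwdfw in the hunk at `@@ -186`, with the two assignments in the opposite order, and the `nosave2` guards in `@@ -155`, `@@ -202` and `@@ -228` would then be unnecessary. The enclosing `if ($fwdfwsettings{'ACTION'} eq 'saverule')` branch starts and ends outside this hunk.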
"; #print "Sourceport: $fwdfwsettings{'USE_SRC_PORT'}, $fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'}, $fwdfwsettings{'SRC_PORT'}
"; #print "Target: $fwdfwsettings{'grp2'} -> $fwdfwsettings{$fwdfwsettings{'grp2'}}
"; 
@@ -186,9 +193,17 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if ("$fwdfwsettings{'RULE_ACTION'},$fwdfwsettings{'ACTIVE'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}},$fwdfwsettings{'USE_SRC_PORT'},$fwdfwsettings{'PROT'},$fwdfwsettings{'ICMP_TYPES'},$fwdfwsettings{'SRC_PORT'},$fwdfwsettings{'USESRV'},$fwdfwsettings{'TGT_PROT'},$fwdfwsettings{'ICMP_TGT'},$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}},$fwdfwsettings{'LOG'},$fwdfwsettings{'TIME'},$fwdfwsettings{'TIME_MON'},$fwdfwsettings{'TIME_TUE'},$fwdfwsettings{'TIME_WED'},$fwdfwsettings{'TIME_THU'},$fwdfwsettings{'TIME_FRI'},$fwdfwsettings{'TIME_SAT'},$fwdfwsettings{'TIME_SUN'},$fwdfwsettings{'TIME_FROM'},$fwdfwsettings{'TIME_TO'}" eq "$configfwdfw{$key}[0],$configfwdfw{$key}[2],$configfwdfw{$key}[3],$configfwdfw{$key}[4],$configfwdfw{$key}[5],$configfwdfw{$key}[6],$configfwdfw{$key}[7],$configfwdfw{$key}[8],$configfwdfw{$key}[9],$configfwdfw{$key}[10],$configfwdfw{$key}[11],$configfwdfw{$key}[12],$configfwdfw{$key}[13],$configfwdfw{$key}[14],$configfwdfw{$key}[15],$configfwdfw{$key}[17],$configfwdfw{$key}[18],$configfwdfw{$key}[19],$configfwdfw{$key}[20],$configfwdfw{$key}[21],$configfwdfw{$key}[22],$configfwdfw{$key}[23],$configfwdfw{$key}[24],$configfwdfw{$key}[25],$configfwdfw{$key}[26],$configfwdfw{$key}[27]"){ $errormessage.=$Lang::tr{'fwdfw err ruleexists'}; + $fwdfwsettings{'nosave'} = 'on'; } } } + #check if we just close a rule + if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} ) { + if($fwdfwsettings{'nosave'} eq 'on' && 
$fwdfwsettings{'updatefwrule'} eq 'on'){ + $fwdfwsettings{'nosave2'} = 'on'; + $errormessage=''; + } + } #increase counters &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); @@ -202,7 +217,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if ($fwdfwsettings{'nobase'} eq 'on'){ &checkcounter(0,0,$fwdfwsettings{'grp3'},$fwdfwsettings{$fwdfwsettings{'grp3'}}); } - &saverule(\%configfwdfw,$configfwdfw); + if ($fwdfwsettings{'nosave2'} ne 'on'){ + &saverule(\%configfwdfw,$configfwdfw); + } #print "Source: $fwdfwsettings{'grp1'} -> $fwdfwsettings{$fwdfwsettings{'grp1'}}
"; #print "Sourceport: $fwdfwsettings{'USE_SRC_PORT'}, $fwdfwsettings{'PROT'}, $fwdfwsettings{'ICMP_TYPES'}, $fwdfwsettings{'SRC_PORT'}
"; #print "Target: $fwdfwsettings{'grp2'} -> $fwdfwsettings{$fwdfwsettings{'grp2'}}
"; @@ -228,7 +245,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if ($errormessage){ &newrule; }else{ - &rules; + if($fwdfwsettings{'nosave2'} ne 'on'){ + &rules; + } &base; } } @@ -491,7 +510,7 @@ sub deleterule my %delhash=(); &General::readhasharray($fwdfwsettings{'config'}, \%delhash); foreach my $key (sort {$a <=> $b} keys %delhash){ - if ($key eq $fwdfwsettings{'key'}){ + if ($key == $fwdfwsettings{'key'}){ #check hosts/net and groups &checkcounter($delhash{$key}[3],$delhash{$key}[4],,); &checkcounter($delhash{$key}[5],$delhash{$key}[6],,); @@ -500,7 +519,7 @@ sub deleterule &checkcounter($delhash{$key}[14],$delhash{$key}[15],,); } } - if ($key ge $fwdfwsettings{'key'}) { + if ($key >= $fwdfwsettings{'key'}) { my $next = $key + 1; if (exists $delhash{$next}) { foreach my $i (0 .. $#{$delhash{$next}}) {
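Review bot: `$key == $fwdfwsettings{'key'}` in deleterule now coerces the submitted key to a number, so a missing or non-numeric value compares as 0 with only a warning, and the matching `$key >= $fwdfwsettings{'key'}` in the hunk at `@@ -500` is then true for every rule, which renumbers the whole table instead of one entry (the tail of that loop is outside the hunk, so the final effect is inferred). Validate the index once before the loop, `return unless defined $fwdfwsettings{'key'} && $fwdfwsettings{'key'} =~ /\A\d+\z/;`, or set `$errormessage` and return, so the numeric comparisons only ever see a well-formed index. The numeric form itself is the right choice given the `sort {$a <=> $b}` over the same keys on the preceding line. deleterule starts before and ends after this hunk.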