From b526909163c325956f16fdd90287465aa78ffd17 Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Thu, 10 Jan 2013 09:41:04 +0100
Subject: [PATCH] Forward Firewall: BUGFIX: MAC source addresses where not created as rules

---
 config/backup/exclude | 1 +
 config/forwardfw/rules.pl | 22 ++++++++++++++++------
 html/cgi-bin/forwardfw.cgi | 33 ++++++++++++++++++++++----------
 3 files changed, 39 insertions(+), 17 deletions(-)

diff --git a/config/backup/exclude b/config/backup/exclude
index 8103bb9d9..bd15ceb21 100644
--- a/config/backup/exclude
+++ b/config/backup/exclude
@@ -1,5 +1,6 @@
 *.tmp
 /var/ipfire/ethernet/settings
+/var/ipfire/forward/bin/*
 /var/ipfire/proxy/calamaris/bin/*
 /var/ipfire/qos/bin/qos.pl
 /var/ipfire/urlfilter/blacklists/*/*.db
diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
index 953aad0bc..58bdf2a05 100755
--- a/config/forwardfw/rules.pl
+++ b/config/forwardfw/rules.pl
@@ -115,7 +115,9 @@ sub preparerules
 sub buildrules
 {
 my $hash=shift;
+ my $STAG;
 foreach my $key (sort keys %$hash){
+ $STAG='';
 if($$hash{$key}[2] eq 'ON'){
 #get source ip's
 if ($$hash{$key}[3] eq 'cust_grp_src'){
@@ -195,17 +197,17 @@ sub buildrules
 foreach my $b (sort keys %targethash){
 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){
 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
+ if(substr($sourcehash{$a}[0], 4, 6) eq 'mac'){ $STAG="-s";}
 if ($$hash{$key}[17] eq 'ON'){
- print "iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
 }
- print "iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
 }
 }
 }
 }
 print"\n";
 }
-
 }elsif($MODE eq '0'){
 foreach my $DPROT (@DPROT){
 $DPORT = &get_port($hash,$key,$DPROT);
@@ -215,10 +217,11 @@ sub buildrules
 foreach my $b (sort keys %targethash){
 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){
 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
+ if(substr($sourcehash{$a}[0], 4, 6) eq 'mac'){ $STAG="-s";}
 if ($$hash{$key}[17] eq 'ON'){
- system ("iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
+ system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
 }
- system ("iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
+ system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
 }
 }
 }
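Review bot: As far as the visible lines show, the new `$STAG` handling never emits `-s` for ordinary IP or network sources: `$STAG` is cleared to '' per rule (hunk -115) and is only set to `-s` when `substr($sourcehash{$a}[0], 4, 6)` equals `mac`, but that is a six-character window at offset 4, which for the `-m mac --mac-source …` string built in get_address (hunk -247) reads `ac --m` and for an address never reads `mac` either — and even when the source is a MAC, `-s` must not be prepended to the `-m mac` match, it is the non-MAC case that needs it. The identical line is added again in hunk -215. Because the assignment also sits inside the `$b` loop and is never cleared between sources, a single unconditional per-source assignment at the top of the enclosing loop over `$a` (which begins above this hunk) would fix both problems, e.g. `$STAG = (substr($sourcehash{$a}[0], 0, 6) eq '-m mac') ? '' : '-s';`. These command lines still reach the shell through single-string `system`/`print`, so the only thing keeping the `-m mac` fragment well-formed is that get_address builds it from a validmac-checked value; that dependency deserves a comment next to the `$STAG` assignment. buildrules starts before and ends after this hunk.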
@@ -247,7 +250,11 @@ sub get_address
 }
 my $key = &General::findhasharraykey($hash);
 if($base eq 'src_addr' || $base eq 'tgt_addr' ){
- $$hash{$key}[0] = $base2;
+ if (&General::validmac($base2)){
+ $$hash{$key}[0] = "-m mac --mac-source $base2";
+ }else{
+ $$hash{$key}[0] = $base2;
+ }
 }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
 $$hash{$key}[0]=&fwlib::get_std_net_ip($base2);
 }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
@@ -307,6 +314,7 @@ sub get_port
 return;
 }
 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
+ if($$hash{$key}[14] eq 'TGT_PORT'){
 if ($$hash{$key}[15] ne ''){
 return "--dport $$hash{$key}[15] ";
@@ -330,6 +338,8 @@ sub get_port
 elsif($prot eq 'ICMP'){
 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
 }
+
+ }
 }
 }
 }
diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
index 6aadb996b..21f680d46 100755
--- a/html/cgi-bin/forwardfw.cgi
+++ b/html/cgi-bin/forwardfw.cgi
@@ -544,24 +544,35 @@ sub checksource
 if ($fwdfwsettings{'src_addr'} =~ /^(.*?)\/(.*?)$/) {
 ($ip,$subnet)=split (/\//,$fwdfwsettings{'src_addr'});
 $subnet = &General::iporsubtocidr($subnet);
+ $fwdfwsettings{'isip'}='on';
 }
 #check if only ip
 if($fwdfwsettings{'src_addr'}=~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
 $ip=$fwdfwsettings{'src_addr'};
 $subnet = '32';
+ $fwdfwsettings{'isip'}='on';
 }
- #check and form valid IP
- $ip=&General::ip2dec($ip);
- $ip=&General::dec2ip($ip);
- #check if net or broadcast
- my @tmp= split (/\./,$ip);
- if (($tmp[3] eq "0") || ($tmp[3] eq "255"))
- {
- $errormessage=$Lang::tr{'fwhost err hostip'}."
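Review bot: The MAC branch added to get_address is taken for `tgt_addr` as well as `src_addr`, yet the stored string `-m mac --mac-source $base2` is substituted after `-d` in buildrules, so a MAC that reaches this path as a target would produce `-d -m mac --mac-source …`, which iptables will reject; whether checktarget lets a MAC through is not visible here, but restricting the branch is cheap: `if ($base eq 'src_addr' && &General::validmac($base2)){`. Note also that `$$hash{$key}[0]` now holds an iptables command-line fragment rather than an address, which every consumer of that slot (including the `ne $targethash{$b}[0]` comparison in buildrules) has to tolerate, and that `validmac` is the only check before the value is interpolated into a shell command line; a comment on the assignment such as `# MAC source stored as a ready-made iptables match; validmac() is the only gate before buildrules interpolates it into a shell command` would record both facts. get_address starts above and continues below this hunk.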
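Review bot: The `if($$hash{$key}[14] eq 'TGT_PORT'){` opened in hunk -307 is only closed by the `}` added in hunk -330, and it has no else branch, so for any other value of `[14]` the `elsif` now falls through to whatever follows the new closing brace instead of returning a port string as it did before. The rest of get_port is outside both hunks, so I cannot tell what is returned in that case; if falling through is intended, an explicit `return '';` after the new `}` in hunk -330 would document it and keep `$DPORT` defined when buildrules interpolates it. get_port starts above hunk -307 and its body is split across the two hunks.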
"; - } - $fwdfwsettings{'src_addr'}="$ip/$subnet"; - if(!&General::validipandmask($fwdfwsettings{'src_addr'})){ + if ($fwdfwsettings{'isip'} ne 'on'){ + if (&General::validmac($fwdfwsettings{'src_addr'})){$fwdfwsettings{'ismac'}='on';} + } + if ($fwdfwsettings{'isip'} eq 'on'){ + #check and form valid IP + $ip=&General::ip2dec($ip); + $ip=&General::dec2ip($ip); + #check if net or broadcast + my @tmp= split (/\./,$ip); + if (($tmp[3] eq "0") || ($tmp[3] eq "255")) + { + $errormessage=$Lang::tr{'fwhost err hostip'}."
"; + } + $fwdfwsettings{'src_addr'}="$ip/$subnet"; + + if(!&General::validipandmask($fwdfwsettings{'src_addr'})){ + $errormessage.=$Lang::tr{'fwdfw err src_addr'}."
"; + } + } + if ($fwdfwsettings{'isip'} ne 'on' && $fwdfwsettings{'ismac'} ne 'on'){ $errormessage.=$Lang::tr{'fwdfw err src_addr'}."
"; } }elsif($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} eq ''){ -- 2.39.2