From 49192c7b313d0fae39f16479594c06ca06684060 Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Tue, 12 Nov 2013 15:08:58 +0100
Subject: [PATCH] Firewall: The maximum of definable services in a servicegroup is limited to 13 per protocol (tcp,udp) because iptables can only handle max 13 services in Multiport
---
 html/cgi-bin/fwhosts.cgi | 22 +++++++++++++++++++++-
 langs/de/cgi-bin/de.pl | 2 ++
 langs/en/cgi-bin/en.pl | 2 ++
 3 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
index 91de897ec..7d1f215d5 100755
--- a/html/cgi-bin/fwhosts.cgi
+++ b/html/cgi-bin/fwhosts.cgi
@@ -764,12 +764,32 @@ if ($fwhostsettings{'ACTION'} eq 'saveservicegrp')
 my $prot;
 my $port;
 my $count=0;
+ my $tcpcounter=0;
+ my $udpcounter=0;
 &General::readhasharray("$configsrvgrp", \%customservicegrp );
 &General::readhasharray("$configsrv", \%customservice );
 $errormessage=&checkservicegroup;
+ #Check if we have more than 13 services from one Protocol in the group
+ #iptables can only handle 13 ports/portranges via multiport
+ foreach my $key (keys %customservicegrp){
+ if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'}){
+ foreach my $key1 (keys %customservice){
+ $tcpcounter++ if $customservice{$key1}[2] eq 'TCP' && $customservicegrp{$key}[2] eq $customservice{$key1}[0];
+ $udpcounter++ if $customservice{$key1}[2] eq 'UDP' && $customservicegrp{$key}[2] eq $customservice{$key1}[0];
+ }
+ }
+ }
+ if ($tcpcounter > 13){
+ $errormessage=$Lang::tr{'fwhost err maxservicetcp'};
+ }
+ if ($udpcounter > 13){
+ $errormessage=$Lang::tr{'fwhost err maxserviceudp'};
+ }
+ $tcpcounter=0;
+ $udpcounter=0;
 #check remark
 if ($fwhostsettings{'SRVGRP_REMARK'} ne '' && !&validremark($fwhostsettings{'SRVGRP_REMARK'})){
- $errormessage=$Lang::tr{'fwhost err remark'};
+ $errormessage .= $Lang::tr{'fwhost err remark'};
 }
 if (!$errormessage){
 #on first save, we have to enter a dummy value
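Review bot: The two new limit checks assign with `$errormessage=` while the same hunk changes the remark check to `$errormessage .=`, so a TCP-limit message is overwritten by a UDP-limit message and both discard whatever `&checkservicegroup` returned a few lines above; use `$errormessage .= $Lang::tr{'fwhost err maxservicetcp'};` and the matching UDP line so every message survives. The counters are also built only from entries already stored in `%customservicegrp`, so unless the service being added has been written into that hash before this point (not visible in the hunk), the fourteenth TCP service is still accepted (a counter of 13 is not `> 13`) and the error first fires on the fifteenth; compare with `>= 13` or include the pending service in the count. The trailing `$tcpcounter=0; $udpcounter=0;` look like dead stores, since both are block-scoped `my` variables, unless they are read again later in the block. Worth confirming against the rule generator as well: iptables' multiport match counts a port range as two ports, so a cap on the number of services may still be exceeded when the services are port ranges. The enclosing `if ($fwhostsettings{'ACTION'} eq 'saveservicegrp')` block starts and ends outside the hunk.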
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 11dd471ee..f63aff940 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1039,6 +1039,8 @@
 'fwhost err isccdnet' => 'Dieser Name wird bereits für einen OpenVPN-Netzwerk verwendet',
 'fwhost err isingrp' => 'Dieser Eintrag existiert bereits in der Gruppe',
 'fwhost err mac' => 'Ungültige MAC-Adresse',
+'fwhost err maxservicetcp' => 'Die maximale Anzahl von 13 TCP-Diensten in einer Gruppe wurde erreicht',
+'fwhost err maxserviceudp' => 'Die maximale Anzahl von 13 UDP-Diensten in einer Gruppe wurde erreicht',
 'fwhost err name' => 'Ungültiger Name. Erlaubte Zeichen: Klein- und Großbuchstaben, Leerzeichen und Bindestrich.',
 'fwhost err name1' => 'Der Name muss ausgefüllt sein',
 'fwhost err net' => 'Netzwerk/IP-Adresse existiert bereits',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index d75a08f6c..3884c8e17 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1064,6 +1064,8 @@
 'fwhost err isccdnet' => 'This name is already used by an OpenVPN network',
 'fwhost err isingrp' => 'This entry already exists in the group',
 'fwhost err mac' => 'Invalid MAC address',
+'fwhost err maxservicetcp' => 'The maximal number of 13 TCP services has been reached in this group',
+'fwhost err maxserviceudp' => 'The maximal number of 13 UDP services has been reached in this group',
 'fwhost err name' => 'Invalid name. Allowed characters: Upper- and lowercase letters, digits, space and dash.',
 'fwhost err name1' => 'Empty name.',
 'fwhost err net' => 'Network/IP address already exists',
-- 
2.39.2