From c2a1af7545c52edc9354e778acecb6370ea15d48 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Mon, 17 Mar 2014 15:47:28 +0100
Subject: [PATCH] firewall: rules.pl: Sanitise source and destination IP addresses.
Those variables are now empty if source or destination are unspecified.
---
 config/firewall/rules.pl | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 51ddb446a..5b3383125 100755
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -39,6 +39,7 @@ my $CHAIN_NAT_SOURCE = "NAT_SOURCE";
 my $CHAIN_NAT_DESTINATION = "NAT_DESTINATION";
 my $CHAIN_MANGLE_NAT_DESTINATION_FIX = "NAT_DESTINATION";
 my @VALID_CHAINS = ($CHAIN_INPUT, $CHAIN_FORWARD, $CHAIN_OUTPUT);
+my @ANY_ADDRESSES = ("0.0.0.0/0.0.0.0", "0.0.0.0/0", "0/0");
 my @PROTOCOLS = ("tcp", "udp", "icmp", "igmp", "ah", "esp", "gre", "ipv6", "ipip");
 my @PROTOCOLS_WITH_PORTS = ("tcp", "udp");
@@ -255,6 +256,16 @@ sub buildrules {
 # Skip invalid rules.
 next if (!$source || !$destination || ($destination eq "none"));
+ # Sanitize source.
+ if ($source ~~ @ANY_ADDRESSES) {
+ $source = "";
+ }
+
+ # Sanitize destination.
+ if ($destination ~~ @ANY_ADDRESSES) {
+ $destination = "";
+ }
+
 # Array with iptables arguments.
 my @options = ();
@@ -268,12 +279,15 @@ sub buildrules {
 my @source_options = ();
 if ($source =~ /mac/) {
 push(@source_options, $source);
- } else {
+ } elsif ($source) {
 push(@source_options, ("-s", $source));
 }
 # Prepare destination options.
- my @destination_options = ("-d", $destination);
+ my @destination_options = ();
+ if ($destination) {
+ push(@destination_options, ("-d", $destination));
+ }
 # Add time constraint options.
 push(@options, @time_options);
--
2.39.2
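Review bot: The membership test in `if ($source ~~ @ANY_ADDRESSES)` and `if ($destination ~~ @ANY_ADDRESSES)` uses the smartmatch operator, which Perl marked experimental in 5.18 and whose semantics have shifted across later releases, so a firewall rule generator should not depend on it. A hash lookup is stable and reads the same: declare `my %IS_ANY_ADDRESS = map { $_ => 1 } @ANY_ADDRESSES;` next to the new `@ANY_ADDRESSES` in the first hunk and write `$source = "" if $IS_ANY_ADDRESS{$source};` here (likewise for `$destination`). Either way the comparison is an exact string match against the three listed spellings, so other ways of writing "any" reach iptables unchanged; the `# Sanitize source.` comment should say that empty means "any address" and that only these literal forms are recognised. buildrules starts before this hunk and continues after it.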
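Review bot: The new `} elsif ($source) {` and `if ($destination) {` guards rely on the sanitisation earlier in buildrules having turned the any-address spellings into `""`, and nothing at this point says so, so a reader seeing `-s`/`-d` silently omitted has to go looking for why. A one-line comment above `my @source_options = ();` such as `# An empty source or destination means "any" and adds no iptables match.` would make that dependency explicit, and the `# Prepare destination options.` comment could carry the same remark. The enclosing buildrules body begins and ends outside this hunk.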