From fd169d0adc87c82253b0655d94ea8213e9aaabe4 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Fri, 21 Mar 2014 08:28:24 +0100 Subject: [PATCH] Firewall: DNAT - Show right DNAT interface in ruletable Now: When using a hostgroup as source there are all corresponding DNAT interfaces shown in ruletable depending on the entries in the group. When in DNAT area "-automatic" is selected, the DNAT interfaces are shown as IP-Addresses, else they are shown as "ORANGE","GREEN","BLUE"... BUGFIX: When there is a MAC address used in a sourcegroup, the rules could not be set. Now MAC addresses get allways the public interface as DNAT --- config/firewall/firewall-lib.pl | 34 ++++++++++++++++++++------------- html/cgi-bin/firewall.cgi | 21 +++++++++++++++++++- 2 files changed, 41 insertions(+), 14 deletions(-) diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl index 6f04b0cab..a82fc90b4 100755 --- a/config/firewall/firewall-lib.pl +++ b/config/firewall/firewall-lib.pl @@ -51,11 +51,12 @@ my $configipsec = "${General::swroot}/vpn/config"; my $configovpn = "${General::swroot}/ovpn/settings"; my $val; my $field; +my $netsettings = "${General::swroot}/ethernet/settings"; &General::readhash("/var/ipfire/ethernet/settings", \%netsettings); &General::readhash("${General::swroot}/ovpn/settings", \%ovpnsettings); &General::readhash("${General::swroot}/vpn/settings", \%ipsecsettings); - +&General::readhash("$netsettings", \%defaultNetworks); &General::readhasharray("$confignet", \%customnetwork); &General::readhasharray("$confighost", \%customhost); @@ -253,8 +254,8 @@ sub get_host_ip } } } -# Functions used by rules.pl -sub get_addresses { +sub get_addresses +{ my $hash = shift; my $key = shift; my $type = shift; @@ -293,7 +294,8 @@ sub get_addresses { return @addresses; } -sub get_address { +sub get_address +{ my $key = shift; my $value = shift; my $type = shift; 
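Review bot: The new `$netsettings` scalar in the first firewall-lib.pl hunk holds the same path that the next line still spells out as a literal, and `%defaultNetworks` then receives a second copy of the file that is already read into `%netsettings`; reuse the variable on the existing call, `&General::readhash($netsettings, \%netsettings);`, and drop the extra read unless a later change needs a separate hash. Nothing in this patch reads `%defaultNetworks`, and its `my` declaration is not in the hunk, so if the library runs under `use strict` it must already be declared somewhere above. The quoted `"$netsettings"` is an unneeded stringification of a plain scalar. A scalar and a hash sharing the name netsettings is easy to misread; a name such as `$netsettings_file` would make the two distinct.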
@@ -401,21 +403,24 @@ sub get_address { return @ret; } -sub get_external_interface() { +sub get_external_interface() +{ open(IFACE, "/var/ipfire/red/iface") or return ""; my $iface = ; close(IFACE); return $iface; } -sub get_external_address() { +sub get_external_address() +{ open(ADDR, "/var/ipfire/red/local-ipaddress") or return ""; my $address = ; close(ADDR); return $address; } -sub get_alias { +sub get_alias +{ my $id = shift; foreach my $alias (sort keys %aliases) { @@ -424,13 +429,14 @@ sub get_alias { } } } -sub get_nat_address { +sub get_nat_address +{ my $zone = shift; my $source = shift; # Any static address of any zone. if ($zone eq "AUTO") { - if ($source) { + if ($source && ($source !~ m/mac/i )) { my $firewall_ip = &get_internal_firewall_ip_address($source, 1); if ($firewall_ip) { return $firewall_ip; @@ -456,7 +462,8 @@ sub get_nat_address { print_error("Could not find NAT address"); } -sub get_internal_firewall_ip_addresses { +sub get_internal_firewall_ip_addresses +{ my $use_orange = shift; my @zones = ("GREEN", "BLUE"); @@ -474,7 +481,8 @@ sub get_internal_firewall_ip_addresses { return @addresses; } -sub get_matching_firewall_address { +sub get_matching_firewall_address +{ my $addr = shift; my $use_orange = shift; @@ -498,7 +506,8 @@ sub get_matching_firewall_address { return 0; } -sub get_internal_firewall_ip_address { +sub get_internal_firewall_ip_address +{ my $subnet = shift; my $use_orange = shift; @@ -517,5 +526,4 @@ sub get_internal_firewall_ip_address { return 0; } - return 1; diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index 436bdafd0..d69d8217f 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -989,6 +989,12 @@ sub deleterule &base; } } +sub del_double +{ + my %all=(); + @all{@_}=1; + return (keys %all); +} sub disable_rule { my $key1=shift; 
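Review bot: `$source !~ m/mac/i` in get_nat_address is an unanchored substring test, so any source value that merely contains the letters "mac" (a name rather than an address, if get_addresses can ever return one) is silently treated as a MAC entry and skips the internal firewall IP lookup. Match the exact token that get_addresses produces for MAC entries — for example `if ($source && $source !~ m/\Amac\z/i) {` if that token is the bare word — and add a comment above the branch stating that MAC-based sources cannot be mapped to an internal zone and therefore fall through, which the commit message explains but the code does not. The code that handles the fall-through, which the commit message says yields the public interface, is outside the hunk.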
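Review bot: del_double returns `keys %all`, whose order is arbitrary and differs between runs on perls with hash randomisation, so the interface list that the DNAT column later joins from it can change from one page load to the next. A seen-hash filter keeps first-occurrence order with the same de-duplication: `my %seen; return grep { !$seen{$_}++ } @_;`. The sub also has no comment; `# Return the distinct elements of the argument list, first occurrence first.` would do. The slice assignment `@all{@_}=1` sets only the first key to 1 and the rest to undef, which is enough for key existence but reads like a mistake to the next maintainer.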
@@ -2551,9 +2557,22 @@ END END #Is this a DNAT rule? + my $natstring; if ($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){ if ($$hash{$key}[29] eq 'Default IP'){$$hash{$key}[29]=$Lang::tr{'red1'};} - print "Firewall ($$hash{$key}[29])"; + if ($$hash{$key}[29] eq 'AUTO'){ + my @src_addresses=&fwlib::get_addresses(\%$hash,$key,'src'); + my @nat_ifaces; + foreach my $val (@src_addresses){ + my ($ip,$sub)=split("/",$val); + push (@nat_ifaces,&fwlib::get_nat_address($$hash{$key}[29],$ip)); + } + @nat_ifaces=&del_double(@nat_ifaces); + $natstring = join(', ', @nat_ifaces); + }else{ + $natstring = $$hash{$key}[29]; + } + print "$Lang::tr{'firewall'} ($natstring)"; if($$hash{$key}[30] ne ''){ $$hash{$key}[30]=~ tr/|/,/; print": $$hash{$key}[30]"; -- 2.39.2
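Review bot: In the AUTO branch of the DNAT display, `\%$hash` dereferences the hash reference only to take a reference to it again — `&fwlib::get_addresses($hash, $key, 'src')` is equivalent — and `$sub` from `split("/",$val)` is never used, so `my ($ip) = split m{/}, $val;` says what is meant. Since this branch runs only when element 29 is the literal 'AUTO', passing `'AUTO'` instead of `$$hash{$key}[29]` to get_nat_address makes the intent visible, and naming the loop variable `$address` rather than `$val` would match what is being split. get_nat_address ends in `print_error("Could not find NAT address")` when it finds nothing (visible in its hunk context in firewall-lib.pl), so a source entry with no matching zone could, if print_error does not abort, emit that error text into the middle of the rule table and push an empty value; the return value should be checked before it is pushed. The enclosing block starts and continues outside the hunk.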