From patchwork Thu Mar 25 10:23:46 2021
X-Patchwork-Submitter: Alexander Marx
X-Patchwork-Id: 3982
From: Alexander Marx
To: development@lists.ipfire.org
Subject: [PATCH] BUG12265: firewall: iptables rules are being created in the wrong chain
Fixes: #12265
Date: Thu, 25 Mar 2021 11:23:46 +0100
Message-Id: <20210325102346.55138-1-alexander.marx@ipfire.org>

When creating a rule like Source: Orange and Target: green IPFire interface, the rule was created in the FORWARD chain instead of the INPUT chain.

This patch sets the correct chain and additionally checks whether a single target IP (when set) is one of the IPFire interface IP addresses. If this is the case, the target is automatically changed to the IPFire interface instead of the single target IP.
---
 html/cgi-bin/firewall.cgi | 38 ++++++++++++++++++++++++++------------
 1 file changed, 26 insertions(+), 12 deletions(-)
diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index 532f99f91..c680eed1d 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2013 Alexander Marx # +# Copyright (C) 2021 Alexander Marx # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -213,6 +213,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') &General::readhasharray("$configfwdfw", \%configfwdfw); &General::readhasharray("$configinput", \%configinputfw); &General::readhasharray("$configoutgoing", \%configoutgoingfw); + &General::readhash("/var/ipfire/ethernet/settings", \%netsettings); my $maxkey; #Set Variables according to the JQuery code in protocol section if ($fwdfwsettings{'PROT'} eq 'TCP' || $fwdfwsettings{'PROT'} eq 'UDP') @@ -231,6 +232,19 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') { $fwdfwsettings{'USESRV'} = 'ON'; } + #Check if manual targetip is one of IPFire addresses + if ($fwdfwsettings{'grp2'} eq 'tgt_addr' && $fwdfwsettings{$fwdfwsettings{'grp2'}} eq $netsettings{'GREEN_ADDRESS'}){ + $fwdfwsettings{'grp2'} = 'ipfire'; + $fwdfwsettings{$fwdfwsettings{'grp2'}} = 'GREEN'; + } + if ($fwdfwsettings{'grp2'} eq 'tgt_addr' && $fwdfwsettings{$fwdfwsettings{'grp2'}} eq $netsettings{'ORANGE_ADDRESS'}){ + $fwdfwsettings{'grp2'} = 'ipfire'; + $fwdfwsettings{$fwdfwsettings{'grp2'}} = 'ORANGE'; + } + if ($fwdfwsettings{'grp2'} eq 'tgt_addr' && $fwdfwsettings{$fwdfwsettings{'grp2'}} eq $netsettings{'BLUE_ADDRESS'}){ + $fwdfwsettings{'grp2'} = 'ipfire'; + $fwdfwsettings{$fwdfwsettings{'grp2'}} = 'BLUE'; + } $errormessage=&checksource; if(!$errormessage){&checktarget;} if(!$errormessage){&checkrule;} 
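Review bot: the copyright hunk replaces 2013 with 2021 instead of extending it to a range, which drops the original year; `Copyright (C) 2013-2021` would be the usual form, or leave the line untouched in a bug-fix patch.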
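Review bot: the three zone checks added after `$fwdfwsettings{'USESRV'} = 'ON';` compare `tgt_addr` with `eq` against `$netsettings{'ORANGE_ADDRESS'}` and `$netsettings{'BLUE_ADDRESS'}` even on a box where that zone is not configured, in which case the right-hand side is undef and the comparison warns (and is always false); guard each with `defined`, or collapse the three copies into one loop such as `for my $zone (qw(GREEN ORANGE BLUE)) { next unless defined $netsettings{"${zone}_ADDRESS"}; ... }`, which also removes the duplicated assignment pairs. Two more points on the same block: the match is an exact string compare, so a target entered with a netmask suffix or surrounding whitespace is not recognised as an interface address and the rule still lands in FORWARD; and only GREEN, ORANGE and BLUE are covered, so any other address owned by the firewall keeps the old behaviour. The block runs before `&checktarget`, so the rewritten `ipfire` value is still validated, but the original `tgt_addr` value stays in `%fwdfwsettings` after `grp2` is flipped, which is only harmless if nothing later reads it.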
@@ -247,7 +261,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') $errormessage=$Lang::tr{'fwdfw err same'}; } # INPUT part - if ($fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'){ + if ($fwdfwsettings{'grp2'} eq 'ipfire'){ $fwdfwsettings{'config'}=$configinput; $fwdfwsettings{'chain'} = 'INPUTFW'; $maxkey=&General::findhasharraykey(\%configinputfw); @@ -1512,7 +1526,7 @@ sub newrule $checked{'USE_NAT'}{$fwdfwsettings{'USE_NAT'}} = 'CHECKED'; $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; - $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; + $selected{'ipfire tgt'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; $selected{'ipfire_src'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected'; #check if update and get values if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on' && !$errormessage){ @@ -1526,7 +1540,7 @@ sub newrule $fwdfwsettings{'ACTIVE'} = $hash{$key}[2]; $fwdfwsettings{'grp1'} = $hash{$key}[3]; $fwdfwsettings{$fwdfwsettings{'grp1'}} = $hash{$key}[4]; - $fwdfwsettings{'grp2'} = $hash{$key}[5]; + $fwdfwsettings{'grp2'} = $hash{$key}[5]; $fwdfwsettings{$fwdfwsettings{'grp2'}} = $hash{$key}[6]; $fwdfwsettings{'USE_SRC_PORT'} = $hash{$key}[7]; $fwdfwsettings{'PROT'} = $hash{$key}[8]; @@ -1584,7 +1598,7 @@ sub newrule $checked{'RATE_LIMIT'}{$fwdfwsettings{'RATE_LIMIT'}} = 'CHECKED'; $selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected'; $selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected'; - $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; + $selected{'ipfire tgt'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected'; $selected{'ipfire_src'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected'; $selected{'dnat'}{$fwdfwsettings{'dnat'}} ='selected'; $selected{'snat'}{$fwdfwsettings{'snat'}} ='selected'; @@ -1753,16 +1767,16 @@ END END - print"
$Lang::tr{'fwdfw targetip'}Firewall
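Review bot: dropping `&& $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'` in the "INPUT part" hunk only changes where newly saved ORANGE-to-firewall rules are stored (`$configinput` / `INPUTFW`); rules saved before the patch still sit in the forward config and are not migrated, so they keep the old behaviour until they are re-saved. The commit message should say so, or the patch should include a migration step. It would also help to state why the ORANGE exclusion existed (a deliberate restriction on rules into the firewall from the DMZ, or the bug itself), since removing it means ORANGE sources can now be granted INPUT access from the GUI.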
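Review bot: `$selected{'ipfire'}` is renamed to `$selected{'ipfire tgt'}` in both places in `sub newrule`, but the matching template change (the `print` block of the hunk at `@@ -1753,16 +1767,16 @@`) is cut off in this copy, so it cannot be confirmed here that every reference to the old key for the target dropdown was updated; a key without a space, e.g. `ipfire_tgt` alongside the existing `ipfire_src`, would also be more consistent and less error-prone in the template.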
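Review bot: the hunk at `@@ -1526,7 +1540,7 @@` replaces `$fwdfwsettings{'grp2'} = $hash{$key}[5];` with an identical-looking line, i.e. a whitespace-only edit (tabs vs spaces); it is unrelated to the fix and should be dropped or moved to a separate cleanup patch so the diffstat reflects only the functional change.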
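The check the commit message describes (a single target IP that is one of the firewall's own interface addresses is treated as the IPFire interface, and the rule goes to INPUT instead of FORWARD), written out below as an added example that is mine and not code from the patch or from IPFire. It goes a little beyond the hunk: it loops over the zones instead of repeating the block three times, tolerates a zone that is not configured and a target written with a `/32` suffix or stray whitespace, and reports which chain the rule lands in. The `%netsettings` keys and the `grp2` / `tgt_addr` / `ipfire` / `INPUTFW` names are the ones visible in the patch; the sample addresses, the helper names `normalise_ip`, `zone_for_address` and `select_chain`, and the `FORWARDFW` chain name are assumptions.

```perl
#!/usr/bin/perl
# Added example, not IPFire code: decide whether a rule whose target is a
# single IP belongs in the INPUT or the FORWARD chain by checking the target
# against the firewall's own zone interface addresses.
use strict;
use warnings;

# Constructed sample settings (assumption): a box with GREEN and ORANGE but
# no BLUE zone, so BLUE_ADDRESS is absent just as it would be on such a box.
my %netsettings = (
    GREEN_ADDRESS  => '192.168.1.1',
    ORANGE_ADDRESS => '10.10.10.1',
);

# Normalise a user-supplied target: strip surrounding whitespace and a /32
# suffix so "192.168.1.1/32" still matches the interface address.
sub normalise_ip {
    my ($ip) = @_;
    return '' unless defined $ip;
    $ip =~ s/^\s+|\s+$//g;
    $ip =~ s{/32\z}{};
    return $ip;
}

# Return the zone (GREEN/ORANGE/BLUE) whose interface address equals $ip,
# or undef when $ip is not one of the firewall's own addresses.  Zones
# without an address entry are skipped, so no undef comparison happens.
sub zone_for_address {
    my ($ip, $settings) = @_;
    $ip = normalise_ip($ip);
    return undef if $ip eq '';
    for my $zone (qw(GREEN ORANGE BLUE)) {
        my $addr = $settings->{"${zone}_ADDRESS"};
        next unless defined $addr && length $addr;   # zone not configured
        return $zone if $ip eq $addr;
    }
    return undef;
}

# Classify a rule hash laid out like the CGI's %fwdfwsettings: grp2 names
# the target kind and $rule->{ $rule->{grp2} } holds its value.  When the
# target is an interface address the hash is rewritten the way the patch
# does (grp2 => 'ipfire', ipfire => zone).  Returns the chain name; the
# FORWARDFW name is an assumption, INPUTFW is the one used in the patch.
sub select_chain {
    my ($rule, $settings) = @_;
    if ($rule->{grp2} eq 'tgt_addr') {
        my $zone = zone_for_address($rule->{tgt_addr}, $settings);
        if (defined $zone) {
            $rule->{grp2}   = 'ipfire';
            $rule->{ipfire} = $zone;
        }
    }
    return $rule->{grp2} eq 'ipfire' ? 'INPUTFW' : 'FORWARDFW';
}

# Constructed rules (assumption): the first two are the bug in the commit
# message, the third is an ordinary host on GREEN, the fourth already names
# the interface.  No BLUE address exists, so the loop must not warn.
my @cases = (
    { grp1 => 'ORANGE', grp2 => 'tgt_addr', tgt_addr => '192.168.1.1/32' },
    { grp1 => 'GREEN',  grp2 => 'tgt_addr', tgt_addr => ' 10.10.10.1 ' },
    { grp1 => 'GREEN',  grp2 => 'tgt_addr', tgt_addr => '192.168.1.50' },
    { grp1 => 'BLUE',   grp2 => 'ipfire',   ipfire   => 'GREEN' },
);

for my $r (@cases) {
    my $chain = select_chain($r, \%netsettings);
    printf "source %-6s target %-16s -> %-9s (stored as %s=%s)\n",
        $r->{grp1}, $r->{tgt_addr} // $r->{ipfire}, $chain,
        $r->{grp2}, $r->{ $r->{grp2} };
}
```

Run it with `perl` from any directory; it needs no IPFire files. The point of `zone_for_address` over three copied `if` blocks is that an unconfigured zone is skipped explicitly rather than compared against undef, and adding a further zone is one word in the `qw()` list rather than another copied block.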