From patchwork Thu Jul 15 10:07:37 2021
X-Patchwork-Submitter: Stefan Schantl
X-Patchwork-Id: 4531
From: Stefan Schantl
To: development@lists.ipfire.org
Subject: [PATCH] fwhosts.cgi: Fix check to limit amount of ports in custom service groups.
Date: Thu, 15 Jul 2021 12:07:37 +0200
Message-Id: <20210715100737.3733-1-stefan.schantl@ipfire.org>
List-Id: IPFire development talk

iptables multiport only supports up to 15 elements for each protocol (TCP or UDP). That can be single ports or port ranges (they count double).

This commit extends the check to calculate the amount of used TCP and/or UDP ports of all existing entries in a group, by increasing the amount for the service which should be added. If the amount of ports for TCP or UDP becomes greater than the limit of 15, the error message will be displayed.

Fixes #11323.

Signed-off-by: Stefan Schantl
Reviewed-by: Michael Tremer
Reviewed-by: Bernhard Bitsch
---
 html/cgi-bin/fwhosts.cgi | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
index 35611ac08..f6c7227ce 100644
--- a/html/cgi-bin/fwhosts.cgi
+++ b/html/cgi-bin/fwhosts.cgi
@@ -818,10 +818,28 @@ if ($fwhostsettings{'ACTION'} eq 'saveservicegrp') } } } - if ($tcpcounter > 14){ + + # Loop through the hash of configured services. + foreach my $key (keys %customservice) { + # Assign nice human-readable values. + my $service_name = $customservice{$key}[0]; + my $service_port = $customservice{$key}[1]; + my $service_proto = $customservice{$key}[2]; + + # Skip services unless the processed one has found. + next unless $service_name eq $fwhostsettings{'CUST_SRV'}; + + # Increase the counters. + $tcpcounter++ if $service_proto eq 'TCP'; + $tcpcounter++ if $service_proto eq 'TCP' && $service_port =~ m/:/i; + $udpcounter++ if $service_proto eq 'UDP'; + $udpcounter++ if $service_proto eq 'UDP' && $service_port =~ m/:/i; + } + + if ($tcpcounter > 15) { $errormessage=$Lang::tr{'fwhost err maxservicetcp'}; } - if ($udpcounter > 14){ + if ($udpcounter > 15) { $errormessage=$Lang::tr{'fwhost err maxserviceudp'}; } $tcpcounter=0;
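Review bot: the new `foreach` keeps scanning `%customservice` after it has matched `$fwhostsettings{'CUST_SRV'}` and bumps the counters on every match, so if two entries ever carry the same name the added service is counted twice and the group is refused too early; add `last;` after the four counter updates (or look the entry up by name directly if the hash is keyed that way). Two minor points in the same block: the `/i` modifier on `m/:/` does nothing because the pattern contains no letters, and the comment "Skip services unless the processed one has found." should read "has been found". Note also that when both TCP and UDP exceed 15 the second assignment overwrites `$errormessage`, so only the UDP error is shown; that behaviour predates this patch but is worth a follow-up.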
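The counting rule the commit message describes (one multiport slot per single port, two per range, at most 15 per protocol), as an added stand-alone Perl example that is not IPFire's fwhosts.cgi code; the `%customservice` layout, the service names and the `check_group_add` helper are constructed for illustration:

```perl
#!/usr/bin/perl
# Added example (not IPFire code): count iptables multiport slots per
# protocol for a service group and refuse a service that would exceed 15.
use strict;
use warnings;

# iptables -m multiport takes at most 15 ports per rule; a range a:b uses two.
use constant MULTIPORT_MAX => 15;

# Constructed sample data, keyed by service name: [port-or-range, protocol].
# Fourteen single TCP ports, one TCP range and one UDP port.
my %customservice = map { ( "tcp$_" => [ 1000 + $_, 'TCP' ] ) } 1 .. 14;
$customservice{'tcprange'} = [ '2000:2010', 'TCP' ];
$customservice{'dns'}      = [ '53',        'UDP' ];

# Number of multiport slots one port string consumes.
sub slots_for {
    my ($port) = @_;
    return $port =~ m/:/ ? 2 : 1;
}

# Slots used per protocol by a list of service names.
sub count_slots {
    my (@members) = @_;
    my %used = ( TCP => 0, UDP => 0 );
    foreach my $name (@members) {
        my $entry = $customservice{$name} or next;   # unknown name: skip
        my ($port, $proto) = @$entry;
        next unless exists $used{$proto};            # only TCP/UDP use multiport
        $used{$proto} += slots_for($port);
    }
    return %used;
}

# Error string if adding $new to @members would exceed the limit, undef if it fits.
sub check_group_add {
    my ($new, @members) = @_;
    my %used = count_slots(@members, $new);
    foreach my $proto (sort keys %used) {
        return "$proto: $used{$proto} multiport slots exceed " . MULTIPORT_MAX
            if $used{$proto} > MULTIPORT_MAX;
    }
    return undef;
}

# 14 single TCP ports fit; the range pushes TCP to 16 slots and is refused,
# while the UDP port is counted against its own limit and is accepted.
for my $candidate ('dns', 'tcprange') {
    my $err = check_group_add($candidate, map { "tcp$_" } 1 .. 14);
    print "$candidate: ", (defined $err ? "refused ($err)" : "ok"), "\n";
}
```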