diff mbox series

firewall.cgi: Bring back check for single IP when using DNAT.

Message ID 20210716182022.3016-1-stefan.schantl@ipfire.org
State Accepted
Commit 55da553742129623753baa86564cd65d3d7df680
Headers
Series firewall.cgi: Bring back check for single IP when using DNAT. |

Commit Message

Stefan Schantl July 16, 2021, 6:20 p.m. UTC 
  This check has been removed by commit: bbe8e009b824aef745c9ab9718dce9a1b557f5fc

So it was able to create DNAT rules with a network as target.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
 html/cgi-bin/firewall.cgi | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

Comments

Michael Tremer Aug. 5, 2021, 8:37 p.m. UTC | #1 
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>

> On 16 Jul 2021, at 20:20, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
> 
> This check has been removed by commit: bbe8e009b824aef745c9ab9718dce9a1b557f5fc
> 
> So it was able to create DNAT rules with a network as target.
> 
> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
> ---
> html/cgi-bin/firewall.cgi | 18 ++++++++++++++++++
> 1 file changed, 18 insertions(+)
> 
> diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
> index e168788eb..b328b426c 100644
> --- a/html/cgi-bin/firewall.cgi
> +++ b/html/cgi-bin/firewall.cgi
> @@ -569,6 +569,24 @@ sub checktarget
> 	#check DNAT settings (has to be single Host and single Port or portrange)
> 	if ($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat'){
> 		if($fwdfwsettings{'grp2'} eq 'tgt_addr' || $fwdfwsettings{'grp2'} eq 'cust_host_tgt' || $fwdfwsettings{'grp2'} eq 'ovpn_host_tgt'){
> +			# Check if a manual entered IP is a single Host (if set)
> +			if ($fwdfwsettings{'grp2'} eq 'tgt_addr') {
> +				# Split input into address and prefix (if provided).
> +				my ($address, $subnet) = split ('/', $fwdfwsettings{$fwdfwsettings{'grp2'}});
> +
> +				# Check if a subnet is given.
> +				if ($subnet) {
> +					# Check if the prefix or subnetmask is for a single host.
> +					unless ($subnet eq "32" || $subnet eq "255.255.255.255") {
> +						# Set error message.
> +						$errormessage=$Lang::tr{'fwdfw dnat error'}."<br>";
> +
> +						# Return the error.
> +						return $errormessage;
> +					}
> +				}
> +			}
> +
> 			#check if Port is a single Port or portrange
> 			if ($fwdfwsettings{'nat'} eq 'dnat' &&  $fwdfwsettings{'grp3'} eq 'TGT_PORT'){
> 				if(($fwdfwsettings{'PROT'} ne 'TCP'|| $fwdfwsettings{'PROT'} ne 'UDP') && $fwdfwsettings{'TGT_PORT'} eq ''){
> -- 
> 2.30.2
>
diff mbox series

Patch

diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
index e168788eb..b328b426c 100644
--- a/html/cgi-bin/firewall.cgi
+++ b/html/cgi-bin/firewall.cgi
@@ -569,6 +569,24 @@  sub checktarget
 	#check DNAT settings (has to be single Host and single Port or portrange)
 	if ($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat'){
 		if($fwdfwsettings{'grp2'} eq 'tgt_addr' || $fwdfwsettings{'grp2'} eq 'cust_host_tgt' || $fwdfwsettings{'grp2'} eq 'ovpn_host_tgt'){
+			# Check if a manual entered IP is a single Host (if set)
+			if ($fwdfwsettings{'grp2'} eq 'tgt_addr') {
+				# Split input into address and prefix (if provided).
+				my ($address, $subnet) = split ('/', $fwdfwsettings{$fwdfwsettings{'grp2'}});
+
+				# Check if a subnet is given.
+				if ($subnet) {
+					# Check if the prefix or subnetmask is for a single host.
+					unless ($subnet eq "32" || $subnet eq "255.255.255.255") {
+						# Set error message.
+						$errormessage=$Lang::tr{'fwdfw dnat error'}."<br>";
+
+						# Return the error.
+						return $errormessage;
+					}
+				}
+			}
+
 			#check if Port is a single Port or portrange
 			if ($fwdfwsettings{'nat'} eq 'dnat' &&  $fwdfwsettings{'grp3'} eq 'TGT_PORT'){
 				if(($fwdfwsettings{'PROT'} ne 'TCP'|| $fwdfwsettings{'PROT'} ne 'UDP') && $fwdfwsettings{'TGT_PORT'} eq ''){