From patchwork Tue Mar 30 13:07:37 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexander Marx X-Patchwork-Id: 3999 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4F8qVy2lYwz3ws3 for ; Tue, 30 Mar 2021 13:07:54 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4F8qVx28jRz1Kp; Tue, 30 Mar 2021 13:07:53 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4F8qVx1kKCz2xZr; Tue, 30 Mar 2021 13:07:53 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4F8qVw342Hz2xBf for ; Tue, 30 Mar 2021 13:07:52 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4F8qVv3tkKzZ0; Tue, 30 Mar 2021 13:07:51 +0000 (UTC) 
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1617109671; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=o6L/P/hHbAQIvsm4XJoHSSEmym2joUb8otwLv3fU3XE=; b=e/hc8KxttbW3uTpRSPi3Up9PNwz5btAWDr2ffpMhxovXhnMiyZ0GAVnopLQKM3MmISBEYs /F75RWOS19rd0AAg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1617109671; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=o6L/P/hHbAQIvsm4XJoHSSEmym2joUb8otwLv3fU3XE=; b=bA9xDeHzdovfnTr5+wk3HuxgaY0WA7RkFPQE7IKatYjxTDQzh4IVN7fdrIj2qFpjs7mDz9 aSQcLPldJ2J3lce6L2lUcwKUeXQroDB8Y3iYaJC0EZwl8GdyfRKsmbV/p8Tl/Bj+6Sm16d ndg1NvClQC/+X/Nw1IXnJIzS6j7Lu500ktfLJwNKD+KXXEjDgfB5sdvGB9h1gLPPHJbpdk FoPRVt+GTfqNfn9104m5QJiaQxZ1/u+vxFS3fRyzZXUfXxb5WULY1bHJOKwppWAWD0X2dL HZICsdGtCXGcJbxFuWsAqNesh2oLgoLyW85zBYJzQoCnT5q6cT4LwlUH4zIuUw== 
From: Alexander Marx
To: development@lists.ipfire.org
Subject: [PATCH] BUG12265: firewall: iptables rules are being created in the wrong chain
Date: Tue, 30 Mar 2021 15:07:37 +0200
Message-Id: <20210330130737.27113-1-alexander.marx@ipfire.org>
MIME-Version: 1.0
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPFire development talk
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development"

Fixes: #12265

When creating a rule with a local network as source and a firewallinterface as target, the rule was created in the FORWARD instead of INPUT chain. This one fixes that and additionally checks if a manual target ip address is one of IPFire's interfaces and changes the rule accordingly.
---
config/firewall/firewall-lib.pl | 4 ++--
html/cgi-bin/firewall.cgi | 42 ++++++++++++++++++++++-----------
2 files changed, 30 insertions(+), 16 deletions(-)
diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
index bc0b30ca5..26d357ea2 100644
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2013 Alexander Marx #
+# Copyright (C) 2021 Alexander Marx #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -427,7 +427,7 @@ sub get_address } # The firewall's own IP addresses. - } elsif ($key ~~ ["ipfire", "ipfire_src"]) { + } elsif ($key ~~ ["ipfire_tgt", "ipfire_src"]) { # ALL if ($value eq "ALL") { push(@ret, ["0/0", ""]);
diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
index 532f99f91..6c9b7e9a7 100644
--- a/html/cgi-bin/firewall.cgi
+++ b/html/cgi-bin/firewall.cgi
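Review bot: Renaming the matched key from `ipfire` to `ipfire_tgt` in get_address means any rule already saved in the firewall config files under the old `ipfire` key no longer enters this branch and falls through to whatever follows it, which is outside the hunk; unless this series migrates the existing rule files elsewhere (not visible here), the firewall's own addresses would silently stop resolving for those rules. Keeping the legacy key in the match list costs nothing: `} elsif ($key ~~ ["ipfire", "ipfire_tgt", "ipfire_src"]) {`. The enclosing sub get_address starts and ends outside the hunk.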
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2013 Alexander Marx #
+# Copyright (C) 2021 Alexander Marx #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -213,6 +213,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
&General::readhasharray("$configfwdfw", \%configfwdfw);
&General::readhasharray("$configinput", \%configinputfw);
&General::readhasharray("$configoutgoing", \%configoutgoingfw);
+ &General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
my $maxkey;
#Set Variables according to the JQuery code in protocol section
if ($fwdfwsettings{'PROT'} eq 'TCP' || $fwdfwsettings{'PROT'} eq 'UDP')
@@ -231,6 +232,19 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
{
$fwdfwsettings{'USESRV'} = 'ON';
}
+ #Check if manual targetip is one of IPFire addresses
+ if ($fwdfwsettings{'grp2'} eq 'tgt_addr' && $fwdfwsettings{$fwdfwsettings{'grp2'}} eq $netsettings{'GREEN_ADDRESS'}){
+ $fwdfwsettings{'grp2'} = 'ipfire_tgt';
+ $fwdfwsettings{$fwdfwsettings{'grp2'}} = 'GREEN';
+ }
+ if ($fwdfwsettings{'grp2'} eq 'tgt_addr' && $fwdfwsettings{$fwdfwsettings{'grp2'}} eq $netsettings{'ORANGE_ADDRESS'}){
+ $fwdfwsettings{'grp2'} = 'ipfire_tgt';
+ $fwdfwsettings{$fwdfwsettings{'grp2'}} = 'ORANGE';
+ }
+ if ($fwdfwsettings{'grp2'} eq 'tgt_addr' && $fwdfwsettings{$fwdfwsettings{'grp2'}} eq $netsettings{'BLUE_ADDRESS'}){
+ $fwdfwsettings{'grp2'} = 'ipfire_tgt';
+ $fwdfwsettings{$fwdfwsettings{'grp2'}} = 'BLUE';
+ }
$errormessage=&checksource;
if(!$errormessage){&checktarget;}
if(!$errormessage){&checkrule;}
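Review bot: The three address comparisons added to the `saverule` branch run before `&checktarget` has validated the manual address and use a bare `eq` against `$netsettings{'ORANGE_ADDRESS'}` and `$netsettings{'BLUE_ADDRESS'}`; on a box where one of those zones is not configured the key is presumably absent, so an empty `tgt_addr` compares equal to undef and the rule is silently rewritten to the firewall's non-existent ORANGE or BLUE address and placed in the INPUT chain. The rewrite should only fire for a non-empty manual address and a defined, non-empty zone address, which also collapses the three copies into one loop. RED is not covered at all, so a manual rule aimed at the RED address still goes to FORWARD; whether that is intended is not visible here. The `saverule` branch continues past the hunk.
```perl
	#Check if manual targetip is one of IPFire addresses
	if ($fwdfwsettings{'grp2'} eq 'tgt_addr' && ($fwdfwsettings{'tgt_addr'} // '') ne '') {
		for my $zone (qw(GREEN ORANGE BLUE)) {
			my $zone_addr = $netsettings{"${zone}_ADDRESS"};
			# an unconfigured zone has no address; never match on undef or ''
			next unless defined $zone_addr && $zone_addr ne '';
			if ($fwdfwsettings{'tgt_addr'} eq $zone_addr) {
				$fwdfwsettings{'grp2'} = 'ipfire_tgt';
				$fwdfwsettings{'ipfire_tgt'} = $zone;
				last;
			}
		}
	}
	# … unchanged: $errormessage=&checksource; and the following checks …
```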
@@ -243,11 +257,11 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
}
}
#check if we try to break rules
- if( $fwdfwsettings{'grp1'} eq 'ipfire_src' && $fwdfwsettings{'grp2'} eq 'ipfire'){
+ if( $fwdfwsettings{'grp1'} eq 'ipfire_src' && $fwdfwsettings{'grp2'} eq 'ipfire_tgt'){
$errormessage=$Lang::tr{'fwdfw err same'};
}
# INPUT part
- if ($fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'){
+ if ($fwdfwsettings{'grp2'} eq 'ipfire_tgt'){
$fwdfwsettings{'config'}=$configinput;
$fwdfwsettings{'chain'} = 'INPUTFW';
$maxkey=&General::findhasharraykey(\%configinputfw);
@@ -600,7 +614,7 @@ sub checktarget
}
}
#check empty fields
- if ($fwdfwsettings{$fwdfwsettings{'grp2'}} eq ''){ $errormessage.=$Lang::tr{'fwdfw err notgt'}."
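Review bot: Dropping `&& $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'` from the INPUT condition changes more than the commit message states: a rule whose source is the ORANGE zone and whose target is the firewall itself now also lands in the INPUTFW chain, whereas before it was deliberately kept out of INPUT and presumably fell through to the branch that follows the hunk. If that is intended, say so in the commit message and leave a why-comment, e.g. `# INPUT part - every rule targeting the firewall itself, ORANGE included, belongs to INPUTFW`; if not, the exclusion has to stay. The `saverule` branch starts and ends outside the hunk.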
";}
+ if ($fwdfwsettings{$fwdfwsettings{'grp2'}} eq '' && !$fwdfwsettings{'grp2'}){ $errormessage.=$Lang::tr{'fwdfw err notgt'}."
";}
#check tgt services
if ($fwdfwsettings{'USESRV'} eq 'ON'){
if ($fwdfwsettings{'grp3'} eq 'cust_srv'){
@@ -1512,7 +1526,7 @@ sub newrule
$checked{'USE_NAT'}{$fwdfwsettings{'USE_NAT'}} = 'CHECKED';
$selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected';
$selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected';
- $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected';
+ $selected{'ipfire_tgt'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected';
$selected{'ipfire_src'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected';
#check if update and get values
if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} eq 'on' && !$errormessage){
@@ -1584,7 +1598,7 @@ sub newrule
$checked{'RATE_LIMIT'}{$fwdfwsettings{'RATE_LIMIT'}} = 'CHECKED';
$selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}} = 'selected';
$selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}} = 'selected';
- $selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected';
+ $selected{'ipfire_tgt'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} ='selected';
$selected{'ipfire_src'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} ='selected';
$selected{'dnat'}{$fwdfwsettings{'dnat'}} ='selected';
$selected{'snat'}{$fwdfwsettings{'snat'}} ='selected';
@@ -1751,18 +1765,18 @@ END &Header::openbox('100%', 'left', $Lang::tr{'fwdfw target'}); print< - $Lang::tr{'fwdfw targetip'}Firewall + $Lang::tr{'fwdfw targetip'}Firewall END - print""; + print ""; + print "" if $ifaces{'GREEN_ADDRESS'}; + print "" if (&Header::orange_used()); + print ""if (&Header::blue_used()); + print ""; + print ""; } } print<
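Review bot: The reworked empty-target check in checktarget is effectively dead: `... eq '' && !$fwdfwsettings{'grp2'}` only reports an error when `grp2` itself is empty, so a submitted `tgt_addr` (or any other selected group) with an empty value now slips past this check instead of raising `fwdfw err notgt`. A condition that covers both cases keeps the original protection and still handles a missing group: `if ($fwdfwsettings{'grp2'} eq '' || $fwdfwsettings{$fwdfwsettings{'grp2'}} eq ''){ $errormessage.=$Lang::tr{'fwdfw err notgt'}."\n";}`. If the intent was to tolerate an empty value for the new `ipfire_tgt` group, that exception should be spelled out rather than achieved by disabling the check. The sub checktarget starts and ends outside the hunk.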
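Review bot: In the rebuilt target select the GREEN entry is gated on `$ifaces{'GREEN_ADDRESS'}` while ORANGE and BLUE are gated on `&Header::orange_used()` and `&Header::blue_used()`; nothing in the visible hunks populates `%ifaces` (the `saverule` branch reads the interface settings into `%netsettings` instead), so if newrule does not fill it elsewhere the GREEN option is never printed. Gating all three the same way, either through matching Header helpers or through `$netsettings{'GREEN_ADDRESS'}` after reading the ethernet settings, would make the options consistent and avoid depending on an unseen hash. The option markup is stripped in this copy of the patch, so the rest of the hunk cannot be checked, and the surrounding print block continues outside it.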