From patchwork Tue Jan 17 13:41:44 2023
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 6436
From: Michael Tremer
To: development@lists.ipfire.org
Cc: Michael Tremer
Subject: [PATCH] firewall: Avoid creating a rule that permits all traffic on invalid source
Date: Tue, 17 Jan 2023 13:41:44 +0000
Message-Id: <20230117134144.2763140-1-michael.tremer@ipfire.org>
List-Id: IPFire development talk

The firewall engine generated rules that did not have any traffic selectors due to an improperly initialized variable in the source.

Signed-off-by: Michael Tremer
Acked-by: Peter Müller

--- config/firewall/rules.pl | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 30ad20df1..1b628df16 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -401,6 +401,9 @@ sub buildrules { $source = ""; } + # Make sure that $source is properly defined + next unless (defined $source); + my $source_intf = @$src[1]; foreach my $dst (@destinations) {
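
Review bot: the new guard `next unless (defined $source);` in buildrules skips the source silently, so a configured rule whose source cannot be resolved drops out of the generated ruleset with nothing telling the administrator why; consider logging the rule and the offending source before the `next`. The check also only catches undef: the context line just above assigns `$source = "";`, and an empty string passes `defined`, so it is worth stating in the comment that an empty source is intentional on that path, or confirming that it cannot again produce a rule without a source selector. The comment itself would be more useful if it named the consequence given in the commit message (a rule with no traffic selectors) instead of restating the check.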