From patchwork Fri Dec 13 17:28:00 2019
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 2644
To: "IPFire: Development-List" , Michael Tremer , Stefan Schantl
From: Peter Müller
Subject: [PATCH] Core Update 139: fix syntax of generated Suricata DNS server file
Message-ID: <598e6606-8db3-5c1e-f50a-db19962eaa62@ipfire.org>
Date: Fri, 13 Dec 2019 17:28:00 +0000

The YAML syntax of /var/ipfire/suricata/suricata-dns-servers.yaml was invalid and caused Suricata to crash after upgrading to Core Update 139. Due to strange NFQUEUE behaviour, this caused IPsec traffic to be emitted to the internet directly.

While this patch represents a quick solution for Core Update 139, another one is needed for changing the IPtables chain order to avoid similar information leaks in future.

Thanks to Michael for his debugging effort.

Fixes #12260
Partially fixes #12257

Cc: Michael Tremer
Cc: Stefan Schantl
Signed-off-by: Peter Müller
Reviewed-by: Stefan Schantl
--- config/cfgroot/ids-functions.pl | 51 +++++++++++++++++++++-------------------- 1 file changed, 26 insertions(+), 25 deletions(-) diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 54d86f70f..89ad90c2e 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -17,7 +17,7 @@ # along with IPFire; if not, write to the Free Software # # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # # -# Copyright (C) 2018 IPFire Team . # +# Copyright (C) 2018-2019 IPFire Team # # # ############################################################################
@@ -706,7 +706,7 @@ sub generate_dns_servers_file() { open (FILE, "${General::swroot}/red/dns") or die "Could not read DNS configuration from ${General::swroot}/red/dns. $!\n"; # Read-in whole file content and store it in a temporary array. - my @file_content = ; + my @file_content = split(' ', ); # Close file handle. close(FILE); 
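Review bot: the new `split(' ', <FILE>)` (the `<FILE>` readline is lost in this rendering) evaluates the readline in scalar context, so only the first line of `${General::swroot}/red/dns` is ever read, and an empty file leaves `@file_content` empty with an uninitialized-value warning from `split`, after which the caller emits an empty `"[]"` list to Suricata. Since the commit message says a malformed DNS server file already crashed Suricata once and let IPsec traffic leave unfiltered, this hunk should either document that the file is a single space-separated line or read it robustly, e.g. `my @file_content = split(' ', join(' ', <FILE>));`, and refuse to write the file with a clear error when neither a server address nor the `local recursor` marker was found.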
@@ -714,31 +714,32 @@ sub generate_dns_servers_file() { # Format dns servers declaration. my $line = "\"\["; - # Loop through the array which contains the file content. - foreach my $server (@file_content) { - # Remove newlines. - chomp($server); - - # Check if the current DNS configuration is using the local recursor mode. - if ($server eq "local recursor") { - # The responsible DNS servers on red are directly used, and because we are not able - # to specify each single DNS server address here, we currently have to thread each - # address which is not part of the HOME_NET as possible DNS server. - $line = "$line" . "!\$HOME_NET"; - } else { + # Check if the current DNS configuration is using the local recursor mode. + if ($file_content[0] eq "local" && $file_content[1] eq "recursor") { + # The responsible DNS servers on red are directly used, and because we are not able + # to specify each single DNS server address here, we currently have to thread each + # address which is not part of the HOME_NET as possible DNS server. + $line = "$line" . "!\$HOME_NET"; + + } else { + # Loop through the array which contains the file content. + foreach my $server (@file_content) { + # Remove newlines. + chomp($server); + # Add the DNS server to the line. $line = "$line" . "$server"; + + # Check if the current DNS server was the last in the array. + if ($server ne $file_content[-1]) { + # Add "," for the next DNS server. + $line = "$line" . "\,"; + } } + } - # Check if the current DNS server was the last in the array. - if ($server eq $file_content[-1]) { - # Close the line. - $line = "$line" . "\]\""; - } else { - # Add "," for the next DNS server. - $line = "$line" . "\,"; - } - } + # Close the line... + $line = "$line" . "\]\""; # Open file to store the used DNS server addresses. open(FILE, ">$dns_servers_file") or die "Could not open $dns_servers_file. $!\n"; 
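Review bot: the last-element test `if ($server ne $file_content[-1])` compares by value, so a server address that occurs more than once in the file and is also the last entry gets no separating comma, and the generated YAML flow sequence is invalid again, which is exactly the failure this patch sets out to fix. Replacing the loop and its trailing-comma bookkeeping with `$line = "$line" . join(",", @file_content);` removes the problem entirely; the `chomp($server)` inside the loop is also redundant now that `split(' ', ...)` in the previous hunk already strips newlines together with the other whitespace.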
@@ -866,7 +867,7 @@ sub get_suricata_version($) { # Remove newlines. chomp($version_string); - # Grab the version from the version string. + # Grab the version from the version string. $version_string =~ /([0-9]+([.][0-9]+)+)/; # Splitt the version into single chunks. @@ -882,7 +883,7 @@ sub get_suricata_version($) { } else { # Return the full version string. return "$major_ver.$minor_ver.$patchlevel"; - } + } } #
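Review bot: both hunks here only strip trailing whitespace (the `# Grab the version from the version string.` comment and the closing `}` of `get_suricata_version`) and are unrelated to the DNS server file fix; for a change meant to ship as a quick Core Update 139 fix, limiting the diff to the functional change and moving whitespace cleanups into a separate commit keeps the backport easy to review and verify. Such a cleanup commit could also pick up the typo in the context line `# Splitt the version into single chunks.`.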