public inbox for development@lists.ipfire.org
* [PATCH 1/2] optionsfw.cgi: Forcing DNS and NTP requests to use only local servers on GREEN/BLUE
@ 2020-12-27 12:30 Matthias Fischer
From: Matthias Fischer @ 2020-12-27 12:30 UTC (permalink / raw)
  To: development


Originally triggered by:
https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512

Current discussion:
https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888

Screenshots:
  => https://community.ipfire.org/t/testing-dns-redirect-code-snippet/3888/38

Summary and functionality:
  These new firewall options add [DNS/NTP]_FORCED_ON_[INTERFACE] options to
  '/var/ipfire/optionsfw/settings'. They activate/deactivate appropriate
  REDIRECT rules in '/etc/rc.d/init.d/firewall'.

  Default of the new rules is OFF.

  If set to ON, they try to REDIRECT all DNS and NTP requests (TCP/UDP) to the DNS and NTP
  servers specified in IPFire.

Changed visibility (GUI):
  The corresponding interface options are only visible if the respective interface does
  actually exist. If the BLUE interface doesn't exist, there are no ON/OFF switches for
  'DNS/NTP on BLUE' or BLUE logging options available.

No reboot required:
  Rules can be switched ON/OFF without rebooting IPFire by choosing the new 'Save And Restart' button.
  Restarting is done with the help of a new binary: 'optionsfwctrl', which can also be used in
  a console session to restart/reload all firewall rules. For 'optionsfwctrl.c', see other patch #2.
  I used 'unboundctrl.c' as template.

Changes to '/etc/rc.d/init.d/firewall':
  I used REDIRECT rules and placed them just behind the CAPTIVE_PORTAL_CHAIN, as Michael mentioned
  on the list.

  All rules are tested for former existence to avoid setting multiple REDIRECTS.
  I used code like 'if ! iptables -t nat -C...' or 'if iptables -t nat -C...' ("Check for the
  existence of a rule") for these queries.

  Testing was ok - if just *one* rule is manually deleted, only the *missing* rule will be created
  through the next 'Save And Restart' - I found no duplicates. ON/OFF switches worked as expected.
  Testing with DNSSEC was also successful.

Other changes:
  Language strings, 'lfs/configroot' and 'update.sh' for Core update were altered accordingly.

Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
---
 config/rootfiles/core/154/update.sh |  10 +++
 html/cgi-bin/optionsfw.cgi          | 101 ++++++++++++++++++++++++----
 langs/de/cgi-bin/de.pl              |   6 ++
 langs/en/cgi-bin/en.pl              |   6 ++
 lfs/configroot                      |   4 ++
 src/initscripts/system/firewall     |  71 +++++++++++++++++++
 6 files changed, 184 insertions(+), 14 deletions(-)

diff --git a/config/rootfiles/core/154/update.sh b/config/rootfiles/core/154/update.sh
index 37348e0df..62bee565c 100644
--- a/config/rootfiles/core/154/update.sh
+++ b/config/rootfiles/core/154/update.sh
@@ -31,6 +31,16 @@ for (( i=1; i<=$core; i++ )); do
 	rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
 done
 
+# Add default lines for new firewall options
+optionsfw_file="/var/ipfire/optionsfw/settings"
+
+	echo "FORCE_DNS_ON_GREEN=off" >> ${optionsfw_file}
+	echo "FORCE_DNS_ON_BLUE=off" >> ${optionsfw_file}
+	echo "FORCE_NTP_ON_GREEN=off" >> ${optionsfw_file}
+	echo "FORCE_NTP_ON_BLUE=off" >> ${optionsfw_file}
+
+unset optionsfw_file
+
 # Remove files
 
 # Stop services
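Review bot: the keys appended here (FORCE_DNS_ON_GREEN, FORCE_DNS_ON_BLUE, FORCE_NTP_ON_GREEN, FORCE_NTP_ON_BLUE) are not the keys the rest of the series reads: optionsfw.cgi looks up $settings{'DNS_FORCE_ON_GREEN'} and friends, and the firewall init script tests "$DNS_FORCE_ON_GREEN" (the cover text uses a third spelling, [DNS/NTP]_FORCED_ON_[INTERFACE]). After the update the defaults land under one name while the CGI and the init script look for another, so the options read as unset rather than off. Pick one spelling (the DNS_FORCE_ON_* / NTP_FORCE_ON_* form used by the CGI and the init script) and apply it here and in lfs/configroot. Also, the four echo lines carry a leading tab although they sit in no block; drop the indentation to match the surrounding script.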
diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index 47aba59cb..8771a85ba 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -69,6 +69,31 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
 	&General::readhash($filename, \%settings);             # Load good settings
 }
 
+if ($settings{'ACTION'} eq $Lang::tr{'fw settings save and restart'}) {
+	if ($settings{'defpol'} ne '1'){
+		&General::writehash($filename, \%settings);             # Save good settings
+		system("/usr/local/bin/firewallctrl");
+		system("/usr/local/bin/optionsfwctrl restart >/dev/null 2>&1");
+	}else{
+		if ($settings{'POLICY'} ne ''){
+			$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
+		}
+		if ($settings{'POLICY1'} ne ''){
+			$fwdfwsettings{'POLICY1'} = $settings{'POLICY1'};
+		}
+		my $MODE = $fwdfwsettings{'POLICY'};
+		my $MODE1 = $fwdfwsettings{'POLICY1'};
+		%fwdfwsettings = ();
+		$fwdfwsettings{'POLICY'} = "$MODE";
+		$fwdfwsettings{'POLICY1'} = "$MODE1";
+		&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
+		&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
+		system("/usr/local/bin/firewallctrl");
+		system("/usr/local/bin/optionsfwctrl restart >/dev/null 2>&1");
+	}
+	&General::readhash($filename, \%settings);             # Load good settings
+}
+
 &Header::openpage($Lang::tr{'options fw'}, 1, '');
 &Header::openbigbox('100%', 'left', '', $errormessage);
 &General::readhash($filename, \%settings);
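Review bot: the new branch repeats the structure of the 'save' branch that ends just above it, down to the identical "Save good settings" / "Load good settings" comments and the same `&General::readhash($filename, \%settings)` tail, differing only in the two added optionsfwctrl calls; any later fix to the save path then has to be made twice. Consider one block that matches either action, e.g. `if ($settings{'ACTION'} eq $Lang::tr{'save'} || $settings{'ACTION'} eq $Lang::tr{'fw settings save and restart'})`, and run `/usr/local/bin/optionsfwctrl restart` only when the restart button was pressed. The return values of both system() calls are also discarded, so a failed firewall restart is reported to the user as a successful save; checking them and setting $errormessage would surface the failure.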
@@ -158,6 +183,18 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
 $selected{'MASQUERADE_BLUE'}{'off'} = '';
 $selected{'MASQUERADE_BLUE'}{'on'} = '';
 $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
+$checked{'DNS_FORCE_ON_GREEN'}{'off'} = '';
+$checked{'DNS_FORCE_ON_GREEN'}{'on'} = '';
+$checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} = "checked='checked'";
+$checked{'DNS_FORCE_ON_BLUE'}{'off'} = '';
+$checked{'DNS_FORCE_ON_BLUE'}{'on'} = '';
+$checked{'DNS_FORCE_ON_BLUE'}{$settings{'DNS_FORCE_ON_BLUE'}} = "checked='checked'";
+$checked{'NTP_FORCE_ON_GREEN'}{'off'} = '';
+$checked{'NTP_FORCE_ON_GREEN'}{'on'} = '';
+$checked{'NTP_FORCE_ON_GREEN'}{$settings{'NTP_FORCE_ON_GREEN'}} = "checked='checked'";
+$checked{'NTP_FORCE_ON_BLUE'}{'off'} = '';
+$checked{'NTP_FORCE_ON_BLUE'}{'on'} = '';
+$checked{'NTP_FORCE_ON_BLUE'}{$settings{'NTP_FORCE_ON_BLUE'}} = "checked='checked'";
 
 &Header::openbox('100%', 'center',);
 print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
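Review bot: $checked{'DNS_FORCE_ON_GREEN'}{$settings{'DNS_FORCE_ON_GREEN'}} (and the three sibling lines) read the setting under the name DNS_FORCE_ON_GREEN, while update.sh and lfs/configroot in this same patch write the default as FORCE_DNS_ON_GREEN. On an upgraded or freshly installed system the value is therefore undef, the assignment creates an entry under the empty key, and neither radio button of the new pair is pre-selected. Align the key names with the settings files, and consider defaulting the four values to 'off' after readhash when they are empty so the form always shows a definite state.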
@@ -207,7 +244,38 @@ END
 END
 	}
 
-	print <<END
+print <<END;
+	<table width='95%' cellspacing='0'>
+		<tr bgcolor='$color{'color20'}'></tr>
+		<tr>&nbsp;</tr>
+			<td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td>
+		</tr>
+		<tr><td align='left' width='60%'>$Lang::tr{'dns force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_GREEN' value='on' $checked{'DNS_FORCE_ON_GREEN'}{'on'} />/
+																						<input type='radio' name='DNS_FORCE_ON_GREEN' value='off' $checked{'DNS_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
+		<tr><td align='left' width='60%'>$Lang::tr{'ntp force on green'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_GREEN' value='on' $checked{'NTP_FORCE_ON_GREEN'}{'on'} />/
+																						<input type='radio' name='NTP_FORCE_ON_GREEN' value='off' $checked{'NTP_FORCE_ON_GREEN'}{'off'} /> $Lang::tr{'off'}</td></tr>
+END
+
+	if (&Header::blue_used()) {
+		print <<END;
+		<table width='95%' cellspacing='0'>
+		<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
+		<tr>&nbsp;</tr>
+			<tr>
+			<tr><td align='left' width='60%'>$Lang::tr{'dns force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DNS_FORCE_ON_BLUE' value='on' $checked{'DNS_FORCE_ON_BLUE'}{'on'} />/
+																						<input type='radio' name='DNS_FORCE_ON_BLUE' value='off' $checked{'DNS_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
+			<tr><td align='left' width='60%'>$Lang::tr{'ntp force on blue'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='NTP_FORCE_ON_BLUE' value='on' $checked{'NTP_FORCE_ON_BLUE'}{'on'} />/
+																						<input type='radio' name='NTP_FORCE_ON_BLUE' value='off' $checked{'NTP_FORCE_ON_BLUE'}{'off'} /> $Lang::tr{'off'}</td></tr>
+			<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
+																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
+			<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
+																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
+			</td>
+			</tr>
+END
+	}
+
+	print <<END;
 	</table>
 
 	<br>
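Review bot: the GREEN header is not well-formed HTML: `<tr bgcolor='$color{'color20'}'></tr>` is an empty row, `<tr>&nbsp;</tr>` places text directly inside a row, and the following `<td colspan='2' align='left'>` sits outside any `<tr>` before its `</tr>`. Use the same shape as the BLUE header in this hunk: `<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw green'}</b></td></tr>`. In the blue_used() block the inner `<table width='95%' cellspacing='0'>` opens a second table that is never closed (the `</table>` printed after the if closes only one), the bare `<tr>` after `<tr>&nbsp;</tr>` is never closed, and the trailing `</td></tr>` close nothing; drop those and let the BLUE rows continue the table opened above. Minor: `print <<END;` lost the tab indentation of the surrounding code.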
@@ -224,21 +292,25 @@ END
 																						<input type='radio' name='DROPOUTGOING' value='off' $checked{'DROPOUTGOING'}{'off'} /> $Lang::tr{'off'}</td></tr>
 <tr><td align='left' width='60%'>$Lang::tr{'drop portscan'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPORTSCAN' value='on' $checked{'DROPPORTSCAN'}{'on'} />/
 																						<input type='radio' name='DROPPORTSCAN' value='off' $checked{'DROPPORTSCAN'}{'off'} /> $Lang::tr{'off'}</td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
+END
+
+	if (&Header::blue_used()) {
+		print <<END;
+		<table width='95%' cellspacing='0'>
+			<tr>
+			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessinput'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSINPUT' value='on' $checked{'DROPWIRELESSINPUT'}{'on'} />/
 																						<input type='radio' name='DROPWIRELESSINPUT' value='off' $checked{'DROPWIRELESSINPUT'}{'off'} /> $Lang::tr{'off'}</td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
+			<tr><td align='left' width='60%'>$Lang::tr{'drop wirelessforward'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPWIRELESSFORWARD' value='on' $checked{'DROPWIRELESSFORWARD'}{'on'} />/
 																						<input type='radio' name='DROPWIRELESSFORWARD' value='off' $checked{'DROPWIRELESSFORWARD'}{'off'} /> $Lang::tr{'off'}</td></tr>
-</table>
-<br/>
+			</tr>
+END
+	}
+
+	print <<END;
+	</table>
+
+	<br/>
 
-<table width='95%' cellspacing='0'>
-<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
-																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
-																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
-</table>
-<br>
 <table width='95%' cellspacing='0'>
 <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
 <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
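Review bot: the blue_used() block again opens a nested `<table width='95%' cellspacing='0'>` and a bare `<tr>` that are never closed, and the single `</table>` after the if closes only one table, so the page is emitted with an unbalanced table. Drop the inner `<table>` and the stray `<tr>`/`</tr>` so the two wireless rows simply continue the table opened above. Splitting the BLUE options across two places (drop proxy / drop samba under the 'fw blue' header earlier in this file, wireless input / forward here without a header) also makes the page harder to follow; keeping all four rows together under 'fw blue' would be cleaner.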
@@ -323,7 +395,8 @@ END
 <br />
 <table width='100%' cellspacing='0'>
 <tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
-<input type='submit' name='ACTION' value=$Lang::tr{'save'} />
+<input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
+<input type='submit' name='ACTION' value='$Lang::tr{'fw settings save and restart'}' />
 </form></td></tr>
 </table>
 </form>
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 87181c184..74f8d0f41 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -836,6 +836,8 @@
 'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />',
 'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!',
 'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.',
+'dns force on blue' => 'Erzwinge lokale DNS-Server auf BLAU',
+'dns force on green' => 'Erzwinge lokale DNS-Server auf GRÜN',
 'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)',
 'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)',
 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0',
@@ -1104,12 +1106,14 @@
 'from warn email bad' => 'Von E-Mail-Adresse ist nicht gültig',
 'fw blue' => 'Firewalloptionen für das Blaue Interface',
 'fw default drop' => 'Firewallrichtlinie',
+'fw green' => 'Firewalloptionen für das Grüne Interface',
 'fw logging' => 'Firewallprotokollierung',
 'fw settings' => 'Firewalleinstellungen',
 'fw settings color' => 'Farben in Regeltabelle anzeigen',
 'fw settings dropdown' => 'Alle Netzwerke auf Regelerstellungsseite anzeigen',
 'fw settings remark' => 'Anmerkungen in Regeltabelle anzeigen',
 'fw settings ruletable' => 'Leere Regeltabellen anzeigen',
+'fw settings save and restart' => 'Speichern und Neustart',
 'fwdfw ACCEPT' => 'Akzeptieren (ACCEPT)',
 'fwdfw DROP' => 'Verwerfen (DROP)',
 'fwdfw MODE1' => 'Alle Pakete verwerfen',
@@ -1814,6 +1818,8 @@
 'november' => 'November',
 'ntp common settings' => 'Allgemeine Einstellungen',
 'ntp configuration' => 'Zeitserverkonfiguration',
+'ntp force on blue' => 'Erzwinge lokale NTP-Server auf BLAU',
+'ntp force on green' => 'Erzwinge lokale NTP-Server auf GRÜN',
 'ntp must be enabled to have clients' => 'Um Clients annehmen zu können, muss NTP vorher aktiviert sein.',
 'ntp server' => 'NTP-Server',
 'ntp sync' => 'Synchronisation',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 625c6899f..252af7536 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -859,6 +859,8 @@
 'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.',
 'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!',
 'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.',
+'dns force on green' => 'Force DNS to use local DNS servers on GREEN',
+'dns force on blue' => 'Force DNS to use local DNS servers on BLUE',
 'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)',
 'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)',
 'dns header' => 'Assign DNS server addresses only for DHCP on red0',
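Review bot: 'dns force on green' is inserted before 'dns force on blue', which breaks the alphabetical ordering this file otherwise keeps (de.pl adds the same pair in the right order); swap the two lines, and likewise 'ntp force on green' / 'ntp force on blue' further down.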
@@ -1130,12 +1132,14 @@
 'from warn email bad' => 'From e-mail address is not valid',
 'fw blue' => 'Firewall options for BLUE interface',
 'fw default drop' => 'Firewall policy',
+'fw green' => 'Firewall options for GREEN interface',
 'fw logging' => 'Firewall logging',
 'fw settings' => 'Firewall settings',
 'fw settings color' => 'Show colors in ruletable',
 'fw settings dropdown' => 'Show all networks on rulecreation site',
 'fw settings remark' => 'Show remarks in ruletable',
 'fw settings ruletable' => 'Show empty ruletables',
+'fw settings save and restart' => 'Save and Restart',
 'fwdfw ACCEPT' => 'ACCEPT',
 'fwdfw DROP' => 'DROP',
 'fwdfw MODE1' => 'Drop all packets',
@@ -1844,6 +1848,8 @@
 'november' => 'November',
 'ntp common settings' => 'Common settings',
 'ntp configuration' => 'NTP Configuration',
+'ntp force on green' => 'Force NTP to use local NTP servers on GREEN',
+'ntp force on blue' => 'Force NTP to use local NTP servers on BLUE',
 'ntp must be enabled to have clients' => 'NTP must be enabled to have clients.',
 'ntp server' => 'NTP Server',
 'ntp sync' => 'Synchronization',
diff --git a/lfs/configroot b/lfs/configroot
index a37c2c401..2d8a5de46 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -129,6 +129,10 @@ $(TARGET) :
 	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
+	echo  "FORCE_DNS_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
+	echo  "FORCE_DNS_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
+	echo  "FORCE_NTP_ON_GREEN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
+	echo  "FORCE_NTP_ON_BLUE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
 	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
 	echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
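Review bot: same key-name mismatch as in update.sh: FORCE_DNS_ON_GREEN / FORCE_DNS_ON_BLUE / FORCE_NTP_ON_GREEN / FORCE_NTP_ON_BLUE are written here, while optionsfw.cgi and the firewall init script read DNS_FORCE_ON_GREEN / DNS_FORCE_ON_BLUE / NTP_FORCE_ON_GREEN / NTP_FORCE_ON_BLUE, so a fresh install gets defaults under names nothing consumes. Use one spelling throughout the series.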
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 65f1c979b..4e02bd3d9 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -246,6 +246,77 @@ iptables_init() {
 		iptables -A ${i} -j CAPTIVE_PORTAL
 	done
 
+# Force DNS REDIRECT on GREEN (udp, tcp, 53)
+if [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
+	if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT
+	fi
+
+	if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
+	fi
+
+else
+
+	if iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1
+	fi
+
+	if iptables -t nat -C CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -D CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1
+	fi
+fi
+
+# Force DNS REDIRECT on BLUE (udp, tcp, 53)
+if [ "$DNS_FORCE_ON_BLUE" == "on" ]; then
+	if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT
+	fi
+
+	if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -A CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT
+	fi
+
+else
+
+	if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j REDIRECT >/dev/null 2>&1
+	fi
+
+	if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -D CUSTOMPREROUTING -i blue0 -p tcp -m tcp --dport 53 -j REDIRECT >/dev/null 2>&1
+	fi
+
+fi
+
+# Force NTP REDIRECT on GREEN (udp, 123)
+if [ "$NTP_FORCE_ON_GREEN" == "on" ]; then
+	if ! iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT
+	fi
+
+else
+
+	if iptables -t nat -C CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1
+	fi
+
+fi
+
+# Force DNS REDIRECT on BLUE (udp, 123)
+if [ "$NTP_FORCE_ON_BLUE" == "on" ]; then
+	if ! iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT
+	fi
+
+else
+
+	if iptables -t nat -C CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1; then
+		iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 123 -j REDIRECT >/dev/null 2>&1
+	fi
+
+fi
+
 	# Accept everything connected
 	for i in INPUT FORWARD OUTPUT; do
 		iptables -A ${i} -j CONNTRACK
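Review bot: the variables tested here (DNS_FORCE_ON_GREEN, DNS_FORCE_ON_BLUE, NTP_FORCE_ON_GREEN, NTP_FORCE_ON_BLUE) are not the names update.sh and lfs/configroot write to optionsfw/settings (FORCE_DNS_ON_GREEN, ...), so until the page has been saved once every test falls into its else branch; the hunk also does not show where optionsfw/settings is read into the script's environment, which is worth confirming. Further points: the comment "Force DNS REDIRECT on BLUE (udp, 123)" should say NTP; the whole block is flush-left inside iptables_init() whose body is tab-indented; green0 and blue0 are hard-coded where the configured device names would be safer; `==` inside `[ ]` is a bash extension, `=` is portable; the cover letter promises TCP and UDP for NTP but only UDP/123 is redirected (NTP is UDP, so the cover letter rather than the code needs adjusting); and if CUSTOMPREROUTING is, as the name suggests, the chain reserved for administrator rules, automatically managed rules and their -D cleanup now share it with hand-written ones, where a dedicated chain would keep them apart. Finally, the eight if blocks differ only in interface, protocol and port; a small helper taking those three arguments would remove the repetition and make it impossible for a -C/-A/-D triple to drift apart.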
-- 
2.18.0
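As an added example that is not part of Matthias's patch, the script below factors the check-then-add / check-then-delete pattern described in the cover letter (the `if ! iptables -t nat -C ...` / `if iptables -t nat -C ...` queries) into a few functions: one rule specification shared by -C, -A and -D, an ensure/remove pair, and a driver that reads the four options from a file in the optionsfw/settings format. It uses the chain, device names and key spelling of the init-script hunk (CUSTOMPREROUTING, green0/blue0, DNS_FORCE_ON_GREEN and friends), and treats an absent or misspelled key as off, which is what happens when the settings file carries the FORCE_DNS_ON_* spelling instead. The IPT variable is hypothetical; it lets the script be pointed at a wrapper or a fake iptables for dry runs.

```shell
#!/bin/sh
# Added example (not from the IPFire patch): the init script's check-then-add /
# check-then-delete pattern, factored into reusable functions.
# Assumptions taken from the patch text, not from a running system: nat chain
# CUSTOMPREROUTING, device names green0/blue0, and the settings keys as the init
# script spells them (DNS_FORCE_ON_GREEN, DNS_FORCE_ON_BLUE, NTP_FORCE_ON_GREEN,
# NTP_FORCE_ON_BLUE). IPT is a hypothetical knob so the script can be pointed at
# a wrapper or a fake iptables for dry runs and tests.
IPT="${IPT:-iptables}"

# One source of truth for the rule specification, so -C, -A and -D never drift apart.
redirect_spec() {
    # $1 interface, $2 protocol (udp|tcp), $3 destination port
    printf '%s' "CUSTOMPREROUTING -i $1 -p $2 -m $2 --dport $3 -j REDIRECT"
}

# Add the rule only if it is absent. Prints "added" or "present".
ensure_redirect() {
    spec=$(redirect_spec "$1" "$2" "$3")
    # $spec is deliberately unquoted: it must split into separate iptables arguments.
    if "$IPT" -t nat -C $spec >/dev/null 2>&1; then
        echo present
    else
        "$IPT" -t nat -A $spec && echo added
    fi
}

# Remove the rule only if it exists. Prints "removed" or "absent".
remove_redirect() {
    spec=$(redirect_spec "$1" "$2" "$3")
    if "$IPT" -t nat -C $spec >/dev/null 2>&1; then
        "$IPT" -t nat -D $spec && echo removed
    else
        echo absent
    fi
}

# Converge one rule on the desired state: "on" adds it, anything else removes it,
# so a missing or misspelled settings key fails safe to "off".
sync_redirect() {
    state=$1
    shift
    if [ "$state" = "on" ]; then
        ensure_redirect "$@"
    else
        remove_redirect "$@"
    fi
}

# Read KEY=value from a file in the optionsfw/settings format; absent key -> "".
get_setting() {
    sed -n "s/^$1=//p" "$2" | head -n 1
}

# Apply the four options. DNS needs udp and tcp on port 53, NTP only udp on 123.
apply_force_options() {
    file=$1
    dns_green=$(get_setting DNS_FORCE_ON_GREEN "$file")
    dns_blue=$(get_setting DNS_FORCE_ON_BLUE "$file")
    ntp_green=$(get_setting NTP_FORCE_ON_GREEN "$file")
    ntp_blue=$(get_setting NTP_FORCE_ON_BLUE "$file")

    sync_redirect "$dns_green" green0 udp 53
    sync_redirect "$dns_green" green0 tcp 53
    sync_redirect "$dns_blue"  blue0  udp 53
    sync_redirect "$dns_blue"  blue0  tcp 53
    sync_redirect "$ntp_green" green0 udp 123
    sync_redirect "$ntp_blue"  blue0  udp 123
}

# Usage: ./force_redirects.sh /var/ipfire/optionsfw/settings
if [ "$#" -ge 1 ]; then
    apply_force_options "$1"
fi
```

Running it twice converges: the second pass reports present or absent for every rule and changes nothing, so it can sit on a restart path and be called as often as needed without producing duplicate REDIRECT rules.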



* [PATCH 2/2] New binary: optionsfwctrl - needed for new firewall DNS/NTP options
From: Matthias Fischer @ 2020-12-27 12:30 UTC (permalink / raw)
  To: development


Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
---
 config/rootfiles/common/misc-progs |  1 +
 src/misc-progs/Makefile            |  2 +-
 src/misc-progs/optionsfwctrl.c     | 36 ++++++++++++++++++++++++++++++
 3 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 src/misc-progs/optionsfwctrl.c

diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
index c48a474b2..9d928ec72 100644
--- a/config/rootfiles/common/misc-progs
+++ b/config/rootfiles/common/misc-progs
@@ -18,6 +18,7 @@ usr/local/bin/launch-ether-wake
 usr/local/bin/logwatch
 #usr/local/bin/mpfirectrl
 usr/local/bin/openvpnctrl
+usr/local/bin/optionsfwctrl
 usr/local/bin/pakfire
 usr/local/bin/qosctrl
 usr/local/bin/rebuildhosts
diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
index bea54e773..9d8afcb3f 100644
--- a/src/misc-progs/Makefile
+++ b/src/misc-progs/Makefile
@@ -26,7 +26,7 @@ PROGS = iowrap
 SUID_PROGS = squidctrl sshctrl ipfirereboot \
 	ipsecctrl timectrl dhcpctrl suricatactrl \
 	applejuicectrl rebuildhosts backupctrl collectdctrl \
-	logwatch wioscan wiohelper openvpnctrl firewallctrl \
+	logwatch wioscan wiohelper openvpnctrl firewallctrl optionsfwctrl \
 	wirelessctrl getipstat qosctrl launch-ether-wake \
 	redctrl syslogdctrl extrahdctrl sambactrl upnpctrl \
 	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
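Review bot: optionsfwctrl is added to SUID_PROGS, i.e. a further setuid-root binary whose only job is to run the firewall init script with restart or reload. firewallctrl is already in this list, and optionsfw.cgi in patch 1 calls it immediately before optionsfwctrl; extending that existing helper with the needed action would avoid a second privileged binary with overlapping purpose.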
diff --git a/src/misc-progs/optionsfwctrl.c b/src/misc-progs/optionsfwctrl.c
new file mode 100644
index 000000000..f66b10983
--- /dev/null
+++ b/src/misc-progs/optionsfwctrl.c
@@ -0,0 +1,36 @@
+/* This file is part of the IPFire Firewall.
+ *
+ * This program is distributed under the terms of the GNU General Public
+ * Licence.  See the file COPYING for details.
+ *
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include "setuid.h"
+
+int main(int argc, char *argv[]) {
+
+	if (!(initsetuid()))
+		exit(1);
+
+	if (argc < 2) {
+		fprintf(stderr, "\nNo argument given.\n\noptionsfwctrl restart|reload\n\n");
+		exit(1);
+	}
+
+	if (strcmp(argv[1], "restart") == 0) {
+		safe_system("/etc/rc.d/init.d/firewall restart");
+	} else if (strcmp(argv[1], "reload") == 0) {
+		safe_system("/etc/rc.d/init.d/firewall reload");
+	} else {
+		fprintf(stderr, "\nBad argument given.\n\noptionsfwctrl restart|reload\n\n");
+		exit(1);
+	}
+
+	return 0;
+}
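Review bot: <sys/types.h>, <fcntl.h> and <unistd.h> are included but nothing in the file uses them; <stdlib.h>, <stdio.h>, <string.h> and setuid.h are sufficient. The argument handling is right for a setuid helper: exact strcmp matches against a fixed list, and only two constant command strings ever reach safe_system, so nothing user-controlled is interpolated. Two smaller points: the usage text appears twice with identical wording, so a usage() helper would keep the copies in sync, and main returns 0 regardless of what safe_system returned, so a failed restart is invisible to the caller (optionsfw.cgi ignores the status as well); if safe_system reports the command's exit status, propagate it instead of returning 0 unconditionally.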
-- 
2.18.0


