From mboxrd@z Thu Jan  1 00:00:00 1970
From: Alexander Marx <alexander.marx@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] BUG12265: firewall: iptables rules are being created in the
 wrong chain Fixes: #12265
Date: Thu, 25 Mar 2021 11:23:46 +0100
Message-ID: <20210325102346.55138-1-alexander.marx@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5265887888091578458=="
List-Id: <development.lists.ipfire.org>

--===============5265887888091578458==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

When creating a rule like Source:Orange and Target:green IPfire Interface,
the rule was created in the forward instead of input chain.

This patch sets correct chain and additionally checks
if a single target ip (when set) is one of the ipfire interface ip addresses.
If this is the case, the target is automatically changed to IPFIRE interface =
instead of single target ip.
---
 html/cgi-bin/firewall.cgi | 38 ++++++++++++++++++++++++++------------
 1 file changed, 26 insertions(+), 12 deletions(-)

diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
index 532f99f91..c680eed1d 100644
--- a/html/cgi-bin/firewall.cgi
+++ b/html/cgi-bin/firewall.cgi
@@ -2,7 +2,7 @@
 ############################################################################=
###
 #                                                                           =
  #
 # IPFire.org - A linux based firewall                                       =
  #
-# Copyright (C) 2013 Alexander Marx <amarx(a)ipfire.org>                    =
    #
+# Copyright (C) 2021 Alexander Marx <amarx(a)ipfire.org>                    =
    #
 #                                                                           =
  #
 # This program is free software: you can redistribute it and/or modify      =
  #
 # it under the terms of the GNU General Public License as published by      =
  #
@@ -213,6 +213,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
 	&General::readhasharray("$configfwdfw", \%configfwdfw);
 	&General::readhasharray("$configinput", \%configinputfw);
 	&General::readhasharray("$configoutgoing", \%configoutgoingfw);
+	&General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
 	my $maxkey;
 	#Set Variables according to the JQuery code in protocol section
 	if ($fwdfwsettings{'PROT'} eq 'TCP' || $fwdfwsettings{'PROT'} eq 'UDP')
@@ -231,6 +232,19 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
 	{
 		$fwdfwsettings{'USESRV'} =3D 'ON';
 	}
+	#Check if manual targetip is one of IPFire addresses
+	if ($fwdfwsettings{'grp2'} eq 'tgt_addr' && $fwdfwsettings{$fwdfwsettings{'=
grp2'}} eq $netsettings{'GREEN_ADDRESS'}){
+		$fwdfwsettings{'grp2'} =3D 'ipfire';
+		$fwdfwsettings{$fwdfwsettings{'grp2'}} =3D 'GREEN';
+	}
+	if ($fwdfwsettings{'grp2'} eq 'tgt_addr' && $fwdfwsettings{$fwdfwsettings{'=
grp2'}} eq $netsettings{'ORANGE_ADDRESS'}){
+		$fwdfwsettings{'grp2'} =3D 'ipfire';
+		$fwdfwsettings{$fwdfwsettings{'grp2'}} =3D 'ORANGE';
+	}
+	if ($fwdfwsettings{'grp2'} eq 'tgt_addr' && $fwdfwsettings{$fwdfwsettings{'=
grp2'}} eq $netsettings{'BLUE_ADDRESS'}){
+		$fwdfwsettings{'grp2'} =3D 'ipfire';
+		$fwdfwsettings{$fwdfwsettings{'grp2'}} =3D 'BLUE';
+	}
 	$errormessage=3D&checksource;
 	if(!$errormessage){&checktarget;}
 	if(!$errormessage){&checkrule;}
@@ -247,7 +261,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
 		$errormessage=3D$Lang::tr{'fwdfw err same'};
 	}
 	# INPUT part
-	if ($fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{$fwdfwsettings{'gr=
p1'}} ne 'ORANGE'){
+	if ($fwdfwsettings{'grp2'} eq 'ipfire'){
 		$fwdfwsettings{'config'}=3D$configinput;
 		$fwdfwsettings{'chain'} =3D 'INPUTFW';
 		$maxkey=3D&General::findhasharraykey(\%configinputfw);
@@ -1512,7 +1526,7 @@ sub newrule
 	$checked{'USE_NAT'}{$fwdfwsettings{'USE_NAT'}} 			=3D 'CHECKED';
 	$selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}}		=3D 'selected';
 	$selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}}			=3D 'selected';
-	$selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} =3D'selected';
+	$selected{'ipfire tgt'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} =3D'selecte=
d';
 	$selected{'ipfire_src'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} =3D'selecte=
d';
 	#check if update and get values
 	if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'} e=
q 'on' && !$errormessage){
@@ -1526,7 +1540,7 @@ sub newrule
 				$fwdfwsettings{'ACTIVE'}				=3D $hash{$key}[2];
 				$fwdfwsettings{'grp1'}					=3D $hash{$key}[3];  =20
 				$fwdfwsettings{$fwdfwsettings{'grp1'}}	=3D $hash{$key}[4];  =20
-				$fwdfwsettings{'grp2'}					=3D $hash{$key}[5];  =20
+				$fwdfwsettings{'grp2'}					=3D $hash{$key}[5];
 				$fwdfwsettings{$fwdfwsettings{'grp2'}}	=3D $hash{$key}[6];  =20
 				$fwdfwsettings{'USE_SRC_PORT'}			=3D $hash{$key}[7];
 				$fwdfwsettings{'PROT'}					=3D $hash{$key}[8];
@@ -1584,7 +1598,7 @@ sub newrule
 				$checked{'RATE_LIMIT'}{$fwdfwsettings{'RATE_LIMIT'}}	=3D 'CHECKED';
 				$selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}}		=3D 'selected';
 				$selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}}			=3D 'selected';
-				$selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} =3D'selected=
';
+				$selected{'ipfire tgt'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} =3D'sele=
cted';
 				$selected{'ipfire_src'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} =3D'sele=
cted';
 				$selected{'dnat'}{$fwdfwsettings{'dnat'}}				=3D'selected';
 				$selected{'snat'}{$fwdfwsettings{'snat'}}				=3D'selected';
@@ -1753,16 +1767,16 @@ END
 		<table width=3D'100%' border=3D'0'>=09
 		<tr><td width=3D'1%'><input type=3D'radio' name=3D'grp2' value=3D'tgt_addr=
'  checked></td><td width=3D'60%' nowrap=3D'nowrap'>$Lang::tr{'fwdfw targetip=
'}<input type=3D'TEXT' name=3D'tgt_addr' value=3D'$fwdfwsettings{'tgt_addr'}'=
 size=3D'16' maxlength=3D'18'><td width=3D'1%'><input type=3D'radio' name=3D'=
grp2' id=3D'ipfire' value=3D'ipfire'  $checked{'grp2'}{'ipfire'}></td><td><b>=
Firewall</b></td>
 END
-		print"<td align=3D'right'><select name=3D'ipfire' style=3D'width:200px;'>";
-		print "<option value=3D'ALL' $selected{'ipfire'}{'ALL'}>$Lang::tr{'all'}</=
option>";
-		print "<option value=3D'GREEN' $selected{'ipfire'}{'GREEN'}>$Lang::tr{'gre=
en'} ($ifaces{'GREEN_ADDRESS'})</option>" if $ifaces{'GREEN_ADDRESS'};
-		print "<option value=3D'ORANGE' $selected{'ipfire'}{'ORANGE'}>$Lang::tr{'o=
range'} ($ifaces{'ORANGE_ADDRESS'})</option>" if (&Header::orange_used());
-		print "<option value=3D'BLUE' $selected{'ipfire'}{'BLUE'}>$Lang::tr{'blue'=
} ($ifaces{'BLUE_ADDRESS'})</option>"if (&Header::blue_used());
-		print "<option value=3D'RED1' $selected{'ipfire'}{'RED1'}>$Lang::tr{'red1'=
} ($redip)" if ($redip);
+		print"<td align=3D'right'><select name=3D'ipfire tgt' style=3D'width:200px=
;'>";
+		print "<option value=3D'ALL' $selected{'ipfire tgt'}{'ALL'}>$Lang::tr{'all=
'}</option>";
+		print "<option value=3D'GREEN' $selected{'ipfire tgt'}{'GREEN'}>$Lang::tr{=
'green'} ($ifaces{'GREEN_ADDRESS'})</option>" if $ifaces{'GREEN_ADDRESS'};
+		print "<option value=3D'ORANGE' $selected{'ipfire tgt'}{'ORANGE'}>$Lang::t=
r{'orange'} ($ifaces{'ORANGE_ADDRESS'})</option>" if (&Header::orange_used());
+		print "<option value=3D'BLUE' $selected{'ipfire tgt'}{'BLUE'}>$Lang::tr{'b=
lue'} ($ifaces{'BLUE_ADDRESS'})</option>"if (&Header::blue_used());
+		print "<option value=3D'RED1' $selected{'ipfire tgt'}{'RED1'}>$Lang::tr{'r=
ed1'} ($redip)" if ($redip);
 		if (! -z "${General::swroot}/ethernet/aliases"){
 			foreach my $alias (sort keys %aliases)
 			{
-				print "<option value=3D'$alias' $selected{'ipfire'}{$alias}>$alias ($ali=
ases{$alias}{'IPT'})</option>";
+				print "<option value=3D'$alias' $selected{'ipfire tgt'}{$alias}>$alias (=
$aliases{$alias}{'IPT'})</option>";
 			}
 		}
 		print<<END;
--=20
2.25.1


--===============5265887888091578458==--