From mboxrd@z Thu Jan  1 00:00:00 1970
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] BUG12265: firewall: iptables rules are being created in
 the wrong chain Fixes: #12265
Date: Sat, 27 Mar 2021 21:45:55 +0100
Message-ID: <6bb0622b-a68e-78b9-4756-43d5462d9c2e@ipfire.org>
In-Reply-To: <20210325102346.55138-1-alexander.marx@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1852993124022694101=="
List-Id: <development.lists.ipfire.org>

--===============1852993124022694101==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello Alex,

thank you for submitting this one.

Unfortunately, this patch is not behaving correctly on my testing machine (ru=
nning Core Update 155):

A firewall rule with source =3D ORANGE and destination =3D firewall | GREEN I=
P is still displayed in the
wrong section in the WebUI. Worse, the destination IP address is silently omi=
tted, resulting in=20
destination =3D any instead.

This faulty behaviour can be reproduced by creating and modifying firewall ru=
les for arbitrary source
networks and arbitrary IP addresses of IPFire's interface as a destination.

Oddly enough, when accidentally leaving "destination IP" checked without ente=
ring one (why does the
WebUI even accept such rules?!), the rule is created in the correct section (=
"incoming firewall access"),
with it's target section displayed in blue and without an IP address - the IP=
Fire machine, however, does
not even _have_ a BLUE interface.

Whatever goes wrong here seems to go seriously wrong.

Thanks, and best regards,
Peter M=C3=BCller


> When creating a rule like Source:Orange and Target:green IPfire Interface,
> the rule was created in the forward instead of input chain.
>=20
> This patch sets correct chain and additionally checks
> if a single target ip (when set) is one of the ipfire interface ip addresse=
s.
> If this is the case, the target is automatically changed to IPFIRE interfac=
e instead of single target ip.
> ---
>  html/cgi-bin/firewall.cgi | 38 ++++++++++++++++++++++++++------------
>  1 file changed, 26 insertions(+), 12 deletions(-)
>=20
> diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
> index 532f99f91..c680eed1d 100644
> --- a/html/cgi-bin/firewall.cgi
> +++ b/html/cgi-bin/firewall.cgi
> @@ -2,7 +2,7 @@
>  ##########################################################################=
#####
>  #                                                                         =
    #
>  # IPFire.org - A linux based firewall                                     =
    #
> -# Copyright (C) 2013 Alexander Marx <amarx(a)ipfire.org>                  =
      #
> +# Copyright (C) 2021 Alexander Marx <amarx(a)ipfire.org>                  =
      #
>  #                                                                         =
    #
>  # This program is free software: you can redistribute it and/or modify    =
    #
>  # it under the terms of the GNU General Public License as published by    =
    #
> @@ -213,6 +213,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
>  	&General::readhasharray("$configfwdfw", \%configfwdfw);
>  	&General::readhasharray("$configinput", \%configinputfw);
>  	&General::readhasharray("$configoutgoing", \%configoutgoingfw);
> +	&General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
>  	my $maxkey;
>  	#Set Variables according to the JQuery code in protocol section
>  	if ($fwdfwsettings{'PROT'} eq 'TCP' || $fwdfwsettings{'PROT'} eq 'UDP')
> @@ -231,6 +232,19 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
>  	{
>  		$fwdfwsettings{'USESRV'} =3D 'ON';
>  	}
> +	#Check if manual targetip is one of IPFire addresses
> +	if ($fwdfwsettings{'grp2'} eq 'tgt_addr' && $fwdfwsettings{$fwdfwsettings=
{'grp2'}} eq $netsettings{'GREEN_ADDRESS'}){
> +		$fwdfwsettings{'grp2'} =3D 'ipfire';
> +		$fwdfwsettings{$fwdfwsettings{'grp2'}} =3D 'GREEN';
> +	}
> +	if ($fwdfwsettings{'grp2'} eq 'tgt_addr' && $fwdfwsettings{$fwdfwsettings=
{'grp2'}} eq $netsettings{'ORANGE_ADDRESS'}){
> +		$fwdfwsettings{'grp2'} =3D 'ipfire';
> +		$fwdfwsettings{$fwdfwsettings{'grp2'}} =3D 'ORANGE';
> +	}
> +	if ($fwdfwsettings{'grp2'} eq 'tgt_addr' && $fwdfwsettings{$fwdfwsettings=
{'grp2'}} eq $netsettings{'BLUE_ADDRESS'}){
> +		$fwdfwsettings{'grp2'} =3D 'ipfire';
> +		$fwdfwsettings{$fwdfwsettings{'grp2'}} =3D 'BLUE';
> +	}
>  	$errormessage=3D&checksource;
>  	if(!$errormessage){&checktarget;}
>  	if(!$errormessage){&checkrule;}
> @@ -247,7 +261,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
>  		$errormessage=3D$Lang::tr{'fwdfw err same'};
>  	}
>  	# INPUT part
> -	if ($fwdfwsettings{'grp2'} eq 'ipfire' && $fwdfwsettings{$fwdfwsettings{'=
grp1'}} ne 'ORANGE'){
> +	if ($fwdfwsettings{'grp2'} eq 'ipfire'){
>  		$fwdfwsettings{'config'}=3D$configinput;
>  		$fwdfwsettings{'chain'} =3D 'INPUTFW';
>  		$maxkey=3D&General::findhasharraykey(\%configinputfw);
> @@ -1512,7 +1526,7 @@ sub newrule
>  	$checked{'USE_NAT'}{$fwdfwsettings{'USE_NAT'}} 			=3D 'CHECKED';
>  	$selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}}		=3D 'selected';
>  	$selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}}			=3D 'selected';
> -	$selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} =3D'selected';
> +	$selected{'ipfire tgt'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} =3D'selec=
ted';
>  	$selected{'ipfire_src'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} =3D'selec=
ted';
>  	#check if update and get values
>  	if($fwdfwsettings{'updatefwrule'} eq 'on' || $fwdfwsettings{'copyfwrule'}=
 eq 'on' && !$errormessage){
> @@ -1526,7 +1540,7 @@ sub newrule
>  				$fwdfwsettings{'ACTIVE'}				=3D $hash{$key}[2];
>  				$fwdfwsettings{'grp1'}					=3D $hash{$key}[3];  =20
>  				$fwdfwsettings{$fwdfwsettings{'grp1'}}	=3D $hash{$key}[4];  =20
> -				$fwdfwsettings{'grp2'}					=3D $hash{$key}[5];  =20
> +				$fwdfwsettings{'grp2'}					=3D $hash{$key}[5];
>  				$fwdfwsettings{$fwdfwsettings{'grp2'}}	=3D $hash{$key}[6];  =20
>  				$fwdfwsettings{'USE_SRC_PORT'}			=3D $hash{$key}[7];
>  				$fwdfwsettings{'PROT'}					=3D $hash{$key}[8];
> @@ -1584,7 +1598,7 @@ sub newrule
>  				$checked{'RATE_LIMIT'}{$fwdfwsettings{'RATE_LIMIT'}}	=3D 'CHECKED';
>  				$selected{'TIME_FROM'}{$fwdfwsettings{'TIME_FROM'}}		=3D 'selected';
>  				$selected{'TIME_TO'}{$fwdfwsettings{'TIME_TO'}}			=3D 'selected';
> -				$selected{'ipfire'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} =3D'select=
ed';
> +				$selected{'ipfire tgt'}{$fwdfwsettings{$fwdfwsettings{'grp2'}}} =3D'se=
lected';
>  				$selected{'ipfire_src'}{$fwdfwsettings{$fwdfwsettings{'grp1'}}} =3D'se=
lected';
>  				$selected{'dnat'}{$fwdfwsettings{'dnat'}}				=3D'selected';
>  				$selected{'snat'}{$fwdfwsettings{'snat'}}				=3D'selected';
> @@ -1753,16 +1767,16 @@ END
>  		<table width=3D'100%' border=3D'0'>=09
>  		<tr><td width=3D'1%'><input type=3D'radio' name=3D'grp2' value=3D'tgt_ad=
dr'  checked></td><td width=3D'60%' nowrap=3D'nowrap'>$Lang::tr{'fwdfw target=
ip'}<input type=3D'TEXT' name=3D'tgt_addr' value=3D'$fwdfwsettings{'tgt_addr'=
}' size=3D'16' maxlength=3D'18'><td width=3D'1%'><input type=3D'radio' name=
=3D'grp2' id=3D'ipfire' value=3D'ipfire'  $checked{'grp2'}{'ipfire'}></td><td=
><b>Firewall</b></td>
>  END
> -		print"<td align=3D'right'><select name=3D'ipfire' style=3D'width:200px;'=
>";
> -		print "<option value=3D'ALL' $selected{'ipfire'}{'ALL'}>$Lang::tr{'all'}=
</option>";
> -		print "<option value=3D'GREEN' $selected{'ipfire'}{'GREEN'}>$Lang::tr{'g=
reen'} ($ifaces{'GREEN_ADDRESS'})</option>" if $ifaces{'GREEN_ADDRESS'};
> -		print "<option value=3D'ORANGE' $selected{'ipfire'}{'ORANGE'}>$Lang::tr{=
'orange'} ($ifaces{'ORANGE_ADDRESS'})</option>" if (&Header::orange_used());
> -		print "<option value=3D'BLUE' $selected{'ipfire'}{'BLUE'}>$Lang::tr{'blu=
e'} ($ifaces{'BLUE_ADDRESS'})</option>"if (&Header::blue_used());
> -		print "<option value=3D'RED1' $selected{'ipfire'}{'RED1'}>$Lang::tr{'red=
1'} ($redip)" if ($redip);
> +		print"<td align=3D'right'><select name=3D'ipfire tgt' style=3D'width:200=
px;'>";
> +		print "<option value=3D'ALL' $selected{'ipfire tgt'}{'ALL'}>$Lang::tr{'a=
ll'}</option>";
> +		print "<option value=3D'GREEN' $selected{'ipfire tgt'}{'GREEN'}>$Lang::t=
r{'green'} ($ifaces{'GREEN_ADDRESS'})</option>" if $ifaces{'GREEN_ADDRESS'};
> +		print "<option value=3D'ORANGE' $selected{'ipfire tgt'}{'ORANGE'}>$Lang:=
:tr{'orange'} ($ifaces{'ORANGE_ADDRESS'})</option>" if (&Header::orange_used(=
));
> +		print "<option value=3D'BLUE' $selected{'ipfire tgt'}{'BLUE'}>$Lang::tr{=
'blue'} ($ifaces{'BLUE_ADDRESS'})</option>"if (&Header::blue_used());
> +		print "<option value=3D'RED1' $selected{'ipfire tgt'}{'RED1'}>$Lang::tr{=
'red1'} ($redip)" if ($redip);
>  		if (! -z "${General::swroot}/ethernet/aliases"){
>  			foreach my $alias (sort keys %aliases)
>  			{
> -				print "<option value=3D'$alias' $selected{'ipfire'}{$alias}>$alias ($a=
liases{$alias}{'IPT'})</option>";
> +				print "<option value=3D'$alias' $selected{'ipfire tgt'}{$alias}>$alias=
 ($aliases{$alias}{'IPT'})</option>";
>  			}
>  		}
>  		print<<END;
>=20

--===============1852993124022694101==--