This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via c0ce920610c15e9a3639dbaadb29feea1747ac34 (commit)
via 896eb2d69354221b2a13770b60a61c5b454126a7 (commit)
via c71499d8d9296124cd08467efa938375e0bccb20 (commit)
via fd169d0adc87c82253b0655d94ea8213e9aaabe4 (commit)
via 4e54e3c6f531f356424c366c6c886efeceb5b8ae (commit)
via d7a14d01e120d7350f449a2694eb10feedede2d6 (commit)
from 0d0df35ca260e5934f66ac79247dd9682f20795f (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit c0ce920610c15e9a3639dbaadb29feea1747ac34
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Mar 21 13:28:00 2014 +0100
firewall: rules.pl: Allow REDIRECT rules.
commit 896eb2d69354221b2a13770b60a61c5b454126a7
Author: Alexander Marx <alexander.marx(a)ipfire.org>
Date: Fri Mar 21 12:54:12 2014 +0100
Firewall: Allow DNAT with target firewall
commit c71499d8d9296124cd08467efa938375e0bccb20
Author: Alexander Marx <alexander.marx(a)ipfire.org>
Date: Fri Mar 21 12:20:50 2014 +0100
Firewall: Rename defaultNetworks to netsettings
commit fd169d0adc87c82253b0655d94ea8213e9aaabe4
Author: Alexander Marx <alexander.marx(a)ipfire.org>
Date: Fri Mar 21 08:28:24 2014 +0100
Firewall: DNAT - Show right DNAT interface in ruletable
Now:
When using a hostgroup as source there are all corresponding DNAT
interfaces shown in ruletable depending on the entries in the group.
When in DNAT area "-automatic" is selected, the DNAT interfaces are
shown as IP-Addresses, else they are shown as "ORANGE","GREEN","BLUE"...
BUGFIX: When a MAC address is used in a source group, the rules could not be set. Now MAC addresses always get the public interface as DNAT
commit 4e54e3c6f531f356424c366c6c886efeceb5b8ae
Author: Alexander Marx <alexander.marx(a)ipfire.org>
Date: Thu Mar 20 17:27:53 2014 +0100
Firewall: Move some functions from rules.pl to firewall-lib.pl
commit d7a14d01e120d7350f449a2694eb10feedede2d6
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Mar 21 12:40:55 2014 +0100
firewall: rules.pl: Fix rules with other NAT port.
-----------------------------------------------------------------------
Summary of changes:
config/firewall/firewall-lib.pl | 276 ++++++++++++++++++++++++++++++++-
config/firewall/rules.pl | 333 ++++++----------------------------------
html/cgi-bin/firewall.cgi | 26 +++-
3 files changed, 343 insertions(+), 292 deletions(-)
Difference in files:
diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
index fc80555..ae2a462 100755
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -35,6 +35,7 @@ my %ipsecconf=();
my %ipsecsettings=();
my %netsettings=();
my %ovpnsettings=();
+my %aliases=();
require '/var/ipfire/general-functions.pl';
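Review bot: `%aliases` is declared here but nothing in this diff populates it — no `readhash`/`readhasharray` into `\%aliases` appears in the new firewall-lib.pl hunks, while the removed rules.pl copy of `get_alias` presumably had the hash loaded in that script. If the library does not fill it, `get_alias` (added further down in this file) iterates an empty hash, and every alias lookup made by `get_address` and `get_nat_address` yields undef, so a rule on an alias silently gets no address. Add the load next to the other `readhash` calls, e.g. `&General::readhasharray("<aliases-file-path>", \%aliases);`, using the same file rules.pl read before the move.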
@@ -49,12 +50,12 @@ my $configipsec = "${General::swroot}/vpn/config";
my $configovpn = "${General::swroot}/ovpn/settings";
my $val;
my $field;
+my $netsettings = "${General::swroot}/ethernet/settings";
&General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
&General::readhash("${General::swroot}/ovpn/settings", \%ovpnsettings);
&General::readhash("${General::swroot}/vpn/settings", \%ipsecsettings);
-
&General::readhasharray("$confignet", \%customnetwork);
&General::readhasharray("$confighost", \%customhost);
&General::readhasharray("$configgrp", \%customgrp);
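Review bot: The new `$netsettings` path variable is never used — the `readhash` immediately after it still passes the literal `"/var/ipfire/ethernet/settings"`, so the two will drift apart silently. Either use it, `&General::readhash($netsettings, \%netsettings);`, or drop the declaration. A scalar `$netsettings` next to the hash `%netsettings` is also easy to misread; a name like `$configethernet` would match the neighbouring `$configipsec`/`$configovpn` convention.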
@@ -103,8 +104,6 @@ sub get_srvgrp_prot
return $back;
}
-
-
sub get_srv_port
{
my $val=shift;
@@ -253,5 +252,276 @@ sub get_host_ip
}
}
}
+sub get_addresses
+{
+ my $hash = shift;
+ my $key = shift;
+ my $type = shift;
+
+ my @addresses = ();
+ my $addr_type;
+ my $value;
+ my $group_name;
+
+ if ($type eq "src") {
+ $addr_type = $$hash{$key}[3];
+ $value = $$hash{$key}[4];
+
+ } elsif ($type eq "tgt") {
+ $addr_type = $$hash{$key}[5];
+ $value = $$hash{$key}[6];
+ }
+
+ if ($addr_type ~~ ["cust_grp_src", "cust_grp_tgt"]) {
+ foreach my $grp (sort {$a <=> $b} keys %customgrp) {
+ if ($customgrp{$grp}[0] eq $value) {
+ my @address = &get_address($customgrp{$grp}[3], $customgrp{$grp}[2], $type);
+
+ if (@address) {
+ push(@addresses, @address);
+ }
+ }
+ }
+ } else {
+ my @address = &get_address($addr_type, $value, $type);
+
+ if (@address) {
+ push(@addresses, @address);
+ }
+ }
+
+ return @addresses;
+}
+sub get_address
+{
+ my $key = shift;
+ my $value = shift;
+ my $type = shift;
+
+ my @ret = ();
+
+ # If the user manually typed an address, we just check if it is a MAC
+ # address. Otherwise, we assume that it is an IP address.
+ if ($key ~~ ["src_addr", "tgt_addr"]) {
+ if (&General::validmac($value)) {
+ push(@ret, "-m mac --mac-source $value");
+ } else {
+ push(@ret, $value);
+ }
+
+ # If a default network interface (GREEN, BLUE, etc.) is selected, we
+ # try to get the corresponding address of the network.
+ } elsif ($key ~~ ["std_net_src", "std_net_tgt", "Standard Network"]) {
+ my $external_interface = &get_external_interface();
+
+ my $network_address = &get_std_net_ip($value, $external_interface);
+ if ($network_address) {
+ push(@ret, $network_address);
+ }
+
+ # Custom networks.
+ } elsif ($key ~~ ["cust_net_src", "cust_net_tgt", "Custom Network"]) {
+ my $network_address = &get_net_ip($value);
+ if ($network_address) {
+ push(@ret, $network_address);
+ }
+
+ # Custom hosts.
+ } elsif ($key ~~ ["cust_host_src", "cust_host_tgt", "Custom Host"]) {
+ my $host_address = &get_host_ip($value, $type);
+ if ($host_address) {
+ push(@ret, $host_address);
+ }
+
+ # OpenVPN networks.
+ } elsif ($key ~~ ["ovpn_net_src", "ovpn_net_tgt", "OpenVPN static network"]) {
+ my $network_address = &get_ovpn_net_ip($value, 1);
+ if ($network_address) {
+ push(@ret, $network_address);
+ }
+
+ # OpenVPN hosts.
+ } elsif ($key ~~ ["ovpn_host_src", "ovpn_host_tgt", "OpenVPN static host"]) {
+ my $host_address = &get_ovpn_host_ip($value, 33);
+ if ($host_address) {
+ push(@ret, $host_address);
+ }
+
+ # OpenVPN N2N.
+ } elsif ($key ~~ ["ovpn_n2n_src", "ovpn_n2n_tgt", "OpenVPN N-2-N"]) {
+ my $network_address = &get_ovpn_n2n_ip($value, 11);
+ if ($network_address) {
+ push(@ret, $network_address);
+ }
+
+ # IPsec networks.
+ } elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) {
+ my $network_address = &get_ipsec_net_ip($value, 11);
+ if ($network_address) {
+ push(@ret, $network_address);
+ }
+
+ # The firewall's own IP addresses.
+ } elsif ($key ~~ ["ipfire", "ipfire_src"]) {
+ # ALL
+ if ($value eq "ALL") {
+ push(@ret, "0/0");
+
+ # GREEN
+ } elsif ($value eq "GREEN") {
+ push(@ret, $netsettings{"GREEN_ADDRESS"});
+
+ # BLUE
+ } elsif ($value eq "BLUE") {
+ push(@ret, $netsettings{"BLUE_ADDRESS"});
+
+ # ORANGE
+ } elsif ($value eq "ORANGE") {
+ push(@ret, $netsettings{"ORANGE_ADDRESS"});
+
+ # RED
+ } elsif ($value ~~ ["RED", "RED1"]) {
+ my $address = &get_external_address();
+ if ($address) {
+ push(@ret, $address);
+ }
+
+ # Aliases
+ } else {
+ my %alias = &get_alias($value);
+ if (%alias) {
+ push(@ret, $alias{"IPT"});
+ }
+ }
+
+ # If nothing was selected, we assume "any".
+ } else {
+ push(@ret, "0/0");
+ }
+
+ return @ret;
+}
+sub get_external_interface()
+{
+ open(IFACE, "/var/ipfire/red/iface") or return "";
+ my $iface = <IFACE>;
+ close(IFACE);
+
+ return $iface;
+}
+sub get_external_address()
+{
+ open(ADDR, "/var/ipfire/red/local-ipaddress") or return "";
+ my $address = <ADDR>;
+ close(ADDR);
+
+ return $address;
+}
+sub get_alias
+{
+ my $id = shift;
+
+ foreach my $alias (sort keys %aliases) {
+ if ($id eq $alias) {
+ return $aliases{$alias};
+ }
+ }
+}
+sub get_nat_address
+{
+ my $zone = shift;
+ my $source = shift;
+
+ # Any static address of any zone.
+ if ($zone eq "AUTO") {
+ if ($source && ($source !~ m/mac/i )) {
+ my $firewall_ip = &get_internal_firewall_ip_address($source, 1);
+ if ($firewall_ip) {
+ return $firewall_ip;
+ }
+
+ $firewall_ip = &get_matching_firewall_address($source, 1);
+ if ($firewall_ip) {
+ return $firewall_ip;
+ }
+ }
+
+ return &get_external_address();
+
+ } elsif ($zone eq "RED" || $zone eq "GREEN" || $zone eq "ORANGE" || $zone eq "BLUE") {
+ return $netsettings{$zone . "_ADDRESS"};
+
+ } elsif ($zone eq "Default IP") {
+ return &get_external_address();
+
+ } else {
+ return &get_alias($zone);
+ }
+
+ print_error("Could not find NAT address");
+}
+sub get_internal_firewall_ip_addresses
+{
+ my $use_orange = shift;
+
+ my @zones = ("GREEN", "BLUE");
+ if ($use_orange) {
+ push(@zones, "ORANGE");
+ }
+
+ my @addresses = ();
+ for my $zone (@zones) {
+ next unless (exists $netsettings{$zone . "_ADDRESS"});
+
+ my $zone_address = $netsettings{$zone . "_ADDRESS"};
+ push(@addresses, $zone_address);
+ }
+
+ return @addresses;
+}
+sub get_matching_firewall_address
+{
+ my $addr = shift;
+ my $use_orange = shift;
+
+ my ($address, $netmask) = split("/", $addr);
+
+ my @zones = ("GREEN", "BLUE");
+ if ($use_orange) {
+ push(@zones, "ORANGE");
+ }
+
+ foreach my $zone (@zones) {
+ next unless (exists $netsettings{$zone . "_ADDRESS"});
+
+ my $zone_subnet = $netsettings{$zone . "_NETADDRESS"};
+ my $zone_mask = $netsettings{$zone . "_NETMASK"};
+
+ if (&General::IpInSubnet($address, $zone_subnet, $zone_mask)) {
+ return $netsettings{$zone . "_ADDRESS"};
+ }
+ }
+
+ return 0;
+}
+sub get_internal_firewall_ip_address
+{
+ my $subnet = shift;
+ my $use_orange = shift;
+
+ my ($net_address, $net_mask) = split("/", $subnet);
+ if ((!$net_mask) || ($net_mask ~~ ["32", "255.255.255.255"])) {
+ return 0;
+ }
+
+ my @addresses = &get_internal_firewall_ip_addresses($use_orange);
+ foreach my $zone_address (@addresses) {
+ if (&General::IpInSubnet($zone_address, $net_address, $net_mask)) {
+ return $zone_address;
+ }
+ }
+
+ return 0;
+}
return 1;
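Review bot: `get_external_interface` and `get_external_address` return the first line of the file with its trailing newline still attached, and the callers in rules.pl interpolate that value into the iptables command string (`-d $nat_address` inside `run(...)`), so a `chomp $address;` after each read is needed, ideally with a lexical three-arg handle: `open(my $fh, '<', '/var/ipfire/red/local-ipaddress') or return "";`. `get_alias` is consumed inconsistently: `get_address` assigns its result to `%alias` and reads `$alias{"IPT"}`, while `get_nat_address` returns `&get_alias($zone)` directly as the NAT address — unless `$aliases{$id}` is usable both ways (not visible here), one of the two callers is wrong. `get_alias` also scans every key for an exact match where `return $aliases{$id} if exists $aliases{$id};` does the same, and the trailing `print_error("Could not find NAT address")` in `get_nat_address` is unreachable since every branch returns. The `~~` smart-match used throughout `get_address` is experimental from Perl 5.18 and warns; `grep { $key eq $_ } (...)` or a hash lookup is the stable form.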
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 50fff3f..d9c9b5c 100755
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -170,10 +170,13 @@ sub buildrules {
}
# Collect all sources.
- my @sources = &get_addresses($hash, $key, "src");
+ my @sources = &fwlib::get_addresses($hash, $key, "src");
# Collect all destinations.
- my @destinations = &get_addresses($hash, $key, "tgt");
+ my @destinations = &fwlib::get_addresses($hash, $key, "tgt");
+
+ # True if the destination is the firewall itself.
+ my $destination_is_firewall = ($$hash{$key}[5] eq "ipfire");
# Check if logging should be enabled.
my $LOG = ($$hash{$key}[17] eq 'ON');
@@ -246,7 +249,7 @@ sub buildrules {
}
# Prepare protocol options (like ICMP types, ports, etc...).
- my @protocol_options = &get_protocol_options($hash, $key, $protocol);
+ my @protocol_options = &get_protocol_options($hash, $key, $protocol, 0);
# Check if this protocol knows ports.
my $protocol_has_ports = ($protocol ~~ @PROTOCOLS_WITH_PORTS);
@@ -271,7 +274,6 @@ sub buildrules {
# Append protocol.
if ($protocol ne "all") {
- push(@options, ("-p", $protocol));
push(@options, @protocol_options);
}
@@ -299,7 +301,7 @@ sub buildrules {
# Process NAT rules.
if ($NAT) {
- my $nat_address = &get_nat_address($$hash{$key}[29], $source);
+ my $nat_address = &fwlib::get_nat_address($$hash{$key}[29], $source);
# Skip NAT rules if the NAT address is unknown
# (i.e. no internet connection has been established, yet).
@@ -308,30 +310,51 @@ sub buildrules {
# Destination NAT
if ($NAT_MODE eq "DNAT") {
# Make port-forwardings useable from the internal networks.
- my @internal_addresses = &get_internal_firewall_ip_addresses(1);
+ my @internal_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
unless ($nat_address ~~ @internal_addresses) {
&add_dnat_mangle_rules($nat_address, @options);
}
- my @nat_options = @options;
+ my @nat_options = ();
+ if ($protocol ne "all") {
+ my @nat_protocol_options = &get_protocol_options($hash, $key, $protocol, 1);
+ push(@nat_options, @nat_protocol_options);
+ }
push(@nat_options, @source_options);
push(@nat_options, ("-d", $nat_address));
- my ($dnat_address, $dnat_mask) = split("/", $destination);
- @destination_options = ("-d", $dnat_address);
-
+ my $dnat_port;
if ($protocol_has_ports) {
- my $dnat_port = &get_dnat_target_port($hash, $key);
+ $dnat_port = &get_dnat_target_port($hash, $key);
+ }
+
+ my @nat_action_options = ();
+
+ # Use iptables REDIRECT
+ my $use_redirect = ($destination_is_firewall && !$destination && $protocol_has_ports && $dnat_port);
+ if ($use_redirect) {
+ push(@nat_action_options, ("-j", "REDIRECT", "--to-ports", $dnat_port));
+
+ # Use iptables DNAT
+ } else {
+ my ($dnat_address, $dnat_mask) = split("/", $destination);
+ @destination_options = ("-d", $dnat_address);
- if ($dnat_port) {
- $dnat_address .= ":$dnat_port";
+ if ($protocol_has_ports) {
+ my $dnat_port = &get_dnat_target_port($hash, $key);
+
+ if ($dnat_port) {
+ $dnat_address .= ":$dnat_port";
+ }
}
+
+ push(@nat_action_options, ("-j", "DNAT", "--to-destination", $dnat_address));
}
if ($LOG) {
run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options @log_limit_options -j LOG --log-prefix 'DNAT '");
}
- run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options -j DNAT --to-destination $dnat_address");
+ run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options @nat_action_options");
# Source NAT
} elsif ($NAT_MODE eq "SNAT") {
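Review bot: `get_dnat_target_port` is looked up twice: `$dnat_port` is filled right after the `my $dnat_port;` declaration, and the DNAT branch then declares a second `my $dnat_port = &get_dnat_target_port($hash, $key);` that shadows it. The inner block reduces to `if ($dnat_port) { $dnat_address .= ":$dnat_port"; }` with no `if ($protocol_has_ports)` wrapper, because the outer variable is already undef when the protocol has no ports. The REDIRECT path leaves `@destination_options` at whatever value it had before this hunk (only the DNAT side reassigns it), which looks intended for a firewall target but deserves a comment such as `# REDIRECT keeps the original destination, so no -d rewrite is needed`. buildrules continues outside this hunk.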
@@ -369,65 +392,6 @@ sub buildrules {
}
}
-sub get_external_interface() {
- open(IFACE, "/var/ipfire/red/iface") or return "";
- my $iface = <IFACE>;
- close(IFACE);
-
- return $iface;
-}
-
-sub get_external_address() {
- open(ADDR, "/var/ipfire/red/local-ipaddress") or return "";
- my $address = <ADDR>;
- close(ADDR);
-
- return $address;
-}
-
-sub get_alias {
- my $id = shift;
-
- foreach my $alias (sort keys %aliases) {
- if ($id eq $alias) {
- return $aliases{$alias};
- }
- }
-}
-
-sub get_nat_address {
- my $zone = shift;
- my $source = shift;
-
- # Any static address of any zone.
- if ($zone eq "AUTO") {
- if ($source) {
- my $firewall_ip = &get_internal_firewall_ip_address($source, 1);
- if ($firewall_ip) {
- return $firewall_ip;
- }
-
- $firewall_ip = &get_matching_firewall_address($source, 1);
- if ($firewall_ip) {
- return $firewall_ip;
- }
- }
-
- return &get_external_address();
-
- } elsif ($zone eq "RED" || $zone eq "GREEN" || $zone eq "ORANGE" || $zone eq "BLUE") {
- return $defaultNetworks{$zone . "_ADDRESS"};
-
- } elsif ($zone eq "Default IP") {
- return &get_external_address();
-
- } else {
- return &get_alias($zone);
- }
-
- print_error("Could not find NAT address");
-}
-
# Formats the given timestamp into the iptables format which is "hh:mm" UTC.
sub format_time {
my $val = shift;
@@ -493,155 +457,6 @@ sub p2pblock {
}
}
-sub get_addresses {
- my $hash = shift;
- my $key = shift;
- my $type = shift;
-
- my @addresses = ();
- my $addr_type;
- my $value;
- my $group_name;
-
- if ($type eq "src") {
- $addr_type = $$hash{$key}[3];
- $value = $$hash{$key}[4];
-
- } elsif ($type eq "tgt") {
- $addr_type = $$hash{$key}[5];
- $value = $$hash{$key}[6];
- }
-
- if ($addr_type ~~ ["cust_grp_src", "cust_grp_tgt"]) {
- foreach my $grp (sort {$a <=> $b} keys %customgrp) {
- if ($customgrp{$grp}[0] eq $value) {
- my @address = &get_address($customgrp{$grp}[3], $customgrp{$grp}[2], $type);
-
- if (@address) {
- push(@addresses, @address);
- }
- }
- }
- } else {
- my @address = &get_address($addr_type, $value, $type);
-
- if (@address) {
- push(@addresses, @address);
- }
- }
-
- return @addresses;
-}
-
-sub get_address {
- my $key = shift;
- my $value = shift;
- my $type = shift;
-
- my @ret = ();
-
- # If the user manually typed an address, we just check if it is a MAC
- # address. Otherwise, we assume that it is an IP address.
- if ($key ~~ ["src_addr", "tgt_addr"]) {
- if (&General::validmac($value)) {
- push(@ret, "-m mac --mac-source $value");
- } else {
- push(@ret, $value);
- }
-
- # If a default network interface (GREEN, BLUE, etc.) is selected, we
- # try to get the corresponding address of the network.
- } elsif ($key ~~ ["std_net_src", "std_net_tgt", "Standard Network"]) {
- my $external_interface = &get_external_interface();
-
- my $network_address = &fwlib::get_std_net_ip($value, $external_interface);
- if ($network_address) {
- push(@ret, $network_address);
- }
-
- # Custom networks.
- } elsif ($key ~~ ["cust_net_src", "cust_net_tgt", "Custom Network"]) {
- my $network_address = &fwlib::get_net_ip($value);
- if ($network_address) {
- push(@ret, $network_address);
- }
-
- # Custom hosts.
- } elsif ($key ~~ ["cust_host_src", "cust_host_tgt", "Custom Host"]) {
- my $host_address = &fwlib::get_host_ip($value, $type);
- if ($host_address) {
- push(@ret, $host_address);
- }
-
- # OpenVPN networks.
- } elsif ($key ~~ ["ovpn_net_src", "ovpn_net_tgt", "OpenVPN static network"]) {
- my $network_address = &fwlib::get_ovpn_net_ip($value, 1);
- if ($network_address) {
- push(@ret, $network_address);
- }
-
- # OpenVPN hosts.
- } elsif ($key ~~ ["ovpn_host_src", "ovpn_host_tgt", "OpenVPN static host"]) {
- my $host_address = &fwlib::get_ovpn_host_ip($value, 33);
- if ($host_address) {
- push(@ret, $host_address);
- }
-
- # OpenVPN N2N.
- } elsif ($key ~~ ["ovpn_n2n_src", "ovpn_n2n_tgt", "OpenVPN N-2-N"]) {
- my $network_address = &fwlib::get_ovpn_n2n_ip($value, 11);
- if ($network_address) {
- push(@ret, $network_address);
- }
-
- # IPsec networks.
- } elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) {
- my $network_address = &fwlib::get_ipsec_net_ip($value, 11);
- if ($network_address) {
- push(@ret, $network_address);
- }
-
- # The firewall's own IP addresses.
- } elsif ($key ~~ ["ipfire", "ipfire_src"]) {
- # ALL
- if ($value eq "ALL") {
- push(@ret, "0/0");
-
- # GREEN
- } elsif ($value eq "GREEN") {
- push(@ret, $defaultNetworks{"GREEN_ADDRESS"});
-
- # BLUE
- } elsif ($value eq "BLUE") {
- push(@ret, $defaultNetworks{"BLUE_ADDRESS"});
-
- # ORANGE
- } elsif ($value eq "ORANGE") {
- push(@ret, $defaultNetworks{"ORANGE_ADDRESS"});
-
- # RED
- } elsif ($value ~~ ["RED", "RED1"]) {
- my $address = &get_external_address();
- if ($address) {
- push(@ret, $address);
- }
-
- # Aliases
- } else {
- my %alias = &get_alias($value);
- if (%alias) {
- push(@ret, $alias{"IPT"});
- }
- }
-
- # If nothing was selected, we assume "any".
- } else {
- push(@ret, "0/0");
- }
-
- return @ret;
-}
-
sub get_protocols {
my $hash = shift;
my $key = shift;
@@ -701,8 +516,16 @@ sub get_protocol_options {
my $hash = shift;
my $key = shift;
my $protocol = shift;
+ my $nat_options_wanted = shift;
my @options = ();
+ # Nothing to do if no protocol is specified.
+ if ($protocol eq "all") {
+ return @options;
+ } else {
+ push(@options, ("-p", $protocol));
+ }
+
# Process source ports.
my $use_src_ports = ($$hash{$key}[7] eq "ON");
my $src_ports = $$hash{$key}[10];
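Review bot: The early `return @options` for `all` is followed by an `else` that can only run when the return was not taken, so the wrapper is noise; `return @options if $protocol eq "all"; push(@options, ("-p", $protocol));` reads more directly. With the `-p` handling now inside this function, the `if ($protocol ne "all")` guards around both call sites in buildrules are redundant. The new positional `$nat_options_wanted` flag should be described at the top of the function, since callers pass bare `0`/`1`: `# $nat_options_wanted: when true and DNAT is active, the NAT target port (field 30) replaces the destination port`. get_protocol_options continues past the end of the hunk.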
@@ -720,7 +543,7 @@ sub get_protocol_options {
my $dst_ports = $$hash{$key}[15];
if (($dst_ports_mode eq "TGT_PORT") && $dst_ports) {
- if ($use_dnat && $$hash{$key}[30]) {
+ if ($nat_options_wanted && $use_dnat && $$hash{$key}[30]) {
$dst_ports = $$hash{$key}[30];
}
push(@options, &format_ports($dst_ports, "dst"));
@@ -828,50 +651,12 @@ sub make_log_limit_options {
return @options;
}
-sub get_internal_firewall_ip_addresses {
- my $use_orange = shift;
-
- my @zones = ("GREEN", "BLUE");
- if ($use_orange) {
- push(@zones, "ORANGE");
- }
-
- my @addresses = ();
- for my $zone (@zones) {
- next unless (exists $defaultNetworks{$zone . "_ADDRESS"});
-
- my $zone_address = $defaultNetworks{$zone . "_ADDRESS"};
- push(@addresses, $zone_address);
- }
-
- return @addresses;
-}
-
-sub get_internal_firewall_ip_address {
- my $subnet = shift;
- my $use_orange = shift;
-
- my ($net_address, $net_mask) = split("/", $subnet);
- if ((!$net_mask) || ($net_mask ~~ ["32", "255.255.255.255"])) {
- return 0;
- }
-
- my @addresses = &get_internal_firewall_ip_addresses($use_orange);
- foreach my $zone_address (@addresses) {
- if (&General::IpInSubnet($zone_address, $net_address, $net_mask)) {
- return $zone_address;
- }
- }
-
- return 0;
-}
-
sub firewall_is_in_subnet {
my $subnet = shift;
# ORANGE is missing here, because nothing may ever access
# the firewall from this network.
- my $address = &get_internal_firewall_ip_address($subnet, 0);
+ my $address = &fwlib::get_internal_firewall_ip_address($subnet, 0);
if ($address) {
return 1;
@@ -880,27 +665,3 @@ sub firewall_is_in_subnet {
return 0;
}
-sub get_matching_firewall_address {
- my $addr = shift;
- my $use_orange = shift;
-
- my ($address, $netmask) = split("/", $addr);
-
- my @zones = ("GREEN", "BLUE");
- if ($use_orange) {
- push(@zones, "ORANGE");
- }
-
- foreach my $zone (@zones) {
- next unless (exists $defaultNetworks{$zone . "_ADDRESS"});
-
- my $zone_subnet = $defaultNetworks{$zone . "_NETADDRESS"};
- my $zone_mask = $defaultNetworks{$zone . "_NETMASK"};
-
- if (&General::IpInSubnet($address, $zone_subnet, $zone_mask)) {
- return $defaultNetworks{$zone . "_ADDRESS"};
- }
- }
-
- return 0;
-}
diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
index 436bdaf..164e7cb 100644
--- a/html/cgi-bin/firewall.cgi
+++ b/html/cgi-bin/firewall.cgi
@@ -584,8 +584,10 @@ sub checktarget
}
}
}else{
- $errormessage=$Lang::tr{'fwdfw dnat error'}."<br>";
- return $errormessage;
+ if ($fwdfwsettings{'grp2'} ne 'ipfire'){
+ $errormessage=$Lang::tr{'fwdfw dnat error'}."<br>";
+ return $errormessage;
+ }
}
}
if ($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} ne ''){
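Review bot: The new `ne 'ipfire'` exemption accepts a DNAT rule whose target is the firewall without saying why; a comment such as `# DNAT to the firewall itself is allowed: rules.pl emits a REDIRECT rule for it` would tie it to the rules.pl change in the same push. The condition that encloses this `else` starts outside the hunk, so whether the other target types still reach the error cannot be confirmed from here.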
@@ -989,6 +991,12 @@ sub deleterule
&base;
}
}
+sub del_double
+{
+ my %all=();
+ @all{@_}=1;
+ return (keys %all);
+}
sub disable_rule
{
my $key1=shift;
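Review bot: `del_double` returns `keys %all`, so its output order is hash order — the `join(', ', @nat_ifaces)` in the rule table later in this diff will list the NAT interfaces in an arbitrary order that can change between page loads. `@all{@_}=1;` also assigns `1` only to the first slice element and undef to the rest, which only works because `keys` ignores values. The order-preserving idiom is `my %seen; return grep { !$seen{$_}++ } @_;`. `disable_rule` continues outside the hunk.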
@@ -2551,9 +2559,21 @@ END
<td align='center' $tdcolor>
END
#Is this a DNAT rule?
+ my $natstring;
if ($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
if ($$hash{$key}[29] eq 'Default IP'){$$hash{$key}[29]=$Lang::tr{'red1'};}
- print "Firewall ($$hash{$key}[29])";
+ if ($$hash{$key}[29] eq 'AUTO'){
+ my @src_addresses=&fwlib::get_addresses(\%$hash,$key,'src');
+ my @nat_ifaces;
+ foreach my $val (@src_addresses){
+ push (@nat_ifaces,&fwlib::get_nat_address($$hash{$key}[29],$val));
+ }
+ @nat_ifaces=&del_double(@nat_ifaces);
+ $natstring = join(', ', @nat_ifaces);
+ }else{
+ $natstring = $$hash{$key}[29];
+ }
+ print "$Lang::tr{'firewall'} ($natstring)";
if($$hash{$key}[30] ne ''){
$$hash{$key}[30]=~ tr/|/,/;
print": $$hash{$key}[30]";
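Review bot: `\%$hash` dereferences and re-references the hashref just to pass it on; `$hash` alone is the same value. More importantly, `fwlib::get_nat_address` returns `""` when `/var/ipfire/red/local-ipaddress` cannot be opened (the "no internet connection yet" case rules.pl already comments on) and otherwise returns the line newline-terminated, so `@nat_ifaces` can hold an empty entry or entries ending in `\n` that `del_double` keeps as distinct — `chomp` and `grep { $_ ne '' }` the list before joining. `$natstring` is printed into the page unescaped; the values are addresses from the firewall's own configuration, but the alias branch of `get_nat_address` returns whatever the aliases file holds, so HTML-escaping it with the helper this CGI already uses elsewhere is cheap insurance. The enclosing sub starts outside the hunk.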