This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 32c6ebdced9682fdbdbe54059de25a036557d3b0 (commit)
via 6e9cf9ad860616468a0d1367e345dd24a3664c17 (commit)
via 65c9b3a50815587bc212160465c92b6150e6fb77 (commit)
via 2610f3930ab91a3b7ba79a80ac9e6f6d0ea3c724 (commit)
via b062a11bbe730454c48c2c45ff0b1e0eec454471 (commit)
via 13e3cf285e32334e2de1a23a916fa941994fdd23 (commit)
via 179deb37d02efbb6c180568ef361a7caf3ede70e (commit)
via 5f050d607c11a875564916de98cb3c3f2c2ce390 (commit)
via 9556a0fb95e2a7c5458ea2dcaecc29c2a71c5f86 (commit)
via 5a09c99a89fdeed47e0fa9ea0b3623b08422ca26 (commit)
via abb3cfcc9ef1ffec5235ead3b9cad4014c141aa9 (commit)
from 9c3bcb9f00fc09c86312b382bfb594c08fabc9ed (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 32c6ebdced9682fdbdbe54059de25a036557d3b0
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Mar 5 12:31:36 2014 +0100
firewall: Make ICMP ratelimiting a bit saner again.
commit 6e9cf9ad860616468a0d1367e345dd24a3664c17
Merge: 9c3bcb9 65c9b3a
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Mar 5 12:25:12 2014 +0100
Merge remote-tracking branch 'amarx/beta3' into next
commit 65c9b3a50815587bc212160465c92b6150e6fb77
Author: Alexander Marx <alexander.marx(a)ipfire.org>
Date: Wed Mar 5 08:13:04 2014 +0100
Firewall: Remarkcheck should now support old firewallrules from converter
commit 2610f3930ab91a3b7ba79a80ac9e6f6d0ea3c724
Author: Alexander Marx <alexander.marx(a)ipfire.org>
Date: Wed Mar 5 08:02:05 2014 +0100
Firewall: When no manual ip is given on rulecreation and rule is added, there's automatically std_networks "ALL" selected
commit b062a11bbe730454c48c2c45ff0b1e0eec454471
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Mar 4 14:26:55 2014 +0100
firewall: Don't colourise MAC addresses.
Fixes #10491.
commit 13e3cf285e32334e2de1a23a916fa941994fdd23
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Mar 4 14:14:54 2014 +0100
firewall: Extend rate limiting for ICMP error messages.
Fixes #10489.
commit 179deb37d02efbb6c180568ef361a7caf3ede70e
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Mar 4 12:38:13 2014 +0100
firewall: Add chain name to logged rules.
This helps us to debug faster where a packet has been dropped.
commit 5f050d607c11a875564916de98cb3c3f2c2ce390
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Mar 4 12:36:52 2014 +0100
firewall: Add rate limiting for LOG messages.
Fixes #10488.
commit 9556a0fb95e2a7c5458ea2dcaecc29c2a71c5f86
Author: Alexander Marx <alexander.marx(a)ipfire.org>
Date: Tue Mar 4 16:11:35 2014 +0100
Firewall: When no manual ip is given, standard networks "all" is selected
commit 5a09c99a89fdeed47e0fa9ea0b3623b08422ca26
Author: Alexander Marx <alexander.marx(a)ipfire.org>
Date: Tue Mar 4 16:00:14 2014 +0100
Firewall: Now it is possible to just change the remark in input and outgoing
commit abb3cfcc9ef1ffec5235ead3b9cad4014c141aa9
Author: Alexander Marx <alexander.marx(a)ipfire.org>
Date: Tue Mar 4 15:44:02 2014 +0100
Firewall: FIX allowed chars in remark
-----------------------------------------------------------------------
Summary of changes:
config/etc/sysctl.conf | 3 ++-
html/cgi-bin/firewall.cgi | 35 +++++++++++++++--------------------
2 files changed, 17 insertions(+), 21 deletions(-)
Difference in files:
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index a91aeb3..e2e3d81 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -3,7 +3,8 @@ net.ipv4.ip_dynaddr = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
-net.ipv4.icmp_ratemask = 88089
+net.ipv4.icmp_ratelimit = 1000
+net.ipv4.icmp_ratemask = 6168
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 30
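Review bot: The two values are added without a comment, and `icmp_ratemask` is a bitmask that is hard to audit by eye. 6168 is 0x1818, i.e. ICMP types 3, 4, 11 and 12 (destination unreachable, source quench, time exceeded, parameter problem), which is the kernel's documented default; compared with the old 88089 it no longer covers echo replies, timestamp replies and information replies, so any limit on those has to come from the packet filter rules. I would add `# icmp_ratemask 6168 = 0x1818: limit ICMP types 3, 4, 11, 12 (kernel default); icmp_ratelimit is in milliseconds` above the two lines.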
diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
index dfb9697..e633b3c 100644
--- a/html/cgi-bin/firewall.cgi
+++ b/html/cgi-bin/firewall.cgi
@@ -194,6 +194,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
$errormessage=&checksource;
if(!$errormessage){&checktarget;}
if(!$errormessage){&checkrule;}
+
#check if manual ip (source) is orange network
if ($fwdfwsettings{'grp1'} eq 'src_addr'){
my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}});
@@ -313,6 +314,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
$errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
}
+ if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && &validremark($fwdfwsettings{'ruleremark'})){
+ $errormessage='';
+ }
if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){
$fwdfwsettings{'nosave'} = 'on';
}
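Review bot: The added `$errormessage='';` discards every error collected so far, not only one that concerns the remark. Earlier in the same `saverule` branch `$errormessage` is filled by `&checksource`, `&checktarget` and `&checkrule` (hunk at line 194), so if any of those messages is still set at this point, an update that changes the remark to a valid value would clear it and the rule could be saved despite failing validation. If the goal is only to allow remark-only edits, drop these three lines and make the check that raises the unwanted error skip when the remark differs, instead of resetting the shared variable. The branch starts and ends outside this hunk, so the code between the two places is not visible here.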
@@ -504,8 +508,8 @@ sub checksource
return $errormessage;
}
}elsif($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} eq ''){
- $errormessage.=$Lang::tr{'fwdfw err nosrcip'};
- return $errormessage;
+ $fwdfwsettings{'grp1'}='std_net_src';
+ $fwdfwsettings{$fwdfwsettings{'grp1'}} = 'ALL';
}
#check empty fields
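Review bot: An empty manual source address is now rewritten to `std_net_src` = `ALL` instead of being rejected, so a field left blank by mistake yields a rule that matches every source; the same change is made for the target in `checktarget` (hunk at line 605). For a firewall UI this is the wider of the two possible defaults, and nothing in the visible lines tells the user that it happened. If the fallback is kept, document it at both places, e.g. `# no manual address given: fall back to standard network 'ALL' (matches any source)`, and ideally show the substituted value before the rule is saved. `checksource` starts and ends outside this hunk.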
@@ -605,8 +609,8 @@ sub checktarget
return $errormessage;
}
}elsif($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} eq ''){
- $errormessage.=$Lang::tr{'fwdfw err notgtip'};
- return $errormessage;
+ $fwdfwsettings{'grp2'}='std_net_tgt';
+ $fwdfwsettings{$fwdfwsettings{'grp2'}} = 'ALL';
}
#check for mac in targetgroup
if ($fwdfwsettings{'grp2'} eq 'cust_grp_tgt'){
@@ -2137,6 +2141,8 @@ sub saverule
&changerule($configfwdfw);
#print"6";
}
+ $fwdfwsettings{'ruleremark'}=~ s/,/;/g;
+ $fwdfwsettings{'ruleremark'}=&Header::escape($fwdfwsettings{'ruleremark'});
if ($fwdfwsettings{'updatefwrule'} ne 'on'){
my $key = &General::findhasharraykey ($hash);
$$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'};
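Review bot: The remark is passed through `&Header::escape` before it is stored, which puts the output encoding into the saved data rather than at the point of display. Assuming that helper HTML-escapes its argument, a rule that is edited and saved again may be escaped twice, remarks written by earlier versions or by the converter stay unescaped, and the comparison with `oldruleremark` in the save branch may see two forms of the same text. Storing the raw remark and escaping it where it is printed would avoid all three. The `s/,/;/g` line also deserves a comment, e.g. `# ',' would be read as a field separator in the rule file`, if that is the reason; `saverule` continues outside the hunk.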
@@ -2272,22 +2278,11 @@ sub saverule
sub validremark
{
# Checks a hostname against RFC1035
- my $remark = $_[0];
-
- # Each part should be at least two characters in length
- # but no more than 63 characters
- if (length ($remark) < 1 || length ($remark) > 255) {
- return 0;}
- # Only valid characters are a-z, A-Z, 0-9 and -
- if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:;\|_()\/\s]*$/) {
- return 0;}
- # First character can only be a letter or a digit
- if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9(]*$/) {
- return 0;}
- # Last character can only be a letter or a digit
- if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9.:;_)]*$/) {
- return 0;}
- return 1;
+ my $remark = $_[0];
+ if ($remark =~ /^[[:print:]]*$/) {
+ return 1;
+ }
+ return 0;
}
sub viewtablerule
{
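Review bot: The new pattern `/^[[:print:]]*$/` still accepts a remark that ends in a newline, because `$` matches before a trailing `\n`, and the 255-character limit of the old code is gone. Since the remark is written to the rule file by `saverule`, I would anchor and bound it: `if ($remark =~ /\A[[:print:]]{0,255}\z/) {`. The leftover comment `# Checks a hostname against RFC1035` no longer describes the function and should become `# Accepts printable characters only (no control characters)`. Whether `[[:print:]]` matches the umlauts that the old character class allowed depends on how the CGI input is decoded, which is not visible here.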
hooks/post-receive
--
IPFire 2.x development tree