This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, fifteen has been updated via 784098e4db6b4aca11b4b39d0fec17f8a2d3ad0c (commit) via 0c733ab7502e5eb10e5ecbd4f9ad4196670fe175 (commit) via 2be048cedc75c8e09233a819d3eae5107a4ab452 (commit) via 02cb636c8b0abfeb8805d058e29d1a3f8d53ce9a (commit) via 5558ca2a9614c8d4393dc9287e4c0e7f7f014a95 (commit) via cdb3536bc82e410b4678a4740c198ecf74ec8bd3 (commit) from 09efb767f43718512311357a5634d00c8ad8c32e (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 784098e4db6b4aca11b4b39d0fec17f8a2d3ad0c Author: Alexander Marx amarx@ipfire.org Date: Thu Dec 5 15:51:15 2013 +0100
Firewall: forgot to delete a development test string
commit 0c733ab7502e5eb10e5ecbd4f9ad4196670fe175 Author: Alexander Marx amarx@ipfire.org Date: Mon Dec 2 07:56:01 2013 +0100
Firewall: Bugfix: Fixed wrong language strings in outgoing FW rules when using std networks or ipfire
commit 2be048cedc75c8e09233a819d3eae5107a4ab452 Author: Alexander Marx amarx@ipfire.org Date: Fri Nov 29 13:41:57 2013 +0100
Firewall: Fixed wrong language strings in outgoing Firewall
commit 02cb636c8b0abfeb8805d058e29d1a3f8d53ce9a Author: Alexander Marx amarx@ipfire.org Date: Tue Nov 26 13:34:08 2013 +0100
Firewall: Fixes commit http://git.ipfire.org/?p=people/amarx/ipfire-2.x.git;a=commitdiff;h=e19a36c4...
Now all "active" Strings from all languagefiles are checked against the old rule to find out if logging is enabled
Conflicts: config/firewall/convert-outgoingfw
commit 5558ca2a9614c8d4393dc9287e4c0e7f7f014a95 Author: Alexander Marx amarx@ipfire.org Date: Tue Nov 26 13:02:08 2013 +0100
Firewall: fixes commit http://git.ipfire.org/?p=people/amarx/ipfire-2.x.git;a=commitdiff;h=1ed4b214...
Conflicts: html/cgi-bin/firewall.cgi
commit cdb3536bc82e410b4678a4740c198ecf74ec8bd3 Author: Alexander Marx amarx@ipfire.org Date: Tue Nov 26 11:45:05 2013 +0100
Firewall: BUGFIX: rules.pl did not create LOGGING rules properly.
-----------------------------------------------------------------------
Summary of changes: config/firewall/convert-outgoingfw | 8 +++++++- config/firewall/rules.pl | 33 +++++++++++++++++++++++++-------- html/cgi-bin/firewall.cgi | 19 +++++++++++-------- langs/de/cgi-bin/de.pl | 2 +- 4 files changed, 44 insertions(+), 18 deletions(-)
Difference in files:
diff --git a/config/firewall/convert-outgoingfw b/config/firewall/convert-outgoingfw
index 0d7f7d3..d7722f4 100755
--- a/config/firewall/convert-outgoingfw
+++ b/config/firewall/convert-outgoingfw
@@ -62,6 +62,7 @@ my %fwconfigout=();
 my %fwdsettings=();
 my %ownnet=();
 my %ovpnSettings = ();
+my @active= ('Aktiv', 'aktiv', 'Active', 'Activo', 'Actif', 'Actief', 'Aktywne', 'Активен', 'Aktif');
 &General::readhash("${General::swroot}/ovpn/settings", %ovpnSettings);
 &General::readhash($outfwsettings,%outsettings);
 &General::readhash("${General::swroot}/ethernet/settings", %ownnet);
@@ -382,7 +383,12 @@ sub process_rules
 $configline[4] =~ s/,/;/g;
 $remark = $configline[4];
 }else{$remark = '';}
- if($configline[9] eq 'Active'){ $log='ON';}else{$log='';}
+ #find all "active" tags in all language files and check them against the old config
+ my $logging='0';
+ foreach (@active){
+ $logging='1' if ($_ eq $configline[9]);
+ }
+ if($logging eq '1' ){ $log='ON';}else{$log='';}
 if($configline[10] eq 'on' && $configline[11] eq 'on' && $configline[12] eq 'on' && $configline[13] eq 'on' && $configline[14] eq 'on' && $configline[15] eq 'on' && $configline[16] eq 'on'){
 if($configline[17] eq '00:00' && $configline[18] eq '00:00'){
 $time='';
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index f1584f3..c54a2eb 100755
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -259,6 +259,7 @@ sub buildrules
 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
 if($DPROT ne ''){
 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){$STAG="-s";}
+ #Process ICMP RULE
 if(substr($DPORT, 2, 4) eq 'icmp'){
 my @icmprule= split(",",substr($DPORT, 12,));
 foreach (@icmprule){
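Review bot: In the @@ -382 hunk of convert-outgoingfw, a rule whose stored status word is not one of the nine strings in `@active` is converted with `$log=''` and nothing reports it, so an installation whose old config used any other translation or spelling would lose logging on its converted rules without notice. The list is added in the @@ -62 hunk without a comment; I would add one there such as `# must contain the 'active' value of every shipped language file, in every spelling ever released`, since this same push changes the German value from 'aktiv' to 'Aktiv'. The flag loop can be written as `my $logging = grep { $_ eq $configline[9] } @active;` followed by `if($logging){ $log='ON';}else{$log='';}`. What the old config stores for a disabled rule is not visible here, so whether unmatched values can be reported safely needs checking against the old file format. process_rules starts and ends outside the hunk.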
@@ -272,10 +273,11 @@ sub buildrules
 }
 print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]\n";
 }
+ #PROCESS DNAT RULE (Portforward)
 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
 $natchain='NAT_DESTINATION';
 if ($$hash{$key}[17] eq 'ON'){
- print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
+ print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
 }
 my ($ip,$sub) =split("/",$targethash{$b}[0]);
 #Process NAT with servicegroup used
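Review bot: The `--log-prefix 'DNAT'` on the changed print line has no trailing separator, and iptables prepends the prefix verbatim, so kernel log entries begin with `DNATIN=...` and are harder to match in log filters; `--log-prefix 'DNAT '` keeps the prefix a token of its own. The same applies to the `'SNAT'` prefix added in the @@ -298 hunk and to the `system` copies of both lines in the @@ -345 and @@ -371 hunks. `$natip` and `$fireport` are set outside this hunk, so it cannot be confirmed here that the LOG rule matches exactly the packets of the DNAT rule it precedes; a one-line comment stating what `$natip` expands to at this point would make that checkable. buildrules starts and ends outside the hunk.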
@@ -298,17 +300,26 @@ sub buildrules
 }
 print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
 next;
+ #PROCESS SNAT RULE
 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
 $natchain='NAT_SOURCE';
+ if ($$hash{$key}[17] eq 'ON' ){
+ print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT' \n";
+ }
 print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
 }
- if ($$hash{$key}[17] eq 'ON' ){
- print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
- }
+ #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
 if ($PROT ne '-p ICMP'){
+ if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ }
 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
 }
+ #PROCESS Prot ICMP and type = All ICMP-Types
 if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
+ if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ }
 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
 }
 }
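Review bot: The two new LOG lines for non-NAT rules start with `$command $$hash{$key}[1]`, while the action rule printed right after each of them starts with the literal `iptables -A $$hash{$key}[1]`. `$command` is defined outside the hunk and is also what prefixes the NAT_SOURCE and NAT_DESTINATION rules, so if it ever differs from `iptables -A` (another table, or insert instead of append) the LOG rule would not sit directly in front of the rule it is meant to log. Starting both lines of each pair with the same prefix, `iptables -A $$hash{$key}[1]`, would make the pairing certain; the same applies to the `system` copies in the @@ -371 hunk. As written, a rule with `$$hash{$key}[28] eq 'ON'` and logging enabled whose `[31]` is neither 'dnat' nor 'snat' no longer gets any LOG rule, which deserves a comment if intended.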
@@ -345,7 +356,7 @@ sub buildrules
 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
 $natchain='NAT_DESTINATION';
 if ($$hash{$key}[17] eq 'ON'){
- system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
+ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
 }
 my ($ip,$sub) =split("/",$targethash{$b}[0]);
 #Process NAT with servicegroup used
@@ -371,17 +382,23 @@ sub buildrules
 #PROCESS SNAT RULE
 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
 $natchain='NAT_SOURCE';
+ if ($$hash{$key}[17] eq 'ON' ){
+ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT' \n";
+ }
 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
 }
- if ($$hash{$key}[17] eq 'ON' && substr($DPORT, 2, 4) ne 'icmp'){
- system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
- }
 #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
 if ($PROT ne '-p ICMP'){
+ if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
+ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ }
 system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
 }
 #PROCESS Prot ICMP and type = All ICMP-Types
 if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
+ if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
+ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ }
 system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
 }
 }
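Review bot: Every `system "..."` call added in the @@ -345 and @@ -371 hunks passes one interpolated string, so Perl runs it through the shell, and none of the return values is checked. `$sourcehash{$a}[0]`, `$targethash{$b}[0]`, `$TIME`, `$natip` and the `$$hash{$key}` fields are filled outside the hunks; if any of them can carry text from the stored rule configuration, the shell would interpret metacharacters in it. A LOG or NAT rule that iptables rejects also fails silently, leaving the firewall without the logging the user enabled. I would build the arguments as a list and use the list form of `system`, which also removes the need for shell quoting around the log prefix, and report failures, for example `... == 0 or print STDERR "iptables failed (exit $?)\n";`. buildrules starts and ends outside the hunks.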
diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
index d2aa217..58b16a5 100755
--- a/html/cgi-bin/firewall.cgi
+++ b/html/cgi-bin/firewall.cgi
@@ -1182,7 +1182,7 @@ END
 if ($show eq '1'){$show='';print"</select></td></tr>";}
 #IPsec netze
 foreach my $key (sort { ncmp($ipsecconf{$a}[1],$ipsecconf{$b}[1]) } keys %ipsecconf) {
- if ($ipsecconf{$key}[3] eq 'net' || $optionsfw{'SHOWDROPDOWN'} eq 'on'){
+ if ($ipsecconf{$key}[3] eq 'net' || ($optionsfw{'SHOWDROPDOWN'} eq 'on' && $ipsecconf{$key}[3] ne 'host')){
 print"<tr><td valign='top'><input type='radio' name='$grp' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'>" if ($show eq '');
 $show='1';
 print "<option ";
@@ -2579,8 +2579,14 @@ END
 }
 }elsif ($$hash{$key}[4] eq 'RED1'){
 print "$ipfireiface $Lang::tr{'fwdfw red'}";
+ }elsif ($$hash{$key}[4] eq 'ALL'){
+ print "$ipfireiface $Lang::tr{'all'}";
 }else{
- print "$$hash{$key}[4]";
+ if ($$hash{$key}[4] eq 'GREEN' || $$hash{$key}[4] eq 'ORANGE' || $$hash{$key}[4] eq 'BLUE' || $$hash{$key}[4] eq 'RED'){
+ print "$ipfireiface $Lang::tr{lc($$hash{$key}[4])}";
+ }else{
+ print "$ipfireiface $$hash{$key}[4]";
+ }
 }
 $tdcolor='';
 #SOURCEPORT
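Review bot: In the @@ -2579 hunk the new fallback `print "$ipfireiface $$hash{$key}[4]";` writes the stored field into the page as-is. The removed line did the same, but this is now the one path that handles values other than the fixed zone names, so it is the place to HTML-escape the value with the project's existing escaping helper. Whether the field can hold user-chosen text is not visible from the hunk. `$ipfireiface` is assigned outside the hunk and is now printed in every branch, while the @@ -2625 hunk removes its `'Interface'` assignment, so a short comment stating what it contains at this point would help the next reader.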
@@ -2625,15 +2631,12 @@ END } print"<br>->"; } - if ($$hash{$key}[5] eq 'ipfire'){ - $ipfireiface='Interface'; - } - if ($$hash{$key}[5] eq 'std_net_tgt' || $$hash{$key}[5] eq 'ipfire' || $$hash{$key}[6] eq 'RED1' || $$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE' ){ + if ($$hash{$key}[5] eq 'std_net_tgt' || $$hash{$key}[5] eq 'ipfire'){ if ($$hash{$key}[6] eq 'RED1'){ - print "$ipfireiface $Lang::tr{'red1'}"; + print "$Lang::tr{'red1'}"; }elsif ($$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE'|| $$hash{$key}[6] eq 'ALL' || $$hash{$key}[6] eq 'RED') { - print "$ipfireiface ".&get_name($$hash{$key}[6]); + print &get_name($$hash{$key}[6]); }else{ print $$hash{$key}[6]; } diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 5bcf5c8..dd7eb78 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -71,7 +71,7 @@ 'action' => 'Aktion', 'activate' => 'aktivieren', 'activate user' => 'Benutzer aktivieren', -'active' => 'aktiv', +'active' => 'Aktiv', 'add' => 'Hinzufügen', 'add a host' => 'Host hinzufügen:', 'add a new rule' => 'Neue Regel hinzufügen:',
hooks/post-receive -- IPFire 2.x development tree