This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 826c22d66c3eae74bb4c7287cdd81478a5341e01 (commit) via e9b5ba417924d00309736ca045997c5dec7ce4d3 (commit) via cbb88df1548953beeca06d462c9d3006a15dc9ef (commit) via e55334753d7dc49db0b5530b78b8d0f15ca03e9c (commit) via 5ef260ae4192d644d621f82bfb0a8f514088cc0c (commit) via d7050fc04a06f0decd8faf12c559e899b3848191 (commit) from 9a5050b4c5e9a2635f859cae14820827742dfcf4 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 826c22d66c3eae74bb4c7287cdd81478a5341e01 Merge: e9b5ba4 e553347 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 10 21:35:15 2014 +0100
Merge remote-tracking branch 'amarx/INDEX' into next
commit e9b5ba417924d00309736ca045997c5dec7ce4d3 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 10 19:40:20 2014 +0100
firewall: Add auxiliary rules for firewall access.
Rules for accessing the firewall are added when access to networks (GREEN, BLUE, ...) the firewall resides in is allowed.
commit cbb88df1548953beeca06d462c9d3006a15dc9ef Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 10 16:11:50 2014 +0100
vpnmain.cgi: Remove left-over </td> tag.
commit e55334753d7dc49db0b5530b78b8d0f15ca03e9c Author: Alexander Marx alexander.marx@ipfire.org Date: Mon Mar 10 12:54:06 2014 +0100
graphs.pl: fixed layout on Nexus 7 devices; the "hour-Day-week-month-year" links are now on top of the graph
commit 5ef260ae4192d644d621f82bfb0a8f514088cc0c Author: Alexander Marx alexander.marx@ipfire.org Date: Mon Mar 10 12:22:32 2014 +0100
index.cgi: fix colors and tables for vpn connections
commit d7050fc04a06f0decd8faf12c559e899b3848191 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Mar 8 17:29:47 2014 +0100
ipsec: Allow to create firewall rules for IPsec input as well.
-----------------------------------------------------------------------
Summary of changes: config/cfgroot/graphs.pl | 2 +- config/firewall/firewall-policy | 9 +++++ config/firewall/rules.pl | 36 +++++++++++++++++ html/cgi-bin/index.cgi | 10 ++--- html/cgi-bin/vpnmain.cgi | 2 +- src/patches/strongswan-5.0.2_ipfire.patch | 66 +++++++++++++++++++------------ 6 files changed, 93 insertions(+), 32 deletions(-)
Difference in files:
diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl
index cc00c66..81b6fa4 100644
--- a/config/cfgroot/graphs.pl
+++ b/config/cfgroot/graphs.pl
@@ -92,8 +92,8 @@ sub makegraphbox {
 print "<a href='".$_[0]."?".$_[1]."?month' target='".$_[1]."box'><b>".$Lang::tr{'month'}."</b></a>";
 print " - ";
 print "<a href='".$_[0]."?".$_[1]."?year' target='".$_[1]."box'><b>".$Lang::tr{'year'}."</b></a>";
- print "<iframe src='".$_[0]."?".$_[1]."?".$_[2]."' width='".$width."' height='".$height."' scrolling='no' frameborder='no' marginheight='0' name='".$_[1]."box'></iframe>";
 print "</center>";
+ print "<iframe src='".$_[0]."?".$_[1]."?".$_[2]."' width='".$width."' height='".$height."' scrolling='no' frameborder='no' marginheight='0' name='".$_[1]."box'></iframe>";
 }
# Generate the CPU Graph for the current period of time for values given by
diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index b820a7f..2c583c5 100755
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -52,10 +52,19 @@ case "${CONFIG_TYPE}" in
 ;;
 esac
+HAVE_IPSEC="true"
 HAVE_OPENVPN="true"
# INPUT
+# IPsec INPUT
+case "${HAVE_IPSEC},${POLICY}" in
+ true,MODE1) ;;
+ true,*)
+ iptables -A POLICYIN -m policy --pol ipsec --dir in -j ACCEPT
+ ;;
+esac
+
 # OpenVPN INPUT
 # Allow direct access to the internal IP addresses of the firewall
 # from remote subnets if forward policy is allowed.
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 4bb40a4..51ddb44 100755
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -278,6 +278,11 @@ sub buildrules {
 # Add time constraint options.
 push(@options, @time_options);
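Review bot: `HAVE_IPSEC` is assigned the literal `"true"` just above this case statement, so the `true,MODE1)` arm is the only thing that ever suppresses the new `iptables -A POLICYIN -m policy --pol ipsec --dir in -j ACCEPT` rule; if the variable is meant to track whether IPsec is actually enabled, as its name suggests, it should be read from the IPsec settings instead, otherwise the constant adds nothing over testing `${POLICY}` directly. The rule accepts every decapsulated IPsec packet addressed to the firewall regardless of peer, protocol or port, which is a policy decision that deserves a comment on the `true,*)` arm, e.g. `# Any IPsec peer may reach the firewall itself unless the policy is MODE1.` `HAVE_OPENVPN` appears to be a constant in the same style, so this may simply follow the file's existing convention.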
+ my $firewall_is_in_source_subnet = 0;
+ if ($source) {
+ $firewall_is_in_source_subnet = &firewall_is_in_subnet($source);
+ }
+
 # Process NAT rules.
 if ($NAT) {
 my $nat_address = &get_nat_address($$hash{$key}[29]);
@@ -326,6 +331,14 @@ sub buildrules {
 }
push(@options, @source_options);
+
+ if ($firewall_is_in_source_subnet && ($fwdfwsettings{"POLICY"} eq "MODE1") && ($chain eq $CHAIN_FORWARD)) {
+ if ($LOG && !$NAT) {
+ run("$IPTABLES -A $CHAIN_INPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
+ }
+ run("$IPTABLES -A $CHAIN_INPUT @options -j $target");
+ }
+
 push(@options, @destination_options);
# Insert firewall rule.
@@ -781,3 +794,26 @@ sub make_log_limit_options {
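Review bot: The INPUT rule added here is built from `@options` before `@destination_options` is pushed, so it carries the protocol, time and source options but no destination match: every FORWARD rule whose source subnet contains a GREEN or BLUE firewall address also opens the firewall itself to that source on any of its addresses, whatever the FORWARD rule's destination was. If that is the intent, a comment on the `if` line should say so, e.g. `# MODE1: a source network that contains the firewall may also reach the firewall itself (any address), mirroring the FORWARD rule.`; if the intent is the network being accessed, as the commit message's "access to networks the firewall resides in" could be read, then `firewall_is_in_subnet` should be evaluated on the destination rather than on `$source`. The `$LOG && !$NAT` condition that suppresses the LOG rule for NAT rules also has no stated reason. `buildrules` starts and ends outside this hunk.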
return @options;
 }
+
+sub firewall_is_in_subnet {
+ my $subnet = shift;
+
+ my ($net_address, $net_mask) = split("/", $subnet);
+ if (!$net_mask) {
+ return 0;
+ }
+
+ # ORANGE is missing here, because nothing may ever access
+ # the firewall from this network.
+ foreach my $zone ("GREEN", "BLUE") {
+ next unless (exists $defaultNetworks{$zone . "_ADDRESS"});
+
+ my $zone_address = $defaultNetworks{$zone . "_ADDRESS"};
+
+ if (&General::IpInSubnet($zone_address, $net_address, $net_mask)) {
+ return 1;
+ }
+ }
+
+ return 0;
+}
diff --git a/html/cgi-bin/index.cgi b/html/cgi-bin/index.cgi
index c5ccae8..2ce4030 100644
--- a/html/cgi-bin/index.cgi
+++ b/html/cgi-bin/index.cgi
@@ -358,7 +358,7 @@ if (($confighash{'ENABLED'} eq "on") ||
 $ovpnip="$ovpnip/$sub";
 print <<END;
 <tr>
- <td style='width:25%; text-align:center; background-color:$Header::colourvpn;'>
+ <td style='width:25%; text-align:center; background-color:$Header::colourovpn;'>
 <a href='/cgi-bin/ovpnmain.cgi' style='color:white'><b>OpenVPN</b></a>
 </td>
 <td style='width:30%; text-align:center;'>$ovpnip</td>
@@ -372,7 +372,7 @@ print"</table>";
 #Check if there are any vpns configured (ipsec and openvpn)
 &General::readhasharray("${General::swroot}/vpn/config", %vpnconfig);
 foreach my $key (sort { ncmp($vpnconfig{$a}[1],$vpnconfig{$b}[1]) } keys %vpnconfig) {
- if ($vpnconfig{$key}[0] eq 'on'){
+ if ($vpnconfig{$key}[0] eq 'on' && $vpnconfig{$key}[3] ne 'host'){
 $showipsec=1;
 $showbox=1;
 last;
@@ -409,7 +409,7 @@ if ($showbox){
 </tr>
 END
 foreach my $key (sort { uc($vpnconfig{$a}[1]) cmp uc($vpnconfig{$b}[1]) } keys %vpnconfig) {
- if ($vpnconfig{$key}[0] eq 'on') {
+ if ($vpnconfig{$key}[0] eq 'on' && $vpnconfig{$key}[3] ne 'host') {
 $count++;
 my ($vpnip,$vpnsub) = split("/",$vpnconfig{$key}[11]);
 $vpnsub=&General::iporsubtocidr($vpnsub);
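Review bot: In `firewall_is_in_subnet`, `if (!$net_mask)` treats a mask of `0` the same as a missing one, so a `/0` subnet, should a caller ever pass one, would be reported as not containing the firewall even though it contains everything; `return 0 unless defined $net_mask && length $net_mask;` keeps the guard for a bare address while letting `General::IpInSubnet` decide the rest. Whether `$subnet` arrives as `address/prefix` or `address/dotted-mask` is not visible in this hunk and depends on what `General::IpInSubnet` accepts, so the accepted form should be stated in a header comment such as `# Returns 1 if a GREEN or BLUE address of this firewall lies inside $subnet ("address/mask"), 0 for a bare address or no match.` The existing ORANGE comment is the kind of why-comment the rest of the function could use.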
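Review bot: The new `$vpnconfig{$key}[3] ne 'host'` condition is written out twice, in the index.cgi hunks at `@@ -372,7 +372,7 @@` and `@@ -409,7 +409,7 @@`, and nothing in either hunk says what column 3 of `vpn/config` holds beyond the fact that it is compared with `'host'`. A small helper keeps the two loops from drifting apart, e.g. `sub show_vpn_entry { my $entry = shift; return $entry->[0] eq 'on' && $entry->[3] ne 'host'; }` called as `next unless show_vpn_entry($vpnconfig{$key});`, with a one-line comment above it naming the column. What column 3 actually represents has to be confirmed against the code that writes `vpn/config`; I cannot tell from the hunk.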
@@ -420,8 +420,8 @@ END
 $col = $color{'color20'};
 }
 print "<tr>";
- print "<td style='text-align:left; color:white; background-color:$Header::colourovpn;'>$vpnconfig{$key}[1]</td>";
- print "<td style='text-align:left; background-color:$col'>$vpnip</td>";
+ print "<td style='text-align:left; color:white; background-color:$Header::colourvpn;'>$vpnconfig{$key}[1]</td>";
+ print "<td style='text-align:center; background-color:$col'>$vpnip</td>";
my $activecolor = $Header::colourred;
 my $activestatus = $Lang::tr{'capsclosed'};
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 7e90649..af836da 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -2520,7 +2520,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 <td>
 <label>
 <input type='checkbox' name='ONLY_PROPOSED' $checked{'ONLY_PROPOSED'} />
- IKE+ESP: $Lang::tr{'use only proposed settings'}</td>
+ IKE+ESP: $Lang::tr{'use only proposed settings'}
 </label>
 </td>
 </tr>
diff --git a/src/patches/strongswan-5.0.2_ipfire.patch b/src/patches/strongswan-5.0.2_ipfire.patch
index 6606095..71eb24e 100644
--- a/src/patches/strongswan-5.0.2_ipfire.patch
+++ b/src/patches/strongswan-5.0.2_ipfire.patch
@@ -1,8 +1,6 @@ -diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in -index 3a40e21..d9f3ea0 100644 --- a/src/_updown/_updown.in +++ b/src/_updown/_updown.in -@@ -193,6 +193,29 @@ custom:*) # custom parameters (see above CAUTION comment) +@@ -178,6 +178,29 @@ ;; esac
@@ -32,7 +30,7 @@ index 3a40e21..d9f3ea0 100644 # utility functions for route manipulation # Meddling with this stuff should not be necessary and requires great care. uproute() { -@@ -397,12 +420,12 @@ up-host:iptables) +@@ -407,12 +430,12 @@ # connection to me, with (left/right)firewall=yes, coming up # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -46,9 +44,9 @@ index 3a40e21..d9f3ea0 100644 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50 # - # log IPsec host connection setup - if [ $VPN_LOGGING ] -@@ -410,10 +433,10 @@ up-host:iptables) + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) +@@ -428,10 +451,10 @@ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO \ @@ -61,7 +59,7 @@ index 3a40e21..d9f3ea0 100644 fi fi ;; -@@ -421,12 +444,12 @@ down-host:iptables) +@@ -439,12 +462,12 @@ # connection to me, with (left/right)firewall=yes, going down # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -75,9 +73,9 @@ index 3a40e21..d9f3ea0 100644 - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50 # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] -@@ -434,10 +457,10 @@ down-host:iptables) + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] +@@ -459,10 +482,10 @@ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO -- \ @@ -90,7 +88,7 @@ index 3a40e21..d9f3ea0 100644 fi fi ;; -@@ -447,24 +470,24 @@ up-client:iptables) +@@ -472,24 +495,24 @@ # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] then 
@@ -113,16 +111,26 @@ index 3a40e21..d9f3ea0 100644 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT +- -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ ++ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN + iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50 fi # - # log IPsec client connection setup -@@ -473,12 +496,51 @@ up-client:iptables) + # allow IPIP traffic because of the implicit SA created by the kernel if +@@ -497,7 +520,7 @@ + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then +- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ ++ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # +@@ -507,12 +530,51 @@ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO \ @@ -176,7 +184,7 @@ index 3a40e21..d9f3ea0 100644 ;; down-client:iptables) # connection to client subnet, with (left/right)firewall=yes, going down -@@ -486,28 +548,28 @@ down-client:iptables) +@@ -520,34 +582,34 @@ # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] then 
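Review bot: In the up-client arm the inbound client rule moved into `IPSECINPUT` now ends in `-j RETURN` (the `++ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN` line), while the IPComp exception moved into the same chain a few lines below keeps `-j ACCEPT`. If RETURN is meant to hand the accept decision back to whatever calls IPSECINPUT, the IPIP rule bypasses that for protocol 4 traffic from `$PLUTO_PEER`; if its ACCEPT is deliberate because that rule is already restricted by `$IPSEC_POLICY_IN`, a comment on the patched line saying so would stop the next reader from aligning it with the RETURN. The same RETURN/ACCEPT pairing recurs in the down-client teardown hunk at `@@ -202,8 +210,9 @@`. The `up-client:iptables` case arm these lines belong to starts before this hunk.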
@@ -202,8 +210,9 @@ index 3a40e21..d9f3ea0 100644 + iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT +- $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ ++ $IPSEC_POLICY_IN -j RETURN + iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT $S_MY_PORT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ @@ -211,8 +220,15 @@ index 3a40e21..d9f3ea0 100644 + $IPSEC_POLICY_OUT -j MARK --set-mark 50 fi # - # log IPsec client connection teardown -@@ -516,12 +578,51 @@ down-client:iptables) + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then +- iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ ++ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # +@@ -557,12 +619,51 @@ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] then logger -t $TAG -p $FAC_PRIO -- \ @@ -266,7 +282,7 @@ index 3a40e21..d9f3ea0 100644 ;; # # IPv6 -@@ -556,10 +657,10 @@ up-host-v6:iptables) +@@ -597,10 +698,10 @@ # connection to me, with (left/right)firewall=yes, coming up # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. @@ -279,7 +295,7 @@ index 3a40e21..d9f3ea0 100644 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # -@@ -580,10 +681,10 @@ down-host-v6:iptables) +@@ -621,10 +722,10 @@ # connection to me, with (left/right)firewall=yes, going down # This is used only by the default updown script, not by your custom # ones, so do not mess with it; see CAUTION comment up at top. 
@@ -292,7 +308,7 @@ index 3a40e21..d9f3ea0 100644 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # -@@ -606,10 +707,10 @@ up-client-v6:iptables) +@@ -647,10 +748,10 @@ # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] then @@ -305,7 +321,7 @@ index 3a40e21..d9f3ea0 100644 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT fi -@@ -618,10 +719,10 @@ up-client-v6:iptables) +@@ -659,10 +760,10 @@ # or sometimes host access via the internal IP is needed if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then @@ -318,7 +334,7 @@ index 3a40e21..d9f3ea0 100644 -s $PLUTO_MY_CLIENT $S_MY_PORT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi -@@ -645,11 +746,11 @@ down-client-v6:iptables) +@@ -686,11 +787,11 @@ # ones, so do not mess with it; see CAUTION comment up at top. if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] then @@ -332,7 +348,7 @@ index 3a40e21..d9f3ea0 100644 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT \ $IPSEC_POLICY_IN -j ACCEPT -@@ -659,11 +760,11 @@ down-client-v6:iptables) +@@ -700,11 +801,11 @@ # or sometimes host access via the internal IP is needed if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then