This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, fifteen has been updated
       via  7d3b1f7eafe2122c3b9cc0c46448846158a6abf7 (commit)
       via  7db6ad6acb8ba4339cb26970bf261942e90b65c0 (commit)
       via  49192c7b313d0fae39f16479594c06ca06684060 (commit)
       via  14bcb9a23d6d96fedaf0d5d71f65a8e7a8e6a4eb (commit)
       via  a15f7d0dd53d686bd77e5a94eadc0ea9853feace (commit)
       via  d8afe3e2c0690899e2efa6742b13a619c4f92298 (commit)
       via  dd4796fbea96922f3bf58bcf866cf9ea7aaa70f0 (commit)
      from  ac14b325e03276f9e17e334b03a3d3129903bac7 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 7d3b1f7eafe2122c3b9cc0c46448846158a6abf7
Author: Alexander Marx amarx@ipfire.org
Date:   Tue Nov 12 16:24:29 2013 +0100

    Firewall: new error message for maximum number of ports in servicegroups

commit 7db6ad6acb8ba4339cb26970bf261942e90b65c0
Author: Alexander Marx amarx@ipfire.org
Date:   Tue Nov 12 16:04:55 2013 +0100

    Firewall: appended check of maximum ports per protocol. Port ranges, e.g. 100:200, count as 2 ports.

commit 49192c7b313d0fae39f16479594c06ca06684060
Author: Alexander Marx amarx@ipfire.org
Date:   Tue Nov 12 15:08:58 2013 +0100

    Firewall: The maximum number of definable services in a servicegroup is limited to 13 per protocol (TCP, UDP), because iptables can only handle a maximum of 13 services in multiport.

commit 14bcb9a23d6d96fedaf0d5d71f65a8e7a8e6a4eb
Author: Alexander Marx amarx@ipfire.org
Date:   Tue Nov 12 09:27:16 2013 +0100

    Firewall: New feature: Now it is possible to define a custom service with a port range. When using this service in a rule or in a servicegroup, the rule is applied correctly.

commit a15f7d0dd53d686bd77e5a94eadc0ea9853feace
Author: Alexander Marx amarx@ipfire.org
Date:   Mon Nov 11 10:23:39 2013 +0100

    Firewall: Bugfix: the routine to check if a VPN net or host was deleted did not work as expected. Now it even works when source and target contain a VPN host or net.

commit d8afe3e2c0690899e2efa6742b13a619c4f92298
Author: Alexander Marx amarx@ipfire.org
Date:   Sun Nov 10 09:28:02 2013 +0100

    Firewall: fixed colors of target column when using standard networks

    When using RED, OpenVPN-Dyn or IPsec RW as target, the column was not colored.

commit dd4796fbea96922f3bf58bcf866cf9ea7aaa70f0
Author: Erik Kapfer erik.kapfer@ipfire.org
Date:   Sun Nov 3 21:29:04 2013 +0100

    langs: Fix typo

-----------------------------------------------------------------------
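The multiport limit behind commits 49192c7 and 7db6ad6, and the `lo:hi` versus `lo-hi` port syntax that 14bcb9a has to translate for DNAT rules, as an added example in Python. This is not IPFire code (the project is written in Perl); it does the same slot accounting as the new service-group check (a single port costs one multiport slot, a range costs two, iptables' multiport match takes at most 15 slots per rule) and then goes one step beyond the UI, which only refuses an oversized group, by packing the ports into as many `-m multiport --dports` fragments as are needed. The three-field service tuple and the sample group are constructed for this example and are not taken from an IPFire configuration.

```python
import re
from typing import Dict, List, Tuple

# iptables' multiport match (xt_multiport) accepts at most 15 ports per rule,
# and a range "lo:hi" occupies two of those slots.
MULTIPORT_MAX_SLOTS = 15

# A service as (name, port_or_range, protocol). This layout is an assumption
# made for the example, mirroring the three fields the UI check consults.
Service = Tuple[str, str, str]

# Constructed sample group: 14 single TCP ports plus one TCP range (16 slots)
# and one UDP port. It deliberately exceeds the TCP limit.
SAMPLE_GROUP: List[Service] = (
    [(f"tcp{p}", str(p), "TCP") for p in range(8000, 8014)]
    + [("range", "9000:9100", "TCP"), ("dns", "53", "UDP")]
)

_PORT_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")


def parse_port_spec(spec: str) -> Tuple[int, int]:
    """Validate "port" or "lo:hi" and return (lo, hi); reject anything else."""
    m = _PORT_RE.match(spec)
    if not m:
        raise ValueError(f"invalid port spec {spec!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) is not None else lo
    if not (1 <= lo <= 65535 and 1 <= hi <= 65535 and lo <= hi):
        raise ValueError(f"port spec {spec!r} out of range")
    return lo, hi


def slot_cost(spec: str) -> int:
    """Multiport slots used by one spec: 1 for a single port, 2 for a range."""
    parse_port_spec(spec)
    return 2 if ":" in spec else 1


def slots_per_protocol(services: List[Service]) -> Dict[str, int]:
    """Sum the multiport slots a service group needs, per protocol."""
    totals: Dict[str, int] = {}
    for _name, spec, proto in services:
        totals[proto] = totals.get(proto, 0) + slot_cost(spec)
    return totals


def check_servicegroup(services: List[Service]) -> Dict[str, str]:
    """UI-style check: one error message per protocol that exceeds the limit."""
    errors: Dict[str, str] = {}
    for proto, used in slots_per_protocol(services).items():
        if used > MULTIPORT_MAX_SLOTS:
            errors[proto] = (f"{proto}: {used} multiport slots needed, "
                             f"iptables allows {MULTIPORT_MAX_SLOTS}")
    return errors


def split_multiport(specs: List[str]) -> List[List[str]]:
    """Greedily pack port specs into chunks that each fit one multiport match."""
    chunks: List[List[str]] = []
    current: List[str] = []
    used = 0
    for spec in specs:
        cost = slot_cost(spec)
        if used + cost > MULTIPORT_MAX_SLOTS:
            chunks.append(current)
            current, used = [], 0
        current.append(spec)
        used += cost
    if current:
        chunks.append(current)
    return chunks


def multiport_rules(chain: str, proto: str, specs: List[str], target: str) -> List[str]:
    """Render one iptables argument string per chunk (nothing is executed)."""
    return [
        f"-A {chain} -p {proto.lower()} -m multiport --dports {','.join(chunk)} -j {target}"
        for chunk in split_multiport(specs)
    ]


def dnat_port_spec(spec: str) -> str:
    """--to-destination writes a range as "lo-hi" where --dport uses "lo:hi"."""
    parse_port_spec(spec)
    return spec.replace(":", "-")


if __name__ == "__main__":
    print(check_servicegroup(SAMPLE_GROUP))
    tcp_specs = [spec for _n, spec, proto in SAMPLE_GROUP if proto == "TCP"]
    for rule in multiport_rules("FORWARD", "TCP", tcp_specs, "ACCEPT"):
        print(rule)
    print("DNAT port for 9000:9100 ->", dnat_port_spec("9000:9100"))
```

Splitting into several rules is semantically safe for an ACCEPT or DROP target because each packet matches at most one port, so the fragments are equivalent to a single rule over the whole list; for targets with side effects (logging, counters) the split changes which rule the hit is attributed to, which is worth remembering when reading the counters later.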
Summary of changes:
 config/firewall/firewall-lib.pl |  6 ++---
 config/firewall/rules.pl        | 12 +++++++---
 html/cgi-bin/firewall.cgi       | 49 +++++++++++++++++++++++++++++++++++------
 html/cgi-bin/fwhosts.cgi        | 24 +++++++++++++++++++-
 langs/de/cgi-bin/de.pl          |  4 +++-
 langs/en/cgi-bin/en.pl          |  4 +++-
 6 files changed, 82 insertions(+), 17 deletions(-)
Difference in files: diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl index f1e8403..8cff76b 100755 --- a/config/firewall/firewall-lib.pl +++ b/config/firewall/firewall-lib.pl @@ -108,10 +108,8 @@ sub get_srv_port my $field=shift; my $prot=shift; foreach my $key (sort {$a <=> $b} keys %customservice){ - if($customservice{$key}[0] eq $val){ - if($customservice{$key}[2] eq $prot){ - return $customservice{$key}[$field]; - } + if($customservice{$key}[0] eq $val && $customservice{$key}[2] eq $prot){ + return $customservice{$key}[$field]; } } } diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index c724aa8..f1584f3 100755 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -86,8 +86,8 @@ close(CONN1); # DEBUG/TEST # ################# my $MODE=0; # 0 - normal operation - # 1 - print configline and rules to console - # + # 1 - print configline and rules to console + # ################# my $param=shift;
@@ -577,6 +577,7 @@ sub get_port my $hash=shift; my $key=shift; my $prot=shift; + #Get manual defined Ports from SOURCE if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){ if ($$hash{$key}[10] ne ''){ $$hash{$key}[10] =~ s/|/,/g; @@ -590,6 +591,7 @@ sub get_port } } } + #Get manual ports from TARGET }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){ if($$hash{$key}[14] eq 'TGT_PORT'){ if ($$hash{$key}[15] ne ''){ @@ -605,16 +607,20 @@ sub get_port } } } + #Get ports defined in custom Service (firewall-groups) }elsif($$hash{$key}[14] eq 'cust_srv'){ if ($prot ne 'ICMP'){ if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){ - return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); + my $ports =&fwlib::get_srv_port($$hash{$key}[15],1,$prot); + $ports =~ s/:/-/g; + return ":".$ports }else{ return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); } }elsif($prot eq 'ICMP' && $$hash{$key}[11] eq 'ON'){ #When PROT is ICMP and "use targetport is checked, this is an icmp-service return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot); } + #Get ports from services which are used in custom servicegroups (firewall-groups) }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ if ($prot ne 'ICMP'){ return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot); diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index 3e4e3b0..d1c086d 100755 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -1376,6 +1376,12 @@ sub getcolor }elsif ($val eq 'IPFire' ){ $tdcolor="style='background-color: $Header::colourred;color:white;'"; return; + }elsif ($val eq 'OpenVPN-Dyn' ){ + $tdcolor="style='background-color: $Header::colourovpn;color:white;'"; + return; + }elsif ($val eq 'IPsec RW' ){ + $tdcolor="style='background-color: $Header::colourvpn;color:white;'"; + return; }elsif($val =~ /^(.*?)/(.*?)$/){ my ($sip,$scidr) = split ("/",$val); if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){ 
@@ -2397,6 +2403,7 @@ sub viewtablenew my $rulecolor; my $tooltip; my @tmpsrc=(); + my @tmptgt=(); my $coloryellow='';
print <<END; 
@@ -2426,33 +2433,61 @@ END foreach my $key (sort {$a <=> $b} keys %$hash){ $tdcolor=''; @tmpsrc=(); + @tmptgt=(); #check if vpn hosts/nets have been deleted if($$hash{$key}[3] =~ /ipsec/i || $$hash{$key}[3] =~ /ovpn/i){ push (@tmpsrc,$$hash{$key}[4]); } if($$hash{$key}[5] =~ /ipsec/i || $$hash{$key}[5] =~ /ovpn/i){ - push (@tmpsrc,$$hash{$key}[6]); + push (@tmptgt,$$hash{$key}[6]); } foreach my $host (@tmpsrc){ - if($$hash{$key}[3] eq 'ipsec_net_src' || $$hash{$key}[5] eq 'ipsec_net_tgt'){ + if($$hash{$key}[3] eq 'ipsec_net_src'){ + if(&fwlib::get_ipsec_net_ip($host,11) eq ''){ + $coloryellow='on'; + &disable_rule($key); + $$hash{$key}[2]=''; + } + }elsif($$hash{$key}[3] eq 'ovpn_net_src'){ + if(&fwlib::get_ovpn_net_ip($host,1) eq ''){ + $coloryellow='on'; + &disable_rule($key); + $$hash{$key}[2]=''; + } + }elsif($$hash{$key}[3] eq 'ovpn_n2n_src'){ + if(&fwlib::get_ovpn_n2n_ip($host,27) eq ''){ + $coloryellow='on'; + &disable_rule($key); + $$hash{$key}[2]=''; + } + }elsif($$hash{$key}[3] eq 'ovpn_host_src'){ + if(&fwlib::get_ovpn_host_ip($host,33) eq ''){ + $coloryellow='on'; + &disable_rule($key); + $$hash{$key}[2]=''; + } + } + } + foreach my $host (@tmptgt){ + if($$hash{$key}[5] eq 'ipsec_net_tgt'){ if(&fwlib::get_ipsec_net_ip($host,11) eq ''){ $coloryellow='on'; &disable_rule($key); $$hash{$key}[2]=''; } - }elsif($$hash{$key}[3] eq 'ovpn_net_src' || $$hash{$key}[5] eq 'ovpn_net_tgt'){ + }elsif($$hash{$key}[5] eq 'ovpn_net_tgt'){ if(&fwlib::get_ovpn_net_ip($host,1) eq ''){ $coloryellow='on'; &disable_rule($key); $$hash{$key}[2]=''; } - }elsif($$hash{$key}[3] eq 'ovpn_n2n_src' || $$hash{$key}[5] eq 'ovpn_n2n_tgt'){ + }elsif($$hash{$key}[5] eq 'ovpn_n2n_tgt'){ if(&fwlib::get_ovpn_n2n_ip($host,27) eq ''){ $coloryellow='on'; &disable_rule($key); $$hash{$key}[2]=''; } - }elsif($$hash{$key}[3] eq 'ovpn_host_src' || $$hash{$key}[5] eq 'ovpn_host_tgt'){ + }elsif($$hash{$key}[5] eq 'ovpn_host_tgt'){ if(&fwlib::get_ovpn_host_ip($host,33) eq ''){ $coloryellow='on'; 
&disable_rule($key); @@ -2463,7 +2498,7 @@ END $$hash{'ACTIVE'}=$$hash{$key}[2]; $count++; if($coloryellow eq 'on'){ - print"<tr bgcolor='$color{'color14'}' >"; + $color="$color{'color14'}"; $coloryellow=''; }elsif($coloryellow eq ''){ if ($count % 2){ @@ -2600,7 +2635,7 @@ END if ($$hash{$key}[5] eq 'std_net_tgt' || $$hash{$key}[5] eq 'ipfire' || $$hash{$key}[6] eq 'RED1' || $$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE' ){ if ($$hash{$key}[6] eq 'RED1'){ print "$ipfireiface $Lang::tr{'red1'}"; - }elsif ($$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE'|| $$hash{$key}[6] eq 'ALL') + }elsif ($$hash{$key}[6] eq 'GREEN' || $$hash{$key}[6] eq 'ORANGE' || $$hash{$key}[6] eq 'BLUE'|| $$hash{$key}[6] eq 'ALL' || $$hash{$key}[6] eq 'RED') { print "$ipfireiface ".&get_name($$hash{$key}[6]); }else{ diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 91de897..bc9ca85 100755 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi 
@@ -764,12 +764,34 @@ if ($fwhostsettings{'ACTION'} eq 'saveservicegrp') my $prot; my $port; my $count=0; + my $tcpcounter=0; + my $udpcounter=0; &General::readhasharray("$configsrvgrp", %customservicegrp ); &General::readhasharray("$configsrv", %customservice ); $errormessage=&checkservicegroup; + #Check if we have more than 13 services from one Protocol in the group + #iptables can only handle 13 ports/portranges via multiport + foreach my $key (keys %customservicegrp){ + if($customservicegrp{$key}[0] eq $fwhostsettings{'SRVGRP_NAME'}){ + foreach my $key1 (keys %customservice){ + $tcpcounter++ if $customservice{$key1}[2] eq 'TCP' && $customservicegrp{$key}[2] eq $customservice{$key1}[0]; + $tcpcounter++ if $customservice{$key1}[2] eq 'TCP' && $customservicegrp{$key}[2] eq $customservice{$key1}[0] && $customservice{$key1}[1] =~m/:/i; + $udpcounter++ if $customservice{$key1}[2] eq 'UDP' && $customservicegrp{$key}[2] eq $customservice{$key1}[0]; + $udpcounter++ if $customservice{$key1}[2] eq 'UDP' && $customservicegrp{$key}[2] eq $customservice{$key1}[0] && $customservice{$key1}[1] =~m/:/i; + } + } + } + if ($tcpcounter > 15){ + $errormessage=$Lang::tr{'fwhost err maxservicetcp'}; + } + if ($udpcounter > 15){ + $errormessage=$Lang::tr{'fwhost err maxserviceudp'}; + } + $tcpcounter=0; + $udpcounter=0; #check remark if ($fwhostsettings{'SRVGRP_REMARK'} ne '' && !&validremark($fwhostsettings{'SRVGRP_REMARK'})){ - $errormessage=$Lang::tr{'fwhost err remark'}; + $errormessage .= $Lang::tr{'fwhost err remark'}; } if (!$errormessage){ #on first save, we have to enter a dummy value diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index af8851f..5bcf5c8 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl 
@@ -1039,6 +1039,8 @@ 'fwhost err isccdnet' => 'Dieser Name wird bereits für einen OpenVPN-Netzwerk verwendet', 'fwhost err isingrp' => 'Dieser Eintrag existiert bereits in der Gruppe', 'fwhost err mac' => 'Ungültige MAC-Adresse', +'fwhost err maxservicetcp' => 'Die maximale Anzahl von 15 TCP-Diensten in einer Gruppe wurde erreicht (Portranges zählen zweifach)', +'fwhost err maxserviceudp' => 'Die maximale Anzahl von 15 UDP-Diensten in einer Gruppe wurde erreicht (Portranges zählen zweifach)', 'fwhost err name' => 'Ungültiger Name. Erlaubte Zeichen: Klein- und Großbuchstaben, Leerzeichen und Bindestrich.', 'fwhost err name1' => 'Der Name muss ausgefüllt sein', 'fwhost err net' => 'Netzwerk/IP-Adresse existiert bereits', @@ -1702,7 +1704,7 @@ 'proxy admin password' => 'Cache Administrator Passwort', 'proxy cachemgr' => 'Cachemanager aktivieren', 'proxy errmsg filedescriptors' => 'Ungültiger Anzahl Filedescriptoren', -'proxy filedescriptors' => 'Anzahl Fildescriptoren', +'proxy filedescriptors' => 'Anzahl Filedescriptoren', 'proxy log viewer' => 'Ansicht Proxy-Log', 'proxy logs' => 'Proxy-Logdateien', 'proxy no proxy extend' => 'oder geben Sie eine Liste von Zielen an, welche nicht über den Proxy angesprochen werden sollen', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index bdb66fa..f03ea37 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -1064,6 +1064,8 @@ 'fwhost err isccdnet' => 'This name is already used by an OpenVPN network', 'fwhost err isingrp' => 'This entry already exists in the group', 'fwhost err mac' => 'Invalid MAC address', +'fwhost err maxservicetcp' => 'The maximal number of 15 TCP services has been reached in this group (port ranges count twice)', +'fwhost err maxserviceudp' => 'The maximal number of 15 UDP services has been reached in this group (port ranges count twice)', 'fwhost err name' => 'Invalid name. Allowed characters: Upper- and lowercase letters, digits, space and dash.', 'fwhost err name1' => 'Empty name.', 'fwhost err net' => 'Network/IP address already exists', @@ -1731,7 +1733,7 @@ 'proxy admin password' => 'Cache administrator password', 'proxy cachemgr' => 'Activate cachemanager', 'proxy errmsg filedescriptors' => 'Wrong amount of filedescriptors', -'proxy filedescriptors' => 'Amount of fildescriptors', +'proxy filedescriptors' => 'Amount of filedescriptors', 'proxy log viewer' => 'Proxy log viewer', 'proxy logs' => 'Proxy Logs', 'proxy no proxy extend' => 'or specify a list of not proxied destination',
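Review bot: in the saveservicegrp hunk of html/cgi-bin/fwhosts.cgi the limit is enforced as `if ($tcpcounter > 15)` while the code comment above the loop and the commit message for 49192c7 say 13, and the two new language strings say 15; settle on one figure and state it in all three places. The counters are also computed only over the members already present in %customservicegrp as read from disk; if the new member is appended in the `if (!$errormessage)` branch that follows, as the comment there suggests, a group already using all 15 slots passes the check (`15 > 15` is false) and the entry that takes it to 16 is still saved, so add the cost of the service being added before comparing. Smaller points in the same hunk: the two `$tcpcounter++ if ...` lines per protocol can be a single `$tcpcounter += ($customservice{$key1}[1] =~ m/:/) ? 2 : 1 if ...`; the `/i` flag on `m/:/i` does nothing for a colon; the TCP and UDP branches assign with `=` and therefore discard whatever &checkservicegroup returned (and the UDP message discards the TCP one), whereas the remark check was changed to `.=` and now appends with no separator, so use `.=` with a `<br>` consistently; and the trailing `$tcpcounter=0; $udpcounter=0;` resets lexicals that are never read again.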
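Review bot: in the get_port hunk of config/firewall/rules.pl the dnat branch ends with `return ":".$ports` without a semicolon; it only parses because it is the last statement in the block, so add the `;`. The `s/:/-/g` deserves a comment saying why it is there (the port part of a DNAT `--to-destination` takes a range as `lo-hi`, whereas `--dport` takes `lo:hi`); the same translation is not applied in the cust_srvgrp branch below, so check whether get_srvgrp_port output can reach a DNAT rule unchanged. The first hunk in this file (lines 86-88) only changes trailing whitespace inside comments and does not belong in this commit.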
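Review bot: the viewtablenew hunk in html/cgi-bin/firewall.cgi now carries eight near-identical blocks of the form `if(&fwlib::get_..._ip($host,N) eq ''){ $coloryellow='on'; &disable_rule($key); $$hash{$key}[2]=''; }`, differing only in the type string, the lookup function and the column index. Each of @tmpsrc and @tmptgt holds at most one element (fields 4 and 6 respectively), so the two foreach loops are really two lookups; a small helper that maps the type (ipsec_net, ovpn_net, ovpn_n2n, ovpn_host) to its lookup and returns whether the referenced object still exists, called once for fields 3/4 and once for fields 5/6, would remove the duplication and the risk of the source and target copies drifting apart.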
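Review bot: the getcolor hunk in html/cgi-bin/firewall.cgi references `$Header::colourovpn` and `$Header::colourvpn`, neither of which is defined in this patch; a missing package variable does not fail under strict but silently renders as `background-color: ;`, so confirm both exist in the header package.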
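Review bot: in the langs/en/cgi-bin/en.pl hunk, 'The maximal number of 15 TCP services has been reached in this group' should read 'The maximum number of 15 TCP services has been reached in this group' (same for the UDP string), and the limit quoted (15) has to agree with the figure in the commit message for 49192c7 (13) and the threshold in fwhosts.cgi. The unrelated Filedescriptoren/filedescriptors fix in both language files is the separate 'langs: Fix typo' commit and is fine as its own change.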
hooks/post-receive -- IPFire 2.x development tree