This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via da7a2208d3a3c4143ce9029665ad9d738e70d3b1 (commit) via 5cf8c8c12382d77b07fbcb1b8916d78d2806cc74 (commit) via c2a1af7545c52edc9354e778acecb6370ea15d48 (commit) from 2a07aa9d9c4c1968a1072147107d889a1a8aae5e (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit da7a2208d3a3c4143ce9029665ad9d738e70d3b1 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 17 18:03:00 2014 +0100
firewall: rules.pl: Code cleanup.
commit 5cf8c8c12382d77b07fbcb1b8916d78d2806cc74 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 17 17:39:47 2014 +0100
firewall: Fix DNAT rules between internal zones.
commit c2a1af7545c52edc9354e778acecb6370ea15d48 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 17 15:47:28 2014 +0100
firewall: rules.pl: Sanitise source and destination IP addresses.
Those variables are now empty if the source or destination is unspecified.
-----------------------------------------------------------------------
Summary of changes: config/firewall/rules.pl | 79 ++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 66 insertions(+), 13 deletions(-)
Difference in files:
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 51ddb44..7a8e9ba 100755
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -39,6 +39,7 @@ my $CHAIN_NAT_SOURCE = "NAT_SOURCE";
 my $CHAIN_NAT_DESTINATION = "NAT_DESTINATION";
 my $CHAIN_MANGLE_NAT_DESTINATION_FIX = "NAT_DESTINATION";
 my @VALID_CHAINS = ($CHAIN_INPUT, $CHAIN_FORWARD, $CHAIN_OUTPUT);
+my @ANY_ADDRESSES = ("0.0.0.0/0.0.0.0", "0.0.0.0/0", "0/0");
 my @PROTOCOLS = ("tcp", "udp", "icmp", "igmp", "ah", "esp", "gre", "ipv6", "ipip");
 my @PROTOCOLS_WITH_PORTS = ("tcp", "udp");
@@ -255,6 +256,16 @@ sub buildrules {
 # Skip invalid rules.
 next if (!$source || !$destination || ($destination eq "none"));
+ # Sanitize source.
+ if ($source ~~ @ANY_ADDRESSES) {
+ $source = "";
+ }
+
+ # Sanitize destination.
+ if ($destination ~~ @ANY_ADDRESSES) {
+ $destination = "";
+ }
+
 # Array with iptables arguments.
 my @options = ();
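Review bot: The two new `~~` checks in this hunk (and the `$nat_address ~~ @internal_addresses` check in the DNAT hunk at -294) rely on smartmatch, which is experimental and warns on perl 5.18+ and whose semantics depend on whether the compared values look numeric; for a fixed list of literal strings a hash lookup is exact and version-independent. The declaration in the first hunk would become `my %ANY_ADDRESSES = map { $_ => 1 } ("0.0.0.0/0.0.0.0", "0.0.0.0/0", "0/0");` and each check `$source = "" if $ANY_ADDRESSES{$source};` (likewise for `$destination`). A one-line comment above the declaration, `# Spellings of "any address" that must produce no -s/-d match at all.`, would also make the purpose of the sanitisation visible where the list lives. The enclosing `buildrules` loop starts and ends outside this hunk.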
@@ -268,12 +279,15 @@ sub buildrules {
 my @source_options = ();
 if ($source =~ /mac/) {
 push(@source_options, $source);
- } else {
+ } elsif ($source) {
 push(@source_options, ("-s", $source));
 }
 # Prepare destination options.
- my @destination_options = ("-d", $destination);
+ my @destination_options = ();
+ if ($destination) {
+ push(@destination_options, ("-d", $destination));
+ }
 # Add time constraint options.
 push(@options, @time_options);
@@ -285,7 +299,7 @@ sub buildrules {
 # Process NAT rules.
 if ($NAT) {
- my $nat_address = &get_nat_address($$hash{$key}[29]);
+ my $nat_address = &get_nat_address($$hash{$key}[29], $source);
 # Skip NAT rules if the NAT address is unknown
 # (i.e. no internet connection has been established, yet).
@@ -294,7 +308,10 @@ sub buildrules {
 # Destination NAT
 if ($NAT_MODE eq "DNAT") {
 # Make port-forwardings useable from the internal networks.
- &add_dnat_mangle_rules($nat_address, @options);
+ my @internal_addresses = &get_internal_firewall_ip_addresses(1);
+ unless ($nat_address ~~ @internal_addresses) {
+ &add_dnat_mangle_rules($nat_address, @options);
+ }
 my @nat_options = @options;
 push(@nat_options, @source_options);
@@ -380,12 +397,21 @@ sub get_alias {
 sub get_nat_address {
 my $zone = shift;
+ my $source = shift;
 # Any static address of any zone.
 if ($zone eq "RED" || $zone eq "GREEN" || $zone eq "ORANGE" || $zone eq "BLUE") {
 return $defaultNetworks{$zone . "_ADDRESS"};
 } elsif ($zone eq "Default IP") {
+ if ($source) {
+ my $firewall_ip = &get_internal_firewall_ip_address($source, 1);
+
+ if ($firewall_ip) {
+ return $firewall_ip;
+ }
+ }
+
 return &get_external_address();
 } else {
@@ -795,25 +821,52 @@ sub make_log_limit_options {
 return @options;
 }
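Review bot: The new second parameter of `get_nat_address` is undocumented, and the value `buildrules` passes in may not always be an "address/mask" string: the -268 hunk shows a source that matches `/mac/` being used verbatim as an iptables option, and that same `$source` now reaches `get_internal_firewall_ip_address`, which only copes with it by returning early when `split("/", ...)` yields no mask. A comment after `my $source = shift;` should pin the contract, e.g. `# Optional source network of the rule as "address/mask". For "Default IP", a source inside an internal zone selects that zone's firewall address instead of the external one; other forms (empty, MAC match) fall back to the external address.` The sub continues past this hunk, so the remaining `else` branch was not reviewed.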
-sub firewall_is_in_subnet {
- my $subnet = shift;
+sub get_internal_firewall_ip_addresses {
+ my $use_orange = shift;
- my ($net_address, $net_mask) = split("/", $subnet);
- if (!$net_mask) {
- return 0;
+ my @zones = ("GREEN", "BLUE");
+ if ($use_orange) {
+ push(@zones, "ORANGE");
 }
- # ORANGE is missing here, because nothing may ever access
- # the firewall from this network.
- foreach my $zone ("GREEN", "BLUE") {
+ my @addresses = ();
+ for my $zone (@zones) {
 next unless (exists $defaultNetworks{$zone . "_ADDRESS"});
 my $zone_address = $defaultNetworks{$zone . "_ADDRESS"};
+ push(@addresses, $zone_address);
+ }
+ return @addresses;
+}
+
+sub get_internal_firewall_ip_address {
+ my $subnet = shift;
+ my $use_orange = shift;
+
+ my ($net_address, $net_mask) = split("/", $subnet);
+ if (!$net_mask) {
+ return;
+ }
+
+ my @addresses = &get_internal_firewall_ip_addresses($use_orange);
+ foreach my $zone_address (@addresses) {
 if (&General::IpInSubnet($zone_address, $net_address, $net_mask)) {
- return 1;
+ return $zone_address;
 }
 }
+}
+
+sub firewall_is_in_subnet {
+ my $subnet = shift;
+
+ # ORANGE is missing here, because nothing may ever access
+ # the firewall from this network.
+ my $address = &get_internal_firewall_ip_address($subnet, 0);
+
+ if ($address) {
+ return 1;
+ }
 return 0;
 }
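Review bot: `get_internal_firewall_ip_address` has no explicit return after the `foreach` over `@addresses`, so when no zone contains the subnet the sub's value is whatever the loop leaves behind, which perlsub documents as unspecified; both callers (`get_nat_address` and `firewall_is_in_subnet`) test the result for truth, so this works today but only by accident. Add `return;` as the last statement before the sub's closing `+}` so the "not found" case is an explicit empty return, matching the early `return;` already used for a missing mask. The three subs in this hunk are otherwise complete within it.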
hooks/post-receive -- IPFire 2.x development tree