From: git@ipfire.org
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, fifteen, updated. a72fac881bf4181f487e3edcc356b5dea74ed7ca
Date: Mon, 02 Sep 2013 22:29:26 +0200 [thread overview]
Message-ID: <20130902202926.D9EE720887@argus.ipfire.org> (raw)
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, fifteen has been updated
via a72fac881bf4181f487e3edcc356b5dea74ed7ca (commit)
via d7fcd5daa3addc8916a7c6be78c449a6ced6c3b3 (commit)
via d5a11b8405bc93f516fa0449f26dd1246fed131f (commit)
via 35f95ba741115576b9d5d695183d24f8b9523327 (commit)
via 8e9a041324f2d9197c06e4053864e77a9e9cc799 (commit)
via 52c5ec837f1b8ebbb93d1477dcb345ea921b84a7 (commit)
via 3ad23ee1d98c45520122c32bfeb92ef80a2e612a (commit)
from 15ffeb1bdd298d8f525a11352489d8c84dc9fffb (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit a72fac881bf4181f487e3edcc356b5dea74ed7ca
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Sep 2 22:28:07 2013 +0200
More rootfiles fixes for configroot files.
commit d7fcd5daa3addc8916a7c6be78c449a6ced6c3b3
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Sep 2 22:22:26 2013 +0200
configroot: Fix permissions of executable files.
These must always be owned by root and must be neither writable nor executable by the world.
commit d5a11b8405bc93f516fa0449f26dd1246fed131f
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Sep 2 22:16:30 2013 +0200
Fix rootfile: /var/ipfire/forward and /var/ipfire/fwhosts were not writable.
commit 35f95ba741115576b9d5d695183d24f8b9523327
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Sep 2 22:04:42 2013 +0200
firewall: Remove version information.
commit 8e9a041324f2d9197c06e4053864e77a9e9cc799
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Sep 2 21:52:35 2013 +0200
openvpnctrl: Silence PID file error message.
commit 52c5ec837f1b8ebbb93d1477dcb345ea921b84a7
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Sep 2 21:51:22 2013 +0200
firewall: Rewrite policy script.
Restructure the code; add fallback options if no configuration
is set; reliably check if BLUE or ORANGE are used.
commit 3ad23ee1d98c45520122c32bfeb92ef80a2e612a
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Sep 2 21:05:47 2013 +0200
openvpnctrl: Suppress silly error messages and cleanup coding style.
-----------------------------------------------------------------------
Summary of changes:
config/forwardfw/firewall-policy | 141 +++++++++++++++++++++++--------------
config/rootfiles/common/configroot | 60 ++++++++--------
html/cgi-bin/forwardfw.cgi | 3 -
lfs/configroot | 4 +-
src/misc-progs/openvpnctrl.c | 30 +++-----
5 files changed, 130 insertions(+), 108 deletions(-)
Difference in files:
diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy
index 0fcfaa4..6f7e95c 100755
--- a/config/forwardfw/firewall-policy
+++ b/config/forwardfw/firewall-policy
@@ -1,5 +1,4 @@
#!/bin/sh
-
###############################################################################
# #
# IPFire.org - A linux based firewall #
@@ -20,72 +19,106 @@
# #
###############################################################################
-
+eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
-eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
iptables -F POLICYFWD
iptables -F POLICYOUT
iptables -F POLICYIN
if [ -f "/var/ipfire/red/iface" ]; then
- IFACE=`cat /var/ipfire/red/iface`
+ IFACE="$(</var/ipfire/red/iface)"
fi
-#FORWARDFW
-if [ "$POLICY" == "MODE1" ]; then
- if [ "$FWPOLICY" == "REJECT" ]; then
- if [ "$DROPFORWARD" == "on" ]; then
- /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
- fi
- /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
+# Figure out what devices are configured.
+HAVE_BLUE="false"
+HAVE_ORANGE="false"
+
+case "${CONFIG_TYPE}" in
+ 2)
+ HAVE_BLUE="true"
+ ;;
+ 3)
+ HAVE_ORANGE="true"
+ ;;
+ 4)
+ HAVE_BLUE="true"
+ HAVE_ORANGE="true"
+ ;;
+esac
+
+# INPUT
+case "${FWPOLICY2}" in
+ REJECT)
+ if [ "${DROPINPUT}" = "on" ]; then
+ /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
fi
- if [ "$FWPOLICY" == "DROP" ]; then
- if [ "$DROPFORWARD" == "on" ]; then
- /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
- fi
- /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
+ /sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
+ ;;
+ *) # DROP
+ if [ "${DROPINPUT}" = "on" ]; then
+ /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
fi
-else
- if [ "$BLUE_DEV" ] && [ "$IFACE" ]; then
- /sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP
- fi
- /sbin/iptables -A POLICYFWD -i orange0 ! -o $IFACE -j DROP
- /sbin/iptables -A POLICYFWD -j ACCEPT
- /sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
-fi
+ /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
+ ;;
+esac
-#OUTGOINGFW
-if [ "$POLICY1" == "MODE1" ]; then
- if [ "$FWPOLICY1" == "REJECT" ]; then
- if [ "$DROPOUTGOING" == "on" ]; then
- /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
- fi
- /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
- fi
- if [ "$FWPOLICY1" == "DROP" ]; then
- if [ "$DROPOUTGOING" == "on" ]; then
- /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
+# FORWARD
+case "${POLICY}" in
+ MODE1)
+ case "${FWPOLICY}" in
+ REJECT)
+ if [ "${DROPFORWARD}" = "on" ]; then
+ /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "REJECT_FORWARD"
+ fi
+ /sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
+ ;;
+ *) # DROP
+ if [ "${DROPFORWARD}" = "on" ]; then
+ /sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix "DROP_FORWARD"
+ fi
+ /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
+ ;;
+ esac
+ ;;
+
+ *)
+ if [ -n "${IFACE}" ]; then
+ if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
+ /sbin/iptables -A POLICYFWD -i "${BLUE_DEV}" ! -o "${IFACE}" -j DROP
+ fi
+ if [ "${HAVE_ORANGE}" = "true" ] && [ -n "${ORANGE_DEV}" ]; then
+ /sbin/iptables -A POLICYFWD -i "${ORANGE_DEV}" ! -o "${IFACE}" -j DROP
+ fi
fi
- /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
- fi
-else
- /sbin/iptables -A POLICYOUT -j ACCEPT
- /sbin/iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
-fi
-#INPUT
-if [ "$FWPOLICY2" == "REJECT" ]; then
- if [ "$DROPINPUT" == "on" ]; then
- /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "REJECT_INPUT"
- fi
- /sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_INPUT"
-fi
-if [ "$FWPOLICY2" == "DROP" ]; then
- if [ "$DROPINPUT" == "on" ]; then
- /sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix "DROP_INPUT"
- fi
- /sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
-fi
+ /sbin/iptables -A POLICYFWD -j ACCEPT
+ /sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
+ ;;
+esac
+
+# OUTGOING
+case "${POLICY1}" in
+ MODE1)
+ case "${FWPOLICY1}" in
+ REJECT)
+ if [ "${DROPOUTGOING}" = "on" ]; then
+ /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "REJECT_OUTPUT"
+ fi
+ /sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_OUTPUT"
+ ;;
+ *) # DROP
+ if [ "${DROPOUTGOING}" == "on" ]; then
+ /sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix "DROP_OUTPUT"
+ fi
+ /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
+ ;;
+ esac
+ ;;
+ *)
+ /sbin/iptables -A POLICYOUT -j ACCEPT
+ /sbin/iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
+ ;;
+esac
exit 0
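Review bot: In the non-MODE1 FORWARD branch the isolation rules for BLUE and ORANGE are now wrapped in `if [ -n "${IFACE}" ]`, so whenever the RED interface is unknown (red down, `/var/ipfire/red/iface` missing) no `! -o "${IFACE}" -j DROP` rule is emitted at all and the branch falls straight through to `-j ACCEPT`, letting BLUE and ORANGE reach every other zone; that is fail-open for a firewall policy script. An empty `IFACE` is also more likely than before: the script is `#!/bin/sh`, and `$(</var/ipfire/red/iface)` is not POSIX (dash and busybox ash expand it to an empty string), so the replaced `cat` form was the portable one and should be restored unless the shebang is changed to bash. I would fail closed instead, as sketched below, dropping BLUE/ORANGE forwarding outright when the RED interface is unknown. Minor: the `DROPOUTGOING` test still uses `==` while every other comparison in the rewrite was changed to `=`.

```shell
# Fail closed: with no known RED interface, BLUE/ORANGE must not be forwarded anywhere.
if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
	if [ -n "${IFACE}" ]; then
		/sbin/iptables -A POLICYFWD -i "${BLUE_DEV}" ! -o "${IFACE}" -j DROP
	else
		/sbin/iptables -A POLICYFWD -i "${BLUE_DEV}" -j DROP
	fi
fi
# … unchanged: same pattern for ORANGE_DEV, then the ACCEPT and DROP_FORWARD tail …
```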
diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot
index 8cd4a8a..0e2cbb6 100644
--- a/config/rootfiles/common/configroot
+++ b/config/rootfiles/common/configroot
@@ -7,9 +7,9 @@ usr/sbin/firewall-policy
var/ipfire/addon-lang
var/ipfire/auth
#var/ipfire/auth/users
-#var/ipfire/backup
-var/ipfire/backup/exclude.user
-var/ipfire/backup/include.user
+var/ipfire/backup
+#var/ipfire/backup/exclude.user
+#var/ipfire/backup/include.user
var/ipfire/ca
var/ipfire/certs
#var/ipfire/certs/index.txt
@@ -42,31 +42,31 @@ var/ipfire/ethernet
#var/ipfire/ethernet/settings
#var/ipfire/ethernet/vlans
#var/ipfire/ethernet/wireless
-#var/ipfire/extrahd
+var/ipfire/extrahd
#var/ipfire/extrahd/bin
-var/ipfire/extrahd/bin/extrahd.pl
-var/ipfire/extrahd/devices
-var/ipfire/extrahd/partitions
-var/ipfire/extrahd/scan
-var/ipfire/extrahd/settings
-#var/ipfire/forward
+#var/ipfire/extrahd/bin/extrahd.pl
+#var/ipfire/extrahd/devices
+#var/ipfire/extrahd/partitions
+#var/ipfire/extrahd/scan
+#var/ipfire/extrahd/settings
+var/ipfire/forward
#var/ipfire/forward/bin
-var/ipfire/forward/bin/firewall-lib.pl
-var/ipfire/forward/bin/rules.pl
-var/ipfire/forward/config
-var/ipfire/forward/dmz
-var/ipfire/forward/input
-var/ipfire/forward/nat
-var/ipfire/forward/outgoing
-var/ipfire/forward/p2protocols
-var/ipfire/forward/settings
-#var/ipfire/fwhosts
-var/ipfire/fwhosts/customgroups
-var/ipfire/fwhosts/customhosts
-var/ipfire/fwhosts/customnetworks
-var/ipfire/fwhosts/customservicegrp
-var/ipfire/fwhosts/customservices
-var/ipfire/fwhosts/icmp-types
+#var/ipfire/forward/bin/firewall-lib.pl
+#var/ipfire/forward/bin/rules.pl
+#var/ipfire/forward/config
+#var/ipfire/forward/dmz
+#var/ipfire/forward/input
+#var/ipfire/forward/nat
+#var/ipfire/forward/outgoing
+#var/ipfire/forward/p2protocols
+#var/ipfire/forward/settings
+var/ipfire/fwhosts
+#var/ipfire/fwhosts/customgroups
+#var/ipfire/fwhosts/customhosts
+#var/ipfire/fwhosts/customnetworks
+#var/ipfire/fwhosts/customservicegrp
+#var/ipfire/fwhosts/customservices
+#var/ipfire/fwhosts/icmp-types
var/ipfire/fwlogs
#var/ipfire/fwlogs/ipsettings
#var/ipfire/fwlogs/portsettings
@@ -126,11 +126,11 @@ var/ipfire/net-traffic
#var/ipfire/nfs
#var/ipfire/nfs/nfs-server
var/ipfire/optionsfw
-var/ipfire/optionsfw/settings
+#var/ipfire/optionsfw/settings
var/ipfire/ovpn
-var/ipfire/ovpn/ccd.conf
-var/ipfire/ovpn/ccdroute
-var/ipfire/ovpn/ccdroute2
+#var/ipfire/ovpn/ccd.conf
+#var/ipfire/ovpn/ccdroute
+#var/ipfire/ovpn/ccdroute2
var/ipfire/pakfire
#var/ipfire/pakfire/settings
#var/ipfire/patches
diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
index c18f4f4..e3bbe59 100755
--- a/html/cgi-bin/forwardfw.cgi
+++ b/html/cgi-bin/forwardfw.cgi
@@ -63,7 +63,6 @@ my %aliases=();
my %optionsfw=();
my %ifaces=();
-my $VERSION='0.9.9.14';
my $color;
my $confignet = "${General::swroot}/fwhosts/customnetworks";
my $confighost = "${General::swroot}/fwhosts/customhosts";
@@ -400,8 +399,6 @@ sub base
{
&hint;
&addrule;
- print "<br><br>";
- print "<br><br><div align='right'><font size='1' color='grey'>Version: $VERSION</font></div>";
}
sub changerule
{
diff --git a/lfs/configroot b/lfs/configroot
index 690b9c9..7232e14 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -159,10 +159,10 @@ $(TARGET) :
# Configroot permissions
chown -R nobody:nobody $(CONFIG_ROOT)
chown root:root $(CONFIG_ROOT)
- for i in backup/ header.pl general-functions.pl lang.pl addon-lang/ langs/ red/ ; do \
+ for i in backup/ header.pl general-functions.pl graphs.pl lang.pl addon-lang/ langs/ red/ ; do \
chown -R root:root $(CONFIG_ROOT)/$$i; \
done
+ chown -Rv root:root $(CONFIG_ROOT)/bin
chown root:nobody $(CONFIG_ROOT)/dhcpc
-
@$(POSTBUILD)
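Review bot: The new `chown -Rv root:root $(CONFIG_ROOT)/bin` fixes only one directory, while the rootfile in this same push shows executables at `var/ipfire/forward/bin/firewall-lib.pl`, `var/ipfire/forward/bin/rules.pl` and `var/ipfire/extrahd/bin/extrahd.pl`, which the preceding `chown -R nobody:nobody $(CONFIG_ROOT)` leaves owned by the web-server user; if any of them is ever executed with root privileges (not visible here), a compromise of `nobody` could rewrite them. The commit message also promises the files are not world-writable or world-executable, yet this hunk changes only ownership and adds no `chmod`, so whatever mode bits the files arrive with are kept. I would extend the loop, `for i in backup/ bin/ forward/bin/ extrahd/bin/ header.pl general-functions.pl graphs.pl lang.pl addon-lang/ langs/ red/ ; do`, and follow it with `chmod -R go-w $(CONFIG_ROOT)/bin $(CONFIG_ROOT)/forward/bin $(CONFIG_ROOT)/extrahd/bin` (tightening to 0755 if all entries are meant to be executable). Whether `$(CONFIG_ROOT)/bin` itself exists is not shown by the rootfile excerpt.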
diff --git a/src/misc-progs/openvpnctrl.c b/src/misc-progs/openvpnctrl.c
index 97491e4..4c1d1c3 100644
--- a/src/misc-progs/openvpnctrl.c
+++ b/src/misc-progs/openvpnctrl.c
@@ -163,7 +163,6 @@ connection *getConnections() {
int readPidFile(const char *pidfile) {
FILE *fp = fopen(pidfile, "r");
if (fp == NULL) {
- fprintf(stderr, "PID file not found: '%s'\n", pidfile);
exit(1);
}
@@ -175,7 +174,6 @@ int readPidFile(const char *pidfile) {
}
void ovpnInit(void) {
-
// Read OpenVPN configuration
kv = initkeyvalues();
if (!readkeyvalues(kv, CONFIG_ROOT "/ovpn/settings")) {
@@ -184,17 +182,14 @@ void ovpnInit(void) {
}
if (!findkey(kv, "ENABLED", enablered)) {
- fprintf(stderr, "Cannot read ENABLED\n");
exit(1);
}
if (!findkey(kv, "ENABLED_BLUE", enableblue)){
- fprintf(stderr, "Cannot read ENABLED_BLUE\n");
exit(1);
}
if (!findkey(kv, "ENABLED_ORANGE", enableorange)){
- fprintf(stderr, "Cannot read ENABLED_ORANGE\n");
exit(1);
}
freekeyvalues(kv);
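Review bot: With the three `fprintf` calls removed, a missing `ENABLED`, `ENABLED_BLUE` or `ENABLED_ORANGE` key makes `ovpnInit` call `exit(1)` with no output at all, so an init script or operator seeing status 1 cannot tell a truncated `ovpn/settings` from any other silent failure, and nothing is recorded for later investigation. If the goal is only to avoid noise on a fresh install where these keys are presumably absent, one generic line before the first `exit(1)`, `fprintf(stderr, "ovpn/settings is incomplete: ENABLED* keys missing\n");`, or a `syslog(LOG_ERR, ...)` in place of stderr, keeps the diagnostic while dropping the three separate messages. The same silent `exit(1)` was introduced in `readPidFile` earlier in this diff. `ovpnInit` continues past the end of this hunk.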
@@ -220,24 +215,22 @@ void ovpnInit(void) {
}
kv=initkeyvalues();
- if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))
- {
+ if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) {
fprintf(stderr, "Cannot read ethernet settings\n");
exit(1);
}
- if (strcmp(enableblue, "on")==0){
- if (!findkey(kv, "BLUE_DEV", blueif)){
- fprintf(stderr, "Cannot read BLUE_DEV\n");
+ if (strcmp(enableblue, "on") == 0) {
+ if (!findkey(kv, "BLUE_DEV", blueif)) {
exit(1);
}
}
- if (strcmp(enableorange, "on")==0){
- if (!findkey(kv, "ORANGE_DEV", orangeif)){
- fprintf(stderr, "Cannot read ORNAGE_DEV\n");
+
+ if (strcmp(enableorange, "on") == 0) {
+ if (!findkey(kv, "ORANGE_DEV", orangeif)) {
exit(1);
}
- }
+ }
freekeyvalues(kv);
}
@@ -323,7 +316,7 @@ void createChain(char *chain) {
void createAllChains(void) {
// create chain and chain references
if (!strcmp(enableorange, "on")) {
- if (strlen(orangeif)) {
+ if (strlen(orangeif) > 0) {
createChain(OVPNORANGE);
createChainReference(OVPNORANGE);
} else {
@@ -333,7 +326,7 @@ void createAllChains(void) {
}
if (!strcmp(enableblue, "on")) {
- if (strlen(blueif)) {
+ if (strlen(blueif) > 0) {
createChain(OVPNBLUE);
createChainReference(OVPNBLUE);
} else {
@@ -343,7 +336,7 @@ void createAllChains(void) {
}
if (!strcmp(enablered, "on")) {
- if (strlen(redif)) {
+ if (strlen(redif) > 0) {
createChain(OVPNRED);
createChainReference(OVPNRED);
} else {
@@ -461,7 +454,6 @@ void setFirewallRules(void) {
if (!findkey(kv, "VPN_IP", dovpnip)){
fprintf(stderr, "Cannot read VPN_IP\n");
-// exit(1); step further as we don't need an ip
}
freekeyvalues(kv);
@@ -530,7 +522,7 @@ void stopDaemon(void) {
void startDaemon(void) {
char command[STRING_SIZE];
- if (!((strcmp(enablered, "on")==0) || (strcmp(enableblue, "on")==0) || (strcmp(enableorange, "on")==0))){
+ if (!((strcmp(enablered, "on") == 0) || (strcmp(enableblue, "on") == 0) || (strcmp(enableorange, "on") == 0))) {
fprintf(stderr, "OpenVPN is not enabled on any interface\n");
exit(1);
} else {
hooks/post-receive
--
IPFire 2.x development tree