From: git@ipfire.org To: ipfire-scm@lists.ipfire.org Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. fa8229546b11ac356ff1df733a0b17eb045559ee Date: Tue, 04 Mar 2014 14:16:29 +0100 Message-ID: <20140304131629.6E72D20505@argus.ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7619739123895766730==" List-Id: --===============7619739123895766730== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree". The branch, next has been updated via fa8229546b11ac356ff1df733a0b17eb045559ee (commit) via fbd8ac3c8c06c5cf6b262e98af17c85b1609cecc (commit) via 8225c4fc98da65f37e4fe1535dee46a27522ac3a (commit) via 7429ee78b62e5b248a646a02dbc198db57412291 (commit) via 0bda23f5a1bc182592f4ac1aa9d9929769877835 (commit) via 3bb4bb3fa136224792e7dbbcf8b4f801a5565284 (commit) via f620fa34dfe915c2e30d74614e6aeee1c99e2c59 (commit) from 36c92ab00dd7d5a778199217bffe4c52c94d77ec (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit fa8229546b11ac356ff1df733a0b17eb045559ee Author: Michael Tremer Date: Tue Mar 4 14:14:54 2014 +0100 firewall: Extend rate limiting for ICMP error messages. =20 Fixes #10489. 
commit fbd8ac3c8c06c5cf6b262e98af17c85b1609cecc Merge: 8225c4f 7429ee7 Author: Michael Tremer Date: Tue Mar 4 14:14:45 2014 +0100 Merge remote-tracking branch 'amarx/beta3' into next commit 8225c4fc98da65f37e4fe1535dee46a27522ac3a Merge: 0bda23f 36c92ab Author: Michael Tremer Date: Tue Mar 4 14:14:36 2014 +0100 Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next commit 7429ee78b62e5b248a646a02dbc198db57412291 Author: Alexander Marx Date: Tue Mar 4 14:07:04 2014 +0100 Firewall: Fix oversized Textfields commit 0bda23f5a1bc182592f4ac1aa9d9929769877835 Author: Michael Tremer Date: Tue Mar 4 12:38:13 2014 +0100 firewall: Add chain name to logged rules. =20 This helps us to debug faster where a packet has been dropped. commit 3bb4bb3fa136224792e7dbbcf8b4f801a5565284 Author: Michael Tremer Date: Tue Mar 4 12:36:52 2014 +0100 firewall: Add rate limiting for LOG messages. =20 Fixes #10488. commit f620fa34dfe915c2e30d74614e6aeee1c99e2c59 Author: Alexander Marx Date: Tue Mar 4 11:37:58 2014 +0100 Firewall: Fix Bug 10490 and broken colorization of tables in firewall gro= ups ----------------------------------------------------------------------- Summary of changes: config/etc/sysctl.conf | 2 + config/firewall/rules.pl | 23 ++++++- html/cgi-bin/fwhosts.cgi | 164 +++++++++++++++++++++++++++++++++++++--------= -- 3 files changed, 151 insertions(+), 38 deletions(-) Difference in files: diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index d6a2f75..a91aeb3 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -1,7 +1,9 @@ net.ipv4.ip_forward =3D 1 net.ipv4.ip_dynaddr =3D 1 + net.ipv4.icmp_echo_ignore_broadcasts =3D 1 net.ipv4.icmp_ignore_bogus_error_responses =3D 1 +net.ipv4.icmp_ratemask =3D 88089 =20 net.ipv4.tcp_syncookies =3D 1 net.ipv4.tcp_fin_timeout =3D 30 diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 182c948..4bb40a4 100755 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl 
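Review bot: The added `net.ipv4.icmp_ratemask =3D 88089` in the sysctl.conf hunk is an opaque bitmask with no comment; it is the kernel default 6168 (bits 3, 4, 11, 12: Destination Unreachable, Source Quench, Time Exceeded, Parameter Problem) plus bits 0, 14 and 16 (Echo Reply, Timestamp Reply, Info Reply), and a comment saying so spares the next reader the arithmetic. The mask only selects which ICMP types are limited; the rate itself comes from `net.ipv4.icmp_ratelimit`, which this hunk leaves at the kernel default (1000 ms) unless it is set elsewhere in the file, which is not visible here. I would add above the line `# Rate-limit echo/timestamp/info replies on top of the default error types (bits 0,3,4,11,12,14,16)`.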
@@ -70,6 +70,8 @@ my $netsettings =3D "${General::swroot}/ethernet/settings";
 &General::readhasharray($configgrp, \%customgrp);
 &General::get_aliases(\%aliases);
=20
+my @log_limit_options =3D &make_log_limit_options();
+
 # MAIN
 &main();
=20
@@ -305,7 +307,7 @@ sub buildrules {
 }
=20
 if ($LOG) {
- run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options -j LOG = --log-prefix 'DNAT '");
+ run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options @log_li= mit_options -j LOG --log-prefix 'DNAT '");
 }
 run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options -j DNAT = --to-destination $dnat_address");
=20
@@ -317,7 +319,7 @@ sub buildrules {
 push(@nat_options, @destination_options);
=20
 if ($LOG) {
- run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j LOG --log= -prefix 'SNAT '");
+ run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @log_limit_o= ptions -j LOG --log-prefix 'SNAT '");
 }
 run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j SNAT --to-= source $nat_address");
 }
@@ -328,7 +330,7 @@ sub buildrules {
=20
 # Insert firewall rule.
 if ($LOG && !$NAT) {
- run("$IPTABLES -A $chain @options -j LOG");
+ run("$IPTABLES -A $chain @options @log_limit_options -j LOG --log-pref= ix '$chain '");
 }
 run("$IPTABLES -A $chain @options -j $target");
 }
@@ -764,3 +766,18 @@ sub add_dnat_mangle_rules {
 run("$IPTABLES -t mangle -A $CHAIN_MANGLE_NAT_DESTINATION_FIX @mangle_opti= ons");
 }
 }
+
+sub make_log_limit_options {
+ my @options =3D ("-m", "limit");
+
+ # Maybe we should get this from the configuration.
+ my $limit =3D 10;
+
+ # We limit log messages to $limit messages per minute.
+ push(@options, ("--limit", "$limit/min"));
+
+ # And we allow bursts of 2x $limit.
+ push(@options, ("--limit-burst", $limit * 2));
+
+ return @options;
+}
diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
index efcdfb9..34d43f3 100644
--- a/html/cgi-bin/fwhosts.cgi
+++ b/html/cgi-bin/fwhosts.cgi
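Review bot: In the @@ -328 hunk the new `--log-prefix '$chain '` is built from a chain name whose length is not bounded here, and the iptables LOG target truncates the prefix at 29 characters, so a long chain name would be silently cut and the log line becomes ambiguous when it is read back. If custom chain names can be long (their construction is outside this hunk), bound the prefix explicitly, e.g. `my $prefix = substr($chain, 0, 28);` followed by `run("$IPTABLES -A $chain @options @log_limit_options -j LOG --log-prefix '$prefix '");`. The same `@log_limit_options` insertion in the @@ -305 and @@ -317 hunks is fine as written, but `run()` receives a single string, so whether the single quotes around the prefix go through a shell depends on how `run()` executes it, which is not visible here. buildrules starts and ends outside these hunks.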
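Review bot: `make_log_limit_options` in the @@ -764 hunk has no header comment, and the one thing a reader needs to know is that the `limit` match keeps a separate token bucket per rule, so "10/min, burst 20" applies to each LOG rule independently rather than to the firewall's log volume as a whole, which the commit message ("Add rate limiting for LOG messages") could be read to promise. I would put above the sub `# Returns iptables options that rate-limit ONE LOG rule to $limit messages per minute (burst 2x $limit). The limit is per rule, not a global cap on log output.`. The hard-coded value flagged by the "Maybe we should get this from the configuration" comment can become an optional argument without touching the caller: `my ($limit) = @_;` then `$limit = 10 unless defined $limit;` in place of `my $limit = 10;`.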
@@ -48,7 +48,7 @@ my %fwfwd=3D(); my %fwinp=3D(); my %fwout=3D(); my %ovpnsettings=3D(); - +my %netsettings=3D(); =20 my $errormessage; my $hint; @@ -80,7 +80,7 @@ unless (-e $configsrvgrp) { system("touch $configsrvgrp"); } &General::readhash("$configovpn", \%ovpnsettings); &General::readhasharray("$configipsec", \%ipsecconf); &General::readhash("$configipsecrw", \%ipsecsettings); - +&General::readhash("/var/ipfire/ethernet/settings", \%netsettings); &Header::getcgihash(\%fwhostsettings); =20 &Header::showhttpheaders(); @@ -1211,12 +1211,12 @@ sub addgrp print< - $Lang::tr{'fwhost addgrpname'} -
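Review bot: The added `&General::readhash("/var/ipfire/ethernet/settings", \%netsettings);` in the @@ -80 hunk hard-codes the settings path, while the neighbouring readhash calls go through `$config*` variables and rules.pl in the same push derives the same file from the install root (`my $netsettings = "${General::swroot}/ethernet/settings"` in its context line). For consistency and to keep relocated installs working, the line should be `&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);`, assuming `General::swroot` is available to this CGI as it is to rules.pl, which is not visible here. The `my %netsettings=();` declaration in the @@ -48 hunk pairs with this call and needs no change.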
+ $Lang::tr{'fwhost addgrpname'} + - $Lang::tr{'remark'}: - + $Lang::tr{'remark'}: +
@@ -1225,16 +1225,16 @@ sub addgrp END }else{ print< + - - + + - +
$Lang::tr{'fwhost addgrpname'}$Lang::tr{'fwhost addgrpname'} <= input type=3D'hidden' name=3D'ACTION' value=3D'changegrpname'>
$Lang::tr{'remark'}: <= /td>
@@ -1246,8 +1246,16 @@ END
- -
$La= ng::tr{'fwhost stdnet'} + + + "; if (! -z $confignet){ - print" + "; } if (! -z $confighost){ - print" +
+ + +
$Lang::tr{'fwhost cust= net'}: + + +
$Lang::tr{'fwhost cust addr'}: + + +
"; #Inner table right - print"
"; + print"
"; #OVPN networks if (! -z $configccdnet){ - print" + + + + "; + print""; print< 
@@ -1516,50 +1581,79 @@ END sub getcolor { my $c=3Dshift; + my $sip; + my $scidr; + #Check if MAC + if (&General::validmac($c)){ return $c;} + + #Check if we got a full IP with subnet then split it + if($c =3D~ /^(.*?)\/(.*?)$/){ + ($sip,$scidr) =3D split ("/",$c); + }else{ + $sip=3D$c; + } + + #Now check if IP is part of ORANGE,BLUE or GREEN + if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings= {'ORANGE_NETMASK'})){ + $tdcolor=3D"$c"; + return $tdcolor; + } + if ( &General::IpInSubnet($sip,$netsettings{'GREEN_ADDRESS'},$netsettings{= 'GREEN_NETMASK'})){ + $tdcolor=3D"$c"; + return $tdcolor; + } + if ( &General::IpInSubnet($sip,$netsettings{'BLUE_ADDRESS'},$netsettings{'= BLUE_NETMASK'})){ + $tdcolor=3D"$c"; + return $tdcolor; + } + #Check if IP is part of OpenVPN N2N subnet foreach my $key (sort keys %ccdhost){ if ($ccdhost{$key}[3] eq 'net'){ my ($a,$b) =3D split("/",$ccdhost{$key}[11]); - if (&General::IpInSubnet($c,$a,$b)){ - $tdcolor=3D"style=3D'color:$Header::colourovpn ;'"; + if (&General::IpInSubnet($sip,$a,$b)){ + $tdcolor=3D"$c"; return $tdcolor; } } } + #Check if IP is part of OpenVPN dynamic subnet my ($a,$b) =3D split("/",$ovpnsettings{'DOVPN_SUBNET'}); - if (&General::IpInSubnet($c,$a,$b)){ - $tdcolor=3D"style=3D'color: $Header::colourovpn;'"; + if (&General::IpInSubnet($sip,$a,$b)){ + $tdcolor=3D"$c"; return $tdcolor; } + #Check if IP is part of OpenVPN static subnet foreach my $key (sort keys %ccdnet){ my ($a,$b) =3D split("/",$ccdnet{$key}[1]); $b =3D&General::iporsubtodec($b); - if (&General::IpInSubnet($c,$a,$b)){ - $tdcolor=3D"style=3D'color: $Header::colourovpn;'"; + if (&General::IpInSubnet($sip,$a,$b)){ + $tdcolor=3D"$c"; return $tdcolor; } } + #Check if IP is part of IPsec RW network if ($ipsecsettings{'RW_NET'} ne ''){ my ($a,$b) =3D split("/",$ipsecsettings{'RW_NET'}); $b=3D&General::iporsubtodec($b); - if (&General::IpInSubnet($c,$a,$b)){ - $tdcolor=3D"style=3D'color: $Header::colourvpn;'"; + if 
(&General::IpInSubnet($sip,$a,$b)){ + $tdcolor=3D"$c"; return $tdcolor; } } + #Check if IP is part of a IPsec N2N network foreach my $key (sort keys %ipsecconf){ my ($a,$b) =3D split("/",$ipsecconf{$key}[11]); - if (&General::IpInSubnet($c,$a,$b)){ - $tdcolor=3D"style=3D'color: $Header::colourvpn;'"; + if (&General::IpInSubnet($sip,$a,$b)){ + $tdcolor=3D"$c"; return $tdcolor; } } - $tdcolor=3D''; - return $tdcolor; + return "$c"; } sub viewtablehost { @@ -1598,7 +1692,7 @@ END $customhost{$key}[4]=3D~s/\s+//g; my $hostcount=3D0; $hostcount=3D&gethostcount($customhost{$key}[0]); - print""; + print""; print< @@ -1709,7 +1803,7 @@ sub viewtablegrp }else{ my ($colip,$colsub) =3D split("/",$ip); $ip=3D"$colip/".&General::subtocidr($colsub) if ($colsub); - print"
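Review bot: In the getcolor hunk, `$scidr` is declared and assigned from `split("/",$c)` but never read afterwards, and the regex match on `$c` only decides whether to split, so the whole block can be `my ($sip) = split("/", $c);`, which yields the address alone when there is no slash and drops the unused variable. The new ORANGE and BLUE checks pass `$netsettings{'ORANGE_ADDRESS'}`/`$netsettings{'BLUE_ADDRESS'}` to `&General::IpInSubnet`, and those keys are empty on systems without that zone; unless IpInSubnet already rejects empty arguments (not visible here), guard them with `if ($netsettings{'ORANGE_ADDRESS'} && &General::IpInSubnet($sip, $netsettings{'ORANGE_ADDRESS'}, $netsettings{'ORANGE_NETMASK'}))` and likewise for BLUE. `$tdcolor` is assigned without `my` in both the old and the new branches, so unless it is declared at file scope it is package-wide state; a `my $tdcolor;` next to `my $sip;` keeps it local to the sub. The sub starts and ends within this hunk, although the email wrapping splits it across lines.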
$Lang::tr{'fwhost ccdnet'} + $Lang::tr{'fwhost ccdnet'} + + + $Lang::tr{'fwhost ccdhost'} + $Lang::tr{'fwhost ccdhost'} + + + $= Lang::tr{'fwhost ovpn_n2n'}: + $Lang::tr{'fwhost ovpn_n2n'}: + + + $Lang::tr{'fwhost ipsec net'} + $Lang::tr{'fwhost ipsec net'} + + + "; - print""; + print"
"; &Header::closebox(); } sub addservice @@ -1464,6 +1528,7 @@ sub viewtablenet &General::readhasharray("$fwconfigfwd", \%fwfwd); &General::readhasharray("$fwconfiginp", \%fwinp); &General::readhasharray("$fwconfigout", \%fwout); + if (!keys %customnetwork)=20 {=20 print "
$Lang::tr{'fwhost empty'}";=20 @@ -1490,7 +1555,7 @@ END } my $colnet=3D"$customnetwork{$key}[1]/".&General::subtocidr($customnetwor= k{$key}[2]); my $netcount=3D&getnetcount($customnetwork{$key}[0]); - print"
$customnetwork{$key}[0= ]".&Header::colorize($colnet)."<= /td>$customnetwork{$key}[3]$netcount x$customnetwork{$key}[0= ]".&getcolor($colnet)."$customnetwork{$key}[3]$net= count x$customhost{$key}[0]".&Header::colorize($ip)."$customhost{$key}[3]$hostcount x$customhost{$key}[0]".&getcolor($ip)."$customhost{$key}[3]$hostcount x".&Header::coloriz= e($ip)."$customgrp{$key}[3]"; + print"".&getcolor($ip)."$customgrp{$key}[3]= "; } if ($delflag > 0 && $ip ne ''){ print""; hooks/post-receive -- IPFire 2.x development tree --===============7619739123895766730==--