From: git@ipfire.org
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 32c6ebdced9682fdbdbe54059de25a036557d3b0
Date: Wed, 05 Mar 2014 12:34:44 +0100
Message-ID: <20140305113445.778AB20ACF@argus.ipfire.org>
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 32c6ebdced9682fdbdbe54059de25a036557d3b0 (commit)
via 6e9cf9ad860616468a0d1367e345dd24a3664c17 (commit)
via 65c9b3a50815587bc212160465c92b6150e6fb77 (commit)
via 2610f3930ab91a3b7ba79a80ac9e6f6d0ea3c724 (commit)
via b062a11bbe730454c48c2c45ff0b1e0eec454471 (commit)
via 13e3cf285e32334e2de1a23a916fa941994fdd23 (commit)
via 179deb37d02efbb6c180568ef361a7caf3ede70e (commit)
via 5f050d607c11a875564916de98cb3c3f2c2ce390 (commit)
via 9556a0fb95e2a7c5458ea2dcaecc29c2a71c5f86 (commit)
via 5a09c99a89fdeed47e0fa9ea0b3623b08422ca26 (commit)
via abb3cfcc9ef1ffec5235ead3b9cad4014c141aa9 (commit)
from 9c3bcb9f00fc09c86312b382bfb594c08fabc9ed (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 32c6ebdced9682fdbdbe54059de25a036557d3b0
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Mar 5 12:31:36 2014 +0100
firewall: Make ICMP ratelimiting a bit saner again.
commit 6e9cf9ad860616468a0d1367e345dd24a3664c17
Merge: 9c3bcb9 65c9b3a
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Wed Mar 5 12:25:12 2014 +0100
Merge remote-tracking branch 'amarx/beta3' into next
commit 65c9b3a50815587bc212160465c92b6150e6fb77
Author: Alexander Marx <alexander.marx(a)ipfire.org>
Date: Wed Mar 5 08:13:04 2014 +0100
Firewall: Remarkcheck should now support old firewallrules from converter
commit 2610f3930ab91a3b7ba79a80ac9e6f6d0ea3c724
Author: Alexander Marx <alexander.marx(a)ipfire.org>
Date: Wed Mar 5 08:02:05 2014 +0100
Firewall: When no manual ip is given on rulecreation and rule is added, there's automatically std_networks "ALL" selected
commit b062a11bbe730454c48c2c45ff0b1e0eec454471
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Mar 4 14:26:55 2014 +0100
firewall: Don't colourise MAC addresses.
Fixes #10491.
commit 13e3cf285e32334e2de1a23a916fa941994fdd23
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Mar 4 14:14:54 2014 +0100
firewall: Extend rate limiting for ICMP error messages.
Fixes #10489.
commit 179deb37d02efbb6c180568ef361a7caf3ede70e
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Mar 4 12:38:13 2014 +0100
firewall: Add chain name to logged rules.
This helps us to debug faster where a packet has been dropped.
commit 5f050d607c11a875564916de98cb3c3f2c2ce390
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Mar 4 12:36:52 2014 +0100
firewall: Add rate limiting for LOG messages.
Fixes #10488.
commit 9556a0fb95e2a7c5458ea2dcaecc29c2a71c5f86
Author: Alexander Marx <alexander.marx(a)ipfire.org>
Date: Tue Mar 4 16:11:35 2014 +0100
Firewall: When no manual ip is given, standard networks "all" is selected
commit 5a09c99a89fdeed47e0fa9ea0b3623b08422ca26
Author: Alexander Marx <alexander.marx(a)ipfire.org>
Date: Tue Mar 4 16:00:14 2014 +0100
Firewall: Now it is possible to just change the remark in input and outgoing
commit abb3cfcc9ef1ffec5235ead3b9cad4014c141aa9
Author: Alexander Marx <alexander.marx(a)ipfire.org>
Date: Tue Mar 4 15:44:02 2014 +0100
Firewall: FIX allowed chars in remark
-----------------------------------------------------------------------
Summary of changes:
config/etc/sysctl.conf | 3 ++-
html/cgi-bin/firewall.cgi | 35 +++++++++++++++--------------------
2 files changed, 17 insertions(+), 21 deletions(-)
Difference in files:
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index a91aeb3..e2e3d81 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -3,7 +3,8 @@ net.ipv4.ip_dynaddr = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
-net.ipv4.icmp_ratemask = 88089
+net.ipv4.icmp_ratelimit = 1000
+net.ipv4.icmp_ratemask = 6168
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 30
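Review bot: The two ICMP values in this hunk are bare numbers with no comment, and the mask change silently narrows what is rate limited. 6168 is 0x1818, which selects ICMP types 3 (destination unreachable), 4 (source quench), 11 (time exceeded) and 12 (parameter problem). The removed 88089 additionally had bits 0, 14 and 16 set (echo reply, timestamp reply, information reply), so those replies are no longer rate limited once this lands. Both new values are the kernel defaults for icmp_ratelimit and icmp_ratemask, so please add a comment line above them that decodes the mask and says the intent is to pin the defaults, and state in the commit message why echo replies were taken back out of the mask.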
diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
index dfb9697..e633b3c 100644
--- a/html/cgi-bin/firewall.cgi
+++ b/html/cgi-bin/firewall.cgi
@@ -194,6 +194,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
$errormessage=&checksource;
if(!$errormessage){&checktarget;}
if(!$errormessage){&checkrule;}
+
#check if manual ip (source) is orange network
if ($fwdfwsettings{'grp1'} eq 'src_addr'){
my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}});
@@ -313,6 +314,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){
$errormessage=$Lang::tr{'fwdfw err remark'}."<br>";
}
+ if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && &validremark($fwdfwsettings{'ruleremark'})){
+ $errormessage='';
+ }
if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){
$fwdfwsettings{'nosave'} = 'on';
}
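Review bot: The added block sets $errormessage='' whenever the remark changed, updatefwrule is 'on' and the remark is valid, which throws away any error that &checksource, &checktarget or &checkrule produced earlier in the same saverule branch. An update that pairs a rejected source or target with an edited remark would then be saved as if validation had passed. If the goal is to allow a remark-only edit, detect that case explicitly (nothing but ruleremark differs from the stored rule) and skip the rule checks for it, rather than clearing the error after the fact; otherwise drop the reset and let the preceding !&validremark test be the only remark-related code that touches $errormessage.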
@@ -504,8 +508,8 @@ sub checksource
return $errormessage;
}
}elsif($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} eq ''){
- $errormessage.=$Lang::tr{'fwdfw err nosrcip'};
- return $errormessage;
+ $fwdfwsettings{'grp1'}='std_net_src';
+ $fwdfwsettings{$fwdfwsettings{'grp1'}} = 'ALL';
}
#check empty fields
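Review bot: In checksource, the empty src_addr branch used to stop with 'fwdfw err nosrcip' and now rewrites grp1 to 'std_net_src' with the value 'ALL', so a forgotten or cleared source field produces the broadest possible match instead of an error. For a firewall rule editor that is a fail-open default. Please keep the error, or at minimum make the substitution visible to the user before the rule is stored, and add a comment explaining why a validation routine is changing its input.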
@@ -605,8 +609,8 @@ sub checktarget
return $errormessage;
}
}elsif($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} eq ''){
- $errormessage.=$Lang::tr{'fwdfw err notgtip'};
- return $errormessage;
+ $fwdfwsettings{'grp2'}='std_net_tgt';
+ $fwdfwsettings{$fwdfwsettings{'grp2'}} = 'ALL';
}
#check for mac in targetgroup
if ($fwdfwsettings{'grp2'} eq 'cust_grp_tgt'){
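Review bot: The empty tgt_addr branch in checktarget no longer returns an error; it assigns grp2 = 'std_net_tgt' and the value 'ALL', and execution then falls through to the 'cust_grp_tgt' check below with the rewritten grp2. A rule submitted with a blank target therefore applies to every destination without the user having selected that. Suggest restoring the 'fwdfw err notgtip' return, or requiring an explicit choice of the standard network in the form; if the fall-through is intended, say so in a comment, and remove the now unused language string if it has no other caller.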
@@ -2137,6 +2141,8 @@ sub saverule
&changerule($configfwdfw);
#print"6";
}
+ $fwdfwsettings{'ruleremark'}=~ s/,/;/g;
+ $fwdfwsettings{'ruleremark'}=&Header::escape($fwdfwsettings{'ruleremark'});
if ($fwdfwsettings{'updatefwrule'} ne 'on'){
my $key = &General::findhasharraykey ($hash);
$$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'};
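Review bot: The two added lines in saverule have no comment, and the escape is applied only at this one write site. Please document why ',' is replaced with ';' (presumably the field separator of the rule file, which is worth stating), and note that the remark is now stored in escaped form, so whatever later reads it back for comparison with 'oldruleremark' or for re-editing sees the escaped text and a second save may escape it again. Since validremark in this same push accepts any printable character, escaping at output time in the code that renders the remark would protect remarks written by other paths as well, such as rules produced by the converter mentioned in the commit log.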
@@ -2272,22 +2278,11 @@ sub saverule
sub validremark
{
# Checks a hostname against RFC1035
- my $remark = $_[0];
-
- # Each part should be at least two characters in length
- # but no more than 63 characters
- if (length ($remark) < 1 || length ($remark) > 255) {
- return 0;}
- # Only valid characters are a-z, A-Z, 0-9 and -
- if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:;\|_()\/\s]*$/) {
- return 0;}
- # First character can only be a letter or a digit
- if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9(]*$/) {
- return 0;}
- # Last character can only be a letter or a digit
- if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9.:;_)]*$/) {
- return 0;}
- return 1;
+ my $remark = $_[0];
+ if ($remark =~ /^[[:print:]]*$/) {
+ return 1;
+ }
+ return 0;
}
sub viewtablerule
{
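Review bot: The retained comment "# Checks a hostname against RFC1035" above the new body is wrong for this function and should be replaced with a description of what a valid remark is. The new test /^[[:print:]]*$/ drops the previous 255 character upper bound, accepts the empty string, and admits HTML and separator characters such as <, >, ", & and the comma, so correctness now rests entirely on the substitution and escape added in saverule; please restore a length limit here. The old pattern listed ä, ö and ü explicitly, and whether [[:print:]] matches them depends on how the CGI decodes the form value, so test a remark containing umlauts before merging.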
hooks/post-receive
--
IPFire 2.x development tree