* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 826c22d66c3eae74bb4c7287cdd81478a5341e01
@ 2014-03-10 20:49 git
From: git @ 2014-03-10 20:49 UTC (permalink / raw)
  To: ipfire-scm


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  826c22d66c3eae74bb4c7287cdd81478a5341e01 (commit)
       via  e9b5ba417924d00309736ca045997c5dec7ce4d3 (commit)
       via  cbb88df1548953beeca06d462c9d3006a15dc9ef (commit)
       via  e55334753d7dc49db0b5530b78b8d0f15ca03e9c (commit)
       via  5ef260ae4192d644d621f82bfb0a8f514088cc0c (commit)
       via  d7050fc04a06f0decd8faf12c559e899b3848191 (commit)
      from  9a5050b4c5e9a2635f859cae14820827742dfcf4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 826c22d66c3eae74bb4c7287cdd81478a5341e01
Merge: e9b5ba4 e553347
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Mar 10 21:35:15 2014 +0100

    Merge remote-tracking branch 'amarx/INDEX' into next

commit e9b5ba417924d00309736ca045997c5dec7ce4d3
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Mar 10 19:40:20 2014 +0100

    firewall: Add auxiliary rules for firewall access.
    
    Rules for accessing the firewall are added when access
    to networks (GREEN, BLUE, ...) the firewall resides in is allowed.

commit cbb88df1548953beeca06d462c9d3006a15dc9ef
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Mar 10 16:11:50 2014 +0100

    vpnmain.cgi: Remove left-over </td> tag.

commit e55334753d7dc49db0b5530b78b8d0f15ca03e9c
Author: Alexander Marx <alexander.marx(a)ipfire.org>
Date:   Mon Mar 10 12:54:06 2014 +0100

    graphs.pl: fixed layout on Nexus 7 devices; "hour-day-week-month-year" links now appear above the graph

commit 5ef260ae4192d644d621f82bfb0a8f514088cc0c
Author: Alexander Marx <alexander.marx(a)ipfire.org>
Date:   Mon Mar 10 12:22:32 2014 +0100

    index.cgi: fix colors and tables for vpn connections

commit d7050fc04a06f0decd8faf12c559e899b3848191
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Sat Mar 8 17:29:47 2014 +0100

    ipsec: Allow to create firewall rules for IPsec input as well.

-----------------------------------------------------------------------

Summary of changes:
 config/cfgroot/graphs.pl                  |  2 +-
 config/firewall/firewall-policy           |  9 +++++
 config/firewall/rules.pl                  | 36 +++++++++++++++++
 html/cgi-bin/index.cgi                    | 10 ++---
 html/cgi-bin/vpnmain.cgi                  |  2 +-
 src/patches/strongswan-5.0.2_ipfire.patch | 66 +++++++++++++++++++------------
 6 files changed, 93 insertions(+), 32 deletions(-)

Difference in files:
diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl
index cc00c66..81b6fa4 100644
--- a/config/cfgroot/graphs.pl
+++ b/config/cfgroot/graphs.pl
@@ -92,8 +92,8 @@ sub makegraphbox {
 	print "<a href='".$_[0]."?".$_[1]."?month' target='".$_[1]."box'><b>".$Lang::tr{'month'}."</b></a>";
 	print " - ";
 	print "<a href='".$_[0]."?".$_[1]."?year' target='".$_[1]."box'><b>".$Lang::tr{'year'}."</b></a>";
-	print "<iframe src='".$_[0]."?".$_[1]."?".$_[2]."' width='".$width."' height='".$height."' scrolling='no' frameborder='no' marginheight='0' name='".$_[1]."box'></iframe>";
 	print "</center>";
+	print "<iframe src='".$_[0]."?".$_[1]."?".$_[2]."' width='".$width."' height='".$height."' scrolling='no' frameborder='no' marginheight='0' name='".$_[1]."box'></iframe>";
 }
 
 # Generate the CPU Graph for the current period of time for values given by
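Review bot: The moved print on the `+` line still splices `$_[0]`, `$_[1]` and `$_[2]` straight into the single-quoted `src` and `name` attributes without any escaping, so the hunk reorders the markup but leaves the attribute construction as it was; if any caller passes a graph name or period derived from the query string, a value containing `'` terminates the attribute early. Unpacking the arguments by name at the top of the sub (`my ($cgi, $graph, $period) = @_;`) and passing them through an HTML attribute escape (for example `encode_entities` from HTML::Entities) before building the iframe would both document the contract and close that gap; whether every caller is trusted is not visible from this hunk. makegraphbox starts before this hunk.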
diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index b820a7f..2c583c5 100755
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -52,10 +52,19 @@ case "${CONFIG_TYPE}" in
 		;;
 esac
 
+HAVE_IPSEC="true"
 HAVE_OPENVPN="true"
 
 # INPUT
 
+# IPsec INPUT
+case "${HAVE_IPSEC},${POLICY}" in
+	true,MODE1) ;;
+	true,*)
+		iptables -A POLICYIN -m policy --pol ipsec --dir in -j ACCEPT
+		;;
+esac
+
 # OpenVPN INPUT
 # Allow direct access to the internal IP addresses of the firewall
 # from remote subnets if forward policy is allowed.
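Review bot: The new IPsec INPUT block at `case "${HAVE_IPSEC},${POLICY}" in` carries no explanatory comment, whereas the OpenVPN block directly below it says why it allows direct access to the firewall; `iptables -A POLICYIN -m policy --pol ipsec --dir in -j ACCEPT` accepts every inbound IPsec-decapsulated packet regardless of interface, source or destination, which deserves the same one-line justification, e.g. `# Allow IPsec peers direct access to the firewall unless the forward policy is MODE1 (blocked by default).` `HAVE_IPSEC="true"` is a literal constant exactly like `HAVE_OPENVPN`, so the case is in effect a switch on `${POLICY}` alone; if the flag is meant to be derived from the IPsec settings later, a TODO saying so would keep that intent from being lost.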
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 4bb40a4..51ddb44 100755
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -278,6 +278,11 @@ sub buildrules {
 					# Add time constraint options.
 					push(@options, @time_options);
 
+					my $firewall_is_in_source_subnet = 0;
+					if ($source) {
+						$firewall_is_in_source_subnet = &firewall_is_in_subnet($source);
+					}
+
 					# Process NAT rules.
 					if ($NAT) {
 						my $nat_address = &get_nat_address($$hash{$key}[29]);
@@ -326,6 +331,14 @@ sub buildrules {
 					}
 
 					push(@options, @source_options);
+
+					if ($firewall_is_in_source_subnet && ($fwdfwsettings{"POLICY"} eq "MODE1") && ($chain eq $CHAIN_FORWARD)) {
+						if ($LOG && !$NAT) {
+							run("$IPTABLES -A $CHAIN_INPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
+						}
+						run("$IPTABLES -A $CHAIN_INPUT @options -j $target");
+					}
+
 					push(@options, @destination_options);
 
 					# Insert firewall rule.
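Review bot: The rule appended by `run("$IPTABLES -A $CHAIN_INPUT @options -j $target");` is built before `@destination_options` is pushed, so it carries the source options only and admits traffic from that source to any address the firewall itself owns, whatever destination the original FORWARD rule named; that is presumably the intent, but the commit message talks about access to the networks the firewall resides in while the condition tests the source subnet, so a comment stating the design would help, e.g. `# The firewall lives in the source network: mirror this FORWARD rule into INPUT (destination options deliberately omitted, any firewall address matches).` The LOG counterpart is skipped whenever `$NAT` is set even though the INPUT rule is still added in that case, which looks inconsistent with `$LOG` alone governing the rule; confirm that is deliberate or drop the `!$NAT` term. buildrules continues outside this hunk.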
@@ -781,3 +794,26 @@ sub make_log_limit_options {
 
 	return @options;
 }
+
+sub firewall_is_in_subnet {
+	my $subnet = shift;
+
+	my ($net_address, $net_mask) = split("/", $subnet);
+	if (!$net_mask) {
+		return 0;
+	}
+
+	# ORANGE is missing here, because nothing may ever access
+	# the firewall from this network.
+	foreach my $zone ("GREEN", "BLUE") {
+		next unless (exists $defaultNetworks{$zone . "_ADDRESS"});
+
+		my $zone_address = $defaultNetworks{$zone . "_ADDRESS"};
+
+		if (&General::IpInSubnet($zone_address, $net_address, $net_mask)) {
+			return 1;
+		}
+	}
+
+	return 0;
+}
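Review bot: firewall_is_in_subnet has no header comment, and the guard `if (!$net_mask)` treats a mask of `0` the same as a missing mask, so a source written as `0.0.0.0/0` yields 0 although it contains every firewall address; if such sources can reach this sub, test `if (!defined $net_mask || $net_mask eq '')` instead (what form of mask `General::IpInSubnet` expects, prefix length or dotted, is not visible here). A short header would make the contract explicit: returns 1 when the firewall's GREEN or BLUE address lies inside `$subnet` given as `address/mask`, 0 when it does not or when `$subnet` carries no mask; ORANGE is excluded on purpose, as the inline comment already says.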
diff --git a/html/cgi-bin/index.cgi b/html/cgi-bin/index.cgi
index c5ccae8..2ce4030 100644
--- a/html/cgi-bin/index.cgi
+++ b/html/cgi-bin/index.cgi
@@ -358,7 +358,7 @@ if (($confighash{'ENABLED'} eq "on") ||
 	$ovpnip="$ovpnip/$sub";
 print <<END;
 	<tr>
-		<td style='width:25%; text-align:center; background-color:$Header::colourvpn;'>
+		<td style='width:25%; text-align:center; background-color:$Header::colourovpn;'>
 			<a href='/cgi-bin/ovpnmain.cgi' style='color:white'><b>OpenVPN</b></a>
 		</td>
 		<td style='width:30%; text-align:center;'>$ovpnip</td>
@@ -372,7 +372,7 @@ print"</table>";
 #Check if there are any vpns configured (ipsec and openvpn)
 &General::readhasharray("${General::swroot}/vpn/config", \%vpnconfig);
 foreach my $key (sort { ncmp($vpnconfig{$a}[1],$vpnconfig{$b}[1]) } keys %vpnconfig) {
-	if ($vpnconfig{$key}[0] eq 'on'){
+	if ($vpnconfig{$key}[0] eq 'on' && $vpnconfig{$key}[3] ne 'host'){
 		$showipsec=1;
 		$showbox=1;
 		last;
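Review bot: The new test `$vpnconfig{$key}[3] ne 'host'` is repeated verbatim in the second loop of the next hunk (the one incrementing `$count`), and neither place says what field 3 holds or why `host` connections are left out of the overview; a comment above the first loop such as `# skip type 'host' connections: they carry no remote subnet to list` would record the reason — the meaning of `host` here is inferred and should be confirmed against vpnmain.cgi. Moving the predicate into a small sub shared by both loops would keep the two filters from drifting apart.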
@@ -409,7 +409,7 @@ if ($showbox){
 		</tr>
 END
 		foreach my $key (sort { uc($vpnconfig{$a}[1]) cmp uc($vpnconfig{$b}[1]) } keys %vpnconfig) {
-			if ($vpnconfig{$key}[0] eq 'on') {
+			if ($vpnconfig{$key}[0] eq 'on' && $vpnconfig{$key}[3] ne 'host') {
 				$count++;
 				my ($vpnip,$vpnsub) = split("/",$vpnconfig{$key}[11]);
 				$vpnsub=&General::iporsubtocidr($vpnsub);
@@ -420,8 +420,8 @@ END
 					$col = $color{'color20'};
 				}
 				print "<tr>";
-				print "<td style='text-align:left; color:white; background-color:$Header::colourovpn;'>$vpnconfig{$key}[1]</td>";
-				print "<td style='text-align:left; background-color:$col'>$vpnip</td>";
+				print "<td style='text-align:left; color:white; background-color:$Header::colourvpn;'>$vpnconfig{$key}[1]</td>";
+				print "<td style='text-align:center; background-color:$col'>$vpnip</td>";
 
 				my $activecolor = $Header::colourred;
 				my $activestatus = $Lang::tr{'capsclosed'};
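Review bot: The rewritten line `print "<td style='text-align:left; color:white; background-color:$Header::colourvpn;'>$vpnconfig{$key}[1]</td>";` still interpolates the connection name into the page without HTML escaping; the name is read from the vpn config file maintained by vpnmain.cgi, and whether that input is restricted to safe characters is not visible in this hunk, so either rely on that validation and say so in a comment, or pass the name through an HTML escape before interpolating it. The enclosing loop starts outside this hunk.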
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 7e90649..af836da 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -2520,7 +2520,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 		<td>
 			<label>
 				<input type='checkbox' name='ONLY_PROPOSED' $checked{'ONLY_PROPOSED'} />
-				IKE+ESP: $Lang::tr{'use only proposed settings'}</td>
+				IKE+ESP: $Lang::tr{'use only proposed settings'}
 			</label>
 		</td>
 	</tr>
diff --git a/src/patches/strongswan-5.0.2_ipfire.patch b/src/patches/strongswan-5.0.2_ipfire.patch
index 6606095..71eb24e 100644
--- a/src/patches/strongswan-5.0.2_ipfire.patch
+++ b/src/patches/strongswan-5.0.2_ipfire.patch
@@ -1,8 +1,6 @@
-diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
-index 3a40e21..d9f3ea0 100644
 --- a/src/_updown/_updown.in
 +++ b/src/_updown/_updown.in
-@@ -193,6 +193,29 @@ custom:*)		# custom parameters (see above CAUTION comment)
+@@ -178,6 +178,29 @@
  	;;
  esac
  
@@ -32,7 +30,7 @@ index 3a40e21..d9f3ea0 100644
  # utility functions for route manipulation
  # Meddling with this stuff should not be necessary and requires great care.
  uproute() {
-@@ -397,12 +420,12 @@ up-host:iptables)
+@@ -407,12 +430,12 @@
  	# connection to me, with (left/right)firewall=yes, coming up
  	# This is used only by the default updown script, not by your custom
  	# ones, so do not mess with it; see CAUTION comment up at top.
@@ -46,9 +44,9 @@ index 3a40e21..d9f3ea0 100644
 -	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 +	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
  	#
- 	# log IPsec host connection setup
- 	if [ $VPN_LOGGING ]
-@@ -410,10 +433,10 @@ up-host:iptables)
+ 	# allow IPIP traffic because of the implicit SA created by the kernel if
+ 	# IPComp is used (for small inbound packets that are not compressed)
+@@ -428,10 +451,10 @@
  	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
  	  then
  	    logger -t $TAG -p $FAC_PRIO \
@@ -61,7 +59,7 @@ index 3a40e21..d9f3ea0 100644
  	  fi
  	fi
  	;;
-@@ -421,12 +444,12 @@ down-host:iptables)
+@@ -439,12 +462,12 @@
  	# connection to me, with (left/right)firewall=yes, going down
  	# This is used only by the default updown script, not by your custom
  	# ones, so do not mess with it; see CAUTION comment up at top.
@@ -75,9 +73,9 @@ index 3a40e21..d9f3ea0 100644
 -	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
 +	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j MARK --set-mark 50
  	#
- 	# log IPsec host connection teardown
- 	if [ $VPN_LOGGING ]
-@@ -434,10 +457,10 @@ down-host:iptables)
+ 	# IPIP exception teardown
+ 	if [ -n "$PLUTO_IPCOMP" ]
+@@ -459,10 +482,10 @@
  	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
  	  then
  	    logger -t $TAG -p $FAC_PRIO -- \
@@ -90,7 +88,7 @@ index 3a40e21..d9f3ea0 100644
  	  fi
  	fi
  	;;
-@@ -447,24 +470,24 @@ up-client:iptables)
+@@ -472,24 +495,24 @@
  	# ones, so do not mess with it; see CAUTION comment up at top.
  	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
  	then
@@ -113,16 +111,26 @@ index 3a40e21..d9f3ea0 100644
 -	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 +	  iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
  	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
- 	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+-	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
 -	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j RETURN
 +	  iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
  	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
 -	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
 +	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j MARK --set-mark 50
  	fi
  	#
- 	# log IPsec client connection setup
-@@ -473,12 +496,51 @@ up-client:iptables)
+ 	# allow IPIP traffic because of the implicit SA created by the kernel if
+@@ -497,7 +520,7 @@
+ 	# INPUT is correct here even for forwarded traffic.
+ 	if [ -n "$PLUTO_IPCOMP" ]
+ 	then
+-	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
++	  iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ 	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ 	fi
+ 	#
+@@ -507,12 +530,51 @@
  	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
  	  then
  	    logger -t $TAG -p $FAC_PRIO \
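Review bot: In the up-client case the subnet rule on IPSECINPUT now ends in `-j RETURN`, so the packet falls through to the policy and firewall rules that follow, but the IPIP exception inserted a few lines later, `iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p 4 ... -j ACCEPT`, keeps `-j ACCEPT`; with IPComp in use, protocol-4 packets from the peer are accepted unconditionally while ordinary decapsulated traffic is subject to the later rules. If that asymmetry is intended (the IPIP payload being re-injected and filtered on a second pass), a comment in the patch should say so; otherwise the exception should also use RETURN, and the matching down-client teardown hunk (`iptables -D IPSECINPUT ... -p 4 ... -j ACCEPT`) should change in step.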
@@ -176,7 +184,7 @@ index 3a40e21..d9f3ea0 100644
  	;;
  down-client:iptables)
  	# connection to client subnet, with (left/right)firewall=yes, going down
-@@ -486,28 +548,28 @@ down-client:iptables)
+@@ -520,34 +582,34 @@
  	# ones, so do not mess with it; see CAUTION comment up at top.
  	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
  	then
@@ -202,8 +210,9 @@ index 3a40e21..d9f3ea0 100644
 +	  iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
  	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
- 	         $IPSEC_POLICY_IN -j ACCEPT
+-	         $IPSEC_POLICY_IN -j ACCEPT
 -	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
++	         $IPSEC_POLICY_IN -j RETURN
 +	  iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
  	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
  	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
@@ -211,8 +220,15 @@ index 3a40e21..d9f3ea0 100644
 +	         $IPSEC_POLICY_OUT -j MARK --set-mark 50
  	fi
  	#
- 	# log IPsec client connection teardown
-@@ -516,12 +578,51 @@ down-client:iptables)
+ 	# IPIP exception teardown
+ 	if [ -n "$PLUTO_IPCOMP" ]
+ 	then
+-	  iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
++	  iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p 4 \
+ 	      -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ 	fi
+ 	#
+@@ -557,12 +619,51 @@
  	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
  	  then
  	    logger -t $TAG -p $FAC_PRIO -- \
@@ -266,7 +282,7 @@ index 3a40e21..d9f3ea0 100644
  	;;
  #
  # IPv6
-@@ -556,10 +657,10 @@ up-host-v6:iptables)
+@@ -597,10 +698,10 @@
  	# connection to me, with (left/right)firewall=yes, coming up
  	# This is used only by the default updown script, not by your custom
  	# ones, so do not mess with it; see CAUTION comment up at top.
@@ -279,7 +295,7 @@ index 3a40e21..d9f3ea0 100644
  	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
  	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
  	#
-@@ -580,10 +681,10 @@ down-host-v6:iptables)
+@@ -621,10 +722,10 @@
  	# connection to me, with (left/right)firewall=yes, going down
  	# This is used only by the default updown script, not by your custom
  	# ones, so do not mess with it; see CAUTION comment up at top.
@@ -292,7 +308,7 @@ index 3a40e21..d9f3ea0 100644
  	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
  	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
  	#
-@@ -606,10 +707,10 @@ up-client-v6:iptables)
+@@ -647,10 +748,10 @@
  	# ones, so do not mess with it; see CAUTION comment up at top.
  	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
  	then
@@ -305,7 +321,7 @@ index 3a40e21..d9f3ea0 100644
  	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
  	fi
-@@ -618,10 +719,10 @@ up-client-v6:iptables)
+@@ -659,10 +760,10 @@
  	# or sometimes host access via the internal IP is needed
  	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
  	then
@@ -318,7 +334,7 @@ index 3a40e21..d9f3ea0 100644
  	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
  	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
  	fi
-@@ -645,11 +746,11 @@ down-client-v6:iptables)
+@@ -686,11 +787,11 @@
  	# ones, so do not mess with it; see CAUTION comment up at top.
  	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
  	then
@@ -332,7 +348,7 @@ index 3a40e21..d9f3ea0 100644
  	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
  	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
  	         $IPSEC_POLICY_IN -j ACCEPT
-@@ -659,11 +760,11 @@ down-client-v6:iptables)
+@@ -700,11 +801,11 @@
  	# or sometimes host access via the internal IP is needed
  	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
  	then


hooks/post-receive
--
IPFire 2.x development tree
