From: git@ipfire.org
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. da7a2208d3a3c4143ce9029665ad9d738e70d3b1
Date: Mon, 17 Mar 2014 18:03:30 +0100 [thread overview]
Message-ID: <20140317170330.89E8920C44@argus.ipfire.org> (raw)
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via da7a2208d3a3c4143ce9029665ad9d738e70d3b1 (commit)
via 5cf8c8c12382d77b07fbcb1b8916d78d2806cc74 (commit)
via c2a1af7545c52edc9354e778acecb6370ea15d48 (commit)
from 2a07aa9d9c4c1968a1072147107d889a1a8aae5e (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit da7a2208d3a3c4143ce9029665ad9d738e70d3b1
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Mar 17 18:03:00 2014 +0100
firewall: rules.pl: Code cleanup.
commit 5cf8c8c12382d77b07fbcb1b8916d78d2806cc74
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Mar 17 17:39:47 2014 +0100
firewall: Fix DNAT rules between internal zones.
commit c2a1af7545c52edc9354e778acecb6370ea15d48
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Mar 17 15:47:28 2014 +0100
firewall: rules.pl: Sanitise source and destination IP addresses.
Those variables are now empty if source or destination are
unspecified.
-----------------------------------------------------------------------
Summary of changes:
config/firewall/rules.pl | 79 ++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 66 insertions(+), 13 deletions(-)
Difference in files:
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 51ddb44..7a8e9ba 100755
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -39,6 +39,7 @@ my $CHAIN_NAT_SOURCE = "NAT_SOURCE";
my $CHAIN_NAT_DESTINATION = "NAT_DESTINATION";
my $CHAIN_MANGLE_NAT_DESTINATION_FIX = "NAT_DESTINATION";
my @VALID_CHAINS = ($CHAIN_INPUT, $CHAIN_FORWARD, $CHAIN_OUTPUT);
+my @ANY_ADDRESSES = ("0.0.0.0/0.0.0.0", "0.0.0.0/0", "0/0");
my @PROTOCOLS = ("tcp", "udp", "icmp", "igmp", "ah", "esp", "gre", "ipv6", "ipip");
my @PROTOCOLS_WITH_PORTS = ("tcp", "udp");
@@ -255,6 +256,16 @@ sub buildrules {
# Skip invalid rules.
next if (!$source || !$destination || ($destination eq "none"));
+ # Sanitize source.
+ if ($source ~~ @ANY_ADDRESSES) {
+ $source = "";
+ }
+
+ # Sanitize destination.
+ if ($destination ~~ @ANY_ADDRESSES) {
+ $destination = "";
+ }
+
# Array with iptables arguments.
my @options = ();
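Review bot: The two new `~~` tests in the `# Sanitize source.` and `# Sanitize destination.` blocks rely on smartmatch, which is experimental from Perl 5.18 onward and emits warnings there; the same construct appears again in the DNAT hunk at `unless ($nat_address ~~ @internal_addresses)`. A plain string comparison does the same job without the feature dependency, e.g. `$source = "" if grep { $_ eq $source } @ANY_ADDRESSES;` and likewise for `$destination`. Dropping `-s`/`-d` entirely for these values is equivalent to matching any address in iptables, so the sanitisation itself looks sound. buildrules continues outside the hunk.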
@@ -268,12 +279,15 @@ sub buildrules {
my @source_options = ();
if ($source =~ /mac/) {
push(@source_options, $source);
- } else {
+ } elsif ($source) {
push(@source_options, ("-s", $source));
}
# Prepare destination options.
- my @destination_options = ("-d", $destination);
+ my @destination_options = ();
+ if ($destination) {
+ push(@destination_options, ("-d", $destination));
+ }
# Add time constraint options.
push(@options, @time_options);
@@ -285,7 +299,7 @@ sub buildrules {
# Process NAT rules.
if ($NAT) {
- my $nat_address = &get_nat_address($$hash{$key}[29]);
+ my $nat_address = &get_nat_address($$hash{$key}[29], $source);
# Skip NAT rules if the NAT address is unknown
# (i.e. no internet connection has been established, yet).
@@ -294,7 +308,10 @@ sub buildrules {
# Destination NAT
if ($NAT_MODE eq "DNAT") {
# Make port-forwardings useable from the internal networks.
- &add_dnat_mangle_rules($nat_address, @options);
+ my @internal_addresses = &get_internal_firewall_ip_addresses(1);
+ unless ($nat_address ~~ @internal_addresses) {
+ &add_dnat_mangle_rules($nat_address, @options);
+ }
my @nat_options = @options;
push(@nat_options, @source_options);
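Review bot: The new guard that skips `add_dnat_mangle_rules` when `$nat_address` is one of the internal firewall addresses is not explained, and the `1` passed to `get_internal_firewall_ip_addresses` includes ORANGE here while `firewall_is_in_subnet` later excludes it with `0`. A short comment above the `unless` would help the next reader, e.g. `# If the NAT target is already one of the firewall's own internal addresses, the mangle fix-up for internal clients is skipped; ORANGE is included here on purpose.` — adjust if the ORANGE inclusion is not intended. The smartmatch in this guard has the same portability concern raised on the sanitisation hunk. buildrules continues outside the hunk.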
@@ -380,12 +397,21 @@ sub get_alias {
sub get_nat_address {
my $zone = shift;
+ my $source = shift;
# Any static address of any zone.
if ($zone eq "RED" || $zone eq "GREEN" || $zone eq "ORANGE" || $zone eq "BLUE") {
return $defaultNetworks{$zone . "_ADDRESS"};
} elsif ($zone eq "Default IP") {
+ if ($source) {
+ my $firewall_ip = &get_internal_firewall_ip_address($source, 1);
+
+ if ($firewall_ip) {
+ return $firewall_ip;
+ }
+ }
+
return &get_external_address();
} else {
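Review bot: `get_nat_address` gains an optional second parameter `$source` but has no header comment describing either argument or the new preference order in the "Default IP" branch. Add above `sub get_nat_address` a comment such as `# Returns the NAT address for $zone. For "Default IP", the firewall's address in the internal network that $source belongs to is preferred when $source is given and matches; otherwise the external address is used.` Note that the lookup only succeeds for a source written as network/mask, so a bare host address falls through to `get_external_address()`. The function continues outside the hunk.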
@@ -795,25 +821,52 @@ sub make_log_limit_options {
return @options;
}
-sub firewall_is_in_subnet {
- my $subnet = shift;
+sub get_internal_firewall_ip_addresses {
+ my $use_orange = shift;
- my ($net_address, $net_mask) = split("/", $subnet);
- if (!$net_mask) {
- return 0;
+ my @zones = ("GREEN", "BLUE");
+ if ($use_orange) {
+ push(@zones, "ORANGE");
}
- # ORANGE is missing here, because nothing may ever access
- # the firewall from this network.
- foreach my $zone ("GREEN", "BLUE") {
+ my @addresses = ();
+ for my $zone (@zones) {
next unless (exists $defaultNetworks{$zone . "_ADDRESS"});
my $zone_address = $defaultNetworks{$zone . "_ADDRESS"};
+ push(@addresses, $zone_address);
+ }
+ return @addresses;
+}
+
+sub get_internal_firewall_ip_address {
+ my $subnet = shift;
+ my $use_orange = shift;
+
+ my ($net_address, $net_mask) = split("/", $subnet);
+ if (!$net_mask) {
+ return;
+ }
+
+ my @addresses = &get_internal_firewall_ip_addresses($use_orange);
+ foreach my $zone_address (@addresses) {
if (&General::IpInSubnet($zone_address, $net_address, $net_mask)) {
- return 1;
+ return $zone_address;
}
}
+}
+
+sub firewall_is_in_subnet {
+ my $subnet = shift;
+
+ # ORANGE is missing here, because nothing may ever access
+ # the firewall from this network.
+ my $address = &get_internal_firewall_ip_address($subnet, 0);
+
+ if ($address) {
+ return 1;
+ }
return 0;
}
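Review bot: `get_internal_firewall_ip_address` has no explicit `return` after the `foreach`, so when no zone address matches the sub returns whatever the loop statement evaluates to rather than a deliberate empty value; add `return;` after the loop, since both callers (`get_nat_address`, `firewall_is_in_subnet`) test the result for truthiness. Separately, the `if (!$net_mask) { return; }` guard means a single host address without `/` never matches an internal zone, so a DNAT rule with such a source still resolves to `get_external_address()` in `get_nat_address`, which looks like the case the commit meant to fix. If single-host sources occur in this rule set, treat the missing mask as a host mask before the guard (e.g. `$net_mask //= "255.255.255.255";` if `General::IpInSubnet` accepts that form) — this needs confirming against the rule format.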
hooks/post-receive
--
IPFire 2.x development tree