From 36c92ab00dd7d5a778199217bffe4c52c94d77ec Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Tue, 4 Mar 2014 07:07:31 +0100 Subject: [PATCH 01/24] kernel: arm-multi: add marvel and allwinner support. --- .../kernel.config.armv5tel-ipfire-multi | 46 +++++++++++++++++-- config/rootfiles/common/armv5tel/linux-multi | 19 +++++++- 2 files changed, 58 insertions(+), 7 deletions(-) diff --git a/config/kernel/kernel.config.armv5tel-ipfire-multi b/config/kernel/kernel.config.armv5tel-ipfire-multi index dfc746d23..dcd3b08f7 100644 --- a/config/kernel/kernel.config.armv5tel-ipfire-multi +++ b/config/kernel/kernel.config.armv5tel-ipfire-multi @@ -333,7 +333,14 @@ CONFIG_ARCH_MULTIPLATFORM=y CONFIG_ARCH_MULTI_V7=y CONFIG_ARCH_MULTI_V6_V7=y # CONFIG_ARCH_MULTI_CPU_AUTO is not set -# CONFIG_ARCH_MVEBU is not set +CONFIG_ARCH_MVEBU=y + +# +# Marvell SOC with device tree +# +CONFIG_MACH_ARMADA_370_XP=y +CONFIG_MACH_ARMADA_370=y +CONFIG_MACH_ARMADA_XP=y # CONFIG_ARCH_BCM is not set # CONFIG_GPIO_PCA953X is not set CONFIG_KEYBOARD_GPIO_POLLED=m @@ -443,7 +450,7 @@ CONFIG_MACH_OMAP4_PANDA=y # CONFIG_OMAP3_SDRC_AC_TIMING is not set # CONFIG_ARCH_SOCFPGA is not set # CONFIG_PLAT_SPEAR is not set -# CONFIG_ARCH_SUNXI is not set +CONFIG_ARCH_SUNXI=y # CONFIG_ARCH_SIRF is not set # CONFIG_ARCH_TEGRA is not set # CONFIG_ARCH_U8500 is not set @@ -460,12 +467,14 @@ CONFIG_ARCH_VIRT=y CONFIG_ARCH_VT8500=y CONFIG_ARCH_WM8850=y CONFIG_ARCH_ZYNQ=y +CONFIG_PLAT_ORION=y CONFIG_PLAT_VERSATILE=y CONFIG_ARM_TIMER_SP804=y # # Processor Type # +CONFIG_CPU_PJ4B=y CONFIG_CPU_V7=y CONFIG_CPU_32v6K=y CONFIG_CPU_32v7=y @@ -502,6 +511,7 @@ CONFIG_ARM_L1_CACHE_SHIFT=6 CONFIG_ARM_DMA_MEM_BUFFERABLE=y CONFIG_ARM_NR_BANKS=8 CONFIG_MULTI_IRQ_HANDLER=y +CONFIG_PJ4B_ERRATA_4742=y CONFIG_ARM_ERRATA_430973=y CONFIG_PL310_ERRATA_588369=y CONFIG_ARM_ERRATA_643719=y @@ -1314,6 +1324,7 @@ CONFIG_CMA_AREAS=7 # # Bus devices # +CONFIG_MVEBU_MBUS=y CONFIG_OMAP_OCP2SCP=y CONFIG_OMAP_INTERCONNECT=y CONFIG_CONNECTOR=y 
@@ -1402,6 +1413,7 @@ CONFIG_MTD_NAND_IDS=y CONFIG_MTD_NAND_GPMI_NAND=m # CONFIG_MTD_NAND_PLATFORM is not set # CONFIG_MTD_ALAUDA is not set +CONFIG_MTD_NAND_ORION=y CONFIG_MTD_NAND_MXC=m # CONFIG_MTD_ONENAND is not set @@ -1945,7 +1957,9 @@ CONFIG_NET_VENDOR_I825XX=y CONFIG_IP1000=m CONFIG_JME=m CONFIG_NET_VENDOR_MARVELL=y +CONFIG_MV643XX_ETH=m CONFIG_MVMDIO=m +CONFIG_MVNETA=m CONFIG_SKGE=m # CONFIG_SKGE_DEBUG is not set CONFIG_SKGE_GENESIS=y @@ -2542,8 +2556,10 @@ CONFIG_SERIAL_8250_RSA=y # # Non-8250 serial port support # -CONFIG_SERIAL_AMBA_PL010=m -CONFIG_SERIAL_AMBA_PL011=m +CONFIG_SERIAL_AMBA_PL010=y +CONFIG_SERIAL_AMBA_PL010_CONSOLE=y +CONFIG_SERIAL_AMBA_PL011=y +CONFIG_SERIAL_AMBA_PL011_CONSOLE=y # CONFIG_SERIAL_MFD_HSU is not set CONFIG_SERIAL_IMX=y CONFIG_SERIAL_IMX_CONSOLE=y @@ -2627,6 +2643,7 @@ CONFIG_I2C_CBUS_GPIO=m CONFIG_I2C_GPIO=m CONFIG_I2C_IMX=m # CONFIG_I2C_INTEL_MID is not set +CONFIG_I2C_MV64XXX=y CONFIG_I2C_NOMADIK=y # CONFIG_I2C_OCORES is not set CONFIG_I2C_OMAP=y @@ -2708,8 +2725,12 @@ CONFIG_PINCTRL_IMX51=y CONFIG_PINCTRL_IMX53=y CONFIG_PINCTRL_IMX6Q=y CONFIG_PINCTRL_SINGLE=y +CONFIG_PINCTRL_SUNXI=y # CONFIG_PINCTRL_EXYNOS is not set # CONFIG_PINCTRL_EXYNOS5440 is not set +CONFIG_PINCTRL_MVEBU=y +CONFIG_PINCTRL_ARMADA_370=y +CONFIG_PINCTRL_ARMADA_XP=y CONFIG_PINCTRL_WMT=y CONFIG_PINCTRL_WM8850=y CONFIG_ARCH_HAVE_CUSTOM_GPIO_H=y @@ -2727,6 +2748,7 @@ CONFIG_GPIO_GENERIC=y # CONFIG_GPIO_GENERIC_PLATFORM=y # CONFIG_GPIO_EM is not set +CONFIG_GPIO_MVEBU=y CONFIG_GPIO_MXC=y CONFIG_GPIO_PL061=y # CONFIG_GPIO_RCAR is not set @@ -2828,6 +2850,7 @@ CONFIG_CHARGER_TWL4030=y # CONFIG_BATTERY_GOLDFISH is not set CONFIG_POWER_RESET=y CONFIG_POWER_RESET_GPIO=y +CONFIG_POWER_RESET_QNAP=y CONFIG_POWER_RESET_RESTART=y CONFIG_POWER_RESET_VEXPRESS=y CONFIG_POWER_AVS=y 
@@ -2964,6 +2987,7 @@ CONFIG_THERMAL_GOV_USER_SPACE=y CONFIG_CPU_THERMAL=y CONFIG_THERMAL_EMULATION=y CONFIG_IMX_THERMAL=m +CONFIG_ARMADA_THERMAL=m CONFIG_WATCHDOG=y CONFIG_WATCHDOG_CORE=y CONFIG_WATCHDOG_NOWAYOUT=y @@ -4147,6 +4171,7 @@ CONFIG_USB_EHCI_TT_NEWSCHED=y CONFIG_USB_EHCI_PCI=y CONFIG_USB_EHCI_MXC=m CONFIG_USB_EHCI_HCD_OMAP=y +CONFIG_USB_EHCI_HCD_ORION=y CONFIG_USB_EHCI_HCD_PLATFORM=y # CONFIG_USB_OXU210HP_HCD is not set # CONFIG_USB_ISP116X_HCD is not set @@ -4345,6 +4370,7 @@ CONFIG_MMC_OMAP=y CONFIG_MMC_OMAP_HS=y CONFIG_MMC_MXC=m # CONFIG_MMC_TIFM_SD is not set +CONFIG_MMC_MVSDIO=y # CONFIG_MMC_CB710 is not set # CONFIG_MMC_VIA_SDMMC is not set CONFIG_MMC_DW=m @@ -4495,6 +4521,7 @@ CONFIG_RTC_DRV_OMAP=y CONFIG_RTC_DRV_PL030=m CONFIG_RTC_DRV_PL031=m CONFIG_RTC_DRV_VT8500=m +CONFIG_RTC_DRV_MV=m CONFIG_RTC_DRV_MXC=m CONFIG_RTC_DRV_SNVS=m @@ -4508,8 +4535,10 @@ CONFIG_DMADEVICES=y # # DMA Devices # +CONFIG_ASYNC_TX_ENABLE_CHANNEL_SWITCH=y CONFIG_AMBA_PL08X=y # CONFIG_DW_DMAC is not set +CONFIG_MV_XOR=y CONFIG_MX3_IPU=y CONFIG_MX3_IPU_IRQS=4 CONFIG_TIMB_DMA=m @@ -4687,6 +4716,9 @@ CONFIG_COMMON_CLK=y CONFIG_COMMON_CLK_VERSATILE=y CONFIG_COMMON_CLK_SI5351=m CONFIG_COMMON_CLK_AXI_CLKGEN=m +CONFIG_MVEBU_CLK_CORE=y +CONFIG_MVEBU_CLK_CPU=y +CONFIG_MVEBU_CLK_GATING=y CONFIG_HWSPINLOCK=y # @@ -4695,6 +4727,8 @@ CONFIG_HWSPINLOCK=y CONFIG_HWSPINLOCK_OMAP=y CONFIG_CLKSRC_OF=y CONFIG_CLKSRC_MMIO=y +CONFIG_ARMADA_370_XP_TIMER=y +CONFIG_SUN4I_TIMER=y CONFIG_VT8500_TIMER=y CONFIG_CADENCE_TTC_TIMER=y CONFIG_ARM_ARCH_TIMER=y @@ -5457,7 +5491,9 @@ CONFIG_CRYPTO_USER_API=y CONFIG_CRYPTO_USER_API_HASH=y CONFIG_CRYPTO_USER_API_SKCIPHER=y CONFIG_CRYPTO_HW=y -# CONFIG_CRYPTO_DEV_HIFN_795X is not set +CONFIG_CRYPTO_DEV_MV_CESA=m +CONFIG_CRYPTO_DEV_HIFN_795X=m +CONFIG_CRYPTO_DEV_HIFN_795X_RNG=y CONFIG_CRYPTO_DEV_OMAP_SHAM=y CONFIG_CRYPTO_DEV_OMAP_AES=y CONFIG_ASYMMETRIC_KEY_TYPE=m 
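Review bot: The crypto hunk re-enables `CONFIG_CRYPTO_DEV_HIFN_795X=m` together with `CONFIG_CRYPTO_DEV_HIFN_795X_RNG=y`, but the HIFN 795x is a PCI accelerator unrelated to the Marvell/Allwinner SoC support the subject describes, and the commit message does not mention it. If a particular target board needs it, say so in the message; otherwise it widens the driver surface of the multi kernel for no stated reason. The same applies to the serial hunk, which turns the AMBA PL010/PL011 drivers from modules into built-in console drivers (mirrored by the rootfile dropping the two `.ko` entries) without explanation, and to `CONFIG_CRYPTO_DEV_MV_CESA=m`, which at least fits the Marvell theme. A one-line rationale per non-obvious option would let a later reviewer tell intent from accident.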
diff --git a/config/rootfiles/common/armv5tel/linux-multi b/config/rootfiles/common/armv5tel/linux-multi index 30c4d5529..89107a334 100644 --- a/config/rootfiles/common/armv5tel/linux-multi +++ b/config/rootfiles/common/armv5tel/linux-multi @@ -5,6 +5,12 @@ boot/dtb-KVER-ipfire-multi #boot/dtb-KVER-ipfire-multi/am335x-bone.dtb #boot/dtb-KVER-ipfire-multi/am335x-evm.dtb #boot/dtb-KVER-ipfire-multi/am335x-evmsk.dtb +#boot/dtb-KVER-ipfire-multi/armada-370-db.dtb +#boot/dtb-KVER-ipfire-multi/armada-370-mirabox.dtb +#boot/dtb-KVER-ipfire-multi/armada-370-rd.dtb +#boot/dtb-KVER-ipfire-multi/armada-xp-db.dtb +#boot/dtb-KVER-ipfire-multi/armada-xp-gp.dtb +#boot/dtb-KVER-ipfire-multi/armada-xp-openblocks-ax3-4.dtb #boot/dtb-KVER-ipfire-multi/imx25-karo-tx25.dtb #boot/dtb-KVER-ipfire-multi/imx25-pdk.dtb #boot/dtb-KVER-ipfire-multi/imx27-apf27.dtb @@ -45,6 +51,10 @@ boot/dtb-KVER-ipfire-multi #boot/dtb-KVER-ipfire-multi/omap4-sdp.dtb #boot/dtb-KVER-ipfire-multi/omap4-var-som.dtb #boot/dtb-KVER-ipfire-multi/omap5-evm.dtb +#boot/dtb-KVER-ipfire-multi/sun4i-a10-cubieboard.dtb +#boot/dtb-KVER-ipfire-multi/sun4i-a10-hackberry.dtb +#boot/dtb-KVER-ipfire-multi/sun4i-a10-mini-xplus.dtb +#boot/dtb-KVER-ipfire-multi/sun5i-a13-olinuxino.dtb #boot/dtb-KVER-ipfire-multi/vexpress-v2p-ca15-tc1.dtb #boot/dtb-KVER-ipfire-multi/vexpress-v2p-ca15_a7.dtb #boot/dtb-KVER-ipfire-multi/vexpress-v2p-ca5s.dtb @@ -181,6 +191,9 @@ lib/modules/KVER-ipfire-multi #lib/modules/KVER-ipfire-multi/kernel/drivers/clk/clk-si5351.ko #lib/modules/KVER-ipfire-multi/kernel/drivers/cpufreq #lib/modules/KVER-ipfire-multi/kernel/drivers/cpufreq/imx6q-cpufreq.ko +#lib/modules/KVER-ipfire-multi/kernel/drivers/crypto +#lib/modules/KVER-ipfire-multi/kernel/drivers/crypto/hifn_795x.ko +#lib/modules/KVER-ipfire-multi/kernel/drivers/crypto/mv_cesa.ko #lib/modules/KVER-ipfire-multi/kernel/drivers/dma #lib/modules/KVER-ipfire-multi/kernel/drivers/dma/timb_dma.ko #lib/modules/KVER-ipfire-multi/kernel/drivers/firewire 
@@ -1135,7 +1148,9 @@ lib/modules/KVER-ipfire-multi #lib/modules/KVER-ipfire-multi/kernel/drivers/net/ethernet/intel/ixgbe/ixgbe.ko #lib/modules/KVER-ipfire-multi/kernel/drivers/net/ethernet/jme.ko #lib/modules/KVER-ipfire-multi/kernel/drivers/net/ethernet/marvell +#lib/modules/KVER-ipfire-multi/kernel/drivers/net/ethernet/marvell/mv643xx_eth.ko #lib/modules/KVER-ipfire-multi/kernel/drivers/net/ethernet/marvell/mvmdio.ko +#lib/modules/KVER-ipfire-multi/kernel/drivers/net/ethernet/marvell/mvneta.ko #lib/modules/KVER-ipfire-multi/kernel/drivers/net/ethernet/marvell/skge.ko #lib/modules/KVER-ipfire-multi/kernel/drivers/net/ethernet/marvell/sky2.ko #lib/modules/KVER-ipfire-multi/kernel/drivers/net/ethernet/mellanox @@ -1448,6 +1463,7 @@ lib/modules/KVER-ipfire-multi #lib/modules/KVER-ipfire-multi/kernel/drivers/rtc/rtc-m48t59.ko #lib/modules/KVER-ipfire-multi/kernel/drivers/rtc/rtc-max6900.ko #lib/modules/KVER-ipfire-multi/kernel/drivers/rtc/rtc-msm6242.ko +#lib/modules/KVER-ipfire-multi/kernel/drivers/rtc/rtc-mv.ko #lib/modules/KVER-ipfire-multi/kernel/drivers/rtc/rtc-mxc.ko #lib/modules/KVER-ipfire-multi/kernel/drivers/rtc/rtc-pcf8523.ko #lib/modules/KVER-ipfire-multi/kernel/drivers/rtc/rtc-pcf8563.ko 
@@ -1579,14 +1595,13 @@ lib/modules/KVER-ipfire-multi #lib/modules/KVER-ipfire-multi/kernel/drivers/staging/usbip/usbip-host.ko #lib/modules/KVER-ipfire-multi/kernel/drivers/staging/usbip/vhci-hcd.ko #lib/modules/KVER-ipfire-multi/kernel/drivers/thermal +#lib/modules/KVER-ipfire-multi/kernel/drivers/thermal/armada_thermal.ko #lib/modules/KVER-ipfire-multi/kernel/drivers/thermal/imx_thermal.ko #lib/modules/KVER-ipfire-multi/kernel/drivers/tty #lib/modules/KVER-ipfire-multi/kernel/drivers/tty/n_gsm.ko #lib/modules/KVER-ipfire-multi/kernel/drivers/tty/n_hdlc.ko #lib/modules/KVER-ipfire-multi/kernel/drivers/tty/n_r3964.ko #lib/modules/KVER-ipfire-multi/kernel/drivers/tty/serial -#lib/modules/KVER-ipfire-multi/kernel/drivers/tty/serial/amba-pl010.ko -#lib/modules/KVER-ipfire-multi/kernel/drivers/tty/serial/amba-pl011.ko #lib/modules/KVER-ipfire-multi/kernel/drivers/tty/serial/arc_uart.ko #lib/modules/KVER-ipfire-multi/kernel/drivers/tty/serial/sccnxp.ko #lib/modules/KVER-ipfire-multi/kernel/drivers/uio From f620fa34dfe915c2e30d74614e6aeee1c99e2c59 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 4 Mar 2014 11:37:58 +0100 Subject: [PATCH 02/24] Firewall: Fix Bug 10490 and broken colorization of tables in firewall groups --- html/cgi-bin/fwhosts.cgi | 162 +++++++++++++++++++++++++++++++-------- 1 file changed, 128 insertions(+), 34 deletions(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index efcdfb933..ceab1873d 100644 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -48,7 +48,7 @@ my %fwfwd=(); my %fwinp=(); my %fwout=(); my %ovpnsettings=(); - +my %netsettings=(); my $errormessage; my $hint; 
@@ -80,7 +80,7 @@ unless (-e $configsrvgrp) { system("touch $configsrvgrp"); } &General::readhash("$configovpn", \%ovpnsettings); &General::readhasharray("$configipsec", \%ipsecconf); &General::readhash("$configipsecrw", \%ipsecsettings); - +&General::readhash("/var/ipfire/ethernet/settings", \%netsettings); &Header::getcgihash(\%fwhostsettings); &Header::showhttpheaders(); @@ -1211,12 +1211,12 @@ sub addgrp print< - $Lang::tr{'fwhost addgrpname'} + $Lang::tr{'fwhost addgrpname'}
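Review bot: The new `&General::readhash("/var/ipfire/ethernet/settings", \%netsettings);` hard-codes the settings path, while the surrounding reads go through `$config…` variables and rules.pl in this same series builds the identical path as `"${General::swroot}/ethernet/settings"`. Using the same form here, `&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);`, keeps the two scripts consistent and avoids a second copy of the path to maintain.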
- $Lang::tr{'remark'}: - + $Lang::tr{'remark'}: +
@@ -1225,16 +1225,16 @@ sub addgrp END }else{ print< + - - + + - +
$Lang::tr{'fwhost addgrpname'}$Lang::tr{'fwhost addgrpname'}
$Lang::tr{'remark'}:
@@ -1246,8 +1246,16 @@ END
- -
$Lang::tr{'fwhost stdnet'} + + + "; if (! -z $confignet){ - print" + "; } if (! -z $confighost){ - print" +
+ + +
$Lang::tr{'fwhost cust net'}: + + +
$Lang::tr{'fwhost cust addr'}: + + +
"; #Inner table right - print"
"; + print""; + print""; print< 
@@ -1516,50 +1581,79 @@ END sub getcolor { my $c=shift; + my $sip; + my $scidr; + #Check if MAC + if (&General::validmac($c)){ return $c;} + + #Check if we got a full IP with subnet then split it + if($c =~ /^(.*?)\/(.*?)$/){ + ($sip,$scidr) = split ("/",$c); + }else{ + $sip=$c; + } + + #Now check if IP is part of ORANGE,BLUE or GREEN + if ( &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'})){ + $tdcolor="$c"; + return $tdcolor; + } + if ( &General::IpInSubnet($sip,$netsettings{'GREEN_ADDRESS'},$netsettings{'GREEN_NETMASK'})){ + $tdcolor="$c"; + return $tdcolor; + } + if ( &General::IpInSubnet($sip,$netsettings{'BLUE_ADDRESS'},$netsettings{'BLUE_NETMASK'})){ + $tdcolor="$c"; + return $tdcolor; + } + #Check if IP is part of OpenVPN N2N subnet foreach my $key (sort keys %ccdhost){ if ($ccdhost{$key}[3] eq 'net'){ my ($a,$b) = split("/",$ccdhost{$key}[11]); - if (&General::IpInSubnet($c,$a,$b)){ - $tdcolor="style='color:$Header::colourovpn ;'"; + if (&General::IpInSubnet($sip,$a,$b)){ + $tdcolor="$c"; return $tdcolor; } } } + #Check if IP is part of OpenVPN dynamic subnet my ($a,$b) = split("/",$ovpnsettings{'DOVPN_SUBNET'}); - if (&General::IpInSubnet($c,$a,$b)){ - $tdcolor="style='color: $Header::colourovpn;'"; + if (&General::IpInSubnet($sip,$a,$b)){ + $tdcolor="$c"; return $tdcolor; } + #Check if IP is part of OpenVPN static subnet foreach my $key (sort keys %ccdnet){ my ($a,$b) = split("/",$ccdnet{$key}[1]); $b =&General::iporsubtodec($b); - if (&General::IpInSubnet($c,$a,$b)){ - $tdcolor="style='color: $Header::colourovpn;'"; + if (&General::IpInSubnet($sip,$a,$b)){ + $tdcolor="$c"; return $tdcolor; } } + #Check if IP is part of IPsec RW network if ($ipsecsettings{'RW_NET'} ne ''){ my ($a,$b) = split("/",$ipsecsettings{'RW_NET'}); $b=&General::iporsubtodec($b); - if (&General::IpInSubnet($c,$a,$b)){ - $tdcolor="style='color: $Header::colourvpn;'"; + if (&General::IpInSubnet($sip,$a,$b)){ + $tdcolor="$c"; return $tdcolor; } } 
+ #Check if IP is part of a IPsec N2N network foreach my $key (sort keys %ipsecconf){ my ($a,$b) = split("/",$ipsecconf{$key}[11]); - if (&General::IpInSubnet($c,$a,$b)){ - $tdcolor="style='color: $Header::colourvpn;'"; + if (&General::IpInSubnet($sip,$a,$b)){ + $tdcolor="$c"; return $tdcolor; } } - $tdcolor=''; - return $tdcolor; + return "$c"; } sub viewtablehost { @@ -1598,7 +1692,7 @@ END $customhost{$key}[4]=~s/\s+//g; my $hostcount=0; $hostcount=&gethostcount($customhost{$key}[0]); - print""; + print""; print< @@ -1709,7 +1803,7 @@ sub viewtablegrp }else{ my ($colip,$colsub) = split("/",$ip); $ip="$colip/".&General::subtocidr($colsub) if ($colsub); - print" - - + + - + @@ -1225,16 +1225,16 @@ sub addgrp END }else{ print< +
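Review bot: In the rewritten getcolor, `$scidr` is assigned by the `split` but never read afterwards, and the regex that detects the slash already captures both halves, so the assignment can shrink to `($sip) = split("/",$c);` and `my $scidr;` can go. The ORANGE and BLUE checks run unconditionally with `$netsettings{'ORANGE_ADDRESS'}`/`'ORANGE_NETMASK'` even when that zone is not configured and the keys are empty; how `&General::IpInSubnet` treats empty arguments is not visible here, so each check should be guarded, e.g. `if ($netsettings{'ORANGE_ADDRESS'} ne '' && &General::IpInSubnet($sip,$netsettings{'ORANGE_ADDRESS'},$netsettings{'ORANGE_NETMASK'}))`. Every branch also writes the file-level `$tdcolor` before returning it, whereas the final fallthrough simply returns the string; returning directly everywhere would remove the side effect on a shared variable. The markup inside the returned strings is not recoverable from this page, so I cannot check how `$c` is embedded or escaped there.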
"; #OVPN networks if (! -z $configccdnet){ - print" + + + +
$Lang::tr{'fwhost ccdnet'} + $Lang::tr{'fwhost ccdnet'} + + + $Lang::tr{'fwhost ccdhost'} + $Lang::tr{'fwhost ccdhost'} + + + $Lang::tr{'fwhost ovpn_n2n'}: + $Lang::tr{'fwhost ovpn_n2n'}: + + + $Lang::tr{'fwhost ipsec net'} + $Lang::tr{'fwhost ipsec net'} + + + "; - print"
"; + print"
"; &Header::closebox(); } sub addservice @@ -1464,6 +1528,7 @@ sub viewtablenet &General::readhasharray("$fwconfigfwd", \%fwfwd); &General::readhasharray("$fwconfiginp", \%fwinp); &General::readhasharray("$fwconfigout", \%fwout); + if (!keys %customnetwork) { print "
$Lang::tr{'fwhost empty'}"; @@ -1490,7 +1555,7 @@ END } my $colnet="$customnetwork{$key}[1]/".&General::subtocidr($customnetwork{$key}[2]); my $netcount=&getnetcount($customnetwork{$key}[0]); - print"
$customnetwork{$key}[0]
".&Header::colorize($colnet)."$customnetwork{$key}[3]$netcount x$customnetwork{$key}[0]".&getcolor($colnet)."$customnetwork{$key}[3]$netcount x$customhost{$key}[0]".&Header::colorize($ip)."$customhost{$key}[3]$hostcount x$customhost{$key}[0]".&getcolor($ip)."$customhost{$key}[3]$hostcount x".&Header::colorize($ip)."$customgrp{$key}[3]"; + print"".&getcolor($ip)."$customgrp{$key}[3]"; } if ($delflag > 0 && $ip ne ''){ print""; From 3bb4bb3fa136224792e7dbbcf8b4f801a5565284 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 4 Mar 2014 12:36:52 +0100 Subject: [PATCH 03/24] firewall: Add rate limiting for LOG messages. Fixes #10488. --- config/firewall/rules.pl | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 182c9482a..0998c1b53 100755 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -70,6 +70,8 @@ my $netsettings = "${General::swroot}/ethernet/settings"; &General::readhasharray($configgrp, \%customgrp); &General::get_aliases(\%aliases); +my @log_limit_options = &make_log_limit_options(); + # MAIN &main(); @@ -305,7 +307,7 @@ sub buildrules { } if ($LOG) { - run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options -j LOG --log-prefix 'DNAT '"); + run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options @log_limit_options -j LOG --log-prefix 'DNAT '"); } run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options -j DNAT --to-destination $dnat_address"); @@ -317,7 +319,7 @@ sub buildrules { push(@nat_options, @destination_options); if ($LOG) { - run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j LOG --log-prefix 'SNAT '"); + run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @log_limit_options -j LOG --log-prefix 'SNAT '"); } run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j SNAT --to-source $nat_address"); } 
@@ -328,7 +330,7 @@ sub buildrules { # Insert firewall rule. if ($LOG && !$NAT) { - run("$IPTABLES -A $chain @options -j LOG"); + run("$IPTABLES -A $chain @options @log_limit_options -j LOG"); } run("$IPTABLES -A $chain @options -j $target"); } @@ -764,3 +766,18 @@ sub add_dnat_mangle_rules { run("$IPTABLES -t mangle -A $CHAIN_MANGLE_NAT_DESTINATION_FIX @mangle_options"); } } + +sub make_log_limit_options { + my @options = ("-m", "limit"); + + # Maybe we should get this from the configuration. + my $limit = 10; + + # We limit log messages to $limit messages per minute. + push(@options, ("--limit", "$limit/min")); + + # And we allow bursts of 2x $limit. + push(@options, ("--limit-burst", $limit * 2)); + + return @options; +} From 0bda23f5a1bc182592f4ac1aa9d9929769877835 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 4 Mar 2014 12:38:13 +0100 Subject: [PATCH 04/24] firewall: Add chain name to logged rules. This helps us to debug faster where a packet has been dropped. --- config/firewall/rules.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 0998c1b53..4bb40a4f9 100755 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -330,7 +330,7 @@ sub buildrules { # Insert firewall rule. if ($LOG && !$NAT) { - run("$IPTABLES -A $chain @options @log_limit_options -j LOG"); + run("$IPTABLES -A $chain @options @log_limit_options -j LOG --log-prefix '$chain '"); } run("$IPTABLES -A $chain @options -j $target"); } From 7429ee78b62e5b248a646a02dbc198db57412291 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 4 Mar 2014 14:07:04 +0100 Subject: [PATCH 05/24] Firewall: Fix oversized Textfields --- html/cgi-bin/fwhosts.cgi | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index ceab1873d..34d43f3b1 100644 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi 
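Review bot: make_log_limit_options hard-codes `$limit = 10` with only a comment saying it should perhaps come from the configuration; since this number now decides how much of a flood still reaches the log (and therefore what detection downstream can see), a named file-level constant next to the other `my $…` settings, or a config key, documents the trade-off better than a literal inside the sub. The `limit` match also keeps its token bucket per rule, so each LOG rule gets its own 10/min budget and the aggregate log rate grows with the number of logging rules; a comment such as `# -m limit state is per rule: every logging rule gets its own budget.` would make that explicit. Patch 14 later in this series repeats this hunk verbatim (same index line), so one of the two will not apply.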
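Review bot: iptables truncates `--log-prefix` to 29 characters, so `'$chain '` is only safe while the chain names used by this script stay short; a comment on the line, `# --log-prefix is limited to 29 characters`, would warn whoever adds a longer chain later. The prefix format now differs from the NAT rules above (`'DNAT '`/`'SNAT '` versus the chain name), which is fine but worth a sentence in the message for anyone writing log parsers. Patch 15 repeats this hunk verbatim.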
@@ -1211,12 +1211,12 @@ sub addgrp print<
$Lang::tr{'fwhost addgrpname'}$Lang::tr{'fwhost addgrpname'}
$Lang::tr{'remark'}:

- - + + - +
$Lang::tr{'fwhost addgrpname'}$Lang::tr{'fwhost addgrpname'}
$Lang::tr{'remark'}:
From fa8229546b11ac356ff1df733a0b17eb045559ee Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 4 Mar 2014 14:14:54 +0100 Subject: [PATCH 06/24] firewall: Extend rate limiting for ICMP error messages. Fixes #10489. --- config/etc/sysctl.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index d6a2f7504..a91aeb37f 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -1,7 +1,9 @@ net.ipv4.ip_forward = 1 net.ipv4.ip_dynaddr = 1 + net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.icmp_ignore_bogus_error_responses = 1 +net.ipv4.icmp_ratemask = 88089 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_fin_timeout = 30 From 0ba66e9293e106469894d84268b997a67f71e105 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 4 Mar 2014 14:26:55 +0100 Subject: [PATCH 07/24] firewall: Don't colourise MAC addresses. Fixes #10491. --- html/cgi-bin/firewall.cgi | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index 7b75765b2..9f960b4c0 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -1286,6 +1286,12 @@ sub getcolor my $val=shift; my $hash=shift; if($optionsfw{'SHOWCOLORS'} eq 'on'){ + # Don't colourise MAC addresses + if (&General::validmac($val)) { + $tdcolor = ""; + return; + } + #custom Hosts if ($nettype eq 'cust_host_src' || $nettype eq 'cust_host_tgt'){ foreach my $key (sort keys %$hash){ From 40962f9760ce8da23ebd5c723d75775e7853943d Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 4 Mar 2014 14:40:59 +0100 Subject: [PATCH 08/24] Firewall: Bugfix - when creating a new hostgroup, the system checked for existing name in servicegroups instead of hostgroups --- html/cgi-bin/fwhosts.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 34d43f3b1..049233c43 100644 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi 
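Review bot: 88089 is 0x15819, i.e. bits 0, 3, 4, 11, 12, 14 and 16, so echo reply, timestamp reply and information reply are rate-limited alongside the genuine error types, although the subject speaks only of error messages; patch 20 later in this series sets the mask back to 6168 (bits 3, 4, 11, 12). Whatever value is kept, a comment decoding the mask would spare the next reader the arithmetic, e.g. `# icmp_ratemask is a bit mask of ICMP types: 3=dest unreachable, 4=source quench, 11=time exceeded, 12=parameter problem`. Patch 16 repeats this hunk verbatim.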
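Review bot: The early return for MAC addresses leaves its reason implicit; a MAC has no IP to place in any of the subnets tested further down, so the comment should say why rather than what: `# A MAC address has no network to match against, so it gets no colour.` The bare `return;` communicates the result only through the file-level `$tdcolor`, which seems to be how the rest of getcolor works, but the sub continues outside the hunk so I cannot confirm no caller uses the return value. Patch 17 repeats this hunk verbatim.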
@@ -2014,7 +2014,7 @@ sub checkname } sub checkgroup { - &General::readhasharray("$configsrvgrp", \%customservicegrp ); + &General::readhasharray("$configgrp", \%customgrp ); my $name=shift; foreach my $key (keys %customservicegrp) { if($customservicegrp{$key}[0] eq $name){ From 90c2ce0c20c8b0cdb027220f5363b51dd9195d83 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 4 Mar 2014 14:51:20 +0100 Subject: [PATCH 09/24] Firewall: get rid of /32 subnetz when using manual ip addresses --- html/cgi-bin/firewall.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index 7b75765b2..e1573acdb 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -1565,7 +1565,7 @@ sub newrule my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}}); if ($scidr eq '32'){$fwdfwsettings{$fwdfwsettings{'grp1'}}=$sip;} my ($dip,$dcidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp2'}}); - if ($scidr eq '32'){$fwdfwsettings{$fwdfwsettings{'grp2'}}=$dip;} + if ($dcidr eq '32'){$fwdfwsettings{$fwdfwsettings{'grp2'}}=$dip;} &Header::openbox('100%', 'left', $Lang::tr{'fwdfw source'}); #------SOURCE------------------------------------------------------- print "
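Review bot: The fix is incomplete: checkgroup now reads `$configgrp` into `%customgrp`, but the two context lines that follow still iterate `%customservicegrp` (`foreach my $key (keys %customservicegrp)` and `if($customservicegrp{$key}[0] eq $name)`), so the new name is still compared against whatever that hash last held, not against host groups. Change them to `foreach my $key (keys %customgrp) {` and `if($customgrp{$key}[0] eq $name){`. The remainder of checkgroup lies outside the hunk.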
"; From abb3cfcc9ef1ffec5235ead3b9cad4014c141aa9 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 4 Mar 2014 15:44:02 +0100 Subject: [PATCH 10/24] Firewall: FIX allowed chars in remark --- html/cgi-bin/firewall.cgi | 27 +++++++++++---------------- 1 file changed, 11 insertions(+), 16 deletions(-) diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index e1573acdb..3eac4f9d6 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -194,6 +194,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') $errormessage=&checksource; if(!$errormessage){&checktarget;} if(!$errormessage){&checkrule;} + #check if manual ip (source) is orange network if ($fwdfwsettings{'grp1'} eq 'src_addr'){ my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}}); @@ -307,6 +308,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ $errormessage=$Lang::tr{'fwdfw err remark'}."
"; } + if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && &validremark($fwdfwsettings{'ruleremark'})){ + $errormessage=''; + } if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ $fwdfwsettings{'nosave'} = 'on'; } @@ -2125,6 +2129,7 @@ sub saverule &changerule($configfwdfw); #print"6"; } + $fwdfwsettings{'ruleremark'}=&Header::escape($fwdfwsettings{'ruleremark'}); if ($fwdfwsettings{'updatefwrule'} ne 'on'){ my $key = &General::findhasharraykey ($hash); $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'}; @@ -2260,22 +2265,12 @@ sub saverule sub validremark { # Checks a hostname against RFC1035 - my $remark = $_[0]; - - # Each part should be at least two characters in length - # but no more than 63 characters - if (length ($remark) < 1 || length ($remark) > 255) { - return 0;} - # Only valid characters are a-z, A-Z, 0-9 and - - if ($remark !~ /^[a-zäöüA-ZÖÄÜ0-9-.:;\|_()\/\s]*$/) { - return 0;} - # First character can only be a letter or a digit - if (substr ($remark, 0, 1) !~ /^[a-zäöüA-ZÖÄÜ0-9(]*$/) { - return 0;} - # Last character can only be a letter or a digit - if (substr ($remark, -1, 1) !~ /^[a-zöäüA-ZÖÄÜ0-9.:;_)]*$/) { - return 0;} - return 1; + my $remark = $_[0]; + $remark =~ s/,/;/g; + if ($remark =~ /^[[:print:]]*$/) { + return 1; + } + return 0; } sub viewtablerule { From 5a09c99a89fdeed47e0fa9ea0b3623b08422ca26 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 4 Mar 2014 16:00:14 +0100 Subject: [PATCH 11/24] Firewall: Now it is possible to just change the remark in input and outgoing --- html/cgi-bin/firewall.cgi | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index 3eac4f9d6..1c3d1ef48 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi 
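Review bot: The added block sets `$errormessage=''` whenever a changed remark validates, which also discards any error that `&checksource`, `&checktarget` or `&checkrule` produced earlier in the same saverule branch (visible as context in the @@ -194 hunk above), so a rule with an invalid source but a valid new remark would be saved. The preceding `if` only ever sets the message when the remark is invalid, so there is nothing to undo here; the block can simply be removed. Patches 11 and 13 add the same block at two further places (@@ -224 and @@ -265) and have the same problem.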
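Review bot: In the rewritten validremark, `$remark =~ s/,/;/g;` operates on a local copy, so the comma replacement has no effect on the value that is stored; patch 19 later in the series moves it into saverule, which is where it belongs. The header comment `# Checks a hostname against RFC1035` no longer describes this sub and should become something like `# A remark may contain any printable characters; rendering relies on escaping at save time.`, because `[[:print:]]` admits quotes, angle brackets and ampersands and the only protection is the `&Header::escape` call added in saverule by this same patch. Whether `[[:print:]]` matches the umlauts the old pattern allowed depends on how the CGI input is decoded, which is not visible here, so that is worth a quick test.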
@@ -224,6 +224,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ $errormessage=$Lang::tr{'fwdfw err remark'}."
"; } + if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && &validremark($fwdfwsettings{'ruleremark'})){ + $errormessage=''; + } if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ $fwdfwsettings{'nosave'} = 'on'; } @@ -265,6 +268,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ $errormessage=$Lang::tr{'fwdfw err remark'}."
"; } + if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && &validremark($fwdfwsettings{'ruleremark'})){ + $errormessage=''; + } if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ $fwdfwsettings{'nosave'} = 'on'; } From 9556a0fb95e2a7c5458ea2dcaecc29c2a71c5f86 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 4 Mar 2014 16:11:35 +0100 Subject: [PATCH 12/24] Firewall: When no manual ip is given, standard networks "all" is selected --- html/cgi-bin/firewall.cgi | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index 1c3d1ef48..6ddf745f3 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -508,8 +508,7 @@ sub checksource return $errormessage; } }elsif($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} eq ''){ - $errormessage.=$Lang::tr{'fwdfw err nosrcip'}; - return $errormessage; + $fwdfwsettings{$fwdfwsettings{'grp1'}} = 'ALL'; } #check empty fields @@ -609,8 +608,7 @@ sub checktarget return $errormessage; } }elsif($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} eq ''){ - $errormessage.=$Lang::tr{'fwdfw err notgtip'}; - return $errormessage; + $fwdfwsettings{$fwdfwsettings{'grp2'}} = 'ALL'; } #check for mac in targetgroup if ($fwdfwsettings{'grp2'} eq 'cust_grp_tgt'){ From 9c3bcb9f00fc09c86312b382bfb594c08fabc9ed Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Tue, 4 Mar 2014 16:00:14 +0100 Subject: [PATCH 13/24] Firewall: Now it is possible to just change the remark in input and outgoing --- html/cgi-bin/firewall.cgi | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index 52bac58be..dfb969738 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi 
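Review bot: Replacing the `fwdfw err nosrcip` error with `$fwdfwsettings{$fwdfwsettings{'grp1'}} = 'ALL'` silently turns an empty source field into a rule matching every source, which is the widest possible policy choice being made on the user's behalf with no feedback; the second hunk does the same for the target in checktarget. If the default is intended, it should at least be visible to the user (a hint text, as fwhosts.cgi does with its `$hint`, or a note in the rule listing) and a comment on the line should record the decision, e.g. `# Empty manual address: fall back to the 'ALL' standard network.` Patch 18 later also forces `grp1`/`grp2` to the std_net selectors, so these two hunks alone may leave the selector and the value inconsistent. Both enclosing subs continue outside the hunks.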
@@ -223,6 +223,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ $errormessage=$Lang::tr{'fwdfw err remark'}."
"; } + if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && &validremark($fwdfwsettings{'ruleremark'})){ + $errormessage=''; + } if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ $fwdfwsettings{'nosave'} = 'on'; } @@ -264,6 +267,9 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule') if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && !&validremark($fwdfwsettings{'ruleremark'})){ $errormessage=$Lang::tr{'fwdfw err remark'}."
"; } + if($fwdfwsettings{'oldruleremark'} ne $fwdfwsettings{'ruleremark'} && $fwdfwsettings{'updatefwrule'} eq 'on' && $fwdfwsettings{'ruleremark'} ne '' && &validremark($fwdfwsettings{'ruleremark'})){ + $errormessage=''; + } if ($fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'}){ $fwdfwsettings{'nosave'} = 'on'; } From 5f050d607c11a875564916de98cb3c3f2c2ce390 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 4 Mar 2014 12:36:52 +0100 Subject: [PATCH 14/24] firewall: Add rate limiting for LOG messages. Fixes #10488. --- config/firewall/rules.pl | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 182c9482a..0998c1b53 100755 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -70,6 +70,8 @@ my $netsettings = "${General::swroot}/ethernet/settings"; &General::readhasharray($configgrp, \%customgrp); &General::get_aliases(\%aliases); +my @log_limit_options = &make_log_limit_options(); + # MAIN &main(); @@ -305,7 +307,7 @@ sub buildrules { } if ($LOG) { - run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options -j LOG --log-prefix 'DNAT '"); + run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options @log_limit_options -j LOG --log-prefix 'DNAT '"); } run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options -j DNAT --to-destination $dnat_address"); @@ -317,7 +319,7 @@ sub buildrules { push(@nat_options, @destination_options); if ($LOG) { - run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j LOG --log-prefix 'SNAT '"); + run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @log_limit_options -j LOG --log-prefix 'SNAT '"); } run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j SNAT --to-source $nat_address"); } 
@@ -328,7 +330,7 @@ sub buildrules { # Insert firewall rule. if ($LOG && !$NAT) { - run("$IPTABLES -A $chain @options -j LOG"); + run("$IPTABLES -A $chain @options @log_limit_options -j LOG"); } run("$IPTABLES -A $chain @options -j $target"); } @@ -764,3 +766,18 @@ sub add_dnat_mangle_rules { run("$IPTABLES -t mangle -A $CHAIN_MANGLE_NAT_DESTINATION_FIX @mangle_options"); } } + +sub make_log_limit_options { + my @options = ("-m", "limit"); + + # Maybe we should get this from the configuration. + my $limit = 10; + + # We limit log messages to $limit messages per minute. + push(@options, ("--limit", "$limit/min")); + + # And we allow bursts of 2x $limit. + push(@options, ("--limit-burst", $limit * 2)); + + return @options; +} From 179deb37d02efbb6c180568ef361a7caf3ede70e Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 4 Mar 2014 12:38:13 +0100 Subject: [PATCH 15/24] firewall: Add chain name to logged rules. This helps us to debug faster where a packet has been dropped. --- config/firewall/rules.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 0998c1b53..4bb40a4f9 100755 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -330,7 +330,7 @@ sub buildrules { # Insert firewall rule. if ($LOG && !$NAT) { - run("$IPTABLES -A $chain @options @log_limit_options -j LOG"); + run("$IPTABLES -A $chain @options @log_limit_options -j LOG --log-prefix '$chain '"); } run("$IPTABLES -A $chain @options -j $target"); } From 13e3cf285e32334e2de1a23a916fa941994fdd23 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 4 Mar 2014 14:14:54 +0100 Subject: [PATCH 16/24] firewall: Extend rate limiting for ICMP error messages. Fixes #10489. --- config/etc/sysctl.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index d6a2f7504..a91aeb37f 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf 
@@ -1,7 +1,9 @@ net.ipv4.ip_forward = 1 net.ipv4.ip_dynaddr = 1 + net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.icmp_ignore_bogus_error_responses = 1 +net.ipv4.icmp_ratemask = 88089 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_fin_timeout = 30 From b062a11bbe730454c48c2c45ff0b1e0eec454471 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 4 Mar 2014 14:26:55 +0100 Subject: [PATCH 17/24] firewall: Don't colourise MAC addresses. Fixes #10491. --- html/cgi-bin/firewall.cgi | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index 6ddf745f3..99a9e58e4 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -1294,6 +1294,12 @@ sub getcolor my $val=shift; my $hash=shift; if($optionsfw{'SHOWCOLORS'} eq 'on'){ + # Don't colourise MAC addresses + if (&General::validmac($val)) { + $tdcolor = ""; + return; + } + #custom Hosts if ($nettype eq 'cust_host_src' || $nettype eq 'cust_host_tgt'){ foreach my $key (sort keys %$hash){ From 2610f3930ab91a3b7ba79a80ac9e6f6d0ea3c724 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 5 Mar 2014 08:02:05 +0100 Subject: [PATCH 18/24] Firewall: When no manual ip is given on rulecreation and rule is added, there's automatically std_networks "ALL" selected --- html/cgi-bin/firewall.cgi | 2 ++ 1 file changed, 2 insertions(+) diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index 99a9e58e4..d9f9e0f8a 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -508,6 +508,7 @@ sub checksource return $errormessage; } }elsif($fwdfwsettings{'src_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'src_addr'} eq ''){ + $fwdfwsettings{'grp1'}='std_net_src'; $fwdfwsettings{$fwdfwsettings{'grp1'}} = 'ALL'; } 
@@ -608,6 +609,7 @@ sub checktarget return $errormessage; } }elsif($fwdfwsettings{'tgt_addr'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'tgt_addr'} eq ''){ + $fwdfwsettings{'grp2'}='std_net_tgt'; $fwdfwsettings{$fwdfwsettings{'grp2'}} = 'ALL'; } #check for mac in targetgroup From 65c9b3a50815587bc212160465c92b6150e6fb77 Mon Sep 17 00:00:00 2001 From: Alexander Marx Date: Wed, 5 Mar 2014 08:13:04 +0100 Subject: [PATCH 19/24] Firewall: Remarkcheck should now support old firewallrules from converter --- html/cgi-bin/firewall.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index d9f9e0f8a..e633b3c5c 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -2141,6 +2141,7 @@ sub saverule &changerule($configfwdfw); #print"6"; } + $fwdfwsettings{'ruleremark'}=~ s/,/;/g; $fwdfwsettings{'ruleremark'}=&Header::escape($fwdfwsettings{'ruleremark'}); if ($fwdfwsettings{'updatefwrule'} ne 'on'){ my $key = &General::findhasharraykey ($hash); @@ -2278,7 +2279,6 @@ sub validremark { # Checks a hostname against RFC1035 my $remark = $_[0]; - $remark =~ s/,/;/g; if ($remark =~ /^[[:print:]]*$/) { return 1; } From 32c6ebdced9682fdbdbe54059de25a036557d3b0 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 5 Mar 2014 12:31:36 +0100 Subject: [PATCH 20/24] firewall: Make ICMP ratelimiting a bit saner again. --- config/etc/sysctl.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index a91aeb37f..e2e3d81b0 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -3,7 +3,8 @@ net.ipv4.ip_dynaddr = 1 net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.icmp_ignore_bogus_error_responses = 1 -net.ipv4.icmp_ratemask = 88089 +net.ipv4.icmp_ratelimit = 1000 +net.ipv4.icmp_ratemask = 6168 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_fin_timeout = 30 
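Review bot: The two sysctl values carry no explanation: 6168 is the bitmask for ICMP types 3, 4, 11 and 12 (destination unreachable, source quench, time exceeded, parameter problem), and if I recall correctly both 1000 and 6168 are the kernel defaults, so this commit effectively reverts the previous commit's widening of the mask rather than tuning it. A comment above the two lines would keep that intent through the next edit, e.g. `# Rate-limit ICMP error types 3,4,11,12 (mask 6168) to one per 1000 ms; these are the kernel defaults.`.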
From 323923d912cb86fd2e89326aa61bad06bf05d6dd Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 5 Mar 2014 13:59:28 +0100 Subject: [PATCH 21/24] firewall: Allow remarks in Unicode. --- html/cgi-bin/firewall.cgi | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index e633b3c5c..7bcb07964 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -21,7 +21,11 @@ use strict; use Sort::Naturally; +use utf8; +use feature 'unicode_strings'; + no warnings 'uninitialized'; + # enable only the following on debugging purpose #use warnings; #use CGI::Carp 'fatalsToBrowser'; @@ -2142,6 +2146,7 @@ sub saverule #print"6"; } $fwdfwsettings{'ruleremark'}=~ s/,/;/g; + utf8::decode($fwdfwsettings{'ruleremark'}); $fwdfwsettings{'ruleremark'}=&Header::escape($fwdfwsettings{'ruleremark'}); if ($fwdfwsettings{'updatefwrule'} ne 'on'){ my $key = &General::findhasharraykey ($hash); @@ -2279,6 +2284,14 @@ sub validremark { # Checks a hostname against RFC1035 my $remark = $_[0]; + + # Try to decode $remark into UTF-8. If this doesn't work, + # we assume that the string it not sane. + if (!utf8::decode($remark)) { + return 0; + } + + # Check if the string only contains of printable characters. if ($remark =~ /^[[:print:]]*$/) { return 1; } From 63f2fb7fda9112d9e39414328e5d4fab28809c63 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 5 Mar 2014 14:07:23 +0100 Subject: [PATCH 22/24] firewall: Filter logging of broadcasts from the internal networks. --- src/initscripts/init.d/firewall | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index e87952bac..a67af7056 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall 
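Review bot: The context line `# Checks a hostname against RFC1035` at the top of validremark is a stale copy-paste that now contradicts the code, which accepts any printable Unicode string; replace it with `# Checks that a rule remark decodes as UTF-8 and contains only printable characters.`, and fix the typo in the new comment (`it not sane` → `is not sane`). In saverule the in-place `utf8::decode($fwdfwsettings{'ruleremark'})` ignores its return value, so that path relies on validremark having rejected malformed input earlier; if that is not guaranteed for every caller of saverule, check the return there too. Note also that with `unicode_strings` in effect `[[:print:]]` admits Unicode format characters such as bidi controls, so a remark can render misleadingly in the UI even though Header::escape() keeps it from being an injection problem; a short comment stating that the check is about well-formedness, not display safety, would set expectations.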
@@ -230,6 +230,20 @@ iptables_init() { iptables -t nat -N REDNAT iptables -t nat -A POSTROUTING -j REDNAT + # Filter logging of incoming broadcasts. + iptables -N BROADCAST_FILTER + iptables -A INPUT -j BROADCAST_FILTER + + iptables -A BROADCAST_FILTER -i "${GREEN_DEV}" -d "${GREEN_BROADCAST}" -j DROP + + if [ -n "${BLUE_DEV}" -a -n "${BLUE_BROADCAST}" ]; then + iptables -A BROADCAST_FILTER -i "${BLUE_DEV}" -d "${BLUE_BROADCAST}" -j DROP + fi + + if [ -n "${ORANGE_DEV}" -a -n "${ORANGE_BROADCAST}" ]; then + iptables -A BROADCAST_FILTER -i "${ORANGE_DEV}" -d "${ORANGE_BROADCAST}" -j DROP + fi + # Apply OpenVPN firewall rules /usr/local/bin/openvpnctrl --firewall-rules From 91dd042b20210df0bb0461ebf09791e3c028ea86 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 5 Mar 2014 23:53:21 +0100 Subject: [PATCH 23/24] gpl.cgi: Fix proper redirection so that the agreement has only to be accepted once. --- html/cgi-bin/gpl.cgi | 35 +++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/html/cgi-bin/gpl.cgi b/html/cgi-bin/gpl.cgi index 5cfbebd15..94187ce7a 100644 --- a/html/cgi-bin/gpl.cgi +++ b/html/cgi-bin/gpl.cgi 
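Review bot: The BROADCAST_FILTER rules DROP every packet addressed to a subnet broadcast on INPUT regardless of protocol, not only the ones that would have been logged, so any service on the firewall that answers subnet-directed broadcasts stops working silently, and since the jump is appended to INPUT here (its position relative to the service rules is not visible in the hunk) there is no log line to explain it. The comment says "Filter logging" while the rules filter traffic; either is a defensible policy, but the comment should state the real one, e.g. `# Drop (not merely stop logging) subnet-directed broadcasts on INPUT; nothing on the firewall should depend on them.`. The `[ -n "${BLUE_DEV}" -a -n "${BLUE_BROADCAST}" ]` tests use the obsolescent `-a` form; `[ -n "${BLUE_DEV}" ] && [ -n "${BLUE_BROADCAST}" ]` is the portable spelling and reads the same. iptables_init() continues outside the hunk.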
@@ -29,28 +29,29 @@ require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; require "/opt/pakfire/lib/functions.pl"; +# If the license has already been accepted. +if ( -e "/var/ipfire/main/gpl_accepted" ) { + &redirect(); +} my %cgiparams; -my $refresh; - -if ( -e "/var/ipfire/main/gpl_accepted" ) { - print "Status: 302 Moved Temporarily\n"; - print "Location: index.cgi\n\n"; - exit (0); -} -&Header::showhttpheaders(); - $cgiparams{'ACTION'} = ''; + &Header::getcgihash(\%cgiparams); -&Header::openpage($Lang::tr{'main page'}, 1, $refresh); -&Header::openbigbox('', 'center'); +# Check if the license agreement has been accepted. +if ($cgiparams{'ACTION'} eq "$Lang::tr{'yes'}" && $cgiparams{'gpl_accepted'} eq '1') { + open(FILE, ">/var/ipfire/main/gpl_accepted"); + close(FILE); -# licence agreement -if ($cgiparams{'ACTION'} eq $Lang::tr{'yes'} && $cgiparams{'gpl_accepted'} eq '1') { - system('touch /var/ipfire/main/gpl_accepted'); + &redirect(); } +&Header::showhttpheaders(); + +&Header::openpage($Lang::tr{'main page'}, 1); +&Header::openbigbox('', 'center'); + &Header::openbox('100%', 'left', $Lang::tr{'gpl license agreement'}); print < Date: Fri, 7 Mar 2014 09:29:20 +0100 Subject: [PATCH 24/24] kernel: update to 3.10.33. --- lfs/linux | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/lfs/linux b/lfs/linux index fcadd69e4..1993cc8aa 100644 --- a/lfs/linux +++ b/lfs/linux @@ -24,10 +24,10 @@ include Config -VER = 3.10.32 +VER = 3.10.33 RPI_PATCHES = linux-3.10.27-grsec-943b563 -GRS_PATCHES = grsecurity-2.9.1-3.10.32-ipfire1.patch.xz +GRS_PATCHES = grsecurity-2.9.1-3.10.33-ipfire1.patch.xz THISAPP = linux-$(VER) DL_FILE = linux-$(VER).tar.xz @@ -36,7 +36,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) CFLAGS = CXXFLAGS = -PAK_VER = 37 +PAK_VER = 38 DEPS = "" VERSUFIX=ipfire$(KCFG) 
@@ -74,9 +74,9 @@ $(DL_FILE) = $(URL_IPFIRE)/$(DL_FILE) rpi-patches-$(RPI_PATCHES).patch.xz = $(URL_IPFIRE)/rpi-patches-$(RPI_PATCHES).patch.xz $(GRS_PATCHES) = $(URL_IPFIRE)/$(GRS_PATCHES) -$(DL_FILE)_MD5 = 58bfaf95f4e23be2d658dab0a7fb9615 +$(DL_FILE)_MD5 = 01865f9c129f3c7eee51e25b3781a364 rpi-patches-$(RPI_PATCHES).patch.xz_MD5 = 8cf81f48408306d93ccee59b58af2e92 -$(GRS_PATCHES)_MD5 = b67dbf569e3f3657dad0e64ec951e1cc +$(GRS_PATCHES)_MD5 = c99be0018e8bc55fb2e2b8f0ea9783d5 install : $(TARGET)