Forward Firewall: rewrote portcheck routine in ovpnmain so that checks for portforwardingports are made against /var/ipfire/forward/nat instead of /var/ipfire/portfw/config

2026-04-10 11:05:54 +02:00 · 2013-04-23 14:14:58 +02:00
parent 931e1fed53
commit 6945e46310
1 changed files with 23 additions and 67 deletions
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -165,49 +165,31 @@ sub deletebackupcert
 		unlink ("${General::swroot}/ovpn/certs/$hexvalue.pem");
 	}
 }
-
 sub checkportfw {
-    my $KEY2 = $_[0]; # key2
-    my $SRC_PORT = $_[1]; # src_port
-    my $PROTOCOL = $_[2]; # protocol
-    my $SRC_IP = $_[3]; # sourceip
-
-    my $pfwfilename = "${General::swroot}/portfw/config";
-    open(FILE, $pfwfilename) or die 'Unable to open config file.';
-    my @pfwcurrent = <FILE>;
-    close(FILE);
-    my $pfwkey1 = 0; # used for finding last sequence number used 
-    foreach my $pfwline (@pfwcurrent)
-    {
-	my @pfwtemp = split(/\,/,$pfwline);
-
-	chomp ($pfwtemp[8]);
-	if ($KEY2 eq "0"){ # if key2 is 0 then it is a portfw addition
-		if ( $SRC_PORT eq $pfwtemp[3] &&
-			$PROTOCOL eq $pfwtemp[2] &&
-			$SRC_IP eq $pfwtemp[7])
-		{
-			 $errormessage = "$Lang::tr{'source port in use'} $SRC_PORT";
-		}
-		# Check if key2 = 0, if it is then it is a port forward entry and we want the sequence number
-		if ( $pfwtemp[1] eq "0") {
-			$pfwkey1=$pfwtemp[0];
-		}
-		# Darren Critchley - Duplicate or overlapping Port range check
-		if ($pfwtemp[1] eq "0" && 
-			$PROTOCOL eq $pfwtemp[2] &&
-			$SRC_IP eq $pfwtemp[7] &&
-			$errormessage eq '') 
-		{
-			&portchecks($SRC_PORT, $pfwtemp[5]);		
-#			&portchecks($pfwtemp[3], $pfwtemp[5]);
-#			&portchecks($pfwtemp[3], $SRC_IP);
+	my $DPORT = shift;
+	my $DPROT = shift;
+	my %natconfig =();
+	my $confignat = "${General::swroot}/forward/nat";
+	$DPROT= uc ($DPROT);
+	&General::readhasharray($confignat, \%natconfig);
+	foreach my $key (sort keys %natconfig){
+		$errormessage .= "uzlputz: $natconfig{$key}[30] und $natconfig{$key}[12]<br>";
+		my @portarray = split (/\|/,$natconfig{$key}[30]);
+		foreach my $value (@portarray){
+			$errormessage .= "uzlputz -split portaray: $value<br>";
+			if ($value =~ /:/i){
+				my ($a,$b) = split (":",$value);
+				if ($DPROT eq $natconfig{$key}[12] && $DPORT gt $a && $DPORT lt $b){
+					$errormessage= "$Lang::tr{'source port in use'} $DPORT";
+				}
+			}else{
+				if ($DPROT eq $natconfig{$key}[12] && $DPORT eq $value){
+					$errormessage= "$Lang::tr{'source port in use'} $DPORT";
+				}
+			}
 		}
 	}
-    }
-#    $errormessage="$KEY2 $SRC_PORT $PROTOCOL $SRC_IP";
-
-    return;
+	return;
 }

 sub checkportoverlap
@@ -239,32 +221,6 @@ sub checkportinc
 		return 0; 
 	}
 }
-# Darren Critchley - Duplicate or overlapping Port range check
-sub portchecks
-{
-	my $p1 = $_[0]; # New port range
-	my $p2 = $_[1]; # existing port range
-#	$_ = $_[0];
-	our ($prtrange1, $prtrange2);
-	$prtrange1 = 0;
-#	if (m/:/ && $prtrange1 == 1) { # comparing two port ranges
-#		unless (&checkportoverlap($p1,$p2)) {
-#			$errormessage = "$Lang::tr{'source port overlaps'} $p1";
-#		}
-#	}
-	if (m/:/ && $prtrange1 == 0 && $errormessage eq '') { # compare one port to a range
-		unless (&checkportinc($p2,$p1)) {
-			$errormessage = "$Lang::tr{'srcprt within existing'} $p1";
-		}
-	}
-	$prtrange1 = 1;
-	if (! m/:/ && $prtrange1 == 1 && $errormessage eq '') { # compare one port to a range
-		unless (&checkportinc($p1,$p2)) {
-			$errormessage = "$Lang::tr{'srcprt range overlaps'} $p2";
-		}
-	}
-	return;
-}

 # Darren Critchley - certain ports are reserved for IPFire 
 # TCP 67,68,81,222,445
@@ -1144,7 +1100,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
    
    
    if ($cgiparams{'ENABLED'} eq 'on'){
-	&checkportfw(0,$cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'},'0.0.0.0');
+	&checkportfw($cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'});
    }
    	
    if ($errormessage) { goto SETTINGS_ERROR; }