Forward Firewall: implemented multiport support for source and target ports

This commit is contained in:
Alexander Marx
2013-01-19 07:15:25 +01:00
committed by Michael Tremer
parent e0800c21db
commit 8f0b047b4b
3 changed files with 110 additions and 54 deletions


@@ -3,7 +3,7 @@
require '/var/ipfire/general-functions.pl'; require '/var/ipfire/general-functions.pl';
use Socket; use Socket;
use File::Path;
my $ipgrouppath = "${General::swroot}/outgoing/groups/ipgroups/"; my $ipgrouppath = "${General::swroot}/outgoing/groups/ipgroups/";
my $macgrouppath = "${General::swroot}/outgoing/groups/macgroups/"; my $macgrouppath = "${General::swroot}/outgoing/groups/macgroups/";
my $outgoingrules = "${General::swroot}/outgoing/rules"; my $outgoingrules = "${General::swroot}/outgoing/rules";
@@ -37,7 +37,7 @@ my %fwdsettings=();
sub process_groups sub process_groups
{ {
if(! -d "/var/log/converters"){ mkdir("/var/log/converters");} if(! -d "/var/log/converters"){ mkdir("/var/log/converters");}
if( -f "/var/log/converters/groups-convert.log"){unlink ("/var/log/converters/groups-convert.log");} if( -f "/var/log/converters/groups-convert.log"){rmtree("var/log/converters");}
open (LOG, ">/var/log/converters/groups-convert.log") or die $!; open (LOG, ">/var/log/converters/groups-convert.log") or die $!;
#IP Group processing #IP Group processing
foreach my $group (@ipgroups){ foreach my $group (@ipgroups){
@@ -362,26 +362,36 @@ sub process_rules
$target='ALL'; $target='ALL';
} }
if($configline[8] ne ''){ if($configline[8] ne ''){
if (!($configline[8] =~ /^(\d+)\:(\d+)$/)) { my @values=();
if(&General::validport($configline[8])){ my @parts=split(",",$configline[8]);
$useport='ON'; foreach (@parts){
$port=$configline[8]; print"PRüfe port $_\n";
$grp3='TGT_PORT'; if (!($_ =~ /^(\d+)\:(\d+)$/)) {
}else{ if(&General::validport($_)){
print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n"; $useport='ON';
next; print" push single\n";
} push (@values,$_);
}else{ $grp3='TGT_PORT';
my ($a1,$a2) = split(/\:/,$configline[8]); }else{
if (&General::validport($a1) && &General::validport($a2) && $a1 < $a2){ print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n";
$useport='ON'; next;
$port=$configline[8]; }
$grp3='TGT_PORT';
}else{ }else{
print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n"; my ($a1,$a2) = split(/\:/,$_);
next; if (&General::validport($a1) && &General::validport($a2) && $a1 < $a2){
} $useport='ON';
print"push range $_\n";
push (@values,"$a1:$a2");
$grp3='TGT_PORT';
}else{
print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n";
next;
}
}
} }
$port=join("|",@values);
print"fertig, habe \"$port\"\n";
@values=();
} }
}else{ }else{
print LOG "-> Rule not converted because not for Firewall mode $outsettings{'POLICY'} (we are only converting for actual mode)\n"; print LOG "-> Rule not converted because not for Firewall mode $outsettings{'POLICY'} (we are only converting for actual mode)\n";
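Review bot: The `next` that follows each "Rule not converted, invalid destination Port" log line now sits inside the new `foreach (@parts)` loop, so it skips only the offending part and the rule is still converted from whatever parts were valid (or with an empty `$port` when none were) while the log claims it was dropped. The enclosing per-rule loop of process_rules starts outside this hunk; assuming it can carry a label, both statements should become `next RULE;` so the whole rule is rejected as before, or a flag set inside the loop and checked after `$port=join("|",@values);`. The `print"PRüfe port $_\n"`, `print" push single\n"`, `print"push range $_\n"` and `print"fertig, habe \"$port\"\n"` lines are leftover debug output to STDOUT and should be removed. The log line always quotes the full `$configline[8]`; quoting `$_` would name the part that actually failed.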


@@ -339,7 +339,8 @@ sub get_port
my $prot=shift; my $prot=shift;
if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){ if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
if ($$hash{$key}[10] ne ''){ if ($$hash{$key}[10] ne ''){
return "--sport $$hash{$key}[10] "; $$hash{$key}[10] =~ s/\|/,/g;
return "-m multiport --sport $$hash{$key}[10] ";
}elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){ }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
return "--icmp-type $$hash{$key}[9] "; return "--icmp-type $$hash{$key}[9] ";
}elsif($$hash{$key}[9] eq 'All ICMP-Types'){ }elsif($$hash{$key}[9] eq 'All ICMP-Types'){
@@ -349,7 +350,8 @@ sub get_port
if($$hash{$key}[14] eq 'TGT_PORT'){ if($$hash{$key}[14] eq 'TGT_PORT'){
if ($$hash{$key}[15] ne ''){ if ($$hash{$key}[15] ne ''){
return "--dport $$hash{$key}[15] "; $$hash{$key}[15] =~ s/\|/,/g;
return "-m multiport --dport $$hash{$key}[15] ";
}elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){ }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
return "--icmp-type $$hash{$key}[13] "; return "--icmp-type $$hash{$key}[13] ";
}elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){ }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){
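Review bot: `$$hash{$key}[10] =~ s/\|/,/g` (and the same on `[15]`) rewrites the rule's stored value in place as a side effect of building an iptables argument, so any code that reads the hash after get_port sees commas where the config used `|`; copy first, `my $ports = $$hash{$key}[10]; $ports =~ s/\|/,/g; return "-m multiport --sport $ports ";`. Two caveats on the new `-m multiport` form deserve a comment at the top of get_port: it is only valid together with `-p tcp` or `-p udp`, and the match accepts at most 15 ports with a range counting as two, so a value assembled from more entries makes iptables reject the whole rule and nothing in this hunk bounds that count. The SRC branch does not check the protocol here; presumably the caller only stores a source port for TCP/UDP, but that should be confirmed. get_port begins before this hunk.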


@@ -210,12 +210,13 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
} }
} }
#check if we just close a rule #check if we just close a rule
if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} ) { if( $fwdfwsettings{'oldgrp1a'} eq $fwdfwsettings{'grp1'} && $fwdfwsettings{'oldgrp1b'} eq $fwdfwsettings{$fwdfwsettings{'grp1'}} && $fwdfwsettings{'oldgrp2a'} eq $fwdfwsettings{'grp2'} && $fwdfwsettings{'oldgrp2b'} eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $fwdfwsettings{'oldgrp3a'} eq $fwdfwsettings{'grp3'} && $fwdfwsettings{'oldgrp3b'} eq $fwdfwsettings{$fwdfwsettings{'grp3'}} && $fwdfwsettings{'oldusesrv'} eq $fwdfwsettings{'USESRV'} && $fwdfwsettings{'oldruleremark'} eq $fwdfwsettings{'ruleremark'} ) {
if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){ if($fwdfwsettings{'nosave'} eq 'on' && $fwdfwsettings{'updatefwrule'} eq 'on'){
$fwdfwsettings{'nosave2'} = 'on'; $fwdfwsettings{'nosave2'} = 'on';
$errormessage=''; $errormessage='';
} }
} }
#increase counters #increase counters
&checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}}); &checkcounter($fwdfwsettings{'oldgrp1a'},$fwdfwsettings{'oldgrp1b'},$fwdfwsettings{'grp1'},$fwdfwsettings{$fwdfwsettings{'grp1'}});
&checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}}); &checkcounter($fwdfwsettings{'oldgrp2a'},$fwdfwsettings{'oldgrp2b'},$fwdfwsettings{'grp2'},$fwdfwsettings{$fwdfwsettings{'grp2'}});
@@ -663,23 +664,42 @@ sub checksource
$fwdfwsettings{'PROT'}=''; $fwdfwsettings{'PROT'}='';
} }
if($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && $fwdfwsettings{'PROT'} ne 'ICMP' && $fwdfwsettings{'SRC_PORT'} ne ''){ if($fwdfwsettings{'USE_SRC_PORT'} eq 'ON' && ($fwdfwsettings{'PROT'} eq 'TCP' || $fwdfwsettings{'PROT'} eq 'UDP') && $fwdfwsettings{'SRC_PORT'} ne ''){
#change dashes with : my @parts=split(",",$fwdfwsettings{'SRC_PORT'});
$fwdfwsettings{'SRC_PORT'}=~ tr/-/:/; my @values=();
foreach (@parts){
if ($fwdfwsettings{'SRC_PORT'} eq "*") { chomp($_);
$fwdfwsettings{'SRC_PORT'} = "1:65535"; if ($_ =~ /^(\d+)\:(\d+)$/) {
my $check;
#change dashes with :
$_=~ tr/-/:/;
if ($_ eq "*") {
push(@values,"1:65535");
$check='on';
}
if ($_ =~ /^(\D)\:(\d+)$/) {
push(@values,"1:$2");
$check='on';
}
if ($_ =~ /^(\d+)\:(\D)$/) {
push(@values,"$1:65535");
$check='on'
}
$errormessage .= &General::validportrange($_, 'destination');
if(!$check){
push (@values,$_);
}
}else{
if (&General::validport($_)){
push (@values,$_);
}else{
}
}
} }
if ($fwdfwsettings{'SRC_PORT'} =~ /^(\D)\:(\d+)$/) { $fwdfwsettings{'SRC_PORT'}=join("|",@values);
$fwdfwsettings{'SRC_PORT'} = "1:$2"; return $errormessage;
}
if ($fwdfwsettings{'SRC_PORT'} =~ /^(\d+)\:(\D)$/) {
$fwdfwsettings{'SRC_PORT'} = "$1:65535";
}
$errormessage.=&General::validportrange($fwdfwsettings{'SRC_PORT'},'src');
} }
return $errormessage;
} }
sub checktarget sub checktarget
{ {
@@ -737,18 +757,39 @@ sub checktarget
if ($fwdfwsettings{'grp3'} eq 'TGT_PORT'){ if ($fwdfwsettings{'grp3'} eq 'TGT_PORT'){
if ($fwdfwsettings{'TGT_PROT'} eq 'TCP' || $fwdfwsettings{'TGT_PROT'} eq 'UDP'){ if ($fwdfwsettings{'TGT_PROT'} eq 'TCP' || $fwdfwsettings{'TGT_PROT'} eq 'UDP'){
if ($fwdfwsettings{'TGT_PORT'} ne ''){ if ($fwdfwsettings{'TGT_PORT'} ne ''){
#change dashes with : my @parts=split(",",$fwdfwsettings{'TGT_PORT'});
$fwdfwsettings{'TGT_PORT'}=~ tr/-/:/; my @values=();
if ($fwdfwsettings{'TGT_PORT'} eq "*") { foreach (@parts){
$fwdfwsettings{'TGT_PORT'} = "1:65535"; chomp($_);
if ($_ =~ /^(\d+)\:(\d+)$/) {
my $check;
#change dashes with :
$_=~ tr/-/:/;
if ($_ eq "*") {
push(@values,"1:65535");
$check='on';
}
if ($_ =~ /^(\D)\:(\d+)$/) {
push(@values,"1:$2");
$check='on';
}
if ($_ =~ /^(\d+)\:(\D)$/) {
push(@values,"$1:65535");
$check='on'
}
$errormessage .= &General::validportrange($_, 'destination');
if(!$check){
push (@values,$_);
}
}else{
if (&General::validport($_)){
push (@values,$_);
}else{
}
}
} }
if ($fwdfwsettings{'TGT_PORT'} =~ /^(\D)\:(\d+)$/) { $fwdfwsettings{'TGT_PORT'}=join("|",@values);
$fwdfwsettings{'TGT_PORT'} = "1:$2";
}
if ($fwdfwsettings{'TGT_PORT'} =~ /^(\d+)\:(\D)$/) {
$fwdfwsettings{'TGT_PORT'} = "$1:65535";
}
$errormessage .= &General::validportrange($fwdfwsettings{'TGT_PORT'}, 'destination');
} }
}elsif ($fwdfwsettings{'TGT_PROT'} eq 'GRE'){ }elsif ($fwdfwsettings{'TGT_PROT'} eq 'GRE'){
$fwdfwsettings{$fwdfwsettings{'grp3'}} = ''; $fwdfwsettings{$fwdfwsettings{'grp3'}} = '';
@@ -782,7 +823,6 @@ sub checktarget
$fwdfwsettings{$fwdfwsettings{'grp3'}}=''; $fwdfwsettings{$fwdfwsettings{'grp3'}}='';
$fwdfwsettings{'TGT_PROT'}=''; $fwdfwsettings{'TGT_PROT'}='';
$fwdfwsettings{'ICMP_TGT'}=''; $fwdfwsettings{'ICMP_TGT'}='';
} }
#check timeframe #check timeframe
if($fwdfwsettings{'TIME'} eq 'ON'){ if($fwdfwsettings{'TIME'} eq 'ON'){
@@ -1140,8 +1180,9 @@ END
print"<option>$_</option>"; print"<option>$_</option>";
} }
} }
$fwdfwsettings{'SRC_PORT'}=~ s/\|/,/g;
print<<END; print<<END;
</select></td><td align='right'><input type='text' name='SRC_PORT' value='$fwdfwsettings{'SRC_PORT'}' maxlength='11' size='9' ></td></tr> </select></td><td align='right'><input type='text' name='SRC_PORT' value='$fwdfwsettings{'SRC_PORT'}' maxlength='20' size='18' ></td></tr>
<tr><td></td><td></td><td></td><td></td><td nowrap='nowrap'>$Lang::tr{'fwhost icmptype'}</td><td colspan='2'><select name='ICMP_TYPES'> <tr><td></td><td></td><td></td><td></td><td nowrap='nowrap'>$Lang::tr{'fwhost icmptype'}</td><td colspan='2'><select name='ICMP_TYPES'>
END END
&General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes); &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes);
@@ -1294,8 +1335,9 @@ END
print"<option>$_</option>"; print"<option>$_</option>";
} }
} }
$fwdfwsettings{'TGT_PORT'} =~ s/\|/,/g;
print<<END; print<<END;
</select></td><td align='right'><input type='text' name='TGT_PORT' value='$fwdfwsettings{'TGT_PORT'}' maxlength='11' size='9' ></td></tr> </select></td><td align='right'><input type='text' name='TGT_PORT' value='$fwdfwsettings{'TGT_PORT'}' maxlength='20' size='18' ></td></tr>
<tr><td colspan='2'></td><td></td><td>$Lang::tr{'fwhost icmptype'}</td><td colspan='2'><select name='ICMP_TGT'> <tr><td colspan='2'></td><td></td><td>$Lang::tr{'fwhost icmptype'}</td><td colspan='2'><select name='ICMP_TGT'>
END END
&General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes); &General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes);
@@ -1407,6 +1449,7 @@ END
<input type='hidden' name='oldusesrv' value='$fwdfwsettings{'oldusesrv'}' /> <input type='hidden' name='oldusesrv' value='$fwdfwsettings{'oldusesrv'}' />
<input type='hidden' name='oldrulenumber' value='$fwdfwsettings{'oldrulenumber'}' /> <input type='hidden' name='oldrulenumber' value='$fwdfwsettings{'oldrulenumber'}' />
<input type='hidden' name='rulenumber' value='$fwdfwsettings{'rulepos'}' /> <input type='hidden' name='rulenumber' value='$fwdfwsettings{'rulepos'}' />
<input type='hidden' name='oldruleremark' value='$fwdfwsettings{'oldruleremark'}' />
<input type='hidden' name='ACTION' value='saverule' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value'reset'></td></td> <input type='hidden' name='ACTION' value='saverule' ></form><form method='post' style='display:inline'><input type='submit' value='$Lang::tr{'fwhost back'}' style='min-width:100px;'><input type='hidden' name='ACTION' value'reset'></td></td>
</table></form> </table></form>
END END
@@ -1596,7 +1639,8 @@ sub getsrcport
{ {
my %hash=%{(shift)}; my %hash=%{(shift)};
my $key=shift; my $key=shift;
if($hash{$key}[7] eq 'ON' && $hash{$key}[8] ne 'ICMP'){ if($hash{$key}[7] eq 'ON' && ($hash{$key}[8] eq 'TCP' || $hash{$key}[8] eq 'UDP')){
$hash{$key}[10]=~ s/\|/,/g;
print" : ($hash{$key}[8]) $hash{$key}[10]"; print" : ($hash{$key}[8]) $hash{$key}[10]";
}elsif($hash{$key}[7] eq 'ON' && $hash{$key}[8] eq 'ICMP'){ }elsif($hash{$key}[7] eq 'ON' && $hash{$key}[8] eq 'ICMP'){
print" : ($hash{$key}[8]) <br> $hash{$key}[9]"; print" : ($hash{$key}[8]) <br> $hash{$key}[9]";
@@ -1613,7 +1657,6 @@ sub gettgtport
if($hash{$key}[14] eq 'cust_srv'){ if($hash{$key}[14] eq 'cust_srv'){
&General::readhasharray("$configsrv", \%customservice); &General::readhasharray("$configsrv", \%customservice);
foreach my $i (sort keys %customservice){ foreach my $i (sort keys %customservice){
#print "HHUHU: $customservice{$i}[0] und $hash{$key}[15]<br>";
if($customservice{$i}[0] eq $hash{$key}[15]){ if($customservice{$i}[0] eq $hash{$key}[15]){
$prot = $hash{$key}[12]; $prot = $hash{$key}[12];
$service = $customservice{$i}[0]; $service = $customservice{$i}[0];
@@ -1623,6 +1666,7 @@ sub gettgtport
$service=$hash{$key}[15]; $service=$hash{$key}[15];
}elsif($hash{$key}[14] eq 'TGT_PORT'){ }elsif($hash{$key}[14] eq 'TGT_PORT'){
$hash{$key}[15]=~ s/\|/,/g;
$service=$hash{$key}[15]; $service=$hash{$key}[15];
$prot=$hash{$key}[12]; $prot=$hash{$key}[12];
} }
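Review bot: In checktarget (and identically in checksource) the `*`, `(\D):(\d+)` and `(\d+):(\D)` rewrites together with `tr/-/:/` now sit inside `if ($_ =~ /^(\d+)\:(\d+)$/)`, so they can never fire: a part such as `80-90`, `*` or `*:1024` fails that test, falls to the else branch, fails `validport`, and ends in the empty inner `else{}` where it is dropped without touching `$errormessage`. A malformed entry therefore vanishes silently from the saved port list, and when every part is malformed `TGT_PORT`/`SRC_PORT` become empty strings; since get_port only emits `--dport` for a non-empty field, that looks like it would save a rule with no port restriction at all, which should be confirmed against the save path outside this hunk. Normalise each part before classifying it and report a rejected part instead of discarding it; checksource additionally passes `'destination'` to validportrange where the old code passed `'src'`. Both subs, and the enclosing `if` blocks, start outside the shown hunks.
```perl
foreach (@parts){
    chomp($_);
    # normalise first so "80-90", "*" and "*:1024" reach the range test below
    $_ =~ tr/-/:/;
    $_ = "1:65535"  if ($_ eq "*");
    $_ = "1:$2"     if ($_ =~ /^(\D)\:(\d+)$/);
    $_ = "$1:65535" if ($_ =~ /^(\d+)\:(\D)$/);
    if ($_ =~ /^(\d+)\:(\d+)$/) {
        $errormessage .= &General::validportrange($_, 'destination');
        push (@values,$_);
    }elsif (&General::validport($_)){
        push (@values,$_);
    }else{
        # never drop input silently; replace with the matching $Lang::tr entry
        $errormessage .= "invalid destination port<br>";
    }
}
$fwdfwsettings{'TGT_PORT'}=join("|",@values);
```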