Merge remote-tracking branch 'amarx/firewall-dnat' into next

Conflicts: config/firewall/rules.pl
2026-04-27 19:23:24 +02:00 · 2014-09-26 12:55:55 +02:00
parent b30890aa06 48f07c1957
commit df6649b0fe
4 changed files with 61 additions and 22 deletions
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -217,7 +217,7 @@ sub get_std_net_ip
 	}elsif($val eq 'BLUE'){
 		return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
 	}elsif($val eq 'RED'){
-		return "0.0.0.0/0 -o $con";
+		return "0.0.0.0/0";
 	}elsif($val =~ /OpenVPN/i){
 		return "$ovpnsettings{'DOVPN_SUBNET'}";
 	}elsif($val =~ /IPsec/i){
@@ -226,6 +226,23 @@ sub get_std_net_ip
 		return ;
 	}
 }
 sub get_interface
 {
 	my $net=shift;
 	if($net eq "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"){
 		return "$netsettings{'GREEN_DEV'}";
 	}
 	if($net eq "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"){
 		return "$netsettings{'ORANGE_DEV'}";
 	}
 	if($net eq "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"){
 		return "$netsettings{'BLUE_DEV'}";
 	}
 	if($net eq "0.0.0.0/0"){
 		return "$netsettings{'RED_DEV'}";
 	}
 	return "";
 }
 sub get_net_ip
 {
 	my $val=shift;
@@ -305,9 +322,9 @@ sub get_address
 	# address. Otherwise, we assume that it is an IP address.
 	if ($key ~~ ["src_addr", "tgt_addr"]) {
 		if (&General::validmac($value)) {
-			push(@ret, "-m mac --mac-source $value");
+			push(@ret, ["-m mac --mac-source $value", ""]);
 		} else {
-			push(@ret, $value);
+			push(@ret, [$value, ""]);
 		}
 	# If a default network interface (GREEN, BLUE, etc.) is selected, we
@@ -316,88 +333,90 @@ sub get_address
 		my $external_interface = &get_external_interface();
 		my $network_address = &get_std_net_ip($value, $external_interface);
 		if ($network_address) {
-			push(@ret, $network_address);
+			my $interface = &get_interface($network_address);
 			push(@ret, [$network_address, $interface]);
 		}
 	# Custom networks.
 	} elsif ($key ~~ ["cust_net_src", "cust_net_tgt", "Custom Network"]) {
 		my $network_address = &get_net_ip($value);
 		if ($network_address) {
-			push(@ret, $network_address);
+			push(@ret, [$network_address, ""]);
 		}
 	# Custom hosts.
 	} elsif ($key ~~ ["cust_host_src", "cust_host_tgt", "Custom Host"]) {
 		my $host_address = &get_host_ip($value, $type);
 		if ($host_address) {
-			push(@ret, $host_address);
+			push(@ret, [$host_address, ""]);
 		}
 	# OpenVPN networks.
 	} elsif ($key ~~ ["ovpn_net_src", "ovpn_net_tgt", "OpenVPN static network"]) {
 		my $network_address = &get_ovpn_net_ip($value, 1);
 		if ($network_address) {
-			push(@ret, $network_address);
+			push(@ret, [$network_address, ""]);
 		}
 	# OpenVPN hosts.
 	} elsif ($key ~~ ["ovpn_host_src", "ovpn_host_tgt", "OpenVPN static host"]) {
 		my $host_address = &get_ovpn_host_ip($value, 33);
 		if ($host_address) {
-			push(@ret, $host_address);
+			push(@ret, [$host_address, ""]);
 		}
 	# OpenVPN N2N.
 	} elsif ($key ~~ ["ovpn_n2n_src", "ovpn_n2n_tgt", "OpenVPN N-2-N"]) {
 		my $network_address = &get_ovpn_n2n_ip($value, 11);
 		if ($network_address) {
-			push(@ret, $network_address);
+			push(@ret, [$network_address, ""]);
 		}
 	# IPsec networks.
 	} elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) {
 		my $network_address = &get_ipsec_net_ip($value, 11);
 		if ($network_address) {
-			push(@ret, $network_address);
+			push(@ret, [$network_address, ""]);
 		}
 	# The firewall's own IP addresses.
 	} elsif ($key ~~ ["ipfire", "ipfire_src"]) {
 		# ALL
 		if ($value eq "ALL") {
-			push(@ret, "0/0");
+			push(@ret, ["0/0", ""]);
 		# GREEN
 		} elsif ($value eq "GREEN") {
-			push(@ret, $netsettings{"GREEN_ADDRESS"});
+			push(@ret, [$netsettings{"GREEN_ADDRESS"}, ""]);
 		# BLUE
 		} elsif ($value eq "BLUE") {
-			push(@ret, $netsettings{"BLUE_ADDRESS"});
+			push(@ret, [$netsettings{"BLUE_ADDRESS"}, ""]);
 		# ORANGE
 		} elsif ($value eq "ORANGE") {
-			push(@ret, $netsettings{"ORANGE_ADDRESS"});
+			push(@ret, [$netsettings{"ORANGE_ADDRESS"}, ""]);
 		# RED
 		} elsif ($value ~~ ["RED", "RED1"]) {
 			my $address = &get_external_address();
 			if ($address) {
-				push(@ret, $address);
+				push(@ret, [$address, ""]);
 			}
 		# Aliases
 		} else {
 			my $alias = &get_alias($value);
 			if ($alias) {
-				push(@ret, $alias);
+				push(@ret, [$alias, ""]);
 			}
 		}
 	# If nothing was selected, we assume "any".
 	} else {
-		push(@ret, "0/0");
+		push(@ret, ["0/0", ""]);
 	}
 	return @ret;
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -295,22 +295,26 @@ sub buildrules {
 				next unless ($src);
 				# Sanitize source.
-				my $source = $src;
+				my $source = @$src[0];
 				if ($source ~~ @ANY_ADDRESSES) {
 					$source = "";
 				}
 				my $source_intf = @$src[1];
 				foreach my $dst (@destinations) {
 					# Skip invalid rules.
 					next unless (defined $dst);
 					next if (!$dst || ($dst eq "none"));
 					# Sanitize destination.
-					my $destination = $dst;
+					my $destination = @$dst[0];
 					if ($destination ~~ @ANY_ADDRESSES) {
 						$destination = "";
 					}
 					my $destination_intf = @$dst[1];
 					# Array with iptables arguments.
 					my @options = ();
@@ -327,12 +331,20 @@ sub buildrules {
 						push(@source_options, ("-s", $source));
 					}
 					if ($source_intf) {
 						push(@source_options, ("-i", $source_intf));
 					}
 					# Prepare destination options.
 					my @destination_options = ();
 					if ($destination) {
 						push(@destination_options, ("-d", $destination));
 					}
 					if ($destination_intf) {
 						push(@destination_options, ("-o", $destination_intf));
 					}
 					# Add time constraint options.
 					push(@options, @time_options);
@@ -366,7 +378,7 @@ sub buildrules {
 							# Make port-forwardings useable from the internal networks.
 							my @internal_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
 							unless ($nat_address ~~ @internal_addresses) {
-								&add_dnat_mangle_rules($nat_address, @nat_options);
+								&add_dnat_mangle_rules($nat_address, $source_intf, @nat_options);
 							}
 							push(@nat_options, @source_options);
@@ -683,6 +695,7 @@ sub get_dnat_target_port {
 sub add_dnat_mangle_rules {
 	my $nat_address = shift;
 	my $interface = shift;
 	my @options = @_;
 	my $mark = 0;
@@ -693,6 +706,8 @@ sub add_dnat_mangle_rules {
 		next unless (exists $defaultNetworks{$zone . "_NETADDRESS"});
 		next unless (exists $defaultNetworks{$zone . "_NETMASK"});
 		next if ($interface && $interface ne $defaultNetworks{$zone . "_DEV"});
 		my @mangle_options = @options;
 		my $netaddress = $defaultNetworks{$zone . "_NETADDRESS"};
--- a/html/cgi-bin/firewall.cgi
+++ b/html/cgi-bin/firewall.cgi
@@ -1064,7 +1064,6 @@ print<<END;
 END
 	foreach my $network (sort keys %defaultNetworks)
 		{
 			next if($defaultNetworks{$network}{'NAME'} eq "RED" && $srctgt eq 'src');
 			next if($defaultNetworks{$network}{'NAME'} eq "IPFire");
 			print "<option value='$defaultNetworks{$network}{'NAME'}'";
 			print " selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $defaultNetworks{$network}{'NAME'});
--- a/html/cgi-bin/fwhosts.cgi
+++ b/html/cgi-bin/fwhosts.cgi
@@ -1644,7 +1644,10 @@ sub getcolor
 			$tdcolor="<font style='color: $Header::colourblue;'>$c</font>";
 			return $tdcolor;
 		}
-
+		if ("$sip/$scidr" eq "0.0.0.0/0"){
 			$tdcolor="<font style='color: $Header::colourred;'>$c</font>";
 			return $tdcolor;
 		}
 		#Check if IP is part of OpenVPN N2N subnet
 		foreach my $key (sort keys %ccdhost){
 			if ($ccdhost{$key}[3] eq 'net'){
@@ -2501,6 +2504,9 @@ sub getipforgroup
 			&General::readhash("${General::swroot}/vpn/settings",\%hash);
 			return $hash{'RW_NET'};
 		}
 		if ($name eq 'RED'){
 			return "0.0.0.0/0";
 		}
 	}
 }
 sub decrease