When a forwarding rule is being created, we sometimes create
INPUT/OUTPUT rules, too. Those were slightly invalid because
the source and destination interfaces where passed, too.
This could render some rules in certain circumstances useless.
This patch fixes this and only adds -i for INPUT and -o for
OUTPUT rules.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The special_input/output_targets array assumed that firewall access
will always be denied. However, rules also need to be created when
access is granted. Therefore the ACCEPT target needs to be included
in this list and rules must be created in INPUTFW/OUTGOINGFW too
when ACCEPT rules are created in FORWARDFW.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
When creating SNAT rules, the outgoing interface is not set. As a side
effect, traffic that should be send unnatted to a vpn tunnel can be
natted which is a BUG.
With this patch the SNAT rules are getting a outgoing interface
according to the configuration. When selecting the RED Target network,
all SNAT rules will be configured with "-o red0". Otherwise if "all" is
selected, there is no interface in the rule, which matches all networks.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This commit adds support to the rules.pl and firewall-lib.pl to generate
correct iptables commands for inserting GeoIP-based firewall rules
into the kernel.
In the POSTROUTING chain using -i intf0 does not work at all.
We now only use the -s parameter to figure out if the rule applied.
The filter chain still uses -i and -o to match patches not only
by the network address, but also by the incoming/outgoing interface.
The configuration parser determines how many comma-separated
values there are in a line. If new values are added we need
to check first if those are set in every line to avoid any
undefined behaviour. A wrong comparison parameter was used
which caused that the limit feature was never enabled in
the rule generation.
The state of some code especially in general-functions.pl
is in such a bad shape and faulty.
This is a first step that replaces some of the network
functions with those who have been tested and work for
undefined inputs.
The old functions have been left in place as stubs
and must be removed at some time.
We added RED to the standard networks and now portforwardings are only
useable from the selected source. If selected "all" the portforwarding
can be used from any internal network. Else the access is only grnated
from the selected source network.
If the firewall is part of a local network (e.g. GREEN),
we automatically add rules that grant/forbid access for the firewall,
too.
This has been broken for various default policies other than ALLOWED.
Example:
my @as = (1, 2, 3);
foreach my $a (@as) {
$a += 1;
print "$a\n";
}
$a will be a reference to the number in the array and not
copied. Therefore $a += 1 will change the numbers in the
array as well, so that after the loop the content of @as
would be (2, 3, 4).
To avoid that, the number needs to be copied into a new
variable like: my $b = $a; and we are fine.
This caused that the content of the @sources and @destinations
array has been altered for the second run of the loop and
incorrect (i.e. no) rules were created.
Various perl coding errors that have been suppressed by "no warnings uninitialized"
have been fixed and lots of helper variables have been introduced to make
it much more clearer what the code is actually doing.
