diff --git a/firewall/edit_rule.cgi b/firewall/edit_rule.cgi
index b33a1920a..44eceaa95 100755
--- a/firewall/edit_rule.cgi
+++ b/firewall/edit_rule.cgi
@@ -25,8 +25,9 @@ else {
 &can_jump($rule) || &error($text{'ejump'});
 }
-print &ui_form_start("save_rule.cgi", "post");
-foreach $f ('version', 'table', 'idx', 'new', 'chain', 'before', 'after') {
+print &ui_form_start("save_rule${ipvx}.cgi", "post");
+print &ui_hidden("version", ${ipvx_arg});
+foreach $f ('table', 'idx', 'new', 'chain', 'before', 'after') {
 print &ui_hidden($f, $in{$f});
 }
@@ -83,15 +84,11 @@ if (&indexof('REJECT', @jumps) >= 0 && &can_jump("REJECT")) {
 if ($rule->{'j'}->[1] eq 'REJECT') {
 $rwith = $rule->{'reject-with'}->[1];
 }
- local @rtypes = ( "icmp-net-unreachable", "icmp-host-unreachable",
- "icmp-port-unreachable", "icmp-proto-unreachable",
- "icmp-net-prohibited", "icmp-host-prohibited",
- "echo-reply", "tcp-reset" );
 print &ui_table_row($text{'edit_rwith'},
 &ui_radio("rwithdef", $rwith eq "" ? 1 : 0,
 [ [ 1, $text{'default'} ],
 [ 0, &text('edit_rwithtype',
- &icmptype_input("rwithtype", $rwith, \@rtypes)) ],
+ &icmptype_input("rwithtype", $rwith, \@ipvx_rtypes)) ],
 ]));
 }
@@ -128,7 +125,7 @@ if (($table->{'name'} eq 'nat' && $rule->{'chain'} ne 'POSTROUTING') &&
 &can_jump("DNAT")) {
 if ($rule->{'j'}->[1] eq 'DNAT') {
 if ($rule->{'to-destination'}->[1] =~
- /^([0-9\.]+)(\-([0-9\.]+))?(:(\d+)(\-(\d+))?)?$/) {
+ /$ipvx_todestpattern/) {
 $dipfrom = $1;
 $dipto = $3;
 $dpfrom = $5;
diff --git a/firewall/edit_rule6.cgi b/firewall/edit_rule6.cgi
deleted file mode 100755
index acac4f6ff..000000000
--- a/firewall/edit_rule6.cgi
+++ /dev/null
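Review bot: The new form action `save_rule${ipvx}.cgi` in the first hunk of edit_rule.cgi reintroduces the per-version filename suffix that the rest of this commit is removing: the firewall6/*.cgi scripts become symlinks into firewall/, and the index.cgi hunk at line 298 changes its link from `edit_rule${ipvx}.cgi` to `edit_rule.cgi?version=${ipvx_arg}`. Since `$ipvx` is the suffix that builds `ip${ipvx}tables` (visible in the deleted edit_rule6.cgi), an IPv6 session would post to `save_rule6.cgi`, which this diff does not add under firewall/ unless it already exists outside the diff. The version is now carried by the hidden `version` field, so `print &ui_form_start("save_rule.cgi", "post");` would match index.cgi; `${ipvx_arg}` outside a string is also just `$ipvx_arg`. A one-line comment such as `# version comes from the loaded lib, not echoed from the request` would explain why `version` left the hidden-field loop.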
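Review bot: In the second edit_rule.cgi hunk `\@ipvx_rtypes` is a global that nothing in this file defines, so its origin (presumably firewall4-lib.pl / firewall6-lib.pl, which the deleted edit_rule6.cgi shows being required by version) should be stated at the point of use. If a library leaves it unset, `\@ipvx_rtypes` is still a true value, and an icmptype_input like the one deleted from edit_rule6.cgi (`if ($types) { @types = @$types; }`) would then silently render a free-text box instead of the REJECT type menu or the ip(6)tables probe. Passing `@ipvx_rtypes ? \@ipvx_rtypes : undef` keeps the probe fallback, and a comment `# reject-with types for the loaded IP version (set by the per-version lib)` documents the dependency.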
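Review bot: The third edit_rule.cgi hunk matches `/$ipvx_todestpattern/` and then reads `$1`, `$3`, `$5` (and, by the enclosing code's shape, `$7`), so the numbered-group layout of a pattern now defined in another file is a silent contract; the old inline regex and the deleted IPv6 one (`/^\[([0-9A-Fa-f:]+)](\-([0-9A-Fa-f:]+))?(:(\d+)(\-(\d+))?)?$/`) happen to share it, but nothing here enforces that. A comment on the match line, `# $ipvx_todestpattern must capture ip-from, ip-to, port-from, port-to as groups 1, 3, 5, 7`, or named captures in the library pattern, would make the coupling visible. The deleted edit_rule6.cgi also had an `elsif` for a port-only `--to-destination` (`/^(:(\d+)(\-(\d+))?)?$/`); this hunk ends before the closing of the `if`, so whether the unified file keeps that branch for IPv6 rules should be confirmed.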
@@ -1,488 +0,0 @@ -#!/usr/local/bin/perl -# edit_rule.cgi -# Display the details of one firewall rule, or allow the adding of a new one -require './firewall-lib.pl'; -&ReadParse(); -if (&get_ipvx_version() == 6) { require './firewall6-lib.pl'; - } else { require './firewall4-lib.pl'; } -@tables = &get_iptables_save(); -$table = $tables[$in{'table'}]; -&can_edit_table($table->{'name'}) || &error($text{'etable'}); -if ($in{'clone'} ne '') { - &ui_print_header(undef, $text{'edit_title3'}, ""); - %clone = %{$table->{'rules'}->[$in{'clone'}]}; - $rule = \%clone; - } -elsif ($in{'new'}) { - &ui_print_header(undef, $text{'edit_title1'}, ""); - $rule = { 'chain' => $in{'chain'}, - 'j' => &can_jump('DROP') ? 'DROP' : "" }; - } -else { - &ui_print_header(undef, $text{'edit_title2'}, ""); - $rule = $table->{'rules'}->[$in{'idx'}]; - &can_jump($rule) || &error($text{'ejump'}); - } - -print &ui_form_start("save_rule.cgi", "post"); -foreach $f ('version', 'table', 'idx', 'new', 'chain', 'before', 'after') { - print &ui_hidden($f, $in{$f}); - } - -# Display action section -print &ui_table_start($text{'edit_header1'}, "width=100%", 2); - -print &ui_table_row($text{'edit_chain'}, - $text{"index_chain_".lc($rule->{'chain'})} || - &text('index_chain', "$rule->{'chain'}")); - -# Rule comment -if ($config{'comment_mod'} || $rule->{'comment'}) { - # Get comment from --comment option - $cmt = $rule->{'comment'}->[1]; - } -else { - # Get comment from # at end of line - $cmt = $rule->{'cmt'}; - } -print &ui_table_row($text{'edit_cmt'}, - &ui_textbox("cmt", $cmt, 50)); - -# Action to take or chain to jump to -if ($table->{'name'} eq 'nat') { - @jumps = ( undef, 'ACCEPT', 'DROP' ); - if ($rule->{'chain'} eq 'POSTROUTING') { - push(@jumps, 'MASQUERADE', 'SNAT'); - } - elsif ($rule->{'chain'} eq 'PREROUTING' || - $rule->{'chain'} eq 'OUTPUT') { - push(@jumps, 'REDIRECT', 'DNAT'); - } - else { - push(@jumps, 'MASQUERADE', 'SNAT', 'REDIRECT', 'DNAT'); - } - } -else { - @jumps = ( undef, 
'ACCEPT', 'DROP', 'REJECT', 'QUEUE', 'RETURN', 'LOG' ); - } -@grid = ( ); -$found = 0; -foreach $j (grep { &can_jump($_) } @jumps) { - push(@grid, &ui_oneradio("jump", $j, $text{"index_jump_".lc($j)}, - $rule->{'j'}->[1] eq $j)); - $found++ if ($rule->{'j'}->[1] eq $j); - } -push(@grid, &ui_oneradio("jump", "*", $text{'edit_jump_other'}, !$found)); -push(@grid, &ui_textbox("other", $found ? "" : $rule->{'j'}->[1], 12)); -print &ui_table_row($text{'edit_jump'}, - &ui_grid_table(\@grid, 6, undef)); - -if (&indexof('REJECT', @jumps) >= 0 && &can_jump("REJECT")) { - # Show input for REJECT icmp type - if ($rule->{'j'}->[1] eq 'REJECT') { - $rwith = $rule->{'reject-with'}->[1]; - } - local @rtypes = ( "icmp6-no-route", "icmp6-adm-prohibited", - "icmp6-addr-unreachable", "icmp6-port-unreachable", - "echo-reply", "tcp-reset" ); - print &ui_table_row($text{'edit_rwith'}, - &ui_radio("rwithdef", $rwith eq "" ? 1 : 0, - [ [ 1, $text{'default'} ], - [ 0, &text('edit_rwithtype', - &icmptype_input("rwithtype", $rwith, \@rtypes)) ], - ])); - } - -if (($table->{'name'} eq 'nat' && $rule->{'chain'} ne 'POSTROUTING') && - &can_jump("REDIRECT")) { - # Show inputs for redirect host and port - if ($rule->{'j'}->[1] eq 'REDIRECT') { - ($rtofrom, $rtoto) = split(/\-/, $rule->{'to-ports'}->[1]); - } - print &ui_table_row($text{'edit_rtoports'}, - &ui_radio("rtodef", $rtofrom eq "" ? 1 : 0, - [ [ 1, $text{'default'} ], - [ 0, &text('edit_prange', - &ui_textbox("rtofrom", $rtofrom, 6), - &ui_textbox("rtoto", $rtoto, 6)) ] ])); - } - -if (($table->{'name'} eq 'nat' && $rule->{'chain'} ne 'PREROUTING' && - $rule->{'chain'} ne 'OUTPUT') && - &can_jump("MASQUERADE")) { - # Show inputs for masquerading ports - if ($rule->{'j'}->[1] eq 'MASQUERADE') { - ($mtofrom, $mtoto) = split(/\-/, $rule->{'to-ports'}->[1]); - } - print &ui_table_row($text{'edit_mtoports'}, - &ui_radio("mtodef", $mtofrom eq "" ? 
1 : 0, - [ [ 1, $text{'edit_any'} ], - [ 0, &text('edit_prange', - &ui_textbox("mtofrom", $mtofrom, 6), - &ui_textbox("mtoto", $mtoto, 6)) ] ])); - } - -if (($table->{'name'} eq 'nat' && $rule->{'chain'} ne 'POSTROUTING') && - &can_jump("DNAT")) { - if ($rule->{'j'}->[1] eq 'DNAT') { - if ($rule->{'to-destination'}->[1] =~ - /^\[([0-9A-Fa-f:]+)](\-([0-9A-Fa-f:]+))?(:(\d+)(\-(\d+))?)?$/) { - $dipfrom = $1; - $dipto = $3; - $dpfrom = $5; - $dpto = $7; - } - elsif ($rule->{'to-destination'}->[1] =~ /^(:(\d+)(\-(\d+))?)?$/) { - $dipfrom = ""; - $dipto = ""; - $dpfrom = $2; - $dpto = $4; - } - } - print &ui_table_row($text{'edit_dnat'}, - &ui_radio("dnatdef", $dipfrom eq "" ? 1 : 0, - [ [ 1, $text{'default'} ], - [ 0, &text('edit_dnatip', - &ui_textbox("dipfrom", $dipfrom, 15), - &ui_textbox("dipto", $dipto, 15))." ". - &text('edit_prange', - &ui_textbox("dpfrom", $dpfrom, 6), - &ui_textbox("dpto", $dpto, 6)) ] ])); - } - -if (($table->{'name'} eq 'nat' && $rule->{'chain'} ne 'PREROUTING' && - $rule->{'chain'} ne 'OUTPUT') && - &can_jump("SNAT")) { - if ($rule->{'j'}->[1] eq 'SNAT') { - if ($rule->{'to-source'}->[1] =~ - /^([0-9\.]+)?(\-([0-9\.]+))?(:(\d+)(\-(\d+))?)?$/) { - $sipfrom = $1; - $sipto = $3; - $spfrom = $5; - $spto = $7; - } - } - print &ui_table_row($text{'edit_snat'}, - &ui_radio("snatdef", $sipfrom eq "" ? 1 : 0, - [ [ 1, $text{'default'} ], - [ 0, &text('edit_dnatip', - &ui_textbox("sipfrom", $sipfrom, 15), - &ui_textbox("sipto", $sipto, 15))." ". - &text('edit_prange', - &ui_textbox("spfrom", $spfrom, 6), - &ui_textbox("spto", $spto, 6)) ] ])); - } - -print &ui_table_end(); - -# Display conditions section -print "$text{'edit_desc'}
\n"; -print &ui_table_start($text{'edit_header2'}, "width=100%", 2); - -# Packet source -print &ui_table_row($text{'edit_source'}, - &print_mode("source", $rule->{'s'})." ". - &ui_textbox("source", $rule->{'s'}->[1], 40)); - -# Packet destination -print &ui_table_row($text{'edit_dest'}, - &print_mode("dest", $rule->{'d'})." ". - &ui_textbox("dest", $rule->{'d'}->[1], 40)); - -# Incoming interface -print &ui_table_row($text{'edit_in'}, - &print_mode("in", $rule->{'i'})." ". - &interface_choice("in", $rule->{'i'}->[1])); - -# Outgoing interface -print &ui_table_row($text{'edit_out'}, - &print_mode("out", $rule->{'o'})." ". - &interface_choice("out", $rule->{'o'}->[1])); - -# Packet fragmentation -$f = !$rule->{'f'} ? 0 : $rule->{'f'}->[0] eq "!" ? 2 : 1; -print &ui_table_row($text{'edit_frag'}, - &ui_radio("frag", $f, [ [ 0, $text{'edit_ignore'} ], - [ 1, $text{'edit_fragis'} ], - [ 2, $text{'edit_fragnot'} ] ])); - -# IP protocol -print &ui_table_row($text{'edit_proto'}, - &print_mode("proto", $rule->{'p'})." ". - &protocol_input("proto", $rule->{'p'}->[1])); - -print &ui_table_hr(); - -# Source port -print &ui_table_row($text{'edit_sport'}, - &print_mode("sport", $rule->{'sports'} || $rule->{'sport'})." ". - &port_input("sport", $rule->{'sports'}->[1] || $rule->{'sport'}->[1])); - -# Destination port -print &ui_table_row($text{'edit_dport'}, - &print_mode("dport", $rule->{'dports'} || $rule->{'dport'})." ". - &port_input("dport", $rule->{'dports'}->[1] || $rule->{'dport'}->[1])); - -# Source and destination ports -print &ui_table_row($text{'edit_ports'}, - &print_mode("ports", $rule->{'ports'})." ". - &ui_textbox("ports", $rule->{'ports'}->[1], 30)); - -# TCP flags -print &ui_table_row($text{'edit_tcpflags'}, - "
".&print_mode("tcpflags", $rule->{'tcp-flags'}). - " ".&text('edit_flags', - &tcpflag_input("tcpflags0", $rule->{'tcp-flags'}->[1]), - &tcpflag_input("tcpflags1", $rule->{'tcp-flags'}->[2])). - "
"); - -# TCP options -print &ui_table_row($text{'edit_tcpoption'}, - &print_mode("tcpoption", $rule->{'tcp-option'})." ". - &ui_textbox("tcpoption", $rule->{'tcp-option'}->[1], 6)); - -print &ui_table_hr(); - -# ICMP packet type -print &ui_table_row($text{'edit_icmptype'}, - &print_mode("icmptype", $rule->{"icmp${ipvx_icmp}-type"})." ". - &icmptype_input("icmptype", $rule->{"icmp${ipvx_icmp}-type"}->[1])); - -# MAC address -print &ui_table_row($text{'edit_mac'}, - &print_mode("macsource", $rule->{'mac-source'})." ". - &ui_textbox("macsource", $rule->{'mac-source'}->[1], 18)); - -print &ui_table_hr(); - -# Packet flow limit -($n, $u) = $rule->{'limit'} && - $rule->{'limit'}->[1] =~ /^(\d+)\/(\S+)$/ ? ($1, $2) : (); -print &ui_table_row($text{'edit_limit'}, - &print_mode("limit", $rule->{'limit'}, - $text{'edit_below'}, $text{'edit_above'}, 1)." ". - &ui_textbox("limit0", $n, 6)." / ". - &ui_select("limit1", $u, ['second', 'minute', 'hour', 'day'])); - -# Packet burst rate -print &ui_table_row($text{'edit_limitburst'}, - &print_mode("limitburst", $rule->{'limit-burst'}, - $text{'edit_below'}, $text{'edit_above'}, 1)." ". - &ui_textbox("limitburst", $rule->{'limit-burst'}->[1], 6)); - -if ($rule->{'chain'} eq 'OUTPUT') { - print &ui_table_hr(); - - # Sending UID - print &ui_table_row($text{'edit_uidowner'}, - &print_mode("uidowner", $rule->{'uid-owner'})." ". - &ui_user_textbox("uidowner", $rule->{'uid-owner'}->[1])); - - # Sending GID - print &ui_table_row($text{'edit_gidowner'}, - &print_mode("gidowner", $rule->{'gid-owner'})." ". - &ui_group_textbox("gidowner", $rule->{'gid-owner'}->[1])); - - # Sending process ID - print &ui_table_row($text{'edit_pidowner'}, - &print_mode("pidowner", $rule->{'pid-owner'})." ". - &ui_textbox("pidowner", $rule->{'pid-owner'}->[1], 6)); - - # Sending process group - print &ui_table_row($text{'edit_sidowner'}, - &print_mode("sidowner", $rule->{'sid-owner'})." ". 
- &ui_textbox("sidowner", $rule->{'sid-owner'}->[1], 6)); - } - -print &ui_table_hr(); - -# Connection states -print &ui_table_row($text{'edit_state'}, - "\n". - "
". - &print_mode("state", $rule->{'state'})." ". - &ui_select("state", [ split(/,/, $rule->{'state'}->[1]) ], - [ map { [ $_, $text{"edit_state_".lc($_)} ] } - ('NEW', 'ESTABLISHED', 'RELATED', 'INVALID', 'UNTRACKED') ], 5, 1). - "
"); - -# Type of service -print &ui_table_row($text{'edit_tos'}, - &print_mode("tos", $rule->{'tos'})." ". - &tos_input("tos", $rule->{'tos'}->[1])); - -print &ui_table_hr(); - -# Input physical device -print &ui_table_row($text{'edit_physdevin'}, - &print_mode("physdevin", $rule->{'physdev-in'})." ". - &interface_choice("physdevin", $rule->{'physdev-in'}->[1])); - -# Output physical device -print &ui_table_row($text{'edit_physdevout'}, - &print_mode("physdevout", $rule->{'physdev-out'})." ". - &interface_choice("physdevout", $rule->{'physdev-out'}->[1])); - -# Physdev match modes -print &ui_table_row($text{'edit_physdevisin'}, - &print_mode("physdevisin", $rule->{'physdev-is-in'}, - $text{'yes'}, $text{'no'})); -print &ui_table_row($text{'edit_physdevisout'}, - &print_mode("physdevisout", $rule->{'physdev-is-out'}, - $text{'yes'}, $text{'no'})); -print &ui_table_row($text{'edit_physdevisbridged'}, - &print_mode("physdevisbridged", $rule->{'physdev-is-bridged'}, - $text{'yes'}, $text{'no'})); - -print &ui_table_hr(); - -# Show unknown modules -@mods = grep { !/^(tcp|udp|icmp${ipvx_icmp}|multiport|mac|limit|owner|state|tos|comment|physdev)$/ } map { $_->[1] } @{$rule->{'m'}}; -print &ui_table_row($text{'edit_mods'}, - &ui_textbox("mods", join(" ", @mods), 60)); - -# Show unknown parameters -$rule->{'args'} =~ s/^\s+//; -$rule->{'args'} =~ s/\s+$//; -print &ui_table_row($text{'edit_args'}, - &ui_textbox("args", $rule->{'args'}, 60)); - -print &ui_table_end(); -if ($in{'new'}) { - print &ui_form_end([ [ undef, $text{'create'} ] ]); - } -else { - print &ui_form_end([ [ undef, $text{'save'} ], - [ 'clone', $text{'edit_clone'} ], - [ 'delete', $text{'delete'} ] ]); - } - -&ui_print_footer("index.cgi?version=${ipvx_arg}", $text{'index_return'}); - -# print_mode(name, &value, [yes-option, no-option], [no-no-option]) -sub print_mode -{ -local ($name, $value, $yes_opt, $no_opt, $no_no_opt) = @_; -local $m = !$value ? 0 : - $value->[0] eq "!" ? 
2 : 1; -return &ui_select($name."_mode", $m, - [ [ 0, "<$text{'edit_ignore'}>" ], - [ 1, $yes_opt || $text{'edit_is'} ], - !$no_no_opt || $m == 2 ? ( [ 2, $no_opt || $text{'edit_not'} ] ) - : ( ) ]); -} - -# port_input(name, value) -sub port_input -{ -local ($name, $value) = @_; -local ($s, $e, $p); -if ($value =~ /^(\d*):(\d*)$/) { - $s = $1; $e = $2; - } -else { - $p = $value || ""; - } -return &ui_radio($name."_type", defined($p) ? 0 : 1, - [ [ 0, $text{'edit_port0'}." ". - &ui_textbox($name, $p, 15) ], - [ 1, &text('edit_port1', - &ui_textbox($name."_from", $s, 6), - &ui_textbox($name."_to", $e, 6)) ] ]); -} - -# tcpflag_input(name, value) -sub tcpflag_input -{ -local ($name, $value) = @_; -local %flags = map { $_, 1 } split(/,/, $value); -local $f; -local $rv = "\n"; -foreach $f ('SYN', 'ACK', 'FIN', 'RST', 'URG', 'PSH') { - $rv .= &ui_checkbox($name, $f, "$f", - $flags{$f} || $flags{'ALL'})."\n"; - } -$rv .= "\n"; -return $rv; -} - -# icmptype_input(name, value, [&types]) -sub icmptype_input -{ -local ($name, $value, $types) = @_; -local ($started, @types, $major, $minor); -$major = -1; -if ($types) { - @types = @$types; - } -else { - open(IPTABLES, "ip${ipvx}tables -p icmp${ipvx_icmp} -h 2>/dev/null |"); - while() { - if (/valid\s+icmp\s+types:/i) { - $started = 1; - } - elsif (!/\S/) { - $started = 0; - } - elsif ($started && /^\s*(\S+)/) { - push(@types, $1); - } - } - close(IPTABLES); - } -if (@types && $value !~ /^\d+$/ && $value !~ /^\d+\/\d+$/) { - return &ui_select($name, $value, \@types); - } -else { - return &ui_textbox($name, $value, 6); - } -} - -# protocol_input(name, value) -sub protocol_input -{ -local ($name, $value) = @_; -local @stdprotos = ( 'tcp', 'udp', "icmp${ipvx_icmp}", undef ); -$value ||= "tcp"; -local @otherprotos; -open(PROTOS, "/etc/protocols"); -while() { - s/\r|\n//g; - s/#.*$//; - push(@otherprotos, $1) if (/^(\S+)\s+(\d+)/); - } -close(PROTOS); -@otherprotos = sort { lc($a) cmp lc($b) } @otherprotos; -local $p; -local 
@allprotos = &unique(@stdprotos, @otherprotos); -local $found = &indexof($value, @allprotos) >= 0; -return &ui_select($name, $found ? $value : "", - [ (map { [ $_, uc($_) || "-------" ] } @allprotos), - [ '', $text{'edit_oifc'} ] ])." ". - &ui_textbox($name."_other", $found ? undef : $value, 5); -} - -# tos_input(name, value) -sub tos_input -{ -local ($name, $value) = @_; -local ($started, @opts); -open(IPTABLES, "ip${ipvx}tables -m tos -h 2>/dev/null |"); -while() { - if (/TOS.*options:/i) { - $started = 1; - } - elsif ($started && /^\s+(\S+)\s+(\d+)\s+\((0x[0-9a-f]+)\)/i) { - push(@opts, [ $1, $3 ]); - } - } -close(IPTABLES); -if (@opts) { - return &ui_select($name, $value, - [ map { [ $o->[0], "$o->[0] ($o->[1])" ] } @opts ]); - } -else { - return &ui_textbox($name, $value, 20); - } -} - diff --git a/firewall/index.cgi b/firewall/index.cgi index bab8e590a..5a7f161bd 100755 --- a/firewall/index.cgi +++ b/firewall/index.cgi @@ -298,7 +298,7 @@ else { } # chain to jump to is filtered, switch of edit if ($edit && !$chain_filtered) { - push(@cols, &ui_link("edit_rule${ipvx}.cgi?version=${ipvx_arg}&table=".&urlize($in{'table'})."&idx=$r->{'index'}",$act)); + push(@cols, &ui_link("edit_rule.cgi?version=${ipvx_arg}&table=".&urlize($in{'table'})."&idx=$r->{'index'}",$act)); } else { # add col for not visible checkmark @@ -340,12 +340,12 @@ else { # Before / after adder local $adder; - $adder .= "{'index'}'>"; - $adder .= "{'index'}'> $table->{'name'}, - 'chain' => $r->[$in{'idx'}]->{'chain'} }); -&redirect("index.cgi?table=$in{'table'}"); - diff --git a/firewall6/move.cgi b/firewall6/move.cgi new file mode 120000 index 000000000..25bdd6fb6 --- /dev/null +++ b/firewall6/move.cgi @@ -0,0 +1 @@ +../firewall/move.cgi \ No newline at end of file diff --git a/firewall6/newchain.cgi b/firewall6/newchain.cgi deleted file mode 100755 index 24192a286..000000000 --- a/firewall6/newchain.cgi +++ /dev/null 
@@ -1,25 +0,0 @@ -#!/usr/local/bin/perl -# newchain.cgi -# Create a new user-defined chain - -require './firewall6-lib.pl'; -$access{'newchain'} || &error($text{'new_ecannot'}); -&ReadParse(); -@tables = &get_ip6tables_save(); -$table = $tables[$in{'table'}]; -&can_edit_table($table->{'name'}) || &error($text{'etable'}); -&error_setup($text{'new_err'}); -&lock_file($ip6tables_save_file); -$in{'chain'} =~ /^\S+$/ || &error($text{'new_ename'}); -$table->{'defaults'}->{$in{'chain'}} && &error($text{'new_etaken'}); -$table->{'defaults'}->{$in{'chain'}} = '-'; -&run_before_command(); -&save_table($table); -&run_after_command(); -©_to_cluster(); -&unlock_file($ip6tables_save_file); -&webmin_log("create", "chain", undef, { 'chain' => $in{'chain'}, - 'table' => $table->{'name'} }); - -&redirect("index.cgi?table=$in{'table'}"); - diff --git a/firewall6/newchain.cgi b/firewall6/newchain.cgi new file mode 120000 index 000000000..5cae1d6da --- /dev/null +++ b/firewall6/newchain.cgi @@ -0,0 +1 @@ +../firewall/newchain.cgi \ No newline at end of file diff --git a/firewall6/save_policy.cgi b/firewall6/save_policy.cgi deleted file mode 100755 index e398e4fd9..000000000 --- a/firewall6/save_policy.cgi +++ /dev/null 
@@ -1,217 +0,0 @@ -#!/usr/local/bin/perl -# save_policy.cgi -# Change the default policy for some chain - -require './firewall6-lib.pl'; -&ReadParse(); -@tables = &get_ip6tables_save(); -$table = $tables[$in{'table'}]; -&can_edit_table($table->{'name'}) || &error($text{'etable'}); -@d = split(/\0/, $in{'d'}); - -if ($in{'add'}) { - # Redirect to the rule page for adding a rule - &redirect("edit_rule.cgi?table=".&urlize($in{'table'}). - "&chain=".&urlize($in{'chain'})."&new=1"); - } -elsif ($in{'delete'} && $in{'confirm'}) { - # Delete this entire chain and all rules in it - &lock_file($ip6tables_save_file); - $access{'delchain'} || &error($text{'delete_ecannot'}); - $table->{'rules'} = [ grep { $_->{'chain'} ne $in{'chain'} } - @{$table->{'rules'}} ]; - delete($table->{'defaults'}->{$in{'chain'}}); - &run_before_command(); - &save_table($table); - &run_after_command(); - ©_to_cluster(); - &unlock_file($ip6tables_save_file); - &webmin_log("delete", "chain", undef, { 'chain' => $in{'chain'}, - 'table' => $table->{'name'} }); - &redirect("index.cgi?table=".&urlize($in{'table'})); - } -elsif ($in{'clear'} && $in{'confirm'}) { - # Delete all rules from this chain - $access{'delchain'} || &error($text{'clear_ecannot'}); - &lock_file($ip6tables_save_file); - $table->{'rules'} = [ grep { $_->{'chain'} ne $in{'chain'} } - @{$table->{'rules'}} ]; - &run_before_command(); - &save_table($table); - &run_after_command(); - ©_to_cluster(); - &unlock_file($ip6tables_save_file); - &webmin_log("clear", "chain", undef, { 'chain' => $in{'chain'}, - 'table' => $table->{'name'} }); - &redirect("index.cgi?table=".&urlize($in{'table'})); - } -elsif ($in{'delete'} || $in{'clear'}) { - # Ask for confirmation on deleting the chain - $mode = $in{'delete'} ? 
"delete" : "clear"; - $access{'delchain'} || &error($text{$mode.'_ecannot'}); - &ui_print_header(undef, $text{$mode.'_title'}, ""); - - @rules = grep { $_->{'chain'} eq $in{'chain'} } @{$table->{'rules'}}; - print &ui_form_start("save_policy.cgi"); - print &ui_hidden("table", $in{'table'}); - print &ui_hidden("chain", $in{'chain'}); - print &ui_hidden($mode, 1); - print "
",&text($mode.'_rusure', "$in{'chain'}", - scalar(@rules)),"

\n"; - print &ui_submit($text{'delete_ok'}, 'confirm'); - print "

\n"; - print &ui_form_end(); - - &ui_print_footer("index.cgi?table=".&urlize($in{'table'}), - $text{'index_return'}); - } -elsif ($in{'rename'} && $in{'newname'}) { - # Rename a chain - &lock_file($ip6tables_save_file); - $access{'delchain'} || &error($text{'rename_ecannot'}); - $in{'newname'} =~ /^\S+$/ || &error($text{'new_ename'}); - - # Change the chain on each rule - foreach $r (@{$table->{'rules'}}) { - if ($r->{'chain'} eq $in{'chain'}) { - $r->{'chain'} = $in{'newname'}; - } - } - - # Rename the default - $table->{'defaults'}->{$in{'newname'}} = - $table->{'defaults'}->{$in{'chain'}}; - delete($table->{'defaults'}->{$in{'chain'}}); - - # Adjust any other rules - if ($in{'adjust'}) { - foreach $r (@{$table->{'rules'}}) { - if ($r->{'j'} && $r->{'j'}->[1] eq $in{'chain'}) { - $r->{'j'}->[1] = $in{'newname'}; - } - } - } - - &run_before_command(); - &save_table($table); - &run_after_command(); - ©_to_cluster(); - &unlock_file($ip6tables_save_file); - &webmin_log("rename", "chain", undef, { 'chain' => $in{'chain'}, - 'table' => $table->{'name'} }); - &redirect("index.cgi?table=".&urlize($in{'table'})); - } -elsif ($in{'rename'}) { - # Show chain rename form - &ui_print_header(undef, $text{'rename_title'}, ""); - - print &ui_form_start("save_policy.cgi"); - print &ui_hidden("table", $in{'table'}); - print &ui_hidden("chain", $in{'chain'}); - print &ui_hidden("rename", 1); - print &ui_table_start($text{'rename_header'}, undef, 2); - - # Number of rules and old name - @rules = grep { $_->{'chain'} eq $in{'chain'} } @{$table->{'rules'}}; - print &ui_table_row($text{'rename_chain'}, $in{'chain'}); - print &ui_table_row($text{'rename_count'}, - scalar(@rules) || $text{'rename_none'}); - - # Destination chain - print &ui_table_row($text{'rename_name'}, - &ui_textbox("newname", undef, 20)); - - # Adjust other rules? 
- print &ui_table_row(" ", - &ui_checkbox("adjust", 1, $text{'rename_adjust'}, 1)); - - print &ui_table_end(); - print &ui_form_end([ [ undef, $text{'rename_ok'} ] ]); - - &ui_print_footer("index.cgi?table=".&urlize($in{'table'}), - $text{'index_return'}); - } -elsif ($in{'delsel'}) { - # Just delete selected rules - %idxs = map { $_, 1 } @d; - &lock_file($ip6tables_save_file); - $table->{'rules'} = [ grep { $_->{'chain'} ne $in{'chain'} || - !$idxs{$_->{'index'}} } - @{$table->{'rules'}} ]; - &run_before_command(); - &save_table($table); - &run_after_command(); - ©_to_cluster(); - &unlock_file($ip6tables_save_file); - &webmin_log("delsel", "chain", undef, { 'chain' => $in{'chain'}, - 'table' => $table->{'name'}, - 'count' => scalar(@d)}); - &redirect("index.cgi?table=".&urlize($in{'table'})); - } -elsif ($in{'movesel'} && $in{'dest'}) { - # Move selected rules to new chain - %idxs = map { $_, 1 } @d; - &lock_file($ip6tables_save_file); - - # Change the chain on each rule - foreach $r (@{$table->{'rules'}}) { - if ($r->{'chain'} eq $in{'chain'} && $idxs{$r->{'index'}}) { - $r->{'chain'} = $in{'dest'}; - } - } - - &run_before_command(); - &save_table($table); - &run_after_command(); - ©_to_cluster(); - &unlock_file($ip6tables_save_file); - &webmin_log("movesel", "chain", undef, { 'chain' => $in{'chain'}, - 'table' => $table->{'name'}, - 'count' => scalar(@d)}); - &redirect("index.cgi?table=".&urlize($in{'table'})); - } -elsif ($in{'movesel'}) { - # Show rule move form - &ui_print_header(undef, $text{'move_title'}, ""); - - print &ui_form_start("save_policy.cgi"); - print &ui_hidden("table", $in{'table'}); - print &ui_hidden("chain", $in{'chain'}); - print &ui_hidden("movesel", 1); - foreach $d (@d) { - print &ui_hidden("d", $d); - } - print &ui_table_start($text{'move_header'}, undef, 2); - - # Number of rules and source - print &ui_table_row($text{'move_count'}, scalar(@d)); - print &ui_table_row($text{'move_chain'}, $in{'chain'}); - - # Destination chain - print 
&ui_table_row($text{'move_dest'}, - &ui_select("dest", $in{'chain'}, - [ grep { $_ ne $in{'chain'} } - sort by_string_for_ip6tables - (keys %{$table->{'defaults'}}) ])); - - print &ui_table_end(); - print &ui_form_end([ [ undef, $text{'move_ok'} ] ]); - - &ui_print_footer("index.cgi?table=".&urlize($in{'table'}), - $text{'index_return'}); - } -else { - # Change the default for this chain - $access{'policy'} || &error($text{'policy_ecannot'}); - &lock_file($ip6tables_save_file); - $table->{'defaults'}->{$in{'chain'}} = $in{'policy'}; - &run_before_command(); - &save_table($table); - &run_after_command(); - ©_to_cluster(); - &unlock_file($ip6tables_save_file); - &webmin_log("modify", "chain", undef, { 'chain' => $in{'chain'}, - 'table' => $table->{'name'} }); - &redirect("index.cgi?table=".&urlize($in{'table'})); - } - diff --git a/firewall6/save_policy.cgi b/firewall6/save_policy.cgi new file mode 120000 index 000000000..e104db163 --- /dev/null +++ b/firewall6/save_policy.cgi @@ -0,0 +1 @@ +../firewall/save_policy.cgi \ No newline at end of file diff --git a/firewall6/save_rule.cgi b/firewall6/save_rule.cgi deleted file mode 100755 index c4996abbd..000000000 --- a/firewall6/save_rule.cgi +++ /dev/null 
@@ -1,410 +0,0 @@ -#!/usr/local/bin/perl -# save_rule.cgi -# Save, create or delete a rule in a chain - -require './firewall-lib.pl'; -&ReadParse(); -if (&get_ipvx_version() == 6) { require './firewall6-lib.pl'; - } else { require './firewall4-lib.pl'; } -&error_setup($text{'save_err'}); -@tables = &get_iptables_save(); -$table = $tables[$in{'table'}]; -&can_edit_table($table->{'name'}) || &error($text{'etable'}); -if ($in{'new'}) { - $rule = { 'chain' => $in{'chain'} }; - } -else { - $rule = $table->{'rules'}->[$in{'idx'}]; - &can_jump($rule) || &error($text{'ejump'}); - } -if ($in{'clone'}) { - # Go back to the editing page - &redirect("edit_rule.cgi?new=1&clone=$in{'idx'}&". - "table=".&urlize($in{'table'})."&". - "chain=".&urlize($rule->{'chain'})); - } - -&lock_file($ipvx_save); -if ($in{'delete'}) { - # Just delete this rule - splice(@{$table->{'rules'}}, $in{'idx'}, 1); - } -else { - # Validate and store inputs - if ($config{'comment_mod'}) { - $in{'cmt'} =~ s/^\s+//; - $in{'cmt'} =~ s/\s+$//; - if ($in{'cmt'}) { - $rule->{'comment'} = [ "", $in{'cmt'} ]; - push(@mods, "comment"); - } - else { - delete($rule->{'comment'}); - } - } - else { - $rule->{'cmt'} = $in{'cmt'}; - delete($rule->{'comment'}); - @mods = grep { $_ ne "comment" } @mods; - } - if ($in{'jump'} eq '*') { - $in{'other'} =~ /^\S+$/ || &error($text{'save_echain'}); - $rule->{'j'} = [ "", $in{'other'} ]; - } - elsif ($in{'jump'}) { - $rule->{'j'} = [ "", $in{'jump'} ]; - } - else { - delete($rule->{'j'}); - } - &can_jump($rule) || &error($text{'save_ecanjump'}); - if (defined($in{'rwithtype'})) { - if ($rule->{'j'}->[1] eq 'REJECT' && !$in{'rwithdef'}) { - $rule->{'reject-with'} = [ "", $in{'rwithtype'} ]; - } - else { - delete($rule->{'reject-with'}); - } - } - - # Parse redirect or masquerade input - if ($table->{'name'} eq 'nat') { - if ($rule->{'j'}->[1] eq 'REDIRECT' && !$in{'rtodef'}) { - $in{'rtofrom'} =~ /^\d+$/ || - &error($text{'save_ertoports'}); - $in{'rtoto'} =~ /^\d*$/ || - 
&error($text{'save_ertoports'}); - $rule->{'to-ports'} = [ "", $in{'rtoto'} eq '' ? - $in{'rtofrom'} : $in{'rtofrom'}."-".$in{'rtoto'} ]; - } - elsif ($rule->{'j'}->[1] eq 'MASQUERADE' && !$in{'mtodef'}) { - $in{'mtofrom'} =~ /^\d+$/ || - &error($text{'save_emtoports'}); - $in{'mtoto'} =~ /^\d*$/ || - &error($text{'save_emtoports'}); - $rule->{'to-ports'} = [ "", $in{'mtoto'} eq '' ? - $in{'mtofrom'} : $in{'mtofrom'}."-".$in{'mtoto'} ]; - } - else { - delete($rule->{'to-ports'}); - } - } - if ($table->{'name'} eq 'nat' && $rule->{'chain'} ne 'POSTROUTING') { - if ($rule->{'j'}->[1] eq 'DNAT' && !$in{'dnatdef'}) { - !$in{'dipfrom'} || &check_ipaddress($in{'dipfrom'}) || - &error($text{'save_edipfrom'}); - !$in{'dipto'} || &check_ipaddress($in{'dipto'}) || - &error($text{'save_edipto'}); - local $v = "[".$in{'dipfrom'}."]"; - $v .= "-[".$in{'dipto'}."]" if ($in{'dipto'}); - if ($in{'dpfrom'} ne '') { - $in{'dpfrom'} =~ /^\d+$/ || - &error($text{'save_edpfrom'}); - $in{'dpto'} =~ /^\d*$/ || - &error($text{'save_edpto'}); - if ($in{'dpto'} eq '') { - $v .= ":".$in{'dpfrom'}; - } - else { - $v .= ":".$in{'dpfrom'}."-".$in{'dpto'}; - } - } - $rule->{'to-destination'} = [ "", $v ]; - } - else { - delete($rule->{'to-destination'}); - } - } - if ($table->{'name'} eq 'nat' && $rule->{'chain'} ne 'PREROUTING' && - $rule->{'chain'} ne 'OUTPUT') { - if ($rule->{'j'}->[1] eq 'SNAT' && !$in{'snatdef'}) { - (!$in{'sipfrom'} && !$in{'sipto'}) || - &check_ipaddress($in{'sipfrom'}) || - &error($text{'save_esipfrom'}); - !$in{'sipto'} || &check_ipaddress($in{'sipto'}) || - &error($text{'save_esipto'}); - local $v = $in{'sipfrom'}; - $v .= "-".$in{'sipto'} if ($in{'sipto'}); - if ($in{'spfrom'} ne '') { - $in{'spfrom'} =~ /^\d+$/ || - &error($text{'save_espfrom'}); - $in{'spto'} =~ /^\d*$/ || - &error($text{'save_espto'}); - if ($in{'spto'} eq '') { - $v .= ":".$in{'spfrom'}; - } - else { - $v .= ":".$in{'spfrom'}."-".$in{'spto'}; - } - } - $rule->{'to-source'} = [ "", $v ]; - } - else 
{ - delete($rule->{'to-source'}); - } - } - if (&parse_mode("source", $rule, "s")) { - &check_ipmask($in{'source'}) || &error($text{'save_esource'}); - $rule->{'s'}->[1] = $in{'source'}; - } - if (&parse_mode("dest", $rule, "d")) { - &check_ipmask($in{'dest'}) || &error($text{'save_edest'}); - $rule->{'d'}->[1] = $in{'dest'}; - } - if (&parse_mode("in", $rule, "i")) { - $in{'in'} ne '' || $in{'in_other'} =~ /^\S+$/ || - &error($text{'save_ein'}); - $rule->{'i'}->[1] = $in{'in'} eq '' || $in{'in'} eq 'other' ? - $in{'in_other'} : $in{'in'}; - } - if (&parse_mode("out", $rule, "o")) { - $in{'out'} ne '' || $in{'out_other'} =~ /^\S+$/ || - &error($text{'save_eout'}); - $rule->{'o'}->[1] = $in{'out'} eq '' || $in{'out'} eq 'other' ? - $in{'out_other'} : $in{'out'}; - } - if ($in{'frag'} == 0) { delete($rule->{'f'}); } - elsif ($in{'frag'} == 1) { $rule->{'f'} = [ "" ]; } - else { $rule->{'f'} = [ "!" ]; } - if (&parse_mode("proto", $rule, "p")) { - $in{'proto'} || $in{'proto_other'} =~ /^\d+$/ || - &error($text{'save_eproto'}); - $rule->{'p'}->[1] = $in{'proto'} || $in{'proto_other'}; - if (!$rule->{'p'}->[0]) { - $proto = $in{'proto'}; - push(@mods, $in{'proto'}) - if ($proto eq 'tcp' || $proto eq 'udp' || - $proto eq "icmp${ipvx_icmp}" && $in{'icmptype_mode'}); - } - } - - if (&parse_mode("sport", $rule, "sport")) { - $proto eq "tcp" || $proto eq "udp" || $proto eq "sctp" || - &error($text{'save_etcpudp'}); - if ($in{"sport_type"} == 0) { - $in{"sport"} =~ /^\S+$/ || - &error($text{'save_esport'}); - if ($in{"sport"} =~ /,/) { - $rule->{'sports'}->[1] = $in{"sport"}; - $rule->{'sports'}->[0] = $rule->{'sport'}->[0]; - push(@mods, "multiport"); - delete($rule->{'sport'}); - } - else { - $rule->{'sport'}->[1] = $in{"sport"}; - delete($rule->{'sports'}); - } - } - else { - $in{"sport_from"} =~ /^\d*$/ || - &error($text{'save_esportfrom'}); - $in{"sport_to"} =~ /^\d*$/ || - &error($text{'save_esportto'}); - $rule->{'sport'}->[1] = $in{"sport_from"}.":". 
- $in{"sport_to"};
- $rule->{'sport'}->[1] eq ":" &&
- &error($text{'save_esportrange'});
- delete($rule->{'sports'});
- }
- }
- else {
- delete($rule->{'sports'});
- }
- if (&parse_mode("dport", $rule, "dport")) {
- $proto eq "tcp" || $proto eq "udp" || $proto eq "sctp" ||
- &error($text{'save_etcpudp'});
- if ($in{"dport_type"} == 0) {
- $in{"dport"} =~ /^\S+$/ ||
- &error($text{'save_edport'});
- if ($in{"dport"} =~ /,/) {
- $rule->{'dports'}->[1] = $in{"dport"};
- $rule->{'dports'}->[0] = $rule->{'dport'}->[0];
- push(@mods, "multiport");
- delete($rule->{'dport'});
- }
- else {
- $rule->{'dport'}->[1] = $in{"dport"};
- delete($rule->{'dports'});
- }
- }
- else {
- $in{"dport_from"} =~ /^\d*$/ ||
- &error($text{'save_edportfrom'});
- $in{"dport_to"} =~ /^\d*$/ ||
- &error($text{'save_edportto'});
- $rule->{'dport'}->[1] = $in{"dport_from"}.":".
- $in{"dport_to"};
- $rule->{'dport'}->[1] eq ":" &&
- &error($text{'save_edportrange'});
- delete($rule->{'dports'});
- }
- }
- else {
- delete($rule->{'dports'});
- }
- if (&parse_mode("ports", $rule, "ports")) {
- $proto eq "tcp" || $proto eq "udp" || $proto eq "sctp" ||
- &error($text{'save_etcpudp'});
- $in{"ports"} =~ /^\S+$/ || &error($text{'save_eports'});
- $rule->{'ports'}->[1] = $in{'ports'};
- push(@mods, "multiport");
- }
- if (&parse_mode("tcpflags", $rule, "tcp-flags")) {
- $proto eq "tcp" || &error($text{'save_etcp1'});
- local $tcp0 = join(",", split(/\0/, $in{"tcpflags0"}));
- local $tcp1 = join(",", split(/\0/, $in{"tcpflags1"}));
- #$tcp0 && $tcp1 || &error($text{'save_etcpflags'});
- $tcp0 || &error($text{'save_etcpflags2'});
- $rule->{'tcp-flags'}->[1] = $tcp0;
- $rule->{'tcp-flags'}->[2] = $tcp1 || "NONE";
- }
- if (&parse_mode("tcpoption", $rule, "tcp-option")) {
- $proto eq "tcp" || &error($text{'save_etcp2'});
- $in{"tcpoption"} =~ /^\d+$/ ||
- &error($text{'save_etcpoption'});
- $rule->{'tcp-option'}->[1] = $in{"tcpoption"};
- }
- if (&parse_mode("icmptype", $rule, "icmp${ipvx_icmp}-type")) {
- $proto eq "icmp${ipvx_icmp}" || &error($text{'save_eicmp'});
- $rule->{"icmp${ipvx_icmp}-type"}->[1] = $in{'icmptype'};
- }
- if (&parse_mode("macsource", $rule, "mac-source")) {
- $in{"macsource"} =~ /^([0-9a-z]{2}:){5}[[0-9a-z]{2}$/i ||
- &error($text{'save_emac'});
- $rule->{'mac-source'}->[1] = $in{'macsource'};
- push(@mods, "mac");
- }
- if (&parse_mode("limit", $rule, "limit")) {
- $in{'limit0'} =~ /^\d+$/ || &error($text{'save_elimit'});
- $rule->{'limit'}->[1] = $in{'limit0'}."/".$in{'limit1'};
- push(@mods, "limit");
- }
- if (&parse_mode("limitburst", $rule, "limit-burst")) {
- $in{'limitburst'} =~ /^\d+$/ ||
- &error($text{'save_elimitburst'});
- $rule->{'limit-burst'}->[1] = $in{'limitburst'};
- push(@mods, "limit");
- }
-
- if ($rule->{'chain'} eq 'OUTPUT') {
- if (&parse_mode("uidowner", $rule, "uid-owner")) {
- defined(getpwnam($in{"uidowner"})) ||
- &error($text{'save_euidowner'});
- $rule->{'uid-owner'}->[1] = $in{"uidowner"};
- push(@mods, "owner");
- }
- if (&parse_mode("gidowner", $rule, "gid-owner")) {
- defined(getgrnam($in{"gidowner"})) ||
- &error($text{'save_egidowner'});
- $rule->{'gid-owner'}->[1] = $in{"gidowner"};
- push(@mods, "owner");
- }
- if (&parse_mode("pidowner", $rule, "pid-owner")) {
- $in{"pidowner"} =~ /^\d+$/ ||
- &error($text{'save_epidowner'});
- $rule->{'pid-owner'}->[1] = $in{"pidowner"};
- push(@mods, "owner");
- }
- if (&parse_mode("sidowner", $rule, "sid-owner")) {
- $in{"sidowner"} =~ /^\d+$/ ||
- &error($text{'save_esidowner'});
- $rule->{'sid-owner'}->[1] = $in{"sidowner"};
- push(@mods, "owner");
- }
- }
-
- # Save connection states and TOS
- if (&parse_mode("state", $rule, "state")) {
- @states = split(/\0/, $in{'state'});
- @states || &error($text{'save_estates'});
- $rule->{'state'}->[1] = join(",", @states);
- push(@mods, "state");
- }
- if (&parse_mode("tos", $rule, "tos")) {
- $rule->{'tos'}->[1] = $in{'tos'};
- push(@mods, "tos");
- }
-
- # Parse physical input and output interfaces
- if (&parse_mode("physdevin", $rule, "physdev-in")) {
- $in{'physdevin'} ne '' || $in{'physdevin_other'} =~ /^\S+$/ ||
- &error($text{'save_ephysdevin'});
- $rule->{'physdev-in'}->[1] =
- $in{'physdevin'} eq '' || $in{'physdevin'} eq 'other' ?
- $in{'physdevin_other'} : $in{'physdevin'};
- push(@mods, "physdev");
- }
- if (&parse_mode("physdevout", $rule, "physdev-out")) {
- $in{'physdevout'} ne '' || $in{'physdevout_other'} =~ /^\S+$/ ||
- &error($text{'save_ephysdevout'});
- $rule->{'physdev-out'}->[1] =
- $in{'physdevout'} eq '' || $in{'physdevout'} eq 'other' ?
- $in{'physdevout_other'} : $in{'physdevout'};
- push(@mods, "physdev");
- }
-
- # Parse physdev match modes
- if (&parse_mode("physdevisin", $rule, "physdev-is-in")) {
- push(@mods, "physdev");
- }
- if (&parse_mode("physdevisout", $rule, "physdev-is-out")) {
- push(@mods, "physdev");
- }
- if (&parse_mode("physdevisbridged", $rule, "physdev-is-bridged")) {
- push(@mods, "physdev");
- }
-
- # Add custom paramters and modules
- $rule->{'args'} = $in{'args'};
- push(@mods, split(/\s+/, $in{'mods'}));
-
- # Save the rule
- if (@mods) {
- $rule->{'m'} = [ map { [ "", $_ ] } &unique(@mods) ];
- }
- else {
- delete($rule->{'m'});
- }
- delete($rule->{'j'}) if (!$in{'jump'});
- if ($in{'new'}) {
- if ($in{'before'} ne '') {
- splice(@{$table->{'rules'}}, $in{'before'}, 0, $rule);
- }
- elsif ($in{'after'} ne '') {
- splice(@{$table->{'rules'}}, $in{'after'}+1, 0, $rule);
- }
- else {
- push(@{$table->{'rules'}}, $rule);
- }
- }
- }
-
-# Write out the new save file
-&run_before_command();
-&save_table($table);
-&run_after_command();
-©_to_cluster();
-&unlock_file($ipvx_save);
-&webmin_log($in{'delete'} ? "delete" : $in{'new'} ? "create" : "modify",
- "rule", undef, { 'chain' => $rule->{'chain'},
- 'table' => $table->{'name'} });
-&redirect("index.cgi?table=$in{'table'}");
-
-# parse_mode(name, &rule, option)
-sub parse_mode
-{
-if ($in{"$_[0]_mode"} == 0) {
- delete($_[1]->{$_[2]});
- return 0;
- }
-elsif ($in{"$_[0]_mode"} == 1) {
- $_[1]->{$_[2]} = [ "" ];
- return 1;
- }
-else {
- $_[1]->{$_[2]} = [ "!" ];
- return 1;
- }
-}
-
-
diff --git a/firewall6/setup.cgi b/firewall6/setup.cgi
deleted file mode 100755
index 94609e264..000000000
--- a/firewall6/setup.cgi
+++ /dev/null
@@ -1,250 +0,0 @@
-#!/usr/local/bin/perl
-# setup.cgi
-# Setup an initial save file
-
-require './firewall6-lib.pl';
-&ReadParse();
-$access{'setup'} || &error($text{'setup_ecannot'});
-
-&lock_file($ip6tables_save_file);
-if ($in{'reset'}) {
- # Clear out all rules
- foreach $t ("filter", "nat", "mangle") {
- &system_logged("ip6tables -t $t -P INPUT ACCEPT >/dev/null 2>&1");
- &system_logged("ip6tables -t $t -P OUTPUT ACCEPT >/dev/null 2>&1");
- &system_logged("ip6tables -t $t -P FORWARD ACCEPT >/dev/null 2>&1");
- &system_logged("ip6tables -t $t -P PREROUTING ACCEPT >/dev/null 2>&1");
- &system_logged("ip6tables -t $t -P POSTROUTING ACCEPT >/dev/null 2>&1");
- &system_logged("ip6tables -t $t -F >/dev/null 2>&1");
- &system_logged("ip6tables -t $t -X >/dev/null 2>&1");
- }
- }
-
-# Save all existing active rules
-if (defined(&unapply_ip6tables)) {
- &unapply_ip6tables();
- }
-else {
- &backquote_logged("ip6tables-save >$ip6tables_save_file 2>&1");
- }
-
-# Get important variable ports
-&get_miniserv_config(\%miniserv);
-$webmin_port = $miniserv{'port'} || 10000;
-$webmin_port2 = $webmin_port + 10;
-$usermin_port = undef;
-if (&foreign_installed("usermin")) {
- &foreign_require("usermin", "usermin-lib.pl");
- &usermin::get_usermin_miniserv_config(\%uminiserv);
- $usermin_port = $uminiserv{'port'};
- }
-$usermin_port ||= 20000;
-$ssh_port = undef;
-if (&foreign_installed("sshd")) {
- &foreign_require("sshd", "sshd-lib.pl");
- $conf = &sshd::get_sshd_config();
- $ssh_port = &sshd::find_value("Port", $conf);
- }
-$ssh_port ||= 22;
-
-if ($in{'auto'}) {
- @tables = &get_ip6tables_save();
- if ($in{'auto'} == 1) {
- # Add a single rule to the nat table for masquerading
- $iface = $in{'iface1'} eq 'other' ? $in{'iface1_other'}
- : $in{'iface1'};
- $iface || &error($text{'setup_eiface'});
- ($table) = grep { $_->{'name'} eq 'nat' } @tables;
- $table ||= { 'name' => 'nat',
- 'rules' => [ ],
- 'defaults' => { } };
- push(@{$table->{'rules'}},
- { 'chain' => 'POSTROUTING',
- 'o' => [ "", $iface ],
- 'j' => [ "", 'MASQUERADE' ] } );
- }
- elsif ($in{'auto'} >= 2) {
- # Block all incoming traffic, except for established
- # connections, DNS replies and safe ICMP types
- # In mode 3 allow ssh and ident too
- # In mode 4 allow ftp, echo-request and high ports too
- $iface = $in{'iface'.$in{'auto'}} eq 'other' ?
- $in{'iface'.$in{'auto'}.'_other'} :
- $in{'iface'.$in{'auto'}};
- $iface || &error($text{'setup_eiface'});
- ($table) = grep { $_->{'name'} eq 'filter' } @tables;
- $table ||= { 'name' => 'nat',
- 'rules' => [ ],
- 'defaults' => { } };
- $table->{'defaults'}->{'INPUT'} = 'DROP';
- push(@{$table->{'rules'}},
- { 'chain' => 'INPUT',
- 'i' => [ "!", $iface ],
- 'j' => [ "", 'ACCEPT' ],
- 'cmt' => 'Accept traffic from internal interfaces' },
- { 'chain' => 'INPUT',
- 'm' => [ [ "", "tcp" ] ],
- 'p' => [ "", "tcp" ],
- 'tcp-flags' => [ "", "ACK", "ACK" ],
- 'j' => [ "", 'ACCEPT' ],
- 'cmt' => 'Accept traffic with the ACK flag set' },
- { 'chain' => 'INPUT',
- 'm' => [ [ "", "state" ] ],
- 'state' => [ "", "ESTABLISHED" ],
- 'j' => [ "", 'ACCEPT' ],
- 'cmt' => 'Allow incoming data that is part of a connection we established' },
- { 'chain' => 'INPUT',
- 'm' => [ [ "", "state" ] ],
- 'state' => [ "", "RELATED" ],
- 'j' => [ "", 'ACCEPT' ],
- 'cmt' => 'Allow data that is related to existing connections' },
- { 'chain' => 'INPUT',
- 'm' => [ [ "", "udp" ] ],
- 'p' => [ "", "udp" ],
- 'sport' => [ "", 53 ],
- 'dport' => [ "", "1024:65535" ],
- 'j' => [ "", 'ACCEPT' ],
- 'cmt' => 'Accept responses to DNS queries' },
- { 'chain' => 'INPUT',
- 'm' => [ [ "", "icmpv6" ] ],
- 'p' => [ [ "", "icmpv6" ] ],
- 'j' => [ "", 'ACCEPT' ],
- 'cmt' => 'Accept all ICMPv6 traffic' },
- );
- if ($in{'auto'} >= 3) {
- # Allow ssh and ident
- push(@{$table->{'rules'}},
- { 'chain' => 'INPUT',
- 'm' => [ [ "", "tcp" ] ],
- 'p' => [ "", "tcp" ],
- 'dport' => [ "", $ssh_port ],
- 'j' => [ "", 'ACCEPT' ],
- 'cmt' => 'Allow connections to our SSH server' },
- { 'chain' => 'INPUT',
- 'm' => [ [ "", "tcp" ] ],
- 'p' => [ "", "tcp" ],
- 'dport' => [ "", "auth" ],
- 'j' => [ "", 'ACCEPT' ],
- 'cmt' => 'Allow connections to our IDENT server'}
- );
- }
- if ($in{'auto'} >= 4) {
- # Allow pings
- push(@{$table->{'rules'}},
- { 'chain' => 'INPUT',
- 'm' => [ [ "", "icmpv6" ] ],
- 'p' => [ [ "", "icmpv6" ] ],
- 'icmpv6-type' => [ "", "echo-request" ],
- 'j' => [ "", 'ACCEPT' ],
- 'cmt' => 'Respond to pings' }, );
- }
- if ($in{'auto'} == 4) {
- # Allow pings and most high ports
- push(@{$table->{'rules'}},
- { 'chain' => 'INPUT',
- 'm' => [ [ "", "tcp" ] ],
- 'p' => [ "", "tcp" ],
- 'dport' => [ "", "2049:2050" ],
- 'j' => [ "", 'DROP' ],
- 'cmt' => 'Protect our NFS server' },
- { 'chain' => 'INPUT',
- 'm' => [ [ "", "tcp" ] ],
- 'p' => [ "", "tcp" ],
- 'dport' => [ "", "6000:6063" ],
- 'j' => [ "", 'DROP' ],
- 'cmt' => 'Protect our X11 display server' },
- { 'chain' => 'INPUT',
- 'm' => [ [ "", "tcp" ] ],
- 'p' => [ "", "tcp" ],
- 'dport' => [ "", "7000:7010" ],
- 'j' => [ "", 'DROP' ],
- 'cmt' => 'Protect our X font server' },
- { 'chain' => 'INPUT',
- 'm' => [ [ "", "tcp" ] ],
- 'p' => [ "", "tcp" ],
- 'dport' => [ "", "1024:65535" ],
- 'j' => [ "", 'ACCEPT' ],
- 'cmt' => 'Allow connections to unprivileged ports' },
- );
- }
- if ($in{'auto'} == 5) {
- # Allow typical hosting server ports
- push(@{$table->{'rules'}},
- { 'chain' => 'INPUT',
- 'm' => [ [ "", "tcp" ] ],
- 'p' => [ "", "tcp" ],
- 'dport' => [ "", "53" ],
- 'j' => [ "", 'ACCEPT' ],
- 'cmt' => 'Allow DNS zone transfers' },
- { 'chain' => 'INPUT',
- 'm' => [ [ "", "udp" ] ],
- 'p' => [ "", "udp" ],
- 'dport' => [ "", "53" ],
- 'j' => [ "", 'ACCEPT' ],
- 'cmt' => 'Allow DNS queries' },
- { 'chain' => 'INPUT',
- 'm' => [ [ "", "tcp" ] ],
- 'p' => [ "", "tcp" ],
- 'dport' => [ "", "80" ],
- 'j' => [ "", 'ACCEPT' ],
- 'cmt' => 'Allow connections to webserver' },
- { 'chain' => 'INPUT',
- 'm' => [ [ "", "tcp" ] ],
- 'p' => [ "", "tcp" ],
- 'dport' => [ "", "443" ],
- 'j' => [ "", 'ACCEPT' ],
- 'cmt' => 'Allow SSL connections to webserver' },
- { 'chain' => 'INPUT',
- 'm' => [ [ "", "tcp" ], [ "", "multiport" ] ],
- 'p' => [ "", "tcp" ],
- 'dports' => [ "", "25,587" ],
- 'j' => [ "", 'ACCEPT' ],
- 'cmt' => 'Allow connections to mail server' },
- { 'chain' => 'INPUT',
- 'm' => [ [ "", "tcp" ] ],
- 'p' => [ "", "tcp" ],
- 'dport' => [ "", "20:21" ],
- 'j' => [ "", 'ACCEPT' ],
- 'cmt' => 'Allow connections to FTP server' },
- { 'chain' => 'INPUT',
- 'm' => [ [ "", "tcp" ], [ "", "multiport" ] ],
- 'p' => [ "", "tcp" ],
- 'dports' => [ "", "110,995" ],
- 'j' => [ "", 'ACCEPT' ],
- 'cmt' => 'Allow connections to POP3 server' },
- { 'chain' => 'INPUT',
- 'm' => [ [ "", "tcp" ], [ "", "multiport" ] ],
- 'p' => [ "", "tcp" ],
- 'dports' => [ "", "143,220,993" ],
- 'j' => [ "", 'ACCEPT' ],
- 'cmt' => 'Allow connections to IMAP server' },
- { 'chain' => 'INPUT',
- 'm' => [ [ "", "tcp" ] ],
- 'p' => [ "", "tcp" ],
- 'dport' => [ "",$webmin_port.":".$webmin_port2 ],
- 'j' => [ "", 'ACCEPT' ],
- 'cmt' => 'Allow connections to Webmin' },
- { 'chain' => 'INPUT',
- 'm' => [ [ "", "tcp" ] ],
- 'p' => [ "", "tcp" ],
- 'dport' => [ "", $usermin_port ],
- 'j' => [ "", 'ACCEPT' ],
- 'cmt' => 'Allow connections to Usermin' },
- );
- }
- }
- &run_before_command();
- &save_table($table);
- &run_after_command();
- ©_to_cluster();
- }
-
-if ($in{'atboot'}) {
- &create_firewall_init();
- }
-&unlock_file($ip6tables_save_file);
-
-&webmin_log("setup");
-&redirect("");
-
-
diff --git a/firewall6/setup6.cgi b/firewall6/setup6.cgi
new file mode 120000
index 000000000..78301dec7
--- /dev/null
+++ b/firewall6/setup6.cgi
@@ -0,0 +1 @@
+../firewall/setup6.cgi
\ No newline at end of file
diff --git a/firewall6/unapply.cgi b/firewall6/unapply.cgi
deleted file mode 100755
index cd87c0359..000000000
--- a/firewall6/unapply.cgi
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/usr/local/bin/perl
-# unapply.cgi
-# Revert the firewall configuration from the kernel settings
-
-require './firewall6-lib.pl';
-&ReadParse();
-$access{'unapply'} || &error($text{'unapply_ecannot'});
-&error_setup($text{'apply_err'});
-if (defined(&unapply_ip6tables)) {
- # Call distro's unapply command
- $err = &unapply_ip6tables();
- }
-else {
- # Manually run ip6tables-save
- $err = &ip6tables_save();
- }
-&error($err) if ($err);
-&webmin_log("unapply");
-&redirect("index.cgi?table=$in{'table'}");
-
diff --git a/firewall6/unapply.cgi b/firewall6/unapply.cgi
new file mode 120000
index 000000000..d143b082c
--- /dev/null
+++ b/firewall6/unapply.cgi
@@ -0,0 +1 @@
+../firewall/unapply.cgi
\ No newline at end of file