Enhancement #3056

Protect built-in zones in Firewall.pm library

Added by Giacomo Sanchietti over 6 years ago. Updated over 6 years ago.

Status: CLOSED
Priority: Normal
Assignee: -
Category: nethserver-firewall-base
Target version: v6.6
Start date:
Due date:
% Done: 100%
Resolution:
NEEDINFO: No

Description

The Firewall.pm library can map firewall objects to the corresponding zone.
For example, given a green interface with IP 192.168.1.2 and a host object "test" with IP address 192.168.1.55:

use NethServer::Firewall;
my $fw = new NethServer::Firewall();
my $src_addr = $fw->getAddress("test");   # resolves the host object to its address
my $z = $fw->getZone($src_addr);          # maps the address to "zone:address"
print "$src_addr ** $z";

The code above will print:

192.168.1.55 ** loc:192.168.1.55

The library can also handle built-in zone names. For example, executing this code:

use NethServer::Firewall;
my $fw = new NethServer::Firewall();
my $src_addr = $fw->getAddress("role;green");
my $z = $fw->getZone($src_addr);
print "$src_addr ** $z";

the output will be:

loc ** loc

where loc is the Shorewall mapping for green zone.

But if there is a resolvable host name called loc (for example with IP 1.2.3.4), the library will fail and print:

loc ** net:loc

The problem is caused by the Perl NetAddr::IP library, whose constructor resolves host names, so the zone name loc is looked up as a host.
To avoid this behavior, all built-in zone names must be protected inside the Firewall.pm library.
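The following is an added example and not code from nethserver-firewall-base: a small stand-in for the zone lookup that shows the failure described above and the two ways of guarding it. The resolver (%FAKE_HOSTS, mimicking the "1.2.3.4 loc" /etc/hosts entry from this issue), the classify() rule and all function names are constructed assumptions; the real library uses NetAddr::IP and the configured interfaces instead.

```perl
#!/usr/bin/perl
# Added example (not from nethserver-firewall-base): why built-in Shorewall
# zone names must be matched exactly before a value reaches a resolver.
use strict;
use warnings;

# Built-in zone names that must never be resolved as host names.
my %BUILTIN_ZONE = map { ($_ => 1) } qw(loc net blue orange ivpn lvpn ovpn);

# Constructed stand-in for name resolution (NetAddr::IP->new in the real
# library). It mirrors an /etc/hosts that maps "loc" to 1.2.3.4.
my %FAKE_HOSTS = (
    'loc'       => '1.2.3.4',
    'localhost' => '127.0.0.1',
    'test'      => '192.168.1.55',
);

sub resolve {
    my ($name) = @_;
    return $name if $name =~ /^\d{1,3}(\.\d{1,3}){3}$/;   # already an IP
    return $FAKE_HOSTS{$name};                            # undef if unknown
}

# Simplified classifier (assumption): addresses in the green network are
# "loc", everything else is "net".
sub classify {
    my ($ip) = @_;
    return $ip =~ /^192\.168\.1\./ ? 'loc' : 'net';
}

# Unprotected: every value is resolved, so the zone name "loc" becomes
# 1.2.3.4 and is reported as a host on the net zone ("net:loc").
sub get_zone_unprotected {
    my ($value) = @_;
    my $ip = resolve($value);
    return $value unless defined $ip;      # skip garbage
    return classify($ip) . ":$value";
}

# Substring guard: an unanchored /loc|net|.../ returns anything that merely
# contains a zone name, so "localhost" is never resolved either.
sub get_zone_substring_guard {
    my ($value) = @_;
    return $value if $value =~ /loc|net|blue|orang|ivpn|lvpn|ovpn/;
    my $ip = resolve($value);
    return $value unless defined $ip;
    return classify($ip) . ":$value";
}

# Exact-match guard: only a value that IS a built-in zone name short-circuits.
sub get_zone_exact_guard {
    my ($value) = @_;
    return $value if $BUILTIN_ZONE{$value};
    my $ip = resolve($value);
    return $value unless defined $ip;
    return classify($ip) . ":$value";
}

for my $v (qw(loc localhost 192.168.1.55)) {
    printf "%-13s unprotected=%-16s substring=%-16s exact=%s\n",
        $v, get_zone_unprotected($v), get_zone_substring_guard($v),
        get_zone_exact_guard($v);
}
```

With the constructed hosts table, "loc" yields net:loc unprotected and loc under both guards, while "localhost" is left unresolved by the substring guard but correctly classified (net:localhost) by the exact-match one; a plain IP such as 192.168.1.55 is classified loc:192.168.1.55 in every variant.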

Associated revisions

Revision e9405765
Added by Giacomo Sanchietti over 6 years ago

Firewall.pm: protect built-in zones. Refs #3056

History

#1 Updated by Giacomo Sanchietti over 6 years ago

Tested fix:

--- /usr/share/perl5/vendor_perl/NethServer/Firewall.pm.ori    2015-02-20 16:50:58.171513245 +0100
+++ /usr/share/perl5/vendor_perl/NethServer/Firewall.pm    2015-02-20 17:54:05.250276154 +0100
@@ -246,6 +246,11 @@
     # sanitize the list:
     $value = join(",", grep { $_ ne '' } split(/,/, $value));

+    # protect built-in zone from name resolution Refs #3056
+    if ($value =~ /loc|net|blue|orang|ivpn|lvpn|ovpn/) {
+        return $value;
+    }
+
     # host group or not: always pick the first element:
     my $needle = NetAddr::IP->new((split(/,/, $value))[0]);
     return $value unless defined($needle); # skip garbage
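Review bot: the guard `+    if ($value =~ /loc|net|blue|orang|ivpn|lvpn|ovpn/) {` is an unanchored substring match, so any value that merely contains one of these strings (a host named `localhost`, a group named `internet`, or a comma-joined list with such a member) is returned before `NetAddr::IP->new` sees it and stays unresolved in the generated rule. Anchor the match to the whole value, e.g. `if ($value =~ /^(loc|net|blue|orange|ivpn|lvpn|ovpn)$/) {`, and since `$value` is a sanitized comma list, decide whether the check should apply to the first element (as the lookup below does) rather than the joined string. `orang` also reads like a truncated `orange`; with an anchored match it must be spelled out.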

#2 Updated by Giacomo Sanchietti over 6 years ago

  • Subject changed from Protect built-int zoned in Firewall.pm library to Protect built-int zones in Firewall.pm library

#3 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from NEW to TRIAGED
  • Assignee set to Giacomo Sanchietti
  • Target version set to v6.6
  • % Done changed from 0 to 20

#4 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • % Done changed from 20 to 30

#5 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#6 Updated by Giacomo Sanchietti over 6 years ago

  • Description updated (diff)

#7 Updated by Giacomo Sanchietti over 6 years ago

Test case
  • Add a fake host in /etc/hosts:
     echo "1.2.3.4 loc" >> /etc/hosts
    
  • Create test.pl script with following content:
    use NethServer::Firewall;
    my $fw = new NethServer::Firewall();
    my $src_addr = $fw->getAddress("role;green");
    my $z = $fw->getZone($src_addr);
    print "*$src_addr* *$z*";
    
  • Execute the script; the result must be:
    *loc* *loc*
    

#8 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
Package in nethserver-testing:
  • nethserver-firewall-base-2.2.3-1.9.ge940576.ns6.noarch.rpm

#9 Updated by Filippo Carletti over 6 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

Prior to upgrade I had a broken rule:
ACCEPT:none net:loc net:1.2.3.4 all
and shorewall complained.
Test program output was:
loc net:loc

Update:
Updated:
nethserver-firewall-base.noarch 0:2.2.3-1.9.ge940576.ns6

Test output:
loc loc

The firewall rule has been changed to:
ACCEPT:none loc net:1.2.3.4 all

#10 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100
Released in nethserver-base:
  • nethserver-firewall-base-2.3.0-1.ns6.noarch.rpm
