Enhancement #3056
Protect built-int zones in Firewall.pm library
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-firewall-base | | |
| Target version: | v6.6 | | |
| Resolution: | | NEEDINFO: | No |
Description
The Firewall.pm library can map firewall objects to the corresponding zone.
For example, given a green interface with IP 192.168.1.2 and a host object "test" with IP address 192.168.1.55:

    use NethServer::Firewall;
    my $fw = new NethServer::Firewall();
    my $src_addr = $fw->getAddress("test");
    my $z = $fw->getZone($src_addr);
    print "$src_addr ** $z";

This code will print:

    192.168.1.55 ** loc:192.168.1.55

The library can also handle built-in zone names. For example, executing this code:

    use NethServer::Firewall;
    my $fw = new NethServer::Firewall();
    my $src_addr = $fw->getAddress("role;green");
    my $z = $fw->getZone($src_addr);
    print "$src_addr ** $z";

the output will be:

    loc ** loc

where loc is the Shorewall zone name mapped to the green role.
But if a resolvable host name called loc exists (for example with IP 1.2.3.4), the library fails and prints:

    loc ** net:loc

The problem is caused by the Perl NetAddr::IP library, which resolves loc as a host name instead of treating it as a zone.
To avoid this behavior all built-in zone names must be protected inside the Firewall.pm library.
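The following script is an added example and is not code from NethServer's Firewall.pm. It models the getZone() guard this issue asks for: a value that exactly matches a built-in Shorewall zone name is returned as-is before any name resolution, while everything else is resolved and classified. Name resolution is replaced by a constructed hash so the script runs offline; the host names location/10.9.8.7, the address 8.8.8.8 and the green network 192.168.1.0/24 are assumptions, and only loc/1.2.3.4 and test/192.168.1.55 come from the issue. It also contrasts an exact lookup with the unanchored pattern used in the patch from comment #1.

```perl
#!/usr/bin/perl
# Added example, not code from NethServer's Firewall.pm: a stand-alone model of
# the getZone() guard described in this issue. Name resolution is replaced by a
# constructed hash so the script runs offline; every host name and address below
# is made up except loc/1.2.3.4 and test/192.168.1.55, which come from the issue.
use strict;
use warnings;

# Built-in Shorewall zone names used by NethServer (the list from the patch in #1).
my %BUILTIN_ZONE = map { $_ => 1 } qw(loc net blue orang ivpn lvpn ovpn);

# Constructed stand-in for /etc/hosts and DNS lookups.
my %FAKE_HOSTS = (
    'loc'      => '1.2.3.4',       # the conflicting entry from the issue
    'test'     => '192.168.1.55',  # the host object from the description
    'location' => '10.9.8.7',      # assumed: a name that merely contains "loc"
);

# Constructed green (loc) network; any other address is treated as Internet (net).
my $GREEN_NET = qr/^192\.168\.1\.\d{1,3}$/;

sub zone_of_ip {
    my ($ip) = @_;
    return $ip =~ $GREEN_NET ? 'loc' : 'net';
}

# Unprotected behaviour: every value is resolved first, so a host literally
# named "loc" shadows the built-in zone and is classified as net:loc.
sub get_zone_unprotected {
    my ($value) = @_;
    my $ip = exists $FAKE_HOSTS{$value} ? $FAKE_HOSTS{$value} : $value;
    return zone_of_ip($ip) . ":$value";
}

# Protected behaviour: an exact match against the built-in zone table is
# returned untouched, before any resolution is attempted.
sub get_zone_protected {
    my ($value) = @_;
    return $value if exists $BUILTIN_ZONE{$value};
    my $ip = exists $FAKE_HOSTS{$value} ? $FAKE_HOSTS{$value} : $value;
    return zone_of_ip($ip) . ":$value";
}

# Two ways of writing the guard: the unanchored alternation from the patch in
# #1 matches any value that contains a zone name; the hash lookup only exact ones.
sub is_builtin_unanchored { return $_[0] =~ /loc|net|blue|orang|ivpn|lvpn|ovpn/ ? 1 : 0 }
sub is_builtin_exact      { return exists $BUILTIN_ZONE{$_[0]} ? 1 : 0 }

for my $value (qw(loc test location 192.168.1.55 8.8.8.8)) {
    printf "%-13s unprotected=%-18s protected=%-18s unanchored=%d exact=%d\n",
        $value,
        get_zone_unprotected($value),
        get_zone_protected($value),
        is_builtin_unanchored($value),
        is_builtin_exact($value);
}
```

For the value loc the unprotected path yields net:loc, the failure reported in this issue, while the protected path returns loc. The last two columns show why the guard should be an exact match: the unanchored pattern flags the constructed host name location as a built-in zone, whereas the hash lookup does not, so that host object would still be resolved and classified normally.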
Associated revisions
Firewall.pm: protect built-in zones. Refs #3056
History
#1 Updated by Giacomo Sanchietti over 6 years ago
Tested fix:
--- /usr/share/perl5/vendor_perl/NethServer/Firewall.pm.ori 2015-02-20 16:50:58.171513245 +0100 +++ /usr/share/perl5/vendor_perl/NethServer/Firewall.pm 2015-02-20 17:54:05.250276154 +0100 @@ -246,6 +246,11 @@ # sanitize the list: $value = join(",", grep { $_ ne '' } split(/,/, $value)); + # protect built-in zone from name resolution Refs #3056 + if ($value =~ /loc|net|blue|orang|ivpn|lvpn|ovpn/) { + return $value; + } + # host group or not: always pick the first element: my $needle = NetAddr::IP->new((split(/,/, $value))[0]); return $value unless defined($needle); # skip garbage
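Review bot: the guard `if ($value =~ /loc|net|blue|orang|ivpn|lvpn|ovpn/) { return $value; }` is an unanchored substring match, so any host, host group or sanitized address list whose name merely contains one of those fragments is returned verbatim and never reaches the `NetAddr::IP->new(...)` lookup that follows, silently skipping zone resolution for that object. Anchor the alternation to the whole value, for example `if ($value =~ /^(?:loc|net|blue|orang|ivpn|lvpn|ovpn)$/)`, or look `$value` up in a hash of built-in zone names, so that only an exact zone name short-circuits resolution.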
#2 Updated by Giacomo Sanchietti over 6 years ago
- Subject changed from Protect built-int zoned in Firewall.pm library to Protect built-int zones in Firewall.pm library
#3 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from NEW to TRIAGED
- Assignee set to Giacomo Sanchietti
- Target version set to v6.6
- % Done changed from 0 to 20
#4 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from TRIAGED to ON_DEV
- % Done changed from 20 to 30
#5 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#6 Updated by Giacomo Sanchietti over 6 years ago
- Description updated (diff)
#7 Updated by Giacomo Sanchietti over 6 years ago
- Add a fake host in /etc/hosts:

    echo "1.2.3.4 loc" >> /etc/hosts

- Create a test.pl script with the following content:

    use NethServer::Firewall;
    my $fw = new NethServer::Firewall();
    my $src_addr = $fw->getAddress("role;green");
    my $z = $fw->getZone($src_addr);
    print "*$src_addr* *$z*";

- Execute the script, result must be:

    *loc* *loc*
#8 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-firewall-base-2.2.3-1.9.ge940576.ns6.noarch.rpm
#9 Updated by Filippo Carletti over 6 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
Prior to upgrade I had a broken rule:

    ACCEPT:none net:loc net:1.2.3.4 all

and shorewall complained.
Test program output was:

    loc net:loc

Update:

    Updated:
      nethserver-firewall-base.noarch 0:2.2.3-1.9.ge940576.ns6

Test output:

    loc loc

The firewall rule has been changed to:

    ACCEPT:none loc net:1.2.3.4 all
#10 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
- nethserver-firewall-base-2.3.0-1.ns6.noarch.rpm