Enhancement #3056
Protect built-int zones in Firewall.pm library
| Status: | CLOSED | Start date: | ||
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | - | % Done: | 100% | |
| Category: | nethserver-firewall-base | |||
| Target version: | v6.6 | |||
| Resolution: | NEEDINFO: | No |
Description
The Firewall.pm library can map firewall objects to the corresponding zone.
For example, given a green interface with IP 192.168.1.2 and an host object "test" with ip address 192.168.1.55:
use NethServer::Firewall;
my $fw = new NethServer::Firewall();
my $src_addr = $fw->getAddress("test");
my $z = $fw->getZone($src_addr);
print "$src_addr ** $fw";
Below code will print:
192.168.1.55 ** loc:192.168.1.55
The library can also handle built-in zone names. For example, executing this code:
use NethServer::Firewall;
my $fw = new NethServer::Firewall();
my $src_addr = $fw->getAddress("role;green");
my $z = $fw->getZone($src_addr);
print "$src_addr ** $z";
the output will be:
loc ** loc
where loc is the Shorewall mapping for green zone.
But, if there is a resolvable host name called loc for example with IP 1.2.3.4, the library will fail and will print:
loc ** net:loc
The problem is caused by perl NetAddr::IP library.
To avoid this behavior all built-in zone names must be protected inside the Firewall.pm library.
Associated revisions
Firewall.pm: protect built-in zones. Refs #3056
History
#1
Updated by Giacomo Sanchietti over 6 years ago
Tested fix:
--- /usr/share/perl5/vendor_perl/NethServer/Firewall.pm.ori 2015-02-20 16:50:58.171513245 +0100
+++ /usr/share/perl5/vendor_perl/NethServer/Firewall.pm 2015-02-20 17:54:05.250276154 +0100
@@ -246,6 +246,11 @@
# sanitize the list:
$value = join(",", grep { $_ ne '' } split(/,/, $value));
+ # protect built-in zone from name resolution Refs #3056
+ if ($value =~ /loc|net|blue|orang|ivpn|lvpn|ovpn/) {
+ return $value;
+ }
+
# host group or not: always pick the first element:
my $needle = NetAddr::IP->new((split(/,/, $value))[0]);
return $value unless defined($needle); # skip garbage
#2
Updated by Giacomo Sanchietti over 6 years ago
- Subject changed from Protect built-int zoned in Firewall.pm library to Protect built-int zones in Firewall.pm library
#3
Updated by Giacomo Sanchietti over 6 years ago
- Status changed from NEW to TRIAGED
- Assignee set to Giacomo Sanchietti
- Target version set to v6.6
- % Done changed from 0 to 20
#4
Updated by Giacomo Sanchietti over 6 years ago
- Status changed from TRIAGED to ON_DEV
- % Done changed from 20 to 30
#5
Updated by Giacomo Sanchietti over 6 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#6
Updated by Giacomo Sanchietti over 6 years ago
- Description updated (diff)
#7
Updated by Giacomo Sanchietti over 6 years ago
- Add a fake host in
/etc/hosts:echo "1.2.3.4 loc" >> /etc/hosts
- Create
test.plscript with following content:use NethServer::Firewall; my $fw = new NethServer::Firewall(); my $src_addr = $fw->getAddress("role;green"); my $z = $fw->getZone($src_addr); print "*$src_addr* *$z*"; - Execute the script , result must be:
*loc* *loc*
#8
Updated by Giacomo Sanchietti over 6 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (
Giacomo Sanchietti) - % Done changed from 60 to 70
- nethserver-firewall-base-2.2.3-1.9.ge940576.ns6.noarch.rpm
#9
Updated by Filippo Carletti over 6 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
Prior to upgrade I had a broken rule:
ACCEPT:none net:loc net:1.2.3.4 all
and shorewall complained.
Test program output was:
loc net:loc
Update:
Updated:
nethserver-firewall-base.noarch 0:2.2.3-1.9.ge940576.ns6
Test output:
loc loc
The firewall rule has been changed to:
ACCEPT:none loc net:1.2.3.4 all
#10
Updated by Giacomo Sanchietti over 6 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
- nethserver-firewall-base-2.3.0-1.ns6.noarch.rpm