bbfdm: fix shell injection in /etc/firewall.portmap

Rework the script to use iptables-restore instead of eval

(cherry picked from commit cf8350b6b365429aa68f0f957f79eb31bb43e2db)
(cherry picked from commit df87055d04)
This commit is contained in:
Erik Karlsson 2024-03-12 18:47:03 +01:00
parent 3d68c3b9f7
commit e9f40eba08


@ -2,71 +2,40 @@
. /lib/functions.sh . /lib/functions.sh
log() {
echo "${@}"|logger -t firewall.dnat -p info
}
exec_cmd() {
if ! eval "$*"; then
log "Failed to run [$*]"
fi
}
reorder_dnat_rules() { reorder_dnat_rules() {
nat_chains=$(iptables -t nat -S | grep -E "^-N zone[a-zA-Z0-9_]+prerouting$" | cut -d' ' -f 2) nat_chains=$(iptables -t nat -S | grep -E "^-N zone[a-zA-Z0-9_]+prerouting$" | cut -d' ' -f 2)
for chain in ${nat_chains}; do for chain in ${nat_chains}; do
# Collect empty remote host & empty dport rules # Collect empty remote host & empty dport rules
EMPTY_HOST_PORT=$(iptables -t nat -S ${chain} | grep -E "REDIRECT|DNAT" | grep -v "\-\-dport" | grep -v "\-s ") EMPTY_HOST_PORT=$(iptables -t nat -S ${chain} | grep -E "REDIRECT|DNAT" | grep -v "\-\-dport" | grep -v "\-s ")
if [ -n "${EMPTY_HOST_PORT}" ]; then
echo "${EMPTY_HOST_PORT}" | while read cmd; do
cmd1="iptables -t nat $(echo $cmd | sed 's/-A /-D /g')"
exec_cmd $cmd1
done
fi
# Collect empty remote host but non empty dport rules # Collect empty remote host but non empty dport rules
EMPTY_HOST=$(iptables -t nat -S ${chain} | grep -E "REDIRECT|DNAT" | grep "\-\-dport" | grep -v "\-s ") EMPTY_HOST=$(iptables -t nat -S ${chain} | grep -E "REDIRECT|DNAT" | grep "\-\-dport" | grep -v "\-s ")
if [ -n "${EMPTY_HOST}" ]; then
echo "${EMPTY_HOST}" | while read cmd; do
cmd1="iptables -t nat $(echo $cmd | sed 's/-A /-D /g')"
exec_cmd $cmd1
done
fi
# Collect non empty remote host but empty dport rules # Collect non empty remote host but empty dport rules
EMPTY_PORT=$(iptables -t nat -S ${chain} | grep -E "REDIRECT|DNAT" | grep -v "\-\-dport" | grep "\-s ") EMPTY_PORT=$(iptables -t nat -S ${chain} | grep -E "REDIRECT|DNAT" | grep -v "\-\-dport" | grep "\-s ")
if [ -n "${EMPTY_PORT}" ]; then
echo "${EMPTY_PORT}" | while read cmd; do
cmd1="iptables -t nat $(echo $cmd | sed 's/-A /-D /g')"
exec_cmd $cmd1
done
fi
# Now add rules as per datamodel precedence shown below # Skip this chain if no matching rules were found
## Non empty remote host, empty dport [ -n "${EMPTY_HOST_PORT}" -o -n "${EMPTY_HOST}" -o -n "${EMPTY_PORT}" ] || continue
## empty remote host, non empty dport
## empty remote host, empty dport
if [ -n "${EMPTY_PORT}" ]; then
echo "${EMPTY_PORT}" | while read cmd; do
cmd1="iptables -t nat $(echo $cmd)"
exec_cmd $cmd1
done
fi
if [ -n "${EMPTY_HOST}" ]; then (
echo "${EMPTY_HOST}" | while read cmd; do echo '*nat'
cmd1="iptables -t nat $(echo $cmd)"
exec_cmd $cmd1
done
fi
if [ -n "${EMPTY_HOST_PORT}" ]; then # Delete collected rules
echo "${EMPTY_HOST_PORT}" | while read cmd; do [ -n "${EMPTY_HOST_PORT}" ] && echo "${EMPTY_HOST_PORT}" | sed 's/^-A /-D /'
cmd1="iptables -t nat $(echo $cmd)" [ -n "${EMPTY_HOST}" ] && echo "${EMPTY_HOST}" | sed 's/^-A /-D /'
exec_cmd $cmd1 [ -n "${EMPTY_PORT}" ] && echo "${EMPTY_PORT}" | sed 's/^-A /-D /'
done
fi # Now add rules as per datamodel precedence shown below
## Non empty remote host, empty dport
## empty remote host, non empty dport
## empty remote host, empty dport
[ -n "${EMPTY_PORT}" ] && echo "${EMPTY_PORT}"
[ -n "${EMPTY_HOST}" ] && echo "${EMPTY_HOST}"
[ -n "${EMPTY_HOST_PORT}" ] && echo "${EMPTY_HOST_PORT}"
echo 'COMMIT'
) | iptables-restore -w -n
done done
} }
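Review bot: The exit status of `iptables-restore -w -n` closing the subshell pipeline is never checked, so when the batch is rejected (iptables-restore applies a table only at `COMMIT`, so one failing `-D`/`-A` line discards the whole delete-and-re-add set for that chain) the script continues silently, whereas the removed `exec_cmd` at least reported failures through `logger`; append a fallback such as `) | iptables-restore -w -n || logger -t firewall.dnat -p info "Failed to reorder DNAT rules in ${chain}"`. The `echo "${EMPTY_HOST_PORT}"`, `echo "${EMPTY_HOST}"` and `echo "${EMPTY_PORT}"` lines that feed rule text into the restore stream should use `printf '%s\n' "${EMPTY_HOST_PORT}"` instead, because `iptables -S` can emit backslash-escaped characters inside quoted `--comment` strings and the `echo` of some /bin/sh implementations (dash always, busybox depending on build options) interprets backslash escapes, corrupting the restore input. The guard `[ -n "${EMPTY_HOST_PORT}" -o -n "${EMPTY_HOST}" -o -n "${EMPTY_PORT}" ] || continue` relies on the deprecated `-o` operator; `[ -n "${EMPTY_HOST_PORT}" ] || [ -n "${EMPTY_HOST}" ] || [ -n "${EMPTY_PORT}" ] || continue` is unambiguous. The three `iptables -t nat -S ${chain}` reads do not pass `-w`, so under xtables lock contention they can fail, leave the variables empty and make the chain be skipped with no diagnostic, which is worth a `-w` for consistency with the restore call. The hunk begins at line 2, so the shebang and any `set` options are outside this view.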