diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e594810 --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +*.rpm +*.log +*spec-20* +*.tar.xz diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..7937134 --- /dev/null +++ b/Makefile @@ -0,0 +1,21 @@ +# Makefile for source rpm: e-smith-portforwarding +# $Id: Makefile,v 1.1 2016/02/05 22:00:01 stephdl Exp $ +NAME := e-smith-portforwarding +SPECFILE = $(firstword $(wildcard *.spec)) + +define find-makefile-common +for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done +endef + +MAKEFILE_COMMON := $(shell $(find-makefile-common)) + +ifeq ($(MAKEFILE_COMMON),) +# attept a checkout +define checkout-makefile-common +test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2 +endef + +MAKEFILE_COMMON := $(shell $(checkout-makefile-common)) +endif + +include $(MAKEFILE_COMMON) diff --git a/README.md b/README.md index 57ebf71..6da9e7a 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,17 @@ -# e-smith-portforwarding +# e-smith-portforwarding -SMEServer Koozali developed git repo for e-smith-portforwarding smeserver \ No newline at end of file +SMEServer Koozali developed git repo for e-smith-portforwarding smeserver + +## Wiki +
https://wiki.koozali.org/ + +## Bugzilla +Show list of outstanding bugs: [here](https://bugs.koozali.org/buglist.cgi?component=e-smith-portforwarding&product=SME%20Server%2010.X&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED) + +## Description + +
*This description has been generated by an LLM AI system and cannot be relied on to be fully correct.* +*Once it has been checked, then this comment will be deleted* +
+ +E-Smith-Portforwarding is a powerful software solution for streamlining the process of setting up and managing port forwarding on an internal network. It provides users with an intuitive and easy-to-use interface for creating and managing port forwarding rules, as well as quickly viewing the current status of active ports. With E-Smith-Portforwarding, users can quickly and easily forward ports to any internal or external host, allowing secure, remote access to services running on the internal network. It also provides in-depth monitoring and logging capabilities, allowing administrators to keep track of the activity on forwarded ports, as well as detect and alert them of any suspicious activity. diff --git a/additional/COPYING b/additional/COPYING new file mode 100755 index 0000000..196760e --- /dev/null +++ b/additional/COPYING @@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) 19yy + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) 19yy name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. diff --git a/contriborbase b/contriborbase new file mode 100644 index 0000000..ef36a67 --- /dev/null +++ b/contriborbase @@ -0,0 +1 @@ +sme10 diff --git a/createlinks b/createlinks new file mode 100755 index 0000000..ec9a25c --- /dev/null +++ b/createlinks @@ -0,0 +1,23 @@ +#!/usr/bin/perl -w +# This script creates the symlinks needed by this RPM +# Specific support exists to create symlinks within e-smith web "panels" +# and for links from named "events" directories into the "actions" directory + +use esmith::Build::CreateLinks qw(:all); + +#-------------------------------------------------- +# functions for user panel +#-------------------------------------------------- +my $panel = "manager"; +panel_link("portforwarding", $panel); + +my $event = "portforwarding-update"; +templates2events("/etc/rc.d/init.d/masq", $event); +safe_symlink("adjust", "root/etc/e-smith/events/$event/services2adjust/masq"); + +my $event = "e-smith-portforwarding-update"; +templates2events("/etc/rc.d/init.d/masq", $event); +safe_symlink("adjust", "root/etc/e-smith/events/$event/services2adjust/masq"); +# systemd-specific action mandatory for this package-update event +event_link("systemd-reload", $event, "89"); +event_link("systemd-default", $event, "88"); diff --git a/e-smith-portforwarding.spec b/e-smith-portforwarding.spec new file mode 100644 index 0000000..ea639aa --- /dev/null +++ b/e-smith-portforwarding.spec @@ -0,0 +1,486 @@ +# $Id: e-smith-portforwarding.spec,v 1.3 2021/01/06 20:31:11 jpp Exp $ + +Summary: portforwarding panel for SME Server +%define name e-smith-portforwarding +Name: %{name} +%define version 2.6.0 +%define release 4 +Version: %{version} +Release: %{release}%{?dist} +License: GPL +Group: Networking/Daemons +Source: %{name}-%{version}.tar.xz + +BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot +BuildArchitectures: noarch +Requires: e-smith-base +Requires: e-smith-packetfilter >= 1.13.0-13 +Requires: e-smith-lib >= 1.15.1-19 +Requires: e-smith-formmagick >= 1.4.0-12 +BuildRequires: e-smith-devtools >= 1.13.1-03 +Obsoletes: e-smith-ipportfw dmc-mitel-portforwarding +AutoReqProv: no + +%description +Adds a Port Forwarding panel to the SME server-manager. + +%changelog +* Wed Jul 12 2023 cvs2git.sh aka Brian Read 2.6.0-4.sme +- Roll up patches and move to git repo [SME: 12338] + +* Wed Jul 12 2023 BogusDateBot +- Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday, + by assuming the date is correct and changing the weekday. + Wed Jun 26 2007 --> Wed Jun 20 2007 or Tue Jun 26 2007 or Wed Jun 27 2007 or .... + +* Wed Jan 06 2021 Jean-Philipe Pialasse 2.6.0-3.sme +- add update event [SME: 11148] + +* Thu May 12 2016 Daniel Berteaud 2.6.0-2.sme +- Rebuild for [SME: 9393] + +* Fri Feb 05 2016 stephane de Labrusse 2.6.0-1.sme +- Initial release to sme10 + +* Thu Jan 31 2013 Shad L. Lords 2.4.0-1.sme +- Roll new stream for sme9 + +* Thu Mar 11 2010 Jonathan Martens 2.2.0-6.sme +- Fix missing space cuasing errors parsing the iptables rules [SME: 2379] + +* Tue Mar 9 2010 Jonathan Martens 2.2.0-5.sme +- Rework 91adjustPortForward template fragment [SME: 2379] + +* Tue Dec 15 2009 Filippo Carletti 2.2.0-4.sme +- Enable port forwards to localhost if mode is serveronly [SME: 1003] + +* Tue Oct 20 2009 Filippo Carletti 2.2.0-3.sme +- Adjust xml entry in locale [SME: 771] + +* Mon Oct 19 2009 Filippo Carletti 2.2.0-2.sme +- Add option to limit port forwards from source ip [SME: 2379] +- Add Text Description For Each Port Forwarding [SME: 771] + +* Tue Oct 7 2008 Shad L. Lords 2.2.0-1.sme +- Roll new stream to separate sme7/sme8 trees [SME: 4633] + +* Sun Apr 27 2008 Jonathan Martens 1.2.0-9 +- Add common tags to e-smith-formmagick's general [SME: 4282] + +* Wed Feb 13 2008 Stephen Noble 1.2.0-8 +- Remove tags now in general [SME: 3913] + +* Sun Feb 10 2008 Stephen Noble 1.2.0-7 +- Remove duplicate entries [SME: 3888] + +* Thu Nov 08 2007 Gavin Weight 1.2.0-6 +- Remove/Fix portforwarding.pm.orig file. [SME: 3526] + +* Tue Oct 16 2007 Charlie Brady 1.2.0-5 +- Use $OUTERNET for target of localhost port forwards, not externalIP + pulled from db at template expansion time. [SME: 2760] + +* Tue Jun 26 2007 Shad L. Lords 1.2.0-4 + Wed Jun 26 2007 --> Wed Jun 20 2007 or Tue Jun 26 2007 or Wed Jun 27 2007 or .... +- Ensure portforwarding dbs exists [SME: 54] + +* Tue Jun 26 2007 Shad L. Lords 1.2.0-3 +- Migrate portforwarding to own databases [SME: 54] + +* Sun Apr 29 2007 Shad L. Lords +- Clean up spec so package can be built by koji/plague + +* Thu Dec 07 2006 Shad L. Lords +- Update to new release naming. No functional changes. +- Make Packager generic + +* Thu Mar 16 2006 Gordon Rowell 1.2.0-01 +- Roll stable stream version. [SME: 1016] + +* Wed Nov 30 2005 Gordon Rowell 1.1.2-02 +- Bump release number only + +* Fri Oct 14 2005 Gordon Rowell +- [1.1.2-01] +- Remove L10Ns from base packages [SF: 1309520] + +* Fri Oct 14 2005 Gordon Rowell +- [1.1.1-01] +- New dev stream before relocating L10Ns + +* Fri Sep 30 2005 Gordon Rowell +- [1.1.0-13] +- Added Italian L10N - Thanks Filippo Carletti [SF: 1309266] + +* Mon Sep 26 2005 Gordon Rowell +- [1.1.0-12] +- Added German L10N - Thanks Dietmar Berteld [SF: 1293325] + +* Thu Jul 14 2005 Charlie Brady +- [1.1.0-11] +- Fix an expression precedence problem with UDP portforwarding. [SF: 1237913] + +* Fri Jul 8 2005 Charlie Brady +- [1.1.0-10] +- Fix UDP portforwarding. [SF: 1234630] + +* Sat Mar 19 2005 Charlie Brady +- [1.1.0-09] +- Fix typo in createlinks. + +* Fri Mar 18 2005 Charlie Brady +- [1.1.0-08] +- Add fr and es localisations for new text. + +* Thu Mar 17 2005 Charlie Brady +- [1.1.0-07] +- Display text to indicate that portforwarding isn't available in + serveronly mode. +- Create new portforwarding-update event, as remoteaccess-update + is rather heavyweight. use generic_template_expand and + adjust-services. [MN00064130, MN00065576] +- Fix some run-time probs with Gordon's contributed patch. + +* Wed Mar 16 2005 Charlie Brady +- [1.1.0-06] +- Patch provided by Gordon to allow portforwarding to "localhost". + +* Wed May 5 2004 Michael Soulier +- [1.1.0-05] +- Now detecting serveronly mode, and disabling the ability to add + portforwarding rules while in that state. [msoulier MN00025609] + +* Wed Dec 3 2003 Michael Soulier +- [1.1.0-04] +- Added French and Spanish translations of new lexicon. [msoulier 10203] + +* Wed Dec 3 2003 Michael Soulier +- [1.1.0-03] +- Refactored 91adjustPortForward to remove duplicate code. [msoulier 10203] +- Added code to properly handle portforwarding to the external interface. + Forwarding to localhost or the private interface is now explicitly blocked. + [msoulier 10203] + +* Mon Oct 20 2003 Michael Soulier +- [1.1.0-02] +- Added better validation on the sort port to prevent conflicting rules. + [msoulier 9262] + +* Fri Oct 17 2003 Michael Soulier +- [1.1.0-01] +- forcing to dev stream - 1.1.0 + +* Fri Oct 17 2003 Michael Soulier +- [0.2.0-03] +- Fixed summaries so that the styling is now 6.0. [msoulier 9306] + +* Thu Aug 28 2003 Charlie Brady +- [0.2.0-02] +- Fix typo in masq fragment which prevented forwarding of UDP. + [charlieb 9859] + +* Thu Jun 26 2003 Charlie Brady +- [0.2.0-01] +- Changing version to stable stream number - 0.2.0 + +* Tue Jun 24 2003 Gordon Rowell +- [0.1.1-20] +- Wording update on main page [gordonr 9101] + +* Fri Jun 20 2003 Michael Soulier +- [0.1.1-19] +- Revert to previous version. [msoulier 8803] + +* Wed Jun 11 2003 Charlie Brady +- [0.1.1-18] +- Redo (simplify) some of the code in the portforwarding panel, and make + destination port explicit if not specified. [charlieb 8803] + +* Tue May 6 2003 Lijie Deng +- [0.1.1-17] +- Add Spanish lexicon for portfowarding [lijied 3793] + +* Tue Apr 8 2003 Lijie Deng +- [0.1.1-16] +- Removed colons on the label where necessary [lijied 7950] + +* Tue Apr 8 2003 Lijie Deng +- [0.1.1-15] +- Modified button Apply to Add [lijied 7921] + +* Tue Apr 8 2003 Lijie Deng +- [0.1.1-14] +- Added French translation for "Misuse of feature...." [lijied 8072] + +* Tue Apr 8 2003 Michael Soulier +- [0.1.1-13] +- Fixed lack of buttons on summary page. [msoulier 8089] + +* Mon Apr 7 2003 Michael Soulier +- [0.1.1-12] +- Inserting PortForwarding chain as first entry in the PREROUTING chain. + [msoulier 8089] + +* Fri Apr 4 2003 Lijie Deng +- [0.1.1-11] +- Change $q->table to $q->start_table where necessary [lijied 8034] + +* Fri Apr 4 2003 Gordon Rowell +- [0.1.1-10] +- Text revision on panel [gordonr 8072] + +* Thu Apr 3 2003 Tony Clayton +- [0.1.1-09] +- Add colons to labels and fix text when table is empty in panel [tonyc 7950] + +* Wed Apr 2 2003 Michael Soulier +- [0.1.1-08] +- Added french lexicon for creating a port-forwarding rule. [msoulier 7284] + +* Tue Apr 1 2003 Gordon Rowell +- [0.1.1-07] +- Delete stray fr nav bar lexicon entries [gordonr 7926] + +* Tue Apr 1 2003 Gordon Rowell +- [0.1.1-06] +- Added french lexicon for security, so it shows up in the right spot + on the menu panel. [msoulier 7284] + +* Tue Apr 1 2003 Michael Soulier +- [0.1.1-05] +- Added proper styling to the tables. [msoulier 7284] +- Added spacing around table elements. [msoulier 7284] +- Put a 6.0 look on the buttons on the summary page. [msoulier 7284] +- Removed the button-like style from the remove links. [msoulier 7284] + +* Fri Mar 28 2003 Michael Soulier +- [0.1.1-04] +- Added proper styles to make links that behave like buttons, + look like buttons, for 6.0. [msoulier 7284] + +* Fri Mar 28 2003 Michael Soulier +- [0.1.1-03] +- Fixed a couple of typos in the english lexicon. [msoulier 7284] +- Included the french lexicon. [msoulier 7284] + +* Tue Mar 25 2003 Michael Soulier +- [0.1.1-02] +- Portforwarding still had problems, fixed here. [msoulier 7284] + +* Tue Mar 25 2003 Michael Soulier +- [0.1.1-01] +- Modified to work with new e-smith-packetfilter changes for 6.0 + [msoulier 7284] +- Note: This breaks backwards-compatibility with 5.6. + +* Tue Mar 18 2003 Lijie Deng +- [0.1.0-33] +- Modified port forwarding panel order [lijied 7356] + +* Thu Mar 13 2003 Lijie Deng +- [0.1.0-32] +- Split en-us lexicon from portwarding panel [lijied 4030] + +* Tue Mar 11 2003 Michael Soulier +- [0.1.0-31] +- Finished patching the interface to take an empty dport. [msoulier 5645] + +* Mon Mar 10 2003 Michael Soulier +- [0.1.0-30] +- Patched the masq fragments to accept an empty dport. [msoulier 5645] +- Patched the interface to accept an empty destination port. + [msoulier 5645] + +* Mon Mar 10 2003 Michael Soulier +- [0.1.0-29] +- Tweaked the wording in the panel. [msoulier 5645] + +* Mon Mar 10 2003 Michael Soulier +- [0.1.0-28] +- Additional tweaks to fix the iptables syntax and adjust the size of the + fields in the UI. [msoulier 5645] + +* Mon Mar 10 2003 Michael Soulier +- [0.1.0-27] +- Adding support for a port range on source and destination ports. + [msoulier 5645] + +* Mon Mar 10 2003 Michael Soulier +- [0.1.0-26] +- Updating dependencies. [msoulier 5645] + +* Mon Mar 10 2003 Michael Soulier +- [0.1.0-25] +- Fixed bad removal which set all destination ports to the same port. + [msoulier 5645] + +* Mon Mar 10 2003 Michael Soulier +- [0.1.0-24] +- Updated dependency information to make it use the backported + e-smith-packetfilter rpm for the 5.6 updates stream. [msoulier 5645] + +* Thu Mar 6 2003 Lijie Deng +- [0.1.0-23] +- Modified panel order [lijied 7356] + +* Sun Feb 23 2003 Michael Soulier +- [0.1.0-22] +- Backed-out the changes in 0.1.0-21. They're incompatible with + e-smith-packetfilter. We'll have to discuss this first. [msoulier 5696] + +* Sun Feb 23 2003 Michael Soulier +- [0.1.0-21] +- Permitting port ranges instead of just single ports. [msoulier 5696] + +* Sun Jan 26 2003 Mike Dickson +- [0.1.0-20] +- added ACTION to lexicon, and code to use it [miked 6363] + +* Sun Jan 26 2003 Mike Dickson +- [0.1.0-19] +- backed out previous patch since it applied too many changes at once. I will + re-submit in manageable chunks + +* Sat Jan 25 2003 Mike Dickson +- [0.1.0-18] +- added ACTION to lexicon [miked 6363] + +* Wed Dec 18 2002 Michael Soulier +- [0.1.0-17] +- Added a feature to remove the "finished" page and cycle back to the start + page with a status message instead. [msoulier 5696] +- Found and fixed a bug permitting the addition of duplicate rules. + +* Mon Dec 16 2002 Michael Soulier +- [0.1.0-16] +- Added a space between the two buttons on the summary panel. + [msoulier 5696] + +* Mon Dec 16 2002 Michael Soulier +- [0.1.0-15] +- Fixed broken removal due to using the wrong variable set to repopulate the + db entry. [msoulier 5696] + +* Fri Dec 6 2002 Michael Soulier +- [0.1.0-14] +- Fixed bad variable reference in test cases. [msoulier 5696] + +* Thu Dec 5 2002 Michael Soulier +- [0.1.0-13] +- Added some test cases to portforwarding.pm. [msoulier 5696] + +* Fri Nov 29 2002 Michael Soulier +- [0.1.0-12] +- Improved the IP address validation. [msoulier 5696] + +* Fri Nov 29 2002 Michael Soulier +- [0.1.0-11] +- Made sure all messages are localised, and added better error handling. + [msoulier 5696] + +* Thu Nov 28 2002 Michael Soulier +- [0.1.0-10] +- Updated to make use of changes to the packetfilter. Fixed the placement of + the udp portforwarding rules, and the spelling of "completely". + [msoulier 5696] + +* Wed Nov 27 2002 Michael Soulier +- [0.1.0-09] +- Localised the summary table labels. [msoulier 5696] + +* Wed Nov 27 2002 Michael Soulier +- [0.1.0-08] +- The destination host must be an IP address. Enforcing now. + [msoulier 5696] + +* Tue Nov 26 2002 Michael Soulier +- [0.1.0-07] +- First working prototype. [msoulier 5696] + +* Mon Nov 25 2002 Michael Soulier +- [0.1.0-06] +- Basic functionality present. Still need to add the ability to + delete rules, and display current rules. [msoulier 5696] + +* Fri Nov 22 2002 Michael Soulier +- [0.1.0-05] +- Starting the FormMagick conversion of the panel. [msoulier 5696] + +* Thu Nov 21 2002 Charlie Brady +- [0.1.0-04] +- Use "--list --numeric" to avoid DNS lookup delays. [charlieb 5645] + +* Mon Nov 11 2002 Charlie Brady +- [0.1.0-03] +- Fix portforwarding rules to match DB format used by panel code - + which is $ip:[$dport], this allows forwarding to a port other than the + listen port [charlieb 5645]. + +* Mon Nov 11 2002 Charlie Brady +- [0.1.0-02] +- Convert to iptables, and conform to "masq adjust" way of doing things. + [charlieb 5645] + +* Mon Nov 11 2002 Charlie Brady +- [0.1.0-01] +- Rolling to development stream to 0.1.0 + +* Mon Nov 11 2002 Charlie Brady +- [0.0.1-6] +- Renamed to e-smith-portforwarding. +- Imported into CVS as baseline for further development. + +* Sat Sep 21 2002 Darrell May +- updated 35SetPortFW to support dynamic external IP +- [0.0.1-5] +* Tue Jan 01 2002 Darrell May +- added Obsoletes: e-smith-ipportfw dmc-mitel-portfowarding +- [0.0.1-4] +* Tue Jan 01 2002 Darrell May +- fixed spelling in rpm name, now to dmc-mitel-portforwarding +- merged in e-smith-ipportfw-0.1.1-1.noarch.rpm +- [0.0.1-3] +* Mon Dec 31 2001 Darrell May +- added "Shad L. Lords" , e-smith-iportfw 35SetPortFW +- templates-custom fragment supporting dest port addresses +- updated portforwarding panel to match +- removed first/last portforward panel bug by adding return on Operation Status +- [0.0.1-2] +* Sun Dec 30 2001 Darrell May +- initial release +- [0.0.1-1] + +%prep +%setup + +%build +perl createlinks + +%install +rm -rf $RPM_BUILD_ROOT +(cd root ; find . -depth -print | cpio -dump $RPM_BUILD_ROOT) +rm -f e-smith-%{version}-filelist +/sbin/e-smith/genfilelist $RPM_BUILD_ROOT > %{name}-%{version}-filelist + +for proto in tcp udp +do + mkdir -p $RPM_BUILD_ROOT/home/e-smith/db + touch $RPM_BUILD_ROOT/home/e-smith/db/portforward_$proto + echo "%config(noreplace) %attr(0640,root,admin) /home/e-smith/db/portforward_$proto" \ + >> %{name}-%{version}-filelist +done + +%clean +rm -rf $RPM_BUILD_ROOT + +%files -f %{name}-%{version}-filelist + +%defattr(-,root,root) + +%pre + +%post + +%preun + +%postun diff --git a/root/etc/e-smith/db/configuration/migrate/10migrateMasqForwards b/root/etc/e-smith/db/configuration/migrate/10migrateMasqForwards new file mode 100644 index 0000000..ed3e1ad --- /dev/null +++ b/root/etc/e-smith/db/configuration/migrate/10migrateMasqForwards @@ -0,0 +1,19 @@ +{ + my %FDB; + foreach my $proto ('TCP', 'UDP') { + $FDB{$proto} = esmith::ConfigDB->open("portforward_" . lc($proto)) + || esmith::ConfigDB->create("portforward_" . lc($proto)); + + my %rules = split ',', $DB->get_prop_and_delete('masq', "${proto}Forwards") + || next; + + foreach my $entry (keys %rules) { + my %props = ( type => 'forward' ); + my ($addr, $port) = split ':', $rules{$entry}; + $props{'DestHost'} = $addr; + $props{'DestPort'} = $port if $port; + + $FDB{$proto}->new_record($entry, \%props); + } + } +} diff --git a/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/portforwarding b/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/portforwarding new file mode 100755 index 0000000..f1fdda9 --- /dev/null +++ b/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/portforwarding @@ -0,0 +1,168 @@ + + + + FORM_TITLE + Configure Port Forwarding + + + FIRST_PAGE_DESCRIPTION + + You can use this panel to modify your firewall rules so + as to open a specific port on this server and forward it + to another port on another host. Doing so will permit + incoming traffic to directly access a private host on + your LAN. +

+

+ WARNING: Misuse of this feature can seriously compromise the + security of your network. Do not use this feature + lightly, or without fully understanding the implications + of your actions. +

+ ]]> + + + + CREATE_RULE + Create portforwarding rule + + + SUMMARY_ADD_DESC + The following summarizes the port-forwarding rule + that you are about to add. If you are satisfied with the rule, + click the "Add" button. If you are not, click the + "Cancel" button. + + + + SUMMARY_REMOVE_DESC + The following summarizes the port-forwarding rule + that you are about to remove. If you are sure you want to + remove the rule, click the "Remove" button. If not, + click the "Cancel" button. + + + + SHOW_FORWARDS + + Below you will find a table summarizing the current + port-forwarding rules installed on this server. Click on the + "Remove" link to remove the corresponding rule. + + + + NO_FORWARDS + There are currently no forwarded ports on the system. + + + CREATE_PAGE_DESCRIPTION + Select the protocol, the port you wish to forward, the + destination host, and the port on the destination host + that you wish to forward to. If you wish to specify a port + range, enter the lower and upper boundaries separated by a + hyphen. The destination port may be left blank, which will + instruct the firewall to leave the source port + unaltered.

+ ]]> + + + + LABEL_SOURCE_PORT + Source Port(s) + + + LABEL_PROTOCOL + Protocol + + + LABEL_DESTINATION_PORT + Destination Port(s) + + + LABEL_DESTINATION_HOST + Destination Host IP Address + + + LABEL_RULE_COMMENT + Rule Comment + + + LABEL_ALLOW_HOSTS + Allow Hosts + + + Port forwarding + Port forwarding + + + SUCCESS + Your change to the port forwarding rules has been + successfully saved. + + + + RULE_COMMENT + Rule Comment + + + ALLOW_HOSTS + Allow Hosts + + + ERR_NO_MASQ_RECORD + Cannot retrieve masq record from the configuration + database. + + + ERR_UNSUPPORTED_MODE + Unsupported mode. + + + ERR_CANNOT_REMOVE_NORULE + Cannot remove non-existant rule. + + + ERR_NONZERO_RETURN_EVENT + Event returned a non-zero return value. + + + ERR_BADPORT + The ports must be a positive integer less than + 65536. + + + ERR_BADIP + This does not appear to be an IP address. You must use + dotted-quad notation, and each of the four numbers should be less + than 256. ie: 192.168.0.5 + + + ERR_DUPRULE + This rule has already been added, it cannot be added + twice. + + + ERR_PORT_COLLISION + + ERROR: This port or port range conflicts with an existing + rule. Please modify this new rule, or remove the old rule. + + + + ERR_BADAHOST + + This does not appear to be a valid IP address list. + ie: 192.168.0.1,192.168.1.1/24 + + + + IN_SERVERONLY + + This server is currently in serveronly mode and portforwarding + is possible only to localhost. + + + diff --git a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/42SetupPortForwarding b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/42SetupPortForwarding new file mode 100644 index 0000000..0d6c421 --- /dev/null +++ b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/42SetupPortForwarding @@ -0,0 +1,5 @@ + /sbin/iptables -t nat --new-chain PortForwarding + /sbin/iptables -t nat --new-chain PortForwarding_1 + /sbin/iptables -t nat --insert PREROUTING --jump PortForwarding + /sbin/iptables -t nat --append PortForwarding --destination $OUTERNET \ + --jump PortForwarding_1 diff --git a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/91adjustPortForward b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/91adjustPortForward new file mode 100644 index 0000000..41c636c --- /dev/null +++ b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/91adjustPortForward @@ -0,0 +1,73 @@ +{ + my $pf_chain = "PortForwarding_\$\$"; + $OUT .= "# Create a new PortForwarding chain\n"; + $OUT .= "PFC=\$(/sbin/iptables --table nat "; + $OUT .= "--numeric --list PortForwarding |\\\n"; + $OUT .= " sed -n '3s/ .*//p')\n"; + $OUT .= " /sbin/iptables --table nat --new-chain $pf_chain\n"; + + my %FDB; + + foreach my $protocol (qw(tcp udp)) + { + my $uproto = uc $protocol; + $FDB{$protocol} = esmith::ConfigDB->open("portforward_$protocol") + || die "Can't open portforward_$protocol database: $!\n"; + + foreach my $entry ( $FDB{$protocol}->get_all ) { + my $port = $entry->key; + my $ip = $entry->prop('DestHost'); + my $dport = $entry->prop('DestPort') || $port; + $port =~ s/-/:/; + + # Map canonical localhost back to our current external IP + $ip = '$OUTERNET' if ($ip eq 'localhost'); + + my $host_list = $entry->prop("AllowHosts") || '0.0.0.0/0'; + foreach my $host (split(',', $host_list)) { + + $OUT .= " /sbin/iptables --table nat --append $pf_chain"; + + # Set up local port to forward + $OUT .= " --proto $protocol --destination-port ${port}"; + $OUT .= " --src $host" unless $host eq '0.0.0.0/0'; + + # Set up the remote port to forward to + $OUT .= " -j DNAT --to-destination $ip:$dport\n"; + + } + + # And accept the incoming packets. Use the dport if there is one. + ($port = $dport) =~ s/-/:/ if $dport; + + # If this rule is forwarding to localhost, ExternalIP or LocalIP, + # then we must allow it on the INPUT chain instead of the FORWARD + # chain. + + my $target_chain = (($ip eq '$OUTERNET') ? + "Inbound${uproto}_\$\$" : "Forwarded${uproto}_\$\$"); + + foreach my $access_type (("Allow", "Deny")) { + my $jump_target = (($access_type eq "Allow") ? "ACCEPT" : "denylog"); + my $host_list = $entry->prop("${access_type}Hosts") || ""; + + $host_list = "0.0.0.0/0" + if (($host_list eq "") and ($access_type eq "Allow")); + + foreach my $host (split(',', $host_list)) { + $OUT .= " /sbin/iptables -A $target_chain"; + $OUT .= " --proto $protocol --dport $port \\\n "; + $OUT .= " --destination $ip" if ($ip ne '$OUTERNET'); + $OUT .= " --src $host --jump $jump_target\n"; + } + } + } + } + + # having created a new PortForwarding chain, activate it and destroy + # the old. + $OUT .= " /sbin/iptables --table nat --replace PortForwarding 1 " . + "--destination \$OUTERNET --jump $pf_chain\n"; + $OUT .= " /sbin/iptables --table nat --flush \$PFC\n"; + $OUT .= " /sbin/iptables --table nat --delete-chain \$PFC\n"; +} diff --git a/root/etc/e-smith/web/functions/portforwarding b/root/etc/e-smith/web/functions/portforwarding new file mode 100755 index 0000000..a5b9e8b --- /dev/null +++ b/root/etc/e-smith/web/functions/portforwarding @@ -0,0 +1,128 @@ +#!/usr/bin/perl -wT +# vim: ft=xml ts=4 sw=4 et: +#---------------------------------------------------------------------- +# heading : Security +# description : Port forwarding +# navigation : 5000 5400 +#---------------------------------------------------------------------- +#---------------------------------------------------------------------- +# copyright (C) 2002 Mitel Networks Corporation +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# +# Technical support for this program is available from Mitel Networks +# Please visit our web site www.mitel.com/sme/ for details. +#---------------------------------------------------------------------- + +use strict; +use esmith::FormMagick::Panel::portforwarding; +my $form = esmith::FormMagick::Panel::portforwarding->new(); +# Uncomment the next line for debugging purposes. +#$form->debug(1); +$form->display(); + + +__DATA__ +
+ + + + FIRST_PAGE_DESCRIPTION + + + + + + + CREATE_PAGE_DESCRIPTION + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
diff --git a/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/portforwarding.pm b/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/portforwarding.pm new file mode 100644 index 0000000..9c6dbd7 --- /dev/null +++ b/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/portforwarding.pm @@ -0,0 +1,676 @@ +#---------------------------------------------------------------------- +# $Id: portforwarding.pm,v 1.38 2005/03/16 23:37:02 charlieb Exp $ +# vim: ft=perl ts=4 sw=4 et: +#---------------------------------------------------------------------- +# copyright (C) 2002 Mitel Networks Corporation +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# +# Technical support for this program is available from Mitel Networks +# Please visit our web site www.e-smith.com for details. +#---------------------------------------------------------------------- + +package esmith::FormMagick::Panel::portforwarding; + +use strict; +use esmith::ConfigDB; +use esmith::FormMagick; +use esmith::util; +use esmith::util::network qw(isValidIP); +use esmith::cgi; +use Exporter; + +use constant TRUE => 1; +use constant FALSE => 0; + +our @ISA = qw(esmith::FormMagick Exporter); + +our @EXPORT = qw( + show_port_forwards create_new validate_source_port + validate_destination_port display_create_summary + ); + +our $VERSION = sprintf '%d.%03d', q$Revision: 1.38 $ =~ /: (\d+).(\d+)/; +our $db = esmith::ConfigDB->open + || die "Can't open configuration database: $!\n"; +our $tcp_db = esmith::ConfigDB->open('portforward_tcp') + || die "Can't open portforward_tcp database: $!\n"; +our $udp_db = esmith::ConfigDB->open('portforward_udp') + || die "Can't open portforward_udp database: $!\n"; + +=head1 NAME + +esmith::FormMagick::Panels::portforwarding - useful panel functions + +=head1 SYNOPSIS + + use esmith::FormMagick::Panels::portforwarding + + my $panel = esmith::FormMagick::Panel::portforwarding->new(); + $panel->display(); + +=head1 DESCRIPTION + +This module is the backend to the portforwarding panel, responsible for +supplying all functions used by that panel. It is a subclass of +esmith::FormMagick itself, so it inherits the functionality of a FormMagick +object. + +=head2 new + +This is the class constructor. + +=begin testing + +$ENV{ESMITH_CONFIG_DB} = "10e-smith-base/configuration.conf"; + +use_ok('esmith::FormMagick::Panels::portforwarding'); +our $panel; +ok($panel = esmith::FormMagick::Panels::portforwarding->new(), + "Create panel object"); +isa_ok($panel, 'esmith::FormMagick::Panels::portforwarding'); + +=end testing + +=cut + +sub new { + my $class = ref($_[0]) || $_[0]; + my $self = esmith::FormMagick->new(); + bless $self, $class; + # Uncomment the following line for debugging. + #$self->debug(TRUE); + return $self; +} + +=head2 show_port_forwards + +This method displays the data on currently forwarded ports on +the system. + +=cut + +sub show_port_forwards { + my $self = shift; + my $q = $self->cgi; + + my $empty = 0; + my @tcpforwards = $tcp_db->get_all; + my @udpforwards = $udp_db->get_all; + $empty = 1 if not @tcpforwards and not @udpforwards; + + my %forwards = (); + $forwards{TCP} = \@tcpforwards; + $forwards{UDP} = \@udpforwards; + + print $q->Tr( + $q->td({-colspan => 2}, + '
' . + $q->a({-class => "button-like", + -href => "portforwarding?page=0&page_stack=&Next=Create"}, + $self->localise('CREATE_RULE')))); + + unless ($empty) { + print $q->Tr( + $q->td({-colspan => 2}, + $q->p($self->localise('SHOW_FORWARDS')))),"\n"; + + my $q = $self->{cgi}; + print ""; + print $q->start_table({-class => 'sme-border'}), "\n "; + print $q->Tr( + esmith::cgi::genSmallCell( + $q, + $self->localise('LABEL_PROTOCOL'), + "header" + ), " ", + esmith::cgi::genSmallCell( + $q, + $self->localise('LABEL_SOURCE_PORT'), + "header" + ), " ", + esmith::cgi::genSmallCell( + $q, + $self->localise('LABEL_DESTINATION_HOST'), + "header" + ), " ", + esmith::cgi::genSmallCell( + $q, + $self->localise('LABEL_DESTINATION_PORT'), + "header", + ), " ", + esmith::cgi::genSmallCell( + $q, + $self->localise('ALLOW_HOSTS'), + "header", + ), " ", + esmith::cgi::genSmallCell( + $q, + $self->localise('RULE_COMMENT'), + "header", + ), " ", + $q->th({-class => "sme-border", -colspan => 2}, + $self->localise('ACTION') + ), "\n ", + ); + foreach my $proto (sort keys %forwards) { + if (@{ $forwards{$proto} }) { + foreach my $entry (@{ $forwards{$proto} }) { + my $sport = $entry->key; + my $dhost = $entry->prop('DestHost'); + my $dport = $entry->prop('DestPort') || ''; + my $cmmnt = $entry->prop('Comment') || ''; + my $allow = $entry->prop('AllowHosts') || ''; + print $q->Tr( + esmith::cgi::genSmallCell($q, $proto), + " ", + esmith::cgi::genSmallCell($q, $sport), + " ", + esmith::cgi::genSmallCell($q, $dhost), + " ", + esmith::cgi::genSmallCell($q, $dport || ' '), + " ", + esmith::cgi::genSmallCell($q, $allow || ' '), + " ", + esmith::cgi::genSmallCell($q, $cmmnt || ' '), + " ", + esmith::cgi::genSmallCell( + $q, + $q->a({href => $q->url(-absolute => 1) + . "?page=3&Next=Next&protocol=$proto&" + . "source_port=$sport&" + . "destination_host=$dhost&" + . "destination_port=$dport&" + . "rule_comment=".CGI::escape($cmmnt)."&" + . "allow_hosts=$allow"}, + $self->localise("REMOVE")) + ), + "\n ", + ); + } + } + } + print $q->end_table,"\n"; + print ''; + + } + else { + print $q->Tr( + $q->td({-colspan => 2}, '
' . + $self->localise('NO_FORWARDS'))); + } + return undef; +} + +=head2 validate_source_port + +This method validates the source port field in the new port forward page. + +=cut + +sub validate_source_port { + my $self = shift; + my $q = $self->{cgi}; + my $sport = $q->param('source_port'); + $sport =~ s/^\s+|\s+$//g; + # If this is a port range, split it up and validate it individually. + my @ports = (); + if ($sport =~ /-/) + { + @ports = split /-/, $sport; + if (@ports > 2) + { + $self->debug_msg("found more than 2 ports: @ports"); + return $self->localise('ERR_BADPORT'); + } + } + else + { + push @ports, $sport; + } + $self->debug_msg("the ports array is: @ports"); + foreach my $port (@ports) + { + $self->debug_msg("looping on port $port"); + if (! $self->isValidPort($port)) + { + $self->debug_msg("returning: " . $self->localise('ERR_BADPORT')); + return $self->localise('ERR_BADPORT'); + } + } + # Now, lets screen any duplicates. + my $protocol = $q->param('protocol'); + my @forwards = (); + + # Grab the existing rules for this protocol. + if ($protocol eq 'TCP') { + @forwards = map { $_->key } $tcp_db->get_all; + } elsif ($protocol eq 'UDP') { + @forwards = map { $_->key } $udp_db->get_all; + } + foreach my $psport (@forwards) + { + if ($self->detect_collision($sport, $psport)) + { + return $self->localise('ERR_PORT_COLLISION'); + } + } + return 'OK'; +} + +=head2 detect_collision + +This method looks for a collision between two ports or port ranges. + +=cut + +sub detect_collision +{ + my $self = shift; + my $port_a = shift; + my $port_b = shift; + + # If they're both single ports, see if they're the same. + if (($port_a !~ /-/) && ($port_b !~ /-/)) + { + return $port_a eq $port_b; + } + # If port_a is not a range but port_b is, is a in b? + elsif ($port_a !~ /-/) + { + my ($b1, $b2) = split /-/, $port_b; + return (($port_a >= $b1) && ($port_a <= $b2)); + } + elsif ($port_b !~ /-/) + { + my ($a1, $a2) = split /-/, $port_a; + return (($port_b >= $a1) && ($port_b <= $a2)); + } + else + { + # They're both ranges. Do they overlap? + my ($a1, $a2) = split /-/, $port_a; + my ($b1, $b2) = split /-/, $port_b; + # They can overlap in two ways. Either a1 is in b, or b1 is in a. + if (($a1 >= $b1) && ($a1 <= $b2)) + { + return TRUE; + } + elsif (($b1 >= $a1) && ($b1 <= $a2)) + { + return TRUE; + } + return FALSE; + } +} + +=head2 validate_destination_port + +This method validates the destination port field in the new port +forward page. + +=cut + +sub validate_destination_port { + my $self = shift; + my $dport = $self->{cgi}->param('destination_port'); + $dport =~ s/^\s+|\s+$//g; + # If the dport is empty, that's ok. + return 'OK' if not $dport; + + # If this is a port range, split it up and validate it individually. + my @ports = (); + if ($dport =~ /-/) + { + @ports = split /-/, $dport; + if (@ports > 2) + { + $self->debug_msg("found more than 2 ports: @ports"); + return $self->localise('ERR_BADPORT'); + } + } + else + { + push @ports, $dport; + } + $self->debug_msg("the ports array is: @ports"); + + foreach my $port (@ports) + { + $self->debug_msg("looping on port $port"); + if (! $self->isValidPort($port)) + { + $self->debug_msg("returning: " . $self->localise('ERR_BADPORT')); + return $self->localise('ERR_BADPORT'); + } + } + return 'OK'; +} + +=head2 isValidPort + +Test for a valid port. +FIXME: Remove this when 5.6 is no longer supported, and use +esmith::util::network::isValidPort instead. + +=begin testing + +@badports = (98765434, -183, 0, 'bad port', 'a'); +@goodports = (67, 23, 1, 54736); + +foreach $port (@badports) { + $panel->{cgi}->param('destination_port' => $port); + isnt($panel->validate_source_port(), "OK"); +} +foreach $port (@goodports) { + $panel->{cgi}->param('source_port' => $port); + is($panel->validate_source_port(), "OK"); +} + +=end testing + +=cut + +sub isValidPort() { + my $self = shift; + my $port = shift; + + return FALSE unless defined $port; + + if (($port =~ /^\d+$/) && + ($port > 0) && + ($port < 65536)) + { + return TRUE; + } + else { + return FALSE; + } +} + +=head2 validate_destination_host + +The purpose of this method is to validate the destination host field in the +new port forward page. + +=cut + +sub validate_destination_host { + my $self = shift; + my $dhost = $self->{cgi}->param('destination_host'); + $dhost =~ s/^\s+|\s+$//g; + + my $localip = $db->get_prop('InternalInterface', 'IPAddress'); + my $external_ip = $db->get_prop('ExternalInterface', 'IPAddress') || $localip; + + if ($dhost =~ /^(localhost|127.0.0.1|$localip|$external_ip)$/i) + { + # localhost token gets expanded at runtime to current external IP + $self->{cgi}->param(-name=>'destination_host', -value=>'localhost'); + return "OK"; + } + + my $systemmode = $db->get_value('SystemMode'); + + if ($systemmode eq 'serveronly') { + return $self->localise('IN_SERVERONLY'); + } + + if (isValidIP($dhost)) { + return 'OK'; + } + else { + return $self->localise('ERR_BADIP'); + } +} + +=head2 validate_allowed_hosts + +=cut + +sub validate_allowed_hosts { + my $self = shift; + my $ahost = $self->{cgi}->param('allow_hosts'); + $ahost =~ s/^\s+|\s+$//g; + + my $valid_ahost_list = "OK"; + + foreach (split(/[\s,]+/, $ahost)) { + my $valid_ipnet = 0; + $valid_ipnet = 1 if ($_ =~ m/^\d+\.\d+\.\d+\.\d+$/); + $valid_ipnet = 1 if ($_ =~ m/^\d+\.\d+\.\d+\.\d+\/\d+$/); + $valid_ahost_list = "ERR_BADAHOST" if ($valid_ipnet != 1); + } + + return $valid_ahost_list; +} + +=head2 display_summary_create + +This is a wrapper for the display_summary method, to call it in create mode. + +=cut + +sub display_summary_create { + my $self = shift; + $self->display_summary('create'); +} + +=head2 display_summary_remove + +This is a wrapper for the display_summary method, to call it in remove mode. + +=cut + +sub display_summary_remove { + my $self = shift; + $self->display_summary('remove'); +} + +=head2 display_create_summary + +This method's purpose is to display a summary of the rule about to be added. + +=cut + +sub display_summary { + my $self = shift; + my $mode = shift; + my $save = $self->localise('SAVE'); + my $cancel = $self->localise('CANCEL'); + my $output = ""; + my $q = $self->{cgi}; + $self->debug_msg("start of method"); + + print ""; + + my $description = ""; + if ($mode eq 'create') { + $description = $self->localise('SUMMARY_ADD_DESC'); + } + elsif ($mode eq 'remove') { + $description = $self->localise('SUMMARY_REMOVE_DESC'); + } + else { + return $self->error('ERR_UNSUPPORTED_MODE'); + } + + print $q->p($description); + + my $dhost = $self->get_destination_host(); + foreach my $tablearrayref ( + [$self->localise('LABEL_PROTOCOL') + => $q->param('protocol')], + [$self->localise('LABEL_SOURCE_PORT') + => $q->param('source_port')], + [$self->localise('LABEL_DESTINATION_PORT') + => $q->param('destination_port') || ' '], + [$self->localise('LABEL_DESTINATION_HOST') + => $dhost], + [$self->localise('RULE_COMMENT') + => $q->param('rule_comment')], + [$self->localise('ALLOW_HOSTS') + => $q->param('allow_hosts')], + ) + { + print $q->Tr( + $q->td({-class => 'sme-noborders-label'}, + $tablearrayref->[0], + $q->td({-class => 'sme-noborders-content'}, + $tablearrayref->[1]))), "\n"; + } + + if ($mode eq 'create') { + print $q->table({-width => '100%'}, $q->Tr($q->th({-class => 'sme-layout'}, + $q->submit(-name => 'apply', + -value => $self->localise("ADD")), + ' ', + $q->submit(-name => 'cancel', + -value => $self->localise("CANCEL"))))); + } + elsif ($mode eq 'remove') { + print $q->table({-width => '100%'}, $q->Tr($q->th({-class => 'sme-layout'}, + $q->submit( -name => 'remove', + -value => $self->localise("REMOVE")), + ' ', + $q->submit( -name => 'cancel', + -value => $self->localise("CANCEL"))))); + } + else { + return $self->error('ERR_UNSUPPORTED_MODE'); + } + $self->debug_msg("returning"); + + print ""; + return undef; +} + +=head2 remove_rule + +This method is a remove wrapper for the modify method. + +=cut + +sub remove_rule { + my $self = shift; + $self->modify('remove'); +} + +=head2 create_new + +This method is a create wrapper for the modify method. + +=cut + +sub create_new { + my $self = shift; + $self->modify('create'); +} + +=head2 modify + +This method's purpose is to add or remove rules from the database, and then +cause the firewall rules to update. + +=cut + +sub modify { + no strict 'refs'; + my $self = shift; + my $mode = shift; + my $q = $self->{cgi}; + $self->debug_msg("at start of modify method"); + + # If the cancel button was pressed, just go back to the start page. + if ($q->param("cancel")) { + $self->debug_msg("the cancel button was pressed"); + $self->wherenext("First"); + } + else { + # Save the changes. + my $proto = $q->param("protocol"); + my $sport = $q->param("source_port"); + my $dport = $q->param("destination_port"); + my $dhost = $self->get_destination_host(); + my $cmmnt = $q->param("rule_comment") || ""; + my $allow = $q->param("allow_hosts") || ""; + my $deny = (($q->param("allow_hosts")) ? "0.0.0.0/0" : ""); + $proto =~ s/^\s+|\s+$//g; + $sport =~ s/^\s+|\s+$//g; + $dport =~ s/^\s+|\s+$//g; + $dhost =~ s/^\s+|\s+$//g; + + $self->debug_msg("protocol is $proto"); + $self->debug_msg("source_port is $sport"); + $self->debug_msg("destination_port is $dport"); + $self->debug_msg("destination_host is $dhost"); + + my $whichforwards = ""; + my $fdb; + if ($proto eq 'TCP') { + $fdb = $tcp_db; + } + else { + $fdb = $udp_db; + } + + if ($mode eq 'create') { + $self->debug_msg("we are in create mode"); + my $entry = $fdb->get($sport) || $fdb->new_record($sport, { type => 'forward' }); + $entry->set_prop('DestHost', $dhost); + $entry->set_prop('DestPort', $dport) if $dport; + $entry->set_prop('Comment', $cmmnt); + $entry->set_prop('AllowHosts', $allow); + $entry->set_prop('DenyHosts', $deny); + } + elsif ($mode eq 'remove') { + $self->debug_msg("we are in remove mode"); + my $entry = $fdb->get($sport); + return $self->error('ERR_CANNOT_REMOVE_NORULE') unless $entry; + $entry->delete; + } + + system("/sbin/e-smith/signal-event", + "portforwarding-update") == 0 + || return $self->error('ERR_NONZERO_RETURN_EVENT'); + + return $self->success(); + } +} + +=head2 get_destination_host + +Get the 'destination_host' parameter, and fold it to 'localhost' if it +matches any local interface IP address. + +=cut + +sub get_destination_host +{ + my $self = shift; + my $q = $self->{cgi}; + my $dhost = $q->param("destination_host"); + my $localip = $db->get_prop('InternalInterface', 'IPAddress'); + my $external_ip = $db->get_prop('ExternalInterface', 'IPAddress') || $localip; + + if ($dhost =~ /^(127.0.0.1|$localip|$external_ip)$/i) + { + # localhost token gets expanded at runtime to current external IP + $dhost = 'localhost'; + } + return $dhost; +} + +1;