luci-mod-admin-full: protect iptables counter reset and restart with token
authorJo-Philipp Wich <jow@openwrt.org>
Tue, 20 Oct 2015 20:27:39 +0000 (22:27 +0200)
committerJo-Philipp Wich <jow@openwrt.org>
Tue, 20 Oct 2015 20:27:39 +0000 (22:27 +0200)
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
modules/luci-mod-admin-full/luasrc/controller/admin/status.lua
modules/luci-mod-admin-full/luasrc/view/admin_status/iptables.htm

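--- a/modules/luci-mod-admin-full/luasrc/controller/admin/status.lua
+++ b/modules/luci-mod-admin-full/luasrc/controller/admin/status.lua
@@ -7,7 +7,10 @@ module("luci.controller.admin.status", package.seeall)
 function index()
        entry({"admin", "status"}, alias("admin", "status", "overview"), _("Status"), 20).index = true
        entry({"admin", "status", "overview"}, template("admin_status/index"), _("Overview"), 1)
-       entry({"admin", "status", "iptables"}, call("action_iptables"), _("Firewall"), 2).leaf = true
+
+       entry({"admin", "status", "iptables"}, template("admin_status/iptables"), _("Firewall"), 2).leaf = true
+       entry({"admin", "status", "iptables_action"}, post("action_iptables")).leaf = true
+
        entry({"admin", "status", "routes"}, template("admin_status/routes"), _("Routes"), 3)
        entry({"admin", "status", "syslog"}, call("action_syslog"), _("System Log"), 4)
        entry({"admin", "status", "dmesg"}, call("action_dmesg"), _("Kernel Log"), 5)
@@ -42,22 +45,16 @@ end
 
 function action_iptables()
        if luci.http.formvalue("zero") then
-               if luci.http.formvalue("zero") == "6" then
-                       luci.util.exec("ip6tables -Z")
+               if luci.http.formvalue("family") == "6" then
+                       luci.util.exec("/usr/sbin/ip6tables -Z")
                else
-                       luci.util.exec("iptables -Z")
+                       luci.util.exec("/usr/sbin/iptables -Z")
                end
-               luci.http.redirect(
-                       luci.dispatcher.build_url("admin", "status", "iptables")
-               )
-       elseif luci.http.formvalue("restart") == "1" then
+       elseif luci.http.formvalue("restart") then
                luci.util.exec("/etc/init.d/firewall restart")
-               luci.http.redirect(
-                       luci.dispatcher.build_url("admin", "status", "iptables")
-               )
-       else
-               luci.template.render("admin_status/iptables")
        end
+
+       luci.http.redirect(luci.dispatcher.build_url("admin/status/iptables"))
 end
 
 function action_bandwidth(iface)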
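Review bot: `action_iptables` now depends entirely on being routed through the `post("action_iptables")` entry in `index()` for its token check, yet nothing in the function records that, so a later refactor that exposes it through `call()` again would silently drop the protection this commit adds. Suggest heading the function with `-- Side-effecting (counter reset / firewall restart): must only be routed via post() so the dispatcher enforces the CSRF token; reached as admin/status/iptables_action.` The results of the three `luci.util.exec` calls are discarded, so a failed `/etc/init.d/firewall restart` still redirects back to the status page exactly like a successful one; checking the result or at least logging it would make failures visible to the admin. Any `family` value other than `"6"` falls through to the IPv4 `iptables -Z`, which is probably intended for the two-tab UI but deserves a one-line comment.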
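--- a/modules/luci-mod-admin-full/luasrc/view/admin_status/iptables.htm
+++ b/modules/luci-mod-admin-full/luasrc/view/admin_status/iptables.htm
@@ -1,6 +1,6 @@
 <%#
  Copyright 2008-2009 Steven Barth <steven@midlink.org>
- Copyright 2008-2011 Jo-Philipp Wich <jow@openwrt.org>
+ Copyright 2008-2015 Jo-Philipp Wich <jow@openwrt.org>
  Licensed to the public under the Apache License 2.0.
 -%>
 
@@ -37,7 +37,7 @@
                local net = wba.iface_get_network(i)
                if net and i ~= "lo" then
                        return '<a href="%s">%s</a>' %{
-                               luci.dispatcher.build_url("admin", "network", "network", net), i
+                               url("admin/network/network", net), i
                        }
 
                end
@@ -60,6 +60,7 @@
 </style>
 
 <h2 name="content"><%:Firewall Status%></h2>
+<br />
 
 <% if has_ip6tables then %>
 <ul class="cbi-tabmenu">
 </ul>
 <% end %>
 
-<form method="post" action="<%=REQUEST_URI%>">
-       <div class="cbi-map">
-               <fieldset class="cbi-section">
-                       <h3><%:Actions%></h3>
-                       <ul>
-                               <li><a href="<%=REQUEST_URI%>?zero=<%=mode%>"><%:Reset Counters%></a></li>
-                               <li><a href="<%=REQUEST_URI%>?restart=1"><%:Restart Firewall%></a></li>
-                       </ul>
-                       <br /><br />
-
-                       <% for _, tbl in ipairs(tables) do chaincnt = 0 %>
-                               <h3><%:Table%>: <%=tbl%></h3>
-                               <table class="cbi-section-table" style="font-size:90%">
-                                       <% for _, chain in ipairs(ipt:chains(tbl)) do
-                                               rowcnt    = 0
-                                               chaincnt  = chaincnt + 1
-                                               chaininfo = ipt:chain(tbl, chain)
-                                       %>
-                                               <tr class="cbi-section-table-titles cbi-rowstyle-<%=rowstyle()%>">
-                                                       <th class="cbi-section-table-cell" style="text-align:left" colspan="11">
-                                                               <br /><span id="rule_<%=tbl:lower()%>_<%=chain%>">
-                                                               <%:Chain%> <em><%=chain%></em>
-                                                               (<%- if chaininfo.policy then -%>
-                                                                       <%:Policy%>: <em><%=chaininfo.policy%></em>, <%:Packets%>: <%=chaininfo.packets%>, <%:Traffic%>: <%=wba.byte_format(chaininfo.bytes)-%>
-                                                               <%- else -%>
-                                                                       <%:References%>: <%=chaininfo.references-%>
-                                                               <%- end -%>)</span>
-                                                       </th>
+<div class="cbi-map" style="position: relative">
+
+       <form method="post" action="<%=url("admin/status/iptables_action")%>" style="position: absolute; right: 0">
+               <input type="hidden" name="token" value="<%=token%>" />
+               <input type="hidden" name="family" value="<%=mode%>" />
+               <input type="submit" class="cbi-button" name="zero" value="<%:Reset Counters%>" />
+               <input type="submit" class="cbi-button" name="restart" value="<%:Restart Firewall%>" />
+       </form>
+
+       <fieldset class="cbi-section">
+
+               <% for _, tbl in ipairs(tables) do chaincnt = 0 %>
+                       <h3><%:Table%>: <%=tbl%></h3>
+                       <table class="cbi-section-table" style="font-size:90%">
+                               <% for _, chain in ipairs(ipt:chains(tbl)) do
+                                       rowcnt    = 0
+                                       chaincnt  = chaincnt + 1
+                                       chaininfo = ipt:chain(tbl, chain)
+                               %>
+                                       <tr class="cbi-section-table-titles cbi-rowstyle-<%=rowstyle()%>">
+                                               <th class="cbi-section-table-cell" style="text-align:left" colspan="11">
+                                                       <br /><span id="rule_<%=tbl:lower()%>_<%=chain%>">
+                                                       <%:Chain%> <em><%=chain%></em>
+                                                       (<%- if chaininfo.policy then -%>
+                                                               <%:Policy%>: <em><%=chaininfo.policy%></em>, <%:Packets%>: <%=chaininfo.packets%>, <%:Traffic%>: <%=wba.byte_format(chaininfo.bytes)-%>
+                                                       <%- else -%>
+                                                               <%:References%>: <%=chaininfo.references-%>
+                                                       <%- end -%>)</span>
+                                               </th>
+                                       </tr>
+                                       <tr class="cbi-section-table-descr">
+                                               <th class="cbi-section-table-cell"><%:Pkts.%></th>
+                                               <th class="cbi-section-table-cell"><%:Traffic%></th>
+                                               <th class="cbi-section-table-cell"><%:Target%></th>
+                                               <th class="cbi-section-table-cell"><%:Prot.%></th>
+                                               <th class="cbi-section-table-cell"><%:In%></th>
+                                               <th class="cbi-section-table-cell"><%:Out%></th>
+                                               <th class="cbi-section-table-cell"><%:Source%></th>
+                                               <th class="cbi-section-table-cell"><%:Destination%></th>
+                                               <th class="cbi-section-table-cell" style="width:30%"><%:Options%></th>
+                                       </tr>
+
+                                       <% for _, rule in ipairs(ipt:find({table=tbl, chain=chain})) do %>
+                                               <tr class="cbi-section-table-row cbi-rowstyle-<%=rowstyle()%>">
+                                                       <td><%=rule.packets%></td>
+                                                       <td style="white-space: nowrap"><%=wba.byte_format(rule.bytes)%></td>
+                                                       <td><%=rule.target and link_target(tbl, rule.target) or "-"%></td>
+                                                       <td><%=rule.protocol%></td>
+                                                       <td><%=link_iface(rule.inputif)%></td>
+                                                       <td><%=link_iface(rule.outputif)%></td>
+                                                       <td><%=rule.source%></td>
+                                                       <td><%=rule.destination%></td>
+                                                       <td style="width:30%"><small><%=#rule.options > 0 and luci.util.pcdata(table.concat(rule.options, " ")) or "-"%></small></td>
                                                </tr>
-                                               <tr class="cbi-section-table-descr">
-                                                       <th class="cbi-section-table-cell"><%:Rule #%></th>
-                                                       <th class="cbi-section-table-cell"><%:Pkts.%></th>
-                                                       <th class="cbi-section-table-cell"><%:Traffic%></th>
-                                                       <th class="cbi-section-table-cell"><%:Target%></th>
-                                                       <th class="cbi-section-table-cell"><%:Prot.%></th>
-                                                       <th class="cbi-section-table-cell"><%:Flags%></th>
-                                                       <th class="cbi-section-table-cell"><%:In%></th>
-                                                       <th class="cbi-section-table-cell"><%:Out%></th>
-                                                       <th class="cbi-section-table-cell"><%:Source%></th>
-                                                       <th class="cbi-section-table-cell"><%:Destination%></th>
-                                                       <th class="cbi-section-table-cell" style="width:30%"><%:Options%></th>
-                                               </tr>
-
-                                               <% for _, rule in ipairs(ipt:find({table=tbl, chain=chain})) do %>
-                                                       <tr class="cbi-section-table-row cbi-rowstyle-<%=rowstyle()%>">
-                                                               <td><%=rule.index%></td>
-                                                               <td><%=rule.packets%></td>
-                                                               <td><%=wba.byte_format(rule.bytes)%></td>
-                                                               <td><%=rule.target and link_target(tbl, rule.target) or "-"%></td>
-                                                               <td><%=rule.protocol%></td>
-                                                               <td><%=rule.flags%></td>
-                                                               <td><%=link_iface(rule.inputif)%></td>
-                                                               <td><%=link_iface(rule.outputif)%></td>
-                                                               <td><%=rule.source%></td>
-                                                               <td><%=rule.destination%></td>
-                                                               <td style="width:30%"><small><%=#rule.options > 0 and luci.util.pcdata(table.concat(rule.options, " ")) or "-"%></small></td>
-                                                       </tr>
-                                               <% end %>
-
-                                               <% if rowcnt == 1 then %>
-                                                       <tr class="cbi-section-table-titles cbi-rowstyle-<%=rowstyle()%>">
-                                                               <td colspan="11"><em><%:No rules in this chain%></em></td>
-                                                       </tr>
-                                               <% end %>
                                        <% end %>
 
-                                       <% if chaincnt == 0 then %>
+                                       <% if rowcnt == 1 then %>
                                                <tr class="cbi-section-table-titles cbi-rowstyle-<%=rowstyle()%>">
-                                                       <td colspan="11"><em><%:No chains in this table%></em></td>
+                                                       <td colspan="9"><em><%:No rules in this chain%></em></td>
                                                </tr>
                                        <% end %>
-                               </table>
-                               <br /><br />
-                       <% end %>
-               </fieldset>
-       </div>
-</form>
+                               <% end %>
+
+                               <% if chaincnt == 0 then %>
+                                       <tr class="cbi-section-table-titles cbi-rowstyle-<%=rowstyle()%>">
+                                               <td colspan="9"><em><%:No chains in this table%></em></td>
+                                       </tr>
+                               <% end %>
+                       </table>
+                       <br /><br />
+               <% end %>
+       </fieldset>
+</div>
 
 <%+footer%>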
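Review bot: The chain-title cell `<th class="cbi-section-table-cell" style="text-align:left" colspan="11">` in the new table body still spans 11 columns, while the commit drops the `Rule #` and `Flags` columns so the header and rule rows now have 9 cells and the two "No rules"/"No chains" rows were already changed to `colspan="9"`; it should read `colspan="9"` as well. Separately, the new hidden field `<input type="hidden" name="family" value="<%=mode%>" />` interpolates `mode` into an attribute without escaping; if `mode` can ever be derived from the request path rather than a fixed tab selection, it should go through `luci.util.pcdata(mode)` as the options column already does for rule text — where `mode` is assigned lies outside this hunk, so I cannot confirm its origin. The `rowcnt`, `chaincnt` and `chaininfo` assignments in the moved chain loop remain implicit globals in the template environment, which is pre-existing but worth a `local` now that the block is being rewritten anyway.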