luci-mod-admin-full: protect iptables counter reset and restart with token

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
2015-10-20 22:27:39 +02:00 · 2015-10-20 22:27:39 +02:00 · d4666757b7
parent 8bb749ecc3
commit d4666757b7
2 changed files with 85 additions and 91 deletions
--- a/modules/luci-mod-admin-full/luasrc/controller/admin/status.lua
+++ b/modules/luci-mod-admin-full/luasrc/controller/admin/status.lua
@ -7,7 +7,10 @@ module("luci.controller.admin.status", package.seeall)
 function index()
 	entry({"admin", "status"}, alias("admin", "status", "overview"), _("Status"), 20).index = true
 	entry({"admin", "status", "overview"}, template("admin_status/index"), _("Overview"), 1)
-	entry({"admin", "status", "iptables"}, call("action_iptables"), _("Firewall"), 2).leaf = true
+
+	entry({"admin", "status", "iptables"}, template("admin_status/iptables"), _("Firewall"), 2).leaf = true
+	entry({"admin", "status", "iptables_action"}, post("action_iptables")).leaf = true
+
 	entry({"admin", "status", "routes"}, template("admin_status/routes"), _("Routes"), 3)
 	entry({"admin", "status", "syslog"}, call("action_syslog"), _("System Log"), 4)
 	entry({"admin", "status", "dmesg"}, call("action_dmesg"), _("Kernel Log"), 5)
@ -42,22 +45,16 @@ end

 function action_iptables()
 	if luci.http.formvalue("zero") then
-		if luci.http.formvalue("zero") == "6" then
-			luci.util.exec("ip6tables -Z")
+		if luci.http.formvalue("family") == "6" then
+			luci.util.exec("/usr/sbin/ip6tables -Z")
 		else
-			luci.util.exec("iptables -Z")
+			luci.util.exec("/usr/sbin/iptables -Z")
 		end
-		luci.http.redirect(
-			luci.dispatcher.build_url("admin", "status", "iptables")
-		)
-	elseif luci.http.formvalue("restart") == "1" then
+	elseif luci.http.formvalue("restart") then
 		luci.util.exec("/etc/init.d/firewall restart")
-		luci.http.redirect(
-			luci.dispatcher.build_url("admin", "status", "iptables")
-		)
-	else
-		luci.template.render("admin_status/iptables")
 	end
+
+	luci.http.redirect(luci.dispatcher.build_url("admin/status/iptables"))
 end

 function action_bandwidth(iface)
--- a/modules/luci-mod-admin-full/luasrc/view/admin_status/iptables.htm
+++ b/modules/luci-mod-admin-full/luasrc/view/admin_status/iptables.htm
@ -1,6 +1,6 @@
 <%#
 Copyright 2008-2009 Steven Barth <steven@midlink.org>
- Copyright 2008-2011 Jo-Philipp Wich <jow@openwrt.org>
+ Copyright 2008-2015 Jo-Philipp Wich <jow@openwrt.org>
 Licensed to the public under the Apache License 2.0.
 -%>

@ -37,7 +37,7 @@
 		local net = wba.iface_get_network(i)
 		if net and i ~= "lo" then
 			return '<a href="%s">%s</a>' %{
-				luci.dispatcher.build_url("admin", "network", "network", net), i
+				url("admin/network/network", net), i
 			}

 		end
@ -60,6 +60,7 @@
 </style>

 <h2 name="content"><%:Firewall Status%></h2>
+<br />

 <% if has_ip6tables then %>
 <ul class="cbi-tabmenu">
@ -68,82 +69,78 @@
 </ul>
 <% end %>

-<form method="post" action="<%=REQUEST_URI%>">
-	<div class="cbi-map">
-		<fieldset class="cbi-section">
-			<h3><%:Actions%></h3>
-			<ul>
-				<li><a href="<%=REQUEST_URI%>?zero=<%=mode%>"><%:Reset Counters%></a></li>
-				<li><a href="<%=REQUEST_URI%>?restart=1"><%:Restart Firewall%></a></li>
-			</ul>
+<div class="cbi-map" style="position: relative">
+
+	<form method="post" action="<%=url("admin/status/iptables_action")%>" style="position: absolute; right: 0">
+		<input type="hidden" name="token" value="<%=token%>" />
+		<input type="hidden" name="family" value="<%=mode%>" />
+		<input type="submit" class="cbi-button" name="zero" value="<%:Reset Counters%>" />
+		<input type="submit" class="cbi-button" name="restart" value="<%:Restart Firewall%>" />
+	</form>
+
+	<fieldset class="cbi-section">
+
+		<% for _, tbl in ipairs(tables) do chaincnt = 0 %>
+			<h3><%:Table%>: <%=tbl%></h3>
+			<table class="cbi-section-table" style="font-size:90%">
+				<% for _, chain in ipairs(ipt:chains(tbl)) do
+					rowcnt    = 0
+					chaincnt  = chaincnt + 1
+					chaininfo = ipt:chain(tbl, chain)
+				%>
+					<tr class="cbi-section-table-titles cbi-rowstyle-<%=rowstyle()%>">
+						<th class="cbi-section-table-cell" style="text-align:left" colspan="11">
+							<br /><span id="rule_<%=tbl:lower()%>_<%=chain%>">
+							<%:Chain%> <em><%=chain%></em>
+							(<%- if chaininfo.policy then -%>
+								<%:Policy%>: <em><%=chaininfo.policy%></em>, <%:Packets%>: <%=chaininfo.packets%>, <%:Traffic%>: <%=wba.byte_format(chaininfo.bytes)-%>
+							<%- else -%>
+								<%:References%>: <%=chaininfo.references-%>
+							<%- end -%>)</span>
+						</th>
+					</tr>
+					<tr class="cbi-section-table-descr">
+						<th class="cbi-section-table-cell"><%:Pkts.%></th>
+						<th class="cbi-section-table-cell"><%:Traffic%></th>
+						<th class="cbi-section-table-cell"><%:Target%></th>
+						<th class="cbi-section-table-cell"><%:Prot.%></th>
+						<th class="cbi-section-table-cell"><%:In%></th>
+						<th class="cbi-section-table-cell"><%:Out%></th>
+						<th class="cbi-section-table-cell"><%:Source%></th>
+						<th class="cbi-section-table-cell"><%:Destination%></th>
+						<th class="cbi-section-table-cell" style="width:30%"><%:Options%></th>
+					</tr>
+
+					<% for _, rule in ipairs(ipt:find({table=tbl, chain=chain})) do %>
+						<tr class="cbi-section-table-row cbi-rowstyle-<%=rowstyle()%>">
+							<td><%=rule.packets%></td>
+							<td style="white-space: nowrap"><%=wba.byte_format(rule.bytes)%></td>
+							<td><%=rule.target and link_target(tbl, rule.target) or "-"%></td>
+							<td><%=rule.protocol%></td>
+							<td><%=link_iface(rule.inputif)%></td>
+							<td><%=link_iface(rule.outputif)%></td>
+							<td><%=rule.source%></td>
+							<td><%=rule.destination%></td>
+							<td style="width:30%"><small><%=#rule.options > 0 and luci.util.pcdata(table.concat(rule.options, " ")) or "-"%></small></td>
+						</tr>
+					<% end %>
+
+					<% if rowcnt == 1 then %>
+						<tr class="cbi-section-table-titles cbi-rowstyle-<%=rowstyle()%>">
+							<td colspan="9"><em><%:No rules in this chain%></em></td>
+						</tr>
+					<% end %>
+				<% end %>
+
+				<% if chaincnt == 0 then %>
+					<tr class="cbi-section-table-titles cbi-rowstyle-<%=rowstyle()%>">
+						<td colspan="9"><em><%:No chains in this table%></em></td>
+					</tr>
+				<% end %>
+			</table>
 			<br /><br />
-
-			<% for _, tbl in ipairs(tables) do chaincnt = 0 %>
-				<h3><%:Table%>: <%=tbl%></h3>
-				<table class="cbi-section-table" style="font-size:90%">
-					<% for _, chain in ipairs(ipt:chains(tbl)) do
-						rowcnt    = 0
-						chaincnt  = chaincnt + 1
-						chaininfo = ipt:chain(tbl, chain)
-					%>
-						<tr class="cbi-section-table-titles cbi-rowstyle-<%=rowstyle()%>">
-							<th class="cbi-section-table-cell" style="text-align:left" colspan="11">
-								<br /><span id="rule_<%=tbl:lower()%>_<%=chain%>">
-								<%:Chain%> <em><%=chain%></em>
-								(<%- if chaininfo.policy then -%>
-									<%:Policy%>: <em><%=chaininfo.policy%></em>, <%:Packets%>: <%=chaininfo.packets%>, <%:Traffic%>: <%=wba.byte_format(chaininfo.bytes)-%>
-								<%- else -%>
-									<%:References%>: <%=chaininfo.references-%>
-								<%- end -%>)</span>
-							</th>
-						</tr>
-						<tr class="cbi-section-table-descr">
-							<th class="cbi-section-table-cell"><%:Rule #%></th>
-							<th class="cbi-section-table-cell"><%:Pkts.%></th>
-							<th class="cbi-section-table-cell"><%:Traffic%></th>
-							<th class="cbi-section-table-cell"><%:Target%></th>
-							<th class="cbi-section-table-cell"><%:Prot.%></th>
-							<th class="cbi-section-table-cell"><%:Flags%></th>
-							<th class="cbi-section-table-cell"><%:In%></th>
-							<th class="cbi-section-table-cell"><%:Out%></th>
-							<th class="cbi-section-table-cell"><%:Source%></th>
-							<th class="cbi-section-table-cell"><%:Destination%></th>
-							<th class="cbi-section-table-cell" style="width:30%"><%:Options%></th>
-						</tr>
-
-						<% for _, rule in ipairs(ipt:find({table=tbl, chain=chain})) do %>
-							<tr class="cbi-section-table-row cbi-rowstyle-<%=rowstyle()%>">
-								<td><%=rule.index%></td>
-								<td><%=rule.packets%></td>
-								<td><%=wba.byte_format(rule.bytes)%></td>
-								<td><%=rule.target and link_target(tbl, rule.target) or "-"%></td>
-								<td><%=rule.protocol%></td>
-								<td><%=rule.flags%></td>
-								<td><%=link_iface(rule.inputif)%></td>
-								<td><%=link_iface(rule.outputif)%></td>
-								<td><%=rule.source%></td>
-								<td><%=rule.destination%></td>
-								<td style="width:30%"><small><%=#rule.options > 0 and luci.util.pcdata(table.concat(rule.options, " ")) or "-"%></small></td>
-							</tr>
-						<% end %>
-
-						<% if rowcnt == 1 then %>
-							<tr class="cbi-section-table-titles cbi-rowstyle-<%=rowstyle()%>">
-								<td colspan="11"><em><%:No rules in this chain%></em></td>
-							</tr>
-						<% end %>
-					<% end %>
-
-					<% if chaincnt == 0 then %>
-						<tr class="cbi-section-table-titles cbi-rowstyle-<%=rowstyle()%>">
-							<td colspan="11"><em><%:No chains in this table%></em></td>
-						</tr>
-					<% end %>
-				</table>
-				<br /><br />
-			<% end %>
-		</fieldset>
-	</div>
-</form>
+		<% end %>
+	</fieldset>
+</div>

 <%+footer%>