From 7a4b11b6a495ddc747db5e44f5a62891ef86398c Mon Sep 17 00:00:00 2001 From: stilez Date: Thu, 15 Sep 2016 09:54:54 +0100 Subject: Enhance ICMP type handling in rules See main PR for details --- src/usr/local/www/firewall_rules_edit.php | 155 ++++++++++++++++++++---------- 1 file changed, 105 insertions(+), 50 deletions(-) (limited to 'src/usr/local/www/firewall_rules_edit.php') diff --git a/src/usr/local/www/firewall_rules_edit.php b/src/usr/local/www/firewall_rules_edit.php index 330191d..4ddfeed 100644 --- a/src/usr/local/www/firewall_rules_edit.php +++ b/src/usr/local/www/firewall_rules_edit.php @@ -35,6 +35,27 @@ require_once("ipsec.inc"); require_once("filter.inc"); require_once("shaper.inc"); +/* build icmptypes valid for IPv4, IPv6 and IPv */ +$icmptypes4 = array('any' => gettext('any')); +$icmptypes6 = array('any' => gettext('any')); +$icmptypes46 = array('any' => gettext('any')); +foreach ($icmptypes as $k => $v) { + if ($v['valid4']) { + $icmptypes4[$k] = $v['descrip']; + if ($v['valid6']) { + $icmptypes6[$k] = $v['descrip']; + $icmptypes46[$k] = $v['descrip']; + } + } else { + $icmptypes6[$k] = $v['descrip']; + } +} +$icmplookup = array( + 'inet' => array('name' => 'IPv4', 'icmptypes' => $icmptypes4, 'helpmsg' => gettext('For ICMP rules on IPv4, one or more of these ICMP subtypes may be specified.')), + 'inet6' => array('name' => 'IPv6', 'icmptypes' => $icmptypes6, 'helpmsg' => gettext('For ICMP rules on IPv6, one or more of these ICMP subtypes may be specified.')), + 'inet46' => array('name' => 'IPv4+6', 'icmptypes' => $icmptypes46, 'helpmsg' => gettext('For ICMP rules on IPv4+IPv6, one or more of these ICMP subtypes may be specified. (Other ICMP subtypes are only valid under IPv4 or IPv6, not both)')) +); + if (isset($_POST['referer'])) { $referer = $_POST['referer']; } else { @@ -329,11 +350,6 @@ if ($_POST) { } } } - if (($_POST['proto'] == "icmp") && ($_POST['icmptype'] <> "")) { - if ($_POST['ipprotocol'] == "inet46") { - $input_errors[] = gettext("An ICMP type can not be assigned to a rule that applies to IPv4 and IPv6"); - } - } if (($_POST['proto'] != "tcp") && ($_POST['proto'] != "udp") && ($_POST['proto'] != "tcp/udp")) { $_POST['srcbeginport'] = 0; @@ -558,6 +574,27 @@ if ($_POST) { } } + if ($_POST['proto'] == "icmp") { + $t = $_POST['icmptype']; + $bad_types = array(); + if (is_array($t) && ((count($t) == 1 && !isset($t['any'])) || count($t) > 1)) { + // Only need to check valid if just one selected != "any", or >1 selected + $p = $_POST['ipprotocol']; + foreach ($t as $type) { + if ( ($p == 'inet' && !array_key_exists($type, $icmptypes4)) || + ($p == 'inet6' && !array_key_exists($type, $icmptypes6)) || + ($p == 'inet46' && !array_key_exists($type, $icmptypes46))) { + $bad_types[] = $type; + } + } + } + if (count($bad_types) > 0) { + $input_errors[] = sprintf(gettext("Invalid ICMP subtype: %s can not be used with %s."), implode(';', $bad_types), $t['name']); + } + } else { + unset($_POST['icmptype']); // field not applicable, might hold junk from old hidden selections. Unset it. + } + if ($_POST['ackqueue'] != "") { if ($_POST['defaultqueue'] == "") { $input_errors[] = gettext("A queue must be selected when an acknowledge queue is also selected."); @@ -790,14 +827,10 @@ if ($_POST) { unset($filterent['protocol']); } - if ($_POST['proto'] == "icmp") { - if ($filterent['ipprotocol'] == 'inet6' && $_POST['icmp6type']) { - $filterent['icmptype'] = $_POST['icmp6type']; - } else if ($filterent['ipprotocol'] != 'inet6' && $_POST['icmptype']) { - $filterent['icmptype'] = $_POST['icmptype']; - } else { - unset($filterent['icmptype']); - } + // Convert array of selected ICMP types to comma-separated string, for backwards compatibility (previously only allowed one type per rule) + if ($_POST['proto'] == "icmp" && is_array($_POST['icmptype']) && !isset($_POST['icmptype']['any']) && count($_POST['icmptype']) > 0) { + //if any of these conditions not met, rule would apply to all icmptypes, so we would unset + $filterent['icmptype'] = implode(',', $_POST['icmptype']); } else { unset($filterent['icmptype']); } @@ -1216,6 +1249,7 @@ $section->addInput(new Form_Select( 'Protocol', $pconfig['proto'], array( + 'any' => gettext('any'), 'tcp' => 'TCP', 'udp' => 'UDP', 'tcp/udp' => 'TCP/UDP', @@ -1228,25 +1262,22 @@ $section->addInput(new Form_Select( 'pim' => 'PIM', 'ospf' => 'OSPF', 'sctp' => 'SCTP', - 'any' => gettext('any'), 'carp' => 'CARP', 'pfsync' => 'PFSYNC', ) ))->setHelp('Choose which IP protocol this rule should match.'); -$section->addInput(new Form_Select( +$group = new Form_Group("ICMP Subtypes"); +$group->add(new Form_Select( 'icmptype', - 'ICMP type', - $pconfig['icmptype'], - $icmptypes -))->setHelp('If ICMP is selected for the protocol above, an ICMP type may be specified here.'); + 'ICMP subtypes', + ((isset($pconfig['icmptype']) && strlen($pconfig['icmptype']) > 0) ? explode(',', $pconfig['icmptype']) : 'any'), + $icmplookup[$pconfig['ipprotocol']]['icmptypes'], + true +))->setHelp('
' . gettext($icmplookup[$pconfig['ipprotocol']]['helpmsg']) . '
'); +$group->addClass('icmptype_section'); -$section->addInput(new Form_Select( - 'icmp6type', - 'ICMPv6 type', - $pconfig['icmptype'], - $icmp6types -))->setHelp('If ICMP is selected for the protocol above, an ICMP type may be specified here.'); +$section->add($group); $form->add($section); @@ -1856,32 +1887,22 @@ events.push(function() { disableInput('os', true); } - if ($('#proto').find(":selected").index() == 3) { - disableInput('icmptype', false); - disableInput('icmp6type', false); - } else { - disableInput('icmptype', true); - disableInput('icmp6type', true); + // Hide ICMP types if not icmp rule + hideClass('icmptype_section', $('#proto').val() != 'icmp'); + // Update ICMP help msg to match current IP protocol + $('#icmptype_help').html(icmphelp[$('#ipprotocol').val()]); + // Update ICMP types available for current IP protocol, copying over any still-valid selections + var listid = "#icmptype\\[\\]"; // for ease of use + var current_sel = ($(listid).val() || ['any']); // Ensures we get correct array when none selected + var new_options = icmptypes[$('#ipprotocol').val()]; + var new_html = ''; + for (var key in new_options) { + new_html += '\n'; } + $(listid).empty().html(new_html); ext_change(); - if ($('#proto').find(":selected").index() == 3 || $('#proto').find(":selected").index() == 4) { - if ($('#ipprotocol').find(":selected").index() == 0) { // IPv4 - hideInput('icmptype', false); - hideInput('icmp6type', true); - } else if ($('#ipprotocol').find(":selected").index() == 1) { // IPv6 - hideInput('icmptype', true); - hideInput('icmp6type', false); - } else { // IPv4 + IPv6 - hideInput('icmptype', true); - hideInput('icmp6type', true); - } - } else { - hideInput('icmptype', true); - hideInput('icmp6type', true); - } - if ($('#proto').find(":selected").index() <= 2) { hideClass('dstprtr', false); hideInput('btnsrcadv', false); @@ -1900,6 +1921,19 @@ events.push(function() { show_source_port_range(); } + function icmptype_change() { + var listid = "#icmptype\\[\\]"; // for ease of use + var current_sel = ($(listid).val() || ['any']); // Ensures we get correct array when none selected + if (jQuery.inArray('any', current_sel) != -1) { + // "any" negates all selections + $(listid).find('option').not('[value="any"]').removeAttr('selected'); + } + if ($(listid + ' option:selected').length == 0) { + // no selection = select "any" + $(listid + ' option[value="any"]').prop('selected', true); + } + } + function src_rep_change() { $('#srcendport').prop("selectedIndex", $('#srcbeginport').find(":selected").index()); } @@ -1909,6 +1943,23 @@ events.push(function() { } // On initial page load + + $v) { + $a = array(); + foreach ($v['icmptypes'] as $icmp_k => $icmp_v) { + $a[] = sprintf("'%s':'%s'", $icmp_k, $icmp_v); + } + $out1 .= "icmptypes['{$k}'] = {\n\t" . implode(",\n\t", $a) . "\n};\n"; + $out2 .= "icmphelp['{$k}'] = '" . str_replace("'", ''', gettext($v['helpmsg'])) . "';\n"; + } + echo $out1; + echo $out2; +?> + proto_change(); ext_change(); @@ -1959,14 +2010,18 @@ events.push(function() { typesel_change(); }); - $('#proto').on('change', function() { + $('#ipprotocol').on('change', function() { proto_change(); }); - $('#ipprotocol').on('change', function() { + $('#proto').on('change', function() { proto_change(); }); + $('#icmptype\\[\\]').on('change', function() { + icmptype_change(); + }); + $('#tcpflags_any').click(function () { if (this.checked) { $('.table-flags').addClass('hidden'); @@ -2001,7 +2056,7 @@ events.push(function() { // fields are disabled function disable_most(disable) { var elementsToDisable = [ - 'interface', 'proto', 'icmptype', 'icmp6type', 'srcnot', 'srctype', 'src', 'srcmask', 'srcbebinport', 'srcbeginport_cust', 'srcendport', + 'interface', 'proto', 'icmptype\\[\\]', 'srcnot', 'srctype', 'src', 'srcmask', 'srcbebinport', 'srcbeginport_cust', 'srcendport', 'srcendport_cust', 'dstnot', 'dsttype', 'dst', 'dstmask', 'dstbeginport', 'dstbeginport_cust', 'dstendport', 'dstendport_cust']; for (var idx=0, len = elementsToDisable.length; idx Date: Thu, 15 Sep 2016 10:50:31 +0100 Subject: Improve icmptype input sanitising --- src/usr/local/www/firewall_rules_edit.php | 35 +++++++++++++++++++------------ 1 file changed, 22 insertions(+), 13 deletions(-) (limited to 'src/usr/local/www/firewall_rules_edit.php') diff --git a/src/usr/local/www/firewall_rules_edit.php b/src/usr/local/www/firewall_rules_edit.php index 4ddfeed..1f1c320 100644 --- a/src/usr/local/www/firewall_rules_edit.php +++ b/src/usr/local/www/firewall_rules_edit.php @@ -575,21 +575,30 @@ if ($_POST) { } if ($_POST['proto'] == "icmp") { - $t = $_POST['icmptype']; - $bad_types = array(); - if (is_array($t) && ((count($t) == 1 && !isset($t['any'])) || count($t) > 1)) { - // Only need to check valid if just one selected != "any", or >1 selected - $p = $_POST['ipprotocol']; - foreach ($t as $type) { - if ( ($p == 'inet' && !array_key_exists($type, $icmptypes4)) || - ($p == 'inet6' && !array_key_exists($type, $icmptypes6)) || - ($p == 'inet46' && !array_key_exists($type, $icmptypes46))) { - $bad_types[] = $type; + $t =& $_POST['icmptype']; + if (isset($t) && !is_array($t)) { + // shouldn't happen but avoids making assumptions for data-sanitising + $input_errors[] = gettext("ICMP types expected to be a list if present, but is not."); + } elseif (!isset($t) || count($t) == 0) { + // not specified or none selected + unset($_POST['icmptype']); + } else { + // check data + $bad_types = array(); + if ((count($t) == 1 && !isset($t['any'])) || count($t) > 1) { + // Only need to check valid if just one selected != "any", or >1 selected + $p = $_POST['ipprotocol']; + foreach ($t as $type) { + if ( ($p == 'inet' && !array_key_exists($type, $icmptypes4)) || + ($p == 'inet6' && !array_key_exists($type, $icmptypes6)) || + ($p == 'inet46' && !array_key_exists($type, $icmptypes46))) { + $bad_types[] = $type; + } } } - } - if (count($bad_types) > 0) { - $input_errors[] = sprintf(gettext("Invalid ICMP subtype: %s can not be used with %s."), implode(';', $bad_types), $t['name']); + if (count($bad_types) > 0) { + $input_errors[] = sprintf(gettext("Invalid ICMP subtype: %s can not be used with %s."), implode(';', $bad_types), $t['name']); + } } } else { unset($_POST['icmptype']); // field not applicable, might hold junk from old hidden selections. Unset it. -- cgit v1.1 From 640462d20b4d06b8ba14b9ce300c218b14998aef Mon Sep 17 00:00:00 2001 From: stilez Date: Thu, 15 Sep 2016 18:12:18 +0100 Subject: Bugfixes 1. On creating a new rule, $pconfig['ipprotocol'] is undefined, rather than defaults to what is seen in GUI (IPv4). Form generation logic for the ICMPType list box can't rely on a good value. It was fixed late here and missed when copying changes to Github. Very likely responsible for above issue by @rbgarga . Please confirm if this fixes it for you. On the off-chance that it still doesn't, can you let me know if _editing an existing rule_ works, which will help. 2. Reordering #proto options affects JS logic, because JS uses index() to identify which protocol is selected. Generally I feel this isn't the best practice, if the value is what matters then it's better and easier to review, if the code references the value itself (.val()) not the position in the list which could change (.index()). That said, I should have spotted this anyway. --- src/usr/local/www/firewall_rules_edit.php | 22 +++++++--------------- 1 file changed, 7 insertions(+), 15 deletions(-) (limited to 'src/usr/local/www/firewall_rules_edit.php') diff --git a/src/usr/local/www/firewall_rules_edit.php b/src/usr/local/www/firewall_rules_edit.php index 1f1c320..e51fed3 100644 --- a/src/usr/local/www/firewall_rules_edit.php +++ b/src/usr/local/www/firewall_rules_edit.php @@ -1281,9 +1281,9 @@ $group->add(new Form_Select( 'icmptype', 'ICMP subtypes', ((isset($pconfig['icmptype']) && strlen($pconfig['icmptype']) > 0) ? explode(',', $pconfig['icmptype']) : 'any'), - $icmplookup[$pconfig['ipprotocol']]['icmptypes'], + isset($icmplookup[$pconfig['ipprotocol']]) ? $icmplookup[$pconfig['ipprotocol']]['icmptypes'] : array('any' => gettext('any')), true -))->setHelp('
' . gettext($icmplookup[$pconfig['ipprotocol']]['helpmsg']) . '
'); +))->setHelp('
' . (isset($icmplookup[$pconfig['ipprotocol']]) ? gettext($icmplookup[$pconfig['ipprotocol']]['helpmsg']) : '') . '
'); $group->addClass('icmptype_section'); $section->add($group); @@ -1881,20 +1881,12 @@ events.push(function() { } function proto_change() { - if ($('#proto').find(":selected").index() < 3) { - portsenabled = 1; - hideClass('tcpflags', false); - } else { - portsenabled = 0; - hideClass('tcpflags', true); - } + var is_tcpudp = (jQuery.inArray($('#proto :selected').val(), ['tcp','udp', 'tcp/udp']) != -1); + portsenabled = (is_tcpudp ? 1 : 0); + hideClass('tcpflags', !is_tcpudp); // Disable OS if the proto is not TCP. - if ($('#proto').find(":selected").index() < 1) { - disableInput('os', false); - } else { - disableInput('os', true); - } + disableInput('os', ($('#proto :selected').val() != 'tcp')); // Hide ICMP types if not icmp rule hideClass('icmptype_section', $('#proto').val() != 'icmp'); @@ -1912,7 +1904,7 @@ events.push(function() { ext_change(); - if ($('#proto').find(":selected").index() <= 2) { + if (is_tcpudp) { hideClass('dstprtr', false); hideInput('btnsrcadv', false); if ((($('#srcbeginport').val() == "any") || ($('#srcbeginport').val() == "")) && -- cgit v1.1 From 9d4da801ebd426db89b515a9d12d3eb389898b62 Mon Sep 17 00:00:00 2001 From: Jared Dillard Date: Thu, 15 Dec 2016 11:04:52 -0600 Subject: Fix the Safari issue mentioned by @garga https://github.com/pfsense/pfsense/pull/3139#pullrequestreview-156718 I ended up having to remove the select element and re-create it (along with the options) in order to get around what appears to be a bug in Safari. --- src/usr/local/www/firewall_rules_edit.php | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'src/usr/local/www/firewall_rules_edit.php') diff --git a/src/usr/local/www/firewall_rules_edit.php b/src/usr/local/www/firewall_rules_edit.php index e51fed3..e6f296a 100644 --- a/src/usr/local/www/firewall_rules_edit.php +++ b/src/usr/local/www/firewall_rules_edit.php @@ -1897,10 +1897,16 @@ events.push(function() { var current_sel = ($(listid).val() || ['any']); // Ensures we get correct array when none selected var new_options = icmptypes[$('#ipprotocol').val()]; var new_html = ''; + //remove and re-create the select element (otherwise the options can disappear in Safari) + $(listid).remove(); + var select = $("").attr("id", "icmptype[]").attr("name", "icmptype[]").addClass("form-control").attr("multiple", "multiple"); + $('div.icmptype_section > div.col-sm-10').prepend(select); + for (var key in new_options) { new_html += '\n'; } - $(listid).empty().html(new_html); + + $(listid).html(new_html); ext_change(); -- cgit v1.1 From 8afd8c0409a9ed246a244e7a1dbdcb2ad627434b Mon Sep 17 00:00:00 2001 From: stilez Date: Tue, 27 Dec 2016 01:31:14 +0000 Subject: Alternate fix for jim-p's point that seems to resolve everything neatly @jim-p commented on the PR that: > This change is unwarranted. The protocol default should remain TCP, it is set that way on purpose (otherwise people get confused by the lack of port options being visible). It's also not relevant to the other changes being made on this PR. An alternate fix for jim-p's point. this only affects creating new rules and I take the point. I found this a much better fix (AFAICS). It seems to resolve all issues neatly. Proposed fix: leave "any" at the top of the list as that's the logical place people almost always look for it if they want it, _but set the default proto to tcp for new rules_ so that ports and other expected items are displayed by default too. After all, the default protocol is only relevant for showing tcp and ports fields, when a new blank rule is created (obvious: if the rule exists it would display the protocol in the existing rule). @jim-p can you try this as a fix, and see if it would be acceptable for resolving your point? --- src/usr/local/www/firewall_rules_edit.php | 1 + 1 file changed, 1 insertion(+) (limited to 'src/usr/local/www/firewall_rules_edit.php') diff --git a/src/usr/local/www/firewall_rules_edit.php b/src/usr/local/www/firewall_rules_edit.php index e6f296a..79b3fb0 100644 --- a/src/usr/local/www/firewall_rules_edit.php +++ b/src/usr/local/www/firewall_rules_edit.php @@ -296,6 +296,7 @@ if (isset($id) && $a_filter[$id]) { $pconfig['interface'] = $_GET['if']; } $pconfig['type'] = "pass"; + $pconfig['proto'] = "tcp"; // ensures port fields visible and default=tcp, for a new rule $pconfig['src'] = "any"; $pconfig['dst'] = "any"; } -- cgit v1.1 From 202e23a81613c5810679e9b119ad4cc53977dbea Mon Sep 17 00:00:00 2001 From: stilez Date: Tue, 27 Dec 2016 02:11:20 +0000 Subject: Data sanitation - check IP protocol in form data Code doesn't seem to check that IP protocol is valid (IPv4/6/4+6) or report via $input_errors[] if not. Simple fix. Only spotted recently. Should be fixed whatever else? --- src/usr/local/www/firewall_rules_edit.php | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'src/usr/local/www/firewall_rules_edit.php') diff --git a/src/usr/local/www/firewall_rules_edit.php b/src/usr/local/www/firewall_rules_edit.php index 79b3fb0..8eac894 100644 --- a/src/usr/local/www/firewall_rules_edit.php +++ b/src/usr/local/www/firewall_rules_edit.php @@ -317,6 +317,10 @@ if ($_POST) { unset($input_errors); + if (!array_key_exists($_POST['ipprotocol'], $icmplookup)) { + $input_errors[] = gettext("The IP protocol is not recognized.");  + } + if (isset($a_filter[$id]['associated-rule-id'])) { $_POST['proto'] = $pconfig['proto']; if ($pconfig['proto'] == "icmp") { -- cgit v1.1 From 86554b5aecb1d219e2f72c97b14de8b5fef495aa Mon Sep 17 00:00:00 2001 From: stilez Date: Wed, 28 Dec 2016 22:46:20 +0000 Subject: revert protocol order change (unrelated to PR) Will pu in separate PR afterwards as requested --- src/usr/local/www/firewall_rules_edit.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'src/usr/local/www/firewall_rules_edit.php') diff --git a/src/usr/local/www/firewall_rules_edit.php b/src/usr/local/www/firewall_rules_edit.php index 8eac894..6de6e69 100644 --- a/src/usr/local/www/firewall_rules_edit.php +++ b/src/usr/local/www/firewall_rules_edit.php @@ -296,7 +296,6 @@ if (isset($id) && $a_filter[$id]) { $pconfig['interface'] = $_GET['if']; } $pconfig['type'] = "pass"; - $pconfig['proto'] = "tcp"; // ensures port fields visible and default=tcp, for a new rule $pconfig['src'] = "any"; $pconfig['dst'] = "any"; } @@ -1263,10 +1262,10 @@ $section->addInput(new Form_Select( 'Protocol', $pconfig['proto'], array( - 'any' => gettext('any'), 'tcp' => 'TCP', 'udp' => 'UDP', 'tcp/udp' => 'TCP/UDP', + 'any' => gettext('any'), 'icmp' => 'ICMP', 'esp' => 'ESP', 'ah' => 'AH', -- cgit v1.1 From 43a0cf73f2c2f951b9a1c5e777551de1b82c25f2 Mon Sep 17 00:00:00 2001 From: stilez Date: Wed, 28 Dec 2016 22:51:57 +0000 Subject: Put back "any" in same place it came from in dropdown --- src/usr/local/www/firewall_rules_edit.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/usr/local/www/firewall_rules_edit.php') diff --git a/src/usr/local/www/firewall_rules_edit.php b/src/usr/local/www/firewall_rules_edit.php index 6de6e69..86ba555 100644 --- a/src/usr/local/www/firewall_rules_edit.php +++ b/src/usr/local/www/firewall_rules_edit.php @@ -1265,7 +1265,6 @@ $section->addInput(new Form_Select( 'tcp' => 'TCP', 'udp' => 'UDP', 'tcp/udp' => 'TCP/UDP', - 'any' => gettext('any'), 'icmp' => 'ICMP', 'esp' => 'ESP', 'ah' => 'AH', @@ -1275,6 +1274,7 @@ $section->addInput(new Form_Select( 'pim' => 'PIM', 'ospf' => 'OSPF', 'sctp' => 'SCTP', + 'any' => gettext('any'), 'carp' => 'CARP', 'pfsync' => 'PFSYNC', ) -- cgit v1.1 From d4b2ebaeb2fa2dcc635d061891aa858f8c16d407 Mon Sep 17 00:00:00 2001 From: stilez Date: Wed, 28 Dec 2016 22:56:03 +0000 Subject: Remove and replace white spaces Safari doesn't seem to have editing issues (or else they very quickly fixed it). Removed all white spaces and re-entered, hopefully this fixes any incorrect extraneous characters that existed? If not you'll have to let me know where exactly they are. --- src/usr/local/www/firewall_rules_edit.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'src/usr/local/www/firewall_rules_edit.php') diff --git a/src/usr/local/www/firewall_rules_edit.php b/src/usr/local/www/firewall_rules_edit.php index 86ba555..1dd5177 100644 --- a/src/usr/local/www/firewall_rules_edit.php +++ b/src/usr/local/www/firewall_rules_edit.php @@ -313,13 +313,13 @@ $dnqlist =& get_unique_dnqueue_list(); $a_gatewaygroups = return_gateway_groups_array(); if ($_POST) { - + unset($input_errors); - + if (!array_key_exists($_POST['ipprotocol'], $icmplookup)) { - $input_errors[] = gettext("The IP protocol is not recognized.");  + $input_errors[] = gettext("The IP protocol is not recognized."); } - + if (isset($a_filter[$id]['associated-rule-id'])) { $_POST['proto'] = $pconfig['proto']; if ($pconfig['proto'] == "icmp") { -- cgit v1.1