authorjim-p <jimp@pfsense.org>2013-03-20 13:24:12 -0400
committerjim-p <jimp@pfsense.org>2013-03-20 13:26:16 -0400
commitba1d9714c5a96d892a6a80157d542f2dbe4fb71c (patch)
tree079bdc26e13959e111de0c3e70e1523e80ed1f16
parent919ff1f07070287ee1408ae4d8e530efa756106f (diff)
Track user/time a firewall rule was created and last updated, and show this information at the bottom of the page when viewing the firewall rule. Have various places in the system that create rules add a proper entry to indicate their origin.
-rw-r--r--etc/inc/config.lib.inc59
-rw-r--r--etc/inc/easyrule.inc2
-rwxr-xr-xusr/local/www/firewall_nat_edit.php1
-rwxr-xr-xusr/local/www/firewall_rules_edit.php40
-rw-r--r--usr/local/www/wizards/openvpn_wizard.inc2
-rw-r--r--usr/local/www/wizards/traffic_shaper_wizard.inc11
-rwxr-xr-xusr/local/www/wizards/traffic_shaper_wizard_dedicated.inc8
-rwxr-xr-xusr/local/www/wizards/traffic_shaper_wizard_multi_all.inc9
-rw-r--r--usr/local/www/wizards/traffic_shaper_wizard_multi_lan.inc11
9 files changed, 114 insertions, 29 deletions
diff --git a/etc/inc/config.lib.inc b/etc/inc/config.lib.inc
index d6e48e5..bbd6fec 100644
--- a/etc/inc/config.lib.inc
+++ b/etc/inc/config.lib.inc
@@ -509,35 +509,13 @@ function write_config($desc="Unknown", $backup = true) {
}
}
- if (empty($_SESSION["Username"])) {
- if (empty($_ENV['USER']) || $_ENV['USER'] == "root")
- $username = "(system)";
- else
- $username = $_ENV['USER'];
- } else
- $username = $_SESSION["Username"];
-
- if (!empty($_SERVER['REMOTE_ADDR']))
- $username .= '@' . $_SERVER['REMOTE_ADDR'];
-
if (!isset($argc))
session_commit();
if($backup)
backup_config();
- if (!is_array($config['revision']))
- $config['revision'] = array();
-
- if (time() > mktime(0, 0, 0, 9, 1, 2004)) /* make sure the clock settings are plausible */
- $config['revision']['time'] = time();
-
- /* Log the running script so it's not entirely unlogged what changed */
- if ($desc == "Unknown")
- $desc = sprintf(gettext("%s made unknown change"), $_SERVER['SCRIPT_NAME']);
-
- $config['revision']['description'] = "{$username}: " . $desc;
- $config['revision']['username'] = $username;
+ $config['revision'] = make_config_revision_entry($desc);
conf_mount_rw();
$lockkey = lock('config', LOCK_EX);
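Review bot: The new assignment `$config['revision'] = make_config_revision_entry($desc);` replaces the whole `revision` array, whereas the removed lines updated individual keys in place. Because the helper sets `time` only when the clock check passes, a write made with an implausible clock now drops the `time` key instead of keeping the previous value, and an empty `$desc` leaves `description` unset. If readers of `$config['revision']` expect those keys to always exist, merge instead: `$config['revision'] = array_merge(is_array($config['revision']) ? $config['revision'] : array(), make_config_revision_entry($desc));`. The body of write_config starts and ends outside this hunk.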
@@ -894,4 +872,39 @@ function set_device_perms() {
}
}
+function get_config_user() {
+ if (empty($_SESSION["Username"])) {
+ if (empty($_ENV['USER']) || $_ENV['USER'] == "root")
+ $username = "(system)";
+ else
+ $username = $_ENV['USER'];
+ } else
+ $username = $_SESSION["Username"];
+
+ if (!empty($_SERVER['REMOTE_ADDR']))
+ $username .= '@' . $_SERVER['REMOTE_ADDR'];
+
+ return $username;
+}
+
+function make_config_revision_entry($desc = null, $override_user = null) {
+ if (empty($override_user))
+ $username = get_config_user();
+ else
+ $username = $override_user;
+
+ $revision = array();
+
+ if (time() > mktime(0, 0, 0, 9, 1, 2004)) /* make sure the clock settings are plausible */
+ $revision['time'] = time();
+
+ /* Log the running script so it's not entirely unlogged what changed */
+ if ($desc == "Unknown")
+ $desc = sprintf(gettext("%s made unknown change"), $_SERVER['SCRIPT_NAME']);
+ if (!empty($desc))
+ $revision['description'] = "{$username}: " . $desc;
+ $revision['username'] = $username;
+ return $revision;
+}
+
?>
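Review bot: In `make_config_revision_entry`, a non-empty `$override_user` replaces the result of `get_config_user()` entirely, so rules created through Easy Rule, NAT Port Forward or the wizards record only the feature label and lose the authenticated user and `REMOTE_ADDR` of whoever triggered the change. For an audit trail on firewall rules it is more useful to keep both, e.g. `$username = get_config_user() . " (" . $override_user . ")";`. The same applies to every call site in this commit that passes a second argument (easyrule.inc, firewall_nat_edit.php, openvpn_wizard.inc and the traffic shaper wizard files). Both new functions also lack a header comment; one stating that the returned array holds `time` only when the clock is plausible, `description` only when `$desc` is non-empty, and always `username` would help callers.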
diff --git a/etc/inc/easyrule.inc b/etc/inc/easyrule.inc
index d7bbcf9..a88b322 100644
--- a/etc/inc/easyrule.inc
+++ b/etc/inc/easyrule.inc
@@ -115,6 +115,7 @@ function easyrule_block_rule_create($int = 'wan', $ipproto = "inet") {
$filterent['source']['address'] = $blockaliasname . strtoupper($int);
$filterent['destination']['any'] = '';
$filterent['descr'] = gettext("Easy Rule: Blocked from Firewall Log View");
+ $filterent['created'] = make_config_revision_entry(null, gettext("Easy Rule"));
array_splice($a_filter, 0, 0, array($filterent));
@@ -294,6 +295,7 @@ function easyrule_pass_rule_add($int, $proto, $srchost, $dsthost, $dstport, $ipp
pconfig_to_address($filterent['source'], $srchost, $srcmask);
pconfig_to_address($filterent['destination'], $dsthost, $dstmask, '', $dstport, $dstport);
+ $filterent['created'] = make_config_revision_entry(null, gettext("Easy Rule"));
$a_filter[] = $filterent;
write_config($filterent['descr']);
diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php
index f4b4587..29ca7a5 100755
--- a/usr/local/www/firewall_nat_edit.php
+++ b/usr/local/www/firewall_nat_edit.php
@@ -409,6 +409,7 @@ if ($_POST) {
// If this is a new rule, create an ID and add the rule
if( $_POST['filter-rule-association']=='add-associated' ) {
$filterent['associated-rule-id'] = $natent['associated-rule-id'] = get_unique_id();
+ $filterent['created'] = make_config_revision_entry(null, gettext("NAT Port Forward"));
$config['filter']['rule'][] = $filterent;
}
diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php
index b205c46..b3e3c5e 100755
--- a/usr/local/www/firewall_rules_edit.php
+++ b/usr/local/www/firewall_rules_edit.php
@@ -78,6 +78,12 @@ if (isset($id) && $a_filter[$id]) {
if (isset($a_filter[$id]['id']))
$pconfig['ruleid'] = $a_filter[$id]['id'];
+ if ( isset($a_filter[$id]['created']) && is_array($a_filter[$id]['created']) )
+ $pconfig['created'] = $a_filter[$id]['created'];
+
+ if ( isset($a_filter[$id]['updated']) && is_array($a_filter[$id]['updated']) )
+ $pconfig['updated'] = $a_filter[$id]['updated'];
+
if (!isset($a_filter[$id]['type']))
$pconfig['type'] = "pass";
else
@@ -636,12 +642,18 @@ if ($_POST) {
$filterent['associated-rule-id'] = $a_filter[$id]['associated-rule-id'];
}
+ if ( isset($a_filter[$id]['created']) && is_array($a_filter[$id]['created']) )
+ $filterent['created'] = $a_filter[$id]['created'];
+
+ $filterent['updated'] = make_config_revision_entry();
+
// Allow extending of the firewall edit page and include custom input validation
pfSense_handle_custom_code("/usr/local/pkg/firewall_rules/pre_write_config");
if (isset($id) && $a_filter[$id])
$a_filter[$id] = $filterent;
else {
+ $filterent['created'] = make_config_revision_entry();
if (is_numeric($after))
array_splice($a_filter, $after+1, 0, array($filterent));
else
@@ -1559,6 +1571,34 @@ $i--): ?>
// Allow extending of the firewall edit page and include custom input validation
pfSense_handle_custom_code("/usr/local/pkg/firewall_rules/htmlphplate");
?>
+<?php
+$has_created_time = (isset($a_filter[$id]['created']) && is_array($a_filter[$id]['created']));
+$has_updated_time = (isset($a_filter[$id]['updated']) && is_array($a_filter[$id]['updated']));
+?>
+ <?php if ($has_created_time || $has_updated_time): ?>
+ <tr>
+ <td>&nbsp;</td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic"><?=gettext("Rule Information");?></td>
+ </tr>
+ <?php if ($has_created_time): ?>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Created");?></td>
+ <td width="78%" class="vtable">
+ <?= date(gettext("n/j/y H:i:s"), $a_filter[$id]['created']['time']) ?> <?= gettext("by") ?> <strong><?= $a_filter[$id]['created']['username'] ?></strong>
+ </td>
+ </tr>
+ <?php endif; ?>
+ <?php if ($has_updated_time): ?>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Updated");?></td>
+ <td width="78%" class="vtable">
+ <?= date(gettext("n/j/y H:i:s"), $a_filter[$id]['updated']['time']) ?> <?= gettext("by") ?> <strong><?= $a_filter[$id]['updated']['username'] ?></strong>
+ </td>
+ </tr>
+ <?php endif; ?>
+ <?php endif; ?>
<tr>
<td width="22%" valign="top">&nbsp;</td>
<td width="78%">
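Review bot: The two `<strong>` cells in the added "Rule Information" rows echo `$a_filter[$id]['created']['username']` and `$a_filter[$id]['updated']['username']` without HTML escaping. That value is assembled in get_config_user() from `$_SESSION["Username"]` or `$_ENV['USER']` plus `$_SERVER['REMOTE_ADDR']` and then persisted in the config, so a name containing markup (or, presumably, a value arriving through a restored config file) would be rendered as HTML for every administrator who opens the rule. Escape at output, e.g. `<strong><?= htmlspecialchars($a_filter[$id]['created']['username']) ?></strong>`, and likewise for `updated`. Separately, `['time']` is absent when make_config_revision_entry's clock check fails, so the `date()` calls should be guarded with `isset(...)` rather than formatting a missing value.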
diff --git a/usr/local/www/wizards/openvpn_wizard.inc b/usr/local/www/wizards/openvpn_wizard.inc
index 86dec52..0637639 100644
--- a/usr/local/www/wizards/openvpn_wizard.inc
+++ b/usr/local/www/wizards/openvpn_wizard.inc
@@ -611,6 +611,7 @@ function step12_submitphpaction() {
$rule['protocol'] = strtolower($server['protocol']);
$rule['type'] = "pass";
$rule['enabled'] = "on";
+ $rule['created'] = make_config_revision_entry(null, gettext("OpenVPN Wizard"));
$config['filter']['rule'][] = $rule;
}
if (isset($pconfig['step11']['ovpnallow'])) {
@@ -625,6 +626,7 @@ function step12_submitphpaction() {
//$rule['protocol'] = $server['protocol'];
$rule['type'] = "pass";
$rule['enabled'] = "on";
+ $rule['created'] = make_config_revision_entry(null, gettext("OpenVPN Wizard"));
$config['filter']['rule'][] = $rule;
}
diff --git a/usr/local/www/wizards/traffic_shaper_wizard.inc b/usr/local/www/wizards/traffic_shaper_wizard.inc
index d13a5a7..71bcea0 100644
--- a/usr/local/www/wizards/traffic_shaper_wizard.inc
+++ b/usr/local/www/wizards/traffic_shaper_wizard.inc
@@ -1349,6 +1349,7 @@ function apply_all_choosen_items() {
$rule['floating'] = "yes";
$rule['wizard'] = "yes";
$rule['enabled'] = "on";
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
}
@@ -1369,6 +1370,7 @@ function apply_all_choosen_items() {
$rule['floating'] = "yes";
$rule['wizard'] = "yes";
$rule['enabled'] = "on";
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
$rule = array();
@@ -1382,6 +1384,7 @@ function apply_all_choosen_items() {
$rule['floating'] = "yes";
$rule['wizard'] = "yes";
$rule['enabled'] = "on";
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
} elseif( $config['ezshaper']['step3']['provider'] == "Generic" ) {
/* create VOIP rules */
@@ -1397,6 +1400,7 @@ function apply_all_choosen_items() {
$rule['floating'] = "yes";
$rule['wizard'] = "yes";
$rule['enabled'] = "on";
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
} else {
@@ -1415,6 +1419,7 @@ function apply_all_choosen_items() {
$rule['destination']['port'] = $voip[2]."-".$voip[3];
if($voip[1] != '')
$rule['protocol'] = $voip[1];
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
}
}
@@ -1438,6 +1443,7 @@ function apply_all_choosen_items() {
$rule['destination']['port'] = $p2pclient[2]."-".$p2pclient[3];
if($p2pclient[1] != '')
$rule['protocol'] = $p2pclient[1];
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
}
}
@@ -1464,6 +1470,7 @@ function apply_all_choosen_items() {
$rule['destination']['port'] = $Gameclient[2]."-".$Gameclient[3];
if($Gameclient[1] != '')
$rule['protocol'] = $Gameclient[1];
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
}
}
@@ -1516,8 +1523,8 @@ function apply_all_choosen_items() {
}
if($otherclient[1] != '')
$rule['protocol'] = $otherclient[1];
-
- $config['filter']['rule'][] = $rule;
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
+ $config['filter']['rule'][] = $rule;
}
}
}
diff --git a/usr/local/www/wizards/traffic_shaper_wizard_dedicated.inc b/usr/local/www/wizards/traffic_shaper_wizard_dedicated.inc
index 2cc43e2..a5a73e1 100755
--- a/usr/local/www/wizards/traffic_shaper_wizard_dedicated.inc
+++ b/usr/local/www/wizards/traffic_shaper_wizard_dedicated.inc
@@ -1413,6 +1413,7 @@ function apply_all_choosen_items() {
$rule['floating'] = "yes";
$rule['wizard'] = "yes";
$rule['enabled'] = "on";
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
}
}
@@ -1432,6 +1433,7 @@ function apply_all_choosen_items() {
$rule['floating'] = "yes";
$rule['wizard'] = "yes";
$rule['enabled'] = "on";
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
$rule = array();
@@ -1445,6 +1447,7 @@ function apply_all_choosen_items() {
$rule['floating'] = "yes";
$rule['wizard'] = "yes";
$rule['enabled'] = "on";
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
} elseif( $config['ezshaper']['step3']['provider'] == "Generic" ) {
@@ -1461,6 +1464,7 @@ function apply_all_choosen_items() {
$rule['floating'] = "yes";
$rule['wizard'] = "yes";
$rule['enabled'] = "on";
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
} else {
@@ -1479,6 +1483,7 @@ function apply_all_choosen_items() {
$rule['destination']['port'] = $voip[2]."-".$voip[3];
if($voip[1] != '')
$rule['protocol'] = $voip[1];
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
}
}
@@ -1502,6 +1507,7 @@ function apply_all_choosen_items() {
$rule['destination']['port'] = $p2pclient[2]."-".$p2pclient[3];
if($p2pclient[1] != '')
$rule['protocol'] = $p2pclient[1];
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
}
}
@@ -1580,7 +1586,7 @@ function apply_all_choosen_items() {
}
if($otherclient[1] != '')
$rule['protocol'] = $otherclient[1];
-
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
}
}
diff --git a/usr/local/www/wizards/traffic_shaper_wizard_multi_all.inc b/usr/local/www/wizards/traffic_shaper_wizard_multi_all.inc
index 707463d..8a1c8c6 100755
--- a/usr/local/www/wizards/traffic_shaper_wizard_multi_all.inc
+++ b/usr/local/www/wizards/traffic_shaper_wizard_multi_all.inc
@@ -1469,6 +1469,7 @@ function apply_all_choosen_items() {
$rule['floating'] = "yes";
$rule['wizard'] = "yes";
$rule['enabled'] = "on";
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
}
@@ -1489,6 +1490,7 @@ function apply_all_choosen_items() {
$rule['floating'] = "yes";
$rule['wizard'] = "yes";
$rule['enabled'] = "on";
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
$rule = array();
@@ -1502,6 +1504,7 @@ function apply_all_choosen_items() {
$rule['floating'] = "yes";
$rule['wizard'] = "yes";
$rule['enabled'] = "on";
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
} elseif( $config['ezshaper']['step3']['provider'] == "Generic" ) {
@@ -1518,6 +1521,7 @@ function apply_all_choosen_items() {
$rule['floating'] = "yes";
$rule['wizard'] = "yes";
$rule['enabled'] = "on";
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
} else {
@@ -1536,6 +1540,7 @@ function apply_all_choosen_items() {
$rule['destination']['port'] = $voip[2]."-".$voip[3];
if($voip[1] != '')
$rule['protocol'] = $voip[1];
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
}
}
@@ -1559,6 +1564,7 @@ function apply_all_choosen_items() {
$rule['destination']['port'] = $p2pclient[2]."-".$p2pclient[3];
if($p2pclient[1] != '')
$rule['protocol'] = $p2pclient[1];
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
}
}
@@ -1585,6 +1591,7 @@ function apply_all_choosen_items() {
$rule['destination']['port'] = $Gameclient[2]."-".$Gameclient[3];
if($Gameclient[1] != '')
$rule['protocol'] = $Gameclient[1];
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
}
}
@@ -1637,7 +1644,7 @@ function apply_all_choosen_items() {
}
if($otherclient[1] != '')
$rule['protocol'] = $otherclient[1];
-
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
}
}
diff --git a/usr/local/www/wizards/traffic_shaper_wizard_multi_lan.inc b/usr/local/www/wizards/traffic_shaper_wizard_multi_lan.inc
index 95a4d94..8f53d60 100644
--- a/usr/local/www/wizards/traffic_shaper_wizard_multi_lan.inc
+++ b/usr/local/www/wizards/traffic_shaper_wizard_multi_lan.inc
@@ -1210,6 +1210,7 @@ function apply_all_choosen_items() {
$rule['floating'] = "yes";
$rule['wizard'] = "yes";
$rule['enabled'] = "on";
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
}
@@ -1230,6 +1231,7 @@ function apply_all_choosen_items() {
$rule['floating'] = "yes";
$rule['wizard'] = "yes";
$rule['enabled'] = "on";
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
$rule = array();
@@ -1243,6 +1245,7 @@ function apply_all_choosen_items() {
$rule['floating'] = "yes";
$rule['wizard'] = "yes";
$rule['enabled'] = "on";
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
} elseif( $config['ezshaper']['step3']['provider'] == "Generic" ) {
@@ -1259,6 +1262,7 @@ function apply_all_choosen_items() {
$rule['floating'] = "yes";
$rule['wizard'] = "yes";
$rule['enabled'] = "on";
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
} else {
@@ -1277,6 +1281,7 @@ function apply_all_choosen_items() {
$rule['destination']['port'] = $voip[2]."-".$voip[3];
if($voip[1] != '')
$rule['protocol'] = $voip[1];
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
}
}
@@ -1300,6 +1305,7 @@ function apply_all_choosen_items() {
$rule['destination']['port'] = $p2pclient[2]."-".$p2pclient[3];
if($p2pclient[1] != '')
$rule['protocol'] = $p2pclient[1];
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
}
}
@@ -1326,6 +1332,7 @@ function apply_all_choosen_items() {
$rule['destination']['port'] = $Gameclient[2]."-".$Gameclient[3];
if($Gameclient[1] != '')
$rule['protocol'] = $Gameclient[1];
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
$config['filter']['rule'][] = $rule;
}
}
@@ -1378,8 +1385,8 @@ function apply_all_choosen_items() {
}
if($otherclient[1] != '')
$rule['protocol'] = $otherclient[1];
-
- $config['filter']['rule'][] = $rule;
+ $rule['created'] = make_config_revision_entry(null, gettext("Traffic Shaper Wizard"));
+ $config['filter']['rule'][] = $rule;
}
}
}