author | Jim P <jim@pingle.org> | 2012-09-10 11:45:17 -0700 |
---|---|---|
committer | Jim P <jim@pingle.org> | 2012-09-10 11:45:17 -0700 |
commit | 2643df8d7848eefc0bb47c8c1efb7949730eac68 (patch) | |
tree | eddac2c8ec4a29dd9836808466386427d8e8d2c9 | |
parent | 18be4037b5c648fbde4afe4bbfe259b89319c2ce (diff) | |
parent | 32f8552e8a3fc10ef8dec0f325189e4fcc295fcf (diff) | |
Merge pull request #220 from PiBa-NL/master
Firewall log: allow showing the applied rule's description, controlled by an optional setting
-rw-r--r-- | etc/inc/filter.inc | 8 | ||||
-rw-r--r-- | etc/inc/filter_log.inc | 34 | ||||
-rwxr-xr-x | usr/local/www/diag_logs_filter.php | 92 | ||||
-rwxr-xr-x | usr/local/www/diag_logs_settings.php | 18 | ||||
-rw-r--r-- | usr/local/www/javascript/filter_log.js | 12 | ||||
-rw-r--r-- | usr/local/www/themes/pfsense_ng/all.css | 4 |
6 files changed, 132 insertions, 36 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 0b2b883..a3cb67a 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2432,7 +2432,7 @@ block quick from any to <snort2c> label "Block snort2c hosts"
 EOD;
- $ipfrules .= filter_process_carp_rules();
+ $ipfrules .= filter_process_carp_rules($log);
 $ipfrules .= "\n# SSH lockout\n";
 if(is_array($config['system']['ssh']) && !empty($config['system']['ssh']['port'])) {
@@ -3157,17 +3157,17 @@ function filter_process_carp_nat_rules() {
 return $lines;
 }
-function filter_process_carp_rules() {
+function filter_process_carp_rules($log) {
 global $g, $config;
 if(isset($config['system']['developerspew'])) {
 $mt = microtime();
- echo "filter_process_carp_rules() being called $mt\n";
+ echo "filter_process_carp_rules($log) being called $mt\n";
 }
 $lines = "";
 /* return if there are no carp configured items */
 if (!empty($config['hasync']) or !empty($config['virtualip']['vip'])) {
- $lines .= "block in log quick proto carp from (self) to any\n";
+ $lines .= "block in $log quick proto carp from (self) to any\n";
 $lines .= "pass quick proto carp\n";
 $lines .= "pass quick proto pfsync\n";
 }
diff --git a/etc/inc/filter_log.inc b/etc/inc/filter_log.inc
index 3a75f30..2bfc895 100644
--- a/etc/inc/filter_log.inc
+++ b/etc/inc/filter_log.inc
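Review bot: `filter_process_carp_rules($log)` gains a required parameter with no default, and the only call site updated is the one in the first hunk; where `$log` is assigned lies outside both hunks, so any other caller, or a path on which `$log` is unset, now emits `block in  quick proto carp from (self) to any` and silently loses the logging this rule had before. A default that keeps the previous behaviour is one token, `function filter_process_carp_rules($log = "log") {`, and a one-line comment above the function should say that `$log` is spliced verbatim into a pf rule and is presumably either `log` or empty. The function containing the first hunk starts and ends outside it.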
@@ -226,6 +226,40 @@ function find_rule_by_number($rulenum, $type="rules") {
 return `pfctl -vvsr | grep '^@{$rulenum} '`;
 }
+function buffer_rules_load() {
+ global $buffer_rules_rdr, $buffer_rules_normal;
+ $buffer = explode("\n",`pfctl -vvsn -a "miniupnpd" | grep '^@'`);
+ foreach ($buffer as $line) {
+ list($key, $value) = explode (" ", $line, 2);
+ $buffer_rules_rdr[$key] = $value;
+ }
+ $buffer = explode("\n",`pfctl -vvsr | grep '^@'`);
+ foreach ($buffer as $line) {
+ list($key, $value) = explode (" ", $line, 2);
+ $buffer_rules_normal[$key] = $value;
+ }
+}
+
+function buffer_rules_clear() {
+ unset($GLOBALS['buffer_rules_normal']);
+ unset($GLOBALS['buffer_rules_rdr']);
+}
+
+function find_rule_by_number_buffer($rulenum, $type){
+ global $g, $buffer_rules_rdr, $buffer_rules_normal;
+
+ if ($type == "rdr") {
+ $ruleString = $buffer_rules_rdr["@".$rulenum];
+ //TODO: get the correct 'description' part of a RDR log line. currently just first 30 characters..
+ $rulename = substr($ruleString,0,30);
+ } else {
+ $ruleString = $buffer_rules_normal["@".$rulenum];
+ list(,$rulename,) = explode("\"",$ruleString);
+ $rulename = str_replace("USER_RULE: ",'<img src="/themes/'.$g['theme'].'/images/icons/icon_frmfld_user.png" width="11" height="12" title="USER_RULE" alt="USER_RULE"/> ',$rulename);
+ }
+ return "@".$rulenum." ".$rulename;
+}
+
 function find_action_image($action) {
 global $g;
 if ((strstr(strtolower($action), "p")) || (strtolower($action) == "rdr"))
diff --git a/usr/local/www/diag_logs_filter.php b/usr/local/www/diag_logs_filter.php
index 951de95..ce076ab 100755
--- a/usr/local/www/diag_logs_filter.php
+++ b/usr/local/www/diag_logs_filter.php
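Review bot: `find_rule_by_number_buffer` returns label text lifted straight from `pfctl -vvsr` output, which — judging by the `USER_RULE: ` prefix the code strips — carries the rule description entered in the GUI, and both new callers in diag_logs_filter.php (the `echo("<td ...>".find_rule_by_number_buffer(...)` column cell and the second-row `<?=find_rule_by_number_buffer(...)?>`) print it without `htmlspecialchars`, so markup in a description is rendered as-is in the log page. Escape `$rulename` before the icon `<img>` is spliced in by `str_replace`, and in the `rdr` branch as well, so the return value is safe HTML for every caller. The lookups also assume the key exists: a log line whose rule number is no longer in the loaded ruleset makes `$buffer_rules_normal["@".$rulenum]` an undefined index and `list(,$rulename,)` an undefined offset, so guard with `isset` and fall back to the bare `@N`. `$type == "rdr"` should be `===`, matching the strict `=== "1"` / `=== "2"` tests the callers use.
```php
function find_rule_by_number_buffer($rulenum, $type){
	global $g, $buffer_rules_rdr, $buffer_rules_normal;

	$key = "@".$rulenum;
	if ($type === "rdr") {
		if (!isset($buffer_rules_rdr[$key]))
			return $key;
		//TODO: get the correct 'description' part of a RDR log line. currently just first 30 characters..
		return $key." ".htmlspecialchars(substr($buffer_rules_rdr[$key],0,30));
	}
	if (!isset($buffer_rules_normal[$key]))
		return $key;
	/* the label is the first quoted segment; escape it before the icon markup is spliced in */
	$parts = explode("\"",$buffer_rules_normal[$key]);
	$rulename = htmlspecialchars(isset($parts[1]) ? $parts[1] : '');
	$rulename = str_replace("USER_RULE: ",'<img src="/themes/'.$g['theme'].'/images/icons/icon_frmfld_user.png" width="11" height="12" title="USER_RULE" alt="USER_RULE"/> ',$rulename);
	return $key." ".$rulename;
}
```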
@@ -118,47 +118,63 @@ include("head.inc"); <div id="mainarea"> <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> - <td colspan="3" align="left" valign="middle"> + <td colspan="<?=(!isset($config['syslog']['rawfilter']))?7:2?>" align="left" valign="middle"> + <div style="float: right; vertical-align:middle"> + <form id="filterform" name="filterform" action="diag_logs_filter.php" method="post"> + <input id="filtertext" name="filtertext" class="formfld search" style="vertical-align:top;" value="<?=gettext($filtertext);?>" /> + <input id="filtersubmit" name="filtersubmit" type="submit" class="formbtn" style="vertical-align:top;" value="<?=gettext("Filter");?>" /> + </form> + <br/> + </div> + <div style="float: left;"> <?=gettext("Normal View");?> | <a href="diag_logs_filter_dynamic.php"><?=gettext("Dynamic View");?></a> | <a href="diag_logs_filter_summary.php"><?=gettext("Summary View");?></a> <br/><br/> - </td> - <td colspan="3" align="right" valign="middle"> - <form id="filterform" name="filterform" action="diag_logs_filter.php" method="post" style="margin-top: 14px;"> - <input id="filtertext" name="filtertext" class="formfld search" value="<?=gettext($filtertext);?>" /> - <input id="filtersubmit" name="filtersubmit" type="submit" class="formbtn" value="<?=gettext("Filter");?>" /> - <br/><br/> - </form> + <?php if (isset($config['syslog']['filterdescriptions']) && $config['syslog']['filterdescriptions'] === "2"):?> + <a href="#" onclick="showRuleDescriptions()">Show/hide rule descriptions</a> + <?php endif;?> + <br/> + </div> </td> </tr> <?php if (!isset($config['syslog']['rawfilter'])): $filterlog = conv_log_filter($filter_logfile, $nentries, $nentries + 100, $filtertext); ?> - <tr> - <td colspan="6" class="listtopic"> - <?php if (!$filtertext) { ?> - <?php printf(gettext("Last %s firewall log entries."),count($filterlog));?> - <?php } else { ?> - <?php echo count($filterlog). ' ' . 
gettext("matched log entries."); ?> - <?php } ?> - <?php printf(gettext("Max(%s)"),$nentries);?> + <tr> + <td colspan="<?=$config['syslog']['filterdescriptions']==="1"?7:6?>" class="listtopic"> + <?php if (!$filtertext) + printf(gettext("Last %s firewall log entries."),count($filterlog)); + else + echo count($filterlog). ' ' . gettext("matched log entries."); + printf(gettext("Max(%s)"),$nentries);?> + </td> </tr> <tr> <td width="10%" class="listhdrr"><?=gettext("Act");?></td> <td width="10%" class="listhdrr"><?=gettext("Time");?></td> <td width="15%" class="listhdrr"><?=gettext("If");?></td> + <?php if ($config['syslog']['filterdescriptions'] === "1"):?> + <td width="10%" class="listhdrr"><?=gettext("Rule");?></td> + <?php endif;?> <td width="25%" class="listhdrr"><?=gettext("Source");?></td> <td width="25%" class="listhdrr"><?=gettext("Destination");?></td> <td width="15%" class="listhdrr"><?=gettext("Proto");?></td> - </tr><?php foreach ($filterlog as $filterent): ?> + </tr> + <?php + if ($config['syslog']['filterdescriptions']) + buffer_rules_load(); + foreach ($filterlog as $filterent): ?> <tr> - <td class="listlr" nowrap align="middle"> + <td class="listlr" nowrap="nowrap" align="center"> <center> - <a href="#" onClick="javascript:getURL('diag_logs_filter.php?getrulenum=<?php echo "{$filterent['rulenum']},{$filterent['act']}"; ?>', outputrule);"> - <img border="0" src="<?php echo find_action_image($filterent['act']);?>" width="11" height="11" align="absmiddle" alt="<?php echo $filterent['act'];?>" title="<?php echo $filterent['act'];?>" /> - <?php if ($filterent['count']) echo $filterent['count'];?></td> - <td class="listr" nowrap><?php echo htmlspecialchars($filterent['time']);?></td> - <td class="listr" nowrap><?php echo htmlspecialchars($filterent['interface']);?></td> - <?php + <a href="#" onclick="javascript:getURL('diag_logs_filter.php?getrulenum=<?php echo "{$filterent['rulenum']},{$filterent['act']}"; ?>', outputrule);"> + <img border="0" src="<?php 
echo find_action_image($filterent['act']);?>" width="11" height="11" align="middle" alt="<?php echo $filterent['act'];?>" title="<?php echo $filterent['act'];?>" /> + <?php if ($filterent['count']) echo $filterent['count'];?></a></center></td> + <td class="listr" nowrap="nowrap"><?php echo htmlspecialchars($filterent['time']);?></td> + <td class="listr" nowrap="nowrap"><?php echo htmlspecialchars($filterent['interface']);?></td> + <?php + if ($config['syslog']['filterdescriptions'] === "1") + echo("<td class=\"listr\" nowrap=\"nowrap\">".find_rule_by_number_buffer($filterent['rulenum'],$filterent['act'])."</td>"); + $int = strtolower($filterent['interface']); $proto = strtolower($filterent['proto']); if(is_ipaddrv6($filterent['srcip'])) { 
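Review bot: The new `$config['syslog']['filterdescriptions'] === "1"` tests on the `listtopic` colspan, the `Rule` header cell and the per-entry `echo("<td ...` cell read the key without `isset`, while the `Show/hide rule descriptions` link a few lines above guards it with `isset(...) &&`; the settings page `unset`s this key for the default option, so a stock configuration logs an undefined-index notice on each render. Read it once at the top of the block, `$filterdescriptions = isset($config['syslog']['filterdescriptions']) ? $config['syslog']['filterdescriptions'] : "";`, and compare that local everywhere, including the `if ($config['syslog']['filterdescriptions']) buffer_rules_load();` guard. The `Show/hide rule descriptions` link text is the only label in this hunk not wrapped in `gettext()`. The `foreach ($filterlog as $filterent)` opened here is closed in the next hunk.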
@@ -172,22 +188,34 @@ include("head.inc"); $srcstr = $filterent['srcip'] . get_port_with_service($filterent['srcport'], $proto); $dststr = $filterent['dstip'] . get_port_with_service($filterent['dstport'], $proto); ?> - <td class="listr" nowrap> - <a href="diag_dns.php?host=<?php echo $filterent['srcip']; ?>" title="<?=gettext("Reverse Resolve with DNS");?>"><img border="0" src="/themes/<?= $g['theme']; ?>/images/icons/icon_log.gif"></a> - <a href="easyrule.php?<?php echo "action=block&int={$int}&src={$filterent['srcip']}&ipproto={$ipproto}"; ?>" title="<?=gettext("Easy Rule: Add to Block List");?>" onclick="return confirm('<?=gettext("Do you really want to add this BLOCK rule?")."\n\n".gettext("Easy Rule is still experimental.")."\n".gettext("Continue at risk of your own peril.")."\n".gettext("Backups are also nice.")?>')"><img border="0" src="/themes/<?= $g['theme']; ?>/images/icons/icon_block_add.gif"></a> + <td class="listr" nowrap="nowrap"> + <a href="diag_dns.php?host=<?php echo $filterent['srcip']; ?>" title="<?=gettext("Reverse Resolve with DNS");?>"> + <img border="0" src="/themes/<?= $g['theme']; ?>/images/icons/icon_log.gif" alt="Icon Reverse Resolve with DNS"/></a> + <a href="easyrule.php?<?php echo "action=block&int={$int}&src={$filterent['srcip']}&ipproto={$ipproto}"; ?>" title="<?=gettext("Easy Rule: Add to Block List");?>" onclick="return confirm('<?=gettext("Do you really want to add this BLOCK rule?")."\n\n".gettext("Easy Rule is still experimental.")."\n".gettext("Continue at risk of your own peril.")."\n".gettext("Backups are also nice.")?>')"> + <img border="0" src="/themes/<?= $g['theme']; ?>/images/icons/icon_block_add.gif" alt="Icon Easy Rule: Add to Block List" /></a> <?php echo $srcstr;?> </td> - <td class="listr" nowrap> - <a href="diag_dns.php?host=<?php echo $filterent['dstip']; ?>" title="<?=gettext("Reverse Resolve with DNS");?>"><img border="0" src="/themes/<?= $g['theme']; ?>/images/icons/icon_log.gif"></a> - <a 
href="easyrule.php?<?php echo "action=pass&int={$int}&proto={$proto}&src={$filterent['srcip']}&dst={$filterent['dstip']}&dstport={$filterent['dstport']}&ipproto={$ipproto}"; ?>" title="<?=gettext("Easy Rule: Pass this traffic");?>" onclick="return confirm('<?=gettext("Do you really want to add this PASS rule?")."\n\n".gettext("Easy Rule is still experimental.")."\n".gettext("Continue at risk of your own peril.")."\n".gettext("Backups are also nice.");?>')"><img border="0" src="/themes/<?= $g['theme']; ?>/images/icons/icon_pass_add.gif"></a> + <td class="listr" nowrap="nowrap"> + <a href="diag_dns.php?host=<?php echo $filterent['dstip']; ?>" title="<?=gettext("Reverse Resolve with DNS");?>"> + <img border="0" src="/themes/<?= $g['theme']; ?>/images/icons/icon_log.gif" alt="Icon Reverse Resolve with DNS" /></a> + <a href="easyrule.php?<?php echo "action=pass&int={$int}&proto={$proto}&src={$filterent['srcip']}&dst={$filterent['dstip']}&dstport={$filterent['dstport']}&ipproto={$ipproto}"; ?>" title="<?=gettext("Easy Rule: Pass this traffic");?>" onclick="return confirm('<?=gettext("Do you really want to add this PASS rule?")."\n\n".gettext("Easy Rule is still experimental.")."\n".gettext("Continue at risk of your own peril.")."\n".gettext("Backups are also nice.");?>')"> + <img border="0" src="/themes/<?= $g['theme']; ?>/images/icons/icon_pass_add.gif" alt="Icon Easy Rule: Pass this traffic" /></a> <?php echo $dststr;?> </td> <?php if ($filterent['proto'] == "TCP") $filterent['proto'] .= ":{$filterent['tcpflags']}"; ?> - <td class="listr" nowrap><?php echo htmlspecialchars($filterent['proto']);?></td> - </tr><?php endforeach; ?> + <td class="listr" nowrap="nowrap"><?php echo htmlspecialchars($filterent['proto']);?></td> + </tr> + <?php if (isset($config['syslog']['filterdescriptions']) && $config['syslog']['filterdescriptions'] === "2"):?> + <tr> + <td colspan="2" class="listFirewall listlr" /> + <td class="listFirewall listr" colspan="4" 
nowrap="nowrap"><?=find_rule_by_number_buffer($filterent['rulenum'],$filterent['act']);?></td> + </tr> + <?php endif; + endforeach; + buffer_rules_clear(); ?> <?php else: ?> <tr> <td colspan="2" class="listtopic"> diff --git a/usr/local/www/diag_logs_settings.php b/usr/local/www/diag_logs_settings.php index 23c4754..42cf79e 100755 --- a/usr/local/www/diag_logs_settings.php +++ b/usr/local/www/diag_logs_settings.php @@ -64,6 +64,7 @@ $pconfig['system'] = isset($config['syslog']['system']); $pconfig['enable'] = isset($config['syslog']['enable']); $pconfig['logdefaultblock'] = !isset($config['syslog']['nologdefaultblock']); $pconfig['rawfilter'] = isset($config['syslog']['rawfilter']); +$pconfig['filterdescriptions'] = $config['syslog']['filterdescriptions']; $pconfig['disablelocallogging'] = isset($config['syslog']['disablelocallogging']); if (!$pconfig['nentries']) @@ -116,6 +117,10 @@ if ($_POST) { $oldnologdefaultblock = isset($config['syslog']['nologdefaultblock']); $config['syslog']['nologdefaultblock'] = $_POST['logdefaultblock'] ? false : true; $config['syslog']['rawfilter'] = $_POST['rawfilter'] ? true : false; + if (is_numeric($_POST['filterdescriptions']) && $_POST['filterdescriptions'] > 0) + $config['syslog']['filterdescriptions'] = $_POST['filterdescriptions']; + else + unset($config['syslog']['filterdescriptions']); if($config['syslog']['enable'] == false) { unset($config['syslog']['remoteserver']); unset($config['syslog']['remoteserver2']); 
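Review bot: `<td colspan="2" class="listFirewall listlr" />` in the new description row is a self-closing `td`; HTML parsers treat it as an opening tag, so the description cell that follows is nested inside it and the two-cell row the `colspan` values describe is not what the browser builds. Write it out as `<td colspan="2" class="listFirewall listlr"></td>`. The `foreach` that `endforeach;` closes here is opened in the previous hunk.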
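Review bot: `$pconfig['filterdescriptions'] = $config['syslog']['filterdescriptions'];` reads the key unconditionally while the POST handler below `unset`s it for the default option, so the settings page raises an undefined-index notice whenever descriptions are off; every neighbouring `$pconfig` line goes through `isset()`. Use `$pconfig['filterdescriptions'] = isset($config['syslog']['filterdescriptions']) ? $config['syslog']['filterdescriptions'] : null;`, which keeps the `!isset($pconfig['filterdescriptions'])` test on the form's first option working.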
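Review bot: The guard `is_numeric($_POST['filterdescriptions']) && $_POST['filterdescriptions'] > 0` stores any positive numeric string (`"3"`, `"1.5"`, `"1e2"`) in the config, but the log page only recognises `"1"` and `"2"` with strict comparisons and still calls `buffer_rules_load()` for every truthy value, so an unexpected value costs two `pfctl` invocations per page view and displays nothing. Whitelist the two values the form offers instead: `if (isset($_POST['filterdescriptions']) && in_array($_POST['filterdescriptions'], array("1", "2"), true))`. The surrounding `if ($_POST)` block starts and ends outside the hunk.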
@@ -261,6 +266,19 @@ function check_everything() { <?=gettext("Hint: If this is checked, filter logs are shown as generated by the packet filter, without any formatting. This will reveal more detailed information, but it is more difficult to read.");?></td> </tr> <tr> + <td valign="top" class="vtable">Filter descriptions</td> + <td class="vtable"> + <select name="filterdescriptions" id="filterdescriptions" > + <option value="0"<?=!isset($pconfig['filterdescriptions'])?" selected":""?>>Dont load descriptions</option> + <option value="1"<?=($pconfig['filterdescriptions'])==="1"?" selected":""?>>Display as column</option> + <option value="2"<?=($pconfig['filterdescriptions'])==="2"?" selected":""?>>Display as second row</option> + </select> + <strong><?=gettext("Show the applied rule description below or in the firewall log rows.");?></strong> + <br/> + <?=gettext("Displaying rule descriptions for all lines in the log might affect performance with large rulessets.");?></td> + </td> + </tr> + <tr> <td width="22%" valign="top" class="vtable">Local Logging</td> <td width="78%" class="vtable"> <input name="disablelocallogging" type="checkbox" id="disablelocallogging" value="yes" <?php if ($pconfig['disablelocallogging']) echo "checked"; ?> onClick="enable_change(false)"> <?php if ($g['platform'] == "pfSense"): ?> diff --git a/usr/local/www/javascript/filter_log.js b/usr/local/www/javascript/filter_log.js index 1259afb..1acb5c2 100644 --- a/usr/local/www/javascript/filter_log.js +++ b/usr/local/www/javascript/filter_log.js 
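Review bot: The new row closes its second cell twice — the `...large rulessets.");?></td>` line is followed by a stray `+ </td>` — leaving the table markup malformed; drop the second `</td>`. The visible strings `Filter descriptions`, `Dont load descriptions`, `Display as column` and `Display as second row` are the only labels in this form not passed through `gettext()`, and the text has two typos, `Dont` → `Don't` in the first option and `rulessets` → `rulesets` in the hint. The `<table>` this row belongs to starts and ends outside the hunk.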
@@ -120,3 +120,15 @@ function toggle_pause() {
 if (typeof updateDelay != 'undefined') {
 timer = setInterval('fetch_new_rules()', updateDelay);
 }
+
+function showRuleDescriptions(){
+ var ss = document.styleSheets;
+ for (var i=0; i<ss.length; i++) {
+ var rules = ss[i].cssRules || ss[i].rules;
+ for (var j=0; j<rules.length; j++) {
+ if (rules[j].selectorText === ".listFirewall") {
+ rules[j].style.display = rules[j].style.display === "none" ? "table-cell" : "none";
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/usr/local/www/themes/pfsense_ng/all.css b/usr/local/www/themes/pfsense_ng/all.css
index 3452c72..cdb9b9a 100644
--- a/usr/local/www/themes/pfsense_ng/all.css
+++ b/usr/local/www/themes/pfsense_ng/all.css
@@ -920,6 +920,10 @@ ul#wzdnav a:active {
 padding-top: 4px;
 padding-bottom: 4px;
 }
+.listFirewall {
+ border-bottom: 2px solid #999999;
+ display:none;
+}
 .listlrns {
 background-color: #FFFFFF;
 border-right: 1px solid #999999;
|
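Review bot: `var rules = ss[i].cssRules || ss[i].rules;` can be `null` (or, in current browsers, throw a `SecurityError` on the `cssRules` access) for a stylesheet served from another origin, and `rules.length` on the next line then throws and aborts the toggle for every sheet after it; the theme sheets here are same-origin, so this is mainly a robustness point, but `if (!rules) continue;` before the inner loop is cheap. The file now ends without a trailing newline (`\ No newline at end of file`), which the previous revision had.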