authorJim P <jim@pingle.org>2012-09-10 11:45:17 -0700
committerJim P <jim@pingle.org>2012-09-10 11:45:17 -0700
commit2643df8d7848eefc0bb47c8c1efb7949730eac68 (patch)
treeeddac2c8ec4a29dd9836808466386427d8e8d2c9
parent18be4037b5c648fbde4afe4bbfe259b89319c2ce (diff)
parent32f8552e8a3fc10ef8dec0f325189e4fcc295fcf (diff)
downloadpfsense-2643df8d7848eefc0bb47c8c1efb7949730eac68.zip
pfsense-2643df8d7848eefc0bb47c8c1efb7949730eac68.tar.gz
Merge pull request #220 from PiBa-NL/master
Firewall log: allow showing the applied rule description via an optional setting
-rw-r--r--etc/inc/filter.inc8
-rw-r--r--etc/inc/filter_log.inc34
-rwxr-xr-xusr/local/www/diag_logs_filter.php92
-rwxr-xr-xusr/local/www/diag_logs_settings.php18
-rw-r--r--usr/local/www/javascript/filter_log.js12
-rw-r--r--usr/local/www/themes/pfsense_ng/all.css4
6 files changed, 132 insertions, 36 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 0b2b883..a3cb67a 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2432,7 +2432,7 @@ block quick from any to <snort2c> label "Block snort2c hosts"
EOD;
- $ipfrules .= filter_process_carp_rules();
+ $ipfrules .= filter_process_carp_rules($log);
$ipfrules .= "\n# SSH lockout\n";
if(is_array($config['system']['ssh']) && !empty($config['system']['ssh']['port'])) {
@@ -3157,17 +3157,17 @@ function filter_process_carp_nat_rules() {
return $lines;
}
-function filter_process_carp_rules() {
+function filter_process_carp_rules($log) {
global $g, $config;
if(isset($config['system']['developerspew'])) {
$mt = microtime();
- echo "filter_process_carp_rules() being called $mt\n";
+ echo "filter_process_carp_rules($log) being called $mt\n";
}
$lines = "";
/* return if there are no carp configured items */
if (!empty($config['hasync']) or !empty($config['virtualip']['vip'])) {
- $lines .= "block in log quick proto carp from (self) to any\n";
+ $lines .= "block in $log quick proto carp from (self) to any\n";
$lines .= "pass quick proto carp\n";
$lines .= "pass quick proto pfsync\n";
}
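Review bot: `$log` is spliced verbatim into the pf rule at `$lines .= "block in $log quick proto carp from (self) to any\n";`, and nothing in filter_process_carp_rules documents or checks what the caller may pass; the assignment that feeds the call added in the first hunk is outside this diff. A one-line comment on the signature would pin the contract, e.g. `/* $log: the pf "log" keyword or "" — presumably derived from the default-block logging setting, to be confirmed at the caller */`, and a guard such as `$log = ($log == "log") ? "log" : "";` would keep an unexpected value from breaking the load of the whole ruleset rather than only this rule. The debug line `echo "filter_process_carp_rules($log) being called $mt\n";` now prints the value in place of the parameter name, which reads oddly when $log is empty; `filter_process_carp_rules(log=$log)` would be unambiguous. The function's return is outside the hunk.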
diff --git a/etc/inc/filter_log.inc b/etc/inc/filter_log.inc
index 3a75f30..2bfc895 100644
--- a/etc/inc/filter_log.inc
+++ b/etc/inc/filter_log.inc
@@ -226,6 +226,40 @@ function find_rule_by_number($rulenum, $type="rules") {
return `pfctl -vvsr | grep '^@{$rulenum} '`;
}
+function buffer_rules_load() {
+ global $buffer_rules_rdr, $buffer_rules_normal;
+ $buffer = explode("\n",`pfctl -vvsn -a "miniupnpd" | grep '^@'`);
+ foreach ($buffer as $line) {
+ list($key, $value) = explode (" ", $line, 2);
+ $buffer_rules_rdr[$key] = $value;
+ }
+ $buffer = explode("\n",`pfctl -vvsr | grep '^@'`);
+ foreach ($buffer as $line) {
+ list($key, $value) = explode (" ", $line, 2);
+ $buffer_rules_normal[$key] = $value;
+ }
+}
+
+function buffer_rules_clear() {
+ unset($GLOBALS['buffer_rules_normal']);
+ unset($GLOBALS['buffer_rules_rdr']);
+}
+
+function find_rule_by_number_buffer($rulenum, $type){
+ global $g, $buffer_rules_rdr, $buffer_rules_normal;
+
+ if ($type == "rdr") {
+ $ruleString = $buffer_rules_rdr["@".$rulenum];
+ //TODO: get the correct 'description' part of a RDR log line. currently just first 30 characters..
+ $rulename = substr($ruleString,0,30);
+ } else {
+ $ruleString = $buffer_rules_normal["@".$rulenum];
+ list(,$rulename,) = explode("\"",$ruleString);
+ $rulename = str_replace("USER_RULE: ",'<img src="/themes/'.$g['theme'].'/images/icons/icon_frmfld_user.png" width="11" height="12" title="USER_RULE" alt="USER_RULE"/> ',$rulename);
+ }
+ return "@".$rulenum." ".$rulename;
+}
+
function find_action_image($action) {
global $g;
if ((strstr(strtolower($action), "p")) || (strtolower($action) == "rdr"))
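Review bot: find_rule_by_number_buffer() returns `$rulename` as HTML without escaping, and that text is the quoted label of the `pfctl -vvsr` line (or the first 30 bytes of the rdr line), which originates in the rule description an administrator typed; diag_logs_filter.php prints the return value straight into a table cell, so any markup in a description is rendered as markup on the log page. Escape before the image tag is spliced in: `$rulename = htmlspecialchars(substr($ruleString,0,30));` in the rdr branch and `$rulename = htmlspecialchars($rulename);` right after the `list(,$rulename,) = explode("\"",$ruleString);` line. The lookups `$buffer_rules_rdr["@".$rulenum]` and `$buffer_rules_normal["@".$rulenum]` index without isset, and `list()` over an explode() that found no quote or no space is short, so a rule number that is no longer in the loaded ruleset emits PHP notices into the page; an `isset` guard that returns just `"@".$rulenum` would cover that. buffer_rules_load() has the same `list()` problem on empty pfctl output, because `explode("\n", "")` yields one empty element.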
diff --git a/usr/local/www/diag_logs_filter.php b/usr/local/www/diag_logs_filter.php
index 951de95..ce076ab 100755
--- a/usr/local/www/diag_logs_filter.php
+++ b/usr/local/www/diag_logs_filter.php
@@ -118,47 +118,63 @@ include("head.inc");
<div id="mainarea">
<table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
- <td colspan="3" align="left" valign="middle">
+ <td colspan="<?=(!isset($config['syslog']['rawfilter']))?7:2?>" align="left" valign="middle">
+ <div style="float: right; vertical-align:middle">
+ <form id="filterform" name="filterform" action="diag_logs_filter.php" method="post">
+ <input id="filtertext" name="filtertext" class="formfld search" style="vertical-align:top;" value="<?=gettext($filtertext);?>" />
+ <input id="filtersubmit" name="filtersubmit" type="submit" class="formbtn" style="vertical-align:top;" value="<?=gettext("Filter");?>" />
+ </form>
+ <br/>
+ </div>
+ <div style="float: left;">
<?=gettext("Normal View");?> | <a href="diag_logs_filter_dynamic.php"><?=gettext("Dynamic View");?></a> | <a href="diag_logs_filter_summary.php"><?=gettext("Summary View");?></a>
<br/><br/>
- </td>
- <td colspan="3" align="right" valign="middle">
- <form id="filterform" name="filterform" action="diag_logs_filter.php" method="post" style="margin-top: 14px;">
- <input id="filtertext" name="filtertext" class="formfld search" value="<?=gettext($filtertext);?>" />
- <input id="filtersubmit" name="filtersubmit" type="submit" class="formbtn" value="<?=gettext("Filter");?>" />
- <br/><br/>
- </form>
+ <?php if (isset($config['syslog']['filterdescriptions']) && $config['syslog']['filterdescriptions'] === "2"):?>
+ <a href="#" onclick="showRuleDescriptions()">Show/hide rule descriptions</a>
+ <?php endif;?>
+ <br/>
+ </div>
</td>
</tr>
<?php if (!isset($config['syslog']['rawfilter'])):
$filterlog = conv_log_filter($filter_logfile, $nentries, $nentries + 100, $filtertext);
?>
- <tr>
- <td colspan="6" class="listtopic">
- <?php if (!$filtertext) { ?>
- <?php printf(gettext("Last %s firewall log entries."),count($filterlog));?>
- <?php } else { ?>
- <?php echo count($filterlog). ' ' . gettext("matched log entries."); ?>
- <?php } ?>
- <?php printf(gettext("Max(%s)"),$nentries);?>
+ <tr>
+ <td colspan="<?=$config['syslog']['filterdescriptions']==="1"?7:6?>" class="listtopic">
+ <?php if (!$filtertext)
+ printf(gettext("Last %s firewall log entries."),count($filterlog));
+ else
+ echo count($filterlog). ' ' . gettext("matched log entries.");
+ printf(gettext("Max(%s)"),$nentries);?>
+ </td>
</tr>
<tr>
<td width="10%" class="listhdrr"><?=gettext("Act");?></td>
<td width="10%" class="listhdrr"><?=gettext("Time");?></td>
<td width="15%" class="listhdrr"><?=gettext("If");?></td>
+ <?php if ($config['syslog']['filterdescriptions'] === "1"):?>
+ <td width="10%" class="listhdrr"><?=gettext("Rule");?></td>
+ <?php endif;?>
<td width="25%" class="listhdrr"><?=gettext("Source");?></td>
<td width="25%" class="listhdrr"><?=gettext("Destination");?></td>
<td width="15%" class="listhdrr"><?=gettext("Proto");?></td>
- </tr><?php foreach ($filterlog as $filterent): ?>
+ </tr>
+ <?php
+ if ($config['syslog']['filterdescriptions'])
+ buffer_rules_load();
+ foreach ($filterlog as $filterent): ?>
<tr>
- <td class="listlr" nowrap align="middle">
+ <td class="listlr" nowrap="nowrap" align="center">
<center>
- <a href="#" onClick="javascript:getURL('diag_logs_filter.php?getrulenum=<?php echo "{$filterent['rulenum']},{$filterent['act']}"; ?>', outputrule);">
- <img border="0" src="<?php echo find_action_image($filterent['act']);?>" width="11" height="11" align="absmiddle" alt="<?php echo $filterent['act'];?>" title="<?php echo $filterent['act'];?>" />
- <?php if ($filterent['count']) echo $filterent['count'];?></td>
- <td class="listr" nowrap><?php echo htmlspecialchars($filterent['time']);?></td>
- <td class="listr" nowrap><?php echo htmlspecialchars($filterent['interface']);?></td>
- <?php
+ <a href="#" onclick="javascript:getURL('diag_logs_filter.php?getrulenum=<?php echo "{$filterent['rulenum']},{$filterent['act']}"; ?>', outputrule);">
+ <img border="0" src="<?php echo find_action_image($filterent['act']);?>" width="11" height="11" align="middle" alt="<?php echo $filterent['act'];?>" title="<?php echo $filterent['act'];?>" />
+ <?php if ($filterent['count']) echo $filterent['count'];?></a></center></td>
+ <td class="listr" nowrap="nowrap"><?php echo htmlspecialchars($filterent['time']);?></td>
+ <td class="listr" nowrap="nowrap"><?php echo htmlspecialchars($filterent['interface']);?></td>
+ <?php
+ if ($config['syslog']['filterdescriptions'] === "1")
+ echo("<td class=\"listr\" nowrap=\"nowrap\">".find_rule_by_number_buffer($filterent['rulenum'],$filterent['act'])."</td>");
+
$int = strtolower($filterent['interface']);
$proto = strtolower($filterent['proto']);
if(is_ipaddrv6($filterent['srcip'])) {
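Review bot: The moved filter form at `value="<?=gettext($filtertext);?>"` echoes the filter text back into an attribute with no HTML escaping — gettext() translates, it does not escape — and that value is presumably what was submitted through this same form, so the line should read `value="<?=htmlspecialchars($filtertext);?>"`. The new reads at `colspan="<?=$config['syslog']['filterdescriptions']==="1"?7:6?>"`, the Rule header cell and `if ($config['syslog']['filterdescriptions'])` index the key without isset, unlike the `isset(...) && ... === "2"` test a few lines above, so an installation that never saved the new setting gets an undefined-index notice per access; reading it once into a local, `$filterdescriptions = isset($config['syslog']['filterdescriptions']) ? $config['syslog']['filterdescriptions'] : "";`, and testing that in all three places keeps them consistent. The `getrulenum=` onclick also interpolates `$filterent['rulenum']` and `$filterent['act']` into JavaScript unescaped, but that predates this change. The foreach opened here closes in the next hunk.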
@@ -172,22 +188,34 @@ include("head.inc");
$srcstr = $filterent['srcip'] . get_port_with_service($filterent['srcport'], $proto);
$dststr = $filterent['dstip'] . get_port_with_service($filterent['dstport'], $proto);
?>
- <td class="listr" nowrap>
- <a href="diag_dns.php?host=<?php echo $filterent['srcip']; ?>" title="<?=gettext("Reverse Resolve with DNS");?>"><img border="0" src="/themes/<?= $g['theme']; ?>/images/icons/icon_log.gif"></a>
- <a href="easyrule.php?<?php echo "action=block&int={$int}&src={$filterent['srcip']}&ipproto={$ipproto}"; ?>" title="<?=gettext("Easy Rule: Add to Block List");?>" onclick="return confirm('<?=gettext("Do you really want to add this BLOCK rule?")."\n\n".gettext("Easy Rule is still experimental.")."\n".gettext("Continue at risk of your own peril.")."\n".gettext("Backups are also nice.")?>')"><img border="0" src="/themes/<?= $g['theme']; ?>/images/icons/icon_block_add.gif"></a>
+ <td class="listr" nowrap="nowrap">
+ <a href="diag_dns.php?host=<?php echo $filterent['srcip']; ?>" title="<?=gettext("Reverse Resolve with DNS");?>">
+ <img border="0" src="/themes/<?= $g['theme']; ?>/images/icons/icon_log.gif" alt="Icon Reverse Resolve with DNS"/></a>
+ <a href="easyrule.php?<?php echo "action=block&amp;int={$int}&amp;src={$filterent['srcip']}&amp;ipproto={$ipproto}"; ?>" title="<?=gettext("Easy Rule: Add to Block List");?>" onclick="return confirm('<?=gettext("Do you really want to add this BLOCK rule?")."\n\n".gettext("Easy Rule is still experimental.")."\n".gettext("Continue at risk of your own peril.")."\n".gettext("Backups are also nice.")?>')">
+ <img border="0" src="/themes/<?= $g['theme']; ?>/images/icons/icon_block_add.gif" alt="Icon Easy Rule: Add to Block List" /></a>
<?php echo $srcstr;?>
</td>
- <td class="listr" nowrap>
- <a href="diag_dns.php?host=<?php echo $filterent['dstip']; ?>" title="<?=gettext("Reverse Resolve with DNS");?>"><img border="0" src="/themes/<?= $g['theme']; ?>/images/icons/icon_log.gif"></a>
- <a href="easyrule.php?<?php echo "action=pass&int={$int}&proto={$proto}&src={$filterent['srcip']}&dst={$filterent['dstip']}&dstport={$filterent['dstport']}&ipproto={$ipproto}"; ?>" title="<?=gettext("Easy Rule: Pass this traffic");?>" onclick="return confirm('<?=gettext("Do you really want to add this PASS rule?")."\n\n".gettext("Easy Rule is still experimental.")."\n".gettext("Continue at risk of your own peril.")."\n".gettext("Backups are also nice.");?>')"><img border="0" src="/themes/<?= $g['theme']; ?>/images/icons/icon_pass_add.gif"></a>
+ <td class="listr" nowrap="nowrap">
+ <a href="diag_dns.php?host=<?php echo $filterent['dstip']; ?>" title="<?=gettext("Reverse Resolve with DNS");?>">
+ <img border="0" src="/themes/<?= $g['theme']; ?>/images/icons/icon_log.gif" alt="Icon Reverse Resolve with DNS" /></a>
+ <a href="easyrule.php?<?php echo "action=pass&amp;int={$int}&amp;proto={$proto}&amp;src={$filterent['srcip']}&amp;dst={$filterent['dstip']}&amp;dstport={$filterent['dstport']}&amp;ipproto={$ipproto}"; ?>" title="<?=gettext("Easy Rule: Pass this traffic");?>" onclick="return confirm('<?=gettext("Do you really want to add this PASS rule?")."\n\n".gettext("Easy Rule is still experimental.")."\n".gettext("Continue at risk of your own peril.")."\n".gettext("Backups are also nice.");?>')">
+ <img border="0" src="/themes/<?= $g['theme']; ?>/images/icons/icon_pass_add.gif" alt="Icon Easy Rule: Pass this traffic" /></a>
<?php echo $dststr;?>
</td>
<?php
if ($filterent['proto'] == "TCP")
$filterent['proto'] .= ":{$filterent['tcpflags']}";
?>
- <td class="listr" nowrap><?php echo htmlspecialchars($filterent['proto']);?></td>
- </tr><?php endforeach; ?>
+ <td class="listr" nowrap="nowrap"><?php echo htmlspecialchars($filterent['proto']);?></td>
+ </tr>
+ <?php if (isset($config['syslog']['filterdescriptions']) && $config['syslog']['filterdescriptions'] === "2"):?>
+ <tr>
+ <td colspan="2" class="listFirewall listlr" />
+ <td class="listFirewall listr" colspan="4" nowrap="nowrap"><?=find_rule_by_number_buffer($filterent['rulenum'],$filterent['act']);?></td>
+ </tr>
+ <?php endif;
+ endforeach;
+ buffer_rules_clear(); ?>
<?php else: ?>
<tr>
<td colspan="2" class="listtopic">
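Review bot: `<td colspan="2" class="listFirewall listlr" />` self-closes a td, which HTML parsers treat as an opening tag (only void elements may self-close), so write it as `<td colspan="2" class="listFirewall listlr"></td>`. The description cell on the next line prints find_rule_by_number_buffer() unescaped; because that function embeds an img tag of its own, the escaping of the label text belongs inside it rather than around this call. The `endforeach` here closes the loop opened in the previous hunk, and buffer_rules_clear() runs in the same non-raw branch where buffer_rules_load() is called, which is consistent.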
diff --git a/usr/local/www/diag_logs_settings.php b/usr/local/www/diag_logs_settings.php
index 23c4754..42cf79e 100755
--- a/usr/local/www/diag_logs_settings.php
+++ b/usr/local/www/diag_logs_settings.php
@@ -64,6 +64,7 @@ $pconfig['system'] = isset($config['syslog']['system']);
$pconfig['enable'] = isset($config['syslog']['enable']);
$pconfig['logdefaultblock'] = !isset($config['syslog']['nologdefaultblock']);
$pconfig['rawfilter'] = isset($config['syslog']['rawfilter']);
+$pconfig['filterdescriptions'] = $config['syslog']['filterdescriptions'];
$pconfig['disablelocallogging'] = isset($config['syslog']['disablelocallogging']);
if (!$pconfig['nentries'])
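Review bot: `$pconfig['filterdescriptions'] = $config['syslog']['filterdescriptions'];` reads the key without isset, while every neighbouring line wraps its key in isset(); since the save path unsets the key for the "0" choice, the settings page emits an undefined-index notice for any config that has never enabled descriptions. `$pconfig['filterdescriptions'] = isset($config['syslog']['filterdescriptions']) ? $config['syslog']['filterdescriptions'] : null;` keeps the `!isset($pconfig['filterdescriptions'])` default branch of the select working.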
@@ -116,6 +117,10 @@ if ($_POST) {
$oldnologdefaultblock = isset($config['syslog']['nologdefaultblock']);
$config['syslog']['nologdefaultblock'] = $_POST['logdefaultblock'] ? false : true;
$config['syslog']['rawfilter'] = $_POST['rawfilter'] ? true : false;
+ if (is_numeric($_POST['filterdescriptions']) && $_POST['filterdescriptions'] > 0)
+ $config['syslog']['filterdescriptions'] = $_POST['filterdescriptions'];
+ else
+ unset($config['syslog']['filterdescriptions']);
if($config['syslog']['enable'] == false) {
unset($config['syslog']['remoteserver']);
unset($config['syslog']['remoteserver2']);
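Review bot: The validation `is_numeric($_POST['filterdescriptions']) && $_POST['filterdescriptions'] > 0` accepts any positive numeric string — "3", "1.0", "01" — and stores it as-is, while the readers in diag_logs_filter.php compare with `=== "1"` and `=== "2"`, so a value outside the two options passes the truthiness check that triggers buffer_rules_load() yet selects no display mode. Restrict the stored value to what the form offers, and guard the missing-field case: `if (isset($_POST['filterdescriptions']) && in_array($_POST['filterdescriptions'], array("1", "2"), true))`. The surrounding save block continues outside the hunk.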
@@ -261,6 +266,19 @@ function check_everything() {
<?=gettext("Hint: If this is checked, filter logs are shown as generated by the packet filter, without any formatting. This will reveal more detailed information, but it is more difficult to read.");?></td>
</tr>
<tr>
+ <td valign="top" class="vtable">Filter descriptions</td>
+ <td class="vtable">
+ <select name="filterdescriptions" id="filterdescriptions" >
+ <option value="0"<?=!isset($pconfig['filterdescriptions'])?" selected":""?>>Dont load descriptions</option>
+ <option value="1"<?=($pconfig['filterdescriptions'])==="1"?" selected":""?>>Display as column</option>
+ <option value="2"<?=($pconfig['filterdescriptions'])==="2"?" selected":""?>>Display as second row</option>
+ </select>
+ <strong><?=gettext("Show the applied rule description below or in the firewall log rows.");?></strong>
+ <br/>
+ <?=gettext("Displaying rule descriptions for all lines in the log might affect performance with large rulessets.");?></td>
+ </td>
+ </tr>
+ <tr>
<td width="22%" valign="top" class="vtable">Local Logging</td>
<td width="78%" class="vtable"> <input name="disablelocallogging" type="checkbox" id="disablelocallogging" value="yes" <?php if ($pconfig['disablelocallogging']) echo "checked"; ?> onClick="enable_change(false)">
<?php if ($g['platform'] == "pfSense"): ?>
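Review bot: The new row closes its second cell twice — the line ending `large rulessets.");?></td>` is followed by a stray `</td>` on a line of its own — so one of them should be removed. The strings "Filter descriptions", "Dont load descriptions", "Display as column" and "Display as second row" are not wrapped in gettext() unlike the hint text and the rest of the form, and "Dont" / "rulessets" are typos ("Don't", "rulesets"). The `selected` checks `($pconfig['filterdescriptions'])==="1"` rely on the stored value being a string, which holds for the save path in this commit but would silently select nothing if an integer is ever stored.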
diff --git a/usr/local/www/javascript/filter_log.js b/usr/local/www/javascript/filter_log.js
index 1259afb..1acb5c2 100644
--- a/usr/local/www/javascript/filter_log.js
+++ b/usr/local/www/javascript/filter_log.js
@@ -120,3 +120,15 @@ function toggle_pause() {
if (typeof updateDelay != 'undefined') {
timer = setInterval('fetch_new_rules()', updateDelay);
}
+
+function showRuleDescriptions(){
+ var ss = document.styleSheets;
+ for (var i=0; i<ss.length; i++) {
+ var rules = ss[i].cssRules || ss[i].rules;
+ for (var j=0; j<rules.length; j++) {
+ if (rules[j].selectorText === ".listFirewall") {
+ rules[j].style.display = rules[j].style.display === "none" ? "table-cell" : "none";
+ }
+ }
+ }
+} \ No newline at end of file
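Review bot: showRuleDescriptions() silently does nothing when no loaded stylesheet carries a `.listFirewall` rule, and reading `ss[i].cssRules` throws a SecurityError for any stylesheet served from another origin, which would abort the loop before the rule is reached; wrapping the `var rules = ss[i].cssRules || ss[i].rules;` access in a try/catch that continues to the next sheet isolates that case, and a comment such as `// toggles the theme's .listFirewall rule; no-op if the active theme does not define it` documents the dependency. The file also loses its trailing newline here (`\ No newline at end of file`).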
diff --git a/usr/local/www/themes/pfsense_ng/all.css b/usr/local/www/themes/pfsense_ng/all.css
index 3452c72..cdb9b9a 100644
--- a/usr/local/www/themes/pfsense_ng/all.css
+++ b/usr/local/www/themes/pfsense_ng/all.css
@@ -920,6 +920,10 @@ ul#wzdnav a:active {
padding-top: 4px;
padding-bottom: 4px;
}
+.listFirewall {
+ border-bottom: 2px solid #999999;
+ display:none;
+}
.listlrns {
background-color: #FFFFFF;
border-right: 1px solid #999999;
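Review bot: `.listFirewall { display:none; }` is added only to the pfsense_ng theme's all.css (the diffstat lists no other theme file), so under any other theme that ships its own all.css the second description row would presumably render unhidden and showRuleDescriptions() would find no rule to toggle. Either the same rule is added to the other themes' stylesheets, or the hidden state is set by a class or inline style in diag_logs_filter.php that does not depend on the theme.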