author | Ermal <eri@pfsense.org> | 2013-01-31 11:07:59 +0000 |
---|---|---|
committer | Ermal <eri@pfsense.org> | 2013-01-31 11:07:59 +0000 |
commit | 7a04cd20c4d5991c5afeb431589c75aa3956b654 (patch) | |
tree | c0ce816db46701de74ef0a34b8234662598d5de3 | |
parent | dd1fc379b433c9f6c03d45c2e7a9a5f7dda043d6 (diff) | |
Create link_interface_to_track6 to make the code more readable and the track6 dependencies easier to follow. Also improve rule generation to avoid creating problems during filter reload, along with some optimizations.
-rw-r--r-- | etc/inc/filter.inc | 88 | ||||
-rw-r--r-- | etc/inc/interfaces.inc | 158 | ||||
-rw-r--r-- | etc/inc/pfsense-utils.inc | 2 | ||||
-rwxr-xr-x | etc/rc.newwanip | 4 | ||||
-rwxr-xr-x | etc/rc.newwanipv6 | 20 |
5 files changed, 129 insertions, 143 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index f30ec90..dc9fb7b 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -842,6 +842,8 @@ function filter_generate_optcfg_array() { $oic['type'] = $oc['ipaddr']; if(!is_ipaddrv6($oc['ipaddrv6']) && !empty($oc['ipaddrv6'])) $oic['type6'] = $oc['ipaddrv6']; + if (!empty($oc['track6-interface'])) + $oc['track6-interface'] = $oc['track6-interface']; $oic['sn'] = get_interface_subnet($if); $oic['snv6'] = get_interface_subnetv6($if); $oic['mtu'] = empty($oc['mtu']) ? 1500 : $oc['mtu']; @@ -2684,21 +2686,23 @@ EOD; } break; default: - if((isset($config['dhcpdv6'][$on]['enable'])) || - (isset($config['interfaces'][$on]['track6-interface']))) { + if ((is_array($config['dhcpdv6'][$on]) && isset($config['dhcpdv6'][$on]['enable'])) || isset($oc['track6-interface'])) { $ipfrules .= <<<EOD - # allow access to DHCPv6 server on {$oc['descr']} -anchor "dhcpv6server{$oc['descr']}" # We need inet6 icmp for stateless autoconfig and dhcpv6 pass quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to fe80::/10 port = 546 label "allow access to DHCPv6 server" pass quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 546 label "allow access to DHCPv6 server" pass quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 547 label "allow access to DHCPv6 server" pass quick on \${$oc['descr']} inet6 proto udp from ff02::/16 to fe80::/10 port = 547 label "allow access to DHCPv6 server" + +EOD; + if (is_ipaddrv6($oc['ipv6'])) { + $ipfrules .= <<<EOD pass in quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to {$oc['ipv6']} port = 546 label "allow access to DHCPv6 server" pass out quick on \${$oc['descr']} inet6 proto udp from {$oc['ipv6']} port = 547 to fe80::/10 label "allow access to DHCPv6 server" EOD; + } } break; } 
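Review bot: The added assignment in filter_generate_optcfg_array() is a no-op: `$oc['track6-interface'] = $oc['track6-interface'];` copies the value onto itself instead of into the `$oic` entry that is being built alongside `$oic['type6']`, `$oic['sn']` and `$oic['snv6']`. The later hunks in this file test `isset($oc['track6-interface'])` and `isset($ifcfg['track6-interface'])` on the per-interface list entries, so if those entries are built from `$oic` (that assignment is outside this hunk) the DHCPv6-server and delegated-prefix rules for tracked interfaces will never be emitted. The line should read `$oic['track6-interface'] = $oc['track6-interface'];`. The rest of filter_generate_optcfg_array() lies outside the hunk.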
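Review bot: The per-interface `anchor "dhcpv6server{$oc['descr']}"` is dropped from the emitted ruleset while the surrounding pass rules are kept, and neither the hunk nor the commit message says why; anything outside this file that still loads rules into that anchor (not visible here) would silently stop being evaluated. If the anchor was unused, a one-line comment above the block such as `# DHCPv6 client/server rules (the per-interface dhcpv6server anchor was removed as unused)` records the decision; otherwise the anchor line should stay. The enclosing switch starts above the hunk.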
@@ -2861,26 +2865,17 @@ EOD; $ipfrules .= "\n# Automatic Pass rules for any delegated IPv6 prefixes through dynamic IPv6 clients\n"; /* add automatic LAN rules to allow IPv6 traffic out for dynamic IPv6 networks */ foreach ($FilterIflist as $ifdescr => $ifcfg) { - $oc = $FilterIflist[$ifdescr]; - if($config['interfaces'][$ifdescr]['track6-interface'] <> "") { - $realif = get_real_interface($ifdescr); - $ifcfgipv6 = find_interface_ipv6($realif); - $trackifname = $config['interfaces'][$ifdescr]['track6-interface']; - $trackcfg = $config['interfaces'][$trackifname]; - if($trackcfg['descr'] == "") - $trackcfg['descr'] = $trackifname; - $trackcfg['descr'] = strtoupper($trackcfg['descr']); - - $pdlen = 64 - calculate_ipv6_delegation_length($trackifname); - if(is_ipaddrv6($ifcfgipv6)) { - $prefix = Net_IPv6::getNetmask($ifcfgipv6, $pdlen); - $ipfrules .= "pass in quick on \${$oc['descr']} inet6 from $prefix/$pdlen to any keep state label \"Allow IPv6 on {$oc['descr']} to any\"\n"; + if (isset($ifcfg['track6-interface'])) { + if (is_ipaddrv6($ifcfg['ipv6'])) { + $trackifname = $ifcfg['track6-interface']; + $trackcfg = $FilterIflist[$trackifname]; + $pdlen = 64 - calculate_ipv6_delegation_length($trackifname); + $prefix = Net_IPv6::getNetmask($ifcfg['ipv6'], $pdlen); + $ipfrules .= "pass in on \${$ifcfg['descr']} inet6 from $prefix/$pdlen to any keep state label \"Allow IPv6 on {$ifcfg['descr']} to any\"\n"; /* add rules on the WAN for traffic back in, let the downstream router * figure out what to do with the traffic */ - $trackcfgipv6 = find_interface_ipv6(get_real_interface($trackifname)); - if(is_ipaddrv6($trackcfgipv6)) { - $ipfrules .= "pass in quick on \${$trackcfg['descr']} inet6 from any to $prefix/$pdlen keep state label \"Allow IPv6 in on {$trackcfg['descr']} to $prefix/$pdlen\"\n"; - } + if (is_ipaddrv6($trackcfg['ipv6'])) + $ipfrules .= "pass in on \${$trackcfg['descr']} inet6 from any to $prefix/$pdlen keep state label \"Allow IPv6 in on {$trackcfg['descr']} 
to $prefix/$pdlen\"\n"; } } } @@ -2896,12 +2891,12 @@ EOD; if(is_array($FilterIflist[$friendly])) { $oc = $FilterIflist[$friendly]; $routeent = explode("/", $route['network']); - if($oc['ip']) { + unset($sa); + if (is_ipaddrv4($oc['ip'])) { $sa = $oc['sa']; $sn = $oc['sn']; - $if = $oc['if']; } - if($sa && is_ipaddrv4($routeent[0])) { + if ($sa && is_ipaddrv4($routeent[0])) { $ipfrules .= <<<EOD pass quick on \${$oc['descr']} proto tcp from {$sa}/{$sn} to {$route['network']} flags any keep state(sloppy) label "pass traffic between statically routed subnets" pass quick on \${$oc['descr']} from {$sa}/{$sn} to {$route['network']} keep state(sloppy) label "pass traffic between statically routed subnets" @@ -2910,12 +2905,12 @@ pass quick on \${$oc['descr']} from {$route['network']} to {$sa}/{$sn} keep stat EOD; } - if($oc['ipv6']) { + unset($sa); + if (is_ipaddrv6($oc['ipv6'])) { $sa = $oc['sav6']; $sn = $oc['snv6']; - $if = $oc['if']; } - if($sa && is_ipaddrv6($routeent[0])) { + if ($sa && is_ipaddrv6($routeent[0])) { $ipfrules .= <<<EOD pass quick on \${$oc['descr']} inet6 proto tcp from {$sa}/{$sn} to {$route['network']} flags any keep state(sloppy) label "pass traffic between statically routed subnets" pass quick on \${$oc['descr']} inet6 from {$sa}/{$sn} to {$route['network']} keep state(sloppy) label "pass traffic between statically routed subnets" 
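Review bot: Both automatic rules lose `quick` (`pass in on \${$ifcfg['descr']} inet6 from $prefix/$pdlen to any keep state ...` and the matching WAN rule), which changes pf semantics: without `quick` the last matching rule wins, so any later rule in the ruleset can now override these passes where before they were final. That may be the intent behind "avoid creating problems during filter reload", but it deserves a comment above the loop, e.g. `/* no 'quick': later (user) rules may override the automatic delegated-prefix passes */`. Separately, `$trackcfg = $FilterIflist[$trackifname];` is never checked with is_array() before `$trackcfg['ipv6']` and `$trackcfg['descr']` are read; a child tracking a WAN that is absent from the list only fails quietly because is_ipaddrv6(null) is false. The enclosing function starts above the hunk.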
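Review bot: Only `$sa` is reset before the IPv4 branch (`unset($sa);`) while `$sn` keeps the previous route's subnet length whenever `$oc['ip']` is not an IPv4 address; that is harmless today only because `$sa` gates the heredoc, and the IPv6 branch further down reuses both names the same way. Resetting both, `unset($sa, $sn);`, keeps the pair in step and prevents a stale mask leaking into a rule if the gate ever changes. The enclosing foreach over static routes starts above the hunk.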
@@ -2937,29 +2932,26 @@ anchor "tftp-proxy/*" EOD; update_filter_reload_status("Creating uPNP rules..."); - if(isset($config['installedpackages']['miniupnpd']) && isset($config['installedpackages']['miniupnpd']['config'][0]['enable'])) { - - $ipfrules .= <<<EOD -# uPnPd -anchor "miniupnpd" - -EOD; - - $upnp_interfaces = explode(",", $config['installedpackages']['miniupnpd'][0]['config']['iface_array']); - foreach($upnp_interfaces as $upnp_if) { - if(is_array($FilterIflist[$upnp_if])) { - $oc = $FilterIflist[$upnp_if]; - if($oc['ip']) { - $sa = $oc['sa']; - $sn = $oc['sn']; - $if = $oc['if']; - } - if($sa) { - $ipfrules .= <<<EOD - + if (is_array($config['installedpackages']['miniupnpd']) && is_array($config['installedpackages']['miniupnpd'][0])) { + if (isset($config['installedpackages']['miniupnpd']['config'][0]['enable'])) + $ipfrules .= "anchor \"miniupnpd\"\n"; + + if (is_array($config['installedpackages']['miniupnpd'][0]['config'])) { + $upnp_interfaces = explode(",", $config['installedpackages']['miniupnpd'][0]['config']['iface_array']); + foreach($upnp_interfaces as $upnp_if) { + if (is_array($FilterIflist[$upnp_if])) { + $oc = $FilterIflist[$upnp_if]; + unset($sa); + if($oc['ip']) { + $sa = $oc['sa']; + $sn = $oc['sn']; + } + if($sa) { + $ipfrules .= <<<EOD pass in on \${$oc['descr']} proto tcp from {$sa}/{$sn} to 239.255.255.250/32 port 1900 keep state label "pass multicast traffic to miniupnpd" EOD; + } } } } diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc index 51400d2..107f9bf 100644 --- a/etc/inc/interfaces.inc +++ b/etc/inc/interfaces.inc 
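Review bot: The SSDP pass rules (`pass in on \${$oc['descr']} proto tcp from {$sa}/{$sn} to 239.255.255.250/32 port 1900 ...`) are no longer conditioned on the package being enabled: only the `anchor "miniupnpd"` line sits behind `isset(...['config'][0]['enable'])`, and the per-interface rules are emitted whenever `iface_array` is present, so a disabled miniupnpd still opens port 1900 on every listed interface. Gating the interface loop on the same flag, `if (isset($config['installedpackages']['miniupnpd']['config'][0]['enable']) && is_array($config['installedpackages']['miniupnpd'][0]['config'])) {`, restores the previous behavior. Note also that the enable flag is read as `['miniupnpd']['config'][0]` while the interfaces are read as `['miniupnpd'][0]['config']`; both paths predate this change, but only one of them can be the real layout, and the wrong one makes its check vacuous.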
@@ -2836,13 +2836,13 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven switch ($wancfg['ipaddrv6']) { case 'slaac': case 'dhcp6': - interface_dhcpv6_configure($interface); + interface_dhcpv6_configure($interface, $wancfg); break; case '6rd': - interface_6rd_configure($interface); + interface_6rd_configure($interface, $wancfg); break; case '6to4': - interface_6to4_configure($interface); + interface_6to4_configure($interface, $wancfg); break; case 'track6': interface_track6_configure($interface); @@ -2911,11 +2911,13 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven return 0; } -function interface_track6_configure($interface = "lan") { +function interface_track6_configure($interface = "lan", $wancfg) { global $config, $g; - $wancfg = $config['interfaces'][$interface]; - if (empty($config['interfaces'][$interface])) + if (!is_array($wancfg)) + return; + + if (!isset($wancfg['enable'])) return; /* If the interface is not configured via another, exit */ 
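Review bot: The `case 'track6': interface_track6_configure($interface);` call in interface_configure() is left with a single argument while this commit changes interface_track6_configure() to take `$wancfg` and return immediately when it is not an array, so a track6 interface configured through interface_configure() is now silently skipped (PHP also warns about the missing argument). It should be updated like its siblings in the same switch: `interface_track6_configure($interface, $wancfg);`. interface_configure() starts above and ends below this hunk.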
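Review bot: `function interface_track6_configure($interface = "lan", $wancfg)` places a mandatory parameter after a defaulted one, so the `"lan"` default can never be used and any caller still passing one argument (at least one remains in this file) hits the new `!is_array($wancfg)` guard and does nothing. Making `$wancfg` optional and falling back to the config entry for `$interface` keeps one-argument callers working while preserving the new fast path. The function body continues past the hunk.
```php
function interface_track6_configure($interface = "lan", $wancfg = null) {
	global $config, $g;

	/* accept the config entry from the caller, or look it up ourselves */
	if (!is_array($wancfg))
		$wancfg = $config['interfaces'][$interface];
	if (!is_array($wancfg) || !isset($wancfg['enable']))
		return;
	/* … unchanged: track6-interface check and dispatch on the tracked WAN type … */
```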
@@ -2926,22 +2928,27 @@ function interface_track6_configure($interface = "lan") { $realif = get_real_interface($interface); mwexec("/sbin/ifconfig {$realif} inet6 fe80::1:1%{$realif}"); - $type = $config['interfaces'][$wancfg['track6-interface']]['ipaddrv6']; - switch($type) { + $trackcfg = $config['interfaces'][$wancfg['track6-interface']]; + if (!isset($trackcfg['enable'])) { + log_error("Interface {$interface} tracking non-existant interface {$wancfg['track6-interface']}"); + return; + } + + switch($trackcfg['ipaddrv6']) { case "6to4": if ($g['debug']) log_error("Interface {$interface} configured via {$wancfg['track6-interface']} type {$type}"); - interface_track6_6to4_configure($interface); + interface_track6_6to4_configure($interface, $wancfg); break; case "6rd": if ($g['debug']) log_error("Interface {$interface} configured via {$wancfg['track6-interface']} type {$type}"); - interface_track6_6rd_configure($interface); + interface_track6_6rd_configure($interface, $wancfg); break; case "dhcp6": if ($g['debug']) log_error("Interface {$interface} configured via {$wancfg['track6-interface']} type {$type}"); - interface_track6_dhcp6_configure($interface); + interface_track6_dhcp6_configure($interface, $wancfg); break; } @@ -2949,11 +2956,10 @@ function interface_track6_configure($interface = "lan") { } -function interface_track6_6rd_configure($interface = "lan") { +function interface_track6_6rd_configure($interface = "lan", $lancfg) { global $config, $g; - $lancfg = $config['interfaces'][$interface]; - if (empty($config['interfaces'][$interface])) + if (!is_array($lancfg)) return; /* If the interface is not configured via another, exit */ 
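Review bot: The three debug lines `log_error("Interface {$interface} configured via {$wancfg['track6-interface']} type {$type}");` still interpolate `$type`, but this hunk removes `$type = ...` in favor of `$trackcfg`, so with `$g['debug']` set they now log an empty type (plus an undefined-variable notice). Replace `{$type}` with `{$trackcfg['ipaddrv6']}` in all three, or set `$type = $trackcfg['ipaddrv6'];` once before the switch. The new message also says "non-existant" (sic) for an interface that exists but is disabled, since the test is `!isset($trackcfg['enable'])`; `"tracking a disabled or non-existent interface"` would be accurate, and the same spelling appears in the other new log_error() calls in this file. The function starts above and ends below this hunk.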
@@ -2964,12 +2970,14 @@ function interface_track6_6rd_configure($interface = "lan") { $lancfg['track6-prefix-id'] = 0; $wancfg = $config['interfaces'][$lancfg['track6-interface']]; - if (empty($wancfg)) + if (empty($wancfg)) { + log_error("Interface {$interface} tracking non-existant interface {$lancfg['track6-interface']}"); return; + } $wanif = get_real_interface($lancfg['track6-interface']); $ip4address = find_interface_ip($wanif); - if ((!is_ipaddrv4($ip4address)) || (is_private_ip($ip4address))) { + if (!is_ipaddrv4($ip4address)) { /* XXX: This should not be needed by 6rd || (is_private_ip($ip4address))) { */ log_error("The interface IPv4 '{$ip4address}' address on interface '{$wanif}' is not public, not configuring 6RD tunnel"); return; } @@ -3006,27 +3014,26 @@ function interface_track6_6rd_configure($interface = "lan") { return 0; } -function interface_track6_6to4_configure($interface = "lan") { +function interface_track6_6to4_configure($interface = "lan", $lancfg) { global $config, $g; - $lancfg = $config['interfaces'][$interface]; - if (empty($config['interfaces'][$interface])) + if (!is_array($lancfg)) return; /* If the interface is not configured via another, exit */ if (empty($lancfg['track6-interface'])) return; + $wancfg = $config['interfaces'][$lancfg['track6-interface']]; + if (empty($wancfg)) { + log_error("Interface {$interface} tracking non-existant interface {$lancfg['track6-interface']}"); + return; + } + if (!is_numeric($lancfg['track6-prefix-id'])) $lancfg['track6-prefix-id'] = 0; $wanif = get_real_interface($lancfg['track6-interface']); - if (!$wanif) - return; - $wancfg = $config['interfaces'][$lancfg['track6-interface']]; - if (empty($wancfg)) - $wancfg = array(); - $ip4address = find_interface_ip($wanif); if (!is_ipaddrv4($ip4address) || is_private_ip($ip4address)) { log_error("The interface IPv4 '{$ip4address}' address on interface '{$wanif}' is not public, not configuring 6RD tunnel"); 
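Review bot: After dropping `is_private_ip()` from the condition, the message `log_error("The interface IPv4 '{$ip4address}' address on interface '{$wanif}' is not public, not configuring 6RD tunnel");` no longer matches what is tested: the only way to reach it now is a missing or malformed IPv4 address, so "is not public" will mislead whoever reads the log. Changing it to `"... is not a valid IPv4 address, not configuring 6RD tunnel"` keeps the message honest, and the trailing `/* XXX: ... */` on the `if` line would read better as a sentence above it, e.g. `/* 6RD can run behind a private IPv4 address, so only validity is checked here */`. The function starts above and ends below the hunk.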
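Review bot: interface_track6_6to4_configure() no longer bails out when `get_real_interface()` returns nothing: the `if (!$wanif) return;` is gone and `$wanif` goes straight into `find_interface_ip($wanif)`; whether that helper tolerates an empty name is not visible here, so a cheap `if (empty($wanif)) return;` after the assignment would keep the previous safety net. This 6to4 function also still logs "not configuring 6RD tunnel" on a non-public address; `"not configuring 6to4 tunnel"` is the right wording. The function ends below the hunk.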
@@ -3061,11 +3068,10 @@ function interface_track6_6to4_configure($interface = "lan") { return 0; } -function interface_track6_dhcp6_configure($interface = "lan") { +function interface_track6_dhcp6_configure($interface = "lan", $lancfg) { global $config, $g; - $lancfg = $config['interfaces'][$interface]; - if (empty($config['interfaces'][$interface])) + if (!is_array($lancfg)) return; /* If the interface is not configured via another, exit */ @@ -3076,8 +3082,10 @@ function interface_track6_dhcp6_configure($interface = "lan") { $lancfg['track6-prefix-id'] = 0; $wancfg = $config['interfaces'][$lancfg['track6-interface']]; - if (empty($wancfg)) - $wancfg = array(); + if (empty($wancfg)) { + log_error("Interface {$interface} tracking non-existant interface {$lancfg['track6-interface']}"); + return; + } $wanif = get_real_interface($lancfg['track6-interface']); $ifcfgipv6 = find_interface_ipv6($wanif); @@ -3097,14 +3105,13 @@ function interface_track6_dhcp6_configure($interface = "lan") { return 0; } -function interface_6rd_configure($interface = "wan") { +function interface_6rd_configure($interface = "wan", $wancfg) { global $config, $g; /* because this is a tunnel interface we can only function * with a public IPv4 address on the interface */ - $wancfg = $config['interfaces'][$interface]; - if (empty($wancfg)) + if (!is_array($wancfg)) return; $wanif = get_real_interface($interface); 
@@ -3167,31 +3174,22 @@ function interface_6rd_configure($interface = "wan") { mwexec("/sbin/route change -host " . $wancfg['gateway-6rd'] . " {$ip4gateway}"); /* configure dependent interfaces */ - if (!$g['booting']) { - /* XXX: Really necessary? */ - $iflist = get_configured_interface_with_descr(false, true); - foreach($iflist as $if => $ifname) { - if ($config['interfaces'][$if]['track6-interface'] == $interface) - interface_track6_configure($if); - } - unset($iflist); - } + if (!$g['booting']) + link_interface_to_track6($interface, "update"); return 0; } -function interface_6to4_configure($interface = "wan"){ +function interface_6to4_configure($interface = "wan", $wancfg){ global $config, $g; /* because this is a tunnel interface we can only function * with a public IPv4 address on the interface */ - $wancfg = $config['interfaces'][$interface]; - if (empty($wancfg)) - $wancfg = array(); + if (!is_array($wancfg)) + return; $wanif = get_real_interface($interface); - $ip4address = find_interface_ip($wanif); if((!is_ipaddrv4($ip4address)) || (is_private_ip($ip4address))) { log_error("The interface IPv4 '{$ip4address}' address on interface '{$wanif}' is not public, not configuring 6RD tunnel"); 
@@ -3269,28 +3267,19 @@ function interface_6to4_configure($interface = "wan"){ if (is_ipaddrv4($ip4gateway)) mwexec("route change -host 192.88.99.1 {$ip4gateway}"); - if (!$g['booting']) { - /* configure dependent interfaces */ - $iflist = get_configured_interface_with_descr(false, true); - foreach($iflist as $if => $ifname) { - if($config['interfaces'][$if]['track6-interface'] == $interface) - interface_track6_configure($if); - } - unset($iflist); - } + if (!$g['booting']) + link_interface_to_track6($interface, "update"); return 0; } -function interface_dhcpv6_configure($interface = "wan") { +function interface_dhcpv6_configure($interface = "wan", $wancfg) { global $config, $g; - $wancfg = $config['interfaces'][$interface]; - if (empty($config['interfaces'][$interface])) + if (!is_array($wancfg)) return; $wanif = get_real_interface($interface); - $dhcp6cconf = ""; $dhcp6cconf .= "interface {$wanif} {\n"; 
@@ -3316,19 +3305,19 @@ function interface_dhcpv6_configure($interface = "wan") { /* Setup the prefix delegation */ $dhcp6cconf .= "id-assoc pd 0 {\n"; $iflist = get_configured_interface_with_descr(false, true); - foreach($iflist as $friendly => $ifdescr) { - if($config['interfaces'][$friendly]['track6-interface'] != $interface) - continue; - if (is_numeric($config['interfaces'][$friendly]['track6-prefix-id'])) { - log_error("setting up $ifdescr - {$config['interfaces'][$friendly]['track6-prefix-id']}"); + $iflist = link_interface_to_track6($interface); + foreach ($iflist as $friendly => $ifcfg) { + if (is_numeric($ifcfg['track6-prefix-id'])) { + if ($g['debug']) + log_error("setting up $ifdescr - {$ifcfg['track6-prefix-id']}"); $realif = get_real_interface($friendly); $dhcp6cconf .= " prefix-interface {$realif} {\n"; - $dhcp6cconf .= " sla-id {$config['interfaces'][$friendly]['track6-prefix-id']};\n"; + $dhcp6cconf .= " sla-id {$ifcfg['track6-prefix-id']};\n"; $dhcp6cconf .= " sla-len {$wancfg['dhcp6-ia-pd-len']};\n"; $dhcp6cconf .= " };\n"; } } - unset($iflist); + unset($iflist, $ifcfg); $dhcp6cconf .= "};\n"; } } @@ -3380,18 +3369,11 @@ function interface_dhcpv6_configure($interface = "wan") { } } } + unset($out); } /* worst case is that the rc.newwanipv6 handles setting up the track6 interface */ - if (!$g['booting'] && $wancfg['ippaddrv6'] != "slaac") { - /* configure dependent interfaces */ - /* XXX: Really necessary? */ - $iflist = get_configured_interface_with_descr(false, true); - foreach($iflist as $if => $ifname) { - if ($config['interfaces'][$if]['track6-interface'] == $interface) - interface_track6_configure($if); - } - unset($iflist); - } + if (!$g['booting'] && $wancfg['ippaddrv6'] != "slaac") + link_interface_to_track6($interface, "update"); return 0; } 
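Review bot: The debug line `log_error("setting up $ifdescr - {$ifcfg['track6-prefix-id']}");` still uses `$ifdescr`, which was the value of the loop this hunk replaces; the new loop is `foreach ($iflist as $friendly => $ifcfg)`, so `$ifdescr` is now undefined (or stale) and the message names the wrong interface. `log_error("setting up {$friendly} - {$ifcfg['track6-prefix-id']}");` is what was meant. Also, `$iflist = link_interface_to_track6($interface);` overwrites the `get_configured_interface_with_descr()` result fetched on the line just above, so that first call is now dead and can be dropped, and if link_interface_to_track6() returns nothing (see its definition later in this diff) the foreach emits a warning. The function continues past the hunk.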
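Review bot: `if (!$g['booting'] && $wancfg['ippaddrv6'] != "slaac")` reads the key `ippaddrv6` (double p), while everywhere else in this diff the key is `ipaddrv6`, so the test is always true and tracked interfaces are updated for SLAAC WANs as well, contrary to the comment above it. The line should be `if (!$g['booting'] && $wancfg['ipaddrv6'] != "slaac")`. The typo predates this commit, but the condition is rewritten here, so this is the place to fix it. interface_dhcpv6_configure() starts above the hunk.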
@@ -3970,6 +3952,28 @@ function link_ip_to_carp_interface($ip) { return $carp_ints; } +function link_interface_to_track6($int, $action = "") { + global $config; + + if (empty($int)) + return; + + if (is_array($config['interfaces'])) { + $list = array(); + foreach ($config['interfaces'] as $ifname => $ifcfg) { + if (!isset($ifcfg['enable'])) + continue; + if (!empty($ifcfg['ipaddrv6']) && $ifcfg['track6-interface'] == $int) { + if ($action == "update") + interface_track6_configure($ifname, $ifcfg); + else if ($action == "") + $list[$ifname] = $ifcfg; + } + } + return $list; + } +} + function link_interface_to_vlans($int, $action = "") { global $config; diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc index 85c9211..6219793 100644 --- a/etc/inc/pfsense-utils.inc +++ b/etc/inc/pfsense-utils.inc @@ -1074,7 +1074,7 @@ function is_dhcpv6_server_enabled() { if (is_array($config['interfaces'])) { foreach ($config['interfaces'] as $ifcfg) { - if (!empty($ifcfg['track6-interface'])) + if (isset($ifcfg['enable']) && !empty($ifcfg['track6-interface'])) return true; } } diff --git a/etc/rc.newwanip b/etc/rc.newwanip index 4df5343..ef72c2d 100755 --- a/etc/rc.newwanip +++ b/etc/rc.newwanip @@ -126,10 +126,10 @@ if ($interface == "lan") /* check tunneled IPv6 interface tracking */ switch($config['interfaces'][$interface]['ipaddrv6']) { case "6to4": - interface_6to4_configure($interface); + interface_6to4_configure($interface, $config['interfaces'][$interface]); break; case "6rd": - interface_6rd_configure($interface); + interface_6rd_configure($interface, $config['interfaces'][$interface]); break; } diff --git a/etc/rc.newwanipv6 b/etc/rc.newwanipv6 index c2266ae..6d33ead 100755 --- a/etc/rc.newwanipv6 +++ b/etc/rc.newwanipv6 
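Review bot: link_interface_to_track6() returns nothing when `$int` is empty or `$config['interfaces']` is not an array, and its only non-update caller iterates the result with foreach, so those paths yield a PHP warning instead of an empty list; moving `$list = array();` above the `is_array()` check and ending the function with `return $list;` fixes both. The match also keys on `!empty($ifcfg['ipaddrv6']) && $ifcfg['track6-interface'] == $int` without requiring `$ifcfg['ipaddrv6'] == "track6"`; if the config can keep a stale `track6-interface` value after an interface is switched to another IPv6 mode (not visible here), such an interface would be reconfigured as a track6 child. A short docblock would also help: `/* Return the enabled interfaces whose IPv6 is tracked from $int; with $action "update", reconfigure them instead and return an empty array. */`.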
@@ -104,6 +104,9 @@ if(count($valid_ns > 0)) if(!empty($_ENV['new_domain_name'])) file_put_contents("{$g['varetc_path']}/searchdomain_v6{$interface}", $_ENV['new_domain_name']); +/* write current WAN IPv6 to file */ +file_put_contents("{$g['vardb_path']}/{$interface}_ipv6", $curwanipv6); + log_error("rc.newwanipv6: on (IP address: {$curwanipv6}) (interface: {$interface}) (real interface: {$interface_real})."); $oldipv6 = ""; @@ -114,24 +117,11 @@ $grouptmp = link_interface_to_group($interface); if (!empty($grouptmp)) array_walk($grouptmp, 'interface_group_add_member'); +link_interface_to_track6($interface, "update"); + /* regenerate resolv.conf if DNS overrides are allowed */ system_resolvconf_generate(true); -/* write current WAN IPv6 to file */ -file_put_contents("{$g['vardb_path']}/{$interface}_ipv6", $curwanipv6); - -/* check native IPv6 interface tracking */ -switch($config['interfaces'][$interface]['ipaddrv6']) { - case "dhcp6": - foreach($config['interfaces'] as $iftrackname => $iftrack) { - if($iftrack['track6-interface'] == $interface) { - log_error("interface {$iftrackname} depends on {$interface}, configuring"); - interface_track6_configure($iftrackname); - } - } - break; -} - /* reconfigure static routes (kernel may have deleted them) */ system_routing_configure($interface); |
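Review bot: `file_put_contents("{$g['vardb_path']}/{$interface}_ipv6", $curwanipv6);` is moved ahead of the log line but still persists whatever `$curwanipv6` holds; its derivation is above the hunk, so if it can be empty or not an address on this path the stored value is overwritten with junk. Guarding the write with `if (is_ipaddrv6($curwanipv6))` (the helper used throughout interfaces.inc in this diff) is cheap and keeps the db file trustworthy for its readers. Any earlier validation of `$interface` and `$curwanipv6` is not visible in this hunk.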
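Review bot: `link_interface_to_track6($interface, "update");` now runs for every WAN IPv6 type, whereas the removed switch only reconfigured tracking interfaces for `dhcp6`; per the interfaces.inc hunks, interface_6rd_configure() and interface_6to4_configure() already issue the same update themselves, so 6rd/6to4 children may now be configured twice on one new-address event. If that is intended, a comment would stop the next reader from re-adding the switch: `/* reconfigure every interface that tracks this WAN, whatever its IPv6 mode */`; otherwise restore the `dhcp6` condition around the call.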