authorLuiz Otavio O Souza <luiz@netgate.com>2016-01-28 04:58:18 -0600
committerLuiz Otavio O Souza <luiz@netgate.com>2016-01-28 05:12:47 -0600
commitcc2cff0b9be33eaea6c947f1fffc746895fd24fe (patch)
treeb2d1aa4bc51af8d0587b3217cfaa7dc323d6fa2a
parent7ffd90780c83615d6619a5f558634ad153c9218e (diff)
downloadpfsense-cc2cff0b9be33eaea6c947f1fffc746895fd24fe.zip
pfsense-cc2cff0b9be33eaea6c947f1fffc746895fd24fe.tar.gz
Show rule state details in firewall rules.
Inspired by pull request #1901 from marcelloc/hitcount_23_02. State visualization and kill will be committed in a subsequent commit.
-rw-r--r--src/etc/inc/filter.inc36
-rw-r--r--src/etc/inc/util.inc13
-rw-r--r--src/usr/local/www/firewall_rules.php55
3 files changed, 91 insertions, 13 deletions
diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
index 611425e..18c4cc3 100644
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -136,8 +136,19 @@ $icmp6types = array(
"mtrace" => gettext("mtrace messages")
);
-global $tracker;
-global $negate_tracker;
+/*
+ * Fixed tracker values (used to group and track usage in GUI):
+ *
+ * bogons rules: 10000
+ * anti-lockout rules: 11000
+ * RFC1918 rules: 12000
+ *
+ */
+
+define("ANTILOCKOUT_TRACKER", 10000);
+define("BOGONS_TRACKER", 11000);
+define("RFC1918_TRACKER", 12000);
+
$tracker = 1000000000;
$negate_tracker = 10000000;
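Review bot: The new comment block and the defines below it disagree: the comment lists bogons as 10000 and anti-lockout as 11000, while `define("ANTILOCKOUT_TRACKER", 10000);` and `define("BOGONS_TRACKER", 11000);` assign them the other way round. Because the GUI now looks rules up by these tracker ids, a later reader "fixing the comment" could swap the constants instead and silently mislabel the counters; the comment lines should read `* anti-lockout rules: 10000` and `* bogons rules: 11000`. It would also help to state in the same comment that the fixed ids stay far below `$negate_tracker` (10000000) and `$tracker` so they cannot collide with generated ids.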
@@ -3271,10 +3282,11 @@ EOD;
}
if (isset($config['interfaces'][$on]['blockbogons'])) {
+ $bogons_tracker = BOGONS_TRACKER;
$ipfrules .= <<<EOD
# block bogon networks (IPv4)
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
-block in $bogonlog quick on \${$oc['descr']} from <bogons> to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("block bogon IPv4 networks from {$oc['descr']}")}"
+block in $bogonlog quick on \${$oc['descr']} from <bogons> to any tracker $bogons_tracker label "{$fix_rule_label("block bogon IPv4 networks from {$oc['descr']}")}"
EOD;
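Review bot: `$bogons_tracker` now carries the same fixed value on every interface that has blockbogons set, where the removed `{$increment_tracker($tracker)}` gave each generated rule its own id; this code appears to sit in a per-interface loop (`$oc['descr']`), though the enclosing function starts outside the hunk. Any consumer that sums pf counters by tracker, such as the new States column, will therefore aggregate bogon hits across all interfaces rather than the one being displayed. If that is intended, say so next to the assignment, e.g. `/* shared by all interfaces; GUI counters are aggregated per tracker */`. The same applies to the RFC1918 and anti-lockout hunks below in this file.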
@@ -3282,7 +3294,7 @@ EOD;
$ipfrules .= <<<EOD
# block bogon networks (IPv6)
# http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
-block in $bogonlog quick on \${$oc['descr']} from <bogonsv6> to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("block bogon IPv6 networks from {$oc['descr']}")}"
+block in $bogonlog quick on \${$oc['descr']} from <bogonsv6> to any tracker $bogons_tracker label "{$fix_rule_label("block bogon IPv6 networks from {$oc['descr']}")}"
EOD;
}
@@ -3317,13 +3329,14 @@ EOD;
if (isset($config['interfaces'][$on]['blockpriv'])) {
if ($isbridged == false) {
+ $rfc1918_tracker = RFC1918_TRACKER;
$ipfrules .= <<<EOD
# block anything from private networks on interfaces with the option set
-block in $privnetlog quick on \${$oc['descr']} from 10.0.0.0/8 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 10/8")}"
-block in $privnetlog quick on \${$oc['descr']} from 127.0.0.0/8 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 127/8")}"
-block in $privnetlog quick on \${$oc['descr']} from 172.16.0.0/12 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 172.16/12")}"
-block in $privnetlog quick on \${$oc['descr']} from 192.168.0.0/16 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 192.168/16")}"
-block in $privnetlog quick on \${$oc['descr']} from fc00::/7 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block ULA networks from {$oc['descr']} block fc00::/7")}"
+block in $privnetlog quick on \${$oc['descr']} from 10.0.0.0/8 to any tracker $rfc1918_tracker label "{$fix_rule_label("Block private networks from {$oc['descr']} block 10/8")}"
+block in $privnetlog quick on \${$oc['descr']} from 127.0.0.0/8 to any tracker $rfc1918_tracker label "{$fix_rule_label("Block private networks from {$oc['descr']} block 127/8")}"
+block in $privnetlog quick on \${$oc['descr']} from 172.16.0.0/12 to any tracker $rfc1918_tracker label "{$fix_rule_label("Block private networks from {$oc['descr']} block 172.16/12")}"
+block in $privnetlog quick on \${$oc['descr']} from 192.168.0.0/16 to any tracker $rfc1918_tracker label "{$fix_rule_label("Block private networks from {$oc['descr']} block 192.168/16")}"
+block in $privnetlog quick on \${$oc['descr']} from fc00::/7 to any tracker $rfc1918_tracker label "{$fix_rule_label("Block ULA networks from {$oc['descr']} block fc00::/7")}"
EOD;
}
@@ -3533,6 +3546,7 @@ EOD;
if (is_array($config['system']['webgui']) && !isset($config['system']['webgui']['noantilockout'])) {
$alports = filter_get_antilockout_ports();
+ $lockout_tracker = ANTILOCKOUT_TRACKER;
if (count($config['interfaces']) > 1 && !empty($FilterIflist['lan']['if'])) {
/* if antilockout is enabled, LAN exists and has
* an IP and subnet mask assigned
@@ -3540,7 +3554,7 @@ EOD;
$lanif = $FilterIflist['lan']['if'];
$ipfrules .= <<<EOD
# make sure the user cannot lock himself out of the webConfigurator or SSH
-pass in {$log['pass']} quick on {$lanif} proto tcp from any to ({$lanif}) port { {$alports} } tracker {$increment_tracker($tracker)} keep state label "anti-lockout rule"
+pass in {$log['pass']} quick on {$lanif} proto tcp from any to ({$lanif}) port { {$alports} } tracker $lockout_tracker keep state label "anti-lockout rule"
EOD;
} else if (count($config['interfaces']) == 1) {
@@ -3548,7 +3562,7 @@ EOD;
$wanif = $FilterIflist["wan"]['if'];
$ipfrules .= <<<EOD
# make sure the user cannot lock himself out of the webConfigurator or SSH
-pass in {$log['pass']} quick on {$wanif} proto tcp from any to ({$wanif}) port { {$alports} } tracker {$increment_tracker($tracker)} keep state label "anti-lockout rule"
+pass in {$log['pass']} quick on {$wanif} proto tcp from any to ({$wanif}) port { {$alports} } tracker $lockout_tracker keep state label "anti-lockout rule"
EOD;
}
diff --git a/src/etc/inc/util.inc b/src/etc/inc/util.inc
index c767f25..347219e 100644
--- a/src/etc/inc/util.inc
+++ b/src/etc/inc/util.inc
@@ -1724,6 +1724,19 @@ function format_bytes($bytes) {
}
}
+function format_number($num, $precision = 3) {
+ $units = array('', 'K', 'M', 'G', 'T');
+
+ $i = 0;
+ while ($num > 1000 && $i < count($units)) {
+ $num /= 1000;
+ $i++;
+ }
+ round($num, $precision);
+
+ return ("$num {$units[$i]}");
+}
+
function update_filter_reload_status($text) {
global $g;
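Review bot: `round($num, $precision);` on its own line discards the rounded value, so format_number() returns the unrounded quotient (1234567 would come back as `1.234567 M`); it should be `$num = round($num, $precision);`. The loop bound also lets `$i` reach `count($units)` for inputs of 10^15 and above, after which `$units[$i]` is an undefined offset; use `while ($num > 1000 && $i < count($units) - 1)` so the last unit is reused instead. Note that the returned string carries a trailing space when `$units[$i]` is empty (`"42 "`), which the caller in firewall_rules.php prints verbatim into the cell.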
diff --git a/src/usr/local/www/firewall_rules.php b/src/usr/local/www/firewall_rules.php
index 9847280..04d9ee7 100644
--- a/src/usr/local/www/firewall_rules.php
+++ b/src/usr/local/www/firewall_rules.php
@@ -72,6 +72,51 @@ require_once("shaper.inc");
$pgtitle = array(gettext("Firewall"), gettext("Rules"));
$shortcut_section = "firewall";
+function get_pf_rules($rules, $tracker) {
+
+ if ($rules == NULL || !is_array($rules))
+ return (NULL);
+
+ $arr = array();
+ for ($i = 0; $i < count($rules); $i++) {
+ if ($rules[$i]['tracker'] === $tracker)
+ $arr[] = $rules[$i];
+ }
+
+ if (count($arr) == 0)
+ return (NULL);
+
+ return ($arr);
+}
+
+function print_states($tracker) {
+ global $rulescnt;
+
+ $rulesid = "";
+ $bytes = 0;
+ $states = 0;
+ $packets = 0;
+ $evaluations = 0;
+ $stcreations = 0;
+ $rules = get_pf_rules($rulescnt, $tracker);
+ for ($j = 0; is_array($rules) && $j < count($rules); $j++) {
+ $bytes += $rules[$j]['bytes'];
+ $states += $rules[$j]['states'];
+ $packets += $rules[$j]['packets'];
+ $evaluations += $rules[$j]['evaluations'];
+ $stcreations += $rules[$j]['state creations'];
+ if (strlen($rulesid) > 0)
+ $rulesid .= ",";
+ $rulesid .= "{$rules[$j]['id']}";
+ }
+ printf("<a href=\"diag_dump_states.php?ruleid=%s\" data-toggle=\"popover\" data-trigger=\"hover focus\" title=\"%s\" ",
+ $rulesid, gettext("States details"));
+ printf("data-content=\"evaluations: %s<br>packets: %s<br>bytes: %s<br>states: %s<br>state creations: %s\" data-html=\"true\">",
+ format_number($evaluations), format_number($packets), format_bytes($bytes),
+ format_number($states), format_number($stcreations));
+ printf("%d/%s</a><br>", format_number($states), format_bytes($bytes));
+}
+
function delete_nat_association($id) {
global $config;
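Review bot: The final `printf("%d/%s</a><br>", format_number($states), format_bytes($bytes));` passes format_number()'s string result to `%d`, so once a rule has more than 1000 states the cell shows `1` instead of `1.5 K`; it should be `printf("%s/%s</a><br>", format_number($states), format_bytes($bytes));`. `$rulesid` is interpolated into the href attribute without `htmlspecialchars()`; the ids come from pf rather than from a client, so exposure is low, but escaping the attribute value is cheap and keeps the output consistent. Separately, `get_pf_rules()` rescans the whole `$rulescnt` array for every row of the table, so the page does a quadratic pass on large rulesets; indexing `$rulescnt` by tracker once before the loop would avoid that. The `===` comparison in get_pf_rules() presumably relies on pfSense_get_pf_rules() returning integer tracker values, which is worth confirming since every caller wraps its argument in intval().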
@@ -300,8 +345,10 @@ if (isset($config['interfaces'][$if]['blockbogons'])) {
$showblockbogons = true;
}
-?>
+/* Load the counter data of each pf rule. */
+$rulescnt = pfSense_get_pf_rules();
+?>
<form method="post">
<div class="panel panel-default">
<div class="panel-heading"><h2 class="panel-title"><?=gettext("Rules (Drag to change order)")?></h2></div>
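Review bot: The result of `pfSense_get_pf_rules()` is assigned to `$rulescnt` without being checked; if the call fails (presumably returning false), get_pf_rules() sees a non-array and every row silently renders `0/0 B`, which is indistinguishable from a rule that has seen no traffic. Consider `if (!is_array($rulescnt)) { $rulescnt = array(); }` together with a log line, or have print_states() render a dash when counter data is unavailable.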
@@ -311,6 +358,7 @@ if (isset($config['interfaces'][$if]['blockbogons'])) {
<tr>
<th><!-- checkbox --></th>
<th><!-- status icons --></th>
+ <th><?=gettext("States")?></th>
<th><?=gettext("Protocol")?></th>
<th><?=gettext("Source")?></th>
<th><?=gettext("Port")?></th>
@@ -335,6 +383,7 @@ if (isset($config['interfaces'][$if]['blockbogons'])) {
<tr id="antilockout">
<td></td>
<td title="<?=gettext("traffic is passed")?>"><i class="fa fa-check text-success"></i></td>
+ <td><? print_states(intval(ANTILOCKOUT_TRACKER)); ?></td>
<td>*</td>
<td>*</td>
<td>*</td>
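Review bot: The new cell uses the short open tag `<? print_states(intval(ANTILOCKOUT_TRACKER)); ?>`, which is only parsed when `short_open_tag` is enabled, whereas the surrounding markup uses `<?=` and `<?php`. Write it as `<td><?php print_states(ANTILOCKOUT_TRACKER); ?></td>`; the `intval()` is redundant because the constant is defined as an integer in filter.inc. The same applies to the RFC1918 and bogons rows in the next two hunks and to the per-rule cell (`print_states(intval($filterent['tracker']))`) later in this file, where the intval() is still needed for the config value.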
@@ -353,6 +402,7 @@ if (isset($config['interfaces'][$if]['blockbogons'])) {
<tr id="frrfc1918">
<td></td>
<td title="<?=gettext("traffic is blocked")?>"><i class="fa fa-times text-danger"></i></td>
+ <td><? print_states(intval(RFC1918_TRACKER)); ?></td>
<td>*</td>
<td><?=gettext("RFC 1918 networks");?></td>
<td>*</td>
@@ -371,6 +421,7 @@ if (isset($config['interfaces'][$if]['blockbogons'])) {
<tr id="frrfc1918">
<td></td>
<td title="<?=gettext("traffic is blocked")?>"><i class="fa fa-times text-danger"></i></td>
+ <td><? print_states(intval(BOGONS_TRACKER)); ?></td>
<td>*</td>
<td><?=gettext("Reserved/not assigned by IANA");?></td>
<td>*</td>
@@ -592,6 +643,7 @@ for ($i = 0; isset($a_filter[$i]); $i++):
}
}
?>
+ <td><? print_states(intval($filterent['tracker'])); ?></td>
<td>
<?php
if (isset($filterent['ipprotocol'])) {
@@ -975,4 +1027,3 @@ events.push(function() {
</script>
<?php include("foot.inc");?>
-