author | Ermal Luçi <eri@pfsense.org> | 2009-04-26 14:23:29 +0000 |
---|---|---|
committer | Ermal Luçi <eri@pfsense.org> | 2009-04-26 14:23:29 +0000 |
commit | 60120e37425e3e0147bbc3a0cfe010c124ba0df6 (patch) | |
tree | 2cdc7f3f4574ed10933035e38dd04533354e4c7d /etc/inc/pfsense-utils.inc | |
parent | 6dc3a5c2e428a6f8c0d11d904f12ab8ab86a8718 (diff) | |
* Convert schedules to pf(4).
This allows the whole feature set of the rules (queues/limiters/gateways/blocks/allows/etc.) to be scheduled.
* Whitespace cleaning on filter.inc
* Move schedule backend logic from pfsense-utils.inc to filter.inc and prefix with filter_.
* Small bugfixes here and there.
Diffstat (limited to 'etc/inc/pfsense-utils.inc')
-rw-r--r-- | etc/inc/pfsense-utils.inc | 599 |
1 files changed, 0 insertions, 599 deletions
diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc
index e74429d..b0afac5 100644
--- a/etc/inc/pfsense-utils.inc
+++ b/etc/inc/pfsense-utils.inc
@@ -131,605 +131,6 @@ function get_tmp_file() { return "/tmp/tmp-" . time(); } -/****f* pfsense-utils/tdr_install_cron - * NAME - * tdr_install_cron - * INPUTS - * $should_install true if the cron entry should be installed, false - * if the entry should be removed if it is present - * RESULT - * none - ******/ -function tdr_install_cron($should_install) { - global $config, $g; - if($g['booting']==true) - return; - $is_installed = false; - if(!$config['cron']['item']) - return; - $x=0; - foreach($config['cron']['item'] as $item) { - if(strstr($item['command'], "filter_configure_sync")) { - $is_installed = true; - break; - } - $x++; - } - switch($should_install) { - case true: - if(!$is_installed) { - $cron_item = array(); - $cron_item['minute'] = "0,15,30,45"; - $cron_item['hour'] = "*"; - $cron_item['mday'] = "*"; - $cron_item['month'] = "*"; - $cron_item['wday'] = "*"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/etc/rc.filter_configure_sync"; - $config['cron']['item'][] = $cron_item; - write_config("Installed 15 minute filter reload for Time Based Rules"); - configure_cron(); - } - break; - case false: - if($is_installed == true) { - if($x > 0) { - unset($config['cron']['item'][$x]); - write_config(); - } - configure_cron(); - } - break; - } -} - -/****f* pfsense-utils/tdr_create_ipfw_rule - * NAME - * tdr_create_ipfw_rule - * INPUTS - * $rule xml firewall rule array, $type allow or deny - * RESULT - * text string with ipfw rule already formatted - ******/ -function tdr_create_ipfw_rule($rule, $type) { - global $config, $g, $tdr_get_next_ipfw_rule, $FilterIflist; - - if (isset($rule['disabled'])) - return ""; - - $int = ""; - /* Check to see if the interface is in our list */ - if (isset($rule['floating'])) { - if (isset($rule['interface']) && $rule['interface'] <> "") - $aline['interface'] = "multiple"; /* XXX */ - else - $aline['interface'] = ""; - } else if (!array_key_exists($rule['interface'], $FilterIflist)) - return "# {$rule['interface']} 
does not exist or is disabled for " . $rule['descr']; - else { - if ($rule['interface'] == "pptp" || $rule['interface'] == "pppoe" || $rule['interface'] == "l2tp") - $aline['interface'] = "ng*"; - else - $aline['interface'] = " " . $FilterIflist[$rule['interface']]['if'] . " "; - } - - $ifcfg = $FilterIflist[$rule['interface']]; - if ($pptpdcfg['mode'] != "server") { - if (($rule['source']['network'] == "pptp") || - ($rule['destination']['network'] == "pptp")) - return "# source network or destination network == pptp on " . $rule['descr']; - } - if ($rule['source']['network'] && strstr($rule['source']['network'], "opt")) { - if (!array_key_exists($rule['source']['network'], $FilterIflist)) { - $optmatch = ""; - if (preg_match("/opt([0-999])/", $rule['source']['network'], $optmatch)) { - $opt_ip = $FilterIflist["opt{$optmatch[1]}"]['ip']; - if(!is_ipaddr($opt_ip)) - return "# unresolvable optarray $optmatch[0] - $opt_ip"; - } else { - return "# tdr {$rule['source']['network']} !array_key_exists source network " . $rule['descr']; - } - } - } - if ($rule['destination']['network'] && strstr($rule['destination']['network'], "opt")) { - if (!array_key_exists($rule['destination']['network'], $FilterIflist)) { - if(preg_match("/opt([0-999])/", $rule['destination']['network'], $optmatch)) { - $opt_ip = $FilterIflist["opt{$optmatch[1]}"]['ip']; - if(!is_ipaddr($opt_ip)) - return "# unresolvable oparray $optmatch[0] - $opt_ip"; - } else { - return "# tdr {$item} {$rule['destination']['network']} !array_key_exists dest network " . 
$rule['descr']; - } - } - } - /* check for unresolvable aliases */ - if ($rule['source']['address'] && !alias_expand($rule['source']['address'])) { - file_notice("Filter_Reload", "# unresolvable source aliases {$rule['descr']}"); - return "# tdr unresolvable source aliases {$rule['descr']}"; - } - if ($rule['destination']['address'] && !alias_expand($rule['destination']['address'])) { - file_notice("Filter_Reload", "# unresolvable dest aliases {$rule['descr']}"); - return "# tdr unresolvable dest aliases {$rule['descr']}"; - } - - if (isset($rule['protocol'])) { - if($rule['protocol'] == "tcp/udp") - $aline['prot'] = "ip "; - else if($rule['protocol'] == "icmp") - $aline['prot'] = "icmp "; - else - $aline['prot'] = "{$rule['protocol']} "; - } else { - if($rule['source']['port'] <> "" || $rule['destination']['port'] <> "") - $aline['prot'] = "tcp "; - } - - /* source address */ - if (isset($rule['source']['any'])) - $src = "any"; - else if ($rule['source']['network']) { - if (strstr($rule['source']['network'], "opt")) { - $src = $FilterIflist[$rule['source']['network']]['sa'] . "/" . 
- $FilterIflist[$rule['source']['network']]['sn']; - if (isset($rule['source']['not'])) - $src = " not {$src}"; - /* check for opt$NUMip here */ - $matches = ""; - if (preg_match("/opt([0-9999])ip/", $rule['source']['network'], $matches)) { - $optnum = $matches[1]; - $src = $FilterIflist["opt{$optnum}"]['ip']; - } - } else { - switch ($rule['source']['network']) { - case 'wanip': - $src = $FilterIflist["wan"]['ip']; - break; - case 'lanip': - $src = $FilterIflist["lan"]['ip']; - break; - case 'lan': - $lansa = $FilterIflist['lan']['sa']; - $lansn = $FilterIflist['lan']['sn']; - $src = "{$lansa}/{$lansn}"; - break; - case 'pptp': - $pptpsa = gen_subnet($FilterIflist['pptp']['ip'], $FilterIflist['pptp']['sn']); - $pptpsn = $FilterIflist['pptp']['sn']; - $src = "{$pptpsa}/{$pptpsn}"; - break; - case 'pppoe': - $pppoesa = gen_subnet($FilterIflist['pppoe']['ip'], $FilterIflist['pppoe']['sn']); - $pppoesn = $FilterIflist['pppoe']['sn']; - $src = "{$pppoesa}/{$pppoesn}"; - break; - } - if (isset($rule['source']['not'])) - $src = " not {$src}"; - } - } else if ($rule['source']['address']) { - $expsrc = alias_expand_value($rule['source']['address']); - if(!$expsrc) - $expsrc = $rule['source']['address']; - - if (isset($rule['source']['not'])) - $not = " not"; - else - $not = ""; - - if (alias_expand_value($rule['source']['address'])) { - $src = "{"; - $first_item = true; - foreach(preg_split("/[\s]+/", alias_expand_value($rule['source']['address'])) as $item) { - if($item != "") { - if(!$first_item) - $src .= " or"; - $src .= " {$not}{$item}"; - $first_item = false; - } - } - $src .= " }"; - } else - $src = "{$not}" . 
$expsrc; - } - if (!$src || ($src == "/")) - return "# tdr at the break!"; - - $aline['src'] = "from $src "; - - $srcporta = ""; - if (in_array($rule['protocol'], array("tcp","udp","tcp/udp"))) { - if ($rule['source']['port']) { - $srcport = explode("-", $rule['source']['port']); - if(alias_expand($srcport[0])) { - $first_time = true; - foreach(preg_split("/[\s]+/", alias_expand_value($srcport[0])) as $item) { - if(!$first_time) - $srcporta .= ","; - $srcporta .= $item; - $first_time = false; - } - } else - $srcporta = $srcport[0]; - - if ((!$srcport[1]) || ($srcport[0] == $srcport[1])) { - if(alias_expand($srcport[0])) - $aline['srcport'] = "{$srcporta} "; - else - $aline['srcport'] = "{$srcporta} "; - } else if (($srcport[0] == 1) && ($srcport[1] == 65535)) { - /* no need for a port statement here */ - } else if ($srcport[1] == 65535) - $aline['srcport'] = ">={$srcport[0]} "; - else if ($srcport[0] == 1) - $aline['srcport']= "<={$srcport[1]} "; - else - $aline['srcport'] = "{$srcport[0]}-{$srcport[1]} "; - } - } - - /* destination address */ - if (isset($rule['destination']['any'])) - $dst = "any"; - else if ($rule['destination']['network']) { - if (strstr($rule['destination']['network'], "opt")) { - $dst = $FilterIflist[$rule['destination']['network']]['sa'] . "/" . 
- $FilterIflist[$rule['destination']['network']]['sn']; - if (isset($rule['destination']['not'])) - $dst = " not {$dst}"; - /* check for opt$NUMip here */ - $matches = ""; - if (preg_match("/opt([0-9999])ip/", $rule['destination']['network'], $matches)) { - $optnum = $matches[1]; - $dst = $FilterIflist["opt{$optnum}"]['ip']; - } - } else { - switch ($rule['source']['network']) { - case 'wanip': - $dst = $FilterIflist["wan"]['ip']; - break; - case 'lanip': - $dst = $FilterIflist["lan"]['ip']; - break; - case 'lan': - $lansa = $FilterIflist['lan']['sa']; - $lansn = $FilterIflist['lan']['sn']; - $dst = "{$lansa}/{$lansn}"; - break; - case 'pptp': - $pptpsa = gen_subnet($FilterIflist['pptp']['ip'], $FilterIflist['pptp']['sn']); - $pptpsn = $FilterIflist['pptp']['sn']; - $dst = "{$pptpsa}/{$pptpsn}"; - break; - case 'pppoe': - $pppoesa = gen_subnet($FilterIflist['pppoe']['ip'], $FilterIflist['pppoe']['sn']); - $pppoesn = $FilterIflist['pppoe']['sn']; - $dst = "{$pppoesa}/{$pppoesn}"; - break; - } - if (isset($rule['destination']['not'])) - $dst = " not {$dst}"; - } - } else if ($rule['destination']['address']) { - $expdst = alias_expand_value($rule['destination']['address']); - if(!$expdst) - $expdst = $rule['destination']['address']; - - if (isset($rule['destination']['not'])) - $not = " not"; - else - $not = ""; - - if (alias_expand_value($rule['destination']['address'])) { - $dst = "{"; - $first_item = true; - foreach(preg_split("/[\s]+/", alias_expand_value($rule['destination']['address'])) as $item) { - if($item != "") { - if(!$first_item) - $dst .= " or"; - $dst .= " {$not}{$item}"; - $first_item = false; - } - } - $dst .= " }"; - } else - $dst = "{$not}" . 
$expdst; - } - - if (!$dst || ($dst == "/")) - return "# returning at dst $dst == \"/\""; - - $aline['dst'] = "to $dst "; - $dstporta = ""; - if (in_array($rule['protocol'], array("tcp","udp","tcp/udp"))) { - if ($rule['destination']['port']) { - $dstport = explode("-", $rule['destination']['port']); - if(alias_expand($dstport[0])) { - $first_time = true; - foreach(preg_split("/[\s]+/", alias_expand_value($dstport[0])) as $item) { - if(!$first_time) - $dstporta .= ","; - $dstporta .= $item; - $first_time = false; - } - } else - $dstporta = $dstport[0]; - - if ((!$dstport[1]) || ($dstport[0] == $dstport[1])) { - if(alias_expand($dstport[0])) - $aline['dstport'] = "{$dstporta} "; - else - $aline['dstport'] = "{$dstporta} "; - } else if (($dstport[0] == 1) && ($dstport[1] == 65535)) { - /* no need for a port statement here */ - } else if ($dstport[1] == 65535) - $aline['dstport'] = ">= {$dstport[0]} "; - else if ($dstport[0] == 1) - $aline['dstport'] = "<= {$dstport[1]} "; - else - $aline['dstport'] = "{$dstport[0]}-{$dstport[1]} "; - } - } - - if($aline['prot'] == "") - $aline['prot'] = "ip "; - - tdr_get_next_ipfw_rule(); - - /* piece together the actual user rule */ - if($type == "skipto") { - $next_rule = tdr_get_next_ipfw_rule(); - $next_rule = $next_rule+1; - $type = "skipto $next_rule"; - } - - /* piece together the actual user rule */ - if ($aline['interface'] == "multiple") { - $tmpline = $type . " " . $aline['prot'] . $aline['src'] . - $aline['srcport'] . $aline['dst'] . $aline['dstport'] . " in recv "; - $interfaces = explode(",", $rule['interface']); - $ifliste = ""; - foreach ($interfaces as $iface) { - if (array_key_exists($iface, $FilterIflist)) - $line .= "{$tmpline} " . $FilterIflist[$iface]['if'] . "; ";/* XXX */ - } - } else if ($aline['interface'] == "") - $line .= $type . " " . $aline['prot'] . $aline['src'] . - $aline['srcport'] . $aline['dst'] . $aline['dstport'] . " in "; - else - $line .= $type . " " . $aline['prot'] . $aline['src'] . 
- $aline['srcport'] . $aline['dst'] . $aline['dstport'] . " in recv " . - $aline['interface']; - - return $line; -} - -/****f* pfsense-utils/tdr_install_rule - * NAME - * tdr_install_rule - * INPUTS - * $rule - ascii string containing the ifpw rule to add - * RESULT - * none - ******/ -function tdr_install_rule($rule) { - global $tdr_next_ipfw_rule, $g; - - log_error("installing {$rule}"); - $lines = explode(";", $rule); - if (count($lines) > 1) { - foreach ($lines as $line) { - if ($g['debug']) - log_error("Executing /sbin/ipfw -f add {$tdr_next_ipfw_rule} set 9 $line"); - mwexec("/sbin/ipfw -f add {$tdr_next_ipfw_rule} set 9 $line"); - $tdr_next_ipfw_rule++; - } - } else { - if ($g['debug']) - log_error("Executing /sbin/ipfw -f add {$tdr_next_ipfw_rule} set 9 $rules"); - mwexec("/sbin/ipfw -f add $tdr_next_ipfw_rule set 9 $rule"); - } - $tdr_next_ipfw_rule++; -} - -/****f* pfsense-utils/tdr_get_next_ipfw_rule - * NAME - * tdr_get_next_ipfw_rule - * INPUTS - * none - * RESULT - * returns the next available ipfw rule number - ******/ -function tdr_get_next_ipfw_rule() { - global $tdr_next_ipfw_rule; - if(intval($tdr_next_ipfw_rule) < 2) - $tdr_next_ipfw_rule = 2; - return $tdr_next_ipfw_rule; - } - -/****f* pfsense-utils/tdr_install_set - * NAME - * tdr_install_set - * INPUTS - * none - * RESULT - * swaps in the temporary ipfw time based rule set - ******/ -function tdr_install_set() { - global $config; - - mwexec("/sbin/ipfw delete 1"); - mwexec("/sbin/ipfw add 1 check-state"); - mwexec("/sbin/ipfw delete 65534"); - mwexec("/sbin/ipfw add 1 allow all from me to any keep-state"); - if (!isset ($config['system']['webgui']['noantilockout']) && count($config['interfaces']) > 1) { - /* lan ip lockout */ - $lanip = get_interface_ip("lan"); - $lansn = get_interface_subnet("lan"); - $lansa = gen_subnet($lanip, $lansn); - mwexec("/sbin/ipfw add 1 allow all from {$lansa}/{$lansn} to $lanip keep-state"); - } - mwexec("/sbin/ipfw add 65534 check-state"); - /* set 8 contains 
time based rules */ - mwexec("/sbin/ipfw -f delete set 8"); - mwexec("/sbin/ipfw -f set swap 9 8"); -} - -/****f* pfsense-utils/get_time_based_rule_status - * NAME - * get_time_based_rule_status - * INPUTS - * xml schedule block - * RESULT - * true/false - true if the rule should be installed - ******/ -/* - <schedules> - <schedule> - <name>ScheduleMultipleTime</name> - <descr>main descr</descr> - <time> - <position>0,1,2</position> - <hour>0:0-24:0</hour> - <desc>time range 2</desc> - </time> - <time> - <position>4,5,6</position> - <hour>0:0-24:0</hour> - <desc>time range 1</desc> - </time> - </schedule> - </schedules> -*/ -function get_time_based_rule_status($schedule) { - $should_add_rule = false; - /* no schedule? rule should be installed */ - if($schedule == "") - return true; - /* - * iterate through time blocks and deterimine - * if the rule should be installed or not. - */ - foreach($schedule['timerange'] as $timeday) { - if($timeday['month']) - $month = $timeday['month']; - else - $week = ""; - if($timeday['day']) - $day = $timeday['day']; - else - $day = ""; - if($timeday['hour']) - $hour = $timeday['hour']; - else - $hour = ""; - if($timeday['position']) - $position = $timeday['position']; - else - $position = ""; - if($timeday['desc']) - $desc = $timeday['desc']; - else - $desc = ""; - if($month) { - $monthstatus = tdr_month($month); - } else { - $monthstatus = true; - } - if($day) { - $daystatus = tdr_day($day); - } else { - $daystatus = true; - } - if($hour) { - $hourstatus = tdr_hour($hour); - } else { - $hourstatus = true; - } - if($position) { - $positionstatus = tdr_position($position); - } else { - $positionstatus = true; - } - - if($monthstatus == true) - if($daystatus == true) - if($positionstatus == true) - if($hourstatus == true) { - $should_add_rule = true; - } - } - - return $should_add_rule; -} - -function tdr_day($schedule) { - /* - * Calculate day of month. 
- * IE: 29th of may - */ - $weekday = date("w"); - if ($weekday == 0) - $weekday = 7; - $date = date("d"); - $defined_days = split(",", $schedule); - log_error("[TDR DEBUG] tdr_day($schedule)"); - foreach($defined_days as $dd) { - if($date == $dd) { - return true; - } - } - return false; -} - -function tdr_hour($schedule) { - /* $schedule should be a string such as 16:00-19:00 */ - $tmp = split("-", $schedule); - $starting_time = strtotime($tmp[0]); - $ending_time = strtotime($tmp[1]); - $now = strtotime("now"); - log_error("[TDR DEBUG] S: $starting_time E: $ending_time N: $now"); - if($now >= $starting_time and $now <= $ending_time) { - return true; - } - return false; -} - -function tdr_position($schedule) { - /* - * Calculate possition, ie: day of week. - * Sunday = 7, Monday = 1, Tuesday = 2 - * Weds = 3, Thursday = 4, Friday = 5, - * Saturday = 6 - * ... - */ - $weekday = date("w"); - log_error("[TDR DEBUG] tdr_position($schedule) $weekday"); - if ($weekday == 0) - $weekday = 7; - $schedule_days = split(",", $schedule); - foreach($schedule_days as $day) { - if($day == $weekday) { - return true; - } - } - return false; -} - -function tdr_month($schedule) { - /* - * Calculate month - */ - $todays_month = date("n"); - $months = split(",", $schedule); - log_error("[TDR DEBUG] tdr_month($schedule)"); - foreach($months as $month) { - if($month == $todays_month) { - return true; - } - } - return false; -} - /****f* pfsense-utils/find_number_of_needed_carp_interfaces * NAME * find_number_of_needed_carp_interfaces |