author | Ermal <eri@pfsense.org> | 2010-05-05 19:24:28 +0000 |
---|---|---|
committer | Ermal <eri@pfsense.org> | 2010-05-05 19:26:34 +0000 |
commit | b8ed2a11a038955f833cb6742928534200d831bf (patch) | |
tree | a0653403d98887b805d1e6a5e75e0ff625ebc10d /etc/inc | |
parent | b315e307decf76b0b5fd57488a0ed0f383d700e9 (diff) | |
download | pfsense-b8ed2a11a038955f833cb6742928534200d831bf.zip pfsense-b8ed2a11a038955f833cb6742928534200d831bf.tar.gz |
Implement tcp flags and sloppy state on the GUI.
Diffstat (limited to 'etc/inc')
-rw-r--r-- | etc/inc/filter.inc | 57 |
1 files changed, 42 insertions, 15 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 2da8548..e0ed52c 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1599,9 +1599,29 @@ function filter_generate_user_rule($rule) {
 if($type == "pass") {
 if(isset($rule['allowopts']))
 $aline['allowopts'] = " allow-opts ";
- if( isset($rule['source-track']) or isset($rule['max']) or isset($rule['max-src-nodes']) or isset($rule['max-src-conn']) or isset($rule['max-src-states']) )
- if($rule['protocol'] == "tcp")
+
+ $aline['flags'] = "";
+ if($rule['protocol'] == "tcp") {
+ if (isset($rule['tcpflags_any']))
+ $aline['flags'] = "flags any ";
+ else if (!empty($rule['tcpflags2'])) {
+ $aline['flags'] = "flags ";
+ if (!empty($rule['tcpflags1'])) {
+ $flags1 = explode(",", $rule['tcpflags1']);
+ foreach ($flags1 as $flag1)
+ $aline['flags'] .= strtoupper($flag1[0]);
+ }
+ $aline['flags'] .= "/";
+ if (!empty($rule['tcpflags2'])) {
+ $flags2 = explode(",", $rule['tcpflags2']);
+ foreach ($flags2 as $flag2)
+ $aline['flags'] .= strtoupper($flag2[0]);
+ }
+ $aline['flags'] .= " ";
+ } else $aline['flags'] = "flags S/SA ";
+ }
+
 /*
 * # keep state
 * works with TCP, UDP, and ICMP.
 
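Review bot: The `flags` clause is assembled from `strtoupper($flag1[0])` and `strtoupper($flag2[0])` with no check that the resulting letter is one pf accepts, so an unexpected or empty token in `tcpflags1`/`tcpflags2` (a stray trailing comma, for instance, gives an empty-offset notice and an empty letter) yields a clause that pfctl will likely reject, taking the generated ruleset down with it rather than just this rule. Each loop should keep only letters from pf's flag set (F, S, R, P, A, U, E, W) and drop anything else; the rewritten loops are below, and if the GUI has a fixed token list, validating against that would be stricter still. A second quirk: when `tcpflags1` is set but `tcpflags2` is empty, the `else if` falls through to `flags S/SA` and the user's selection is silently discarded, which deserves at least a comment such as `/* pf needs a mask: without tcpflags2 fall back to the default S/SA */`. The `$aline['flags'] = ""` initialization only runs inside `if($type == "pass")`, while the second hunk changes every state assignment to `.=`; if that state block can run for other rule types the append would hit an unset index, worth confirming. filter_generate_user_rule continues outside this hunk.
```php
// … unchanged: tcpflags_any branch and the "flags " prefix …
if (!empty($rule['tcpflags1'])) {
    foreach (explode(",", $rule['tcpflags1']) as $flag1) {
        $flag1 = strtoupper(substr(trim($flag1), 0, 1));
        /* only letters pf understands; anything else is dropped so the ruleset still loads */
        if ($flag1 !== "" && strpos("FSRPAUEW", $flag1) !== false)
            $aline['flags'] .= $flag1;
    }
}
$aline['flags'] .= "/";
if (!empty($rule['tcpflags2'])) {
    foreach (explode(",", $rule['tcpflags2']) as $flag2) {
        $flag2 = strtoupper(substr(trim($flag2), 0, 1));
        if ($flag2 !== "" && strpos("FSRPAUEW", $flag2) !== false)
            $aline['flags'] .= $flag2;
    }
}
// … unchanged: trailing space and the S/SA fallback …
```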
@@ -1620,30 +1640,37 @@ function filter_generate_user_rule($rule) {
 switch($rule['statetype']) {
 case "none":
 $noadvoptions = true;
- $aline['flags'] = " no state ";
+ $aline['flags'] .= " no state ";
 break;
 case "modulate state":
 case "synproxy state":
 if($rule['protocol'] == "tcp")
- $aline['flags'] = "{$rule['statetype']} ";
+ $aline['flags'] .= "{$rule['statetype']} ";
+ break;
+ case "sloppy state":
+ $aline['flags'] .= "keep state ";
+ $rule['sloppy'] = true;
 break;
 default:
- $aline['flags'] = "{$rule['statetype']} ";
+ $aline['flags'] .= "{$rule['statetype']} ";
+ break;
 }
 } else
- $aline['flags'] = "keep state ";
+ $aline['flags'] .= "keep state ";
 if($noadvoptions == false || $l7_present)
- if( isset($rule['source-track']) and $rule['source-track'] <> "" or
- isset($rule['max']) and $rule['max'] <> "" or
- isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "" or
- isset($rule['max-src-conn']) and $rule['max-src-conn'] <> "" or
- isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> "" or
- isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "" or
- isset($rule['max-src-states']) and $rule['max-src-states'] <> "" or
- isset($rule['statetimeout']) and $rule['statetimeout'] <> "" or
- $l7_present) {
+ if( (isset($rule['source-track']) and $rule['source-track'] <> "") or
+ (isset($rule['max']) and $rule['max'] <> "") or
+ (isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "") or
+ (isset($rule['max-src-conn']) and $rule['max-src-conn'] <> "") or
+ (isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> "") or
+ (isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "") or
+ (isset($rule['max-src-states']) and $rule['max-src-states'] <> "") or
+ (isset($rule['statetimeout']) and $rule['statetimeout'] <> "") or
+ isset($rule['sloppy']) or $l7_present) {
 $aline['flags'] .= "( ";
+ if (isset($rule['sloppy']))
+ $aline['flags'] .= "sloppy ";
 if(isset($rule['source-track']) and 
$rule['source-track'] <> "") $aline['flags'] .= "source-track rule "; if(isset($rule['max']) and $rule['max'] <> "") |