* Delete previous rules

* If a schedule is referenced then ensure ipfw is loaded
* Add a deny rule via ipfw when a items schedule is expired

2 files changed, 22 insertions, 3 deletions

diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 0280bae..7fb5b83 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -86,6 +86,19 @@ function filter_configure_sync() {
 		echo "filter_configure_sync() being called $mt\n";
 	}
 
+	/* check to see if any rules reference a schedule
+	 * and if so load ipfw for later usage.
+	 */
+	foreach($config['filter']['rule'] as $rule) {
+		if($rule['schedule'])
+			$time_based_rules = true;
+	}
+	if($time_based_rules == true) {
+		$status =`kldstat | grep ipfw | wc -l | awk '{ print $1 }'`;
+		if($status < 1) 
+			mwexec("/sbin/kldload ipfw");
+	}
+
 	$lan_if = $config['interfaces']['lan']['if'];
 	$wan_if = get_real_wan_interface();
 
@@ -1898,8 +1911,13 @@ function generate_user_filter_rule($rule, $ngcounter) {
 	/* is a time based rule schedule attached? */
 	if($rule['schedule']) {
 		$status = get_time_based_rule_status($rule['schedule']);
-		if($status) 
+		if($status) {
 			return $line;
+		} else {
+			/* rule is turned off, lets block the item */
+			$ipfw_rule = tdr_create_ipfw_rule($rule, "deny");
+			tdr_install_rule($ipfw_rule);
+		}
 	} else {
 		return $line;
 	}
@@ -3080,4 +3098,4 @@ function return_vpn_subnet($adr) {
 
 }
 
-?>
+?>
\ No newline at end of file
diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc
index d4ea3a2..f3a4d3f 100644
--- a/etc/inc/pfsense-utils.inc
+++ b/etc/inc/pfsense-utils.inc
@@ -402,12 +402,13 @@ function tdr_create_ipfw_rule($rule, $type) {
 }
 
 function tdr_install_rule($rule) {
-	mwexec("/sbin/ipfw -f add set 9 $rule");
+	mwexec("/sbin/ipfw -f add 1 set 9 $rule");
 }
 
 function tdr_install_set() {
 	/* set 8 contains time based rules */
 	mwexec("/sbin/ipfw -f delete set 8");
+	mwexec("/sbin/ipfw -f delete 1");
 	mwexec("/sbin/ipfw -f set swap 9 8");
 }