author | Scott Ullrich <sullrich@pfsense.org> | 2007-04-21 23:22:34 +0000 |
---|---|---|
committer | Scott Ullrich <sullrich@pfsense.org> | 2007-04-21 23:22:34 +0000 |
commit | ffecf891209570563d982554fca069b0e2a4be1a (patch) | |
tree | 87223a2b3ca67738e56e8cf65522bc609b02d71d /etc | |
parent | b18e3f2e75c50efb0c05124c8bbd971db6fa9ac9 (diff) | |
Use skipto-type ipfw rules so that pass-type rules do not bail out of the ipfw ruleset; processing instead continues at the next rule.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/filter.inc | 6 | ||||
-rw-r--r-- | etc/inc/pfsense-utils.inc | 35 |
2 files changed, 37 insertions, 4 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index c9a0eae..28765e2 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1956,7 +1956,8 @@ function generate_user_filter_rule($rule, $ngcounter) {
 if($schedule_xml_block)
 $status = get_time_based_rule_status($schedule_xml_block);
 if($status) {
- log_error("[TDR DEBUG] status true -- rule type '$type'");
+ if($g['debug'])
+ log_error("[TDR DEBUG] status true -- rule type '$type'");
 if($type == "block") {
 $ipfw_rule = tdr_create_ipfw_rule($rule, "deny");
 tdr_install_rule($ipfw_rule);
@@ -1972,6 +1973,9 @@ function generate_user_filter_rule($rule, $ngcounter) {
 if($type == "pass") {
 $ipfw_rule = tdr_create_ipfw_rule($rule, "deny");
 tdr_install_rule($ipfw_rule);
+ } else {
+ $ipfw_rule = tdr_create_ipfw_rule($rule, "allow");
+ tdr_install_rule($ipfw_rule);
 }
 return "# $line";
 }
diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc
index 1184e3a..2a72de5 100644
--- a/etc/inc/pfsense-utils.inc
+++ b/etc/inc/pfsense-utils.inc
@@ -102,7 +102,7 @@ function tdr_install_cron($should_install) {
 * text string with ipfw rule already formatted
 ******/
 function tdr_create_ipfw_rule($rule, $type) {
- global $config, $g;
+ global $config, $g, $tdr_get_next_ipfw_rule;
 $wancfg = $config['interfaces']['wan'];
 $lancfg = $config['interfaces']['lan'];
@@ -455,7 +455,15 @@ function tdr_create_ipfw_rule($rule, $type) {
 if($aline['prot'] == "")
 $aline['prot'] = "ip ";
-
+
+ tdr_get_next_ipfw_rule();
+
+ /* piece together the actual user rule */
+ if($type == "allow") {
+ $next_rule = tdr_get_next_ipfw_rule+2;
+ $type = "skipto $next_rule";
+ }
+ /* piece together the actual user rule */ $line .= $type . " " . $aline['prot'] . $aline['src'] . $aline['srcport'] . $aline['dst'] . $aline['dstport'] . " in recv " . $aline['interface'];
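Review bot: The new gate `if($g['debug'])` in generate_user_filter_rule reads `$g`, but whether that function declares `global $g` is outside the hunk (the function starts before it); if it does not, `$g` is an undefined local, the gate is always false and the debug line is silently never logged. Confirm the `global $g;` declaration at the top of the function, or add it if missing. The body of generate_user_filter_rule continues outside the hunk.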
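Review bot: `global $config, $g, $tdr_get_next_ipfw_rule;` declares a global variable named after the tdr_get_next_ipfw_rule() function, and nothing in this commit ever assigns it; the counter the helper maintains is `$tdr_next_ipfw_rule`. This looks like a typo for that variable, and since tdr_create_ipfw_rule only calls the helper rather than touching the counter, the line can simply revert to `global $config, $g;`. tdr_create_ipfw_rule's body continues outside the hunk.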
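Review bot: `$next_rule = tdr_get_next_ipfw_rule+2;` does not call the helper: without parentheses PHP of this era treats `tdr_get_next_ipfw_rule` as an undefined constant, which evaluates to a non-numeric string and therefore to 0 in arithmetic, so every allow rule is emitted as `skipto 2` no matter which rule number it is installed at, and the preceding bare `tdr_get_next_ipfw_rule();` call discards the number it returns. The intended "skip past the next rule" target is never produced, which defeats the purpose stated in the commit message. Change it to `$next_rule = tdr_get_next_ipfw_rule() + 2;` and drop the bare call above it. The hunk's trailing context is still collapsed on one line, and tdr_create_ipfw_rule continues past the hunk.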
@@ -473,9 +481,26 @@ function tdr_create_ipfw_rule($rule, $type) {
 * none
 ******/
 function tdr_install_rule($rule) {
- mwexec("/sbin/ipfw -f add 2 set 9 $rule");
+ global $tdr_next_ipfw_rule;
+ mwexec("/sbin/ipfw -f add $tdr_next_ipfw_rule set 9 $rule");
+ $tdr_next_ipfw_rule++;
 }
 
+/****f* pfsense-utils/tdr_get_next_ipfw_rule
+ * NAME
+ * tdr_get_next_ipfw_rule
+ * INPUTS
+ * none
+ * RESULT
+ * returns the next available ipfw rule number
+ ******/
+function tdr_get_next_ipfw_rule() {
+ global $tdr_next_ipfw_rule;
+ if(!$tdr_next_ipfw_rule)
+ $tdr_next_ipfw_rule = 2;
+ return $tdr_next_ipfw_rule;
+ }
+
 /****f* pfsense-utils/tdr_install_set
 * NAME
 * tdr_install_set
@@ -594,6 +619,7 @@ function tdr_day($schedule) {
 $weekday = 7;
 $date = date("d");
 $defined_days = split(",", $schedule);
+ log_error("[TDR DEBUG] tdr_day($schedule)");
 foreach($defined_days as $dd) {
 if($date == $dd) {
 return true;
@@ -609,6 +635,7 @@ function tdr_hour($schedule) {
 $starting_time = strtotime($tmp[0]);
 $ending_time = strtotime($tmp[1]);
 $now = strtotime("now");
+ log_error("[TDR DEBUG] S: $starting_time E: $ending_time N: $now");
 if($now >= $starting_time and $now <= $ending_time) {
 return true;
 }
@@ -625,6 +652,7 @@ function tdr_position($schedule) {
 */
 global $debug;
 $weekday = date("w");
+ log_error("[TDR DEBUG] tdr_position($schedule) $weekday");
 if ($weekday == 0)
 $weekday = 7;
 $schedule_days = split(",", $schedule);
@@ -643,6 +671,7 @@ function tdr_month($schedule) {
 global $debug;
 $todays_month = date("n");
 $months = split(",", $schedule);
+ log_error("[TDR DEBUG] tdr_month($schedule)");
 foreach($months as $month) {
 if($month == $todays_month) {
 return true; |
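Review bot: tdr_install_rule interpolates `$tdr_next_ipfw_rule` into the ipfw command without ensuring it was initialised; it only works because tdr_create_ipfw_rule happens to call tdr_get_next_ipfw_rule() first, and any caller that installs a rule string built elsewhere would run `ipfw -f add  set 9 ...` with an empty rule number and then increment null. Make the function self-contained by taking the number from the helper: `$rulenum = tdr_get_next_ipfw_rule();` then `mwexec("/sbin/ipfw -f add $rulenum set 9 $rule");` followed by the existing `$tdr_next_ipfw_rule++;`. The counter is also process-global and never reset, so the numbers a rule receives depend on how many rules the same PHP process installed earlier; the new tdr_get_next_ipfw_rule docblock should say so, e.g. `* starts at 2 on first use and is never reset within the process`.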
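Review bot: The new `log_error("[TDR DEBUG] tdr_position($schedule) $weekday");` is unconditional, so every schedule evaluation writes a debug line to the system log; filter.inc in this same commit gates its equivalent [TDR DEBUG] line on a debug flag, and tdr_position already declares `global $debug;` in the visible context, so gate it the same way: `if($debug) log_error("[TDR DEBUG] tdr_position($schedule) $weekday");`. The same applies to the three sibling hunks adding unconditional log_error calls in tdr_day, tdr_hour and tdr_month. tdr_position's body continues outside the hunk.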