authorErmal Luçi <eri@pfsense.org>2009-07-06 17:50:15 +0000
committerErmal Luçi <eri@pfsense.org>2009-07-06 17:50:15 +0000
commit6bb91286ec348d5e716ce2beedacbda982437f2f (patch)
treedf99ea2e902dc2bf9aa3b09223c683357e02948e /etc
parent7fc26246d6c49141b056fc34486b3de9b8006789 (diff)
Present hook points for packages to present their rules.
This allows the filter.inc dependency to be removed from pkg-utils.inc and simplifies much of the firewall-related work in package writing. The rules hardcoded in filter.inc for some packages will be removed in a second pass.
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/filter.inc33
-rw-r--r--etc/inc/pkg-utils.inc56
2 files changed, 52 insertions, 37 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 8ef1e1f..1a6e2d0 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -587,6 +587,9 @@ function filter_nat_rules_generate()
{
global $config, $g, $after_filter_configure_run, $FilterIflist;
$natrules .= "nat-anchor \"natearly/*\"\n";
+ if (file_exists("{$g['tmp_path']}/rules.natearly.packages"))
+ $natrules .= file_get_contents("{$g['tmp_path']}/rules.natearly.packages");
+
$natrules .= "nat-anchor \"natrules/*\"\n\n";
update_filter_reload_status("Creating 1:1 rules...");
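Review bot: The package file is spliced into the ruleset with no separator, so if `rules.natearly.packages` does not end in a newline the following `nat-anchor "natrules/*"` text is glued onto the last package rule and the entire ruleset fails to load, not just the package part. Normalise on read: `$natrules .= rtrim(file_get_contents("{$g['tmp_path']}/rules.natearly.packages")) . "\n";`. Note also that the contents now land in the main ruleset rather than in the `pkgnatearly` anchor the removed pkg-utils code loaded them into, so anything able to write `$g['tmp_path']` (a world-writable location if that is /tmp — not visible here) can inject rules that are loaded as root at the next reload; a non-world-writable directory or an owner/mode check before reading would close that. filter_nat_rules_generate begins and ends outside this hunk.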
@@ -751,6 +754,9 @@ function filter_nat_rules_generate()
$natrules .= "\n# Load balancing anchor\n";
$natrules .= "rdr-anchor \"relayd/*\"\n";
+ if (file_exists("{$g['tmp_path']}/rules.rdrearly.packages"))
+ $natrules .= file_get_contents("{$g['tmp_path']}/rules.rdrearly.packages");
+
update_filter_reload_status("Setting up TFTP helper");
$natrules .= "# TFTP proxy\n";
$natrules .= "rdr-anchor \"tftp-proxy/*\"\n";
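Review bot: Nothing here ties the file being read to the `pfctl -nf` check done in pkg_build_filter_rules; a package that rewrites `rules.rdrearly.packages` after that check, or a filter reload that runs before any check, puts unvalidated text into the ruleset, and one bad line then aborts the whole load. At minimum document the contract on the read, e.g. `/* trusted only because pkg_build_filter_rules() ran pfctl -nf on it; rewriting the file afterwards bypasses that check */`, or better, run `pfctl -nf` on the assembled ruleset before applying it. The same missing trailing-newline separator applies as for the other package files. filter_nat_rules_generate continues beyond the hunk.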
@@ -1033,6 +1039,12 @@ rdr on \${$FilterIflist['wan']['descr']} proto tcp from any to any port 1723 ->
EOD;
}
}
+
+ if (file_exists("{$g['tmp_path']}/rules.nat.packages"))
+ $natrules .= file_get_contents("{$g['tmp_path']}/rules.nat.packages");
+ if (file_exists("{$g['tmp_path']}/rules.rdr.packages"))
+ $natrules .= file_get_contents("{$g['tmp_path']}/rules.rdr.packages");
+
if (is_package_installed('squid') && file_exists('/usr/local/pkg/squid.inc')) {
require_once('squid.inc');
$natrules .= squid_generate_rules('nat');
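Review bot: This is the third copy of the same `file_exists`/`file_get_contents` triplet in this function, with three more in the filter-rules function; a small helper would make each hook one line and give a single place to handle the missing-separator case and any ownership check on the file. Keep in mind that pf evaluates nat/rdr rules first-match, so placing `rules.nat.packages` and `rules.rdr.packages` before the squid rdr rules means a package redirect that overlaps squid's ports wins over squid; that ordering may be intended but deserves a comment at the insertion point. The enclosing function starts and ends outside this hunk.

```php
/* Return the contents of a package rules file from tmp_path, newline-terminated, or "" if absent. */
function filter_read_package_rules($hook) {
	global $g;
	$file = "{$g['tmp_path']}/rules.{$hook}.packages";
	return file_exists($file) ? rtrim(file_get_contents($file)) . "\n" : "";
}
// … unchanged: PPTP rdr heredoc …
$natrules .= filter_read_package_rules('nat');
$natrules .= filter_read_package_rules('rdr');
```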
@@ -1600,6 +1612,13 @@ block quick from any to <snort2c> label "Block snort2c hosts"
# package manager early specific hook
anchor "packageearly"
+EOD;
+
+ if (file_exists("{$g['tmp_path']}/rules.rulesearly.packages"))
+ $ipfrules .= file_get_contents("{$g['tmp_path']}/rules.rulesearly.packages");
+
+ $ipfrules .= <<<EOD
+
# carp
anchor "carp"
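Review bot: The `anchor "packageearly"` line is kept, but the pkg-utils side of this same commit removes the `pfctl -a packageearly -f` call that used to populate it, so after this change the anchor is empty unless a package loads it by hand. Either drop it now or mark its new role so the next reader does not assume pkg_build_filter_rules fills it, e.g. `# package manager early specific hook (anchor is no longer loaded by pkg_build_filter_rules; packages may load it via pfctl -a packageearly)`. The `rules.rulesearly.packages` read has the same missing-separator issue as the NAT hooks: if the file lacks a trailing newline the `# carp` comment below attaches to the last rule line. The enclosing function begins and ends outside the hunk.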
@@ -1818,12 +1837,6 @@ pass in inet tagged PFREFLECT keep state label "NAT REFLECT: Allow traffic to lo
EOD;
}
- $ipfrules .= <<<EOD
-# package manager late specific hook
-anchor "packagelate"
-
-EOD;
-
if (isset($config['filter']['rule'])) {
/* Pre-cache all our rules so we only have to generate them once */
$rule_arr1 = array();
@@ -1863,6 +1876,14 @@ EOD;
update_filter_reload_status("Creating IPsec rules...");
$ipfrules .= generate_ipsec_filter_rules();
+ $ipfrules .= <<<EOD
+# package manager late specific hook
+anchor "packagelate"
+
+EOD;
+ if (file_exists("{$g['tmp_path']}/rules.packages"))
+ $ipfrules .= file_get_contents("{$g['tmp_path']}/rules.packages");
+
if (is_package_installed('clamav') && file_exists('/usr/local/pkg/clamav.inc')) {
require_once('clamav.inc');
$ipfrules .= clamav_generate_rules('filter');
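Review bot: Moving the `packagelate` hook and `rules.packages` from before the user rules (the block removed in the previous hunk) to after the user and IPsec rules changes their precedence: pf keeps the last matching rule unless an earlier match is `quick`, so a package `pass` or `block` without `quick` now overrides any preceding non-quick user or IPsec rule, where before it was overridden by them. Whether every generated user rule carries `quick` is not visible here, so if the new position is intended say so in the hook comment, e.g. `# package manager late specific hook: evaluated after user and IPsec rules, so a non-quick package rule takes precedence over them`; if not, keep the insertion point where the removed block sat. The read also needs the same trailing-newline normalisation as the other hooks. The enclosing function starts and ends outside this hunk.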
diff --git a/etc/inc/pkg-utils.inc b/etc/inc/pkg-utils.inc
index 680fc49..09f402b 100644
--- a/etc/inc/pkg-utils.inc
+++ b/etc/inc/pkg-utils.inc
@@ -1034,54 +1034,48 @@ function pkg_build_filter_rules() {
$error = "";
$status = mwexec("/sbin/pfctl -nf {$g['tmp_path']}/rules.natearly.packages");
if ($status <> 0) {
- log_error("There was an error while parsing the NAT early package rules.");
- $error = "\nThere was an error while parsing the NAT early package rules.";
- } else {
- mwexec("/sbin/pfctl -a pkgnatearly -F rules");
- mwexec("/sbin/pfctl -a pkgnatearly -f {$g['tmp_path']}/rules.natearly.packages");
+ $errornatearly = "There was an error while parsing the NAT early package rules.\n";
+ $error .= $errornatearly;
+ log_error($errornatearly);
+ file_put_contents("{$g['tmp_path']}/rules.natearly.packages", "#{$errornatearly}\n");
}
$status = mwexec("/sbin/pfctl -nf {$g['tmp_path']}/rules.nat.packages");
if ($status <> 0) {
- log_error("There was an error while parsing the NAT package rules.");
- $error = "\nThere was an error while parsing the NAT package rules.";
- } else {
- mwexec("/sbin/pfctl -a pkgnat -F rules");
- mwexec("/sbin/pfctl -a pkgnat -f {$g['tmp_path']}/rules.nat.packages");
+ $errornat = "There was an error while parsing the NAT package rules.\n";
+ $error .= $errornat;
+ log_error($errornat);
+ file_put_contents("{$g['tmp_path']}/rules.nat.packages", "#{$errornat}\n");
}
$status = mwexec("/sbin/pfctl -nf {$g['tmp_path']}/rules.rulesearly.packages");
if ($status <> 0) {
- log_error("There was an error while parsing the package filter early rules.");
- $error = "\nThere was an error while parsing the package filter early rules.";
- } else {
- mwexec("/sbin/pfctl -a packageearly -F rules");
- mwexec("/sbin/pfctl -a packageearly -f {$g['tmp_path']}/rulesearly.packages");
+ $errorrulesearly = "There was an error while parsing the package filter early rules.\n";
+ $error .= $errorrulesearly;
+ log_error($errorrulesearly);
+ file_put_contents("{$g['tmp_path']}/rules.rulesearly.packages", "#{$errorrulesearly}\n");
}
$status = mwexec("/sbin/pfctl -nf {$g['tmp_path']}/rules.packages");
if ($status <> 0) {
- log_error("There was an error while parsing the package filter rules.");
- $error = "\nThere was an error while parsing the package filter rules.";
- } else {
- mwexec("/sbin/pfctl -a packagelate -F rules");
- mwexec("/sbin/pfctl -a packagelate -f {$g['tmp_path']}/rules.packages");
+ $errorrules = "There was an error while parsing the package filter rules.\n";
+ $error .= $errorrules;
+ log_error($errorrules);
+ file_put_contents("{$g['tmp_path']}/rules.packages", "#{$errorrules}\n");
}
$status = mwexec("/sbin/pfctl -nf {$g['tmp_path']}/rules.rdrearly.packages");
if ($status <> 0) {
- log_error("There was an error while parsing the RDR early package rules.");
- $error = "\nThere was an error while parsing the RDR early package rules.";
- } else {
- mwexec("/sbin/pfctl -a pkgrdrearly -F rules");
- mwexec("/sbin/pfctl -a pkgrdrearly -f {$g['tmp_path']}/rules.rdrearly.packages");
+ $errorrdrearly = "There was an error while parsing the RDR early package rules.\n";
+ $error .= $errorrdrearly;
+ log_error($errorrdrearly);
+ file_put_contents("{$g['tmp_path']}/rules.rdrearly.packages", "#{$errorrdrearly}\n");
}
$status = mwexec("/sbin/pfctl -nf {$g['tmp_path']}/rules.rdr.packages");
if ($status <> 0) {
- log_error("There was an error while parsing the RDR package rules.");
- $error = "\nThere was an error while parsing the RDR package rules.";
- } else {
- mwexec("/sbin/pfctl -a pkgrdr -F rules");
- mwexec("/sbin/pfctl -a pkgrdr -f {$g['tmp_path']}/rules.rdr.packages");
+ $errorrdr = "There was an error while parsing the RDR package rules.\n";
+ $error .= $errorrdr;
+ log_error($errorrdr);
+ file_put_contents("{$g['tmp_path']}/rules.rdr.packages", "#{$errorrdr}\n");
}
if ($error <> "")
file_notice($error);
}
-?> \ No newline at end of file
+?>
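Review bot: Each file is still syntax-checked on its own with `pfctl -nf`, but the filter.inc side of this commit now splices the files into the main ruleset, so the check no longer matches the load: a file that references macros or tables defined only by the main ruleset is rejected here and blanked, while a file that passes standalone can still break the full `pfctl -f` (for example by redefining a table or using `set` options) and take the whole firewall ruleset down with it. Validate in the context the rules will actually run in, either by checking the assembled ruleset before it is applied or by prepending the main ruleset's macro definitions to each file before `-nf`. Overwriting a rejected file with `#error\n` also destroys the evidence needed to debug the package; keep a copy first, e.g. `copy("{$g['tmp_path']}/rules.nat.packages", "{$g['tmp_path']}/rules.nat.packages.bad");`. The six near-identical blocks could be a single `foreach` over a hook-name to message map, which would also keep the filenames and anchor names in one place. pkg_build_filter_rules begins before this hunk.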