authorScott Ullrich <sullrich@pfsense.org>2007-04-21 23:22:34 +0000
committerScott Ullrich <sullrich@pfsense.org>2007-04-21 23:22:34 +0000
commitffecf891209570563d982554fca069b0e2a4be1a (patch)
tree87223a2b3ca67738e56e8cf65522bc609b02d71d /etc
parentb18e3f2e75c50efb0c05124c8bbd971db6fa9ac9 (diff)
downloadpfsense-ffecf891209570563d982554fca069b0e2a4be1a.zip
pfsense-ffecf891209570563d982554fca069b0e2a4be1a.tar.gz
Use skipto-type ipfw rules so that pass-type rules do not bail out of the ipfw ruleset but instead keep processing at the next rule.
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/filter.inc6
-rw-r--r--etc/inc/pfsense-utils.inc35
2 files changed, 37 insertions, 4 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index c9a0eae..28765e2 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1956,7 +1956,8 @@ function generate_user_filter_rule($rule, $ngcounter) {
if($schedule_xml_block)
$status = get_time_based_rule_status($schedule_xml_block);
if($status) {
- log_error("[TDR DEBUG] status true -- rule type '$type'");
+ if($g['debug'])
+ log_error("[TDR DEBUG] status true -- rule type '$type'");
if($type == "block") {
$ipfw_rule = tdr_create_ipfw_rule($rule, "deny");
tdr_install_rule($ipfw_rule);
@@ -1972,6 +1973,9 @@ function generate_user_filter_rule($rule, $ngcounter) {
if($type == "pass") {
$ipfw_rule = tdr_create_ipfw_rule($rule, "deny");
tdr_install_rule($ipfw_rule);
+ } else {
+ $ipfw_rule = tdr_create_ipfw_rule($rule, "allow");
+ tdr_install_rule($ipfw_rule);
}
return "# $line";
}
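Review bot: The added `else` branch installs an "allow" rule for every rule type other than "pass", which includes any unexpected or future type value, not just "block". On a firewall path it is safer to name the type being handled, e.g. `} else if($type == "block") {`, and install nothing for anything else. The enclosing branch of generate_user_filter_rule starts outside this hunk, so which schedule state this covers is inferred from the first hunk.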
diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc
index 1184e3a..2a72de5 100644
--- a/etc/inc/pfsense-utils.inc
+++ b/etc/inc/pfsense-utils.inc
@@ -102,7 +102,7 @@ function tdr_install_cron($should_install) {
* text string with ipfw rule already formatted
******/
function tdr_create_ipfw_rule($rule, $type) {
- global $config, $g;
+ global $config, $g, $tdr_get_next_ipfw_rule;
$wancfg = $config['interfaces']['wan'];
$lancfg = $config['interfaces']['lan'];
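Review bot: The new `global` line imports `$tdr_get_next_ipfw_rule`, a variable that nothing in this diff assigns; the counter used by tdr_install_rule and tdr_get_next_ipfw_rule() is `$tdr_next_ipfw_rule`. If the counter is meant to be read directly here, the line should be `global $config, $g, $tdr_next_ipfw_rule;`. If it is only read through the function, the original `global $config, $g;` is enough. The body of tdr_create_ipfw_rule continues outside the hunk.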
@@ -455,7 +455,15 @@ function tdr_create_ipfw_rule($rule, $type) {
if($aline['prot'] == "")
$aline['prot'] = "ip ";
-
+
+ tdr_get_next_ipfw_rule();
+
+ /* piece together the actual user rule */
+ if($type == "allow") {
+ $next_rule = tdr_get_next_ipfw_rule+2;
+ $type = "skipto $next_rule";
+ }
+
/* piece together the actual user rule */
$line .= $type . " " . $aline['prot'] . $aline['src'] .
$aline['srcport'] . $aline['dst'] . $aline['dstport'] . " in recv " . $aline['interface'];
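Review bot: `$next_rule = tdr_get_next_ipfw_rule+2;` is missing the call parentheses, so PHP reads `tdr_get_next_ipfw_rule` as a bare constant name rather than calling the function. The skipto target therefore does not follow the rule counter, and pass rules may jump to a fixed rule number instead of the rule after the one being installed. The call a few lines earlier discards its return value; the two can be merged as `$next_rule = tdr_get_next_ipfw_rule() + 2;`. The `+ 2` offset should also be checked against tdr_install_rule, which advances the counter by one per rule. The duplicated `/* piece together the actual user rule */` comment could instead say that "allow" is rewritten to a skipto.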
@@ -473,9 +481,26 @@ function tdr_create_ipfw_rule($rule, $type) {
* none
******/
function tdr_install_rule($rule) {
- mwexec("/sbin/ipfw -f add 2 set 9 $rule");
+ global $tdr_next_ipfw_rule;
+ mwexec("/sbin/ipfw -f add $tdr_next_ipfw_rule set 9 $rule");
+ $tdr_next_ipfw_rule++;
}
+/****f* pfsense-utils/tdr_get_next_ipfw_rule
+ * NAME
+ * tdr_get_next_ipfw_rule
+ * INPUTS
+ * none
+ * RESULT
+ * returns the next available ipfw rule number
+ ******/
+function tdr_get_next_ipfw_rule() {
+ global $tdr_next_ipfw_rule;
+ if(!$tdr_next_ipfw_rule)
+ $tdr_next_ipfw_rule = 2;
+ return $tdr_next_ipfw_rule;
+ }
+
/****f* pfsense-utils/tdr_install_set
* NAME
* tdr_install_set
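Review bot: tdr_install_rule reads `$tdr_next_ipfw_rule` directly and relies on some earlier caller having run tdr_get_next_ipfw_rule() to initialise it. If it is ever called first, the command becomes `ipfw -f add  set 9 …` with an empty rule number. Calling `tdr_get_next_ipfw_rule();` at the top of tdr_install_rule, before the `mwexec` line, makes the initialisation local. Nothing visible here resets the counter between ruleset reloads, so it is worth confirming that numbers do not keep growing across reloads within one process. The docblock for tdr_install_rule could also note that the function advances the global counter as a side effect.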
@@ -594,6 +619,7 @@ function tdr_day($schedule) {
$weekday = 7;
$date = date("d");
$defined_days = split(",", $schedule);
+ log_error("[TDR DEBUG] tdr_day($schedule)");
foreach($defined_days as $dd) {
if($date == $dd) {
return true;
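Review bot: The `log_error("[TDR DEBUG] …")` call added in tdr_day is unconditional, and the same applies to the ones added in tdr_hour, tdr_position and tdr_month, while the filter.inc hunk of this commit gates its debug line behind `if($g['debug'])`. These helpers run on every schedule evaluation, so the system log on a firewall will fill with debug lines and real events become harder to find. Gate each one the same way, e.g. `if($g['debug']) log_error("[TDR DEBUG] tdr_day($schedule)");`, adding `global $g;` where needed. tdr_position and tdr_month already declare `global $debug`, which could be used instead. The global declarations for tdr_day and tdr_hour are outside the visible hunks.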
@@ -609,6 +635,7 @@ function tdr_hour($schedule) {
$starting_time = strtotime($tmp[0]);
$ending_time = strtotime($tmp[1]);
$now = strtotime("now");
+ log_error("[TDR DEBUG] S: $starting_time E: $ending_time N: $now");
if($now >= $starting_time and $now <= $ending_time) {
return true;
}
@@ -625,6 +652,7 @@ function tdr_position($schedule) {
*/
global $debug;
$weekday = date("w");
+ log_error("[TDR DEBUG] tdr_position($schedule) $weekday");
if ($weekday == 0)
$weekday = 7;
$schedule_days = split(",", $schedule);
@@ -643,6 +671,7 @@ function tdr_month($schedule) {
global $debug;
$todays_month = date("n");
$months = split(",", $schedule);
+ log_error("[TDR DEBUG] tdr_month($schedule)");
foreach($months as $month) {
if($month == $todays_month) {
return true;