author | Chris Buechler <cmb@pfsense.org> | 2015-11-20 20:06:48 -0600 |
---|---|---|
committer | Chris Buechler <cmb@pfsense.org> | 2015-11-20 20:06:48 -0600 |
commit | d65c61130ae616c372dd4ef73632bcbaf5d058d8 (patch) | |
tree | ba9d390f98a1a44aa17b203eb3c0208e8fd52b20 /src/etc | |
parent | d036bc07bca646598cfde90e4c440b033869afdb (diff) | |
download | pfsense-d65c61130ae616c372dd4ef73632bcbaf5d058d8.zip pfsense-d65c61130ae616c372dd4ef73632bcbaf5d058d8.tar.gz |
Remove layer7 components. Ticket #5508
Diffstat (limited to 'src/etc')
-rw-r--r-- | src/etc/inc/filter.inc | 22 | ||||
-rw-r--r-- | src/etc/inc/priv.defs.inc | 6 | ||||
-rw-r--r-- | src/etc/inc/shaper.inc | 455 | ||||
-rwxr-xr-x | src/etc/rc.filter_synchronize | 3 |
4 files changed, 3 insertions, 483 deletions
diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc index e33c08f..9fcefbc 100644 --- a/src/etc/inc/filter.inc +++ b/src/etc/inc/filter.inc @@ -277,8 +277,6 @@ function filter_configure_sync($delete_states_if_needed = true) { } update_filter_reload_status(gettext("Generating ALTQ queues")); $altq_queues = filter_generate_altq_queues(); - update_filter_reload_status(gettext("Generating Layer7 rules")); - generate_layer7_files(); if (platform_booting() == true) { echo "."; } @@ -464,9 +462,6 @@ function filter_configure_sync($delete_states_if_needed = true) { $_grbg = exec("/sbin/pfctl -t bogonsv6 -T kill 2>/dev/null"); } - update_filter_reload_status(gettext("Starting up layer7 daemon")); - layer7_start_l7daemon(); - if (!platform_booting()) { if (!empty($filterdns)) { @file_put_contents("{$g['varetc_path']}/filterdns.conf", implode("", $filterdns)); @@ -1066,7 +1061,6 @@ function filter_generate_optcfg_array() { echo "filter_generate_optcfg_array() being called $mt\n"; } - read_layer7_config(); /* if list */ $iflist = get_configured_interface_with_descr(); foreach ($iflist as $if => $ifdetail) { @@ -2567,7 +2561,7 @@ function filter_generate_address(& $rule, $target = "source", $isnat = false) { function filter_generate_user_rule($rule) { global $config, $g, $FilterIflist, $GatewaysList; - global $layer7_rules_list, $dummynet_name_list; + global $dummynet_name_list; if (isset($config['system']['developerspew'])) { $mt = microtime(); 
@@ -2728,15 +2722,6 @@ function filter_generate_user_rule($rule) { } $aline['dst'] = "to $dst "; - //Layer7 support - $l7_present = false; - $l7_structures = array(); - if (isset($rule['l7container']) && $rule['l7container'] != "none") { - $l7_present = true; - $l7rule =& $layer7_rules_list[$rule['l7container']]; - $l7_structures = $l7rule->get_unique_structures(); - $aline['divert'] = "divert-to " . $l7rule->GetRPort() . " "; - } if (($rule['protocol'] == "icmp") && $rule['icmptype'] && ($rule['ipprotocol'] == "inet")) { $aline['icmp-type'] = "icmp-type {$rule['icmptype']} "; } @@ -2875,7 +2860,7 @@ function filter_generate_user_rule($rule) { $rule['nopfsync'] = true; } - if ($noadvoptions == false || $l7_present) { + if ($noadvoptions == false) { if ((isset($rule['source-track']) and $rule['source-track'] <> "") or (isset($rule['max']) and $rule['max'] <> "") or (isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "") or @@ -2886,8 +2871,7 @@ function filter_generate_user_rule($rule) { (isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> "") or (isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> ""))) or (isset($rule['sloppy'])) or - (isset($rule['nopfsync'])) or - ($l7_present)) { + (isset($rule['nopfsync'])) ) { $aline['flags'] .= "( "; if (isset($rule['sloppy'])) { $aline['flags'] .= "sloppy "; diff --git a/src/etc/inc/priv.defs.inc b/src/etc/inc/priv.defs.inc index 69343bd..1a6bfac 100644 --- a/src/etc/inc/priv.defs.inc +++ b/src/etc/inc/priv.defs.inc 
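Review bot: A firewall rule that still carries an `l7container` value from an existing config is now emitted without its `divert-to` target, so traffic that used to be handed to the classifier simply matches the rule's own action, and nothing in the new code of filter_generate_user_rule (which starts and ends outside these hunks) records that this happened. Unless upgrade code outside this diff strips `l7container` from `$config['filter']['rule']`, it is worth logging at the spot where the divert block was removed: `if (!empty($rule['l7container']) && $rule['l7container'] != "none") { log_error(sprintf(gettext("Rule '%s' references removed Layer7 container '%s'; ignoring"), $rule['descr'], $rule['l7container'])); }`. Separately, the edited condition in the last hunk now reads `(isset($rule['nopfsync'])) ) {` with a stray space before the closing parenthesis; `(isset($rule['nopfsync']))) {` matches the surrounding style.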
@@ -404,12 +404,6 @@ $priv_list['page-firewall-trafficshaper']['descr'] = gettext("Allow access to th $priv_list['page-firewall-trafficshaper']['match'] = array(); $priv_list['page-firewall-trafficshaper']['match'][] = "firewall_shaper.php*"; -$priv_list['page-firewall-trafficshaper-layer7'] = array(); -$priv_list['page-firewall-trafficshaper-layer7']['name'] = gettext("WebCfg - Firewall: Traffic Shaper: Layer7 page"); -$priv_list['page-firewall-trafficshaper-layer7']['descr'] = gettext("Allow access to the 'Firewall: Traffic Shaper: Layer7' page."); -$priv_list['page-firewall-trafficshaper-layer7']['match'] = array(); -$priv_list['page-firewall-trafficshaper-layer7']['match'][] = "firewall_shaper_layer7.php*"; - $priv_list['page-firewall-trafficshaper-queues'] = array(); $priv_list['page-firewall-trafficshaper-queues']['name'] = gettext("WebCfg - Firewall: Traffic Shaper: Queues page"); $priv_list['page-firewall-trafficshaper-queues']['descr'] = gettext("Allow access to the 'Firewall: Traffic Shaper: Queues' page."); diff --git a/src/etc/inc/shaper.inc b/src/etc/inc/shaper.inc index f4fab87..e2a71ea 100644 --- a/src/etc/inc/shaper.inc +++ b/src/etc/inc/shaper.inc 
@@ -4338,461 +4338,6 @@ class dnqueue_class extends dummynet_class { } } -// List of layer7 objects -$layer7_rules_list = array(); - -class layer7 { - - var $rname; //alias - var $rdescription; //alias description - var $rport; //divert port - var $renabled; //rule enabled - var $rsets = array(); //array of l7 associations - - // Auxiliary functions - - function GetRName() { - return $this->rname; - } - function SetRName($rname) { - $this->rname = $rname; - } - function GetRDescription() { - return $this->rdescription; - } - function SetRDescription($rdescription) { - $this->rdescription = $rdescription; - } - function GetRPort() { - return $this->rport; - } - function SetRPort($rport) { - $this->rport = $rport; - } - function GetREnabled() { - return $this->renabled; - } - function SetREnabled($value) { - $this->renabled = $value; - } - function GetRl7() { - return $this->rsets; - } - function SetRl7($rsets) { - $this->rsets = $rsets; - } - - //Add a tuple (rule,structure,element) to the $rsets - - function add_rule($l7set) { - $this->rsets[] = $l7set; - } - - // Build the layer7 rules - function build_l7_rules() { - if ($this->GetREnabled() == "") { - return; - } - //$l7rules = "#" . $this->rdescription . 
"\n"; - foreach ($this->rsets as $rl7) { - $l7rules .= $rl7->build_rules(); - } - return $l7rules; - } - - // Read the config from array - function ReadConfig(&$qname, &$q) { - $this->SetRName($qname); - $this->SetREnabled($q['enabled']); - $this->SetRPort($q['divert_port']); - if (isset($q['description']) && $q['description'] <> "") { - $this->SetRDescription($q['description']); - } - $rsets = $q['l7rules']; - //Put individual rules in the array - if (is_array($rsets)) { - $this->rsets = array(); // XXX: ugly hack - foreach ($rsets as $l7r) { - $l7obj = new l7rule(); - $l7obj->SetRProtocol($l7r['protocol']); - $l7obj->SetRStructure($l7r['structure']); - $l7obj->SetRBehaviour($l7r['behaviour']); - $this->add_rule($l7obj); - } - } - } - - //Generate a random port for the divert socket - function gen_divert_port() { - $dports = get_divert_ports(); //array of used ports - $divert_port = 1; // Initialize - while (($divert_port % 2) != 0 || in_array($divert_port, $dports)) { - $divert_port = rand(40000, 60000); - } - return $divert_port; - } - - //Helps building the left tree - function build_tree() { - $tree = " <li><a href=\"firewall_shaper_layer7.php?container=" . $this->GetRName() ."&action=show\">"; - $tree .= $this->GetRName() . 
"</a>"; - $tree .= "</li>"; - - return $tree; - } - - function build_form() { - - $form = new Form(new Form_Button( - 'Submit', - 'Save' - )); - - $section = new Form_Section('Traffic Shaper'); - - $section->addInput(new Form_Checkbox( - 'enabled', - 'Enable/Disable', - 'Enable/disable discipline and its children', - ($this->GetREnabled() == "on"), - 'on' - )); - - $section->addInput(new Form_Input( - 'container', - 'Name', - 'text', - $this->GetRName() - )); - - $section->addInput(new Form_Input( - 'description', - 'Description', - 'text', - $this->GetRDescription() - ))->setHelp('You may enter a description here for your reference (not parsed).'); - - $form->add($section); - - return $form; - } - - //Write the setting to the $config array - function wconfig() { - global $config; - - if (!is_array($config['l7shaper']['container'])) { - $config['l7shaper']['container'] = array(); - } - // - $cflink =& get_l7c_reference_to_me_in_config($this->GetRName()); - // Test if this rule exists already - if (!$cflink) { - $cflink =& $config['l7shaper']['container'][]; - } - $cflink['name'] = $this->GetRName(); - $cflink['enabled'] = $this->GetREnabled(); - $cflink['description'] = $this->GetRDescription(); - $cflink['divert_port'] = $this->GetRPort(); - - // Destroy previously existent rules - if (is_array($cflink['rules'])) { - unset($cflink['l7rules']); - } - - $cflink['l7rules'] = array(); - - $i = 0; - foreach ($this->rsets as $rulel7) { - $cflink['l7rules'][$i]['protocol'] = $rulel7->GetRProtocol(); - $cflink['l7rules'][$i]['structure'] = $rulel7->GetRStructure(); - $cflink['l7rules'][$i]['behaviour'] = $rulel7->GetRBehaviour(); - $i++; - } - } - - //This function is necessary to help producing the overload options for keep state - function get_unique_structures() { - - $unique_structures = array("action" => false, "dummynet" => false, "altq" => false); - foreach ($this->rsets as $l7rule) { - if ($l7rule->GetRStructure() == "action") { - $unique_structures['action'] = 
true; - } else if ($l7rule->GetRStructure() == "limiter") { - $unique_structures['dummynet'] = true; - } else { - $unique_structures['altq'] = true; - } - } - //Delete non used structures so we don't have to check this in filter.inc - foreach ($unique_structures as $key => $value) { - if (!$value) { - unset($unique_structures[$key]); - } - } - return $unique_structures; - } - - function validate_input($data, &$input_errors) { - $reqdfields[] = "container"; - $reqdfieldsn[] = gettext("Name"); - - shaper_do_input_validation($data, $reqdfields, $reqdfieldsn, $input_errors); - - if (!preg_match("/^[a-zA-Z0-9_-]+$/", $data['container'])) { - $input_errors[] = gettext("Queue names must be alphanumeric and _ or - only."); - } - } - - function delete_l7c() { - mwexec("/bin/pkill -f 'ipfw-classifyd .* -p ". $this->GetRPort() . "'", true); - unset_l7_object_by_reference($this->GetRName()); - cleanup_l7_from_rules($this->GetRName()); - } -} - -class l7rule { - - var $rprotocol; //protocol - var $rstructure; //action, limiter, queue - var $rbehaviour; //allow, block, queue_name, pipe_number ... - - //Auxiliary Functions - - function GetRProtocol() { - return $this->rprotocol; - } - function SetRProtocol($rprotocol) { - $this->rprotocol = $rprotocol; - } - function GetRStructure() { - return $this->rstructure; - } - function SetRStructure($rstructure) { - $this->rstructure = $rstructure; - } - function GetRBehaviour() { - return $this->rbehaviour; - } - function SetRBehaviour($rbehaviour) { - $this->rbehaviour = $rbehaviour; - } - - //XXX Do we need to test any particularity for AltQ queues? - function build_rules() { - global $dummynet_pipe_list; - switch ($this->GetRStructure()) { - case "limiter": - read_dummynet_config(); - $dn_list =& get_unique_dnqueue_list(); - $found = false; - if (is_array($dn_list)) { - foreach ($dn_list as $key => $value) { - if ($key == $this->GetRBehaviour()) { - if ($value[0] == "?") { - $l7rule = $this->GetRProtocol() . " = dnqueue " . 
substr($value, 1) . "\n"; - } else { - $l7rule = $this->GetRProtocol() . " = dnpipe " . $value . "\n"; - } - $found = true; - } - if ($found) { - break; - } - } - } - break; - default: //This is for action and for altq - $l7rule = $this->GetRProtocol() . " = " . $this->GetRStructure() . " " . $this->GetRBehaviour() . "\n"; - break; - } - return $l7rule; - } -} - -/* - * This function allows to return an array with all the used divert socket ports - */ -function get_divert_ports() { - global $layer7_rules_list; - $dports = array(); - - foreach ($layer7_rules_list as $l7r) { - $dports[] = $l7r->GetRPort(); - } - - return $dports; -} - -function &get_l7c_reference_to_me_in_config(&$name) { - global $config; - - $ptr = NULL; - - if (is_array($config['l7shaper']['container'])) { - foreach ($config['l7shaper']['container'] as $key => $value) { - if ($value['name'] == $name) { - $ptr =& $config['l7shaper']['container'][$key]; - } - } - } - return $ptr; - // $ptr can be null. has to be checked later -} - -function unset_l7_object_by_reference(&$name) { - global $config; - - if (is_array($config['l7shaper']['container'])) { - foreach ($config['l7shaper']['container'] as $key => $value) { - if ($value['name'] == $name) { - unset($config['l7shaper']['container'][$key]['l7rules']); - unset($config['l7shaper']['container'][$key]); - break; - } - } - } -} - -function read_layer7_config() { - global $layer7_rules_list, $config; - - if (!is_array($config['l7shaper']['container']) || !count($config['l7shaper']['container'])) { - $layer7_rules_list = array(); - return; - } - - $l7cs = &$config['l7shaper']['container']; - - $layer7_rules_list = array(); - - foreach ($l7cs as $conf) { - if (empty($conf['name'])) { - continue; /* XXX: grrrrrr at php */ - } - $root =& new layer7(); - $root->ReadConfig($conf['name'], $conf); - $layer7_rules_list[$root->GetRName()] = &$root; - } -} - -function update_layer7_custom_patterns() { - global $config; - - if 
(!is_array($config['l7shaper']['custom_pat'])) { - return; - } - - foreach ($config['l7shaper']['custom_pat'] as $filename => $filecontent) { - if (!file_exists("/usr/local/share/protocols/" . $filename)) { - @file_put_contents("/usr/local/share/protocols/" . $filename, base64_decode($filecontent)); - } - } -} - -function generate_layer7_files() { - global $layer7_rules_list, $g; - - read_layer7_config(); - - if (!empty($layer7_rules_list)) { - if (!is_module_loaded("ipdivert.ko")) { - mwexec("/sbin/kldload ipdivert.ko"); - } - - array_map('unlink', glob("{$g['tmp_path']}/*.l7")); - } - - update_layer7_custom_patterns(); - - foreach ($layer7_rules_list as $l7rules) { - if ($l7rules->GetREnabled()) { - $filename = $l7rules->GetRName() . ".l7"; - $path = "{$g['tmp_path']}/" . $filename; - - $rules = $l7rules->build_l7_rules(); - - $fp = fopen($path, 'w'); - fwrite($fp, $rules); - fclose($fp); - } - } -} - -function layer7_start_l7daemon() { - global $layer7_rules_list, $g; - - /* - * XXX: ermal - Needed ?! - * read_layer7_config(); - */ - - foreach ($layer7_rules_list as $l7rules) { - if ($l7rules->GetREnabled()) { - $filename = $l7rules->GetRName() . ".l7"; - $path = "{$g['tmp_path']}/" . $filename; - - unset($l7pid); - /* Only reread the configuration rather than restart to avoid losing information. */ - exec("/bin/pgrep -f 'ipfw-classifyd .* -p ". $l7rules->GetRPort() . "'", $l7pid); - if (count($l7pid) > 0) { - log_error(sprintf(gettext("Sending HUP signal to %s"), $l7pid[0])); - mwexec("/bin/kill -HUP {$l7pid[0]}"); - } else { - // XXX: Hardcoded number of packets to garbage collect and queue length. - $ipfw_classifyd_init = "/usr/local/sbin/ipfw-classifyd -n 8 -q 700 -c {$path} -p " . $l7rules->GetRPort() . 
" -P /usr/local/share/protocols"; - mwexec_bg($ipfw_classifyd_init); - } - } - } -} - -// This function uses /usr/local/share/protocols as a default directory for searching .pat files -function generate_protocols_array() { - - update_layer7_custom_patterns(); - - $protocols = return_dir_as_array("/usr/local/share/protocols"); - $protocols_new = array(); - if (is_array($protocols)) { - foreach ($protocols as $key => $proto) { - if (strstr($proto, ".pat")) { - $protocols_new[$key] =& str_replace(".pat", "", $proto); - } - } - sort($protocols_new); - } - return $protocols_new; -} - -function get_l7_unique_list() { - global $layer7_rules_list; - - $l7list = array(); - if (is_array($layer7_rules_list)) { - foreach ($layer7_rules_list as $l7c) { - if ($l7c->GetREnabled()) { - $l7list[] = $l7c->GetRName(); - } - } - } - - return $l7list; -} - -// Disable a removed l7 container from the filter -function cleanup_l7_from_rules(&$name) { - global $config; - - if (is_array($config['filter']['rule'])) { - foreach ($config['filter']['rule'] as $key => $rule) { - if ($rule['l7container'] == $name) { - unset($config['filter']['rule'][$key]['l7container']); - } - } - } -} - function get_dummynet_name_list() { $dn_name_list =& get_unique_dnqueue_list(); diff --git a/src/etc/rc.filter_synchronize b/src/etc/rc.filter_synchronize index b7148eb..4964f5c 100755 --- a/src/etc/rc.filter_synchronize +++ b/src/etc/rc.filter_synchronize @@ -359,9 +359,6 @@ if (is_array($config['hasync'])) { if ($hasync['synchronizetrafficshaperlimiter'] != "" and is_array($config['dnshaper'])) { $sections[] = 'dnshaper'; } - if ($hasync['synchronizetrafficshaperlayer7'] != "" and is_array($config['l7shaper'])) { - $sections[] = 'l7shaper'; - } if ($hasync['synchronizestaticroutes'] != "") { if (!is_array($config['staticroutes'])) { $config['staticroutes'] = array(); |