diff options
author | jim-p <jim@pingle.org> | 2010-03-14 17:13:22 -0400 |
---|---|---|
committer | jim-p <jim@pingle.org> | 2010-03-14 17:16:32 -0400 |
commit | 865ff9b4640ffe622d551b6bbb5d39cd1acd3ced (patch) | |
tree | 3775dfd187aa6e9e54095c6ae1e7f6639784f05e /usr/local/bin | |
parent | ec5c695d2361564b35266f9105442402e4aa8a0f (diff) | |
download | pfsense-865ff9b4640ffe622d551b6bbb5d39cd1acd3ced.zip pfsense-865ff9b4640ffe622d551b6bbb5d39cd1acd3ced.tar.gz |
Refactor the Easy Rule code a bit. Add a CLI version.
Diffstat (limited to 'usr/local/bin')
-rw-r--r-- | usr/local/bin/easyrule | 140 |
1 files changed, 140 insertions, 0 deletions
diff --git a/usr/local/bin/easyrule b/usr/local/bin/easyrule new file mode 100644 index 0000000..60f5fb1 --- /dev/null +++ b/usr/local/bin/easyrule @@ -0,0 +1,140 @@ +#!/usr/local/bin/php -q +<?php +/* + easyrule CLI Program + + Copyright (C) 2010 Jim Pingle (jpingle@gmail.com) + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require_once("pfsense-utils.inc"); +require_once("easyrule.inc"); +require_once("filter.inc"); +require_once("shaper.inc"); + +$message = ""; +$specialsrcdst = explode(" ", "any pptp pppoe l2tp openvpn"); + +/* Borrow this function from guiconfig.inc since we can't include it for use at the CLI + + - Maybe these need to be moved to util.inc or pfsense-utils.inc? + +*/ +function pconfig_to_address(&$adr, $padr, $pmask, $pnot=false, $pbeginport=0, $pendport=0) { + + $adr = array(); + + if ($padr == "any") + $adr['any'] = true; + else if (is_specialnet($padr)) + $adr['network'] = $padr; + else { + $adr['address'] = $padr; + if ($pmask != 32) + $adr['address'] .= "/" . $pmask; + } + + if ($pnot) + $adr['not'] = true; + else + unset($adr['not']); + + if (($pbeginport != 0) && ($pbeginport != "any")) { + if ($pbeginport != $pendport) + $adr['port'] = $pbeginport . "-" . $pendport; + else + $adr['port'] = $pbeginport; + } + + if(is_alias($pbeginport)) { + $adr['port'] = $pbeginport; + } +} + +/* Borrow this one from guiconfig.inc also */ +function is_specialnet($net) { + global $specialsrcdst; + + if(!$net) + return false; + if (in_array($net, $specialsrcdst)) + return true; + else + return false; +} + +/* Another one we need from guiconfig.inc but can't include... */ +function filter_rules_sort() { + global $config; + + /* mark each rule with the sequence number (to retain the order while sorting) */ + for ($i = 0; isset($config['filter']['rule'][$i]); $i++) + $config['filter']['rule'][$i]['seq'] = $i; + + function filtercmp($a, $b) { + if ($a['interface'] == $b['interface']) + return $a['seq'] - $b['seq']; + else + return -strcmp($a['interface'], $b['interface']); + } + + usort($config['filter']['rule'], "filtercmp"); + + /* strip the sequence numbers again */ + for ($i = 0; isset($config['filter']['rule'][$i]); $i++) + unset($config['filter']['rule'][$i]['seq']); +} + + +if (($argc > 1) && !empty($argv[1])) { + $message = ""; + switch ($argv[1]) { + case 'block': + $message = easyrule_parse_block($argv[2], $argv[3]); + break; + case 'pass': + $message = easyrule_parse_pass($argv[2], $argv[3], $argv[4], $argv[5], $argv[6]); + break; + } + echo $message . "\n"; +} else { + // Print usage: + echo "usage:\n"; + echo " Blocking only requires an IP to block\n"; + echo " " . basename($argv[0]) . " block <interface> <source IP>\n"; + echo "\n"; + echo " Passing requires more detail, as it must be as specific as possible. The destination port is optional if you're using a protocol without a port (e.g. ICMP, OSPF, etc).\n"; + echo " " . basename($argv[0]) . " pass <interface> <protocol> <source IP> <destination ip> [destination port]\n"; + echo "\n"; + echo " Block example:\n"; + echo " " . basename($argv[0]) . " block wan 1.2.3.4\n"; + echo "\n"; + echo " Pass example (protocol with port):\n"; + echo " " . basename($argv[0]) . " pass wan tcp 1.2.3.4 192.168.0.4 80\n"; + echo "\n"; + echo " Block example (protocol without port):\n"; + echo " " . basename($argv[0]) . " pass wan icmp 1.2.3.4 192.168.0.4\n"; + echo "\n"; +} +?>
\ No newline at end of file |