authorjim-p <jim@pingle.org>2009-04-04 19:45:49 -0400
committerjim-p <jim@pingle.org>2009-04-04 19:50:25 -0400
commitaf8ae7cec90871da977f8a04bb8158ef08910994 (patch)
tree11dd76bd6f3846ce9f6eba2ff1c474e6a0641d83 /usr/local/www/diag_logs_filter.php
parent5155bb33020d786ac490ce660edebaa6d18e0b09 (diff)
Filter log parsing update
* Share filter log parsing code instead of using copy/paste/code duplication.
* Reworked the JavaScript a little so it could also be shared.
* Fix a large number of bugs, especially in the AJAX-based dynamic log viewer.
* Picks up some more detail from the logs, and more accurately determines the protocol of a given log entry.
* Adds a CLI log parser (filterparser.php).
* Removed some redundant/unused code.
* Code cleanup/style fixes.
* Added support for finding logged rdr rules from miniupnpd.

NOTE: Due to the dynamic nature of upnp rules, the rule may not be present when checked.
Diffstat (limited to 'usr/local/www/diag_logs_filter.php')
-rwxr-xr-xusr/local/www/diag_logs_filter.php202
1 files changed, 24 insertions, 178 deletions
diff --git a/usr/local/www/diag_logs_filter.php b/usr/local/www/diag_logs_filter.php
index 2e4045f..960956f 100755
--- a/usr/local/www/diag_logs_filter.php
+++ b/usr/local/www/diag_logs_filter.php
@@ -38,13 +38,15 @@
##|-PRIV
require("guiconfig.inc");
+require_once("filter_log.inc");
if($_GET['getrulenum'] or $_POST['getrulenum']) {
if($_GET['getrulenum'])
- $rulenum = escapeshellarg($_GET['getrulenum']);
+ $rulenum = $_GET['getrulenum'];
if($_POST['getrulenum'])
- $rulenum = escapeshellarg($_POST['getrulenum']);
- $rule = `pfctl -vvsr | grep '@{$rulenum} '`;
+ $rulenum = $_POST['getrulenum'];
+ list($rulenum, $type) = explode(',', $rulenum);
+ $rule = find_rule_by_number($rulenum, $type);
echo "The rule that triggered this action is:\n\n{$rule}";
exit;
}
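Review bot: The GET/POST `getrulenum` value now reaches `find_rule_by_number()` without the `escapeshellarg()` the removed lines applied, so this handler depends entirely on filter_log.inc (not shown) to keep the value out of a shell; the old inline code ran `pfctl -vvsr | grep`, and if the helper builds a command the same way, an unescaped value is a command-injection path for any authenticated user of this page. Both halves have a fixed shape — the rule number is an integer and the type is an action word — so coerce them here before the call regardless of what the helper does: `list($rulenum, $type) = explode(',', $rulenum); $rulenum = intval($rulenum); $type = preg_replace('/[^a-zA-Z]/', '', $type);`. A value with no comma also leaves `$type` unset by the `list()` assignment (PHP raises an undefined-offset notice), so the helper must tolerate an empty type. The response is consumed by the page's JavaScript into an `alert()`, so HTML escaping of `$rule` is not the concern on this path.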
@@ -58,126 +60,12 @@ if (!$nentries)
if ($_POST['clear'])
clear_log_file($filter_logfile);
-/* format filter logs */
-function conv_clog($logfile, $tail = 50) {
- global $config, $nentries, $g;
- $logarr = "";
- /* make interface/port table */
- $iftable = array();
- $iflist = get_configured_interface_with_descr();
- foreach ($iflist as $if => $ifdesc)
- $iftable[get_real_interface($if)] = $ifdesc;
-
- $sor = isset($config['syslog']['reverse']) ? "-r" : "";
-
- if(isset($config['system']['usefifolog']))
- exec("/usr/sbin/fifolog_reader {$logfile} | /usr/bin/tail {$sor} -n 500", $logarr);
- else
- exec("/usr/sbin/clog {$logfile} | grep -v \"CLOG\" | grep -v \"\033\" | /usr/bin/tail {$sor} -n 500", $logarr);
-
- $filterlog = array();
-
- $counter = 1;
-
- foreach ($logarr as $logent) {
-
- if($counter > $nentries)
- break;
-
- $log_split = "";
-
-
- preg_match("/(\b(?:\d{1,3}\.){3}\d{1,3}(\.\w+)?)\s.*\s(\b(?:\d{1,3}\.){3}\d{1,3}(\.\w+)?)/", $logent, $log_split);
-
- $flent['src'] = convert_port_period_to_colon($log_split[1]);
- $flent['dst'] = convert_port_period_to_colon($log_split[3]);
-
- preg_match("/(.*)\s.*\spf:\s.*\srule\s(.*)\(match\)\:\s(.*)\s\w+\son\s(\w+)\:\s(.*)\s>\s(.*)\:\s.*/", $logent, $log_split);
-
- $beforeupper = $logent;
- $logent = strtoupper($logent);
-
- if(stristr(strtoupper($logent), "UDP") == true)
- $flent['proto'] = "UDP";
- else if(stristr(strtoupper($logent), "TCP") == true)
- $flent['proto'] = "TCP";
- else if(stristr(strtoupper($logent), "ICMP") == true)
- $flent['proto'] = "ICMP";
- else if(stristr(strtoupper($logent), "HSRP") == true)
- $flent['proto'] = "HSRP";
- else if(stristr(strtoupper($logent), "ESP") == true)
- $flent['proto'] = "ESP";
- else if(stristr(strtoupper($logent), "AH") == true)
- $flent['proto'] = "AH";
- else if(stristr(strtoupper($logent), "GRE") == true)
- $flent['proto'] = "GRE";
- else if(stristr(strtoupper($logent), "IGMP") == true)
- $flent['proto'] = "IGMP";
- else if(stristr(strtoupper($logent), "CARP") == true)
- $flent['proto'] = "CARP";
- else if(stristr(strtoupper($logent), "VRRP") == true)
- $flent['proto'] = "VRRP";
- else if(stristr(strtoupper($logent), "PFSYNC") == true)
- $flent['proto'] = "PFSYNC";
- else if(stristr($logent, "sack") == true)
- $flent['proto'] = "TCP";
- else
- $flent['proto'] = "TCP";
-
- $flent['time'] = $log_split[1];
- $flent['act'] = $log_split[3];
- $flent['interface'] = empty($iftable[$log_split[4]]) ? $log_split[4] : $iftable[$log_split[4]];
-
- $tmp = split("/", $log_split[2]);
- $flent['rulenum'] = $tmp[0];
-
- $shouldadd = true;
-
- if(trim($flent['src']) == "")
- $shouldadd = false;
- if(trim($flent['dst']) == "")
- $shouldadd = false;
- if(trim($flent['time']) == "")
- $shouldadd = false;
-
- if($shouldadd == true) {
- $counter++;
- $filterlog[] = $flent;
- } else {
- if($g['debug']) {
- log_error("There was a error parsing rule: $beforeupper . Please report to mailing list or forum.");
- }
- }
-
- }
-
- return $filterlog;
-}
-
-function convert_port_period_to_colon($addr) {
- $addr_split = split("\.", $addr);
- if($addr_split[4] == "")
- $newvar = $addr_split[0] . "." . $addr_split[1] . "." . $addr_split[2] . "." . $addr_split[3];
- else
- $newvar = $addr_split[0] . "." . $addr_split[1] . "." . $addr_split[2] . "." . $addr_split[3] . ":" . $addr_split[4];
- if($newvar == "...")
- return $addr;
- return $newvar;
-}
-
-function format_ipf_ip($ipfip) {
- list($ip,$port) = explode(",", $ipfip);
- if (!$port)
- return $ip;
-
- return $ip . ", port " . $port;
-}
-
$pgtitle = array("Status","System logs","Firewall");
include("head.inc");
?>
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+<script src="/javascript/filter_log.js" type="text/javascript"></script>
<?php include("fbegin.inc"); ?>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr><td>
@@ -201,11 +89,11 @@ include("head.inc");
<div id="mainarea">
<table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
<?php if (!isset($config['syslog']['rawfilter'])):
- $filterlog = conv_clog($filter_logfile, $nentries);
+ $filterlog = conv_log_filter($filter_logfile, $nentries, $nentries + 100);
?>
<tr>
<td colspan="6" class="listtopic">
- Last <?=$nentries;?> firewall log entries &nbsp;&nbsp;&nbsp;(<a href='/diag_logs_filter_dynamic.php'>switch</a> to dynamic view)</td>
+ Last <?php echo $nentries;?> firewall log entries &nbsp;&nbsp;&nbsp;(<a href='/diag_logs_filter_dynamic.php'>switch</a> to dynamic view)</td>
</tr>
<tr>
<td width="10%" class="listhdrr">Act</td>
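Review bot: The third argument to `conv_log_filter()` on the new line, `$nentries + 100`, is an unexplained constant; presumably it is the number of raw log lines to tail so that entries that fail to parse do not leave fewer than `$nentries` rows on screen, but that intent is recorded nowhere in this file. A one-line comment above the call would spare the next reader a trip into filter_log.inc: `/* tail extra raw lines so unparsable entries don't shrink the displayed count below $nentries */` — confirm the meaning against the helper's signature. `$nentries` is also echoed into the heading unescaped; it appears to be a numeric setting rather than request input (it is established above this hunk), but casting it with `(int)` where it is set would make that explicit.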
@@ -218,79 +106,37 @@ include("head.inc");
<tr>
<td class="listlr" nowrap align="middle">
<center>
- <a href="#" onClick="javascript:getURL('diag_logs_filter.php?getrulenum=<?php echo $filterent['rulenum']; ?>', outputrule);">
- <?php if (strstr(strtolower($filterent['act']), "p"))
- $img = "/themes/{$g['theme']}/images/icons/icon_pass.gif";
- else if(strstr(strtolower($filterent['act']), "r"))
- $img = "/themes/{$g['theme']}/images/icons/icon_reject.gif";
- else
- $img = "/themes/{$g['theme']}/images/icons/icon_block.gif";
- ?>
- <img border="0" src="<?=$img;?>" width="11" height="11" align="absmiddle">
+ <a href="#" onClick="javascript:getURL('diag_logs_filter.php?getrulenum=<?php echo "{$filterent['rulenum']},{$filterent['act']}"; ?>', outputrule);">
+ <img border="0" src="<?php echo find_action_image($filterent['act']);?>" width="11" height="11" align="absmiddle" alt="<?php echo $filterent['act'];?>" title="<?php echo $filterent['act'];?>" />
<?php if ($filterent['count']) echo $filterent['count'];?></td>
- <td class="listr" nowrap><?=htmlspecialchars($filterent['time']);?></td>
- <td class="listr" nowrap><?=htmlspecialchars($filterent['interface']);?></td>
- <td class="listr" nowrap><?=htmlspecialchars($filterent['src']);?></td>
- <td class="listr" nowrap><?=htmlspecialchars($filterent['dst']);?></td>
- <td class="listr" nowrap><?=htmlspecialchars($filterent['proto']);?></td>
+ <td class="listr" nowrap><?php echo htmlspecialchars($filterent['time']);?></td>
+ <td class="listr" nowrap><?php echo htmlspecialchars($filterent['interface']);?></td>
+ <td class="listr" nowrap><?php echo htmlspecialchars($filterent['src']);?></td>
+ <td class="listr" nowrap><?php echo htmlspecialchars($filterent['dst']);?></td>
+ <?php
+ if ($filterent['proto'] == "TCP")
+ $filterent['proto'] .= ":{$filterent['tcpflags']}";
+ ?>
+ <td class="listr" nowrap><?php echo htmlspecialchars($filterent['proto']);?></td>
</tr><?php endforeach; ?>
<?php else: ?>
<tr>
<td colspan="2" class="listtopic">
- Last <?=$nentries;?> firewall log entries</td>
+ Last <?php echo $nentries;?> firewall log entries</td>
</tr>
<?php dump_clog($filter_logfile, $nentries); ?>
<?php endif; ?>
- <tr><td><br><form action="diag_logs_filter.php" method="post">
-<input name="clear" type="submit" class="formbtn" value="Clear log"></td></tr>
+ <tr><td><br /><form action="diag_logs_filter.php" method="post">
+<input name="clear" type="submit" class="formbtn" value="Clear log" /></td></tr>
</form>
</table>
</div>
</td>
</tr>
</table>
-<script language="javascript">
-if (typeof getURL == 'undefined') {
- getURL = function(url, callback) {
- if (!url)
- throw 'No URL for getURL';
- try {
- if (typeof callback.operationComplete == 'function')
- callback = callback.operationComplete;
- } catch (e) {}
- if (typeof callback != 'function')
- throw 'No callback function for getURL';
- var http_request = null;
- if (typeof XMLHttpRequest != 'undefined') {
- http_request = new XMLHttpRequest();
- }
- else if (typeof ActiveXObject != 'undefined') {
- try {
- http_request = new ActiveXObject('Msxml2.XMLHTTP');
- } catch (e) {
- try {
- http_request = new ActiveXObject('Microsoft.XMLHTTP');
- } catch (e) {}
- }
- }
- if (!http_request)
- throw 'Both getURL and XMLHttpRequest are undefined';
- http_request.onreadystatechange = function() {
- if (http_request.readyState == 4) {
- callback( { success : true,
- content : http_request.responseText,
- contentType : http_request.getResponseHeader("Content-Type") } );
- }
- }
- http_request.open('GET', url, true);
- http_request.send(null);
- }
-}
-function outputrule(req) {
- alert(req.content);
-}
-</script>
+<p><span class="vexpl"><a href="http://doc.pfsense.org/index.php/What_are_TCP_Flags%3F">TCP Flags</a>: F - FIN, S - SYN, A or . - ACK, R - RST, P - PSH, U - URG, E - ECE, C - CWR</span></p>
+
<?php include("fend.inc"); ?>
</body>
</html>
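Review bot: The new `<a ... onClick="javascript:getURL('diag_logs_filter.php?getrulenum=<?php echo "{$filterent['rulenum']},{$filterent['act']}"; ?>', outputrule);">` line and the `<img ... alt=... title=...>` below it echo `rulenum`, `act` and the result of `find_action_image()` straight into an HTML attribute and a JavaScript string literal, while every other cell in the same row is wrapped in `htmlspecialchars()`. These fields are regex-extracted from syslog lines by `conv_log_filter()` (in filter_log.inc, not shown), so the practical exposure may be small, but attribute and JS contexts need their own escaping and the inconsistency invites copy-paste into places with looser inputs. Encode the query value and escape the attributes: `getrulenum=<?php echo htmlspecialchars(rawurlencode("{$filterent['rulenum']},{$filterent['act']}")); ?>` and `alt="<?php echo htmlspecialchars($filterent['act']);?>" title="<?php echo htmlspecialchars($filterent['act']);?>"`. The `.= ":{$filterent['tcpflags']}"` append also assumes the key exists for every TCP entry; guarding it with `isset($filterent['tcpflags'])` avoids a notice on lines the parser did not fully match. The enclosing `foreach` begins above this hunk.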