Move two include files to /etc/inc instead of leaving them in the www dir. Move filterparser.php to /usr/local/bin since it's not meant to be used from the web interface.

3 files changed, 0 insertions, 549 deletions

diff --git a/usr/local/www/filterparser.php b/usr/local/bin/filterparser.php
index d432419..d432419 100644
--- a/usr/local/www/filterparser.php
+++ b/usr/local/bin/filterparser.php
diff --git a/usr/local/www/easyrule.inc b/usr/local/www/easyrule.inc
deleted file mode 100644
index 1747654..0000000
--- a/usr/local/www/easyrule.inc
+++ /dev/null
@@ -1,254 +0,0 @@
-<?php
-/*
-	easyrule.inc.php
-
-	Copyright (C) 2009 Jim Pingle (jpingle@gmail.com)
-	Sponsored By Anathematic @ pfSense Forums
-	All rights reserved.
-
-	Redistribution and use in source and binary forms, with or without
-	modification, are permitted provided that the following conditions are met:
-
-	1. Redistributions of source code must retain the above copyright notice,
-	this list of conditions and the following disclaimer.
-
-	2. Redistributions in binary form must reproduce the above copyright
-	notice, this list of conditions and the following disclaimer in the
-	documentation and/or other materials provided with the distribution.
-
-	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-	POSSIBILITY OF SUCH DAMAGE.
-*/
-/*
-	pfSense_BUILDER_BINARIES:	
-	pfSense_MODULE:	filter
-*/
-
-$blockaliasname = 'EasyRuleBlockHosts';
-
-function easyrule_find_rule_interface($int) {
-	global $config;
-	/* Borrowed from firewall_rules.php */
-	$iflist = get_configured_interface_with_descr(false, true);
-	
-	if ($config['pptpd']['mode'] == "server")
-		$iflist['pptp'] = "PPTP VPN";
-	
-	if ($config['pppoe']['mode'] == "server")
-		$iflist['pppoe'] = "PPPoE VPN";
-	
-	if ($config['l2tp']['mode'] == "server")
-                $iflist['l2tp'] = "L2TP VPN";
-
-	/* add ipsec interfaces */
-	if (isset($config['ipsec']['enable']) || isset($config['ipsec']['mobileclients']['enable'])){ 
-		$iflist["enc0"] = "IPSEC";
-	}
-	
-	if (isset($iflist[$int]))
-		return $int;
-
-	foreach ($iflist as $if => $ifd) {
-		if (strtolower($int) == strtolower($ifd))
-			return $if;
-	}
-	
-	return false;
-}
-
-function easyrule_block_rule_exists($int = 'wan') {
-	global $blockaliasname, $config;
-	/* No rules, we we know it doesn't exist */
-	if (!is_array($config['filter']['rule'])) {
-		return false;
-	}
-
-	/* Search through the rules for one referencing our alias */
-	foreach ($config['filter']['rule'] as $rule)
-		if ($rule['source']['address'] == $blockaliasname . strtoupper($int) && ($rule['interface'] == $int))
-			return true;
-	return false;
-}
-
-function easyrule_block_rule_create($int = 'wan') {
-	global $blockaliasname, $config;
-	/* If the alias doesn't exist, exit.
-	 * Can't create an empty alias, and we don't know a host */
-	if (easyrule_block_alias_getid($int) === false)
-		return false;
-
-	/* If the rule already exists, no need to do it again */
-	if (easyrule_block_rule_exists($int))
-		return true;
-
-	/* No rules, start a new array */
-	if (!is_array($config['filter']['rule'])) {
-		$config['filter']['rule'] = array();
-	}
-
-	filter_rules_sort();
-	$a_filter = &$config['filter']['rule'];
-
-	/* Make up a new rule */
-	$filterent = array();
-	$filterent['type'] = 'block';
-	$filterent['interface'] = $int; 
-	$filterent['source']['address'] = $blockaliasname . strtoupper($int);
-	$filterent['destination']['any'] = '';
-	$filterent['descr'] = "Easy Rule: Blocked from Firewall Log View";
-
-	$a_filter[] = $filterent;
-
-	return true;
-}
-
-function easyrule_block_alias_getid($int = 'wan') {
-	global $blockaliasname, $config;
-	if (!is_array($config['aliases']))
-		return false;
-
-	/* Hunt down an alias with the name we want, return its id */
-	foreach ($config['aliases']['alias'] as $aliasid => $alias)
-		if ($alias['name'] == $blockaliasname . strtoupper($int))
-			return $aliasid;
-
-	return false;
-}
-
-function easyrule_block_alias_add($host, $int = 'wan') {
-	global $blockaliasname, $config;
-	/* If the host isn't a valid IP address, bail */
-	if (!is_ipaddr($host))
-		return false;
-
-	/* If there are no aliases, start an array */
-	if (!is_array($config['aliases']['alias']))
-		$config['aliases']['alias'] = array();
-
-	aliases_sort();
-	$a_aliases = &$config['aliases']['alias'];
-
-	/* Try to get the ID if the alias already exists */
-	$id = easyrule_block_alias_getid($int);
-	if ($id === false)
-	  unset($id);
-
-	$alias = array();
-
-	if (isset($id) && $a_aliases[$id]) {
-		/* Make sure this IP isn't already in the list. */
-		if (in_array($host.'/32', explode(" ", $a_aliases[$id]['address'])))
-			return true;
-		/* Since the alias already exists, just add to it. */
-		$alias['name']    = $a_aliases[$id]['name'];
-		$alias['type']    = $a_aliases[$id]['type'];
-		$alias['descr']   = $a_aliases[$id]['descr'];
-
-		$alias['address'] = $a_aliases[$id]['address'] . ' ' . $host . '/32';
-	 	$alias['detail']  = $a_aliases[$id]['detail'] . 'Entry added ' . date('r') . '||';
-	} else {
-		/* Create a new alias with all the proper information */
-	 	$alias['name']    = $blockaliasname . strtoupper($int);
-	 	$alias['type']    = 'network';
-	 	$alias['descr']   = mb_convert_encoding("Hosts blocked from Firewall Log view","HTML-ENTITIES","auto");
-
-		$alias['address'] = $host . '/32';
-	 	$alias['detail']  = 'Entry added ' . date('r') . '||';
-	}
-
-	/* Replace the old alias if needed, otherwise tack it on the end */
-	if (isset($id) && $a_aliases[$id])
-		$a_aliases[$id] = $alias;
-	else
-		$a_aliases[] = $alias;
-
-	return true;
-}
-
-function easyrule_block_host_add($host, $int = 'wan') {
-	global $retval;
-	/* Bail if the supplied host is not a valid IP address */
-	if (!is_ipaddr($host))
-		return false;
-
-	/* Flag whether or not we need to reload the filter */
-	$dirty = false;
-
-	/* Attempt to add this host to the alias */
-	if (easyrule_block_alias_add($host, $int)) {
-		$dirty = true;
-	} else {
-		/* Couldn't add the alias, or adding the host failed. */
-		return false;
-	}
-
-	/* Attempt to add the firewall rule if it doesn't exist.
-	 * Failing to add the rule isn't necessarily an error, it may
-	 * have been modified by the user in some way. Adding to the
-	 * Alias is what's important.
-	 */
-	if (!easyrule_block_rule_exists($int)) {
-		if (easyrule_block_rule_create($int)) {
-			$dirty = true;
-		} else {
-			return false;
-		}
-	}
-
-	/* If needed, write the config and reload the filter */
-	if ($dirty) {
-		write_config();
-		$retval = filter_configure();
-		header("Location: firewall_aliases.php");
-		exit;
-	} else {
-		return false;
-	}
-}
-
-function easyrule_pass_rule_add($int, $proto, $srchost, $dsthost, $dstport) {
-	global $config;
-
-	/* No rules, start a new array */
-	if (!is_array($config['filter']['rule'])) {
-		$config['filter']['rule'] = array();
-	}
-
-	filter_rules_sort();
-	$a_filter = &$config['filter']['rule'];
-
-	/* Make up a new rule */
-	$filterent = array();
-	$filterent['type'] = 'pass';
-	$filterent['interface'] = $int;
-	$filterent['descr'] = "Easy Rule: Passed from Firewall Log View";
-
-	if ($proto != "any")
-		$filterent['protocol'] = $proto;
-	else
-		unset($filterent['protocol']);
-
-	/* Default to only allow echo requests, since that's what most people want and
-	 *  it should be a safe choice. */
-	if ($proto == "icmp")
-		$filterent['icmptype'] = 'echoreq';
-
-	pconfig_to_address($filterent['source'], $srchost, 32);
-	pconfig_to_address($filterent['destination'], $dsthost, 32, '', $dstport, $dstport);
-
-	$a_filter[] = $filterent;
-
-	write_config();
-	$retval = filter_configure();
-	header("Location: firewall_rules.php?if={$int}");
-	exit;
-}
-?>
diff --git a/usr/local/www/filter_log.inc b/usr/local/www/filter_log.inc
deleted file mode 100644
index 3dc00c8..0000000
--- a/usr/local/www/filter_log.inc
+++ /dev/null
@@ -1,295 +0,0 @@
-<?php
-/* $Id$ */
-/*
-	filter_log.inc
-	part of pfSesne by Scott Ullrich
-	originally based on m0n0wall (http://m0n0.ch/wall)
-
-	Copyright (C) 2009 Jim Pingle <myfirstname>@<mylastname>.org
-	All rights reserved.
-
-	Redistribution and use in source and binary forms, with or without
-	modification, are permitted provided that the following conditions are met:
-
-	1. Redistributions of source code must retain the above copyright notice,
-	   this list of conditions and the following disclaimer.
-
-	2. Redistributions in binary form must reproduce the above copyright
-	   notice, this list of conditions and the following disclaimer in the
-	   documentation and/or other materials provided with the distribution.
-
-	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-	POSSIBILITY OF SUCH DAMAGE.
-*/
-/*
-	pfSense_BUILDER_BINARIES:	/usr/sbin/fifolog_reader	/usr/bin/tail	/usr/sbin/clog
-	pfSense_MODULE:	filter
-*/
-
-/* format filter logs */
-function conv_log_filter($logfile, $nentries, $tail = 50, $filtertext = "") {
-	global $config, $g;
-
-	/* Make sure this is a number before using it in a system call */
-	if (!(is_numeric($tail)))
-		return;
-
-	if ($filtertext)
-		$tail = 5000;
-
-	/* FreeBSD 8 splits pf log lines into two lines, so we need to at least
-	 * tail twice as many, plus some extra to account for unparseable lines */
-	$tail = $tail * 2 + 50;
-
-	/* Always do a reverse tail, to be sure we're grabbing the 'end' of the log. */
-	$logarr = "";
-
-	if(isset($config['system']['usefifolog']))
-		exec("/usr/sbin/fifolog_reader {$logfile} | /usr/bin/tail -r -n {$tail}", $logarr);
-	else
-		exec("/usr/sbin/clog {$logfile} | grep -v \"CLOG\" | grep -v \"\033\" | /usr/bin/tail -r -n {$tail}", $logarr);
-
-	$filterlog = array();
-	$counter = 0;
-
-	$logarr = array_reverse(collapse_filter_lines(array_reverse($logarr)));
-
-	foreach ($logarr as $logent) {
-		if($counter >= $nentries)
-			break;
-
-		$flent = parse_filter_line($logent);
-		if (($flent != "") && (match_filter_line($flent, $filtertext))) {
-			$counter++;
-			$filterlog[] = $flent;
-		}
-	}
-	/* Since the lines are in reverse order, flip them around if needed based on the user's preference */
-	return isset($config['syslog']['reverse']) ? $filterlog : array_reverse($filterlog);
-}
-
-function match_filter_line($flent, $filtertext = "") {
-	if (!$filtertext)
-		return true;
-	$filtertext = str_replace(' ', '\s+', $filtertext);
-	return preg_match("/{$filtertext}/i", implode(" ", array_values($flent)));
-}
-
-function collapse_filter_lines($logarr) {
-	$lastline = "";
-	$collapsed = array();
-	foreach ($logarr as $logent) {
-		$line_split = "";
-		preg_match("/.*\spf:\s(.*)/", $logent, $line_split);
-		if (substr($line_split[1], 0, 4) != "    ") {
-			if (($lastline != "") && (substr($lastline, 0, 1) != " ")) {
-				$collapsed[] = $lastline;
-			}
-			$lastline = $logent;
-		} else {
-			$lastline .= substr($line_split[1], 3);
-		}
-	}
-	//print_r($collapsed);
-	return $collapsed;
-}
-
-function parse_filter_line($line) {
-	global $config, $g;
-	$log_split = "";
-	preg_match("/(.*)\s(.*)\spf:\s.*\srule\s(.*)\(match\)\:\s(.*)\s\w+\son\s(\w+)\:\s\((.*)\)\s(.*)\s>\s(.*)\:\s(.*)/", $line, $log_split);
-
-	list($all, $flent['time'], $host, $rule, $flent['act'], $flent['realint'], $details, $src, $dst, $leftovers) = $log_split;
-
-	list($flent['srcip'], $flent['srcport']) = parse_ipport($src);
-	list($flent['dstip'], $flent['dstport']) = parse_ipport($dst);
-
-	$flent['src'] = $flent['srcip'];
-	$flent['dst'] = $flent['dstip'];
-
-	if ($flent['srcport'])
-		$flent['src'] .= ':' . $flent['srcport'];
-	if ($flent['dstport'])
-		$flent['dst'] .= ':' . $flent['dstport'];
-
-	$flent['interface']  = convert_log_interface_to_friendly_interface_name($flent['realint']);
-
-	$tmp = split("/", $rule);
-	$flent['rulenum'] = $tmp[0];
-
-	$proto = array(" ", "(?)");
-	/* Attempt to determine the protocol, based on several possible patterns.
-	 * The value returned by strpos() must be strictly checkeded against the
-	 * boolean FALSE because it could return a valid answer of 0 upon success. */
-	if (!(strpos($details, 'proto ') === FALSE)) {
-		preg_match("/.*\sproto\s(.*)\s\(/", $details, $proto);
-	} elseif (!(strpos($details, 'proto: ') === FALSE)) {
-		preg_match("/.*\sproto\:(.*)\s\(/", $details, $proto);
-	} elseif (!(strpos($leftovers, 'sum ok] ') === FALSE)) {
-		preg_match("/.*\ssum ok]\s(.*)\,\s.*/", $leftovers, $proto);
-	} elseif (!(strpos($line, 'sum ok] ') === FALSE)) {
-		preg_match("/.*\ssum ok]\s(.*)\,\s.*/", $line, $proto);
-	}
-	$proto = split(" ", trim($proto[1]));
-	$flent['proto'] = rtrim($proto[0], ",");
-
-	/* If we're dealing with TCP, try to determine the flags/control bits */
-	$flent['tcpflags'] = "";
-	if ($flent['proto'] == "TCP") {
-		$flags = split('[\, ]', $leftovers);
-		$flent['tcpflags'] = str_replace(".", "A", substr($flags[1], 1, -1));
-	}
-
-	/* If there is a src, a dst, and a time, then the line should be usable/good */
-	if (!((trim($flent['src']) == "") || (trim($flent['dst']) == "") || (trim($flent['time']) == ""))) {
-		return $flent;
-	} else {
-		if($g['debug']) {
-			log_error("There was a error parsing rule: $errline.   Please report to mailing list or forum.");
-		}
-		return "";
-	}
-}
-
-function convert_log_interface_to_friendly_interface_name($int) {
-	global $config;
-
-	$iflist = get_configured_interface_with_descr();
-	foreach ($iflist as $if => $ifdesc)
-		$iftable[get_real_interface($if)] = $ifdesc;
-
-	/* Check for WAN first, pppoe (ng0) doesn't return properly otherwise */
-	if ($int == get_real_wan_interface($int))
-		$int = 'wan';
-	else
-		$int = empty($iftable[$int]) ? $int : $iftable[$int];
-
-	return $int;
-}
-
-function parse_ipport($addr) {
-	$addr = rtrim($addr, ":");
-	$port = '';
-	if (substr_count($addr, '.') > 1) {
-		/* IPv4 */
-		$addr_split = split("\.", $addr);
-		$ip = "{$addr_split[0]}.{$addr_split[1]}.{$addr_split[2]}.{$addr_split[3]}";
-
-		if ($ip == "...")
-			return array($addr, '');
-
-		if($addr_split[4] != "") {
-			$port_split = split("\:", $addr_split[4]);
-			$port = $port_split[0];
-		}
-	} else {
-		/* IPv6 */
-		$addr = split(" ", $addr);
-		$addr = rtrim($addr[0], ":");
-		$addr_split = split("\.", $addr);
-		if (count($addr_split) > 1) {
-			$ip   = $addr_split[0];
-			$port = $addr_split[1];
-		} else {
-			$ip   = $addr;
-		}
-	}
-
-	return array($ip, $port);
-}
-
-function get_port_with_service($port, $proto) {
-	if (!$port)
-		return '';
-
-	$service = getservbyport($port, $proto);
-	$portstr = "";
-	if ($service) {
-		$portstr = "<span title=\"Service {$port}/{$proto}: {$service}\">" . htmlspecialchars($port) . "</span>";
-	} else {
-		$portstr = htmlspecialchars($port);
-	}
-	return ':' . $portstr;
-}
-
-function find_rule_by_number($rulenum, $type="rules") {
-	/* Passing arbitrary input to grep could be a Very Bad Thing(tm) */
-	if (!(is_numeric($rulenum)))
-		return;
-	/* At the moment, miniupnpd is the only thing I know of that
-	   generates logging rdr rules */
-	if ($type == "rdr")
-		return `pfctl -vvsn -a "miniupnpd" | grep '^@{$rulenum} '`;
-	else
-		return `pfctl -vvsr | grep '^@{$rulenum} '`;
-}
-
-function find_action_image($action) {
-	global $g;
-	if ((strstr(strtolower($action), "p")) || (strtolower($action) == "rdr"))
-		return "/themes/{$g['theme']}/images/icons/icon_pass.gif";
-	else if(strstr(strtolower($action), "r"))
-		return "/themes/{$g['theme']}/images/icons/icon_reject.gif";
-	else
-		return "/themes/{$g['theme']}/images/icons/icon_block.gif";
-}
-
-function is_first_row($rownum, $totalrows) {
-	global $config;
-	if(isset($config['syslog']['reverse'])) {
-		/* Honor reverse logging setting */
-		if($rownum == 0)
-			return " id=\"firstrow\"";
-	} else {
-		/* non-reverse logging */
-		if($rownum == $totalrows - 1)
-			return " id=\"firstrow\"";
-	}
-	return "";
-}
-
-/* AJAX specific handlers */
-function handle_ajax($nentries, $tail = 50) {
-	global $config;
-	if($_GET['lastsawtime'] or $_POST['lastsawtime']) {
-		global $filter_logfile,$filterent;
-		if($_GET['lastsawtime'])
-			$lastsawtime = $_GET['lastsawtime'];
-		if($_POST['lastsawtime'])
-			$lastsawtime = $_POST['lastsawtime'];
-		/*  compare lastsawrule's time stamp to filter logs.
-		 *  afterwards return the newer records so that client
-                 *  can update AJAX interface screen.
-		 */
-		$new_rules = "";
-		$filterlog = conv_log_filter($filter_logfile, $nentries, $tail);
-		/* We need this to always be in forward order for the AJAX update to work properly */
-		$filterlog = isset($config['syslog']['reverse']) ? array_reverse($filterlog) : $filterlog;
-		foreach($filterlog as $log_row) {
-			$time_regex = "";
-			preg_match("/.*([0-9][0-9]:[0-9][0-9]:[0-9][0-9])/", $log_row['time'], $time_regex);
-			$row_time = strtotime($time_regex[1]);
-			$img = "<img border='0' src='" . find_action_image($log_row['act']) . "' alt={$log_row['act']} title={$log_row['act']} />";
-			//echo "{$time_regex[1]} - $row_time > $lastsawtime<p>";
-			if($row_time > $lastsawtime) {
-				if ($log_row['proto'] == "TCP")
-					$log_row['proto'] .= ":{$log_row['tcpflags']}";
-
-				$img = "<a href=\"#\" onClick=\"javascript:getURL('diag_logs_filter.php?getrulenum={$log_row['rulenum']},{$log_row['rulenum']}', outputrule);\">{$img}</a>";
-				$new_rules .= "{$img}||{$log_row['time']}||{$log_row['interface']}||{$log_row['src']}||{$log_row['dst']}||{$log_row['proto']}||" . time() . "||\n";
-			}
-		}
-		echo $new_rules;
-		exit;
-	}
-}
-
-?>
\ No newline at end of file