-rw-r--r--etc/inc/filter.inc292
-rwxr-xr-xusr/local/www/firewall_shaper.php1
2 files changed, 272 insertions, 21 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 878b7ef..84eeb14 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -76,7 +76,10 @@ function filter_configure() {
/* generate altq queues */
$altq_queues = filter_generate_altq_queues($altq_ints);
/* generate altq rules */
- $altq_rules = filter_generate_altq_rules();
+ /* Generate ipfw rules until billm finishes pf/altq */
+ $ipfw_altq_rules = filter_generate_ipfw_altq_rules();
+ /* pf/altq rules */
+ //$pf_altq_rules = filter_generate_pf_altq_rules();
}
if( !isset( $config['system']['disablefilter'] ) ) {
mwexec("/sbin/pfctl -e");
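Review bot: `$pf_altq_rules` never receives a value — the only assignment, `//$pf_altq_rules = filter_generate_pf_altq_rules();`, is commented out — yet the second hunk appends `$rules.= $pf_altq_rules . "\n";` to the pf ruleset, so that line only produces an undefined-variable notice and a blank line. Either leave the append out until the pf/altq path is switched on, or initialise it next to the other two: `$pf_altq_rules = "";`. filter_configure() starts before this hunk, so I cannot see whether the variable is declared earlier in the function.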
@@ -120,6 +123,7 @@ function filter_configure() {
$rules.= $altq_ints . "\n";
$rules.= $altq_queues . "\n";
$rules.= $natrules . "\n";
+ $rules.= $pf_altq_rules . "\n";
$rules.= $pfrules . "\n";
fwrite($fd, $rules);
fclose($fd);
@@ -143,7 +147,7 @@ function filter_configure() {
printf("Cannot open ipfw.rules in filter_configure()\n");
return 1;
}
- fwrite($fd, $altq_rules);
+ fwrite($fd, $ipfw_altq_rules);
fclose($fd);
mwexec("/sbin/ipfw {$g['tmp_path']}/ipfw.rules");
mwexec("/sbin/ipfw enable altq");
@@ -269,8 +273,10 @@ function filter_get_rule_real_interface($associatedrulenumber) {
function filter_is_queue_being_used_on_interface($queuename, $interface) {
global $config;
- if(!is_array($config['shaper']['rule'])) return;
- foreach($config['shaper']['rule'] as $rule) {
+ $lconfig = $config;
+
+ if(!is_array($lconfig['shaper']['rule'])) return;
+ foreach($lconfig['shaper']['rule'] as $rule) {
if($rule['targetqueue'] == $queuename && $rule['interface'] == $interface)
return $interface;
}
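Review bot: `$lconfig = $config;` copies the whole configuration array only to read `$lconfig['shaper']['rule']` twice; nothing is written to it, so the two changed lines behave exactly like the lines they replace and the copy adds nothing but a misleading hint that local mutation happens. If the goal is to stop depending on the global, pass the rule list in instead. While here, the comparisons on the following line compare configured strings and would be safer as `if($rule['targetqueue'] === $queuename && $rule['interface'] === $interface)`. The function's closing lines are outside this hunk.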
@@ -280,6 +286,8 @@ function filter_is_queue_being_used_on_interface($queuename, $interface) {
function filter_setup_altq_interfaces() {
global $config;
$altq_rules = "";
+ $altq_ifs = "";
+ $bandwidth = "";
$queue_names = "";
$is_first = "";
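Review bot: `$bandwidth = "";` initialises the total as a string, but the next hunk accumulates it arithmetically with `$bandwidth = $bandwidth + $config['interfaces'][$ifname]['bandwidth'];` and interpolates it as `bandwidth {$bandwidth}Kb`; when no interface has a bandwidth configured the generated altq line reads `bandwidth Kb`, which pfctl will reject, and on PHP 8 `"" + ...` is a TypeError rather than a silent zero. Initialise it as `$bandwidth = 0;`. The next hunk also hardcodes the `Kb` suffix where the removed line used `$config['interfaces'][$ifname]['bandwidthtype']`, so interfaces configured in other units are summed as if they were Kb; the values need converting to one unit before they are added. `$is_first` on this line is no longer read anywhere in the function after the next hunk's change.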
@@ -290,40 +298,32 @@ function filter_setup_altq_interfaces() {
$ifdescrs[] = "opt" . $j;
}
+ $queue_names = "";
foreach ($ifdescrs as $ifdescr => $ifname) {
- $queue_names = "";
- $is_first = "";
-
$workting_with_interface = $ifname;
foreach ($config['shaper']['queue'] as $queue) {
$rule_interface = "";
$q = $queue;
$rule_interface = filter_is_queue_being_used_on_interface($queue['name'], $workting_with_interface);
-// $rule_interface = queue_interface_recursive($q['name']);
if ($rule_interface == $workting_with_interface) {
$status_is_subqueue = is_subqueue($queue['name']);
-// $status_is_attached = is_queue_attached_children($q['name']);
if($queue['attachtoqueue'] <> "") $status_is_attached = 0;
-// if($status_is_subqueue == 0 or $status_is_attached == 1) {
- if($is_first) $queue_names .= ", ";
- $queue_names .= $queue['name'];
- $is_first = "1";
-// }
+ $queue_names .= " ";
+ $queue_names .= $queue['name'];
}
}
if($queue_names <> ""){
- $altq_rules .= "altq on " . $config['interfaces'][$ifname]['if'] . " ";
+ $altq_ifs .= " {$config['interfaces'][$ifname]['if']}";
if($config['interfaces'][$ifname]['bandwidth'] <> "")
- $bandwidth = " bandwidth " . $config['interfaces'][$ifname]['bandwidth'] . $config['interfaces'][$ifname]['bandwidthtype'];
- $altq_rules .= $config['system']['schedulertype'] . $bandwidth . " ";
- $altq_rules .= "queue { " . $queue_names . " }";
+ $bandwidth = $bandwidth + $config['interfaces'][$ifname]['bandwidth'];
}
- $altq_rules .= "\n";
}
+
+ $altq_rules = "altq on \{ {$altq_ifs} } {$config['system']['schedulertype']} bandwidth {$bandwidth}Kb queue \{ {$queue_names} }";
return $altq_rules;
}
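Review bot: The backslashes in the new `$altq_rules` assignment are emitted literally — PHP double-quoted strings have no `\{` escape (the manual only recognises `{$`, and `{\$` to suppress it), so the generated rule begins `altq on \{ ...` and pfctl will not parse it. The braces here are followed by a space, not `$`, so they need no escaping at all: `$altq_rules = "altq on { {$altq_ifs} } {$config['system']['schedulertype']} bandwidth {$bandwidth}Kb queue { {$queue_names} }";`. When no interface has a queue, `$altq_ifs` and `$queue_names` stay empty and the function still returns a complete `altq on { } ... queue { }` line where the old code produced only newlines; guard with `if ($altq_ifs == "") return "";` before the assignment. `$status_is_attached` is assigned but never read. The function starts before this hunk.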
@@ -441,7 +441,7 @@ function generate_optcfg_array(& $optcfg) {
}
-function filter_generate_altq_rules() {
+function filter_generate_ipfw_altq_rules() {
global $config, $g;
$wancfg = $config['interfaces']['wan'];
@@ -700,6 +700,256 @@ function filter_generate_altq_rules() {
return $shaperrules;
}
+function filter_generate_pf_altq_rules() {
+ /* I don't think we're in IPFW anymore Toto */
+
+ global $config, $g;
+
+ $wancfg = $config['interfaces']['wan'];
+ $lancfg = $config['interfaces']['lan'];
+ $pptpdcfg = $config['pptpd'];
+
+ $lanif = $lancfg['if'];
+ $wanif = get_real_wan_interface();
+
+ $lanip = $lancfg['ipaddr'];
+ $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
+ $lansn = $lancfg['subnet'];
+
+ /* optional interfaces */
+ $optcfg = array();
+ generate_optcfg_array($optcfg);
+
+ if ($pptpdcfg['mode'] == "server") {
+ $pptpip = $pptpdcfg['localip'];
+ $pptpsa = $pptpdcfg['remoteip'];
+ $pptpsn = $g['pptp_subnet'];
+ }
+
+ /* generate rules */
+ if (isset($config['shaper']['rule']))
+ foreach ($config['shaper']['rule'] as $rule) {
+
+ /* don't include disabled rules */
+ if (isset($rule['disabled'])) {
+ $i++;
+ continue;
+ }
+
+ /* does the rule deal with a PPTP interface? */
+ if ($rule['interface'] == "pptp") {
+
+ if ($pptpdcfg['mode'] != "server") {
+ $i++;
+ continue;
+ }
+
+ $nif = $g['n_pptp_units'];
+ $ispptp = true;
+ } else {
+
+ if (strstr($rule['interface'], "opt")) {
+ if (!array_key_exists($rule['interface'], $optcfg)) {
+ $i++;
+ continue;
+ }
+ }
+
+ $nif = 1;
+ $ispptp = false;
+ }
+
+ if ($pptpdcfg['mode'] != "server") {
+ if (($rule['source']['network'] == "pptp") ||
+ ($rule['destination']['network'] == "pptp")) {
+ $i++;
+ continue;
+ }
+ }
+
+ if (strstr($rule['source']['network'], "opt")) {
+ if (!array_key_exists($rule['source']['network'], $optcfg)) {
+ $i++;
+ continue;
+ }
+ }
+ if (strstr($rule['destination']['network'], "opt")) {
+ if (!array_key_exists($rule['destination']['network'], $optcfg)) {
+ $i++;
+ continue;
+ }
+ }
+
+ /* check for unresolvable aliases */
+ if ($rule['source']['address'] && !alias_expand($rule['source']['address'])) {
+ $i++;
+ continue;
+ }
+ if ($rule['destination']['address'] && !alias_expand($rule['destination']['address'])) {
+ $i++;
+ continue;
+ }
+
+ for ($iif = 0; $iif < $nif; $iif++) {
+
+ $line = "pass in on ";
+
+ if ($ispptp) {
+ $line .= " ng" . ($iif+1);
+ } else {
+ $if = $config['interfaces'][$rule['interface']]['if'];
+
+ if ($rule['interface'] == "wan")
+ $if = $wanif;
+ else if($rule['interface'] == "lan")
+ $if = $lanif;
+
+ $line .= " {$if} ";
+ }
+
+ if (isset($rule['protocol'])) {
+ $line .= "proto {$rule['protocol']} ";
+ }
+
+ /* source address */
+ if (isset($rule['source']['any'])) {
+ $src = "any";
+ } else if ($rule['source']['network']) {
+ if (strstr($rule['source']['network'], "opt")) {
+ $src = $optcfg[$rule['source']['network']]['sa'] . "/" .
+ $optcfg[$rule['source']['network']]['sn'];
+ } else {
+ switch ($rule['source']['network']) {
+ case 'lan':
+ $src = "$lansa/$lansn";
+ break;
+ case 'pptp':
+ $src = "$pptpsa/$pptpsn";
+ break;
+ }
+ }
+ } else if ($rule['source']['address']) {
+ $src = $rule['source']['address'];
+ }
+
+ if (!$src) {
+ printf("No source address found in rule $i\n");
+ break;
+ }
+
+ if (isset($rule['source']['not'])) {
+ $line .= "from ! $src ";
+ } else {
+ $line .= "from $src ";
+ }
+
+ if (!isset($rule['protocol']) || in_array($rule['protocol'], array("tcp","udp"))) {
+ if ($rule['source']['port']) {
+ /*
+ * Check to see if port is a alias. If so grab it and
+ * enclose it in { } to pass to pf.
+ *
+ * Otherwise combine the portrange into one if its only
+ * one item.
+ */
+ $src = alias_expand($rule['source']['port']);
+ if($src <> "") {
+ $line .= "port {$rule['destination']['port']}";
+ } else {
+ $srcport = explode("-", $rule['source']['port']);
+ if ((!$srcport[1]) || ($srcport[0] == $srcport[1])) {
+ $line .= "port {$srcport[0]} ";
+ } else {
+ $line .= "port {$srcport[0]}:{$srcport[1]} ";
+ }
+ }
+ }
+ }
+
+ /* destination address */
+ if (isset($rule['destination']['any'])) {
+ $dst = "any";
+ } else if ($rule['destination']['network']) {
+
+ if (strstr($rule['destination']['network'], "opt")) {
+ $dst = $optcfg[$rule['destination']['network']]['sa'] . "/" .
+ $optcfg[$rule['destination']['network']]['sn'];
+ } else {
+ switch ($rule['destination']['network']) {
+ case 'lan':
+ $dst = "$lansa/$lansn";
+ break;
+ case 'pptp':
+ $dst = "$pptpsa/$pptpsn";
+ break;
+ }
+ }
+ } else if ($rule['destination']['address']) {
+ $dst = $rule['destination']['address'];
+ }
+
+ if (!$dst) {
+ printf("No destination address found in rule $i\n");
+ break;
+ }
+
+ if (isset($rule['destination']['not'])) {
+ $line .= "to ! $dst ";
+ } else {
+ $line .= "to $dst ";
+ }
+
+ if (!isset($rule['protocol']) || in_array($rule['protocol'], array("tcp","udp"))) {
+ if ($rule['destination']['port']) {
+ $dst = alias_expand($rule['destination']['port']);
+ /*
+ * Check to see if port is a alias. If so grab it and
+ * enclose it in { } to pass to pf.
+ *
+ * Otherwise combine the portrange into one if its only
+ * one item.
+ */
+ if($dst <> "") {
+ $line .= "port {$rule['destination']['port']}";
+ } else {
+ $dstport = explode("-", $rule['destination']['port']);
+ if ((!$dstport[1]) || ($dstport[0] == $dstport[1])) {
+ $line .= "port {$dstport[0]} ";
+ } else {
+ $line .= "port {$dstport[0]}:{$dstport[1]} ";
+ }
+ }
+ }
+ }
+
+/*
+ if ($rule['iplen'])
+ $line .= "iplen {$rule['iplen']} ";
+
+ if ($rule['iptos'])
+ $line .= "iptos {$rule['iptos']} ";
+
+ if ($rule['tcpflags'])
+ $line .= "tcpflags {$rule['tcpflags']} ";
+
+ if ($rule['direction'] == "in")
+ $line .= "in recv ";
+ else if ($rule['direction'] == "out")
+ $line .= "out xmit ";
+
+*/
+ $line .= " keep state tag {$rule['targetqueue']} ";
+
+ $line .= "\n";
+ $shaperrules .= $line;
+ }
+
+ $i++;
+ }
+
+ return $shaperrules;
+}
+
function filter_altq_get_queuename($queuenum) {
global $config;
$x=0;
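Review bot: In the new filter_generate_pf_altq_rules(), `$src` and `$dst` are reused to hold the port-alias lookup (`$src = alias_expand($rule['source']['port']);` and the matching `$dst` line) and are never reset between rules or `$iif` iterations, so a rule whose source or destination sets neither `any`, a known network nor an address inherits the previous rule's value and the `if (!$src)` / `if (!$dst)` guards never fire. In the source-port alias branch the emitted text is `port {$rule['destination']['port']}` — the destination port, with no trailing space, so it runs straight into the following `to ...` clause. `$i` and `$shaperrules` are also never initialised in this function, and the comment promising to enclose an alias in `{ }` does not match what is written. The fence below resets both variables per iteration, uses separate names for the alias lookups and fixes the source-port branch; the function is complete within the hunk, the lines before and after it belong to neighbouring functions.
```php
function filter_generate_pf_altq_rules() {
	/* I don't think we're in IPFW anymore Toto */

	global $config, $g;

	$i = 0;
	$shaperrules = "";
	// … unchanged: interface/pptp setup and per-rule skip checks …
			for ($iif = 0; $iif < $nif; $iif++) {

				/* never carry an address over from the previous rule */
				$src = "";
				$dst = "";
				$line = "pass in on ";
				// … unchanged: interface, protocol and source address clauses …
						$srcalias = alias_expand($rule['source']['port']);
						if($srcalias <> "") {
							$line .= "port {$rule['source']['port']} ";
						} else {
				// … unchanged: source port range, destination address clause …
						$dstalias = alias_expand($rule['destination']['port']);
						if($dstalias <> "") {
							$line .= "port {$rule['destination']['port']} ";
						} else {
				// … unchanged: destination port range, keep state / tag, return …
```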
@@ -1880,4 +2130,4 @@ function process_carp_rules() {
return $lines;
}
-?> \ No newline at end of file
+?>
diff --git a/usr/local/www/firewall_shaper.php b/usr/local/www/firewall_shaper.php
index 58fb7b5..e1bc11c 100755
--- a/usr/local/www/firewall_shaper.php
+++ b/usr/local/www/firewall_shaper.php
@@ -179,6 +179,7 @@ if ($_GET['act'] == "del") {
<li class="tabact">Rules</li>
<li class="tabinact"><a href="firewall_shaper_queues.php">Queues</a></li>
<li class="tabinact"><a href="firewall_shaper_magic.php">Magic shaper wizard</a></li>
+ <li class="tabinact"><a href="wizard.php?xml=setup_wizard.xml">Experimental magic shaper wizard</a></li>
</ul>
</td></tr>
<tr>
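Review bot: The new tab is labelled "Experimental magic shaper wizard" but links to `wizard.php?xml=setup_wizard.xml`, which by its name looks like the general setup wizard rather than a shaper-specific definition; if a shaper wizard xml does not exist yet, the link text should say so or the tab should be held back until it does. The enclosing markup starts before this hunk, so I cannot tell whether the new entry is gated the same way as the other tabs.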