From 60120e37425e3e0147bbc3a0cfe010c124ba0df6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ermal=20Lu=E7i?= Date: Sun, 26 Apr 2009 14:23:29 +0000 Subject: * Convert schedules to pf(4). This allows to schedule the whole feature of the rules like queues/limiters/gateways/blocks/allows/etc... * Whitespace cleaning on filter.inc * Move schedule backend logic from pfsense-utils.inc to filter.inc and prefix with filter_. * Small bugfixes here and there. --- etc/inc/filter.inc | 486 ++++++++++++++++++++++++------------ etc/inc/globals.inc | 2 +- etc/inc/pfsense-utils.inc | 599 --------------------------------------------- etc/inc/upgrade_config.inc | 9 + 4 files changed, 334 insertions(+), 762 deletions(-) (limited to 'etc') diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 970accc..d6d9af6 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -265,12 +265,11 @@ function filter_configure_sync() { update_filter_reload_status("Plugins completed."); } /* if time based rules are enabled then swap in the set */ - if($time_based_rules == true) { - tdr_install_cron(true); - tdr_install_set(); - } else { - tdr_install_cron(false); - } + if ($time_based_rules == true) + filter_tdr_install_cron(true); + else + filter_tdr_install_cron(false); + /* * we need a way to let a user run a shell cmd after each * filter_configure() call. run this xml command after @@ -278,16 +277,21 @@ function filter_configure_sync() { */ if($config['system']['afterfilterchangeshellcmd'] <> "") mwexec($config['system']['afterfilterchangeshellcmd']); + /* sync carp entries to other firewalls */ update_filter_reload_status("Syncing CARP data"); carp_sync_client(); + if ($g['booting'] == true) - echo "."; + echo "."; system_routing_configure(); + find_dns_aliases(); + update_filter_reload_status("Done"); if ($g['booting'] == true) echo "done.\n"; + return 0; } @@ -1224,7 +1228,7 @@ function generate_user_filter_rule($rule) /* we're not using load balancing, just setup gateway */ else if($foundlb == 0) { $gateway = $rule['gateway']; - if(!is_ipaddr($gateway)) { + if (!is_ipaddr($gateway)) { $gwip = $GatewaysList[$gateway]['gateway']; if ($GatewaysList[$gateway]['interface']) $int = $GatewaysList[$gateway]['interface']; @@ -1242,14 +1246,14 @@ function generate_user_filter_rule($rule) } if (isset($rule['protocol'])) { - if($rule['protocol'] == "tcp/udp") + if ($rule['protocol'] == "tcp/udp") $aline['prot'] = " proto { tcp udp } "; - elseif($rule['protocol'] == "icmp") + elseif ($rule['protocol'] == "icmp") $aline['prot'] = " inet proto icmp "; else $aline['prot'] = " proto {$rule['protocol']} "; } else { - if($rule['source']['port'] <> "" || $rule['destination']['port'] <> "") + if ($rule['source']['port'] <> "" || $rule['destination']['port'] <> "") $aline['prot'] = " proto tcp "; } update_filter_reload_status("Creating rule {$rule['descr']}"); @@ -1420,9 +1424,9 @@ function generate_user_filter_rule($rule) else $dst = "{ {$not} {$expdst} }"; } - if (!$dst || ($dst == "/")) { + if (!$dst || ($dst == "/")) return "# returning at dst $dst == \"/\""; - } + $aline['dst'] = "to $dst "; if (in_array($rule['protocol'], array("tcp","udp","tcp/udp"))) { if ($rule['destination']['port']) { @@ -1458,9 +1462,8 @@ function generate_user_filter_rule($rule) $l7_structures = $l7rule->get_unique_structures(); $aline['divert'] = "divert " . $l7rule->GetRPort() . " "; } - if (($rule['protocol'] == "icmp") && $rule['icmptype']) { + if (($rule['protocol'] == "icmp") && $rule['icmptype']) $aline['icmp-type'] = "icmp-type {$rule['icmptype']} "; - } if (!empty($rule['tag'])) $aline['tag'] = " tag " .$rule['tag']. " "; if (!empty($rule['tagged'])) @@ -1474,18 +1477,18 @@ function generate_user_filter_rule($rule) if($rule['protocol'] == "tcp") $aline['flags'] = "flags S/SA "; /* - # keep state - works with TCP, UDP, and ICMP. - # modulate state - works only with TCP. pfSense will generate strong Initial Sequence Numbers (ISNs) - for packets matching this rule. - # synproxy state - proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. - This option includes the functionality of keep state and modulate state combined. - # none - do not use state mechanisms to keep track. this is only useful if your doing advanced - queueing in certain situations. please check the faq. - */ + * # keep state + * works with TCP, UDP, and ICMP. + * # modulate state + * works only with TCP. pfSense will generate strong Initial Sequence Numbers (ISNs) + * for packets matching this rule. + * # synproxy state + * proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. + * This option includes the functionality of keep state and modulate state combined. + * # none + * do not use state mechanisms to keep track. this is only useful if your doing advanced + * queueing in certain situations. please check the faq. + */ $noadvoptions = false; if (isset($rule['statetype']) && $rule['statetype'] <> "") { switch($rule['statetype']) { @@ -1501,17 +1504,17 @@ function generate_user_filter_rule($rule) default: $aline['flags'] = "{$rule['statetype']} "; } - } else { + } else $aline['flags'] = "keep state "; - } - if($noadvoptions == false || $l7_present) + + if ($noadvoptions == false || $l7_present) if( isset($rule['source-track']) and $rule['source-track'] <> "" or - isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "" or - isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> "" or + isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "" or + isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> "" or isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "" or - isset($rule['max-src-states']) and $rule['max-src-states'] <> "" or - isset($rule['statetimeout']) and $rule['statetimeout'] <> "" or - isset($rule['l7container']) and $rule['l7container'] != "none") { + isset($rule['max-src-states']) and $rule['max-src-states'] <> "" or + isset($rule['statetimeout']) and $rule['statetimeout'] <> "" or + isset($rule['l7container']) and $rule['l7container'] != "none") { $aline['flags'] .= "( "; if(isset($rule['source-track']) and $rule['source-track'] <> "") $aline['flags'] .= "source-track rule "; @@ -1532,123 +1535,89 @@ function generate_user_filter_rule($rule) $aline['flags'] .= " ) "; } } - if ($type == "reject" && $rule['protocol'] == "tcp") { - /* special reject packet */ - $aline['flags'] .= "flags S/SA "; - } - if ($type == "pass") { - if ($rule['defaultqueue'] <> "") { - $aline['queue'] = " queue (".$rule['defaultqueue']; - if ($rule['ackqueue'] <> "") - $aline['queue'] .= ",".$rule['ackqueue']; - $aline['queue'] .= ") "; - } - if ($rule['dnpipe'] <> "") { - if ($rule['dnpipe'][0] == "?") { - $aline['dnpipe'] = " dnqueue( "; - $aline['dnpipe'] .= substr($rule['dnpipe'],1); - if ($rule['pdnpipe'] <> "") - $aline['dnpipe'] .= ",".substr($rule['pdnpipe'], 1); - } else { - $aline['dnpipe'] = " dnpipe ( " . $rule['dnpipe']; - if ($rule['pdnpipe'] <> "") - $aline['dnpipe'] .= ", " . $rule['pdnpipe']; - } - $aline['dnpipe'] .= ") "; - } + if ($type == "reject" && $rule['protocol'] == "tcp") { + /* special reject packet */ + $aline['flags'] .= "flags S/SA "; + } + if ($type == "pass") { + if ($rule['defaultqueue'] <> "") { + $aline['queue'] = " queue (".$rule['defaultqueue']; + if ($rule['ackqueue'] <> "") + $aline['queue'] .= ",".$rule['ackqueue']; + $aline['queue'] .= ") "; } - /* cache entries */ - if (isset($src_table)) - if (isset($table_cache[$src_table])) { - if ($g['debug']) - echo "{$src_table} found in cache\n"; - } else { - if ($g['debug']) - echo "{$src_table} NOT found in cache...adding\n"; - $table_cache[$src_table] = $src_table_line; - } - if (isset($dst_table)) - if (isset($table_cache[$dst_table])) { - if ($g['debug']) - echo "{$dst_table} found in cache\n"; + if ($rule['dnpipe'] <> "") { + if ($rule['dnpipe'][0] == "?") { + $aline['dnpipe'] = " dnqueue( "; + $aline['dnpipe'] .= substr($rule['dnpipe'],1); + if ($rule['pdnpipe'] <> "") + $aline['dnpipe'] .= ",".substr($rule['pdnpipe'], 1); } else { - if ($g['debug']) - echo "{$dst_table} NOT found in cache...adding\n"; - $table_cache[$dst_table] = $dst_table_line; + $aline['dnpipe'] = " dnpipe ( " . $rule['dnpipe']; + if ($rule['pdnpipe'] <> "") + $aline['dnpipe'] .= ", " . $rule['pdnpipe']; } - - /* exception(s) to a user rules can go here. */ - /* rules with a gateway or pool should create another rule for routing to local networks or vpns */ - /* we only trigger this for a rule with the destination of any and without a gateway */ - if (($aline['route'] <> "") && (trim($aline['type']) == "pass") && (trim($dst) == "any")) { - /* negate VPN/PPTP/PPPoE networks for load balancer/gateway rules */ - $vpns = " to "; - $line .= $aline['type'] . $aline['direction'] . $aline['log'] . $aline['quick'] . $aline['interface'] . $aline['prot'] . - $aline['src'] . $aline['srcport'] . $aline['os'] . $vpns . $aline['dstport']. - $aline['icmp-type'] . $aline['tag'] . $aline['tagged'] . $aline['dscp'] . $aline['allowopts'] . $aline['flags']. - $aline['queue'] . $aline['dnpipe'] . - " label \"NEGATE_ROUTE: Negate policy route for local network(s)\"\n"; - /* negate directly connected networks for load balancer/gateway rules */ - $direct_networks = " to "; - $line .= $aline['type'] . $aline['direction'] . $aline['log'] . $aline['quick'] . $aline['interface'] . $aline['prot'] . - $aline['src'] . $aline['srcport'] . $aline['os'] . $direct_networks . $aline['dstport']. - $aline['icmp-type'] . $aline['tag'] . $aline['tagged'] . $aline['dscp'] . $aline['allowopts'] . - $aline['flags'] . $aline['queue'] . $aline['dnpipe'] . - " label \"NEGATE_ROUTE: Negate policy route for local network(s)\"\n"; + $aline['dnpipe'] .= ") "; } - /* piece together the actual user rule */ - $line .= $aline['type'] . $aline['direction'] . $aline['log'] . $aline['quick'] . $aline['interface'] . $aline['reply'] . - $aline['route'] . $aline['prot'] . $aline['src'] . $aline['srcport'] . $aline['os'] . $aline['dst'] . - $aline['dstport'] . $aline['divert'] . $aline['icmp-type'] . $aline['tag'] . $aline['tagged'] . $aline['dscp'] . - $aline['allowopts'] . $aline['flags'] . $aline['queue'] . $aline['dnpipe']; - - /* is a time based rule schedule attached? */ - if(!empty($rule['sched'])) { - if($config['schedules']) { - $foundsched = false; - foreach($config['schedules']['schedule'] as $sched) { - if($sched['name'] == $rule['sched']) { - $status = get_time_based_rule_status($schedule_xml_block); - $foundsched = true; - break; - } - } - if ($foundsched == false) - return $line; - } else - return $line; - - if($status) { - if($g['debug']) - log_error("[TDR DEBUG] status true -- rule type '$type'"); - if($type == "block") { - // active deny rules should deny - $ipfw_rule = tdr_create_ipfw_rule($rule, "deny"); - tdr_install_rule($ipfw_rule); - } else { - // active allow rules should allow - $ipfw_rule = tdr_create_ipfw_rule($rule, "allow"); - tdr_install_rule($ipfw_rule); - } - return "$line"; - } else { - /* rule is turned off, if type == pass, deny traffic until - * active else allow traffic until active - */ - if($type == "pass") { - // inactive pass rules should deny - $ipfw_rule = tdr_create_ipfw_rule($rule, "deny"); - tdr_install_rule($ipfw_rule); - } else { - // inactive block rules should skipto - $ipfw_rule = tdr_create_ipfw_rule($rule, "skipto"); - tdr_install_rule($ipfw_rule); - } - return "# $line"; - } - } + } + /* cache entries */ + if (isset($src_table)) + if (isset($table_cache[$src_table])) { + if ($g['debug']) + echo "{$src_table} found in cache\n"; + } else { + if ($g['debug']) + echo "{$src_table} NOT found in cache...adding\n"; + $table_cache[$src_table] = $src_table_line; + } + if (isset($dst_table)) + if (isset($table_cache[$dst_table])) { + if ($g['debug']) + echo "{$dst_table} found in cache\n"; + } else { + if ($g['debug']) + echo "{$dst_table} NOT found in cache...adding\n"; + $table_cache[$dst_table] = $dst_table_line; + } + + /* is a time based rule schedule attached? */ + if(!empty($rule['sched']) && !empty($config['schedules'])) { + $aline['schedlabel'] = ""; + foreach ($config['schedules']['schedule'] as $sched) { + if ($sched['name'] == $rule['sched']) { + if (!filter_get_time_based_rule_status($sched)) { + mwexec("/sbin/pfctl -y \"{$sched['schedlabel']}\""); + $line = "# schedule finished - {$rule}"; + } else if ($g['debug']) + log_error("[TDR DEBUG] status true -- rule type '$type'"); + + $aline['schedlabel'] = " schedule \"{$sched['schedlabel']}\" "; + break; + } + } + } - return $line; + /* exception(s) to a user rules can go here. */ + /* rules with a gateway or pool should create another rule for routing to vpns */ + if (($aline['route'] <> "") && (trim($aline['type']) == "pass") && (trim($dst) == "any")) { + /* negate VPN/PPTP/PPPoE networks for load balancer/gateway rules */ + $vpns = " to "; + $line .= $aline['type'] . $aline['direction'] . $aline['log'] . $aline['quick'] . + $aline['interface'] . $aline['prot'] . $aline['src'] . $aline['srcport'] . + $aline['os'] . $vpns . $aline['dstport'] . $aline['icmp-type'] . $aline['tag'] . + $aline['tagged'] . $aline['dscp'] . $aline['allowopts'] . $aline['flags'] . + $aline['queue'] . $aline['dnpipe'] . $aline['schedlabel'] . + " label \"NEGATE_ROUTE: Negate policy route for vpn(s)\"\n"; + + } + /* piece together the actual user rule */ + $line .= $aline['type'] . $aline['direction'] . $aline['log'] . $aline['quick'] . $aline['interface'] . + $aline['reply'] . $aline['route'] . $aline['prot'] . $aline['src'] . $aline['srcport'] . + $aline['os'] . $aline['dst'] . $aline['dstport'] . $aline['divert'] . $aline['icmp-type'] . + $aline['tag'] . $aline['tagged'] . $aline['dscp'] . $aline['allowopts'] . $aline['flags'] . + $aline['queue'] . $aline['dnpipe'] . $aline['schedlabel']; + + return $line; } function filter_rules_generate() @@ -1699,7 +1668,7 @@ block quick proto { tcp, udp } from any to any port = 0 EOD; - if(!isset($config['system']['ipv6allow'])) { + if (!isset($config['system']['ipv6allow'])) { $ipfrules .= "# Block all IPv6\n"; $ipfrules .= "block in quick inet6 all\n"; $ipfrules .= "block out quick inet6 all\n"; @@ -1940,7 +1909,6 @@ anchor "packagelate" EOD; if (isset($config['filter']['rule'])) { - $load_ipfw_module = false; /* Pre-cache all our rules so we only have to generate them once */ $rule_arr1 = array(); $rule_arr2 = array(); @@ -1956,25 +1924,18 @@ EOD; $rule_arr2[] = generate_user_filter_rule_arr($rule); } if ($rule['sched']) - $load_ipfw_module = true; + $time_based_rules = true; } } $rule_arr = array_merge($rule_arr1,$rule_arr2); /* - * check to see if any rules reference a schedule - * or if CP is enabled + * check to see if CP is enabled * and if so load ipfw for later usage. */ if (isset($config['captiveportal']['enable']) && isset($config['interfaces'][$config['captiveportal']['interface']]['enable'])) { - $load_ipfw_module = true; - } - - if ($load_ipfw_module == true) { filter_load_ipfw(); - $time_based_rules = true; - exec("/sbin/ipfw delete set 9"); - exec("/sbin/ipfw delete 2"); - exec("/sbin/ipfw delete 3"); + mwexec("/sbin/ipfw delete set 3"); + mwexec("/sbin/ipfw delete set 2"); } $ipfrules .= "\n# User-defined aliases follow\n"; /* tables for aliases */ @@ -2037,6 +1998,209 @@ function filter_rules_spoofcheck_generate($ifname, $if, $sa, $sn, $log) return $ipfrules; } +/****f* filter/filter_tdr_install_cron + * NAME + * filter_tdr_install_cron + * INPUTS + * $should_install true if the cron entry should be installed, false + * if the entry should be removed if it is present + * RESULT + * none + ******/ +function filter_tdr_install_cron($should_install) { + global $config, $g; + + if ($g['booting']==true) + return; + + $is_installed = false; + + if(!$config['cron']['item']) + return; + + $x=0; + foreach($config['cron']['item'] as $item) { + if (strstr($item['command'], "filter_configure_sync")) { + $is_installed = true; + break; + } + $x++; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['minute'] = "0,15,30,45"; + $cron_item['hour'] = "*"; + $cron_item['mday'] = "*"; + $cron_item['month'] = "*"; + $cron_item['wday'] = "*"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/etc/rc.filter_configure_sync"; + $config['cron']['item'][] = $cron_item; + write_config("Installed 15 minute filter reload for Time Based Rules"); + configure_cron(); + } + break; + case false: + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + write_config(); + } + configure_cron(); + } + break; + } +} + +/****f* filter/filter_get_time_based_rule_status + * NAME + * filter_get_time_based_rule_status + * INPUTS + * xml schedule block + * RESULT + * true/false - true if the rule should be installed + ******/ +/* + + + ScheduleMultipleTime + main descr + + + + +*/ +function filter_get_time_based_rule_status($schedule) { + $should_add_rule = false; + /* no schedule? rule should be installed */ + if (empty($schedule)) + return true; + /* + * iterate through time blocks and deterimine + * if the rule should be installed or not. + */ + foreach($schedule['timerange'] as $timeday) { + if($timeday['month']) + $month = $timeday['month']; + else + $week = ""; + if($timeday['day']) + $day = $timeday['day']; + else + $day = ""; + if($timeday['hour']) + $hour = $timeday['hour']; + else + $hour = ""; + if($timeday['position']) + $position = $timeday['position']; + else + $position = ""; + if($timeday['desc']) + $desc = $timeday['desc']; + else + $desc = ""; + if($month) { + $monthstatus = filter_tdr_month($month); + } else { + $monthstatus = true; + } + if($day) { + $daystatus = filter_tdr_day($day); + } else { + $daystatus = true; + } + if($hour) { + $hourstatus = filter_tdr_hour($hour); + } else { + $hourstatus = true; + } + if($position) { + $positionstatus = filter_tdr_position($position); + } else { + $positionstatus = true; + } + + if ($monthstatus == true && $daystatus == true && $positionstatus == true && $hourstatus == true) + $should_add_rule = true; + } + + return $should_add_rule; +} + +function filter_tdr_day($schedule) { + /* + * Calculate day of month. + * IE: 29th of may + */ + $weekday = date("w"); + if ($weekday == 0) + $weekday = 7; + $date = date("d"); + $defined_days = split(",", $schedule); + log_error("[TDR DEBUG] filter_tdr_day($schedule)"); + foreach($defined_days as $dd) { + if($date == $dd) + return true; + } + return false; +} +function filter_tdr_hour($schedule) { + /* $schedule should be a string such as 16:00-19:00 */ + $tmp = split("-", $schedule); + $starting_time = strtotime($tmp[0]); + $ending_time = strtotime($tmp[1]); + $now = strtotime("now"); + log_error("[TDR DEBUG] S: $starting_time E: $ending_time N: $now"); + if ($now >= $starting_time and $now <= $ending_time) + return true; + return false; +} + +function filter_tdr_position($schedule) { + /* + * Calculate possition, ie: day of week. + * Sunday = 7, Monday = 1, Tuesday = 2 + * Weds = 3, Thursday = 4, Friday = 5, + * Saturday = 6 + * ... + */ + $weekday = date("w"); + log_error("[TDR DEBUG] filter_tdr_position($schedule) $weekday"); + if ($weekday == 0) + $weekday = 7; + $schedule_days = split(",", $schedule); + foreach($schedule_days as $day) { + if ($day == $weekday) + return true; + } + return false; +} + +function filter_tdr_month($schedule) { + /* + * Calculate month + */ + $todays_month = date("n"); + $months = split(",", $schedule); + log_error("[TDR DEBUG] filter_tdr_month($schedule)"); + foreach($months as $month) { + if ($month == $todays_month) + return true; + } + return false; +} + function setup_logging_interfaces() { global $config; @@ -2051,8 +2215,6 @@ function setup_logging_interfaces() foreach ($ifdescrs as $ifdescr => $ifname) { /* do not work with tun interfaces */ $int = get_real_interface($ifname); - if(stristr($int, "tun") == true) - continue; $rules .= "set loginterface {$int}\n"; } return $rules; diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc index 0668027..389b71a 100644 --- a/etc/inc/globals.inc +++ b/etc/inc/globals.inc @@ -59,7 +59,7 @@ $g = array( "product_email" => "coreteam@pfsense.org", "hideplatform" => false, "debug" => false, - "latest_config" => "5.8", + "latest_config" => "5.9", "nopkg_platforms" => array("cdrom"), "minimum_ram_warning" => "115", "minimum_ram_warning_text" => "128 megabytes", diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc index e74429d..b0afac5 100644 --- a/etc/inc/pfsense-utils.inc +++ b/etc/inc/pfsense-utils.inc @@ -131,605 +131,6 @@ function get_tmp_file() { return "/tmp/tmp-" . time(); } -/****f* pfsense-utils/tdr_install_cron - * NAME - * tdr_install_cron - * INPUTS - * $should_install true if the cron entry should be installed, false - * if the entry should be removed if it is present - * RESULT - * none - ******/ -function tdr_install_cron($should_install) { - global $config, $g; - if($g['booting']==true) - return; - $is_installed = false; - if(!$config['cron']['item']) - return; - $x=0; - foreach($config['cron']['item'] as $item) { - if(strstr($item['command'], "filter_configure_sync")) { - $is_installed = true; - break; - } - $x++; - } - switch($should_install) { - case true: - if(!$is_installed) { - $cron_item = array(); - $cron_item['minute'] = "0,15,30,45"; - $cron_item['hour'] = "*"; - $cron_item['mday'] = "*"; - $cron_item['month'] = "*"; - $cron_item['wday'] = "*"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/etc/rc.filter_configure_sync"; - $config['cron']['item'][] = $cron_item; - write_config("Installed 15 minute filter reload for Time Based Rules"); - configure_cron(); - } - break; - case false: - if($is_installed == true) { - if($x > 0) { - unset($config['cron']['item'][$x]); - write_config(); - } - configure_cron(); - } - break; - } -} - -/****f* pfsense-utils/tdr_create_ipfw_rule - * NAME - * tdr_create_ipfw_rule - * INPUTS - * $rule xml firewall rule array, $type allow or deny - * RESULT - * text string with ipfw rule already formatted - ******/ -function tdr_create_ipfw_rule($rule, $type) { - global $config, $g, $tdr_get_next_ipfw_rule, $FilterIflist; - - if (isset($rule['disabled'])) - return ""; - - $int = ""; - /* Check to see if the interface is in our list */ - if (isset($rule['floating'])) { - if (isset($rule['interface']) && $rule['interface'] <> "") - $aline['interface'] = "multiple"; /* XXX */ - else - $aline['interface'] = ""; - } else if (!array_key_exists($rule['interface'], $FilterIflist)) - return "# {$rule['interface']} does not exist or is disabled for " . $rule['descr']; - else { - if ($rule['interface'] == "pptp" || $rule['interface'] == "pppoe" || $rule['interface'] == "l2tp") - $aline['interface'] = "ng*"; - else - $aline['interface'] = " " . $FilterIflist[$rule['interface']]['if'] . " "; - } - - $ifcfg = $FilterIflist[$rule['interface']]; - if ($pptpdcfg['mode'] != "server") { - if (($rule['source']['network'] == "pptp") || - ($rule['destination']['network'] == "pptp")) - return "# source network or destination network == pptp on " . $rule['descr']; - } - if ($rule['source']['network'] && strstr($rule['source']['network'], "opt")) { - if (!array_key_exists($rule['source']['network'], $FilterIflist)) { - $optmatch = ""; - if (preg_match("/opt([0-999])/", $rule['source']['network'], $optmatch)) { - $opt_ip = $FilterIflist["opt{$optmatch[1]}"]['ip']; - if(!is_ipaddr($opt_ip)) - return "# unresolvable optarray $optmatch[0] - $opt_ip"; - } else { - return "# tdr {$rule['source']['network']} !array_key_exists source network " . $rule['descr']; - } - } - } - if ($rule['destination']['network'] && strstr($rule['destination']['network'], "opt")) { - if (!array_key_exists($rule['destination']['network'], $FilterIflist)) { - if(preg_match("/opt([0-999])/", $rule['destination']['network'], $optmatch)) { - $opt_ip = $FilterIflist["opt{$optmatch[1]}"]['ip']; - if(!is_ipaddr($opt_ip)) - return "# unresolvable oparray $optmatch[0] - $opt_ip"; - } else { - return "# tdr {$item} {$rule['destination']['network']} !array_key_exists dest network " . $rule['descr']; - } - } - } - /* check for unresolvable aliases */ - if ($rule['source']['address'] && !alias_expand($rule['source']['address'])) { - file_notice("Filter_Reload", "# unresolvable source aliases {$rule['descr']}"); - return "# tdr unresolvable source aliases {$rule['descr']}"; - } - if ($rule['destination']['address'] && !alias_expand($rule['destination']['address'])) { - file_notice("Filter_Reload", "# unresolvable dest aliases {$rule['descr']}"); - return "# tdr unresolvable dest aliases {$rule['descr']}"; - } - - if (isset($rule['protocol'])) { - if($rule['protocol'] == "tcp/udp") - $aline['prot'] = "ip "; - else if($rule['protocol'] == "icmp") - $aline['prot'] = "icmp "; - else - $aline['prot'] = "{$rule['protocol']} "; - } else { - if($rule['source']['port'] <> "" || $rule['destination']['port'] <> "") - $aline['prot'] = "tcp "; - } - - /* source address */ - if (isset($rule['source']['any'])) - $src = "any"; - else if ($rule['source']['network']) { - if (strstr($rule['source']['network'], "opt")) { - $src = $FilterIflist[$rule['source']['network']]['sa'] . "/" . - $FilterIflist[$rule['source']['network']]['sn']; - if (isset($rule['source']['not'])) - $src = " not {$src}"; - /* check for opt$NUMip here */ - $matches = ""; - if (preg_match("/opt([0-9999])ip/", $rule['source']['network'], $matches)) { - $optnum = $matches[1]; - $src = $FilterIflist["opt{$optnum}"]['ip']; - } - } else { - switch ($rule['source']['network']) { - case 'wanip': - $src = $FilterIflist["wan"]['ip']; - break; - case 'lanip': - $src = $FilterIflist["lan"]['ip']; - break; - case 'lan': - $lansa = $FilterIflist['lan']['sa']; - $lansn = $FilterIflist['lan']['sn']; - $src = "{$lansa}/{$lansn}"; - break; - case 'pptp': - $pptpsa = gen_subnet($FilterIflist['pptp']['ip'], $FilterIflist['pptp']['sn']); - $pptpsn = $FilterIflist['pptp']['sn']; - $src = "{$pptpsa}/{$pptpsn}"; - break; - case 'pppoe': - $pppoesa = gen_subnet($FilterIflist['pppoe']['ip'], $FilterIflist['pppoe']['sn']); - $pppoesn = $FilterIflist['pppoe']['sn']; - $src = "{$pppoesa}/{$pppoesn}"; - break; - } - if (isset($rule['source']['not'])) - $src = " not {$src}"; - } - } else if ($rule['source']['address']) { - $expsrc = alias_expand_value($rule['source']['address']); - if(!$expsrc) - $expsrc = $rule['source']['address']; - - if (isset($rule['source']['not'])) - $not = " not"; - else - $not = ""; - - if (alias_expand_value($rule['source']['address'])) { - $src = "{"; - $first_item = true; - foreach(preg_split("/[\s]+/", alias_expand_value($rule['source']['address'])) as $item) { - if($item != "") { - if(!$first_item) - $src .= " or"; - $src .= " {$not}{$item}"; - $first_item = false; - } - } - $src .= " }"; - } else - $src = "{$not}" . $expsrc; - } - if (!$src || ($src == "/")) - return "# tdr at the break!"; - - $aline['src'] = "from $src "; - - $srcporta = ""; - if (in_array($rule['protocol'], array("tcp","udp","tcp/udp"))) { - if ($rule['source']['port']) { - $srcport = explode("-", $rule['source']['port']); - if(alias_expand($srcport[0])) { - $first_time = true; - foreach(preg_split("/[\s]+/", alias_expand_value($srcport[0])) as $item) { - if(!$first_time) - $srcporta .= ","; - $srcporta .= $item; - $first_time = false; - } - } else - $srcporta = $srcport[0]; - - if ((!$srcport[1]) || ($srcport[0] == $srcport[1])) { - if(alias_expand($srcport[0])) - $aline['srcport'] = "{$srcporta} "; - else - $aline['srcport'] = "{$srcporta} "; - } else if (($srcport[0] == 1) && ($srcport[1] == 65535)) { - /* no need for a port statement here */ - } else if ($srcport[1] == 65535) - $aline['srcport'] = ">={$srcport[0]} "; - else if ($srcport[0] == 1) - $aline['srcport']= "<={$srcport[1]} "; - else - $aline['srcport'] = "{$srcport[0]}-{$srcport[1]} "; - } - } - - /* destination address */ - if (isset($rule['destination']['any'])) - $dst = "any"; - else if ($rule['destination']['network']) { - if (strstr($rule['destination']['network'], "opt")) { - $dst = $FilterIflist[$rule['destination']['network']]['sa'] . "/" . - $FilterIflist[$rule['destination']['network']]['sn']; - if (isset($rule['destination']['not'])) - $dst = " not {$dst}"; - /* check for opt$NUMip here */ - $matches = ""; - if (preg_match("/opt([0-9999])ip/", $rule['destination']['network'], $matches)) { - $optnum = $matches[1]; - $dst = $FilterIflist["opt{$optnum}"]['ip']; - } - } else { - switch ($rule['source']['network']) { - case 'wanip': - $dst = $FilterIflist["wan"]['ip']; - break; - case 'lanip': - $dst = $FilterIflist["lan"]['ip']; - break; - case 'lan': - $lansa = $FilterIflist['lan']['sa']; - $lansn = $FilterIflist['lan']['sn']; - $dst = "{$lansa}/{$lansn}"; - break; - case 'pptp': - $pptpsa = gen_subnet($FilterIflist['pptp']['ip'], $FilterIflist['pptp']['sn']); - $pptpsn = $FilterIflist['pptp']['sn']; - $dst = "{$pptpsa}/{$pptpsn}"; - break; - case 'pppoe': - $pppoesa = gen_subnet($FilterIflist['pppoe']['ip'], $FilterIflist['pppoe']['sn']); - $pppoesn = $FilterIflist['pppoe']['sn']; - $dst = "{$pppoesa}/{$pppoesn}"; - break; - } - if (isset($rule['destination']['not'])) - $dst = " not {$dst}"; - } - } else if ($rule['destination']['address']) { - $expdst = alias_expand_value($rule['destination']['address']); - if(!$expdst) - $expdst = $rule['destination']['address']; - - if (isset($rule['destination']['not'])) - $not = " not"; - else - $not = ""; - - if (alias_expand_value($rule['destination']['address'])) { - $dst = "{"; - $first_item = true; - foreach(preg_split("/[\s]+/", alias_expand_value($rule['destination']['address'])) as $item) { - if($item != "") { - if(!$first_item) - $dst .= " or"; - $dst .= " {$not}{$item}"; - $first_item = false; - } - } - $dst .= " }"; - } else - $dst = "{$not}" . $expdst; - } - - if (!$dst || ($dst == "/")) - return "# returning at dst $dst == \"/\""; - - $aline['dst'] = "to $dst "; - $dstporta = ""; - if (in_array($rule['protocol'], array("tcp","udp","tcp/udp"))) { - if ($rule['destination']['port']) { - $dstport = explode("-", $rule['destination']['port']); - if(alias_expand($dstport[0])) { - $first_time = true; - foreach(preg_split("/[\s]+/", alias_expand_value($dstport[0])) as $item) { - if(!$first_time) - $dstporta .= ","; - $dstporta .= $item; - $first_time = false; - } - } else - $dstporta = $dstport[0]; - - if ((!$dstport[1]) || ($dstport[0] == $dstport[1])) { - if(alias_expand($dstport[0])) - $aline['dstport'] = "{$dstporta} "; - else - $aline['dstport'] = "{$dstporta} "; - } else if (($dstport[0] == 1) && ($dstport[1] == 65535)) { - /* no need for a port statement here */ - } else if ($dstport[1] == 65535) - $aline['dstport'] = ">= {$dstport[0]} "; - else if ($dstport[0] == 1) - $aline['dstport'] = "<= {$dstport[1]} "; - else - $aline['dstport'] = "{$dstport[0]}-{$dstport[1]} "; - } - } - - if($aline['prot'] == "") - $aline['prot'] = "ip "; - - tdr_get_next_ipfw_rule(); - - /* piece together the actual user rule */ - if($type == "skipto") { - $next_rule = tdr_get_next_ipfw_rule(); - $next_rule = $next_rule+1; - $type = "skipto $next_rule"; - } - - /* piece together the actual user rule */ - if ($aline['interface'] == "multiple") { - $tmpline = $type . " " . $aline['prot'] . $aline['src'] . - $aline['srcport'] . $aline['dst'] . $aline['dstport'] . " in recv "; - $interfaces = explode(",", $rule['interface']); - $ifliste = ""; - foreach ($interfaces as $iface) { - if (array_key_exists($iface, $FilterIflist)) - $line .= "{$tmpline} " . $FilterIflist[$iface]['if'] . "; ";/* XXX */ - } - } else if ($aline['interface'] == "") - $line .= $type . " " . $aline['prot'] . $aline['src'] . - $aline['srcport'] . $aline['dst'] . $aline['dstport'] . " in "; - else - $line .= $type . " " . $aline['prot'] . $aline['src'] . - $aline['srcport'] . $aline['dst'] . $aline['dstport'] . " in recv " . - $aline['interface']; - - return $line; -} - -/****f* pfsense-utils/tdr_install_rule - * NAME - * tdr_install_rule - * INPUTS - * $rule - ascii string containing the ifpw rule to add - * RESULT - * none - ******/ -function tdr_install_rule($rule) { - global $tdr_next_ipfw_rule, $g; - - log_error("installing {$rule}"); - $lines = explode(";", $rule); - if (count($lines) > 1) { - foreach ($lines as $line) { - if ($g['debug']) - log_error("Executing /sbin/ipfw -f add {$tdr_next_ipfw_rule} set 9 $line"); - mwexec("/sbin/ipfw -f add {$tdr_next_ipfw_rule} set 9 $line"); - $tdr_next_ipfw_rule++; - } - } else { - if ($g['debug']) - log_error("Executing /sbin/ipfw -f add {$tdr_next_ipfw_rule} set 9 $rules"); - mwexec("/sbin/ipfw -f add $tdr_next_ipfw_rule set 9 $rule"); - } - $tdr_next_ipfw_rule++; -} - -/****f* pfsense-utils/tdr_get_next_ipfw_rule - * NAME - * tdr_get_next_ipfw_rule - * INPUTS - * none - * RESULT - * returns the next available ipfw rule number - ******/ -function tdr_get_next_ipfw_rule() { - global $tdr_next_ipfw_rule; - if(intval($tdr_next_ipfw_rule) < 2) - $tdr_next_ipfw_rule = 2; - return $tdr_next_ipfw_rule; - } - -/****f* pfsense-utils/tdr_install_set - * NAME - * tdr_install_set - * INPUTS - * none - * RESULT - * swaps in the temporary ipfw time based rule set - ******/ -function tdr_install_set() { - global $config; - - mwexec("/sbin/ipfw delete 1"); - mwexec("/sbin/ipfw add 1 check-state"); - mwexec("/sbin/ipfw delete 65534"); - mwexec("/sbin/ipfw add 1 allow all from me to any keep-state"); - if (!isset ($config['system']['webgui']['noantilockout']) && count($config['interfaces']) > 1) { - /* lan ip lockout */ - $lanip = get_interface_ip("lan"); - $lansn = get_interface_subnet("lan"); - $lansa = gen_subnet($lanip, $lansn); - mwexec("/sbin/ipfw add 1 allow all from {$lansa}/{$lansn} to $lanip keep-state"); - } - mwexec("/sbin/ipfw add 65534 check-state"); - /* set 8 contains time based rules */ - mwexec("/sbin/ipfw -f delete set 8"); - mwexec("/sbin/ipfw -f set swap 9 8"); -} - -/****f* pfsense-utils/get_time_based_rule_status - * NAME - * get_time_based_rule_status - * INPUTS - * xml schedule block - * RESULT - * true/false - true if the rule should be installed - ******/ -/* - - - ScheduleMultipleTime - main descr - - - - -*/ -function get_time_based_rule_status($schedule) { - $should_add_rule = false; - /* no schedule? rule should be installed */ - if($schedule == "") - return true; - /* - * iterate through time blocks and deterimine - * if the rule should be installed or not. - */ - foreach($schedule['timerange'] as $timeday) { - if($timeday['month']) - $month = $timeday['month']; - else - $week = ""; - if($timeday['day']) - $day = $timeday['day']; - else - $day = ""; - if($timeday['hour']) - $hour = $timeday['hour']; - else - $hour = ""; - if($timeday['position']) - $position = $timeday['position']; - else - $position = ""; - if($timeday['desc']) - $desc = $timeday['desc']; - else - $desc = ""; - if($month) { - $monthstatus = tdr_month($month); - } else { - $monthstatus = true; - } - if($day) { - $daystatus = tdr_day($day); - } else { - $daystatus = true; - } - if($hour) { - $hourstatus = tdr_hour($hour); - } else { - $hourstatus = true; - } - if($position) { - $positionstatus = tdr_position($position); - } else { - $positionstatus = true; - } - - if($monthstatus == true) - if($daystatus == true) - if($positionstatus == true) - if($hourstatus == true) { - $should_add_rule = true; - } - } - - return $should_add_rule; -} - -function tdr_day($schedule) { - /* - * Calculate day of month. - * IE: 29th of may - */ - $weekday = date("w"); - if ($weekday == 0) - $weekday = 7; - $date = date("d"); - $defined_days = split(",", $schedule); - log_error("[TDR DEBUG] tdr_day($schedule)"); - foreach($defined_days as $dd) { - if($date == $dd) { - return true; - } - } - return false; -} - -function tdr_hour($schedule) { - /* $schedule should be a string such as 16:00-19:00 */ - $tmp = split("-", $schedule); - $starting_time = strtotime($tmp[0]); - $ending_time = strtotime($tmp[1]); - $now = strtotime("now"); - log_error("[TDR DEBUG] S: $starting_time E: $ending_time N: $now"); - if($now >= $starting_time and $now <= $ending_time) { - return true; - } - return false; -} - -function tdr_position($schedule) { - /* - * Calculate possition, ie: day of week. - * Sunday = 7, Monday = 1, Tuesday = 2 - * Weds = 3, Thursday = 4, Friday = 5, - * Saturday = 6 - * ... - */ - $weekday = date("w"); - log_error("[TDR DEBUG] tdr_position($schedule) $weekday"); - if ($weekday == 0) - $weekday = 7; - $schedule_days = split(",", $schedule); - foreach($schedule_days as $day) { - if($day == $weekday) { - return true; - } - } - return false; -} - -function tdr_month($schedule) { - /* - * Calculate month - */ - $todays_month = date("n"); - $months = split(",", $schedule); - log_error("[TDR DEBUG] tdr_month($schedule)"); - foreach($months as $month) { - if($month == $todays_month) { - return true; - } - } - return false; -} - /****f* pfsense-utils/find_number_of_needed_carp_interfaces * NAME * find_number_of_needed_carp_interfaces diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc index ae9075b..2918b69 100644 --- a/etc/inc/upgrade_config.inc +++ b/etc/inc/upgrade_config.inc @@ -1733,4 +1733,13 @@ function upgrade_057_to_058() { foreach($config['ipsec']['phase2'] as & $ph2ent) $ph2ent['mode'] = 'tunnel'; } + +function upgrade_058_to_059() { + global $config; + + if (is_array($config['schedules']['schedule'])) { + foreach ($config['schedules']['schedule'] as & $schedl) + $schedl['schedlabel'] = uniqid(); + } +} ?> -- cgit v1.1