From 6bb91286ec348d5e716ce2beedacbda982437f2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ermal=20Lu=E7i?=
Date: Mon, 6 Jul 2009 17:50:15 +0000
Subject: Present hook points for packages to present their rules. This allows to remove the filter.inc dependecy from pkg-utils.inc and simplifies lot of package writing as concerened to the firewall. The rules hardcoded in filter.inc for some packages will be removed at a second pass.
---
 etc/inc/filter.inc | 33 ++++++++++++++++++++++++------
 etc/inc/pkg-utils.inc | 56 +++++++++++++++++++++++----------------------------
 2 files changed, 52 insertions(+), 37 deletions(-)
(limited to 'etc')
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 8ef1e1f..1a6e2d0 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -587,6 +587,9 @@ function filter_nat_rules_generate()
 {
 global $config, $g, $after_filter_configure_run, $FilterIflist;
 $natrules .= "nat-anchor \"natearly/*\"\n";
+ if (file_exists("{$g['tmp_path']}/rules.natearly.packages"))
+ $natrules .= file_get_contents("{$g['tmp_path']}/rules.natearly.packages");
+
 $natrules .= "nat-anchor \"natrules/*\"\n\n";
 update_filter_reload_status("Creating 1:1 rules...");
@@ -751,6 +754,9 @@ function filter_nat_rules_generate()
 $natrules .= "\n# Load balancing anchor\n";
 $natrules .= "rdr-anchor \"relayd/*\"\n";
+ if (file_exists("{$g['tmp_path']}/rules.rdrearly.packages"))
+ $natrules .= file_get_contents("{$g['tmp_path']}/rules.rdrearly.packages");
+
 update_filter_reload_status("Setting up TFTP helper");
 $natrules .= "# TFTP proxy\n";
 $natrules .= "rdr-anchor \"tftp-proxy/*\"\n";
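Review bot: The package rule file is spliced into `$natrules` byte-for-byte, so a `rules.natearly.packages` whose last line lacks a trailing newline glues that rule onto the `nat-anchor "natrules/*"` line appended right after it, which would most likely make pfctl reject the whole ruleset rather than just the package's lines. Normalising the read, e.g. `$natrules .= rtrim(file_get_contents("{$g['tmp_path']}/rules.natearly.packages")) . "\n";`, keeps the hook self-contained; the same applies to the rdrearly hunk at 751, the nat/rdr hunk at 1033 and the rulesearly hunk at 1600. Nothing at the inclusion point checks who wrote the file or whether it parses, so if `$g['tmp_path']` is a directory other local users can write to, anything dropped there under these names becomes part of the active ruleset on the next reload; a root-only directory, or an owner/permission check before `file_get_contents`, would close that. filter_nat_rules_generate continues outside the hunk.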
@@ -1033,6 +1039,12 @@ rdr on \${$FilterIflist['wan']['descr']} proto tcp from any to any port 1723 ->
 EOD;
 }
 }
+
+ if (file_exists("{$g['tmp_path']}/rules.nat.packages"))
+ $natrules .= file_get_contents("{$g['tmp_path']}/rules.nat.packages");
+ if (file_exists("{$g['tmp_path']}/rules.rdr.packages"))
+ $natrules .= file_get_contents("{$g['tmp_path']}/rules.rdr.packages");
+
 if (is_package_installed('squid') && file_exists('/usr/local/pkg/squid.inc')) {
 require_once('squid.inc');
 $natrules .= squid_generate_rules('nat');
@@ -1600,6 +1612,13 @@ block quick from any to label "Block snort2c hosts"
 # package manager early specific hook
 anchor "packageearly"
+EOD;
+
+ if (file_exists("{$g['tmp_path']}/rules.rulesearly.packages"))
+ $ipfrules .= file_get_contents("{$g['tmp_path']}/rules.rulesearly.packages");
+
+ $ipfrules .= << 0) {
- log_error("There was an error while parsing the NAT early package rules.");
- $error = "\nThere was an error while parsing the NAT early package rules.";
- } else {
- mwexec("/sbin/pfctl -a pkgnatearly -F rules");
- mwexec("/sbin/pfctl -a pkgnatearly -f {$g['tmp_path']}/rules.natearly.packages");
+ $errornatearly = "There was an error while parsing the NAT early package rules.\n";
+ $error .= $errornatearly;
+ log_error($errornatearly);
+ file_put_contents("{$g['tmp_path']}/rules.natearly.packages", "#{$errornatearly}\n");
 }
 $status = mwexec("/sbin/pfctl -nf {$g['tmp_path']}/rules.nat.packages");
 if ($status <> 0) {
- log_error("There was an error while parsing the NAT package rules.");
- $error = "\nThere was an error while parsing the NAT package rules.";
- } else {
- mwexec("/sbin/pfctl -a pkgnat -F rules");
- mwexec("/sbin/pfctl -a pkgnat -f {$g['tmp_path']}/rules.nat.packages");
+ $errornat = "There was an error while parsing the NAT package rules.\n";
+ $error .= $errornat;
+ log_error($errornat);
+ file_put_contents("{$g['tmp_path']}/rules.nat.packages", "#{$errornat}\n");
 }
 $status = mwexec("/sbin/pfctl -nf {$g['tmp_path']}/rules.rulesearly.packages");
 if ($status <> 0) {
- log_error("There was an error while parsing the package filter early rules.");
- $error = "\nThere was an error while parsing the package filter early rules.";
- } else {
- mwexec("/sbin/pfctl -a packageearly -F rules");
- mwexec("/sbin/pfctl -a packageearly -f {$g['tmp_path']}/rulesearly.packages");
+ $errorrulesearly = "There was an error while parsing the package filter early rules.\n";
+ $error .= $errorrulesearly;
+ log_error($errorrulesearly);
+
file_put_contents("{$g['tmp_path']}/rules.rulesearly.packages", "#{$errorrulesearly}\n");
 }
 $status = mwexec("/sbin/pfctl -nf {$g['tmp_path']}/rules.packages");
 if ($status <> 0) {
- log_error("There was an error while parsing the package filter rules.");
- $error = "\nThere was an error while parsing the package filter rules.";
- } else {
- mwexec("/sbin/pfctl -a packagelate -F rules");
- mwexec("/sbin/pfctl -a packagelate -f {$g['tmp_path']}/rules.packages");
+ $errorrules = "There was an error while parsing the package filter rules.\n";
+ $error .= $errorrules;
+ log_error($errorrules);
+ file_put_contents("{$g['tmp_path']}/rules.packages", "#{$errorrules}\n");
 }
 $status = mwexec("/sbin/pfctl -nf {$g['tmp_path']}/rules.rdrearly.packages");
 if ($status <> 0) {
- log_error("There was an error while parsing the RDR early package rules.");
- $error = "\nThere was an error while parsing the RDR early package rules.";
- } else {
- mwexec("/sbin/pfctl -a pkgrdrearly -F rules");
- mwexec("/sbin/pfctl -a pkgrdrearly -f {$g['tmp_path']}/rules.rdrearly.packages");
+ $errorrdrearly = "There was an error while parsing the RDR early package rules.\n";
+ $error .= $errorrdrearly;
+ log_error($errorrdrearly);
+ file_put_contents("{$g['tmp_path']}/rules.rdrearly.packages", "#{$errorrdrearly}\n");
 }
 $status = mwexec("/sbin/pfctl -nf {$g['tmp_path']}/rules.rdr.packages");
 if ($status <> 0) {
- log_error("There was an error while parsing the RDR package rules.");
- $error = "\nThere was an error while parsing the RDR package rules.";
- } else {
- mwexec("/sbin/pfctl -a pkgrdr -F rules");
- mwexec("/sbin/pfctl -a pkgrdr -f {$g['tmp_path']}/rules.rdr.packages");
+ $errorrdr = "There was an error while parsing the RDR package rules.\n";
+ $error .= $errorrdr;
+ log_error($errorrdr);
+ file_put_contents("{$g['tmp_path']}/rules.rdr.packages", "#{$errorrdr}\n");
 }
 if ($error <> "") file_notice($error);
 }
-?>
\ No newline at end of file
+?>
-- cgit v1.1
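Review bot: Dropping the per-anchor loads (`pfctl -a pkgnatearly -f …` and the five siblings) removes the isolation they gave: a rule file that fails `pfctl -nf` is now only rewritten as a comment here, while filter.inc splices these same files straight into the main ruleset, so a file that changes after this check, or that was never checked because this code did not run, would take the whole filter reload down instead of one anchor. That check-then-include split is also a time-of-check/time-of-use gap; running the `pfctl -nf` validation next to the inclusion in filter.inc, or having filter.inc skip a file whose validation fails, would close it. A missing file fails `pfctl -nf` as before, but the new branch now also creates it containing only the comment, so every set no package ever wrote gets a stub file plus a notice on each run — a `file_exists` guard before the check would avoid that. `$error .= …` presumes `$error` was initialised earlier in the function, whose start, like this hunk's header, is outside the visible text.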