(plugins / firewall) first steps in moving static firewall rules to plugin registrations.

Te idea is simple, start parsing rules in a uniform way, so we're eventually able to display and alter all auto generated rules. Because of the large set of legacy code rules, we're going to migrate step by step, leaving the current setup intact.

(plugins / firewall) first steps in moving static firewall rules to plugin registrations.
Te idea is simple, start parsing rules in a uniform way, so we're eventually able to display and alter all auto generated rules. Because of the large set of legacy code rules, we're going to migrate step by step, leaving the current setup intact.
3085e4d1 · Ad Schellevis · 0755bdac · 3085e4d1 · 3085e4d1 · 3085e4d1
Commit 3085e4d1 authored Oct 28, 2016 by Ad Schellevis
4 changed files
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -374,6 +374,7 @@ function filter_configure_sync()
    // initialize fw plugin object
    $fw = new \OPNsense\Firewall\Plugin();
+    $fw->setInterfaceMapping($FilterIflist);
    if (function_exists('plugins_firewall')) {
        plugins_firewall($fw);
@@ -478,6 +479,7 @@ function filter_configure_sync()
    $rules .= $fw->anchorToText('nat,binat,rdr', 'tail');
    $rules .= $fw->anchorToText('fw', 'head');
    $rules .= "anchor \"relayd/*\"\n"; // relayd
+    $rules .= $fw->outputFilterRules();
    $rules .= "{$pfrules}\n";
    $rules .= $fw->anchorToText('fw', 'tail');
@@ -2494,19 +2496,9 @@ function filter_rules_generate(&$FilterIflist)
    # BEGIN OF firewall rules
    /* default block logging? */
-    $log = array("block"=>null,"pass"=>null);
+    $log = array();
-    if (!isset($config['syslog']['nologdefaultblock'])) {
+    $log['block'] = !isset($config['syslog']['nologdefaultblock']) ? "log" : "";
-        $log['block'] = "log";
+    $log['pass'] = !isset($config['syslog']['nologdefaultpass']) ? "log" : "";
-    }
-    if (!isset($config['syslog']['nologdefaultpass'])) {
-        $log['pass'] = "log";
-    }
-    if (!isset($config['system']['ipv6allow'])) {
-        $ipfrules .= "\n# Block all IPv6 except loopback traffic\n";
-        $ipfrules .= "pass {$log['pass']} quick on \$loopback inet6\n";
-        $ipfrules .= "block {$log['block']} quick inet6 all label \"Block all IPv6\"\n";
-    }
    $ipfrules .= <<<EOD

--- a/src/etc/inc/plugins.inc.d/core_fw.inc
+++ b/src/etc/inc/plugins.inc.d/core_fw.inc
+<?php
+function core_fw_firewall($fw)
+{
+    global $config;
+    $log_block = !isset($config['syslog']['nologdefaultblock']);
+    $log_pass = !isset($config['syslog']['nologdefaultpass']);
+    if (!isset($config['system']['ipv6allow'])) {
+        // block All IPv6 except loopback traffic
+        $fw->registerFilterRule(0,
+          array('type'=>'pass','log'=>$log_pass, 'interface' => 'loopback', 'ipprotocol'=>'inet6')
+        );
+        $fw->registerFilterRule(0,
+          array('type'=>'block','log'=>$log_block, 'ipprotocol'=>'inet6', 'label' => 'Block all IPv6')
+        );
+    }
+}
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
@@ -41,8 +41,12 @@ class FilterRule
    private $procorder = array(
        'disabled' => 'parseIsComment',
        'type' => 'parseType',
+        'log' => 'parseBool,log',
+        'quick' => 'parseBool,quick',
+        'interface' => 'parseInterface',
        'ipprotocol' => 'parsePlain',
-        'interface' => 'parseInterface'
+        'protocol' => 'parseReplaceSimple,tcp/udp:{tcp udp}',
+        'label' => 'parsePlain,label ","'
    );
    /**
@@ -60,9 +64,26 @@ class FilterRule
     * @param string $value field value
     * @return string
     */
-    private function parsePlain($value)
+    private function parsePlain($value, $prefix="", $suffix="")
    {
-        return empty($value) ? "" : $value . " ";
+        return empty($value) ? "" : $prefix . $value . $suffix . " ";
+    }
+    /**
+     * parse data, use replace map
+     * @param string $value field value
+     * @param string $map
+     * @return string
+     */
+    private function parseReplaceSimple($value, $map)
+    {
+        foreach (explode('|', $map) as $item) {
+            $tmp = explode(':', $item);
+            if ($tmp[0] == $value) {
+                return $tmp[1] . " ";
+            }
+        }
+        return $value . " ";
    }
    /**
@@ -89,10 +110,26 @@ class FilterRule
     */
    private function parseInterface($value)
    {
-        if (empty($this->interfaceMapping[$value]['if'])) {
+        if (empty($value)) {
-            return "##{$value}##";
+            return "";
+        } elseif (empty($this->interfaceMapping[$value]['if'])) {
+            return "on ##{$value}## ";
+        } else {
+            return "on ". $this->interfaceMapping[$value]['if']." ";
+        }
+    }
+    /**
+     * parse boolean, return text from $valueTrue / $valueFalse
+     * @param string $value field value
+     * @return string
+     */
+    private function parseBool($value, $valueTrue, $valueFalse="")
+    {
+        if (!empty($value)) {
+            return !empty($valueTrue) ? $valueTrue . " " : "";
        } else {
-            return $this->interfaceMapping[$value]['if']." ";
+            return !empty($valueFalse) ? $valueFalse . " " : "";
        }
    }
@@ -117,10 +154,14 @@ class FilterRule
                $tmp = $this->rule;
                $tmp['interface'] = $interface;
                $tmp['ipprotocol'] = $ipproto;
-                if (empty($this->interfaceMapping[$interface]['if'])) {
+                // disable rule when interface not found
-                    // disable rule when interface not found
+                if (!empty($interface) && empty($this->interfaceMapping[$interface]['if'])) {
                    $tmp['disabled'] = true;
                }
+                if (!isset($tmp['quick'])) {
+                    // all rules are quick by default except floating
+                    $tmp['quick'] = !isset($rule['floating']) ? true : false ;
+                }
                $result[] = $tmp;
            }
        }
@@ -147,7 +188,14 @@ class FilterRule
        $ruleTxt = '';
        foreach ($this->fetchActualRules() as $rule) {
            foreach ($this->procorder as $tag => $handle) {
-                $ruleTxt .= $this->$handle(isset($rule[$tag]) ? $rule[$tag] : null);
+                $tmp = explode(',', $handle);
+                $method = $tmp[0];
+                $args = array(isset($rule[$tag]) ? $rule[$tag] : null);
+                if (count($tmp) > 1) {
+                    array_shift($tmp);
+                    $args = array_merge($args, $tmp);
+                }
+                $ruleTxt .= call_user_func_array(array($this,$method), $args);
            }
            $ruleTxt .= "\n";
        }

--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php
@@ -38,13 +38,16 @@ class Plugin
    private $anchors = array();
    private $filterRules = array();
    private $interfaceMapping ;
+    private $interfaceStaticMapping;
    /**
     * init firewall plugin component
     */
    public function __construct()
    {
+        // set static mappings
        $this->interfaceMapping = array();
+        $this->interfaceMapping['loopback'] = array('if' => 'lo0');
    }
    /**
@@ -53,7 +56,7 @@ class Plugin
     */
    public function setInterfaceMapping(&$mapping)
    {
-        $this->interfaceMapping = $mapping;
+        $this->interfaceMapping = array_merge($this->interfaceMapping, $mapping);
    }
    /**