Commit 59a6705a authored by Ad Schellevis's avatar Ad Schellevis Committed by Franco Fichtner

firewall, cleanup old code

parent ddc623cc
......@@ -2009,32 +2009,6 @@ function filter_nat_rules_generate(&$FilterIflist)
return $natrules;
}
function filter_generate_user_rule_arr(&$FilterIflist, $rule)
{
global $config;
update_filter_reload_status(sprintf(gettext("Creating filter rule %s ..."), $rule['descr']));
$ret = array();
$sched = '';
$descr = '';
if (!empty($rule['sched'])) {
$sched = "({$rule['sched']})";
}
if (!empty($rule['descr'])) {
$descr = ": {$rule['descr']}";
}
$line = filter_generate_user_rule($FilterIflist, $rule);
$ret['rule'] = $line;
$ret['interface'] = $rule['interface'];
$ret['descr'] = 'label "' . fix_rule_label("USER_RULE{$sched}{$descr}") . '"';
return $ret;
}
function filter_generate_port(& $rule, $target = "source", $isnat = false) {
$src = "";
......@@ -2096,346 +2070,6 @@ function filter_generate_address(&$FilterIflist, &$rule, $target = 'source', $is
return $src;
}
function filter_generate_user_rule(&$FilterIflist, $rule)
{
global $config, $GatewaysList;
/* don't include disabled rules */
if (isset($rule['disabled'])) {
return "# rule " . $rule['descr'] . " disabled \n";
}
update_filter_reload_status("Creating filter rules {$rule['descr']} ...");
$int = "";
$aline = array();
// initialize array with empty tags
foreach (array('icmp-type','icmp6-type','tag','tagged','route','os','reply','prot','log', 'set-prio', 'set-prio-low', 'prio') as $tag) {
$aline[$tag] = "";
}
/* Check to see if the interface is in our list */
if (isset($rule['floating'])) {
$aline['interface'] = "";
if (isset($rule['interface']) && $rule['interface'] <> "") {
$ifliste = "";
foreach (explode(",", $rule['interface']) as $iface) {
if (array_key_exists($iface, $FilterIflist)) {
$ifliste .= " " . $FilterIflist[$iface]['if'] . " ";
}
}
if ($ifliste <> "") {
$aline['interface'] = " on { {$ifliste} } ";
}
}
} elseif (!array_key_exists($rule['interface'], $FilterIflist)) {
foreach($FilterIflist as $oc) {
$items .= $oc['descr'] . " ";
}
return "# array key \"{$rule['interface']}\" does not exist for \"" . $rule['descr'] . "\" in array: {{$items}}";
} else {
$aline['interface'] = " on \$" . $FilterIflist[$rule['interface']]['descr'] . " ";
}
$ifcfg = $FilterIflist[$rule['interface']];
switch(isset($rule['ipprotocol']) ? $rule['ipprotocol'] : null) {
case "inet":
$aline['ipprotocol'] = "inet";
break;
case "inet6":
$aline['ipprotocol'] = "inet6";
break;
default:
$aline['ipprotocol'] = "";
break;
}
/* check for unresolvable aliases */
if (isset($rule['source']['address']) && !alias_expand($rule['source']['address'])) {
$error_text = "Unresolvable source alias '{$rule['source']['address']}' for rule '{$rule['descr']}'";
file_notice("Filter_Reload", $error_text);
return "# {$error_text}";
}
if (isset($rule['destination']['address']) && !alias_expand($rule['destination']['address'])) {
$error_text = "Unresolvable destination alias '{$rule['destination']['address']}' for rule '{$rule['descr']}'";
file_notice("Filter_Reload", $error_text);
return "# {$error_text}";
}
update_filter_reload_status("Setting up pass/block rules");
if (isset($rule['type'])) {
$type = $rule['type'];
} else {
$type = null;
}
if ($type != "pass" && $type != "block" && $type != "reject") {
/* default (for older rules) is pass */
$type = "pass";
}
if ($type == "reject") {
$aline['type'] = "block return ";
} else {
$aline['type'] = $type . " ";
}
if (isset($rule['floating']) && $rule['floating'] == 'yes') {
if ($rule['direction'] != 'any') {
$aline['direction'] = " {$rule['direction']} ";
} elseif ($$rule['direction'] == 'any') {
$aline['direction'] = '';
}
} else {
/* ensure the direction is 'in' */
$aline['direction'] = ' in ';
}
if (isset($rule['log'])) {
$aline['log'] = "log ";
}
if (!isset($rule['floating']) || isset($rule['quick'])) {
$aline['quick'] = " quick ";
}
/* set the gateway interface */
update_filter_reload_status(sprintf(gettext("Setting up pass/block rules %s"), $rule['descr']));
/* do not process reply-to for gateway'd rules */
if ( empty($rule['gateway']) && !empty($aline['direction']) && (interface_has_gateway($rule['interface']) || interface_has_gatewayv6($rule['interface'])) && !isset($config['system']['disablereplyto']) && !isset($rule['disablereplyto'])) {
if (isset($rule['ipprotocol']) && $rule['ipprotocol'] == "inet6") {
$rg = get_interface_gateway_v6($rule['interface']);
if (is_ipaddrv6($rg)) {
$aline['reply'] = "reply-to ( {$ifcfg['ifv6']} {$rg} ) ";
} elseif ($rule['interface'] <> "pptp") {
log_error("Could not find IPv6 gateway for interface({$rule['interface']}).");
}
} else {
$rg = get_interface_gateway($rule['interface']);
if (is_ipaddrv4($rg)) {
$aline['reply'] = "reply-to ( {$ifcfg['if']} {$rg} ) ";
} elseif ($rule['interface'] <> "pptp") {
log_error(sprintf('Could not find IPv4 gateway for interface (%s).', $rule['interface']));
}
}
} elseif (!empty($rule['gateway']) && $type == "pass") {
/* if user has selected a custom gateway, lets work with it */
if (isset($GatewaysList[$rule['gateway']])) {
/* Add the load balanced gateways */
$aline['route'] = " \$GW{$rule['gateway']} ";
} elseif (isset($config['system']['skip_rules_gw_down'])) {
return "# rule " . $rule['descr'] . " disabled because gateway " . $rule['gateway'] . " is down ";
} else {
log_error("The gateway: {$rule['gateway']} is invalid or unknown, not using it.");
}
}
if (isset($rule['protocol']) && !empty($rule['protocol'])) {
if ($rule['protocol'] == "tcp/udp") {
$aline['prot'] = " proto { tcp udp } ";
} elseif (($rule['protocol'] == "icmp") && ($rule['ipprotocol'] == "inet6")) {
$aline['prot'] = " proto ipv6-icmp ";
} elseif ($rule['protocol'] == "icmp") {
$aline['prot'] = " proto icmp ";
} else {
$aline['prot'] = " proto {$rule['protocol']} ";
}
} else {
if (!empty($rule['source']['port']) || !empty($rule['destination']['port'])) {
$aline['prot'] = " proto tcp ";
}
}
update_filter_reload_status(sprintf(gettext("Creating rule %s"), $rule['descr']));
/* source address */
$src = trim(filter_generate_address($FilterIflist, $rule, "source"));
if (empty($src) || ($src == "/")) {
return "# source not found : " . implode(" ", $aline);
}
$aline['src'] = " from $src ";
/* OS signatures */
if ( isset($rule['protocol']) && $rule['protocol'] == "tcp" && !empty($rule['os'])) {
$aline['os'] = " os \"{$rule['os']}\" ";
}
/* destination address */
$dst = trim(filter_generate_address($FilterIflist, $rule, "destination"));
if (empty($dst) || ($dst == "/")) {
return "# destination not found : " . implode(" ", $aline);
}
$aline['dst'] = "to $dst ";
if (isset($rule['protocol']) && $rule['protocol'] == "icmp" && $rule['icmptype'] && $rule['ipprotocol'] == "inet") {
$aline['icmp-type'] = "icmp-type {$rule['icmptype']} ";
}
if (isset($rule['protocol']) && $rule['protocol'] == "icmp" && $rule['icmptype'] && $rule['ipprotocol'] == "inet6") {
$aline['icmp6-type'] = "icmp6-type {$rule['icmptype']} ";
}
if (isset($rule['set-prio']) && $rule['set-prio'] !== '') {
$prio = $rule['set-prio'];
if (isset($rule['set-prio-low']) && $rule['set-prio-low'] !== '') {
$prio = '('.$rule['set-prio'].','.$rule['set-prio-low'].')';
}
$aline['set-prio'] = ' set prio '.$prio.' ';
}
if (isset($rule['prio']) && $rule['prio'] !== '') {
$aline['prio'] = ' prio '.$rule['prio'].' ';
}
if (!empty($rule['tag'])) {
$aline['tag'] = " tag " .$rule['tag']. " ";
}
if (!empty($rule['tagged'])) {
$aline['tagged'] = " tagged " .$rule['tagged'] . " ";
}
$aline['allowopts'] = "";
if ($type == "pass") {
if (isset($rule['allowopts'])) {
$aline['allowopts'] = " allow-opts ";
}
}
$aline['flags'] = "";
if (isset($rule['protocol']) && $rule['protocol'] == "tcp") {
if (isset($rule['tcpflags_any'])) {
$aline['flags'] = "flags any ";
} elseif (!empty($rule['tcpflags2'])) {
$aline['flags'] = "flags ";
if (!empty($rule['tcpflags1'])) {
$flags1 = explode(",", $rule['tcpflags1']);
foreach ($flags1 as $flag1) {
// CWR flag needs special treatment
if ($flag1[0] == "c") {
$aline['flags'] .= "W";
} else {
$aline['flags'] .= strtoupper($flag1[0]);
}
}
}
$aline['flags'] .= "/";
if (!empty($rule['tcpflags2'])) {
$flags2 = explode(",", $rule['tcpflags2']);
foreach ($flags2 as $flag2) {
// CWR flag needs special treatment
if ($flag2[0] == "c") {
$aline['flags'] .= "W";
} else {
$aline['flags'] .= strtoupper($flag2[0]);
}
}
}
$aline['flags'] .= " ";
} else {
$aline['flags'] = "flags S/SA ";
}
}
if ($type == "pass") {
/*
* # keep state
* works with TCP, UDP, and ICMP.
* # modulate state
* works only with TCP. OPNsense will generate strong Initial Sequence Numbers (ISNs)
* for packets matching this rule.
* # synproxy state
* proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods.
* This option includes the functionality of keep state and modulate state combined.
* # none
* do not use state mechanisms to keep track. this is only useful if your doing advanced
* queueing in certain situations. please check the faq.
*/
$noadvoptions = false;
if (isset($rule['statetype']) && $rule['statetype'] <> "") {
switch($rule['statetype']) {
case "none":
$noadvoptions = true;
$aline['flags'] .= " no state ";
break;
case "modulate state":
case "synproxy state":
if ($rule['protocol'] == "tcp") {
$aline['flags'] .= "{$rule['statetype']} ";
}
break;
case "sloppy state":
$aline['flags'] .= "keep state ";
$rule['sloppy'] = true;
break;
default:
$aline['flags'] .= "{$rule['statetype']} ";
break;
}
} else {
$aline['flags'] .= "keep state ";
}
if ($noadvoptions == false && isset($rule['nopfsync'])) {
$rule['nopfsync'] = true;
}
if ($noadvoptions == false) {
$advanced_options = array();
if (isset($rule['sloppy'])) {
$advanced_options[] = "sloppy ";
}
if (isset($rule['nopfsync'])) {
$advanced_options[] = "no-sync ";
}
if (isset($rule['max']) && $rule['max'] <> "") {
$advanced_options[] = "max " . $rule['max'] . " ";
}
if (isset($rule['max-src-nodes']) && $rule['max-src-nodes'] <> "") {
$advanced_options[] = "max-src-nodes " . $rule['max-src-nodes'] . " ";
}
if ((in_array($rule['protocol'], array("tcp","tcp/udp"))) && !empty($rule['max-src-conn'])) {
$advanced_options[] = "max-src-conn " . $rule['max-src-conn'] . " ";
}
if (isset($rule['max-src-states']) && $rule['max-src-states'] <> "") {
$advanced_options[] = "max-src-states " . $rule['max-src-states'] . " ";
}
if ((in_array($rule['protocol'], array("tcp","tcp/udp"))) && !empty($rule['statetimeout'])) {
$advanced_options[] = "tcp.established " . $rule['statetimeout'] . " ";
}
if ((in_array($rule['protocol'], array("tcp","tcp/udp"))) && !empty($rule['max-src-conn-rate']) && !empty($rule['max-src-conn-rates'])) {
$advanced_options[] = "max-src-conn-rate " . $rule['max-src-conn-rate'] . " " .
"/" . $rule['max-src-conn-rates'] . ", overload <virusprot> flush global ";
}
if (count($advanced_options) > 0) {
$aline['flags'] .= "( " . implode(" ", $advanced_options) . " ) ";
}
}
}
/* is a time based rule schedule attached? */
if (!empty($rule['sched']) && !empty($config['schedules'])) {
foreach ($config['schedules']['schedule'] as $sched) {
if ($sched['name'] == $rule['sched']) {
if (!filter_get_time_based_rule_status($sched)) {
if (!isset($config['system']['schedule_states'])) {
$descr = '';
if (!empty($rule['descr'])) {
$descr = ": {$rule['descr']}";
}
mwexecf(
'/sbin/pfctl -k label -k %s',
fix_rule_label("USER_RULE({$rule['sched']}){$descr}")
);
}
/* looks weird but is fine: printed in rules for traceability */
return "# schedule finished for";
}
break;
}
}
}
$line = "";
/* piece together the actual user rule */
$line .= $aline['type'] . $aline['direction'] . $aline['log'] . $aline['quick'] . $aline['interface'] .
$aline['reply'] . $aline['route'] . $aline['ipprotocol'] . $aline['prot'] . $aline['src'] . $aline['os'] . $aline['dst'] .
$aline['icmp-type'] . $aline['icmp6-type'] . $aline['tag'] . $aline['tagged'] .
$aline['set-prio'] . $aline['prio'] . $aline['allowopts'] . $aline['flags'];
unset($aline);
return $line;
}
function filter_rules_legacy(&$FilterIflist)
{
global $config;
......@@ -2460,99 +2094,6 @@ function filter_rules_legacy(&$FilterIflist)
return $ipfrules;
}
function filter_rules_generate(&$FilterIflist)
{
global $config, $GatewaysList;
$fix_rule_label = 'fix_rule_label';
update_filter_reload_status(gettext("Creating default rules"));
$ipfrules = "";
# BEGIN OF firewall rules
if (isset($config['filter']['rule'])) {
/* Pre-cache all our rules so we only have to generate them once */
$rule_arr1 = array();
$rule_arr2 = array();
$rule_arr3 = array();
$vpn_and_ppp_ifs = array("l2tp", "pptp", "pppoe", "enc0", "openvpn");
/*
* NB: The order must be: Floating rules, then interface group and then regular ones.
*/
foreach ($config['filter']['rule'] as $rule) {
update_filter_reload_status("Pre-caching {$rule['descr']}...");
if (isset ($rule['disabled'])) {
continue;
}
if (!empty($rule['ipprotocol']) && $rule['ipprotocol'] == "inet46") {
if (isset($rule['floating'])) {
$rule['ipprotocol'] = "inet";
$rule_arr1[] = filter_generate_user_rule_arr($FilterIflist, $rule);
$rule['ipprotocol'] = "inet6";
$rule_arr1[] = filter_generate_user_rule_arr($FilterIflist, $rule);
} elseif (is_interface_group($rule['interface']) || in_array($rule['interface'], $vpn_and_ppp_ifs)) {
$rule['ipprotocol'] = "inet";
$rule_arr2[] = filter_generate_user_rule_arr($FilterIflist, $rule);
$rule['ipprotocol'] = "inet6";
$rule_arr2[] = filter_generate_user_rule_arr($FilterIflist, $rule);
} else {
$rule['ipprotocol'] = "inet";
$rule_arr3[] = filter_generate_user_rule_arr($FilterIflist, $rule);
$rule['ipprotocol'] = "inet6";
$rule_arr3[] = filter_generate_user_rule_arr($FilterIflist, $rule);
}
$rule['ipprotocol'] = "inet46";
} else {
if (isset($rule['floating'])) {
$rule_arr1[] = filter_generate_user_rule_arr($FilterIflist, $rule);
} elseif (is_interface_group($rule['interface']) || in_array($rule['interface'], $vpn_and_ppp_ifs)) {
$rule_arr2[] = filter_generate_user_rule_arr($FilterIflist, $rule);
} else {
$rule_arr3[] = filter_generate_user_rule_arr($FilterIflist, $rule);
}
}
}
$ipfrules .= "\n# User-defined rules follow\n";
/* Generate user rule lines */
foreach($rule_arr1 as $rule) {
if (isset($rule['disabled'])) {
continue;
}
if (!$rule['rule']) {
continue;
}
$ipfrules .= "{$rule['rule']} {$rule['descr']}\n";
}
foreach($rule_arr2 as $rule) {
if (isset($rule['disabled'])) {
continue;
}
if (!$rule['rule']) {
continue;
}
$ipfrules .= "{$rule['rule']} {$rule['descr']}\n";
}
foreach($rule_arr3 as $rule) {
if (isset($rule['disabled'])) {
continue;
}
if (!$rule['rule']) {
continue;
}
$ipfrules .= "{$rule['rule']} {$rule['descr']}\n";
}
unset($rule_arr1, $rule_arr2, $rule_arr3);
}
return $ipfrules;
}
/****f* filter/filter_get_time_based_rule_status
* NAME
* filter_get_time_based_rule_status