firewall: backport library changes for gateways (not enabled)

8238002d · Franco Fichtner · c5cd4b78 · 8238002d · 8238002d · 8238002d
Commit 8238002d authored May 15, 2017 by Franco Fichtner
Showing with 69 additions and 7 deletions

filter.inc src/etc/inc/filter.inc +2 -3

FilterRule.php ...opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php +19 -1

Plugin.php src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php +48 -3

No files found.
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -377,6 +377,8 @@ function filter_configure_sync($verbose = false)
    // initialize fw plugin object
    $fw = new \OPNsense\Firewall\Plugin();
    $fw->setInterfaceMapping(legacy_config_get_interfaces(array("enable" => true)));
+    //$fw->setGateways(return_gateways_array());
+    //$fw->setGatewayGroups(return_gateway_groups_array());
    filter_core_bootstrap($fw);

    plugins_firewall($fw);
@@ -895,9 +897,6 @@ function filter_generate_gateways()
            $int = $gateway['interface'];
            $gwip = $gateway['gateway'];
            $route = "";
-            if (!is_ipaddr($gwip)) {
-                $gwip = get_interface_gateway($gateway['friendlyiface']);
-            }
            if (is_ipaddr($gwip) && !empty($int)) {
                $route = "route-to ( {$int} {$gwip} )";
            }

--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
@@ -37,6 +37,7 @@ class FilterRule
 {
    private $rule = array();
    private $interfaceMapping = array();
+    private $gatewayMapping = array();

    private $procorder = array(
        'disabled' => 'parseIsComment',
@@ -45,6 +46,7 @@ class FilterRule
        'log' => 'parseBool,log',
        'quick' => 'parseBool,quick',
        'interface' => 'parseInterface',
+        'gateway' => 'parseRoute',
        'ipprotocol' => 'parsePlain',
        'protocol' => 'parseReplaceSimple,tcp/udp:{tcp udp},proto ',
        'from' => 'parsePlain,from {,}',
@@ -146,6 +148,20 @@ class FilterRule
        }
    }

+    /**
+     * parse gateway (route-to)
+     * @param string $value field value
+     * @return string
+     */
+    private function parseRoute($value)
+    {
+        if (!empty($this->gatewayMapping[$value]['logic'])) {
+            return " " . $this->gatewayMapping[$value]['logic'] . " ";
+        } else {
+            return "";
+        }
+    }
+
    /**
     * parse boolean, return text from $valueTrue / $valueFalse
     * @param string $value field value
@@ -325,11 +341,13 @@ class FilterRule
    /**
     * init FilterRule
     * @param array $interfaceMapping internal interface mapping
+     * @param array $gatewayMapping internal gateway mapping
     * @param array $conf rule configuration
     */
-    public function __construct(&$interfaceMapping, $conf)
+    public function __construct(&$interfaceMapping, &$gatewayMapping, $conf)
    {
        $this->interfaceMapping = $interfaceMapping;
+        $this->gatewayMapping = $gatewayMapping;
        $this->rule = $conf;
    }


--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php
@@ -29,6 +29,8 @@
 */
 namespace OPNsense\Firewall;

+use \OPNsense\Core\Config;
+
 /**
 * Class Plugin
 * @package OPNsense\Firewall
@@ -38,7 +40,7 @@ class Plugin
    private $anchors = array();
    private $filterRules = array();
    private $interfaceMapping = array();
-    private $interfaceStaticMapping;
+    private $gatewayMapping = array();

    /**
     * init firewall plugin component
@@ -48,7 +50,7 @@ class Plugin
    }

    /**
-     * set interface mapping to USE
+     * set interface mapping to use
     * @param array $mapping named array
     */
    public function setInterfaceMapping(&$mapping)
@@ -58,6 +60,49 @@ class Plugin
        $this->interfaceMapping = array_merge($this->interfaceMapping, $mapping);
    }

+    /**
+     * set defined gateways (route-to)
+     * @param array $gateways named array
+     */
+    public function setGateways($gateways)
+    {
+        if (is_array($gateways)) {
+            foreach ($gateways as $key => $gw) {
+                if (Util::isIpAddress($gw['gateway']) && !empty($gw['interface'])) {
+                    $this->gatewayMapping[$key] = array("logic" => "route-to ( {$gw['interface']} {$gw['gateway']} )");
+                }
+            }
+        }
+    }
+
+    /**
+     * set defined gateway groups (route-to)
+     * @param array $groups named array
+     */
+    public function setGatewayGroups($groups)
+    {
+        if (is_array($groups)) {
+            foreach ($groups as $key => $gwgr) {
+                $routeto = array();
+                foreach ($gwgr as $gw) {
+                    if (Util::isIpAddress($gw['gwip']) && !empty($gw['int'])) {
+                        $routeto[] = str_repeat("( {$gw['int']} {$gw['gwip']} )", $gw['weight']);
+                    }
+                }
+                if (count($routeto) > 0) {
+                    $routetologic = "route-to {".implode(' ', $routeto)."}";
+                    if (count($routeto) > 1) {
+                        $routetologic .= " round-robin ";
+                    }
+                    if (!empty(Config::getInstance()->object()->system->lb_use_sticky)) {
+                        $routetologic .= " sticky-address ";
+                    }
+                    $this->gatewayMapping[$key] = array("logic" => $routetologic);
+                }
+            }
+        }
+    }
+
    /**
     * @return array
     */
@@ -112,7 +157,7 @@ class Plugin
        if ($defaults != null) {
            $conf = array_merge($defaults, $conf);
        }
-        $rule = new FilterRule($this->interfaceMapping, $conf);
+        $rule = new FilterRule($this->interfaceMapping, $this->gatewayMapping, $conf);
        if (empty($this->filterRules[$prio])) {
            $this->filterRules[$prio] = array();
        }