Commit ac28bc57 authored by Ad Schellevis's avatar Ad Schellevis Committed by GitHub

Merge pull request #1419 from phpb-com/pfrules_cleanup

Clean-up how interface address/network rules are generated.
parents bcb17cdc cccec5ab
...@@ -2035,42 +2035,6 @@ function filter_generate_port(& $rule, $target = "source", $isnat = false) { ...@@ -2035,42 +2035,6 @@ function filter_generate_port(& $rule, $target = "source", $isnat = false) {
return $src; return $src;
} }
function filter_address_add_vips_subnets(&$FilterIflist, &$subnets, $if, $not)
{
$if_subnets = array($subnets);
if ($not == true) {
$subnets = "!{$subnets}";
}
if (!empty($FilterIflist[$if]['vips']) || !empty($FilterIflist[$if]['vips6'])) {
$all_vips = array();
$all_vips = array_merge($all_vips, !empty($FilterIflist[$if]['vips']) ? $FilterIflist[$if]['vips'] : array());
$all_vips = array_merge($all_vips, !empty($FilterIflist[$if]['vips6']) ? $FilterIflist[$if]['vips6'] : array());
foreach ($all_vips as $vip) {
foreach ($if_subnets as $subnet) {
if (ip_in_subnet($vip['ip'], $subnet)) {
continue 2;
}
}
$network = null;
if (is_ipaddrv4($vip['ip']) && is_subnetv4($if_subnets[0])) {
$network = gen_subnet($vip['ip'], $vip['sn']);
} elseif (is_ipaddrv6($vip['ip']) && is_subnetv6($if_subnets[0])) {
$network = gen_subnetv6($vip['ip'], $vip['sn']);
}
if (!empty($network)) {
$subnets .= ' ' . ($not == true ? '!' : '') . $network . '/' . $vip['sn'];
$if_subnets[] = $network . '/' . $vip['sn'];
}
}
if (strpos($subnets, ' ') !== false) {
$subnets = "{ {$subnets} }";
}
}
}
function filter_generate_address(&$FilterIflist, &$rule, $target = 'source', $isnat = false) function filter_generate_address(&$FilterIflist, &$rule, $target = 'source', $isnat = false)
{ {
global $config; global $config;
...@@ -2083,127 +2047,39 @@ function filter_generate_address(&$FilterIflist, &$rule, $target = 'source', $is ...@@ -2083,127 +2047,39 @@ function filter_generate_address(&$FilterIflist, &$rule, $target = 'source', $is
if (strstr($rule[$target]['network'], "opt")) { if (strstr($rule[$target]['network'], "opt")) {
$optmatch = ""; $optmatch = "";
$matches = ""; $matches = "";
if ($rule['ipprotocol'] == "inet6") { if (preg_match("/opt([0-9]*)$/", $rule[$target]['network'], $optmatch)) {
if (preg_match("/opt([0-9]*)$/", $rule[$target]['network'], $optmatch)) { $src = "({$FilterIflist["opt{$optmatch[1]}"]['if']}:network)";
$opt_ip = $FilterIflist["opt{$optmatch[1]}"]['ipv6']; /* check for opt$NUMip here */
if (!is_ipaddrv6($opt_ip)) { } elseif (preg_match("/opt([0-9]*)ip/", $rule[$target]['network'], $matches)) {
return ""; $src = "({$FilterIflist["opt{$matches[1]}"]['if']})";
}
$src = $opt_ip . "/" . $FilterIflist["opt{$optmatch[1]}"]['snv6'];
/* check for opt$NUMip here */
} elseif (preg_match("/opt([0-9]*)ip/", $rule[$target]['network'], $matches)) {
$src = $FilterIflist["opt{$matches[1]}"]['ipv6'];
if (!is_ipaddrv6($src)) {
return "";
}
if (isset($rule[$target]['not'])) {
$src = " !{$src}";
}
}
} else {
if (preg_match("/opt([0-9]*)$/", $rule[$target]['network'], $optmatch)) {
$opt_ip = $FilterIflist["opt{$optmatch[1]}"]['ip'];
if (!is_ipaddrv4($opt_ip)) {
return "";
}
$src = $opt_ip . "/" . $FilterIflist["opt{$optmatch[1]}"]['sn'];
/* check for opt$NUMip here */
} elseif (preg_match("/opt([0-9]*)ip/", $rule[$target]['network'], $matches)) {
$src = $FilterIflist["opt{$matches[1]}"]['ip'];
if (!is_ipaddrv4($src)) {
return "";
}
if (isset($rule[$target]['not'])) {
$src = " !{$src}";
}
}
} }
} else { } else {
if ($rule['ipprotocol'] == "inet6") { switch ($rule[$target]['network']) {
switch ($rule[$target]['network']) { case 'wan':
case 'wan': $src = "({$FilterIflist['wan']['if']}:network)";
$wansa = $FilterIflist['wan']['sav6']; break;
if (!is_ipaddrv6($wansa)) { case 'wanip':
return ""; $src = "({$FilterIflist['wan']['if']})";
} break;
$wansn = $FilterIflist['wan']['snv6']; case 'lan':
$src = "{$wansa}/{$wansn}"; $src = "({$FilterIflist['lan']['if']}:network)";
break; break;
case 'wanip': case 'lanip':
$src = $FilterIflist["wan"]['ipv6']; $src = "({$FilterIflist['lan']['if']})";
if (!is_ipaddrv6($src)) { break;
return ""; case '(self)':
} $src = "(self)";
break; break;
case 'lanip': default:
$src = $FilterIflist["lan"]['ipv6']; if (!empty($FilterIflist[$rule[$target]['network']]['if'])) {
if (!is_ipaddrv6($src)) { $src = "({$FilterIflist[$rule[$target]['network']]['if']}:network)";
return ""; } else {
} return "";
break; }
case 'lan':
$lansa = $FilterIflist['lan']['sav6'];
if (!is_ipaddrv6($lansa)) {
return "";
}
$lansn = $FilterIflist['lan']['snv6'];
$src = "{$lansa}/{$lansn}";
break;
case '(self)':
$src = "(self)";
break;
default:
if (!empty($FilterIflist[$rule[$target]['network']]['sav6'])) {
$src = $FilterIflist[$rule[$target]['network']]['sav6'] . "/" . $FilterIflist[$rule[$target]['network']]['snv6'];
} else {
return "";
}
}
if (isset($rule[$target]['not']) && !is_subnet($src)) {
$src = " !{$src}";
}
} else {
switch ($rule[$target]['network']) {
case 'wan':
$wansa = $FilterIflist['wan']['sa'];
if (!is_ipaddrv4($wansa)) {
return "";
}
$wansn = $FilterIflist['wan']['sn'];
$src = "{$wansa}/{$wansn}";
break;
case 'wanip':
$src = $FilterIflist["wan"]['ip'];
break;
case 'lanip':
$src = $FilterIflist["lan"]['ip'];
break;
case 'lan':
$lansa = $FilterIflist['lan']['sa'];
if (!is_ipaddrv4($lansa)) {
return "";
}
$lansn = $FilterIflist['lan']['sn'];
$src = "{$lansa}/{$lansn}";
break;
case '(self)':
$src = "(self)";
break;
default:
if (!empty($FilterIflist[$rule[$target]['network']]['sa'])) {
$src = $FilterIflist[$rule[$target]['network']]['sa'] . "/" . $FilterIflist[$rule[$target]['network']]['sn'];
} else {
return "";
}
}
if (isset($rule[$target]['not']) && !is_subnet($src) &&
(strpos($src, '{') === false)) {
$src = " !{$src}";
}
} }
} }
if (is_subnet($src)) { if (isset($rule[$target]['not'])) {
filter_address_add_vips_subnets($FilterIflist, $src, $rule[$target]['network'], isset($rule[$target]['not'])); $src = " !{$src}";
} }
} elseif ($rule[$target]['address']) { } elseif ($rule[$target]['address']) {
$expsrc = alias_expand($rule[$target]['address']); $expsrc = alias_expand($rule[$target]['address']);
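Review bot: The `opt` branch emits an empty interface name when `$FilterIflist["opt{$optmatch[1]}"]` has no `'if'` entry, producing `(:network)` or `()` in the generated rule, whereas the `default:` case of the switch guards the identical lookup with `!empty(...['if'])` and returns `""`. The deleted code returned `""` when the interface address was not a valid IP, so an unconfigured or mistyped opt reference now reaches pf as a malformed token and can make the whole ruleset fail to load instead of dropping the one rule. Add the same guard before each assignment, e.g. `if (empty($FilterIflist["opt{$optmatch[1]}"]['if'])) { return ""; }` and the matching check on `$matches[1]` in the `elseif`. When neither regex matches (the `strstr` test only requires "opt" somewhere in the name) `$src` is left unassigned before the `not` prefix is applied, which presumably also needs a `return ""`; whether `$src` is initialised earlier cannot be seen here. filter_generate_address begins in the previous hunk and its body continues past this one.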
......