filter, add "reply-to" to plugin model, disabled by default for bootstrapped...

filter, add "reply-to" to plugin model, disabled by default for bootstrapped rules. needs gateway/gatewayv6 registered in filter.inc before it can actually function.

filter, add "reply-to" to plugin model, disabled by default for bootstrapped...
filter, add "reply-to" to plugin model, disabled by default for bootstrapped rules. needs gateway/gatewayv6 registered in filter.inc before it can actually function.
b27abd7d · Ad Schellevis · e3d6b139 · b27abd7d · b27abd7d
Commit b27abd7d authored May 30, 2017 by Ad Schellevis
Hide whitespace changes
Inline Side-by-side

Showing with 34 additions and 0 deletions

filter.lib.inc src/etc/inc/filter.lib.inc +1 -0

FilterRule.php ...opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php +33 -0

No files found.
--- a/src/etc/inc/filter.lib.inc
+++ b/src/etc/inc/filter.lib.inc
@@ -33,6 +33,7 @@ function filter_core_bootstrap($fw)
    $filter_rule_defaults = array();
    $filter_rule_defaults['pass'] = array("type" => "pass", "log" => !isset($config['syslog']['nologdefaultpass']));
    $filter_rule_defaults['block'] = array("type" => "block", "log" => !isset($config['syslog']['nologdefaultblock']));
+    $filter_rule_defaults['disablereplyto'] = 1 ; // don't generate "reply-to" tags on internal rules by default
    // setup system filter rules
    filter_core_rules_system($fw, $filter_rule_defaults);

--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
@@ -47,6 +47,7 @@ class FilterRule
        'quick' => 'parseBool,quick',
        'interface' => 'parseInterface',
        'gateway' => 'parseRoute',
+        'reply' =>  'parsePlain',
        'ipprotocol' => 'parsePlain',
        'protocol' => 'parseReplaceSimple,tcp/udp:{tcp udp},proto ',
        'from' => 'parsePlain,from {,}',
@@ -251,6 +252,37 @@ class FilterRule
        }
    }
+    /**
+     * add reply-to tag when applicable
+     * @param array $rule rule
+     */
+    private function convertReplyTo(&$rule)
+    {
+        if (!isset($rule['disablereplyto'])) {
+            $proto = $rule['ipprotocol'];
+            if (!empty($this->interfaceMapping[$rule['interface']]['if']) && empty($rule['gateway'])) {
+                $if = $this->interfaceMapping[$rule['interface']]['if'];
+                switch ($proto) {
+                    case "inet6":
+                        if (!empty($this->interfaceMapping[$rule['interface']]['gatewayv6'])
+                           && Util::isIpAddress($this->interfaceMapping[$rule['interface']]['gatewayv6'])) {
+                            $gw = $this->interfaceMapping[$rule['interface']]['gatewayv6'];
+                            $rule['reply'] = "reply-to ( {$if} {$gw} ) ";
+                        }
+                        break;
+                    default:
+                        if (!empty($this->interfaceMapping[$rule['interface']]['gateway'])
+                           && Util::isIpAddress($this->interfaceMapping[$rule['interface']]['gateway'])) {
+                            $gw = $this->interfaceMapping[$rule['interface']]['gateway'];
+                            $rule['reply'] = "reply-to ( {$if} {$gw} ) ";
+                        }
+                        break;
+                }
+            }
+        }
+    }
    /**
     * preprocess internal rule data to detail level of actual ruleset
     * handles shortcuts, like inet46 and multiple interfaces
@@ -274,6 +306,7 @@ class FilterRule
                $tmp['interface'] = $interface;
                $tmp['ipprotocol'] = $ipproto;
                $this->convertAddress($tmp);
+                $this->convertReplyTo($tmp);
                $tmp['from'] = empty($tmp['from']) ? "any" : $tmp['from'];
                $tmp['to'] = empty($tmp['to']) ? "any" : $tmp['to'];
                // disable rule when interface not found