Commit c43fcea6 authored by Franco Fichtner's avatar Franco Fichtner

firewall: remove command.txt magic; closes #525

o Synchronise the calls as there should be no drawback running
  in the background for a table flush.
o Localise the after-filter hook to the two functions using it.
o Restrict the functionality to flush tables only.
o Remove some dead code along the way.
parent 82fd7db5
...@@ -30,9 +30,6 @@ ...@@ -30,9 +30,6 @@
POSSIBILITY OF SUCH DAMAGE. POSSIBILITY OF SUCH DAMAGE.
*/ */
/* holds the items that will be executed *AFTER* the filter is fully loaded */
$after_filter_configure_run = array();
/* For installing cron job of schedules */ /* For installing cron job of schedules */
$time_based_rules = false; $time_based_rules = false;
...@@ -165,8 +162,10 @@ function filter_delete_states_for_down_gateways() ...@@ -165,8 +162,10 @@ function filter_delete_states_for_down_gateways()
function filter_configure_sync() function filter_configure_sync()
{ {
global $config, $after_filter_configure_run; global $config, $time_based_rules, $filterdns, $aliases;
global $time_based_rules, $filterdns, $aliases;
/* holds the tables to be flushed *AFTER* the filter is fully loaded */
$after_filter_configure_run = array();
$FilterIflist = filter_generate_optcfg_array(); $FilterIflist = filter_generate_optcfg_array();
...@@ -186,7 +185,7 @@ function filter_configure_sync() ...@@ -186,7 +185,7 @@ function filter_configure_sync()
echo "."; echo ".";
} }
update_filter_reload_status(gettext("Creating aliases")); update_filter_reload_status(gettext("Creating aliases"));
$aliases = filter_generate_aliases($FilterIflist); $aliases = filter_generate_aliases($FilterIflist, $after_filter_configure_run);
$gateways = filter_generate_gateways(); $gateways = filter_generate_gateways();
if (file_exists("/var/run/booting")) { if (file_exists("/var/run/booting")) {
echo "."; echo ".";
...@@ -360,21 +359,8 @@ function filter_configure_sync() ...@@ -360,21 +359,8 @@ function filter_configure_sync()
} }
/* run items scheduled for after filter configure run */ /* run items scheduled for after filter configure run */
$fda = fopen('/tmp/commands.txt', 'w'); foreach ($after_filter_configure_run as $afcr) {
if ($fda) { mwexecf('/sbin/pfctl -T flush -t %s', $afcr);
if ($after_filter_configure_run) {
foreach($after_filter_configure_run as $afcr) {
fwrite($fda, $afcr . " >/dev/null 2>&1 \n");
}
unset($after_filter_configure_run);
}
fclose($fda);
}
if (file_exists('/tmp/commands.txt')) {
/* XXX eh, sorry, what are you doing? */
mwexec('sh /tmp/commands.txt &');
unlink('/tmp/commands.txt');
} }
/* if time based rules are enabled then swap in the set */ /* if time based rules are enabled then swap in the set */
...@@ -524,9 +510,9 @@ function filter_expand_alias_array($alias_name) { ...@@ -524,9 +510,9 @@ function filter_expand_alias_array($alias_name) {
return explode(" ", preg_replace('/\s+/', ' ', trim($expansion))); return explode(" ", preg_replace('/\s+/', ' ', trim($expansion)));
} }
function filter_generate_aliases(&$FilterIflist) function filter_generate_aliases(&$FilterIflist, &$after_filter_configure_run)
{ {
global $config, $after_filter_configure_run; global $config;
$alias = "#System aliases\n "; $alias = "#System aliases\n ";
$aliases = "loopback = \"{ lo0 }\"\n"; $aliases = "loopback = \"{ lo0 }\"\n";
...@@ -585,13 +571,6 @@ function filter_generate_aliases(&$FilterIflist) ...@@ -585,13 +571,6 @@ function filter_generate_aliases(&$FilterIflist)
/* Setup pf groups */ /* Setup pf groups */
if (isset($config['aliases']['alias'])) { if (isset($config['aliases']['alias'])) {
foreach ($config['aliases']['alias'] as $aliased) { foreach ($config['aliases']['alias'] as $aliased) {
$extralias = "";
/*
* XXX: i am not sure what this does so i am commenting it out for now, because as it is
* its quite dangerous!
* $ip = find_interface_ip($aliased['address']);
* $extraalias = " " . link_ip_to_carp_interface($ip);
*/
$aliasnesting = array(); $aliasnesting = array();
$aliasaddrnesting = array(); $aliasaddrnesting = array();
$addrlist = filter_generate_nested_alias($aliased['name'], $aliased['address'], $aliasnesting, $aliasaddrnesting); $addrlist = filter_generate_nested_alias($aliased['name'], $aliased['address'], $aliasnesting, $aliasaddrnesting);
...@@ -599,14 +578,14 @@ function filter_generate_aliases(&$FilterIflist) ...@@ -599,14 +578,14 @@ function filter_generate_aliases(&$FilterIflist)
case "host": case "host":
case "network": case "network":
case "url": case "url":
$tableaddrs = "{$addrlist}{$extralias}"; $tableaddrs = "{$addrlist}";
if (empty($tableaddrs)) { if (empty($tableaddrs)) {
$aliases .= "table <{$aliased['name']}> persist\n"; $aliases .= "table <{$aliased['name']}> persist\n";
if (empty($aliased['address'])) { if (empty($aliased['address'])) {
$after_filter_configure_run[] = "/sbin/pfctl -T flush -t " . escapeshellarg($aliased['name']); $after_filter_configure_run[] = $aliased['name'];
} }
} else { } else {
$aliases .= "table <{$aliased['name']}> { {$addrlist}{$extralias} } \n"; $aliases .= "table <{$aliased['name']}> { {$addrlist} } \n";
} }
$aliases .= "{$aliased['name']} = \"<{$aliased['name']}>\"\n"; $aliases .= "{$aliased['name']} = \"<{$aliased['name']}>\"\n";
break; break;
...@@ -629,7 +608,7 @@ function filter_generate_aliases(&$FilterIflist) ...@@ -629,7 +608,7 @@ function filter_generate_aliases(&$FilterIflist)
} }
} }
} }
$aliases .= "table <{$aliased['name']}> { {$newaddress}{$extralias} } \n"; $aliases .= "table <{$aliased['name']}> { {$newaddress} } \n";
$aliases .= "{$aliased['name']} = \"<{$aliased['name']}>\"\n"; $aliases .= "{$aliased['name']} = \"<{$aliased['name']}>\"\n";
break; break;
case "urltable": case "urltable":
...@@ -652,7 +631,7 @@ function filter_generate_aliases(&$FilterIflist) ...@@ -652,7 +631,7 @@ function filter_generate_aliases(&$FilterIflist)
$aliases .= "{$aliased['name']} = \"{ {$addrlist} }\"\n"; $aliases .= "{$aliased['name']} = \"{ {$addrlist} }\"\n";
break; break;
default: default:
$aliases .= "{$aliased['name']} = \"{ {$aliased['address']}{$extralias} }\"\n"; $aliases .= "{$aliased['name']} = \"{ {$aliased['address']}\"\n";
break; break;
} }
} }
...@@ -1642,7 +1621,7 @@ function filter_nat_rules_generate_if(&$FilterIflist, $if, $src = "any", $srcpor ...@@ -1642,7 +1621,7 @@ function filter_nat_rules_generate_if(&$FilterIflist, $if, $src = "any", $srcpor
function filter_nat_rules_generate(&$FilterIflist) function filter_nat_rules_generate(&$FilterIflist)
{ {
global $config, $after_filter_configure_run, $GatewaysList, $aliases; global $config, $GatewaysList, $aliases;
$natrules = "no nat proto carp\n"; $natrules = "no nat proto carp\n";
$natrules .= "no rdr proto carp\n"; $natrules .= "no rdr proto carp\n";
......
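Review bot: In the `@@ -652,7 +631,7 @@` hunk the default-case macro line `$aliases .= "{$aliased['name']} = \"{ {$aliased['address']}\"\n";` dropped the closing ` }` together with `{$extralias}`, so any alias reaching that branch now emits an unbalanced pf macro (`name = "{ addr"`) and pfctl will reject the generated ruleset; it should read `$aliases .= "{$aliased['name']} = \"{ {$aliased['address']} }\"\n";`, matching the `host`/`network`/`url` table lines above it. Separately, the new flush loop hands `$afcr` (an alias name taken from the config) to `mwexecf('/sbin/pfctl -T flush -t %s', $afcr)` where the removed code wrapped the name in escapeshellarg() before writing it to the command file; this is only safe if mwexecf() quotes each format argument itself, which is not visible in this diff, so either confirm that or keep an explicit escapeshellarg() on the name before it is queued. filter_generate_aliases() starts and ends outside the hunk.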