Revision 3e28d716
Added by Marcos M about 1 year ago
src/etc/inc/filter.inc | ||
129 | 129 |
if (!isset($ipsecp1['disabled']) && ($ipsecp1['ikeid'] == $ipsecp2['ikeid'])) { |
130 | 130 |
$use_floating_states_for_ipsec = true; |
131 | 131 |
break 2; |
132 |
}
|
|
132 |
} |
|
133 | 133 |
} |
134 | 134 |
} |
135 | 135 |
} |
... | ... | |
3572 | 3572 |
$aline['flags'] = "flags S/SA "; |
3573 | 3573 |
} |
3574 | 3574 |
} |
3575 |
|
|
3576 |
/* State Tracking Options */ |
|
3577 |
$rule_tracks_state = true; |
|
3575 | 3578 |
if ($type == "pass") { |
3576 |
/* |
|
3577 |
* # keep state |
|
3578 |
* works with TCP, UDP, and ICMP. |
|
3579 |
* # modulate state |
|
3580 |
* deprecated |
|
3581 |
* # synproxy state |
|
3582 |
* proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. |
|
3583 |
* # none |
|
3584 |
* do not use state mechanisms to keep track. this is only useful if your doing advanced |
|
3585 |
* queueing in certain situations. please check the faq. |
|
3586 |
*/ |
|
3587 |
$noadvoptions = false; |
|
3588 |
if (isset($rule['statetype']) && $rule['statetype'] <> "") { |
|
3579 |
if (empty($rule['statetype'])) { |
|
3580 |
// Default to 'keep state'; works with TCP, UDP, and ICMP. |
|
3581 |
$aline['flags'] .= "keep state "; |
|
3582 |
} else { |
|
3589 | 3583 |
switch ($rule['statetype']) { |
3590 |
case "none":
|
|
3591 |
$noadvoptions = true;
|
|
3592 |
$aline['flags'] .= " no state ";
|
|
3584 |
case "sloppy state":
|
|
3585 |
$aline['flags'] .= "keep state ";
|
|
3586 |
$rule['sloppy'] = true;
|
|
3593 | 3587 |
break; |
3594 | 3588 |
case "modulate state": |
3589 |
// deprecated |
|
3595 | 3590 |
case "synproxy state": |
3591 |
// Proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. |
|
3596 | 3592 |
if ($rule['protocol'] == "tcp") { |
3597 | 3593 |
$aline['flags'] .= "{$rule['statetype']} "; |
3598 | 3594 |
} |
3599 | 3595 |
break; |
3600 |
case "sloppy state": |
|
3601 |
$aline['flags'] .= "keep state "; |
|
3602 |
$rule['sloppy'] = true; |
|
3596 |
case "none": |
|
3597 |
// Do not track the state for this rule. This can be useful for advanced queueing. |
|
3598 |
$rule_tracks_state = false; |
|
3599 |
$aline['flags'] .= "no state "; |
|
3603 | 3600 |
break; |
3604 | 3601 |
default: |
3605 |
$aline['flags'] .= "{$rule['statetype']} "; |
|
3602 |
// Default to 'keep state' for unknown options. |
|
3603 |
$aline['flags'] .= "keep state "; |
|
3606 | 3604 |
break; |
3607 | 3605 |
} |
3608 |
} else { |
|
3609 |
$aline['flags'] .= "keep state "; |
|
3610 | 3606 |
} |
3607 |
} |
|
3608 |
// Set 'state-opts' and 'timeout' options. |
|
3609 |
if ($rule_tracks_state) { |
|
3610 |
$track_options = []; |
|
3611 | 3611 |
|
3612 |
if ($noadvoptions == false && isset($rule['nopfsync'])) { |
|
3612 |
// state-opt |
|
3613 |
if (isset($rule['nopfsync'])) { |
|
3613 | 3614 |
$rule['nopfsync'] = true; |
3615 |
$track_options[] = "no-sync"; |
|
3616 |
} |
|
3617 |
if (!empty($rule['statepolicy'])) { |
|
3618 |
$track_options[] = "{$rule['statepolicy']}"; |
|
3619 |
} elseif ($use_floating_states_for_ipsec && ($rule['interface'] == 'enc0')) { |
|
3620 |
// a floating state is needed for enc0 rules - see #15430 |
|
3621 |
$track_options[] = 'floating'; |
|
3622 |
} |
|
3623 |
if (isset($rule['sloppy'])) { |
|
3624 |
$track_options[] = "sloppy"; |
|
3625 |
} |
|
3626 |
if (!empty($rule['source-track'])) { |
|
3627 |
$track_options[] = "source-track rule"; |
|
3628 |
} |
|
3629 |
if (!empty($rule['max'])) { |
|
3630 |
$track_options[] = "max {$rule['max']}"; |
|
3631 |
} |
|
3632 |
if (!empty($rule['max-src-nodes'])) { |
|
3633 |
$track_options[] = "max-src-nodes {$rule['max-src-nodes']}"; |
|
3634 |
} |
|
3635 |
if (!empty($rule['max-src-states'])) { |
|
3636 |
$track_options[] = "max-src-states {$rule['max-src-states']}"; |
|
3637 |
} |
|
3638 |
if (!empty($rule['max-src-conn']) && (!empty($rule['protocol']) && |
|
3639 |
($rule['protocol'] == 'tcp' || $rule['protocol'] == 'tcp/udp'))) { |
|
3640 |
$track_options[] = "max-src-conn {$rule['max-src-conn']}"; |
|
3641 |
} |
|
3642 |
if (!empty($rule['max-src-conn-rate']) && !empty($rule['max-src-conn-rates']) && |
|
3643 |
($rule['protocol'] == 'tcp' || $rule['protocol'] == 'tcp/udp')) { |
|
3644 |
$track_options[] = "max-src-conn-rate {$rule['max-src-conn-rate']} / {$rule['max-src-conn-rates']}, overload <virusprot> flush global"; |
|
3614 | 3645 |
} |
3615 | 3646 |
|
3616 |
if ($noadvoptions == false) { |
|
3617 |
if ((isset($rule['source-track']) and $rule['source-track'] <> "") or |
|
3618 |
(isset($rule['max']) and $rule['max'] <> "") or |
|
3619 |
(isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "") or |
|
3620 |
(isset($rule['max-src-states']) and $rule['max-src-states'] <> "") or |
|
3621 |
(isset($rule['statetimeout']) and $rule['statetimeout'] <> "") or |
|
3622 |
((in_array($rule['protocol'], array("tcp", "tcp/udp"))) and |
|
3623 |
((isset($rule['max-src-conn']) and $rule['max-src-conn'] <> "") or |
|
3624 |
(isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> "") or |
|
3625 |
(isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> ""))) or |
|
3626 |
(isset($rule['statepolicy']) and !empty($rule['statepolicy'])) or |
|
3627 |
(isset($rule['sloppy'])) or |
|
3628 |
(isset($rule['nopfsync'])) or |
|
3629 |
$use_floating_states_for_ipsec) { |
|
3630 |
$aline['flags'] .= "( "; |
|
3631 |
if (!empty($rule['statepolicy'])) { |
|
3632 |
$aline['flags'] .= "{$rule['statepolicy']} "; |
|
3633 |
} elseif ($use_floating_states_for_ipsec && ($rule['interface'] == 'enc0')) { |
|
3634 |
// a floating state is needed for enc0 rules - see #15430 |
|
3635 |
$aline['flags'] .= 'floating '; |
|
3636 |
} |
|
3637 |
if (isset($rule['sloppy'])) { |
|
3638 |
$aline['flags'] .= "sloppy "; |
|
3639 |
} |
|
3640 |
if (isset($rule['nopfsync'])) { |
|
3641 |
$aline['flags'] .= "no-sync "; |
|
3642 |
} |
|
3643 |
if (isset($rule['source-track']) and $rule['source-track'] <> "") { |
|
3644 |
$aline['flags'] .= "source-track rule "; |
|
3645 |
} |
|
3646 |
if (isset($rule['max']) and $rule['max'] <> "") { |
|
3647 |
$aline['flags'] .= "max " . $rule['max'] . " "; |
|
3648 |
} |
|
3649 |
if (isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "") { |
|
3650 |
$aline['flags'] .= "max-src-nodes " . $rule['max-src-nodes'] . " "; |
|
3651 |
} |
|
3652 |
if ((in_array($rule['protocol'], array("tcp", "tcp/udp"))) and |
|
3653 |
(isset($rule['max-src-conn'])) and |
|
3654 |
($rule['max-src-conn'] <> "")) { |
|
3655 |
$aline['flags'] .= "max-src-conn " . $rule['max-src-conn'] . " "; |
|
3656 |
} |
|
3657 |
if (isset($rule['max-src-states']) and $rule['max-src-states'] <> "") { |
|
3658 |
$aline['flags'] .= "max-src-states " . $rule['max-src-states'] . " "; |
|
3659 |
} |
|
3660 |
if (isset($rule['statetimeout']) and $rule['statetimeout'] <> "") { |
|
3661 |
if (in_array($rule['protocol'], array("tcp", "tcp/udp", "sctp")) || |
|
3662 |
empty($rule['protocol'])) { |
|
3663 |
$aline['flags'] .= "tcp.established " . $rule['statetimeout'] . " "; |
|
3664 |
} |
|
3665 |
if (in_array($rule['protocol'], array("udp", "tcp/udp")) || |
|
3666 |
empty($rule['protocol'])) { |
|
3667 |
$aline['flags'] .= "udp.multiple " . $rule['statetimeout'] . " "; |
|
3668 |
} |
|
3669 |
if (!array_key_exists($rule['protocol'], get_ipprotocols('portsonly')) || |
|
3670 |
empty($rule['protocol'])) { |
|
3671 |
$aline['flags'] .= "other.multiple " . $rule['statetimeout'] . " "; |
|
3672 |
} |
|
3673 |
} |
|
3674 |
if ((in_array($rule['protocol'], array("tcp", "tcp/udp"))) and |
|
3675 |
(isset($rule['max-src-conn-rate'])) and |
|
3676 |
($rule['max-src-conn-rate'] <> "") and |
|
3677 |
(isset($rule['max-src-conn-rates'])) and |
|
3678 |
($rule['max-src-conn-rates'] <> "")) { |
|
3679 |
$aline['flags'] .= "max-src-conn-rate " . $rule['max-src-conn-rate'] . " "; |
|
3680 |
$aline['flags'] .= "/" . $rule['max-src-conn-rates'] . ", overload <virusprot> flush global "; |
|
3681 |
} |
|
3682 |
|
|
3683 |
$aline['flags'] .= " ) "; |
|
3647 |
// timeout |
|
3648 |
if (!empty($rule['statetimeout'])) { |
|
3649 |
if (empty($rule['protocol'])) { |
|
3650 |
// no protocol set |
|
3651 |
$track_options[] = "tcp.established {$rule['statetimeout']} udp.multiple {$rule['statetimeout']} other.multiple {$rule['statetimeout']}"; |
|
3652 |
} elseif ($rule['protocol'] == 'tcp/udp') { |
|
3653 |
// either tcp or udp |
|
3654 |
$track_options[] = "tcp.established {$rule['statetimeout']} udp.multiple {$rule['statetimeout']}"; |
|
3655 |
} elseif (($rule['protocol'] == 'tcp') || ($rule['protocol'] == 'sctp')) { |
|
3656 |
// tcp or sctp |
|
3657 |
$track_options[] = "tcp.established {$rule['statetimeout']}"; |
|
3658 |
} elseif ($rule['protocol'] == 'udp') { |
|
3659 |
// udp |
|
3660 |
$track_options[] = "udp.multiple {$rule['statetimeout']}"; |
|
3661 |
} elseif (!array_key_exists($rule['protocol'], get_ipprotocols('portsonly'))) { |
|
3662 |
// set protocol is unknown |
|
3663 |
$track_options[] = "other.multiple {$rule['statetimeout']}"; |
|
3684 | 3664 |
} |
3685 | 3665 |
} |
3666 |
|
|
3667 |
if (!empty($track_options)) { |
|
3668 |
$aline['flags'] .= '(' . implode(' ', $track_options) . ') '; |
|
3669 |
} |
|
3686 | 3670 |
} |
3671 |
|
|
3687 | 3672 |
if ($rule['defaultqueue'] <> "") { |
3688 | 3673 |
$aline['queue'] = " queue (".$rule['defaultqueue']; |
3689 | 3674 |
if ($rule['ackqueue'] <> "") { |
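Review bot: If I read the brace nesting right, the new `}` at line 3607 closes `if ($type == "pass")` before the `if ($rule_tracks_state)` block at 3609, whereas the old code closed it at 3686, after the state-options parenthesis; since `$rule_tracks_state` is initialised to true at 3577 regardless of `$type`, a block or reject rule that carries `nopfsync`, a `max*` limit, `statetimeout`, a state policy, or sits on `enc0` while `$use_floating_states_for_ipsec` is set would now get `( ... )` state options appended, which as far as I know pf does not accept on non-pass rules, so the generated ruleset would fail to load. The smallest fix is `$rule_tracks_state = ($type == "pass");` at 3577 (or `if ($type == "pass" && $rule_tracks_state) {` at 3609). Separately, the max-src-conn-rate condition at 3642-3643 compares `$rule['protocol']` without the `!empty($rule['protocol'])` guard that the max-src-conn condition at 3638 uses; applying the same guard keeps the two conditions consistent and avoids an undefined-key notice when no protocol is set. The enclosing function starts and ends outside this hunk.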
Clean up rule generation code for state-tracking options
Improve readability and make the code easier to adjust for future changes.