|
1
|
#!/usr/local/bin/php-cgi -f
|
|
2
|
<?php
|
|
3
|
/*
|
|
4
|
* rc.kill_states
|
|
5
|
*
|
|
6
|
* part of pfSense (https://www.pfsense.org)
|
|
7
|
* Copyright (c) 2004-2013 BSD Perimeter
|
|
8
|
* Copyright (c) 2013-2016 Electric Sheep Fencing
|
|
9
|
* Copyright (c) 2014-2020 Rubicon Communications, LLC (Netgate)
|
|
10
|
* All rights reserved.
|
|
11
|
*
|
|
12
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
13
|
* you may not use this file except in compliance with the License.
|
|
14
|
* You may obtain a copy of the License at
|
|
15
|
*
|
|
16
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
17
|
*
|
|
18
|
* Unless required by applicable law or agreed to in writing, software
|
|
19
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
20
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
21
|
* See the License for the specific language governing permissions and
|
|
22
|
* limitations under the License.
|
|
23
|
*/
|
|
24
|
|
|
25
|
/* parse the configuration and include all functions used below */
|
|
26
|
require_once("globals.inc");
|
|
27
|
require_once("config.inc");
|
|
28
|
require_once("interfaces.inc");
|
|
29
|
require_once("util.inc");
|
|
30
|
|
|
31
|
// Do not process while booting
|
|
32
|
if (platform_booting()) {
|
|
33
|
return;
|
|
34
|
}
|
|
35
|
|
|
36
|
/* Interface address to cleanup states */
|
|
37
|
$interface = str_replace("\n", "", $argv[1]);
|
|
38
|
|
|
39
|
/* IP address to cleanup states */
|
|
40
|
$local_ip = str_replace("\n", "", $argv[2]);
|
|
41
|
|
|
42
|
if (empty($interface) || !does_interface_exist($interface)) {
|
|
43
|
log_error("rc.kill_states: Invalid interface '{$interface}'");
|
|
44
|
return;
|
|
45
|
}
|
|
46
|
|
|
47
|
if (!empty($local_ip)) {
|
|
48
|
list($local_ip, $subnet_bits) = explode("/", $local_ip);
|
|
49
|
|
|
50
|
if (empty($subnet_bits)) {
|
|
51
|
$subnet_bits = "32";
|
|
52
|
}
|
|
53
|
|
|
54
|
if (!is_ipaddr($local_ip)) {
|
|
55
|
log_error("rc.kill_states: Invalid IP address '{$local_ip}'");
|
|
56
|
return;
|
|
57
|
}
|
|
58
|
}
|
|
59
|
|
|
60
|
if (isset($config['system']['gw_down_kill_states'])) {
|
|
61
|
if (!empty($local_ip)) {
|
|
62
|
log_error("rc.kill_states: Removing states for IP {$local_ip}/{$subnet_bits}");
|
|
63
|
$filter = array(
|
|
64
|
array('interface' => $interface),
|
|
65
|
array('filter' => $local_ip)
|
|
66
|
);
|
|
67
|
$states = pfSense_get_pf_states($filter);
|
|
68
|
$cleared_states = array();
|
|
69
|
foreach ($states as $state) {
|
|
70
|
/* Locate and kill states for sources that NAT out through $local_ip */
|
|
71
|
list($src, $srcport) = explode(":", $state['src']);
|
|
72
|
list($dst, $dstport) = explode(":", $state['dst']);
|
|
73
|
list($osrc, $osrcport) = explode(":", $state['src-orig']);
|
|
74
|
/* If the local IP address isn't the source, or if this isn't
|
|
75
|
* a NAT state, or if we've already cleared this, skip it. */
|
|
76
|
if (($src != $local_ip) ||
|
|
77
|
empty($state['src-orig']) ||
|
|
78
|
in_array("{$osrc},{$dst}", $cleared_states)) {
|
|
79
|
continue;
|
|
80
|
}
|
|
81
|
|
|
82
|
$cleared_states[] = "{$osrc},{$dst}";
|
|
83
|
pfSense_kill_states(utf8_encode($osrc), utf8_encode($dst));
|
|
84
|
}
|
|
85
|
pfSense_kill_states("0.0.0.0/0", utf8_encode("{$local_ip}/{$subnet_bits}"));
|
|
86
|
pfSense_kill_states(utf8_encode("{$local_ip}/{$subnet_bits}"));
|
|
87
|
pfSense_kill_srcstates(utf8_encode("{$local_ip}/{$subnet_bits}"));
|
|
88
|
}
|
|
89
|
log_error("rc.kill_states: Removing states for interface {$interface}");
|
|
90
|
mwexec("/sbin/pfctl -i {$interface} -Fs", true);
|
|
91
|
}
|