/ - Diff - pfSense - pfSense bugtracker

« Previous | Next »

Revision 60120e37

Added by Ermal Luçi over 16 years ago

ID 60120e37425e3e0147bbc3a0cfe010c124ba0df6
Parent 6dc3a5c2
Child f3c8bd98

Convert schedules to pf(4).
This allows to schedule the whole feature of the rules like queues/limiters/gateways/blocks/allows/etc...
Whitespace cleaning on filter.inc
Move schedule backend logic from pfsense-utils.inc to filter.inc and prefix with filter_.
Small bugfixes here and there.

     		update_filter_reload_status("Plugins completed.");
+    	}
     	/* if time based rules are enabled then swap in the set */
     	if($time_based_rules == true) {
     		tdr_install_cron(true);
     		tdr_install_set();
     	} else {
     		tdr_install_cron(false);
+    	}
     	if ($time_based_rules == true)
     		filter_tdr_install_cron(true);
     	else
     		filter_tdr_install_cron(false);
     	/*
     	 *	we need a way to let a user run a shell cmd after each
     	 *	filter_configure() call.  run this xml command after
-...
     	 */
     	if($config['system']['afterfilterchangeshellcmd'] <> "")
     		mwexec($config['system']['afterfilterchangeshellcmd']);
     	/* sync carp entries to other firewalls */
     	update_filter_reload_status("Syncing CARP data");
     	carp_sync_client();
     	if ($g['booting'] == true)
     				echo ".";
     		echo ".";
     	system_routing_configure();
     	find_dns_aliases();
     	update_filter_reload_status("Done");
     	if ($g['booting'] == true)
     		echo "done.\n";
     	return 0;
+    }
-...
     		/* we're not using load balancing, just setup gateway */
     		else if($foundlb == 0) {
     			$gateway = $rule['gateway'];
     			if(!is_ipaddr($gateway)) {
     			if (!is_ipaddr($gateway)) {
     				$gwip = $GatewaysList[$gateway]['gateway'];
     				if ($GatewaysList[$gateway]['interface'])
     					$int = $GatewaysList[$gateway]['interface'];
-...
+    	}
     	if (isset($rule['protocol'])) {
     		if($rule['protocol'] == "tcp/udp")
     		if ($rule['protocol'] == "tcp/udp")
     			$aline['prot'] = " proto { tcp udp } ";
     		elseif($rule['protocol'] == "icmp")
     		elseif ($rule['protocol'] == "icmp")
     			$aline['prot'] = " inet proto icmp ";
     		else
     			$aline['prot'] = " proto {$rule['protocol']} ";
     	} else {
     		if($rule['source']['port'] <> "" || $rule['destination']['port'] <> "")
     		if ($rule['source']['port'] <> "" || $rule['destination']['port'] <> "")
     			$aline['prot'] = " proto tcp ";
+    	}
     	update_filter_reload_status("Creating rule {$rule['descr']}");
-...
     		else
     			$dst = "{ {$not} {$expdst} }";
+    	}
     	if (!$dst || ($dst == "/")) {
     	if (!$dst || ($dst == "/"))
     		return "# returning at dst $dst == \"/\"";
+    	}
     	$aline['dst'] = "to $dst ";
     	if (in_array($rule['protocol'], array("tcp","udp","tcp/udp"))) {
     		if ($rule['destination']['port']) {
-...
     		$l7_structures = $l7rule->get_unique_structures();
     		$aline['divert'] = "divert " . $l7rule->GetRPort() . " ";
+    	}
     	if (($rule['protocol'] == "icmp") && $rule['icmptype']) {
     	if (($rule['protocol'] == "icmp") && $rule['icmptype'])
     		$aline['icmp-type'] = "icmp-type {$rule['icmptype']} ";
+    	}
     	if (!empty($rule['tag']))
     		$aline['tag'] = " tag " .$rule['tag']. " ";
     	if (!empty($rule['tagged']))
-...
     			if($rule['protocol'] == "tcp")
     				$aline['flags'] = "flags S/SA ";
     		/*
     			# keep state
     				works with TCP, UDP, and ICMP.
     			# modulate state
     				works only with TCP. pfSense will generate strong Initial Sequence Numbers (ISNs)
     				for packets matching this rule.
     			# synproxy state
     				proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods.
     				This option includes the functionality of keep state and modulate state combined.
     			# none
     				do not use state mechanisms to keep track. this is only useful if your doing advanced
     				queueing in certain situations. please check the faq.
     		*/
     		 *	# keep state
     		 *		works with TCP, UDP, and ICMP.
     		 *	# modulate state
     		 *		works only with TCP. pfSense will generate strong Initial Sequence Numbers (ISNs)
     		 *		for packets matching this rule.
     		 *	# synproxy state
     		 *		proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods.
     		 *		This option includes the functionality of keep state and modulate state combined.
     		 *	# none
     		 *		do not use state mechanisms to keep track. this is only useful if your doing advanced
     		 *		queueing in certain situations. please check the faq.
     		 */
     		$noadvoptions = false;
     		if (isset($rule['statetype']) && $rule['statetype'] <> "") {
     			switch($rule['statetype']) {
-...
     				default:
     					$aline['flags'] = "{$rule['statetype']} ";
+    			}
     		} else {
     		} else
     			$aline['flags'] = "keep state ";
+    		}
     		if($noadvoptions == false || $l7_present)
     		if ($noadvoptions == false || $l7_present)
     			if( isset($rule['source-track']) and $rule['source-track'] <> "" or
     			  isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "" or
     			   isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> "" or
     				isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "" or
     				isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> "" or
     				isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "" or
     				 isset($rule['max-src-states']) and $rule['max-src-states'] <> "" or
     				  isset($rule['statetimeout']) and $rule['statetimeout'] <> "" or
     				   isset($rule['l7container']) and $rule['l7container'] != "none") {
     				isset($rule['max-src-states']) and $rule['max-src-states'] <> "" or
     				isset($rule['statetimeout']) and $rule['statetimeout'] <> "" or
     				isset($rule['l7container']) and $rule['l7container'] != "none") {
     					$aline['flags'] .= "( ";
     					if(isset($rule['source-track']) and $rule['source-track'] <> "")
     						$aline['flags'] .= "source-track rule ";
-...
     					$aline['flags'] .= " ) ";
+    				}
+    	}
     		if ($type == "reject" && $rule['protocol'] == "tcp") {
     			/* special reject packet */
     			$aline['flags'] .= "flags S/SA ";
+    		}
     		if ($type == "pass") {
     			if ($rule['defaultqueue'] <> "") {
     				$aline['queue'] = " queue (".$rule['defaultqueue'];
     				if ($rule['ackqueue'] <> "")
     					$aline['queue'] .= ",".$rule['ackqueue'];
     				$aline['queue'] .= ") ";
+    			}
     			if ($rule['dnpipe'] <> "") {
     				if ($rule['dnpipe'][0] == "?") {
     					$aline['dnpipe'] = " dnqueue( ";
     					$aline['dnpipe'] .= substr($rule['dnpipe'],1);
     					if ($rule['pdnpipe'] <> "")
     						$aline['dnpipe'] .= ",".substr($rule['pdnpipe'], 1);
     				} else {
     					$aline['dnpipe'] = " dnpipe ( " . $rule['dnpipe'];
     					if ($rule['pdnpipe'] <> "")
     						$aline['dnpipe'] .= ", " . $rule['pdnpipe'];
+    				}
     				$aline['dnpipe'] .= ") ";
+    			}
     	if ($type == "reject" && $rule['protocol'] == "tcp") {
     		/* special reject packet */
     		$aline['flags'] .= "flags S/SA ";
+    	}
     	if ($type == "pass") {
     		if ($rule['defaultqueue'] <> "") {
     			$aline['queue'] = " queue (".$rule['defaultqueue'];
     			if ($rule['ackqueue'] <> "")
     				$aline['queue'] .= ",".$rule['ackqueue'];
     			$aline['queue'] .= ") ";
+    		}
     		/* cache entries */
     		if (isset($src_table))
     			if (isset($table_cache[$src_table])) {
     				if ($g['debug'])
     					echo "{$src_table} found in cache\n";
     			} else {
     				if ($g['debug'])
     					echo "{$src_table} NOT found in cache...adding\n";
     				$table_cache[$src_table] = $src_table_line;
+    			}
     		if (isset($dst_table))
     			if (isset($table_cache[$dst_table])) {
     				if ($g['debug'])
     					echo "{$dst_table} found in cache\n";
     		if ($rule['dnpipe'] <> "") {
     			if ($rule['dnpipe'][0] == "?") {
     				$aline['dnpipe'] = " dnqueue( ";
     				$aline['dnpipe'] .= substr($rule['dnpipe'],1);
     				if ($rule['pdnpipe'] <> "")
     					$aline['dnpipe'] .= ",".substr($rule['pdnpipe'], 1);
     			} else {
     				if ($g['debug'])
     					echo "{$dst_table} NOT found in cache...adding\n";
     				$table_cache[$dst_table] = $dst_table_line;
     				$aline['dnpipe'] = " dnpipe ( " . $rule['dnpipe'];
     				if ($rule['pdnpipe'] <> "")
     					$aline['dnpipe'] .= ", " . $rule['pdnpipe'];
+    			}
     		/* exception(s) to a user rules can go here. */
     		/* rules with a gateway or pool should create another rule for routing to local networks or vpns */
     		/* we only trigger this for a rule with the destination of any and without a gateway */
     		if (($aline['route'] <> "") && (trim($aline['type']) == "pass") && (trim($dst) == "any")) {
     			/* negate VPN/PPTP/PPPoE networks for load balancer/gateway rules */
     			$vpns = " to <vpns> ";
     			$line .= $aline['type'] . $aline['direction'] . $aline['log'] . $aline['quick'] . $aline['interface'] . $aline['prot'] .
     				$aline['src'] . $aline['srcport'] . $aline['os'] . $vpns . $aline['dstport'].
     				$aline['icmp-type'] . $aline['tag'] . $aline['tagged'] . $aline['dscp'] . $aline['allowopts'] . $aline['flags'].
     				$aline['queue'] . $aline['dnpipe'] .
     				" label \"NEGATE_ROUTE: Negate policy route for local network(s)\"\n";
     			/* negate directly connected networks for load balancer/gateway rules */
     			$direct_networks = " to <direct_networks> ";
     			$line .= $aline['type'] . $aline['direction'] . $aline['log'] . $aline['quick'] . $aline['interface'] . $aline['prot'] .
     				$aline['src'] . $aline['srcport'] . $aline['os'] . $direct_networks . $aline['dstport'].
     				$aline['icmp-type'] . $aline['tag'] . $aline['tagged'] . $aline['dscp'] . $aline['allowopts'] .
     				$aline['flags'] . $aline['queue'] . $aline['dnpipe'] .
     				" label \"NEGATE_ROUTE: Negate policy route for local network(s)\"\n";
     			$aline['dnpipe'] .= ") ";
+    		}
     		/* piece together the actual user rule */
     		$line .= $aline['type'] . $aline['direction'] . $aline['log'] . $aline['quick'] . $aline['interface'] . $aline['reply'] .
     			$aline['route'] . $aline['prot'] . $aline['src'] . $aline['srcport'] . $aline['os'] . $aline['dst'] .
     			$aline['dstport'] . $aline['divert'] . $aline['icmp-type'] . $aline['tag'] . $aline['tagged'] . $aline['dscp'] .
     			$aline['allowopts'] . $aline['flags'] . $aline['queue'] . $aline['dnpipe'];
     		/* is a time based rule schedule attached? */
     		if(!empty($rule['sched'])) {
     			if($config['schedules']) {
     				$foundsched = false;
     				foreach($config['schedules']['schedule'] as $sched) {
     					if($sched['name'] == $rule['sched']) {
     						$status = get_time_based_rule_status($schedule_xml_block);
     						$foundsched = true;
     						break;
+    					}
+    				}
     				if ($foundsched == false)
     					return $line;
     			} else
     				return $line;
     			if($status) {
     				if($g['debug'])
     					log_error("[TDR DEBUG] status true -- rule type '$type'");
     				if($type == "block") {
     					// active deny rules should deny
     					$ipfw_rule = tdr_create_ipfw_rule($rule, "deny");
     					tdr_install_rule($ipfw_rule);
     				} else {
     					// active allow rules should allow
     					$ipfw_rule = tdr_create_ipfw_rule($rule, "allow");
     					tdr_install_rule($ipfw_rule);
+    				}
     				return "$line";
     			} else {
     				/*	 rule is turned off, if type == pass, deny traffic until
     				 *	 active else allow traffic until active
     				 */
     				if($type == "pass") {
     					// inactive pass rules should deny
     					$ipfw_rule = tdr_create_ipfw_rule($rule, "deny");
     					tdr_install_rule($ipfw_rule);
     				} else {
     					// inactive block rules should skipto
     					$ipfw_rule = tdr_create_ipfw_rule($rule, "skipto");
     					tdr_install_rule($ipfw_rule);
+    				}
     				return "# $line";
+    			}
+    		}
+    	}
     	/* cache entries */
     	if (isset($src_table))
     		if (isset($table_cache[$src_table])) {
     			if ($g['debug'])
     				echo "{$src_table} found in cache\n";
     		} else {
     			if ($g['debug'])
     				echo "{$src_table} NOT found in cache...adding\n";
     			$table_cache[$src_table] = $src_table_line;
+    		}
     	if (isset($dst_table))
     		if (isset($table_cache[$dst_table])) {
     			if ($g['debug'])
     				echo "{$dst_table} found in cache\n";
     		} else {
     			if ($g['debug'])
     				echo "{$dst_table} NOT found in cache...adding\n";
     			$table_cache[$dst_table] = $dst_table_line;
+    		}
     	/* is a time based rule schedule attached? */
             if(!empty($rule['sched']) && !empty($config['schedules'])) {
     		$aline['schedlabel'] = "";
                     foreach ($config['schedules']['schedule'] as $sched) {
                             if ($sched['name'] == $rule['sched']) {
                                     if (!filter_get_time_based_rule_status($sched)) {
                                             mwexec("/sbin/pfctl -y \"{$sched['schedlabel']}\"");
                                             $line = "# schedule finished - {$rule}";
                                     } else if ($g['debug'])
                                             log_error("[TDR DEBUG] status true -- rule type '$type'");
     				$aline['schedlabel'] = " schedule \"{$sched['schedlabel']}\" ";
                                     break;
+                            }
+                    }
+            }
     		return $line;
     	/* exception(s) to a user rules can go here. */
     	/* rules with a gateway or pool should create another rule for routing to vpns */
     	if (($aline['route'] <> "") && (trim($aline['type']) == "pass") && (trim($dst) == "any")) {
     		/* negate VPN/PPTP/PPPoE networks for load balancer/gateway rules */
     		$vpns = " to <vpns> ";
     		$line .= $aline['type'] . $aline['direction'] . $aline['log'] . $aline['quick'] .
     			$aline['interface'] . $aline['prot'] . $aline['src'] . $aline['srcport'] .
     			$aline['os'] . $vpns . $aline['dstport'] . $aline['icmp-type'] . $aline['tag'] .
     			$aline['tagged'] . $aline['dscp'] . $aline['allowopts'] . $aline['flags'] .
     			$aline['queue'] . $aline['dnpipe'] . $aline['schedlabel'] .
     			" label \"NEGATE_ROUTE: Negate policy route for vpn(s)\"\n";
+    	}
     	/* piece together the actual user rule */
     	$line .= $aline['type'] . $aline['direction'] . $aline['log'] . $aline['quick'] . $aline['interface'] .
     		$aline['reply'] . $aline['route'] . $aline['prot'] . $aline['src'] . $aline['srcport'] .
     		$aline['os'] . $aline['dst'] . $aline['dstport'] . $aline['divert'] . $aline['icmp-type'] .
     		$aline['tag'] . $aline['tagged'] . $aline['dscp'] .  $aline['allowopts'] . $aline['flags'] .
     		$aline['queue'] . $aline['dnpipe'] . $aline['schedlabel'];
     	return $line;
+    }
     function filter_rules_generate()
-...
     EOD;
             if(!isset($config['system']['ipv6allow'])) {
             if (!isset($config['system']['ipv6allow'])) {
                     $ipfrules .= "# Block all IPv6\n";
                     $ipfrules .= "block in quick inet6 all\n";
                     $ipfrules .= "block out quick inet6 all\n";
-...
     EOD;
     	if (isset($config['filter']['rule'])) {
     		$load_ipfw_module = false;
     		/* Pre-cache all our rules so we only have to generate them once */
     		$rule_arr1 = array();
     		$rule_arr2 = array();
-...
     					$rule_arr2[] = generate_user_filter_rule_arr($rule);
+    				}
     				if ($rule['sched'])
     					$load_ipfw_module = true;
     					$time_based_rules = true;
+    			}
+    		}
     		$rule_arr = array_merge($rule_arr1,$rule_arr2);
     		/*
     		 * check to see if any rules reference a schedule
     		 * or if CP is enabled
     		 * check to see if CP is enabled
     		 * and if so load ipfw for later usage.
     		 */
     		if (isset($config['captiveportal']['enable']) && isset($config['interfaces'][$config['captiveportal']['interface']]['enable'])) {
     			$load_ipfw_module = true;
+    		}
     		if ($load_ipfw_module == true) {
     			filter_load_ipfw();
     			$time_based_rules = true;
     			exec("/sbin/ipfw delete set 9");
     			exec("/sbin/ipfw delete 2");
     			exec("/sbin/ipfw delete 3");
     			mwexec("/sbin/ipfw delete set 3");
     			mwexec("/sbin/ipfw delete set 2");
+    		}
     		$ipfrules .= "\n# User-defined aliases follow\n";
     		/* tables for aliases */
-...
     	return $ipfrules;
+    }
     /****f* filter/filter_tdr_install_cron
      * NAME
      *   filter_tdr_install_cron
      * INPUTS
      *   $should_install true if the cron entry should be installed, false
      *   if the entry should be removed if it is present
      * RESULT
      *   none
      ******/
     function filter_tdr_install_cron($should_install) {
             global $config, $g;
             if ($g['booting']==true)
                     return;
             $is_installed = false;
             if(!$config['cron']['item'])
                     return;
             $x=0;
             foreach($config['cron']['item'] as $item) {
                     if (strstr($item['command'], "filter_configure_sync")) {
                             $is_installed = true;
                             break;
+                    }
                     $x++;
+            }
             switch($should_install) {
                     case true:
                             if(!$is_installed) {
                                     $cron_item = array();
                                     $cron_item['minute'] = "0,15,30,45";
                                     $cron_item['hour'] = "*";
                                     $cron_item['mday'] = "*";
                                     $cron_item['month'] = "*";
                                     $cron_item['wday'] = "*";
                                     $cron_item['who'] = "root";
                                     $cron_item['command'] = "/etc/rc.filter_configure_sync";
                                     $config['cron']['item'][] = $cron_item;
                                     write_config("Installed 15 minute filter reload for Time Based Rules");
                                     configure_cron();
+                            }
                     break;
                     case false:
                             if($is_installed == true) {
                                     if($x > 0) {
                                             unset($config['cron']['item'][$x]);
                                             write_config();
+                                    }
                                     configure_cron();
+                            }
                     break;
+            }
+    }
     /****f* filter/filter_get_time_based_rule_status
      * NAME
      *   filter_get_time_based_rule_status
      * INPUTS
      *   xml schedule block
      * RESULT
      *   true/false - true if the rule should be installed
      ******/
     /*
      <schedules>
        <schedule>
          <name>ScheduleMultipleTime</name>
          <descr>main descr</descr>
          <time>
            <position>0,1,2</position>
            <hour>0:0-24:0</hour>
            <desc>time range 2</desc>
          </time>
          <time>
            <position>4,5,6</position>
            <hour>0:0-24:0</hour>
            <desc>time range 1</desc>
          </time>
        </schedule>
      </schedules>
     */
     function filter_get_time_based_rule_status($schedule) {
             $should_add_rule = false;
             /* no schedule? rule should be installed */
             if (empty($schedule))
                     return true;
             /*
              * iterate through time blocks and deterimine
              * if the rule should be installed or not.
              */
             foreach($schedule['timerange'] as $timeday) {
                     if($timeday['month'])
                             $month = $timeday['month'];
                     else
                             $week = "";
                     if($timeday['day'])
                             $day = $timeday['day'];
                     else
                             $day = "";
                     if($timeday['hour'])
                             $hour = $timeday['hour'];
                     else
                             $hour = "";
                     if($timeday['position'])
                             $position = $timeday['position'];
                     else
                             $position = "";
                     if($timeday['desc'])
                             $desc = $timeday['desc'];
                     else
                             $desc = "";
                     if($month) {
                             $monthstatus = filter_tdr_month($month);
                     } else {
                             $monthstatus = true;
+                    }
                     if($day) {
                             $daystatus = filter_tdr_day($day);
                     } else {
                             $daystatus = true;
+                    }
                     if($hour) {
                             $hourstatus = filter_tdr_hour($hour);
                     } else {
                             $hourstatus = true;
+                    }
                     if($position) {
                             $positionstatus = filter_tdr_position($position);
                     } else {
                             $positionstatus = true;
+                    }
                     if ($monthstatus == true && $daystatus == true && $positionstatus == true && $hourstatus == true)
     			$should_add_rule = true;
+            }
             return $should_add_rule;
+    }
     function filter_tdr_day($schedule) {
             /*
              * Calculate day of month.
              * IE: 29th of may
              */
             $weekday        = date("w");
             if ($weekday == 0)
                     $weekday = 7;
             $date           = date("d");
             $defined_days = split(",", $schedule);
             log_error("[TDR DEBUG] filter_tdr_day($schedule)");
             foreach($defined_days as $dd) {
                     if($date == $dd)
                             return true;
+            }
             return false;
+    }
     function filter_tdr_hour($schedule) {
             /* $schedule should be a string such as 16:00-19:00 */
             $tmp = split("-", $schedule);
             $starting_time = strtotime($tmp[0]);
             $ending_time = strtotime($tmp[1]);
             $now = strtotime("now");
             log_error("[TDR DEBUG] S: $starting_time E: $ending_time N: $now");
             if ($now >= $starting_time and $now <= $ending_time)
                     return true;
             return false;
+    }
     function filter_tdr_position($schedule) {
             /*
              * Calculate possition, ie: day of week.
              * Sunday = 7, Monday = 1, Tuesday = 2
              * Weds = 3, Thursday = 4, Friday = 5,
              * Saturday = 6
              * ...
              */
             $weekday = date("w");
             log_error("[TDR DEBUG] filter_tdr_position($schedule) $weekday");
             if ($weekday == 0)
                     $weekday = 7;
             $schedule_days = split(",", $schedule);
             foreach($schedule_days as $day) {
                     if ($day == $weekday)
                             return true;
+            }
             return false;
+    }
     function filter_tdr_month($schedule) {
             /*
              * Calculate month
              */
             $todays_month = date("n");
             $months = split(",", $schedule);
             log_error("[TDR DEBUG] filter_tdr_month($schedule)");
             foreach($months as $month) {
                     if ($month == $todays_month)
                             return true;
+            }
             return false;
+    }
     function setup_logging_interfaces()
+    {
     	global $config;
-...
     	foreach ($ifdescrs as $ifdescr => $ifname) {
     		/* do not work with tun interfaces */
     		$int = get_real_interface($ifname);
     		if(stristr($int, "tun") == true)
     			continue;
     		$rules .= "set loginterface {$int}\n";
+    	}
     	return $rules;

     	"product_email" => "coreteam@pfsense.org",
     	"hideplatform" => false,
     	"debug" => false,
     	"latest_config" => "5.8",
     	"latest_config" => "5.9",
     	"nopkg_platforms" => array("cdrom"),
     	"minimum_ram_warning" => "115",
     	"minimum_ram_warning_text" => "128 megabytes",

     	return "/tmp/tmp-" . time();
+    }
     /****f* pfsense-utils/tdr_install_cron
      * NAME
      *   tdr_install_cron
      * INPUTS
      *   $should_install true if the cron entry should be installed, false
      *   if the entry should be removed if it is present
      * RESULT
      *   none
      ******/
     function tdr_install_cron($should_install) {
     	global $config, $g;
     	if($g['booting']==true)
     		return;
     	$is_installed = false;
     	if(!$config['cron']['item'])
     		return;
     	$x=0;
     	foreach($config['cron']['item'] as $item) {
     		if(strstr($item['command'], "filter_configure_sync")) {
     			$is_installed = true;
     			break;
+    		}
     		$x++;
+    	}
     	switch($should_install) {
     		case true:
     			if(!$is_installed) {
     				$cron_item = array();
     				$cron_item['minute'] = "0,15,30,45";
     				$cron_item['hour'] = "*";
     				$cron_item['mday'] = "*";
     				$cron_item['month'] = "*";
     				$cron_item['wday'] = "*";
     				$cron_item['who'] = "root";
     				$cron_item['command'] = "/etc/rc.filter_configure_sync";
     				$config['cron']['item'][] = $cron_item;
     				write_config("Installed 15 minute filter reload for Time Based Rules");
     				configure_cron();
+    			}
     		break;
     		case false:
     			if($is_installed == true) {
     				if($x > 0) {
     					unset($config['cron']['item'][$x]);
     					write_config();
+    				}
     				configure_cron();
+    			}
     		break;
+    	}
+    }
     /****f* pfsense-utils/tdr_create_ipfw_rule
      * NAME
      *   tdr_create_ipfw_rule
      * INPUTS
      *   $rule xml firewall rule array, $type allow or deny
      * RESULT
      *   text string with ipfw rule already formatted
      ******/
     function tdr_create_ipfw_rule($rule, $type) {
     	global $config, $g, $tdr_get_next_ipfw_rule, $FilterIflist;
     	if (isset($rule['disabled']))
     		return "";
     	$int = "";
     	/* Check to see if the interface is in our list */
     	if (isset($rule['floating'])) {
     		if (isset($rule['interface']) && $rule['interface'] <> "")
     			$aline['interface'] = "multiple"; /* XXX */
     		else
     			$aline['interface'] = "";
     	} else if (!array_key_exists($rule['interface'], $FilterIflist))
     			return "# {$rule['interface']} does not exist or is disabled for " . $rule['descr'];
     	else {
     		if ($rule['interface'] == "pptp" || $rule['interface'] == "pppoe" || $rule['interface'] == "l2tp")
     			$aline['interface'] = "ng*";
     		else
     			$aline['interface'] = " " . $FilterIflist[$rule['interface']]['if'] . " ";
+    	}
     	$ifcfg = $FilterIflist[$rule['interface']];
     	if ($pptpdcfg['mode'] != "server") {
     		if (($rule['source']['network'] == "pptp") ||
     			($rule['destination']['network'] == "pptp"))
     				return "# source network or destination network == pptp on " . $rule['descr'];
+    	}
     	if ($rule['source']['network'] && strstr($rule['source']['network'], "opt")) {
     		if (!array_key_exists($rule['source']['network'], $FilterIflist)) {
     			$optmatch = "";
     			if (preg_match("/opt([0-999])/", $rule['source']['network'], $optmatch)) {
     				$opt_ip = $FilterIflist["opt{$optmatch[1]}"]['ip'];
     				if(!is_ipaddr($opt_ip))
     					return "# unresolvable optarray $optmatch[0] - $opt_ip";
     			} else {
     				return "# tdr {$rule['source']['network']} !array_key_exists source network " . $rule['descr'];
+    			}
+    		}
+    	}
     	if ($rule['destination']['network'] && strstr($rule['destination']['network'], "opt")) {
     		if (!array_key_exists($rule['destination']['network'], $FilterIflist)) {
     			if(preg_match("/opt([0-999])/", $rule['destination']['network'], $optmatch)) {
     				$opt_ip = $FilterIflist["opt{$optmatch[1]}"]['ip'];
     				if(!is_ipaddr($opt_ip))
     					return "# unresolvable oparray $optmatch[0] - $opt_ip";
     			} else {
     				return "# tdr {$item} {$rule['destination']['network']} !array_key_exists dest network " . $rule['descr'];
+    			}
+    		}
+    	}
     	/* check for unresolvable aliases */
     	if ($rule['source']['address'] && !alias_expand($rule['source']['address'])) {
     		file_notice("Filter_Reload", "# unresolvable source aliases {$rule['descr']}");
     		return "# tdr unresolvable source aliases {$rule['descr']}";
+    	}
     	if ($rule['destination']['address'] && !alias_expand($rule['destination']['address'])) {
     		file_notice("Filter_Reload", "# unresolvable dest aliases {$rule['descr']}");
     		return "# tdr unresolvable dest aliases {$rule['descr']}";
+    	}
     	if (isset($rule['protocol'])) {
     		if($rule['protocol'] == "tcp/udp")
     			$aline['prot'] = "ip ";
     		else if($rule['protocol'] == "icmp")
     			$aline['prot'] = "icmp ";
     		else
     			$aline['prot'] = "{$rule['protocol']} ";
     	} else {
     		if($rule['source']['port'] <> "" || $rule['destination']['port'] <> "")
     			$aline['prot'] = "tcp ";
+    	}
     	/* source address */
     	if (isset($rule['source']['any']))
     		$src = "any";
     	else if ($rule['source']['network']) {
     		if (strstr($rule['source']['network'], "opt")) {
     			$src = $FilterIflist[$rule['source']['network']]['sa'] . "/" .
     				$FilterIflist[$rule['source']['network']]['sn'];
     			if (isset($rule['source']['not']))
     				$src = " not {$src}";
     			/* check for opt$NUMip here */
     			$matches = "";
     			if (preg_match("/opt([0-9999])ip/", $rule['source']['network'], $matches)) {
     				$optnum = $matches[1];
     				$src = $FilterIflist["opt{$optnum}"]['ip'];
+    			}
     		} else {
     			switch ($rule['source']['network']) {
     				case 'wanip':
     					$src = $FilterIflist["wan"]['ip'];
     					break;
     				case 'lanip':
     					$src = $FilterIflist["lan"]['ip'];
     					break;
     				case 'lan':
     					$lansa = $FilterIflist['lan']['sa'];
     					$lansn = $FilterIflist['lan']['sn'];
     					$src = "{$lansa}/{$lansn}";
     					break;
     				case 'pptp':
     					$pptpsa = gen_subnet($FilterIflist['pptp']['ip'], $FilterIflist['pptp']['sn']);
     					$pptpsn = $FilterIflist['pptp']['sn'];
     					$src = "{$pptpsa}/{$pptpsn}";
     					break;
     				case 'pppoe':
     					$pppoesa = gen_subnet($FilterIflist['pppoe']['ip'], $FilterIflist['pppoe']['sn']);
     					$pppoesn = $FilterIflist['pppoe']['sn'];
     					$src = "{$pppoesa}/{$pppoesn}";
     					break;
+    			}
     			if (isset($rule['source']['not']))
     				$src = " not {$src}";
+    		}
     	} else if ($rule['source']['address']) {
     		$expsrc = alias_expand_value($rule['source']['address']);
     		if(!$expsrc)
     			$expsrc = $rule['source']['address'];
     		if (isset($rule['source']['not']))
     			$not = " not";
     		else
     			$not = "";
     		if (alias_expand_value($rule['source']['address'])) {
     			$src = "{";
     			$first_item = true;
     			foreach(preg_split("/[\s]+/", alias_expand_value($rule['source']['address'])) as $item) {
     				if($item != "") {
     					if(!$first_item)
     						$src .= " or";
     						$src .= " {$not}{$item}";
     						$first_item = false;
+    					}
+    				}
     					$src .= " }";
     		} else
     			$src = "{$not}" . $expsrc;
+    	}
     	if (!$src || ($src == "/"))
     		return "# tdr at the break!";
     	$aline['src'] = "from $src ";
     	$srcporta = "";
     	if (in_array($rule['protocol'], array("tcp","udp","tcp/udp"))) {
     		if ($rule['source']['port']) {
     			$srcport = explode("-", $rule['source']['port']);
     			if(alias_expand($srcport[0])) {
     				$first_time = true;
     				foreach(preg_split("/[\s]+/", alias_expand_value($srcport[0])) as $item) {
     					if(!$first_time)
     						$srcporta .= ",";
     					$srcporta .= $item;
     					$first_time = false;
+    				}
     			} else
     				$srcporta = $srcport[0];
     			if ((!$srcport[1]) || ($srcport[0] == $srcport[1])) {
     				if(alias_expand($srcport[0]))
     					$aline['srcport'] = "{$srcporta} ";
     				else
     					$aline['srcport'] = "{$srcporta} ";
     			} else if (($srcport[0] == 1) && ($srcport[1] == 65535)) {
     				/* no need for a port statement here */
     			} else if ($srcport[1] == 65535)
     				$aline['srcport'] = ">={$srcport[0]} ";
     			else if ($srcport[0] == 1)
     				$aline['srcport']= "<={$srcport[1]} ";
     			else
     				$aline['srcport'] = "{$srcport[0]}-{$srcport[1]} ";
+    		}
+    	}
     	/* destination address */
     	if (isset($rule['destination']['any']))
     		$dst = "any";
     	else if ($rule['destination']['network']) {
     		if (strstr($rule['destination']['network'], "opt")) {
     			$dst = $FilterIflist[$rule['destination']['network']]['sa'] . "/" .
     				$FilterIflist[$rule['destination']['network']]['sn'];
     			if (isset($rule['destination']['not']))
     				$dst = " not {$dst}";
     			/* check for opt$NUMip here */
     			$matches = "";
     			if (preg_match("/opt([0-9999])ip/", $rule['destination']['network'], $matches)) {
     				$optnum = $matches[1];
     				$dst = $FilterIflist["opt{$optnum}"]['ip'];
+    			}
     		} else {
     			switch ($rule['source']['network']) {
     				case 'wanip':
     					$dst = $FilterIflist["wan"]['ip'];
     					break;
     				case 'lanip':
     					$dst = $FilterIflist["lan"]['ip'];
     					break;
     				case 'lan':
     					$lansa = $FilterIflist['lan']['sa'];
     					$lansn = $FilterIflist['lan']['sn'];
     					$dst = "{$lansa}/{$lansn}";
     					break;
     				case 'pptp':
     					$pptpsa = gen_subnet($FilterIflist['pptp']['ip'], $FilterIflist['pptp']['sn']);
     					$pptpsn = $FilterIflist['pptp']['sn'];
     					$dst = "{$pptpsa}/{$pptpsn}";
     					break;
     				case 'pppoe':
     					$pppoesa = gen_subnet($FilterIflist['pppoe']['ip'], $FilterIflist['pppoe']['sn']);
     					$pppoesn = $FilterIflist['pppoe']['sn'];
     					$dst = "{$pppoesa}/{$pppoesn}";
     					break;
+    			}
     			if (isset($rule['destination']['not']))
     				$dst = " not {$dst}";
+    		}
     	} else if ($rule['destination']['address']) {
     		$expdst = alias_expand_value($rule['destination']['address']);
     		if(!$expdst)
     			$expdst = $rule['destination']['address'];
     		if (isset($rule['destination']['not']))
     			$not = " not";
     		else
     			$not = "";
     		if (alias_expand_value($rule['destination']['address'])) {
     			$dst = "{";
     			$first_item = true;
     			foreach(preg_split("/[\s]+/", alias_expand_value($rule['destination']['address'])) as $item) {
     				if($item != "") {
     					if(!$first_item)
     						$dst .= " or";
     						$dst .= " {$not}{$item}";
     						$first_item = false;
+    					}
+    				}
     					$dst .= " }";
     		} else
     			$dst = "{$not}" . $expdst;
+    	}
     	if (!$dst || ($dst == "/"))
     		return "# returning at dst $dst == \"/\"";
     	$aline['dst'] = "to $dst ";
     	$dstporta = "";
     	if (in_array($rule['protocol'], array("tcp","udp","tcp/udp"))) {
     		if ($rule['destination']['port']) {
     			$dstport = explode("-", $rule['destination']['port']);
     			if(alias_expand($dstport[0])) {
     				$first_time = true;
     				foreach(preg_split("/[\s]+/", alias_expand_value($dstport[0])) as $item) {
     					if(!$first_time)
     				 		$dstporta .= ",";
     					$dstporta .= $item;
     					$first_time = false;
+    				}
     			} else
     				$dstporta = $dstport[0];
     			if ((!$dstport[1]) || ($dstport[0] == $dstport[1])) {
     				if(alias_expand($dstport[0]))
     					$aline['dstport'] = "{$dstporta} ";
     				else
     					$aline['dstport'] = "{$dstporta} ";
     			} else if (($dstport[0] == 1) && ($dstport[1] == 65535)) {
     				/* no need for a port statement here */
     			} else if ($dstport[1] == 65535)
     				$aline['dstport'] = ">= {$dstport[0]} ";
     			else if ($dstport[0] == 1)
     				$aline['dstport'] = "<= {$dstport[1]} ";
     			else
     				$aline['dstport'] = "{$dstport[0]}-{$dstport[1]} ";
+    		}
+    	}
     	if($aline['prot'] == "")
     		$aline['prot'] = "ip ";
     	tdr_get_next_ipfw_rule();
      	/* piece together the actual user rule */
     	if($type == "skipto") {
     		$next_rule = tdr_get_next_ipfw_rule();
     		$next_rule = $next_rule+1;
     		$type = "skipto $next_rule";
+    	}
     	/* piece together the actual user rule */
     	if ($aline['interface'] == "multiple") {
     		$tmpline = $type . " " . $aline['prot'] . $aline['src'] .
     			$aline['srcport'] . $aline['dst'] . $aline['dstport'] . " in recv ";
     		$interfaces = explode(",", $rule['interface']);
     		$ifliste = "";
     		foreach ($interfaces as $iface) {
     			if (array_key_exists($iface, $FilterIflist))
     				$line .= "{$tmpline} " . $FilterIflist[$iface]['if'] . "; ";/* XXX */
+    		}
     	} else if ($aline['interface'] == "")
     		$line .= $type . " " . $aline['prot'] . $aline['src'] .
     			$aline['srcport'] . $aline['dst'] . $aline['dstport'] . " in ";
     	else
     		$line .= $type . " " . $aline['prot'] . $aline['src'] .
     			$aline['srcport'] . $aline['dst'] . $aline['dstport'] . " in recv " .
     			$aline['interface'];
     	return $line;
+    }
     /****f* pfsense-utils/tdr_install_rule
      * NAME
      *   tdr_install_rule
      * INPUTS
      *   $rule - ascii string containing the ifpw rule to add
      * RESULT
      *   none
      ******/
     function tdr_install_rule($rule) {
     	global $tdr_next_ipfw_rule, $g;
     	log_error("installing {$rule}");
     	$lines = explode(";", $rule);
     	if (count($lines) > 1) {
     		foreach ($lines as $line) {
     			if ($g['debug'])
     				log_error("Executing /sbin/ipfw -f add {$tdr_next_ipfw_rule} set 9 $line");
     			mwexec("/sbin/ipfw -f add {$tdr_next_ipfw_rule} set 9 $line");
     			$tdr_next_ipfw_rule++;
+    		}
     	} else {
     		if ($g['debug'])
     			log_error("Executing /sbin/ipfw -f add {$tdr_next_ipfw_rule} set 9 $rules");
     		mwexec("/sbin/ipfw -f add $tdr_next_ipfw_rule set 9 $rule");
+    	}
     	$tdr_next_ipfw_rule++;
+    }
     /****f* pfsense-utils/tdr_get_next_ipfw_rule
      * NAME
      *   tdr_get_next_ipfw_rule
      * INPUTS
      *  none
      * RESULT
      *   returns the next available ipfw rule number
      ******/
     function tdr_get_next_ipfw_rule() {
     	global $tdr_next_ipfw_rule;
     	if(intval($tdr_next_ipfw_rule) < 2)
     		$tdr_next_ipfw_rule = 2;
     	return $tdr_next_ipfw_rule;
+     }
     /****f* pfsense-utils/tdr_install_set
      * NAME
      *   tdr_install_set
      * INPUTS
      *  none
      * RESULT
      *   swaps in the temporary ipfw time based rule set
      ******/
     function tdr_install_set() {
     	global $config;
     	mwexec("/sbin/ipfw delete 1");
     	mwexec("/sbin/ipfw add 1 check-state");
     	mwexec("/sbin/ipfw delete 65534");
     	mwexec("/sbin/ipfw add 1 allow all from me to any keep-state");
     	if (!isset ($config['system']['webgui']['noantilockout']) && count($config['interfaces']) > 1) {
     		/* lan ip lockout */
     		$lanip = get_interface_ip("lan");
     		$lansn = get_interface_subnet("lan");
     		$lansa = gen_subnet($lanip, $lansn);
     		mwexec("/sbin/ipfw add 1 allow all from {$lansa}/{$lansn} to $lanip keep-state");
+    	}
     	mwexec("/sbin/ipfw add 65534 check-state");
     	/* set 8 contains time based rules */
     	mwexec("/sbin/ipfw -f delete set 8");
     	mwexec("/sbin/ipfw -f set swap 9 8");
+    }
     /****f* pfsense-utils/get_time_based_rule_status
      * NAME
      *   get_time_based_rule_status
      * INPUTS
      *   xml schedule block
      * RESULT
      *   true/false - true if the rule should be installed
      ******/
     /*
      <schedules>
        <schedule>
          <name>ScheduleMultipleTime</name>
          <descr>main descr</descr>
          <time>
            <position>0,1,2</position>
            <hour>0:0-24:0</hour>
            <desc>time range 2</desc>
          </time>
          <time>
            <position>4,5,6</position>
            <hour>0:0-24:0</hour>
            <desc>time range 1</desc>
          </time>
        </schedule>
      </schedules>
     */
     function get_time_based_rule_status($schedule) {
     	$should_add_rule = false;
     	/* no schedule? rule should be installed */
     	if($schedule == "")
     		return true;
     	/*
     	 * iterate through time blocks and deterimine
     	 * if the rule should be installed or not.
     	 */
     	foreach($schedule['timerange'] as $timeday) {
     		if($timeday['month'])
     			$month = $timeday['month'];
     		else
     			$week = "";
     		if($timeday['day'])
     			$day = $timeday['day'];
     		else
     			$day = "";
     		if($timeday['hour'])
     			$hour = $timeday['hour'];
     		else
     			$hour = "";
     		if($timeday['position'])
     			$position = $timeday['position'];
     		else
     			$position = "";
     		if($timeday['desc'])
     			$desc = $timeday['desc'];
     		else
     			$desc = "";
     		if($month) {
     			$monthstatus = tdr_month($month);
     		} else {
     			$monthstatus = true;
+    		}
     		if($day) {
     			$daystatus = tdr_day($day);
     		} else {
     			$daystatus = true;
+    		}
     		if($hour) {
     			$hourstatus = tdr_hour($hour);
     		} else {
     			$hourstatus = true;
+    		}
     		if($position) {
     			$positionstatus = tdr_position($position);
     		} else {
     			$positionstatus = true;
+    		}
     		if($monthstatus == true)
     			if($daystatus == true)
     				if($positionstatus == true)
     					if($hourstatus == true) {
     						$should_add_rule = true;
+    					}
+    	}
     	return $should_add_rule;
+    }
     function tdr_day($schedule) {
     	/*
     	 * Calculate day of month.
     	 * IE: 29th of may
     	 */
     	$weekday	= date("w");
     	if ($weekday == 0)
     		$weekday = 7;
     	$date	 	= date("d");
     	$defined_days = split(",", $schedule);
     	log_error("[TDR DEBUG] tdr_day($schedule)");
     	foreach($defined_days as $dd) {
     		if($date == $dd) {
     			return true;
+    		}
+    	}
     	return false;
+    }
     function tdr_hour($schedule) {
     	/* $schedule should be a string such as 16:00-19:00 */
     	$tmp = split("-", $schedule);
     	$starting_time = strtotime($tmp[0]);
     	$ending_time = strtotime($tmp[1]);
     	$now = strtotime("now");
     	log_error("[TDR DEBUG] S: $starting_time E: $ending_time N: $now");
     	if($now >= $starting_time and $now <= $ending_time) {
     		return true;
+    	}
     	return false;
+    }
     function tdr_position($schedule) {
     	/*
     	 * Calculate possition, ie: day of week.
     	 * Sunday = 7, Monday = 1, Tuesday = 2
     	 * Weds = 3, Thursday = 4, Friday = 5,
     	 * Saturday = 6
     	 * ...
     	 */
     	$weekday	= date("w");
     	log_error("[TDR DEBUG] tdr_position($schedule) $weekday");
     	if ($weekday == 0)
     		$weekday = 7;
     	$schedule_days = split(",", $schedule);
     	foreach($schedule_days as $day) {
     		if($day == $weekday) {
     			return true;
+    		}
+    	}
     	return false;
+    }
     function tdr_month($schedule) {
     	/*
     	 * Calculate month
     	 */
     	$todays_month = date("n");
     	$months = split(",", $schedule);
     	log_error("[TDR DEBUG] tdr_month($schedule)");
     	foreach($months as $month) {
     		if($month == $todays_month) {
     			return true;
+    		}
+    	}
     	return false;
+    }
     /****f* pfsense-utils/find_number_of_needed_carp_interfaces
      * NAME
      *   find_number_of_needed_carp_interfaces

     		foreach($config['ipsec']['phase2'] as & $ph2ent)
     			$ph2ent['mode'] = 'tunnel';
+    }
     function upgrade_058_to_059() {
     	global $config;
     	if (is_array($config['schedules']['schedule'])) {
     		foreach ($config['schedules']['schedule'] as & $schedl)
     			$schedl['schedlabel'] = uniqid();
+    	}
+    }
     ?>

     					foreach ($a_schedules as $schedule)
+    					{
     						if ($schedule['name'] == $filterent['sched'] ){
     							$schedstatus = get_time_based_rule_status($schedule);
     							$schedstatus = filter_get_time_based_rule_status($schedule);
     							foreach($schedule['timerange'] as $timerange) {
     								$tempFriendlyTime = "";

usr/local/www/firewall_rules_edit.php
979	979	}?>
980	980	</select>
981	981	<p>Leave as 'none' to leave the rule enabled all the time.</p>
982		<strong>NOTE: schedule logic can be a bit different. Click <a target="_new" href='firewall_rules_schedule_logic.php'>here</a> for more information.</strong>
983	982	</td>
984	983	</tr>
985	984

     <pre>
     When working with {$g['product_name']} based schedules, the logic is a bit different from the normal {$g['product_name']} rules.
     For example, the rules are evaluated from top to bottom.
     If you have a pass rule and the rule is outside of the schedule, the traffic will be BLOCKED regardless
     of pass rules that occur after this rule.
     In these cases you will want to change the pass rule to a block style rule to get the needed functionality.
     </pre>

     	<tr>
     	   <td class="listlr" ondblclick="document.location='firewall_schedule_edit.php?id=<?=$i;?>';">
     			<?=htmlspecialchars($schedule['name']);
     			  	 $schedstatus = get_time_based_rule_status($schedule);
     					$schedstatus = filter_get_time_based_rule_status($schedule);
     					 if ($schedstatus) { ?>
     					 	&nbsp;<img src="./themes/<?= $g['theme']; ?>/images/icons/icon_frmfld_time.png" title="Schedule is currently active" width="17" height="17" border="0">
     					 <?php } ?>

     	$pconfig['name'] = $a_schedules[$id]['name'];
     	$pconfig['descr'] = html_entity_decode($a_schedules[$id]['descr']);
     	$pconfig['timerange'] = $a_schedules[$id]['timerange'];
     	$pconfig['schedlabel'] = $a_schedules[$id]['schedlabel'];
     	$getSchedule = true;
+    }
-...
     	if (!$input_errors) {
     		if (!empty($pconfig['schedlabel']))
     			$schedule['schedlabel'] = $pconfig['schedlabel'];
     		else
     			$schedule['schedlabel'] = uniqid();
     		if (isset($id) && $a_schedules[$id]){
     			$a_schedules[$id] = $schedule;
+    		}

Also available in: Unified diff

Project

General

Profile

pfSense

Revision 60120e37

Added by Ermal Luçi over 16 years ago