Revision ab3ebf88
Added by Ermal LUÇI about 15 years ago
| etc/inc/filter.inc | ||
|---|---|---|
| 149 | 149 |
|
| 150 | 150 |
/* reload filter sync */ |
| 151 | 151 |
function filter_configure_sync() {
|
| 152 |
global $config, $g, $after_filter_configure_run, $FilterIflist, $GatewaysList, $GatewayGroupsList;
|
|
| 152 |
global $config, $g, $after_filter_configure_run, $FilterIflist; |
|
| 153 | 153 |
global $time_based_rules, $filterdns; |
| 154 | 154 |
|
| 155 | 155 |
/* Use config lock to not allow recursion and config changes during this run. */ |
| ... | ... | |
| 171 | 171 |
if($g['booting'] == true) |
| 172 | 172 |
echo "Configuring firewall"; |
| 173 | 173 |
|
| 174 |
/* Lookup Gateways to be used in filter rules once */ |
|
| 175 |
$GatewaysList = return_gateways_array(); |
|
| 176 |
$GatewayGroupsList = return_gateway_groups_array(); |
|
| 177 |
|
|
| 178 | 174 |
/* generate aliases */ |
| 179 | 175 |
if($g['booting'] == true) |
| 180 | 176 |
echo "."; |
| 181 | 177 |
update_filter_reload_status("Creating aliases");
|
| 182 | 178 |
$aliases = filter_generate_aliases(); |
| 183 |
/* generate nat rules */
|
|
| 179 |
$gateways = filter_generate_gateways();
|
|
| 184 | 180 |
if($g['booting'] == true) |
| 185 | 181 |
echo "."; |
| 186 | 182 |
update_filter_reload_status("Generating NAT rules");
|
| 183 |
/* generate nat rules */ |
|
| 187 | 184 |
$natrules = filter_nat_rules_generate(); |
| 188 |
/* generate pfctl rules */ |
|
| 189 | 185 |
if($g['booting'] == true) |
| 190 | 186 |
echo "."; |
| 191 | 187 |
update_filter_reload_status("Generating filter rules");
|
| 188 |
/* generate pfctl rules */ |
|
| 192 | 189 |
$pfrules = filter_rules_generate(); |
| 193 | 190 |
/* generate altq, limiter */ |
| 194 | 191 |
if($g['booting'] == true) |
| ... | ... | |
| 221 | 218 |
|
| 222 | 219 |
$rules = ""; |
| 223 | 220 |
$rules .= "{$aliases} \n";
|
| 221 |
$rules .= "{$gateways} \n";
|
|
| 224 | 222 |
update_filter_reload_status("Setting up logging information");
|
| 225 | 223 |
$rules .= filter_setup_logging_interfaces(); |
| 226 | 224 |
if($config['system']['optimization'] <> "") {
|
| ... | ... | |
| 532 | 530 |
return $result; |
| 533 | 531 |
} |
| 534 | 532 |
|
| 533 |
function filter_generate_gateways() {
|
|
| 534 |
global $config, $g; |
|
| 535 |
|
|
| 536 |
$rules = "# Gateways\n"; |
|
| 537 |
|
|
| 538 |
update_filter_reload_status("Creating gateway group item...");
|
|
| 539 |
|
|
| 540 |
/* Lookup Gateways to be used in filter rules once */ |
|
| 541 |
$GatewaysList = return_gateways_array(); |
|
| 542 |
$GatewayGroupsList = return_gateway_groups_array(); |
|
| 543 |
|
|
| 544 |
if (is_array($GatewaysList)) {
|
|
| 545 |
foreach ($GatewaysList as $gwname => $gateway) {
|
|
| 546 |
$int = $gateway['interface']; |
|
| 547 |
$gwip = $gateway['gateway']; |
|
| 548 |
if (!is_ipaddr($gwip)) |
|
| 549 |
$gwip = get_interface_gateway($gateway['friendlyiface']); |
|
| 550 |
if (is_ipaddr($gwip) && !empty($int)) |
|
| 551 |
$rules .= "{$gwname} = \" route-to ( {$int} {$gwip} ) \"\n";
|
|
| 552 |
} |
|
| 553 |
} |
|
| 554 |
|
|
| 555 |
if(is_array($GatewayGroupsList)) {
|
|
| 556 |
foreach ($GatewayGroupsList as $gateway => $members) {
|
|
| 557 |
if (count($members) > 0) {
|
|
| 558 |
$foundlb = 0; |
|
| 559 |
$routeto = ""; |
|
| 560 |
foreach($members as $idx => $member) {
|
|
| 561 |
$int = $member['int']; |
|
| 562 |
$gatewayip = $member['gwip']; |
|
| 563 |
if (($int <> "") && is_ipaddr($gatewayip)) {
|
|
| 564 |
if ($g['debug']) |
|
| 565 |
log_error("Setting up route with {$gatewayip} om $int");
|
|
| 566 |
if ($idx > 1) |
|
| 567 |
$routeto .= ", "; |
|
| 568 |
$routeto .= "( {$int} {$gatewayip} ) ";
|
|
| 569 |
$foundlb = 1; |
|
| 570 |
} else |
|
| 571 |
log_error("An error occurred while trying to find the interface got $gatewayip . The rule has not been added.");
|
|
| 572 |
} |
|
| 573 |
if ($foundlb > 0) {
|
|
| 574 |
$route = " route-to { {$routeto} } ";
|
|
| 575 |
if ($idx > 1) {
|
|
| 576 |
$route .= " round-robin "; |
|
| 577 |
if (isset($config['system']['lb_use_sticky'])) |
|
| 578 |
$route .= " sticky-address "; |
|
| 579 |
} |
|
| 580 |
$rules .= "{$gateway} = \" {$route} \"\n";
|
|
| 581 |
} |
|
| 582 |
} |
|
| 583 |
} |
|
| 584 |
} |
|
| 585 |
|
|
| 586 |
$rules .= "\n"; |
|
| 587 |
|
|
| 588 |
return $rules; |
|
| 589 |
} |
|
| 590 |
|
|
| 535 | 591 |
/* returns space separated list of vpn subnets */ |
| 536 | 592 |
function filter_get_vpns_list() {
|
| 537 | 593 |
global $config; |
| ... | ... | |
| 1347 | 1403 |
} |
| 1348 | 1404 |
|
| 1349 | 1405 |
function filter_generate_user_rule($rule) {
|
| 1350 |
global $config, $g, $FilterIflist, $GatewaysList, $GatewayGroupsList;
|
|
| 1406 |
global $config, $g, $FilterIflist; |
|
| 1351 | 1407 |
global $layer7_rules_list; |
| 1352 | 1408 |
|
| 1353 | 1409 |
if(isset($config['system']['developerspew'])) {
|
| ... | ... | |
| 1437 | 1493 |
} |
| 1438 | 1494 |
/* if user has selected a custom gateway, lets work with it */ |
| 1439 | 1495 |
else if($rule['gateway'] <> "") {
|
| 1440 |
$foundlb = 0; |
|
| 1441 |
$routeto = " route-to { ";
|
|
| 1442 |
update_filter_reload_status("Creating gateway group item...");
|
|
| 1443 |
if(is_array($GatewayGroupsList[$rule['gateway']])) {
|
|
| 1444 |
$gateway = $rule['gateway']; |
|
| 1445 |
$members = $GatewayGroupsList[$rule['gateway']]; |
|
| 1446 |
$member_count = count($members); |
|
| 1447 |
foreach($members as $member) {
|
|
| 1448 |
$int = $member['int']; |
|
| 1449 |
$gatewayip = $member['gwip']; |
|
| 1450 |
if(($int <> "") && is_ipaddr($gatewayip)) {
|
|
| 1451 |
if($g['debug']) |
|
| 1452 |
log_error("Setting up route with {$gatewayip} om $int");
|
|
| 1453 |
if($foundlb == 1) |
|
| 1454 |
$routeto .= ", "; |
|
| 1455 |
$routeto .= "( {$int} {$gatewayip} ) ";
|
|
| 1456 |
$foundlb = 1; |
|
| 1457 |
} else {
|
|
| 1458 |
log_error("An error occurred while trying to find the interface got $gatewayip . The rule has not been added.");
|
|
| 1459 |
} |
|
| 1460 |
} |
|
| 1461 |
/* If we want failover just use route-to else round-robin */ |
|
| 1462 |
if($member_count == 1) {
|
|
| 1463 |
$routeto .= "} "; |
|
| 1464 |
} else {
|
|
| 1465 |
$routeto .= "} round-robin "; |
|
| 1466 |
if(isset($config['system']['lb_use_sticky'])) |
|
| 1467 |
$routeto .= " sticky-address "; |
|
| 1468 |
} |
|
| 1469 |
} |
|
| 1470 | 1496 |
/* Add the load balanced gateways */ |
| 1471 |
if($foundlb == 1) |
|
| 1472 |
$aline['route'] = $routeto; |
|
| 1473 |
|
|
| 1474 |
/* we're not using load balancing, just setup gateway */ |
|
| 1475 |
else if($foundlb == 0) {
|
|
| 1476 |
$gateway = $rule['gateway']; |
|
| 1477 |
if(!is_ipaddr($gateway)) {
|
|
| 1478 |
$gwip = $GatewaysList[$gateway]['gateway']; |
|
| 1479 |
if($GatewaysList[$gateway]['interface']) |
|
| 1480 |
$int = $GatewaysList[$gateway]['interface']; |
|
| 1481 |
else |
|
| 1482 |
$int = ""; |
|
| 1483 |
} else {
|
|
| 1484 |
$gwip = $gateway; |
|
| 1485 |
$int = guess_interface_from_ip($gwip); |
|
| 1486 |
} |
|
| 1487 |
if((is_ipaddr($gwip)) && ($int <> "")) {
|
|
| 1488 |
$aline['route'] = " route-to ( {$int} {$gwip} ) ";
|
|
| 1489 |
} else {
|
|
| 1490 |
log_error("Could not find gateway ({$rule['gateway']}) for rule {$rule['descr']} - {$rule['interface']}.");
|
|
| 1491 |
} |
|
| 1492 |
} |
|
| 1497 |
$aline['route'] = " \${$rule['gateway']} ";
|
|
| 1493 | 1498 |
} |
| 1494 | 1499 |
|
| 1495 | 1500 |
if(isset($rule['protocol'])) {
|
| ... | ... | |
| 2337 | 2342 |
|
| 2338 | 2343 |
/* Generate IPSEC Filter Items */ |
| 2339 | 2344 |
function filter_generate_ipsec_rules() {
|
| 2340 |
global $config, $g, $FilterIflist, $GatewaysList;
|
|
| 2345 |
global $config, $g, $FilterIflist; |
|
| 2341 | 2346 |
|
| 2342 | 2347 |
if(isset($config['system']['developerspew'])) {
|
| 2343 | 2348 |
$mt = microtime(); |
Also available in: Unified diff
Generate gateways as macros and then just substitute them during the rules. This allows optimizations and features as repeating the same gateway more than one to be done.