| 1 |
cb7d18d5
|
Renato Botelho
|
#!/usr/local/bin/php-cgi -f
|
| 2 |
46e27ea7
|
Renato Botelho
|
<?php
|
| 3 |
|
|
/*
|
| 4 |
ea27f316
|
Renato Botelho
|
* rc.kill_states
|
| 5 |
|
|
*
|
| 6 |
ac24dc24
|
Renato Botelho
|
* part of pfSense (https://www.pfsense.org)
|
| 7 |
38809d47
|
Renato Botelho do Couto
|
* Copyright (c) 2004-2013 BSD Perimeter
|
| 8 |
|
|
* Copyright (c) 2013-2016 Electric Sheep Fencing
|
| 9 |
8f2f85c3
|
Luiz Otavio O Souza
|
* Copyright (c) 2014-2022 Rubicon Communications, LLC (Netgate)
|
| 10 |
ac24dc24
|
Renato Botelho
|
* All rights reserved.
|
| 11 |
ea27f316
|
Renato Botelho
|
*
|
| 12 |
b12ea3fb
|
Renato Botelho
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
| 13 |
|
|
* you may not use this file except in compliance with the License.
|
| 14 |
|
|
* You may obtain a copy of the License at
|
| 15 |
ea27f316
|
Renato Botelho
|
*
|
| 16 |
b12ea3fb
|
Renato Botelho
|
* http://www.apache.org/licenses/LICENSE-2.0
|
| 17 |
ea27f316
|
Renato Botelho
|
*
|
| 18 |
b12ea3fb
|
Renato Botelho
|
* Unless required by applicable law or agreed to in writing, software
|
| 19 |
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
| 20 |
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
| 21 |
|
|
* See the License for the specific language governing permissions and
|
| 22 |
|
|
* limitations under the License.
|
| 23 |
ea27f316
|
Renato Botelho
|
*/
|
| 24 |
46e27ea7
|
Renato Botelho
|
|
| 25 |
|
|
/* parse the configuration and include all functions used below */
|
| 26 |
|
|
require_once("globals.inc");
|
| 27 |
|
|
require_once("config.inc");
|
| 28 |
|
|
require_once("interfaces.inc");
|
| 29 |
|
|
require_once("util.inc");
|
| 30 |
|
|
|
| 31 |
|
|
// Do not process while booting
|
| 32 |
086cf944
|
Phil Davis
|
if (platform_booting()) {
|
| 33 |
285ef132
|
Ermal LUÇI
|
return;
|
| 34 |
086cf944
|
Phil Davis
|
}
|
| 35 |
46e27ea7
|
Renato Botelho
|
|
| 36 |
|
|
/* Interface address to cleanup states */
|
| 37 |
|
|
$interface = str_replace("\n", "", $argv[1]);
|
| 38 |
|
|
|
| 39 |
|
|
/* IP address to cleanup states */
|
| 40 |
|
|
$local_ip = str_replace("\n", "", $argv[2]);
|
| 41 |
|
|
|
| 42 |
|
|
if (empty($interface) || !does_interface_exist($interface)) {
|
| 43 |
|
|
log_error("rc.kill_states: Invalid interface '{$interface}'");
|
| 44 |
8ad1ee63
|
Ermal LUÇI
|
return;
|
| 45 |
46e27ea7
|
Renato Botelho
|
}
|
| 46 |
|
|
|
| 47 |
|
|
if (!empty($local_ip)) {
|
| 48 |
|
|
list($local_ip, $subnet_bits) = explode("/", $local_ip);
|
| 49 |
|
|
|
| 50 |
e173dd74
|
Phil Davis
|
if (empty($subnet_bits)) {
|
| 51 |
46e27ea7
|
Renato Botelho
|
$subnet_bits = "32";
|
| 52 |
e173dd74
|
Phil Davis
|
}
|
| 53 |
46e27ea7
|
Renato Botelho
|
|
| 54 |
|
|
if (!is_ipaddr($local_ip)) {
|
| 55 |
|
|
log_error("rc.kill_states: Invalid IP address '{$local_ip}'");
|
| 56 |
8ad1ee63
|
Ermal LUÇI
|
return;
|
| 57 |
46e27ea7
|
Renato Botelho
|
}
|
| 58 |
|
|
}
|
| 59 |
|
|
|
| 60 |
3756fd86
|
Chris Buechler
|
if (isset($config['system']['gw_down_kill_states'])) {
|
| 61 |
46e27ea7
|
Renato Botelho
|
if (!empty($local_ip)) {
|
| 62 |
|
|
log_error("rc.kill_states: Removing states for IP {$local_ip}/{$subnet_bits}");
|
| 63 |
5142c80a
|
jim-p
|
$filter = array(
|
| 64 |
|
|
array('interface' => $interface),
|
| 65 |
|
|
array('filter' => $local_ip)
|
| 66 |
|
|
);
|
| 67 |
|
|
$states = pfSense_get_pf_states($filter);
|
| 68 |
d13b7363
|
Renato Botelho
|
$cleared_states = array();
|
| 69 |
5142c80a
|
jim-p
|
foreach ($states as $state) {
|
| 70 |
|
|
/* Locate and kill states for sources that NAT out through $local_ip */
|
| 71 |
|
|
list($src, $srcport) = explode(":", $state['src']);
|
| 72 |
|
|
list($dst, $dstport) = explode(":", $state['dst']);
|
| 73 |
|
|
list($osrc, $osrcport) = explode(":", $state['src-orig']);
|
| 74 |
|
|
/* If the local IP address isn't the source, or if this isn't
|
| 75 |
|
|
* a NAT state, or if we've already cleared this, skip it. */
|
| 76 |
|
|
if (($src != $local_ip) ||
|
| 77 |
|
|
empty($state['src-orig']) ||
|
| 78 |
|
|
in_array("{$osrc},{$dst}", $cleared_states)) {
|
| 79 |
d13b7363
|
Renato Botelho
|
continue;
|
| 80 |
e173dd74
|
Phil Davis
|
}
|
| 81 |
d13b7363
|
Renato Botelho
|
|
| 82 |
5142c80a
|
jim-p
|
$cleared_states[] = "{$osrc},{$dst}";
|
| 83 |
ef094bef
|
Renato Botelho do Couto
|
pfSense_kill_states(utf8_encode($osrc), utf8_encode($dst));
|
| 84 |
d13b7363
|
Renato Botelho
|
}
|
| 85 |
ef094bef
|
Renato Botelho do Couto
|
pfSense_kill_states("0.0.0.0/0", utf8_encode("{$local_ip}/{$subnet_bits}"));
|
| 86 |
|
|
pfSense_kill_states(utf8_encode("{$local_ip}/{$subnet_bits}"));
|
| 87 |
|
|
pfSense_kill_srcstates(utf8_encode("{$local_ip}/{$subnet_bits}"));
|
| 88 |
46e27ea7
|
Renato Botelho
|
}
|
| 89 |
|
|
log_error("rc.kill_states: Removing states for interface {$interface}");
|
| 90 |
|
|
mwexec("/sbin/pfctl -i {$interface} -Fs", true);
|
| 91 |
|
|
}
|