<?php
/*
 * easyrule.inc
 *
 * part of pfSense (https://www.pfsense.org)
 * Copyright (c) 2009-2013 BSD Perimeter
 * Copyright (c) 2013-2016 Electric Sheep Fencing
 * Copyright (c) 2014-2024 Rubicon Communications, LLC (Netgate)
 * Originally Sponsored By Anathematic @ pfSense Forums
 * All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
/* Prefix of the per-interface block alias; the uppercased interface name is
 * appended to it (see easyrule_block_alias_getid()). */
$blockaliasname = 'EasyRuleBlockHosts';
/* Protocols for which a destination port is meaningful in a pass rule. */
$protocols_with_ports = ['tcp', 'udp'];
require_once('functions.inc');
require_once('util.inc');
require_once('ipsec.inc');
require_once('config.inc');
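function easyrule_find_rule_interface($int) {
	/* Resolve a user-supplied interface name to the internal name used in
	 * filter rules. Accepts an assigned interface id (e.g. "wan"), an
	 * interface group name, an interface description (case-insensitive),
	 * an unassigned OpenVPN/IPsec instance name, or a real device name.
	 * Returns the internal name, or false when nothing matches. */

	/* Borrowed from firewall_rules.php */
	$iflist = get_configured_interface_with_descr(true);

	/* Add interface groups; they are keyed and described by the group name */
	foreach (config_get_path('ifgroups/ifgroupentry', []) as $ifgen) {
		$iflist[$ifgen['ifname']] = $ifgen['ifname'];
	}

	if (is_pppoe_server_enabled()) {
		$iflist['pppoe'] = gettext("PPPoE Server");
	}

	if (config_get_path('l2tp/mode') === "server") {
		$iflist['l2tp'] = gettext("L2TP VPN");
	}

	/* Add IPsec tunnel interface */
	if (ipsec_enabled()) {
		$iflist["enc0"] = gettext("IPsec");
	}

	/* !empty() instead of count() so a malformed non-array value cannot
	 * raise a TypeError */
	if (!empty(config_get_path('openvpn/openvpn-server', [])) ||
	    !empty(config_get_path('openvpn/openvpn-client', []))) {
		$iflist["openvpn"] = gettext("OpenVPN");
	}

	/* Check if the given name matches a known assigned interface id or
	 * common group name */
	if (array_key_exists($int, $iflist)) {
		return $int;
	}

	/* Check if the user passed an interface description name instead of the
	 * internal name. Strict comparison avoids PHP's numeric-string equality
	 * rules; the lowercased needle is computed once outside the loop. */
	$wanted = strtolower((string)$int);
	foreach ($iflist as $if => $ifd) {
		if ($wanted === strtolower((string)$ifd)) {
			return $if;
		}
	}

	/* Check for unassigned OpenVPN or IPsec and return the associated
	 * group name. */
	if (substr($int, 0, 4) === "ovpn") {
		return "openvpn";
	}
	if (substr($int, 0, 5) === "ipsec") {
		return "ipsec";
	}

	/* If the user passed a real interface name, attempt to map it to an
	 * assigned interface */
	$iff = convert_real_interface_to_friendly_interface_name($int);
	if (($iff !== null) && ($iff !== $int)) {
		return $iff;
	}

	return false;
}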
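function easyrule_block_rule_exists($int = 'wan', $ipproto = "inet") {
	/* Return true when a filter rule already references the EasyRule block
	 * alias of $int on that interface for the given address family
	 * ("inet" or "inet6"), false otherwise. */
	global $blockaliasname;

	$wanted_source = $blockaliasname . strtoupper($int);

	/* Search through the rules for one referencing our alias. An empty
	 * rule list simply falls through to false. */
	foreach (config_get_path('filter/rule', []) as $rule) {
		/* Rules without a source array (or malformed entries) cannot match;
		 * the ?? keeps rules lacking the key from raising a notice. */
		if (!is_array($rule) || !is_array($rule['source'] ?? null)) {
			continue;
		}
		/* Rules without an explicit address family are IPv4 */
		$checkproto = $rule['ipprotocol'] ?? "inet";
		if ((array_get_path($rule, 'source/address') === $wanted_source) &&
		    (($rule['interface'] ?? null) === $int) &&
		    ($checkproto === $ipproto)) {
			return true;
		}
	}
	return false;
}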
function easyrule_block_rule_create($int = 'wan', $ipproto = "inet") {
	/* Insert the block rule for the EasyRule alias of $int at the top of
	 * that interface's rules. Returns "noalias" when the alias does not
	 * exist yet, true when the rule is present afterwards (created or
	 * already there). The caller is responsible for writing the config. */
	global $blockaliasname;

	/* Without the alias there is nothing for the rule to reference:
	 * an empty alias cannot be created and no host is known here. */
	if (easyrule_block_alias_getid($int) === false) {
		return "noalias";
	}

	/* Nothing to do when the rule is already present */
	if (easyrule_block_rule_exists($int, $ipproto)) {
		return true;
	}

	filter_rules_sort();
	$rules = config_get_path('filter/rule', []);

	/* Key order is kept as before so the stored rule is unchanged */
	$blockrule = [
		'type'        => 'block',
		'interface'   => $int,
		'ipprotocol'  => $ipproto,
		'source'      => ['address' => $blockaliasname . strtoupper($int)],
		'destination' => ['any' => ''],
		'descr'       => gettext("Blocked via EasyRule"),
		'created'     => make_config_revision_entry(null, "EasyRule"),
		'tracker'     => (int)microtime(true),
	];

	/* Place the rule at the interface's first rule slot */
	$position = get_interface_ruleindex($int);
	array_splice($rules, $position['first'], 0, [$blockrule]);
	config_set_path('filter/rule', $rules);

	/* Keep this interface's rule separators lined up with the inserted row */
	$sep_path = 'filter/separator/' . strtolower($int);
	$separators = config_get_path($sep_path, []);
	shift_separators($separators, -1);
	config_set_path($sep_path, $separators);

	return true;
}
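function easyrule_block_alias_getid($int = 'wan') {
	/* Find the config index of the EasyRule block alias for $int.
	 * Returns the alias id, or false when no such alias exists. 0 is a
	 * valid id, so callers must test the result with === false. */
	global $blockaliasname;

	$wanted = $blockaliasname . strtoupper($int);

	/* Hunt down an alias with the name we want, return its id. Non-array
	 * entries are skipped rather than dereferenced. */
	foreach (config_get_path('aliases/alias', []) as $aliasid => $alias) {
		if (is_array($alias) && (($alias['name'] ?? null) === $wanted)) {
			return $aliasid;
		}
	}

	return false;
}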
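function easyrule_block_alias_add($host, $int = 'wan') {
	/* Add $host (an address, a "net/mask" subnet, or a special network) to
	 * the EasyRule block alias of $int, creating the alias when needed.
	 * Returns "invalid" for an unparseable host, "exists" when the entry
	 * is already listed, or true after the alias was stored in the config.
	 * The caller writes the config and reloads the filter. */
	global $blockaliasname;
	$easyrule_nettype_flags = [SPECIALNET_ANY, SPECIALNET_SELF, SPECIALNET_CLIENTS];

	/* Bracketed IPv6 literals are accepted; anything that is not an
	 * address or a subnet is rejected. */
	$host = trim($host, "[]");
	if (!is_ipaddr($host) && !is_subnet($host)) {
		return "invalid";
	}

	$a_aliases = config_get_path('aliases/alias', []);

	/* Try to get the ID if the alias already exists; it only counts as
	 * existing when the config entry at that id is an array. */
	$id = easyrule_block_alias_getid($int);
	$exists = ($id !== false) &&
	    array_key_exists($id, $a_aliases) &&
	    is_array($a_aliases[$id]);

	/* Normalise the entry to host/mask form: subnets keep their mask,
	 * special networks get 0, bare hosts a host mask for their family. */
	if (is_subnet($host)) {
		[$host, $mask] = explode("/", $host);
	} elseif (get_specialnet($host, $easyrule_nettype_flags)) {
		$mask = 0;
	} elseif (is_ipaddrv6($host)) {
		$mask = 128;
	} else {
		$mask = 32;
	}
	$entry = $host . '/' . $mask;
	$detail = gettext('Entry added') . ' ' . date('r');

	$alias = [];
	if ($exists) {
		$address_str = array_get_path($a_aliases, "{$id}/address", "");
		if (empty($address_str)) {
			/* Catch case when the list is empty */
			$a_address = [];
			$a_detail = [];
		} else {
			$a_address = explode(" ", $address_str);

			/* Make sure this IP address isn't already in the list. */
			if (in_array($entry, $a_address, true)) {
				return "exists";
			}
			/* Default to "" so a missing detail string is not passed to
			 * explode() as null */
			$a_detail = explode("||", array_get_path($a_aliases, "{$id}/detail", ""));
		}

		/* Since the alias already exists, just add to it. */
		$alias['name']    = array_get_path($a_aliases, "{$id}/name");
		$alias['type']    = array_get_path($a_aliases, "{$id}/type");
		$alias['descr']   = array_get_path($a_aliases, "{$id}/descr");

		$a_address[] = $entry;
		$a_detail[] = $detail;

		$alias['address'] = join(" ", $a_address);
		$alias['detail']  = join("||", $a_detail);
	} else {
		/* Create a new alias with all the proper information */
		$alias['name']    = $blockaliasname . strtoupper($int);
		$alias['type']    = 'network';
		$alias['descr']   = gettext("Blocked via EasyRule");

		$alias['address'] = $entry;
		$alias['detail']  = $detail . '||';
	}

	/* Replace the old alias if needed, otherwise tack it on the end */
	if ($exists) {
		$a_aliases[$id] = $alias;
	} else {
		$a_aliases[] = $alias;
	}

	/* Keep the alias list sorted by name */
	$a_aliases = msort($a_aliases, "name");

	config_set_path('aliases/alias', $a_aliases);
	return true;
}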
function easyrule_block_host_add($host, $int = 'wan') {
	/* Block $host on interface $int: add it to the block alias, make sure
	 * the block rule exists, then write the config and reload the filter.
	 * Returns "invalid" for a bad host, the status string of the alias or
	 * rule step when one of them fails, or true on success. When run from
	 * the web GUI it redirects to firewall_aliases.php instead of returning.
	 * The filter_configure() result is published in the global $retval. */
	global $retval;

	/* Bail if the supplied host is not a valid IP address */
	$host = trim($host, "[]");
	if (!is_ipaddr($host) && !is_subnet($host)) {
		return "invalid";
	}

	/* The block rule has to match the address family of the entry */
	$ipproto = is_v6($host) ? 'inet6' : 'inet';

	/* Attempt to add this host to the alias; anything but true is a status
	 * string ("invalid", "exists") that is handed back to the caller. */
	$alias_result = easyrule_block_alias_add($host, $int);
	if ($alias_result !== true) {
		return $alias_result;
	}

	/* Attempt to add the firewall rule if it doesn't exist. The rule may
	 * have been modified by the user in some way; adding to the alias is
	 * what's important, but a failed rule step is still reported. */
	if (!easyrule_block_rule_exists($int, $ipproto)) {
		$rule_result = easyrule_block_rule_create($int, $ipproto);
		if ($rule_result !== true) {
			return $rule_result;
		}
	}

	/* The alias step succeeded, so there is always something to write */
	write_config(sprintf(gettext("Blocked %s via EasyRule"), $host));
	$retval = filter_configure();
	if (!empty($_SERVER['DOCUMENT_ROOT'])) {
		header("Location: firewall_aliases.php");
		exit;
	}
	return true;
}
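function easyrule_pass_rule_add($int, $proto, $srchost, $dsthost, $dstport, $ipproto) {
	/* Append a pass rule for $proto from $srchost to $dsthost:$dstport on
	 * interface $int (address family $ipproto), write the config and
	 * reload the filter. Inputs are expected to be validated by the caller
	 * (see easyrule_parse_pass()). Returns true, or redirects to the rules
	 * page of $int when run from the web GUI. */
	$easyrule_nettype_flags = [SPECIALNET_ANY, SPECIALNET_SELF, SPECIALNET_CLIENTS];

	init_config_arr(['filter', 'rule']);
	filter_rules_sort();
	$a_filter = config_get_path('filter/rule', []);

	/* Make up a new rule */
	$filterent = [];
	$filterent['type'] = 'pass';
	$filterent['interface'] = $int;
	$filterent['ipprotocol'] = $ipproto;
	$filterent['descr'] = gettext("Passed via EasyRule");

	/* "any" means no protocol restriction, expressed by omitting the key */
	if ($proto !== "any") {
		$filterent['protocol'] = $proto;
	}

	/* ICMPv6 is stored as "icmp"; the ipprotocol field carries the family */
	if (in_array(strtolower($proto), ["icmp6", "icmpv6"], true)) {
		$filterent['protocol'] = "icmp";
	}

	/* Default to only allow echo requests, since that's what most people
	 * want and it should be a safe choice. Compares the original $proto,
	 * so an icmp6/icmpv6 request does not get the type restriction. */
	if ($proto === "icmp") {
		$filterent['icmptype'] = 'echoreq';
	}

	/* Split "net/mask" entries; special networks get mask 0 and bare hosts
	 * a host mask for their address family. Returns [host, mask]. */
	$split = static function ($host) use ($easyrule_nettype_flags) {
		if (is_subnet($host)) {
			return explode("/", $host);
		}
		if (get_specialnet($host, $easyrule_nettype_flags)) {
			return [$host, 0];
		}
		return [$host, is_ipaddrv6($host) ? 128 : 32];
	};
	[$srchost, $srcmask] = $split($srchost);
	[$dsthost, $dstmask] = $split($dsthost);

	pconfig_to_address($filterent['source'], $srchost, $srcmask, false, 0, 0, false, $easyrule_nettype_flags);
	pconfig_to_address($filterent['destination'], $dsthost, $dstmask, '', $dstport, $dstport, false, $easyrule_nettype_flags);

	$filterent['created'] = make_config_revision_entry(null, "EasyRule");
	$filterent['tracker'] = (int)microtime(true);
	$a_filter[] = $filterent;
	config_set_path('filter/rule', $a_filter);

	write_config($filterent['descr']);
	filter_configure();
	if (!empty($_SERVER['DOCUMENT_ROOT'])) {
		/* The interface name is URL-encoded so it can only ever be a query
		 * value in the redirect target */
		header("Location: firewall_rules.php?if=" . urlencode($int));
		exit;
	}
	return true;
}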
function easyrule_parse_block($int, $src) {
	/* Entry point for "block" requests: validates the address and the
	 * interface, applies the block and returns a human-readable status
	 * message. User-supplied text echoed in a message is HTML-escaped. */
	if (empty($src) || empty($int)) {
		return gettext("Tried to block but had no address or interface");
	}

	$src = trim($src, "[]");
	if (!is_ipaddr($src) && !is_subnet($src)) {
		return gettext("Tried to block invalid address:") . ' ' . htmlspecialchars($src);
	}

	$int = easyrule_find_rule_interface($int);
	if ($int === false) {
		return gettext("Invalid interface for block rule.");
	}

	/* easyrule_block_host_add() returns true, false or a status string; the
	 * string cast maps true to "1" and false to "" so one switch covers all */
	switch ((string)easyrule_block_host_add($src, $int)) {
		case "exists":
			return gettext("Block entry already exists.");
		case "invalid":
			return gettext("Invalid address.");
		case "1":
			return gettext("Block added successfully");
		default:
			return gettext("Failed to create block rule, alias, or add entry.");
	}
}
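function easyrule_parse_unblock($int, $host) {
	/* Entry point for "unblock" requests: remove $host from the EasyRule
	 * block alias of interface $int, write the config and reload the
	 * filter. Returns a human-readable status message (user-supplied text
	 * is HTML-escaped); from the web GUI it redirects to
	 * firewall_aliases.php on success instead. */
	$easyrule_nettype_flags = [SPECIALNET_ANY, SPECIALNET_SELF, SPECIALNET_CLIENTS];

	if (empty($host) || empty($int)) {
		return gettext("Tried to unblock but had no address or interface");
	}

	$host = trim($host, "[]");
	if (!is_ipaddr($host) && !is_subnet($host)) {
		return gettext("Tried to unblock invalid address:") . ' ' . htmlspecialchars($host);
	}
	$real_int = easyrule_find_rule_interface($int);
	if ($real_int === false) {
		return gettext("Invalid interface for block rule:") . ' ' . htmlspecialchars($int);
	}

	/* Try to get the ID - will fail if there are no rules/alias on this
	 * interface. The address is read by path so a missing key does not
	 * raise a notice. */
	$id = easyrule_block_alias_getid($real_int);
	if ($id === false ||
	    empty(config_get_path("aliases/alias/{$id}", [])) ||
	    empty(config_get_path("aliases/alias/{$id}/address", ''))) {
		return gettext("No entries are blocked on interface:") . ' ' . htmlspecialchars($int);
	}

	$alias = config_get_path("aliases/alias/{$id}", []);

	/* Build the same host/mask form that easyrule_block_alias_add() stores */
	if (is_subnet($host)) {
		[$host, $mask] = explode("/", $host);
	} elseif (get_specialnet($host, $easyrule_nettype_flags)) {
		$mask = 0;
	} elseif (is_ipaddrv6($host)) {
		$mask = 128;
	} else {
		$mask = 32;
	}
	$unblock = $host . '/' . $mask;

	$a_address = explode(" ", $alias['address']);
	$a_detail = explode("||", $alias['detail'] ?? '');

	$key = array_search($unblock, $a_address, true);
	if ($key === false) {
		/* Translatable message plus escaped host, like the other errors;
		 * the host is not baked into the msgid. */
		return gettext("Entry is not on block list:") . ' ' . htmlspecialchars($host);
	}

	/* NOTE(review): assumes the detail list is positionally aligned with
	 * the address list, as both are removed by the same index - confirm */
	unset($a_address[$key], $a_detail[$key]);
	/* Write back the result to the config array */
	$alias['address'] = join(" ", $a_address);
	$alias['detail'] = join("||", $a_detail);
	config_set_path("aliases/alias/{$id}", $alias);

	/* Update config */
	write_config(sprintf(gettext("Unblocked %s via EasyRule"), $host));
	filter_configure();
	if (!empty($_SERVER['DOCUMENT_ROOT'])) {
		header("Location: firewall_aliases.php");
		exit;
	}
	return gettext("Entry unblocked successfully");
}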
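function easyrule_parse_getblock($int = 'wan', $sep = "\n") {
	/* Return the entries of the EasyRule block alias of interface $int,
	 * joined with $sep. On failure a human-readable error message is
	 * returned instead, so callers cannot tell the two apart by type;
	 * user-supplied text in the message is HTML-escaped. */
	$real_int = easyrule_find_rule_interface($int);
	if ($real_int === false) {
		return gettext("Invalid interface for block rule:") . ' ' . htmlspecialchars($int);
	}

	/* Try to get the ID - will fail if there are no rules/alias on this
	 * interface. The address is read by path so a missing key does not
	 * raise a notice. */
	$id = easyrule_block_alias_getid($real_int);
	$address = ($id === false) ? '' : config_get_path("aliases/alias/{$id}/address", '');
	if (empty($address)) {
		return gettext("No entries are blocked on interface:") . ' ' . htmlspecialchars($int);
	}
	return join($sep, explode(" ", $address));
}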
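function easyrule_parse_pass($int, $proto, $src, $dst, $dstport = 0, $ipproto = "inet") {
	/* Entry point for "pass" requests: validate interface, protocol, hosts
	 * and port, then add the rule via easyrule_pass_rule_add(). Returns a
	 * human-readable status message; user-supplied text echoed in it is
	 * HTML-escaped. $ipproto is only a default: the family is always
	 * derived from $src. */
	global $protocols_with_ports;
	$easyrule_nettype_flags = [SPECIALNET_ANY, SPECIALNET_SELF, SPECIALNET_CLIENTS];

	/* Accept bracketed IPv6 literals */
	$src = trim($src, "[]");
	$dst = trim($dst, "[]");

	if (empty($int) || empty($proto) || empty($src) || empty($dst)) {
		return gettext("Missing parameters for pass rule.");
	}

	/* Keep the name the caller gave us for the error message: the lookup
	 * result is false on failure and would print as an empty string. */
	$requested_int = $int;
	$int = easyrule_find_rule_interface($requested_int);
	if ($int === false) {
		return gettext("Invalid interface for pass rule:") . ' ' . htmlspecialchars($requested_int);
	}

	/* ICMPv6 is handled as "icmp"; the family comes from $ipproto below */
	if (in_array(strtolower($proto), ["icmp6", "icmpv6"], true)) {
		$proto = "icmp";
	}
	/* A protocol is valid as "any", a known name, or a known number */
	if (($proto !== 'any') &&
	    (getprotobyname($proto) === false) &&
	    (!is_numericint($proto) || (getprotobynumber((int)$proto) === false))) {
		return gettext("Invalid protocol for pass rule:") . ' ' . htmlspecialchars($proto);
	}
	if (!is_ipaddr($src) && !is_subnet($src) && !is_ipaddroralias($src) && !get_specialnet($src, $easyrule_nettype_flags)) {
		return gettext("Tried to pass invalid source IP address:") . ' ' . htmlspecialchars($src);
	}
	if (!is_ipaddr($dst) && !is_subnet($dst) && !is_ipaddroralias($dst) && !get_specialnet($dst, $easyrule_nettype_flags)) {
		return gettext("Tried to pass invalid destination IP address:") . ' ' . htmlspecialchars($dst);
	}
	if ((is_v6($src) && is_v4($dst)) || (is_v4($src) && is_v6($dst))) {
		return gettext("The source IP address family has to match the family of the destination IP address.");
	}
	$ipproto = is_v6($src) ? 'inet6' : 'inet';

	/* If the protocol is by number, change it to a name; the number was
	 * verified above, so the cast cannot turn a non-number into 0 */
	if (($proto !== 'any') &&
	    (getprotobyname($proto) === false)) {
		$proto = getprotobynumber((int)$proto);
	}
	if (in_array($proto, $protocols_with_ports, true)) {
		if (empty($dstport)) {
			return gettext("Missing destination port.");
		}
		if (!is_port($dstport) && ($dstport !== "any")) {
			return gettext("Tried to pass invalid destination port:") . ' ' . htmlspecialchars($dstport);
		}
	} else {
		/* Ports are meaningless for the remaining protocols */
		$dstport = 0;
	}

	/* Should have valid input... */
	if (easyrule_pass_rule_add($int, $proto, $src, $dst, $dstport, $ipproto)) {
		return gettext("Successfully added pass rule!");
	}
	return gettext("Failed to add pass rule.");
}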
?>