190 |
190 |
}
|
191 |
191 |
|
192 |
192 |
function is_bogonsv6_used($force = false) {
|
193 |
|
global $config, $g;
|
|
193 |
global $config;
|
194 |
194 |
# Only use bogonsv6 table if IPv6 Allow is on, and at least 1 enabled interface also has "blockbogons" enabled.
|
195 |
195 |
$usebogonsv6 = false;
|
196 |
196 |
if (config_path_enabled('system','ipv6allow') || $force) {
|
... | ... | |
204 |
204 |
return $usebogonsv6;
|
205 |
205 |
}
|
206 |
206 |
|
207 |
|
function filter_pflog_start($kill_first = false) {
|
|
207 |
function filter_pflog_start() {
|
208 |
208 |
global $config, $g;
|
209 |
209 |
|
210 |
210 |
if (isset($config['system']['developerspew'])) {
|
... | ... | |
219 |
219 |
|
220 |
220 |
/* reload filter async */
|
221 |
221 |
function filter_configure() {
|
222 |
|
global $g;
|
223 |
|
|
224 |
222 |
if (isset($config['system']['developerspew'])) {
|
225 |
223 |
$mt = microtime();
|
226 |
224 |
echo "filter_configure() being called $mt\n";
|
... | ... | |
240 |
238 |
|
241 |
239 |
$any_gateway_down = false;
|
242 |
240 |
$a_gateways = return_gateways_status();
|
|
241 |
$gateway = "";
|
243 |
242 |
if (is_array($GatewaysList)) {
|
244 |
|
foreach ($GatewaysList as $gwname => $gateway) {
|
|
243 |
foreach ($GatewaysList as $gateway) {
|
245 |
244 |
/* Skip irrelevant or invalid gateway entries */
|
246 |
245 |
$last_gw = '';
|
247 |
246 |
if (empty($gateway['monitor']) ||
|
... | ... | |
312 |
311 |
|
313 |
312 |
/* reload filter sync */
|
314 |
313 |
function filter_configure_sync($delete_states_if_needed = true) {
|
315 |
|
global $config, $g, $after_filter_configure_run, $FilterIflist;
|
|
314 |
global $config, $g, $after_filter_configure_run;
|
316 |
315 |
global $time_based_rules, $filterdns, $aliases, $dummynet_name_list;
|
317 |
316 |
global $tracker, $negate_tracker, $vpns_list;
|
318 |
317 |
$tracker = TRACKER_DEFAULT;
|
... | ... | |
349 |
348 |
echo ".";
|
350 |
349 |
}
|
351 |
350 |
update_filter_reload_status(gettext("Generating Limiter rules"));
|
352 |
|
$dummynet_rules = filter_generate_dummynet_rules();
|
|
351 |
filter_generate_dummynet_rules();
|
353 |
352 |
$dummynet_name_list = get_unique_dnqueue_list();
|
354 |
353 |
update_filter_reload_status(gettext("Generating NAT rules"));
|
355 |
354 |
/* generate nat rules */
|
... | ... | |
727 |
726 |
}
|
728 |
727 |
|
729 |
728 |
/* disable scrub option */
|
730 |
|
foreach ($FilterIflist as $scrubif => $scrubcfg) {
|
|
729 |
foreach ($FilterIflist as $scrubcfg) {
|
731 |
730 |
if (isset($scrubcfg['virtual']) || empty($scrubcfg['descr'])) {
|
732 |
731 |
continue;
|
733 |
732 |
}
|
... | ... | |
1059 |
1058 |
}
|
1060 |
1059 |
/* see "Load balancing fails when one gateway has a weight of 1
|
1061 |
1060 |
* and another gateway has a weight >1", https://redmine.pfsense.org/issues/6025 */
|
1062 |
|
foreach ($members as $idx => $member) {
|
|
1061 |
foreach ($members as $member) {
|
1063 |
1062 |
if ((int) $member['weight'] == 1) {
|
1064 |
1063 |
$weight1 = true;
|
1065 |
1064 |
} elseif ((int) $member['weight'] > 1) {
|
... | ... | |
1071 |
1070 |
} else {
|
1072 |
1071 |
$mult = 1;
|
1073 |
1072 |
}
|
1074 |
|
foreach ($members as $idx => $member) {
|
|
1073 |
foreach ($members as $member) {
|
1075 |
1074 |
$int = $member['int'];
|
1076 |
1075 |
$gatewayip = $member['gwip'];
|
1077 |
1076 |
if (!empty($int) && is_ipaddr($gatewayip) &&
|
... | ... | |
1232 |
1231 |
* optionally returns an array instead, including friendly interface and gateway (if applicable)
|
1233 |
1232 |
*/
|
1234 |
1233 |
function filter_get_direct_networks_list($returnsubnetsonly = true) {
|
1235 |
|
global $config, $FilterIflist, $GatewaysList;
|
|
1234 |
global $FilterIflist, $GatewaysList;
|
1236 |
1235 |
/* build list of directly connected interfaces and networks */
|
1237 |
1236 |
$networks = "";
|
1238 |
1237 |
$networks_arr = array();
|
... | ... | |
1264 |
1263 |
}
|
1265 |
1264 |
}
|
1266 |
1265 |
$viplist = get_configured_vip_list();
|
1267 |
|
foreach ($viplist as $vid => $address) {
|
|
1266 |
foreach (array_keys($viplist) as $vid) {
|
1268 |
1267 |
$vip = get_configured_vip($vid);
|
1269 |
1268 |
$subnet = "{$vip['subnet']}/{$vip['subnet_bits']}";
|
1270 |
1269 |
if (is_subnet($subnet) && !(is_subnetv4($subnet) && $vip['subnet_bits'] == 32) && !(is_subnetv6($subnet) && $vip['subnet_bits'] == 128)) {
|
... | ... | |
1453 |
1452 |
}
|
1454 |
1453 |
|
1455 |
1454 |
function filter_flush_nat_table() {
|
1456 |
|
global $config, $g;
|
|
1455 |
global $config;
|
1457 |
1456 |
if (isset($config['system']['developerspew'])) {
|
1458 |
1457 |
$mt = microtime();
|
1459 |
1458 |
echo "filter_flush_nat_table() being called $mt\n";
|
... | ... | |
1970 |
1969 |
}
|
1971 |
1970 |
|
1972 |
1971 |
function filter_nat_rules_outbound_automatic($src) {
|
1973 |
|
global $config, $FilterIflist;
|
|
1972 |
global $FilterIflist;
|
1974 |
1973 |
|
1975 |
1974 |
$rules = array();
|
1976 |
1975 |
foreach ($FilterIflist as $if => $ifcfg) {
|
... | ... | |
2011 |
2010 |
|
2012 |
2011 |
/* Generate a 'nat on' or 'no nat on' rule for given interface */
|
2013 |
2012 |
function filter_nat_rules_generate_if ($if, $descr = "", $ipprotocol = "", $src = "any", $srcport = "", $dst = "any", $dstport = "", $natip = "", $natport = "", $nonat = false, $staticnatport = false, $proto = "", $poolopts = "") {
|
2014 |
|
global $config, $FilterIflist;
|
|
2013 |
global $FilterIflist;
|
2015 |
2014 |
|
2016 |
2015 |
/* XXX: billm - any idea if this code is needed? */
|
2017 |
2016 |
if ($src == "/32" || $src == "/128" || $src[0] == "/") {
|
... | ... | |
2181 |
2180 |
}
|
2182 |
2181 |
|
2183 |
2182 |
function filter_nat_rules_generate() {
|
2184 |
|
global $config, $g, $after_filter_configure_run, $FilterIflist, $GatewaysList, $aliases;
|
|
2183 |
global $config, $g, $FilterIflist;
|
2185 |
2184 |
|
2186 |
2185 |
init_config_arr(array('ipsec', 'client'));
|
2187 |
2186 |
$ipsec_client = $config['ipsec']['client'];
|
... | ... | |
2830 |
2829 |
}
|
2831 |
2830 |
|
2832 |
2831 |
function filter_generate_user_rule_arr($rule) {
|
2833 |
|
global $config, $vpns_list;
|
2834 |
2832 |
update_filter_reload_status(sprintf(gettext("Creating filter rule %s ..."), $rule['descr']));
|
2835 |
2833 |
$ret = array();
|
2836 |
2834 |
$extralabels = "";
|
... | ... | |
2939 |
2937 |
}
|
2940 |
2938 |
|
2941 |
2939 |
function filter_generate_address(& $rule, $target = "source", $isnat = false) {
|
2942 |
|
global $FilterIflist, $config;
|
|
2940 |
global $FilterIflist;
|
2943 |
2941 |
$src = "";
|
2944 |
2942 |
|
2945 |
2943 |
if (isset($rule[$target]['any'])) {
|
... | ... | |
3118 |
3116 |
return "# rule " . $rule['descr'] . " disabled \n";
|
3119 |
3117 |
}
|
3120 |
3118 |
update_filter_reload_status(sprintf(gettext("Creating filter rules %s ..."), $rule['descr']));
|
3121 |
|
$int = "";
|
3122 |
3119 |
$aline = array();
|
3123 |
3120 |
|
3124 |
3121 |
/* Check to see if the interface is in our list */
|
... | ... | |
3578 |
3575 |
}
|
3579 |
3576 |
|
3580 |
3577 |
function filter_rules_generate() {
|
3581 |
|
global $config, $g, $FilterIflist, $time_based_rules, $GatewaysList,
|
3582 |
|
$tracker, $vlanprio_values, $antilockout_tracker,
|
3583 |
|
$bogons_tracker, $rfc1918_tracker, $vpn_and_ppp_ifs;
|
|
3578 |
global $config, $FilterIflist, $time_based_rules, $GatewaysList,
|
|
3579 |
$tracker, $vlanprio_values, $vpn_and_ppp_ifs;
|
3584 |
3580 |
|
3585 |
3581 |
$fix_rule_label = 'fix_rule_label';
|
3586 |
3582 |
$increment_tracker = 'filter_rule_tracker';
|
... | ... | |
4264 |
4260 |
}
|
4265 |
4261 |
|
4266 |
4262 |
function filter_rules_spoofcheck_generate($ifname, $ifcfg, $log) {
|
4267 |
|
global $g, $config, $tracker;
|
|
4263 |
global $config, $tracker;
|
4268 |
4264 |
if (isset($config['system']['developerspew'])) {
|
4269 |
4265 |
$mt = microtime();
|
4270 |
|
echo "filter_rules_spoofcheck_generate() being called $mt\n";
|
|
4266 |
echo "filter_rules_spoofcheck_generate() being called for ${ifname} at {$mt}\n";
|
4271 |
4267 |
}
|
4272 |
4268 |
$ipfrules = "antispoof {$log['block']} for \${$ifcfg['descr']} ridentifier {$tracker}\n";
|
4273 |
4269 |
$tracker++;
|
... | ... | |
4285 |
4281 |
* none
|
4286 |
4282 |
******/
|
4287 |
4283 |
function filter_tdr_install_cron($should_install) {
|
4288 |
|
global $config, $g;
|
|
4284 |
global $config;
|
4289 |
4285 |
|
4290 |
4286 |
if (platform_booting() == true) {
|
4291 |
4287 |
return;
|
... | ... | |
4500 |
4496 |
}
|
4501 |
4497 |
|
4502 |
4498 |
function filter_process_carp_rules($log) {
|
4503 |
|
global $g, $config, $tracker;
|
|
4499 |
global $config;
|
4504 |
4500 |
|
4505 |
4501 |
if (isset($config['system']['developerspew'])) {
|
4506 |
4502 |
$mt = microtime();
|
... | ... | |
4520 |
4516 |
|
4521 |
4517 |
/* Generate IPsec Filter Items */
|
4522 |
4518 |
function filter_generate_ipsec_rules($log = array()) {
|
4523 |
|
global $config, $g, $FilterIflist, $tracker;
|
|
4519 |
global $config, $FilterIflist, $tracker;
|
4524 |
4520 |
|
4525 |
4521 |
if (isset($config['system']['developerspew'])) {
|
4526 |
4522 |
$mt = microtime();
|
... | ... | |
4788 |
4784 |
|
4789 |
4785 |
$i = $ifridx = 0;
|
4790 |
4786 |
if (is_array($config['filter']['rule'])) {
|
4791 |
|
foreach ($config['filter']['rule'] as $rulen => $filterent) {
|
|
4787 |
foreach ($config['filter']['rule'] as $filterent) {
|
4792 |
4788 |
if (($filterent['interface'] == $if && !isset($filterent['floating'])) || (isset($filterent['floating']) && "FloatingRules" == $if)) {
|
4793 |
4789 |
if ($i == $ridx) {
|
4794 |
4790 |
return $ifridx;
|
... | ... | |
4804 |
4800 |
/* display rules separators */
|
4805 |
4801 |
function display_separator($separators, $nrules, $columns_in_table) {
|
4806 |
4802 |
if (is_array($separators)) {
|
4807 |
|
foreach ($separators as $sepn => $separator) {
|
|
4803 |
foreach ($separators as $separator) {
|
4808 |
4804 |
if ($separator['row'][0] == "fr" . $nrules) {
|
4809 |
4805 |
$cellcolor = $separator['color'];
|
4810 |
4806 |
print('<tr class="ui-sortable-handle separator">' .
|
... | ... | |
4818 |
4814 |
|
4819 |
4815 |
/* Return a list of separator rows */
|
4820 |
4816 |
function separator_rows($separators) {
|
4821 |
|
$seprowns = array();
|
4822 |
4817 |
if (is_array($separators)) {
|
4823 |
|
foreach ($separators as $sepn => $separator) {
|
|
4818 |
foreach ($separators as $separator) {
|
4824 |
4819 |
$seprows[substr($separator['row']['0'], 2)] = true;
|
4825 |
4820 |
}
|
4826 |
4821 |
}
|
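Review bot: In `separator_rows` the misspelled initializer `$seprowns = array();` is deleted rather than corrected, so `$seprows` is only ever assigned inside the `foreach`. When `$separators` is not an array or is empty, whatever follows this hunk (presumably `return $seprows;`, but the rest of the body is not visible) reads an undefined variable; replacing the removed line with `$seprows = array();` would silence the warning and keep the result an array. The same class of problem is left in `filter_configure`, where `global $g;` is dropped but `isset($config['system']['developerspew'])` still runs with no `global $config;`, so that debug branch can never fire; `global $config;` is probably what was intended there. It is also worth confirming that the bodies of `filter_process_carp_rules` and `filter_rules_generate`, which lie outside the visible hunks, no longer reference `$tracker`, `$antilockout_tracker`, `$bogons_tracker` or `$rfc1918_tracker`. These were removed from their `global` lists, and an unset tracker would be interpolated into generated rule text the way `ridentifier {$tracker}` is in `filter_rules_spoofcheck_generate`.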
Silence unused/undef'd variable warnings in filter.inc