
Revision e047c72a

Added by Ermal LUÇI over 11 years ago

Correct the generation of antispoof rules with tracker. Also honor the log directive. While here, remove a duplicate antispoof declaration further down.


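--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2835,7 +2835,7 @@
 		}
 
 		if($oc['ip'] && !($isbridged) && isset($oc['spoofcheck']))
-			$ipfrules .= filter_rules_spoofcheck_generate($on, $oc['if'], $oc['sa'], $oc['sn'], $log);
+			$ipfrules .= filter_rules_spoofcheck_generate($on, $oc, $log);
 
 		/* block private networks ? */
 		if(!isset($config['syslog']['nologprivatenets']))
@@ -2850,7 +2850,6 @@
 			if($isbridged == false) {
 				$ipfrules .= <<<EOD
 # block anything from private networks on interfaces with the option set
-antispoof for \${$oc['descr']}
 block in $privnetlog quick on \${$oc['descr']} from 10.0.0.0/8 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 10/8")}"
 block in $privnetlog quick on \${$oc['descr']} from 127.0.0.0/8 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 127/8")}"
 block in $privnetlog quick on \${$oc['descr']} from 100.64.0.0/10 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 100.64/10")}"
@@ -3260,13 +3259,13 @@
 	return $ipfrules;
 }
 
-function filter_rules_spoofcheck_generate($ifname, $if, $sa, $sn, $log) {
+function filter_rules_spoofcheck_generate($ifname, $ifcfg, $log) {
 	global $g, $config, $tracker;
 	if(isset($config['system']['developerspew'])) {
 		$mt = microtime();
 		echo "filter_rules_spoofcheck_generate() being called $mt\n";
 	}
-	$ipfrules = "antispoof for {$if}\n";
+	$ipfrules = "antispoof {$log} for \${$oc['descr']} tracker {$tracker}\n";
 	$tracker++;
 
 	return $ipfrules;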
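Review bot: The rewritten rule line in `filter_rules_spoofcheck_generate` interpolates `$oc['descr']`, but the interface array now arrives as the parameter `$ifcfg`, and `$oc` is neither a parameter nor named in the `global` statement. Inside this function `$oc` is therefore undefined, so the generated line comes out as `antispoof <log> for $ tracker N` with an empty macro name instead of the interface's macro. The line should read `$ipfrules = "antispoof {$log} for \${$ifcfg['descr']} tracker {$tracker}\n";`. Since this is the per-interface anti-spoofing rule, and the same commit removes the other `antispoof` line from the private-networks heredoc, a malformed line here presumably leaves the interface without spoof protection or makes the ruleset fail to load; how the generated rules are loaded is not visible in this diff. The function's closing brace lies outside the hunk.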
