filter: safeguard direct config reads when processing the ruleset. If someone manages to add a rule tag which isn't an array, boot will fail and manual intervention is needed. Arrays feeded by a model skip these records or present them as default ones.

2026-03-15 17:14:46 +00:00 · 2024-05-31 19:08:40 +02:00 · 2024-05-31 19:08:40 +02:00 · 1e948bfc2f
commit 1e948bfc2f
parent f049be47bb
2 changed files with 9 additions and 2 deletions
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@ -202,7 +202,9 @@ function filter_configure_sync($verbose = false, $load_aliases = true)
    ) {
        if (!empty($config['nat']['outbound']['rule'])) {
            foreach ($config['nat']['outbound']['rule'] as $rule) {
-                $fw->registerSNatRule(100, $rule);
+                if (is_array($rule)) {
+                    $fw->registerSNatRule(100, $rule);
+                }
            }
        }
    }
@ -259,7 +261,9 @@ function filter_configure_sync($verbose = false, $load_aliases = true)
    if (!empty($config['nat']['rule'])) {
        // register user forward rules
        foreach ($config['nat']['rule'] as $rule) {
-            $fw->registerForwardRule(600, $rule);
+            if (is_array($rule)) {
+                $fw->registerForwardRule(600, $rule);
+            }
        }
    }

--- a/src/etc/inc/filter.lib.inc
+++ b/src/etc/inc/filter.lib.inc
@ -614,6 +614,9 @@ function filter_core_rules_user($fw)
    if (isset($config['filter']['rule'])) {
        // register user rules
        foreach ($config['filter']['rule'] as $idx => $rule) {
+            if (!is_array($rule)) {
+                continue;
+            }
            // calculate a hash for this area so we can track this rule, we should replace this
            // with uuid's on the rules like the new style models do eventually.
            $rule['label'] = OPNsense\Firewall\Util::calcRuleHash($rule);