From 1e948bfc2f7c69d064d19af5e4e376b143443baa Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Fri, 31 May 2024 19:08:40 +0200
Subject: [PATCH] filter: safeguard direct config reads when processing the ruleset. If someone manages to add a rule tag which isn't an array, boot will fail and manual intervention is needed. Arrays feeded by a model skip these records or present them as default ones.
---
 src/etc/inc/filter.inc | 8 ++++++--
 src/etc/inc/filter.lib.inc | 3 +++
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
index 6abd89314..1200b4e88 100644
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -202,7 +202,9 @@ function filter_configure_sync($verbose = false, $load_aliases = true)
 ) {
 if (!empty($config['nat']['outbound']['rule'])) {
 foreach ($config['nat']['outbound']['rule'] as $rule) {
- $fw->registerSNatRule(100, $rule);
+ if (is_array($rule)) {
+ $fw->registerSNatRule(100, $rule);
+ }
 }
 }
 }
@@ -259,7 +261,9 @@ function filter_configure_sync($verbose = false, $load_aliases = true)
 if (!empty($config['nat']['rule'])) {
 // register user forward rules
 foreach ($config['nat']['rule'] as $rule) {
- $fw->registerForwardRule(600, $rule);
+ if (is_array($rule)) {
+ $fw->registerForwardRule(600, $rule);
+ }
 }
 }
diff --git a/src/etc/inc/filter.lib.inc b/src/etc/inc/filter.lib.inc
index 3c5923202..f340d352b 100644
--- a/src/etc/inc/filter.lib.inc
+++ b/src/etc/inc/filter.lib.inc
@@ -614,6 +614,9 @@ function filter_core_rules_user($fw)
 if (isset($config['filter']['rule'])) {
 // register user rules
 foreach ($config['filter']['rule'] as $idx => $rule) {
+ if (!is_array($rule)) {
+ continue;
+ }
 // calculate a hash for this area so we can track this rule, we should replace this
 // with uuid's on the rules like the new style models do eventually.
 $rule['label'] = OPNsense\Firewall\Util::calcRuleHash($rule);
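Review bot: The new `is_array($rule)` guards in both filter_configure_sync hunks and the `continue` added in filter_core_rules_user drop a malformed rule entry silently, so a NAT or filter rule the administrator believes is active is simply not loaded and nothing in the logs says so. Since the intent is to keep boot going rather than to accept the entry as valid, each skip should leave a trace, e.g. `log_error(sprintf('skipping non-array rule entry (got %s)', gettype($rule)));` before the guard, and in filter_core_rules_user the loop key `$idx` is already at hand to identify which entry was skipped. The three guards also use two shapes (`if (is_array(...)) { … }` wrapping the register call versus `if (!is_array(...)) { continue; }`); using the `continue` form in all three loops keeps the existing register calls at their current indentation and reads the same everywhere. The bodies of filter_configure_sync and filter_core_rules_user continue outside these hunks.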