Firewall : Advanced - Add support for syncookies, closes https://github.com/opnsense/core/issues/5561

Ad Schellevis 2022-02-10 17:58:52 +01:00
parent 68e86cca21
commit 3ccd5dfca1
2 changed files with 98 additions and 0 deletions


@ -421,6 +421,14 @@ function filter_configure_sync($verbose = false, $load_aliases = true)
$limitrules .= "set timeout src.track {$config['system']['srctrack']}\n";
}
if (!empty($config['system']['syncookies'])) {
$arange = "";
if ($config['system']['syncookies'] == "adaptive") {
$arange = "(start {$config['system']['syncookies_adaptstart']}%, end {$config['system']['syncookies_adaptend']}%)";
}
$limitrules .= "set syncookies {$config['system']['syncookies']} {$arange}\n";
}
$rules = "{$limitrules}\n";
$rules .= "{$aliases} \n";
$rules .= filter_setup_logging_interfaces($cnfint);
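Review bot: The adaptive range is interpolated whenever `syncookies` is `adaptive`, even when `syncookies_adaptstart` or `syncookies_adaptend` is empty, which yields `set syncookies adaptive (start %, end %)` and an unloadable ruleset; the GUI validation in this commit does not reject the both-empty case, so this path is reachable from the form. I would only emit the range when both values are present, `if ($config['system']['syncookies'] == "adaptive" && !empty($config['system']['syncookies_adaptstart']) && !empty($config['system']['syncookies_adaptend'])) {`, and presumably pf then falls back to its built-in adaptive thresholds, which is worth confirming against pf.conf(5). Since these values go straight into the generated pf.conf, a defensive `(int)` cast on both thresholds at the point of interpolation would also keep a hand-edited config.xml from producing a syntax error. filter_configure_sync begins outside the hunk.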


@ -60,6 +60,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig['enablenatreflectionhelper'] = isset($config['system']['enablenatreflectionhelper']) ? $config['system']['enablenatreflectionhelper'] : null;
$pconfig['bypassstaticroutes'] = isset($config['filter']['bypassstaticroutes']);
$pconfig['ip_change_kill_states'] = isset($config['system']['ip_change_kill_states']);
$pconfig['syncookies'] = isset($config['system']['syncookies']) ? $config['system']['syncookies'] : null;
$pconfig['syncookies_adaptstart'] = isset($config['system']['syncookies_adaptstart']) ? $config['system']['syncookies_adaptstart'] : null;
$pconfig['syncookies_adaptend'] = isset($config['system']['syncookies_adaptend']) ? $config['system']['syncookies_adaptend'] : null;
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
$pconfig = $_POST;
$input_errors = array();
@ -86,6 +89,24 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
if (!empty($pconfig['maximumtableentries']) && !is_numericint($pconfig['maximumtableentries'])) {
$input_errors[] = gettext("The Firewall Maximum Table Entries value must be an integer.");
}
if (!empty($pconfig['syncookies'])) {
if (!in_array($pconfig['syncookies'], ['always', 'adaptive'])) {
$input_errors[] = sprintf(gettext("Unknown syncookie type %s.", $pconfig['syncookies']));
}
if ((empty($pconfig['syncookies_adaptstart']) && !empty($pconfig['syncookies_adaptstart'])) || (!empty($pconfig['syncookies_adaptstart']) && empty($pconfig['syncookies_adaptend']))) {
$input_errors[] = gettext("Syncookie Adaptive values must be set together.");
}
if (!empty($pconfig['syncookies_adaptstart']) && !is_numericint($pconfig['syncookies_adaptstart'])) {
$input_errors[] = gettext("Syncookie Adaptive Start value must be an integer.");
}
if (!empty($pconfig['syncookies_adaptend']) && !is_numericint($pconfig['syncookies_adaptend'])) {
$input_errors[] = gettext("Syncookie Adaptive End value must be an integer.");
}
if (!empty($pconfig['syncookies_adaptend']) && !empty($pconfig['syncookies_adaptstart']) && $pconfig['syncookies_adaptstart'] < $pconfig['syncookies_adaptend']) {
$input_errors[] = gettext("Syncookie Adaptive Start must be a higher value than End.");
}
}
if (count($input_errors) == 0) {
if (!empty($pconfig['pf_share_forward'])) {
$config['system']['pf_share_forward'] = true;
@ -211,6 +232,16 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
unset($config['system']['ip_change_kill_states']);
}
if (!empty($pconfig['syncookies'])) {
$config['system']['syncookies'] = $pconfig['syncookies'];
$config['system']['syncookies_adaptstart'] = $pconfig['syncookies_adaptstart'];
$config['system']['syncookies_adaptend'] = $pconfig['syncookies_adaptend'];
} else {
unset($config['system']['syncookies']);
unset($config['system']['syncookies_adaptstart']);
unset($config['system']['syncookies_adaptend']);
}
write_config();
$savemsg = get_std_save_message();
@ -228,6 +259,14 @@ include("head.inc");
<script>
$( document ).ready(function() {
window_highlight_table_option();
$("#syncookies").change(function(){
if ($(this).val() == 'adaptive') {
$("#syncookies_adaptive").show();
} else {
$("#syncookies_adaptive").hide();
}
});
$("#syncookies").change();
});
</script>
<body>
@ -641,6 +680,57 @@ include("head.inc");
</tr>
</table>
</div>
<div class="content-box tab-content table-responsive __mb">
<table class="table table-striped opnsense_standard_table_form">
<tr>
<td style="width:22%"><strong><?= gettext('Anti DDOS') ?></strong></td>
<td style="width:78%"></td>
</tr>
<tr>
<td><a id="help_for_syncookies" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Enable syncookies");?></td>
<td>
<select name="syncookies" id="syncookies" class="selectpicker">
<option value="" <?= empty($pconfig['syncookies']) ? "selected=\"selected\"" : ""; ?>>
<?=gettext("never (default)");?>
</option>
<option value="always" <?=$pconfig['syncookies']=="always" ? "selected=\"selected\"" : ""; ?>>
<?=gettext("always");?>
</option>
<option value="adaptive" <?=$pconfig['syncookies']=="adaptive" ? "selected=\"selected\"" : ""; ?>>
<?=gettext("adaptive");?>
</option>
</select>
<div id="syncookies_adaptive">
<br/>
<table class="table table-condensed" style="width:348px;">
<thead>
<tr>
<th colspan="2"><?=gettext("Statetable usage");?><th>
</tr>
<tr>
<th><?=gettext("Start (%)");?></th>
<th><?=gettext("End (%)");?></th>
</tr>
</thead>
<tbody>
<tr>
<td>
<input name="syncookies_adaptstart" type="text" value="<?=$pconfig['syncookies_adaptstart']; ?>" />
</td>
<td>
<input name="syncookies_adaptend" type="text" value="<?=$pconfig['syncookies_adaptend']; ?>" />
</td>
</tr>
</tbody>
</table>
</div>
<div class="hidden" data-for="help_for_syncookies">
<?=gettext("When syncookies are active, pf will answer each incoming TCP SYN with a syncookie SYNACK, without allocating any resources.");?>
</div>
</td>
</tr>
</table>
</div>
<div class="content-box tab-content table-responsive">
<table class="table table-striped opnsense_standard_table_form">
<tr>
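Review bot: In the validation hunk (@ -86,6 +89,24) the unknown-type error is built as `sprintf(gettext("Unknown syncookie type %s.", $pconfig['syncookies']))`, so the value is passed to gettext instead of sprintf and sprintf receives a `%s` format with no argument, which on PHP 8 raises ArgumentCountError rather than reporting the input error; it should read `$input_errors[] = sprintf(gettext("Unknown syncookie type %s."), $pconfig['syncookies']);`. Two lines further down the "must be set together" check compares `syncookies_adaptstart` with itself in its first clause, `empty(...adaptstart) && !empty(...adaptstart)`, which is always false, so an empty start with a set end passes validation; the intended form is `if ((empty($pconfig['syncookies_adaptstart']) && !empty($pconfig['syncookies_adaptend'])) || (!empty($pconfig['syncookies_adaptstart']) && empty($pconfig['syncookies_adaptend']))) {`. Neither check rejects the case where mode is adaptive and both thresholds are empty, nor values outside 0–100, both of which the generated pf.conf in the other file depends on. The `syncookies_adaptstart`/`syncookies_adaptend` inputs in the form hunk are echoed from `$pconfig` (which is `$_POST` on a failed save) without `htmlspecialchars()`, unlike the rest of the page's inputs, and the `<th colspan="2">` in that table is closed with `<th>` instead of `</th>`.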