From 3fc136b7bd921639a5271be3d5eb134ebc129bcc Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Tue, 21 Sep 2021 09:21:58 +0200 Subject: [PATCH] firewall: add automatic outbound NAT logging option This is largely for testing our NAT log patch, but might be useful for someone. Inline filterlog restart since it uses syslog() and does not need to be restarted when syslog settings change. --- src/etc/inc/filter.inc | 46 ++++++++++++++-------------------- src/www/diag_logs_settings.php | 13 ++++++++-- 2 files changed, 30 insertions(+), 29 deletions(-) diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc index 88a4434a9..f2945a92f 100644 --- a/src/etc/inc/filter.inc +++ b/src/etc/inc/filter.inc @@ -92,25 +92,6 @@ function filter_rules_sort() } } -function filter_pflog_start($verbose = false) -{ - if ($verbose) { - echo 'Starting PFLOG...'; - flush(); - } - - killbypid('/var/run/filterlog.pid', 'TERM', true); - - /* enable permanent promiscuous mode to avoid dmesg noise */ - mwexec('/sbin/ifconfig pflog0 promisc'); - - mwexec('/usr/local/sbin/filterlog -i pflog0 -p /var/run/filterlog.pid'); - - if ($verbose) { - echo "done.\n"; - } -} - function filter_configure() { /* @@ -282,12 +263,13 @@ function filter_configure_sync($verbose = false, $load_aliases = true) if (substr($ifcfg['if'], 0, 4) != 'ovpn' && !empty($ifcfg['gateway'])) { foreach (array(500, null) as $dstport) { $rule = array( - "interface" => $intf, - "dstport" => $dstport, - "staticnatport" => !empty($dstport), - "destination" => array("any" => true), - "ipprotocol" => 'inet', - "descr" => "Automatic outbound rule" + 'descr' => 'Automatic outbound rule', + 'destination' => array('any' => true), + 'dstport' => $dstport, + 'interface' => $intf, + 'ipprotocol' => 'inet', + 'log' => !empty($config['syslog']['logoutboundnat']), + 'staticnatport' => !empty($dstport), ); foreach ($intfv4 as $network) { $rule['source'] = array("network" => $network); 
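Review bot: The new `'log' => !empty($config['syslog']['logoutboundnat'])` entry in the automatic outbound rule reads `$config` directly, which only works if filter_configure_sync() has imported it with `global $config;`; the function header lies outside this hunk, so please confirm that it does. Requoting and alphabetising the six existing keys in the same hunk hides the one functional line in blame — keeping the original order and adding just the `'log'` line would make the change self-evident. A short why-comment above the array, e.g. `/* mirror the 'log outbound NAT' syslog setting onto the generated rule */`, would also help, since nothing else in the file section explains why a rule attribute depends on the syslog config section.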
@@ -544,10 +526,20 @@ function filter_configure_sync($verbose = false, $load_aliases = true) } if ($verbose) { - echo "done.\n"; + echo '.'; + flush(); } - filter_pflog_start($verbose); + /* enable permanent promiscuous mode to avoid dmesg noise */ + mwexec('/sbin/ifconfig pflog0 promisc'); + + /* bring up new instance of filterlog to load new rules */ + killbypid('/var/run/filterlog.pid', 'TERM', true); + mwexec('/usr/local/sbin/filterlog -i pflog0 -p /var/run/filterlog.pid'); + + if ($verbose) { + echo "done.\n"; + } unlock($filterlck); } diff --git a/src/www/diag_logs_settings.php b/src/www/diag_logs_settings.php index 9df516a08..866f8c1da 100644 --- a/src/www/diag_logs_settings.php +++ b/src/www/diag_logs_settings.php @@ -65,6 +65,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { $pconfig['logdefaultpass'] = empty($config['syslog']['nologdefaultpass']); $pconfig['logbogons'] = empty($config['syslog']['nologbogons']); $pconfig['logprivatenets'] = empty($config['syslog']['nologprivatenets']); + $pconfig['logoutboundnat'] = !empty($config['syslog']['logoutboundnat']); $pconfig['loglighttpd'] = empty($config['syslog']['nologlighttpd']); $pconfig['disablelocallogging'] = isset($config['syslog']['disablelocallogging']); } elseif ($_SERVER['REQUEST_METHOD'] === 'POST') { 
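Review bot: Removing filter_pflog_start() and inlining its body here breaks any remaining caller of the old name outside these two files, and the diffstat shows only filter.inc and diag_logs_settings.php were touched; a grep for `filter_pflog_start` before merging would settle whether boot or rc scripts still use it. Since this inlined sequence is now the only place filterlog is started, the comment `/* bring up new instance of filterlog to load new rules */` should say so, e.g. `/* filterlog is only (re)started here; the separate start helper was removed */`. The killbypid() call presumably waits for the old instance to exit before the new one is spawned (third argument `true`), but that is inferred from the call shape rather than visible here. filter_configure_sync() starts outside the hunk.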
@@ -110,10 +111,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { $oldnologbogons = isset($config['syslog']['nologbogons']); $oldnologprivatenets = isset($config['syslog']['nologprivatenets']); $oldnologlighttpd = isset($config['syslog']['nologlighttpd']); + $oldlogoutboundnat = isset($config['syslog']['logoutboundnat']); $config['syslog']['nologdefaultblock'] = empty($pconfig['logdefaultblock']); $config['syslog']['nologdefaultpass'] = empty($pconfig['logdefaultpass']); $config['syslog']['nologbogons'] = empty($pconfig['logbogons']); $config['syslog']['nologprivatenets'] = empty($pconfig['logprivatenets']); + $config['syslog']['logoutboundnat'] = !empty($pconfig['logoutboundnat']); $config['syslog']['nologlighttpd'] = empty($pconfig['loglighttpd']); write_config(); @@ -123,6 +126,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { if (($oldnologdefaultblock !== isset($config['syslog']['nologdefaultblock'])) || ($oldnologdefaultpass !== isset($config['syslog']['nologdefaultpass'])) || ($oldnologbogons !== isset($config['syslog']['nologbogons'])) + || ($oldlogoutboundnat !== isset($config['syslog']['logoutboundnat'])) || ($oldnologprivatenets !== isset($config['syslog']['nologprivatenets']))) { filter_configure(); } @@ -134,8 +138,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { configd_run('webgui restart 2', true); $savemsg .= "
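Review bot: `$oldlogoutboundnat = isset($config['syslog']['logoutboundnat']);` captures key presence, but the assignment a few lines below always stores a bool via `!empty(...)`, so in memory the key is set afterwards whether the option is on or off; the comparison in the next hunk (`$oldlogoutboundnat !== isset(...)`) then fires filter_configure() on the first save regardless of the value and can miss a real toggle on later saves, unless write_config() reloads `$config` with false entries dropped — which is not visible here. Comparing the value instead of the key presence is robust either way: `$oldlogoutboundnat = !empty($config['syslog']['logoutboundnat']);` paired with `|| ($oldlogoutboundnat !== !empty($config['syslog']['logoutboundnat']))`. The existing nolog* flags use the same isset pattern, so the new flag copies a pre-existing convention rather than introducing it. The enclosing POST branch of the request handler starts before this hunk.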
" . gettext("WebGUI process is restarting."); } - - filter_pflog_start(); } } } @@ -261,6 +263,13 @@ $(document).ready(function() { + + + + /> + + +