lucaspalomodevelop/core
1
0
Fork 0
mirror of https://github.com/lucaspalomodevelop/core.git synced 2026-03-19 19:15:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

src: style sweep on filter.lib.inc

Browse Source 
authgui.inc is the last file, it has a number of issues to be
looked at manually later on.
This commit is contained in:
Franco Fichtner 2019-05-07 07:58:54 +02:00
parent cce8982e22
commit 461508544d
1 changed files with 168 additions and 128 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

296
src/etc/inc/filter.lib.inc
View File

@ -147,7 +147,7 @@ function filter_core_get_antilockout()
* @return array containing ports
* @throws \OPNsense\Base\ModelException
*/
function filter_core_get_port_alias($aliasname, $aliases=array())
function filter_core_get_port_alias($aliasname, $aliases = array())
{
$response = array();
$aliases[] = $aliasname;
@ -163,7 +163,7 @@ function filter_core_get_port_alias($aliasname, $aliases=array())
}
}
} elseif ((is_port($address) || is_portrange($address)) && !in_array($address, $response)) {
$response[] = $address ;
$response[] = $address;
}
}
}
@ -205,70 +205,80 @@ function filter_core_rules_system($fw, $defaults)
global $config;
// block All IPv6 except loopback traffic
$fw->registerFilterRule(1,
array('interface' => 'loopback', 'ipprotocol'=>'inet6', 'disabled' => isset($config['system']['ipv6allow']),
$fw->registerFilterRule(
1,
array('interface' => 'loopback', 'ipprotocol'=>'inet6', 'disabled' => isset($config['system']['ipv6allow']),
'descr' => 'Pass all loopback IPv6', '#ref' => 'system_advanced_firewall.php#ipv6allow'),
$defaults['pass']
$defaults['pass']
);
$fw->registerFilterRule(1,
array('ipprotocol'=>'inet6','descr' => 'Block all IPv6', 'disabled' => isset($config['system']['ipv6allow']),
$fw->registerFilterRule(
1,
array('ipprotocol'=>'inet6','descr' => 'Block all IPv6', 'disabled' => isset($config['system']['ipv6allow']),
'#ref' => 'system_advanced_firewall.php#ipv6allow'),
$defaults['block']
$defaults['block']
);
// default Deny rule (when no other rules match)
$fw->registerFilterRule(1,
array('ipprotocol'=>'inet46', 'descr' => 'Default deny rule', 'quick' => false),
$defaults['block']
$fw->registerFilterRule(
1,
array('ipprotocol'=>'inet46', 'descr' => 'Default deny rule', 'quick' => false),
$defaults['block']
);
// IPv6 ICMP requirements
$fw->registerFilterRule(1,
array('ipprotocol'=>'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '1,2,135,136',
$fw->registerFilterRule(
1,
array('ipprotocol'=>'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '1,2,135,136',
'statetype' => 'keep', 'descr' => 'IPv6 requirements (ICMP)'),
$defaults['pass']
$defaults['pass']
);
// Allow only bare essential icmpv6 packets
$fw->registerFilterRule(1,
array('ipprotocol'=>'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '129,133,134,135,136',
$fw->registerFilterRule(
1,
array('ipprotocol'=>'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '129,133,134,135,136',
'statetype' => 'keep', 'descr' => 'IPv6 requirements (ICMP)', 'from' => '(self)',
'to' => 'fe80::/10,ff02::/16', 'direction' => 'out' ),
$defaults['pass']
$defaults['pass']
);
$fw->registerFilterRule(1,
array('ipprotocol'=>'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '128,133,134,135,136',
$fw->registerFilterRule(
1,
array('ipprotocol'=>'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '128,133,134,135,136',
'statetype' => 'keep', 'descr' => 'IPv6 requirements (ICMP)', 'from' => 'fe80::/10',
'to' => 'fe80::/10,ff02::/16', 'direction' => 'in' ),
$defaults['pass']
$defaults['pass']
);
$fw->registerFilterRule(1,
array('ipprotocol'=>'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '128,133,134,135,136',
$fw->registerFilterRule(
1,
array('ipprotocol'=>'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '128,133,134,135,136',
'statetype' => 'keep', 'descr' => 'IPv6 requirements (ICMP)', 'from' => 'ff02::/16',
'to' => 'fe80::/10', 'direction' => 'in' ),
$defaults['pass']
$defaults['pass']
);
// block all targetting port 0
foreach (array('from_port', 'to_port') as $target) {
$fw->registerFilterRule(1,
array('ipprotocol'=>'inet46', 'protocol' => 'tcp/udp', $target => '0',
$fw->registerFilterRule(
1,
array('ipprotocol'=>'inet46', 'protocol' => 'tcp/udp', $target => '0',
'descr' => 'block all targetting port 0'),
$defaults['block']
$defaults['block']
);
}
// CARP defaults
$carp_disabled = empty($config['hasync']) && empty($config['virtualip']['vip']);
$fw->registerFilterRule(1,
array('protocol' => 'carp', 'descr' => 'CARP defaults', 'ref#' => 'system_hasync.php',
$fw->registerFilterRule(
1,
array('protocol' => 'carp', 'descr' => 'CARP defaults', 'ref#' => 'system_hasync.php',
'from' => '(self)', 'direction' => 'in', 'disabled' => !$carp_disabled),
$defaults['block']
$defaults['block']
);
$fw->registerFilterRule(1,array('protocol' => 'carp'),$defaults['pass']);
$fw->registerFilterRule(1, array('protocol' => 'carp'), $defaults['pass']);
// Lockout rules
$fw->registerFilterRule(1,
array('protocol' => 'tcp', 'from' => '<sshlockout>', 'to' => '(self)' , 'descr' => 'sshlockout', 'direction' => 'in',
$fw->registerFilterRule(
1,
array('protocol' => 'tcp', 'from' => '<sshlockout>', 'to' => '(self)' , 'descr' => 'sshlockout', 'direction' => 'in',
'to_port' => !empty($config['system']['ssh']['port']) ? $config['system']['ssh']['port'] : 22),
$defaults['block']
$defaults['block']
);
$webport = '443';
if (!empty($config['system']['webgui']['port'])) {
@ -276,14 +286,15 @@ function filter_core_rules_system($fw, $defaults)
} elseif ($config['system']['webgui']['protocol'] == 'http') {
$webport = '80';
}
$fw->registerFilterRule(1,
array('protocol' => 'tcp', 'from' => '<webConfiguratorlockout>', 'to' => '(self)' , 'descr' => 'webConfiguratorlockout',
$fw->registerFilterRule(
1,
array('protocol' => 'tcp', 'from' => '<webConfiguratorlockout>', 'to' => '(self)' , 'descr' => 'webConfiguratorlockout',
'direction' => 'in','to_port' => $webport),
$defaults['block']
$defaults['block']
);
// block all in alias <virusprot>
$fw->registerFilterRule(1,array('from' => '<virusprot>', 'descr' => 'virusprot overload table'),$defaults['block']);
$fw->registerFilterRule(1, array('from' => '<virusprot>', 'descr' => 'virusprot overload table'), $defaults['block']);
// block bogons and private nets
$bogontmpl = array('type' => 'block', 'log' => !isset($config['syslog']['nologbogons']), 'disablereplyto' => 1);
@ -291,33 +302,37 @@ function filter_core_rules_system($fw, $defaults)
'from' => '10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16',
'disablereplyto' => 1);
foreach ($fw->getInterfaceMapping() as $intf => $intfinfo) {
$fw->registerFilterRule(5,
array('from' => "<bogons>", 'direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet',
$fw->registerFilterRule(
5,
array('from' => "<bogons>", 'direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet',
'descr' => "Block bogon IPv4 networks from ".$intfinfo['descr'],
'#ref' => "interfaces.php?if=" . $intf . "#blockbogons",
'disabled' => !isset($intfinfo['blockbogons'])),
$bogontmpl
$bogontmpl
);
$fw->registerFilterRule(5,
array('from' => "<bogonsv6>", 'direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet6',
$fw->registerFilterRule(
5,
array('from' => "<bogonsv6>", 'direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet6',
'disabled' => !isset($config['system']['ipv6allow']) || !isset($intfinfo['blockbogons']),
'#ref' => "interfaces.php?if=" . $intf . "#blockbogons",
'descr' => "Block bogon IPv6 networks from ".$intfinfo['descr']),
$bogontmpl
$bogontmpl
);
$fw->registerFilterRule(5,
array('direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet',
$fw->registerFilterRule(
5,
array('direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet',
'#ref' => "interfaces.php?if=" . $intf . "#blockpriv",
'descr' => "Block private networks from ".$intfinfo['descr'],
'disabled' => !isset($intfinfo['blockpriv'])),
$privtmpl
$privtmpl
);
$fw->registerFilterRule(5,
array('direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet6',
$fw->registerFilterRule(
5,
array('direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet6',
'#ref' => "interfaces.php?if=" . $intf . "#blockpriv",
'descr' => "Block private networks from ".$intfinfo['descr'], 'from' => 'fc00::/7',
'disabled' => !isset($intfinfo['blockpriv'])),
$privtmpl
$privtmpl
);
}
@ -325,17 +340,19 @@ function filter_core_rules_system($fw, $defaults)
foreach ($fw->getInterfaceMapping() as $intf => $intfinfo) {
// allow DHCPv6 client out, before adding bogons (sequence 1, bogons @ 5)
if (isset($config['system']['ipv6allow']) && in_array($intfinfo['ipaddrv6'], array("slaac","dhcp6"))) {
$fw->registerFilterRule(1,
array('protocol' => 'udp', 'from' => 'fe80::/10', 'from_port' => 546, 'to' => 'fe80::/10',
$fw->registerFilterRule(
1,
array('protocol' => 'udp', 'from' => 'fe80::/10', 'from_port' => 546, 'to' => 'fe80::/10',
'interface' => $intf, 'to_port' => 546, 'descr' =>'allow dhcpv6 client in ' . $intfinfo['descr'],
'#ref' => 'system_advanced_firewall.php#ipv6allow'),
$defaults['pass']
$defaults['pass']
);
$fw->registerFilterRule(1,
array('protocol' => 'udp', 'from_port' => 547,'to_port' => 546, 'direction' => 'in',
$fw->registerFilterRule(
1,
array('protocol' => 'udp', 'from_port' => 547,'to_port' => 546, 'direction' => 'in',
'interface' => $intf, 'descr' =>'allow dhcpv6 client in ' . $intfinfo['descr'],
'#ref' => 'system_advanced_firewall.php#ipv6allow'),
$defaults['pass']
$defaults['pass']
);
$dhcpv6_opts = array(
'descr' => 'allow dhcpv6 client in ' . $intfinfo['descr'],
@ -354,150 +371,170 @@ function filter_core_rules_system($fw, $defaults)
// IPv4
switch (empty($intfinfo['ipaddr']) ? "" : $intfinfo['ipaddr']) {
case "pptp":
$fw->registerFilterRule(5,
array('protocol' => 'tcp','to_port' => 1723, 'direction' => 'in', 'statetype' => 'modulate', 'quick' => false,
$fw->registerFilterRule(
5,
array('protocol' => 'tcp','to_port' => 1723, 'direction' => 'in', 'statetype' => 'modulate', 'quick' => false,
'#ref' => "interfaces.php?if=" . $intf . "#type",
'interface' => $intf, 'flags' => 'S/SA', 'descr' =>'allow PPTP client on ' . $intfinfo['descr']),
$defaults['pass']
$defaults['pass']
);
$fw->registerFilterRule(5,
array('protocol' => 'gre', 'direction' => 'in', 'statetype' => 'keep', 'quick' => false,
$fw->registerFilterRule(
5,
array('protocol' => 'gre', 'direction' => 'in', 'statetype' => 'keep', 'quick' => false,
'#ref' => "interfaces.php?if=" . $intf . "#type",
'interface' => $intf, 'descr' =>'allow PPTP client on ' . $intfinfo['descr']),
$defaults['pass']
$defaults['pass']
);
break;
case "dhcp":
$fw->registerFilterRule(5,
array('protocol' => 'udp', 'direction' => 'in', 'quick' => false, 'from_port' => 67, 'to_port' => 68,
$fw->registerFilterRule(
5,
array('protocol' => 'udp', 'direction' => 'in', 'quick' => false, 'from_port' => 67, 'to_port' => 68,
'#ref' => "interfaces.php?if=" . $intf . "#type",
'interface' => $intf, 'descr' =>'allow DHCP client on ' . $intfinfo['descr']),
$defaults['pass']
$defaults['pass']
);
$fw->registerFilterRule(5,
array('protocol' => 'udp', 'direction' => 'out', 'quick' => false, 'from_port' => 68, 'to_port' => 67,
$fw->registerFilterRule(
5,
array('protocol' => 'udp', 'direction' => 'out', 'quick' => false, 'from_port' => 68, 'to_port' => 67,
'#ref' => "interfaces.php?if=" . $intf . "#type",
'interface' => $intf, 'descr' =>'allow DHCP client on ' . $intfinfo['descr']),
$defaults['pass']
$defaults['pass']
);
break;
default:
if (isset($config['dhcpd'][$intf]['enable'])) {
$fw->registerFilterRule(5,
array('protocol' => 'udp', 'direction' => 'in', 'from_port' => 68, 'to' => '255.255.255.255',
$fw->registerFilterRule(
5,
array('protocol' => 'udp', 'direction' => 'in', 'from_port' => 68, 'to' => '255.255.255.255',
'#ref' => "services_dhcp.php?if=" . $intf . "#enable",
'to_port' => 67, 'interface' => $intf, 'descr' =>'allow access to DHCP server'),
$defaults['pass']
$defaults['pass']
);
$fw->registerFilterRule(5,
array('protocol' => 'udp', 'direction' => 'in', 'from_port' => 68, 'to' => '(self)',
$fw->registerFilterRule(
5,
array('protocol' => 'udp', 'direction' => 'in', 'from_port' => 68, 'to' => '(self)',
'#ref' => "services_dhcp.php?if=" . $intf . "#enable",
'to_port' => 67, 'interface' => $intf, 'descr' =>'allow access to DHCP server'),
$defaults['pass']
$defaults['pass']
);
$fw->registerFilterRule(5,
array('protocol' => 'udp', 'direction' => 'out', 'from_port' => 67, 'from' => '(self)',
$fw->registerFilterRule(
5,
array('protocol' => 'udp', 'direction' => 'out', 'from_port' => 67, 'from' => '(self)',
'#ref' => "services_dhcp.php?if=" . $intf . "#enable",
'to_port' => 68, 'interface' => $intf, 'descr' =>'allow access to DHCP server'),
$defaults['pass']
$defaults['pass']
);
if (!empty($config['dhcpd'][$intf]['failover_peerip'])) {
$fw->registerFilterRule(5,
array('protocol' => 'tcp/udp', 'direction' => 'in', 'to' => '(self)', 'to_port' => '519,520',
$fw->registerFilterRule(
5,
array('protocol' => 'tcp/udp', 'direction' => 'in', 'to' => '(self)', 'to_port' => '519,520',
'#ref' => "services_dhcp.php?if=" . $intf . "#failover_peerip",
'from' => $config['dhcpd'][$intf]['failover_peerip'],
'interface' => $intf, 'descr' =>'allow access to DHCP failover'),
$defaults['pass']
$defaults['pass']
);
}
}
break;
}
// IPv6
switch(isset($intfinfo['ipaddrv6']) ? $intfinfo['ipaddrv6'] : null ) {
switch (isset($intfinfo['ipaddrv6']) ? $intfinfo['ipaddrv6'] : null) {
case "6rd":
$fw->registerFilterRule(5,
array('protocol' => '41', 'direction' => 'in', 'from' => $config['interfaces'][$intf]['gateway-6rd'],
$fw->registerFilterRule(
5,
array('protocol' => '41', 'direction' => 'in', 'from' => $config['interfaces'][$intf]['gateway-6rd'],
'#ref' => "interfaces.php?if=" . $intf . "#type6",
'quick'=>false, 'interface' => $intf, 'descr' =>'Allow 6in4 traffic in for 6rd on '.$intfinfo['descr']),
$defaults['pass']
$defaults['pass']
);
$fw->registerFilterRule(5,
array('protocol' => '41', 'direction' => 'out', 'to' => $config['interfaces'][$intf]['gateway-6rd'],
$fw->registerFilterRule(
5,
array('protocol' => '41', 'direction' => 'out', 'to' => $config['interfaces'][$intf]['gateway-6rd'],
'#ref' => "interfaces.php?if=" . $intf . "#type6",
'quick'=>false, 'interface' => $intf, 'descr' =>'Allow 6in4 traffic out for 6rd on '.$intfinfo['descr']),
$defaults['pass']
$defaults['pass']
);
break;
case "6to4":
$fw->registerFilterRule(5,
array('protocol' => '41', 'direction' => 'in', 'to' => '(self)','interface' => $intf,
$fw->registerFilterRule(
5,
array('protocol' => '41', 'direction' => 'in', 'to' => '(self)','interface' => $intf,
'#ref' => "interfaces.php?if=" . $intf . "#type6",
'quick'=>false, 'descr' =>'Allow 6in4 traffic in for 6to4 on '.$intfinfo['descr']),
$defaults['pass']
$defaults['pass']
);
$fw->registerFilterRule(5,
array('protocol' => '41', 'direction' => 'out', 'from' => '(self)','interface' => $intf,
$fw->registerFilterRule(
5,
array('protocol' => '41', 'direction' => 'out', 'from' => '(self)','interface' => $intf,
'#ref' => "interfaces.php?if=" . $intf . "#type6",
'quick'=>false, 'descr' =>'Allow 6in4 traffic out for 6to4 on '.$intfinfo['descr']),
$defaults['pass']
$defaults['pass']
);
break;
default:
if (isset($config['dhcpdv6'][$intf]['enable']) || isset($intfinfo['track6-interface'])
if (isset($config['dhcpdv6'][$intf]['enable']) || isset($intfinfo['track6-interface'])
|| (!empty($config['dhcrelay6']['interface']) && in_array($intf, explode(',', $config['dhcrelay6']['interface'])))) {
$fw->registerFilterRule(1,
array('protocol' => 'udp','ipprotocol' => 'inet6', 'from' => 'fe80::/10', 'to' => 'fe80::/10,ff02::/16',
$fw->registerFilterRule(
1,
array('protocol' => 'udp','ipprotocol' => 'inet6', 'from' => 'fe80::/10', 'to' => 'fe80::/10,ff02::/16',
'to_port' => 546, 'interface' => $intf,
'descr' =>'allow access to DHCPv6 server on '.$intfinfo['descr']),
$defaults['pass']
$defaults['pass']
);
$fw->registerFilterRule(1,
array('protocol' => 'udp','ipprotocol' => 'inet6', 'from' => 'fe80::/10', 'to' => 'ff02::/16',
$fw->registerFilterRule(
1,
array('protocol' => 'udp','ipprotocol' => 'inet6', 'from' => 'fe80::/10', 'to' => 'ff02::/16',
'to_port' => 547, 'interface' => $intf,
'descr' =>'allow access to DHCPv6 server on '.$intfinfo['descr']),
$defaults['pass']
);
$fw->registerFilterRule(1,
array('protocol' => 'udp','ipprotocol' => 'inet6', 'from' => 'ff02::/16', 'to' => 'fe80::/10',
$defaults['pass']
);
$fw->registerFilterRule(
1,
array('protocol' => 'udp','ipprotocol' => 'inet6', 'from' => 'ff02::/16', 'to' => 'fe80::/10',
'to_port' => 547, 'interface' => $intf,
'descr' =>'allow access to DHCPv6 server on '.$intfinfo['descr']),
$defaults['pass']
);
$fw->registerFilterRule(1,
array('protocol' => 'udp','ipprotocol' => 'inet6', 'from' => 'fe80::/10', 'to' => '(self)',
$defaults['pass']
);
$fw->registerFilterRule(
1,
array('protocol' => 'udp','ipprotocol' => 'inet6', 'from' => 'fe80::/10', 'to' => '(self)',
'to_port' => 546, 'interface' => $intf, 'direction' => 'in',
'descr' =>'allow access to DHCPv6 server on '.$intfinfo['descr']),
$defaults['pass']
);
$fw->registerFilterRule(1,
array('protocol' => 'udp','ipprotocol' => 'inet6', 'from' => '(self)', 'to' => 'fe80::/10',
$defaults['pass']
);
$fw->registerFilterRule(
1,
array('protocol' => 'udp','ipprotocol' => 'inet6', 'from' => '(self)', 'to' => 'fe80::/10',
'from_port' => 547, 'interface' => $intf, 'direction' => 'out',
'descr' =>'allow access to DHCPv6 server on '.$intfinfo['descr']),
$defaults['pass']
);
$defaults['pass']
);
}
break;
}
}
// loopback
$fw->registerFilterRule(5,array('interface' => 'loopback', 'descr' =>'pass loopback'),$defaults['pass']);
$fw->registerFilterRule(5, array('interface' => 'loopback', 'descr' =>'pass loopback'), $defaults['pass']);
// out from this Firewall
$fw->registerFilterRule(5,array('direction' => 'out', 'statetype' =>'keep', 'allowopts' => true,
'quick' => false, "descr" => "let out anything from firewall host itself"),
$fw->registerFilterRule(
5,
array('direction' => 'out', 'statetype' =>'keep', 'allowopts' => true,
'quick' => false, "descr" => "let out anything from firewall host itself"),
$defaults['pass']
);
// ipsec
if (!empty(iterator_to_array($fw->getInterfaceMapping())['enc0'])) {
$fw->registerFilterRule(5,
array('direction' => 'out', 'statetype' => 'keep', 'quick' => false, 'interface' => 'enc0',
$fw->registerFilterRule(
5,
array('direction' => 'out', 'statetype' => 'keep', 'quick' => false, 'interface' => 'enc0',
'#ref' => 'vpn_ipsec.php#enable',
'descr' =>'IPsec internal host to host'),
$defaults['pass']
$defaults['pass']
);
}
foreach(filter_core_get_antilockout() as $lockoutif => $lockoutprts) {
foreach (filter_core_get_antilockout() as $lockoutif => $lockoutprts) {
$fw->registerFilterRule(
5,
array(
@ -517,15 +554,17 @@ function filter_core_rules_system($fw, $defaults)
// TODO: move to pptpd plugin when filter.lib.inc is part of the standard release
$pptpdcfg = $config['pptpd'];
if (isset($pptpdcfg['mode']) && $pptpdcfg['mode'] == 'server') {
$fw->registerFilterRule(5,
array('direction' => 'in', 'interface' => 'wan', 'statetype' => 'modulate','protocol' => 'tcp',
$fw->registerFilterRule(
5,
array('direction' => 'in', 'interface' => 'wan', 'statetype' => 'modulate','protocol' => 'tcp',
'to' => '(self)', 'to_port' => '1723', 'quick' => false, 'descr' =>'allow pptpd'),
$defaults['pass']
$defaults['pass']
);
$fw->registerFilterRule(5,
array('direction' => 'in', 'interface' => 'wan', 'statetype' => 'modulate',
$fw->registerFilterRule(
5,
array('direction' => 'in', 'interface' => 'wan', 'statetype' => 'modulate',
'protocol' => 'gre', 'descr' =>'allow pptpd', 'quick' => false),
$defaults['pass']
$defaults['pass']
);
}
@ -546,15 +585,16 @@ function filter_core_rules_system($fw, $defaults)
// only try to add gateway rules for traffic leaving this interface
// when the correct protocol is assigned to the interface
if (($gwproto == 'inet' && $intf_has_v4) || ($gwproto == 'inet6' && $intf_has_v6)) {
$fw->registerFilterRule(100000,
array('from' => $ifcfg['if'], 'direction' => 'out', 'gateway' => $gwname,
$fw->registerFilterRule(
100000,
array('from' => $ifcfg['if'], 'direction' => 'out', 'gateway' => $gwname,
'destination' => array('network'=> $ifdescr, "not" => true),
'statetype' => 'keep',
'allowopts' => true,
'quick' => false,
'#ref' => 'system_advanced_firewall.php#pf_disable_force_gw',
'descr' => "let out anything from firewall host itself (force gw)"),
$defaults['pass']
$defaults['pass']
);
}
}