(filter) move out some more static rules

2026-03-16 01:24:38 +00:00 · 2016-10-31 19:03:07 +01:00 · 2016-10-31 19:03:07 +01:00 · 5319b8e53b
commit 5319b8e53b
parent 700e351477
3 changed files with 41 additions and 28 deletions
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@ -2503,27 +2503,6 @@ function filter_rules_generate(&$FilterIflist)
    $log['pass'] = !isset($config['syslog']['nologdefaultpass']) ? "log" : "";

    $ipfrules .= <<<EOD
-
-
-# IPv6 ICMP is not auxilary, it is required for operation
-# See man icmp6(4)
-# 1    unreach         Destination unreachable
-# 2    toobig          Packet too big
-# 128  echoreq         Echo service request
-# 129  echorep         Echo service reply
-# 133  routersol       Router solicitation
-# 134  routeradv       Router advertisement
-# 135  neighbrsol      Neighbor solicitation
-# 136  neighbradv      Neighbor advertisement
-pass {$log['pass']} quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136}  keep state
-
-# Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
-pass out {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136}  keep state
-pass out {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136}  keep state
-pass in {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136}  keep state
-pass in {$log['pass']} quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136}  keep state
-pass in {$log['pass']} quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136}  keep state
-
 # We use the mighty pf, we cannot be fooled.
 block {$log['block']} quick inet proto { tcp, udp } from any port = 0 to any
 block {$log['block']} quick inet proto { tcp, udp } from any to any port = 0
--- a/src/etc/inc/filter.lib.inc
+++ b/src/etc/inc/filter.lib.inc
@ -62,4 +62,31 @@ function filter_core_rules_system($fw, $defaults)
      array('ipprotocol'=>'inet46', 'label' => 'Default deny rule', 'quick' => false),
      $defaults['block']
    );
+
+    // IPv6 ICMP requirements
+    $fw->registerFilterRule(1,
+      array('ipprotocol'=>'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '1,2,135,136',
+            'statetype' => 'keep', 'label' => 'IPv6 requirements (ICMP)'),
+      $defaults['pass']
+    );
+    // Allow only bare essential icmpv6 packets
+    $fw->registerFilterRule(1,
+      array('ipprotocol'=>'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '129,133,134,135,136',
+            'statetype' => 'keep', 'label' => 'IPv6 requirements (ICMP)', 'from' => 'fe80::/10',
+            'to' => 'fe80::/10,ff02::/16', 'direction' => 'out' ),
+      $defaults['pass']
+    );
+    $fw->registerFilterRule(1,
+      array('ipprotocol'=>'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '128,133,134,135,136',
+            'statetype' => 'keep', 'label' => 'IPv6 requirements (ICMP)', 'from' => 'fe80::/10',
+            'to' => 'fe80::/10,ff02::/16', 'direction' => 'in' ),
+      $defaults['pass']
+    );
+    $fw->registerFilterRule(1,
+      array('ipprotocol'=>'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '128,133,134,135,136',
+            'statetype' => 'keep', 'label' => 'IPv6 requirements (ICMP)', 'from' => 'ff02::/16',
+            'to' => 'fe80::/10', 'direction' => 'in' ),
+      $defaults['pass']
+    );
+
 }
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
@ -41,14 +41,15 @@ class FilterRule
    private $procorder = array(
        'disabled' => 'parseIsComment',
        'type' => 'parseType',
+        'direction' => 'parseReplaceSimple,any:',
        'log' => 'parseBool,log',
        'quick' => 'parseBool,quick',
        'interface' => 'parseInterface',
        'ipprotocol' => 'parsePlain',
-        'protocol' => 'parseReplaceSimple,tcp/udp:{tcp udp}',
-        'from' => 'parsePlain',
-        'to' => 'parsePlain',
-        'icmp6-type' => 'parsePlain,{,}',
+        'protocol' => 'parseReplaceSimple,tcp/udp:{tcp udp},proto ',
+        'from' => 'parsePlain,from {,}',
+        'to' => 'parsePlain,to {,}',
+        'icmp6-type' => 'parsePlain,icmp6-type {,}',
        'state' => 'parseState',
        'label' => 'parsePlain,label ","'
    );
@ -79,15 +80,21 @@ class FilterRule
     * @param string $map
     * @return string
     */
-    private function parseReplaceSimple($value, $map)
+    private function parseReplaceSimple($value, $map, $prefix="", $suffix="")
    {
+        $retval = $value;
        foreach (explode('|', $map) as $item) {
            $tmp = explode(':', $item);
            if ($tmp[0] == $value) {
-                return $tmp[1] . " ";
+                $retval = $tmp[1] . " ";
+                break;
            }
        }
-        return $value . " ";
+        if (!empty($retval)) {
+            return $prefix . $retval . $suffix . " ";
+        } else {
+            return "";
+        }
    }

    /**