diff --git a/src/etc/inc/filter.lib.inc b/src/etc/inc/filter.lib.inc index ac52eae38..7fdb10034 100644 --- a/src/etc/inc/filter.lib.inc +++ b/src/etc/inc/filter.lib.inc @@ -30,17 +30,17 @@ function filter_core_bootstrap($fw) { global $config; // set defaults - $filter_rule_defaults = array(); - $filter_rule_defaults['pass'] = array( + $filter_rule_defaults = []; + $filter_rule_defaults['pass'] = [ "type" => "pass", "log" => !isset($config['syslog']['nologdefaultpass']), "disablereplyto" => 1 // don't generate "reply-to" tags on internal rules by default - ); - $filter_rule_defaults['block'] = array( + ]; + $filter_rule_defaults['block'] = [ "type" => "block", "log" => !isset($config['syslog']['nologdefaultblock']), "disablereplyto" => 1 // don't generate "reply-to" tags on internal rules by default - ); + ]; // setup system filter rules filter_core_rules_system($fw, $filter_rule_defaults); @@ -56,7 +56,7 @@ function filter_core_get_initialized_plugin_system() $fw = new \OPNsense\Firewall\Plugin(); $ifdetails = legacy_interfaces_details(); $gateways = new \OPNsense\Routing\Gateways(); - $cnfint = legacy_config_get_interfaces(array("enable" => true)); + $cnfint = legacy_config_get_interfaces(["enable" => true]); foreach ($cnfint as $key => &$value) { // to set "reply-to" we need to know the gateway for our interface, let's collect it here and pass it on to // setInterfaceMapping() @@ -73,7 +73,7 @@ function filter_core_get_initialized_plugin_system() // In some cases we need to know if there currently are addresses configured on an interface, we pass // the relevant ifconfig data to our interfacemapping (prevents "could not parse host specification" on load) if (!empty($ifdetails[$value['if']])) { - $value['ifconfig'] = array(); + $value['ifconfig'] = []; $value['ifconfig']['ipv4'] = $ifdetails[$value['if']]['ipv4']; $value['ifconfig']['ipv6'] = $ifdetails[$value['if']]['ipv6']; } 
@@ -176,9 +176,9 @@ function filter_core_get_port_alias($aliasname, $aliases = [], $aliasObject = nu function filter_core_get_default_nat_outbound_networks() { global $config; - $result = array("127.0.0.0/8"); + $result = ["127.0.0.0/8"]; // Add openvpn networks - foreach (array('openvpn-server', 'openvpn-client') as $section) { + foreach (['openvpn-server', 'openvpn-client'] as $section) { if (!empty($config['openvpn'][$section])) { foreach ($config['openvpn'][$section] as $ovpn) { if (!isset($ovpn['disable']) && !empty($ovpn['tunnel_network'])) { @@ -201,6 +201,7 @@ function filter_core_get_default_nat_outbound_networks() function filter_core_rules_system($fw, $defaults) { global $config; + $ipv6_disabled = !isset($config['system']['ipv6allow']); $dhcrelay6_interfaces = plugins_run('dhcrelay_interfaces', ['inet6']); $dhcrelay6_interfaces = !empty($dhcrelay6_interfaces['dhcrelay']) ? $dhcrelay6_interfaces['dhcrelay'] : []; 
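Review bot: The new `$ipv6_disabled` flag in filter_core_rules_system carries no comment, yet from here on it gates IPv6 rule generation for the rest of a very long function (the ICMPv6, CARP, bogon and force-gateway rules further down all read it). A one-line note at the declaration would save the next reader a scroll: `// IPv6 globally disabled (system_advanced_network.php#ipv6allow): IPv6 pass rules below are skipped, only 'Block all IPv6' stays active`. The function body continues well past this hunk.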
@@ -214,77 +215,79 @@ function filter_core_rules_system($fw, $defaults) ); $fw->registerFilterRule( 1, - array('ipprotocol' => 'inet6','descr' => 'Block all IPv6', 'disabled' => isset($config['system']['ipv6allow']), - '#ref' => 'system_advanced_network.php#ipv6allow'), + ['ipprotocol' => 'inet6','descr' => 'Block all IPv6', 'disabled' => !$ipv6_disabled, + '#ref' => 'system_advanced_network.php#ipv6allow'], $defaults['block'] ); // default Deny rule (when no other rules match) $fw->registerFilterRule( 1, - array('ipprotocol' => 'inet46', 'descr' => 'Default deny / state violation rule', 'quick' => false), + ['ipprotocol' => 'inet46', 'descr' => 'Default deny / state violation rule', 'quick' => false], $defaults['block'] ); // IPv6 ICMP requirements $fw->registerFilterRule( 1, - array('ipprotocol' => 'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '1,2,135,136', - 'statetype' => 'keep', 'descr' => 'IPv6 RFC4890 requirements (ICMP)'), + ['ipprotocol' => 'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '1,2,135,136', + 'statetype' => 'keep', 'descr' => 'IPv6 RFC4890 requirements (ICMP)', 'disabled' => $ipv6_disabled], $defaults['pass'] ); // Allow only bare essential icmpv6 packets $fw->registerFilterRule( 1, - array('ipprotocol' => 'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '128,129,133,134,135,136', + ['ipprotocol' => 'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '128,129,133,134,135,136', 'statetype' => 'keep', 'descr' => 'IPv6 RFC4890 requirements (ICMP)', 'from' => '(self)', - 'to' => 'fe80::/10,ff02::/16', 'direction' => 'out' ), + 'to' => 'fe80::/10,ff02::/16', 'direction' => 'out', 'disabled' => $ipv6_disabled], $defaults['pass'] ); $fw->registerFilterRule( 1, - array('ipprotocol' => 'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '128,133,134,135,136', + ['ipprotocol' => 'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '128,133,134,135,136', 'statetype' => 'keep', 'descr' => 'IPv6 RFC4890 requirements (ICMP)', 'from' => 
'fe80::/10', - 'to' => 'fe80::/10,ff02::/16', 'direction' => 'in' ), + 'to' => 'fe80::/10,ff02::/16', 'direction' => 'in', 'disabled' => $ipv6_disabled ], $defaults['pass'] ); $fw->registerFilterRule( 1, - array('ipprotocol' => 'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '128,133,134,135,136', + ['ipprotocol' => 'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '128,133,134,135,136', 'statetype' => 'keep', 'descr' => 'IPv6 RFC4890 requirements (ICMP)', 'from' => 'ff02::/16', - 'to' => 'fe80::/10', 'direction' => 'in' ), + 'to' => 'fe80::/10', 'direction' => 'in', 'disabled' => $ipv6_disabled], $defaults['pass'] ); $fw->registerFilterRule( 1, - array('ipprotocol' => 'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '128,133,134,135,136', + ['ipprotocol' => 'inet6', 'protocol' => 'ipv6-icmp', 'icmp6-type' => '128,133,134,135,136', 'statetype' => 'keep', 'descr' => 'IPv6 RFC4890 requirements (ICMP)', 'from' => '::', - 'to' => 'ff02::/16', 'direction' => 'in' ), + 'to' => 'ff02::/16', 'direction' => 'in', 'disabled' => $ipv6_disabled], $defaults['pass'] ); // block all targeting port 0 - foreach (array('from_port', 'to_port') as $target) { + foreach (['from_port', 'to_port'] as $target) { $fw->registerFilterRule( 1, - array('ipprotocol' => 'inet46', 'protocol' => 'tcp/udp', $target => '0', - 'descr' => 'block all targeting port 0'), + ['ipprotocol' => 'inet46', 'protocol' => 'tcp/udp', $target => '0', + 'descr' => 'block all targeting port 0'], $defaults['block'] ); } // CARP defaults - foreach (['ff02::12', '224.0.0.18'] as $to) { - $fw->registerFilterRule( - 1, - ['protocol' => 'carp', 'direction' => 'any', 'to' => $to, 'descr' => 'CARP defaults'], - $defaults['pass'] - ); + if ((new OPNsense\Interfaces\Vip())->isCarpEnabled()) { + foreach ($ipv6_disabled ? 
['224.0.0.18'] : ['ff02::12', '224.0.0.18'] as $to) { + $fw->registerFilterRule( + 1, + ['protocol' => 'carp', 'direction' => 'any', 'to' => $to, 'descr' => 'CARP defaults'], + $defaults['pass'] + ); + } } // Lockout rules $fw->registerFilterRule( 1, - array('protocol' => 'tcp', 'from' => '', 'to' => '(self)' , 'descr' => 'sshlockout', 'direction' => 'in', - 'to_port' => !empty($config['system']['ssh']['port']) ? $config['system']['ssh']['port'] : 22), + ['protocol' => 'tcp', 'from' => '', 'to' => '(self)' , 'descr' => 'sshlockout', 'direction' => 'in', + 'to_port' => !empty($config['system']['ssh']['port']) ? $config['system']['ssh']['port'] : 22], $defaults['block'] ); $webport = '443'; 
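Review bot: The new `isCarpEnabled()` gate only answers whether some CARP VIP exists, while the pass rule it guards still has `'direction' => 'any'` and no `'interface'`, so the hardening is all-or-nothing: one CARP VIP on a single segment accepts CARP multicast on every interface. If the Vip model can enumerate the interfaces carrying CARP VIPs, registering the rule per interface with `'interface' => ...` would narrow it; otherwise a comment stating that trade-off belongs on the `if`. The model is instantiated as `new OPNsense\Interfaces\Vip()` without the leading backslash this file uses elsewhere (`new \OPNsense\Firewall\Plugin()`); `new \OPNsense\Interfaces\Vip()` keeps the style consistent. The function body continues past this hunk.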
@@ -295,50 +298,50 @@ function filter_core_rules_system($fw, $defaults) } $fw->registerFilterRule( 1, - array('protocol' => 'tcp', 'from' => '', 'to' => '(self)' , 'descr' => 'sshlockout', - 'direction' => 'in','to_port' => $webport), + ['protocol' => 'tcp', 'from' => '', 'to' => '(self)' , 'descr' => 'sshlockout', + 'direction' => 'in','to_port' => $webport], $defaults['block'] ); // block all in alias - $fw->registerFilterRule(1, array('from' => '', 'descr' => 'virusprot overload table'), $defaults['block']); + $fw->registerFilterRule(1, ['from' => '', 'descr' => 'virusprot overload table'], $defaults['block']); // block bogons and private nets - $bogontmpl = array('type' => 'block', 'log' => !isset($config['syslog']['nologbogons']), 'disablereplyto' => 1); - $privtmpl = array('type' => 'block', 'log' => !isset($config['syslog']['nologprivatenets']), + $bogontmpl = ['type' => 'block', 'log' => !isset($config['syslog']['nologbogons']), 'disablereplyto' => 1]; + $privtmpl = ['type' => 'block', 'log' => !isset($config['syslog']['nologprivatenets']), 'from' => '10.0.0.0/8,127.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16', - 'disablereplyto' => 1); + 'disablereplyto' => 1]; foreach ($fw->getInterfaceMapping() as $intf => $intfinfo) { $fw->registerFilterRule( 5, - array('from' => "", 'direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet', + ['from' => "", 'direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet', 'descr' => "Block bogon IPv4 networks from " . $intfinfo['descr'], '#ref' => "interfaces.php?if=" . $intf . 
"#blockbogons", - 'disabled' => !isset($intfinfo['blockbogons'])), + 'disabled' => !isset($intfinfo['blockbogons'])], $bogontmpl ); $fw->registerFilterRule( 5, - array('from' => "", 'direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet6', - 'disabled' => !isset($config['system']['ipv6allow']) || !isset($intfinfo['blockbogons']), + ['from' => "", 'direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet6', + 'disabled' => $ipv6_disabled || !isset($intfinfo['blockbogons']), '#ref' => "interfaces.php?if=" . $intf . "#blockbogons", - 'descr' => "Block bogon IPv6 networks from " . $intfinfo['descr']), + 'descr' => "Block bogon IPv6 networks from " . $intfinfo['descr']], $bogontmpl ); $fw->registerFilterRule( 5, - array('direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet', + ['direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet', '#ref' => "interfaces.php?if=" . $intf . "#blockpriv", 'descr' => "Block private networks from " . $intfinfo['descr'], - 'disabled' => !isset($intfinfo['blockpriv'])), + 'disabled' => !isset($intfinfo['blockpriv'])], $privtmpl ); $fw->registerFilterRule( 5, - array('direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet6', + ['direction' => 'in', 'interface' => $intf, 'ipprotocol' => 'inet6', '#ref' => "interfaces.php?if=" . $intf . "#blockpriv", 'descr' => "Block private networks from " . $intfinfo['descr'], 'from' => 'fc00::/7', - 'disabled' => !isset($intfinfo['blockpriv'])), + 'disabled' => $ipv6_disabled || !isset($intfinfo['blockpriv'])], $privtmpl ); } 
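Review bot: The `'disabled' => $ipv6_disabled || ...` added to the IPv6 bogon and private-network rules is only safe because the priority-1 'Block all IPv6' rule registered earlier is enabled exactly when `$ipv6_disabled` is true; that dependency is silent here and would break if the block-all rule were ever made optional. A comment above the interface loop would make it explicit: `// IPv6 bogon/private blocks are skipped when IPv6 is globally disabled: 'Block all IPv6' (priority 1) already drops all inet6 traffic`. Worth a word in the same comment: the IPv6 private-network rule overrides `from` with `fc00::/7`, so the IPv4 list in `$privtmpl` never applies to it.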
@@ -346,7 +349,7 @@ function filter_core_rules_system($fw, $defaults) // interface configuration per type foreach ($fw->getInterfaceMapping() as $intf => $intfinfo) { // allow DHCPv6 client out, before adding bogons (sequence 1, bogons @ 5) - if (isset($config['system']['ipv6allow']) && in_array($intfinfo['ipaddrv6'], array("slaac","dhcp6"))) { + if (!$ipv6_disabled && in_array($intfinfo['ipaddrv6'], ["slaac","dhcp6"])) { $fw->registerFilterRule(1, [ 'descr' => 'allow dhcpv6 client in ' . $intfinfo['descr'], '#ref' => 'system_advanced_network.php#ipv6allow', 
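Review bot: `in_array($intfinfo['ipaddrv6'], ["slaac","dhcp6"])` reads `ipaddrv6` without a guard, while the IPv6 switch later in the same loop uses `isset($intfinfo['ipaddrv6']) ? $intfinfo['ipaddrv6'] : null`; if the interface mapping omits the key for interfaces without an IPv6 type, this line emits a notice on every rule reload. Since the line is being touched anyway, `in_array($intfinfo['ipaddrv6'] ?? null, ['slaac', 'dhcp6'], true)` avoids both the notice and the loose comparison. The registerFilterRule call this guards continues past the hunk.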
@@ -378,25 +381,25 @@ function filter_core_rules_system($fw, $defaults) case "pptp": $fw->registerFilterRule( 1, - array('protocol' => 'tcp','to_port' => 1723, 'direction' => 'in', 'statetype' => 'modulate', 'quick' => false, + ['protocol' => 'tcp','to_port' => 1723, 'direction' => 'in', 'statetype' => 'modulate', 'quick' => false, '#ref' => "interfaces.php?if=" . $intf . "#type", - 'interface' => $intf, 'flags' => 'S/SA', 'descr' => 'allow PPTP client on ' . $intfinfo['descr']), + 'interface' => $intf, 'flags' => 'S/SA', 'descr' => 'allow PPTP client on ' . $intfinfo['descr']], $defaults['pass'] ); $fw->registerFilterRule( 1, - array('protocol' => 'gre', 'direction' => 'in', 'statetype' => 'keep', 'quick' => false, + ['protocol' => 'gre', 'direction' => 'in', 'statetype' => 'keep', 'quick' => false, '#ref' => "interfaces.php?if=" . $intf . "#type", - 'interface' => $intf, 'descr' => 'allow PPTP client on ' . $intfinfo['descr']), + 'interface' => $intf, 'descr' => 'allow PPTP client on ' . $intfinfo['descr']], $defaults['pass'] ); break; case "dhcp": $fw->registerFilterRule( 1, - array('protocol' => 'udp', 'direction' => 'in', 'from_port' => 67, 'to_port' => 68, + ['protocol' => 'udp', 'direction' => 'in', 'from_port' => 67, 'to_port' => 68, '#ref' => "interfaces.php?if=" . $intf . "#type", - 'interface' => $intf, 'descr' => 'allow DHCP client on ' . $intfinfo['descr']), + 'interface' => $intf, 'descr' => 'allow DHCP client on ' . $intfinfo['descr']], $defaults['pass'] ); $dhcpv4_opts = [ 
@@ -413,32 +416,32 @@ function filter_core_rules_system($fw, $defaults) if (isset($config['dhcpd'][$intf]['enable'])) { $fw->registerFilterRule( 1, - array('protocol' => 'udp', 'direction' => 'in', 'from_port' => 68, 'to' => '255.255.255.255', + ['protocol' => 'udp', 'direction' => 'in', 'from_port' => 68, 'to' => '255.255.255.255', '#ref' => "services_dhcp.php?if=" . $intf . "#enable", - 'to_port' => 67, 'interface' => $intf, 'descr' => 'allow access to DHCP server'), + 'to_port' => 67, 'interface' => $intf, 'descr' => 'allow access to DHCP server'], $defaults['pass'] ); $fw->registerFilterRule( 1, - array('protocol' => 'udp', 'direction' => 'in', 'from_port' => 68, 'to' => '(self)', + ['protocol' => 'udp', 'direction' => 'in', 'from_port' => 68, 'to' => '(self)', '#ref' => "services_dhcp.php?if=" . $intf . "#enable", - 'to_port' => 67, 'interface' => $intf, 'descr' => 'allow access to DHCP server'), + 'to_port' => 67, 'interface' => $intf, 'descr' => 'allow access to DHCP server'], $defaults['pass'] ); $fw->registerFilterRule( 1, - array('protocol' => 'udp', 'direction' => 'out', 'from_port' => 67, 'from' => '(self)', + ['protocol' => 'udp', 'direction' => 'out', 'from_port' => 67, 'from' => '(self)', '#ref' => "services_dhcp.php?if=" . $intf . "#enable", - 'to_port' => 68, 'interface' => $intf, 'descr' => 'allow access to DHCP server'), + 'to_port' => 68, 'interface' => $intf, 'descr' => 'allow access to DHCP server'], $defaults['pass'] ); if (!empty($config['dhcpd'][$intf]['failover_peerip'])) { $fw->registerFilterRule( 1, - array('protocol' => 'tcp/udp', 'direction' => 'in', 'to' => '(self)', 'to_port' => '519,520', + ['protocol' => 'tcp/udp', 'direction' => 'in', 'to' => '(self)', 'to_port' => '519,520', '#ref' => "services_dhcp.php?if=" . $intf . 
"#failover_peerip", 'from' => $config['dhcpd'][$intf]['failover_peerip'], - 'interface' => $intf, 'descr' => 'allow access to DHCP failover'), + 'interface' => $intf, 'descr' => 'allow access to DHCP failover'], $defaults['pass'] ); } 
@@ -446,36 +449,39 @@ function filter_core_rules_system($fw, $defaults) break; } // IPv6 + if ($ipv6_disabled) { + continue; + } switch (isset($intfinfo['ipaddrv6']) ? $intfinfo['ipaddrv6'] : null) { case "6rd": $fw->registerFilterRule( 1, - array('protocol' => '41', 'direction' => 'in', 'from' => $config['interfaces'][$intf]['gateway-6rd'], + ['protocol' => '41', 'direction' => 'in', 'from' => $config['interfaces'][$intf]['gateway-6rd'], '#ref' => "interfaces.php?if=" . $intf . "#type6", - 'quick' => false, 'interface' => $intf, 'descr' => 'Allow 6in4 traffic in for 6rd on ' . $intfinfo['descr']), + 'quick' => false, 'interface' => $intf, 'descr' => 'Allow 6in4 traffic in for 6rd on ' . $intfinfo['descr']], $defaults['pass'] ); $fw->registerFilterRule( 1, - array('protocol' => '41', 'direction' => 'out', 'to' => $config['interfaces'][$intf]['gateway-6rd'], + ['protocol' => '41', 'direction' => 'out', 'to' => $config['interfaces'][$intf]['gateway-6rd'], '#ref' => "interfaces.php?if=" . $intf . "#type6", - 'quick' => false, 'interface' => $intf, 'descr' => 'Allow 6in4 traffic out for 6rd on ' . $intfinfo['descr']), + 'quick' => false, 'interface' => $intf, 'descr' => 'Allow 6in4 traffic out for 6rd on ' . $intfinfo['descr']], $defaults['pass'] ); break; case "6to4": $fw->registerFilterRule( 1, - array('protocol' => '41', 'direction' => 'in', 'to' => '(self)','interface' => $intf, + ['protocol' => '41', 'direction' => 'in', 'to' => '(self)','interface' => $intf, '#ref' => "interfaces.php?if=" . $intf . "#type6", - 'quick' => false, 'descr' => 'Allow 6in4 traffic in for 6to4 on ' . $intfinfo['descr']), + 'quick' => false, 'descr' => 'Allow 6in4 traffic in for 6to4 on ' . $intfinfo['descr']], $defaults['pass'] ); $fw->registerFilterRule( 1, - array('protocol' => '41', 'direction' => 'out', 'from' => '(self)','interface' => $intf, + ['protocol' => '41', 'direction' => 'out', 'from' => '(self)','interface' => $intf, '#ref' => "interfaces.php?if=" . $intf . 
"#type6", - 'quick' => false, 'descr' => 'Allow 6in4 traffic out for 6to4 on ' . $intfinfo['descr']), + 'quick' => false, 'descr' => 'Allow 6in4 traffic out for 6to4 on ' . $intfinfo['descr']], $defaults['pass'] ); break; 
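Review bot: The `continue` added before the IPv6 switch skips the remainder of the per-interface loop body, not just the IPv6 section; today that remainder is the switch plus the DHCPv6 server rules, but any IPv4-neutral rule appended later at the bottom of the loop would silently be dropped when IPv6 is disabled. Wrapping the section instead (`if (!$ipv6_disabled) { switch (...) { ... } }`) or at least a comment, `// IPv6 disabled: nothing further in this loop applies to this interface`, would make the intent explicit. The loop body and the 6rd/6to4 switch extend beyond the hunk.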
@@ -486,43 +492,44 @@ function filter_core_rules_system($fw, $defaults) if ($dhcpdv6_enabled || $track6_enabled || in_array($intf, $dhcrelay6_interfaces)) { $fw->registerFilterRule( 1, - array('protocol' => 'udp','ipprotocol' => 'inet6', 'from' => 'fe80::/10', 'to' => 'fe80::/10,ff02::/16', + ['protocol' => 'udp','ipprotocol' => 'inet6', 'from' => 'fe80::/10', 'to' => 'fe80::/10,ff02::/16', 'to_port' => 546, 'interface' => $intf, - 'descr' => 'allow access to DHCPv6 server on ' . $intfinfo['descr']), + 'descr' => 'allow access to DHCPv6 server on ' . $intfinfo['descr']], $defaults['pass'] ); $fw->registerFilterRule( 1, - array('protocol' => 'udp','ipprotocol' => 'inet6', 'from' => 'fe80::/10', 'to' => 'ff02::/16', + ['protocol' => 'udp','ipprotocol' => 'inet6', 'from' => 'fe80::/10', 'to' => 'ff02::/16', 'to_port' => 547, 'interface' => $intf, - 'descr' => 'allow access to DHCPv6 server on ' . $intfinfo['descr']), + 'descr' => 'allow access to DHCPv6 server on ' . $intfinfo['descr']], $defaults['pass'] ); $fw->registerFilterRule( 1, - array('protocol' => 'udp','ipprotocol' => 'inet6', 'from' => 'ff02::/16', 'to' => 'fe80::/10', + ['protocol' => 'udp','ipprotocol' => 'inet6', 'from' => 'ff02::/16', 'to' => 'fe80::/10', 'to_port' => 547, 'interface' => $intf, - 'descr' => 'allow access to DHCPv6 server on ' . $intfinfo['descr']), + 'descr' => 'allow access to DHCPv6 server on ' . $intfinfo['descr']], $defaults['pass'] ); $fw->registerFilterRule( 1, - array('protocol' => 'udp','ipprotocol' => 'inet6', 'from' => 'fe80::/10', 'to' => '(self)', + ['protocol' => 'udp','ipprotocol' => 'inet6', 'from' => 'fe80::/10', 'to' => '(self)', 'to_port' => 546, 'interface' => $intf, 'direction' => 'in', - 'descr' => 'allow access to DHCPv6 server on ' . $intfinfo['descr']), + 'descr' => 'allow access to DHCPv6 server on ' . 
$intfinfo['descr']], $defaults['pass'] ); $fw->registerFilterRule( 1, - array('protocol' => 'udp','ipprotocol' => 'inet6', 'from' => '(self)', 'to' => 'fe80::/10', + ['protocol' => 'udp','ipprotocol' => 'inet6', 'from' => '(self)', 'to' => 'fe80::/10', 'from_port' => 547, 'interface' => $intf, 'direction' => 'out', - 'descr' => 'allow access to DHCPv6 server on ' . $intfinfo['descr']), + 'descr' => 'allow access to DHCPv6 server on ' . $intfinfo['descr']], $defaults['pass'] ); } break; } } + // loopback. dont log internal communications /* temporary work-around, syncookies require states to avoid dropping traffic */ $fw->registerFilterRule(5, array('interface' => 'lo0', 'log' => false, 'descr' => 'pass loopback'), $defaults['pass']); @@ -530,17 +537,17 @@ function filter_core_rules_system($fw, $defaults) // out from this Firewall $fw->registerFilterRule( 5, - array('direction' => 'out', 'statetype' => 'keep', 'allowopts' => true, - 'quick' => false, "descr" => "let out anything from firewall host itself"), + ['direction' => 'out', 'statetype' => 'keep', 'allowopts' => true, + 'quick' => false, "descr" => "let out anything from firewall host itself"], $defaults['pass'] ); // ipsec if (!empty(iterator_to_array($fw->getInterfaceMapping())['enc0'])) { $fw->registerFilterRule( 5, - array('direction' => 'out', 'statetype' => 'keep', 'quick' => false, 'interface' => 'enc0', + ['direction' => 'out', 'statetype' => 'keep', 'quick' => false, 'interface' => 'enc0', '#ref' => 'ui/ipsec/tunnels', - 'descr' => 'IPsec internal host to host'), + 'descr' => 'IPsec internal host to host'], $defaults['pass'] ); } @@ -548,7 +555,7 @@ function filter_core_rules_system($fw, $defaults) foreach (filter_core_get_antilockout() as $lockoutif => $lockoutprts) { $fw->registerFilterRule( 5, - array( + [ 'direction' => 'in', 'interface' => $lockoutif, 'statetype' => 'keep', 
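Review bot: The loopback rule just below the added blank line still uses `array('interface' => 'lo0', 'log' => false, 'descr' => 'pass loopback')` although this commit converts every other `array()` in the function to `[]`; converting it too keeps the file consistent: `$fw->registerFilterRule(5, ['interface' => 'lo0', 'log' => false, 'descr' => 'pass loopback'], $defaults['pass']);`. The "temporary work-around" comment on that rule names no issue or commit to track, so nobody can tell when it may go; a reference would help. The DHCPv6 server block at the top of the hunk opens before the hunk and is only partly visible.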
@@ -557,7 +564,7 @@ function filter_core_rules_system($fw, $defaults) 'to_port' => implode(' ', $lockoutprts), 'descr' => 'anti-lockout rule', '#ref' => 'system_advanced_firewall.php#noantilockout' - ), + ], $defaults['pass'] ); } @@ -571,7 +578,7 @@ function filter_core_rules_system($fw, $defaults) $protos_found = []; $address_check = ['inet' => 'is_subnetv4', 'inet6' => 'is_subnetv6']; foreach (array_keys(interfaces_addresses($ifcfg['if'], true, $fw->getIfconfigDetails())) as $addr) { - foreach (['inet', 'inet6'] as $inet) { + foreach ($ipv6_disabled ? ['inet'] : ['inet', 'inet6'] as $inet) { if (!in_array($inet, $protos_found) && $address_check[$inet]($addr)) { $gwname = $fw->getGateways()->getInterfaceGateway($ifdescr, $inet, true, 'name'); if (!empty($gwname)) { @@ -579,13 +586,13 @@ function filter_core_rules_system($fw, $defaults) // when the correct protocol is assigned to the interface $fw->registerFilterRule( 100000, - array('from' => "({$ifcfg['if']})", 'direction' => 'out', 'gateway' => $gwname, - 'destination' => array('network' => $ifdescr, "not" => true), + ['from' => "({$ifcfg['if']})", 'direction' => 'out', 'gateway' => $gwname, + 'destination' => ['network' => $ifdescr, "not" => true], 'statetype' => 'keep', 'allowopts' => true, 'quick' => false, '#ref' => 'system_advanced_firewall.php#pf_disable_force_gw', - 'descr' => "let out anything from firewall host itself (force gw)"), + 'descr' => "let out anything from firewall host itself (force gw)"], $defaults['pass'] ); } diff --git a/src/opnsense/mvc/app/models/OPNsense/Interfaces/Vip.php b/src/opnsense/mvc/app/models/OPNsense/Interfaces/Vip.php index 66dfc734d..41b9fa148 100644 --- a/src/opnsense/mvc/app/models/OPNsense/Interfaces/Vip.php +++ b/src/opnsense/mvc/app/models/OPNsense/Interfaces/Vip.php 
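Review bot: In the force-gateway loop, `foreach ($ipv6_disabled ? ['inet'] : ['inet', 'inet6'] as $inet)` packs the policy into the loop header with no explanation; hoisting it as `$families = $ipv6_disabled ? ['inet'] : ['inet', 'inet6']; // no inet6 force-gw rules while IPv6 is globally disabled` reads better and gives the reason a home. `$address_check[$inet]($addr)` still dispatches through string callables (`'is_subnetv4'`/`'is_subnetv6'`), pre-existing but worth tightening if the file targets PHP 8.1+ (not verifiable here). The enclosing foreach over interfaces opens before the hunk.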
@@ -244,4 +244,17 @@ class Vip extends BaseModel
 }
 return $usages;
 }
+
+ /**
+ * @return bool true if any of the configured vips is a carp type
+ */
+ public function isCarpEnabled()
+ {
+ foreach ($this->vip->iterateItems() as $vip) {
+ if ($vip->mode == 'carp') {
+ return true;
+ }
+ }
+ return false;
+ }
 }
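Review bot: `isCarpEnabled()` compares `$vip->mode == 'carp'` loosely and declares no return type; if `mode` is a model field object (as the `iterateItems()` traversal suggests), `(string)$vip->mode === 'carp'` together with `public function isCarpEnabled(): bool` makes the check explicit and strict. The method also answers true for any CARP-mode VIP regardless of any other state of that VIP, which is adequate for gating the CARP pass rule but should be stated in the docblock, e.g. `@return bool true if at least one vip has mode 'carp'; no other vip state is considered`.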