(filter) move some more static rules

2026-03-18 18:44:44 +00:00 · 2016-10-31 21:38:54 +01:00 · 2016-10-31 21:38:54 +01:00 · 7bc5bf4d1f
commit 7bc5bf4d1f
parent 5319b8e53b
3 changed files with 20 additions and 27 deletions
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@ -2502,19 +2502,6 @@ function filter_rules_generate(&$FilterIflist)
    $log['block'] = !isset($config['syslog']['nologdefaultblock']) ? "log" : "";
    $log['pass'] = !isset($config['syslog']['nologdefaultpass']) ? "log" : "";

-    $ipfrules .= <<<EOD
-# We use the mighty pf, we cannot be fooled.
-block {$log['block']} quick inet proto { tcp, udp } from any port = 0 to any
-block {$log['block']} quick inet proto { tcp, udp } from any to any port = 0
-block {$log['block']} quick inet6 proto { tcp, udp } from any port = 0 to any
-block {$log['block']} quick inet6 proto { tcp, udp } from any to any port = 0
-
-EOD;
-
-
-    $ipfrules .= filter_process_carp_rules($log);
-
-
    $ipfrules .= "\n# SSH lockout\n";
    if (!empty($config['system']['ssh']['port'])) {
        $ipfrules .= "block in {$log['block']} quick proto tcp from <sshlockout> to (self) port ";
@ -3111,19 +3098,6 @@ function filter_setup_logging_interfaces(&$FilterIflist)
    return $rules;
 }

-function filter_process_carp_rules($log)
-{
-    global $config;
-
-    $lines = '';
-    /* return if there are no carp configured items */
-    if (!empty($config['hasync']) || !empty($config['virtualip']['vip'])) {
-        $lines .= "block in {$log['block']} quick proto carp from (self) to any \n";
-        $lines .= "pass {$log['pass']} quick proto carp \n";
-    }
-    return $lines;
-}
-
 /* Generate IPsec Filter Items */
 function filter_generate_ipsec_rules(&$FilterIflist, $log = array())
 {
--- a/src/etc/inc/filter.lib.inc
+++ b/src/etc/inc/filter.lib.inc
@ -88,5 +88,20 @@ function filter_core_rules_system($fw, $defaults)
            'to' => 'fe80::/10', 'direction' => 'in' ),
      $defaults['pass']
    );
+    // block all targetting port 0
+    foreach (array('from_port', 'to_port') as $target) {
+        $fw->registerFilterRule(1,
+          array('ipprotocol'=>'inet46', 'protocol' => 'tcp/udp', $target => '0'),
+          $defaults['block']
+        );
+    }
+    // CARP defaults
+    $carp_disabled = empty($config['hasync']) && empty($config['virtualip']['vip']);
+    $fw->registerFilterRule(1,
+      array('protocol' => 'carp', 'from' => '(self)', 'direction' => 'in', 'disabled' => $carp_disabled),
+      $defaults['block']
+    );
+    $fw->registerFilterRule(1,array('protocol' => 'carp'),$defaults['pass']);
+

 }
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
@ -48,7 +48,9 @@ class FilterRule
        'ipprotocol' => 'parsePlain',
        'protocol' => 'parseReplaceSimple,tcp/udp:{tcp udp},proto ',
        'from' => 'parsePlain,from {,}',
+        'from_port' => 'parsePlain, port {,}',
        'to' => 'parsePlain,to {,}',
+        'to_port' => 'parsePlain, port {,}',
        'icmp6-type' => 'parsePlain,icmp6-type {,}',
        'state' => 'parseState',
        'label' => 'parsePlain,label ","'
@ -71,7 +73,7 @@ class FilterRule
     */
    private function parsePlain($value, $prefix="", $suffix="")
    {
-        return empty($value) ? "" : $prefix . $value . $suffix . " ";
+        return $value == '' ? "" : $prefix . $value . $suffix . " ";
    }

    /**
@ -183,6 +185,8 @@ class FilterRule
                $tmp = $this->rule;
                $tmp['interface'] = $interface;
                $tmp['ipprotocol'] = $ipproto;
+                $tmp['from'] = empty($tmp['from']) ? "any" : $tmp['from'];
+                $tmp['to'] = empty($tmp['to']) ? "any" : $tmp['to'];
                // disable rule when interface not found
                if (!empty($interface) && empty($this->interfaceMapping[$interface]['if'])) {
                    $tmp['disabled'] = true;