firewall: reset states on IPv4 change; closes #2414
parent
68ac728d1f
commit
9572345477
@ -61,7 +61,6 @@ if (empty($argument)) {
|
||||
}
|
||||
}
|
||||
|
||||
/* If the interface is configured and not enabled, bail. We do not need to change settings for disabled interfaces. #3313 */
|
||||
if (!isset($config['interfaces'][$interface]['enable'])) {
|
||||
log_error("Interface '{$interface}' is disabled or empty, nothing to do.");
|
||||
return;
|
||||
@ -72,8 +71,9 @@ $interface_descr = convert_friendly_interface_to_friendly_descr($interface);
|
||||
log_error("On (IP address: {$ip}) (interface: {$interface_descr}[{$interface}]) (real interface: {$interface_real}).");
|
||||
|
||||
/*
|
||||
* NOTE: Take care of openvpn and similar if you generate the event to reconfigure an interface.
|
||||
* i.e. OpenVPN might be in tap mode and not have an ip.
|
||||
* Take care of OpenVPN and similar if you generate the event
|
||||
* to reconfigure an interface. OpenVPN might be in tap(4)
|
||||
* mode and not have an IP address.
|
||||
*/
|
||||
if ((empty($ip) || !is_ipaddr($ip)) && substr($interface_real, 0, 4) != 'ovpn') {
|
||||
log_error("Failed to detect IP for {$interface_descr}[{$interface}]");
|
||||
@ -85,7 +85,6 @@ $configip = $config['interfaces'][$interface]['ipaddr'];
|
||||
$cacheip_file = "/var/db/{$interface}_cacheip";
|
||||
$ip_file = "/var/db/{$interface}_ip";
|
||||
|
||||
/* write the current interface IP to file */
|
||||
if (is_ipaddr($ip)) {
|
||||
@file_put_contents($ip_file, $ip);
|
||||
}
|
||||
@ -115,7 +114,6 @@ if (!empty($bridgetmp)) {
|
||||
system_resolvconf_generate();
|
||||
system_hosts_generate();
|
||||
|
||||
/* check tunneled IPv6 interface tracking */
|
||||
if (isset($config['interfaces'][$interface]['ipaddrv6'])) {
|
||||
switch($config['interfaces'][$interface]['ipaddrv6']) {
|
||||
case "6to4":
|
||||
@ -133,7 +131,6 @@ if (isset($config['interfaces'][$interface]['ipaddrv6'])) {
|
||||
}
|
||||
}
|
||||
|
||||
/* Check Gif tunnels */
|
||||
if (isset($config['gifs']['gif']) && is_array($config['gifs']['gif'])){
|
||||
foreach ($config['gifs']['gif'] as $gif) {
|
||||
if ($gif['if'] == $interface) {
|
||||
@ -153,17 +150,12 @@ if (isset($config['gifs']['gif']) && is_array($config['gifs']['gif'])){
|
||||
|
||||
$cacheip = @file_get_contents($cacheip_file);
|
||||
|
||||
/*
|
||||
* We need to force sync VPNs on such even when the IP is the same for dynamic interfaces.
|
||||
* Even with the same IP the VPN software is unhappy with the IP disappearing, and we
|
||||
* could be failing back in which case we need to switch IPs back anyhow.
|
||||
*/
|
||||
if (!is_ipaddr($cacheip) || $ip != $cacheip || !is_ipaddr($configip)) {
|
||||
@unlink($cacheip_file);
|
||||
|
||||
system_routing_configure(false, $interface);
|
||||
setup_gateways_monitor(false);
|
||||
filter_configure_sync(false, false /* XXX */);
|
||||
filter_configure_sync(false, isset($config['system']['ip_change_kill_states']));
|
||||
|
||||
if (is_ipaddr($ip)) {
|
||||
@file_put_contents($cacheip_file, $ip);
|
||||
|
||||
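Review bot: The new `filter_configure_sync(false, isset($config['system']['ip_change_kill_states']));` is reached from the branch guarded by `if (!is_ipaddr($cacheip) || $ip != $cacheip || !is_ipaddr($configip))`, which fires not only on a genuine address change but also whenever the cache file is missing or unreadable (`@file_get_contents` returns false) or the configured address is not a literal IP, so with the option enabled each of those cases would flush the entire state table, including states unrelated to this interface. Indentation is lost on this rendered page, so whether the call sits inside that `if` is inferred from the hunk order. If the intent is strictly "on change", pass the change test rather than the bare option: `filter_configure_sync(false, is_ipaddr($cacheip) && $ip != $cacheip && isset($config['system']['ip_change_kill_states']));`. A one-line comment above the call, such as `/* second argument flushes the whole state table, see ip_change_kill_states */`, would also help, since the replaced `false /* XXX */` carried no explanation. The enclosing block continues past the end of the hunk.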
@ -58,7 +58,6 @@ if (empty($argument)) {
|
||||
$ip = get_interface_ipv6($interface);
|
||||
}
|
||||
|
||||
/* If the interface is configured and not enabled, bail. We do not need to change settings for disabled interfaces. #3313 */
|
||||
if (!isset($config['interfaces'][$interface]['enable'])) {
|
||||
log_error("Interface '{$interface}' is disabled or empty, nothing to do.");
|
||||
return;
|
||||
@ -69,8 +68,9 @@ $interface_descr = convert_friendly_interface_to_friendly_descr($interface);
|
||||
log_error("On (IP address: {$ip}) (interface: {$interface_descr}[{$interface}]) (real interface: {$interface_real}).");
|
||||
|
||||
/*
|
||||
* NOTE: Take care of openvpn and similar if you generate the event to reconfigure an interface.
|
||||
* i.e. OpenVPN might be in tap mode and not have an ip.
|
||||
* Take care of OpenVPN and similar if you generate the event
|
||||
* to reconfigure an interface. OpenVPN might be in tap(4)
|
||||
* mode and not have an IP address.
|
||||
*/
|
||||
if ((empty($ip) || !is_ipaddr($ip)) && substr($interface_real, 0, 4) != 'ovpn') {
|
||||
log_error("Failed to detect IP for {$interface_descr}[{$interface}]");
|
||||
@ -104,12 +104,10 @@ if (!empty($new_domain_name)) {
|
||||
@file_put_contents($searchdomain_file, $new_domain_name);
|
||||
}
|
||||
|
||||
/* write current WAN IPv6 to file */
|
||||
if (is_ipaddr($ip)) {
|
||||
@file_put_contents($ip_file, $ip);
|
||||
}
|
||||
|
||||
|
||||
$grouptmp = link_interface_to_group($interface);
|
||||
if (!empty($grouptmp)) {
|
||||
array_walk($grouptmp, 'interface_group_add_member');
|
||||
@ -121,11 +119,6 @@ system_hosts_generate();
|
||||
|
||||
$cacheip = @file_get_contents($cacheip_file);
|
||||
|
||||
/*
|
||||
* We need to force sync VPNs on such even when the IP is the same for dynamic interfaces.
|
||||
* Even with the same IP the VPN software is unhappy with the IP disappearing, and we
|
||||
* could be failing back in which case we need to switch IPs back anyhow.
|
||||
*/
|
||||
if (!is_ipaddr($cacheip) || $ip != $cacheip || !is_ipaddr($configip)) {
|
||||
if (is_ipaddr($ip)) {
|
||||
if ($ip == $cacheip) {
|
||||
|
||||
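Review bot: The hunk at `@ -121,11 +119,6` drops the comment explaining why VPNs are force-synced even when the address is unchanged, while the same comment is kept in the IPv4 script; if the `!is_ipaddr($cacheip) || $ip != $cacheip` guard is removed here as the line counts suggest, the remaining `if ($ip == $cacheip)` block should carry one line saying why the unchanged-address case is still handled, e.g. `/* same address as cached: VPN peers still need a resync after the address briefly disappeared */`. Unlike the IPv4 script, no `ip_change_kill_states` call is added on this path, which matches the help text saying IPv4 only; a short comment noting that the state reset is deliberately IPv4-only would stop a later reader from "fixing" it. Both `if` blocks begin in the hunk and close outside it.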
@ -64,6 +64,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
|
||||
$pconfig['enablenatreflectionhelper'] = isset($config['system']['enablenatreflectionhelper']) ? $config['system']['enablenatreflectionhelper'] : null;
|
||||
$pconfig['bypassstaticroutes'] = isset($config['filter']['bypassstaticroutes']);
|
||||
$pconfig['prefer_dpinger'] = isset($config['system']['prefer_dpinger']);
|
||||
$pconfig['ip_change_kill_states'] = isset($config['system']['ip_change_kill_states']);
|
||||
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
|
||||
$pconfig = $_POST;
|
||||
$input_errors = array();
|
||||
@ -224,6 +225,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
|
||||
unset($config['system']['prefer_dpinger']);
|
||||
}
|
||||
|
||||
if (!empty($pconfig['ip_change_kill_states'])) {
|
||||
$config['system']['ip_change_kill_states'] = true;
|
||||
} elseif (isset($config['system']['ip_change_kill_states'])) {
|
||||
unset($config['system']['ip_change_kill_states']);
|
||||
}
|
||||
|
||||
write_config();
|
||||
|
||||
$savemsg = get_std_save_message();
|
||||
@ -693,6 +700,16 @@ include("head.inc");
|
||||
</div>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><a id="help_for_ip_change_kill_states" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Dynamic state reset') ?></td>
|
||||
<td>
|
||||
<input name="ip_change_kill_states" type="checkbox" value="yes" <?=!empty($pconfig['ip_change_kill_states']) ? 'checked="checked"' : '' ?> />
|
||||
<?= gettext('Reset all states when a dynamic IP address changes.') ?>
|
||||
<div class="hidden" data-for="help_for_ip_change_kill_states">
|
||||
<?=gettext("This option flushes the entire state table on IPv4 address changes in dynamic setups to e.g. allow VoIP servers to re-register.");?>
|
||||
</div>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
<div class="content-box tab-content table-responsive">
|
||||
|
||||
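Review bot: The checkbox label `<?= gettext('Reset all states when a dynamic IP address changes.') ?>` says IP generically while the help text two lines below says the flush happens on IPv4 address changes only, and the new call in the rc scripts is added on the IPv4 path; the label should match: `<?= gettext('Reset all states when a dynamic IPv4 address changes.') ?>`. Since the help text already says the entire state table is flushed, it should also spell out the consequence that every existing connection through the firewall is dropped, not only those on the interface whose address changed, so an administrator can weigh that before enabling it. The POST handling of `ip_change_kill_states` follows the same set/unset pattern as `prefer_dpinger` directly above it and looks correct.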