Firewall: Rules - add optional advanced property "State policy" to influence state creation on a per-rule basis. closes https://github.com/opnsense/core/issues/7294

Ad Schellevis 2024-03-04 20:13:49 +01:00
parent 8623a2d4ae
commit 984ffb0ff2
2 changed files with 34 additions and 2 deletions


@ -244,6 +244,9 @@ class FilterRule extends Rule
$rule['state']['options'][] = "max-src-conn-rate " . $rule['max-src-conn-rate'] . " " .
"/" . $rule['max-src-conn-rates'] . ", overload <{$otbl}> flush global ";
}
if (!empty($rule['state-policy'])) {
$rule['state']['options'][] = $rule['state-policy'];
}
}
}
// icmp-type switch (ipv4/ipv6)
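Review bot: The new branch appends `$rule['state-policy']` verbatim into the pf state options without checking its value, so this layer trusts whatever the stored rule holds; the only validation visible in this commit is in the rule form, so a rule reaching this code through any other path is passed through unchecked. A cheap allow-list here keeps the generated ruleset well-formed regardless of where the value came from: `if (in_array($rule['state-policy'] ?? '', ['if-bound', 'floating'], true)) {`. The enclosing method and the outer `if` both start outside the hunk.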


@ -49,7 +49,7 @@ $gateways = new \OPNsense\Routing\Gateways();
function FormSetAdvancedOptions(&$item) {
foreach (array("max", "max-src-nodes", "max-src-conn", "max-src-states","nopfsync", "statetimeout", "adaptivestart"
, "adaptiveend", "max-src-conn-rate","max-src-conn-rates", "tag", "tagged", "allowopts", "reply-to","tcpflags1"
,"tcpflags2", "tos") as $fieldname) {
,"tcpflags2", "tos", "state-policy") as $fieldname) {
if (strlen($item[$fieldname]) > 0) {
return true;
@ -126,6 +126,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
'set-prio-low',
'statetimeout',
'statetype',
'state-policy',
'tag',
'tagged',
'tcpflags1',
@ -421,6 +422,10 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$input_errors[] = gettext("Both maximum new connections per host and the interval (per second(s)) must be specified");
}
if (!empty($pconfig['state-policy']) && !in_array($pconfig['state-policy'], ['if-bound', 'floating'])) {
$input_errors[] = sprintf(gettext("Invalid state policy type %s"), $pconfig['state-policy']);
}
if (empty($pconfig['max']) && ($pconfig['adaptivestart'] === "0" || $pconfig['adaptiveend'] === "0")) {
$input_errors[] = gettext("Disabling adaptive timeouts is only supported in combination with a configured maximum number of states for the same rule.");
} elseif ($pconfig['adaptivestart'] === "0" xor $pconfig['adaptiveend'] === "0") {
@ -467,7 +472,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
// 1-on-1 copy of form values
$copy_fields = array('type', 'interface', 'ipprotocol', 'tag', 'tagged', 'max', 'max-src-nodes'
, 'max-src-conn', 'max-src-states', 'statetimeout', 'statetype', 'os', 'descr', 'gateway'
, 'sched', 'associated-rule-id', 'direction'
, 'sched', 'associated-rule-id', 'direction', 'state-policy'
, 'max-src-conn-rate', 'max-src-conn-rates', 'category') ;
@ -1716,6 +1721,30 @@ endforeach;?>
</div>
</td>
</tr>
<tr class="opt_advanced hidden">
<td><a id="help_for_state_policy" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("State policy");?></td>
<td>
<select name="state-policy" class="selectpicker" data-live-search="true" data-size="5" >
<?php
$statepolicies = [
'' => gettext('Default'),
'if-bound' => gettext('Bind states to interface'),
'floating' => gettext('Floating states')
];
foreach ($statepolicies as $policy => $pol_descr): ?>
<option value="<?=$policy;?>" <?= $policy == $pconfig['state-policy'] ? "selected=\"selected\"" : "" ?>>
<?=$pol_descr;?>
</option>
<?php
endforeach; ?>
</select>
<div class="hidden" data-for="help_for_state_policy">
<?=gettext("Choose how states created by this rule are treated, default (as defined in advanced), ".
"floating in which case states are valid on all interfaces or ".
"interface bound. Interface bound states are more secure, floating more flexible") ?>
</div>
</td>
<tr>
<?php
$has_created_time = (isset($a_filter[$id]['created']) && is_array($a_filter[$id]['created']));
$has_updated_time = (isset($a_filter[$id]['updated']) && is_array($a_filter[$id]['updated']));
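Review bot: The table row opened at `<tr class="opt_advanced hidden">` in the last hunk is never closed: the final added markup line is `<tr>` where `</tr>` is intended, so the state-policy row runs into whatever follows and the `opt_advanced` toggle may not show or hide it cleanly. Change that line to `</tr>`. In the validation hunk, `in_array($pconfig['state-policy'], ['if-bound', 'floating'])` is called without `strict: true`; passing `true` keeps the comparison exact for a value that ends up in the generated ruleset, e.g. `!in_array($pconfig['state-policy'], ['if-bound', 'floating'], true)`.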