filter, add "reply-to" to plugin model, disabled by default for bootstrapped rules. needs gateway/gatewayv6 registered in filter.inc before it can actually function.

2026-03-19 19:15:22 +00:00 · 2017-05-30 21:50:57 +02:00 · 2017-05-30 21:50:57 +02:00 · b27abd7d74
commit b27abd7d74
parent e3d6b13981
2 changed files with 34 additions and 0 deletions
--- a/src/etc/inc/filter.lib.inc
+++ b/src/etc/inc/filter.lib.inc
@ -33,6 +33,7 @@ function filter_core_bootstrap($fw)
    $filter_rule_defaults = array();
    $filter_rule_defaults['pass'] = array("type" => "pass", "log" => !isset($config['syslog']['nologdefaultpass']));
    $filter_rule_defaults['block'] = array("type" => "block", "log" => !isset($config['syslog']['nologdefaultblock']));
+    $filter_rule_defaults['disablereplyto'] = 1 ; // don't generate "reply-to" tags on internal rules by default

    // setup system filter rules
    filter_core_rules_system($fw, $filter_rule_defaults);
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
@ -47,6 +47,7 @@ class FilterRule
        'quick' => 'parseBool,quick',
        'interface' => 'parseInterface',
        'gateway' => 'parseRoute',
+        'reply' =>  'parsePlain',
        'ipprotocol' => 'parsePlain',
        'protocol' => 'parseReplaceSimple,tcp/udp:{tcp udp},proto ',
        'from' => 'parsePlain,from {,}',
@ -251,6 +252,37 @@ class FilterRule
        }
    }

+    /**
+     * add reply-to tag when applicable
+     * @param array $rule rule
+     */
+    private function convertReplyTo(&$rule)
+    {
+        if (!isset($rule['disablereplyto'])) {
+            $proto = $rule['ipprotocol'];
+            if (!empty($this->interfaceMapping[$rule['interface']]['if']) && empty($rule['gateway'])) {
+                $if = $this->interfaceMapping[$rule['interface']]['if'];
+                switch ($proto) {
+                    case "inet6":
+                        if (!empty($this->interfaceMapping[$rule['interface']]['gatewayv6'])
+                           && Util::isIpAddress($this->interfaceMapping[$rule['interface']]['gatewayv6'])) {
+                            $gw = $this->interfaceMapping[$rule['interface']]['gatewayv6'];
+                            $rule['reply'] = "reply-to ( {$if} {$gw} ) ";
+                        }
+                        break;
+                    default:
+                        if (!empty($this->interfaceMapping[$rule['interface']]['gateway'])
+                           && Util::isIpAddress($this->interfaceMapping[$rule['interface']]['gateway'])) {
+                            $gw = $this->interfaceMapping[$rule['interface']]['gateway'];
+                            $rule['reply'] = "reply-to ( {$if} {$gw} ) ";
+                        }
+                        break;
+                }
+            }
+        }
+    }
+
+
    /**
     * preprocess internal rule data to detail level of actual ruleset
     * handles shortcuts, like inet46 and multiple interfaces
@ -274,6 +306,7 @@ class FilterRule
                $tmp['interface'] = $interface;
                $tmp['ipprotocol'] = $ipproto;
                $this->convertAddress($tmp);
+                $this->convertReplyTo($tmp);
                $tmp['from'] = empty($tmp['from']) ? "any" : $tmp['from'];
                $tmp['to'] = empty($tmp['to']) ? "any" : $tmp['to'];
                // disable rule when interface not found