From b27abd7d74f7c000b65fda127773b4f2a60b7bd9 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Tue, 30 May 2017 21:50:57 +0200
Subject: [PATCH] filter, add "reply-to" to plugin model, disabled by default for bootstrapped rules. needs gateway/gatewayv6 registered in filter.inc before it can actually function.

---
 src/etc/inc/filter.lib.inc | 1 +
 .../library/OPNsense/Firewall/FilterRule.php | 33 +++++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/src/etc/inc/filter.lib.inc b/src/etc/inc/filter.lib.inc
index 1e9ca1d35..69113619e 100644
--- a/src/etc/inc/filter.lib.inc
+++ b/src/etc/inc/filter.lib.inc
@@ -33,6 +33,7 @@ function filter_core_bootstrap($fw)
 $filter_rule_defaults = array();
 $filter_rule_defaults['pass'] = array("type" => "pass", "log" => !isset($config['syslog']['nologdefaultpass']));
 $filter_rule_defaults['block'] = array("type" => "block", "log" => !isset($config['syslog']['nologdefaultblock']));
+ $filter_rule_defaults['disablereplyto'] = 1 ; // don't generate "reply-to" tags on internal rules by default
 
 // setup system filter rules
 filter_core_rules_system($fw, $filter_rule_defaults);
diff --git a/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php b/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
index e981dd838..606bd0c7d 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
@@ -47,6 +47,7 @@ class FilterRule
 'quick' => 'parseBool,quick',
 'interface' => 'parseInterface',
 'gateway' => 'parseRoute',
+ 'reply' => 'parsePlain',
 'ipprotocol' => 'parsePlain',
 'protocol' => 'parseReplaceSimple,tcp/udp:{tcp udp},proto ',
 'from' => 'parsePlain,from {,}',
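Review bot: The added default `$filter_rule_defaults['disablereplyto'] = 1 ;` has a stray space before the semicolon, and the consumer in FilterRule.php (convertReplyTo) only tests `isset()` on this key, so the value `1` itself is never inspected. Writing it as `$filter_rule_defaults['disablereplyto'] = true; // consumer checks isset(), any value disables reply-to` makes that contract visible to the next reader and avoids someone "enabling" reply-to by setting it to 0, which would still disable it. filter_core_bootstrap continues outside the hunk, so whether the other defaults are consumed the same way cannot be seen here.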
@@ -251,6 +252,37 @@ class FilterRule
 }
 }
 
+ /**
+ * add reply-to tag when applicable
+ * @param array $rule rule
+ */
+ private function convertReplyTo(&$rule)
+ {
+ if (!isset($rule['disablereplyto'])) {
+ $proto = $rule['ipprotocol'];
+ if (!empty($this->interfaceMapping[$rule['interface']]['if']) && empty($rule['gateway'])) {
+ $if = $this->interfaceMapping[$rule['interface']]['if'];
+ switch ($proto) {
+ case "inet6":
+ if (!empty($this->interfaceMapping[$rule['interface']]['gatewayv6'])
+ && Util::isIpAddress($this->interfaceMapping[$rule['interface']]['gatewayv6'])) {
+ $gw = $this->interfaceMapping[$rule['interface']]['gatewayv6'];
+ $rule['reply'] = "reply-to ( {$if} {$gw} ) ";
+ }
+ break;
+ default:
+ if (!empty($this->interfaceMapping[$rule['interface']]['gateway'])
+ && Util::isIpAddress($this->interfaceMapping[$rule['interface']]['gateway'])) {
+ $gw = $this->interfaceMapping[$rule['interface']]['gateway'];
+ $rule['reply'] = "reply-to ( {$if} {$gw} ) ";
+ }
+ break;
+ }
+ }
+ }
+ }
+
+
 /**
 * preprocess internal rule data to detail level of actual ruleset
 * handles shortcuts, like inet46 and multiple interfaces
@@ -274,6 +306,7 @@ class FilterRule
 $tmp['interface'] = $interface;
 $tmp['ipprotocol'] = $ipproto;
 $this->convertAddress($tmp);
+ $this->convertReplyTo($tmp);
 $tmp['from'] = empty($tmp['from']) ? "any" : $tmp['from'];
 $tmp['to'] = empty($tmp['to']) ? "any" : $tmp['to'];
 // disable rule when interface not found
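Review bot: The `case "inet6"` and `default` branches of the switch in convertReplyTo are identical apart from the mapping key (`gatewayv6` vs `gateway`), so the gateway lookup, the `Util::isIpAddress` check and the `reply-to` string assembly can be written once after selecting the key from `$rule['ipprotocol']`, which also drops the repeated `$this->interfaceMapping[$rule['interface']]` indexing. Separately, the `!isset($rule['disablereplyto'])` guard treats any present value, including `0` or `"0"`, as disabling reply-to; if a model field can deliver such a value here, `empty()` is presumably the intended test, and a comment stating that the check is on presence only would help either way. Note that `Util::isIpAddress` confirms the gateway is an address but not that its family matches `ipprotocol`; whether that can occur depends on how filter.inc fills `gateway`/`gatewayv6`, which the commit message says is still to be added. The rewrite below preserves the current behaviour; the third hunk only adds the `$this->convertReplyTo($tmp)` call and needs no change.
```php
    private function convertReplyTo(&$rule)
    {
        // presence of the key disables reply-to regardless of its value (bootstrap sets it to 1)
        if (!isset($rule['disablereplyto'])) {
            $ifname = $rule['interface'];
            if (!empty($this->interfaceMapping[$ifname]['if']) && empty($rule['gateway'])) {
                // pick the interface gateway matching the rule's address family
                $gwkey = $rule['ipprotocol'] == 'inet6' ? 'gatewayv6' : 'gateway';
                if (!empty($this->interfaceMapping[$ifname][$gwkey])
                    && Util::isIpAddress($this->interfaceMapping[$ifname][$gwkey])) {
                    $if = $this->interfaceMapping[$ifname]['if'];
                    $gw = $this->interfaceMapping[$ifname][$gwkey];
                    $rule['reply'] = "reply-to ( {$if} {$gw} ) ";
                }
            }
        }
    }
```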