firewall: remove kill_states et al; closes #5045

This commit is contained in:
Franco Fichtner 2021-07-02 10:22:39 +02:00
parent 58dfb05dca
commit ba70f141e6
5 changed files with 9 additions and 70 deletions


@ -256,7 +256,6 @@
<crypto_hardware>aesni</crypto_hardware>
<pf_share_forward>1</pf_share_forward>
<lb_use_sticky>1</lb_use_sticky>
<kill_states>1</kill_states>
<ssh>
<group>admins</group>
</ssh>


@ -123,29 +123,6 @@ function filter_configure()
}
}
function filter_should_trigger_kill_states()
{
global $config;
if (empty($config['system']['kill_states'])) {
$a_gateways = return_gateways_status();
$ifdetails = legacy_interfaces_details();
$any_gateway_down = false;
foreach ((new \OPNsense\Routing\Gateways($ifdetails))->gatewaysIndexedByName(false, true) as $gateway) {
if (empty($gateway['monitor']) || empty($a_gateways[$gateway['name']])) {
continue;
} elseif (!is_ipaddr($gateway['monitor']) || strstr($gateway['monitor'], '127.0.0.')) {
continue;
}
if (stristr($a_gateways[$gateway['name']]['status'], 'down')) {
$any_gateway_down = true;
break;
}
}
return $any_gateway_down;
}
return false;
}
/**
* sync interface groups, but leave the ones not managed by us intact.
*/
@ -207,7 +184,7 @@ function is_interface_group($if)
return false;
}
function filter_configure_sync($verbose = false, $flush_states = false, $load_aliases = true)
function filter_configure_sync($verbose = false, $load_aliases = true)
{
global $config;
$sched_kill_states = array(); // kill states for schedules
@ -562,15 +539,6 @@ function filter_configure_sync($verbose = false, $flush_states = false, $load_al
flush();
}
if ($flush_states) {
mwexec('/sbin/pfctl -Fs');
}
if ($verbose) {
echo '.';
flush();
}
if ($load_aliases) {
configd_run('template reload OPNsense/Filter');
configd_run('filter refresh_aliases', true);
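Review bot: Dropping the middle parameter in `function filter_configure_sync($verbose = false, $load_aliases = true)` changes the meaning of the second positional argument, and PHP neither rejects the old three-argument form nor warns about it: a caller still using the old shape `filter_configure_sync(true, true, false)` would now load aliases instead of skipping them, and its third argument is silently discarded. The callers inside this commit are updated, but any caller outside these five files (plugins, local scripts) would break quietly, so a PHPDoc block on the new signature with `@param bool $verbose` and `@param bool $load_aliases`, noting that the state-flush parameter was removed, would at least surface the change in IDEs and static analysis. The body of filter_configure_sync continues past the last hunk of this file.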


@ -33,20 +33,6 @@ require_once("filter.inc");
require_once("system.inc");
require_once("interfaces.inc");
$event_arg = count($argv) >= 1 ? $argv[1] : "";
$event_arg = count($argv) >= 1 ? $argv[1] : '';
if ($event_arg == 'skip_alias' ) {
filter_configure_sync(true, false, false);
} else {
if ($event_arg == 'gateway' && filter_should_trigger_kill_states()) {
/**
* XXX: When "Kill states" on gateway monitoring is used, we should reset states after this event.
* Originally filter_configure_sync() reset states after each event. Although the feature isn't great
* in terms of what it does (not really fine grained, just kill all), for historic reasons we probably should
* leave it in.
*/
filter_configure_sync(true, true);
} else {
filter_configure_sync(true);
}
}
filter_configure_sync(true, $event_arg != 'skip_alias');
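Review bot: The rewritten line `$event_arg = count($argv) >= 1 ? $argv[1] : '';` guards the wrong index: `count($argv) >= 1` only guarantees that `$argv[0]` (the script name) exists, so invoking the script with no argument still reads the undefined `$argv[1]` and raises a notice before falling back to null. Since the line is touched anyway, `$event_arg = count($argv) >= 2 ? $argv[1] : '';` (or `$argv[1] ?? ''`) fixes it, and the new call reads better with a strict comparison, `filter_configure_sync(true, $event_arg !== 'skip_alias');`. This is a flat script, so there is no enclosing function.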


@ -152,10 +152,13 @@ if (!is_ipaddr($cacheip) || $ip != $cacheip || !is_ipaddr($configip)) {
system_routing_configure(false, $interface);
plugins_configure('monitor');
filter_configure_sync(false, isset($config['system']['ip_change_kill_states']));
if (is_ipaddr($cacheip) && $ip != $cacheip && !isset($config['system']['ip_change_kill_states'])) {
filter_configure_sync();
if (isset($config['system']['ip_change_kill_states'])) {
log_error('IP address renew, killing all previous states');
mwexec('/sbin/pfctl -Fs');
} else if (is_ipaddr($cacheip) && $ip != $cacheip) {
log_error("IP address change detected, killing states of old ip $cacheip");
mwexec('/sbin/pfctl -k ' . $cacheip);
mwexecf('/sbin/pfctl -k %s', $cacheip);
}
if (is_ipaddr($ip)) {
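Review bot: The new branch `} else if (is_ipaddr($cacheip) && $ip != $cacheip) {` uses `else if` where PSR-12 prefers the single keyword, `} elseif (is_ipaddr($cacheip) && $ip != $cacheip) {`. The `ip_change_kill_states` branch above it runs `/sbin/pfctl -Fs`, which flushes the entire state table rather than only states of the renewed address, and it fires whenever the enclosing condition does — including when only `$configip` was invalid; that mirrors what the removed `$flush_states` argument did, but a one-line comment such as `// kill states on renew: flushes the whole state table, not just the old address` would make the scope explicit for the next reader. The enclosing `if` starts before this hunk.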


@ -51,7 +51,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig['disablereplyto'] = isset($config['system']['disablereplyto']);
$pconfig['bogonsinterval'] = !empty($config['system']['bogons']['interval']) ? $config['system']['bogons']['interval'] : null;
$pconfig['schedule_states'] = isset($config['system']['schedule_states']);
$pconfig['kill_states'] = !empty($config['system']['kill_states']);
$pconfig['skip_rules_gw_down'] = isset($config['system']['skip_rules_gw_down']);
$pconfig['lb_use_sticky'] = isset($config['system']['lb_use_sticky']);
$pconfig['pf_share_forward'] = isset($config['system']['pf_share_forward']);
@ -202,12 +201,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
unset($config['system']['schedule_states']);
}
if (!empty($pconfig['kill_states'])) {
$config['system']['kill_states'] = true;
} elseif (isset($config['system']['kill_states'])) {
unset($config['system']['kill_states']);
}
if (!empty($pconfig['skip_rules_gw_down'])) {
$config['system']['skip_rules_gw_down'] = true;
} elseif (isset($config['system']['skip_rules_gw_down'])) {
@ -348,16 +341,6 @@ include("head.inc");
<td style="width:22%"><strong><?= gettext('Gateway Monitoring') ?></strong></td>
<td style="width:78%"></td>
</tr>
<tr>
<td><a id="help_for_kill_states" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Kill states");?> </td>
<td>
<input name="kill_states" type="checkbox" id="kill_states" value="yes" <?= !empty($pconfig['kill_states']) ? "checked=\"checked\"" : "";?> />
<?=gettext("Disable State Killing on Gateway Failure"); ?>
<div class="hidden" data-for="help_for_kill_states">
<?=gettext("The monitoring process will flush states for a gateway that goes down if this box is not checked. Check this box to disable this behavior."); ?>
</div>
</td>
</tr>
<tr>
<td><a id="help_for_skip_rules_gw_down" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Skip rules");?> </td>
<td>