From d20a9c823688f8252b4357d846eaf209faafca77 Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Mon, 19 Sep 2022 21:12:16 +0200 Subject: [PATCH] filter - refactor filter_configure_sync() to wrap user rule registration in a separate function called filter_core_rules_user() This eases re-use of the rule database from other areas of the system. --- src/etc/inc/filter.inc | 66 ++------------------------------------ src/etc/inc/filter.lib.inc | 63 ++++++++++++++++++++++++++++++++++++ 2 files changed, 65 insertions(+), 64 deletions(-) diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc index ece1055be..bd761a5a3 100644 --- a/src/etc/inc/filter.inc +++ b/src/etc/inc/filter.inc @@ -145,28 +145,9 @@ function ifgroup_setup() } } -/** - * XXX: replace with check on interfaces section (see pf_interfaces) - */ -function is_interface_group($if) -{ - global $config; - - if (isset($config['ifgroups']['ifgroupentry'])) { - foreach ($config['ifgroups']['ifgroupentry'] as $groupentry) { - if ($groupentry['ifname'] === $if) { - return true; - } - } - } - - return false; -} - function filter_configure_sync($verbose = false, $load_aliases = true) { global $config; - $sched_kill_states = array(); // kill states for schedules if ($verbose) { echo 'Configuring firewall.'; 
@@ -187,51 +168,8 @@ function filter_configure_sync($verbose = false, $load_aliases = true) filter_core_bootstrap($fw); $cnfint = iterator_to_array($fw->getInterfaceMapping()); plugins_firewall($fw); - - if (isset($config['filter']['rule'])) { - // register user rules - foreach ($config['filter']['rule'] as $rule) { - // calculate a hash for this area so we can track this rule, we should replace this - // with uuid's on the rules like the new style models do eventually. - $rule_hash = OPNsense\Firewall\Util::calcRuleHash($rule); - $rule['label'] = $rule_hash; - $sched = ''; - $descr = ''; - - if (!empty($rule['sched'])) { - $sched = "({$rule['sched']})"; - } - if (!empty($rule['descr'])) { - $descr = ": {$rule['descr']}"; - } - - $rule['descr'] = "{$sched}{$descr}"; - if (isset($rule['floating'])) { - $prio = 200000; - } elseif (is_interface_group($rule['interface']) || in_array($rule['interface'], array("l2tp", "pptp", "pppoe", "enc0", "openvpn"))) { - $prio = 300000; - } else { - $prio = 400000; - } - /* is a time based rule schedule attached? */ - if (!empty($rule['sched']) && !empty($config['schedules'])) { - foreach ($config['schedules']['schedule'] as $sched) { - if ($sched['name'] == $rule['sched']) { - if (!filter_get_time_based_rule_status($sched)) { - if (!isset($config['system']['schedule_states'])) { - $sched_kill_states[] = $rule['label']; - } - /* disable rule, suffix label to mark end of schedule */ - $rule['disabled'] = true; - $rule['descr'] = "[FIN]" . $rule['descr']; - } - break; - } - } - } - $fw->registerFilterRule($prio, $rule); - } - } + // register user rules, returns kill states for schedules + $sched_kill_states = filter_core_rules_user($fw); // manual outbound nat rules if ( diff --git a/src/etc/inc/filter.lib.inc b/src/etc/inc/filter.lib.inc index 017ffa1db..e0e70e981 100644 --- a/src/etc/inc/filter.lib.inc +++ b/src/etc/inc/filter.lib.inc 
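Review bot: The new comment `// register user rules, returns kill states for schedules` repeats the callee's docblock instead of saying what this call site does with the result; something like `// user rules; labels of rules whose schedule has expired are collected so their states can be killed below` tells the reader why the return value is kept. filter_configure_sync() continues outside the hunk, and with the `$sched_kill_states = array()` initialisation at the top of the function gone, this assignment is now the only definition of the variable — worth confirming nothing between the function start and this line reads `$sched_kill_states`, which would now be an undefined variable.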
@@ -596,3 +596,66 @@ function filter_core_rules_system($fw, $defaults)
 }
 }
 }
+
+/**
+ * register user rules, returns kill states for schedules
+ */
+function filter_core_rules_user($fw)
+{
+ global $config;
+
+ $sched_kill_states = [];
+
+ $ifgroups = ["l2tp", "pptp", "pppoe", "enc0", "openvpn"];
+ if (isset($config['ifgroups']['ifgroupentry'])) {
+ foreach ($config['ifgroups']['ifgroupentry'] as $groupentry) {
+ $ifgroups[] = $groupentry['ifname'];
+ }
+ }
+
+ if (isset($config['filter']['rule'])) {
+ // register user rules
+ foreach ($config['filter']['rule'] as $rule) {
+ // calculate a hash for this area so we can track this rule, we should replace this
+ // with uuid's on the rules like the new style models do eventually.
+ $rule['label'] = OPNsense\Firewall\Util::calcRuleHash($rule);
+ $sched = '';
+ $descr = '';
+
+ if (!empty($rule['sched'])) {
+ $sched = "({$rule['sched']})";
+ }
+ if (!empty($rule['descr'])) {
+ $descr = ": {$rule['descr']}";
+ }
+
+ $rule['descr'] = "{$sched}{$descr}";
+ if (isset($rule['floating'])) {
+ $prio = 200000;
+ } elseif (in_array($rule['interface'], $ifgroups)) {
+ $prio = 300000;
+ } else {
+ $prio = 400000;
+ }
+ /* is a time based rule schedule attached? */
+ if (!empty($rule['sched']) && !empty($config['schedules'])) {
+ foreach ($config['schedules']['schedule'] as $sched) {
+ if ($sched['name'] == $rule['sched']) {
+ if (!filter_get_time_based_rule_status($sched)) {
+ if (!isset($config['system']['schedule_states'])) {
+ $sched_kill_states[] = $rule['label'];
+ }
+ /* disable rule, suffix label to mark end of schedule */
+ $rule['disabled'] = true;
+ $rule['descr'] = "[FIN]" . $rule['descr'];
+ }
+ break;
+ }
+ }
+ }
+ $fw->registerFilterRule($prio, $rule);
+ }
+ }
+
+ return $sched_kill_states;
+}
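Review bot: `in_array($rule['interface'], $ifgroups)` in the priority selection is a loose comparison, while the is_interface_group() helper this replaces matched group names with `===`, so numeric-looking interface or group names could now match each other ("1e3" == "1000" in PHP); pass strict mode: `} elseif (in_array($rule['interface'], $ifgroups, true)) {`. In the same loop `$sched` is first the "(name)" description fragment and then the schedule array of the inner foreach, which reads confusingly now that the body is a standalone function; naming the inner loop variable `$schedule` would avoid the reuse. The comment `/* disable rule, suffix label to mark end of schedule */` says the opposite of the next line, which prefixes `[FIN]` to the description. The docblock could state the contract: `$fw` is the firewall object whose registerFilterRule() receives each rule, and the return is an array of rule labels (calcRuleHash values) whose schedule has expired, collected only when `system.schedule_states` is unset.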