From db3601f4911d66ad897f419046c39766c6b7b5bd Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Fri, 11 Mar 2016 16:46:45 +0100
Subject: [PATCH] (legacy) spaces, curly braces etc diag_logs_filter.php
---
src/www/diag_logs_filter.php | 1398 +++++++++++++++++-----------------
1 file changed, 719 insertions(+), 679 deletions(-)
diff --git a/src/www/diag_logs_filter.php b/src/www/diag_logs_filter.php
index a98685cd8..5fb5135db 100644
--- a/src/www/diag_logs_filter.php
+++ b/src/www/diag_logs_filter.php
@@ -1,33 +1,33 @@ - Copyright (C) 2004-2009 Scott Ullrich - Copyright (C) 2003-2009 Manuel Kasper - Originally Sponsored By Anathematic @ pfSense Forums - All rights reserved. + Copyright (C) 2014 Deciso B.V. + Copyright (C) 2009-2010 Jim Pingle + Copyright (C) 2004-2009 Scott Ullrich + Copyright (C) 2003-2009 Manuel Kasper + Originally Sponsored By Anathematic @ pfSense Forums + All rights reserved. - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. */ require_once("guiconfig.inc"); 
@@ -42,341 +42,359 @@ require_once("interfaces.inc"); ********************************************************************************************************************/ function easyrule_find_rule_interface($int) { - global $config; - /* Borrowed from firewall_rules.php */ - $iflist = get_configured_interface_with_descr(false, true); + global $config; + /* Borrowed from firewall_rules.php */ + $iflist = get_configured_interface_with_descr(false, true); - if (isset($config['pptpd']['mode']) && $config['pptpd']['mode'] == "server") - $iflist['pptp'] = "PPTP VPN"; + if (isset($config['pptpd']['mode']) && $config['pptpd']['mode'] == "server") { + $iflist['pptp'] = "PPTP VPN"; + } - if (isset($config['pppoe']['mode']) && $config['pppoe']['mode'] == "server") - $iflist['pppoe'] = "PPPoE VPN"; + if (isset($config['pppoe']['mode']) && $config['pppoe']['mode'] == "server") { + $iflist['pppoe'] = "PPPoE VPN"; + } - if (isset($config['l2tp']['mode']) && $config['l2tp']['mode'] == "server") - $iflist['l2tp'] = "L2TP VPN"; + if (isset($config['l2tp']['mode']) && $config['l2tp']['mode'] == "server") { + $iflist['l2tp'] = "L2TP VPN"; + } - /* add ipsec interfaces */ - if (isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])){ - $iflist["enc0"] = "IPSEC"; - } + /* add ipsec interfaces */ + if (isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])){ + $iflist["enc0"] = "IPSEC"; + } - if (isset($iflist[$int])) - return $int; + if (isset($iflist[$int])) { + return $int; + } - foreach ($iflist as $if => $ifd) { - if (strtolower($int) == strtolower($ifd)) - return $if; - } + foreach ($iflist as $if => $ifd) { + if (strtolower($int) == strtolower($ifd)) { + return $if; + } + } - if (substr($int, 0, 4) == "ovpn") - return "openvpn"; + if (substr($int, 0, 4) == "ovpn") { + return "openvpn"; + } - return false; + return false; } function easyrule_block_rule_exists($int = 'wan', $ipproto = "inet") { - global $config; - 
$blockaliasname = 'EasyRuleBlockHosts'; - /* No rules, we we know it doesn't exist */ - if (!is_array($config['filter']['rule'])) { - return false; - } + global $config; + $blockaliasname = 'EasyRuleBlockHosts'; + /* No rules, we we know it doesn't exist */ + if (!is_array($config['filter']['rule'])) { + return false; + } - /* Search through the rules for one referencing our alias */ - foreach ($config['filter']['rule'] as $rule) { - if (!is_array($rule) || !is_array($rule['source'])) - continue; - $checkproto = isset($rule['ipprotocol']) ? $rule['ipprotocol'] : "inet"; - if ($rule['source']['address'] == $blockaliasname . strtoupper($int) && ($rule['interface'] == $int) && ($checkproto == $ipproto)) - return true; - } - return false; + /* Search through the rules for one referencing our alias */ + foreach ($config['filter']['rule'] as $rule) { + if (!is_array($rule) || !is_array($rule['source'])) { + continue; + } + $checkproto = isset($rule['ipprotocol']) ? $rule['ipprotocol'] : "inet"; + if ($rule['source']['address'] == $blockaliasname . strtoupper($int) && ($rule['interface'] == $int) && ($checkproto == $ipproto)) { + return true; + } + } + return false; } function easyrule_block_rule_create($int = 'wan', $ipproto = "inet") { - global $config; - $blockaliasname = 'EasyRuleBlockHosts'; - /* If the alias doesn't exist, exit. - * Can't create an empty alias, and we don't know a host */ - if (easyrule_block_alias_getid($int) === false) - return false; + global $config; + $blockaliasname = 'EasyRuleBlockHosts'; + /* If the alias doesn't exist, exit. 
+ * Can't create an empty alias, and we don't know a host */ + if (easyrule_block_alias_getid($int) === false) { + return false; + } - /* If the rule already exists, no need to do it again */ - if (easyrule_block_rule_exists($int, $ipproto)) - return true; + /* If the rule already exists, no need to do it again */ + if (easyrule_block_rule_exists($int, $ipproto)) { + return true; + } - /* No rules, start a new array */ - if (!is_array($config['filter']['rule'])) { - $config['filter']['rule'] = array(); - } + /* No rules, start a new array */ + if (!is_array($config['filter']['rule'])) { + $config['filter']['rule'] = array(); + } - filter_rules_sort(); - $a_filter = &$config['filter']['rule']; + filter_rules_sort(); + $a_filter = &$config['filter']['rule']; - /* Make up a new rule */ - $filterent = array(); - $filterent['type'] = 'block'; - $filterent['interface'] = $int; - $filterent['ipprotocol'] = $ipproto; - $filterent['source']['address'] = $blockaliasname . strtoupper($int); - $filterent['destination']['any'] = ''; - $filterent['descr'] = gettext("Easy Rule: Blocked from Firewall Log View"); - $filterent['created'] = make_config_revision_entry(); + /* Make up a new rule */ + $filterent = array(); + $filterent['type'] = 'block'; + $filterent['interface'] = $int; + $filterent['ipprotocol'] = $ipproto; + $filterent['source']['address'] = $blockaliasname . 
strtoupper($int); + $filterent['destination']['any'] = ''; + $filterent['descr'] = gettext("Easy Rule: Blocked from Firewall Log View"); + $filterent['created'] = make_config_revision_entry(); - array_splice($a_filter, 0, 0, array($filterent)); + array_splice($a_filter, 0, 0, array($filterent)); - return true; + return true; } function easyrule_block_alias_getid($int = 'wan') { - global $config; + global $config; - $blockaliasname = 'EasyRuleBlockHosts'; + $blockaliasname = 'EasyRuleBlockHosts'; - if (!isset($config['aliases']) || !is_array($config['aliases'])) { - return false; - } + if (!isset($config['aliases']) || !is_array($config['aliases'])) { + return false; + } - /* Hunt down an alias with the name we want, return its id */ - foreach ($config['aliases']['alias'] as $aliasid => $alias) { - if ($alias['name'] == $blockaliasname . strtoupper($int)) { - return $aliasid; - } - } + /* Hunt down an alias with the name we want, return its id */ + foreach ($config['aliases']['alias'] as $aliasid => $alias) { + if ($alias['name'] == $blockaliasname . 
strtoupper($int)) { + return $aliasid; + } + } - return false; + return false; } function easyrule_block_alias_add($host, $int = 'wan') { - global $config; - $blockaliasname = 'EasyRuleBlockHosts'; - /* If the host isn't a valid IP address, bail */ - $host = trim($host, "[]"); - if (!is_ipaddr($host) && !is_subnet($host)) - return false; + global $config; + $blockaliasname = 'EasyRuleBlockHosts'; + /* If the host isn't a valid IP address, bail */ + $host = trim($host, "[]"); + if (!is_ipaddr($host) && !is_subnet($host)) { + return false; + } - /* If there are no aliases, start an array */ - if (!isset($config['aliases']) || !is_array($config['aliases'])) { - $config['aliases'] = array(); - } - if (!isset($config['aliases']['alias'])) { - $config['aliases']['alias'] = array(); - } - $a_aliases = &$config['aliases']['alias']; + /* If there are no aliases, start an array */ + if (!isset($config['aliases']) || !is_array($config['aliases'])) { + $config['aliases'] = array(); + } + if (!isset($config['aliases']['alias'])) { + $config['aliases']['alias'] = array(); + } + $a_aliases = &$config['aliases']['alias']; - /* Try to get the ID if the alias already exists */ - $id = easyrule_block_alias_getid($int); - if ($id === false) - unset($id); + /* Try to get the ID if the alias already exists */ + $id = easyrule_block_alias_getid($int); + if ($id === false) { + unset($id); + } - $alias = array(); - if (is_subnet($host)) { - list($host, $mask) = explode("/", $host); - } elseif (is_specialnet($host)) { - $mask = 0; - } elseif (strpos($host,':') !== false && is_ipaddrv6($host)) { - $mask = 128; - } else { - $mask = 32; - } + $alias = array(); + if (is_subnet($host)) { + list($host, $mask) = explode("/", $host); + } elseif (is_specialnet($host)) { + $mask = 0; + } elseif (strpos($host,':') !== false && is_ipaddrv6($host)) { + $mask = 128; + } else { + $mask = 32; + } - if (isset($id) && $a_aliases[$id]) { - /* Make sure this IP isn't already in the list. 
*/ - if (in_array($host.'/'.$mask, explode(" ", $a_aliases[$id]['address']))) - return true; - /* Since the alias already exists, just add to it. */ - $alias['name'] = $a_aliases[$id]['name']; - $alias['type'] = $a_aliases[$id]['type']; - $alias['descr'] = $a_aliases[$id]['descr']; + if (isset($id) && $a_aliases[$id]) { + /* Make sure this IP isn't already in the list. */ + if (in_array($host.'/'.$mask, explode(" ", $a_aliases[$id]['address']))) { + return true; + } + /* Since the alias already exists, just add to it. */ + $alias['name'] = $a_aliases[$id]['name']; + $alias['type'] = $a_aliases[$id]['type']; + $alias['descr'] = $a_aliases[$id]['descr']; - $alias['address'] = $a_aliases[$id]['address'] . ' ' . $host . '/' . $mask; - $alias['detail'] = $a_aliases[$id]['detail'] . gettext('Entry added') . ' ' . date('r') . '||'; - } else { - /* Create a new alias with all the proper information */ - $alias['name'] = $blockaliasname . strtoupper($int); - $alias['type'] = 'network'; - $alias['descr'] = gettext("Hosts blocked from Firewall Log view"); + $alias['address'] = $a_aliases[$id]['address'] . ' ' . $host . '/' . $mask; + $alias['detail'] = $a_aliases[$id]['detail'] . gettext('Entry added') . ' ' . date('r') . '||'; + } else { + /* Create a new alias with all the proper information */ + $alias['name'] = $blockaliasname . strtoupper($int); + $alias['type'] = 'network'; + $alias['descr'] = gettext("Hosts blocked from Firewall Log view"); - $alias['address'] = $host . '/' . $mask; - $alias['detail'] = gettext('Entry added') . ' ' . date('r') . '||'; - } + $alias['address'] = $host . '/' . $mask; + $alias['detail'] = gettext('Entry added') . ' ' . date('r') . 
'||'; + } - /* Replace the old alias if needed, otherwise tack it on the end */ - if (isset($id) && $a_aliases[$id]) - $a_aliases[$id] = $alias; - else - $a_aliases[] = $alias; + /* Replace the old alias if needed, otherwise tack it on the end */ + if (isset($id) && $a_aliases[$id]) { + $a_aliases[$id] = $alias; + } else { + $a_aliases[] = $alias; + } - // Sort list - $a_aliases = msort($a_aliases, "name"); + // Sort list + $a_aliases = msort($a_aliases, "name"); - return true; + return true; } function easyrule_block_host_add($host, $int = 'wan', $ipproto = "inet") { - global $retval; - /* Bail if the supplied host is not a valid IP address */ - $host = trim($host, "[]"); - if (!is_ipaddr($host) && !is_subnet($host)) - return false; + global $retval; + /* Bail if the supplied host is not a valid IP address */ + $host = trim($host, "[]"); + if (!is_ipaddr($host) && !is_subnet($host)) { + return false; + } - /* Flag whether or not we need to reload the filter */ - $dirty = false; + /* Flag whether or not we need to reload the filter */ + $dirty = false; - /* Attempt to add this host to the alias */ - if (easyrule_block_alias_add($host, $int)) { - $dirty = true; - } else { - /* Couldn't add the alias, or adding the host failed. */ - return false; - } + /* Attempt to add this host to the alias */ + if (easyrule_block_alias_add($host, $int)) { + $dirty = true; + } else { + /* Couldn't add the alias, or adding the host failed. */ + return false; + } - /* Attempt to add the firewall rule if it doesn't exist. - * Failing to add the rule isn't necessarily an error, it may - * have been modified by the user in some way. Adding to the - * Alias is what's important. - */ - if (!easyrule_block_rule_exists($int, $ipproto)) { - if (easyrule_block_rule_create($int, $ipproto)) { - $dirty = true; - } else { - return false; - } - } + /* Attempt to add the firewall rule if it doesn't exist. 
+ * Failing to add the rule isn't necessarily an error, it may + * have been modified by the user in some way. Adding to the + * Alias is what's important. + */ + if (!easyrule_block_rule_exists($int, $ipproto)) { + if (easyrule_block_rule_create($int, $ipproto)) { + $dirty = true; + } else { + return false; + } + } - /* If needed, write the config and reload the filter */ - if ($dirty) { - write_config(); - $retval = filter_configure(); - return true; - } else { - return false; - } + /* If needed, write the config and reload the filter */ + if ($dirty) { + write_config(); + $retval = filter_configure(); + return true; + } else { + return false; + } } function easyrule_pass_rule_add($int, $proto, $srchost, $dsthost, $dstport, $ipproto) { - global $config; + global $config; - /* No rules, start a new array */ - if (!is_array($config['filter']['rule'])) { - $config['filter']['rule'] = array(); - } + /* No rules, start a new array */ + if (!is_array($config['filter']['rule'])) { + $config['filter']['rule'] = array(); + } - filter_rules_sort(); - $a_filter = &$config['filter']['rule']; + filter_rules_sort(); + $a_filter = &$config['filter']['rule']; - /* Make up a new rule */ - $filterent = array(); - $filterent['type'] = 'pass'; - $filterent['interface'] = $int; - $filterent['ipprotocol'] = $ipproto; - $filterent['descr'] = gettext("Easy Rule: Passed from Firewall Log View"); + /* Make up a new rule */ + $filterent = array(); + $filterent['type'] = 'pass'; + $filterent['interface'] = $int; + $filterent['ipprotocol'] = $ipproto; + $filterent['descr'] = gettext("Easy Rule: Passed from Firewall Log View"); - if ($proto != "any") - $filterent['protocol'] = $proto; - else - unset($filterent['protocol']); + if ($proto != "any") { + $filterent['protocol'] = $proto; + } else { + unset($filterent['protocol']); + } - /* Default to only allow echo requests, since that's what most people want and - * it should be a safe choice. 
*/ - if ($proto == "icmp") - $filterent['icmptype'] = 'echoreq'; + /* Default to only allow echo requests, since that's what most people want and + * it should be a safe choice. */ + if ($proto == "icmp") { + $filterent['icmptype'] = 'echoreq'; + } - if ((strtolower($proto) == "icmp6") || (strtolower($proto) == "icmpv6")) - $filterent['protocol'] = "icmp"; + if ((strtolower($proto) == "icmp6") || (strtolower($proto) == "icmpv6")) { + $filterent['protocol'] = "icmp"; + } - if (is_subnet($srchost)) { - list($srchost, $srcmask) = explode("/", $srchost); - } elseif (is_specialnet($srchost)) { - $srcmask = 0; - } elseif (is_ipaddrv6($srchost)) { - $srcmask = 128; - } else { - $srcmask = 32; - } + if (is_subnet($srchost)) { + list($srchost, $srcmask) = explode("/", $srchost); + } elseif (is_specialnet($srchost)) { + $srcmask = 0; + } elseif (is_ipaddrv6($srchost)) { + $srcmask = 128; + } else { + $srcmask = 32; + } - if (is_subnet($dsthost)) { - list($dsthost, $dstmask) = explode("/", $dsthost); - } elseif (is_specialnet($dsthost)) { - $dstmask = 0; - } elseif (is_ipaddrv6($dsthost)) { - $dstmask = 128; - } else { - $dstmask = 32; - } + if (is_subnet($dsthost)) { + list($dsthost, $dstmask) = explode("/", $dsthost); + } elseif (is_specialnet($dsthost)) { + $dstmask = 0; + } elseif (is_ipaddrv6($dsthost)) { + $dstmask = 128; + } else { + $dstmask = 32; + } - pconfig_to_address($filterent['source'], $srchost, $srcmask); - pconfig_to_address($filterent['destination'], $dsthost, $dstmask, '', $dstport, $dstport); + pconfig_to_address($filterent['source'], $srchost, $srcmask); + pconfig_to_address($filterent['destination'], $dsthost, $dstmask, '', $dstport, $dstport); - $filterent['created'] = make_config_revision_entry(); - $a_filter[] = $filterent; + $filterent['created'] = make_config_revision_entry(); + $a_filter[] = $filterent; - write_config($filterent['descr']); - $retval = filter_configure(); - return true; + write_config($filterent['descr']); + $retval = 
filter_configure(); + return true; } function easyrule_parse_block($int, $src, $ipproto = "inet") { - if (!empty($src) && !empty($int)) { - $src = trim($src, "[]"); - if (!is_ipaddr($src) && !is_subnet($src)) { - return gettext("Tried to block invalid IP:") . ' ' . htmlspecialchars($src); - } - $int = easyrule_find_rule_interface($int); - if ($int === false) { - return gettext("Invalid interface for block rule:") . ' ' . htmlspecialchars($int); - } - if (easyrule_block_host_add($src, $int, $ipproto)) { - return gettext("Host added successfully"); - } else { - return gettext("Failed to create block rule, alias, or add host."); - } - } else { - return gettext("Tried to block but had no host IP or interface"); - } - return gettext("Unknown block error."); + if (!empty($src) && !empty($int)) { + $src = trim($src, "[]"); + if (!is_ipaddr($src) && !is_subnet($src)) { + return gettext("Tried to block invalid IP:") . ' ' . htmlspecialchars($src); + } + $int = easyrule_find_rule_interface($int); + if ($int === false) { + return gettext("Invalid interface for block rule:") . ' ' . 
htmlspecialchars($int); + } + if (easyrule_block_host_add($src, $int, $ipproto)) { + return gettext("Host added successfully"); + } else { + return gettext("Failed to create block rule, alias, or add host."); + } + } else { + return gettext("Tried to block but had no host IP or interface"); + } + return gettext("Unknown block error."); } function easyrule_parse_pass($int, $proto, $src, $dst, $dstport = 0, $ipproto = "inet") { - /* Check for valid int, srchost, dsthost, dstport, and proto */ - $protocols_with_ports = array('tcp', 'udp'); - $src = trim($src, "[]"); - $dst = trim($dst, "[]"); + /* Check for valid int, srchost, dsthost, dstport, and proto */ + $protocols_with_ports = array('tcp', 'udp'); + $src = trim($src, "[]"); + $dst = trim($dst, "[]"); - if (!empty($int) && !empty($proto) && !empty($src) && !empty($dst)) { - $int = easyrule_find_rule_interface($int); - if ($int === false) { - return gettext("Invalid interface for pass rule:") . ' ' . htmlspecialchars($int); - } - if (getprotobyname($proto) == -1) { - return gettext("Invalid protocol for pass rule:") . ' ' . htmlspecialchars($proto); - } - if (!is_ipaddr($src) && !is_subnet($src) && !is_ipaddroralias($src) && !is_specialnet($src)) { - return gettext("Tried to pass invalid source IP:") . ' ' . htmlspecialchars($src); - } - if (!is_ipaddr($dst) && !is_subnet($dst) && !is_ipaddroralias($dst) && !is_specialnet($dst)) { - return gettext("Tried to pass invalid destination IP:") . ' ' . htmlspecialchars($dst); - } - if (in_array($proto, $protocols_with_ports)) { - if (empty($dstport)) { - return gettext("Missing destination port:") . ' ' . htmlspecialchars($dstport); - } - if (!is_port($dstport) && ($dstport != "any")) { - return gettext("Tried to pass invalid destination port:") . ' ' . htmlspecialchars($dstport); - } - } else { - $dstport = 0; - } - /* Should have valid input... 
*/ - if (easyrule_pass_rule_add($int, $proto, $src, $dst, $dstport, $ipproto)) { - return gettext("Successfully added pass rule!"); - } else { - return gettext("Failed to add pass rule."); - } - } else { - return gettext("Missing parameters for pass rule."); - } - return gettext("Unknown pass error."); + if (!empty($int) && !empty($proto) && !empty($src) && !empty($dst)) { + $int = easyrule_find_rule_interface($int); + if ($int === false) { + return gettext("Invalid interface for pass rule:") . ' ' . htmlspecialchars($int); + } + if (getprotobyname($proto) == -1) { + return gettext("Invalid protocol for pass rule:") . ' ' . htmlspecialchars($proto); + } + if (!is_ipaddr($src) && !is_subnet($src) && !is_ipaddroralias($src) && !is_specialnet($src)) { + return gettext("Tried to pass invalid source IP:") . ' ' . htmlspecialchars($src); + } + if (!is_ipaddr($dst) && !is_subnet($dst) && !is_ipaddroralias($dst) && !is_specialnet($dst)) { + return gettext("Tried to pass invalid destination IP:") . ' ' . htmlspecialchars($dst); + } + if (in_array($proto, $protocols_with_ports)) { + if (empty($dstport)) { + return gettext("Missing destination port:") . ' ' . htmlspecialchars($dstport); + } + if (!is_port($dstport) && ($dstport != "any")) { + return gettext("Tried to pass invalid destination port:") . ' ' . htmlspecialchars($dstport); + } + } else { + $dstport = 0; + } + /* Should have valid input... */ + if (easyrule_pass_rule_add($int, $proto, $src, $dst, $dstport, $ipproto)) { + return gettext("Successfully added pass rule!"); + } else { + return gettext("Failed to add pass rule."); + } + } else { + return gettext("Missing parameters for pass rule."); + } + return gettext("Unknown pass error."); } /******************************************************************************************************************** 
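Review bot: In easyrule_parse_block (and again in easyrule_parse_pass further down this hunk) the "Invalid interface" branch reports an empty name, because `$int = easyrule_find_rule_interface($int);` has already overwritten the caller's interface with `false` by the time `htmlspecialchars($int)` is evaluated. Keep the lookup result separate — `$rule_int = easyrule_find_rule_interface($int);`, `if ($rule_int === false) {` with the existing return, then `$int = $rule_int;` after the guard — so the message names what was actually rejected. A second point in easyrule_parse_pass: `getprotobyname($proto) == -1` relies on the -1 sentinel of older PHP; later releases (8.0, if I recall correctly) return false there, and `false == -1` does not hold, so the check would silently stop rejecting unknown protocol names — worth a comment now, and `$proto != 'any' && getprotobyname($proto) === false` once the target runtime is fixed, since 'any' is accepted by easyrule_pass_rule_add but is not a protocol entry. Minor: easyrule_pass_rule_add assigns `$retval = filter_configure();` to a local that is never read, whereas easyrule_block_host_add declares `global $retval` for the same value.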
@@ -384,102 +402,105 @@ function easyrule_parse_pass($int, $proto, $src, $dst, $dstport = 0, $ipproto = ********************************************************************************************************************/ function get_port_with_service($port, $proto) { - if (!$port) - return ''; + if (!$port) { + return ''; + } - $service = getservbyport($port, $proto); - $portstr = ""; - if ($service) { - $portstr = sprintf('' . htmlspecialchars($port) . '', $port, $proto, $service); - } else { - $portstr = htmlspecialchars($port); - } - return ':' . $portstr; + $service = getservbyport($port, $proto); + $portstr = ""; + if ($service) { + $portstr = sprintf('' . htmlspecialchars($port) . '', $port, $proto, $service); + } else { + $portstr = htmlspecialchars($port); + } + return ':' . $portstr; } function find_rule_by_number($rulenum, $type = 'block') { - /* Passing arbitrary input to grep could be a Very Bad Thing(tm) */ - if (!is_numeric($rulenum) || !in_array($type, array('pass', 'block', 'match', 'rdr'))) - return; + /* Passing arbitrary input to grep could be a Very Bad Thing(tm) */ + if (!is_numeric($rulenum) || !in_array($type, array('pass', 'block', 'match', 'rdr'))) { + return; + } - $lookup_pattern = "^@{$rulenum}[[:space:]]{$type}[[:space:]].*[[:space:]]log[[:space:]]"; - /* At the moment, miniupnpd is the only thing I know of that - generates logging rdr rules */ - unset($buffer); - if ($type == "rdr") - $_gb = exec("/sbin/pfctl -vvPsn -a \"miniupnpd\" | /usr/bin/egrep " . escapeshellarg("^@{$rulenum}"), $buffer); - else { - if (file_exists('/tmp/rules.debug')) { - $_gb = exec('/sbin/pfctl -vvPnf /tmp/rules.debug 2>/dev/null | /usr/bin/egrep ' . escapeshellarg($lookup_pattern), $buffer); - } else { - $_gb = exec('/sbin/pfctl -vvPsr | /usr/bin/egrep ' . 
escapeshellarg($lookup_pattern), $buffer); - } - } - if (is_array($buffer)) - return $buffer[0]; + $lookup_pattern = "^@{$rulenum}[[:space:]]{$type}[[:space:]].*[[:space:]]log[[:space:]]"; + /* At the moment, miniupnpd is the only thing I know of that + generates logging rdr rules */ + unset($buffer); + if ($type == "rdr") { + $_gb = exec("/sbin/pfctl -vvPsn -a \"miniupnpd\" | /usr/bin/egrep " . escapeshellarg("^@{$rulenum}"), $buffer); + } else { + if (file_exists('/tmp/rules.debug')) { + $_gb = exec('/sbin/pfctl -vvPnf /tmp/rules.debug 2>/dev/null | /usr/bin/egrep ' . escapeshellarg($lookup_pattern), $buffer); + } else { + $_gb = exec('/sbin/pfctl -vvPsr | /usr/bin/egrep ' . escapeshellarg($lookup_pattern), $buffer); + } + } + if (is_array($buffer)) { + return $buffer[0]; + } - return ""; + return ""; } function buffer_rules_load() { - global $buffer_rules_rdr, $buffer_rules_normal; - unset($buffer, $buffer_rules_rdr, $buffer_rules_normal); - /* Redeclare globals after unset to work around PHP */ - global $buffer_rules_rdr, $buffer_rules_normal; - $buffer_rules_rdr = array(); - $buffer_rules_normal = array(); + global $buffer_rules_rdr, $buffer_rules_normal; + unset($buffer, $buffer_rules_rdr, $buffer_rules_normal); + /* Redeclare globals after unset to work around PHP */ + global $buffer_rules_rdr, $buffer_rules_normal; + $buffer_rules_rdr = array(); + $buffer_rules_normal = array(); - $_gb = exec("/sbin/pfctl -vvPsn -a \"miniupnpd\" | grep '^@'", $buffer); - if (is_array($buffer)) { - foreach ($buffer as $line) { - list($key, $value) = explode (" ", $line, 2); - $buffer_rules_rdr[$key] = $value; - } - } - unset($buffer, $_gb); - if (file_exists('/tmp/rules.debug')) { - $_gb = exec("/sbin/pfctl -vvPnf /tmp/rules.debug 2>/dev/null | /usr/bin/egrep '^@[0-9]+\([0-9]+\)[[:space:]].*[[:space:]]log[[:space:]]' | /usr/bin/egrep -v '^@[0-9]+\([0-9]+\)[[:space:]](nat|rdr|binat|no|scrub)'", $buffer); - } else { - $_gb = exec("/sbin/pfctl -vvPsr | /usr/bin/egrep 
'^@[0-9]+\([0-9]+\)[[:space:]].*[[:space:]]log[[:space:]]'", $buffer); - } + $_gb = exec("/sbin/pfctl -vvPsn -a \"miniupnpd\" | grep '^@'", $buffer); + if (is_array($buffer)) { + foreach ($buffer as $line) { + list($key, $value) = explode (" ", $line, 2); + $buffer_rules_rdr[$key] = $value; + } + } + unset($buffer, $_gb); + if (file_exists('/tmp/rules.debug')) { + $_gb = exec("/sbin/pfctl -vvPnf /tmp/rules.debug 2>/dev/null | /usr/bin/egrep '^@[0-9]+\([0-9]+\)[[:space:]].*[[:space:]]log[[:space:]]' | /usr/bin/egrep -v '^@[0-9]+\([0-9]+\)[[:space:]](nat|rdr|binat|no|scrub)'", $buffer); + } else { + $_gb = exec("/sbin/pfctl -vvPsr | /usr/bin/egrep '^@[0-9]+\([0-9]+\)[[:space:]].*[[:space:]]log[[:space:]]'", $buffer); + } - if (is_array($buffer)) { - foreach ($buffer as $line) { - list($key, $value) = explode (" ", $line, 2); - $matches = array(); - if (preg_match('/\@(?P\d+)\)/', $key, $matches) == 1) { - $key = "@{$matches['rulenum']}"; - } - $buffer_rules_normal[$key] = $value; - } - } - unset($_gb, $buffer); + if (is_array($buffer)) { + foreach ($buffer as $line) { + list($key, $value) = explode (" ", $line, 2); + $matches = array(); + if (preg_match('/\@(?P\d+)\)/', $key, $matches) == 1) { + $key = "@{$matches['rulenum']}"; + } + $buffer_rules_normal[$key] = $value; + } + } + unset($_gb, $buffer); } function buffer_rules_clear() { - unset($GLOBALS['buffer_rules_normal']); - unset($GLOBALS['buffer_rules_rdr']); + unset($GLOBALS['buffer_rules_normal']); + unset($GLOBALS['buffer_rules_rdr']); } function find_rule_by_number_buffer($rulenum, $type) { - global $buffer_rules_rdr, $buffer_rules_normal; + global $buffer_rules_rdr, $buffer_rules_normal; - $lookup_key = "@{$rulenum}"; + $lookup_key = "@{$rulenum}"; - if ($type == "rdr") { - $ruleString = $buffer_rules_rdr[$lookup_key]; - //TODO: get the correct 'description' part of a RDR log line. currently just first 30 characters.. 
- $rulename = substr($ruleString,0,30); - } else { - $ruleString = $buffer_rules_normal[$lookup_key]; - list(,$rulename,) = explode("\"",$ruleString); - $rulename = str_replace("USER_RULE: ",'',$rulename); - } - return "{$rulename} ({$lookup_key})"; + if ($type == "rdr") { + $ruleString = $buffer_rules_rdr[$lookup_key]; + //TODO: get the correct 'description' part of a RDR log line. currently just first 30 characters.. + $rulename = substr($ruleString,0,30); + } else { + $ruleString = $buffer_rules_normal[$lookup_key]; + list(,$rulename,) = explode("\"",$ruleString); + $rulename = str_replace("USER_RULE: ",'',$rulename); + } + return "{$rulename} ({$lookup_key})"; } 
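Review bot: find_rule_by_number_buffer reads `$buffer_rules_rdr[$lookup_key]` and `$buffer_rules_normal[$lookup_key]` without checking that the key exists, and `list(,$rulename,) = explode("\"",$ruleString);` assumes the buffered line carries a quoted description, so a rule number that is not in the loaded buffers (or a line without quotes) raises undefined index/offset notices and still returns a label with an empty name. Guarding both lookups and the explode with isset, as below, makes the function total without changing the normal path. Related, in find_rule_by_number the `if (is_array($buffer))` test does not separate "no match" from "match" — as far as I know exec() leaves an empty array when egrep prints nothing — so `$buffer[0]` is an undefined-offset read there as well; `if (!empty($buffer)) {` would be the equivalent guard. In get_port_with_service the escaped port is concatenated into the sprintf format string, so a '%' in `$port` would be parsed as a conversion specifier; passing the port as a `%s` argument instead would be the safer shape, though the format string's markup appears lost in this rendering so I cannot quote the exact replacement.
```php
if ($type == "rdr") {
    $ruleString = isset($buffer_rules_rdr[$lookup_key]) ? $buffer_rules_rdr[$lookup_key] : '';
    // … unchanged: TODO comment and substr() …
} else {
    $ruleString = isset($buffer_rules_normal[$lookup_key]) ? $buffer_rules_normal[$lookup_key] : '';
    $parts = explode("\"", $ruleString);
    $rulename = isset($parts[1]) ? str_replace("USER_RULE: ", '', $parts[1]) : '';
}
```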
@@ -490,164 +511,175 @@ function find_rule_by_number_buffer($rulenum, $type) # --- AJAX RESOLVE --- if (isset($_POST['resolve'])) { - $ip = strtolower($_POST['resolve']); - $res = (is_ipaddr($ip) ? gethostbyaddr($ip) : ''); + $ip = strtolower($_POST['resolve']); + $res = (is_ipaddr($ip) ? gethostbyaddr($ip) : ''); - if ($res && $res != $ip) - $response = array('resolve_ip' => $ip, 'resolve_text' => $res); - else - $response = array('resolve_ip' => $ip, 'resolve_text' => gettext("Cannot resolve")); - - echo json_encode(str_replace("\\","\\\\", $response)); // single escape chars can break JSON decode - exit; + if ($res && $res != $ip) { + $response = array('resolve_ip' => $ip, 'resolve_text' => $res); + } else { + $response = array('resolve_ip' => $ip, 'resolve_text' => gettext("Cannot resolve")); + } + echo json_encode(str_replace("\\","\\\\", $response)); // single escape chars can break JSON decode + exit; } if (isset($_POST['easyrule'])) { + $response = array("status"=>"unknown") ; + switch ($_POST['easyrule']) { + case 'block': + easyrule_parse_block($_POST['intf'], $_POST['srcip'], $_POST['ipproto']); + $response["status"] = "block" ; + break; + case 'pass': + easyrule_parse_pass($_POST['intf'], $_POST['proto'], $_POST['srcip'], $_POST['dstip'], $_POST['dstport'], $_POST['ipproto']); + $response["status"] = "pass" ; + break; + } - $response = array("status"=>"unknown") ; - switch ($_POST['easyrule']) { - case 'block': - easyrule_parse_block($_POST['intf'], $_POST['srcip'], $_POST['ipproto']); - $response["status"] = "block" ; - break; - case 'pass': - easyrule_parse_pass($_POST['intf'], $_POST['proto'], $_POST['srcip'], $_POST['dstip'], $_POST['dstport'], $_POST['ipproto']); - $response["status"] = "pass" ; - break; - } - - - echo json_encode(str_replace("\\","\\\\", $response)); - exit; + echo json_encode(str_replace("\\","\\\\", $response)); + exit; } function getGETPOSTsettingvalue($settingname, $default) { - $settingvalue = $default; - 
if(isset($_GET[$settingname])) - $settingvalue = $_GET[$settingname]; - if(isset($_POST[$settingname])) - $settingvalue = $_POST[$settingname]; - return $settingvalue; + $settingvalue = $default; + if (isset($_GET[$settingname])) { + $settingvalue = $_GET[$settingname]; + } + if (isset($_POST[$settingname])) { + $settingvalue = $_POST[$settingname]; + } + return $settingvalue; } $rulenum = getGETPOSTsettingvalue('getrulenum', null); -if($rulenum) { - list($rulenum, $type) = explode(',', $rulenum); - $rule = find_rule_by_number($rulenum, $type); - echo gettext("The rule that triggered this action is") . ":\n\n{$rule}"; - exit; +if ($rulenum) { + list($rulenum, $type) = explode(',', $rulenum); + $rule = find_rule_by_number($rulenum, $type); + echo gettext("The rule that triggered this action is") . ":\n\n{$rule}"; + exit; } $filterfieldsarray = array(); $filtersubmit = getGETPOSTsettingvalue('filtersubmit', null); if ($filtersubmit) { - $interfacefilter = getGETPOSTsettingvalue('interface', null); - $filtertext = getGETPOSTsettingvalue('filtertext', ""); - $filterlogentries_qty = getGETPOSTsettingvalue('filterlogentries_qty', null); + $interfacefilter = getGETPOSTsettingvalue('interface', null); + $filtertext = getGETPOSTsettingvalue('filtertext', ""); + $filterlogentries_qty = getGETPOSTsettingvalue('filterlogentries_qty', null); - $actpass = getGETPOSTsettingvalue('actpass', null); - $actblock = getGETPOSTsettingvalue('actblock', null); + $actpass = getGETPOSTsettingvalue('actpass', null); + $actblock = getGETPOSTsettingvalue('actblock', null); - $filterfieldsarray['act'] = str_replace(" ", " ", trim($actpass . " " . $actblock)); - $filterfieldsarray['act'] = $filterfieldsarray['act'] != "" ? 
$filterfieldsarray['act'] : 'All'; - $filterfieldsarray['time'] = getGETPOSTsettingvalue('filterlogentries_time', null); - $filterfieldsarray['interface'] = getGETPOSTsettingvalue('filterlogentries_interfaces', null); - $filterfieldsarray['srcip'] = getGETPOSTsettingvalue('filterlogentries_sourceipaddress', null); - $filterfieldsarray['srcport'] = getGETPOSTsettingvalue('filterlogentries_sourceport', null); - $filterfieldsarray['dstip'] = getGETPOSTsettingvalue('filterlogentries_destinationipaddress', null); - $filterfieldsarray['dstport'] = getGETPOSTsettingvalue('filterlogentries_destinationport', null); - $filterfieldsarray['proto'] = getGETPOSTsettingvalue('filterlogentries_protocol', null); - $filterfieldsarray['tcpflags'] = getGETPOSTsettingvalue('filterlogentries_protocolflags', null); - $filterfieldsarray['version'] = getGETPOSTsettingvalue('filterlogentries_version', null); - $filterlogentries_qty = getGETPOSTsettingvalue('filterlogentries_qty', null); + $filterfieldsarray['act'] = str_replace(" ", " ", trim($actpass . " " . $actblock)); + $filterfieldsarray['act'] = $filterfieldsarray['act'] != "" ? 
$filterfieldsarray['act'] : 'All'; + $filterfieldsarray['time'] = getGETPOSTsettingvalue('filterlogentries_time', null); + $filterfieldsarray['interface'] = getGETPOSTsettingvalue('filterlogentries_interfaces', null); + $filterfieldsarray['srcip'] = getGETPOSTsettingvalue('filterlogentries_sourceipaddress', null); + $filterfieldsarray['srcport'] = getGETPOSTsettingvalue('filterlogentries_sourceport', null); + $filterfieldsarray['dstip'] = getGETPOSTsettingvalue('filterlogentries_destinationipaddress', null); + $filterfieldsarray['dstport'] = getGETPOSTsettingvalue('filterlogentries_destinationport', null); + $filterfieldsarray['proto'] = getGETPOSTsettingvalue('filterlogentries_protocol', null); + $filterfieldsarray['tcpflags'] = getGETPOSTsettingvalue('filterlogentries_protocolflags', null); + $filterfieldsarray['version'] = getGETPOSTsettingvalue('filterlogentries_version', null); + $filterlogentries_qty = getGETPOSTsettingvalue('filterlogentries_qty', null); } else { - $interfacefilter = null; - $filterlogentries_qty = null ; - $filtertext = null; - foreach (array('act','time','interface','srcip','srcport','dstip','dstport','proto','tcpflags', 'version') as $tag) { - $filterfieldsarray[$tag] = null; - } + $interfacefilter = null; + $filterlogentries_qty = null ; + $filtertext = null; + foreach (array('act','time','interface','srcip','srcport','dstip','dstport','proto','tcpflags', 'version') as $tag) { + $filterfieldsarray[$tag] = null; + } } $filter_logfile = '/var/log/filter.log'; if (isset($config['syslog']['nentries'])) { - $nentries = $config['syslog']['nentries']; -} else { - $nentries = 50; + $nentries = $config['syslog']['nentries']; +} else { + $nentries = 50; } # Override Display Quantity if (isset($filterlogentries_qty) && $filterlogentries_qty != null) { - $nentries = $filterlogentries_qty; + $nentries = $filterlogentries_qty; } if (isset($_POST['clear'])) { - clear_clog($filter_logfile); + clear_clog($filter_logfile); } include("head.inc"); - ?> - - 
- - - - -
-
-
- - - 0) print_input_errors($input_errors); ?> - -
-
-
- -
- - - - - - - - - - - - - - - - - - - - - - - - - - + + +
+
+
+ + 0) print_input_errors($input_errors); ?> +
+
+ + +
+
- -
- -
+ + + + + + + + + + + + + + + + + + + + + + + + + - - -
+ + + + + + + + + + + +
+ + + + + + + + + +
- TCP Flags: F - FIN, S - SYN, A or . - ACK, R - RST, P - PSH, U - URG, E - ECE, W - CWR + TCP Flags: F - FIN, S - SYN, A or . - ACK, R - RST, P - PSH, U - URG, E - ECE, W - CWR
" /> -
- " /> -
+
+ " /> +
-
+ + + +
+ +
+
+
+
+
+ + + + + + + + + + + + + + + + + + + + + +".find_rule_by_number_buffer($filterent['rulenum'],$filterent['act']).""); + } - - - -
- -
- -
-
"> + + + +
+ ', outputrule);" title=""> + "> + + + + + + + +
- - - - - - - - - - - - - - - - - - - - - - - - ".find_rule_by_number_buffer($filterent['rulenum'],$filterent['act']).""); - - $int = strtolower($filterent['interface']); - $proto = strtolower($filterent['proto']); - if($filterent['version'] == '6') { - $ipproto = "inet6"; - $filterent['srcip'] = "[{$filterent['srcip']}]"; - $filterent['dstip'] = "[{$filterent['dstip']}]"; - } else { - $ipproto = "inet"; - } - if (!isset($filterent['srcport'])) $filterent['srcport'] = null ; - $srcstr = $filterent['srcip'] . get_port_with_service($filterent['srcport'], $proto); - $src_htmlclass = str_replace(array('.', ':'), '-', $filterent['srcip']); - if (!isset($filterent['dstport'])) $filterent['dstport'] = null ; - $dststr = $filterent['dstip'] . get_port_with_service($filterent['dstport'], $proto); - $dst_htmlclass = str_replace(array('.', ':'), '-', $filterent['dstip']); - ?> - - - - - - - - - - - -
" class="listtopic"> - - - -
- ', outputrule);" title="">"> - - - - - ');" title="" class="ICON-" alt="Icon Reverse Resolve with DNS"> - - " href="#blockEasy" class="btn btn-danger btn-xs easy_block"> - - - - - ';?> - - ');" title="" class="ICON-" alt="Icon Reverse Resolve with DNS"> - " href="#blockEasy" class="btn btn-success btn-xs easy_pass"> - - - - - - - - ';?> -
-
-
- - - -
-
- - - + $int = strtolower($filterent['interface']); + $proto = strtolower($filterent['proto']); + if($filterent['version'] == '6') { + $ipproto = "inet6"; + $filterent['srcip'] = "[{$filterent['srcip']}]"; + $filterent['dstip'] = "[{$filterent['dstip']}]"; + } else { + $ipproto = "inet"; + } + if (!isset($filterent['srcport'])) { + $filterent['srcport'] = null ; + } + $srcstr = $filterent['srcip'] . get_port_with_service($filterent['srcport'], $proto); + $src_htmlclass = str_replace(array('.', ':'), '-', $filterent['srcip']); + if (!isset($filterent['dstport'])) { + $filterent['dstport'] = null ; + } + $dststr = $filterent['dstip'] . get_port_with_service($filterent['dstport'], $proto); + $dst_htmlclass = str_replace(array('.', ':'), '-', $filterent['dstip']); +?> + + ');" title="" class="ICON-" alt="Icon Reverse Resolve with DNS"> + " href="#blockEasy" class="btn btn-danger btn-xs easy_block"> + + + + + ';?> + + + ');" title="" class="ICON-" alt="Icon Reverse Resolve with DNS"> + " href="#blockEasy" class="btn btn-success btn-xs easy_pass"> + + + + + + + + ';?> + + + + + + + + + + + + + + + + + + +
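Review bot: `$nentries = $filterlogentries_qty;` (below the `# Override Display Quantity` comment in this hunk) copies the raw GET/POST value from getGETPOSTsettingvalue() straight into the entry count, and the `isset(...) && ... != null` guard around it only rejects null, so a non-numeric or very large value is handed to whatever reads the log with that count; that consumer is not visible in the hunk, but the value should be an int with an upper bound before it leaves this block. I would replace the override with `$qty = filter_var($filterlogentries_qty, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => MAX_ENTRIES_PLACEHOLDER]]);` followed by `if ($qty !== false) { $nentries = $qty; }`, with the cap defined as a named constant rather than the placeholder. The `getrulenum` handler a few lines above has the same shape: `list($rulenum, $type) = explode(',', $rulenum);` passes both halves to find_rule_by_number() without checking that `$rulenum` is numeric or that `$type` is one of the expected rule kinds, and raises a notice when the value contains no comma. The easyrule and resolve handlers at the top of the hunk likewise read `$_POST['intf']`, `$_POST['srcip']`, `$_POST['ipproto']` and friends without isset() checks; presumably easyrule_parse_block()/easyrule_parse_pass() validate them, but that cannot be confirmed from here, so a short `// inputs validated in easyrule_parse_*` comment or an explicit isset() guard would help the next reader.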