filter, replace macro with internal name, for https://github.com/opnsense/core/issues/1702

In the long run all macro entries should go, but for now a replacement should be sufficient.
Ad Schellevis 2017-07-04 20:22:17 +02:00
parent d57dbf5a07
commit e5711dfb25


@ -765,7 +765,7 @@ function filter_generate_scrubing(&$FilterIflist)
}
$scrubnodf = !empty($config['system']['scrubnodf']) ? "no-df" : "";
$scrubrnid = !empty($config['system']['scrubrnid']) ? "random-id" : "";
$scrubrules .= "scrub on \${$scrubcfg['descr']} all {$scrubnodf} {$scrubrnid} {$mssclamp}\n";
$scrubrules .= "scrub on \${$scrubif} all {$scrubnodf} {$scrubrnid} {$mssclamp}\n";
}
}
}
@ -860,13 +860,13 @@ function filter_generate_aliases(&$FilterIflist)
$aliases .= "loopback = \"{ lo0 }\"\n";
foreach ($FilterIflist as $if => $ifcfg) {
if (!empty($ifcfg['descr']) && !empty($ifcfg['if'])) {
if (!empty($ifcfg['if'])) {
if (isset($ifcfg['type6']) && $ifcfg['type6'] == '6rd') {
$aliases .= "{$ifcfg['descr']} = \"{ {$ifcfg['if']} {$if}_stf";
$aliases .= "{$if} = \"{ {$ifcfg['if']} {$if}_stf";
} elseif (isset($ifcfg['type6']) && $ifcfg['type6'] == '6to4') {
$aliases .= "{$ifcfg['descr']} = \"{ {$ifcfg['if']} {$if}_stf";
$aliases .= "{$if} = \"{ {$ifcfg['if']} {$if}_stf";
} else {
$aliases .= "{$ifcfg['descr']} = \"{ {$ifcfg['if']}";
$aliases .= "{$if} = \"{ {$ifcfg['if']}";
if (isset($ifcfg['type']) && $ifcfg['type'] == 'pptp') {
foreach (get_parent_interface($ifcfg['if']) as $parent_if) {
if ($parent_if != $ifcfg['if']) {
@ -1479,13 +1479,9 @@ function filter_nat_rules_generate_if(&$FilterIflist, $if, $src = "any", $srcpor
$nat = "nat";
$target = "-> {$tgt}";
}
$if_friendly = $FilterIflist[$if]['descr'];
/* Put all the pieces together */
if ($if_friendly) {
$natrule = "{$nat} {$logtag} on \${$if_friendly}{$ipprotocol}{$protocol} from {$src} to {$dst}${tagging} {$target} {$poolopts} {$staticnatport_txt}\n";
} else {
$natrule .= "# Could not convert {$if} to friendly name(alias)\n";
}
$natrule = "{$nat} {$logtag} on \${$if}{$ipprotocol}{$protocol} from {$src} to {$dst}${tagging} {$target} {$poolopts} {$staticnatport_txt}\n";
return $natrule;
}
@ -1584,8 +1580,6 @@ function filter_nat_rules_generate(&$FilterIflist)
$srcaddr = trim($srcaddr);
$dstaddr = trim($dstaddr);
$natif = $FilterIflist[$natif]['descr'];
$natrules .= "binat on \${$natif} from {$srcaddr} to any -> {$dstaddr}\n";
$natrules .= "binat on \${$natif} from {$dstaddr} to any -> {$srcaddr}\n";
}
@ -2223,30 +2217,30 @@ function filter_generate_ipsec_rules(&$FilterIflist)
/* Add rules to allow IKE to pass */
$shorttunneldescr = substr($descr, 0, 35);
$ipfrules .= <<<EOD
pass out {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 500 keep state label "IPsec: {$shorttunneldescr} - outbound isakmp"
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 500 keep state label "IPsec: {$shorttunneldescr} - inbound isakmp"
pass out {$log['pass']} on \${$parentinterface} $route_to proto udp from any to {$rgip} port = 500 keep state label "IPsec: {$shorttunneldescr} - outbound isakmp"
pass in {$log['pass']} on \${$parentinterface} $reply_to proto udp from {$rgip} to any port = 500 keep state label "IPsec: {$shorttunneldescr} - inbound isakmp"
EOD;
/* If NAT-T is enabled, add additional rules */
if ($ph1ent['nat_traversal'] != "off" ) {
$ipfrules .= <<<EOD
pass out {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto udp from any to {$rgip} port = 4500 keep state label "IPsec: {$shorttunneldescr} - outbound nat-t"
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto udp from {$rgip} to any port = 4500 keep state label "IPsec: {$shorttunneldescr} - inbound nat-t"
pass out {$log['pass']} on \${$parentinterface} $route_to proto udp from any to {$rgip} port = 4500 keep state label "IPsec: {$shorttunneldescr} - outbound nat-t"
pass in {$log['pass']} on \${$parentinterface} $reply_to proto udp from {$rgip} to any port = 4500 keep state label "IPsec: {$shorttunneldescr} - inbound nat-t"
EOD;
}
/* Add rules to allow the protocols in use */
if ($prot_used_esp == true) {
$ipfrules .= <<<EOD
pass out {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto esp from any to {$rgip} keep state label "IPsec: {$shorttunneldescr} - outbound esp proto"
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto esp from {$rgip} to any keep state label "IPsec: {$shorttunneldescr} - inbound esp proto"
pass out {$log['pass']} on \${$parentinterface} $route_to proto esp from any to {$rgip} keep state label "IPsec: {$shorttunneldescr} - outbound esp proto"
pass in {$log['pass']} on \${$parentinterface} $reply_to proto esp from {$rgip} to any keep state label "IPsec: {$shorttunneldescr} - inbound esp proto"
EOD;
}
if ($prot_used_ah == true) {
$ipfrules .= <<<EOD
pass out {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $route_to proto ah from any to {$rgip} keep state label "IPsec: {$shorttunneldescr} - outbound ah proto"
pass in {$log['pass']} on \${$FilterIflist[$parentinterface]['descr']} $reply_to proto ah from {$rgip} to any keep state label "IPsec: {$shorttunneldescr} - inbound ah proto"
pass out {$log['pass']} on \${$parentinterface} $route_to proto ah from any to {$rgip} keep state label "IPsec: {$shorttunneldescr} - outbound ah proto"
pass in {$log['pass']} on \${$parentinterface} $reply_to proto ah from {$rgip} to any keep state label "IPsec: {$shorttunneldescr} - inbound ah proto"
EOD;
}
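Review bot: The rewritten `$natrule` line in filter_nat_rules_generate_if references `on \${$if}` unconditionally, but filter_generate_aliases only writes the `{$if} = "{ ... }"` macro when `$ifcfg['if']` is non-empty. The removed `if ($if_friendly)` branch emitted a comment instead of a rule when the interface could not be resolved; without it, a NAT entry pointing at an interface that is missing from `$FilterIflist` or has no device would produce a rule naming an undefined macro, which pfctl treats as a syntax error, so the new ruleset would likely fail to load as a whole. Consider keeping a guard keyed on the internal name before the rule is built, e.g. `if (empty($FilterIflist[$if]['if'])) { return "# Could not resolve interface {$if}\n"; }`. The binat lines in filter_nat_rules_generate and the `\${$parentinterface}` IPsec rules have the same dependency on the macro existing. All of these functions start and end outside the hunks shown, so an earlier check may already cover it.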