work on https://github.com/opnsense/core/issues/993

simple start, wrap anchor registration into plugin system, use miniupnpd as an example. use registerAnchor() to register new anchors for pf into the main firewall script, we've hooked head/tail options and the different anchor types. anchorToText() will extract the registered anchors back for the specified types and place in the script (head/tail) in text format for pf. our new codebase was already hooked using legacy_bindings.inc, no additional includes needed to construct \OPNsense\Firewall\Plugin().
2026-03-18 10:35:27 +00:00 · 2016-09-30 18:14:02 +02:00 · 2016-09-30 18:14:02 +02:00 · edc4097899
commit edc4097899
parent 9a0c3839c3
4 changed files with 139 additions and 7 deletions
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@ -372,6 +372,13 @@ function filter_configure_sync()

    $FilterIflist = filter_generate_optcfg_array();

+    // initialize fw plugin object
+    $fw = new \OPNsense\Firewall\Plugin();
+
+    if (function_exists('plugins_firewall')) {
+        plugins_firewall($fw);
+    }
+
    /* Use filter lock to not allow concurrent filter reloads during this run. */
    $filterlck = lock('filter', LOCK_EX);

@ -467,8 +474,12 @@ function filter_configure_sync()
    update_filter_reload_status(gettext("Setting up SCRUB information"));
    $rules .= filter_generate_scrubing($FilterIflist);
    $rules .= "\n";
+    $rules .= $fw->anchorToText('nat,binat,rdr', 'head');
    $rules .= "{$natrules}\n";
+    $rules .= $fw->anchorToText('nat,binat,rdr', 'tail');
+    $rules .= $fw->anchorToText('fw', 'head');
    $rules .= "{$pfrules}\n";
+    $rules .= $fw->anchorToText('fw', 'tail');

    unset($aliases, $gateways, $natrules, $pfrules);

@ -1888,9 +1899,6 @@ function filter_nat_rules_generate(&$FilterIflist)
        }
    }

-    $natrules .= "\n# UPnP\n";
-    $natrules .= "rdr-anchor \"miniupnpd\"\n";
-
    if (!empty($reflection_txt)) {
        $natrules .= "\n# Reflection redirects and NAT for 1:1 mappings\n" . $reflection_txt;
    }
@ -2991,10 +2999,6 @@ EOD;

    update_filter_reload_status("Creating uPNP rules...");
    if (isset($config['installedpackages']['miniupnpd']['config'][0])) {
-        if (isset($config['installedpackages']['miniupnpd']['config'][0]['enable'])) {
-            $ipfrules .= "anchor \"miniupnpd\"\n";
-        }
-
        if (isset($config['installedpackages']['miniupnpd'][0]['config']) && is_array($config['installedpackages']['miniupnpd'][0]['config'])) {
            $upnp_interfaces = explode(",", $config['installedpackages']['miniupnpd'][0]['config']['iface_array']);
            foreach($upnp_interfaces as $upnp_if) {
--- a/src/etc/inc/plugins.inc
+++ b/src/etc/inc/plugins.inc
@ -149,6 +149,19 @@ function plugins_interfaces()
    }
 }

+function plugins_firewall($fw)
+{
+    foreach (plugins_scan() as $name => $path) {
+        require_once $path;
+        $func = sprintf('%s_firewall', $name);
+        if (function_exists($func)) {
+            $func($fw);
+        }
+    }
+
+    return $fw;
+}
+
 function plugins_configure()
 {
    foreach (plugins_scan() as $name => $path) {
--- a/src/etc/inc/plugins.inc.d/miniupnpd.inc
+++ b/src/etc/inc/plugins.inc.d/miniupnpd.inc
@ -0,0 +1,35 @@
+<?php
+/*
+    Copyright (C) 2016 Deciso B.V.
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+function miniupnpd_firewall($fw)
+{
+    global $config;
+    if (isset($config['installedpackages']['miniupnpd']['config'][0]['enable'])) {
+        $fw->registerAnchor("miniupnpd/*", "rdr");
+        $fw->registerAnchor("miniupnpd/*", "fw");
+    }
+}
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php
@ -0,0 +1,80 @@
+<?php
+
+/**
+ *    Copyright (C) 2016 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+namespace OPNsense\Firewall;
+
+/**
+ * Class Plugin
+ * @package OPNsense\Firewall
+ */
+class Plugin
+{
+    private $anchors = array();
+
+    /**
+     * init firewall plugin component
+     */
+    public function __construct()
+    {
+    }
+
+    /**
+     * register anchor
+     * @param $name anchor name
+     * @param $type anchor type (fw for filter, other options are nat,rdr,binat)
+     * @param $priority sort order from low to high
+     * @return null
+     */
+    public function registerAnchor($name, $type="fw", $priority=0, $placement="tail")
+    {
+        $anchorKey = sprintf("%s.%s.%08d.%08d", $type, $placement, $priority, count($this->anchors));
+        $this->anchors[$anchorKey] = $name;
+        ksort($this->anchors);
+    }
+
+    /**
+     * fetch anchors as text (pf ruleset part)
+     * @param $types anchor types (fw for filter, other options are nat,rdr,binat. comma seperated)
+     * @param $priority sort order from low to high
+     * @return string
+     */
+    public function anchorToText($types="fw", $placement="tail")
+    {
+        $result = "";
+        foreach (explode(',', $types) as $type) {
+            foreach ($this->anchors as $anchorKey => $anchor) {
+                if (strpos($anchorKey, "{$type}.{$placement}") === 0) {
+                    $result .= $type == "fw" ? "" : "{$type}-";
+                    $result .= "anchor \"{$anchor}\"\n";
+                }
+            }
+        }
+        return $result;
+    }
+}