(filter) more refactoring, as discussed with @fichtner move core rules out of plugin scope

2026-03-15 17:14:46 +00:00 · 2016-10-30 12:34:11 +01:00 · 2016-10-30 12:34:11 +01:00 · fd12c6682a
commit fd12c6682a
parent 2c2192d70d
4 changed files with 67 additions and 20 deletions
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@ -1,5 +1,4 @@
 <?php
-
 /*
    Copyright (C) 2004-2007 Scott Ullrich
    Copyright (C) 2005 Bill Marquette
@ -30,6 +29,8 @@
    POSSIBILITY OF SUCH DAMAGE.
 */

+require_once('filter.lib.inc');
+
 /* Create a global array to avoid errors on rulesets. */
 $GatewaysList = array();

@ -375,6 +376,7 @@ function filter_configure_sync()
    // initialize fw plugin object
    $fw = new \OPNsense\Firewall\Plugin();
    $fw->setInterfaceMapping($FilterIflist);
+    filter_core_bootstrap($fw);

    if (function_exists('plugins_firewall')) {
        plugins_firewall($fw);
--- a/src/etc/inc/filter.lib.inc
+++ b/src/etc/inc/filter.lib.inc
@ -0,0 +1,59 @@
+<?php
+/**
+ *    Copyright (C) 2016 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+function filter_core_bootstrap($fw)
+{
+    global $config;
+    // set defaults
+    $filter_rule_defaults = array();
+    $filter_rule_defaults['pass'] = array("type" => "pass", "log" => !isset($config['syslog']['nologdefaultpass']));
+    $filter_rule_defaults['block'] = array("type" => "block", "log" => !isset($config['syslog']['nologdefaultblock']));
+
+    // setup system filter rules
+    filter_core_rules_system($fw, $filter_rule_defaults);
+}
+
+/**
+ *  core system rules
+ */
+function filter_core_rules_system($fw, $defaults)
+{
+    global $config;
+
+    // block All IPv6 except loopback traffic
+    $fw->registerFilterRule(1,
+      array('interface' => 'loopback', 'ipprotocol'=>'inet6', 'disabled' => isset($config['system']['ipv6allow']),
+          'label' => 'Pass all loopback IPv6'),
+      $defaults['pass']
+    );
+    $fw->registerFilterRule(1,
+      array('ipprotocol'=>'inet6','label' => 'Block all IPv6', 'disabled' => isset($config['system']['ipv6allow'])),
+      $defaults['block']
+    );
+}
--- a/src/etc/inc/plugins.inc.d/core_fw.inc
+++ b/src/etc/inc/plugins.inc.d/core_fw.inc
@ -1,18 +0,0 @@
-<?php
-
-function core_fw_firewall($fw)
-{
-    global $config;
-    $log_block = !isset($config['syslog']['nologdefaultblock']);
-    $log_pass = !isset($config['syslog']['nologdefaultpass']);
-
-    if (!isset($config['system']['ipv6allow'])) {
-        // block All IPv6 except loopback traffic
-        $fw->registerFilterRule(0,
-          array('type'=>'pass','log'=>$log_pass, 'interface' => 'loopback', 'ipprotocol'=>'inet6')
-        );
-        $fw->registerFilterRule(0,
-          array('type'=>'block','log'=>$log_block, 'ipprotocol'=>'inet6', 'label' => 'Block all IPv6')
-        );
-    }
-}
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php
@ -98,9 +98,13 @@ class Plugin
     * register a filter rule
     * @param int $prio priority
     * @param array $conf configuration
+     * @param array $defaults merge these defaults when provided
     */
-    public function registerFilterRule($prio, $conf)
+    public function registerFilterRule($prio, $conf, $defaults=null)
    {
+        if ($defaults != null) {
+            $conf = array_merge($defaults, $conf);
+        }
        $rule = new FilterRule($this->interfaceMapping, $conf);
        if (empty($this->filterRules[$prio])) {
            $this->filterRules[$prio] = array();