From fd12c6682a1aa47feece308e85d6039cb5ff12fc Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Sun, 30 Oct 2016 12:34:11 +0100
Subject: [PATCH] (filter) more refactoring, as discussed with @fichtner move
 core rules out of plugin scope

---
 src/etc/inc/filter.inc                        |  4 +-
 src/etc/inc/filter.lib.inc                    | 59 +++++++++++++++++++
 src/etc/inc/plugins.inc.d/core_fw.inc         | 18 ------
 .../app/library/OPNsense/Firewall/Plugin.php  |  6 +-
 4 files changed, 67 insertions(+), 20 deletions(-)
 create mode 100644 src/etc/inc/filter.lib.inc
 delete mode 100644 src/etc/inc/plugins.inc.d/core_fw.inc

diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
index f791dd647..8cb6ae64f 100644
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -1,5 +1,4 @@
 <?php
-
 /*
     Copyright (C) 2004-2007 Scott Ullrich
     Copyright (C) 2005 Bill Marquette
@@ -30,6 +29,8 @@
     POSSIBILITY OF SUCH DAMAGE.
 */
 
+require_once('filter.lib.inc');
+
 /* Create a global array to avoid errors on rulesets. */
 $GatewaysList = array();
 
@@ -375,6 +376,7 @@ function filter_configure_sync()
     // initialize fw plugin object
     $fw = new \OPNsense\Firewall\Plugin();
     $fw->setInterfaceMapping($FilterIflist);
+    filter_core_bootstrap($fw);
 
     if (function_exists('plugins_firewall')) {
         plugins_firewall($fw);
diff --git a/src/etc/inc/filter.lib.inc b/src/etc/inc/filter.lib.inc
new file mode 100644
index 000000000..0a306808b
--- /dev/null
+++ b/src/etc/inc/filter.lib.inc
@@ -0,0 +1,59 @@
+<?php
+/**
+ *    Copyright (C) 2016 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+function filter_core_bootstrap($fw)
+{
+    global $config;
+    // set defaults
+    $filter_rule_defaults = array();
+    $filter_rule_defaults['pass'] = array("type" => "pass", "log" => !isset($config['syslog']['nologdefaultpass']));
+    $filter_rule_defaults['block'] = array("type" => "block", "log" => !isset($config['syslog']['nologdefaultblock']));
+
+    // setup system filter rules
+    filter_core_rules_system($fw, $filter_rule_defaults);
+}
+
+/**
+ *  core system rules
+ */
+function filter_core_rules_system($fw, $defaults)
+{
+    global $config;
+
+    // block All IPv6 except loopback traffic
+    $fw->registerFilterRule(1,
+      array('interface' => 'loopback', 'ipprotocol'=>'inet6', 'disabled' => isset($config['system']['ipv6allow']),
+          'label' => 'Pass all loopback IPv6'),
+      $defaults['pass']
+    );
+    $fw->registerFilterRule(1,
+      array('ipprotocol'=>'inet6','label' => 'Block all IPv6', 'disabled' => isset($config['system']['ipv6allow'])),
+      $defaults['block']
+    );
+}
diff --git a/src/etc/inc/plugins.inc.d/core_fw.inc b/src/etc/inc/plugins.inc.d/core_fw.inc
deleted file mode 100644
index e459f6e25..000000000
--- a/src/etc/inc/plugins.inc.d/core_fw.inc
+++ /dev/null
@@ -1,18 +0,0 @@
-<?php
-
-function core_fw_firewall($fw)
-{
-    global $config;
-    $log_block = !isset($config['syslog']['nologdefaultblock']);
-    $log_pass = !isset($config['syslog']['nologdefaultpass']);
-
-    if (!isset($config['system']['ipv6allow'])) {
-        // block All IPv6 except loopback traffic
-        $fw->registerFilterRule(0,
-          array('type'=>'pass','log'=>$log_pass, 'interface' => 'loopback', 'ipprotocol'=>'inet6')
-        );
-        $fw->registerFilterRule(0,
-          array('type'=>'block','log'=>$log_block, 'ipprotocol'=>'inet6', 'label' => 'Block all IPv6')
-        );
-    }
-}
diff --git a/src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php b/src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php
index bb775a878..c2bffdffa 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php
@@ -98,9 +98,13 @@ class Plugin
      * register a filter rule
      * @param int $prio priority
      * @param array $conf configuration
+     * @param array $defaults merge these defaults when provided
      */
-    public function registerFilterRule($prio, $conf)
+    public function registerFilterRule($prio, $conf, $defaults=null)
     {
+        if ($defaults != null) {
+            $conf = array_merge($defaults, $conf);
+        }
         $rule = new FilterRule($this->interfaceMapping, $conf);
         if (empty($this->filterRules[$prio])) {
             $this->filterRules[$prio] = array();