From fffcede4e1f63ca17f8a00efb6e67bbf9f0428aa Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Sat, 7 May 2016 18:06:24 +0200
Subject: [PATCH] cron: migrate the time-based rules cron job to autocron

o Gets rid of cron save/flush in the filter reload path.
o Gets rid of cron job injection into config.
o Move configure_cron() to the rules edit where it can be flipped in case of schedule changes.

To be totally frank, a 15 minute hook to deploy a time based system is hardly accurate. But what worries me more is that we still have this patch in the kernel, totally unsure of what it actually does when we have a schedule-based reload on top anyway: https://github.com/opnsense/src/commit/0a19f813177d18e569a457eff50a07c2e42abe04
---
 src/etc/inc/filter.inc | 74 ---------------------------------
 src/etc/inc/services.inc | 16 +++++--
 src/www/firewall_rules_edit.php | 1 +
 3 files changed, 14 insertions(+), 77 deletions(-)
diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
index 30843535c..9c2672718 100644
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -164,9 +164,6 @@ function filter_configure_sync()
 /* holds the tables to be flushed *AFTER* the filter is fully loaded */
 $after_filter_configure_run = array();
- /* For installing cron job of schedules */
- $time_based_rules = false;
-
 $FilterIflist = filter_generate_optcfg_array();
 /* Use filter lock to not allow concurrent filter reloads during this run. */
@@ -363,17 +360,6 @@ function filter_configure_sync()
 mwexecf('/sbin/pfctl -T flush -t %s', $afcr);
 }
- /* if time based rules are enabled then swap in the set */
- if (isset($config['filter']['rule'])) {
- foreach ($config['filter']['rule'] as $rule) {
- if (isset($rule['sched']) && !empty($rule['sched'])) {
- $time_based_rules = true;
- break;
- }
- }
- filter_tdr_install_cron($time_based_rules);
- }
-
 if (file_exists("/var/run/booting")) {
 echo ".";
 }
@@ -3371,66 +3357,6 @@ function filter_rules_spoofcheck_generate($ifname, $ifcfg, $log)
 return $ipfrules;
 }
-/****f* filter/filter_tdr_install_cron
- * NAME
- * filter_tdr_install_cron
- * INPUTS
- * $should_install true if the cron entry should be installed, false
- * if the entry should be removed if it is present
- * RESULT
- * none
- ******/
-function filter_tdr_install_cron($should_install)
-{
- global $config;
-
- if (file_exists("/var/run/booting")) {
- return;
- }
-
- if (!is_array($config['cron'])) {
- $config['cron'] = array();
- }
- if (!is_array($config['cron']['item'])) {
- $config['cron']['item'] = array();
- }
-
- $x=0;
- $is_installed = false;
- foreach($config['cron']['item'] as $item) {
- if (strstr($item['command'], "filter_configure_sync")) {
- $is_installed = true;
- break;
- }
- $x++;
- }
-
- switch($should_install) {
- case true:
- if (!$is_installed) {
- $cron_item = array();
- $cron_item['minute'] = "0,15,30,45";
- $cron_item['hour'] = "*";
- $cron_item['mday'] = "*";
- $cron_item['month'] = "*";
- $cron_item['wday'] = "*";
- $cron_item['who'] = "root";
- $cron_item['command'] = "/usr/local/etc/rc.filter_configure_sync";
- $config['cron']['item'][] = $cron_item;
- write_config(gettext("Installed 15 minute filter reload for Time Based Rules"));
- configure_cron();
- }
- break;
- case false:
- if ($is_installed == true) {
- unset($config['cron']['item'][$x]);
- write_config(gettext("Removed 15 minute filter reload for Time Based Rules"));
- configure_cron();
- }
- break;
- }
-}
-
 /****f* filter/filter_get_time_based_rule_status
 * NAME
 * filter_get_time_based_rule_status
diff --git a/src/etc/inc/services.inc b/src/etc/inc/services.inc
index 672fa6c82..8f8b60f5e 100644
--- a/src/etc/inc/services.inc
+++ b/src/etc/inc/services.inc
@@ -2349,6 +2349,7 @@ function configure_cron()
 '/usr/local/etc/rc.backup_dhcpleases',
 '/usr/local/etc/rc.backup_netflow',
 '/usr/local/etc/rc.backup_rrd',
+ '/usr/local/etc/rc.filter_configure_sync',
 '/usr/local/etc/rc.dyndns.update',
 '/usr/local/etc/rc.update_bogons',
 '/usr/local/etc/rc.update_urltables',
@@ -2398,21 +2399,30 @@ function configure_cron()
 $autocron[] = generate_cron_job('/usr/local/etc/rc.update_urltables', '30', '12');
 if (!empty($config['system']['rrdbackup'])) {
- $autocron[] = generate_cron_job('/usr/local/etc/rc.backup_rrd', $minute = '0', '*/' . $config['system']['rrdbackup']);
+ $autocron[] = generate_cron_job('/usr/local/etc/rc.backup_rrd', '0', '*/' . $config['system']['rrdbackup']);
 }
 if (!empty($config['system']['dhcpbackup'])) {
- $autocron[] = generate_cron_job('/usr/local/etc/rc.backup_dhcpleases', $minute = '0', '*/' . $config['system']['dhcpbackup']);
+ $autocron[] = generate_cron_job('/usr/local/etc/rc.backup_dhcpleases', '0', '*/' . $config['system']['dhcpbackup']);
 }
 if (!empty($config['system']['netflowbackup'])) {
- $autocron[] = generate_cron_job('/usr/local/etc/rc.backup_netflow', $minute = '0', '*/' . $config['system']['netflowbackup']);
+ $autocron[] = generate_cron_job('/usr/local/etc/rc.backup_netflow', '0', '*/' . $config['system']['netflowbackup']);
 }
 if (!empty($config['system']['remotebackup']['GDriveEnabled'])) {
 $autocron[] = generate_cron_job('/usr/local/opnsense/scripts/remote_backup.php', 0, 1);
 }
+ if (isset($config['filter']['rule'])) {
+ foreach ($config['filter']['rule'] as $rule) {
+ if (!empty($rule['sched'])) {
+ $autocron[] = generate_cron_job('/usr/local/etc/rc.filter_configure_sync', '0,15,30,45');
+ break;
+ }
+ }
+ }
+
 /* bogons fetch always set in default config.xml */
 switch ($config['system']['bogons']['interval']) {
 case 'daily':
diff --git a/src/www/firewall_rules_edit.php b/src/www/firewall_rules_edit.php
index c02c302d0..8e846d058 100644
--- a/src/www/firewall_rules_edit.php
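Review bot: The added `'/usr/local/etc/rc.filter_configure_sync'` entry has no comment explaining why it joins this list, and the array's name and use lie outside the hunk. If this is the list of commands whose entries are stripped from `$config['cron']['item']` because autocron now generates them, it is what cleans up the 15-minute item that earlier versions wrote into config, and that deserves a one-line comment such as `/* moved to autocron: stale config items with these commands are dropped */`. Without that cleanup an upgraded system could end up with the reload scheduled twice, so it is worth confirming on a config that still carries the old item.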
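Review bot: The rewritten backup jobs still build the hour field as `'*/' . $config['system']['rrdbackup']` (likewise `dhcpbackup` and `netflowbackup`), so a raw config value is concatenated into a crontab entry and nothing in this hunk constrains it to a number. Unless the value is validated where it is saved or inside `generate_cron_job()` (neither is visible here), cast it at the point of use, e.g. `'*/' . (int)$config['system']['rrdbackup']`, so only an integer can reach the schedule. Separately, the new loop enables the 15-minute reload for any rule with a non-empty `sched`, including one that may be disabled; if rules carry a disabled flag, skipping those would avoid a needless reload job. configure_cron() begins and ends outside this hunk.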
+++ b/src/www/firewall_rules_edit.php
@@ -517,6 +517,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 }
 // sort filter items per interface, not really necessary but leaves a bit nicer sorted config.xml behind.
 filter_rules_sort();
+ configure_cron();
 // write to config
 if (write_config()) {
 mark_subsystem_dirty('filter');
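Review bot: `configure_cron();` runs before `write_config()`, so the crontab is regenerated from the in-memory `$config` even when the write that follows fails; moving the call inside the `if (write_config()) {` block, next to `mark_subsystem_dirty('filter');`, keeps cron and the saved config in step. This page is also now the only place in the patch that refreshes the job, whereas the removed code in filter_configure_sync() re-evaluated it on every filter reload. If scheduled rules can be added, deleted or toggled elsewhere (rule list actions, a config restore), the 15-minute reload may not be installed until configure_cron() next runs, and a time-based rule would then not switch at its scheduled time; those paths are not visible here and should be checked. The enclosing block continues past the end of the hunk.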