 
 From:  Kris Maglione <bsdaemon at comcast dot net>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] Reject with 'tcp/udp'
 Date:  Sun, 11 Sep 2005 15:20:12 -0400
Peter Allgeyer wrote:

>IMHO, it's never bad to have a small piece of code where one can see
>what exactly you have in mind.
>  
>
This is just an example. It reprocesses each rule after it modifies it. 
An unfortunate result of that is that one would have to be extremely 
careful in coding it to avoid infinite loops. I don't know if this code 
runs.


// Walk the rule list by index so that a modified or replaced rule can be
// reprocessed from the same slot; $i only advances once a rule is left as-is.
$rulelist = array_values($config['filter']['rule']);
$i = 0;
while ($i < count($rulelist)) {
    $rule = $rulelist[$i];

    if (isset($rule['disabled'])) {
        // Drop the rule; the following rule slides into slot $i.
        array_splice($rulelist, $i, 1);
        continue;
    }

    if ($rule['type']     == 'reject' &&
        $rule['protocol'] == 'tcp/udp') {
        // Split the rule into a tcp and a udp copy and reprocess both.
        $ruleTCP = $rule;
        $ruleTCP['protocol'] = 'tcp';
        $ruleUDP = $rule;
        $ruleUDP['protocol'] = 'udp';

        array_splice($rulelist, $i, 1, array($ruleTCP, $ruleUDP));
        continue;
    }

    // This is probably not the best way to do this,
    //   since one has to loop through the NAT rules
    //   for each firewall rule mapping.
    // If we add 'natmap' and 'ruleid' (-type) attributes,
    //   it may be better to just loop through the entire
    //   set of NAT rules once and make an array of rules
    //   which contain 'natmap' attributes
    if (isset($rule['natmap'])) {
        $natmap = $rule['natmap'];
        $natmaprule = null;
        foreach ($config['nat']['rule'] as $natrule) {
            if ($natrule['ruleid'] == $natmap) {
                $natmaprule = $natrule;
                break;
            }
        }
        // Replace the natmap reference by the NAT rule's interface, protocol
        // and target, then reprocess the rewritten rule (its protocol may now
        // be 'tcp/udp' and need splitting). 'natmap' is removed even when no
        // NAT rule matches, so the rule cannot be reprocessed forever.
        unset($rule['natmap']);
        if ($natmaprule !== null) {
            $rule['interface']   = $natmaprule['interface'];
            $rule['protocol']    = $natmaprule['protocol'];
            $rule['destination'] = array('address' => $natmaprule['target'],
                                         'port'    => $natmaprule['local-port']);
        }
        $rulelist[$i] = $rule;
        continue;
    }

    $i++;
}
foreach ($rulelist as $rule) {
    // spit out ipf ruleset
    ...
}

>I would prefer a hidden option. Experts searching for such a thing will
>find the documentation of hidden options. Others won't need it ;-)
>  
>
I agree entirely, just so long as it doesn't require an extraneous 
amount of extra effort to set it... i.e. one shouldn't have to download 
config.xml, edit it, upload it, and reboot the firewall, just to change 
the way the packet filter rejects a matching packet.
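The rule expansion sketched in the message above, as an added example rather than m0n0wall's own code: it follows the suggestion in the snippet's comment and indexes the NAT rules by 'ruleid' once instead of scanning them for every firewall rule, reprocesses a rule after each rewrite, and bounds the number of passes so a coding mistake shows up as an error rather than an infinite loop. The $config layout ('filter' and 'nat' rule arrays, the proposed 'natmap' and 'ruleid' attributes, 'target' and 'local-port') mirrors the snippet; the sample rules are constructed, and the ipf line format emitted at the end is a simplified stand-in for the real generator, included only to show why a 'tcp/udp' reject has to be split (ipf answers a rejected TCP packet with return-rst and a rejected UDP packet with return-icmp).

```php
<?php
// Added example, not m0n0wall code. Expands filter rules for ipf output.

// Build a ruleid => NAT rule index once ('ruleid' is the attribute proposed
// in the message; NAT rules without one cannot be referenced).
function index_nat_rules(array $natrules) {
    $byid = array();
    foreach ($natrules as $natrule) {
        if (isset($natrule['ruleid'])) {
            $byid[$natrule['ruleid']] = $natrule;
        }
    }
    return $byid;
}

// Rewrite one rule. Returns the replacement rule(s) (possibly none) and sets
// $changed when the rule was rewritten and therefore needs another look.
function rewrite_rule(array $rule, array $natbyid, &$changed) {
    $changed = true;
    if (isset($rule['disabled'])) {
        return array();
    }
    if (isset($rule['natmap'])) {
        $id = $rule['natmap'];
        unset($rule['natmap']);             // removed even if no NAT rule matches
        if (isset($natbyid[$id])) {
            $rule['interface']   = $natbyid[$id]['interface'];
            $rule['protocol']    = $natbyid[$id]['protocol'];
            $rule['destination'] = array('address' => $natbyid[$id]['target'],
                                         'port'    => $natbyid[$id]['local-port']);
        }
        return array($rule);
    }
    if ($rule['type'] == 'reject' && $rule['protocol'] == 'tcp/udp') {
        $tcp = $rule; $tcp['protocol'] = 'tcp';
        $udp = $rule; $udp['protocol'] = 'udp';
        return array($tcp, $udp);
    }
    $changed = false;
    return array($rule);
}

function expand_rules(array $config) {
    $natbyid  = index_nat_rules($config['nat']['rule']);
    $rulelist = array_values($config['filter']['rule']);
    // Each original rule is rewritten at most twice (natmap, then split) and
    // yields at most two final rules, so 4n iterations always suffice.
    $budget = 4 * count($rulelist) + 1;
    $i = 0;
    while ($i < count($rulelist)) {
        if ($budget-- <= 0) {
            throw new RuntimeException("rule expansion did not converge at rule $i");
        }
        $changed = false;
        $out = rewrite_rule($rulelist[$i], $natbyid, $changed);
        if (!$changed) {
            $i++;
            continue;
        }
        array_splice($rulelist, $i, 1, $out); // reprocess from slot $i
    }
    return $rulelist;
}

// Assumed, simplified ipf syntax; the reject action depends on the protocol.
function ipf_line(array $rule) {
    $action = 'block';
    if ($rule['type'] == 'pass') {
        $action = 'pass';
    } elseif ($rule['type'] == 'reject') {
        $action = ($rule['protocol'] == 'tcp') ? 'block return-rst'
                                               : 'block return-icmp(port-unr)';
    }
    $dst = $rule['destination']['address'];
    if (isset($rule['destination']['port'])) {
        $dst .= ' port = ' . $rule['destination']['port'];
    }
    return sprintf('%s in quick on %s proto %s from any to %s',
                   $action, $rule['interface'], $rule['protocol'], $dst);
}

// Constructed sample config: a reject rule mapped onto a tcp/udp NAT rule
// (needs natmap rewrite and then a split), a disabled rule, and a plain
// tcp/udp reject.
$config = array(
    'nat' => array('rule' => array(
        array('ruleid' => 'nat1', 'interface' => 'wan', 'protocol' => 'tcp/udp',
              'target' => '192.168.1.10', 'local-port' => '53'),
    )),
    'filter' => array('rule' => array(
        array('type' => 'reject', 'interface' => 'wan', 'protocol' => 'tcp',
              'natmap' => 'nat1', 'destination' => array('address' => 'any')),
        array('type' => 'pass', 'interface' => 'lan', 'protocol' => 'icmp',
              'disabled' => true, 'destination' => array('address' => 'any')),
        array('type' => 'reject', 'interface' => 'lan', 'protocol' => 'tcp/udp',
              'destination' => array('address' => '10.0.0.5', 'port' => '25')),
    )),
);

foreach (expand_rules($config) as $rule) {
    echo ipf_line($rule), "\n";
}
```

Running it prints four lines: the NAT-mapped reject becomes a return-rst rule for tcp and a return-icmp rule for udp on wan towards 192.168.1.10 port 53, the disabled rule disappears, and the lan tcp/udp reject is split the same way. Because rewrite_rule strips 'natmap' before it checks the protocol, a rule can never be rewritten more than twice, which is what makes the pass budget safe to enforce.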