On Sat, Nov 01, 2003 at 01:34:47AM +0100, Bart Smit wrote: > On Fri, 31 Oct 2003, Jim McBeath wrote: > > > * sequence (to order the rules within an interface group) > > * type (block or pass) > > * disabled (to disable a rule without removing it) > > Yay! Hear, hear! Nice! > > > 1. Are you interested in these changes? > > I want to have a look anyway, even if they're not going into the official > m0n0wall. This sounds pretty much like a remedy for bits I was missing > too. OK, one customer is enough for me to distribute the changes. > > 2. If so, how should I submit them? > > Well, could you post to the list? > > > 3. I have just started using m0n0 and these changes; how much/how long > > should I test them before submitting them? > > I'll gladly report any findings. Thanks. > regards, > > --Bart Below are the changes in diff -u format. The mfsroot.orig directory in the patch is the original mfsroot directory as extracted from the net45xx-pb18r522 download. -- Jim McBeath http://www.alumni.caltech.edu/~jimmc diff -aur mfsroot.orig/etc/inc/filter.inc mfsroot/etc/inc/filter.inc --- mfsroot.orig/etc/inc/filter.inc Sat Oct 11 13:46:37 2003 +++ mfsroot/etc/inc/filter.inc Thu Oct 30 15:26:05 2003 @@ -472,6 +472,10 @@ if (isset($config['filter']['rule'])) foreach ($config['filter']['rule'] as $rule) { + + /* don't include disabled rules */ + if (isset($rule['disabled'])) + continue; /* does the rule deal with a PPTP interface? */ if ($rule['interface'] == "pptp") { @@ -519,7 +523,19 @@ } } - $line = "pass in quick "; + $type = strtolower($rule['type']); + if ($type!="pass" && $type!="block") { + /* default (for older rules) is pass */ + $type = "pass"; + } + + $line = $type; + $line .= " in "; + + if (isset($rule['log'])) + $line .= "log "; + + $line .= "quick "; if ($ispptp) { $line .= "on ng" . ($iif+1) . " "; 
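Review bot: The skip relies on `isset($rule['disabled'])`, while the edit page (hunk at -268,7) stores the flag as `$filterent['disabled'] = $_POST['disabled'] ? true : false;`, and `isset()` is true for a stored `false`, so a rule saved with the box unchecked would be skipped unless the config writer drops false-valued entries. The existing `frags` flag is stored and read the same way, so the round trip presumably takes care of it, but that is an invisible dependency for a flag that decides whether a rule is enforced; storing the key only when the box is checked, `if ($_POST['disabled']) $filterent['disabled'] = true;`, makes the skip hold regardless of how `false` is serialised. The enclosing function starts and ends outside the hunk.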
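Review bot: An unrecognised `type` value falls through to `pass`, so a typo or a hand-edited config silently produces a pass rule, and the edit page only checks that `type` is present (hunk at -185,8), not that it is `pass` or `block`. Keeping `pass` for the legacy case where the key is absent is right, but a present-yet-unknown value should fail closed: `$type = isset($rule['type']) ? strtolower($rule['type']) : "pass";` followed by `if ($type != "pass" && $type != "block") $type = "block";`. Reading `$rule['type']` without `isset()` also raises an undefined-index notice for every pre-upgrade rule. The enclosing function continues outside the hunk.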
@@ -625,7 +641,8 @@ } } - $line .= "keep state "; + if ($type!="block") + $line .= "keep state "; if (isset($rule['frags'])) $line .= "keep frags "; diff -aur mfsroot.orig/usr/local/www/firewall_rules.php mfsroot/usr/local/www/firewall_rules.php --- mfsroot.orig/usr/local/www/firewall_rules.php Sat Oct 11 13:46:37 2003 +++ mfsroot/usr/local/www/firewall_rules.php Fri Oct 31 09:05:15 2003 @@ -88,11 +88,11 @@ <?php if ($filterent['interface'] != $lastif): ?> <?php if ($i): ?> <tr> - <td colspan="8" class="list" height="12"></td> + <td colspan="10" class="list" height="12"></td> </tr> <?php endif; ?> <tr> - <td colspan="7" class="listtopic"><?php + <td colspan="9" class="listtopic"><?php $iflabels = array('lan' => 'LAN interface', 'wan' => 'WAN interface', 'pptp' => 'PPTP clients'); for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) $iflabels['opt' . $j] = $config['interfaces']['opt' . $j]['descr'] . " interface"; 
@@ -100,18 +100,26 @@ <td class="list"></td> </tr> <tr> - <td width="10%" class="listhdrr">Proto</td> - <td width="15%" class="listhdrr">Source</td> + <td width="3%" class="listhdrr">Seq</td> + <td width="3%" class="listhdrr">Type</td> + <td width="9%" class="listhdrr">Proto</td> + <td width="14%" class="listhdrr">Source</td> <td width="10%" class="listhdrr">Port</td> - <td width="15%" class="listhdrr">Destination</td> + <td width="14%" class="listhdrr">Destination</td> <td width="10%" class="listhdrr">Port</td> - <td width="5%" class="listhdrrns">Frag</td> + <td width="3%" class="listhdrrns">Flags</td> <td width="25%" class="listhdr">Description</td> - <td width="10%" class="list"></td> + <td width="9%" class="list"></td> </tr> <?php $lastif = $filterent['interface']; endif; ?> <tr valign="top"> <td class="listlr"> + <?php if (isset($filterent['sequence']) && $filterent['sequence']!="") echo $filterent['sequence']; else echo "0";?> + </td> + <td class="listr"> + <?php if (isset($filterent['type'])) echo strtoupper($filterent['type']); else echo "PASS";?> + </td> + <td class="listr"> <?php if (isset($filterent['protocol'])) echo strtoupper($filterent['protocol']); else echo "*"; ?> </td> <td class="listr"> @@ -127,7 +135,12 @@ <?php echo htmlspecialchars(pprint_port($filterent['destination']['port'])); ?> </td> <td class="listr"> - <?php if (isset($filterent['frags'])) echo "Y"; else echo " ";?> + <?php + $t = false; + if (isset($filterent['disabled'])) {echo "D";$t=true;} + if (isset($filterent['frags'])) {echo "F"; $t=true;} + if (isset($filterent['log'])) {echo "L"; $t=true;} + if (!$t) echo " "; ?> </td> <td class="listbg"> <?=htmlspecialchars($filterent['descr']);?> 
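Review bot: The two new cells echo `$filterent['sequence']` and `strtoupper($filterent['type'])` unescaped, whereas the neighbouring `descr` cell goes through `htmlspecialchars()`; both values are stored verbatim from `$_POST` (hunk at -253,6), so whatever was typed into the edit form lands in this page's markup as-is. Use `echo htmlspecialchars($filterent['sequence']);` and `echo htmlspecialchars(strtoupper($filterent['type']));` here, and validate the values on save as well.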
@@ -137,7 +150,9 @@ </tr> <?php $i++; endforeach; ?> <tr> - <td class="list" colspan="7"></td> + <td class="list" colspan="9"> + Flags: D=Disabled, F=Fragments, L=Log + </td> <td class="list"> <a href="firewall_rules_edit.php"><img src="plus.gif" width="17" height="17" border="0"></a></td> </tr> </table> diff -aur mfsroot.orig/usr/local/www/firewall_rules_edit.php mfsroot/usr/local/www/firewall_rules_edit.php --- mfsroot.orig/usr/local/www/firewall_rules_edit.php Sat Oct 11 13:46:37 2003 +++ mfsroot/usr/local/www/firewall_rules_edit.php Fri Oct 31 07:45:47 2003 @@ -104,6 +104,17 @@ } if (isset($id) && $a_filter[$id]) { + /* When upgrading from a previous config, set seq=0 for all rules */ + if (!isset($a_filter[$id]['sequence']) || $a_filter[$id]['sequence']=="") + $pconfig['sequence'] = "0"; + else + $pconfig['sequence'] = $a_filter[$id]['sequence']; + + if (!isset($a_filter[$id]['sequence']) || $a_filter[$id]['sequence']=="") + $pconfig['type'] = "pass"; + else + $pconfig['type'] = $a_filter[$id]['type']; + $pconfig['interface'] = $a_filter[$id]['interface']; if (isset($a_filter[$id]['protocol'])) @@ -119,13 +130,18 @@ $pconfig['dstmask'], $pconfig['dstnot'], $pconfig['dstbeginport'], $pconfig['dstendport']); + $pconfig['disabled'] = isset($a_filter[$id]['disabled']); $pconfig['frags'] = isset($a_filter[$id]['frags']); + $pconfig['log'] = isset($a_filter[$id]['log']); $pconfig['descr'] = $a_filter[$id]['descr']; } else { /* defaults */ + $pconfig['sequence'] = "0"; + $pconfig['type'] = "PASS"; $pconfig['src'] = "any"; $pconfig['dst'] = "any"; + $pconfig['disabled'] = false; } if ($_POST) { 
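Review bot: The second added condition tests `sequence` where it should test `type`, so a rule that has a sequence but no `type` key reads an undefined index and leaves `$pconfig['type']` empty instead of defaulting to `pass`; change it to `if (!isset($a_filter[$id]['type']) || $a_filter[$id]['type']=="")`. The comment above the first block explains the sequence fallback; the type fallback deserves its own, e.g. `/* rules saved before the type field existed are pass rules */`.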
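Review bot: The defaults branch sets `$pconfig['type'] = "PASS"` in upper case while the load path in the previous hunk uses `"pass"` and the stored values are lower-case; the select in the form compares with `strtolower()` on both sides so it happens to work, but one spelling (`"pass"`) avoids a future mismatch. The branch also initialises `disabled` but not the new `log` flag, so the log checkbox reads an unset `$pconfig['log']` on a new rule; add `$pconfig['log'] = false;` next to it. The enclosing `if`/`else` begins outside the hunk.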
@@ -185,8 +201,8 @@ $pconfig = $_POST; /* input validation */ - $reqdfields = explode(" ", "interface proto src dst"); - $reqdfieldsn = explode(",", "Interface,Protocol,Source,Destination"); + $reqdfields = explode(" ", "type interface proto src dst"); + $reqdfieldsn = explode(",", "Type,Interface,Protocol,Source,Destination"); if (!(is_specialnet($_POST['srctype']) || ($_POST['srctype'] == "single"))) { $reqdfields[] = "srcmask"; @@ -253,6 +269,8 @@ if (!$input_errors) { $filterent = array(); + $filterent['sequence'] = $_POST['sequence']; + $filterent['type'] = $_POST['type']; $filterent['interface'] = $_POST['interface']; if ($_POST['proto'] != "any") @@ -268,7 +286,9 @@ $_POST['dstmask'], $_POST['dstnot'], $_POST['dstbeginport'], $_POST['dstendport']); + $filterent['disabled'] = $_POST['disabled'] ? true : false; $filterent['frags'] = $_POST['frags'] ? true : false; + $filterent['log'] = $_POST['log'] ? true : false; $filterent['descr'] = $_POST['descr']; if (isset($id) && $a_filter[$id]) 
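Review bot: Adding `type` to `$reqdfields` only checks that the field is non-empty; the values stored a few lines later (hunk at -253,6) are taken from `$_POST['type']` and `$_POST['sequence']` verbatim, so any string becomes a rule type (which filter.inc then treats as pass) and any string becomes a sequence. Add to the validation here `if (!in_array(strtolower($_POST['type']), array("pass", "block"))) $input_errors[] = "Rule type must be PASS or BLOCK.";` and `if ($_POST['sequence'] != "" && !is_numeric($_POST['sequence'])) $input_errors[] = "Sequence must be a number.";`, and store `(int)$_POST['sequence']` rather than the raw string. The validation block continues outside the hunk.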
@@ -397,6 +417,27 @@ <?php if ($savemsg) echo htmlspecialchars($savemsg); ?> <form action="firewall_rules_edit.php" method="post" name="iform" id="iform"> <table width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td valign="top" class="vncellreq">Sequence</td> + <td class="vtable"> <input name="sequence" type="text" class="formfld" id="sequence" size="5" value="<?=htmlspecialchars($pconfig['sequence']);?>"> + <br> <span class="vexpl">Change this value to change the + position of this rule relative to the other rules on + the same interface.</span></td> + </tr> + <tr> + <td valign="top" class="vncellreq">Rule Type</td> + <td class="vtable"><select name="type" class="formfld"> + <?php $types = explode(" ", "PASS BLOCK"); foreach ($types as $type): ?> + <option value="<?=strtolower($type);?>" <?php if (strtolower($type) == strtolower($pconfig['type'])) echo "selected"; if ($type=="PASS") echo " default"; ?>> + <?=htmlspecialchars($type);?> + </option> + <?php endforeach; ?> + </select> <br> + <span class="vexpl">Select PASS to pass data for the + criteria specified below; select BLOCK to block data + for the criteria specified below.<br> + </span></td> + </tr> <tr> <td valign="top" class="vncellreq">Interface</td> <td class="vtable"><select name="interface" class="formfld"> 
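Review bot: The option loop echoes a bare `default` attribute for the PASS entry, which is not an attribute of `<option>` and does nothing; the `selected` test already picks PASS on a new rule because the defaults branch initialises `$pconfig['type']`. Drop `if ($type=="PASS") echo " default";` and keep only the `selected` check. Both new rows use the `vncellreq` (required) cell class, but only `type` is added to the required-field list in this patch, so either add `sequence` there or mark the row as optional to match how the rules page shows an empty sequence as 0.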
@@ -582,6 +623,15 @@ the destination of the packet for this rule.<br> Hint: you can leave the <em>'to'</em> field empty if you only want to filter a single port</span></td> + </tr> + <tr> + <td valign="top" class="vncellreq">Disabled</td> + <td class="vtable"><input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked"; ?>> + <strong>Disabled</strong><br> + Set this option to disable this rule without removing it + from the list.<br> + </td> + </tr> <tr> <td width="100" valign="top" class="vncellreq">Fragments</td> <td class="vtable"> <input name="frags" type="checkbox" id="frags" value="yes" <?php if ($pconfig['frags']) echo "checked"; ?>> @@ -591,6 +641,17 @@ DoS attacks. In most cases, it is not needed. Try enabling it if you have troubles<br> connecting to certain sites.</span></td> + </tr> + <tr> + <td width="100" valign="top" class="vncellreq">Log</td> + <td class="vtable"> <input name="log" type="checkbox" id="log" value="yes" <?php if ($pconfig['log']) echo "checked"; ?>> + <strong>Log packets that are handled by this rule.</strong><br> + <span class="vexpl">Hint: the firewall has limited local + log space. Don't turn on logging for everything.<br> + If you want to do a lot of logging, consider using + syslog to log to a remote machine (see the + Diagnostics:System logs:Settings page). + </span></td> </tr> <tr> <td valign="top" class="vncellreq">Description</td> diff -aur mfsroot.orig/usr/local/www/guiconfig.inc mfsroot/usr/local/www/guiconfig.inc --- mfsroot.orig/usr/local/www/guiconfig.inc Sat Oct 11 13:46:37 2003 +++ mfsroot/usr/local/www/guiconfig.inc Thu Oct 30 11:28:42 2003 @@ -212,6 +212,7 @@ function filtercmp($a, $b) { if ($a['interface'] == $b['interface']) { + if ((int)$a['sequence'] == (int)$b['sequence']) { if ($a['protocol'] == $b['protocol']) { if ($a['destination']['port'] == $b['destination']['port']) { return 0; 
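Review bot: `(int)$a['sequence']` reads the key without `isset()`, so rules saved before this patch raise undefined-index notices in the comparator on every sort (the cast to 0 is the intended fallback, the notice is not); read both values once up front, `$sa = isset($a['sequence']) ? (int)$a['sequence'] : 0;` and likewise `$sb`, and use them in the equality test here and in the subtraction in the next hunk. Separately, filter.inc (first hunk) walks `$config['filter']['rule']` in stored order; unless the rule array is re-sorted with this comparator before `write_config()`, which is not visible in this patch, the order shown on the rules page and the order the filter evaluates could differ, which would be misleading for block rules placed before pass rules by sequence. `filtercmp` continues outside the hunk.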
@@ -221,6 +222,9 @@ } else { return strcmp($a['protocol'], $b['protocol']); } + } else { + return (int)$a['sequence'] - (int)$b['sequence']; + } } else { return -strcmp($a['interface'], $b['interface']); } |