Add DUP capability to create new Suricata instance based on existing one.

2 files changed, 90 insertions, 10 deletions

diff --git a/config/suricata/suricata_interfaces.php b/config/suricata/suricata_interfaces.php
index 26d57b71..205a872b 100644
--- a/config/suricata/suricata_interfaces.php
+++ b/config/suricata/suricata_interfaces.php
@@ -57,6 +57,10 @@ if (!is_array($config['installedpackages']['suricata']['rule']))
 $a_nat = &$config['installedpackages']['suricata']['rule'];
 $id_gen = count($config['installedpackages']['suricata']['rule']);
 
+// Get list of configured firewall interfaces
+$ifaces = get_configured_interface_list();
+
+
 if ($_POST['del_x']) {
 	/* delete selected interfaces */
 	if (is_array($_POST['rule'])) {
@@ -207,9 +211,22 @@ include_once("head.inc");
 			<th class="listhdrr"><?php echo gettext("Block"); ?></th>
 			<th class="listhdrr"><?php echo gettext("Barnyard2"); ?></th>
 			<th class="listhdr"><?php echo gettext("Description"); ?></th>
-			<th class="list"><a href="suricata_interfaces_edit.php?id=<?php echo $id_gen;?>">
-				<img src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif"
-				width="17" height="17" border="0" title="<?php echo gettext('Add Suricata interface mapping');?>"></a>
+			<th class="list">
+				<?php if ($id_gen < count($ifaces)): ?>
+					<a href="suricata_interfaces_edit.php?id=<?php echo $id_gen;?>">
+					<img src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif"
+					width="17" height="17" border="0" title="<?php echo gettext('Add Suricata interface mapping');?>"></a>
+				<?php else: ?>
+					<img src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus_d.gif" width="17" height="17" border="0" 
+					title="<?php echo gettext('No available interfaces for a new Suricata mapping');?>">
+				<?php endif; ?>
+				<?php if ($id_gen == 0): ?>
+					<img src="../themes/<?= $g['theme']; ?>/images/icons/icon_x_d.gif" width="17" height="17" " border="0">
+				<?php else: ?>
+					<input name="del" type="image" src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" 
+					width="17" height="17" title="<?php echo gettext("Delete selected Suricata interface mapping(s)"); ?>"
+					onclick="return intf_del()">
+				<?php endif; ?>
 			</th>
 		</tr>
 		</thead>
@@ -342,7 +359,15 @@ include_once("head.inc");
 			<td valign="middle" class="list" nowrap>
 				<a href="suricata_interfaces_edit.php?id=<?=$i;?>">
 				<img src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif"
-				width="17" height="17" border="0" title="<?php echo gettext('Edit Suricata interface mapping'); ?>"></a>
+				width="17" height="17" border="0" title="<?php echo gettext('Edit this Suricata interface mapping'); ?>"></a>
+				<?php if ($id_gen < count($ifaces)): ?>
+					<a href="suricata_interfaces_edit.php?id=<?=$i;?>&action=dup">
+					<img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif"
+					width="17" height="17" border="0" title="<?php echo gettext('Add new interface mapping based on this one'); ?>"></a>
+				<?php else: ?>
+					<img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus_d.gif" width="17" height="17" border="0" 
+					title="<?php echo gettext('No available interfaces for a new Suricata mapping');?>">
+				<?php endif; ?>
 			</td>	
 		</tr>
 		<?php $i++; $nnats++; endforeach; ob_end_flush(); ?>
@@ -354,8 +379,16 @@ include_once("head.inc");
 				<?php else: ?>&nbsp;
 				<?php endif; ?>					 
 			</td>
-			<td class="list" valign="middle" nowrap>
-				<?php if ($nnats == 0): ?>
+			<td class="list">
+				<?php if ($id_gen < count($ifaces)): ?>
+					<a href="suricata_interfaces_edit.php?id=<?php echo $id_gen;?>">
+					<img src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif"
+					width="17" height="17" border="0" title="<?php echo gettext('Add Suricata interface mapping');?>"></a>
+				<?php else: ?>
+					<img src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus_d.gif" width="17" height="17" border="0" 
+					title="<?php echo gettext('No available interfaces for a new Suricata mapping');?>">
+				<?php endif; ?>
+				<?php if ($id_gen == 0): ?>
 					<img src="../themes/<?= $g['theme']; ?>/images/icons/icon_x_d.gif" width="17" height="17" " border="0">
 				<?php else: ?>
 					<input name="del" type="image" src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" 
diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php
index 3b61755c..dcf6fe3f 100644
--- a/config/suricata/suricata_interfaces_edit.php
+++ b/config/suricata/suricata_interfaces_edit.php
@@ -62,6 +62,13 @@ elseif (isset($_GET['id']) && is_numericint($_GET['id']));
 if (is_null($id))
 	$id = 0;
 
+if (isset($_POST['action']))
+	$action = htmlspecialchars($_POST['action'], ENT_QUOTES | ENT_HTML401);
+elseif (isset($_GET['action']))
+	$action = htmlspecialchars($_GET['action'], ENT_QUOTES | ENT_HTML401);
+else
+	$action = "";
+
 $pconfig = array();
 if (empty($suricataglob['rule'][$id]['uuid'])) {
 	/* Adding new interface, so flag rules to build. */
@@ -142,7 +149,37 @@ if (empty($pconfig['max_pcap_log_size']))
 if (empty($pconfig['max_pcap_log_files']))
 	$pconfig['max_pcap_log_files'] = "1000";
 
-if ($_POST["save"]) {
+// See if creating a new interface by duplicating an existing one
+if (strcasecmp($action, 'dup') == 0) {
+
+	// Try to pick the next available physical interface to use
+	$ifaces = get_configured_interface_list();
+	$ifrules = array();
+	foreach($a_rule as $r)
+		$ifrules[] = $r['interface'];
+	foreach ($ifaces as $i) {
+		if (!in_array($i, $ifrules)) {
+			$pconfig['interface'] = $i;
+			$pconfig['enable'] = 'on';
+			$pconfig['descr'] = strtoupper($i);
+			$pconfig['inspect_recursion_limit'] = '3000';
+			break;
+		}
+	}
+	if (count($ifrules) == count($ifaces)) {
+		$input_errors[] = gettext("No more available interfaces to configure for Suricata!");
+		$interfaces = array();
+		$pconfig = array();
+	}
+
+	// Set Home Net, External Net, Suppress List and Pass List to defaults
+	unset($pconfig['suppresslistname']);
+	unset($pconfig['passlistname']);
+	unset($pconfig['homelistname']);
+	unset($pconfig['externallistname']);
+}
+
+if ($_POST["save"] && !$input_errors) {
 	// If the interface is not enabled, stop any running Suricata
 	// instance on it, save the new state and exit.
 	if (!isset($_POST['enable'])) {
@@ -237,7 +274,7 @@ if ($_POST["save"]) {
 		if ($_POST['configpassthru']) $natent['configpassthru'] = base64_encode($_POST['configpassthru']); else unset($natent['configpassthru']);
 
 		$if_real = get_real_interface($natent['interface']);
-		if (isset($id) && $a_rule[$id]) {
+		if (isset($id) && $a_rule[$id] && $action == '') {
 			// See if moving an existing Suricata instance to another physical interface
 			if ($natent['interface'] != $a_rule[$id]['interface']) {
 				$oif_real = get_real_interface($a_rule[$id]['interface']);
@@ -253,7 +290,15 @@ if ($_POST["save"]) {
 				conf_mount_ro();
 			}
 			$a_rule[$id] = $natent;
-		} else {
+		}
+		elseif (strcasecmp($action, 'dup') == 0) {
+			// Duplicating a new interface, so set flag to build new rules
+			$rebuild_rules = true;
+
+			// Add the new duplicated interface configuration to the [rule] array in config
+			$a_rule[] = $natent;
+		}
+		else {
 			// Adding new interface, so set interface configuration parameter defaults
 			$natent['ip_max_frags'] = "65535";
 			$natent['ip_frag_timeout'] = "60";
@@ -358,6 +403,9 @@ if ($savemsg) {
 ?>
 
 <form action="suricata_interfaces_edit.php<?php echo "?id=$id";?>" method="post" name="iform" id="iform">
+<input name="id" type="hidden" value="<?=$id;?>"/>
+<input name="action" type="hidden" value="<?=$action;?>"/>
+
 <table width="100%" border="0" cellpadding="0" cellspacing="0">
 <tr><td>
 <?php
@@ -773,7 +821,6 @@ if ($savemsg) {
 <tr>
 	<td colspan="2" align="center" valign="middle"><input name="save" type="submit" class="formbtn" value="Save" title="<?php echo 
 			gettext("Click to save settings and exit"); ?>"/>
-			<input name="id" type="hidden" value="<?=$id;?>"/>
 	</td>
 </tr>
 <tr>