authorRajkumar S <raj@pfsense.org>2006-06-16 16:07:43 +0000
committerRajkumar S <raj@pfsense.org>2006-06-16 16:07:43 +0000
commit08cb1970c5e44cc203439521fe231d8540ad8b8a (patch)
tree4ec09383a40912431583365d5a457b5cb79efed4
parent87ab2f973453f53aa972e366995d0909bf77f638 (diff)
Added maxdownloadsize, trickling and maxscansize options; added transparent-proxy exclude functionality; updated HAVP to new version; bumped package version
-rw-r--r--packages/havp.inc65
-rw-r--r--packages/havp.sh20
-rw-r--r--packages/havp.xml36
-rw-r--r--packages/havp_blacklist.xml4
-rw-r--r--packages/havp_startup.inc11
-rw-r--r--packages/havp_trans_exclude.xml71
-rw-r--r--packages/havp_whitelist.xml4
7 files changed, 199 insertions, 12 deletions
diff --git a/packages/havp.inc b/packages/havp.inc
index ce4e8e88..a7ddc37f 100644
--- a/packages/havp.inc
+++ b/packages/havp.inc
@@ -9,6 +9,7 @@ require_once('pfsense-utils.inc');
part of the HAVP package for pfSense
Copyright (C) 2006 Rajkumar S <raj@linuxense.com>
All rights reserved.
+ $Id$
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
@@ -58,21 +59,18 @@ function sync_package_havp() {
if ($tmp['maxservers'] != "") fwrite($fd,"MAXSERVERS " . $tmp['maxservers'] . "\n");
if ($tmp['port'] != "") fwrite($fd,"PORT " . $tmp['port'] . "\n");
if ($tmp['source_address'] != "") fwrite($fd,"SOURCE_ADDRESS " . $tmp['source_address'] . " \n");
- if ($tmp['dbreload'] != "") fwrite($fd,"DBRELOAD" . $tmp['dbreload'] . " \n");
- if ($tmp['parentproxy'] != "") fwrite($fd,"PARENTPROXY" . $tmp['parentproxy'] . " \n");
- if ($tmp['parentport'] != "") fwrite($fd,"PARENTPORT" . $tmp['parentport'] . " \n");
+ if ($tmp['dbreload'] != "") fwrite($fd,"DBRELOAD " . $tmp['dbreload'] . " \n");
+ if ($tmp['parentproxy'] != "") fwrite($fd,"PARENTPROXY " . $tmp['parentproxy'] . " \n");
+ if ($tmp['parentport'] != "") fwrite($fd,"PARENTPORT " . $tmp['parentport'] . " \n");
+ if ($tmp['maxscansize'] != "") fwrite($fd,"MAXSCANSIZE " . $tmp['maxscansize'] . " \n");
+ if ($tmp['trickling'] != "") fwrite($fd,"TRICKLING " . $tmp['trickling'] . " \n");
+ if ($tmp['maxdownloadsize'] != "") fwrite($fd,"MAXDOWNLOADSIZE " . $tmp['maxdownloadsize'] . " \n");
/* If Transparent then, don't bother with bind address */
if ($tmp['transparent'] == "on"){
fwrite($fd,"TRANSPARENT true\n");
fwrite($fd,"BIND_ADDRESS 127.0.0.1\n");
- $trans_file = fopen("/tmp/havp_pf.rules","w");
- fwrite($trans_file, "rdr on " . $config['interfaces']['lan']['if'] . " inet proto tcp from any to ! " . $config['interfaces']['lan']['ipaddr'] . " port = http -> 127.0.0.1 port 8080 \n");
- fclose($trans_file);
- $havp_pf_result = mwexec ("pfctl -a rdr-package/havp -f /tmp/havp_pf.rules");
- if($havp_pf_result <> 0) {
- file_notice("HAVP", "There were error(s) loading the transparency rules", "HAVP", "");
- }
+ setup_transparency();
}
else {
fwrite($fd,"TRANSPARENT false\n");
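Review bot: The three new options on L44-L46 (maxscansize, trickling, maxdownloadsize) are written into havp.config exactly as typed in the form, with only an empty-string test, so a stray letter, a unit suffix like "10mb" or a negative number produces a config line HAVP may reject at its next restart with no feedback in the GUI. Gate each write on a numeric check and raise a notice otherwise, e.g. `if ($tmp['maxscansize'] != "" && !is_numeric($tmp['maxscansize'])) file_notice("HAVP", "MAXSCANSIZE must be a number of bytes", "HAVP", "");` ahead of the existing fwrite, or factor the three (and the pre-existing port/parentport lines, which this commit does not touch) through one small helper that validates and writes. sync_package_havp() begins above this hunk, so the file handle's opening and closing are not visible here.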
@@ -82,6 +80,7 @@ function sync_package_havp() {
fwrite($fd,"BIND_ADDRESS " . $config['interfaces']['lan']['ipaddr'] . " \n");
}
$havp_pf_result = mwexec ("pfctl -a rdr-package/havp -F nat");
+ $havp_pf_result = mwexec ("pfctl -t havp -T kill");
if($havp_pf_result <> 0) {
file_notice("HAVP", "There were error(s) clearing the transparency rules", "HAVP", "");
}
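Review bot: The added `pfctl -t havp -T kill` on L66 overwrites `$havp_pf_result` from the nat flush on L65, so a failed flush is never reported, and it addresses the table without the `-a "rdr-package/havp"` anchor under which the table is declared and manipulated everywhere else in this file (`table <havp> persist` in the rule file and the `-T flush`/`-T add` calls in add_trans_table), so it most likely targets a non-existent main-ruleset table and fails every time. Suggest `$havp_pf_result = mwexec("pfctl -a rdr-package/havp -F nat"); $havp_pf_result |= mwexec('pfctl -a "rdr-package/havp" -t havp -T kill');` so both errors surface through the existing notice and the right table is removed. The enclosing else-branch and sync_package_havp() begin above this hunk.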
@@ -169,4 +168,50 @@ function sync_package_havp_blacklist() {
conf_mount_ro();
config_unlock();
}
+
+function add_trans_table(){
+ global $config;
+ conf_mount_rw();
+ config_lock();
+
+ # Flush all entries first, and then add them.
+ $havp_pf_result = mwexec ('pfctl -a "rdr-package/havp" -t havp -T flush');
+ if($havp_pf_result <> 0) {
+ file_notice("HAVP", "There were error(s) flushing the exclude table", "HAVP", "");
+ }
+ if($config['installedpackages']['havptransexclude']['config'] != ""){
+ foreach($config['installedpackages']['havptransexclude']['config'] as $tmp) {
+ $havp_pf_result = mwexec ('pfctl -a "rdr-package/havp" -t havp -T add ' . $tmp['ip']);
+ if($havp_pf_result <> 0) {
+ file_notice("HAVP", "There were error(s) adding the ip " . $tmp['ip'], "HAVP", "");
+ }
+ }
+ }
+ /* signal a reload of all files */
+ conf_mount_ro();
+ config_unlock();
+}
+
+function setup_transparency(){
+ global $config;
+ $trans_file = fopen("/tmp/havp_pf.rules","w");
+ fwrite($trans_file, "table <havp> persist\n");
+ fwrite($trans_file, "rdr on " . $config['interfaces']['lan']['if'] . " inet proto tcp from !<havp> to ! " . $config['interfaces']['lan']['ipaddr'] . " port = http -> 127.0.0.1 port 8080 \n");
+ fclose($trans_file);
+ $havp_pf_result = mwexec ('pfctl -a "rdr-package/havp" -f /tmp/havp_pf.rules');
+ if($havp_pf_result <> 0) {
+ file_notice("HAVP", "There were error(s) loading the transparency rules", "HAVP", "");
+ }
+ add_trans_table();
+}
+
+function transparency_init(){
+ global $config;
+ if($config['installedpackages']['havp']['config'] != "") {
+ if($config['installedpackages']['havp']['config'][0]['transparent'] == "on") {
+ setup_transparency();
+ }
+ }
+}
+
?>
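Review bot: add_trans_table() on L87 splices `$tmp['ip']` — a free-text field from havp_trans_exclude.xml that receives no validation — straight into a root shell command via mwexec, so an entry like `1.2.3.4; rm -rf /` executes as root, and a merely malformed one makes pfctl fail on every page load of the exclude tab. Validate each entry as an address or network and shell-quote it before use; the rewrite below assumes pfSense's is_ipaddr()/is_subnet() helpers are reachable through the existing requires (confirm for this release). Separately, setup_transparency() hard-codes `port 8080` in the rdr rule on L102 while the listening port is configurable via `$tmp['port']` in sync_package_havp(), so changing PORT silently breaks transparent mode, and the `fopen()` on L100 is never checked for failure.
```php
	foreach($config['installedpackages']['havptransexclude']['config'] as $tmp) {
		$ip = trim($tmp['ip']);
		/* Only an address or a network may reach pfctl: the form field is free text */
		if (!is_ipaddr($ip) && !is_subnet($ip)) {
			file_notice("HAVP", "Ignoring invalid exclude entry " . $ip, "HAVP", "");
			continue;
		}
		$havp_pf_result = mwexec('pfctl -a "rdr-package/havp" -t havp -T add ' . escapeshellarg($ip));
		// … unchanged: notice on non-zero result …
	}
```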
diff --git a/packages/havp.sh b/packages/havp.sh
index 5cc8c179..316fdcc1 100644
--- a/packages/havp.sh
+++ b/packages/havp.sh
@@ -1,14 +1,27 @@
#!/bin/sh
# HAVP Init script
# 6/23/06 - Gary Buckmaster
-
+# Modified by Rajkumar S.
+#
pidfile=/var/run/havp/havp.pid
+piddir=/var/run/havp/
+logdir=/var/log/havp/
required_dirs=/var/tmp/havp
required_files=/usr/local/etc/havp/havp.config
rc_start()
{
+ if [ ! -d $piddir ]
+ then
+ mkdir -p $piddir
+ chown havp:havp $piddir
+ fi
+ if [ ! -d $logdir ]
+ then
+ mkdir -p $logdir
+ chown havp:havp $logdir
+ fi
if [ ! -f $required_files ]
then
echo "FATAL: Missing HAVP config file: $required_files"
@@ -17,7 +30,8 @@ rc_start()
if [ ! -d $required_dirs ]
then
echo "FATAL: Missing HAVP working director: $required_dirs"
- return
+ mkdir -p $required_dirs
+ chown havp:havp $required_dirs
fi
if [ -f $pidfile ]
then
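Review bot: The `echo "FATAL: Missing HAVP working director: $required_dirs"` on L155 is now misleading, because the branch creates the directory and carries on instead of returning as it did before; reword it, e.g. `echo "Creating HAVP working directory: $required_dirs"`, and fix the "director" typo while there. Since `$required_dirs` lives under the world-writable /var/tmp, `mkdir -p` succeeds silently on a pre-existing entry and `chown` without `-h` follows a symlink planted there, so prefer `mkdir -m 0750 -p $required_dirs` plus `chown -h`, or refuse to continue when `[ -L $required_dirs ]`; on a pfSense box without unprivileged local users this is hardening rather than an immediate exposure. rc_start() begins above this hunk.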
@@ -28,6 +42,7 @@ rc_start()
echo "Starting HAVP Antivirus HTTP Proxy"
/usr/local/sbin/havp &
sleep 4
+ /usr/local/pkg/havp_startup.inc
if [ -f $pidfile ]
then
pid=$(sed 's/ //g' $pidfile)
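Review bot: `/usr/local/pkg/havp_startup.inc` on L166 runs before the script checks whether HAVP actually came up (the `if [ -f $pidfile ]` on L167), so when the daemon fails to start the transparency rdr rule is still installed and every LAN HTTP connection is redirected to 127.0.0.1:8080 with nothing listening. Move the call into the pidfile branch, after `pid=$(sed 's/ //g' $pidfile)`, and surface its exit status, e.g. `/usr/local/pkg/havp_startup.inc || echo "WARNING: HAVP transparency setup failed"`. A fixed `sleep 4` is also a guess at startup time; polling for the pidfile for a few seconds would be more robust. rc_start() and its else-branch continue outside this hunk.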
@@ -49,6 +64,7 @@ rc_stop()
else
echo "Stopping HAVP pid: $pid"
kill $pid
+ rm -f $required_dirs/*
fi
}
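Review bot: `rm -f $required_dirs/*` on L174 runs immediately after `kill $pid`, and kill only delivers the signal, so HAVP may still be writing scan temporaries that survive the wipe and anything it writes after the rm stays behind. Wait for the process to exit first, e.g. `while kill -0 $pid 2>/dev/null; do sleep 1; done` before the rm, and note the glob does not match dot-files. Clearing the scan directory on stop is sensible if, as the variable name suggests, it holds partially downloaded or blocked content; rc_stop() begins above this hunk.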
diff --git a/packages/havp.xml b/packages/havp.xml
index c024e369..64e13287 100644
--- a/packages/havp.xml
+++ b/packages/havp.xml
@@ -32,6 +32,10 @@
<text>Blacklist</text>
<url>/pkg.php?xml=havp_blacklist.xml</url>
</tab>
+ <tab>
+ <text>Exclude from Transparent Proxy</text>
+ <url>/pkg.php?xml=havp_trans_exclude.xml</url>
+ </tab>
</tabs>
<additional_files_needed>
@@ -52,6 +56,16 @@
<additional_files_needed>
<prefix>/usr/local/pkg/</prefix>
<chmod>0755</chmod>
+ <item>http://agni.linuxense.com/packages/config/havp_startup.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>http://agni.linuxense.com/packages/config/havp_trans_exclude.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
<item>http://agni.linuxense.com/packages/config/havp.sh</item>
</additional_files_needed>
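Review bot: havp_startup.inc, fetched on L195, is installed mode 0755 into /usr/local/pkg and is executed as root from havp.sh at every service start, yet like the existing havp.sh fetch on L205 it is pulled over plain http:// from agni.linuxense.com with no checksum or signature, so anyone who can tamper with that download path gets code execution as root on the firewall. The pre-existing fetches share the weakness; this commit widens it by adding a file that runs outside the GUI request path. Serve the files over https:// and, if this pfSense release's package installer supports it, pin a hash per item; at minimum document the trust assumption in the package XML.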
@@ -117,6 +131,7 @@
<fieldname>dbreload</fieldname>
<description>Specify here the number of minutes to wait for reloading. Default 60 Minutes.</description>
<type>input</type>
+ <default_value>60</default_value>
</field>
<field>
<fielddescr>Parent Proxy Host</fielddescr>
@@ -130,6 +145,27 @@
<description>Specify the parent proxy port</description>
<type>input</type>
</field>
+ <field>
+ <fielddescr>Max size of temporary files on disk</fielddescr>
+ <fieldname>maxscansize</fieldname>
+ <description>Temporary file will grow only up to this size. This means scanner will scan data until this limit is reached. The value is in BYTES, not kb or mb. 0 is Unlimited.</description>
+ <type>input</type>
+ <default_value>0</default_value>
+ </field>
+ <field>
+ <fielddescr>Trickling Time</fielddescr>
+ <fieldname>trickling</fieldname>
+ <description>After Trickling Time (seconds), some bytes are sent to browser to keep the connection alive. Trickling is not needed if timeouts are not expected. Default is 5 seconds. </description>
+ <type>input</type>
+ <default_value>5</default_value>
+ </field>
+ <field>
+ <fielddescr>Absolute Maximum Download Size</fielddescr>
+ <fieldname>maxdownloadsize</fieldname>
+ <description>Downloads larger than this will be blocked, Unless whitelisted. 0 is unlimited.</description>
+ <type>input</type>
+ <default_value>0</default_value>
+ </field>
</fields>
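Review bot: The three new fields are plain `input` types whose descriptions never say the value must be a non-negative integer, nor what a blank means — per havp.inc the option is simply omitted from havp.config when the field is empty, which is worth stating since it differs from the displayed default. Suggest appending to each description a sentence such as `Enter a whole number; leave blank to omit the option and use HAVP's built-in default.`, and for trickling note the unit in the field label as maxscansize does for bytes.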
<custom_php_install_command> havp_install_command(); </custom_php_install_command>
diff --git a/packages/havp_blacklist.xml b/packages/havp_blacklist.xml
index 38388628..51ac3fd2 100644
--- a/packages/havp_blacklist.xml
+++ b/packages/havp_blacklist.xml
@@ -25,6 +25,10 @@
<url>/pkg.php?xml=havp_blacklist.xml</url>
<active/>
</tab>
+ <tab>
+ <text>Exclude from Transparent Proxy</text>
+ <url>/pkg.php?xml=havp_trans_exclude.xml</url>
+ </tab>
</tabs>
<additional_files_needed>
diff --git a/packages/havp_startup.inc b/packages/havp_startup.inc
new file mode 100644
index 00000000..fe5cec2c
--- /dev/null
+++ b/packages/havp_startup.inc
@@ -0,0 +1,11 @@
+#!/usr/local/bin/php
+<?php
+require_once('globals.inc');
+require_once('config.inc');
+require_once('service-utils.inc');
+require_once('pkg-utils.inc');
+require_once('pfsense-utils.inc');
+require_once('/usr/local/pkg/havp.inc');
+transparency_init();
+?>
+
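Review bot: The new script carries no header explaining what it is for or who runs it; a maintainer finding a .inc with a shebang in /usr/local/pkg will not guess that havp.sh executes it as root after starting the daemon. Add a comment block after `<?php` such as `/* Invoked by havp.sh rc_start: reinstalls the pf transparency rdr rule and the <havp> exclude table from the saved config (see transparency_init() in havp.inc). */`. The blank line after `?>` is emitted to stdout on every run; dropping the closing tag avoids that, and the script appears to always exit 0 regardless of pfctl failures, which havp.sh cannot then detect.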
diff --git a/packages/havp_trans_exclude.xml b/packages/havp_trans_exclude.xml
new file mode 100644
index 00000000..473d6e55
--- /dev/null
+++ b/packages/havp_trans_exclude.xml
@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<packagegui>
+ <name>havp_trans_exclude</name>
+ <version>0.1.0</version>
+ <title>HAVP: Exclude from Transparent Proxy</title>
+ <include_file>/usr/local/pkg/havp.inc</include_file>
+
+ <menu>
+ <name>Transparency Exclude</name>
+ <tooltiptext></tooltiptext>
+ <section>Services</section>
+ <configfile>havp.xml</configfile>
+ </menu>
+ <tabs>
+ <tab>
+ <text>Settings</text>
+ <url>/pkg_edit.php?xml=havp.xml&amp;act=edit&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Whitelist</text>
+ <url>/pkg.php?xml=havp_whitelist.xml</url>
+ </tab>
+ <tab>
+ <text>Blacklist</text>
+ <url>/pkg.php?xml=havp_blacklist.xml</url>
+ </tab>
+ <tab>
+ <text>Exclude from Transparent Proxy</text>
+ <url>/pkg.php?xml=havp_trans_exclude.xml</url>
+ <active/>
+ </tab>
+ </tabs>
+
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>http://agni.linuxense.com/packages/config/havp.inc</item>
+ </additional_files_needed>
+
+ <configpath>['installedpackages']['havptransexclude']['config']</configpath>
+
+ <adddeleteeditpagefields>
+ <columnitem>
+ <fielddescr>Exempted IP</fielddescr>
+ <fieldname>ip</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Description</fielddescr>
+ <fieldname>description</fieldname>
+ </columnitem>
+ </adddeleteeditpagefields>
+
+ <fields>
+ <field>
+ <fielddescr>Exempted IP</fielddescr>
+ <fieldname>ip</fieldname>
+ <description>Enter the IP to exempt from transparent proxy</description>
+ <type>input</type>
+ </field>
+ <field>
+ <fielddescr>Description</fielddescr>
+ <fieldname>description</fieldname>
+ <description>Enter the description for this item</description>
+ <type>input</type>
+ </field>
+ </fields>
+
+ <custom_php_command_before_form>add_trans_table();</custom_php_command_before_form>
+ <custom_delete_php_command>add_trans_table();</custom_delete_php_command>
+ <custom_php_resync_config_command>add_trans_table();</custom_php_resync_config_command>
+</packagegui>
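Review bot: The `ip` field on L332-L337 is a plain `input` with no validation, yet add_trans_table() in havp.inc passes it verbatim to `pfctl -T add`, so the form accepts anything including shell metacharacters. If this pfSense release's pkg_edit.php honours `<custom_php_validation_command>`, add one that rejects entries that are not an address or network, and state what is accepted in the description, e.g. `Enter the IP address or network (CIDR) to exempt from the transparent proxy`. Also `<custom_php_command_before_form>add_trans_table();</custom_php_command_before_form>` on L346 flushes and rebuilds the live pf table every time the page is merely viewed, momentarily dropping every exclusion; the delete and resync hooks on L347-L348 already cover the cases where the list actually changes.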
diff --git a/packages/havp_whitelist.xml b/packages/havp_whitelist.xml
index 429d957e..f7b394ff 100644
--- a/packages/havp_whitelist.xml
+++ b/packages/havp_whitelist.xml
@@ -25,6 +25,10 @@
<text>Blacklist</text>
<url>/pkg.php?xml=havp_blacklist.xml</url>
</tab>
+ <tab>
+ <text>Exclude from Transparent Proxy</text>
+ <url>/pkg.php?xml=havp_trans_exclude.xml</url>
+ </tab>
</tabs>
<additional_files_needed>