author | bmeeks8 <bmeeks8@bellsouth.net> | 2014-08-27 18:15:44 -0400 |
committer | bmeeks8 <bmeeks8@bellsouth.net> | 2014-08-27 18:15:44 -0400 |
commit | ce07b15de33b4847df5498f9bbae93e2b1e893ca (patch) | |
tree | 9d78a73c101f5b8d0fde9535c314e2fa64e14211 | |
parent | 0d2f8f00a6a442f5672e5fe8f62a1f4d21da6a9b (diff) | |
Improve HOME_NET and EXTERNAL_NET variable generation.
-rw-r--r-- | config/suricata/suricata.inc | 36 | ||||
-rw-r--r-- | config/suricata/suricata_generate_yaml.php | 6 | ||||
-rw-r--r-- | config/suricata/suricata_interfaces_edit.php | 6 | ||||
-rw-r--r-- | config/suricata/suricata_list_view.php | 5 |
4 files changed, 34 insertions, 19 deletions
diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc
index 2626f70a..59c620b4 100644
--- a/config/suricata/suricata.inc
+++ b/config/suricata/suricata.inc
@@ -257,7 +257,7 @@ function suricata_find_list($find_name, $type = 'passlist') {
 return array();
 }
-function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
+function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $externallist = false) {
 /***********************************************************/
 /* The default is to build a HOME_NET variable unless */
@@ -267,9 +267,13 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
 global $config, $g, $aliastable, $filterdns;
 $home_net = array();
- if ($listname == 'default' || empty($listname)) {
+ if (!$externallist && ($listname == 'default' || empty($listname))) {
 $localnet = 'yes'; $wanip = 'yes'; $wangw = 'yes'; $wandns = 'yes'; $vips = 'yes'; $vpns = 'yes';
- } else {
+ }
+ elseif ($externallist && $listname == 'default') {
+ return array( "any" );
+ }
+ else {
 $list = suricata_find_list($listname);
 if (empty($list)) return $list;
@@ -283,11 +287,13 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
 $home_net = explode(" ", trim(filter_expand_alias($list['address'])));
 }
- // Always add loopback to HOME_NET and passlist (ftphelper)
- if (!in_array("127.0.0.1", $home_net))
- $home_net[] = "127.0.0.1";
- if (!in_array("::1", $home_net))
- $home_net[] = "::1";
+ // Always add loopback to HOME_NET and passlist
+ if (!externallist) {
+ if (!in_array("127.0.0.1", $home_net))
+ $home_net[] = "127.0.0.1";
+ if (!in_array("::1", $home_net))
+ $home_net[] = "::1";
+ }
 /********************************************************************/
 /* Always put the interface running Suricata in HOME_NET and */
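Review bot: Six of the new conditions test a bare `externallist` instead of `$externallist` — `if (!externallist) {` in the loopback block of this hunk, and `!externallist` inside the combined `if`/`elseif` conditions of the -298, -308, -319, -329 and -346 hunks that follow. PHP 5/7 evaluate an undefined constant as the string "externallist" (truthy, with a notice), so `!externallist` is always false: the loopback addresses are never appended, and for the ordinary HOME_NET/passlist build (`$externallist` false) both the `if` and the `elseif` that add the Suricata interface's own address and subnet are skipped, dropping the firewall's own IPs from HOME_NET and from the pass list despite the comment about preventing lock-out; on PHP 8 the same expression throws an undefined-constant Error. Replace each occurrence with the variable, e.g. `if (!$externallist) {` and `elseif (!$externallist && $localnet != 'yes') {`. suricata_build_list continues past the end of these hunks.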
@@ -298,7 +304,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
 /* IP for Suricata, though, to prevent locking out the firewall. */
 /********************************************************************/
 $suricataip = get_interface_ip($suricatacfg['interface']);
- if (!$passlist || $localnet == 'yes' || empty($localnet)) {
+ if (($externallist && $localnet == 'yes') || (!externallist && (!$passlist || $localnet == 'yes' || empty($localnet)))) {
 if (is_ipaddr($suricataip)) {
 if ($suricatacfg['interface'] <> "wan") {
 $sn = get_interface_subnet($suricatacfg['interface']);
@@ -308,7 +314,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
 }
 }
 }
- else {
+ elseif (!externallist && $localnet != 'yes') {
 if (is_ipaddr($suricataip)) {
 if (!in_array($suricataip, $home_net)) $home_net[] = $suricataip;
@@ -319,7 +325,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
 // Trim off the interface designation (e.g., %em1) if present
 if (strpos($suricataip, "%") !== FALSE) $suricataip = substr($suricataip, 0, strpos($suricataip, "%"));
- if (!$passlist || $localnet == 'yes' || empty($localnet)) {
+ if (($externallist && $localnet == 'yes') || (!externallist && (!$passlist || $localnet == 'yes' || empty($localnet)))) {
 if (is_ipaddrv6($suricataip)) {
 if ($suricatacfg['interface'] <> "wan") {
 $sn = get_interface_subnetv6($suricatacfg['interface']);
@@ -329,16 +335,16 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
 }
 }
 }
- else {
+ elseif (!externallist && $localnet != 'yes') {
 if (is_ipaddrv6($suricataip)) {
 if (!in_array($suricataip, $home_net)) $home_net[] = $suricataip;
 }
 }
- // Add link-local address
+ // Add link-local address if user included locally-attached networks
 $suricataip = get_interface_linklocal($suricatacfg['interface']);
- if (!empty($suricataip)) {
+ if (!empty($suricataip) && $localnet == 'yes') {
 // Trim off the interface designation (e.g., %em1) if present
 if (strpos($suricataip, "%") !== FALSE) $suricataip = substr($suricataip, 0, strpos($suricataip, "%"));
@@ -346,7 +352,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
 $home_net[] = $suricataip;
 }
- if (!$passlist || $localnet == 'yes' || empty($localnet)) {
+ if (($externallist && $localnet == 'yes') || (!externallist && (!$passlist || $localnet == 'yes' || empty($localnet)))) {
 /*************************************************************************/
 /* Iterate through the interface list and write out pass list items and */
 /* also compile a HOME_NET list of all local interfaces for suricata. */
diff --git a/config/suricata/suricata_generate_yaml.php b/config/suricata/suricata_generate_yaml.php
index 91dc06a5..05d6dea8 100644
--- a/config/suricata/suricata_generate_yaml.php
+++ b/config/suricata/suricata_generate_yaml.php
@@ -68,11 +68,11 @@ foreach ($suricata_files as $file) {
 $home_net_list = suricata_build_list($suricatacfg, $suricatacfg['homelistname']);
 $home_net = implode(",", $home_net_list);
 $home_net = trim($home_net);
-$external_net = '!$HOME_NET';
+$external_net = 'any';
 if (!empty($suricatacfg['externallistname']) && $suricatacfg['externallistname'] != 'default') {
- $external_net_list = suricata_build_list($suricatacfg, $suricatacfg['externallistname']);
+ $external_net_list = suricata_build_list($suricatacfg, $suricatacfg['externallistname'], false, true);
 $external_net = implode(",", $external_net_list);
- $external_net = trim($external_net);
+ $external_net = '[' . trim($external_net) . ']';
 }
 // Set the PASS LIST and write its contents to disk
diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php
index 1bef338a..55c97efc 100644
--- a/config/suricata/suricata_interfaces_edit.php
+++ b/config/suricata/suricata_interfaces_edit.php
@@ -937,7 +937,11 @@ if ($savemsg) {
 }
 }
 ?>
- </select>
+ </select>
+ <input type="button" class="formbtns" value="View List"
+ onclick="viewList('<?=$id;?>','externallistname','externalnet')" id="btnExternalNet"
+ title="<?php echo gettext("Click to view currently selected External Net contents"); ?>"/>
+ <br/>
 <?php echo gettext("Choose the External Net you want this interface " . "to use."); ?> <br/><br/>
 <span class="red"><?php echo gettext("Note:"); ?></span> <?php echo gettext("Default " .
diff --git a/config/suricata/suricata_list_view.php b/config/suricata/suricata_list_view.php
index 722bf47a..dc5a2b04 100644
--- a/config/suricata/suricata_list_view.php
+++ b/config/suricata/suricata_list_view.php
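Review bot: When the configured external list cannot be found, `suricata_build_list` returns the empty array it got from `suricata_find_list` (the `if (empty($list)) return $list;` line in the suricata.inc hunk), and the new bracket wrapping then writes EXTERNAL_NET as the literal `[]` instead of the `'any'` default assigned just above it. Guard the empty case so the fallback survives, e.g. `$external_net = empty($external_net_list) ? 'any' : '[' . trim(implode(",", $external_net_list)) . ']';`. Whether Suricata tolerates an empty EXTERNAL_NET is not visible here, but a silently empty variable would likely leave every rule scoped to $EXTERNAL_NET matching nothing, which is a detection gap rather than a visible failure.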
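Review bot: The new button interpolates `$id` unescaped into a JavaScript string inside an `onclick` attribute, `viewList('<?=$id;?>','externallistname','externalnet')`; unless `$id` is already coerced to an integer earlier in this file, a non-numeric `id` request value is emitted into the page verbatim. Since it is a row index, `'<?=(int)$id;?>'` is the simplest hardening, and if the other View List buttons in the file follow the same pattern they should be treated the same way. The surrounding form markup starts and ends outside this hunk.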
@@ -58,6 +58,11 @@ if (isset($id) && isset($wlist)) {
 $contents = str_replace("\r", "", base64_decode($list['suppresspassthru']));
 $title = "Suppress List";
 }
+ elseif ($type == "externalnet") {
+ $list = suricata_build_list($a_rule, $wlist, false, true);
+ $contents = implode("\n", $list);
+ $title = "EXTERNAL_NET";
+ }
 else $contents = gettext("\n\nERROR -- Requested List Type entity is not valid!");
 } |
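Review bot: The call `suricata_build_list($a_rule, $wlist, false, true)` passes two positional booleans whose meaning (`$passlist = false`, `$externallist = true`) is only recoverable from the function signature in suricata.inc, and the same call shape appears in suricata_generate_yaml.php. A short trailing comment on both call sites, such as `// passlist = false, externallist = true`, would make the intent obvious to the next reader. `$a_rule`, `$wlist` and `$type` are presumably set before this hunk, and the enclosing `if (isset($id) && isset($wlist))` block starts outside it.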