authorPhil Davis <phil.davis@world.inf.org>2012-03-27 10:49:34 +0545
committerPhil Davis <phil.davis@world.inf.org>2012-03-27 10:49:34 +0545
commitc689ec91f56104ae70293f09b27420cfb8c22fd9 (patch)
tree3b0748a4975581c64b922173c3fb5e3bb4d59f02 /config/pf-blocker/pfblocker.inc
parenta9bf63038c3edf50c167294858f6676af0ed7c6a (diff)
Avoid getting pfBlocker rules duplicated on some interfaces if there are floating rules with interface="" mixed in the config filter rule list.
Diffstat (limited to 'config/pf-blocker/pfblocker.inc')
-rwxr-xr-xconfig/pf-blocker/pfblocker.inc10
1 files changed, 8 insertions, 2 deletions
diff --git a/config/pf-blocker/pfblocker.inc b/config/pf-blocker/pfblocker.inc
index 3358e07f..f41a5136 100755
--- a/config/pf-blocker/pfblocker.inc
+++ b/config/pf-blocker/pfblocker.inc
@@ -427,8 +427,14 @@ function sync_package_pfblocker() {
$last_iface="";
$rules=$config['filter']['rule'];
$new_rules=array();
+ # The assumption is that the rules in the config come in groups by interface then priority.
+ # e.g. all rules for WAN (highest priority first), then for LAN then for OPT1 etc.
+ # Note that floating rules (interface is "") can appear mixed in the list.
foreach ($rules as $rule){
- if ($rule['interface'] <> $last_iface){
+ # If this next rule is for a non-blank interface, different to the previous interface,
+ # then add any needed pfblocker rules to the interface. This puts pfblocker rules at the
+ # top of the list for each interface, after any built-in rules (e.g. anti-lockout)
+ if (($rule['interface'] != "") && ($rule['interface'] <> $last_iface)){
$last_iface = $rule['interface'];
#apply pfblocker rules if enabled
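Review bot: The new guard on the `if` line identifies floating rules only by an empty `interface` string, while the second hunk of this same commit identifies them by `$rule['floating']=="yes"`; the two tests should agree, otherwise a floating rule that carries a non-empty interface value (pfSense floating rules can, as far as I recall, hold a comma-separated interface list — please confirm against the config schema) would be treated as a new per-interface group and trigger pfBlocker rule generation for an interface name that does not exist. The comparison also relies on loose `!=`/`<>`, and `$rule['interface']` may be absent entirely on a floating rule, which would raise an undefined-index notice. I would write the guard as `$iface = isset($rule['interface']) ? $rule['interface'] : "";` followed by `if ($iface !== "" && $rule['floating'] !== "yes" && $iface !== $last_iface) {`. The `foreach` body and `sync_package_pfblocker()` continue past the end of this hunk.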
@@ -465,7 +471,7 @@ function sync_package_pfblocker() {
}
}
}
- #include all rules that is not from pfBlocker
+ #include all rules that are not from pfBlocker
if (!preg_match("/pfBlocker.*rule/",$rule['descr']) && ($rule['interface'] != "" || $rule['floating']=="yes"))
$new_rules[]=$rule;
}
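Review bot: The filter on the `if (!preg_match("/pfBlocker.*rule/",$rule['descr']) ...` line decides which user rules survive a sync based solely on a regex over the free-text `descr` field, so any administrator-written rule whose description happens to contain "pfBlocker" followed later by "rule" is silently dropped from the ruleset on every package sync. This line is unchanged context here, but since the commit touches its comment it is worth noting that a more robust marker (an exact description prefix, or a dedicated field set on generated rules) would avoid user-visible rules disappearing; at minimum the comment should warn, e.g. `# NOTE: rules are recognised as pfBlocker's by description text only; user rules matching /pfBlocker.*rule/ will be removed here`. The enclosing `foreach` starts outside this hunk.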