authorMarcello Coutinho <marcellocoutinho@gmail.com>2012-03-26 22:50:17 -0700
committerMarcello Coutinho <marcellocoutinho@gmail.com>2012-03-26 22:50:17 -0700
commit67c822586a90f9e0f9c3801522d7f35a103ffcbe (patch)
tree6138e85959bacebb8e3d425dbf0a6ae4bb68dd43 /config/pf-blocker
parent59c61b820001e28adca65e6c1d77c161648d9396 (diff)
parentc689ec91f56104ae70293f09b27420cfb8c22fd9 (diff)
Merge pull request #231 from phil-davis/master
Prevent duplicated pfblocker rules on some interfaces
Diffstat (limited to 'config/pf-blocker')
-rwxr-xr-xconfig/pf-blocker/pfblocker.inc10
1 files changed, 8 insertions, 2 deletions
diff --git a/config/pf-blocker/pfblocker.inc b/config/pf-blocker/pfblocker.inc
index 3358e07f..f41a5136 100755
--- a/config/pf-blocker/pfblocker.inc
+++ b/config/pf-blocker/pfblocker.inc
@@ -427,8 +427,14 @@ function sync_package_pfblocker() {
$last_iface="";
$rules=$config['filter']['rule'];
$new_rules=array();
+ # The assumption is that the rules in the config come in groups by interface then priority.
+ # e.g. all rules for WAN (highest priority first), then for LAN then for OPT1 etc.
+ # Note that floating rules (interface is "") can appear mixed in the list.
foreach ($rules as $rule){
- if ($rule['interface'] <> $last_iface){
+ # If this next rule is for a non-blank interface, different to the previous interface,
+ # then add any needed pfblocker rules to the interface. This puts pfblocker rules at the
+ # top of the list for each interface, after any built-in rules (e.g. anti-lockout)
+ if (($rule['interface'] != "") && ($rule['interface'] <> $last_iface)){
$last_iface = $rule['interface'];
#apply pfblocker rules if enabled
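Review bot: The new condition on line 37 only stops the duplication when each interface's rules are contiguous, which is exactly the assumption the added comment on lines 29-31 spells out; if a user reorders rules so that, say, two WAN rules are separated by a LAN rule, `$last_iface` flips back and the pfblocker rules are inserted a second time for WAN. Tracking the interfaces already handled makes the guard independent of ordering: add `$done_ifaces = array();` next to `$last_iface="";`, change the test to `if (($rule['interface'] != "") && !isset($done_ifaces[$rule['interface']])){`, and record `$done_ifaces[$rule['interface']] = true;` alongside the existing `$last_iface` assignment (kept, since code below the hunk may still read it). The same line also mixes `<>` and `!=` for string comparison; using `!=` in both places (or `!==`, which avoids loose-comparison surprises on interface names) would read more consistently. The body of `sync_package_pfblocker()` starts and ends outside this hunk, so the later use of `$last_iface` and the insertion code it guards are not visible here.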
@@ -465,7 +471,7 @@ function sync_package_pfblocker() {
}
}
}
- #include all rules that is not from pfBlocker
+ #include all rules that are not from pfBlocker
if (!preg_match("/pfBlocker.*rule/",$rule['descr']) && ($rule['interface'] != "" || $rule['floating']=="yes"))
$new_rules[]=$rule;
}