authorBBcan177 <bbcan177@gmail.com>2014-12-20 21:20:23 -0500
committerBBcan177 <bbcan177@gmail.com>2014-12-20 21:20:23 -0500
commit08081acca2b263a68f7f0c567cf3be50ef402c0b (patch)
tree35d3d52b406508e9be171fe08e98524e41590f3f /config/pfblockerng/pfblockerng.inc
parent0b255cfb7df9354f2037acaaa8d76868d05e6161 (diff)
Mods to INC file.
- Move $pfb['cc'] Variable to global array. - Edit log_error texts. - MaxMind Update Cron task changes. Cron tasks are now launched via a php script using the 'dc' Argument. - Re-work of the XMLRPC Sync code. - Previous code did not validate IP addresses or Port. - Previous code did not use the "Replication Target" Hosts enabled checkbox setting in Replication Target Lines. - Add htmlspecialchars() to the Password entry. - Previous code did not use the correct user-defined "Protocol" entry. - Previous code did not use the $username entry. - Remove the 'post Sync' Host Target code execution as this can collide with a Cron Task or User Forced Update. - Allow user to skip the sync of the "General Tab" Settings. - Clean up all the log_error() texts to make the system.log easier to read.
Diffstat (limited to 'config/pfblockerng/pfblockerng.inc')
-rw-r--r--config/pfblockerng/pfblockerng.inc214
1 files changed, 129 insertions, 85 deletions
diff --git a/config/pfblockerng/pfblockerng.inc b/config/pfblockerng/pfblockerng.inc
index d59a8f3a..bc2ccfe1 100644
--- a/config/pfblockerng/pfblockerng.inc
+++ b/config/pfblockerng/pfblockerng.inc
@@ -92,6 +92,8 @@ function pfb_global() {
# Max Lines in pfblockerng.log file
$pfb['logmax'] = $pfb['config']['log_maxlines'];
$pfb['iplocal'] = $config['interfaces']['lan']['ipaddr'];
+ # Disable Country Database CRON Updates
+ $pfb['cc'] = $pfb['config']['database_cc'];
# Set pfBlockerNG to Disabled on 'Re-Install'
if (isset($pfb['install']) && $pfb['install']) {
@@ -247,11 +249,11 @@ function sync_package_pfblockerng($cron = "") {
# Detect Boot Process or Update via CRON
if (isset($_POST) && $cron == "") {
if (!preg_match("/\w+/",$_POST['__csrf_magic'])) {
- log_error("No pfBlockerNG action during boot process.");
+ log_error("[pfBlockerNG] Sync terminated during boot process.");
return;
}
}
- log_error("Starting pfBlockerNG sync process.");
+ log_error("[pfBlockerNG] Starting sync process.");
# Start of pfBlockerNG Logging to 'pfblockerng.log'
if ($pfb['enable'] == "on" && !$pfb['save']) {
@@ -298,8 +300,6 @@ function sync_package_pfblockerng($cron = "") {
$pfb['min'] = $pfb['config']['pfb_min'];
# Reloads Existing Blocklists without Downloading New Lists
$pfb['reuse'] = $pfb['config']['pfb_reuse'];
- # Disable Country Database CRON Updates
- $pfb['cc'] = $pfb['config']['database_cc'];
# Enable OpenVPN AutoRules
$pfb['openvpn'] = $pfb['config']['openvpn_action'];
# Enable/Disable Floating Auto-Rules
@@ -2096,17 +2096,11 @@ function sync_package_pfblockerng($cron = "") {
}
# Clear any existing pfBlockerNG MaxMind CRON Job
- install_cron_job("geoipupdate.sh", false);
+ install_cron_job("pfblockerng.php dc", false);
if ($pfb['enable'] == "on") {
# Define pfBlockerNG MaxMind CRON Job
- # (Options - 'bu' Binary Update for Reputation/Alerts Page, 'all' for Country update and 'bu' options.
-
- if ($pfb['cc'] == "") {
- $pfb_gcmd = "/bin/sh /usr/local/pkg/pfblockerng/geoipupdate.sh all >> {$pfb['geolog']} 2>&1";
- } else {
- $pfb_gcmd = "/bin/sh /usr/local/pkg/pfblockerng/geoipupdate.sh bu >> {$pfb['geolog']} 2>&1";
- }
+ $pfb_gcmd = "/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php dc >> {$pfb['geolog']} 2>&1";
# MaxMind GeoIP Cron Hour is randomized between 0-23 Hour to minimize effect on MaxMind Website
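Review bot: The new cron command line has lost the comment that documented what the script argument does; the removed lines explained the 'bu' and 'all' options, and the replacement 'dc' argument has no equivalent. Suggest a short comment above the `$pfb_gcmd` assignment such as `# 'dc' - launch the MaxMind update via pfblockerng.php; the $pfb['cc'] setting is expected to be honored inside that script`. Since the cron line no longer switches on `$pfb['cc']`, the branch that used to select 'bu' vs 'all' must now live in pfblockerng.php, which is not visible here and is worth confirming. sync_package_pfblockerng continues outside this hunk.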
@@ -2246,7 +2240,7 @@ function pfblockerng_php_install_command() {
unlink_if_exists("{$pfb['ccdir']}/countrycodes.tar.bz2");
# Download MaxMind Files and Create Country Code files and Build Continent XML Files
update_output_window(gettext("Downloading MaxMind Country Databases. This may take a minute..."));
- exec("/bin/sh /usr/local/pkg/pfblockerng/geoipupdate.sh all");
+ exec("/bin/sh /usr/local/pkg/pfblockerng/geoipupdate.sh all >> {$pfb['geolog']} 2>&1");
update_output_window(gettext("MaxMind Country Database downloads completed..."));
update_output_window(gettext("Converting MaxMind Country Databases for pfBlockerNG. This may take a few minutes..."));
pfblockerng_uc_countries();
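Review bot: The `exec()` return code is not checked, so the "downloads completed" message that follows is printed even when geoipupdate.sh fails; capture it with `exec("/bin/sh /usr/local/pkg/pfblockerng/geoipupdate.sh all >> {$pfb['geolog']} 2>&1", $out, $rc);` and report `$rc != 0` through update_output_window before calling pfblockerng_uc_countries(). Redirecting stderr into the log is an improvement, but it also hides failures from the installer output, which makes the return-code check more important. pfblockerng_php_install_command continues outside this hunk.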
@@ -2335,44 +2329,119 @@ function pfblockerng_php_deinstall_command() {
update_output_window(gettext("pfBlockerNG has been Uninstalled"));
}
-
/* Uses XMLRPC to synchronize the changes to a remote node */
function pfblockerng_sync_on_changes() {
- global $config, $g;
- log_error("[pfBlockerNG] pfBlockerNG_xmlrpc_sync.php is starting.");
- $synconchanges = $config['installedpackages']['pfblockerngsync']['config'][0]['synconchanges'];
- if (!$synconchanges)
+ global $config, $g, $pfb_sync;
+
+ // Create Array of Sync Settings and exit if Sync is Disabled.
+ if (is_array($config['installedpackages']['pfblockerngsync']['config'][0])) {
+ $pfb_sync = $config['installedpackages']['pfblockerngsync']['config'][0];
+ if ($pfb_sync['varsynconchanges'] == "disabled" || $pfb_sync['varsynconchanges'] == "")
+ return;
+
+ $synctimeout = $pfb_sync['varsynctimeout'];
+ } else {
return;
- foreach ($config['installedpackages']['pfblockerngsync']['config'] as $rs ) {
- foreach ($rs['row'] as $sh){
- $sync_to_ip = $sh['ipaddress'];
- $password = $sh['password'];
- if ($password && $sync_to_ip) {
- pfblockerng_do_xmlrpc_sync($sync_to_ip, $password);
+ }
+
+ log_error("[pfBlockerNG] XMLRPC sync is starting.");
+
+ if (is_array($config['installedpackages']['pfblockerngsync']['config'])) {
+ switch ($pfb_sync['varsynconchanges']) {
+ case "manual":
+ if (is_array($pfb_sync[row])) {
+ $rs = $pfb_sync[row];
+ } else {
+ log_error("[pfBlockerNG] XMLRPC sync is enabled but there are no replication targets configured.");
+ return;
+ }
+ break;
+ case "auto":
+ if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){
+ $system_carp = $config['installedpackages']['carpsettings']['config'][0];
+ $rs[0]['varsyncipaddress'] = $system_carp['synchronizetoip'];
+ $rs[0]['varsyncusername'] = $system_carp['username'];
+ $rs[0]['varsyncpassword'] = $system_carp['password'];
+
+ // XMLRPC sync is currently only supported over connections using the same protocol and port as this system
+ if ($config['system']['webgui']['protocol'] == "http") {
+ $rs[0]['varsyncprotocol'] = "http";
+ } else {
+ $rs[0]['varsyncprotocol'] = "https";
+ }
+
+ if ($system_carp['synchronizetoip'] == "") {
+ log_error("[pfBlockerNG] XMLRPC sync is enabled but there are no replication targets configured.");
+ return;
+ }
+ } else {
+ log_error("[pfBlockerNG] XMLRPC sync is enabled but there are no replication targets configured.");
+ return;
+ }
+ break;
+ default:
+ return;
+ break;
+ }
+ if (is_array($rs)) {
+ foreach ($rs as $sh) {
+ // Only Sync Enabled Replication Targets
+ if ($sh['varsyncdestinenable'] == "ON") {
+ $sync_to_ip = $sh['varsyncipaddress'];
+ $port = $sh['varsyncport'];
+ $password = htmlspecialchars($sh['varsyncpassword']);
+ $protocol = $sh['varsyncprotocol'];
+
+ if (!empty($sh['varsyncusername'])) {
+ $username = $sh['varsyncusername'];
+ } else {
+ $username = "admin";
+ }
+
+ pfblockerng_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout);
+ }
}
+ if ($success)
+ log_error("[pfBlockerNG] XMLRPC sync completed successfully.");
}
}
- log_error("[pfblockerng] pfBlockerNG_xmlrpc_sync.php is ending.");
}
/* Do the actual XMLRPC sync */
-function pfblockerng_do_xmlrpc_sync($sync_to_ip, $password) {
- global $config, $g;
-
- if (!$password)
- return;
+function pfblockerng_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout) {
+ global $config, $g, $pfb_sync;
+ $success = TRUE;
+
+ /* Exit on missing parameters */
+ if (empty($sync_to_ip) || empty($password)) {
+ log_error("[pfBlockerNG] XMLRPC sync parameter missing (host IP or password) ... aborting xmlrpc sync");
+ $success = FALSE;
+ return $success;
+ }
- if (!$sync_to_ip)
- return;
+ /* Do not attempt a package sync while booting up or installing package */
+ if ($g['booting'] || $g['pfblockerng_postinstall']) {
+ log_error("[pfBlockerNG] XMLRPC sync to Replication targets terminated during boot up or during package reinstallation.");
+ $success = FALSE;
+ return $success;
+ }
- $xmlrpc_sync_neighbor = $sync_to_ip;
- if ($config['system']['webgui']['protocol'] != "") {
- $synchronizetoip = $config['system']['webgui']['protocol'];
- $synchronizetoip .= "://";
+ // Validate Replication Target IP Address and Port Settings
+ if (!is_ipaddr($sync_to_ip) || !is_port($port)) {
+ log_error("[pfBlockerNG] XMLRPC sync terminated due to mis-configured Replication Target IP Address or Port settings.");
+ $success = FALSE;
+ return $success;
}
- $port = $config['system']['webgui']['port'];
- /* if port is empty lets rely on the protocol selection */
+
+ /* Test key variables and set defaults if empty */
+ if (empty($synctimeout))
+ $synctimeout = 150;
+
+ $url = "{$protocol}://{$sync_to_ip}";
+
+ if ($port == "") { $port = $config['system']['webgui']['port']; };
+ /* If port is empty lets rely on the protocol selection */
if ($port == "") {
if ($config['system']['webgui']['protocol'] == "http") {
$port = "80";
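Review bot: In the "auto" branch the `$rs[0][...]` assignments never set `varsyncdestinenable` or `varsyncport`, so the `== "ON"` filter in the foreach skips the CARP target and nothing is synced in auto mode; add `$rs[0]['varsyncdestinenable'] = "ON";` alongside the other fields and supply a port (e.g. the local webgui port), otherwise the later `is_port()` check rejects it anyway. `$pfb_sync[row]` uses an unquoted key in two places and should be `$pfb_sync['row']`. `$password = htmlspecialchars($sh['varsyncpassword'])` alters any password containing `&`, `<`, `>` or quotes before it is used as the XMLRPC credential — HTML escaping belongs at output time, not on a secret handed to setCredentials, so use `$password = $sh['varsyncpassword'];`. `$success` is tested after the loop but never assigned in this function; capture the call's return with `$success = pfblockerng_do_xmlrpc_sync(...)`. pfblockerng_do_xmlrpc_sync's body continues past the end of this hunk.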
@@ -2380,11 +2449,11 @@ function pfblockerng_do_xmlrpc_sync($sync_to_ip, $password) {
$port = "443";
}
}
- $synchronizetoip .= $sync_to_ip;
-
/* xml will hold the sections to sync */
$xml = array();
- $xml['pfblockerng'] = $config['installedpackages']['pfblockerng'];
+ // If User Disabled, remove 'General Tab Customizations' from Sync
+ if ($config['installedpackages']['pfblockerngsync']['config'][0]['syncinterfaces'] == "")
+ $xml['pfblockerng'] = $config['installedpackages']['pfblockerng'];
$xml['pfblockerngreputation'] = $config['installedpackages']['pfblockerngreputation'];
$xml['pfblockernglistsv4'] = $config['installedpackages']['pfblockernglistsv4'];
$xml['pfblockernglistsv6'] = $config['installedpackages']['pfblockernglistsv6'];
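Review bot: The `if ($port == "")` fallback that opens this hunk (it begins in the previous hunk) is unreachable: `is_port($port)` earlier in the function already fails for an empty port and aborts, so the webgui-port and 80/443 defaults never apply; either drop the fallback or move the default-filling ahead of the validation. It also picks the default from the local `$config['system']['webgui']['protocol']`, whereas the URL is built from the target's `$protocol`; if the fallback is kept it should key off `$protocol` for consistency. The comment above the `syncinterfaces` check says "If User Disabled, remove", but the code includes the General tab section when the setting is empty — reword the comment to state which checkbox state skips that section.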
@@ -2396,66 +2465,41 @@ function pfblockerng_do_xmlrpc_sync($sync_to_ip, $password) {
$xml['pfblockerngnorthamerica'] = $config['installedpackages']['pfblockerngnorthamerica'];
$xml['pfblockerngoceania'] = $config['installedpackages']['pfblockerngoceania'];
$xml['pfblockerngsouthamerica'] = $config['installedpackages']['pfblockerngsouthamerica'];
+
/* assemble xmlrpc payload */
$params = array(
- XML_RPC_encode($password),
- XML_RPC_encode($xml)
- );
+ XML_RPC_encode($password),
+ XML_RPC_encode($xml)
+ );
/* set a few variables needed for sync code borrowed from filter.inc */
- $url = $synchronizetoip;
- log_error("Beginning pfBlockerNG XMLRPC sync to {$url}:{$port}.");
+ log_error("[pfBlockerNG] XMLRPC syncing to {$url}:{$port}.");
$method = 'pfsense.merge_installedpackages_section_xmlrpc';
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
- $cli->setCredentials('admin', $password);
+ $cli->setCredentials($username, $password);
if ($g['debug']) {
$cli->setDebug(1);
}
- /* send our XMLRPC message and timeout after 250 seconds */
- $resp = $cli->send($msg, "250");
- if (!$resp) {
- $error = "A communications error occurred while attempting pfBlockerNG XMLRPC sync with {$url}:{$port}.";
- log_error($error);
- file_notice("sync_settings", $error, "pfBlockerNG Settings Sync", "");
- } elseif ($resp->faultCode()) {
- $cli->setDebug(1);
- $resp = $cli->send($msg, "250");
- $error = "An error code was received while attempting pfBlockerNG XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
- log_error($error);
- file_notice("sync_settings", $error, "pfBlockerNG Settings Sync", "");
- } else {
- log_error("pfBlockerNG XMLRPC sync successfully completed with {$url}:{$port}.");
- }
-
- /* tell pfblockerNG to reload our settings on the destination sync host. */
- $method = 'pfsense.exec_php';
- $execcmd = "require_once('/usr/local/pkg/pfblockerng.inc');\n";
- $execcmd .= "sync_package_pfblockerng();";
-
- /* assemble xmlrpc payload */
- $params = array(
- XML_RPC_encode($password),
- XML_RPC_encode($execcmd)
- );
- log_error("pfBlockerNG XMLRPC reload data {$url}:{$port}.");
- $msg = new XML_RPC_Message($method, $params);
- $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
- $cli->setCredentials('admin', $password);
- $resp = $cli->send($msg, "250");
+ /* send our XMLRPC message and timeout after defined sync timeout value */
+ $resp = $cli->send($msg, $synctimeout);
+ $error = "";
if (!$resp) {
- $error = "A communications error occurred while attempting pfBlockerNG XMLRPC sync with {$url}:{$port} (exec_php).";
- log_error($error);
+ log_error("[pfBlockerNG] XMLRPC communications error occurred while attempting sync with {$url}:{$port}.");
file_notice("sync_settings", $error, "pfBlockerNG Settings Sync", "");
- } elseif($resp->faultCode()) {
+ $success = FALSE;
+ return $success;
+ } elseif ($resp->faultCode()) {
$cli->setDebug(1);
- $resp = $cli->send($msg, "250");
- $error = "An error code was received while attempting pfBlockerNG XMLRPC exec with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
- log_error($error);
+ $resp = $cli->send($msg, $synctimeout);
+ log_error("[pfBlockerNG] XMLRPC Error received while attempting sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString());
file_notice("sync_settings", $error, "pfBlockerNG Settings Sync", "");
+ $success = FALSE;
+ return $success;
} else {
- log_error("pfBlockerNG XMLRPC reload data success with {$url}:{$port} (exec_php).");
+ log_error("[pfBlockerNG] XMLRPC sync successfully completed with {$url}:{$port}.");
}
+ return $success;
}
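Review bot: `$error` is reset to `""` and then passed to both `file_notice()` calls, so the GUI notices raised on a communications error or a fault code now carry no text; assign the message first and reuse it, `$error = "[pfBlockerNG] XMLRPC communications error occurred while attempting sync with {$url}:{$port}."; log_error($error); file_notice("sync_settings", $error, "pfBlockerNG Settings Sync", "");` and likewise in the faultCode branch. That branch also resends the whole merge payload with `setDebug(1)` just to obtain diagnostics; the PEAR client's debug mode appears to echo the request, which here embeds the sync password, so consider logging faultCode()/faultString() from the first response instead of retrying. `$success = FALSE; return $success;` can be a plain `return false;`, and `TRUE`/`FALSE` are conventionally lowercase.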
?> \ No newline at end of file