diff options
author | BBcan177 <bbcan177@gmail.com> | 2014-12-20 21:20:23 -0500 |
---|---|---|
committer | BBcan177 <bbcan177@gmail.com> | 2014-12-20 21:20:23 -0500 |
commit | 08081acca2b263a68f7f0c567cf3be50ef402c0b (patch) | |
tree | 35d3d52b406508e9be171fe08e98524e41590f3f /config/pfblockerng/pfblockerng.inc | |
parent | 0b255cfb7df9354f2037acaaa8d76868d05e6161 (diff) | |
download | pfsense-packages-08081acca2b263a68f7f0c567cf3be50ef402c0b.tar.gz pfsense-packages-08081acca2b263a68f7f0c567cf3be50ef402c0b.tar.bz2 pfsense-packages-08081acca2b263a68f7f0c567cf3be50ef402c0b.zip |
Mods to INC file.
- Move $pfb['cc'] Variable to global array
- Edit log_error texts.
- Maxmind Update Cron task changes. Cron tasks are now launched via a
php script using the 'dc' Argument.
- Re-work of the XMLRPC Sync code.
- Previous code did not validate IP addresses or Port.
- Previous code did not use the "Replication Target" Hosts enabled
checkbox setting in Replication Target Lines.
- Add htmlspecialchars() to the Password entry
- Previous code did not use the correct user - defined "Protocol" entry.
- Previous code did not use the $username entry.
- Remove the 'post Sync' Host Target code execution as this can
collide with a Cron Task or User Forced Update.
- Allow user to skip the sync of the "General Tab" Settings.
- Clean up all the log_error() texts.. To make the system.log easier to
read.
Diffstat (limited to 'config/pfblockerng/pfblockerng.inc')
-rw-r--r-- | config/pfblockerng/pfblockerng.inc | 214 |
1 files changed, 129 insertions, 85 deletions
diff --git a/config/pfblockerng/pfblockerng.inc b/config/pfblockerng/pfblockerng.inc index d59a8f3a..bc2ccfe1 100644 --- a/config/pfblockerng/pfblockerng.inc +++ b/config/pfblockerng/pfblockerng.inc @@ -92,6 +92,8 @@ function pfb_global() { # Max Lines in pfblockerng.log file $pfb['logmax'] = $pfb['config']['log_maxlines']; $pfb['iplocal'] = $config['interfaces']['lan']['ipaddr']; + # Disable Country Database CRON Updates + $pfb['cc'] = $pfb['config']['database_cc']; # Set pfBlockerNG to Disabled on 'Re-Install' if (isset($pfb['install']) && $pfb['install']) { @@ -247,11 +249,11 @@ function sync_package_pfblockerng($cron = "") { # Detect Boot Process or Update via CRON if (isset($_POST) && $cron == "") { if (!preg_match("/\w+/",$_POST['__csrf_magic'])) { - log_error("No pfBlockerNG action during boot process."); + log_error("[pfBlockerNG] Sync terminated during boot process."); return; } } - log_error("Starting pfBlockerNG sync process."); + log_error("[pfBlockerNG] Starting sync process."); # Start of pfBlockerNG Logging to 'pfblockerng.log' if ($pfb['enable'] == "on" && !$pfb['save']) { @@ -298,8 +300,6 @@ function sync_package_pfblockerng($cron = "") { $pfb['min'] = $pfb['config']['pfb_min']; # Reloads Existing Blocklists without Downloading New Lists $pfb['reuse'] = $pfb['config']['pfb_reuse']; - # Disable Country Database CRON Updates - $pfb['cc'] = $pfb['config']['database_cc']; # Enable OpenVPN AutoRules $pfb['openvpn'] = $pfb['config']['openvpn_action']; # Enable/Disable Floating Auto-Rules @@ -2096,17 +2096,11 @@ function sync_package_pfblockerng($cron = "") { } # Clear any existing pfBlockerNG MaxMind CRON Job - install_cron_job("geoipupdate.sh", false); + install_cron_job("pfblockerng.php dc", false); if ($pfb['enable'] == "on") { # Define pfBlockerNG MaxMind CRON Job - # (Options - 'bu' Binary Update for Reputation/Alerts Page, 'all' for Country update and 'bu' options. - - if ($pfb['cc'] == "") { - $pfb_gcmd = "/bin/sh /usr/local/pkg/pfblockerng/geoipupdate.sh all >> {$pfb['geolog']} 2>&1"; - } else { - $pfb_gcmd = "/bin/sh /usr/local/pkg/pfblockerng/geoipupdate.sh bu >> {$pfb['geolog']} 2>&1"; - } + $pfb_gcmd = "/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php dc >> {$pfb['geolog']} 2>&1"; # MaxMind GeoIP Cron Hour is randomized between 0-23 Hour to minimize effect on MaxMind Website @@ -2246,7 +2240,7 @@ function pfblockerng_php_install_command() { unlink_if_exists("{$pfb['ccdir']}/countrycodes.tar.bz2"); # Download MaxMind Files and Create Country Code files and Build Continent XML Files update_output_window(gettext("Downloading MaxMind Country Databases. This may take a minute...")); - exec("/bin/sh /usr/local/pkg/pfblockerng/geoipupdate.sh all"); + exec("/bin/sh /usr/local/pkg/pfblockerng/geoipupdate.sh all >> {$pfb['geolog']} 2>&1"); update_output_window(gettext("MaxMind Country Database downloads completed...")); update_output_window(gettext("Converting MaxMind Country Databases for pfBlockerNG. This may take a few minutes...")); pfblockerng_uc_countries(); @@ -2335,44 +2329,119 @@ function pfblockerng_php_deinstall_command() { update_output_window(gettext("pfBlockerNG has been Uninstalled")); } - /* Uses XMLRPC to synchronize the changes to a remote node */ function pfblockerng_sync_on_changes() { - global $config, $g; - log_error("[pfBlockerNG] pfBlockerNG_xmlrpc_sync.php is starting."); - $synconchanges = $config['installedpackages']['pfblockerngsync']['config'][0]['synconchanges']; - if (!$synconchanges) + global $config, $g, $pfb_sync; + + // Create Array of Sync Settings and exit if Sync is Disabled. + if (is_array($config['installedpackages']['pfblockerngsync']['config'][0])) { + $pfb_sync = $config['installedpackages']['pfblockerngsync']['config'][0]; + if ($pfb_sync['varsynconchanges'] == "disabled" || $pfb_sync['varsynconchanges'] == "") + return; + + $synctimeout = $pfb_sync['varsynctimeout']; + } else { return; - foreach ($config['installedpackages']['pfblockerngsync']['config'] as $rs ) { - foreach ($rs['row'] as $sh){ - $sync_to_ip = $sh['ipaddress']; - $password = $sh['password']; - if ($password && $sync_to_ip) { - pfblockerng_do_xmlrpc_sync($sync_to_ip, $password); + } + + log_error("[pfBlockerNG] XMLRPC sync is starting."); + + if (is_array($config['installedpackages']['pfblockerngsync']['config'])) { + switch ($pfb_sync['varsynconchanges']) { + case "manual": + if (is_array($pfb_sync[row])) { + $rs = $pfb_sync[row]; + } else { + log_error("[pfBlockerNG] XMLRPC sync is enabled but there are no replication targets configured."); + return; + } + break; + case "auto": + if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){ + $system_carp = $config['installedpackages']['carpsettings']['config'][0]; + $rs[0]['varsyncipaddress'] = $system_carp['synchronizetoip']; + $rs[0]['varsyncusername'] = $system_carp['username']; + $rs[0]['varsyncpassword'] = $system_carp['password']; + + // XMLRPC sync is currently only supported over connections using the same protocol and port as this system + if ($config['system']['webgui']['protocol'] == "http") { + $rs[0]['varsyncprotocol'] = "http"; + } else { + $rs[0]['varsyncprotocol'] = "https"; + } + + if ($system_carp['synchronizetoip'] == "") { + log_error("[pfBlockerNG] XMLRPC sync is enabled but there are no replication targets configured."); + return; + } + } else { + log_error("[pfBlockerNG] XMLRPC sync is enabled but there are no replication targets configured."); + return; + } + break; + default: + return; + break; + } + if (is_array($rs)) { + foreach ($rs as $sh) { + // Only Sync Enabled Replication Targets + if ($sh['varsyncdestinenable'] == "ON") { + $sync_to_ip = $sh['varsyncipaddress']; + $port = $sh['varsyncport']; + $password = htmlspecialchars($sh['varsyncpassword']); + $protocol = $sh['varsyncprotocol']; + + if (!empty($sh['varsyncusername'])) { + $username = $sh['varsyncusername']; + } else { + $username = "admin"; + } + + pfblockerng_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout); + } } + if ($success) + log_error("[pfBlockerNG] XMLRPC sync completed successfully."); } } - log_error("[pfblockerng] pfBlockerNG_xmlrpc_sync.php is ending."); } /* Do the actual XMLRPC sync */ -function pfblockerng_do_xmlrpc_sync($sync_to_ip, $password) { - global $config, $g; - - if (!$password) - return; +function pfblockerng_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout) { + global $config, $g, $pfb_sync; + $success = TRUE; + + /* Exit on missing parameters */ + if (empty($sync_to_ip) || empty($password)) { + log_error("[pfBlockerNG] XMLRPC sync parameter missing (host IP or password) ... aborting xmlrpc sync"); + $success = FALSE; + return $success; + } - if (!$sync_to_ip) - return; + /* Do not attempt a package sync while booting up or installing package */ + if ($g['booting'] || $g['pfblockerng_postinstall']) { + log_error("[pfBlockerNG] XMLRPC sync to Replication targets terminated during boot up or during package reinstallation."); + $success = FALSE; + return $success; + } - $xmlrpc_sync_neighbor = $sync_to_ip; - if ($config['system']['webgui']['protocol'] != "") { - $synchronizetoip = $config['system']['webgui']['protocol']; - $synchronizetoip .= "://"; + // Validate Replication Target IP Address and Port Settings + if (!is_ipaddr($sync_to_ip) || !is_port($port)) { + log_error("[pfBlockerNG] XMLRPC sync terminated due to mis-configured Replication Target IP Address or Port settings."); + $success = FALSE; + return $success; } - $port = $config['system']['webgui']['port']; - /* if port is empty lets rely on the protocol selection */ + + /* Test key variables and set defaults if empty */ + if (empty($synctimeout)) + $synctimeout = 150; + + $url = "{$protocol}://{$sync_to_ip}"; + + if ($port == "") { $port = $config['system']['webgui']['port']; }; + /* If port is empty lets rely on the protocol selection */ if ($port == "") { if ($config['system']['webgui']['protocol'] == "http") { $port = "80"; @@ -2380,11 +2449,11 @@ function pfblockerng_do_xmlrpc_sync($sync_to_ip, $password) { $port = "443"; } } - $synchronizetoip .= $sync_to_ip; - /* xml will hold the sections to sync */ $xml = array(); - $xml['pfblockerng'] = $config['installedpackages']['pfblockerng']; + // If User Disabled, remove 'General Tab Customizations' from Sync + if ($config['installedpackages']['pfblockerngsync']['config'][0]['syncinterfaces'] == "") + $xml['pfblockerng'] = $config['installedpackages']['pfblockerng']; $xml['pfblockerngreputation'] = $config['installedpackages']['pfblockerngreputation']; $xml['pfblockernglistsv4'] = $config['installedpackages']['pfblockernglistsv4']; $xml['pfblockernglistsv6'] = $config['installedpackages']['pfblockernglistsv6']; @@ -2396,66 +2465,41 @@ function pfblockerng_do_xmlrpc_sync($sync_to_ip, $password) { $xml['pfblockerngnorthamerica'] = $config['installedpackages']['pfblockerngnorthamerica']; $xml['pfblockerngoceania'] = $config['installedpackages']['pfblockerngoceania']; $xml['pfblockerngsouthamerica'] = $config['installedpackages']['pfblockerngsouthamerica']; + /* assemble xmlrpc payload */ $params = array( - XML_RPC_encode($password), - XML_RPC_encode($xml) - ); + XML_RPC_encode($password), + XML_RPC_encode($xml) + ); /* set a few variables needed for sync code borrowed from filter.inc */ - $url = $synchronizetoip; - log_error("Beginning pfBlockerNG XMLRPC sync to {$url}:{$port}."); + log_error("[pfBlockerNG] XMLRPC syncing to {$url}:{$port}."); $method = 'pfsense.merge_installedpackages_section_xmlrpc'; $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - $cli->setCredentials('admin', $password); + $cli->setCredentials($username, $password); if ($g['debug']) { $cli->setDebug(1); } - /* send our XMLRPC message and timeout after 250 seconds */ - $resp = $cli->send($msg, "250"); - if (!$resp) { - $error = "A communications error occurred while attempting pfBlockerNG XMLRPC sync with {$url}:{$port}."; - log_error($error); - file_notice("sync_settings", $error, "pfBlockerNG Settings Sync", ""); - } elseif ($resp->faultCode()) { - $cli->setDebug(1); - $resp = $cli->send($msg, "250"); - $error = "An error code was received while attempting pfBlockerNG XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); - log_error($error); - file_notice("sync_settings", $error, "pfBlockerNG Settings Sync", ""); - } else { - log_error("pfBlockerNG XMLRPC sync successfully completed with {$url}:{$port}."); - } - - /* tell pfblockerNG to reload our settings on the destination sync host. */ - $method = 'pfsense.exec_php'; - $execcmd = "require_once('/usr/local/pkg/pfblockerng.inc');\n"; - $execcmd .= "sync_package_pfblockerng();"; - - /* assemble xmlrpc payload */ - $params = array( - XML_RPC_encode($password), - XML_RPC_encode($execcmd) - ); - log_error("pfBlockerNG XMLRPC reload data {$url}:{$port}."); - $msg = new XML_RPC_Message($method, $params); - $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - $cli->setCredentials('admin', $password); - $resp = $cli->send($msg, "250"); + /* send our XMLRPC message and timeout after defined sync timeout value */ + $resp = $cli->send($msg, $synctimeout); + $error = ""; if (!$resp) { - $error = "A communications error occurred while attempting pfBlockerNG XMLRPC sync with {$url}:{$port} (exec_php)."; - log_error($error); + log_error("[pfBlockerNG] XMLRPC communications error occurred while attempting sync with {$url}:{$port}."); file_notice("sync_settings", $error, "pfBlockerNG Settings Sync", ""); - } elseif($resp->faultCode()) { + $success = FALSE; + return $success; + } elseif ($resp->faultCode()) { $cli->setDebug(1); - $resp = $cli->send($msg, "250"); - $error = "An error code was received while attempting pfBlockerNG XMLRPC exec with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); - log_error($error); + $resp = $cli->send($msg, $synctimeout); + log_error("[pfBlockerNG] XMLRPC Error received while attempting sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString()); file_notice("sync_settings", $error, "pfBlockerNG Settings Sync", ""); + $success = FALSE; + return $success; } else { - log_error("pfBlockerNG XMLRPC reload data success with {$url}:{$port} (exec_php)."); + log_error("[pfBlockerNG] XMLRPC sync successfully completed with {$url}:{$port}."); } + return $success; } ?>
\ No newline at end of file |