author | Marcello Coutinho <marcellocoutinho@gmail.com> | 2012-09-28 14:11:12 -0700 |
---|---|---|
committer | Marcello Coutinho <marcellocoutinho@gmail.com> | 2012-09-28 14:11:12 -0700 |
commit | bd05ac364e83d5ad826e56ab94b0a650a76d007b (patch) | |
tree | 77c5dd4aff8d247217b0b78e9a01a1ebd5d62786 /config | |
parent | 91f7d1ef9ee32bb3a237574be636fb02274328fe (diff) | |
parent | 90acaa6951653a8c40a4a14f9f0629e74ba47b81 (diff) | |
Merge pull request #323 from phil-davis/master
Stop pfblocker rules being added twice
Diffstat (limited to 'config')
-rwxr-xr-x | config/pf-blocker/pfblocker.inc | 27 |
1 files changed, 18 insertions, 9 deletions
diff --git a/config/pf-blocker/pfblocker.inc b/config/pf-blocker/pfblocker.inc
index c0391fcc..24ffa5b9 100755
--- a/config/pf-blocker/pfblocker.inc
+++ b/config/pf-blocker/pfblocker.inc
@@ -468,23 +468,32 @@ function sync_package_pfblocker($cron="") {
 }
 if ($message == ""){
- $last_iface="";
 $rules=$config['filter']['rule'];
 $new_rules=array();
- # The assumption is that the rules in the config come in groups by interface then priority.
- # e.g. all rules for WAN (highest priority first), then for LAN then for OPT1 etc.
- # Note that floating rules (interface is "") can appear mixed in the list.
+ $interfaces_processed=array();
+ # The rules in the config come in priority order,
+ # but the interface to which each rule applies can be all mixed up in the list.
+ # e.g. some WAN rules, then some LAN rules, then some floating rules, then more
+ # LAN rules, some OPT1 rules, some more LAN rules and so on.
+ # So we have to allow for this, and only add pfBlocker rules the first time an
+ # interface is found in the rules list.
 foreach ($rules as $rule){
- # If this next rule is for a non-blank interface, different to the previous interface,
+ # If this next rule is for a non-blank interface, different from any interface already processed,
 # then add any needed pfblocker rules to the interface. This puts pfblocker rules at the
 # top of the list for each interface, after any built-in rules (e.g. anti-lockout)
- if (($rule['interface'] != "") && ($rule['interface'] <> $last_iface)){
- $last_iface = $rule['interface'];
+ $found_new_interface = TRUE;
+ foreach ($interfaces_processed as $processed_interface){
+ if ($processed_interface = $rule['interface']){
+ $found_new_interface = FALSE;
+ }
+ }
+ if (($rule['interface'] != "") && ($found_new_interface)){
+ $interfaces_processed[] = $rule['interface'];
 #apply pfblocker rules if enabled
 #Inbound
 foreach ($inbound_interfaces as $inbound_interface){
- if ($inbound_interface==$last_iface){
+ if ($inbound_interface==$rule['interface']){
 #permit rules
 if (is_array($permit_inbound)){
 foreach ($permit_inbound as $cb_rules){
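Review bot: The new inner comparison `if ($processed_interface = $rule['interface']){` is an assignment, not an equality test, so as soon as `$interfaces_processed` holds one entry the condition is true for every rule with a non-empty interface and `$found_new_interface` is forced to FALSE — pfBlocker permit/deny rules would then be emitted for the first interface encountered only, the opposite failure from the duplication this commit sets out to fix. The whole five-line foreach can be replaced by a strict membership test, `$found_new_interface = !in_array($rule['interface'], $interfaces_processed, true);`, which also avoids mutating the loop variable and PHP's loose string juggling. Because the result of this check decides whether filter rules reach pf at all, a regression here silently removes blocking coverage rather than failing loudly, so a quick test with two or more interfaces that each carry rules is worth doing before merge. sync_package_pfblocker() begins and ends outside this hunk.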
@@ -503,7 +512,7 @@ function sync_package_pfblocker($cron="") {
 }
 #Outbound
 foreach ($outbound_interfaces as $outbound_interface){
- if ($outbound_interface==$last_iface){
+ if ($outbound_interface==$rule['interface']){
 #permit rules
 if (is_array($permit_outbound)){
 foreach ($permit_outbound as $cb_rules){ |