-rw-r--r-- | packages/havp.inc | 65 | ||||
-rw-r--r-- | packages/havp.sh | 20 | ||||
-rw-r--r-- | packages/havp.xml | 36 | ||||
-rw-r--r-- | packages/havp_blacklist.xml | 4 | ||||
-rw-r--r-- | packages/havp_startup.inc | 11 | ||||
-rw-r--r-- | packages/havp_trans_exclude.xml | 71 | ||||
-rw-r--r-- | packages/havp_whitelist.xml | 4 |
7 files changed, 199 insertions, 12 deletions
diff --git a/packages/havp.inc b/packages/havp.inc index ce4e8e88..a7ddc37f 100644 --- a/packages/havp.inc +++ b/packages/havp.inc @@ -9,6 +9,7 @@ require_once('pfsense-utils.inc'); part of the HAVP package for pfSense Copyright (C) 2006 Rajkumar S <raj@linuxense.com> All rights reserved. + $Id$ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 
@@ -58,21 +59,18 @@ function sync_package_havp() {
 if ($tmp['maxservers'] != "") fwrite($fd,"MAXSERVERS " . $tmp['maxservers'] . "\n");
 if ($tmp['port'] != "") fwrite($fd,"PORT " . $tmp['port'] . "\n");
 if ($tmp['source_address'] != "") fwrite($fd,"SOURCE_ADDRESS " . $tmp['source_address'] . " \n");
- if ($tmp['dbreload'] != "") fwrite($fd,"DBRELOAD" . $tmp['dbreload'] . " \n");
- if ($tmp['parentproxy'] != "") fwrite($fd,"PARENTPROXY" . $tmp['parentproxy'] . " \n");
- if ($tmp['parentport'] != "") fwrite($fd,"PARENTPORT" . $tmp['parentport'] . " \n");
+ if ($tmp['dbreload'] != "") fwrite($fd,"DBRELOAD " . $tmp['dbreload'] . " \n");
+ if ($tmp['parentproxy'] != "") fwrite($fd,"PARENTPROXY " . $tmp['parentproxy'] . " \n");
+ if ($tmp['parentport'] != "") fwrite($fd,"PARENTPORT " . $tmp['parentport'] . " \n");
+ if ($tmp['maxscansize'] != "") fwrite($fd,"MAXSCANSIZE " . $tmp['maxscansize'] . " \n");
+ if ($tmp['trickling'] != "") fwrite($fd,"TRICKLING " . $tmp['trickling'] . " \n");
+ if ($tmp['maxdownloadsize'] != "") fwrite($fd,"MAXDOWNLOADSIZE " . $tmp['maxdownloadsize'] . " \n");
 /* If Transparent then, don't bother with bind address */
 if ($tmp['transparent'] == "on"){
 fwrite($fd,"TRANSPARENT true\n");
 fwrite($fd,"BIND_ADDRESS 127.0.0.1\n");
- $trans_file = fopen("/tmp/havp_pf.rules","w");
- fwrite($trans_file, "rdr on " . $config['interfaces']['lan']['if'] . " inet proto tcp from any to ! " . $config['interfaces']['lan']['ipaddr'] . " port = http -> 127.0.0.1 port 8080 \n");
- fclose($trans_file);
- $havp_pf_result = mwexec ("pfctl -a rdr-package/havp -f /tmp/havp_pf.rules");
- if($havp_pf_result <> 0) {
- file_notice("HAVP", "There were error(s) loading the transparency rules", "HAVP", "");
- }
+ setup_transparency();
 } else {
 fwrite($fd,"TRANSPARENT false\n");
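Review bot: The six values written to havp.config in this hunk (`dbreload`, `parentproxy`, `parentport`, `maxscansize`, `trickling`, `maxdownloadsize`) are emitted exactly as typed in the GUI, and the matching `<field>` entries in the havp.xml hunk of this commit are plain `<type>input</type>` with no validation, so a non-numeric value breaks the daemon's configuration and a value containing a newline appends arbitrary HAVP directives. The numeric ones should be normalised where they are written, e.g. `if ($tmp['maxscansize'] != "") fwrite($fd,"MAXSCANSIZE " . intval($tmp['maxscansize']) . " \n");`, with the same treatment for `dbreload`, `parentport`, `trickling` and `maxdownloadsize`; `parentproxy` is a hostname and needs a format check rather than a cast. sync_package_havp() begins and ends outside this hunk.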
@@ -82,6 +80,7 @@ function sync_package_havp() {
 fwrite($fd,"BIND_ADDRESS " . $config['interfaces']['lan']['ipaddr'] . " \n");
 }
 $havp_pf_result = mwexec ("pfctl -a rdr-package/havp -F nat");
+ $havp_pf_result = mwexec ("pfctl -t havp -T kill");
 if($havp_pf_result <> 0) {
 file_notice("HAVP", "There were error(s) clearing the transparency rules", "HAVP", "");
 }
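Review bot: The added `pfctl -t havp -T kill` overwrites `$havp_pf_result` before the check on the next line, so a failure of the preceding `-F nat` flush is no longer reported. It also omits the `-a "rdr-package/havp"` anchor that every other table operation in this commit uses (`-T flush` and `-T add` in add_trans_table), so it addresses a table in the main ruleset rather than the one declared by `table <havp> persist` inside the anchor; where no such main-ruleset table exists this returns non-zero and raises a misleading "clearing" notice while the anchor table survives. Check both results and name the anchor: `if ($havp_pf_result <> 0 || mwexec('pfctl -a "rdr-package/havp" -t havp -T kill') <> 0) {`. sync_package_havp() continues on both sides of this hunk, so whether this cleanup also runs immediately after setup_transparency() in the transparent case cannot be confirmed from here and is worth checking.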
@@ -169,4 +168,50 @@ function sync_package_havp_blacklist() {
 conf_mount_ro();
 config_unlock();
 }
+
+function add_trans_table(){
+ global $config;
+ conf_mount_rw();
+ config_lock();
+
+ # Flush all entries first, and then add them.
+ $havp_pf_result = mwexec ('pfctl -a "rdr-package/havp" -t havp -T flush');
+ if($havp_pf_result <> 0) {
+ file_notice("HAVP", "There were error(s) flushing the exclude table", "HAVP", "");
+ }
+ if($config['installedpackages']['havptransexclude']['config'] != ""){
+ foreach($config['installedpackages']['havptransexclude']['config'] as $tmp) {
+ $havp_pf_result = mwexec ('pfctl -a "rdr-package/havp" -t havp -T add ' . $tmp['ip']);
+ if($havp_pf_result <> 0) {
+ file_notice("HAVP", "There were error(s) adding the ip " . $tmp['ip'], "HAVP", "");
+ }
+ }
+ }
+ /* signal a reload of all files */
+ conf_mount_ro();
+ config_unlock();
+}
+
+function setup_transparency(){
+ global $config;
+ $trans_file = fopen("/tmp/havp_pf.rules","w");
+ fwrite($trans_file, "table <havp> persist\n");
+ fwrite($trans_file, "rdr on " . $config['interfaces']['lan']['if'] . " inet proto tcp from !<havp> to ! " . $config['interfaces']['lan']['ipaddr'] . " port = http -> 127.0.0.1 port 8080 \n");
+ fclose($trans_file);
+ $havp_pf_result = mwexec ('pfctl -a "rdr-package/havp" -f /tmp/havp_pf.rules');
+ if($havp_pf_result <> 0) {
+ file_notice("HAVP", "There were error(s) loading the transparency rules", "HAVP", "");
+ }
+ add_trans_table();
+}
+
+function transparency_init(){
+ global $config;
+ if($config['installedpackages']['havp']['config'] != "") {
+ if($config['installedpackages']['havp']['config'][0]['transparent'] == "on") {
+ setup_transparency();
+ }
+ }
+}
+
 ?>
diff --git a/packages/havp.sh b/packages/havp.sh
index 5cc8c179..316fdcc1 100644
--- a/packages/havp.sh
+++ b/packages/havp.sh
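Review bot: In add_trans_table() the value `$tmp['ip']` is concatenated straight into the `pfctl ... -T add` command handed to mwexec(); it comes from the new havp_trans_exclude.xml form, whose `ip` field is a bare `<type>input</type>` with no validation, so any user who can edit that page can run arbitrary commands as root. Each entry should be checked with pfSense's `is_ipaddr()` helper and skipped with a notice when it fails, and the argument should still go through `escapeshellarg()` as defence in depth. Secondary points: add_trans_table() calls conf_mount_rw()/config_lock() although it never writes the config, and setup_transparency() writes the fixed, predictable path `/tmp/havp_pf.rules` as root where a `tempnam()`-style file would be safer.
```php
foreach($config['installedpackages']['havptransexclude']['config'] as $tmp) {
    // Refuse anything that is not an IP address before it reaches the shell.
    if (!is_ipaddr($tmp['ip'])) {
        file_notice("HAVP", "Ignoring invalid transparent-proxy exclude entry " . $tmp['ip'], "HAVP", "");
        continue;
    }
    $havp_pf_result = mwexec('pfctl -a "rdr-package/havp" -t havp -T add ' . escapeshellarg($tmp['ip']));
    // … unchanged: error notice on non-zero result …
}
```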
@@ -1,14 +1,27 @@ #!/bin/sh # HAVP Init script # 6/23/06 - Gary Buckmaster - +# Modified by Rajkumar S. +# pidfile=/var/run/havp/havp.pid +piddir=/var/run/havp/ +logdir=/var/log/havp/ required_dirs=/var/tmp/havp required_files=/usr/local/etc/havp/havp.config rc_start() { + if [ ! -d $piddir ] + then + mkdir -p $piddir + chown havp:havp $piddir + fi + if [ ! -d $logdir ] + then + mkdir -p $logdir + chown havp:havp $logdir + fi if [ ! -f $required_files ] then echo "FATAL: Missing HAVP config file: $required_files" @@ -17,7 +30,8 @@ rc_start() if [ ! -d $required_dirs ] then echo "FATAL: Missing HAVP working director: $required_dirs" - return + mkdir -p $required_dirs + chown havp:havp $required_dirs fi if [ -f $pidfile ] then @@ -28,6 +42,7 @@ rc_start() echo "Starting HAVP Antivirus HTTP Proxy" /usr/local/sbin/havp & sleep 4 + /usr/local/pkg/havp_startup.inc if [ -f $pidfile ] then pid=$(sed 's/ //g' $pidfile) @@ -49,6 +64,7 @@ rc_stop() else echo "Stopping HAVP pid: $pid" kill $pid + rm -f $required_dirs/* fi } diff --git a/packages/havp.xml b/packages/havp.xml index c024e369..64e13287 100644 --- a/packages/havp.xml +++ b/packages/havp.xml @@ -32,6 +32,10 @@ <text>Blacklist</text> <url>/pkg.php?xml=havp_blacklist.xml</url> </tab> + <tab> + <text>Exclude from Transparent Proxy</text> + <url>/pkg.php?xml=havp_trans_exclude.xml</url> + </tab> </tabs> <additional_files_needed> @@ -52,6 +56,16 @@ <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> + <item>http://agni.linuxense.com/packages/config/havp_startup.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://agni.linuxense.com/packages/config/havp_trans_exclude.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> <item>http://agni.linuxense.com/packages/config/havp.sh</item> </additional_files_needed> 
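Review bot: In rc_start the new `/usr/local/pkg/havp_startup.inc` call runs unconditionally after `sleep 4` and before the `if [ -f $pidfile ]` check, so the redirect of LAN port-80 traffic to 127.0.0.1:8080 is installed even when havp never came up, and every client HTTP connection then lands on a closed port; whether the redirect should fail open or closed when the proxy is down is a policy choice, but it should be made explicitly by moving the call into the branch that confirms the pidfile exists. The `echo "FATAL: Missing HAVP working director: $required_dirs"` line now precedes a `mkdir -p` that recovers from the condition, so the message is wrong as well as misspelled; `echo "Creating HAVP working directory: $required_dirs"` describes what happens. The three `chown havp:havp` results are unchecked, and a failed chown leaves a directory the havp user cannot write, which only shows up later as a missing pidfile.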
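Review bot: The new `<additional_files_needed>` entries in havp.xml fetch havp_startup.inc and havp_trans_exclude.xml over plain `http://agni.linuxense.com/...` and install them with `<chmod>0755</chmod>`; havp_startup.inc is then executed as root by havp.sh, so anyone able to tamper with that unauthenticated download during package install gets code running with full privileges. The existing havp.sh item shows the pattern predates this commit, but the commit extends it to a second root-executed script. At minimum serve the files over https and drop the executable bit on havp_trans_exclude.xml, which is data and never run: `<chmod>0644</chmod>`.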
@@ -117,6 +131,7 @@ <fieldname>dbreload</fieldname> <description>Specify here the number of minutes to wait for reloading. Default 60 Minutes.</description> <type>input</type> + <default_value>60</default_value> </field> <field> <fielddescr>Parent Proxy Host</fielddescr> @@ -130,6 +145,27 @@ <description>Specify the parent proxy port</description> <type>input</type> </field> + <field> + <fielddescr>Max size of temporary files on disk</fielddescr> + <fieldname>maxscansize</fieldname> + <description>Temporary file will grow only up to this size. This means scanner will scan data until this limit is reached. The value is in BYTES, not kb or mb. 0 is Unlimited.</description> + <type>input</type> + <default_value>0</default_value> + </field> + <field> + <fielddescr>Trickling Time</fielddescr> + <fieldname>trickling</fieldname> + <description>After Trickling Time (seconds), some bytes are sent to browser to keep the connection alive. Trickling is not needed if timeouts are not expected. Default is 5 seconds. </description> + <type>input</type> + <default_value>5</default_value> + </field> + <field> + <fielddescr>Absolute Maximum Download Size</fielddescr> + <fieldname>maxdownloadsize</fieldname> + <description>Downloads larger than this will be blocked, Unless whitelisted. 0 is unlimited.</description> + <type>input</type> + <default_value>0</default_value> + </field> </fields> <custom_php_install_command> havp_install_command(); </custom_php_install_command> diff --git a/packages/havp_blacklist.xml b/packages/havp_blacklist.xml index 38388628..51ac3fd2 100644 --- a/packages/havp_blacklist.xml +++ b/packages/havp_blacklist.xml @@ -25,6 +25,10 @@ <url>/pkg.php?xml=havp_blacklist.xml</url> <active/> </tab> + <tab> + <text>Exclude from Transparent Proxy</text> + <url>/pkg.php?xml=havp_trans_exclude.xml</url> + </tab> </tabs> <additional_files_needed> diff --git a/packages/havp_startup.inc b/packages/havp_startup.inc new file mode 100644 index 00000000..fe5cec2c 
--- /dev/null +++ b/packages/havp_startup.inc @@ -0,0 +1,11 @@ +#!/usr/local/bin/php +<?php +require_once('globals.inc'); +require_once('config.inc'); +require_once('service-utils.inc'); +require_once('pkg-utils.inc'); +require_once('pfsense-utils.inc'); +require_once('/usr/local/pkg/havp.inc'); +transparency_init(); +?> + diff --git a/packages/havp_trans_exclude.xml b/packages/havp_trans_exclude.xml new file mode 100644 index 00000000..473d6e55 --- /dev/null +++ b/packages/havp_trans_exclude.xml 
@@ -0,0 +1,71 @@ +<?xml version="1.0" encoding="utf-8" ?> +<packagegui> + <name>havp_trans_exclude</name> + <version>0.1.0</version> + <title>HAVP: Exclude from Transparent Proxy</title> + <include_file>/usr/local/pkg/havp.inc</include_file> + + <menu> + <name>Transparency Exclude</name> + <tooltiptext></tooltiptext> + <section>Services</section> + <configfile>havp.xml</configfile> + </menu> + <tabs> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=havp.xml&act=edit&id=0</url> + </tab> + <tab> + <text>Whitelist</text> + <url>/pkg.php?xml=havp_whitelist.xml</url> + </tab> + <tab> + <text>Blacklist</text> + <url>/pkg.php?xml=havp_blacklist.xml</url> + </tab> + <tab> + <text>Exclude from Transparent Proxy</text> + <url>/pkg.php?xml=havp_trans_exclude.xml</url> + <active/> + </tab> + </tabs> + + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://agni.linuxense.com/packages/config/havp.inc</item> + </additional_files_needed> + + <configpath>['installedpackages']['havptransexclude']['config']</configpath> + + <adddeleteeditpagefields> + <columnitem> + <fielddescr>Exempted IP</fielddescr> + <fieldname>ip</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + </adddeleteeditpagefields> + + <fields> + <field> + <fielddescr>Exempted IP</fielddescr> + <fieldname>ip</fieldname> + <description>Enter the IP to exempt from transparent proxy</description> + <type>input</type> + </field> + <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description>Enter the description for this item</description> + <type>input</type> + </field> + </fields> + + <custom_php_command_before_form>add_trans_table();</custom_php_command_before_form> + <custom_delete_php_command>add_trans_table();</custom_delete_php_command> + <custom_php_resync_config_command>add_trans_table();</custom_php_resync_config_command> +</packagegui> 
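Review bot: The `ip` field in this form is a bare `<type>input</type>` with no validation, and add_trans_table() in havp.inc passes its value unescaped to a `pfctl` shell command, so validation belongs here as well as at the call site; pfSense package XML supports `<custom_php_validation_command>` for that. `<custom_php_command_before_form>add_trans_table();</custom_php_command_before_form>` flushes and rebuilds the pf table and remounts the config filesystem read-write every time the page is merely viewed, while `custom_php_resync_config_command` already covers actual changes, so the before-form hook looks unnecessary. The raw `&` in `<url>/pkg_edit.php?xml=havp.xml&act=edit&id=0</url>` is not well-formed XML (`&amp;` is the usual form in package files) — worth confirming the parser in use tolerates it.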
diff --git a/packages/havp_whitelist.xml b/packages/havp_whitelist.xml index 429d957e..f7b394ff 100644 --- a/packages/havp_whitelist.xml +++ b/packages/havp_whitelist.xml @@ -25,6 +25,10 @@ <text>Blacklist</text> <url>/pkg.php?xml=havp_blacklist.xml</url> </tab> + <tab> + <text>Exclude from Transparent Proxy</text> + <url>/pkg.php?xml=havp_trans_exclude.xml</url> + </tab> </tabs> <additional_files_needed> |