aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rwxr-xr-xconfig/pf-blocker/pfblocker.inc10
1 files changed, 8 insertions, 2 deletions
diff --git a/config/pf-blocker/pfblocker.inc b/config/pf-blocker/pfblocker.inc
index 3358e07f..f41a5136 100755
--- a/config/pf-blocker/pfblocker.inc
+++ b/config/pf-blocker/pfblocker.inc
@@ -427,8 +427,14 @@ function sync_package_pfblocker() {
$last_iface="";
$rules=$config['filter']['rule'];
$new_rules=array();
+ # The assumption is that the rules in the config come in groups by interface then priority.
+ # e.g. all rules for WAN (highest priority first), then for LAN then for OPT1 etc.
+ # Note that floating rules (interface is "") can appear mixed in the list.
foreach ($rules as $rule){
- if ($rule['interface'] <> $last_iface){
+ # If this next rule is for a non-blank interface, different to the previous interface,
+ # then add any needed pfblocker rules to the interface. This puts pfblocker rules at the
+ # top of the list for each interface, after any built-in rules (e.g. anti-lockout)
+ if (($rule['interface'] != "") && ($rule['interface'] <> $last_iface)){
$last_iface = $rule['interface'];
#apply pfblocker rules if enabled
@@ -465,7 +471,7 @@ function sync_package_pfblocker() {
}
}
}
- #include all rules that is not from pfBlocker
+ #include all rules that are not from pfBlocker
if (!preg_match("/pfBlocker.*rule/",$rule['descr']) && ($rule['interface'] != "" || $rule['floating']=="yes"))
$new_rules[]=$rule;
}