Diffstat (limited to 'config/pf-blocker/pfblocker.inc')
-rwxr-xr-x | config/pf-blocker/pfblocker.inc | 104 |
1 files changed, 73 insertions, 31 deletions
diff --git a/config/pf-blocker/pfblocker.inc b/config/pf-blocker/pfblocker.inc
index ec017df8..c0ea4982 100755
--- a/config/pf-blocker/pfblocker.inc
+++ b/config/pf-blocker/pfblocker.inc
@@ -34,6 +34,7 @@ require_once("functions.inc"); require_once("pkg-utils.inc"); require_once("globals.inc"); require_once("filter.inc"); +require_once("services.inc"); function pfb_text_area_decode($text){ return preg_replace('/\r\n/', "\n",base64_decode($text));
@@ -71,7 +72,18 @@ function pfblocker_Range2CIDR($ip_min, $ip_max) { } function sync_package_pfblocker() { - global $config; + global $g,$config; + if ($g['booting'] == true){ + print "no action during boot process...\n"; + } + else{ + conf_mount_rw(); + #apply fetch timeout to pfsense-utils.inc + $pfsense_utils=file_get_contents('/etc/inc/pfsense-utils.inc'); + $new_pfsense_utils=preg_replace("/\/usr\/bin\/fetch -q/","/usr/bin/fetch -T 5 -q",$pfsense_utils); + if ($new_pfsense_utils != $pfsense_utils) + file_put_contents('/etc/inc/pfsense-utils.inc',$new_pfsense_utils, LOCK_EX); + $pfblocker_enable=$config['installedpackages']['pfblocker']['config'][0]['enable_cb']; $pfblocker_config=$config['installedpackages']['pfblocker']['config'][0]; $table_limit =($config['system']['maximumtableentries']!= ""?$config['system']['maximumtableentries']:"100000");
@@ -89,12 +101,13 @@ function sync_package_pfblocker() { #check folders $pfbdir='/usr/local/pkg/pfblocker'; $pfb_alias_dir='/usr/local/pkg/pfblocker_aliases'; + $pfsense_alias_dir='/var/db/aliastables/'; if (!is_dir($pfbdir)) mkdir ($pfbdir,0755); if (!is_dir($pfb_alias_dir)) mkdir ($pfb_alias_dir,0755); - if (! is_dir('/var/db/aliastables/')) - mkdir ('/var/db/aliastables/',0755); + if (! is_dir($pfsense_alias_dir)) + mkdir ($pfsense_alias_dir,0755); $continents= array( "Africa" => "pfBlockerAfrica", "Antartica" => "pfBlockerAntartica", 
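Review bot: The new `else` branch rewrites the base-system file `/etc/inc/pfsense-utils.inc` with a regex, and a failed `file_get_contents()` (`false`) or a failed `preg_replace()` (`null`) is only caught by accident through the loose `!=` comparison, so a read or regex failure is silently skipped rather than reported. Make the guard explicit, e.g. `if ($pfsense_utils !== false && $new_pfsense_utils !== null && $new_pfsense_utils !== $pfsense_utils)`, and `log_error()` the skipped case, since an unpatched fetch means the timeout this commit relies on is not in effect. Editing a shared include from a package sync also changes fetch behaviour for every caller of that file and is undone by any base upgrade; passing the timeout to this package's own fetch calls would avoid both problems. `sync_package_pfblocker()` continues outside the hunk, so the `conf_mount_ro()` matching the new `conf_mount_rw()` cannot be confirmed here.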
@@ -107,6 +120,7 @@ function sync_package_pfblocker() { #create rules vars and arrays $new_aliases=array(); + $new_aliases_list=array(); $permit_inbound=array(); $permit_outbound=array(); $deny_inbound=array();
@@ -132,16 +146,18 @@ function sync_package_pfblocker() { ${$continent}=""; if (is_array($config['installedpackages']['pfblocker'.strtolower(preg_replace('/ /','',$continent))]['config'])){ $continent_config=$config['installedpackages']['pfblocker'.strtolower(preg_replace('/ /','',$continent))]['config'][0]; - if ($continent_config['action'] != 'Disabled' && $continent_config['action'] != '' && $pfblocker_enable == "on") + if ($continent_config['action'] != 'Disabled' && $continent_config['action'] != '' && $pfblocker_enable == "on"){ foreach (explode(",", $continent_config['countries']) as $iso){ #var_dump ($iso); if ($iso <> "" && file_exists($pfbdir.'/'.$iso.'.txt')) ${$continent} .= file_get_contents($pfbdir.'/'.$iso.'.txt'); } if($continent_config['countries'] != "" && $pfblocker_enable == "on"){ - #write alias file + #write alias files file_put_contents($pfb_alias_dir.'/'.$pfb_alias.'.txt',${$continent},LOCK_EX); + file_put_contents($pfsense_alias_dir.'/'.$pfb_alias.'.txt',${$continent}, LOCK_EX); #Create alias config + $new_aliases_list[]=$pfb_alias; $new_aliases[]=array("name"=> $pfb_alias, "url"=> $web_local.'?pfb='.$pfb_alias, "updatefreq"=> "32", 
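Review bot: `$pfsense_alias_dir` is defined with a trailing slash in the earlier `@@ -89` hunk, so the new `file_put_contents($pfsense_alias_dir.'/'.$pfb_alias.'.txt', ...)` here yields `/var/db/aliastables//<alias>.txt`; the same pattern is repeated for `$alias` in the custom-list hunk, and the cleanup hunk hardcodes `"/var/db/aliastables/".$cbalias['name'].".txt"` instead of using the variable at all. The double slash is harmless on the filesystem, but it differs from `$pfb_alias_dir`, which has no trailing slash, and three spellings of one directory make a future path change error-prone. Define it as `$pfsense_alias_dir='/var/db/aliastables';` and use the variable at every site so a single definition governs all of them. The loop over continents that encloses this hunk starts before it.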
@@ -149,15 +165,12 @@ function sync_package_pfblocker() { "descr"=> "pfBlocker country list", "type"=> "urltable", "detail"=> "DO NOT EDIT THIS ALIAS"); - #force alias file update - if (file_exists($pfb_alias_dir.'/'.$pfb_alias.'.txt')) - file_put_contents($pfb_alias_dir.'/'.$pfb_alias.'.txt',${$continent}, LOCK_EX); #Create rule if action permits switch($continent_config['action']){ case "Deny_Outbound": $rule = $base_rule; $rule["type"] = $deny_action_outbound; - $rule["descr"]= "pfBlocker Outbound rule"; + $rule["descr"]= "$pfb_alias auto rule"; $rule["source"]=array("any"=>""); $rule["destination"]= array("address"=> $pfb_alias); if ($pfblocker_config['enable_log'])
@@ -167,7 +180,7 @@ function sync_package_pfblocker() { case "Deny_Inbound": $rule = $base_rule; $rule["type"] = $deny_action_inbound; - $rule["descr"]= "pfBlocker Inbound rule"; + $rule["descr"]= "$pfb_alias auto rule"; $rule["source"]= array("address"=> $pfb_alias); $rule["destination"]=array("any"=>""); if ($pfblocker_config['enable_log'])
@@ -177,7 +190,7 @@ function sync_package_pfblocker() { case "Permit_Outbound": $rule = $base_rule; $rule["type"] = "pass"; - $rule["descr"]= "pfBlocker Outbound rule"; + $rule["descr"]= "$pfb_alias auto rule"; $rule["source"]=array("any"=>""); $rule["destination"]= array("address"=> $pfb_alias); if ($pfblocker_config['enable_log'])
@@ -187,7 +200,7 @@ function sync_package_pfblocker() { case "Permit_Inbound": $rule = $base_rule; $rule["type"] = "pass"; - $rule["descr"]= "pfBlocker Inbound rule"; + $rule["descr"]= "$pfb_alias auto rule"; $rule["source"]= array("address"=> $pfb_alias); $rule["destination"]=array("any"=>""); if ($pfblocker_config['enable_log'])
@@ -197,6 +210,12 @@ function sync_package_pfblocker() { } } + } + else{ + #unlink continent list if any + unlink_if_exists($pfb_alias_dir.'/'.$pfb_alias.'.txt'); + } + } #mark pfctl aliastable for cleanup if (!in_array($pfb_alias, $aliases_list)) 
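Review bot: The new `else` branch for a disabled or unset continent action removes only `$pfb_alias_dir.'/'.$pfb_alias.'.txt'`; the second copy that the enabled branch now writes under `$pfsense_alias_dir` is left in place. The later cleanup (hunk `@@ -328`) unlinks a `/var/db/aliastables` file only while iterating an alias that is still present in the pfSense alias list, so a continent table whose alias entry has already gone appears to survive being disabled. Add `unlink_if_exists($pfsense_alias_dir.'/'.$pfb_alias.'.txt');` beside the existing unlink so both copies are handled in one place. The enclosing loop over continents starts before this hunk.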
@@ -254,12 +273,13 @@ function sync_package_pfblocker() { ${$alias}.=pfb_text_area_decode($list['custom'])."\n"; #save alias file if not empty if (${$alias} == ""){ - if (file_exists($pfb_alias_dir.'/'.$alias.'.txt')) - unlink($pfb_alias_dir.'/'.$alias.'.txt'); + unlink_if_exists($pfb_alias_dir.'/'.$alias.'.txt'); } else{ file_put_contents($pfb_alias_dir.'/'.$alias.'.txt',${$alias}, LOCK_EX); + file_put_contents($pfsense_alias_dir.'/'.$alias.'.txt',${$alias}, LOCK_EX); #create alias + $new_aliases_list[]=$alias; $new_aliases[]=array("name"=> $alias, "url"=> $web_local.'?pfb='.$alias, "updatefreq"=> "32",
@@ -272,7 +292,7 @@ function sync_package_pfblocker() { case "Deny_Outbound": $rule = $base_rule; $rule["type"] = $deny_action_outbound; - $rule["descr"]= "pfBlocker Outbound rule"; + $rule["descr"]= "$alias auto rule"; $rule["source"]=array("any"=>""); $rule["destination"]= array("address"=> $alias); if ($pfblocker_config['enable_log'])
@@ -282,7 +302,7 @@ function sync_package_pfblocker() { case "Deny_Inbound": $rule = $base_rule; $rule["type"] = $deny_action_inbound; - $rule["descr"]= "pfBlocker Inbound rule"; + $rule["descr"]= "$alias auto rule"; $rule["source"]= array("address"=> $alias); $rule["destination"]=array("any"=>""); if ($pfblocker_config['enable_log'])
@@ -292,7 +312,7 @@ function sync_package_pfblocker() { case "Permit_Outbound": $rule = $base_rule; $rule["type"] = "pass"; - $rule["descr"]= "pfBlocker Outbound rule"; + $rule["descr"]= "$alias auto rule"; $rule["source"]=array("any"=>""); $rule["destination"]= array("address"=> $alias); if ($pfblocker_config['enable_log'])
@@ -302,7 +322,7 @@ function sync_package_pfblocker() { case "Permit_Inbound": $rule = $base_rule; $rule["type"] = "pass"; - $rule["descr"]= "pfBlocker Inbound rule"; + $rule["descr"]= "$alias auto rule"; $rule["source"]= array("address"=> $alias); $rule["destination"]=array("any"=>""); if ($pfblocker_config['enable_log']) 
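Review bot: Both writes in the non-empty branch build their path from `$alias` (`$pfb_alias_dir.'/'.$alias.'.txt'` and the new `$pfsense_alias_dir.'/'.$alias.'.txt'`) with no check on its shape; `$alias` is assigned before this hunk, and if it comes from the alias name entered in the package configuration, a value containing `/` or `..` would place the file outside both directories. The first write predates this commit, but the second lands in `/var/db/aliastables`, which pfSense itself consumes, so the new code widens the effect of any unchecked name. Reject anything that is not a plain identifier before touching the filesystem, e.g. `if (!preg_match('/^[A-Za-z0-9_]+$/', $alias)) { log_error("[pfBlocker] skipping list with invalid alias name"); continue; }` at the top of the iteration, or enforce the same rule in `pfblocker_validate_input()`. The loop this code belongs to starts before the hunk.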
@@ -317,8 +337,7 @@ function sync_package_pfblocker() { } else{ #unlink previous pfblocker alias list if any - if (file_exists($pfb_alias_dir.'/'.$alias.'.txt')) - unlink($pfb_alias_dir.'/'.$alias.'.txt'); + unlink_if_exists($pfb_alias_dir.'/'.$alias.'.txt'); } } #update pfsense alias table
@@ -328,10 +347,9 @@ function sync_package_pfblocker() { #mark pfctl aliastable for cleaning if (!in_array($cbalias['name'], $aliases_list)) $aliases_list[]=$cbalias['name']; #mark aliastable for cleaning - #remove previous aliastable file if exist - $aliastablefile="/var/db/aliastables/".$cbalias['name'].".txt"; - if (file_exists($aliastablefile)) - unlink($aliastablefile); + #remove previous aliastable file if alias is not defined any more + if (!in_array($cbalias['name'], $new_aliases_list)) + unlink_if_exists("/var/db/aliastables/".$cbalias['name'].".txt"); } else{ $new_aliases[]= $cbalias;
@@ -423,10 +441,29 @@ function sync_package_pfblocker() { } $config['filter']['rule']=$new_rules; } - + if ($message == ""){ - #save and apply all changes - + #check cron + $cron_found=0; + if (is_array($config['cron']['item'])){ + $new_cron=array(); + foreach($config['cron']['item'] as $cron){ + if ($cron["command"] == "/usr/local/www/pfblocker.php cron") + $cron_found=1; + $new_cron['item'][]=$cron; + } + if ($cron_found == 0){ + $new_cron['item'][]=array( "minute" => "0", + "hour" => "*", + "mday" => "*", + "month" => "*", + "wday" => "*", + "who" => "root", + "command"=> "/usr/local/www/pfblocker.php cron"); + $config['cron']=$new_cron; + } + } + # to be removed in final version $aliases_list[]="pfBlockerInbound"; #remove previous version lists $aliases_list[]="pfBlockerOutbound";#remove previous version lists 
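Review bot: The new cron block never creates the pfBlocker entry when `$config['cron']['item']` is not yet an array, because the append sits inside the `is_array()` check; on such a system `$cron_found` stays 0, so the `configure_cron()` call in the next hunk runs with nothing added. Replacing `$config['cron']` with the rebuilt `$new_cron` would also drop any other keys under `cron`, if the schema has any (not visible here). Scan the existing items only when present, then append directly to `$config['cron']['item']` when nothing matched; `$cron_found` keeps its meaning for the later `configure_cron()` call.
```php
	#check cron
	$cron_found=0;
	if (is_array($config['cron']['item'])){
		foreach($config['cron']['item'] as $cron){
			if ($cron["command"] == "/usr/local/www/pfblocker.php cron")
				$cron_found=1;
		}
	}
	if ($cron_found == 0){
		$config['cron']['item'][]=array( "minute" => "0",
			"hour" => "*",
			"mday" => "*",
			"month" => "*",
			"wday" => "*",
			"who" => "root",
			"command"=> "/usr/local/www/pfblocker.php cron");
	}
	# … unchanged: legacy alias-list cleanup …
```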
@@ -435,11 +472,15 @@ function sync_package_pfblocker() { #update pfctrl tables foreach ($aliases_list as $table) exec("/sbin/pfctl -t " . escapeshellarg($table) . " -T kill 2>&1", $result_pfb); - + #write config write_config(); - #load filter file after editing + #update cron + if ($cron_found == 0) + configure_cron(); + + #load filter file after editing filter_configure(); #sync config
@@ -449,14 +490,15 @@ function sync_package_pfblocker() { log_error("[pfBlocker] ".$message); file_notice("pfBlocker", $message, "pfblocker rule apply", ""); } + conf_mount_ro(); + } } function pfblocker_validate_input($post, &$input_errors) { + global $config; foreach ($post as $key => $value) { if (empty($value)) continue; - if($key == "greet_time" && !preg_match("/(\d+),(\d+)(s|m|h|w)/",$value)) - $input_errors[] = "Wrong greet time sintax."; if($key == "message_size_limit" && !is_numeric($value)) $input_errors[] = "Message size limit must be numeric."; if($key == "process_limit" && !is_numeric($value)) |
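Review bot: `conf_mount_ro()` is reached only by falling through to the end of the new `else` branch; the code between the `conf_mount_rw()` in the `@@ -71` hunk and this point is largely outside the visible hunks, so any `return` or fatal error on that path would leave the config filesystem mounted read-write. Worth confirming there is no such exit, or restructuring so the remount does not depend on reaching the final line of the function. The `global $config;` added to `pfblocker_validate_input()` is not used by any line in this hunk; if the rest of that function (outside the hunk) does not read it, it can be dropped.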