From 08cb1970c5e44cc203439521fe231d8540ad8b8a Mon Sep 17 00:00:00 2001 From: Rajkumar S Date: Fri, 16 Jun 2006 16:07:43 +0000 Subject: Added maxdownloadsize, trickling and maxscansize options, Added Transparency exclude functionality, updated havp to new version, bumped package version --- packages/havp.inc | 65 +++++++++++++++++++++++++++++++------ packages/havp.sh | 20 ++++++++++-- packages/havp.xml | 36 +++++++++++++++++++++ packages/havp_blacklist.xml | 4 +++ packages/havp_startup.inc | 11 +++++++ packages/havp_trans_exclude.xml | 71 +++++++++++++++++++++++++++++++++++++++++ packages/havp_whitelist.xml | 4 +++ 7 files changed, 199 insertions(+), 12 deletions(-) create mode 100644 packages/havp_startup.inc create mode 100644 packages/havp_trans_exclude.xml diff --git a/packages/havp.inc b/packages/havp.inc index ce4e8e88..a7ddc37f 100644 --- a/packages/havp.inc +++ b/packages/havp.inc @@ -9,6 +9,7 @@ require_once('pfsense-utils.inc'); part of the HAVP package for pfSense Copyright (C) 2006 Rajkumar S All rights reserved. + $Id$ Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 
@@ -58,21 +59,18 @@ function sync_package_havp() { if ($tmp['maxservers'] != "") fwrite($fd,"MAXSERVERS " . $tmp['maxservers'] . "\n"); if ($tmp['port'] != "") fwrite($fd,"PORT " . $tmp['port'] . "\n"); if ($tmp['source_address'] != "") fwrite($fd,"SOURCE_ADDRESS " . $tmp['source_address'] . " \n"); - if ($tmp['dbreload'] != "") fwrite($fd,"DBRELOAD" . $tmp['dbreload'] . " \n"); - if ($tmp['parentproxy'] != "") fwrite($fd,"PARENTPROXY" . $tmp['parentproxy'] . " \n"); - if ($tmp['parentport'] != "") fwrite($fd,"PARENTPORT" . $tmp['parentport'] . " \n"); + if ($tmp['dbreload'] != "") fwrite($fd,"DBRELOAD " . $tmp['dbreload'] . " \n"); + if ($tmp['parentproxy'] != "") fwrite($fd,"PARENTPROXY " . $tmp['parentproxy'] . " \n"); + if ($tmp['parentport'] != "") fwrite($fd,"PARENTPORT " . $tmp['parentport'] . " \n"); + if ($tmp['maxscansize'] != "") fwrite($fd,"MAXSCANSIZE " . $tmp['maxscansize'] . " \n"); + if ($tmp['trickling'] != "") fwrite($fd,"TRICKLING " . $tmp['trickling'] . " \n"); + if ($tmp['maxdownloadsize'] != "") fwrite($fd,"MAXDOWNLOADSIZE " . $tmp['maxdownloadsize'] . " \n"); /* If Transparent then, don't bother with bind address */ if ($tmp['transparent'] == "on"){ fwrite($fd,"TRANSPARENT true\n"); fwrite($fd,"BIND_ADDRESS 127.0.0.1\n"); - $trans_file = fopen("/tmp/havp_pf.rules","w"); - fwrite($trans_file, "rdr on " . $config['interfaces']['lan']['if'] . " inet proto tcp from any to ! " . $config['interfaces']['lan']['ipaddr'] . " port = http -> 127.0.0.1 port 8080 \n"); - fclose($trans_file); - $havp_pf_result = mwexec ("pfctl -a rdr-package/havp -f /tmp/havp_pf.rules"); - if($havp_pf_result <> 0) { - file_notice("HAVP", "There were error(s) loading the transparency rules", "HAVP", ""); - } + setup_transparency(); } else { fwrite($fd,"TRANSPARENT false\n"); 
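Review bot: The PORT written from `$tmp['port']` on the second line of this hunk is not the port the transparent redirect targets: `setup_transparency()`, which replaces the removed inline rdr rule, still redirects to a literal `127.0.0.1 port 8080`, so any non-default PORT leaves transparent mode redirecting to a closed socket with no notice. The hard-coded port existed in the removed lines too, but moving the rule into a helper is the moment to thread the configured value through, e.g. `$havp_port = ($tmp['port'] != "") ? $tmp['port'] : "8080";` here and `" port = http -> 127.0.0.1 port " . $havp_port . " \n"` in the helper. The new MAXSCANSIZE/TRICKLING/MAXDOWNLOADSIZE lines are written after only an empty-string check; a guard such as `if ($tmp['maxscansize'] != "" && ctype_digit($tmp['maxscansize']))` keeps a typo from producing a havp.config line the daemon rejects. sync_package_havp() begins and ends outside this hunk.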
@@ -82,6 +80,7 @@ function sync_package_havp() {
 fwrite($fd,"BIND_ADDRESS " . $config['interfaces']['lan']['ipaddr'] . " \n");
 }
 $havp_pf_result = mwexec ("pfctl -a rdr-package/havp -F nat");
+ $havp_pf_result = mwexec ("pfctl -t havp -T kill");
 if($havp_pf_result <> 0) {
 file_notice("HAVP", "There were error(s) clearing the transparency rules", "HAVP", "");
 }
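Review bot: The exit status of `pfctl -a rdr-package/havp -F nat` is overwritten by the new `pfctl -t havp -T kill` line before the `if($havp_pf_result <> 0)` check runs, so a failure to flush the redirect rules no longer raises a notice; only the table kill is checked. Keeping both results preserves the original check: `$havp_pf_result = mwexec("pfctl -a rdr-package/havp -F nat");` followed by `$havp_pf_result |= mwexec("pfctl -t havp -T kill");`. Separately, add_trans_table() in this same commit addresses the table as `-a "rdr-package/havp" -t havp` while this kill omits the anchor; if the table is defined inside the anchor, this command acts on a different (main-ruleset) table and the exclusions are not cleared when transparency is switched off. sync_package_havp() begins and ends outside this hunk.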
@@ -169,4 +168,50 @@ function sync_package_havp_blacklist() {
 conf_mount_ro();
 config_unlock();
 }
+
+function add_trans_table(){
+ global $config;
+ conf_mount_rw();
+ config_lock();
+
+ # Flush all entries first, and then add them.
+ $havp_pf_result = mwexec ('pfctl -a "rdr-package/havp" -t havp -T flush');
+ if($havp_pf_result <> 0) {
+ file_notice("HAVP", "There were error(s) flushing the exclude table", "HAVP", "");
+ }
+ if($config['installedpackages']['havptransexclude']['config'] != ""){
+ foreach($config['installedpackages']['havptransexclude']['config'] as $tmp) {
+ $havp_pf_result = mwexec ('pfctl -a "rdr-package/havp" -t havp -T add ' . $tmp['ip']);
+ if($havp_pf_result <> 0) {
+ file_notice("HAVP", "There were error(s) adding the ip " . $tmp['ip'], "HAVP", "");
+ }
+ }
+ }
+ /* signal a reload of all files */
+ conf_mount_ro();
+ config_unlock();
+}
+
+function setup_transparency(){
+ global $config;
+ $trans_file = fopen("/tmp/havp_pf.rules","w");
+ fwrite($trans_file, "table persist\n");
+ fwrite($trans_file, "rdr on " . $config['interfaces']['lan']['if'] . " inet proto tcp from ! to ! " . $config['interfaces']['lan']['ipaddr'] . " port = http -> 127.0.0.1 port 8080 \n");
+ fclose($trans_file);
+ $havp_pf_result = mwexec ('pfctl -a "rdr-package/havp" -f /tmp/havp_pf.rules');
+ if($havp_pf_result <> 0) {
+ file_notice("HAVP", "There were error(s) loading the transparency rules", "HAVP", "");
+ }
+ add_trans_table();
+}
+
+function transparency_init(){
+ global $config;
+ if($config['installedpackages']['havp']['config'] != "") {
+ if($config['installedpackages']['havp']['config'][0]['transparent'] == "on") {
+ setup_transparency();
+ }
+ }
+}
+
 ?>
diff --git a/packages/havp.sh b/packages/havp.sh
index 5cc8c179..316fdcc1 100644
--- a/packages/havp.sh
+++ b/packages/havp.sh
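Review bot: In add_trans_table() the stored `$tmp['ip']` is concatenated straight into the `pfctl ... -T add` command line with no validation or quoting, and this code runs as root from the rc script on every start, so a value such as `1.2.3.4; sh -c ...` saved through the exclude form becomes root command execution. Validate before use and quote regardless: `if (!is_ipaddr($tmp['ip']) && !is_subnet($tmp['ip'])) { file_notice("HAVP", "Invalid exclude entry " . $tmp['ip'], "HAVP", ""); continue; }` followed by `$havp_pf_result = mwexec('pfctl -a "rdr-package/havp" -t havp -T add ' . escapeshellarg($tmp['ip']));` (is_ipaddr/is_subnet being the pfSense helpers; substitute whatever this pfSense version provides). In setup_transparency() the `table persist` and `from ! to !` fragments show no table name in this rendering; if `<havp>` was stripped by the page rather than absent from the source there is nothing to do, otherwise the rules file will not load and transparency silently stays off. The redirect target is still the literal `port 8080` while PORT is configurable in sync_package_havp(), which calls for either a shared constant or passing the configured port into this helper.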
@@ -1,14 +1,27 @@ #!/bin/sh # HAVP Init script # 6/23/06 - Gary Buckmaster - +# Modified by Rajkumar S. +# pidfile=/var/run/havp/havp.pid +piddir=/var/run/havp/ +logdir=/var/log/havp/ required_dirs=/var/tmp/havp required_files=/usr/local/etc/havp/havp.config rc_start() { + if [ ! -d $piddir ] + then + mkdir -p $piddir + chown havp:havp $piddir + fi + if [ ! -d $logdir ] + then + mkdir -p $logdir + chown havp:havp $logdir + fi if [ ! -f $required_files ] then echo "FATAL: Missing HAVP config file: $required_files" @@ -17,7 +30,8 @@ rc_start() if [ ! -d $required_dirs ] then echo "FATAL: Missing HAVP working director: $required_dirs" - return + mkdir -p $required_dirs + chown havp:havp $required_dirs fi if [ -f $pidfile ] then @@ -28,6 +42,7 @@ rc_start() echo "Starting HAVP Antivirus HTTP Proxy" /usr/local/sbin/havp & sleep 4 + /usr/local/pkg/havp_startup.inc if [ -f $pidfile ] then pid=$(sed 's/ //g' $pidfile) @@ -49,6 +64,7 @@ rc_stop() else echo "Stopping HAVP pid: $pid" kill $pid + rm -f $required_dirs/* fi } diff --git a/packages/havp.xml b/packages/havp.xml index c024e369..64e13287 100644 --- a/packages/havp.xml +++ b/packages/havp.xml @@ -32,6 +32,10 @@ Blacklist /pkg.php?xml=havp_blacklist.xml + + Exclude from Transparent Proxy + /pkg.php?xml=havp_trans_exclude.xml + @@ -49,6 +53,16 @@ 0755 http://agni.linuxense.com/packages/config/havp_blacklist.xml + + /usr/local/pkg/ + 0755 + http://agni.linuxense.com/packages/config/havp_startup.inc + + + /usr/local/pkg/ + 0755 + http://agni.linuxense.com/packages/config/havp_trans_exclude.xml + /usr/local/pkg/ 0755 @@ -117,6 +131,7 @@ dbreload Specify here the number of minutes to wait for reloading. Default 60 Minutes. input + 60 Parent Proxy Host 
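Review bot: In rc_stop() the new `rm -f $required_dirs/*` runs immediately after `kill $pid`, before havp has actually exited, so temporary scan files can be removed from under a scanner that is still finishing a request; the cleanup is only safe once the process is gone. Waiting first keeps it deterministic: `kill $pid`, then `while kill -0 $pid 2>/dev/null; do sleep 1; done`, then `rm -f $required_dirs/*`. In rc_start() the `echo "FATAL: Missing HAVP working director: $required_dirs"` now precedes a successful `mkdir -p`, so the message misstates the outcome and should become something like `echo "Creating HAVP working directory: $required_dirs"`. Also, `/usr/local/pkg/havp_startup.inc` is executed after the fixed 4-second sleep whether or not havp came up (the `if [ -f $pidfile ]` check follows it), so moving that call inside the pidfile check avoids installing redirect rules toward a proxy that is not listening. Both rc_start() and rc_stop() extend beyond the hunks shown here.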
@@ -130,6 +145,27 @@ Specify the parent proxy port input + + Max size of temporary files on disk + maxscansize + Temporary file will grow only up to this size. This means scanner will scan data until this limit is reached. The value is in BYTES, not kb or mb. 0 is Unlimited. + input + 0 + + + Trickling Time + trickling + After Trickling Time (seconds), some bytes are sent to browser to keep the connection alive. Trickling is not needed if timeouts are not expected. Default is 5 seconds. + input + 5 + + + Absolute Maximum Download Size + maxdownloadsize + Downloads larger than this will be blocked, Unless whitelisted. 0 is unlimited. + input + 0 + havp_install_command(); diff --git a/packages/havp_blacklist.xml b/packages/havp_blacklist.xml index 38388628..51ac3fd2 100644 --- a/packages/havp_blacklist.xml +++ b/packages/havp_blacklist.xml @@ -25,6 +25,10 @@ /pkg.php?xml=havp_blacklist.xml + + Exclude from Transparent Proxy + /pkg.php?xml=havp_trans_exclude.xml + diff --git a/packages/havp_startup.inc b/packages/havp_startup.inc new file mode 100644 index 00000000..fe5cec2c --- /dev/null +++ b/packages/havp_startup.inc @@ -0,0 +1,11 @@ +#!/usr/local/bin/php + + diff --git a/packages/havp_trans_exclude.xml b/packages/havp_trans_exclude.xml new file mode 100644 index 00000000..473d6e55 --- /dev/null +++ b/packages/havp_trans_exclude.xml @@ -0,0 +1,71 @@ + + + havp_trans_exclude + 0.1.0 + HAVP: Exclude from Transparent Proxy + /usr/local/pkg/havp.inc + + + Transparency Exclude + +
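Review bot: The three new fields `maxscansize`, `trickling` and `maxdownloadsize` are plain `input` fields with no validation, and sync_package_havp() writes whatever is saved into havp.config after only an empty-string check, so a non-numeric or negative entry yields a config line havp cannot parse and the proxy fails at the next start. The package's PHP validation hook (its tag is not visible in this rendering) is the place for it, e.g. `if (!ctype_digit($_POST['maxscansize'])) $input_errors[] = "Max scan size must be a non-negative integer.";` with the same check for the other two fields. The `maxdownloadsize` description also omits its unit, unlike `maxscansize`; presumably it is bytes as well, which should be confirmed against havp's documentation and stated in the description.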
Services
+ havp.xml +
+ + + Settings + /pkg_edit.php?xml=havp.xml&act=edit&id=0 + + + Whitelist + /pkg.php?xml=havp_whitelist.xml + + + Blacklist + /pkg.php?xml=havp_blacklist.xml + + + Exclude from Transparent Proxy + /pkg.php?xml=havp_trans_exclude.xml + + + + + + /usr/local/pkg/ + 0755 + http://agni.linuxense.com/packages/config/havp.inc + + + ['installedpackages']['havptransexclude']['config'] + + + + Exempted IP + ip + + + Description + description + + + + + + Exempted IP + ip + Enter the IP to exempt from transparent proxy + input + + + Description + description + Enter the description for this item + input + + + + add_trans_table(); + add_trans_table(); + add_trans_table(); +
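Review bot: The `ip` field of the exclude form is a bare `input` with no validation, yet every saved value is passed by add_trans_table() into a root-run `pfctl -T add` command, so the form must reject anything that is not an IP address or network before it reaches the config; a validation hook such as `if (!is_ipaddr($_POST['ip']) && !is_subnet($_POST['ip'])) $input_errors[] = "Exempted IP must be a valid IP address or CIDR network.";` does that at the boundary. The three identical `add_trans_table();` hook bodies at the end have lost their tag names in this rendering; if one of them is the deinstall hook, re-adding the table entries on removal is the wrong action and it should flush the table (`pfctl -a "rdr-package/havp" -t havp -T flush`) instead. The field is labelled "Exempted IP" while a pf table also accepts networks, so the label and help text should state whether CIDR entries are supported.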
diff --git a/packages/havp_whitelist.xml b/packages/havp_whitelist.xml index 429d957e..f7b394ff 100644 --- a/packages/havp_whitelist.xml +++ b/packages/havp_whitelist.xml @@ -25,6 +25,10 @@ Blacklist /pkg.php?xml=havp_blacklist.xml + + Exclude from Transparent Proxy + /pkg.php?xml=havp_trans_exclude.xml + -- cgit v1.2.3