From c689ec91f56104ae70293f09b27420cfb8c22fd9 Mon Sep 17 00:00:00 2001 From: Phil Davis Date: Tue, 27 Mar 2012 10:49:34 +0545 Subject: Avoid getting pfBlocker rules duplicated on some interfaces if there are floating rules with interface="" mixed in the config filter rule list. --- config/pf-blocker/pfblocker.inc | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'config/pf-blocker') diff --git a/config/pf-blocker/pfblocker.inc b/config/pf-blocker/pfblocker.inc index 3358e07f..f41a5136 100755 --- a/config/pf-blocker/pfblocker.inc +++ b/config/pf-blocker/pfblocker.inc @@ -427,8 +427,14 @@ function sync_package_pfblocker() { $last_iface=""; $rules=$config['filter']['rule']; $new_rules=array(); + # The assumption is that the rules in the config come in groups by interface then priority. + # e.g. all rules for WAN (highest priority first), then for LAN then for OPT1 etc. + # Note that floating rules (interface is "") can appear mixed in the list. foreach ($rules as $rule){ - if ($rule['interface'] <> $last_iface){ + # If this next rule is for a non-blank interface, different to the previous interface, + # then add any needed pfblocker rules to the interface. This puts pfblocker rules at the + # top of the list for each interface, after any built-in rules (e.g. anti-lockout) + if (($rule['interface'] != "") && ($rule['interface'] <> $last_iface)){ $last_iface = $rule['interface']; #apply pfblocker rules if enabled @@ -465,7 +471,7 @@ function sync_package_pfblocker() { } } } - #include all rules that is not from pfBlocker + #include all rules that are not from pfBlocker if (!preg_match("/pfBlocker.*rule/",$rule['descr']) && ($rule['interface'] != "" || $rule['floating']=="yes")) $new_rules[]=$rule; } -- cgit v1.2.3