From abbc294500d4bd8bbb678f187602a15535b2d42a Mon Sep 17 00:00:00 2001 From: BBcan177 Date: Tue, 9 Dec 2014 22:27:13 -0500 Subject: Mods to .inc file - Added IPv4 Filter Array to filter out Whitespaces, Loopback Addresses (27/8), 0.0.0.0 and any leading zeros in each IPv4 octet. - Edits to IPv4/6 Regex Definitions. - Changed isset() to !empty()
---
 config/pfblockerng/pfblockerng.inc | 111 ++++++++++++++++++++----------------- 1 file changed, 59 insertions(+), 52 deletions(-) (limited to 'config/pfblockerng/pfblockerng.inc')
diff --git a/config/pfblockerng/pfblockerng.inc b/config/pfblockerng/pfblockerng.inc
index 9f344353..dafdac3e 100644
--- a/config/pfblockerng/pfblockerng.inc
+++ b/config/pfblockerng/pfblockerng.inc 
@@ -1036,16 +1036,23 @@ function sync_package_pfblockerng($cron = "") { ############################################# # IPv4 REGEX Definitions - $pfb['range'] = "/((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))-((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))/"; - $pfb['block'] = "/(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[ 0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.([0]{1})\s+/"; - $pfb['cidr'] = "/(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)?\/[0-9]{2}/"; - $pfb['single'] = "/(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\s+/"; - $pfb['s_html'] = "/(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/"; + $pfb['range'] = '/((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))-((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))/'; + $pfb['block'] = '/(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[ 0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.([0]{1})\s+/'; + $pfb['cidr'] = '/(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)?\/[0-9]{2}/'; + $pfb['single'] = '/(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\s+/'; + $pfb['s_html'] = '/(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/'; + + # IPv4 preg_replace Regex Filter array + $pfb_ipreg = array(); + $pfb_ipreg[0] = '/\b0+(?=\d)/'; # Remove any Leading Zeros in each Octet + $pfb_ipreg[1] = '/\s/'; # Remove any Whitespaces + $pfb_ipreg[2] = '/127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/'; # Remove any Loopback Addresses 127/8 + $pfb_ipreg[3] = '/0\.0\.0\.0/'; # Remove 0.0.0.0 # IPv6 REGEX Definitions -- ** Still Needs some Adjustment on Regex 
Definition for IPv6 ** # https://mebsd.com/coding-snipits/php-regex-ipv6-with-preg_match.html $pattern1 = '([A-Fa-f0-9]{1,4}:){7}[A-Fa-f0-9]{1,4}'; - $pattern2 = '[A-Fa-f0-9]{1,4}::([A-Fa-f0-9]{1,4}:){0,5}[A-Fa-f0-9]{1,4}'; + $pattern2 = '([A-Fa-f0-9]{1,4}::([A-Fa-f0-9]{1,4}:){0,5}[A-Fa-f0-9]{1,4}'; $pattern3 = '([A-Fa-f0-9]{1,4}:){2}:([A-Fa-f0-9]{1,4}:){0,4}[A-Fa-f0-9]{1,4}'; $pattern4 = '([A-Fa-f0-9]{1,4}:){3}:([A-Fa-f0-9]{1,4}:){0,3}[A-Fa-f0-9]{1,4}'; $pattern5 = '([A-Fa-f0-9]{1,4}:){4}:([A-Fa-f0-9]{1,4}:){0,2}[A-Fa-f0-9]{1,4}'; @@ -1260,15 +1267,15 @@ function sync_package_pfblockerng($cron = "") { #extract range lists $new_file = ""; - if (isset($url_list)) { + if (!empty($url_list)) { if ($row['format'] == "gz" && $vtype == "_v4") { foreach ($url_list as $line) { # Network range 192.168.0.0-192.168.0.254 if (preg_match($pfb['range'],$line,$matches)) { $a_cidr = ip_range_to_subnet_array($matches[1],$matches[2]); - if (isset($a_cidr)) { + if (!empty($a_cidr)) { foreach ($a_cidr as $cidr) { - $new_file .= preg_replace('/\s/', '',$cidr) . "\n"; + $new_file .= preg_replace($pfb_ipreg,'',$cidr) . "\n"; } } } @@ -1279,7 +1286,7 @@ function sync_package_pfblockerng($cron = "") { foreach ($url_list as $line) { # Block Type '218.77.79.0 218.77.79.255 24' if (preg_match($pfb['block'],$line,$matches)) { - $new_file .= preg_replace('/\s/', '',$matches[0]) . "/24\n"; + $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "/24\n"; } } } @@ -1288,11 +1295,11 @@ function sync_package_pfblockerng($cron = "") { foreach ($url_list as $line) { # CIDR format 192.168.0.0/16 if (preg_match($pfb['cidr'],$line,$matches)) { - $new_file .= preg_replace('/\s/', '',$matches[0]) . "\n"; + $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; } # Single ip addresses elseif (preg_match($pfb['s_html'],$line,$matches)) { - $new_file .= preg_replace('/\s/', '',$matches[0]) . "\n"; + $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; } } } 
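Review bot: The new `$pattern2` opens a group it never closes — `'([A-Fa-f0-9]{1,4}::([A-Fa-f0-9]{1,4}:){0,5}[A-Fa-f0-9]{1,4}'` has two `(` and one `)` — so unless the expression that assembles `$pfb['ipv6']` (outside this hunk) supplies the missing parenthesis, PCRE will refuse to compile the combined pattern, every `preg_match($pfb['ipv6'], ...)` will emit a warning and return false, and all IPv6 entries will be dropped. Either restore the previous line or close the group: `$pattern2 = '([A-Fa-f0-9]{1,4}::([A-Fa-f0-9]{1,4}:){0,5}[A-Fa-f0-9]{1,4})';`. The re-quoted `$pfb['block']` also keeps a stray space inside the second octet's character class, `[01]?[ 0-9][0-9]?`, which lets `218. 7.79.0` match; it should read `[01]?[0-9][0-9]?` like the other octets. These definitions live in sync_package_pfblockerng(), which begins before and ends after this hunk.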
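Review bot: `$pfb_ipreg[3]` (`/0\.0\.0\.0/`) and `$pfb_ipreg[2]` are unanchored substring patterns, so running them over the CIDR strings that `ip_range_to_subnet_array()` returns here corrupts legitimate networks: a range `10.0.0.0-10.255.255.255` yields `10.0.0.0/8`, which the filter rewrites to `1/8`, and `127.0.0.0/8` becomes `/8`, both of which are then written to the table file. Because `$pfb_ipreg[1]` has already stripped whitespace by the time these two run, they can be anchored to the whole entry and swallow the prefix length: `$pfb_ipreg[2] = '/^127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?:\/[0-9]{1,2})?$/';` and `$pfb_ipreg[3] = '/^0\.0\.0\.0(?:\/[0-9]{1,2})?$/';`. A filtered-out entry still leaves a bare `"\n"` in `$new_file`, so the result should be checked for emptiness before appending. The enclosing function begins before and ends after this hunk.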
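Review bot: The `/24` appended on the new line is hard-coded even though, if the comment `'218.77.79.0 218.77.79.255 24'` describes the format accurately, the source line carries its own prefix length as the third column; `$pfb['block']` stops matching after the first address and its trailing whitespace, so a line such as `10.0.0.0 10.255.255.255 8` would be written as `10.0.0.0/24`, blocking a fraction of the intended space without any warning. Capturing the third column in `$pfb['block']` and building the entry from the captured octets and that mask, instead of `$matches[0] . "/24"`, would honour the list's own prefix length; at minimum the fixed width deserves a comment such as `# Block lists are assumed to be /24 regardless of the third column`. sync_package_pfblockerng() begins before and ends after this hunk.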
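Review bot: `$pfb['cidr']` ends in `\/[0-9]{2}`, so a single-digit prefix length never matches it and the `elseif (preg_match($pfb['s_html'], ...))` fallback in this hunk turns `10.0.0.0/8` into the single host `10.0.0.0` — the block shrinks from a /8 to one address silently; the same two-digit class also accepts nonsense like `/99`. The prefix should admit exactly 0–32: replace `\/[0-9]{2}` with `\/(?:3[0-2]|[12]?[0-9])(?![0-9])` in the `$pfb['cidr']` definition earlier in this commit. The optional last-octet group `(?:...)?` in that same pattern also lets `192.168.0./16` through, which is presumably not intended. sync_package_pfblockerng() begins before and ends after this hunk.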
@@ -1301,7 +1308,7 @@ function sync_package_pfblockerng($cron = "") { foreach ($url_list as $line) { # IPv6 Regex Match if (preg_match($pfb['ipv6'],$line,$matches)) { - $new_file .= preg_replace('/\s/', '',$matches[0]) . "\n"; + $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; } } } @@ -1310,11 +1317,11 @@ function sync_package_pfblockerng($cron = "") { foreach ($url_list as $line) { # CIDR format 192.168.0.0/16 if (preg_match($pfb['cidr'],$line,$matches)) { - $new_file .= preg_replace('/\s/', '',$matches[0]) . "\n"; + $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; } # Single ip addresses elseif (preg_match($pfb['single'],$line,$matches)) { - $new_file .= preg_replace('/\s/', '',$matches[0]) . "\n"; + $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; } } } 
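Review bot: The IPv6 branch now runs the IPv4-oriented `$pfb_ipreg` over its matches, which does nothing for the IPv6 loopback (`::1`) or unspecified (`::`) addresses that the v4 side is filtering out, while `$pfb_ipreg[2]` would chop an IPv4-mapped address such as `::ffff:127.0.0.1` down to `::ffff:` if `$pfb['ipv6']` ever matches that form (it is assembled outside this hunk, so I cannot tell). A separate v6 array — `$pfb_ipreg6 = array('/\s/', '/^::1$/', '/^::$/');` — used in the two IPv6 branches would make the intent explicit and stop the two address families from sharing filters. sync_package_pfblockerng() begins before and ends after this hunk.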
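Review bot: When one of the `$pfb_ipreg` removal patterns consumes the whole match, `preg_replace()` returns `""` and the new lines still append `"\n"`, so the table file gains an empty line for every filtered entry (or a fragment such as `/32` when the entry was `127.0.0.1/32`). Assign the filtered value first and skip empties: `$entry = preg_replace($pfb_ipreg, '', $matches[0]);` followed by `if ($entry !== '') $new_file .= $entry . "\n";` — the same guard applies to every other `$new_file .=` site in this commit. Whether pfctl tolerates blank lines in a table file I cannot confirm from here, so treat that as something to verify. sync_package_pfblockerng() begins before and ends after this hunk.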
@@ -1470,30 +1477,30 @@ function sync_package_pfblockerng($cron = "") { $url_list = @file($pfb['origdir'] . '/' . $aliascustom . '.orig'); $new_file = ""; - if (isset($url_list)) { + if (!empty($url_list)) { foreach ($url_list as $line) { if ($vtype == "_v4") { # CIDR format 192.168.0.0/16 if (preg_match($pfb['cidr'],$line,$matches)) { - $new_file .= preg_replace('/\s/', '',$matches[0]) . "\n"; + $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; } # Single ip addresses elseif (preg_match($pfb['s_html'],$line,$matches)) { - $new_file .= preg_replace('/\s/', '',$matches[0]) . "\n"; + $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; } # Network range 192.168.0.0-192.168.0.254 elseif (preg_match($pfb['range'],$line,$matches)) { $a_cidr = ip_range_to_subnet_array($matches[1],$matches[2]); - if (isset($a_cidr)) { + if (!empty($a_cidr)) { foreach ($a_cidr as $cidr) { - $new_file .= preg_replace('/\s/', '',$cidr) . "\n"; + $new_file .= preg_replace($pfb_ipreg, '',$cidr) . "\n"; } } } } else { # IPv6 Regex if (preg_match($pfb['ipv6'],$line,$matches)) { - $new_file .= preg_replace('/\s/', '',$matches[0]) . "\n"; + $new_file .= preg_replace($pfb_ipreg, '',$matches[0]) . "\n"; } } } @@ -1820,7 +1827,7 @@ function sync_package_pfblockerng($cron = "") { # Collect All Existing Rules $rules = $config['filter']['rule']; # Collect Existing pfSense Rules 'Pass', 'Match' and 'Other' pfSense rules into new Arrays. - if (isset($rules)) { + if (!empty($rules)) { foreach ($rules as $rule) { if (!preg_match("/pfB_.*" . $pfb['suffix'] . "/",$rule['descr']) && ($rule['interface'] != "")) { // Floating rules collection 'Floating Pass/Match'. Balance to 'other' 
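Review bot: In this custom-alias loop the `$pfb['range']` branch can never run, because `$pfb['s_html']` is tested before it and, being unanchored, matches the first address of a range line such as `192.168.0.0-192.168.0.254`; the entry is written as the single host `192.168.0.0` and the rest of the range is silently dropped. The gz path earlier in this commit tests the range pattern first — do the same here by moving the `elseif (preg_match($pfb['range'], $line, $matches))` block, with its `ip_range_to_subnet_array()` expansion, ahead of the `$pfb['cidr']` check so that `cidr` and `s_html` only see lines that are not ranges. sync_package_pfblockerng() begins before and ends after this hunk.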
@@ -1876,76 +1883,76 @@ function sync_package_pfblockerng($cron = "") { ################################################################################# if ($pfb['float'] == "") { - if (isset($fother_rules)) { + if (!empty($fother_rules)) { foreach ($fother_rules as $cb_rules) { $new_rules[] = $cb_rules; } } } - if (isset($fpermit_rules) && $pfb['order'] == "order_1") { + if (!empty($fpermit_rules) && $pfb['order'] == "order_1") { foreach ($fpermit_rules as $cb_rules) { $new_rules[] = $cb_rules; } } - if (isset($fmatch_rules) && $pfb['order'] == "order_1") { + if (!empty($fmatch_rules) && $pfb['order'] == "order_1") { foreach ($fmatch_rules as $cb_rules) { $new_rules[] = $cb_rules; } } # Define Inbound Interface Rules - if (isset($pfb['inbound_interfaces'])) { + if (!empty($pfb['inbound_interfaces'])) { $counter = 0; foreach ($pfb['inbound_interfaces'] as $inbound_interface) { - if (isset($permit_rules) && $pfb['order'] == "order_1") { + if (!empty($permit_rules) && $pfb['order'] == "order_1") { foreach ($permit_rules as $cb_rules) { if ($cb_rules['interface'] == $inbound_interface) $new_rules[] = $cb_rules; } } - if (isset($match_rules) && $pfb['order'] == "order_1") { + if (!empty($match_rules) && $pfb['order'] == "order_1") { foreach ($match_rules as $cb_rules) { if ($cb_rules['interface'] == $inbound_interface) $new_rules[] = $cb_rules; } } # Match Inbound Rules defined as Floating Only. 
- if (isset($match_inbound) && $counter == 0) { + if (!empty($match_inbound) && $counter == 0) { foreach ($match_inbound as $cb_rules) { $cb_rules['interface'] = $pfb['inbound_floating']; $new_rules[] = $cb_rules; $counter ++; } } - if (isset($permit_inbound)) { + if (!empty($permit_inbound)) { foreach ($permit_inbound as $cb_rules) { $cb_rules['interface'] = $inbound_interface; $new_rules[] = $cb_rules; } } - if (isset($fpermit_rules) && $pfb['order'] == "order_2") { + if (!empty($fpermit_rules) && $pfb['order'] == "order_2") { foreach ($fpermit_rules as $cb_rules) { $new_rules[] = $cb_rules; } } - if (isset($fmatch_rules) && $pfb['order'] == "order_2") { + if (!empty($fmatch_rules) && $pfb['order'] == "order_2") { foreach ($fmatch_rules as $cb_rules) { $new_rules[] = $cb_rules; } } - if (isset($permit_rules) && $pfb['order'] == "order_2") { + if (!empty($permit_rules) && $pfb['order'] == "order_2") { foreach ($permit_rules as $cb_rules) { if ($cb_rules['interface'] == $inbound_interface) $new_rules[] = $cb_rules; } } - if (isset($match_rules) && $pfb['order'] == "order_2") { + if (!empty($match_rules) && $pfb['order'] == "order_2") { foreach ($match_rules as $cb_rules) { if ($cb_rules['interface'] == $inbound_interface) $new_rules[] = $cb_rules; } } - if (isset($deny_inbound)) { + if (!empty($deny_inbound)) { foreach ($deny_inbound as $cb_rules) { $cb_rules['interface'] = $inbound_interface; $new_rules[] = $cb_rules; 
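Review bot: The `if (!empty(...) && $pfb['order'] == "order_N") { foreach ... $new_rules[] = $cb_rules; }` blocks in this hunk differ only in the source array, the order tag and whether an interface filter or rewrite is applied, and the same shape repeats in the outbound and floating sections that follow; that duplication is why the `isset` → `!empty` sweep had to touch thirty-odd lines, and the next semantic change will need the same sweep. A small helper that appends one rule set under an optional interface filter or rebind would collapse each block to a single line and make the rule ordering readable at a glance. sync_package_pfblockerng() begins before and ends after this hunk.
```php
# Append $rules to $new_rules. With $filter set, keep only rules already bound
# to $iface; with $rebind set, rebind every rule to $iface before appending.
function pfb_append_rules(&$new_rules, $rules, $iface = null, $filter = false, $rebind = false) {
	if (empty($rules)) return;
	foreach ($rules as $cb_rules) {
		if ($filter && $cb_rules['interface'] != $iface) continue;
		if ($rebind) $cb_rules['interface'] = $iface;
		$new_rules[] = $cb_rules;
	}
}
// … unchanged: order_N selection, each block becoming one call such as …
if ($pfb['order'] == "order_1") pfb_append_rules($new_rules, $permit_rules, $inbound_interface, true);
pfb_append_rules($new_rules, $permit_inbound, $inbound_interface, false, true);
```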
@@ -1955,48 +1962,48 @@ function sync_package_pfblockerng($cron = "") { } # Define Outbound Interface Rules - if (isset($pfb['outbound_interfaces'])) { + if (!empty($pfb['outbound_interfaces'])) { $counter = 0; foreach ($pfb['outbound_interfaces'] as $outbound_interface) { - if (isset($permit_rules) && $pfb['order'] == "order_1") { + if (!empty($permit_rules) && $pfb['order'] == "order_1") { foreach ($permit_rules as $cb_rules) { if ($cb_rules['interface'] == $outbound_interface) $new_rules[] = $cb_rules; } } - if (isset($match_rules) && $pfb['order'] == "order_1") { + if (!empty($match_rules) && $pfb['order'] == "order_1") { foreach ($match_rules as $cb_rules) { if ($cb_rules['interface'] == $outbound_interface) $new_rules[] = $cb_rules; } } # Match Outbound Rules defined as Floating Only. - if (isset($match_outbound) && $counter == 0) { + if (!empty($match_outbound) && $counter == 0) { foreach ($match_outbound as $cb_rules) { $cb_rules['interface'] = $pfb['outbound_floating']; $new_rules[] = $cb_rules; $counter++; } } - if (isset($permit_outbound)) { + if (!empty($permit_outbound)) { foreach ($permit_outbound as $cb_rules) { $cb_rules['interface'] = $outbound_interface; $new_rules[] = $cb_rules; } } - if (isset($permit_rules) && $pfb['order'] == "order_2") { + if (!empty($permit_rules) && $pfb['order'] == "order_2") { foreach ($permit_rules as $cb_rules) { if ($cb_rules['interface'] == $outbound_interface) $new_rules[] = $cb_rules; } } - if (isset($match_rules) && $pfb['order'] == "order_2") { + if (!empty($match_rules) && $pfb['order'] == "order_2") { foreach ($match_rules as $cb_rules) { if ($cb_rules['interface'] == $outbound_interface) $new_rules[] = $cb_rules; } } - if (isset($deny_outbound)) { + if (!empty($deny_outbound)) { foreach ($deny_outbound as $cb_rules) { $cb_rules['interface'] = $outbound_interface; $new_rules[] = $cb_rules; 
@@ -2005,44 +2012,44 @@ function sync_package_pfblockerng($cron = "") { } } - if (isset($fpermit_rules) && $pfb['order'] == "order_0") { + if (!empty($fpermit_rules) && $pfb['order'] == "order_0") { foreach ($fpermit_rules as $cb_rules) { $new_rules[] = $cb_rules; } } - if (isset($fmatch_rules) && $pfb['order'] == "order_0") { + if (!empty($fmatch_rules) && $pfb['order'] == "order_0") { foreach ($fmatch_rules as $cb_rules) { $new_rules[] = $cb_rules; } } - if (isset($fpermit_rules) && $pfb['order'] == "order_3") { + if (!empty($fpermit_rules) && $pfb['order'] == "order_3") { foreach ($fpermit_rules as $cb_rules) { $new_rules[] = $cb_rules; } } - if (isset($fmatch_rules) && $pfb['order'] == "order_3") { + if (!empty($fmatch_rules) && $pfb['order'] == "order_3") { foreach ($fmatch_rules as $cb_rules) { $new_rules[] = $cb_rules; } } - if (isset($permit_rules) && $pfb['order'] == "order_3") { + if (!empty($permit_rules) && $pfb['order'] == "order_3") { foreach ($permit_rules as $cb_rules) { $new_rules[] = $cb_rules; } } - if (isset($match_rules) && $pfb['order'] == "order_3") { + if (!empty($match_rules) && $pfb['order'] == "order_3") { foreach ($match_rules as $cb_rules) { $new_rules[] = $cb_rules; } } if ($pfb['float'] == "on") { - if (isset($fother_rules)) { + if (!empty($fother_rules)) { foreach ($fother_rules as $cb_rules) { $new_rules[] = $cb_rules; } } } - if (isset($other_rules)) { + if (!empty($other_rules)) { foreach ($other_rules as $cb_rules) { $new_rules[] = $cb_rules; } @@ -2128,7 +2135,7 @@ function sync_package_pfblockerng($cron = "") { pfb_logger("{$log}","1"); # Remove all pfBlockerNG Alias tables - if (isset($aliases_list)) { + if (!empty($aliases_list)) { foreach ($aliases_list as $table) { exec ("/sbin/pfctl -t " . escapeshellarg($table) . " -T kill 2>&1", $pfb_null); } -- cgit v1.2.3
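Review bot: The `pfctl -t ... -T kill` call in the last hunk discards its exit status — `exec()` receives `$pfb_null` for the output but no third argument — so an alias table that fails to be removed is never reported even though `pfb_logger()` is called a few lines above. Capture and log it: `exec("/sbin/pfctl -t " . escapeshellarg($table) . " -T kill 2>&1", $pfb_out, $pfb_rc);` then `if ($pfb_rc !== 0) pfb_logger("pfctl -T kill {$table} failed: " . implode(" ", $pfb_out), "1");`, using the same second argument as the existing `pfb_logger()` call. Note that `exec()` appends to an existing output array, so `$pfb_out = array();` belongs at the top of the loop body. The `escapeshellarg()` on `$table` is correct and should stay. sync_package_pfblockerng() begins before this hunk.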