From 99577938f6ce7f30aee2b042a6a1adb2e350d18f Mon Sep 17 00:00:00 2001 From: billz Date: Thu, 5 Aug 2021 18:05:31 +0100 Subject: [PATCH] Formatting: processed w/ phpcbf --- includes/firewall.php | 381 +++++++++++++++++++++++------------------- 1 file changed, 208 insertions(+), 173 deletions(-) diff --git a/includes/firewall.php b/includes/firewall.php index 1f05c9fe..63940662 100644 --- a/includes/firewall.php +++ b/includes/firewall.php @@ -3,82 +3,99 @@ require_once 'includes/status_messages.php'; require_once 'includes/functions.php'; -define('RASPAP_IPTABLES_SCRIPT',"/tmp/iptables_raspap.sh"); -define('RASPAP_IP6TABLES_SCRIPT',"/tmp/ip6tables_raspap.sh"); +define('RASPAP_IPTABLES_SCRIPT', "/tmp/iptables_raspap.sh"); +define('RASPAP_IP6TABLES_SCRIPT', "/tmp/ip6tables_raspap.sh"); -function getDependson(&$rule, &$conf) { - if ( isset($rule["dependson"][0]) ) { - $don = &$rule["dependson"]; - if ( !empty($don[0]) && isset($conf[$don[0]["var"]]) ) { - if ( !isset($don[0]["type"]) ) $don[0]["type"]="bool"; - return $don; - } - } - return false; -} - -function isRuleEnabled(&$sect, &$conf) { - $fw_on = isset($conf["firewall-enable"]) && $conf["firewall-enable"]; - $active = isset($sect["fw-state"]) && $sect["fw-state"]==1; - $active = $fw_on ? $active : !$active; - $active = $active || !isset($sect["fw-state"]); - if ( ($don = getDependson($sect, $conf)) !== false && - $don[0]["type"] == "bool" && !$conf[$don[0]["var"]] ) $active = false; - return $active; -} - -function createRuleStr(&$sect, &$conf) { - if ( !is_array($sect["rules"]) ) return ""; - $rules = $sect["rules"]; - $depon = getDependson($sect,$conf); - $rs = array(); - foreach ( $rules as $rule ) { - if ( preg_match('/\$[a-z0-9]*\$/i',$rule) ) { - $r = array($rule); - foreach ( $depon as $dep ) { - $rr = array(); - $repl=$val=""; - switch ( $dep["type"] ) { - case "list": - if ( isset($dep["var"]) && !empty($conf[$dep["var"]]) ) $val = explode(' ', $conf[$dep["var"]]); - if ( !empty($val) && isset($dep["replace"]) ) $repl=$dep["replace"]; - break; - case "string": - if ( isset($dep["var"]) ) $val=$conf[$dep["var"]]; - if ( !empty($val) && isset($dep["replace"]) ) $repl=$dep["replace"]; - break; - default: - break; +function getDependson(&$rule, &$conf) +{ + if (isset($rule["dependson"][0]) ) { + $don = &$rule["dependson"]; + if (!empty($don[0]) && isset($conf[$don[0]["var"]]) ) { + if (!isset($don[0]["type"]) ) { $don[0]["type"]="bool"; } - if ( !empty($repl) && !empty($val) ) { - if ( is_array($val) ) { - foreach ( $val as $v ) $rr = array_merge($rr,str_replace($repl, $v, $r)); - } - else $rr = array_merge($rr, str_replace($repl, $val, $r)); + return $don; + } + } + return false; +} + +function isRuleEnabled(&$sect, &$conf) +{ + $fw_on = isset($conf["firewall-enable"]) && $conf["firewall-enable"]; + $active = isset($sect["fw-state"]) && $sect["fw-state"]==1; + $active = $fw_on ? $active : !$active; + $active = $active || !isset($sect["fw-state"]); + if (($don = getDependson($sect, $conf)) !== false + && $don[0]["type"] == "bool" && !$conf[$don[0]["var"]] + ) { $active = false; + } + return $active; +} + +function createRuleStr(&$sect, &$conf) +{ + if (!is_array($sect["rules"]) ) { return ""; + } + $rules = $sect["rules"]; + $depon = getDependson($sect, $conf); + $rs = array(); + foreach ( $rules as $rule ) { + if (preg_match('/\$[a-z0-9]*\$/i', $rule) ) { + $r = array($rule); + foreach ( $depon as $dep ) { + $rr = array(); + $repl=$val=""; + switch ( $dep["type"] ) { + case "list": + if (isset($dep["var"]) && !empty($conf[$dep["var"]]) ) { $val = explode(' ', $conf[$dep["var"]]); + } + if (!empty($val) && isset($dep["replace"]) ) { $repl=$dep["replace"]; + } + break; + case "string": + if (isset($dep["var"]) ) { $val=$conf[$dep["var"]]; + } + if (!empty($val) && isset($dep["replace"]) ) { $repl=$dep["replace"]; + } + break; + default: + break; + } + if (!empty($repl) && !empty($val) ) { + if (is_array($val) ) { + foreach ( $val as $v ) { $rr = array_merge($rr, str_replace($repl, $v, $r)); + } + } + else { $rr = array_merge($rr, str_replace($repl, $val, $r)); + } + } + $r = !empty($rr) ? $rr : $r; } - $r = !empty($rr) ? $rr : $r; - } - $rs = array_merge($rs,$rr); - } else { - $rs[] = $rule; - } - } - $str=""; - foreach ( $rs as $r ) { - if ( !preg_match('/\$[a-z0-9]*\$/i',$r) ) $str .= '$IPT '.$r."\n"; - } - return $str; + $rs = array_merge($rs, $rr); + } else { + $rs[] = $rule; + } + } + $str=""; + foreach ( $rs as $r ) { + if (!preg_match('/\$[a-z0-9]*\$/i', $r) ) { $str .= '$IPT '.$r."\n"; + } + } + return $str; } -function isIPv4(&$rule) { - return !isset($rule["ip-version"]) || strstr($rule["ip-version"],"4") !== false; +function isIPv4(&$rule) +{ + return !isset($rule["ip-version"]) || strstr($rule["ip-version"], "4") !== false; } -function isIPv6(&$rule) { - return !isset($rule["ip-version"]) || strstr($rule["ip-version"],"6") !== false; +function isIPv6(&$rule) +{ + return !isset($rule["ip-version"]) || strstr($rule["ip-version"], "6") !== false; } -function configureFirewall() { +function configureFirewall() +{ $json = file_get_contents(RASPAP_IPTABLES_CONF); $ipt = json_decode($json, true); $conf = ReadFirewallConf(); @@ -92,55 +109,61 @@ function configureFirewall() { $txt .= "\$IPT -t nat -F\n"; file_put_contents(RASPAP_IPTABLES_SCRIPT, $txt, FILE_APPEND); file_put_contents(RASPAP_IP6TABLES_SCRIPT, $txt, FILE_APPEND); - if ( empty($conf) || empty($ipt) ) return false; + if (empty($conf) || empty($ipt) ) { return false; + } $count=0; foreach ( $ipt["order"] as $idx ) { - if ( isset($ipt[$idx]) ) { - foreach ( $ipt[$idx] as $i => $sect ) { - if ( isRuleEnabled($sect, $conf) ) { - $str_rules= createRuleStr($sect, $conf); - if ( !empty($str_rules) ) { - if ( isIPv4($sect) ) file_put_contents(RASPAP_IPTABLES_SCRIPT, $str_rules, FILE_APPEND); - if ( isIPv6($sect) ) file_put_contents(RASPAP_IP6TABLES_SCRIPT, $str_rules, FILE_APPEND); - ++$count; - } - } - } - } + if (isset($ipt[$idx]) ) { + foreach ( $ipt[$idx] as $i => $sect ) { + if (isRuleEnabled($sect, $conf) ) { + $str_rules= createRuleStr($sect, $conf); + if (!empty($str_rules) ) { + if (isIPv4($sect) ) { file_put_contents(RASPAP_IPTABLES_SCRIPT, $str_rules, FILE_APPEND); + } + if (isIPv6($sect) ) { file_put_contents(RASPAP_IP6TABLES_SCRIPT, $str_rules, FILE_APPEND); + } + ++$count; + } + } + } + } } - if ( $count > 0 ) { - exec("chmod +x ".RASPAP_IPTABLES_SCRIPT); - exec("sudo ".RASPAP_IPTABLES_SCRIPT); -// exec("sudo iptables-save > /etc/iptables/rules.v4"); -// unlink(RASPAP_IPTABLES_SCRIPT); - exec("chmod +x ".RASPAP_IP6TABLES_SCRIPT); - exec("sudo ".RASPAP_IP6TABLES_SCRIPT); -// exec("sudo iptables-save > /etc/iptables/rules.v6"); -// unlink(RASPAP_IP6TABLES_SCRIPT); + if ($count > 0 ) { + exec("chmod +x ".RASPAP_IPTABLES_SCRIPT); + exec("sudo ".RASPAP_IPTABLES_SCRIPT); + // exec("sudo iptables-save > /etc/iptables/rules.v4"); + // unlink(RASPAP_IPTABLES_SCRIPT); + exec("chmod +x ".RASPAP_IP6TABLES_SCRIPT); + exec("sudo ".RASPAP_IP6TABLES_SCRIPT); + // exec("sudo iptables-save > /etc/iptables/rules.v6"); + // unlink(RASPAP_IP6TABLES_SCRIPT); } return ($count > 0); } -function WriteFirewallConf($conf) { +function WriteFirewallConf($conf) +{ $ret = false; - if ( is_array($conf) ) write_php_ini($conf,RASPAP_FIREWALL_CONF); + if (is_array($conf) ) { write_php_ini($conf, RASPAP_FIREWALL_CONF); + } return $ret; } -function ReadFirewallConf() { - if ( file_exists(RASPAP_FIREWALL_CONF) ) { - $conf = parse_ini_file(RASPAP_FIREWALL_CONF); +function ReadFirewallConf() +{ + if (file_exists(RASPAP_FIREWALL_CONF) ) { + $conf = parse_ini_file(RASPAP_FIREWALL_CONF); } else { - $conf = array(); - $conf["firewall-enable"] = false; - $conf["ssh-enable"] = false; - $conf["http-enable"] = false; - $conf["excl-devices"] = ""; - $conf["excluded-ips"] = ""; - $conf["ap-device"] = ""; - $conf["client-device"] = ""; - $conf["restricted-ips"] = ""; + $conf = array(); + $conf["firewall-enable"] = false; + $conf["ssh-enable"] = false; + $conf["http-enable"] = false; + $conf["excl-devices"] = ""; + $conf["excluded-ips"] = ""; + $conf["ap-device"] = ""; + $conf["client-device"] = ""; + $conf["restricted-ips"] = ""; } exec('ifconfig | grep -E -i "^tun[0-9]"', $ret); $conf["openvpn-enable"] = !empty($ret); @@ -150,39 +173,42 @@ function ReadFirewallConf() { return $conf; } -function getVPN_IPs() { +function getVPN_IPs() +{ $ips = ""; - # get openvpn and wireguard server IPs - if ( RASPI_OPENVPN_ENABLED && ($fconf = glob(RASPI_OPENVPN_CLIENT_PATH ."/*.conf")) !== false && !empty($fconf) ) { - foreach ( $fconf as $f ) { - unset($result); - exec('cat '.$f.' | sed -rn "s/^remote\s*([a-z0-9\.\-\_:]*)\s*([0-9]*)\s*$/\1 \2/ip" ', $result); - if ( !empty($result) ) { - $result = explode(" ",$result[0]); - $ip = (isset($result[0])) ? $result[0] : ""; - $port = (isset($result[1])) ? $result[1] : ""; - if ( !empty($ip) ) { - $ip = gethostbyname($ip); - if ( filter_var($ip,FILTER_VALIDATE_IP) && strpos($ips, $ip) === false ) $ips .= " $ip"; - } + // get openvpn and wireguard server IPs + if (RASPI_OPENVPN_ENABLED && ($fconf = glob(RASPI_OPENVPN_CLIENT_PATH ."/*.conf")) !== false && !empty($fconf) ) { + foreach ( $fconf as $f ) { + unset($result); + exec('cat '.$f.' | sed -rn "s/^remote\s*([a-z0-9\.\-\_:]*)\s*([0-9]*)\s*$/\1 \2/ip" ', $result); + if (!empty($result) ) { + $result = explode(" ", $result[0]); + $ip = (isset($result[0])) ? $result[0] : ""; + $port = (isset($result[1])) ? $result[1] : ""; + if (!empty($ip) ) { + $ip = gethostbyname($ip); + if (filter_var($ip, FILTER_VALIDATE_IP) && strpos($ips, $ip) === false ) { $ips .= " $ip"; + } + } + } } - } } - # get wireguard server IPs - if ( RASPI_WIREGUARD_ENABLED && ($fconf = glob(RASPI_WIREGUARD_PATH ."/*.conf")) !== false && !empty($fconf) ) { - foreach ( $fconf as $f ) { - unset($result); - exec('sudo /bin/cat '.$f.' | sed -rn "s/^endpoint\s*=\s*\[?([a-z0-9\.\-\_:]*)\]?:([0-9]*)\s*$/\1 \2/ip" ', $result); - if ( !empty($result) ) { - $result = explode(" ",$result[0]); - $ip = (isset($result[0])) ? $result[0] : ""; - $port = (isset($result[1])) ? $result[1] : ""; - if ( !empty($ip) ) { - $ip = gethostbyname($ip); - if ( filter_var($ip,FILTER_VALIDATE_IP) && strpos($ips, $ip) === false ) $ips .= " $ip"; - } + // get wireguard server IPs + if (RASPI_WIREGUARD_ENABLED && ($fconf = glob(RASPI_WIREGUARD_PATH ."/*.conf")) !== false && !empty($fconf) ) { + foreach ( $fconf as $f ) { + unset($result); + exec('sudo /bin/cat '.$f.' | sed -rn "s/^endpoint\s*=\s*\[?([a-z0-9\.\-\_:]*)\]?:([0-9]*)\s*$/\1 \2/ip" ', $result); + if (!empty($result) ) { + $result = explode(" ", $result[0]); + $ip = (isset($result[0])) ? $result[0] : ""; + $port = (isset($result[1])) ? $result[1] : ""; + if (!empty($ip) ) { + $ip = gethostbyname($ip); + if (filter_var($ip, FILTER_VALIDATE_IP) && strpos($ips, $ip) === false ) { $ips .= " $ip"; + } + } + } } - } } return trim($ips); } @@ -200,60 +226,69 @@ function DisplayFirewallConfig() $clients = getClients(); $str_clients = ""; foreach( $clients["device"] as $dev ) { - if ( !$dev["isAP"] ) { - if ( !empty($str_clients) ) $str_clients .= ", "; - $str_clients .= $dev["name"]; - } + if (!$dev["isAP"] ) { + if (!empty($str_clients) ) { $str_clients .= ", "; + } + $str_clients .= $dev["name"]; + } } $fw_conf = ReadFirewallConf(); $fw_conf["ap-device"] = $ap_device; $id=findCurrentClientIndex($clients); - if ( $id >= 0 ) $fw_conf["client-device"] = $clients["device"][$id]["name"]; + if ($id >= 0 ) { $fw_conf["client-device"] = $clients["device"][$id]["name"]; + } if (!empty($_POST)) { $fw_conf["ssh-enable"] = isset($_POST['ssh-enable']); $fw_conf["http-enable"] = isset($_POST['http-enable']); $fw_conf["firewall-enable"] = isset($_POST['firewall-enable']) || isset($_POST['apply-firewall']); - if ( isset($_POST['firewall-enable']) ) $status->addMessage(_('Firewall is now enabled'), 'success'); - if ( isset($_POST['apply-firewall']) ) $status->addMessage(_('Firewall settings changed'), 'success'); - if ( isset($_POST['firewall-disable']) ) $status->addMessage(_('Firewall is now disabled'), 'warning'); - if ( isset($_POST['save-firewall']) ) $status->addMessage(_('Firewall settings saved. Firewall is still disabled.'), 'success'); - if ( isset($_POST['excl-devices']) ) { - $excl = filter_var($_POST['excl-devices'], FILTER_SANITIZE_STRING); - $excl = str_replace(',', ' ', $excl); - $excl = trim(preg_replace('/\s+/', ' ', $excl)); - if ( $fw_conf["excl-devices"] != $excl ) { - $status->addMessage(_('Exclude devices '. $excl), 'success'); - $fw_conf["excl-devices"] = $excl; - } + if (isset($_POST['firewall-enable']) ) { $status->addMessage(_('Firewall is now enabled'), 'success'); } - if ( isset($_POST['excluded-ips']) ) { - $excl = filter_var($_POST['excluded-ips'], FILTER_SANITIZE_STRING); - $excl = str_replace(',', ' ', $excl); - $excl = trim(preg_replace('/\s+/', ' ', $excl)); - if ( !empty($excl) ) { - $excl = explode(' ',$excl); - $str_excl = ""; - foreach ( $excl as $ip ) { - if ( filter_var($ip,FILTER_VALIDATE_IP) ) $str_excl .= "$ip "; - else $status->addMessage(_('Exclude IP address '. $ip . ' failed - not a valid IP address'), 'warning'); - } - } - $str_excl = trim($str_excl); - if ( $fw_conf["excluded-ips"] != $str_excl ) { - $status->addMessage(_('Exclude IP address(es) '. $str_excl ), 'success'); - $fw_conf["excluded-ips"] = $str_excl; - } + if (isset($_POST['apply-firewall']) ) { $status->addMessage(_('Firewall settings changed'), 'success'); + } + if (isset($_POST['firewall-disable']) ) { $status->addMessage(_('Firewall is now disabled'), 'warning'); + } + if (isset($_POST['save-firewall']) ) { $status->addMessage(_('Firewall settings saved. Firewall is still disabled.'), 'success'); + } + if (isset($_POST['excl-devices']) ) { + $excl = filter_var($_POST['excl-devices'], FILTER_SANITIZE_STRING); + $excl = str_replace(',', ' ', $excl); + $excl = trim(preg_replace('/\s+/', ' ', $excl)); + if ($fw_conf["excl-devices"] != $excl ) { + $status->addMessage(_('Exclude devices '. $excl), 'success'); + $fw_conf["excl-devices"] = $excl; + } + } + if (isset($_POST['excluded-ips']) ) { + $excl = filter_var($_POST['excluded-ips'], FILTER_SANITIZE_STRING); + $excl = str_replace(',', ' ', $excl); + $excl = trim(preg_replace('/\s+/', ' ', $excl)); + if (!empty($excl) ) { + $excl = explode(' ', $excl); + $str_excl = ""; + foreach ( $excl as $ip ) { + if (filter_var($ip, FILTER_VALIDATE_IP) ) { $str_excl .= "$ip "; + } else { $status->addMessage(_('Exclude IP address '. $ip . ' failed - not a valid IP address'), 'warning'); + } + } + } + $str_excl = trim($str_excl); + if ($fw_conf["excluded-ips"] != $str_excl ) { + $status->addMessage(_('Exclude IP address(es) '. $str_excl), 'success'); + $fw_conf["excluded-ips"] = $str_excl; + } } WriteFirewallConf($fw_conf); configureFirewall(); } $vpn_ips = getVPN_IPs(); - echo renderTemplate("firewall", compact( - "status", - "ap_device", - "str_clients", - "fw_conf", - "ipt_rules", - "vpn_ips") + echo renderTemplate( + "firewall", compact( + "status", + "ap_device", + "str_clients", + "fw_conf", + "ipt_rules", + "vpn_ips" + ) ); }