frodovdr/raspap-webgui
1
0
Fork 0
mirror of https://github.com/billz/raspap-webgui.git synced 2023-10-10 13:37:24 +02:00
Code Issues Releases Wiki Activity

Formatting: processed w/ phpcbf

Browse Source
This commit is contained in:
billz 2021-08-05 18:05:31 +01:00
parent cb2e97fdec
commit 99577938f6
1 changed files with 208 additions and 173 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

111
includes/firewall.php
View File

@ -6,29 +6,36 @@ require_once 'includes/functions.php';
define('RASPAP_IPTABLES_SCRIPT', "/tmp/iptables_raspap.sh"); define('RASPAP_IPTABLES_SCRIPT', "/tmp/iptables_raspap.sh");
define('RASPAP_IP6TABLES_SCRIPT', "/tmp/ip6tables_raspap.sh"); define('RASPAP_IP6TABLES_SCRIPT', "/tmp/ip6tables_raspap.sh");
function getDependson(&$rule, &$conf) { function getDependson(&$rule, &$conf)
{
if (isset($rule["dependson"][0]) ) { if (isset($rule["dependson"][0]) ) {
$don = &$rule["dependson"]; $don = &$rule["dependson"];
if (!empty($don[0]) && isset($conf[$don[0]["var"]]) ) { if (!empty($don[0]) && isset($conf[$don[0]["var"]]) ) {
if ( !isset($don[0]["type"]) ) $don[0]["type"]="bool"; if (!isset($don[0]["type"]) ) { $don[0]["type"]="bool";
}
return $don; return $don;
} }
} }
return false; return false;
} }
function isRuleEnabled(&$sect, &$conf) { function isRuleEnabled(&$sect, &$conf)
{
$fw_on = isset($conf["firewall-enable"]) && $conf["firewall-enable"]; $fw_on = isset($conf["firewall-enable"]) && $conf["firewall-enable"];
$active = isset($sect["fw-state"]) && $sect["fw-state"]==1; $active = isset($sect["fw-state"]) && $sect["fw-state"]==1;
$active = $fw_on ? $active : !$active; $active = $fw_on ? $active : !$active;
$active = $active || !isset($sect["fw-state"]); $active = $active || !isset($sect["fw-state"]);
if ( ($don = getDependson($sect, $conf)) !== false && if (($don = getDependson($sect, $conf)) !== false
$don[0]["type"] == "bool" && !$conf[$don[0]["var"]] ) $active = false; && $don[0]["type"] == "bool" && !$conf[$don[0]["var"]]
) { $active = false;
}
return $active; return $active;
} }
function createRuleStr(&$sect, &$conf) { function createRuleStr(&$sect, &$conf)
if ( !is_array($sect["rules"]) ) return ""; {
if (!is_array($sect["rules"]) ) { return "";
}
$rules = $sect["rules"]; $rules = $sect["rules"];
$depon = getDependson($sect, $conf); $depon = getDependson($sect, $conf);
$rs = array(); $rs = array();
@ -40,21 +47,27 @@ function createRuleStr(&$sect, &$conf) {
$repl=$val=""; $repl=$val="";
switch ( $dep["type"] ) { switch ( $dep["type"] ) {
case "list": case "list":
if ( isset($dep["var"]) && !empty($conf[$dep["var"]]) ) $val = explode(' ', $conf[$dep["var"]]); if (isset($dep["var"]) && !empty($conf[$dep["var"]]) ) { $val = explode(' ', $conf[$dep["var"]]);
if ( !empty($val) && isset($dep["replace"]) ) $repl=$dep["replace"]; }
if (!empty($val) && isset($dep["replace"]) ) { $repl=$dep["replace"];
}
break; break;
case "string": case "string":
if ( isset($dep["var"]) ) $val=$conf[$dep["var"]]; if (isset($dep["var"]) ) { $val=$conf[$dep["var"]];
if ( !empty($val) && isset($dep["replace"]) ) $repl=$dep["replace"]; }
if (!empty($val) && isset($dep["replace"]) ) { $repl=$dep["replace"];
}
break; break;
default: default:
break; break;
} }
if (!empty($repl) && !empty($val) ) { if (!empty($repl) && !empty($val) ) {
if (is_array($val) ) { if (is_array($val) ) {
foreach ( $val as $v ) $rr = array_merge($rr,str_replace($repl, $v, $r)); foreach ( $val as $v ) { $rr = array_merge($rr, str_replace($repl, $v, $r));
}
}
else { $rr = array_merge($rr, str_replace($repl, $val, $r));
} }
else $rr = array_merge($rr, str_replace($repl, $val, $r));
} }
$r = !empty($rr) ? $rr : $r; $r = !empty($rr) ? $rr : $r;
} }
@ -65,20 +78,24 @@ function createRuleStr(&$sect, &$conf) {
} }
$str=""; $str="";
foreach ( $rs as $r ) { foreach ( $rs as $r ) {
if ( !preg_match('/\$[a-z0-9]*\$/i',$r) ) $str .= '$IPT '.$r."\n"; if (!preg_match('/\$[a-z0-9]*\$/i', $r) ) { $str .= '$IPT '.$r."\n";
}
} }
return $str; return $str;
} }
function isIPv4(&$rule) { function isIPv4(&$rule)
{
return !isset($rule["ip-version"]) || strstr($rule["ip-version"], "4") !== false; return !isset($rule["ip-version"]) || strstr($rule["ip-version"], "4") !== false;
} }
function isIPv6(&$rule) { function isIPv6(&$rule)
{
return !isset($rule["ip-version"]) || strstr($rule["ip-version"], "6") !== false; return !isset($rule["ip-version"]) || strstr($rule["ip-version"], "6") !== false;
} }
function configureFirewall() { function configureFirewall()
{
$json = file_get_contents(RASPAP_IPTABLES_CONF); $json = file_get_contents(RASPAP_IPTABLES_CONF);
$ipt = json_decode($json, true); $ipt = json_decode($json, true);
$conf = ReadFirewallConf(); $conf = ReadFirewallConf();
@ -92,7 +109,8 @@ function configureFirewall() {
$txt .= "\$IPT -t nat -F\n"; $txt .= "\$IPT -t nat -F\n";
file_put_contents(RASPAP_IPTABLES_SCRIPT, $txt, FILE_APPEND); file_put_contents(RASPAP_IPTABLES_SCRIPT, $txt, FILE_APPEND);
file_put_contents(RASPAP_IP6TABLES_SCRIPT, $txt, FILE_APPEND); file_put_contents(RASPAP_IP6TABLES_SCRIPT, $txt, FILE_APPEND);
if ( empty($conf) || empty($ipt) ) return false; if (empty($conf) || empty($ipt) ) { return false;
}
$count=0; $count=0;
foreach ( $ipt["order"] as $idx ) { foreach ( $ipt["order"] as $idx ) {
if (isset($ipt[$idx]) ) { if (isset($ipt[$idx]) ) {
@ -100,8 +118,10 @@ function configureFirewall() {
if (isRuleEnabled($sect, $conf) ) { if (isRuleEnabled($sect, $conf) ) {
$str_rules= createRuleStr($sect, $conf); $str_rules= createRuleStr($sect, $conf);
if (!empty($str_rules) ) { if (!empty($str_rules) ) {
if ( isIPv4($sect) ) file_put_contents(RASPAP_IPTABLES_SCRIPT, $str_rules, FILE_APPEND); if (isIPv4($sect) ) { file_put_contents(RASPAP_IPTABLES_SCRIPT, $str_rules, FILE_APPEND);
if ( isIPv6($sect) ) file_put_contents(RASPAP_IP6TABLES_SCRIPT, $str_rules, FILE_APPEND); }
if (isIPv6($sect) ) { file_put_contents(RASPAP_IP6TABLES_SCRIPT, $str_rules, FILE_APPEND);
}
++$count; ++$count;
} }
} }
@ -121,14 +141,17 @@ function configureFirewall() {
return ($count > 0); return ($count > 0);
} }
function WriteFirewallConf($conf) { function WriteFirewallConf($conf)
{
$ret = false; $ret = false;
if ( is_array($conf) ) write_php_ini($conf,RASPAP_FIREWALL_CONF); if (is_array($conf) ) { write_php_ini($conf, RASPAP_FIREWALL_CONF);
}
return $ret; return $ret;
} }
function ReadFirewallConf() { function ReadFirewallConf()
{
if (file_exists(RASPAP_FIREWALL_CONF) ) { if (file_exists(RASPAP_FIREWALL_CONF) ) {
$conf = parse_ini_file(RASPAP_FIREWALL_CONF); $conf = parse_ini_file(RASPAP_FIREWALL_CONF);
} else { } else {
@ -150,9 +173,10 @@ function ReadFirewallConf() {
return $conf; return $conf;
} }
function getVPN_IPs() { function getVPN_IPs()
{
$ips = ""; $ips = "";
# get openvpn and wireguard server IPs // get openvpn and wireguard server IPs
if (RASPI_OPENVPN_ENABLED && ($fconf = glob(RASPI_OPENVPN_CLIENT_PATH ."/*.conf")) !== false && !empty($fconf) ) { if (RASPI_OPENVPN_ENABLED && ($fconf = glob(RASPI_OPENVPN_CLIENT_PATH ."/*.conf")) !== false && !empty($fconf) ) {
foreach ( $fconf as $f ) { foreach ( $fconf as $f ) {
unset($result); unset($result);
@ -163,12 +187,13 @@ function getVPN_IPs() {
$port = (isset($result[1])) ? $result[1] : ""; $port = (isset($result[1])) ? $result[1] : "";
if (!empty($ip) ) { if (!empty($ip) ) {
$ip = gethostbyname($ip); $ip = gethostbyname($ip);
if ( filter_var($ip,FILTER_VALIDATE_IP) && strpos($ips, $ip) === false ) $ips .= " $ip"; if (filter_var($ip, FILTER_VALIDATE_IP) && strpos($ips, $ip) === false ) { $ips .= " $ip";
} }
} }
} }
} }
# get wireguard server IPs }
// get wireguard server IPs
if (RASPI_WIREGUARD_ENABLED && ($fconf = glob(RASPI_WIREGUARD_PATH ."/*.conf")) !== false && !empty($fconf) ) { if (RASPI_WIREGUARD_ENABLED && ($fconf = glob(RASPI_WIREGUARD_PATH ."/*.conf")) !== false && !empty($fconf) ) {
foreach ( $fconf as $f ) { foreach ( $fconf as $f ) {
unset($result); unset($result);
@ -179,7 +204,8 @@ function getVPN_IPs() {
$port = (isset($result[1])) ? $result[1] : ""; $port = (isset($result[1])) ? $result[1] : "";
if (!empty($ip) ) { if (!empty($ip) ) {
$ip = gethostbyname($ip); $ip = gethostbyname($ip);
if ( filter_var($ip,FILTER_VALIDATE_IP) && strpos($ips, $ip) === false ) $ips .= " $ip"; if (filter_var($ip, FILTER_VALIDATE_IP) && strpos($ips, $ip) === false ) { $ips .= " $ip";
}
} }
} }
} }
@ -201,22 +227,28 @@ function DisplayFirewallConfig()
$str_clients = ""; $str_clients = "";
foreach( $clients["device"] as $dev ) { foreach( $clients["device"] as $dev ) {
if (!$dev["isAP"] ) { if (!$dev["isAP"] ) {
if ( !empty($str_clients) ) $str_clients .= ", "; if (!empty($str_clients) ) { $str_clients .= ", ";
}
$str_clients .= $dev["name"]; $str_clients .= $dev["name"];
} }
} }
$fw_conf = ReadFirewallConf(); $fw_conf = ReadFirewallConf();
$fw_conf["ap-device"] = $ap_device; $fw_conf["ap-device"] = $ap_device;
$id=findCurrentClientIndex($clients); $id=findCurrentClientIndex($clients);
if ( $id >= 0 ) $fw_conf["client-device"] = $clients["device"][$id]["name"]; if ($id >= 0 ) { $fw_conf["client-device"] = $clients["device"][$id]["name"];
}
if (!empty($_POST)) { if (!empty($_POST)) {
$fw_conf["ssh-enable"] = isset($_POST['ssh-enable']); $fw_conf["ssh-enable"] = isset($_POST['ssh-enable']);
$fw_conf["http-enable"] = isset($_POST['http-enable']); $fw_conf["http-enable"] = isset($_POST['http-enable']);
$fw_conf["firewall-enable"] = isset($_POST['firewall-enable']) || isset($_POST['apply-firewall']); $fw_conf["firewall-enable"] = isset($_POST['firewall-enable']) || isset($_POST['apply-firewall']);
if ( isset($_POST['firewall-enable']) ) $status->addMessage(_('Firewall is now enabled'), 'success'); if (isset($_POST['firewall-enable']) ) { $status->addMessage(_('Firewall is now enabled'), 'success');
if ( isset($_POST['apply-firewall']) ) $status->addMessage(_('Firewall settings changed'), 'success'); }
if ( isset($_POST['firewall-disable']) ) $status->addMessage(_('Firewall is now disabled'), 'warning'); if (isset($_POST['apply-firewall']) ) { $status->addMessage(_('Firewall settings changed'), 'success');
if ( isset($_POST['save-firewall']) ) $status->addMessage(_('Firewall settings saved. Firewall is still disabled.'), 'success'); }
if (isset($_POST['firewall-disable']) ) { $status->addMessage(_('Firewall is now disabled'), 'warning');
}
if (isset($_POST['save-firewall']) ) { $status->addMessage(_('Firewall settings saved. Firewall is still disabled.'), 'success');
}
if (isset($_POST['excl-devices']) ) { if (isset($_POST['excl-devices']) ) {
$excl = filter_var($_POST['excl-devices'], FILTER_SANITIZE_STRING); $excl = filter_var($_POST['excl-devices'], FILTER_SANITIZE_STRING);
$excl = str_replace(',', ' ', $excl); $excl = str_replace(',', ' ', $excl);
@ -234,8 +266,9 @@ function DisplayFirewallConfig()
$excl = explode(' ', $excl); $excl = explode(' ', $excl);
$str_excl = ""; $str_excl = "";
foreach ( $excl as $ip ) { foreach ( $excl as $ip ) {
if ( filter_var($ip,FILTER_VALIDATE_IP) ) $str_excl .= "$ip "; if (filter_var($ip, FILTER_VALIDATE_IP) ) { $str_excl .= "$ip ";
else $status->addMessage(_('Exclude IP address '. $ip . ' failed - not a valid IP address'), 'warning'); } else { $status->addMessage(_('Exclude IP address '. $ip . ' failed - not a valid IP address'), 'warning');
}
} }
} }
$str_excl = trim($str_excl); $str_excl = trim($str_excl);
@ -248,12 +281,14 @@ function DisplayFirewallConfig()
configureFirewall(); configureFirewall();
} }
$vpn_ips = getVPN_IPs(); $vpn_ips = getVPN_IPs();
echo renderTemplate("firewall", compact( echo renderTemplate(
"firewall", compact(
"status", "status",
"ap_device", "ap_device",
"str_clients", "str_clients",
"fw_conf", "fw_conf",
"ipt_rules", "ipt_rules",
"vpn_ips") "vpn_ips"
)
); );
} }