  • Modified: Network configure actions can now be executed through the cmd.php interface using "php cmd.php config <action>".
1<?php
2
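class ConfigRouterOSFirewallMangle extends NetworkConfigItem
{
    /**
     * Regenerates the `/ip firewall mangle` rule set on the main router.
     *
     * Connection parameters (user name, timeout, host name) and the name of the
     * internet-facing interface are read from `$this->System->Config['MainRouter']`.
     * An address tree is built from the database (BuildAddressTree()), walked into
     * per-subnet jump chains and per-host packet-mark rules (ProcessNode()), a few
     * fixed rules are appended, and the whole list is pushed to the router through
     * Routerboard::ListUpdate().
     *
     * Progress is written to stdout; the action is meant to run from cmd.php.
     *
     * @return void
     */
    public function Run()
    {
        $PathFirewall = array('ip', 'firewall', 'mangle');

        $Routerboard = new Routerboard();
        $Routerboard->UserName = $this->System->Config['MainRouter']['UserName'];
        $Routerboard->Timeout = $this->System->Config['MainRouter']['ConnectTimeout'];
        $Routerboard->HostName = $this->System->Config['MainRouter']['HostName'];
        $Routerboard->Debug = true;

        // Interface towards the internet; every generated rule matches on it.
        // Read from the same configuration as the connection settings above
        // (the previous revision read an undefined local $Config here, so the
        // interface name ended up empty in all generated rules).
        $InetInterface = $this->System->Config['MainRouter']['InetInterface'];

        $AddressTree = $this->BuildAddressTree();
        ShowSubnetNode($AddressTree);

        // Generate firewall rules
        $ItemsFirewall = array();

        // Root of tree and main limit: forward traffic on the internet interface
        // jumps into the inet-1-* chains (presumably the root node's chains; verify
        // against GetSubgroupByRange()). The leading '!' negates the address match,
        // so traffic to/from 77.92.221.0/24 itself is not sent into them.
        $ExcludedRange = '!77.92.221.0/24';
        $ItemsFirewall[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'dst-address' => $ExcludedRange,
            'action' => 'jump', 'jump-target' => 'inet-1-out', 'comment' => 'main-out');
        $ItemsFirewall[] = array('chain' => 'forward', 'in-interface' => $InetInterface, 'src-address' => $ExcludedRange,
            'action' => 'jump', 'jump-target' => 'inet-1-in', 'comment' => 'main-in');

        // Per-subnet and per-host rules, collected through the return value. The
        // nested function used before declared $ItemsFirewall and $InetInterface as
        // `global`, which never bound to this method's locals, and a second Run()
        // in the same process would have failed on the function redeclaration.
        $ItemsFirewall = array_merge($ItemsFirewall, $this->ProcessNode($AddressTree, $InetInterface));

        // Limited free internet
        $PacketMark = GetMarkByComment('free-out');
        $ItemsFirewall[] = array('chain' => 'inet-1-out', 'out-interface' => $InetInterface,
            'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'comment' => 'free-out', 'passthrough' => 'yes');
        $PacketMark = GetMarkByComment('free-in');
        $ItemsFirewall[] = array('chain' => 'inet-1-in', 'in-interface' => $InetInterface,
            'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'comment' => 'free-in', 'passthrough' => 'no');

        // Unregistred clients add to address list: sources from 10.145.0.0/16 that
        // reach the root out-chain are recorded in the 'unregistred' list for a day.
        $ItemsFirewall[] = array('chain' => 'inet-1-out', 'out-interface' => $InetInterface, 'src-address' => '10.145.0.0/16',
            'action' => 'add-src-to-address-list', 'address-list' => 'unregistred', 'address-list-timeout' => '1d',
            'comment' => 'unregistred-clients');

        $Routerboard->ListUpdate($PathFirewall, array('chain', 'dst-address', 'in-interface', 'action', 'new-packet-mark',
            'passthrough', 'comment', 'out-interface', 'src-address', 'jump-target'), $ItemsFirewall, array(), true);
    }

    /**
     * Builds the address tree the mangle chains are generated from.
     *
     * Below the root node 'main' go the subnets that have no owning member
     * (`NetworkSubnet.Member IS NULL`). Then, for every non-blocked member, the
     * interfaces of its used devices that have a LocalIP are inserted as /32
     * hosts and the member's own subnets are inserted with ForceMark set.
     * All names pass through RouterOSIdent() so they are valid RouterOS identifiers.
     *
     * Echoes one line per member listing what was inserted.
     *
     * @return array Tree node: array('Address' => NetworkAddressIPv4, 'Name' => string,
     *               'Items' => array, 'ForceMark' => bool)
     */
    private function BuildAddressTree()
    {
        $AddressTree = array('Address' => new NetworkAddressIPv4(), 'Name' => 'main', 'Items' => array(), 'ForceMark' => false);

        // Divide rules by subnet number: top-level subnets are those without a member
        $DbResult = $this->System->Database->query('SELECT `Id`, `Name`, `AddressRange`, `Mask` FROM `NetworkSubnet` WHERE `Member` IS NULL');
        while ($Subnet = $DbResult->fetch_assoc()) {
            $NewAddress = $this->MakeAddress($Subnet['AddressRange'], $Subnet['Mask']);
            InsertToAddressTree($AddressTree, $NewAddress, 'subnet-'.RouterOSIdent($Subnet['Name']));
        }

        // Process users
        $DbResult = $this->System->Database->query('SELECT `Member`.*, `Subject`.`Name` FROM `Member` '.
            'LEFT JOIN `Subject` ON `Subject`.`Id` = `Member`.`Subject` '.
            'WHERE `Member`.`Blocked` = 0');
        while ($Member = $DbResult->fetch_assoc()) {
            $Member['Name'] = RouterOSIdent($Member['Name'].'-'.$Member['Id']);
            echo('Uživatel '.$Member['Name'].': ');

            // Member hosts: every interface with a LocalIP on a device in use.
            // The ids interpolated into the conditions come from rows fetched
            // above, not from external input.
            $DbResult2 = $this->System->Database->select('NetworkDevice', '*', '`Used` = 1 AND `Member` = '.$Member['Id']);
            while ($Device = $DbResult2->fetch_assoc()) {
                // NOTE(review): this and the subnet query below use $this->Database while
                // the queries above use $this->System->Database — confirm both resolve to
                // the same connection on NetworkConfigItem.
                $DbResult3 = $this->Database->select('NetworkInterface', '*', '`Device` = '.$Device['Id'].' AND `LocalIP` != ""');
                while ($Interface = $DbResult3->fetch_assoc()) {
                    $Name = $Device['Name'];
                    if ($Interface['Name'] != '') {
                        $Name .= '-'.$Interface['Name'];
                    }
                    $Name = RouterOSIdent($Name);
                    echo($Name.', ');
                    InsertToAddressTree($AddressTree, $this->MakeAddress($Interface['LocalIP'], 32), $Name);
                }
            }

            // Member subnets are marked as a whole (ForceMark) in addition to their hosts
            $DbResult2 = $this->Database->select('NetworkSubnet', '*', '`Member`='.$Member['Id']);
            while ($Subnet = $DbResult2->fetch_assoc()) {
                $Subnet['Name'] = RouterOSIdent('subnet-'.$Subnet['Name']);
                echo($Subnet['Name'].', ');
                $NewAddress = $this->MakeAddress($Subnet['AddressRange'], $Subnet['Mask']);
                $ForceMark = ($Subnet['Member'] != 0);
                echo($ForceMark.', ');
                InsertToAddressTree($AddressTree, $NewAddress, $Subnet['Name'], false, $ForceMark);
            }
            echo("\n");
        }

        return $AddressTree;
    }

    /**
     * Walks one address-tree node and returns the mangle rules for its children.
     *
     * A child without children of its own is a host: two mark-packet rules are
     * emitted in the node's `inet-<id>-out` / `-in` chains. A child with children
     * is a subnet: two jump rules into the child's own chains are emitted and the
     * child is processed recursively. If the node has ForceMark set, a trailing
     * catch-all mark-packet pair (empty address match) is appended for the node.
     *
     * Chain ids come from GetSubgroupByRange(), packet marks from GetMarkByComment().
     *
     * @param array  $Node          Tree node as built by BuildAddressTree()
     * @param string $InetInterface Internet-facing interface name
     * @return array Rule arrays in emission order
     */
    private function ProcessNode($Node, $InetInterface)
    {
        $Rules = array();
        // Loop-invariant: the node's chain id was previously looked up once per child
        $ParentSubnetId = GetSubgroupByRange($this->RangeString($Node['Address']));

        foreach ($Node['Items'] as $Item) {
            $Address = $this->RuleAddress($Item['Address']);
            if (count($Item['Items']) === 0) {
                // Hosts
                $Rules[] = $this->MarkRule($ParentSubnetId, 'out', $Address, $InetInterface,
                    GetMarkByComment($Item['Name'].'-out'), $Item['Name'].'-out');
                $Rules[] = $this->MarkRule($ParentSubnetId, 'in', $Address, $InetInterface,
                    GetMarkByComment($Item['Name'].'-in'), $Item['Name'].'-in');
            } else {
                // Subnets
                $SubnetId = GetSubgroupByRange($this->RangeString($Item['Address']));
                $Rules[] = $this->JumpRule($ParentSubnetId, $SubnetId, 'out', $Address, $InetInterface, $Item['Name'].'-out');
                $Rules[] = $this->JumpRule($ParentSubnetId, $SubnetId, 'in', $Address, $InetInterface, $Item['Name'].'-in');
                $Rules = array_merge($Rules, $this->ProcessNode($Item, $InetInterface));
            }
        }

        if ($Node['ForceMark']) {
            // Mark member subnets: whatever was not matched above in this node's chains.
            // The mark is looked up by '<name>-out'/'-in' but the rule comment is '-all-out'/'-all-in'.
            $Rules[] = $this->MarkRule($ParentSubnetId, 'out', '', $InetInterface,
                GetMarkByComment($Node['Name'].'-out'), $Node['Name'].'-all-out');
            $Rules[] = $this->MarkRule($ParentSubnetId, 'in', '', $InetInterface,
                GetMarkByComment($Node['Name'].'-in'), $Node['Name'].'-all-in');
        }

        return $Rules;
    }

    /**
     * Builds one mark-packet rule (passthrough=no) for the given direction.
     *
     * 'out' matches on src-address/out-interface, 'in' on dst-address/in-interface.
     * Key order matches the rules the previous revision produced.
     *
     * @param int|string $SubnetId      Chain id, used as `inet-<id>-<direction>`
     * @param string     $Direction     'out' or 'in'
     * @param string     $Address       Address match ('' for no address restriction)
     * @param string     $InetInterface Internet-facing interface name
     * @param mixed      $PacketMark    Value returned by GetMarkByComment()
     * @param string     $Comment       Rule comment
     * @return array
     */
    private function MarkRule($SubnetId, $Direction, $Address, $InetInterface, $PacketMark, $Comment)
    {
        $AddressKey = ($Direction == 'out') ? 'src-address' : 'dst-address';
        $InterfaceKey = ($Direction == 'out') ? 'out-interface' : 'in-interface';
        return array('chain' => 'inet-'.$SubnetId.'-'.$Direction, $AddressKey => $Address, $InterfaceKey => $InetInterface,
            'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Comment);
    }

    /**
     * Builds one jump rule from a parent chain into a child subnet's chain.
     *
     * @param int|string $ParentSubnetId Chain id of the parent node
     * @param int|string $SubnetId       Chain id of the child subnet (jump target)
     * @param string     $Direction      'out' or 'in'
     * @param string     $Address        Address match for the child subnet
     * @param string     $InetInterface  Internet-facing interface name
     * @param string     $Comment        Rule comment
     * @return array
     */
    private function JumpRule($ParentSubnetId, $SubnetId, $Direction, $Address, $InetInterface, $Comment)
    {
        $AddressKey = ($Direction == 'out') ? 'src-address' : 'dst-address';
        $InterfaceKey = ($Direction == 'out') ? 'out-interface' : 'in-interface';
        return array('chain' => 'inet-'.$ParentSubnetId.'-'.$Direction, $AddressKey => $Address, $InterfaceKey => $InetInterface,
            'action' => 'jump', 'jump-target' => 'inet-'.$SubnetId.'-'.$Direction, 'comment' => $Comment);
    }

    /**
     * Creates a NetworkAddressIPv4 from its string form and prefix length.
     *
     * @param string     $AddressString Dotted address as stored in the database
     * @param int|string $Prefix        Prefix length (DB `Mask` column or 32 for hosts)
     * @return NetworkAddressIPv4
     */
    private function MakeAddress($AddressString, $Prefix)
    {
        $Address = new NetworkAddressIPv4();
        $Address->AddressFromString($AddressString);
        $Address->Prefix = $Prefix;
        return $Address;
    }

    /**
     * Formats an address as `a.b.c.d/prefix`, the form GetSubgroupByRange() is given.
     *
     * @param NetworkAddressIPv4 $Address
     * @return string
     */
    private function RangeString($Address)
    {
        return $Address->AddressToString().'/'.$Address->Prefix;
    }

    /**
     * Formats an address for a rule's address match: the prefix is appended unless
     * it is 32 (a single host). Loose comparison is deliberate, Prefix may be a
     * string coming straight from the database.
     *
     * @param NetworkAddressIPv4 $Address
     * @return string
     */
    private function RuleAddress($Address)
    {
        $Result = $Address->AddressToString();
        if ($Address->Prefix != 32) {
            $Result .= '/'.$Address->Prefix;
        }
        return $Result;
    }
}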