Changeset 267

Timestamp:

Dec 21, 2009, 10:48:41 AM (15 years ago)

Author:

george

Message:

• Upraveno: Nově přepracován systém generování značkovacích pravidel mangle firewallu. Pro snížení počtu pravidel procházených při značkování packetu, jsou adresy rozdělovány do podskupin. Díky tomu je snížen rozptyl mezi nejmenším a nejvyšším početem procházených pravidel.
• Upraveno: Přepracovány funkce pro práci s IP adresami typu IPv4. Přehledněji zpracováno jako třída.
• Přidáno: Tabulka v databázi pro persistentní přiřazení Id čísla podsítě pro generování pravidel mangle firewallu.

Location:

trunk

Files:

• config.sample.php (modified) (1 diff)
• global.php (modified) (7 diffs)
• network_address.php (added)
• sql/updates/266.sql (added)
• system/generators/common.php (modified) (2 diffs)
• system/generators/firewall_mangle.php (modified) (4 diffs)

trunk/config.sample.php

@@ -50 +50 @@
    'InetInterface' => 'ether0',
    'ConnectTimeout' => 5,
+   'MangleRuleSubgroupMinPrefix' => 28,
   ),  
 );

trunk/global.php

@@ -10 +10 @@
 include('config.php');
 include('database.php');
-include('error.php');
+//include('error.php');
 include_once('code.php');
 $Database = new Database($Config['Database']['Host'], $Config['Database']['User'], $Config['Database']['Password'], $Config['Database']['Database']);
@@ -233 +233 @@
 }
 
-function ToVpnIp($Host)
-{ 
-  if($Host['external_ip'] == '') 
-  {
-    $Parts = explode('.', $Host['IP']);
-    return('172.16.'.$Parts[2].'.'.$Parts[3]);
-  } else 
-  {
-    return($Host['external_ip']);
-  }
-}
-
 function TimeToMysqlDateTime($Time)
 {
@@ -264 +252 @@
 }
 
-function ToCzfreeIp($Host)
-{ 
-  $Parts = explode('.', $Host['external_ip']);
-  if($Host['name'] == 'CENTRALA') return('10.144.1.1');
-    else return('10.144.200.'.$Parts[3]);
-}
-
 function HumanDate($Time)
 {
@@ -280 +261 @@
 
 // Zobrazení číselný seznamu stránek
-function PagesList($URL,$Page,$TotalCount,$CountPerPage)
-{
-  $Count = ceil($TotalCount/$CountPerPage);
+function PagesList($URL, $Page, $TotalCount, $CountPerPage)
+{
+  $Count = ceil($TotalCount / $CountPerPage);
   $Around = 10;
   $Result = '';
@@ -328 +309 @@
   $RemoteAddr = GetRemoteAddress();
   $RemoteAddr = explode('.', $RemoteAddr);
-  return(!(($RemoteAddr[0] == 192) and ($RemoteAddr[1] == 168)));
+  return(!(($RemoteAddr[0] == 10) and ($RemoteAddr[1] == 145)));
 }
 
@@ -351 +332 @@
 }
 
-function IPv4ToInt32($IP)
-{
-  $Parts = explode('.', $IP);
-  return(($Parts[0] << 24) | ($Parts[1] << 16) | ($Parts[2] << 8) | $Parts[3]);
-}
-
-function Int32ToIPv4($Value)
-{
-  return(implode('.', array(($Value >> 24) & 255, ($Value >> 16) & 255, ($Value >> 8) & 255, ($Value & 255))));
-}
-
-function CIDRToAddressRange($Subnet, $Mask)
-{
-  $SubnetBinary = IPv4ToInt32($Subnet);
-  $Hostmask = (1 << (32 - $Mask)) - 1;
-  $Netmask = 0xffffffff ^ $Hostmask;
-  $From = $SubnetBinary & $Netmask;
-  $To = $From + $Hostmask; 
-  return(array('From' => Int32ToIPv4($From), 'To' => Int32ToIPv4($To)));
-}
-
-function IsAddressInSubnet($Address, $Subnet, $Mask)
-{
-  $AddressBinary = IPv4ToInt32($Address);
-  $SubnetBinary = IPv4ToInt32($Subnet);
-  $Netmask = 0xffffffff ^ ((1 << (32 - $Mask)) - 1);
-  if(($AddressBinary & $Netmask) == ($SubnetBinary & $Netmask)) return(true);
-    else return(false);
-}
-
 function RouterOSIdent($Name)
 {
@@ -391 +342 @@
 function NotBlank($Text)
 {
-  if($Text == '') return('&nbsp'); else return($Text);
+  if($Text == '') return('&nbsp'); 
+    else return($Text);
 }
 

trunk/system/generators/common.php

@@ -1 +1 @@
 <?php
+
+include_once('../../network_address.php');
 
 function GetMarkByComment($Comment)
@@ -17 +19 @@
 }
 
+function GetSubgroupByRange($AddressRange)
+{
+  global $Database;
+  
+  $DbResult = $Database->query('SELECT `Id` FROM `NetworkMangleSubgroup` WHERE `AddressRange`="'.$AddressRange.'"');
+  if($DbResult->num_rows > 0)
+  {
+    $DbRow = $DbResult->fetch_assoc();
+    return($DbRow['Id']);
+  } else
+  {
+    $DbResult = $Database->query('INSERT INTO `NetworkMangleSubgroup` (`AddressRange`) VALUES ("'.$AddressRange.'")');
+    return($Database->insert_id);
+  } 
+}
+
+function InsertToAddressTree(&$Tree, $Address, $Name, $InterSubnets = false)
+{
+  global $Config;
+  
+  $Found = false;
+  foreach($Tree['Items'] as $Index => $Node)
+  {
+    if($Node['Address']->Contain($Address))
+    {
+      InsertToAddressTree($Tree['Items'][$Index], $Address, $Name, true);
+      $Found = true;
+    }
+  }
+  if($Found == false)
+  {
+    if($InterSubnets and ($Tree['Address']->Prefix < $Config['MainRouter']['MangleRuleSubgroupMinPrefix']) and 
+    ($Address->Prefix > ($Tree['Address']->Prefix + 1)))
+    {
+      $NewAddress = new NetworkAddressIPv4();
+      $NewAddress->Address = $Address->Address;
+      $NewAddress->ChangePrefix($Tree['Address']->Prefix + 1);
+      //echo('InsertToTree('.$NewAddress->AddressToString().'/'.$NewAddress->Prefix.')'."\n");
+      $Tree['Items'][] = array('Address' => $NewAddress, 'Name' => $Name, 'Items' => array());
+      InsertToAddressTree($Tree['Items'][count($Tree['Items']) - 1], $Address, $Name, true);
+    } else
+    {
+      
+      $NewNode = array('Address' => $Address, 'Name' => $Name, 'Items' => array());
+      
+      // Should be existed items placed under new node?
+      $Found = false;
+      foreach($Tree['Items'] as $Index => $Node)
+      {
+        if(($Node['Address']->Address == $NewNode['Address']->Address) and 
+        ($Node['Address']->Prefix == $NewNode['Address']->Prefix)) $Found = true;        
+        
+        //echo($Index.',');
+        if($Address->Contain($Node['Address']))
+        {
+          $NewNode['Items'][] = $Node;
+          unset($Tree['Items'][$Index]);
+        }
+      }
+      if($Found == false) $Tree['Items'][] = $NewNode;      
+    }
+  }
+}
+
+function ShowSubnetNode($Node, $Indent = 0)
+{
+  echo(str_repeat('  ', $Indent).$Node['Address']->AddressToString().'/'.$Node['Address']->Prefix.' '.$Node['Name']."\n");
+  foreach($Node['Items'] as $Index => $Item)
+  {
+    ShowSubnetNode($Item, $Indent + 1);
+  }  
+}
+
+/*
+function Test()
+{
+  $SubnetTree = array('Address' => new NetworkAddressIPv4(), 'Items' => array());
+
+  $NewAddress = new NetworkAddressIPv4();
+  $NewAddress->AddressFromString('10.145.64.0');
+  $NewAddress->Prefix = 24;
+  InsertToAddressTree($SubnetTree, $NewAddress);
+  $NewAddress = new NetworkAddressIPv4();
+  $NewAddress->AddressFromString('10.145.64.0');
+  $NewAddress->Prefix = 29;
+  InsertToAddressTree($SubnetTree, $NewAddress);
+  $NewAddress = new NetworkAddressIPv4();
+  $NewAddress->AddressFromString('10.145.65.0');
+  $NewAddress->Prefix = 24;
+  InsertToAddressTree($SubnetTree, $NewAddress);
+  $NewAddress = new NetworkAddressIPv4();
+  $NewAddress->AddressFromString('10.145.65.156');
+  $NewAddress->Prefix = 32;
+  InsertToAddressTree($SubnetTree, $NewAddress);
+  $NewAddress = new NetworkAddressIPv4();
+  $NewAddress->AddressFromString('10.145.64.0');
+  $NewAddress->Prefix = 20;
+  InsertToAddressTree($SubnetTree, $NewAddress);
+
+
+  ShowSubnetNode($SubnetTree);
+  die();
+}
+*/
+
 ?>

trunk/system/generators/firewall_mangle.php

@@ -16 +16 @@
 $Routerboard->Debug = true;
 
-$Finance = &$System->Modules['Finance'];
-$Finance->LoadMonthParameters(0);
-
 $InetInterface = $Config['MainRouter']['InetInterface'];
 
-$ItemsMangle = array();
 
-// Root of tree and main limit
-$ItemsFirewall[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-out', 'comment' => 'main-out');
-$ItemsFirewall[] = array('chain' => 'forward', 'in-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-in', 'comment' => 'main-in');
+// Generate address tree
+$AddressTree = array('Address' => new NetworkAddressIPv4(), 'Name' => 'main', 'Items' => array());
 
 // Divide rules by subnet number
-$DbResult = $Database->query('SELECT `Id`, `Name`, `AddressRange`, `Mask` FROM `NetworkSubnet`');
+$DbResult = $Database->query('SELECT `Id`, `Name`, `AddressRange`, `Mask` FROM `NetworkSubnet` WHERE Member=0');
 while($Subnet = $DbResult->fetch_assoc())
 {
-  $SubnetParts = explode('.', $Subnet['AddressRange']);
-  $SubnetNumber = $SubnetParts[2];
-  $ItemsFirewall[] = array('chain' => 'inet-out', 'src-address' => $Subnet['AddressRange'].'/'.$Subnet['Mask'], 'out-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-out-'.$SubnetNumber, 'comment' => 'subnet-'.RouterOSIdent($Subnet['Name']).'-out');
-  $ItemsFirewall[] = array('chain' => 'inet-in', 'dst-address' => $Subnet['AddressRange'].'/'.$Subnet['Mask'], 'in-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-in-'.$SubnetNumber, 'comment' => 'subnet-'.RouterOSIdent($Subnet['Name']).'-in');
+  $NewAddress = new NetworkAddressIPv4();
+  $NewAddress->AddressFromString($Subnet['AddressRange']);
+  $NewAddress->Prefix = $Subnet['Mask'];
+  InsertToAddressTree($AddressTree, $NewAddress, 'subnet-'.RouterOSIdent($Subnet['Name'])); 
 }
-
-// Slow free internet
-$PacketMark = GetMarkByComment('free-out');
-$ItemsFirewall[] = array('chain' => 'inet-out', 'out-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'comment' => 'free-out', 'passthrough' => 'no');
-$PacketMark = GetMarkByComment('free-in');
-$ItemsFirewall[] = array('chain' => 'inet-in', 'in-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'comment' => 'free-in', 'passthrough' => 'no');
 
 // Process users
@@ -49 +38 @@
   $Member['Name'] = RouterOSIdent($Member['Name'].'-'.$Member['Id'] );
   echo('Uživatel '.$Member['Name'].': ');
-
-  $DbResult2 = $Database->select('NetworkDevice', 'COUNT(*)', 'Used = 1 AND Member='.$Member['Id']);
-  $Row = $DbResult2->fetch_row();
-  $HostCount = $Row[0];
 
   $DbResult2 = $Database->select('NetworkDevice', '*', '`Used` = 1 AND `Member` = '.$Member['Id']);
@@ -64 +49 @@
       $Name = RouterOSIdent($Name);
       echo($Name.', ');
-      $IPParts = explode('.', $Interface['LocalIP']);
-      $Subnet = $IPParts[2];
-      $PacketMark = GetMarkByComment($Name.'-out');
-      $ItemsFirewall[] = array('chain' => 'inet-out-'.$Subnet, 'src-address' => $Interface['LocalIP'], 'out-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Name.'-out');
-      $PacketMark = GetMarkByComment($Name.'-in');
-      $ItemsFirewall[] = array('chain' => 'inet-in-'.$Subnet, 'dst-address' => $Interface['LocalIP'], 'in-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Name.'-in');
+      $NewAddress = new NetworkAddressIPv4();
+      $NewAddress->AddressFromString($Interface['LocalIP']);
+      $NewAddress->Prefix = 32;
+      InsertToAddressTree($AddressTree, $NewAddress, $Name);
     }
   }
@@ -78 +61 @@
     $Subnet['Name'] = RouterOSIdent('subnet-'.$Subnet['Name']);
     echo($Subnet['Name'].', ');
-    $IPParts = explode('.', $Subnet['AddressRange']);
-    $SubnetNumber = $IPParts[2];
-    $PacketMark = GetMarkByComment($Subnet['Name'].'-out');
-    $ItemsFirewall[] = array('chain' => 'inet-out-'.$SubnetNumber, 'src-address' => $Subnet['AddressRange'].'/'.$Subnet['Mask'], 'out-interface' =>  $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Subnet['Name'].'-out');
-    $PacketMark = GetMarkByComment($Subnet['Name'].'-in');
-    $ItemsFirewall[] = array('chain' => 'inet-in-'.$SubnetNumber, 'dst-address' => $Subnet['AddressRange'].'/'.$Subnet['Mask'], 'in-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Subnet['Name'].'-in');
+    $NewAddress = new NetworkAddressIPv4();
+    $NewAddress->AddressFromString($Subnet['AddressRange']);
+    $NewAddress->Prefix = $Subnet['Mask'];
+    InsertToAddressTree($AddressTree, $NewAddress, $Subnet['Name']);
   }
   echo("\n");
 }
 
-//print_r($ItemsFirewall);
-$Routerboard->ListUpdate($PathFirewall, array('chain', 'dst-address', 'in-interface', 'action', 'new-packet-mark', 'passthrough', 'comment', 'out-interface', 'src-address', 'jump-target'), $ItemsFirewall, array(), true);
+ShowSubnetNode($AddressTree);
+
+function ProcessNode($Node)
+{
+  global $InetInterface, $ItemsFirewall;
+  
+  foreach($Node['Items'] as $Index => $Item)
+  {
+    if(count($Item['Items']) == 0)
+    {
+      // Hosts
+      $ParentSubnetId = GetSubgroupByRange($Node['Address']->AddressToString().'/'.$Node['Address']->Prefix);
+      $PacketMark = GetMarkByComment($Item['Name'].'-out');
+      $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-out', 'src-address' => $Item['Address']->AddressToString().'/'.$Item['Address']->Prefix, 'out-interface' =>  $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Item['Name'].'-out');
+      $PacketMark = GetMarkByComment($Item['Name'].'-in');
+      $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-in', 'dst-address' => $Item['Address']->AddressToString().'/'.$Item['Address']->Prefix, 'in-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Item['Name'].'-in');
+    } else
+    {
+      // Subnets
+      $ParentSubnetId = GetSubgroupByRange($Node['Address']->AddressToString().'/'.$Node['Address']->Prefix);
+      $SubnetId = GetSubgroupByRange($Item['Address']->AddressToString().'/'.$Item['Address']->Prefix);
+      $PacketMark = GetMarkByComment($Item['Name'].'-out');
+      
+      $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-out', 'src-address' => $Item['Address']->AddressToString().'/'.$Item['Address']->Prefix, 'out-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-'.$SubnetId.'-out', 'comment' => $Item['Name'].'-out');    
+      $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-in', 'dst-address' => $Item['Address']->AddressToString().'/'.$Item['Address']->Prefix, 'in-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-'.$SubnetId.'-in', 'comment' => $Item['Name'].'-in');   
+      
+      ProcessNode($Item);      
+    }    
+  }
+}
+
+// Generate firewall rules
+$ItemsFirewall = array();
+
+// Root of tree and main limit
+$ItemsFirewall[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-1-out', 'comment' => 'main-out');
+$ItemsFirewall[] = array('chain' => 'forward', 'in-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-1-in', 'comment' => 'main-in');
+
+ProcessNode($AddressTree);
+
+// Slow free internet
+$PacketMark = GetMarkByComment('free-out');
+$ItemsFirewall[] = array('chain' => 'inet-1-out', 'out-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'comment' => 'free-out', 'passthrough' => 'no');
+$PacketMark = GetMarkByComment('free-in');
+$ItemsFirewall[] = array('chain' => 'inet-1-in', 'in-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'comment' => 'free-in', 'passthrough' => 'no');
+
+
+print_r($ItemsFirewall);
+//$Routerboard->ListUpdate($PathFirewall, array('chain', 'dst-address', 'in-interface', 'action', 'new-packet-mark', 'passthrough', 'comment', 'out-interface', 'src-address', 'jump-target'), $ItemsFirewall, array(), true);
 
 ?>