Changeset 267 for trunk/system/generators/firewall_mangle.php

Timestamp:

Dec 21, 2009, 10:48:41 AM (15 years ago)

Author:

george

Message:

• Upraveno: Nově přepracován systém generování značkovacích pravidel mangle firewallu. Pro snížení počtu pravidel procházených při značkování packetu, jsou adresy rozdělovány do podskupin. Díky tomu je snížen rozptyl mezi nejmenším a nejvyšším početem procházených pravidel.
• Upraveno: Přepracovány funkce pro práci s IP adresami typu IPv4. Přehledněji zpracováno jako třída.
• Přidáno: Tabulka v databázi pro persistentní přiřazení Id čísla podsítě pro generování pravidel mangle firewallu.

File:

• trunk/system/generators/firewall_mangle.php (modified) (4 diffs)

trunk/system/generators/firewall_mangle.php

@@ -16 +16 @@
 $Routerboard->Debug = true;
 
-$Finance = &$System->Modules['Finance'];
-$Finance->LoadMonthParameters(0);
-
 $InetInterface = $Config['MainRouter']['InetInterface'];
 
-$ItemsMangle = array();
 
-// Root of tree and main limit
-$ItemsFirewall[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-out', 'comment' => 'main-out');
-$ItemsFirewall[] = array('chain' => 'forward', 'in-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-in', 'comment' => 'main-in');
+// Generate address tree
+$AddressTree = array('Address' => new NetworkAddressIPv4(), 'Name' => 'main', 'Items' => array());
 
 // Divide rules by subnet number
-$DbResult = $Database->query('SELECT `Id`, `Name`, `AddressRange`, `Mask` FROM `NetworkSubnet`');
+$DbResult = $Database->query('SELECT `Id`, `Name`, `AddressRange`, `Mask` FROM `NetworkSubnet` WHERE Member=0');
 while($Subnet = $DbResult->fetch_assoc())
 {
-  $SubnetParts = explode('.', $Subnet['AddressRange']);
-  $SubnetNumber = $SubnetParts[2];
-  $ItemsFirewall[] = array('chain' => 'inet-out', 'src-address' => $Subnet['AddressRange'].'/'.$Subnet['Mask'], 'out-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-out-'.$SubnetNumber, 'comment' => 'subnet-'.RouterOSIdent($Subnet['Name']).'-out');
-  $ItemsFirewall[] = array('chain' => 'inet-in', 'dst-address' => $Subnet['AddressRange'].'/'.$Subnet['Mask'], 'in-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-in-'.$SubnetNumber, 'comment' => 'subnet-'.RouterOSIdent($Subnet['Name']).'-in');
+  $NewAddress = new NetworkAddressIPv4();
+  $NewAddress->AddressFromString($Subnet['AddressRange']);
+  $NewAddress->Prefix = $Subnet['Mask'];
+  InsertToAddressTree($AddressTree, $NewAddress, 'subnet-'.RouterOSIdent($Subnet['Name'])); 
 }
-
-// Slow free internet
-$PacketMark = GetMarkByComment('free-out');
-$ItemsFirewall[] = array('chain' => 'inet-out', 'out-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'comment' => 'free-out', 'passthrough' => 'no');
-$PacketMark = GetMarkByComment('free-in');
-$ItemsFirewall[] = array('chain' => 'inet-in', 'in-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'comment' => 'free-in', 'passthrough' => 'no');
 
 // Process users
@@ -49 +38 @@
   $Member['Name'] = RouterOSIdent($Member['Name'].'-'.$Member['Id'] );
   echo('Uživatel '.$Member['Name'].': ');
-
-  $DbResult2 = $Database->select('NetworkDevice', 'COUNT(*)', 'Used = 1 AND Member='.$Member['Id']);
-  $Row = $DbResult2->fetch_row();
-  $HostCount = $Row[0];
 
   $DbResult2 = $Database->select('NetworkDevice', '*', '`Used` = 1 AND `Member` = '.$Member['Id']);
@@ -64 +49 @@
       $Name = RouterOSIdent($Name);
       echo($Name.', ');
-      $IPParts = explode('.', $Interface['LocalIP']);
-      $Subnet = $IPParts[2];
-      $PacketMark = GetMarkByComment($Name.'-out');
-      $ItemsFirewall[] = array('chain' => 'inet-out-'.$Subnet, 'src-address' => $Interface['LocalIP'], 'out-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Name.'-out');
-      $PacketMark = GetMarkByComment($Name.'-in');
-      $ItemsFirewall[] = array('chain' => 'inet-in-'.$Subnet, 'dst-address' => $Interface['LocalIP'], 'in-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Name.'-in');
+      $NewAddress = new NetworkAddressIPv4();
+      $NewAddress->AddressFromString($Interface['LocalIP']);
+      $NewAddress->Prefix = 32;
+      InsertToAddressTree($AddressTree, $NewAddress, $Name);
     }
   }
@@ -78 +61 @@
     $Subnet['Name'] = RouterOSIdent('subnet-'.$Subnet['Name']);
     echo($Subnet['Name'].', ');
-    $IPParts = explode('.', $Subnet['AddressRange']);
-    $SubnetNumber = $IPParts[2];
-    $PacketMark = GetMarkByComment($Subnet['Name'].'-out');
-    $ItemsFirewall[] = array('chain' => 'inet-out-'.$SubnetNumber, 'src-address' => $Subnet['AddressRange'].'/'.$Subnet['Mask'], 'out-interface' =>  $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Subnet['Name'].'-out');
-    $PacketMark = GetMarkByComment($Subnet['Name'].'-in');
-    $ItemsFirewall[] = array('chain' => 'inet-in-'.$SubnetNumber, 'dst-address' => $Subnet['AddressRange'].'/'.$Subnet['Mask'], 'in-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Subnet['Name'].'-in');
+    $NewAddress = new NetworkAddressIPv4();
+    $NewAddress->AddressFromString($Subnet['AddressRange']);
+    $NewAddress->Prefix = $Subnet['Mask'];
+    InsertToAddressTree($AddressTree, $NewAddress, $Subnet['Name']);
   }
   echo("\n");
 }
 
-//print_r($ItemsFirewall);
-$Routerboard->ListUpdate($PathFirewall, array('chain', 'dst-address', 'in-interface', 'action', 'new-packet-mark', 'passthrough', 'comment', 'out-interface', 'src-address', 'jump-target'), $ItemsFirewall, array(), true);
+ShowSubnetNode($AddressTree);
+
+function ProcessNode($Node)
+{
+  global $InetInterface, $ItemsFirewall;
+  
+  foreach($Node['Items'] as $Index => $Item)
+  {
+    if(count($Item['Items']) == 0)
+    {
+      // Hosts
+      $ParentSubnetId = GetSubgroupByRange($Node['Address']->AddressToString().'/'.$Node['Address']->Prefix);
+      $PacketMark = GetMarkByComment($Item['Name'].'-out');
+      $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-out', 'src-address' => $Item['Address']->AddressToString().'/'.$Item['Address']->Prefix, 'out-interface' =>  $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Item['Name'].'-out');
+      $PacketMark = GetMarkByComment($Item['Name'].'-in');
+      $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-in', 'dst-address' => $Item['Address']->AddressToString().'/'.$Item['Address']->Prefix, 'in-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Item['Name'].'-in');
+    } else
+    {
+      // Subnets
+      $ParentSubnetId = GetSubgroupByRange($Node['Address']->AddressToString().'/'.$Node['Address']->Prefix);
+      $SubnetId = GetSubgroupByRange($Item['Address']->AddressToString().'/'.$Item['Address']->Prefix);
+      $PacketMark = GetMarkByComment($Item['Name'].'-out');
+      
+      $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-out', 'src-address' => $Item['Address']->AddressToString().'/'.$Item['Address']->Prefix, 'out-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-'.$SubnetId.'-out', 'comment' => $Item['Name'].'-out');    
+      $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-in', 'dst-address' => $Item['Address']->AddressToString().'/'.$Item['Address']->Prefix, 'in-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-'.$SubnetId.'-in', 'comment' => $Item['Name'].'-in');   
+      
+      ProcessNode($Item);      
+    }    
+  }
+}
+
+// Generate firewall rules
+$ItemsFirewall = array();
+
+// Root of tree and main limit
+$ItemsFirewall[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-1-out', 'comment' => 'main-out');
+$ItemsFirewall[] = array('chain' => 'forward', 'in-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-1-in', 'comment' => 'main-in');
+
+ProcessNode($AddressTree);
+
+// Slow free internet
+$PacketMark = GetMarkByComment('free-out');
+$ItemsFirewall[] = array('chain' => 'inet-1-out', 'out-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'comment' => 'free-out', 'passthrough' => 'no');
+$PacketMark = GetMarkByComment('free-in');
+$ItemsFirewall[] = array('chain' => 'inet-1-in', 'in-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'comment' => 'free-in', 'passthrough' => 'no');
+
+
+print_r($ItemsFirewall);
+//$Routerboard->ListUpdate($PathFirewall, array('chain', 'dst-address', 'in-interface', 'action', 'new-packet-mark', 'passthrough', 'comment', 'out-interface', 'src-address', 'jump-target'), $ItemsFirewall, array(), true);
 
 ?>