Changeset 781 for trunk/Modules/NetworkConfigRouterOS/Generators/FirewallMangle.php

Timestamp:

Jan 8, 2016, 11:00:11 PM (9 years ago)

Author:

chronos

Message:

• Modified: Network configure actions now can be executed through cmd.php interface using "php cmd.php config <action>".

File:

• trunk/Modules/NetworkConfigRouterOS/Generators/FirewallMangle.php (modified) (1 diff)

trunk/Modules/NetworkConfigRouterOS/Generators/FirewallMangle.php

@@ -1 +1 @@
 <?php
-if(isset($_SERVER['REMOTE_ADDR'])) die();
 
-$Enabled = 1;
-$ClassesEnabled = 1;
-$SessionDisable = true;
-include_once(dirname(__FILE__).'/../../../Application/System.php');
-$System = new System();
-$System->ShowPage = false;
-$System->Run();
-$PathFirewall = array('ip', 'firewall', 'mangle');
+class ConfigRouterOSFirewallMangle extends NetworkConfigItem
+{
+  function Run()
+  {
+    $PathFirewall = array('ip', 'firewall', 'mangle');
 
-$Routerboard = new Routerboard();
-$Routerboard->UserName = $Config['MainRouter']['UserName'];
-$Routerboard->Timeout = $Config['MainRouter']['ConnectTimeout'];
-$Routerboard->HostName = $Config['MainRouter']['HostName'];
-$Routerboard->Debug = true;
+    $Routerboard = new Routerboard();
+    $Routerboard->UserName = $this->System->Config['MainRouter']['UserName'];
+    $Routerboard->Timeout = $this->System->Config['MainRouter']['ConnectTimeout'];
+    $Routerboard->HostName = $this->System->Config['MainRouter']['HostName'];
+    $Routerboard->Debug = true;
 
-$InetInterface = $Config['MainRouter']['InetInterface'];
+    $InetInterface = $Config['MainRouter']['InetInterface'];
 
 
-// Generate address tree
-$AddressTree = array('Address' => new NetworkAddressIPv4(), 'Name' => 'main', 'Items' => array(), 'ForceMark' => false);
+    // Generate address tree
+    $AddressTree = array('Address' => new NetworkAddressIPv4(), 'Name' => 'main', 'Items' => array(), 'ForceMark' => false);
 
-// Divide rules by subnet number
-$DbResult = $System->Database->query('SELECT `Id`, `Name`, `AddressRange`, `Mask` FROM `NetworkSubnet` WHERE `Member` IS NULL');
-while($Subnet = $DbResult->fetch_assoc())
-{
-  $NewAddress = new NetworkAddressIPv4();
-  $NewAddress->AddressFromString($Subnet['AddressRange']);
-  $NewAddress->Prefix = $Subnet['Mask'];
-  InsertToAddressTree($AddressTree, $NewAddress, 'subnet-'.RouterOSIdent($Subnet['Name']));
-}
+    // Divide rules by subnet number
+    $DbResult = $this->System->Database->query('SELECT `Id`, `Name`, `AddressRange`, `Mask` FROM `NetworkSubnet` WHERE `Member` IS NULL');
+    while($Subnet = $DbResult->fetch_assoc())
+    {
+      $NewAddress = new NetworkAddressIPv4();
+      $NewAddress->AddressFromString($Subnet['AddressRange']);
+      $NewAddress->Prefix = $Subnet['Mask'];
+      InsertToAddressTree($AddressTree, $NewAddress, 'subnet-'.RouterOSIdent($Subnet['Name']));
+    }
 
-// Process users
-$DbResult = $System->Database->query('SELECT `Member`.*, `Subject`.`Name` FROM `Member` '.
-  'LEFT JOIN `Subject` ON `Subject`.`Id` = `Member`.`Subject` '.
-  'WHERE `Member`.`Blocked` = 0');
-while($Member = $DbResult->fetch_assoc())
-{
-  $Member['Name'] = RouterOSIdent($Member['Name'].'-'.$Member['Id'] );
-  echo('Uživatel '.$Member['Name'].': ');
+    // Process users
+    $DbResult = $this->System->Database->query('SELECT `Member`.*, `Subject`.`Name` FROM `Member` '.
+        'LEFT JOIN `Subject` ON `Subject`.`Id` = `Member`.`Subject` '.
+        'WHERE `Member`.`Blocked` = 0');
+    while($Member = $DbResult->fetch_assoc())
+    {
+      $Member['Name'] = RouterOSIdent($Member['Name'].'-'.$Member['Id'] );
+      echo('Uživatel '.$Member['Name'].': ');
 
-  $DbResult2 = $System->Database->select('NetworkDevice', '*', '`Used` = 1 AND `Member` = '.$Member['Id']);
-  while($Device = $DbResult2->fetch_assoc())
-  {
-    $DbResult3 = $System->Database->select('NetworkInterface', '*', '`Device` = '.$Device['Id'].' AND `LocalIP` != ""');
-    while($Interface = $DbResult3->fetch_assoc())
+      $DbResult2 = $this->System->Database->select('NetworkDevice', '*', '`Used` = 1 AND `Member` = '.$Member['Id']);
+      while($Device = $DbResult2->fetch_assoc())
+      {
+        $DbResult3 = $this->Database->select('NetworkInterface', '*', '`Device` = '.$Device['Id'].' AND `LocalIP` != ""');
+        while($Interface = $DbResult3->fetch_assoc())
+        {
+          $Name = $Device['Name'];
+          if($Interface['Name'] != '') $Name .= '-'.$Interface['Name'];
+          $Name = RouterOSIdent($Name);
+          echo($Name.', ');
+          $NewAddress = new NetworkAddressIPv4();
+          $NewAddress->AddressFromString($Interface['LocalIP']);
+          $NewAddress->Prefix = 32;
+          InsertToAddressTree($AddressTree, $NewAddress, $Name);
+        }
+      }
+
+      $DbResult2 = $this->Database->select('NetworkSubnet', '*', '`Member`='.$Member['Id']);
+      while($Subnet = $DbResult2->fetch_assoc())
+      {
+        $Subnet['Name'] = RouterOSIdent('subnet-'.$Subnet['Name']);
+        echo($Subnet['Name'].', ');
+        $NewAddress = new NetworkAddressIPv4();
+        $NewAddress->AddressFromString($Subnet['AddressRange']);
+        $NewAddress->Prefix = $Subnet['Mask'];
+        if($Subnet['Member'] != 0) $ForceMark = true;
+        else $ForceMark = false;
+        echo($ForceMark.', ');
+        InsertToAddressTree($AddressTree, $NewAddress, $Subnet['Name'], false, $ForceMark);
+      }
+      echo("\n");
+    }
+
+    ShowSubnetNode($AddressTree);
+
+    function ProcessNode($Node)
     {
-      $Name = $Device['Name'];
-      if($Interface['Name'] != '') $Name .= '-'.$Interface['Name'];
-      $Name = RouterOSIdent($Name);
-      echo($Name.', ');
-      $NewAddress = new NetworkAddressIPv4();
-      $NewAddress->AddressFromString($Interface['LocalIP']);
-      $NewAddress->Prefix = 32;
-      InsertToAddressTree($AddressTree, $NewAddress, $Name);
+      global $InetInterface, $ItemsFirewall;
+
+      foreach($Node['Items'] as $Index => $Item)
+      {
+        if(count($Item['Items']) == 0)
+        {
+          // Hosts
+          $ParentSubnetId = GetSubgroupByRange($Node['Address']->AddressToString().'/'.$Node['Address']->Prefix);
+          $Address = $Item['Address']->AddressToString();
+          if($Item['Address']->Prefix != 32) $Address .= '/'.$Item['Address']->Prefix;
+
+          $PacketMark = GetMarkByComment($Item['Name'].'-out');
+          $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-out', 'src-address' => $Address, 'out-interface' =>  $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Item['Name'].'-out');
+          $PacketMark = GetMarkByComment($Item['Name'].'-in');
+          $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-in', 'dst-address' => $Address, 'in-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Item['Name'].'-in');
+        } else
+        {
+          // Subnets
+          $ParentSubnetId = GetSubgroupByRange($Node['Address']->AddressToString().'/'.$Node['Address']->Prefix);
+          $SubnetId = GetSubgroupByRange($Item['Address']->AddressToString().'/'.$Item['Address']->Prefix);
+          $PacketMark = GetMarkByComment($Item['Name'].'-out');
+
+          $Address = $Item['Address']->AddressToString();
+          if($Item['Address']->Prefix != 32) $Address .= '/'.$Item['Address']->Prefix;
+
+          $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-out', 'src-address' => $Address, 'out-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-'.$SubnetId.'-out', 'comment' => $Item['Name'].'-out');
+          $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-in', 'dst-address' => $Address, 'in-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-'.$SubnetId.'-in', 'comment' => $Item['Name'].'-in');
+
+          ProcessNode($Item);
+        }
+      }
+      if($Node['ForceMark'] == true)
+      {
+        // Mark member subnets
+        $ParentSubnetId = GetSubgroupByRange($Node['Address']->AddressToString().'/'.$Node['Address']->Prefix);
+
+        $PacketMark = GetMarkByComment($Node['Name'].'-out');
+        $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-out', 'src-address' => '', 'out-interface' =>  $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Node['Name'].'-all-out');
+        $PacketMark = GetMarkByComment($Node['Name'].'-in');
+        $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-in', 'dst-address' => '', 'in-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Node['Name'].'-all-in');
+      }
     }
-  }
 
-  $DbResult2 = $System->Database->select('NetworkSubnet', '*', '`Member`='.$Member['Id']);
-  while($Subnet = $DbResult2->fetch_assoc())
-  {
-    $Subnet['Name'] = RouterOSIdent('subnet-'.$Subnet['Name']);
-    echo($Subnet['Name'].', ');
-    $NewAddress = new NetworkAddressIPv4();
-    $NewAddress->AddressFromString($Subnet['AddressRange']);
-    $NewAddress->Prefix = $Subnet['Mask'];
-    if($Subnet['Member'] != 0) $ForceMark = true;
-      else $ForceMark = false;
-    echo($ForceMark.', ');
-    InsertToAddressTree($AddressTree, $NewAddress, $Subnet['Name'], false, $ForceMark);
-  }
-  echo("\n");
-}
+    // Generate firewall rules
+    $ItemsFirewall = array();
 
-ShowSubnetNode($AddressTree);
+    // Root of tree and main limit
+    $ItemsFirewall[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'dst-address' => '!77.92.221.0/24', 'action' => 'jump', 'jump-target' => 'inet-1-out', 'comment' => 'main-out');
+    $ItemsFirewall[] = array('chain' => 'forward', 'in-interface' => $InetInterface, 'src-address' => '!77.92.221.0/24', 'action' => 'jump', 'jump-target' => 'inet-1-in', 'comment' => 'main-in');
 
-function ProcessNode($Node)
-{
-  global $InetInterface, $ItemsFirewall;
+    ProcessNode($AddressTree);
 
-  foreach($Node['Items'] as $Index => $Item)
-  {
-    if(count($Item['Items']) == 0)
-    {
-      // Hosts
-      $ParentSubnetId = GetSubgroupByRange($Node['Address']->AddressToString().'/'.$Node['Address']->Prefix);
-      $Address = $Item['Address']->AddressToString();
-      if($Item['Address']->Prefix != 32) $Address .= '/'.$Item['Address']->Prefix;
+    // Limited free internet
+    $PacketMark = GetMarkByComment('free-out');
+    $ItemsFirewall[] = array('chain' => 'inet-1-out', 'out-interface' => $InetInterface,
+        'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'comment' => 'free-out', 'passthrough' => 'yes');
+    $PacketMark = GetMarkByComment('free-in');
+    $ItemsFirewall[] = array('chain' => 'inet-1-in', 'in-interface' => $InetInterface,
+        'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'comment' => 'free-in', 'passthrough' => 'no');
+    // Unregistred clients add to address list
+    $ItemsFirewall[] = array('chain' => 'inet-1-out', 'out-interface' => $InetInterface, 'src-address' => '10.145.0.0/16',
+        'action' => 'add-src-to-address-list', 'address-list' => 'unregistred', 'address-list-timeout' => '1d',
+        'comment' => 'unregistred-clients');
 
-      $PacketMark = GetMarkByComment($Item['Name'].'-out');
-      $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-out', 'src-address' => $Address, 'out-interface' =>  $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Item['Name'].'-out');
-      $PacketMark = GetMarkByComment($Item['Name'].'-in');
-      $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-in', 'dst-address' => $Address, 'in-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Item['Name'].'-in');
-    } else
-    {
-      // Subnets
-      $ParentSubnetId = GetSubgroupByRange($Node['Address']->AddressToString().'/'.$Node['Address']->Prefix);
-      $SubnetId = GetSubgroupByRange($Item['Address']->AddressToString().'/'.$Item['Address']->Prefix);
-      $PacketMark = GetMarkByComment($Item['Name'].'-out');
-
-      $Address = $Item['Address']->AddressToString();
-      if($Item['Address']->Prefix != 32) $Address .= '/'.$Item['Address']->Prefix;
-
-      $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-out', 'src-address' => $Address, 'out-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-'.$SubnetId.'-out', 'comment' => $Item['Name'].'-out');
-      $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-in', 'dst-address' => $Address, 'in-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-'.$SubnetId.'-in', 'comment' => $Item['Name'].'-in');
-
-      ProcessNode($Item);
-    }
-  }
-  if($Node['ForceMark'] == true)
-  {
-    // Mark member subnets
-    $ParentSubnetId = GetSubgroupByRange($Node['Address']->AddressToString().'/'.$Node['Address']->Prefix);
-
-    $PacketMark = GetMarkByComment($Node['Name'].'-out');
-    $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-out', 'src-address' => '', 'out-interface' =>  $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Node['Name'].'-all-out');
-    $PacketMark = GetMarkByComment($Node['Name'].'-in');
-    $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-in', 'dst-address' => '', 'in-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Node['Name'].'-all-in');
+    //print_r($ItemsFirewall);
+    $Routerboard->ListUpdate($PathFirewall, array('chain', 'dst-address', 'in-interface', 'action', 'new-packet-mark', 'passthrough', 'comment', 'out-interface', 'src-address', 'jump-target'), $ItemsFirewall, array(), true);
   }
 }
-
-// Generate firewall rules
-$ItemsFirewall = array();
-
-// Root of tree and main limit
-$ItemsFirewall[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'dst-address' => '!77.92.221.0/24', 'action' => 'jump', 'jump-target' => 'inet-1-out', 'comment' => 'main-out');
-$ItemsFirewall[] = array('chain' => 'forward', 'in-interface' => $InetInterface, 'src-address' => '!77.92.221.0/24', 'action' => 'jump', 'jump-target' => 'inet-1-in', 'comment' => 'main-in');
-
-ProcessNode($AddressTree);
-
-// Limited free internet
-$PacketMark = GetMarkByComment('free-out');
-$ItemsFirewall[] = array('chain' => 'inet-1-out', 'out-interface' => $InetInterface,
-  'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'comment' => 'free-out', 'passthrough' => 'yes');
-$PacketMark = GetMarkByComment('free-in');
-$ItemsFirewall[] = array('chain' => 'inet-1-in', 'in-interface' => $InetInterface,
-  'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'comment' => 'free-in', 'passthrough' => 'no');
-// Unregistred clients add to address list
-$ItemsFirewall[] = array('chain' => 'inet-1-out', 'out-interface' => $InetInterface, 'src-address' => '10.145.0.0/16',
-  'action' => 'add-src-to-address-list', 'address-list' => 'unregistred', 'address-list-timeout' => '1d',
-  'comment' => 'unregistred-clients');
-
-//print_r($ItemsFirewall);
-$Routerboard->ListUpdate($PathFirewall, array('chain', 'dst-address', 'in-interface', 'action', 'new-packet-mark', 'passthrough', 'comment', 'out-interface', 'src-address', 'jump-target'), $ItemsFirewall, array(), true);