Changeset 811


Timestamp:
Mar 9, 2016, 8:34:07 AM (9 years ago)
Author:
chronos
Message:
  • Fixed: RouterOS firewall mangle configuration.
File:
1 edited

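--- a/trunk/Modules/NetworkConfigRouterOS/Generators/FirewallMangle.php
+++ b/trunk/Modules/NetworkConfigRouterOS/Generators/FirewallMangle.php
@@ -3,6 +3,52 @@
 class ConfigRouterOSFirewallMangle extends NetworkConfigItem
 {
+  function ProcessNode($Node)
+  {
+    global $InetInterface, $ItemsFirewall;
+
+    foreach($Node['Items'] as $Index => $Item)
+    {
+      if(count($Item['Items']) == 0)
+      {
+        // Hosts
+        $ParentSubnetId = GetSubgroupByRange($Node['Address']->AddressToString().'/'.$Node['Address']->Prefix);
+        $Address = $Item['Address']->AddressToString();
+        if($Item['Address']->Prefix != 32) $Address .= '/'.$Item['Address']->Prefix;
+
+        $PacketMark = GetMarkByComment($Item['Name'].'-out');
+        $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-out', 'src-address' => $Address, 'out-interface' =>  $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Item['Name'].'-out');
+        $PacketMark = GetMarkByComment($Item['Name'].'-in');
+        $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-in', 'dst-address' => $Address, 'in-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Item['Name'].'-in');
+      } else
+      {
+        // Subnets
+        $ParentSubnetId = GetSubgroupByRange($Node['Address']->AddressToString().'/'.$Node['Address']->Prefix);
+        $SubnetId = GetSubgroupByRange($Item['Address']->AddressToString().'/'.$Item['Address']->Prefix);
+        $PacketMark = GetMarkByComment($Item['Name'].'-out');
+
+        $Address = $Item['Address']->AddressToString();
+        if($Item['Address']->Prefix != 32) $Address .= '/'.$Item['Address']->Prefix;
+
+        $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-out', 'src-address' => $Address, 'out-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-'.$SubnetId.'-out', 'comment' => $Item['Name'].'-out');
+        $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-in', 'dst-address' => $Address, 'in-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-'.$SubnetId.'-in', 'comment' => $Item['Name'].'-in');
+
+        $this->ProcessNode($Item);
+      }
+    }
+    if($Node['ForceMark'] == true)
+    {
+      // Mark member subnets
+      $ParentSubnetId = GetSubgroupByRange($Node['Address']->AddressToString().'/'.$Node['Address']->Prefix);
+      $PacketMark = GetMarkByComment($Node['Name'].'-out');
+      $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-out', 'src-address' => '', 'out-interface' =>  $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Node['Name'].'-all-out');
+      $PacketMark = GetMarkByComment($Node['Name'].'-in');
+      $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-in', 'dst-address' => '', 'in-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Node['Name'].'-all-in');
+    }
+  }
+
   function Run()
   {
+    global $ItemsFirewall;
+   
     $PathFirewall = array('ip', 'firewall', 'mangle');
 
@@ -13,5 +59,5 @@
     $Routerboard->Debug = true;
 
-    $InetInterface = $Config['MainRouter']['InetInterface'];
+    $InetInterface = $this->System->Config['MainRouter']['InetInterface'];
 
 
@@ -73,49 +119,4 @@
     ShowSubnetNode($AddressTree);
 
-    function ProcessNode($Node)
-    {
-      global $InetInterface, $ItemsFirewall;
-
-      foreach($Node['Items'] as $Index => $Item)
-      {
-        if(count($Item['Items']) == 0)
-        {
-          // Hosts
-          $ParentSubnetId = GetSubgroupByRange($Node['Address']->AddressToString().'/'.$Node['Address']->Prefix);
-          $Address = $Item['Address']->AddressToString();
-          if($Item['Address']->Prefix != 32) $Address .= '/'.$Item['Address']->Prefix;
-
-          $PacketMark = GetMarkByComment($Item['Name'].'-out');
-          $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-out', 'src-address' => $Address, 'out-interface' =>  $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Item['Name'].'-out');
-          $PacketMark = GetMarkByComment($Item['Name'].'-in');
-          $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-in', 'dst-address' => $Address, 'in-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Item['Name'].'-in');
-        } else
-        {
-          // Subnets
-          $ParentSubnetId = GetSubgroupByRange($Node['Address']->AddressToString().'/'.$Node['Address']->Prefix);
-          $SubnetId = GetSubgroupByRange($Item['Address']->AddressToString().'/'.$Item['Address']->Prefix);
-          $PacketMark = GetMarkByComment($Item['Name'].'-out');
-
-          $Address = $Item['Address']->AddressToString();
-          if($Item['Address']->Prefix != 32) $Address .= '/'.$Item['Address']->Prefix;
-
-          $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-out', 'src-address' => $Address, 'out-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-'.$SubnetId.'-out', 'comment' => $Item['Name'].'-out');
-          $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-in', 'dst-address' => $Address, 'in-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-'.$SubnetId.'-in', 'comment' => $Item['Name'].'-in');
-
-          ProcessNode($Item);
-        }
-      }
-      if($Node['ForceMark'] == true)
-      {
-        // Mark member subnets
-        $ParentSubnetId = GetSubgroupByRange($Node['Address']->AddressToString().'/'.$Node['Address']->Prefix);
-
-        $PacketMark = GetMarkByComment($Node['Name'].'-out');
-        $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-out', 'src-address' => '', 'out-interface' =>  $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Node['Name'].'-all-out');
-        $PacketMark = GetMarkByComment($Node['Name'].'-in');
-        $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-in', 'dst-address' => '', 'in-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Node['Name'].'-all-in');
-      }
-    }
-
     // Generate firewall rules
     $ItemsFirewall = array();
@@ -125,5 +126,5 @@
     $ItemsFirewall[] = array('chain' => 'forward', 'in-interface' => $InetInterface, 'src-address' => '!77.92.221.0/24', 'action' => 'jump', 'jump-target' => 'inet-1-in', 'comment' => 'main-in');
 
-    ProcessNode($AddressTree);
+    $this->ProcessNode($AddressTree);
 
     // Limited free internet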
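Review bot: The new ProcessNode method reads `$InetInterface` through `global $InetInterface, $ItemsFirewall;`, but Run() assigns it as a plain method local (`$InetInterface = $this->System->Config['MainRouter']['InetInterface'];`) and, unlike the `global $ItemsFirewall;` it adds at the top of Run(), never declares it global; unless a `global $InetInterface` exists in a part of Run() outside these hunks, every generated mark-packet and jump rule carries an empty `in-interface`/`out-interface`, which is either rejected when the rules are pushed to the router or, if the empty attribute is dropped while the commands are built, applied to traffic on every interface rather than only the Internet-facing one. Now that both pieces are methods, instance state is the cleaner fix than widening the global: declare a class property `$InetInterface`, assign `$this->InetInterface = $this->System->Config['MainRouter']['InetInterface'];` in Run(), and reference `$this->InetInterface` in the rule arrays (`$ItemsFirewall` could be carried the same way). Run() continues outside the hunk. The loose `if($Node['ForceMark'] == true)` in the new method would also be safer as `=== true`, since a non-empty string or `1` in that field currently enables the catch-all `-all-out`/`-all-in` marks.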