Changeset 811
- Timestamp:
- Mar 9, 2016, 8:34:07 AM (9 years ago)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/Modules/NetworkConfigRouterOS/Generators/FirewallMangle.php
r781 r811 3 3 class ConfigRouterOSFirewallMangle extends NetworkConfigItem 4 4 { 5 function ProcessNode($Node) 6 { 7 global $InetInterface, $ItemsFirewall; 8 9 foreach($Node['Items'] as $Index => $Item) 10 { 11 if(count($Item['Items']) == 0) 12 { 13 // Hosts 14 $ParentSubnetId = GetSubgroupByRange($Node['Address']->AddressToString().'/'.$Node['Address']->Prefix); 15 $Address = $Item['Address']->AddressToString(); 16 if($Item['Address']->Prefix != 32) $Address .= '/'.$Item['Address']->Prefix; 17 18 $PacketMark = GetMarkByComment($Item['Name'].'-out'); 19 $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-out', 'src-address' => $Address, 'out-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Item['Name'].'-out'); 20 $PacketMark = GetMarkByComment($Item['Name'].'-in'); 21 $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-in', 'dst-address' => $Address, 'in-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Item['Name'].'-in'); 22 } else 23 { 24 // Subnets 25 $ParentSubnetId = GetSubgroupByRange($Node['Address']->AddressToString().'/'.$Node['Address']->Prefix); 26 $SubnetId = GetSubgroupByRange($Item['Address']->AddressToString().'/'.$Item['Address']->Prefix); 27 $PacketMark = GetMarkByComment($Item['Name'].'-out'); 28 29 $Address = $Item['Address']->AddressToString(); 30 if($Item['Address']->Prefix != 32) $Address .= '/'.$Item['Address']->Prefix; 31 32 $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-out', 'src-address' => $Address, 'out-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-'.$SubnetId.'-out', 'comment' => $Item['Name'].'-out'); 33 $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-in', 'dst-address' => $Address, 'in-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-'.$SubnetId.'-in', 'comment' => $Item['Name'].'-in'); 34 35 $this->ProcessNode($Item); 36 } 37 } 38 if($Node['ForceMark'] == true) 39 { 40 // Mark member subnets 41 $ParentSubnetId = GetSubgroupByRange($Node['Address']->AddressToString().'/'.$Node['Address']->Prefix); 42 $PacketMark = GetMarkByComment($Node['Name'].'-out'); 43 $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-out', 'src-address' => '', 'out-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Node['Name'].'-all-out'); 44 $PacketMark = GetMarkByComment($Node['Name'].'-in'); 45 $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-in', 'dst-address' => '', 'in-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Node['Name'].'-all-in'); 46 } 47 } 48 5 49 function Run() 6 50 { 51 global $ItemsFirewall; 52 7 53 $PathFirewall = array('ip', 'firewall', 'mangle'); 8 54 … … 13 59 $Routerboard->Debug = true; 14 60 15 $InetInterface = $ Config['MainRouter']['InetInterface'];61 $InetInterface = $this->System->Config['MainRouter']['InetInterface']; 16 62 17 63 … … 73 119 ShowSubnetNode($AddressTree); 74 120 75 function ProcessNode($Node)76 {77 global $InetInterface, $ItemsFirewall;78 79 foreach($Node['Items'] as $Index => $Item)80 {81 if(count($Item['Items']) == 0)82 {83 // Hosts84 $ParentSubnetId = GetSubgroupByRange($Node['Address']->AddressToString().'/'.$Node['Address']->Prefix);85 $Address = $Item['Address']->AddressToString();86 if($Item['Address']->Prefix != 32) $Address .= '/'.$Item['Address']->Prefix;87 88 $PacketMark = GetMarkByComment($Item['Name'].'-out');89 $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-out', 'src-address' => $Address, 'out-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Item['Name'].'-out');90 $PacketMark = GetMarkByComment($Item['Name'].'-in');91 $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-in', 'dst-address' => $Address, 'in-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Item['Name'].'-in');92 } else93 {94 // Subnets95 $ParentSubnetId = GetSubgroupByRange($Node['Address']->AddressToString().'/'.$Node['Address']->Prefix);96 $SubnetId = GetSubgroupByRange($Item['Address']->AddressToString().'/'.$Item['Address']->Prefix);97 $PacketMark = GetMarkByComment($Item['Name'].'-out');98 99 $Address = $Item['Address']->AddressToString();100 if($Item['Address']->Prefix != 32) $Address .= '/'.$Item['Address']->Prefix;101 102 $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-out', 'src-address' => $Address, 'out-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-'.$SubnetId.'-out', 'comment' => $Item['Name'].'-out');103 $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-in', 'dst-address' => $Address, 'in-interface' => $InetInterface, 'action' => 'jump', 'jump-target' => 'inet-'.$SubnetId.'-in', 'comment' => $Item['Name'].'-in');104 105 ProcessNode($Item);106 }107 }108 if($Node['ForceMark'] == true)109 {110 // Mark member subnets111 $ParentSubnetId = GetSubgroupByRange($Node['Address']->AddressToString().'/'.$Node['Address']->Prefix);112 113 $PacketMark = GetMarkByComment($Node['Name'].'-out');114 $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-out', 'src-address' => '', 'out-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Node['Name'].'-all-out');115 $PacketMark = GetMarkByComment($Node['Name'].'-in');116 $ItemsFirewall[] = array('chain' => 'inet-'.$ParentSubnetId.'-in', 'dst-address' => '', 'in-interface' => $InetInterface, 'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'passthrough' => 'no', 'comment' => $Node['Name'].'-all-in');117 }118 }119 120 121 // Generate firewall rules 121 122 $ItemsFirewall = array(); … … 125 126 $ItemsFirewall[] = array('chain' => 'forward', 'in-interface' => $InetInterface, 'src-address' => '!77.92.221.0/24', 'action' => 'jump', 'jump-target' => 'inet-1-in', 'comment' => 'main-in'); 126 127 127 ProcessNode($AddressTree);128 $this->ProcessNode($AddressTree); 128 129 129 130 // Limited free internet
Note:
See TracChangeset
for help on using the changeset viewer.