Ignore:
Timestamp:
Apr 3, 2020, 12:30:49 AM (5 years ago)
Author:
chronos
Message:
  • Added: IPv6 mangle firewall configuration.
Location:
trunk/Modules/NetworkConfigRouterOS/Generators
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/Modules/NetworkConfigRouterOS/Generators/Common.php

    r790 r870  
    3333}
    3434
    35 function InsertToAddressTree(&$Tree, $Address, $Name, $InterSubnets = false, $ForceMark = false)
     35function InsertToAddressTreeIPv4(&$Tree, $Address, $Name, $InterSubnets = false, $ForceMark = false)
    3636{
    3737  global $Config;
     
    4242    if($Node['Address']->Contain($Address))
    4343    {
    44       InsertToAddressTree($Tree['Items'][$Index], $Address, $Name, true);
     44      InsertToAddressTreeIPv4($Tree['Items'][$Index], $Address, $Name, true);
    4545      $Found = true;
    4646    }
     
    5454      $NewAddress->Address = $Address->Address;
    5555      $NewAddress->ChangePrefix($Tree['Address']->Prefix + 1);
    56       //echo('InsertToTree('.$NewAddress->AddressToString().'/'.$NewAddress->Prefix.')'."\n");
    5756      $Tree['Items'][] = array('Address' => $NewAddress, 'Name' => $Name, 'Items' => array(), 'ForceMark' => false);
    58       InsertToAddressTree($Tree['Items'][count($Tree['Items']) - 1], $Address, $Name, true);
     57      InsertToAddressTreeIPv4($Tree['Items'][count($Tree['Items']) - 1], $Address, $Name, true);
    5958    } else
    6059    {
    61 
    6260      $NewNode = array('Address' => $Address, 'Name' => $Name, 'Items' => array(), 'ForceMark' => $ForceMark);
    6361
     
    6967        ($Node['Address']->Prefix == $NewNode['Address']->Prefix)) $Found = true;
    7068
    71         //echo($Index.',');
     69        if($Address->Contain($Node['Address']))
     70        {
     71          $NewNode['Items'][] = $Node;
     72          unset($Tree['Items'][$Index]);
     73        }
     74      }
     75      if($Found == false) $Tree['Items'][] = $NewNode;
     76    }
     77  }
     78}
     79
     80function InsertToAddressTreeIPv6(&$Tree, $Address, $Name, $InterSubnets = false, $ForceMark = false)
     81{
     82  global $Config;
     83
     84  $Found = false;
     85  foreach($Tree['Items'] as $Index => $Node)
     86  {
     87    if($Node['Address']->Contain($Address))
     88    {
     89      InsertToAddressTreeIPv6($Tree['Items'][$Index], $Address, $Name, true);
     90      $Found = true;
     91    }
     92  }
     93  if($Found == false)
     94  {
     95    if($InterSubnets and ($Tree['Address']->Prefix < $Config['MainRouter']['MangleRuleSubgroupMinPrefix']) and
     96    ($Address->Prefix > ($Tree['Address']->Prefix + 1)))
     97    {
     98      $NewAddress = new NetworkAddressIPv6();
     99      $NewAddress->Address = $Address->Address;
     100      $NewAddress->ChangePrefix($Tree['Address']->Prefix + 1);
     101      $Tree['Items'][] = array('Address' => $NewAddress, 'Name' => $Name, 'Items' => array(), 'ForceMark' => false);
     102      InsertToAddressTreeIPv6($Tree['Items'][count($Tree['Items']) - 1], $Address, $Name, true);
     103    } else
     104    {
     105      $NewNode = array('Address' => $Address, 'Name' => $Name, 'Items' => array(), 'ForceMark' => $ForceMark);
     106
     107      // Should be existed items placed under new node?
     108      $Found = false;
     109      foreach($Tree['Items'] as $Index => $Node)
     110      {
     111        if(($Node['Address']->Address == $NewNode['Address']->Address) and
     112        ($Node['Address']->Prefix == $NewNode['Address']->Prefix)) $Found = true;
     113
    72114        if($Address->Contain($Node['Address']))
    73115        {
     
    89131  }
    90132}
    91 
    92 /*
    93 function Test()
    94 {
    95   $SubnetTree = array('Address' => new NetworkAddressIPv4(), 'Items' => array());
    96 
    97   $NewAddress = new NetworkAddressIPv4();
    98   $NewAddress->AddressFromString('10.145.64.0');
    99   $NewAddress->Prefix = 24;
    100   InsertToAddressTree($SubnetTree, $NewAddress);
    101   $NewAddress = new NetworkAddressIPv4();
    102   $NewAddress->AddressFromString('10.145.64.0');
    103   $NewAddress->Prefix = 29;
    104   InsertToAddressTree($SubnetTree, $NewAddress);
    105   $NewAddress = new NetworkAddressIPv4();
    106   $NewAddress->AddressFromString('10.145.65.0');
    107   $NewAddress->Prefix = 24;
    108   InsertToAddressTree($SubnetTree, $NewAddress);
    109   $NewAddress = new NetworkAddressIPv4();
    110   $NewAddress->AddressFromString('10.145.65.156');
    111   $NewAddress->Prefix = 32;
    112   InsertToAddressTree($SubnetTree, $NewAddress);
    113   $NewAddress = new NetworkAddressIPv4();
    114   $NewAddress->AddressFromString('10.145.64.0');
    115   $NewAddress->Prefix = 20;
    116   InsertToAddressTree($SubnetTree, $NewAddress);
    117 
    118 
    119   ShowSubnetNode($SubnetTree);
    120   die();
    121 }
    122 */
  • trunk/Modules/NetworkConfigRouterOS/Generators/FirewallMangle.php

    r811 r870  
    4949  function Run()
    5050  {
     51    $this->RunIPv4();
     52    $this->RunIPv6();
     53  }
     54
     55  function RunIPv4()
     56  {
    5157    global $ItemsFirewall;
    52    
     58
    5359    $PathFirewall = array('ip', 'firewall', 'mangle');
    5460
     
    6167    $InetInterface = $this->System->Config['MainRouter']['InetInterface'];
    6268
    63 
    6469    // Generate address tree
    6570    $AddressTree = array('Address' => new NetworkAddressIPv4(), 'Name' => 'main', 'Items' => array(), 'ForceMark' => false);
     
    7277      $NewAddress->AddressFromString($Subnet['AddressRange']);
    7378      $NewAddress->Prefix = $Subnet['Mask'];
    74       InsertToAddressTree($AddressTree, $NewAddress, 'subnet-'.RouterOSIdent($Subnet['Name']));
     79      InsertToAddressTreeIPv4($AddressTree, $NewAddress, 'subnet-'.RouterOSIdent($Subnet['Name']));
    7580    }
    7681
     
    96101          $NewAddress = new NetworkAddressIPv4();
    97102          $NewAddress->AddressFromString($Interface['LocalIP']);
    98           $NewAddress->Prefix = 32;
    99           InsertToAddressTree($AddressTree, $NewAddress, $Name);
     103          $NewAddress->Prefix = IPV4_BIT_WIDTH;
     104          InsertToAddressTreeIPv4($AddressTree, $NewAddress, $Name);
    100105        }
    101106      }
    102107
    103       $DbResult2 = $this->Database->select('NetworkSubnet', '*', '`Member`='.$Member['Id']);
     108      $DbResult2 = $this->Database->select('NetworkSubnet', '*', '(`Member`='.$Member['Id'].') AND (AddressRange != "")');
    104109      while($Subnet = $DbResult2->fetch_assoc())
    105110      {
     
    112117        else $ForceMark = false;
    113118        echo($ForceMark.', ');
    114         InsertToAddressTree($AddressTree, $NewAddress, $Subnet['Name'], false, $ForceMark);
     119        InsertToAddressTreeIPv4($AddressTree, $NewAddress, $Subnet['Name'], false, $ForceMark);
    115120      }
    116121      echo("\n");
     
    143148    $Routerboard->ListUpdate($PathFirewall, array('chain', 'dst-address', 'in-interface', 'action', 'new-packet-mark', 'passthrough', 'comment', 'out-interface', 'src-address', 'jump-target'), $ItemsFirewall, array(), true);
    144149  }
     150
     151  function RunIPv6()
     152  {
     153    global $ItemsFirewall;
     154
     155    $PathFirewall = array('ipv6', 'firewall', 'mangle');
     156
     157    $Routerboard = new Routerboard();
     158    $Routerboard->UserName = $this->System->Config['MainRouter']['UserName'];
     159    $Routerboard->Timeout = $this->System->Config['MainRouter']['ConnectTimeout'];
     160    $Routerboard->HostName = $this->System->Config['MainRouter']['HostName'];
     161    $Routerboard->Debug = true;
     162
     163    $InetInterface = $this->System->Config['MainRouter']['InetInterface'];
     164
     165    // Generate address tree
     166    $AddressTree = array('Address' => new NetworkAddressIPv4(), 'Name' => 'main', 'Items' => array(), 'ForceMark' => false);
     167
     168    // Divide rules by subnet number
     169    $DbResult = $this->System->Database->query('SELECT `Id`, `Name`, `AddressRangeIPv6`, `MaskIPv6` FROM `NetworkSubnet` '.
     170      'WHERE (`Member` IS NULL) AND (`AddressRangeIPv6` != "")');
     171    while($Subnet = $DbResult->fetch_assoc())
     172    {
     173      $NewAddress = new NetworkAddressIPv6();
     174      $NewAddress->AddressFromString($Subnet['AddressRangeIPv6']);
     175      $NewAddress->Prefix = $Subnet['MaskIPv6'];
     176      InsertToAddressTreeIPv6($AddressTree, $NewAddress, 'subnet-'.RouterOSIdent($Subnet['Name']));
     177    }
     178
     179    // Process users
     180    $DbResult = $this->System->Database->query('SELECT `Member`.*, `Subject`.`Name` FROM `Member` '.
     181        'LEFT JOIN `Subject` ON `Subject`.`Id` = `Member`.`Subject` '.
     182        'WHERE `Member`.`Blocked` = 0');
     183    while($Member = $DbResult->fetch_assoc())
     184    {
     185      $Member['Name'] = RouterOSIdent($Member['Name'].'-'.$Member['Id'] );
     186      echo('Uživatel '.$Member['Name'].': ');
     187
     188      $DbResult2 = $this->System->Database->select('NetworkDevice', '*', '`Used` = 1 AND `Member` = '.$Member['Id']);
     189      while($Device = $DbResult2->fetch_assoc())
     190      {
     191        $DbResult3 = $this->Database->select('NetworkInterface', '*', '`Device` = '.$Device['Id'].' AND `IPv6` != ""');
     192        while($Interface = $DbResult3->fetch_assoc())
     193        {
     194          $Name = $Device['Name'];
     195          if($Interface['Name'] != '') $Name .= '-'.$Interface['Name'];
     196          $Name = RouterOSIdent($Name);
     197          echo($Name.', ');
     198          $NewAddress = new NetworkAddressIPv6();
     199          $NewAddress->AddressFromString($Interface['IPv6']);
     200          $NewAddress->Prefix = IPV6_BIT_WIDTH;
     201          InsertToAddressTreeIPv6($AddressTree, $NewAddress, $Name);
     202        }
     203      }
     204
     205      $DbResult2 = $this->Database->select('NetworkSubnet', '*', '(`Member`='.$Member['Id'].') AND (AddressRangeIPv6 != "")');
     206      while($Subnet = $DbResult2->fetch_assoc())
     207      {
     208        $Subnet['Name'] = RouterOSIdent('subnet-'.$Subnet['Name']);
     209        echo($Subnet['Name'].', ');
     210        $NewAddress = new NetworkAddressIPv6();
     211        $NewAddress->AddressFromString($Subnet['AddressRangeIPv6']);
     212        $NewAddress->Prefix = $Subnet['MaskIPv6'];
     213        if($Subnet['Member'] != 0) $ForceMark = true;
     214        else $ForceMark = false;
     215        echo($ForceMark.', ');
     216        InsertToAddressTreeIPv6($AddressTree, $NewAddress, $Subnet['Name'], false, $ForceMark);
     217      }
     218      echo("\n");
     219    }
     220
     221    ShowSubnetNode($AddressTree);
     222
     223    // Generate firewall rules
     224    $ItemsFirewall = array();
     225
     226    // Root of tree and main limit
     227    $ItemsFirewall[] = array('chain' => 'forward', 'out-interface' => $InetInterface, 'dst-address' => '!2a00:e580:244::/48',
     228      'action' => 'jump', 'jump-target' => 'inet-1-out', 'comment' => 'main-out');
     229    $ItemsFirewall[] = array('chain' => 'forward', 'in-interface' => $InetInterface, 'src-address' => '!2a00:e580:244::/48',
     230      'action' => 'jump', 'jump-target' => 'inet-1-in', 'comment' => 'main-in');
     231
     232    $this->ProcessNode($AddressTree);
     233
     234    // Limited free internet
     235    $PacketMark = GetMarkByComment('free-out');
     236    $ItemsFirewall[] = array('chain' => 'inet-1-out', 'out-interface' => $InetInterface,
     237        'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'comment' => 'free-out', 'passthrough' => 'yes');
     238    $PacketMark = GetMarkByComment('free-in');
     239    $ItemsFirewall[] = array('chain' => 'inet-1-in', 'in-interface' => $InetInterface,
     240        'action' => 'mark-packet', 'new-packet-mark' => $PacketMark, 'comment' => 'free-in', 'passthrough' => 'no');
     241    // Unregistred clients add to address list
     242    $ItemsFirewall[] = array('chain' => 'inet-1-out', 'out-interface' => $InetInterface, 'src-address' => '2a00:e580:244::/48',
     243        'action' => 'add-src-to-address-list', 'address-list' => 'unregistred', 'address-list-timeout' => '1d',
     244        'comment' => 'unregistred-clients');
     245
     246    //print_r($ItemsFirewall);
     247    $Routerboard->ListUpdate($PathFirewall, array('chain', 'dst-address', 'in-interface', 'action', 'new-packet-mark',
     248      'passthrough', 'comment', 'out-interface', 'src-address', 'jump-target'), $ItemsFirewall, array(), true);
     249  }
    145250}
Note: See TracChangeset for help on using the changeset viewer.