firewall: reset states on IPv4 change

(cherry picked from commit 8844e72) (cherry picked from commit 9572345)
opnsense · May 20, 2018 · c5b9f67 · c5b9f67
1 parent ea6a2ba
commit c5b9f67
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 32 deletions.
diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
@@ -168,7 +168,7 @@ function filter_delete_states_for_down_gateways()
     }
 }
 
-function filter_configure_sync($verbose = false)
+function filter_configure_sync($verbose = false, $flush_states = false)
 {
     global $config;
 
@@ -308,7 +308,6 @@ function filter_configure_sync($verbose = false)
         }
     }
 
-
     filter_pflog_start();
 
     if ($verbose) {
@@ -441,7 +440,6 @@ function filter_configure_sync($verbose = false)
         mwexecf('/sbin/pfctl -k label -k %s', $label);
     }
 
-
     /*
      * check for a error while loading the rules file.  if an error has occurred
      * then output the contents of the error to the caller
@@ -494,7 +492,7 @@ function filter_configure_sync($verbose = false)
      * not there, the kill is still fine).
      */
     if (!is_bogonsv6_used()) {
-        exec('/sbin/pfctl -t bogonsv6 -T kill 2>/dev/null');
+        mwexec('/sbin/pfctl -t bogonsv6 -T kill');
     }
 
     if ($verbose) {
@@ -511,6 +509,15 @@ function filter_configure_sync($verbose = false)
         flush();
     }
 
+    if ($flush_states) {
+        mwexec('/sbin/pfctl -Fs');
+    }
+
+    if ($verbose) {
+        echo '.';
+        flush();
+    }
+
     configd_run('template reload OPNsense/Filter');
     configd_run('filter refresh_aliases', true);
 
@@ -519,7 +526,6 @@ function filter_configure_sync($verbose = false)
     }
 
     unlock($filterlck);
-    return 0;
 }
 
 function filter_generate_scrubing(&$FilterIflist)

diff --git a/src/etc/rc.newwanip b/src/etc/rc.newwanip
@@ -61,7 +61,6 @@ if (empty($argument)) {
     }
 }
 
-/* If the interface is configured and not enabled, bail. We do not need to change settings for disabled interfaces. #3313 */
 if (!isset($config['interfaces'][$interface]['enable'])) {
     log_error("Interface '{$interface}' is disabled or empty, nothing to do.");
     return;
@@ -72,8 +71,9 @@ $interface_descr = convert_friendly_interface_to_friendly_descr($interface);
 log_error("On (IP address: {$ip}) (interface: {$interface_descr}[{$interface}]) (real interface: {$interface_real}).");
 
 /*
- * NOTE: Take care of openvpn and similar if you generate the event to reconfigure an interface.
- *    i.e. OpenVPN might be in tap mode and not have an ip.
+ * Take care of OpenVPN and similar if you generate the event
+ * to reconfigure an interface.  OpenVPN might be in tap(4)
+ * mode and not have an IP address.
  */
 if ((empty($ip) || !is_ipaddr($ip)) && substr($interface_real, 0, 4) != 'ovpn') {
     log_error("Failed to detect IP for {$interface_descr}[{$interface}]");
@@ -85,7 +85,6 @@ $configip = $config['interfaces'][$interface]['ipaddr'];
 $cacheip_file = "/var/db/{$interface}_cacheip";
 $ip_file = "/var/db/{$interface}_ip";
 
-/* write the current interface IP to file */
 if (is_ipaddr($ip)) {
     @file_put_contents($ip_file, $ip);
 }
@@ -115,7 +114,6 @@ if (!empty($bridgetmp)) {
 system_resolvconf_generate();
 system_hosts_generate();
 
-/* check tunneled IPv6 interface tracking */
 if (isset($config['interfaces'][$interface]['ipaddrv6'])) {
     switch($config['interfaces'][$interface]['ipaddrv6']) {
         case "6to4":
@@ -133,7 +131,6 @@ if (isset($config['interfaces'][$interface]['ipaddrv6'])) {
     }
 }
 
-/* Check Gif tunnels */
 if (isset($config['gifs']['gif']) && is_array($config['gifs']['gif'])){
     foreach ($config['gifs']['gif'] as $gif) {
         if ($gif['if'] == $interface) {
@@ -153,23 +150,18 @@ if (isset($config['gifs']['gif']) && is_array($config['gifs']['gif'])){
 
 $cacheip = @file_get_contents($cacheip_file);
 
-/*
- * We need to force sync VPNs on such even when the IP is the same for dynamic interfaces.
- * Even with the same IP the VPN software is unhappy with the IP disappearing, and we
- * could be failing back in which case we need to switch IPs back anyhow.
- */
 if (!is_ipaddr($cacheip) || $ip != $cacheip || !is_ipaddr($configip)) {
     @unlink($cacheip_file);
 
     system_routing_configure(false, $interface);
-    setup_gateways_monitor();
-    filter_configure_sync();
+    setup_gateways_monitor(false);
+    filter_configure_sync(false, isset($config['system']['ip_change_kill_states']));
 
     if (is_ipaddr($ip)) {
         @file_put_contents($cacheip_file, $ip);
     }
 
     plugins_configure('vpn', false, array($interface));
     plugins_configure('newwanip', false, array($interface));
-    rrd_configure();
+    rrd_configure(false);
 }
diff --git a/src/etc/rc.newwanipv6 b/src/etc/rc.newwanipv6
@@ -58,7 +58,6 @@ if (empty($argument)) {
     $ip = get_interface_ipv6($interface);
 }
 
-/* If the interface is configured and not enabled, bail. We do not need to change settings for disabled interfaces. #3313 */
 if (!isset($config['interfaces'][$interface]['enable'])) {
     log_error("Interface '{$interface}' is disabled or empty, nothing to do.");
     return;
@@ -69,8 +68,9 @@ $interface_descr = convert_friendly_interface_to_friendly_descr($interface);
 log_error("On (IP address: {$ip}) (interface: {$interface_descr}[{$interface}]) (real interface: {$interface_real}).");
 
 /*
- * NOTE: Take care of openvpn and similar if you generate the event to reconfigure an interface.
- *    i.e. OpenVPN might be in tap mode and not have an ip.
+ * Take care of OpenVPN and similar if you generate the event
+ * to reconfigure an interface.  OpenVPN might be in tap(4)
+ * mode and not have an IP address.
  */
 if ((empty($ip) || !is_ipaddr($ip)) && substr($interface_real, 0, 4) != 'ovpn') {
     log_error("Failed to detect IP for {$interface_descr}[{$interface}]");
@@ -104,12 +104,10 @@ if (!empty($new_domain_name)) {
     @file_put_contents($searchdomain_file, $new_domain_name);
 }
 
-/* write current WAN IPv6 to file */
 if (is_ipaddr($ip)) {
     @file_put_contents($ip_file, $ip);
 }
 
-
 $grouptmp = link_interface_to_group($interface);
 if (!empty($grouptmp)) {
     array_walk($grouptmp, 'interface_group_add_member');
@@ -121,11 +119,6 @@ system_hosts_generate();
 
 $cacheip = @file_get_contents($cacheip_file);
 
-/*
- * We need to force sync VPNs on such even when the IP is the same for dynamic interfaces.
- * Even with the same IP the VPN software is unhappy with the IP disappearing, and we
- * could be failing back in which case we need to switch IPs back anyhow.
- */
 if (!is_ipaddr($cacheip) || $ip != $cacheip || !is_ipaddr($configip)) {
     if (is_ipaddr($ip)) {
         if ($ip == $cacheip) {
@@ -143,14 +136,14 @@ if (!is_ipaddr($cacheip) || $ip != $cacheip || !is_ipaddr($configip)) {
     @unlink($cacheip_file);
 
     system_routing_configure(false, $interface);
-    setup_gateways_monitor();
-    filter_configure_sync();
+    setup_gateways_monitor(false);
+    filter_configure_sync(false);
 
     if (is_ipaddr($ip)) {
         @file_put_contents($cacheip_file, $ip);
     }
 
     plugins_configure('vpn', false, array($interface));
     plugins_configure('newwanip', false, array($interface));
-    rrd_configure();
+    rrd_configure(false);
 }
diff --git a/src/www/system_advanced_firewall.php b/src/www/system_advanced_firewall.php
@@ -61,6 +61,7 @@
     $pconfig['enablebinatreflection'] = !empty($config['system']['enablebinatreflection']);
     $pconfig['enablenatreflectionhelper'] = isset($config['system']['enablenatreflectionhelper']) ? $config['system']['enablenatreflectionhelper'] : null;
     $pconfig['bypassstaticroutes'] = isset($config['filter']['bypassstaticroutes']);
+    $pconfig['ip_change_kill_states'] = isset($config['system']['ip_change_kill_states']);
 } elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
     $pconfig = $_POST;
     $input_errors = array();
@@ -213,6 +214,12 @@
             unset($config['system']['gw_switch_default']);
         }
 
+        if (!empty($pconfig['ip_change_kill_states'])) {
+            $config['system']['ip_change_kill_states'] = true;
+        } elseif (isset($config['system']['ip_change_kill_states'])) {
+            unset($config['system']['ip_change_kill_states']);
+        }
+
         write_config();
 
         $savemsg = get_std_save_message();
@@ -641,6 +648,16 @@
                     </div>
                   </td>
                 </tr>
+                <tr>
+                  <td><a id="help_for_ip_change_kill_states" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Dynamic state reset') ?></td>
+                  <td>
+                    <input name="ip_change_kill_states" type="checkbox" value="yes" <?=!empty($pconfig['ip_change_kill_states']) ? 'checked="checked"' : '' ?> />
+                    <strong><?= gettext('Reset all states when a dynamic IP address changes.') ?></strong>
+                    <div class="hidden" data-for="help_for_ip_change_kill_states">
+                      <?=gettext("This option flushes the entire state table on IPv4 address changes in dynamic setups to e.g. allow VoIP servers to re-register.");?>
+                    </div>
+                  </td>
+                </tr>
                 <tr>
                   <td></td>
                   <td><input name="Submit" type="submit" class="btn btn-primary" value="<?=gettext("Save");?>" /></td>