Show rule state details in firewall rules.

Inspired by pull request #1901 from marcelloc/hitcount_23_02. State visualization and kill will be committed in a subsequent commit.
pfsense · Jan 28, 2016 · cc2cff0 · phil-davis · Jan 28, 2016 · rbgarga
1 parent 7ffd907
commit cc2cff0
Show file tree

Hide file tree

Showing 3 changed files with 91 additions and 13 deletions.
diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
@@ -136,8 +136,19 @@ $icmp6types = array(
 	"mtrace"	=> gettext("mtrace messages")
 );
 
-global $tracker;
-global $negate_tracker;
+/*
+ * Fixed tracker values (used to group and track usage in GUI):
+ *
+ * bogons rules:	10000
+ * anti-lockout rules:	11000
+ * RFC1918 rules:	12000
+ *
+ */
+
+define("ANTILOCKOUT_TRACKER", 10000);
+define("BOGONS_TRACKER", 11000);
+define("RFC1918_TRACKER", 12000);
+
 $tracker = 1000000000;
 $negate_tracker = 10000000;
 
@@ -3271,18 +3282,19 @@ EOD;
 		}
 
 		if (isset($config['interfaces'][$on]['blockbogons'])) {
+			$bogons_tracker = BOGONS_TRACKER;
 			$ipfrules .= <<<EOD
 # block bogon networks (IPv4)
 # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
-block in $bogonlog quick on \${$oc['descr']} from <bogons> to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("block bogon IPv4 networks from {$oc['descr']}")}"
+block in $bogonlog quick on \${$oc['descr']} from <bogons> to any tracker $bogons_tracker label "{$fix_rule_label("block bogon IPv4 networks from {$oc['descr']}")}"
 
 EOD;
 
 			if (isset($config['system']['ipv6allow'])) {
 				$ipfrules .= <<<EOD
 # block bogon networks (IPv6)
 # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
-block in $bogonlog quick on \${$oc['descr']} from <bogonsv6> to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("block bogon IPv6 networks from {$oc['descr']}")}"
+block in $bogonlog quick on \${$oc['descr']} from <bogonsv6> to any tracker $bogons_tracker label "{$fix_rule_label("block bogon IPv6 networks from {$oc['descr']}")}"
 
 EOD;
 			}
@@ -3317,13 +3329,14 @@ EOD;
 
 		if (isset($config['interfaces'][$on]['blockpriv'])) {
 			if ($isbridged == false) {
+				$rfc1918_tracker = RFC1918_TRACKER;
 				$ipfrules .= <<<EOD
 # block anything from private networks on interfaces with the option set
-block in $privnetlog quick on \${$oc['descr']} from 10.0.0.0/8 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 10/8")}"
-block in $privnetlog quick on \${$oc['descr']} from 127.0.0.0/8 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 127/8")}"
-block in $privnetlog quick on \${$oc['descr']} from 172.16.0.0/12 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 172.16/12")}"
-block in $privnetlog quick on \${$oc['descr']} from 192.168.0.0/16 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 192.168/16")}"
-block in $privnetlog quick on \${$oc['descr']} from fc00::/7 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block ULA networks from {$oc['descr']} block fc00::/7")}"
+block in $privnetlog quick on \${$oc['descr']} from 10.0.0.0/8 to any tracker $rfc1918_tracker label "{$fix_rule_label("Block private networks from {$oc['descr']} block 10/8")}"
+block in $privnetlog quick on \${$oc['descr']} from 127.0.0.0/8 to any tracker $rfc1918_tracker label "{$fix_rule_label("Block private networks from {$oc['descr']} block 127/8")}"
+block in $privnetlog quick on \${$oc['descr']} from 172.16.0.0/12 to any tracker $rfc1918_tracker label "{$fix_rule_label("Block private networks from {$oc['descr']} block 172.16/12")}"
+block in $privnetlog quick on \${$oc['descr']} from 192.168.0.0/16 to any tracker $rfc1918_tracker label "{$fix_rule_label("Block private networks from {$oc['descr']} block 192.168/16")}"
+block in $privnetlog quick on \${$oc['descr']} from fc00::/7 to any tracker $rfc1918_tracker label "{$fix_rule_label("Block ULA networks from {$oc['descr']} block fc00::/7")}"
 
 EOD;
 			}
@@ -3533,22 +3546,23 @@ EOD;
 	if (is_array($config['system']['webgui']) && !isset($config['system']['webgui']['noantilockout'])) {
 		$alports = filter_get_antilockout_ports();
 
+		$lockout_tracker = ANTILOCKOUT_TRACKER;
 		if (count($config['interfaces']) > 1 && !empty($FilterIflist['lan']['if'])) {
 			/* if antilockout is enabled, LAN exists and has
 			 * an IP and subnet mask assigned
 			 */
 			$lanif = $FilterIflist['lan']['if'];
 			$ipfrules .= <<<EOD
 # make sure the user cannot lock himself out of the webConfigurator or SSH
-pass in {$log['pass']} quick on {$lanif} proto tcp from any to ({$lanif}) port { {$alports} } tracker {$increment_tracker($tracker)} keep state label "anti-lockout rule"
+pass in {$log['pass']} quick on {$lanif} proto tcp from any to ({$lanif}) port { {$alports} } tracker $lockout_tracker keep state label "anti-lockout rule"
 
 EOD;
 		} else if (count($config['interfaces']) == 1) {
 			/* single-interface deployment, add to WAN	*/
 			$wanif = $FilterIflist["wan"]['if'];
 			$ipfrules .= <<<EOD
 # make sure the user cannot lock himself out of the webConfigurator or SSH
-pass in {$log['pass']} quick on {$wanif} proto tcp from any to ({$wanif}) port { {$alports} } tracker {$increment_tracker($tracker)} keep state label "anti-lockout rule"
+pass in {$log['pass']} quick on {$wanif} proto tcp from any to ({$wanif}) port { {$alports} } tracker $lockout_tracker keep state label "anti-lockout rule"
 
 EOD;
 		}

diff --git a/src/etc/inc/util.inc b/src/etc/inc/util.inc
@@ -1724,6 +1724,19 @@ function format_bytes($bytes) {
 	}
 }
 
+function format_number($num, $precision = 3) {
+	$units = array('', 'K', 'M', 'G', 'T');
+
+	$i = 0;
+	while ($num > 1000 && $i < count($units)) {
+		$num /= 1000;
+		$i++;
+	}
+	round($num, $precision);
+
+	return ("$num {$units[$i]}");
+}
+
 function update_filter_reload_status($text) {
 	global $g;
 

diff --git a/src/usr/local/www/firewall_rules.php b/src/usr/local/www/firewall_rules.php
@@ -72,6 +72,51 @@
 $pgtitle = array(gettext("Firewall"), gettext("Rules"));
 $shortcut_section = "firewall";
 
+function get_pf_rules($rules, $tracker) {
+
+	if ($rules == NULL || !is_array($rules))
+		return (NULL);
+
+	$arr = array();
+	for ($i = 0; $i < count($rules); $i++) {
+		if ($rules[$i]['tracker'] === $tracker)
+			$arr[] = $rules[$i];
+	}
+
+	if (count($arr) == 0)
+		return (NULL);
+
+	return ($arr);
+}
+
+function print_states($tracker) {
+	global $rulescnt;
+
+	$rulesid = "";
+	$bytes = 0;
+	$states = 0;
+	$packets = 0;
+	$evaluations = 0;
+	$stcreations = 0;
+	$rules = get_pf_rules($rulescnt, $tracker);
+	for ($j = 0; is_array($rules) && $j < count($rules); $j++) {
+		$bytes += $rules[$j]['bytes'];
+		$states += $rules[$j]['states'];
+		$packets += $rules[$j]['packets'];
+		$evaluations += $rules[$j]['evaluations'];
+		$stcreations += $rules[$j]['state creations'];
+		if (strlen($rulesid) > 0)
+			$rulesid .= ",";
+		$rulesid .= "{$rules[$j]['id']}";
+	}
+	printf("<a href=\"diag_dump_states.php?ruleid=%s\" data-toggle=\"popover\" data-trigger=\"hover focus\" title=\"%s\" ",
+	    $rulesid, gettext("States details"));
+	printf("data-content=\"evaluations: %s<br>packets: %s<br>bytes: %s<br>states: %s<br>state creations: %s\" data-html=\"true\">",
+	    format_number($evaluations), format_number($packets), format_bytes($bytes),
+	    format_number($states), format_number($stcreations));
+	printf("%d/%s</a><br>", format_number($states), format_bytes($bytes));
+}
+
 function delete_nat_association($id) {
 	global $config;
 
@@ -300,8 +345,10 @@ function delete_nat_association($id) {
 	$showblockbogons = true;
 }
 
-?>
+/* Load the counter data of each pf rule. */
+$rulescnt = pfSense_get_pf_rules();
 
+?>
 <form method="post">
 	<div class="panel panel-default">
 		<div class="panel-heading"><h2 class="panel-title"><?=gettext("Rules (Drag to change order)")?></h2></div>
@@ -311,6 +358,7 @@ function delete_nat_association($id) {
 					<tr>
 						<th><!-- checkbox --></th>
 						<th><!-- status icons --></th>
+						<th><?=gettext("States")?></th>
 						<th><?=gettext("Protocol")?></th>
 						<th><?=gettext("Source")?></th>
 						<th><?=gettext("Port")?></th>
@@ -335,6 +383,7 @@ function delete_nat_association($id) {
 					<tr id="antilockout">
 						<td></td>
 						<td title="<?=gettext("traffic is passed")?>"><i class="fa fa-check text-success"></i></td>
+						<td><? print_states(intval(ANTILOCKOUT_TRACKER)); ?></td>
 						<td>*</td>
 						<td>*</td>
 						<td>*</td>
@@ -353,6 +402,7 @@ function delete_nat_association($id) {
 					<tr id="frrfc1918">
 						<td></td>
 						<td title="<?=gettext("traffic is blocked")?>"><i class="fa fa-times text-danger"></i></td>
+						<td><? print_states(intval(RFC1918_TRACKER)); ?></td>
 						<td>*</td>
 						<td><?=gettext("RFC 1918 networks");?></td>
 						<td>*</td>
@@ -371,6 +421,7 @@ function delete_nat_association($id) {
 					<tr id="frrfc1918">
 					<td></td>
 						<td title="<?=gettext("traffic is blocked")?>"><i class="fa fa-times text-danger"></i></td>
+						<td><? print_states(intval(BOGONS_TRACKER)); ?></td>
 						<td>*</td>
 						<td><?=gettext("Reserved/not assigned by IANA");?></td>
 						<td>*</td>
@@ -592,6 +643,7 @@ function delete_nat_association($id) {
 			}
 		}
 	?>
+				<td><? print_states(intval($filterent['tracker'])); ?></td>
 				<td>
 	<?php
 		if (isset($filterent['ipprotocol'])) {
@@ -975,4 +1027,3 @@ function escapeHtml(text) {
 </script>
 
 <?php include("foot.inc");?>
-