Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 1392 → Rev 1393

/alcasar.sh
1164,9 → 1164,13
groupadd -f havp
useradd -r -g havp -s /bin/false -c "system user for havp" havp
mkdir -p /var/tmp/havp /var/log/havp /var/run/havp
mkdir -p /var/tmp/havp2 /var/log/havp2
chown -R havp /var/tmp/havp /var/log/havp /var/run/havp
chown -R havp /var/tmp/havp2 /var/log/havp2
[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config # pidfile
$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config # transparent mode
$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on 8090
$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
1175,6 → 1179,11
$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
cp /etc/havp/havp.config /etc/havp/havp2.config
$SED "s?^PIDFILE.*?PIDFILE /var/run/havp/havp2.pid?g" /etc/havp/havp2.config # pidfile
$SED "s?^TRANSPARENT.*?TRANSPARENT true?g" /etc/havp/havp2.config # transparent mode
$SED "s?^PORT.*?PORT 8091?g" /etc/havp/havp2.config # datas come on 8091
$SED "s?^BIND_ADDRESS.*?BIND_ADDRESS 192.168.182.1?g" /etc/havp/havp2.config # we listen only on tun0
# skip checking of youtube flow (too heavy load / risk too low)
[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1182,6 → 1191,21
# replacement of init script
[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
cp -f $DIR_CONF/havp-init /etc/init.d/havp
cp /etc/init.d/havp /etc/init.d/havp2
$SED "s?^# description.*?# description: starts HAVP2 the High Availability Antivirus Proxy?g" /etc/init.d/havp2 # description
$SED "s?^HAVP_CONFIG.*?HAVP_CONFIG=/etc/havp/havp2.config?g" /etc/init.d/havp2 # config file
$SED "s?^PIDFILE.*?PIDFILE=/var/run/havp/havp2.pid?g" /etc/init.d/havp2 # pidfile
$SED "s?^NAME.*?NAME=havp2?g" /etc/init.d/havp2 # name
$SED "s?^DESC.*?DESC=havp2?g" /etc/init.d/havp2 # desc
#$SED "s?if [ -f /etc/sysconfig/havp ] ; then.*?if [ -f /etc/sysconfig/havp2 ] ; then?g" /etc/init.d/havp2 # defaults
#$SED "s?. /etc/sysconfig/havp.*?. /etc/sysconfig/havp2?g" /etc/init.d/havp2 # defaults
$SED "s?^havp_mountpoint.*?havp_mountpoint=/var/tmp/havp2?g" /etc/init.d/havp2 # mountpoint
$SED "s?echo \"Reloading HAVP ...\".*?echo \"Reloading HAVP2 ...\"?g" /etc/init.d/havp2 # reloading havp
$SED "s?echo \"Error: HAVP not running\".*?echo \"Error : HAVP2 not running\"?g" /etc/init.d/havp2 # error havp
$SED "s?echo \"Error: HAVP not running or PIDFILE not readable\".*?echo \"Error : HAVP2 not running or PIDFILE not readable\"?g" /etc/init.d/havp2 # error havp
$SED "s?echo \"Error: HAVP not running or PIDFILE unreadable\".*?echo \"Error : HAVP2 not running or PIDFILE unreadable\"?g" /etc/init.d/havp2 # error havp
$SED "s?echo \"Shutting down HAVP ...\".*?echo \"Shutting down HAVP2 ...\"?g" /etc/init.d/havp2 # shutting down havp
$SED "s?status havp.*?status havp2?g" /etc/init.d/havp2 # status havp
# replace of the intercept page (template)
cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1230,15 → 1254,16
##########################################################
nfsen()
{
tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
tar xzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
# Create a specific user and group
[ `grep "^www-data:" /etc/group | wc -l` == 1 ] || groupadd www-data
[ `grep "^nfsen:" /etc/passwd | wc -l` == 1 ] || useradd -r -g nfsen -s /bin/false -c "system user for the grapher nfsen" nfsen
[ `grep "^apache:" /etc/group | wc -l` == 1 ] || groupadd apache
#[ `grep "^nfsen:" /etc/passwd | wc -l` == 1 ] || useradd -r -g nfsen -s /bin/false -c "system user for the grapher nfsen" nfsen
groupadd -f chilli
# Add PortTracker plugin
mkdir -p /var/www/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
chown -R nfsen:www-data /var/www/nfsen
chown -R apache:apache /var/www/nfsen
chown -R apache:apache /usr/share/nfsen
chown -R apache:apache /var/log/netflow
cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/
# use of our conf file and init unit
cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
1251,7 → 1276,7
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
[ -d /var/log/netflow/porttracker ] || sudo -u apache nftrack -I -d /var/log/netflow/porttracker
chown -R apache:www-data /var/log/netflow/porttracker/
chown -R apache:apache /var/log/netflow/porttracker/
chmod -R 775 /var/log/netflow/porttracker
# Apache conf file
rm -f /etc/httpd/conf/conf.d/nfsen.conf
1285,9 → 1310,12
[Service]
Type=oneshot
RemainAfterExit=yes
PIDFile=/var/run/nfsen/nfsen.pid
ExecStartPre=/bin/mkdir -p /var/run/nfsen
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
ExecStart=/usr/bin/nfsen start
ExecStop=/usr/bin/nfsen stop
ExecRestart=/usr/bin/nfsen restart
ExecReload=/usr/bin/nfsen restart
TimeoutSec=0
 
[Install]
1294,9 → 1322,10
WantedBy=multi-user.target
EOF
# Add the listen port to collect netflow packet (nfcapd)
$SED s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1";'?g /usr/libexec/NfSenRC.pm
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
# expire delay for the profile "live"
nfsen -m live -e 62d 2>/dev/null
systemctl start nfsen
/bin/nfsen -m live -e 62d 2>/dev/null
# clear the installation
cd $DirTmp
rm -rf /tmp/nfsen-1.3.6p1/
1695,7 → 1724,7
/sbin/chkconfig --add $i
done
# processes launched at boot time (Systemctl)
for i in alcasar-load_balancing nfsen mysqld httpd ntpd iptables ulogd dnsmasq dnsmasq-blacklist dnsmasq-whitelist radiusd dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban
for i in alcasar-load_balancing mysqld httpd ntpd iptables ulogd dnsmasq dnsmasq-blacklist dnsmasq-whitelist radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban
do
systemctl -q enable $i.service
done
/conf/nfsen/nfsen.conf
47,7 → 47,7
$VARDIR="/var";
 
# directory for all pid files
$PIDDIR="$VARDIR/run";
$PIDDIR="$VARDIR/run/nfsen";
#
# Filter directory
$FILTERDIR="$VARDIR/filters";
/scripts/alcasar-daemon.sh
10,7 → 10,7
conf_file="/usr/local/etc/alcasar.conf"
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off)
SSH=${SSH:=off}
SERVICE="sshd dnsmasq httpd chilli radiusd mysqld dansguardian dnsmasq havp freshclam ntpd squid master squid"
SERVICE="sshd dnsmasq httpd chilli radiusd mysqld dansguardian dnsmasq havp havp2 freshclam ntpd squid master squid"
 
function ServiceTest () {
CMD=`pidof $s`
/scripts/alcasar-iptables.sh
30,6 → 30,7
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi" # ossi categoty
WL_IP_OSSI="/usr/local/share/ossi-ip-wl" # ip of the whitelist
DNSMASQ_WL_ENABLED="/usr/local/share/dnsmasq-wl-enabled" # enabled domain names for the Whitelist
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation
QOS=`grep ^QOS= $conf_file|cut -d"=" -f2` # QOS (on/off)
92,13 → 93,12
 
# Calcul de la taille du set de la blacklist
# Compute the blacklist set length
cd $BL_IP_CAT
set_bl_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}')))
bl_set_length=$(($(wc -l $BL_IP_CAT/* | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}')))
 
# Création du fichier set temporaire, remplissage, chargement et suppression
# Creating the temporary set file, filling, loading and deleting
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $set_bl_length" > $TMP_set_save
for category in `ls -1 | cut -d '@' -f1`
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $bl_set_length" > $TMP_set_save
for category in `ls -1 $BL_IP_CAT | cut -d '@' -f1`
do
cat $BL_IP_CAT/$category >> $TMP_set_save
done
113,9 → 113,13
ipset del blacklist_ip_blocked $ip
done
 
# Calcul de la taille du set de la whitelist
# Compute the whitelist set length
wl_set_length=$(($(wc -l $DNSMASQ_WL_ENABLED/* | awk '{print $1}' | tail -n 1)*3))
 
# Création du fichier set temporaire, remplissage, chargement et suppression
# Creating the temporary set file, filling, loading and deleting
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024" > $TMP_set_save
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save
cat $WL_IP_OSSI >> $TMP_set_save
ipset -! restore < $TMP_set_save
rm -f $TMP_set_save
158,18 → 162,22
# Mark (and log) the 8091 direct attempts to REJECT them in INPUT rules
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8091 -j MARK --set-mark 5
 
# Aiguillage des flux DNS
# Switching DNS streams
# havp_bl_set --> redirection vers le port 54
# havp_bl_set --> redirect to port 54
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54
 
# havp_wl_set --> redirection vers le port 55
# havp_wl_set --> redirect to port 55
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 55
 
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') pour le set havp_bl_set
# Redirect outbound HTTP requests from blacklist IP to ALCASAR ('access denied' page) for the set havp_bl_set
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
 
# Redirection des requêtes HTTP des IP qui ne sont pas dans la whitelist vers ALCASAR (page 'accès interdit') pour le set havp_wl_set
# Redirect outbound HTTP requests from IP which are not in the whitelist to ALCASAR ('access denied' page) for the set havp_wl_set
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set whitelist_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
 
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
286,7 → 294,7
$IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
 
# interdiction d'accès à INTIF (n'est utile que lorsque chilli est arrêté).
# Interdiction d'accès à INTIF (n'est utile que lorsque chilli est arrêté).
# Reject INTIF access (only when chilli is down)
$IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE Protect1 -- REJECT "
$IPTABLES -A INPUT -i $INTIF -j REJECT
/scripts/sbin/alcasar-havp.sh
File deleted
Property changes:
Deleted: svn:eol-style
-LF
\ No newline at end of property
Deleted: svn:executable
-*
\ No newline at end of property
Deleted: svn:keywords
-Id Author Date
\ No newline at end of property
/scripts/sbin/alcasar-bl.sh
38,18 → 38,23
 
# enable/disable the BL & WL categories
function cat_choice (){
# saving ip files and ossi category
# saving ossi category
mkdir $DIR_tmp
if [ $(find $DIR_IP_BL_ENABLED -name "ossi-*" | wc -l) -ne 0 ]
cp $DIR_IP_BL/ossi $DIR_tmp
if [ -d $DIR_IP_BL_ENABLED ]
then
cp $DIR_IP_BL_ENABLED/ossi-* $DIR_tmp
for file in `ls -1 $DIR_IP_BL_ENABLED | grep -v "^ossi-*"`
do
rm -f $DIR_IP_BL_ENABLED/$file
done
else
mkdir $DIR_IP_BL_ENABLED
chown apache $DIR_IP_BL_ENABLED
fi
cp $DIR_IP_BL/ossi $DIR_tmp
rm -rf $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED # cleaning for dnsmasq and iptables
rm -rf $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED # cleaning for dnsmasq and iptables
$SED "/\.Include/d" $DIR_DG/bannedsitelist $DIR_DG/bannedurllist # cleaning for DG
$SED "s?^[^#]?#&?g" $BL_CATEGORIES $WL_CATEGORIES # cleaning BL & WL categories file (comment all lines)
mkdir $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED
chown apache $DIR_IP_BL_ENABLED
mkdir $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED
# process the file $BL_CATEGORIES with the choice of categories
for ENABLE_CATEGORIE in `cat $BL_CATEGORIES_ENABLED`
do
74,10 → 79,6
# restoring ip files and ossi category
mv $DIR_tmp/ossi $DIR_IP_BL
chown apache $DIR_IP_BL/ossi
if [ $(find $DIR_tmp -name "ossi-*" | wc -l) -ne 0 ]
then
mv $DIR_tmp/ossi-* $DIR_IP_BL_ENABLED
fi
rm -rf $DIR_tmp
}
function bl_enable (){
/scripts/sbin/alcasar-uninstall.sh
107,14 → 107,16
sleep 1
 
#antivirus
echo -en "\n- antivirus(4) : "
echo -en "\n- antivirus(6) : "
if [ -e /etc/init.d/havp ]
then
[ -e /etc/havp/havp.config.default ] && mv /etc/havp/havp.config.default /etc/havp/havp.config && echo -n "1, "
userdel -r havp 2>/dev/null && echo -n "2, "
[ -e /etc/havp/havp2.config ] && rm -f /etc/havp/havp2.config && echo -n "2, "
userdel -r havp 2>/dev/null && echo -n "3, "
[ `grep havp /etc/fstab|wc -l` -ne "0" ] && $SED "/havp/d" /etc/fstab # anciennes versions (mémoire tampon sur disque)
[ -e /etc/init.d/havp.default ] && mv /etc/init.d/havp.default /etc/init.d/havp && echo -n "3, "
[ -e /etc/freshclam.conf.default ] && mv /etc/freshclam.conf.default /etc/freshclam.conf && echo -n "4"
[ -e /etc/init.d/havp.default ] && mv /etc/init.d/havp.default /etc/init.d/havp && echo -n "4, "
[ -e /etc/init.d/havp2 ] && rm -f /etc/init.d/havp2 && echo -n "5, "
[ -e /etc/freshclam.conf.default ] && mv /etc/freshclam.conf.default /etc/freshclam.conf && echo -n "6"
else echo -n "uninstalled"
fi
sleep 1
127,7 → 129,7
i=`expr $i + 1`
[ -e /etc/ulogd-$log_type.conf ] && rm -f /etc/ulogd-$log_type.conf && echo -n "$i, "
i=`expr $i + 1`
[ -e /lib/systemd/system/ulogd-$log_type.service ] && rm -f /lib/systemd/system/ulogd-$log_type.service && echo -n "$i"
[ -e /lib/systemd/system/ulogd-$log_type.service ] && rm -f /lib/systemd/system/ulogd-$log_type.service && echo -n "$i, "
done
sleep 1
 
144,7 → 146,7
echo -en "\n- dnsmasq(6) : "
if [ -e /lib/systemd/system/dnsmasq.service ]
then
[ -e /etc/sysconfig/dnsmasq.default ] && mv /etc/sysconfig/dnsmasq.default /etc/sysconfig/dnsmasq && echo -n "1 ,"
[ -e /etc/sysconfig/dnsmasq.default ] && mv /etc/sysconfig/dnsmasq.default /etc/sysconfig/dnsmasq && echo -n "1, "
[ -e /etc/dnsmasq.conf.default ] && mv /etc/dnsmasq.conf.default /etc/dnsmasq.conf && echo -n "2, "
[ -e /etc/dnsmasq-blacklist.conf ] && rm /etc/dnsmasq-blacklist.conf && echo -n "3, "
[ -e /etc/dnsmasq-whitelist.conf ] && rm /etc/dnsmasq-whitelist.conf && echo -n "4, "
157,7 → 159,7
 
#BL
echo -en "\n- BL(1) : "
[ -e /lib/systemd/system/iptables.service.default ] && mv /lib/systemd/system/iptables.service.default /lib/systemd/system/iptables.service && echo "1"
[ -e /lib/systemd/system/iptables.service.default ] && mv /lib/systemd/system/iptables.service.default /lib/systemd/system/iptables.service && echo -n "1"
sleep 1
 
#dhcpd
170,10 → 172,10
sleep 1
 
#fail2ban
echo -en "\n- fail2ban(7) :"
echo -en "\n- fail2ban(7) : "
[ -e /etc/fail2ban/fail2ban.conf.default ] && mv /etc/fail2ban/fail2ban.conf.default /etc/fail2ban/fail2ban.conf && echo -n "1, "
[ -e /etc/fail2ban/jail.conf.default ] && mv /etc/fail2ban/jail.conf.default /etc/fail2ban/jail.conf && echo -n "2, "
[ -e /etc/fail2ban/action.d/iptables-allports.conf.default ] && mv /etc/fail2ban/action.d/iptables-allports.conf.default /etc/fail2ban/action.d/iptables-allports.conf && echo -n " 3, "
[ -e /etc/fail2ban/action.d/iptables-allports.conf.default ] && mv /etc/fail2ban/action.d/iptables-allports.conf.default /etc/fail2ban/action.d/iptables-allports.conf && echo -n "3, "
[ -e /etc/fail2ban/filter.d/alcasar_mod-evasive.conf ] && rm /etc/fail2ban/filter.d/alcasar_mod-evasive.conf && echo -n "4, "
[ -e /etc/fail2ban/filter.d/alcasar_htdigest.conf ] && rm /etc/fail2ban/filter.d/alcasar_htdigest.conf && echo -n "5, "
[ -e /etc/fail2ban/filter.d/alcasar_intercept.conf ] && rm /etc/fail2ban/filter.d/alcasar_intercept.conf && echo -n "6, "
196,7 → 198,7
sleep 1
 
#gammu-smsd
echo -en "\n- gammu-smsd(3) :"
echo -en "\n- gammu-smsd(3) : "
[ -e /etc/gammu_smsd_conf ] && rm -f /etc/gammu_smsd_conf && echo -n "1, "
[ -e /etc/udev/rules.d/66-huawei.rules ] && rm -f /etc/udev/rules.d/66-huawei.rules && echo -n "2, "
[ -e /var/log/gammu-smsd ] && rm -rf /var/log/gammu-smsd && echo -n "3"
222,7 → 224,6
[ -e /etc/sysconfig/iptables ] && rm -f /etc/sysconfig/iptables && echo -n "8, "
[ -e /etc/modprobe.preload.default ] && mv /etc/modprobe.preload.default /etc/modprobe.preload && echo -n "9"
 
echo
/sbin/ifup $EXTIF
sleep 1
 
/web/acc/admin/bl_filter.php
211,6 → 211,7
fputs($fichier, form_filter($_POST['BL_rehabilited_ip']));
fclose($fichier);
unset($_POST['BL_rehabilited_ip']);
exec ("sudo /usr/local/sbin/alcasar-bl.sh --reload");
break;
case 'MAJ_cat_wl' :
$tab=file($wl_categories_enabled);
/web/acc/phpsysinfo/includes/XPath.class.php
3849,7 → 3849,7
$step = '.';
$axis['axis'] = 'self';
$axis['node-test'] = '*';
break $parseBlock;
break;
}
 
if ($step == '..') {
3856,7 → 3856,7
// Select the parent axis.
$axis['axis'] = 'parent';
$axis['node-test'] = '*';
break $parseBlock;
break;
}
 
///////////////////////////////////////////////////
3908,7 → 3908,7
if ($step == '*') {
// Use the child axis and select all children.
$axis['node-test'] = '*';
break $parseBlock;
break;
}
 
// ### I'm pretty sure our current handling of cdata is a fudge, and we should
3916,7 → 3916,7
if ($step == "text()") {
// Handle the text node
$axis["node-test"] = "cdata";
break $parseBlock;
break;
}
 
// There are a few node tests that we match verbatim.
3925,7 → 3925,7
|| $step == "text()"
|| $step == "processing-instruction") {
$axis["node-test"] = $step;
break $parseBlock;
break;
}
 
// processing-instruction() is allowed to take an argument, but if it does, the argument
3932,7 → 3932,7
// is a literal, which we will have parsed out to $[number].
if (preg_match(":processing-instruction\(\$\d*\):", $step)) {
$axis["node-test"] = $step;
break $parseBlock;
break;
}
 
// The only remaining way this can be a step, is if the remaining string is a simple name
3961,7 → 3961,7
// Not currently recursing
$LastFailedStep = '';
$LastFailedContext = '';
break $parseBlock;
break;
}
 
// It's not a node then, we must treat it as a PrimaryExpr