authorErmal Luçi <eri@pfsense.org>2008-10-19 07:30:24 +0000
committerErmal Luçi <eri@pfsense.org>2008-10-19 07:30:24 +0000
commitc5a568d943310286d1e14b622ada5a7745cb9dce (patch)
treeda98222b14314315f3541d5af369a4e8d4f179d3
parente6d436e8d099a394bf5f8a9a573579639e236a90 (diff)
downloadpfsense-c5a568d943310286d1e14b622ada5a7745cb9dce.zip
pfsense-c5a568d943310286d1e14b622ada5a7745cb9dce.tar.gz
* Clean up some logic for loading the ipfw module, which might somewhat improve rule speed on very large rulesets. The best option is moving this to rules generation itself, which would really speed things up, but I will check it later on.
* Fix scrub rules generation since it was 'broken' by generating mss-clamping for all interfaces which might be the reason for some slow transfers reported. Remove generation of mss clamping by pf in pppoe case since we handle this in mpd4 and seems to be a better fit for this.
-rw-r--r--etc/inc/filter.inc82
1 files changed, 49 insertions, 33 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 7c0c4a9..611eab3 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -98,19 +98,18 @@ function filter_configure_sync() {
* and if so load ipfw for later usage.
*/
foreach($config['filter']['rule'] as $rule) {
- if($rule['sched'])
- $time_based_rules = true;
- }
- if($time_based_rules == true) {
- $status = intval(`kldstat | grep ipfw | wc -l | awk '{ print $1 }'`);
- if($status == "0") {
- mute_kernel_msgs();
- mwexec("/sbin/kldload ipfw");
- unmute_kernel_msgs();
+ if($rule['sched']) {
+ $status = intval(`kldstat | grep ipfw | wc -l | awk '{ print $1 }'`);
+ if($status == "0") {
+ mute_kernel_msgs();
+ mwexec("/sbin/kldload ipfw");
+ unmute_kernel_msgs();
+ }
+ exec("/sbin/ipfw delete set 9");
+ exec("/sbin/ipfw delete 2");
+ exec("/sbin/ipfw delete 3");
+ break;
}
- exec("/sbin/ipfw delete set 9");
- exec("/sbin/ipfw delete 2");
- exec("/sbin/ipfw delete 3");
}
/* Get interface list to work with. */
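Review bot: The result of `mwexec("/sbin/kldload ipfw")` is ignored, so when the module fails to load the three `ipfw delete` calls still run and rules with a schedule are presumably left without the ipfw backing they need, with nothing logged. If mwexec returns the exit status, capture it and log the failure before continuing. `kldstat | grep ipfw` also counts any loaded module whose name merely contains "ipfw", and `$status == "0"` compares an int with a string; `if ($status === 0)` states the intent. The foreach iterates `$config['filter']['rule']` without checking that it is an array, which matters on a configuration with no rules; filter_configure_sync continues outside this hunk.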
@@ -182,27 +181,8 @@ function filter_configure_sync() {
$rules .= "\n";
update_filter_reload_status("Setting up SCRUB information");
-
- /* disable scrub option */
- if(!isset($config['system']['disablescrub'])) {
- /* set up MSS clamping */
- if ($config['interfaces']['wan']['mtu'] <> "" and is_numeric($config['interfaces']['wan']['mtu']))
- $mssclamp = "max-mss " . (intval($config['interfaces']['wan']['mtu'] - 40));
- else
- if ($config['interfaces']['wan']['ipaddr'] == "pppoe")
- $mssclamp = "max-mss 1452";
- else
- $mssclamp = "";
-
- /* configure no-df for linux nfs and others */
- if ($config['system']['scrubnodf'])
- $scrubnodf = "no-df random-id";
- else
- $scrubnodf = "random-id";
- $rules .= "scrub all {$scrubnodf} {$mssclamp} fragment reassemble\n"; // reassemble all directions
- } else if ($config['interfaces']['wan']['mtu'] <> "" and is_numeric($config['interfaces']['wan']['mtu'])) {
- $rules .= "scrub {$mssclamp}\n"; // reassemble all directions
- }
+ $rules .= filter_generate_scrubing();
+ $rules .= "\n";
$rules .= "{$dummynet_rules}\n";
$rules.= "{$altq_queues}\n";
@@ -294,6 +274,41 @@ function filter_configure_sync() {
return 0;
}
+function filter_generate_scrubing()
+{
+ global $config, $FilterIflist;
+
+ $scrubrules = "";
+
+ /* disable scrub option */
+ foreach ($FilterIflist as $scrubif => $scrubcfg) {
+ /* set up MSS clamping */
+ if ($scrubcfg['mtu'] <> "" and is_numeric($scrubcfg['mtu']))
+ $mssclamp = "max-mss " . (intval($scrubcfg['mtu'] - 40));
+ else
+ $mssclamp = "";
+
+ /* configure no-df for linux nfs and others */
+ if ($config['system']['scrubnodf'])
+ $scrubnodf = "no-df";
+ else
+ $scrubnodf = "";
+
+ if ($config['system']['scrubrnid'])
+ $scrubrnid = "random-id";
+ else
+ $scrubrnid = "";
+
+ if (!isset($config['system']['disablescrub']))
+ $scrubrules .= "scrub on \${$scrubcfg['descr']} all {$scrubnodf} {$scrubrnid} {$mssclamp} fragment reassemble\n"; // reassemble all directions
+ else if (!empty($mssclamp))
+ $scrubrules .= "scrub on \${$scrubcfg['descr']} {$mssclamp}\n";
+
+ }
+
+ return $scrubrules;
+}
+
function filter_generate_aliases() {
global $config, $FilterIflist;
if(isset($config['system']['developerspew'])) {
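Review bot: `random-id` was emitted unconditionally by the removed code whenever scrub was enabled, but filter_generate_scrubing() now emits it only when `$config['system']['scrubrnid']` is set, so existing configurations silently lose IP ID randomisation; the commit message does not mention this. If that is not intended, keep `$scrubrnid = "random-id";` as the default or migrate existing configs on upgrade. The clamp `intval($scrubcfg['mtu'] - 40)` has no lower bound and `is_numeric()` accepts negative and fractional values, so a small or malformed MTU yields a zero or negative `max-mss` that pf may reject when the ruleset is loaded; check the value against a sane range before building the rule. The `/* disable scrub option */` comment above the foreach no longer describes the loop, and the two `$config['system']` lookups are loop-invariant and can be hoisted out of it.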
@@ -420,6 +435,7 @@ function generate_optcfg_array()
$oic['ip'] = $oc['ipaddr'];
$oic['sn'] = $oc['subnet'];
+ $oic['mtu'] = $oc['mtu'];
$oic['descr'] = $ifdetail;
$oic['sa'] = gen_subnet($oic['ip'], $oic['sn']);
$oic['nonat'] = $oc['nonat'];
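Review bot: `$oc['mtu']` is copied without an `isset()` check or validation, and this is the only place visible in the diff where an interface entry gains an `mtu` key. The scrub generator reads `$scrubcfg['mtu']` for every entry of `$FilterIflist`, so if the WAN and LAN entries are built elsewhere without that key, the WAN MSS clamp the old code applied is lost; this is worth confirming, since generate_optcfg_array starts and ends outside this hunk. A guarded form such as `$oic['mtu'] = isset($oc['mtu']) ? $oc['mtu'] : "";` avoids the undefined-index notice.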