author | Ermal Luçi <eri@pfsense.org> | 2013-03-25 08:02:48 -0700 |
committer | Ermal Luçi <eri@pfsense.org> | 2013-03-25 08:02:48 -0700 |
commit | 2269e286f4d4bb4b6fca59c6383f05a46ddbc464 (patch) | |
tree | b7b329a6c991b58732999ea28232c903c7875238 | |
parent | 939cc57a9780388ea7ab1df632fe46ae9532fb6b (diff) | |
parent | 8550a21c2bb336dba3e992754f5fa241e3b0ad2d (diff) | |
Merge pull request #497 from phildd/master
Do not bother with bogonsv6 if IPv6 allow is off
-rw-r--r-- | etc/inc/filter.inc | 12 | ||||
-rwxr-xr-x | etc/rc.update_bogons.sh | 22 |
2 files changed, 27 insertions, 7 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index a4c1773..b56afac 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -326,6 +326,10 @@ function filter_configure_sync($delete_states_if_needed = true) {
 		}
 	}
+	# If allow IPv6 has been unchecked then we can remove any bogonsv6 table (if the table is not there, the kill is still fine).
+	if (!isset($config['system']['ipv6allow']))
+		$_grbg = exec("/sbin/pfctl -t bogonsv6 -T kill");
+
 	update_filter_reload_status(gettext("Starting up layer7 daemon"));
 	layer7_start_l7daemon();
@@ -557,7 +561,8 @@ function filter_generate_aliases() {
 	if (!file_exists("/etc/bogonsv6"))
 		@file_put_contents("/etc/bogonsv6", "");
 	$aliases .= "table <bogons> persist file \"/etc/bogons\"\n";
-	$aliases .= "table <bogonsv6> persist file \"/etc/bogonsv6\"\n";
+	if (isset($config['system']['ipv6allow']))
+		$aliases .= "table <bogonsv6> persist file \"/etc/bogonsv6\"\n";
 	$vpns_list = filter_get_vpns_list();
 	if($vpns_list)
@@ -2595,9 +2600,14 @@ EOD;
 # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
 # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
 block in $log quick on \${$oc['descr']} from <bogons> to any label "block bogon IPv4 networks from {$oc['descr']}"
+
+EOD;
+			if(isset($config['system']['ipv6allow'])) {
+				$ipfrules .= <<<EOD
 block in $log quick on \${$oc['descr']} from <bogonsv6> to any label "block bogon IPv6 networks from {$oc['descr']}"
 EOD;
+			}
 		}
 		$isbridged = false;
 		if(is_array($config['bridges']['bridged'])) {
diff --git a/etc/rc.update_bogons.sh b/etc/rc.update_bogons.sh
index 0ecd46a..64b9075 100755
--- a/etc/rc.update_bogons.sh
+++ b/etc/rc.update_bogons.sh
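Review bot: The status of the added `exec("/sbin/pfctl -t bogonsv6 -T kill")` call in filter_configure_sync is discarded, so a pfctl failure for any reason other than the table being absent (the case the comment says is expected) is silent; pass the third argument and log a nonzero status, e.g. `exec("/sbin/pfctl -t bogonsv6 -T kill", $_grbg, $rc);` followed by a log line when `$rc != 0`. The same `isset($config['system']['ipv6allow'])` gate is repeated in the filter_generate_aliases and ruleset hunks of this file, which keeps the three sites consistent, but a one-line comment at the alias site such as `# bogonsv6 is intentionally not declared when IPv6 is disabled; see filter_configure_sync` would help a reader who sees only that hunk. filter_configure_sync continues outside the hunk.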
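Review bot: The per-interface `block in ... from <bogonsv6>` rule in the third hunk is now emitted only when `ipv6allow` is set, so with IPv6 disabled the dropping of IPv6 bogon sources depends on whatever global inet6 block rule the ruleset generates elsewhere; that rule is not visible in this diff and its presence should be confirmed before merging. Splitting the heredoc also adds an empty line to the generated rules (the blank `+` line before the new `EOD;`), which is harmless but could be dropped. The enclosing per-interface loop starts before the hunk.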
@@ -113,15 +113,25 @@ if [ "$BOGON_V4_CKSUM" = "$ON_DISK_V4_CKSUM" ] || [ "$BOGON_V6_CKSUM" = "$ON_DIS
 fi
 if [ "$BOGON_V6_CKSUM" = "$ON_DISK_V6_CKSUM" ]; then
+	BOGONS_V6_TABLE_COUNT=`pfctl -sTables | grep ^bogonsv6$ | wc -l | awk '{ print $1 }'`
 	ENTRIES_TOT=`pfctl -vvsTables | awk '/Addresses/ {s+=$2}; END {print s}'`
-	ENTRIES_V6=`pfctl -vvsTables | awk '/-\tbogonsv6$/ {getline; print $2}'`
 	LINES_V6=`wc -l /tmp/bogonsv6 | awk '{ print $1 }'`
-	if [ $ENTRIES_MAX -gt $((2*ENTRIES_TOT-${ENTRIES_V6:-0}+LINES_V6)) ]; then
-		egrep -v "^fc00::/7" /tmp/bogonsv6 > /etc/bogonsv6
-		RESULT=`/sbin/pfctl -t bogonsv6 -T replace -f /etc/bogonsv6 2>&1`
-		echo "$RESULT" | awk '{ print "Bogons V6 file downloaded: " $0 }' | logger
+	if [ $BOGONS_V6_TABLE_COUNT -gt 0 ]; then
+		ENTRIES_V6=`pfctl -vvsTables | awk '/-\tbogonsv6$/ {getline; print $2}'`
+		if [ $ENTRIES_MAX -gt $((2*ENTRIES_TOT-${ENTRIES_V6:-0}+LINES_V6)) ]; then
+			egrep -v "^fc00::/7" /tmp/bogonsv6 > /etc/bogonsv6
+			RESULT=`/sbin/pfctl -t bogonsv6 -T replace -f /etc/bogonsv6 2>&1`
+			echo "$RESULT" | awk '{ print "Bogons V6 file downloaded: " $0 }' | logger
+		else
+			echo "Not saving or updating IPv6 bogons (increase table-entries limit)" | logger
+		fi
 	else
-		echo "Not updating IPv6 bogons (increase table-entries limit)" | logger
+		if [ $ENTRIES_MAX -gt $((2*ENTRIES_TOT+LINES_V6)) ]; then
+			egrep -v "^fc00::/7" /tmp/bogonsv6 > /etc/bogonsv6
+			echo "Bogons V6 file downloaded but not updating IPv6 bogons table because IPv6 Allow is off" | logger
+		else
+			echo "Not saving IPv6 bogons table (IPv6 Allow is off and table-entries limit is potentially too low)" | logger
+		fi
 	fi
 	rm /tmp/bogonsv6
 else
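Review bot: The new table-presence check `grep ^bogonsv6$` leaves the anchors unquoted and relies on the shell passing `^` and `$` through untouched; quote the pattern and let grep return the verdict directly, `if pfctl -sTables | grep -q '^bogonsv6$'; then`, which also removes the `wc -l | awk` pipeline and the BOGONS_V6_TABLE_COUNT variable. The two new log messages attribute the missing table to "IPv6 Allow is off", but the script only observes that no bogonsv6 table exists (it could equally be absent because the ruleset has not been loaded yet), so the message should state what was checked, e.g. `... because no bogonsv6 table is loaded`. The enclosing BOGON_V6_CKSUM if/else ends outside the hunk.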