author | Ermal <eri@pfsense.org> | 2013-01-28 14:00:40 +0000 |
---|---|---|
committer | Ermal <eri@pfsense.org> | 2013-01-28 14:01:00 +0000 |
commit | af982472816c43827177e499011b92531ba40d72 (patch) | |
tree | 06e229949ca5c24f2efd3aea5e70393775c6a753 | |
parent | 84683e42c96455d90b4cec5545bdedb5071ac5f1 (diff) | |
download | pfsense-af982472816c43827177e499011b92531ba40d72.zip pfsense-af982472816c43827177e499011b92531ba40d72.tar.gz |
Move the definition of negate_networks/vpn_networks to its proper place and re-include IPsec VPNs in these tables, since the scrub rule for MSS clamping needs them.
-rw-r--r-- | etc/inc/filter.inc | 43 |
1 files changed, 29 insertions, 14 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 212df57..6e391d9 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -557,8 +557,17 @@ function filter_generate_aliases() {
 $aliases .= "#Snort tables\n";
 $aliases .= "table <snort2c>\n";
+ $aliases .= "table <virusprot>\n";
- $aliases .= "\ntable <virusprot>\n";
+ $vpns_list = filter_get_vpns_list();
+ if($vpns_list)
+ $aliases .= "table <vpn_networks> { $vpns_list }\n";
+
+ /* add a Negate_networks table */
+ $aliases .= "table <negate_networks> ";
+ if($vpns_list)
+ $aliases .= "{ $vpns_list }";
+ $aliases .= "\n";
 $aliases .= "\n# User Aliases \n";
 /* Setup pf groups */
@@ -705,6 +714,22 @@ function filter_get_vpns_list() {
 $vpns = "";
 $vpns_arr = array();
+ /* ipsec */
+ if (isset($config['ipsec']['enable'])) {
+ if (is_array($config['ipsec']['phase2'])) {
+ foreach ($config['ipsec']['phase2'] as $ph2ent) {
+ if ((!$ph2ent['mobile']) && ($ph2ent['mode'] != 'transport')) {
+ if (!function_exists('ipsec_idinfo_to_cidr'))
+ require_once("ipsec.inc");
+ $vpns_subnet = ipsec_idinfo_to_cidr($ph2ent['remoteid']);
+ if ($vpns_subnet == "0.0.0.0/0")
+ continue;
+ $vpns_arr[] = $vpns_subnet;
+ }
+ }
+ }
+ }
+
 /* openvpn */
 foreach (array('client', 'server') as $type) {
 if(is_array($config['openvpn']["openvpn-$type"])) {
@@ -730,9 +755,10 @@ function filter_get_vpns_list() {
 }
 }
 }
- if(!empty($vpns_arr)) {
+
+ if (!empty($vpns_arr))
 $vpns = implode(" ", $vpns_arr);
- }
+
 return $vpns;
 }
@@ -1619,17 +1645,6 @@ function filter_nat_rules_generate() {
 }
 }
- $interface_counter = 0;
- $vpns_list = filter_get_vpns_list();
- if($vpns_list)
- $natrules .= "table <vpn_networks> { $vpns_list }\n";
-
- /* add a Negate_networks table */
- $natrules .= "table <negate_networks> {";
- if($vpns_list)
- $natrules .= " $vpns_list ";
- $natrules .= "}\n";
-
 /* DIAG: add ipv6 NAT, if requested */
 if(isset($config['diag']['ipv6nat']['enable']) && is_ipaddr($config['diag']['ipv6nat']['ipaddr']) && |
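Review bot: In the first hunk `table <vpn_networks>` is emitted only when `$vpns_list` is non-empty, whereas `<negate_networks>` is declared unconditionally; if the scrub/MSS-clamping rules the commit message refers to name `<vpn_networks>` unconditionally, pfctl will reject the entire ruleset on a system with no VPN networks configured, because the table is undefined. Declaring it the same way as the negate table keeps it defined (empty) in that case: `$aliases .= "table <vpn_networks> ";` unconditionally, then `if($vpns_list) $aliases .= "{ $vpns_list }";` and `$aliases .= "\n";`. The rules consuming the table are outside this hunk, so this is inferred from the commit message rather than visible lines. filter_generate_aliases() begins and ends outside the hunk.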
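Review bot: In the second hunk the result of `ipsec_idinfo_to_cidr($ph2ent['remoteid'])` is pushed into `$vpns_arr` after only a `0.0.0.0/0` comparison; if that helper (defined in ipsec.inc, not visible here) can return false, null or an empty string for a remote id it cannot convert, the empty entry is imploded into the `{ $vpns_list }` bodies of `<vpn_networks>` and `<negate_networks>` in the first hunk and produces a malformed table line that makes pfctl reject the ruleset. The same comparison only skips the IPv4 any-network, so an IPv6 phase 2 whose remote id converts to `::/0` would place the whole v6 space into the negate table. Suggest replacing the two-line check with `if (empty($vpns_subnet) || $vpns_subnet == "0.0.0.0/0" || $vpns_subnet == "::/0") continue;`, and using `!==` for the `'transport'` comparison to avoid loose-comparison surprises. filter_get_vpns_list() starts before this hunk and continues past it.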