diff options
| author | Renato Botelho <garga@FreeBSD.org> | 2013-11-21 13:57:34 -0200 |
|---|---|---|
| committer | Renato Botelho <garga@FreeBSD.org> | 2013-11-21 13:57:34 -0200 |
| commit | d3b17c9a0b111ce20869f226322365324e0da4ce (patch) | |
| tree | ae9d6477416f6003f0aaac8f268717d70c6eeca1 | |
| parent | f7ec7bf9d1bb95f39f6b7ca8e83b82f76643f61d (diff) | |
| download | pfsense-d3b17c9a0b111ce20869f226322365324e0da4ce.zip pfsense-d3b17c9a0b111ce20869f226322365324e0da4ce.tar.gz | |
Fix #3331. Set interface subnet as destination when VIP is in the same subnet, otherwise use VIP subnet instead of IP address
| -rw-r--r-- | etc/inc/filter.inc | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index 21a5019..bd1221b 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -2951,7 +2951,10 @@ EOD; $ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$ifcfg['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n"; if (is_array($ifcfg['vips'])) { foreach ($ifcfg['vips'] as $vip) - $ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !{$vip['ip']}/{$vip['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n"; + if (ip_in_subnet($vip['ip'], "{$ifcfg['sa']}/{$ifcfg['sn']}")) + $ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n"; + else + $ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !" . gen_subnet($vip['ip'], $vip['sn']) . "/{$vip['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n"; } } |
