authorjim-p <jimp@pfsense.org>2015-06-18 09:30:10 -0400
committerjim-p <jimp@pfsense.org>2015-06-18 09:30:10 -0400
commit9e8ce1e25b1a70fd0d9abbe8bdfdcd1a63250f46 (patch)
treeb33d4df48a703edd3f5a5cbcc9d8f8714a938c85
parentf6a4fe06f9a45c332f4e1ca4871504b72a5d4593 (diff)
Add a GUI field to increase the pf frag entries limit. Fixes ticket #4775
-rw-r--r--etc/inc/filter.inc5
-rw-r--r--usr/local/www/system_advanced_firewall.php17
2 files changed, 22 insertions, 0 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 149abb7..f58cdd9 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -359,6 +359,11 @@ function filter_configure_sync($delete_states_if_needed = true) {
$limitrules .= "set limit src-nodes {$max_states}\n";
}
+ /* Frag limit. pf default is 5000 */
+ if ($config['system']['maximumfrags'] <> "" && is_numeric($config['system']['maximumfrags'])) {
+ $limitrules .= "set limit frags {$config['system']['maximumfrags']}\n";
+ }
+
if (isset($config['system']['lb_use_sticky']) && is_numeric($config['system']['srctrack']) && ($config['system']['srctrack'] > 0))
$limitrules .= "set timeout src.track {$config['system']['srctrack']}\n";
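Review bot: The guard on the added `set limit frags` line uses `is_numeric()`, which is looser than the `is_numericint()` check the GUI applies in system_advanced_firewall.php. A value that reaches config.xml by another path (a restored or hand-edited config), such as `1e3`, `-5` or `12.5`, would pass and be interpolated into the pf ruleset unchanged. A malformed limit line would presumably keep the ruleset from loading, so the emitter should apply the strict check itself: `if (is_numericint($config['system']['maximumfrags']) && $config['system']['maximumfrags'] > 0) {`. This assumes `is_numericint()` is in scope in filter.inc, which is worth confirming. The body of filter_configure_sync continues outside the hunk.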
diff --git a/usr/local/www/system_advanced_firewall.php b/usr/local/www/system_advanced_firewall.php
index 025e441..455e68a 100644
--- a/usr/local/www/system_advanced_firewall.php
+++ b/usr/local/www/system_advanced_firewall.php
@@ -61,6 +61,7 @@ $pconfig['aliasesresolveinterval'] = $config['system']['aliasesresolveinterval']
$old_aliasesresolveinterval = $config['system']['aliasesresolveinterval'];
$pconfig['checkaliasesurlcert'] = isset($config['system']['checkaliasesurlcert']);
$pconfig['maximumtableentries'] = $config['system']['maximumtableentries'];
+$pconfig['maximumfrags'] = $config['system']['maximumfrags'];
$pconfig['disablereplyto'] = isset($config['system']['disablereplyto']);
$pconfig['disablenegate'] = isset($config['system']['disablenegate']);
$pconfig['bogonsinterval'] = $config['system']['bogons']['interval'];
@@ -109,6 +110,9 @@ if ($_POST) {
if ($_POST['maximumtableentries'] && !is_numericint($_POST['maximumtableentries'])) {
$input_errors[] = gettext("The Firewall Maximum Table Entries value must be an integer.");
}
+ if ($_POST['maximumfrags'] && !is_numericint($_POST['maximumfrags'])) {
+ $input_errors[] = gettext("The Firewall Maximum Fragment Entries value must be an integer.");
+ }
if ($_POST['tcpidletimeout'] && !is_numericint($_POST['tcpidletimeout'])) {
$input_errors[] = gettext("The TCP idle timeout must be an integer.");
}
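Review bot: A submitted value of `0` skips the new validation, because `$_POST['maximumfrags'] &&` is false for the string "0". The value is then saved, and since filter.inc only tests `<> ""` and `is_numeric()`, it is emitted as `set limit frags 0`. There is also no upper bound, although this limit is what caps the memory pf holds for fragment reassembly. Test for presence explicitly and require a positive value, e.g. `if ($_POST['maximumfrags'] !== "" && (!is_numericint($_POST['maximumfrags']) || $_POST['maximumfrags'] < 1)) {`, and consider rejecting values above a documented maximum. The enclosing `if ($_POST)` block starts and ends outside the hunk.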
@@ -205,6 +209,7 @@ if ($_POST) {
$config['system']['maximumstates'] = $_POST['maximumstates'];
$config['system']['aliasesresolveinterval'] = $_POST['aliasesresolveinterval'];
$config['system']['maximumtableentries'] = $_POST['maximumtableentries'];
+ $config['system']['maximumfrags'] = $_POST['maximumfrags'];
if (!empty($_POST['tcpfirsttimeout'])) {
$config['system']['tcpfirsttimeout'] = $_POST['tcpfirsttimeout'];
@@ -522,6 +527,18 @@ function update_description(itemnum) {
</td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Firewall Maximum Fragment Entries");?></td>
+ <td width="78%" class="vtable">
+ <input name="maximumfrags" type="text" id="maximumfrags" value="<?php echo htmlspecialchars($pconfig['maximumfrags']); ?>" />
+ <br />
+ <strong><?=gettext("Maximum number of packet fragments to hold for reassembly by scrub rules.");?></strong>
+ <br />
+ <span class="vexpl">
+ <?=gettext("Note: Leave this blank for the default (5000).");?>
+ </span>
+ </td>
+ </tr>
+ <tr>
<td width="22%" valign="top" class="vncell"><?=gettext("Static route filtering");?></td>
<td width="78%" class="vtable">
<input name="bypassstaticroutes" type="checkbox" id="bypassstaticroutes" value="yes" <?php if ($pconfig['bypassstaticroutes']) echo "checked=\"checked\""; ?> />