authorsmos <seth.mos@dds.nl>2011-10-13 20:47:09 +0200
committersmos <seth.mos@dds.nl>2011-10-13 20:47:09 +0200
commitc066ea8aabd79bee354d7c9449b0b431398e2aa9 (patch)
tree796888772deee23021c0a355891b1a1bb6963b31
parent378b298774bfa785006b41c61aae4793bdbef4c2 (diff)
downloadpfsense-c066ea8aabd79bee354d7c9449b0b431398e2aa9.zip
pfsense-c066ea8aabd79bee354d7c9449b0b431398e2aa9.tar.gz
Remove the old direct_networks table, which is not used anywhere in the filter code. Instead we now create a negate_networks table which contains the VPN networks, the directly connected networks and the static route networks; traffic to these should never be tagged for policy routing, since that breaks it.
This fixes Ticket #1950 and needs to be MFC to 2.0 for 2.0.1 Conflicts: etc/inc/filter.inc
-rw-r--r--etc/inc/filter.inc27
1 files changed, 20 insertions, 7 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index aaac24b..e983635 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -427,7 +427,7 @@ function filter_generate_scrubing() {
if (!empty($config['system']['maxmss']))
$maxmss = $config['system']['maxmss'];
- $scrubrules .= "scrub in from any to <vpns> max-mss {$maxmss}\n";
+ $scrubrules .= "scrub in from any to <vpn_networks> max-mss {$maxmss}\n";
}
/* disable scrub option */
foreach ($FilterIflist as $scrubif => $scrubcfg) {
@@ -743,6 +743,13 @@ function filter_get_direct_networks_list() {
$networks_arr[] = $subnet;
}
}
+ if(is_array($config['staticroutes']['route'])) {
+ foreach($config['staticroutes']['route'] as $netent) {
+ if(is_ipaddr($netent['network'])) {
+ $networks_arr[] = $netent['network'];
+ }
+ }
+ }
if(!empty($networks_arr)) {
$networks = implode(" ", $networks_arr);
}
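Review bot: The new `is_ipaddr($netent['network'])` guard looks like it will drop the very entries it is meant to add: a static route's `network` field is, as far as I recall, stored with a prefix length (`a.b.c.d/bits`), and if `is_ipaddr()` only accepts a bare host address the way its name and the sibling `is_subnet()` helper suggest, no static route ever reaches `$networks_arr` and the negate rule never covers them. Please confirm against the config schema and, if so, use `if(is_subnet($netent['network']))` or, to also accept a host entry, `if(is_ipaddr($netent['network']) || is_subnet($netent['network']))`. Note that the validated string is interpolated verbatim into the pf table definition, so whichever check is used must stay strict. The body of `filter_get_direct_networks_list()` begins before this hunk and its return is after it.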
@@ -1451,9 +1458,15 @@ function filter_nat_rules_generate() {
$vpns_list = filter_get_vpns_list();
$direct_networks_list = filter_get_direct_networks_list();
if($vpns_list)
- $natrules .= "table <vpns> { $vpns_list }\n";
+ $natrules .= "table <vpn_networks> { $vpns_list }\n";
+
+ /* add a Negate_networks table */
+ $natrules .= "table <negate_networks> {";
if($direct_networks_list)
- $natrules .= "table <direct_networks> { $direct_networks_list }\n";
+ $natrules .= " $direct_networks_list ";
+ if($vpns_list)
+ $natrules .= " $vpns_list ";
+ $natrules .= "}\n";
/* DIAG: add ipv6 NAT, if requested */
if(isset($config['diag']['ipv6nat']['enable']) &&
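Review bot: The `<negate_networks>` table is now emitted unconditionally (even as `table <negate_networks> {}`), but `<vpn_networks>` is still only declared when `$vpns_list` is non-empty, while the scrub rule in the first hunk references `<vpn_networks>` regardless. If pfctl rejects a ruleset that references an undeclared table, a box with no VPNs would fail to load its ruleset; declaring it the same way, `$natrules .= "table <vpn_networks> { $vpns_list }\n";` without the `if`, keeps the two tables consistent. A network that is both a static route and a VPN network is also listed twice in `<negate_networks>`; I believe pfctl tolerates duplicate table entries, but it is worth a quick check. `filter_nat_rules_generate()` continues outside this hunk.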
@@ -2033,14 +2046,14 @@ function filter_generate_user_rule($rule) {
/* exception(s) to a user rules can go here. */
/* rules with a gateway or pool should create another rule for routing to vpns */
if(($aline['route'] <> "") && (trim($aline['type']) == "pass") && strstr($dst, "any")) {
- /* negate VPN/PPTP/PPPoE networks for load balancer/gateway rules */
- $vpns = " to <vpns> ";
+ /* negate VPN/PPTP/PPPoE/Static Route networks for load balancer/gateway rules */
+ $negate_networks = " to <negate_networks> ";
$line .= $aline['type'] . $aline['direction'] . $aline['log'] . $aline['quick'] .
$aline['interface'] . $aline['prot'] . $aline['src'] . $aline['os'] .
- $vpns . $aline['icmp-type'] . $aline['tag'] . $aline['tagged'] .
+ $negate_networks . $aline['icmp-type'] . $aline['tag'] . $aline['tagged'] .
$aline['dscp'] . $aline['allowopts'] . $aline['flags'] .
$aline['queue'] . $aline['dnpipe'] . $aline['schedlabel'] .
- " label \"NEGATE_ROUTE: Negate policy route for vpn(s)\"\n";
+ " label \"NEGATE_ROUTE: Negate policy routing for vpn, static routes and direct networks\"\n";
}
/* piece together the actual user rule */
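Review bot: The updated comment on the negate rule says "VPN/PPTP/PPPoE/Static Route networks", but the table it now references also holds the directly connected interface networks, which is what the new label and the commit message describe; a reader of the comment alone would not expect a plain `pass` rule to cover locally attached subnets. Suggest `/* negate VPN, static route and directly connected networks for load balancer/gateway rules */` so the comment matches the label. Since this rule is a `pass` with no gateway, anything added to `<negate_networks>` bypasses policy routing for every gateway rule with an `any` destination, which is worth stating in the comment too. `filter_generate_user_rule()` begins and ends outside this hunk.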