author | Renato Botelho <garga@FreeBSD.org> | 2013-02-25 12:40:42 -0300 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2013-02-25 12:40:42 -0300 |
commit | 06182467540b978ef7dccdf311c7677014c04beb (patch) | |
tree | 047ae708ff39793309420f8a0ddc5a5b81d8d457 /etc/inc | |
parent | 133d754e5ca517db1ea6dfa7d7cdfb8c270716af (diff) | |
download | pfsense-06182467540b978ef7dccdf311c7677014c04beb.zip pfsense-06182467540b978ef7dccdf311c7677014c04beb.tar.gz |
Create rules for grouped interfaces before regular ones. Fixes #2837
Diffstat (limited to 'etc/inc')
-rw-r--r-- | etc/inc/filter.inc | 23 | ||||
-rw-r--r-- | etc/inc/interfaces.inc | 12 |
2 files changed, 31 insertions, 4 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index a82bc05..18589a3 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2845,8 +2845,9 @@ EOD;
 /* Pre-cache all our rules so we only have to generate them once */
 $rule_arr1 = array();
 $rule_arr2 = array();
+ $rule_arr3 = array();
 /*
- * NB: Floating rules need to be written before regular once.
+ * NB: The order must be: Floating rules, then interface group and then regular ones.
 */
 foreach ($config['filter']['rule'] as $rule) {
 update_filter_reload_status("Pre-caching {$rule['descr']}...");
@@ -2859,18 +2860,25 @@ EOD;
 $rule_arr1[] = filter_generate_user_rule_arr($rule);
 $rule['ipprotocol'] = "inet6";
 $rule_arr1[] = filter_generate_user_rule_arr($rule);
- } else {
+ } else if (is_interface_group($rule['interface'])) {
 $rule['ipprotocol'] = "inet";
 $rule_arr2[] = filter_generate_user_rule_arr($rule);
 $rule['ipprotocol'] = "inet6";
 $rule_arr2[] = filter_generate_user_rule_arr($rule);
+ } else {
+ $rule['ipprotocol'] = "inet";
+ $rule_arr3[] = filter_generate_user_rule_arr($rule);
+ $rule['ipprotocol'] = "inet6";
+ $rule_arr3[] = filter_generate_user_rule_arr($rule);
 }
 $rule['ipprotocol'] = "inet46";
 } else {
 if (isset($rule['floating']))
 $rule_arr1[] = filter_generate_user_rule_arr($rule);
- else
+ else if (is_interface_group($rule['interface']))
 $rule_arr2[] = filter_generate_user_rule_arr($rule);
+ else
+ $rule_arr3[] = filter_generate_user_rule_arr($rule);
 }
 if ($rule['sched'])
 $time_based_rules = true;
@@ -2893,7 +2901,14 @@ EOD;
 continue;
 $ipfrules .= "{$rule['rule']} {$rule['descr']}\n";
 }
- unset($rule_arr1, $rule_arr2);
+ foreach($rule_arr3 as $rule) {
+ if (isset($rule['disabled']))
+ continue;
+ if (!$rule['rule'])
+ continue;
+ $ipfrules .= "{$rule['rule']} {$rule['descr']}\n";
+ }
+ unset($rule_arr1, $rule_arr2, $rule_arr3);
 }
 $ipfrules .= "\n# Automatic Pass rules for any delegated IPv6 prefixes through dynamic IPv6 clients\n";
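Review bot: The new `else if (is_interface_group($rule['interface']))` branches change the order in which already-configured user rules are written out, and nothing at the branch tells an administrator that an upgrade can alter effective policy. If the generated rules are first-match (as pf `quick` rules are), a rule on an interface group now takes precedence over a per-interface rule for the same traffic even when the per-interface rule was listed earlier. I would add a comment at the first branch such as `/* group rules are emitted before per-interface rules, so a group rule can override an interface rule for the same traffic */` and call the reordering out in the upgrade notes. The same classification appears twice in this hunk (the dual-stack and the single-stack path), and the enclosing `foreach` starts outside the hunk.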
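Review bot: The loop over `$rule_arr3` is a third copy of the emit loop whose tail is visible just above it, so the disabled/empty-rule filter now has to stay identical in three places in order-sensitive code. A single outer loop over the three buckets states the precedence in one expression and removes the chance of the copies drifting apart. The loops for `$rule_arr1` and `$rule_arr2` begin outside the hunk, so confirm their bodies match the visible one before folding them.

```php
/* Emit in precedence order: floating, interface group, regular. */
foreach (array($rule_arr1, $rule_arr2, $rule_arr3) as $rule_bucket) {
	foreach ($rule_bucket as $rule) {
		if (isset($rule['disabled']) || !$rule['rule'])
			continue;
		$ipfrules .= "{$rule['rule']} {$rule['descr']}\n";
	}
}
unset($rule_arr1, $rule_arr2, $rule_arr3);
```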
diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc
index 1ec6acc..499344e 100644
--- a/etc/inc/interfaces.inc
+++ b/etc/inc/interfaces.inc
@@ -3533,6 +3533,18 @@ function interface_group_setup(&$groupname /* The parameter is an array */) {
 return;
 }
+function is_interface_group($if) {
+ global $config;
+
+ if (is_array($config['ifgroups']['ifgroupentry']))
+ foreach ($config['ifgroups']['ifgroupentry'] as $groupentry) {
+ if ($groupentry['ifname'] === $if)
+ return true;
+ }
+
+ return false;
+}
+
 function interface_group_add_member($interface, $groupname) {
 $interface = get_real_interface($interface);
 mwexec("/sbin/ifconfig {$interface} group {$groupname}", true); |
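Review bot: `is_interface_group()` indexes `$config['ifgroups']['ifgroupentry']` without checking that the keys exist, and the filter.inc change calls it once per filter rule, so a configuration with no interface groups would raise an undefined-index notice for every rule. Guard the lookup first with `if (!isset($config['ifgroups']['ifgroupentry']) || !is_array($config['ifgroups']['ifgroupentry'])) return false;` and give the outer `if` its own braces, since it currently wraps a braced `foreach` without any. A header comment such as `/* Returns true when $if is the name of a configured interface group (strict match on ifname). */` would also record that this result decides rule precedence in the generated ruleset.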