author | Scott Ullrich <sullrich@pfsense.org> | 2007-05-29 22:08:19 +0000 |
---|---|---|
committer | Scott Ullrich <sullrich@pfsense.org> | 2007-05-29 22:08:19 +0000 |
commit | 7a22b7a104511e24606950086d437c75065beb81 (patch) | |
tree | 644bd31e93ad4053f22fd93a8b2cfb62019d5690 /etc | |
parent | 676d63fc8901538ee92b5c84d33b4ff9b5db1ef5 (diff) | |
Only allow advanced tunables when some kind of state tracking is enabled.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/filter.inc | 45 |
1 files changed, 23 insertions, 22 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 26748cf..2f53a6c 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1981,28 +1981,29 @@ function generate_user_filter_rule($rule, $ngcounter) {
 } else {
 $aline['flags'] = "keep state ";
 }
- if( isset($rule['source-track']) and $rule['source-track'] <> "" or
- isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "" or
- isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> "" or
- isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "" or
- isset($rule['max-src-states']) and $rule['max-src-states'] <> "" or
- isset($rule['statetimeout']) and $rule['statetimeout'] <> "") {
- $aline['flags'] .= "( ";
- if(isset($rule['source-track']) and $rule['source-track'] <> "")
- $aline['flags'] .= "source-track rule ";
- if(isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "")
- $aline['flags'] .= "max-src-nodes " . $rule['max-src-nodes'] . " ";
- if(isset($rule['max-src-states']) and $rule['max-src-states'] <> "")
- $aline['flags'] .= "max-src-states " . $rule['max-src-states'] . " ";
- if(isset($rule['statetimeout']) and $rule['statetimeout'] <> "")
- $aline['flags'] .= "tcp.established " . $rule['statetimeout'] . " ";
- if(isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> ""
- and isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "") {
- $aline['flags'] .= "max-src-conn-rate " . $rule['max-src-conn-rate'] . " ";
- $aline['flags'] .= "/" . $rule['max-src-conn-rates'] . ", overload <virusprot> flush global ";
- }
- $aline['flags'] .= " ) ";
- }
+ if($aline['flags'])
+ if( isset($rule['source-track']) and $rule['source-track'] <> "" or
+ isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "" or
+ isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> "" or
+ isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "" or
+ isset($rule['max-src-states']) and $rule['max-src-states'] <> "" or
+ isset($rule['statetimeout']) and $rule['statetimeout'] <> "") {
+ $aline['flags'] .= "( ";
+ if(isset($rule['source-track']) and $rule['source-track'] <> "")
+ $aline['flags'] .= "source-track rule ";
+ if(isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "")
+ $aline['flags'] .= "max-src-nodes " . $rule['max-src-nodes'] . " ";
+ if(isset($rule['max-src-states']) and $rule['max-src-states'] <> "")
+ $aline['flags'] .= "max-src-states " . $rule['max-src-states'] . " ";
+ if(isset($rule['statetimeout']) and $rule['statetimeout'] <> "")
+ $aline['flags'] .= "tcp.established " . $rule['statetimeout'] . " ";
+ if(isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> ""
+ and isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "") {
+ $aline['flags'] .= "max-src-conn-rate " . $rule['max-src-conn-rate'] . " ";
+ $aline['flags'] .= "/" . $rule['max-src-conn-rates'] . ", overload <virusprot> flush global ";
+ }
+ $aline['flags'] .= " ) ";
+ }
 }
 if ($type == "reject" && $rule['protocol'] == "tcp") {
 /* special reject packet */ |
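Review bot: The outer condition still tests `max-src-conn-rate` and `max-src-conn-rates` separately, while the inner block emits the rate option only when both are set, so a rule carrying just one of them and no other tunable yields `keep state (  ) ` with an empty option list. pf will most likely refuse that rule text, and a ruleset that fails to load is a poor failure mode for a firewall. Folding the two tests into one clause, `isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> "" and isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "" or`, keeps the outer and inner checks in agreement; the new `if($aline['flags'])` should also get its own braces rather than guarding the multi-line block as a bare statement. The `$rule[...]` values are concatenated into the rule text as-is here, so it is worth confirming they are validated as integers before they reach generate_user_filter_rule, whose body starts and ends outside this hunk.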