authorErmal <eri@pfsense.org>2012-06-11 21:53:32 +0000
committerErmal <eri@pfsense.org>2012-06-11 21:53:32 +0000
commit5c8558097a9ec9498d175325a66a6b942c9b12b1 (patch)
treed78a40c033b00d04f5f12465e3c40339f4b8b914 /etc
parent364e4f74c3b89f95cd37523f59d32fd410f65fec (diff)
downloadpfsense-5c8558097a9ec9498d175325a66a6b942c9b12b1.zip
pfsense-5c8558097a9ec9498d175325a66a6b942c9b12b1.tar.gz
Put the configured limits in a rules.limits file and load them before loading the ruleset, to avoid problems with large rulesets where the options would otherwise not be loaded first.
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/filter.inc60
1 files changed, 26 insertions, 34 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 13ea115..cec7a7c 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -248,43 +248,42 @@ function filter_configure_sync($delete_states_if_needed = true) {
}
// Copy rules.debug to rules.debug.old
- if(file_exists("{$g['tmp_path']}/rules.debug"))
+ if (file_exists("{$g['tmp_path']}/rules.debug"))
copy("{$g['tmp_path']}/rules.debug", "{$g['tmp_path']}/rules.debug.old");
- $rules = "";
+ $limitrules = "";
/* Define the maximum number of tables the system can handle (should be at least aliases*2+some spare) */
$maxtables = is_numeric($config['system']['maximumtables']) ? $config['system']['maximumtables'] : "3000";
- $rules .= "set limit tables {$maxtables}\n";
- if($config['system']['maximumtableentries'] <> "" && is_numeric($config['system']['maximumtableentries'])) {
- /* User defined maximum table entries in Advanced menu. */
+ $limitrules .= "set limit tables {$maxtables}\n";
+ /* User defined maximum table entries in Advanced menu. */
+ if ($config['system']['maximumtableentries'] <> "" && is_numeric($config['system']['maximumtableentries']))
$rules .= "set limit table-entries {$config['system']['maximumtableentries']}\n";
- }
- $rules .= "{$aliases} \n";
- $rules .= "{$gateways} \n";
- update_filter_reload_status("Setting up logging information");
- $rules .= filter_setup_logging_interfaces();
- if($config['system']['optimization'] <> "") {
- $rules .= "set optimization {$config['system']['optimization']}\n";
- if($config['system']['optimization'] == "conservative") {
- $rules .= "set timeout { udp.first 300, udp.single 150, udp.multiple 900 }\n";
- }
- } else {
- $rules .= "set optimization normal\n";
- }
- if($config['system']['maximumstates'] <> "" && is_numeric($config['system']['maximumstates'])) {
+ if ($config['system']['optimization'] <> "") {
+ $limitrules .= "set optimization {$config['system']['optimization']}\n";
+ if ($config['system']['optimization'] == "conservative")
+ $limitrules .= "set timeout { udp.first 300, udp.single 150, udp.multiple 900 }\n";
+ } else
+ $limitrules .= "set optimization normal\n";
+
+ if ($config['system']['maximumstates'] <> "" && is_numeric($config['system']['maximumstates'])) {
/* User defined maximum states in Advanced menu. */
- $rules .= "set limit states {$config['system']['maximumstates']}\n";
- $rules .= "set limit src-nodes {$config['system']['maximumstates']}\n";
+ $limitrules .= "set limit states {$config['system']['maximumstates']}\n";
+ $limitrules .= "set limit src-nodes {$config['system']['maximumstates']}\n";
} else {
$max_states = pfsense_default_state_size();
- $rules .= "set limit states {$max_states}\n";
- $rules .= "set limit src-nodes {$max_states}\n";
+ $limitrules .= "set limit states {$max_states}\n";
+ $limitrules .= "set limit src-nodes {$max_states}\n";
}
// Configure flowtable support if enabled.
flowtable_configure();
+ $rules = "";
+ $rules .= "{$aliases} \n";
+ $rules .= "{$gateways} \n";
+ update_filter_reload_status("Setting up logging information");
+ $rules .= filter_setup_logging_interfaces();
$rules .= "\n";
$rules .= "set skip on pfsync0\n";
$rules .= "\n";
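Review bot: The user-configured table-entries limit is silently lost: the line following the "User defined maximum table entries" comment still appends to `$rules` instead of `$limitrules`, and `$rules` is then reinitialised to `""` right after `flowtable_configure()`, so `set limit table-entries` never reaches rules.limits or rules.debug (at that point `$rules` is also not yet assigned, which is a PHP notice). It should read `$limitrules .= "set limit table-entries {$config['system']['maximumtableentries']}\n";` so that it is loaded with the other limits. Everything else moved into `$limitrules` consistently; only that line was missed. `filter_configure_sync` starts and ends outside this hunk.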
@@ -299,23 +298,16 @@ function filter_configure_sync($delete_states_if_needed = true) {
$rules .= discover_pkg_rules("filter");
+ /* Load the options first and than the other rules */
+ @file_put_contents("{$g['tmp_path']}/rules.limits", $limitrules);
+ mwexec("/sbin/pfctl -O -f {$g['tmp_path']}/rules.limits");
+
if(!file_put_contents("{$g['tmp_path']}/rules.debug", $rules, LOCK_EX)) {
log_error("WARNING: Could not write new rules!");
unlock($filterlck);
return;
}
- /*
- * XXX: This are not being used for now so just comment them out.
- $rules = "1"; // force to be diff from oldrules
- $oldrules = "2"; // force to be diff from rules
-
- if(file_exists("{$g['tmp_path']}/rules.debug"))
- $rules = file_get_contents("{$g['tmp_path']}/rules.debug");
- if(file_exists("{$g['tmp_path']}/rules.debug.old"))
- $oldrules = file_get_contents("{$g['tmp_path']}/rules.debug.old");
- *
- */
if(isset($config['system']['developerspew'])) {
$mt = microtime();
echo "pfctl being called at $mt\n";
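Review bot: Neither the write of rules.limits nor the `pfctl -O -f` that loads it is checked, so if `file_put_contents` fails (the `@` also hides the warning) pfctl will load a stale rules.limits from an earlier run, or nothing at all, and the configured state/table limits and timeouts are never applied — with no log entry, unlike the rules.debug write a few lines below, which logs and returns. Since the limits now live only in this file and are no longer part of the main ruleset, a silent failure here is a real regression from before this commit. I would drop the `@`, use `LOCK_EX` as the rules.debug write does, and log both failure paths (assuming `mwexec` returns the command's exit status, as its other callers treat it); whether to bail out like the rules.debug path does is a judgement call, but the failure must at least be visible. `filter_configure_sync` starts and ends outside this hunk.
```php
/* Load the options first and then the other rules */
if (file_put_contents("{$g['tmp_path']}/rules.limits", $limitrules, LOCK_EX) === false) {
	log_error("WARNING: Could not write pf limits/options file rules.limits!");
} elseif (mwexec("/sbin/pfctl -O -f {$g['tmp_path']}/rules.limits") != 0) {
	log_error("WARNING: pfctl failed to load pf limits/options from rules.limits!");
}
// … unchanged: rules.debug write and developerspew output …
```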