author | Ermal Luçi <eri@pfsense.org> | 2008-12-24 21:01:33 +0000 |
---|---|---|
committer | Ermal Luçi <eri@pfsense.org> | 2008-12-24 21:01:33 +0000 |
commit | bc00232f7ebf6a63442ce3adeaba1f1c41384f51 (patch) | |
tree | a3dd1befbb1fd2e6567bd5fc6e395cbd6514304a /etc | |
parent | db65ac4cbf043d588c1cae244898884fb3cb7cec (diff) | |
Add layer7 options to filter rules so the new code on the traffic shaper can be useful.
I have modified the logic of it somewhat, and an ABI breakage will probably be necessary, with a 'needed' pf state structure change to accommodate the deficiencies of divert sockets.
Merry Christmas!
Submitted-by: Helder Pereira
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/filter.inc | 34 |
1 files changed, 32 insertions, 2 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index b597651..2378bcc 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -140,6 +140,8 @@ function filter_configure_sync() {
 $altq_queues = filter_generate_altq_queues();
 update_filter_reload_status("Generating Limiter rules");
 $dummynet_rules = filter_generate_dummynet_rules();
+ update_filter_reload_status("Generating Layer7 rules");
+ generate_layer7_files();
 if ($g['booting'] == true)
 echo ".";
 update_filter_reload_status("Loading filter rules");
@@ -380,6 +382,8 @@ function generate_optcfg_array()
 $mt = microtime();
 echo "generate_optcfg_array() being called $mt\n";
 }
+
+ read_layer7_config();
 /* if list */
 $iflist = get_configured_interface_with_descr();
 foreach ($iflist as $if => $ifdetail) {
@@ -1122,6 +1126,7 @@ function generate_user_filter_rule($rule)
 {
 global $config, $g, $FilterIflist, $GatewaysList, $GatewayGroupsList;
 global $table_cache;
+ global $layer7_rules_list;
 if(isset($config['system']['developerspew'])) {
 $mt = microtime();
 echo "generate_user_filter_rule() being called $mt\n";
@@ -1503,6 +1508,15 @@ function generate_user_filter_rule($rule)
 }
 }
 }
+ //Layer7 support
+ $l7_present = false;
+ $l7_structures = array();
+ if(isset($rule['l7container']) && $rule['l7container'] != "none") {
+ $l7_present = true;
+ $l7rule =& $layer7_rules_list[$rule['l7container']];
+ $l7_structures = $l7rule->get_unique_structures();
+ $aline['divert'] = "divert " . $l7rule->GetRPort() . " ";
+ }
 if (($rule['protocol'] == "icmp") && $rule['icmptype']) {
 $aline['icmp-type'] = "icmp-type {$rule['icmptype']} ";
 }
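Review bot: In the Layer7 block of the hunk at -1503, `$l7rule =& $layer7_rules_list[$rule['l7container']];` is taken without checking that the named container exists, so a rule whose l7container no longer matches a loaded container gets a null reference (the `=&` also silently creates that key in the global as null) and the following `$l7rule->get_unique_structures()` is a fatal method call on a non-object, which aborts generation of the whole ruleset rather than just skipping this rule. Guard the lookup, e.g. `if(isset($rule['l7container']) && $rule['l7container'] != "none" && isset($layer7_rules_list[$rule['l7container']])) {`, and consider logging the dangling reference so the operator can see why the rule lost its Layer7 handling. Whether `$layer7_rules_list` is populated before this function runs is not visible here; the `read_layer7_config()` added in generate_optcfg_array() (hunk at -380) presumably does it, but the call order is outside these hunks. The value of `$l7rule->GetRPort()` is interpolated into the pf rule text as-is, so if it is not already validated as an integer when the container is loaded, casting it with `(int)` here would keep malformed config out of the generated rules. The body of generate_user_filter_rule() starts and ends outside the hunk.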
@@ -1547,13 +1561,14 @@ function generate_user_filter_rule($rule)
 } else {
 $aline['flags'] = "keep state ";
 }
- if($noadvoptions == false)
+ if($noadvoptions == false || $l7_present)
 if( isset($rule['source-track']) and $rule['source-track'] <> "" or
 isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "" or
 isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> "" or
 isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "" or
 isset($rule['max-src-states']) and $rule['max-src-states'] <> "" or
- isset($rule['statetimeout']) and $rule['statetimeout'] <> "") {
+ isset($rule['statetimeout']) and $rule['statetimeout'] <> "" or
+ isset($rule['l7container']) and $rule['l7container']['name'] != "none") {
 $aline['flags'] .= "( ";
 if(isset($rule['source-track']) and $rule['source-track'] <> "")
 $aline['flags'] .= "source-track rule ";
@@ -1568,6 +1583,21 @@ function generate_user_filter_rule($rule)
 $aline['flags'] .= "max-src-conn-rate " . $rule['max-src-conn-rate'] . " ";
 $aline['flags'] .= "/" . $rule['max-src-conn-rates'] . ", overload <virusprot> flush global ";
 }
+ if(isset($rule['l7container']) && $rule['l7container']['name'] != "none" && !empty($l7_structures)) {
+ $aline['flags'] .= "max-packets 5, ";
+ if($l7_structures['action']) {
+ $aline['flags'] .= "overload action diverttag ";
+ unset($l7_structures['action']);
+ }
+ if($l7_structures['dummynet']) {
+ $aline['flags'] .= "overload dummynet diverttag ";
+ unset($l7_structures['dummynet']);
+ }
+ if($l7_structures['altq']) {
+ $aline['flags'] .= "overload altq diverttag ";
+ unset($l7_structures['altq']);
+ }
+ }
 $aline['flags'] .= " ) ";
 }
 }
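Review bot: The new conditions in the hunks at -1547 and -1568 test `$rule['l7container']['name'] != "none"`, but the hunk at -1503 in the same commit uses `$rule['l7container']` itself as the container name (a string key into `$layer7_rules_list`); indexing that string with `['name']` yields its first character (PHP treats the non-numeric offset as 0, with an illegal-offset warning on newer versions), so the comparison against "none" is true for every rule that has the key at all, and the advanced-options group is opened even for rules with no Layer7 container, which can emit an empty `( )` group that the pf parser likely rejects. Reuse the flag the earlier hunk already computes: `$l7_present) {` in place of the last `or` clause in the first hunk, and `if($l7_present && !empty($l7_structures)) {` in the second. In the second hunk `$l7_structures['action']`, `['dummynet']` and `['altq']` are read without `isset`, which raises undefined-index notices for whichever keys `get_unique_structures()` did not return; `if(!empty($l7_structures['action'])) {` and the same for the other two avoids that. Both hunks sit inside generate_user_filter_rule(), whose body starts and ends outside them.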