author | Chris Dionissopoulos <chdio@pfsense.org> | 2005-03-05 21:08:15 +0000 |
---|---|---|
committer | Chris Dionissopoulos <chdio@pfsense.org> | 2005-03-05 21:08:15 +0000 |
commit | 257306c0e0d4e44480258c32a95bfecb9f9597fd (patch) | |
tree | 09bc5af08a4f94c93c95fea402f5a106af4a3223 /etc | |
parent | 08443c7a69308afacd4abe9764dc3842e2cd9391 (diff) | |
Add Basic LB support (and altq rulenum changes)
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/filter.inc | 125 |
1 files changed, 107 insertions, 18 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 05cc2db..b8d2163 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -72,6 +72,10 @@ function filter_configure() {
 /* generate altq rules */
 $altq_rules = filter_generate_altq_rules();
 }
+ if (isset($config['nat']['outgoingloadbalancing']['enable']))
+ /* generate altq rules */
+ $lb_rules = filter_generate_lb_rules();
+
 if( !isset( $config['system']['disablefilter'] ) ) {
 mwexec("/sbin/pfctl -e");
 mwexec("/sbin/pfctl -F nat");
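Review bot: The comment added above `$lb_rules = filter_generate_lb_rules();` reads `/* generate altq rules */`, copied from the shaper branch just above it, while the call generates the load-balancing rule set; it should read `/* generate load balancer rules */`. The brace-less `if` with a comment between the condition and its statement is easy to misread, so wrap the body: `if (isset($config['nat']['outgoingloadbalancing']['enable'])) { /* generate load balancer rules */ $lb_rules = filter_generate_lb_rules(); }`. filter_configure() continues outside this hunk.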
@@ -116,25 +120,45 @@ function filter_configure() { $rules_loading = mwexec("/sbin/pfctl -f {$g['tmp_path']}/rules.debug"); /* load ipfw+altq module */ - if (isset($config['shaper']['enable'])) { + if (isset($config['shaper']['enable']) || isset($config['nat']['outgoingloadbalancing']['enable'])) { mwexec("/sbin/kldload ipfw"); /* change one_pass to 1 so ipfw stops checking after a rule has matched */ mwexec("/sbin/sysctl net.inet.ip.fw.one_pass=1"); /* load shaper rules */ - mwexec("/sbin/ipfw -f delete set 4"); + if (isset($config['shaper']['enable'])) { + mwexec("/sbin/ipfw -f delete set 4"); /* XXX - seems like ipfw cannot accept rules directly on stdin, so we have to write them to a temporary file first */ - $fd = fopen("{$g['tmp_path']}/ipfw.rules", "w"); - if (!$fd) { - printf("Cannot open ipfw.rules in filter_configure()\n"); - return 1; + $fd = fopen("{$g['tmp_path']}/ipfw.rules", "w"); + if (!$fd) { + printf("Cannot open ipfw.rules in filter_configure()\n"); + return 1; + } + fwrite($fd, $altq_rules); + fclose($fd); + mwexec("/sbin/ipfw {$g['tmp_path']}/ipfw.rules"); + mwexec("/sbin/ipfw enable altq"); + mwexec("/bin/mv {$g['tmp_path']}/ipfw.rules {$g['tmp_path']}/ipfw.rules_old"); + } + /*load lb rules */ + if (isset($config['nat']['outgoingloadbalancing']['enable'])) { + mwexec("/sbin/ipfw -f delete set 5"); + /* this uses ~32MB for session states */ + mwexec("/sbin/sysctl net.inet.ip.fw.dyn_max=65536"); + mwexec("/sbin/sysctl net.inet.ip.fw.dyn_buckets=32768"); + /* XXX - seems like ipfw cannot accept rules directly on stdin, + so we have to write them to a temporary file first */ + $fd = fopen("{$g['tmp_path']}/ipfw_lb.rules", "w"); + if (!$fd) { + printf("Cannot open ipfw.rules in filter_configure()\n"); + return 1; + } + fwrite($fd, $lb_rules); + fclose($fd); + mwexec("/sbin/ipfw {$g['tmp_path']}/ipfw_lb.rules"); + mwexec("/bin/mv {$g['tmp_path']}/ipfw_lb.rules {$g['tmp_path']}/ipfw_lb.rules_old"); } - fwrite($fd, $altq_rules); - fclose($fd); - 
mwexec("/sbin/ipfw {$g['tmp_path']}/ipfw.rules"); - mwexec("/sbin/ipfw enable altq"); - mwexec("/bin/mv {$g['tmp_path']}/ipfw.rules {$g['tmp_path']}/ipfw.rules_old"); } else { mwexec("/sbin/ipfw -f flush"); if(!isset($config['captiveportal']['enable'])) 
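Review bot: With load balancing enabled but the shaper disabled, the new code never runs `/sbin/ipfw -f delete set 4`, so shaper rules loaded by an earlier configure survive in ipfw after the user turns the shaper off; the old code deleted set 4 whenever it entered this block. Keep `mwexec("/sbin/ipfw -f delete set 4");` ahead of the `if (isset($config['shaper']['enable']))` branch, and likewise delete set 5 whenever load balancing is not enabled, since `delete set 5` currently runs only inside the load-balancing branch and stale LB rules would remain when only the shaper is on. The error message in the load-balancing branch also names the wrong file; it should be `printf("Cannot open ipfw_lb.rules in filter_configure()\n");`. filter_configure() continues outside this hunk.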
@@ -359,6 +383,74 @@ function filter_generate_aliases() { return $aliases; } +function filter_generate_lb_rules() { + global $config, $g; + + $wancfg = $config['interfaces']['wan']; + $lancfg = $config['interfaces']['lan']; + + $lanif = $lancfg['if']; + $wanif = get_real_wan_interface(); + + $lanip = $lancfg['ipaddr']; + $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); + $lansn = $lancfg['subnet']; + + $ruleconf = &$config['nat']['outgoingloadbalancing']['rule']; + + /* Lets turn away some rule writting */ + $out_flow = ' ip from '.$lancfg['ipaddr'].'/'.$lancfg['subnet'].' to not '. $lancfg['ipaddr'].'/'.$lancfg['subnet']; + $in_flow = 'ip from not '.$lancfg['ipaddr'].'/'.$lancfg['subnet'].' to '.$lancfg['ipaddr'].'/'.$lancfg['subnet']; + + /* LB Rules Return Script */ + $lbrules = ""; +// print_r($ruleconf); + /* generate rules */ + if (isset($ruleconf)) { + + $i = 0; + $gatenum = count($ruleconf); + reset($ruleconf); + foreach ($ruleconf as $rule) { + + $gwmac = arp_get_mac_by_ip($rule['gatewayip']); + print_r($rule); + print_r($gwmac); + /* don't include disabled rules and non reachable gateways*/ + if (($rule['enabled']===0) || ($gwmac===false)) { + $i++; + continue; + } + + $rulelines = ""; + $in_num = 10000 + $i; + $out_num = 11000 + $i; + $skipto_num = 50000 + $i*10; + + /* Compute denominator of probability value + (consist of enabled|reachable gateways) */ + $denom[$i] = 0; + for($j=$i;$j<$gatenum;$j++) + if (($ruleconf[$j]['enabled']==1) && (arp_get_mac_by_ip($ruleconf[$j]['gatewayip'])!==false)) $denom[$i]++; + + $prob = round(1/$denom[$i],2); + + $rulelines .= "add $in_num set 5 skipto $skipto_num $in_flow mac any $gwmac in recv $wanif keep-state\n"; + + $rulelines .= "add $out_num set 5 prob $prob skipto $skipto_num $out_flow in recv $lanif keep-state\n"; + + $rulelines .= "add $skipto_num set 5 fwd ".$rule['gatewayip']." 
$out_flow in recv $lanif\n"; + $skipto_num++; + $rulelines .= "add $skipto_num set 5 skipto 65535 ip from any to any\n"; + + $lbrules .=$rulelines; + $i++; + } // foreach + + } // if + return $lbrules; +} + function filter_generate_altq_rules() { global $config, $g; @@ -396,13 +488,12 @@ function filter_generate_altq_rules() { $pptpsn = $g['pptp_subnet']; } - $rulei = 50000; + $rulei = 1000; /* add a rule to pass all traffic from/to the firewall, so the user cannot lock himself out of the webGUI */ $shaperrules = "add $rulei set 4 pass all from $lanip to any\n"; $rulei++; $shaperrules .= "add $rulei set 4 pass all from any to $lanip\n"; $rulei++; - $shaperrules .= "add $rulei set 4 pass carp from any to any\n"; $rulei++; /* generate rules */ if (isset($config['shaper']['rule'])) @@ -608,12 +699,10 @@ function filter_generate_altq_rules() { if ($ispptp) { $line .= "via ng" . ($iif+1); } else { - $if = $config['interfaces'][$rule['interface']]['if']; - if ($rule['interface'] == "wan") $if = $wanif; - else if($rule['interface'] == "lan") - $if = $wanif; + else + $if = $config['interfaces'][$rule['interface']]['if']; $line .= "via {$if}"; } @@ -1675,4 +1764,4 @@ function create_firewall_outgoing_rules_to_itself() { return $rule; } -?>
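Review bot: `print_r($rule); print_r($gwmac);` inside the rule loop of filter_generate_lb_rules() is leftover debugging that dumps every load-balancing rule and its gateway MAC into the output of each filter reload; remove both calls together with the commented-out `// print_r($ruleconf);`. The enabled check is also inconsistent: the skip test uses `$rule['enabled']===0` while the denominator loop uses `$ruleconf[$j]['enabled']==1`, so a rule whose `enabled` value is a string rather than the integer 0 (presumably the case for values read from the XML config — worth confirming) passes the first test but is never counted, and when that happens for every remaining rule `$denom[$i]` stays 0 and `round(1/$denom[$i],2)` divides by zero. Use one truthiness test in both places, e.g. `if (!$rule['enabled'] || $gwmac === false)` and `if ($ruleconf[$j]['enabled'] && arp_get_mac_by_ip(...) !== false)`, and skip the rule when the denominator is 0. `$wancfg`, `$lanip`, `$lansa` and `$lansn` are assigned but never used; the function is complete within this hunk.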
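Review bot: The removal of `$shaperrules .= "add $rulei set 4 pass carp from any to any\n"; $rulei++;` in filter_generate_altq_rules() is not covered by the commit message, which only announces rule-number changes; since filter_configure() sets `net.inet.ip.fw.one_pass=1`, CARP traffic that this rule previously passed ahead of the shaper rules will presumably now be matched by whatever shaper rule follows. If dropping the pass rule is intentional, say so in the message or in a comment next to the two remaining pass rules; otherwise restore the line. The function continues outside this hunk.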
\ No newline at end of file
+?> |