diff options
| author | Renato Botelho <garga@FreeBSD.org> | 2013-11-21 13:57:34 -0200 |
|---|---|---|
| committer | Renato Botelho <garga@FreeBSD.org> | 2013-11-21 13:57:53 -0200 |
| commit | 82d1a33e4a0a9e1988277fcd4f9401355a9b4fee (patch) | |
| tree | 1f1f84385738185caf60ce2606b3f9b7d7de505a /etc | |
| parent | 1ad6ad279f44676f149f3f2a35ed641b739f4dfd (diff) | |
| download | pfsense-82d1a33e4a0a9e1988277fcd4f9401355a9b4fee.zip pfsense-82d1a33e4a0a9e1988277fcd4f9401355a9b4fee.tar.gz | |
Fix #3331. Set interface subnet as destination when VIP is in the same subnet, otherwise use VIP subnet instead of IP address
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/inc/filter.inc | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index d3abf12..0507cfc 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -2867,7 +2867,10 @@ EOD; $ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$ifcfg['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n"; if (is_array($ifcfg['vips'])) { foreach ($ifcfg['vips'] as $vip) - $ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !{$vip['ip']}/{$vip['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n"; + if (ip_in_subnet($vip['ip'], "{$ifcfg['sa']}/{$ifcfg['sn']}")) + $ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n"; + else + $ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !" . gen_subnet($vip['ip'], $vip['sn']) . "/{$vip['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n"; } } |
