authorScott Ullrich <sullrich@pfsense.org>2006-03-10 22:52:26 +0000
committerScott Ullrich <sullrich@pfsense.org>2006-03-10 22:52:26 +0000
commit0f0c6a9edb8a5bd44dfb0cfdce316f6224fbd1f7 (patch)
tree211d8ff56c7fc6495c3d12198f1d2fb2703753cd /etc
parentf46fe44676c1b86037e937bf40d656e3ef1f200b (diff)
downloadpfsense-0f0c6a9edb8a5bd44dfb0cfdce316f6224fbd1f7.zip
pfsense-0f0c6a9edb8a5bd44dfb0cfdce316f6224fbd1f7.tar.gz
MFC 10496
Improve traffic shaper rules for assigning packets to queues (special consideration for NAT): MFC for next snapshot.
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/filter.inc4
-rw-r--r--etc/inc/shaper.inc323
2 files changed, 161 insertions, 166 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index f3a3e95..5b6885d 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -99,7 +99,7 @@ function filter_configure_sync() {
* we'll match only unshaped packets in the shaper code later
* this allows the shaper to be first match
*/
- $pf_altq_rules = "block all tag unshaped label \"SHAPER: first match rule\"\n";
+ $pf_altq_rules = "block in all tag unshaped label \"SHAPER: first match rule\"\n";
$pf_altq_rules .= filter_generate_pf_altq_rules();
}
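Review bot: The comment above the rule ("we'll match only unshaped packets in the shaper code later") no longer describes what the rule does, because the block-and-tag now applies only to inbound packets; the outbound leg of the shaper is expected to match on the queue tag set by the inbound pass rule rather than on `unshaped`. Suggest extending the comment with `* Only inbound traffic is tagged; outbound shaping matches the queue tag carried over from the inbound pass rule (see shaper.inc).` Note also that, without `quick`, this remains a default-deny for any inbound packet that no later pass rule matches, which is unchanged by this commit. filter_configure_sync begins before and continues after this hunk.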
@@ -2259,4 +2259,4 @@ function return_vpn_subnet($adr) {
return " # error - {$adr['network']} ";
}
-?> \ No newline at end of file
+?>
diff --git a/etc/inc/shaper.inc b/etc/inc/shaper.inc
index 667f6d5..31dae4b 100644
--- a/etc/inc/shaper.inc
+++ b/etc/inc/shaper.inc
@@ -418,200 +418,195 @@ function filter_generate_pf_altq_rules() {
}
for ($iif = 0; $iif < $nif; $iif++) {
- foreach ( array('in', 'out') as $direction) {
-
- $line = "pass {$direction} on ";
+ $direction = 'in';
+ $line = "pass {$direction} on ";
+
+ if ($ispptp) {
+ $line .= " ng" . ($iif+1);
+ }
+ else if($ispppoe) {
+ $line .= " ng" . ($iif+1);
+ }
+ else {
+ $line .= " \${$rule['in-interface']} ";
+ }
+
+ /* get protocol */
+ $proto = $rule['protocol'];
+ if (isset($proto)) {
+ $line .= "proto {$proto} ";
+ }
- if ($ispptp) {
- $line .= " ng" . ($iif+1);
+ /* get source address */
+ if (isset($rule['source']['any'])) {
+ $src = "any";
+ } else if ($rule['source']['network']) {
+ if (strstr($rule['source']['network'], "opt")) {
+ $src = $optcfg[$rule['source']['network']]['sa'] . "/" .
+ $optcfg[$rule['source']['network']]['sn'];
} else {
- if($ispppoe) {
- $line .= " ng" . ($iif+1);
- } else {
- $if = $config['interfaces'][$rule['in-interface']]['if'];
- }
-
- if ($rule['in-interface'] == "wan") {
- if($direction=="in") {
- $if = $wanif;
- } else {
- $if = $lanif;
- }
- } else {
- if($rule['in-interface'] == "lan") {
- if($direction=="in") {
- $if = $lanif;
- } else {
- $if = $wanif;
- }
- }
+ switch ($rule['source']['network']) {
+ case 'lan':
+ $src = "$lansa/$lansn";
+ break;
+ case 'pptp':
+ $src = "$pptpsa/$pptpsn";
+ break;
+ case 'pppoe':
+ $src = "$pppoesa/$pppoesn";
+ break;
}
-
- $line .= " {$if} ";
}
+ } else if ($rule['source']['address']) {
+ $src = alias_expand($rule['source']['address']);
+ if(!$src)
+ $src = $rule['source']['address'];
+ }
- if (isset($rule['protocol'])) {
- $line .= "proto {$rule['protocol']} ";
- }
+ if (!$src) {
+ printf("No source address found in rule $i\n");
+ break;
+ }
- /* source address */
- /* Using any for source on 'out' is due to not knowing what
- * the packet looks like after NAT occurs
- */
- if (isset($rule['source']['any']) || $direction == "out") {
- $src = "any";
- } else if ($rule['source']['network']) {
- if (strstr($rule['source']['network'], "opt")) {
- $src = $optcfg[$rule['source']['network']]['sa'] . "/" .
- $optcfg[$rule['source']['network']]['sn'];
+ if (isset($rule['source']['not'])) {
+ $src = " ! {$src} ";
+ }
+ $line .= "from {$src} ";
+
+ /* get source port */
+ if (!isset($rule['protocol']) || in_array($rule['protocol'], array("tcp","udp"))) {
+ if ($rule['source']['port']) {
+ /*
+ * Check to see if port is a alias. If so grab it and
+ * enclose it in { } to pass to pf.
+ *
+ * Otherwise combine the portrange into one if its only
+ * one item.
+ */
+ $src = alias_expand($rule['source']['port']);
+ if($src <> "") {
+ $line .= "port {$src}";
} else {
- switch ($rule['source']['network']) {
- case 'lan':
- $src = "$lansa/$lansn";
- break;
- case 'pptp':
- $src = "$pptpsa/$pptpsn";
- break;
- case 'pppoe':
- $src = "$pppoesa/$pppoesn";
- break;
+ $srcport = explode("-", $rule['source']['port']);
+ if ((!$srcport[1]) || ($srcport[0] == $srcport[1])) {
+ $line .= "port {$srcport[0]} ";
+ } else {
+ $line .= "port {$srcport[0]}:{$srcport[1]} ";
}
}
- } else if ($rule['source']['address']) {
- $src = alias_expand($rule['source']['address']);
- if(!$src)
- $src = $rule['source']['address'];
}
+ }
- if (!$src) {
- printf("No source address found in rule $i\n");
- break;
- }
+ /* destination address */
+ if (isset($rule['destination']['any'])) {
+ $dst = "any";
+ } else if ($rule['destination']['network']) {
- if (isset($rule['source']['not'])) {
- $line .= "from ! $src ";
+ if (strstr($rule['destination']['network'], "opt")) {
+ $dst = $optcfg[$rule['destination']['network']]['sa'] . "/" .
+ $optcfg[$rule['destination']['network']]['sn'];
} else {
- $line .= "from $src ";
- }
-
- if (!isset($rule['protocol']) || in_array($rule['protocol'], array("tcp","udp"))) {
- if ($rule['source']['port']) {
- /*
- * Check to see if port is a alias. If so grab it and
- * enclose it in { } to pass to pf.
- *
- * Otherwise combine the portrange into one if its only
- * one item.
- */
- $src = alias_expand($rule['source']['port']);
- if($src <> "") {
- $line .= "port {$src}";
- } else {
- $srcport = explode("-", $rule['source']['port']);
- if ((!$srcport[1]) || ($srcport[0] == $srcport[1])) {
- $line .= "port {$srcport[0]} ";
- } else {
- $line .= "port {$srcport[0]}:{$srcport[1]} ";
- }
- }
+ switch ($rule['destination']['network']) {
+ case 'lan':
+ $dst = "$lansa/$lansn";
+ break;
+ case 'pptp':
+ $dst = "$pptpsa/$pptpsn";
+ break;
+ case 'pppoe':
+ $dst = "$pppoesa/$pppoesn";
+ break;
}
}
+ } else if ($rule['destination']['address']) {
+ $dst = alias_expand($rule['destination']['address']);
+ if(!$dst)
+ $dst = $rule['destination']['address'];
+ }
- /* destination address */
- if (isset($rule['destination']['any'])) {
- $dst = "any";
- } else if ($rule['destination']['network']) {
+ if (!$dst) {
+ printf("No destination address found in rule $i\n");
+ break;
+ }
- if (strstr($rule['destination']['network'], "opt")) {
- $dst = $optcfg[$rule['destination']['network']]['sa'] . "/" .
- $optcfg[$rule['destination']['network']]['sn'];
+ if (isset($rule['destination']['not'])) {
+ $dst .= " ! {$dst} ";
+ }
+ $line .= "to {$dst} ";
+
+ if (!isset($rule['protocol']) || in_array($rule['protocol'], array("tcp","udp"))) {
+ if ($rule['destination']['port']) {
+ $dstport = alias_expand($rule['destination']['port']);
+ /*
+ * Check to see if port is a alias. If so grab it and
+ * enclose it in { } to pass to pf.
+ *
+ * Otherwise combine the portrange into one if its only
+ * one item.
+ */
+ if($dstport <> "") {
+ $line .= "port {$dstport}";
} else {
- switch ($rule['destination']['network']) {
- case 'lan':
- $dst = "$lansa/$lansn";
- break;
- case 'pptp':
- $dst = "$pptpsa/$pptpsn";
- break;
- case 'pppoe':
- $dst = "$pppoesa/$pppoesn";
- break;
- }
- }
- } else if ($rule['destination']['address']) {
- $dst = alias_expand($rule['destination']['address']);
- if(!$dst)
- $dst = $rule['destination']['address'];
- }
-
- if (!$dst) {
- printf("No destination address found in rule $i\n");
- break;
- }
-
- if (isset($rule['destination']['not'])) {
- $line .= "to ! $dst ";
- } else {
- $line .= "to $dst ";
- }
-
- if (!isset($rule['protocol']) || in_array($rule['protocol'], array("tcp","udp"))) {
- if ($rule['destination']['port']) {
- $dst = alias_expand($rule['destination']['port']);
- /*
- * Check to see if port is a alias. If so grab it and
- * enclose it in { } to pass to pf.
- *
- * Otherwise combine the portrange into one if its only
- * one item.
- */
- if($dst <> "") {
- $line .= "port {$dst}";
+ $dstport = explode("-", $rule['destination']['port']);
+ if ((!$dstport[1]) || ($dstport[0] == $dstport[1])) {
+ $dstport = $dstport[0];
+ $line .= "port {$dstport} ";
} else {
- $dstport = explode("-", $rule['destination']['port']);
- if ((!$dstport[1]) || ($dstport[0] == $dstport[1])) {
- $line .= "port {$dstport[0]} ";
- } else {
- $line .= "port {$dstport[0]}:{$dstport[1]} ";
- }
+ $dstport = "{$dstport[0]}:{$dstport[1]}";
+ $line .= "port {$dstport} ";
}
}
}
+ }
- if ($rule['iptos'])
- $line .= "tos {$rule['iptos']} ";
+ if ($rule['iptos'])
+ $line .= "tos {$rule['iptos']} ";
- $inflags = explode(",", $rule['tcpflags']);
- $flags = " flags ";
- foreach ($tcpflags as $tcpflag) {
- if (array_search($tcpflag, $inflags) !== false) {
- $flags .= strtoupper(substr($tcpflag, 0, 1));
- }
+ $inflags = explode(",", $rule['tcpflags']);
+ $flags = " flags ";
+ foreach ($tcpflags as $tcpflag) {
+ if (array_search($tcpflag, $inflags) !== false) {
+ $flags .= strtoupper(substr($tcpflag, 0, 1));
}
- if($flags <> " flags ")
- $line .= "{$flags}/SAFRPU ";
-
- $qtag = "{$direction}queue";
- $line .= " keep state tagged unshaped tag {$rule[$qtag]} ";
-
- $line .= "\n";
- $shaperrules .= $line;
- /* setup the outbound queue on the other interface */
- switch($direction) {
- case 'in':
- $qouttag = "outqueue";
- break;
- case 'out':
- $qouttag = "inqueue";
- break;
- }
- $shaperrules .= "pass out on \${$rule['out-interface']} all keep state tagged {$rule[$qtag]} tag {$rule[$qouttag]}\n";
}
+ if($flags <> " flags ")
+ $line .= "{$flags}/SAFRPU ";
+
+ $qtag = "{$direction}queue";
+ $line .= " keep state tagged unshaped tag {$rule[$qtag]} ";
+
+ $line .= "\n";
+ $shaperrules .= $line;
+
+ /* setup the outbound queue on the other interface */
+ $direction = 'out';
+ $qouttag = "{$direction}queue";
+
+ $shaperrules .= "pass out on \${$rule['out-interface']}";
+ if(isset($proto) && $proto != "") {
+ $shaperrules .= " proto {$proto}";
+ }
+ $shaperrules .= " from any to {$dst}";
+ if(isset($dstport) && $dstport != "") {
+ $shaperrules .= " port {$dstport}";
+ }
+ if ($rule['iptos']) {
+ $shaperrules .= " tos {$rule['iptos']}";
+ }
+ if($flags <> " flags ") {
+ $shaperrules .= "{$flags}/SAFRPU";
+ }
+
+ $shaperrules .= " keep state tagged {$rule[$qtag]} tag {$rule[$qouttag]}\n";
+
+ unset($src);
+ unset($dst);
+ unset($srcport);
+ unset($dstport);
}
$i++;
}
-
return $shaperrules;
}
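Review bot: The destination negation `$dst .= " ! {$dst} ";` appends to the address instead of replacing it, so a rule with destination/not set emits `to 10.0.0.0/8  ! 10.0.0.0/8`, which pf will presumably reject, and the same corrupted `$dst` is then reused in the outbound `from any to {$dst}` rule; it should mirror the source branch, `$dst = " ! {$dst} ";`. Two smaller points carried over from the old code: `$line .= "port {$src}";` and `$line .= "port {$dstport}";` lack a trailing space, so when `iptos` is also set the output reads `port {...}tos ...` with no separator. The removed comment explaining why the outbound rule uses `from any` (the source address after NAT is unknown) was dropped and is worth re-adding above the `from any to {$dst}` line. filter_generate_pf_altq_rules starts before this hunk.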