author | Seth Mos <seth.mos@dds.nl> | 2011-05-03 10:09:06 +0200 |
---|---|---|
committer | Seth Mos <seth.mos@dds.nl> | 2011-05-03 10:09:06 +0200 |
commit | dcb846e3cd1604ec9c0a024b6bd721d306bbce46 (patch) | |
tree | 49624a702780f2714c9141ead186bfe113043550 /etc | |
parent | 03f824a5e540cb32a025b79ddc29baba4d1ea959 (diff) | |
parent | 8c218e1d0190a218686cf2b65913be3198791206 (diff) | |
Merge remote branch 'upstream/master'
Conflicts:
usr/local/www/status_rrd_graph_img.php
Diffstat (limited to 'etc')
-rw-r--r-- | etc/devd.conf | 5 | ||||
-rw-r--r-- | etc/inc/filter.inc | 7 | ||||
-rw-r--r-- | etc/inc/globals.inc | 1 | ||||
-rw-r--r-- | etc/inc/interfaces.inc | 53 | ||||
-rw-r--r-- | etc/inc/services.inc | 1 | ||||
-rw-r--r-- | etc/inc/shaper.inc | 2 | ||||
-rw-r--r-- | etc/inc/upgrade_config.inc | 4 | ||||
-rw-r--r-- | etc/inc/vpn.inc | 1 | ||||
-rw-r--r-- | etc/inc/vslb.inc | 3 |
9 files changed, 53 insertions, 24 deletions
diff --git a/etc/devd.conf b/etc/devd.conf
index 7c63591..244af48 100644
--- a/etc/devd.conf
+++ b/etc/devd.conf
@@ -39,10 +39,7 @@ detach 100 {
 };
 #
-# Try to start dhclient on Ethernet like interfaces when the link comes
-# up. Only devices that are configured to support DHCP will actually
-# run it. No link down rule exists because dhclient automaticly exits
-# when the link goes down.
+# Signal upper levels that an event happened on ethernet class interface
 #
 notify 0 {
 match "system" "IFNET";
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 6ba15e7..81dbd9a 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1989,7 +1989,7 @@ function filter_generate_user_rule($rule) {
 } else
 $aline['flags'] .= "keep state ";
-if($noadvoptions == false)
+if($noadvoptions == false || $l7_present)
 if( (isset($rule['source-track']) and $rule['source-track'] <> "") or
 (isset($rule['max']) and $rule['max'] <> "") or
 (isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "") or
@@ -1998,7 +1998,7 @@ function filter_generate_user_rule($rule) {
 (isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "") or
 (isset($rule['max-src-states']) and $rule['max-src-states'] <> "") or
 (isset($rule['statetimeout']) and $rule['statetimeout'] <> "") or
-isset($rule['sloppy'])) {
+isset($rule['sloppy']) or $l7_present) {
 $aline['flags'] .= "( ";
 if (isset($rule['sloppy']))
 $aline['flags'] .= "sloppy ";
@@ -2022,6 +2022,9 @@ function filter_generate_user_rule($rule) {
 $aline['flags'] .= "/" . $rule['max-src-conn-rates'] . ", overload <virusprot> flush global ";
 }
+if(!empty($aline['divert']))
+$aline['flags'] .= "max-packets 8 ";
+
 $aline['flags'] .= " ) ";
 }
 }
diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc
index da1a87f..6993148 100644
--- a/etc/inc/globals.inc
+++ b/etc/inc/globals.inc
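Review bot: The literal in the new line `$aline['flags'] .= "max-packets 8 ";` appears to be the same value as the `-n 8` this commit now passes to ipfw-classifyd in the shaper.inc hunk further down the page, yet nothing ties the two together, so a later tweak to one of them silently desynchronises the other. A single named constant defined once and referenced from both places (e.g. `L7_MAX_PACKETS` — constructed name, pick whatever fits the project) would make the coupling explicit, and a one-line comment such as `/* must match the -n argument given to ipfw-classifyd in layer7_start_l7daemon() */` is the minimum worth adding here. The `$l7_present` flag used in the two earlier filter.inc hunks is presumably set earlier in filter_generate_user_rule, whose body lies outside these hunks; worth confirming it is initialised on every path so the `||` does not read an undefined variable.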
@@ -153,7 +153,6 @@ $sysctls = array("net.inet.ip.portrange.first" => "1024",
 "net.link.bridge.pfil_member" => "1",
 "net.link.bridge.pfil_bridge" => "0",
 "net.link.tap.user_open" => "1",
-"kern.rndtest.verbose" => "0",
 "kern.randompid" => "347",
 "net.inet.ip.intr_queue_maxlen" => "1000",
 "hw.syscons.kbd_reboot" => "0",
diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc
index 1ef597b..b312e67 100644
--- a/etc/inc/interfaces.inc
+++ b/etc/inc/interfaces.inc
@@ -255,6 +255,7 @@ function interface_qinq_configure(&$vlan, $fd = NULL) {
 /* make sure the parent is converted to ng_vlan(4) and is up */
 interfaces_bring_up($qinqif);
+pfSense_ngctl_attach(".", $qinqif);
 if (!empty($vlanif) && does_interface_exist($vlanif)) {
 fwrite($fd, "shutdown {$qinqif}qinq:\n");
 exec("/usr/sbin/ngctl msg {$qinqif}qinq: gettable", $result);
@@ -364,7 +365,7 @@ function interfaces_create_wireless_clones() {
 echo " done.\n";
 }
-function interfaces_bridge_configure() {
+function interfaces_bridge_configure($checkmember = 0) {
 global $config;
 $i = 0;
@@ -372,6 +373,10 @@ function interfaces_bridge_configure() {
 foreach ($config['bridges']['bridged'] as $bridge) {
 if(empty($bridge['bridgeif']))
 $bridge['bridgeif'] = "bridge{$i}";
+if ($checkmember == 1 && (strstr($bridge['members'], "gif") || strstr($bridge['members'], "gre")))
+continue;
+if ($checkmember == 2 && !strstr($bridge['members'], "gif") && !strstr($bridge['members'], "gre"))
+continue;
 /* XXX: Maybe we should report any errors?! */
 interface_bridge_configure($bridge);
 $i++;
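Review bot: The new `strstr($bridge['members'], "gif")` / `strstr($bridge['members'], "gre")` tests in interfaces_bridge_configure are plain substring matches over the whole members field, so any member whose name merely contains those letters sends the bridge into the deferred pass, and the test only works at all if that field holds device names rather than interface assignment names — worth confirming against how interface_bridge_configure resolves its members. The same pattern is repeated with `strstr($gre['if'], "vip")` and `strstr($gif['if'], "vip")` in the two interfaces.inc hunks that follow. Splitting the field into its entries and comparing each with `substr($member, 0, 3) == "gif"` (and likewise for "gre"/"vip") states the intent and avoids accidental matches. The `1`/`2` values of `$checkmember` have no name at the definition; a short comment on the signature line describing the two passes would help, since the explanatory NOTE block lives only in interfaces_configure. The foreach body continues outside the hunk.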
@@ -685,13 +690,17 @@ function interface_lagg_configure(&$lagg) {
 return $laggif;
 }
-function interfaces_gre_configure() {
+function interfaces_gre_configure($checkparent = 0) {
 global $config;
 if (is_array($config['gres']['gre']) && count($config['gres']['gre'])) {
 foreach ($config['gres']['gre'] as $i => $gre) {
 if(empty($gre['greif']))
 $gre['greif'] = "gre{$i}";
+if ($checkparent == 1 && strstr($gre['if'], "vip"))
+continue;
+if ($checkparent == 2 && !strstr($gre['if'], "vip"))
+continue;
 /* XXX: Maybe we should report any errors?! */
 interface_gre_configure($gre);
 }
@@ -743,13 +752,17 @@ function interface_gre_configure(&$gre, $grekey = "") {
 return $greif;
 }
-function interfaces_gif_configure() {
+function interfaces_gif_configure($checkparent = 0) {
 global $config;
 if (is_array($config['gifs']['gif']) && count($config['gifs']['gif'])) {
 foreach ($config['gifs']['gif'] as $i => $gif) {
 if(empty($gif['gifif']))
 $gre['gifif'] = "gif{$i}";
+if ($checkparent == 1 && strstr($gif['if'], "vip"))
+continue;
+if ($checkparent == 2 && !strstr($gif['if'], "vip"))
+continue;
 /* XXX: Maybe we should report any errors?! */
 interface_gif_configure($gif);
 }
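Review bot: The context line `$gre['gifif'] = "gif{$i}";` inside interfaces_gif_configure writes the default name into `$gre` instead of `$gif`, so a gif entry with an empty `gifif` is handed to `interface_gif_configure($gif)` still unnamed; the gre loop in the hunk above assigns `$gre['greif']` correctly. The line should read `$gif['gifif'] = "gif{$i}";`. This matters more after this commit, because the later interface_configure hunk now compares `$gif['gifif'] == $realif` to find the entry to reconfigure, and an unnamed entry can never match there. The rest of the function lies outside the hunk.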
@@ -854,12 +867,30 @@ function interfaces_configure() {
 /* create the unconfigured wireless clones */
 interfaces_create_wireless_clones();
+/*
+* NOTE: The following function parameter consists of
+* 1 - Do not load gre/gif/bridge with parent/member as vip
+* 2 - Do load gre/gif/bridge with parent/member as vip
+*/
+
 /* set up GRE virtual interfaces */
-interfaces_gre_configure();
+interfaces_gre_configure(1);
 /* set up GIF virtual interfaces */
-interfaces_gif_configure();
-
+interfaces_gif_configure(1);
+
+/* set up BRIDGe virtual interfaces */
+interfaces_bridge_configure(1);
+
+/* bring up vip interfaces */
+interfaces_vips_configure();
+
+/* set up GRE virtual interfaces */
+interfaces_gre_configure(2);
+
+/* set up GIF virtual interfaces */
+interfaces_gif_configure(2);
+
 foreach ($delayed_list as $if => $ifname) {
 if ($g['booting'])
 echo "Configuring {$ifname} interface...";
@@ -873,7 +904,7 @@ function interfaces_configure() {
 }
 /* set up BRIDGe virtual interfaces */
-interfaces_bridge_configure();
+interfaces_bridge_configure(2);
 foreach ($bridge_list as $if => $ifname) {
 if ($g['booting'])
@@ -887,9 +918,6 @@ function interfaces_configure() {
 echo "done.\n";
 }
-/* bring up vip interfaces */
-interfaces_vips_configure();
-
 /* configure interface groups */
 interfaces_group_setup();
@@ -2519,7 +2547,8 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven
 // Need code to handle MLPPP if we ever use $realhwif for MLPPP handling
 $realhwif = $realhwif_array[0];
-if (!$g['booting']) {
+
+if (!$g['booting'] && !substr($realif, 0, 4) == "ovpn") {
 /* remove all IPv4 addresses */
 while (mwexec("/sbin/ifconfig " . escapeshellarg($realif) . " -alias", true) == 0);
 while (mwexec("/sbin/ifconfig " . escapeshellarg($realif) . " inet6 -alias", true) == 0);
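Review bot: In the last hunk of interface_configure, `!substr($realif, 0, 4) == "ovpn"` applies the `!` to the substr result before the comparison, so a bool is compared with "ovpn" and the guard is false for every non-empty `$realif`; the address-flush block beneath it is therefore skipped on every non-boot reconfigure, which leaves stale IPv4/IPv6 aliases on the device instead of excluding only the ovpn case. The intended condition is `if (!$g['booting'] && substr($realif, 0, 4) != "ovpn") {`. The new blank line above it is fine but a one-line comment on why ovpn devices are exempt from the flush would help the next reader. interface_configure's body continues on both sides of the hunk.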
@@ -2665,7 +2694,7 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven
 } else if (substr($realif, 0, 3) == "gif") {
 if (is_array($config['gifs']['gif'])) {
 foreach ($config['gifs']['gif'] as $gif)
-if($gif['gifif'] == $interface)
+if($gif['gifif'] == $realif)
 interface_gif_configure($gif);
 }
 } else if (substr($realif, 0, 4) == "ovpn") {
diff --git a/etc/inc/services.inc b/etc/inc/services.inc
index bc18355..266a291 100644
--- a/etc/inc/services.inc
+++ b/etc/inc/services.inc
@@ -818,6 +818,7 @@ EOD;
 $realif = get_real_interface($ifn);
 $igmpconf .= "phyint {$realif} disabled\n";
 }
+$igmpconf .= "\n";
 $igmpfl = fopen($g['tmp_path'] . "/igmpproxy.conf", "w");
 if (!$igmpfl) {
diff --git a/etc/inc/shaper.inc b/etc/inc/shaper.inc
index a0fb0e4..c9f41f3 100644
--- a/etc/inc/shaper.inc
+++ b/etc/inc/shaper.inc
@@ -3743,7 +3743,7 @@ function layer7_start_l7daemon() {
 mwexec("/bin/kill -HUP {$l7pid[0]}");
 } else {
 // XXX: Hardcoded number of packets to garbage collect and queue length..
-$ipfw_classifyd_init = "/usr/local/sbin/ipfw-classifyd -n 5 -q 700 -c {$path} -p " . $l7rules->GetRPort() . " -P /usr/local/share/protocols";
+$ipfw_classifyd_init = "/usr/local/sbin/ipfw-classifyd -n 8 -q 700 -c {$path} -p " . $l7rules->GetRPort() . " -P /usr/local/share/protocols";
 mwexec_bg($ipfw_classifyd_init);
 }
 }
diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc
index b3b8fb9..77a8682 100644
--- a/etc/inc/upgrade_config.inc
+++ b/etc/inc/upgrade_config.inc
@@ -685,10 +685,6 @@ function upgrade_040_to_041() {
 $config['sysctl']['item'][13]['descr'] = "Allow unprivileged access to tap(4) device nodes";
 $config['sysctl']['item'][13]['value'] = "default";
-$config['sysctl']['item'][14]['tunable'] = "kern.rndtest.verbose";
-$config['sysctl']['item'][14]['descr'] = "Verbosity of the rndtest driver (0: do not display results on console)";
-$config['sysctl']['item'][14]['value'] = "default";
-
 $config['sysctl']['item'][15]['tunable'] = "kern.randompid";
 $config['sysctl']['item'][15]['descr'] = "Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())";
 $config['sysctl']['item'][15]['value'] = "default";
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index c10cb01..d08b60b 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -946,6 +946,7 @@ EOD;
 file_put_contents("{$g['varetc_path']}/filterdns-ipsec.hosts", $hostnames);
 killbypid("{$g['varrun_path']}/filterdns-ipsec.pid");
+sleep(1);
 mwexec("/usr/local/sbin/filterdns -p {$g['varrun_path']}/filterdns-ipsec.pid -i {$interval} -c {$g['varetc_path']}/filterdns-ipsec.hosts -d 1");
 }
diff --git a/etc/inc/vslb.inc b/etc/inc/vslb.inc
index 55bcfdf..79978c0 100644
--- a/etc/inc/vslb.inc
+++ b/etc/inc/vslb.inc
@@ -241,6 +241,9 @@ function relayd_configure() {
 $conf .= " listen on {$vs_a[$i]['ipaddr']} port {$vs_a[$i]['port']}\n";
 $conf .= " forward to <{$vs_a[$i]['pool']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} timeout 1000\n";
+if (isset($conf['system']['lb_use_sticky']))
+$conf .= " sticky-address\n";
+
 # sitedown MUST use the same port as the primary pool - sucks, but it's a relayd thing
 if (isset($vs_a[$i]['sitedown']) && strlen($vs_a[$i]['sitedown']) > 0)
 $conf .= " forward to <{$vs_a[$i]['sitedown']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} timeout 1000\n"; |
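Review bot: The added `sleep(1);` between `killbypid(...)` and the relaunch of filterdns is a fixed delay standing in for "wait until the previous instance has gone"; presumably the old process still owns the pid file or its socket for a moment after the signal, and on a loaded box one second may not be enough, so the restart can silently fail and leave IPsec hostname resolution stopped, while on a fast box the second is paid on every reload. Polling for the pid named in `{$g['varrun_path']}/filterdns-ipsec.pid` to disappear, bounded by a timeout, expresses that intent directly. At the very least the line deserves a comment such as `/* give the previous filterdns time to exit before its pid file is reused */`. The enclosing block continues outside the hunk.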
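Review bot: In relayd_configure the new check `isset($conf['system']['lb_use_sticky'])` tests the `$conf` string that is being assembled on the surrounding lines, not the configuration array, so it is always false and `sticky-address` is never written to the relayd config. The line should read `if (isset($config['system']['lb_use_sticky']))`, which also needs `$config` to be in scope via `global $config` — the function's header is outside the hunk, so confirm that. A unit check that generates the config with the option set and asserts the `sticky-address` line appears would have caught this.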