authorSeth Mos <seth.mos@dds.nl>2011-05-03 10:09:06 +0200
committerSeth Mos <seth.mos@dds.nl>2011-05-03 10:09:06 +0200
commitdcb846e3cd1604ec9c0a024b6bd721d306bbce46 (patch)
tree49624a702780f2714c9141ead186bfe113043550 /etc
parent03f824a5e540cb32a025b79ddc29baba4d1ea959 (diff)
parent8c218e1d0190a218686cf2b65913be3198791206 (diff)
downloadpfsense-dcb846e3cd1604ec9c0a024b6bd721d306bbce46.zip
pfsense-dcb846e3cd1604ec9c0a024b6bd721d306bbce46.tar.gz
Merge remote branch 'upstream/master'
Conflicts: usr/local/www/status_rrd_graph_img.php
Diffstat (limited to 'etc')
-rw-r--r--etc/devd.conf5
-rw-r--r--etc/inc/filter.inc7
-rw-r--r--etc/inc/globals.inc1
-rw-r--r--etc/inc/interfaces.inc53
-rw-r--r--etc/inc/services.inc1
-rw-r--r--etc/inc/shaper.inc2
-rw-r--r--etc/inc/upgrade_config.inc4
-rw-r--r--etc/inc/vpn.inc1
-rw-r--r--etc/inc/vslb.inc3
9 files changed, 53 insertions, 24 deletions
diff --git a/etc/devd.conf b/etc/devd.conf
index 7c63591..244af48 100644
--- a/etc/devd.conf
+++ b/etc/devd.conf
@@ -39,10 +39,7 @@ detach 100 {
};
#
-# Try to start dhclient on Ethernet like interfaces when the link comes
-# up. Only devices that are configured to support DHCP will actually
-# run it. No link down rule exists because dhclient automaticly exits
-# when the link goes down.
+# Signal upper levels that an event happened on ethernet class interface
#
notify 0 {
match "system" "IFNET";
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 6ba15e7..81dbd9a 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1989,7 +1989,7 @@ function filter_generate_user_rule($rule) {
} else
$aline['flags'] .= "keep state ";
- if($noadvoptions == false)
+ if($noadvoptions == false || $l7_present)
if( (isset($rule['source-track']) and $rule['source-track'] <> "") or
(isset($rule['max']) and $rule['max'] <> "") or
(isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "") or
@@ -1998,7 +1998,7 @@ function filter_generate_user_rule($rule) {
(isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "") or
(isset($rule['max-src-states']) and $rule['max-src-states'] <> "") or
(isset($rule['statetimeout']) and $rule['statetimeout'] <> "") or
- isset($rule['sloppy'])) {
+ isset($rule['sloppy']) or $l7_present) {
$aline['flags'] .= "( ";
if (isset($rule['sloppy']))
$aline['flags'] .= "sloppy ";
@@ -2022,6 +2022,9 @@ function filter_generate_user_rule($rule) {
$aline['flags'] .= "/" . $rule['max-src-conn-rates'] . ", overload <virusprot> flush global ";
}
+ if(!empty($aline['divert']))
+ $aline['flags'] .= "max-packets 8 ";
+
$aline['flags'] .= " ) ";
}
}
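Review bot: The parenthesised state-options block is now opened whenever `$l7_present` is set (both conditions changed earlier in this function), but the only option added for that case is guarded by `!empty($aline['divert'])`. If the two can ever disagree, the rule is emitted with an empty `(  )`, which pf would probably reject when the ruleset is loaded; using the same guard in all three places avoids that. The literal 8 also appears to mirror the `-n 8` passed to ipfw-classifyd in etc/inc/shaper.inc, so a shared constant, or at least a comment like `/* keep in sync with ipfw-classifyd -n in shaper.inc */`, would keep the two from drifting. `$l7_present` is assigned outside the visible hunks.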
diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc
index da1a87f..6993148 100644
--- a/etc/inc/globals.inc
+++ b/etc/inc/globals.inc
@@ -153,7 +153,6 @@ $sysctls = array("net.inet.ip.portrange.first" => "1024",
"net.link.bridge.pfil_member" => "1",
"net.link.bridge.pfil_bridge" => "0",
"net.link.tap.user_open" => "1",
- "kern.rndtest.verbose" => "0",
"kern.randompid" => "347",
"net.inet.ip.intr_queue_maxlen" => "1000",
"hw.syscons.kbd_reboot" => "0",
diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc
index 1ef597b..b312e67 100644
--- a/etc/inc/interfaces.inc
+++ b/etc/inc/interfaces.inc
@@ -255,6 +255,7 @@ function interface_qinq_configure(&$vlan, $fd = NULL) {
/* make sure the parent is converted to ng_vlan(4) and is up */
interfaces_bring_up($qinqif);
+ pfSense_ngctl_attach(".", $qinqif);
if (!empty($vlanif) && does_interface_exist($vlanif)) {
fwrite($fd, "shutdown {$qinqif}qinq:\n");
exec("/usr/sbin/ngctl msg {$qinqif}qinq: gettable", $result);
@@ -364,7 +365,7 @@ function interfaces_create_wireless_clones() {
echo " done.\n";
}
-function interfaces_bridge_configure() {
+function interfaces_bridge_configure($checkmember = 0) {
global $config;
$i = 0;
@@ -372,6 +373,10 @@ function interfaces_bridge_configure() {
foreach ($config['bridges']['bridged'] as $bridge) {
if(empty($bridge['bridgeif']))
$bridge['bridgeif'] = "bridge{$i}";
+ if ($checkmember == 1 && (strstr($bridge['members'], "gif") || strstr($bridge['members'], "gre")))
+ continue;
+ if ($checkmember == 2 && !strstr($bridge['members'], "gif") && !strstr($bridge['members'], "gre"))
+ continue;
/* XXX: Maybe we should report any errors?! */
interface_bridge_configure($bridge);
$i++;
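Review bot: The two new `continue` statements skip the `$i++` at the bottom of the loop, so a bridge without an explicit `bridgeif` can be given a different default name in pass 1 and pass 2, or the same `bridge{$i}` as another bridge. Taking the index from the array key, as the gre and gif loops do (`foreach ($config['bridges']['bridged'] as $i => $bridge)`), keeps the default name stable across both passes. `strstr($bridge['members'], "gif")` is also a substring match on the whole member list, so it is worth a comment that any member name containing "gif" or "gre" defers the bridge. A short docblock on `$checkmember` stating what 0, 1 and 2 mean would help, since the NOTE in interfaces_configure() describes vip parents, not gif/gre members.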
@@ -685,13 +690,17 @@ function interface_lagg_configure(&$lagg) {
return $laggif;
}
-function interfaces_gre_configure() {
+function interfaces_gre_configure($checkparent = 0) {
global $config;
if (is_array($config['gres']['gre']) && count($config['gres']['gre'])) {
foreach ($config['gres']['gre'] as $i => $gre) {
if(empty($gre['greif']))
$gre['greif'] = "gre{$i}";
+ if ($checkparent == 1 && strstr($gre['if'], "vip"))
+ continue;
+ if ($checkparent == 2 && !strstr($gre['if'], "vip"))
+ continue;
/* XXX: Maybe we should report any errors?! */
interface_gre_configure($gre);
}
@@ -743,13 +752,17 @@ function interface_gre_configure(&$gre, $grekey = "") {
return $greif;
}
-function interfaces_gif_configure() {
+function interfaces_gif_configure($checkparent = 0) {
global $config;
if (is_array($config['gifs']['gif']) && count($config['gifs']['gif'])) {
foreach ($config['gifs']['gif'] as $i => $gif) {
if(empty($gif['gifif']))
$gre['gifif'] = "gif{$i}";
+ if ($checkparent == 1 && strstr($gif['if'], "vip"))
+ continue;
+ if ($checkparent == 2 && !strstr($gif['if'], "vip"))
+ continue;
/* XXX: Maybe we should report any errors?! */
interface_gif_configure($gif);
}
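Review bot: In interfaces_gif_configure() the default name is still assigned to the wrong variable: `$gre['gifif'] = "gif{$i}";` sits just above the new checks, so a gif entry with an empty `gifif` reaches interface_gif_configure($gif) with no name. That line should read `$gif['gifif'] = "gif{$i}";`. The line is context rather than part of this change, but it now runs in both passes, so fixing it here would be cheap.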
@@ -854,12 +867,30 @@ function interfaces_configure() {
/* create the unconfigured wireless clones */
interfaces_create_wireless_clones();
+ /*
+ * NOTE: The following function parameter consists of
+ * 1 - Do not load gre/gif/bridge with parent/member as vip
+ * 2 - Do load gre/gif/bridge with parent/member as vip
+ */
+
/* set up GRE virtual interfaces */
- interfaces_gre_configure();
+ interfaces_gre_configure(1);
/* set up GIF virtual interfaces */
- interfaces_gif_configure();
-
+ interfaces_gif_configure(1);
+
+ /* set up BRIDGe virtual interfaces */
+ interfaces_bridge_configure(1);
+
+ /* bring up vip interfaces */
+ interfaces_vips_configure();
+
+ /* set up GRE virtual interfaces */
+ interfaces_gre_configure(2);
+
+ /* set up GIF virtual interfaces */
+ interfaces_gif_configure(2);
+
foreach ($delayed_list as $if => $ifname) {
if ($g['booting'])
echo "Configuring {$ifname} interface...";
@@ -873,7 +904,7 @@ function interfaces_configure() {
}
/* set up BRIDGe virtual interfaces */
- interfaces_bridge_configure();
+ interfaces_bridge_configure(2);
foreach ($bridge_list as $if => $ifname) {
if ($g['booting'])
@@ -887,9 +918,6 @@ function interfaces_configure() {
echo "done.\n";
}
- /* bring up vip interfaces */
- interfaces_vips_configure();
-
/* configure interface groups */
interfaces_group_setup();
@@ -2519,7 +2547,8 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven
// Need code to handle MLPPP if we ever use $realhwif for MLPPP handling
$realhwif = $realhwif_array[0];
- if (!$g['booting']) {
+
+ if (!$g['booting'] && !substr($realif, 0, 4) == "ovpn") {
/* remove all IPv4 addresses */
while (mwexec("/sbin/ifconfig " . escapeshellarg($realif) . " -alias", true) == 0);
while (mwexec("/sbin/ifconfig " . escapeshellarg($realif) . " inet6 -alias", true) == 0);
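Review bot: The new guard `!substr($realif, 0, 4) == "ovpn"` does not test what it appears to, because `!` binds tighter than `==`. For any non-empty interface name the left side becomes `false`, and `false == "ovpn"` is false, so the address-removal block is skipped for every interface, not only OpenVPN ones. Stale IPv4/IPv6 aliases would then stay on the interface across a reconfigure. The intended test is `if (!$g['booting'] && substr($realif, 0, 4) != "ovpn") {`. The body of this block continues past the end of the hunk.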
@@ -2665,7 +2694,7 @@ function interface_configure($interface = "wan", $reloadall = false, $linkupeven
} else if (substr($realif, 0, 3) == "gif") {
if (is_array($config['gifs']['gif'])) {
foreach ($config['gifs']['gif'] as $gif)
- if($gif['gifif'] == $interface)
+ if($gif['gifif'] == $realif)
interface_gif_configure($gif);
}
} else if (substr($realif, 0, 4) == "ovpn") {
diff --git a/etc/inc/services.inc b/etc/inc/services.inc
index bc18355..266a291 100644
--- a/etc/inc/services.inc
+++ b/etc/inc/services.inc
@@ -818,6 +818,7 @@ EOD;
$realif = get_real_interface($ifn);
$igmpconf .= "phyint {$realif} disabled\n";
}
+ $igmpconf .= "\n";
$igmpfl = fopen($g['tmp_path'] . "/igmpproxy.conf", "w");
if (!$igmpfl) {
diff --git a/etc/inc/shaper.inc b/etc/inc/shaper.inc
index a0fb0e4..c9f41f3 100644
--- a/etc/inc/shaper.inc
+++ b/etc/inc/shaper.inc
@@ -3743,7 +3743,7 @@ function layer7_start_l7daemon() {
mwexec("/bin/kill -HUP {$l7pid[0]}");
} else {
// XXX: Hardcoded number of packets to garbage collect and queue length..
- $ipfw_classifyd_init = "/usr/local/sbin/ipfw-classifyd -n 5 -q 700 -c {$path} -p " . $l7rules->GetRPort() . " -P /usr/local/share/protocols";
+ $ipfw_classifyd_init = "/usr/local/sbin/ipfw-classifyd -n 8 -q 700 -c {$path} -p " . $l7rules->GetRPort() . " -P /usr/local/share/protocols";
mwexec_bg($ipfw_classifyd_init);
}
}
diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc
index b3b8fb9..77a8682 100644
--- a/etc/inc/upgrade_config.inc
+++ b/etc/inc/upgrade_config.inc
@@ -685,10 +685,6 @@ function upgrade_040_to_041() {
$config['sysctl']['item'][13]['descr'] = "Allow unprivileged access to tap(4) device nodes";
$config['sysctl']['item'][13]['value'] = "default";
- $config['sysctl']['item'][14]['tunable'] = "kern.rndtest.verbose";
- $config['sysctl']['item'][14]['descr'] = "Verbosity of the rndtest driver (0: do not display results on console)";
- $config['sysctl']['item'][14]['value'] = "default";
-
$config['sysctl']['item'][15]['tunable'] = "kern.randompid";
$config['sysctl']['item'][15]['descr'] = "Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())";
$config['sysctl']['item'][15]['value'] = "default";
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index c10cb01..d08b60b 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -946,6 +946,7 @@ EOD;
file_put_contents("{$g['varetc_path']}/filterdns-ipsec.hosts", $hostnames);
killbypid("{$g['varrun_path']}/filterdns-ipsec.pid");
+ sleep(1);
mwexec("/usr/local/sbin/filterdns -p {$g['varrun_path']}/filterdns-ipsec.pid -i {$interval} -c {$g['varetc_path']}/filterdns-ipsec.hosts -d 1");
}
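Review bot: The added `sleep(1)` only makes it likely, not certain, that the old filterdns has exited before the new one starts with the same pid file. If the old process takes longer to stop, the restart can fail or race, and the IPsec hostname entries it maintains would go stale without any error being logged. Consider waiting on the pid with a bounded retry loop, and logging when the old process is still alive after the timeout. At minimum a comment such as `/* give filterdns time to exit and release its pid file */` should record why the delay is there.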
diff --git a/etc/inc/vslb.inc b/etc/inc/vslb.inc
index 55bcfdf..79978c0 100644
--- a/etc/inc/vslb.inc
+++ b/etc/inc/vslb.inc
@@ -241,6 +241,9 @@ function relayd_configure() {
$conf .= " listen on {$vs_a[$i]['ipaddr']} port {$vs_a[$i]['port']}\n";
$conf .= " forward to <{$vs_a[$i]['pool']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} timeout 1000\n";
+ if (isset($conf['system']['lb_use_sticky']))
+ $conf .= " sticky-address\n";
+
# sitedown MUST use the same port as the primary pool - sucks, but it's a relayd thing
if (isset($vs_a[$i]['sitedown']) && strlen($vs_a[$i]['sitedown']) > 0)
$conf .= " forward to <{$vs_a[$i]['sitedown']}> port {$pools[$vs_a[$i]['pool']]['port']} {$check_a[$pools[$vs_a[$i]['pool']]['monitor']]} timeout 1000\n";
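Review bot: The new check `isset($conf['system']['lb_use_sticky'])` reads from `$conf`, which in this function is the string being built with `.=`, so the test is always false and `sticky-address` is never written. The setting presumably lives in the global configuration array, i.e. `if (isset($config['system']['lb_use_sticky']))`. Whether relayd_configure() already declares `global $config` is not visible in this hunk, so that needs confirming as part of the fix.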