authorScott Ullrich <sullrich@pfsense.org>2006-05-27 16:34:39 +0000
committerScott Ullrich <sullrich@pfsense.org>2006-05-27 16:34:39 +0000
commit0bb1ad724ba2a82310e95ae38a373bcb25f3a22b (patch)
tree25b7470df2eef59796840847818794c138c8872b /etc
parentb5317d079402fb270bd18bec65ad62c52c8e339f (diff)
MFM0N0WALL
do not generate anti-spoof rules for optional interfaces that have other interfaces bridged to them (as opposed to being bridged to another interface, which was already handled properly) when the filtering bridge is on.
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/filter.inc14
1 files changed, 11 insertions, 3 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 8755e84..0fb53ce 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1943,10 +1943,18 @@ EOD;
$ipfrules .= filter_rules_spoofcheck_generate('lan', $lanif, $lansa, $lansn, $log);
/* OPT spoof check */
- foreach ($optcfg as $on => $oc)
- if ($oc['ip'] && (!$oc['bridge'] || !isset($config['bridge']['filteringbridge'])))
+ foreach ($optcfg as $on => $oc) {
+ $isbridged = false;
+ foreach ($optcfg as $on2 => $oc2) {
+ if ($oc2['bridge'] && $oc2['bridge_if'] == $on) {
+ $isbridged = true;
+ break;
+ }
+ }
+ if ($oc['ip'] && !(($oc['bridge'] || $isbridged) && isset($config['bridge']['filteringbridge'])))
$ipfrules .= filter_rules_spoofcheck_generate($on, $oc['if'], $oc['sa'], $oc['sn'], $log);
-
+ }
+
/* block private networks on WAN? */
if (isset($config['interfaces']['wan']['blockpriv'])) {
$ipfrules .= <<<EOD
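Review bot: The LAN anti-spoof rule on the first context line still appears to be generated unconditionally, while the new inner loop only detects OPT interfaces bridged to another OPT interface (`$oc2['bridge_if'] == $on`, where `$on` is a key of `$optcfg`). If an OPT interface can be bridged to LAN, the filtering-bridge case this commit fixes for OPT parents may still apply to LAN, so confirm it is guarded above the hunk; the enclosing function starts and ends outside it. Because the new condition switches off a spoofing protection for a whole interface, it should carry a comment at the loop, for example `/* no anti-spoof rules for bridge members, or for the interface they are bridged to, while the filtering bridge is on */`. It would also help to state there which rules are expected to cover source-address validation for the bridged segment in that mode, since nothing in this hunk shows a replacement.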