authorLuiz Otavio O Souza <luiz@netgate.com>2015-10-19 09:53:18 -0500
committerLuiz Otavio O Souza <luiz@netgate.com>2015-10-19 10:06:07 -0500
commit28c54319caab5374fd87973e304ef083aa46653e (patch)
tree374753b008d3224eaafbd75069d1d4e39e9c2275 /etc
parentc9c31047004c4ac3e584a434917c4ae1be7cbe40 (diff)
Cherry-pick 98bf4991dc31f97fc7315a6b8aba433de9d39cea:
Fixes #4150. Move to tables to accommodate an unlimited number of interfaces. Cherry-pick 52fe0465b463dd8b8f4b2099d562254da320e704: Fix the captive portal rules after 98bf4991dc31f97fc7315a6b8aba433de9d39cea. The malformed rules break the parsing of the initialisation rules. Issue: #4746
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/captiveportal.inc34
1 files changed, 14 insertions, 20 deletions
diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc
index c533942..8e20ceb 100644
--- a/etc/inc/captiveportal.inc
+++ b/etc/inc/captiveportal.inc
@@ -520,10 +520,12 @@ function captiveportal_init_rules($reinit = false) {
if ($reinit == false)
$captiveportallck = lock("captiveportal{$cpzone}");
- $cprules = "add 65291 allow pfsync from any to any\n";
- $cprules .= "add 65292 allow carp from any to any\n";
+ $cprules = <<<EOD
+
+flush
+add 65291 allow pfsync from any to any
+add 65292 allow carp from any to any
- $cprules .= <<<EOD
# layer 2: pass ARP
add 65301 pass layer2 mac-type arp,rarp
# pfsense requires for WPA
@@ -537,25 +539,18 @@ add 65307 deny layer2 not mac-type ip,ipv6
EOD;
$rulenum = 65310;
- $ipcount = 0;
- $ips = "";
- foreach ($cpips as $cpip) {
- if($ipcount == 0) {
- $ips = "{$cpip} ";
- } else {
- $ips .= "or {$cpip} ";
- }
- $ipcount++;
- }
- $ips = "{ 255.255.255.255 or {$ips} }";
- $cprules .= "add {$rulenum} pass ip from any to {$ips} in\n";
+ /* These tables contain host ips */
+ $cprules .= "add {$rulenum} pass ip from any to table(100) in\n";
$rulenum++;
- $cprules .= "add {$rulenum} pass ip from {$ips} to any out\n";
+ $cprules .= "add {$rulenum} pass ip from table(100) to any out\n";
$rulenum++;
- $cprules .= "add {$rulenum} pass icmp from {$ips} to any out icmptype 0\n";
+ foreach ($cpips as $cpip)
+ $cprules .= "table 100 add {$cpip}\n";
+ $cprules .= "add {$rulenum} pass ip from any to 255.255.255.255 in\n";
$rulenum++;
- $cprules .= "add {$rulenum} pass icmp from any to {$ips} in icmptype 8 \n";
+ $cprules .= "add {$rulenum} pass ip from 255.255.255.255 to any out\n";
$rulenum++;
+
/* Allowed ips */
$cprules .= "add {$rulenum} pipe tablearg ip from table(3) to any in\n";
$rulenum++;
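Review bot: Table 100 is filled by the new `foreach` with `table 100 add {$cpip}`, but nothing in this hunk empties it first. The `flush` at the top of the rules file removes rules, not table entries, so after a re-init following an interface address change the old address may remain in table(100) and keep matching the two `pass ip ... table(100)` rules that sit ahead of the portal's client rules. Unless the table is cleared elsewhere in captiveportal_init_rules (its body starts and ends outside this hunk), emit `$cprules .= "table 100 flush\n";` before the loop. The comment could also name the table and its purpose, for example `/* table 100: this firewall's own interface addresses in the portal zone */`, since 100 is otherwise a bare number repeated in three strings.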
@@ -609,11 +604,10 @@ EOD;
$cprules .= captiveportal_allowedhostname_configure();
/* load rules */
- $cprules = "flush\n{$cprules}";
file_put_contents("{$g['tmp_path']}/ipfw_{$cpzone}.cp.rules", $cprules);
mwexec("/sbin/ipfw -x {$cpzoneid} -q {$g['tmp_path']}/ipfw_{$cpzone}.cp.rules", true);
//@unlink("{$g['tmp_path']}/ipfw_{$cpzone}.cp.rules");
- unset($cprules, $tmprules);
+ unset($cprules);
if ($reinit == false)
unlock($captiveportallck);