author | Ermal <eri@pfsense.org> | 2014-03-26 20:28:10 +0000 |
---|---|---|
committer | Ermal <eri@pfsense.org> | 2014-03-26 20:28:10 +0000 |
commit | e047c72a70da3a367e7c2538b4780f40fbc41e8b (patch) | |
tree | fc4227d2c72d2883fe3155b40adc29017f24a6a0 /etc | |
parent | 2553d943aa813aa846a5e3ee7ebba2d2d8592065 (diff) | |
download | pfsense-e047c72a70da3a367e7c2538b4780f40fbc41e8b.zip pfsense-e047c72a70da3a367e7c2538b4780f40fbc41e8b.tar.gz |
Correct the generation of antispoof rules with tracker. Also honor the log directive. While here, remove a duplicate antispoof declaration further down.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/filter.inc | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 8d9e6bb..5fd549c 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2835,7 +2835,7 @@ EOD;
 }
 if($oc['ip'] && !($isbridged) && isset($oc['spoofcheck']))
- $ipfrules .= filter_rules_spoofcheck_generate($on, $oc['if'], $oc['sa'], $oc['sn'], $log);
+ $ipfrules .= filter_rules_spoofcheck_generate($on, $oc, $log);
 /* block private networks ? */
 if(!isset($config['syslog']['nologprivatenets']))
@@ -2850,7 +2850,6 @@ EOD;
 if($isbridged == false) {
 $ipfrules .= <<<EOD
 # block anything from private networks on interfaces with the option set
-antispoof for \${$oc['descr']}
 block in $privnetlog quick on \${$oc['descr']} from 10.0.0.0/8 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 10/8")}"
 block in $privnetlog quick on \${$oc['descr']} from 127.0.0.0/8 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 127/8")}"
 block in $privnetlog quick on \${$oc['descr']} from 100.64.0.0/10 to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Block private networks from {$oc['descr']} block 100.64/10")}"
@@ -3260,13 +3259,13 @@ EOD;
 return $ipfrules;
 }
-function filter_rules_spoofcheck_generate($ifname, $if, $sa, $sn, $log) {
+function filter_rules_spoofcheck_generate($ifname, $ifcfg, $log) {
 global $g, $config, $tracker;
 if(isset($config['system']['developerspew'])) {
 $mt = microtime();
 echo "filter_rules_spoofcheck_generate() being called $mt\n";
 }
- $ipfrules = "antispoof for {$if}\n";
+ $ipfrules = "antispoof {$log} for \${$oc['descr']} tracker {$tracker}\n";
 $tracker++;
 return $ipfrules; |
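Review bot: In the last hunk, the new rule string in filter_rules_spoofcheck_generate() interpolates `$oc['descr']`, but the parameter that receives the interface array from the call site in the first hunk is named `$ifcfg`, and `$oc` is not in the function's `global` list. Inside the function `$oc` is therefore undefined, so the macro name expands to an empty string and the emitted line reads `antispoof … for $ tracker N`. That is presumably not a rule pf will accept, in which case the spoof check would not be applied on interfaces with `spoofcheck` set. The line should read `$ipfrules = "antispoof {$log} for \${$ifcfg['descr']} tracker {$tracker}\n";`. `$ifname` is also unused in the visible body, and the function's closing brace lies outside the hunk.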