author | Scott Ullrich <sullrich@pfsense.org> | 2006-03-10 22:52:26 +0000 |
---|---|---|
committer | Scott Ullrich <sullrich@pfsense.org> | 2006-03-10 22:52:26 +0000 |
commit | 0f0c6a9edb8a5bd44dfb0cfdce316f6224fbd1f7 (patch) | |
tree | 211d8ff56c7fc6495c3d12198f1d2fb2703753cd /etc | |
parent | f46fe44676c1b86037e937bf40d656e3ef1f200b (diff) | |
download | pfsense-0f0c6a9edb8a5bd44dfb0cfdce316f6224fbd1f7.zip pfsense-0f0c6a9edb8a5bd44dfb0cfdce316f6224fbd1f7.tar.gz |
MFC 10496
Improve traffic shaper rules for assigning packets to queues (special consideration for NAT): MFC for next snapshot.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/filter.inc | 4 | ||||
-rw-r--r-- | etc/inc/shaper.inc | 323 |
2 files changed, 161 insertions, 166 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index f3a3e95..5b6885d 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -99,7 +99,7 @@ function filter_configure_sync() {
 * we'll match only unshaped packets in the shaper code later
 * this allows the shaper to be first match
 */
- $pf_altq_rules = "block all tag unshaped label \"SHAPER: first match rule\"\n";
+ $pf_altq_rules = "block in all tag unshaped label \"SHAPER: first match rule\"\n";
 $pf_altq_rules .= filter_generate_pf_altq_rules();
 }
@@ -2259,4 +2259,4 @@ function return_vpn_subnet($adr) {
 return " # error - {$adr['network']} ";
 }
-?>
\ No newline at end of file
+?>
diff --git a/etc/inc/shaper.inc b/etc/inc/shaper.inc
index 667f6d5..31dae4b 100644
--- a/etc/inc/shaper.inc
+++ b/etc/inc/shaper.inc
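Review bot: The comment above the changed line still says the shaper code will "match only unshaped packets", but with `block in all` only inbound packets ever carry the `unshaped` tag; the shaper.inc hunk in this same commit matches `tagged unshaped` solely on its `pass in` rule and steers the outbound leg by the queue tag set there, so the comment should record that asymmetry. Suggest adding `* only inbound packets are tagged unshaped; the outbound leg is matched on the queue tag set by the inbound pass rule` after the existing comment line. Since pf keeps the last matching rule, this `block` presumably only takes effect for inbound packets no later rule passes — worth stating explicitly so a future reader does not read it as a global drop. filter_configure_sync() starts and ends outside this hunk.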
@@ -418,200 +418,195 @@ function filter_generate_pf_altq_rules() { } for ($iif = 0; $iif < $nif; $iif++) { - foreach ( array('in', 'out') as $direction) { - - $line = "pass {$direction} on "; + $direction = 'in'; + $line = "pass {$direction} on "; + + if ($ispptp) { + $line .= " ng" . ($iif+1); + } + else if($ispppoe) { + $line .= " ng" . ($iif+1); + } + else { + $line .= " \${$rule['in-interface']} "; + } + + /* get protocol */ + $proto = $rule['protocol']; + if (isset($proto)) { + $line .= "proto {$proto} "; + } - if ($ispptp) { - $line .= " ng" . ($iif+1); + /* get source address */ + if (isset($rule['source']['any'])) { + $src = "any"; + } else if ($rule['source']['network']) { + if (strstr($rule['source']['network'], "opt")) { + $src = $optcfg[$rule['source']['network']]['sa'] . "/" . + $optcfg[$rule['source']['network']]['sn']; } else { - if($ispppoe) { - $line .= " ng" . ($iif+1); - } else { - $if = $config['interfaces'][$rule['in-interface']]['if']; - } - - if ($rule['in-interface'] == "wan") { - if($direction=="in") { - $if = $wanif; - } else { - $if = $lanif; - } - } else { - if($rule['in-interface'] == "lan") { - if($direction=="in") { - $if = $lanif; - } else { - $if = $wanif; - } - } + switch ($rule['source']['network']) { + case 'lan': + $src = "$lansa/$lansn"; + break; + case 'pptp': + $src = "$pptpsa/$pptpsn"; + break; + case 'pppoe': + $src = "$pppoesa/$pppoesn"; + break; } - - $line .= " {$if} "; } + } else if ($rule['source']['address']) { + $src = alias_expand($rule['source']['address']); + if(!$src) + $src = $rule['source']['address']; + } - if (isset($rule['protocol'])) { - $line .= "proto {$rule['protocol']} "; - } + if (!$src) { + printf("No source address found in rule $i\n"); + break; + } - /* source address */ - /* Using any for source on 'out' is due to not knowing what - * the packet looks like after NAT occurs - */ - if (isset($rule['source']['any']) || $direction == "out") { - $src = "any"; - } else if ($rule['source']['network']) { - 
if (strstr($rule['source']['network'], "opt")) { - $src = $optcfg[$rule['source']['network']]['sa'] . "/" . - $optcfg[$rule['source']['network']]['sn']; + if (isset($rule['source']['not'])) { + $src = " ! {$src} "; + } + $line .= "from {$src} "; + + /* get source port */ + if (!isset($rule['protocol']) || in_array($rule['protocol'], array("tcp","udp"))) { + if ($rule['source']['port']) { + /* + * Check to see if port is a alias. If so grab it and + * enclose it in { } to pass to pf. + * + * Otherwise combine the portrange into one if its only + * one item. + */ + $src = alias_expand($rule['source']['port']); + if($src <> "") { + $line .= "port {$src}"; } else { - switch ($rule['source']['network']) { - case 'lan': - $src = "$lansa/$lansn"; - break; - case 'pptp': - $src = "$pptpsa/$pptpsn"; - break; - case 'pppoe': - $src = "$pppoesa/$pppoesn"; - break; + $srcport = explode("-", $rule['source']['port']); + if ((!$srcport[1]) || ($srcport[0] == $srcport[1])) { + $line .= "port {$srcport[0]} "; + } else { + $line .= "port {$srcport[0]}:{$srcport[1]} "; } } - } else if ($rule['source']['address']) { - $src = alias_expand($rule['source']['address']); - if(!$src) - $src = $rule['source']['address']; } + } - if (!$src) { - printf("No source address found in rule $i\n"); - break; - } + /* destination address */ + if (isset($rule['destination']['any'])) { + $dst = "any"; + } else if ($rule['destination']['network']) { - if (isset($rule['source']['not'])) { - $line .= "from ! $src "; + if (strstr($rule['destination']['network'], "opt")) { + $dst = $optcfg[$rule['destination']['network']]['sa'] . "/" . + $optcfg[$rule['destination']['network']]['sn']; } else { - $line .= "from $src "; - } - - if (!isset($rule['protocol']) || in_array($rule['protocol'], array("tcp","udp"))) { - if ($rule['source']['port']) { - /* - * Check to see if port is a alias. If so grab it and - * enclose it in { } to pass to pf. 
- * - * Otherwise combine the portrange into one if its only - * one item. - */ - $src = alias_expand($rule['source']['port']); - if($src <> "") { - $line .= "port {$src}"; - } else { - $srcport = explode("-", $rule['source']['port']); - if ((!$srcport[1]) || ($srcport[0] == $srcport[1])) { - $line .= "port {$srcport[0]} "; - } else { - $line .= "port {$srcport[0]}:{$srcport[1]} "; - } - } + switch ($rule['destination']['network']) { + case 'lan': + $dst = "$lansa/$lansn"; + break; + case 'pptp': + $dst = "$pptpsa/$pptpsn"; + break; + case 'pppoe': + $dst = "$pppoesa/$pppoesn"; + break; } } + } else if ($rule['destination']['address']) { + $dst = alias_expand($rule['destination']['address']); + if(!$dst) + $dst = $rule['destination']['address']; + } - /* destination address */ - if (isset($rule['destination']['any'])) { - $dst = "any"; - } else if ($rule['destination']['network']) { + if (!$dst) { + printf("No destination address found in rule $i\n"); + break; + } - if (strstr($rule['destination']['network'], "opt")) { - $dst = $optcfg[$rule['destination']['network']]['sa'] . "/" . - $optcfg[$rule['destination']['network']]['sn']; + if (isset($rule['destination']['not'])) { + $dst .= " ! {$dst} "; + } + $line .= "to {$dst} "; + + if (!isset($rule['protocol']) || in_array($rule['protocol'], array("tcp","udp"))) { + if ($rule['destination']['port']) { + $dstport = alias_expand($rule['destination']['port']); + /* + * Check to see if port is a alias. If so grab it and + * enclose it in { } to pass to pf. + * + * Otherwise combine the portrange into one if its only + * one item. 
+ */ + if($dstport <> "") { + $line .= "port {$dstport}"; } else { - switch ($rule['destination']['network']) { - case 'lan': - $dst = "$lansa/$lansn"; - break; - case 'pptp': - $dst = "$pptpsa/$pptpsn"; - break; - case 'pppoe': - $dst = "$pppoesa/$pppoesn"; - break; - } - } - } else if ($rule['destination']['address']) { - $dst = alias_expand($rule['destination']['address']); - if(!$dst) - $dst = $rule['destination']['address']; - } - - if (!$dst) { - printf("No destination address found in rule $i\n"); - break; - } - - if (isset($rule['destination']['not'])) { - $line .= "to ! $dst "; - } else { - $line .= "to $dst "; - } - - if (!isset($rule['protocol']) || in_array($rule['protocol'], array("tcp","udp"))) { - if ($rule['destination']['port']) { - $dst = alias_expand($rule['destination']['port']); - /* - * Check to see if port is a alias. If so grab it and - * enclose it in { } to pass to pf. - * - * Otherwise combine the portrange into one if its only - * one item. - */ - if($dst <> "") { - $line .= "port {$dst}"; + $dstport = explode("-", $rule['destination']['port']); + if ((!$dstport[1]) || ($dstport[0] == $dstport[1])) { + $dstport = $dstport[0]; + $line .= "port {$dstport} "; } else { - $dstport = explode("-", $rule['destination']['port']); - if ((!$dstport[1]) || ($dstport[0] == $dstport[1])) { - $line .= "port {$dstport[0]} "; - } else { - $line .= "port {$dstport[0]}:{$dstport[1]} "; - } + $dstport = "{$dstport[0]}:{$dstport[1]}"; + $line .= "port {$dstport} "; } } } + } - if ($rule['iptos']) - $line .= "tos {$rule['iptos']} "; + if ($rule['iptos']) + $line .= "tos {$rule['iptos']} "; - $inflags = explode(",", $rule['tcpflags']); - $flags = " flags "; - foreach ($tcpflags as $tcpflag) { - if (array_search($tcpflag, $inflags) !== false) { - $flags .= strtoupper(substr($tcpflag, 0, 1)); - } + $inflags = explode(",", $rule['tcpflags']); + $flags = " flags "; + foreach ($tcpflags as $tcpflag) { + if (array_search($tcpflag, $inflags) !== false) { + $flags .= 
strtoupper(substr($tcpflag, 0, 1)); } - if($flags <> " flags ") - $line .= "{$flags}/SAFRPU "; - - $qtag = "{$direction}queue"; - $line .= " keep state tagged unshaped tag {$rule[$qtag]} "; - - $line .= "\n"; - $shaperrules .= $line; - /* setup the outbound queue on the other interface */ - switch($direction) { - case 'in': - $qouttag = "outqueue"; - break; - case 'out': - $qouttag = "inqueue"; - break; - } - $shaperrules .= "pass out on \${$rule['out-interface']} all keep state tagged {$rule[$qtag]} tag {$rule[$qouttag]}\n"; } + if($flags <> " flags ") + $line .= "{$flags}/SAFRPU "; + + $qtag = "{$direction}queue"; + $line .= " keep state tagged unshaped tag {$rule[$qtag]} "; + + $line .= "\n"; + $shaperrules .= $line; + + /* setup the outbound queue on the other interface */ + $direction = 'out'; + $qouttag = "{$direction}queue"; + + $shaperrules .= "pass out on \${$rule['out-interface']}"; + if(isset($proto) && $proto != "") { + $shaperrules .= " proto {$proto}"; + } + $shaperrules .= " from any to {$dst}"; + if(isset($dstport) && $dstport != "") { + $shaperrules .= " port {$dstport}"; + } + if ($rule['iptos']) { + $shaperrules .= " tos {$rule['iptos']}"; + } + if($flags <> " flags ") { + $shaperrules .= "{$flags}/SAFRPU"; + } + + $shaperrules .= " keep state tagged {$rule[$qtag]} tag {$rule[$qouttag]}\n"; + + unset($src); + unset($dst); + unset($srcport); + unset($dstport); } $i++; } - return $shaperrules; } |
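Review bot: The destination negation on the new side appends instead of assigning: `$dst .= " ! {$dst} ";` turns a rule with destination `not` set into `to <addr> ! <addr>`, and the same doubled value is reused further down in the outbound leg `from any to {$dst}`; the source branch just above does it correctly with `$src = " ! {$src} ";`, so this should read `$dst = " ! {$dst} ";`. In the alias branches of both port blocks, `$line .= "port {$src}";` and `$line .= "port {$dstport}";` carry no trailing space, so when `iptos` is set the rule text becomes `port {…}tos …`; giving them the same trailing space as the range branches (`$line .= "port {$src} ";`, `$line .= "port {$dstport} ";`) avoids an unparseable ruleset. A one-line comment before the outbound rule, `/* source is 'any' because the packet may have been NATed before the out leg */`, would preserve the rationale from the commit message next to the code. filter_generate_pf_altq_rules() starts before this hunk.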