author | Scott Ullrich <sullrich@pfsense.org> | 2007-05-29 22:07:57 +0000 |
---|---|---|
committer | Scott Ullrich <sullrich@pfsense.org> | 2007-05-29 22:07:57 +0000 |
commit | be4237b0ee003ad089476bc6ea536a78fcf4e825 (patch) | |
tree | f2a844f2c0893dbf0fc5782e3bdc3c72d5a6bb95 /etc | |
parent | ea089c29ddf30b2f4179306c2e0cd77d77ec549d (diff) | |
download | pfsense-be4237b0ee003ad089476bc6ea536a78fcf4e825.zip pfsense-be4237b0ee003ad089476bc6ea536a78fcf4e825.tar.gz |
Only allow advanced tunables when some kind of state tracking is enabled.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/filter.inc | 45 |
1 files changed, 23 insertions, 22 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index b1b138d..6d1d208 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1974,28 +1974,29 @@ function generate_user_filter_rule($rule, $ngcounter) {
 } else {
 $aline['flags'] = "keep state ";
 }
- if( isset($rule['source-track']) and $rule['source-track'] <> "" or
- isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "" or
- isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> "" or
- isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "" or
- isset($rule['max-src-states']) and $rule['max-src-states'] <> "" or
- isset($rule['statetimeout']) and $rule['statetimeout'] <> "") {
- $aline['flags'] .= "( ";
- if(isset($rule['source-track']) and $rule['source-track'] <> "")
- $aline['flags'] .= "source-track rule ";
- if(isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "")
- $aline['flags'] .= "max-src-nodes " . $rule['max-src-nodes'] . " ";
- if(isset($rule['max-src-states']) and $rule['max-src-states'] <> "")
- $aline['flags'] .= "max-src-states " . $rule['max-src-states'] . " ";
- if(isset($rule['statetimeout']) and $rule['statetimeout'] <> "")
- $aline['flags'] .= "tcp.established " . $rule['statetimeout'] . " ";
- if(isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> ""
- and isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "") {
- $aline['flags'] .= "max-src-conn-rate " . $rule['max-src-conn-rate'] . " ";
- $aline['flags'] .= "/" . $rule['max-src-conn-rates'] . ", overload <virusprot> flush global ";
- }
- $aline['flags'] .= " ) ";
- }
+ if($aline['flags'])
+ if( isset($rule['source-track']) and $rule['source-track'] <> "" or
+ isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "" or
+ isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> "" or
+ isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "" or
+ isset($rule['max-src-states']) and $rule['max-src-states'] <> "" or
+ isset($rule['statetimeout']) and $rule['statetimeout'] <> "") {
+ $aline['flags'] .= "( ";
+ if(isset($rule['source-track']) and $rule['source-track'] <> "")
+ $aline['flags'] .= "source-track rule ";
+ if(isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "")
+ $aline['flags'] .= "max-src-nodes " . $rule['max-src-nodes'] . " ";
+ if(isset($rule['max-src-states']) and $rule['max-src-states'] <> "")
+ $aline['flags'] .= "max-src-states " . $rule['max-src-states'] . " ";
+ if(isset($rule['statetimeout']) and $rule['statetimeout'] <> "")
+ $aline['flags'] .= "tcp.established " . $rule['statetimeout'] . " ";
+ if(isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> ""
+ and isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "") {
+ $aline['flags'] .= "max-src-conn-rate " . $rule['max-src-conn-rate'] . " ";
+ $aline['flags'] .= "/" . $rule['max-src-conn-rates'] . ", overload <virusprot> flush global ";
+ }
+ $aline['flags'] .= " ) ";
+ }
 }
 if ($type == "reject" && $rule['protocol'] == "tcp") {
 /* special reject packet */
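Review bot: The new guard `if($aline['flags'])` is a brace-less `if` whose body is the whole multi-line `if( isset($rule['source-track']) ... ) { … }` block; PHP attaches only the next statement, so this is correct today, but any line inserted between the two `if`s later would silently move the advanced-option block out from under the state-tracking check. Make the scope explicit with `if ($aline['flags']) {` in place of the added line and a closing `}` after the re-added `$aline['flags'] .= " ) ";` block's `}`, and give the reader the reason the commit message states, e.g. `/* pf state options are only meaningful after a state keyword; skip them when none was emitted */` — the branch that leaves `$aline['flags']` empty is above the hunk, so that comment should be confirmed against it. Separately, the re-added outer condition fires when only one of `max-src-conn-rate` / `max-src-conn-rates` is set while the inner branch requires both, so a rule can still be generated with an empty `( )` option group; that is pre-existing, but the new guard does not address it. generate_user_filter_rule starts and ends outside the hunk.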