author | Ermal <eri@pfsense.org> | 2010-05-07 09:57:19 +0000 |
---|---|---|
committer | Ermal <eri@pfsense.org> | 2010-05-07 09:57:19 +0000 |
commit | fad4fae8da60daf10f439e186a0b40ceb8d41bd4 (patch) | |
tree | a05a983381a8dc117a1712a071a1cc42bbbfa367 /etc | |
parent | 75466131f5b78618311d9d23f137eb926b87dd94 (diff) | |
Move the auto-generated rules for static routes on the same subnet. Use sloppy states to speed things up, and use `flags any` in the TCP case so the sloppy state does not choke.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/filter.inc | 57 |
1 files changed, 29 insertions, 28 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 829082c..aef2b7a 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1991,34 +1991,6 @@ pass out on \$IPsec all keep state label "IPsec internal host to host"
 EOD;
- /* pass traffic between statically routed subnets and the subnet on the
- * interface in question to avoid problems with complicated routing
- * topologies
- */
- if(isset($config['filter']['bypassstaticroutes']) && is_array($config['staticroutes']['route']) && count($config['staticroutes']['route'])) {
- $ipfrules .= "anchor \"staticrouted\" \n";
- foreach ($config['staticroutes']['route'] as $route) {
- $realif = guess_interface_from_ip(lookup_gateway_ip_by_name($route['gateway']));
- $friendly = convert_real_interface_to_friendly_interface_name($realif);
- if(is_array($FilterIflist[$friendly])) {
- $oc = $FilterIflist[$friendly];
- if($oc['ip']) {
- $sa = $oc['sa'];
- $sn = $oc['sn'];
- $if = $oc['if'];
- }
- if($sa) {
- $ipfrules .= <<<EOD
-pass in quick on \${$oc['descr']} from {$sa}/{$sn} to {$route['network']} no state label "pass traffic between statically routed subnets"
-pass in quick on \${$oc['descr']} from {$route['network']} to {$sa}/{$sn} no state label "pass traffic between statically routed subnets"
-pass out quick on \${$oc['descr']} from {$sa}/{$sn} to {$route['network']} no state label "pass traffic between statically routed subnets"
-pass out quick on \${$oc['descr']} from {$route['network']} to {$sa}/{$sn} no state label "pass traffic between statically routed subnets"
-
-EOD;
- }
- }
- }
- }
 if(!isset($config['system']['webgui']['noantilockout'])) {
 if(count($config['interfaces']) > 1 && !empty($FilterIflist['lan']['if'])) {
 /* if antilockout is enabled, LAN exists and has 
@@ -2106,6 +2078,35 @@ EOD;
 }
 }
+ /* pass traffic between statically routed subnets and the subnet on the
+ * interface in question to avoid problems with complicated routing
+ * topologies
+ */
+ if(isset($config['filter']['bypassstaticroutes']) && is_array($config['staticroutes']['route']) && count($config['staticroutes']['route'])) {
+ $ipfrules .= "anchor \"staticrouted\" \n";
+ foreach ($config['staticroutes']['route'] as $route) {
+ $realif = guess_interface_from_ip(lookup_gateway_ip_by_name($route['gateway']));
+ $friendly = convert_real_interface_to_friendly_interface_name($realif);
+ if(is_array($FilterIflist[$friendly])) {
+ $oc = $FilterIflist[$friendly];
+ if($oc['ip']) {
+ $sa = $oc['sa'];
+ $sn = $oc['sn'];
+ $if = $oc['if'];
+ }
+ if($sa) {
+ $ipfrules .= <<<EOD
+pass quick on \${$oc['descr']} proto tcp from {$sa}/{$sn} to {$route['network']} flags any keep state(sloppy) label "pass traffic between statically routed subnets"
+pass quick on \${$oc['descr']} from {$sa}/{$sn} to {$route['network']} keep state(sloppy) label "pass traffic between statically routed subnets"
+pass quick on \${$oc['descr']} proto tcp from {$route['network']} to {$sa}/{$sn} flags any keep state(sloppy) label "pass traffic between statically routed subnets"
+pass quick on \${$oc['descr']} from {$route['network']} to {$sa}/{$sn} keep state(sloppy) label "pass traffic between statically routed subnets"
+
+EOD;
+ }
+ }
+ }
+ }
+ update_filter_reload_status("Creating IPsec rules...");
 $ipfrules .= filter_generate_ipsec_rules(); |
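Review bot: `$sa` and `$sn` are never reset between iterations of the `foreach` over `$config['staticroutes']['route']`, so when a later route resolves to an interface whose `$oc['ip']` is empty, the `if($sa)` test still succeeds with the previous iteration's address and mask and the heredoc emits `pass quick ... keep state(sloppy)` rules on `\${$oc['descr']}` for a subnet that interface does not own. Because the rules are `quick`, that stale pairing passes traffic on the wrong interface ahead of whatever rules follow in the generated ruleset, which is exactly what a bypass option must not do by accident. Initializing both at the top of the loop body, `$sa = $sn = '';`, confines each set of rules to the interface that actually carries the address; `$if = $oc['if'];` is assigned but never read and can be dropped at the same time. The enclosing function begins and ends outside the hunk, so whether `$sa` is already defined before the loop cannot be seen here.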