-rw-r--r-- | etc/inc/filter.inc | 14 | ||||
-rwxr-xr-x | usr/local/www/firewall_rules_edit.php | 9 |
2 files changed, 17 insertions, 6 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index fc3af04..7b190d4 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1612,12 +1612,14 @@ function generate_user_filter_rule($rule)
 $aline['icmp-type'] = "icmp6-type {$rule['icmp6type']} ";
 }
 if ($type == "pass") {
- if (isset($rule['tag']) && $rule['tag'] <> "")
+ if (!empty($rule['tag']))
 $aline['tag'] = " tag " .$rule['tag']. " ";
- if (isset($rule['tagged']) && $rule['tagged'] <> "")
+ if (!empty($rule['tagged']))
 $aline['tagged'] = " tagged " .$rule['tagged'] . " ";
- if (isset($rule['dscp']) && $rule['dscp'] <> "")
+ if (!empty($rule['dscp']))
 $aline['dscp'] = " dscp " . $rule['dscp'] . " ";
+ if (isset($rule['allowopts']))
+ $aline['allowopts'] = " allow-opts ";
 if( isset($rule['source-track']) or isset($rule['max-src-nodes']) or isset($rule['max-src-states']) )
 if($rule['protocol'] == "tcp")
 $aline['flags'] = "flags S/SA ";
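Review bot: The switch from `isset($rule['tag']) && $rule['tag'] <> ""` to `!empty($rule['tag'])` (and likewise for `tagged` and `dscp`) is not behaviour-preserving: `empty()` is also true for the string `"0"`, so a tag or tagged value literally named `0` would previously have been emitted into the pf rule and is now silently dropped, which changes which packets the rule matches. If the tightening is intended, `if (isset($rule['tag']) && $rule['tag'] !== "")` keeps the original semantics while still avoiding the notice; otherwise a one-line comment stating that `"0"` is deliberately treated as unset would save the next reader a surprise. The new `allow-opts` keyword is correctly confined to the `$type == "pass"` branch, and since its value is a fixed literal rather than user data, no new string-injection surface is opened in the generated ruleset. generate_user_filter_rule() starts before and continues after this hunk.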
@@ -1745,14 +1747,14 @@ function generate_user_filter_rule($rule)
 $vpns = " to <vpns> ";
 $line .= $aline['type'] . $aline['direction'] . $aline['log'] . $aline['quick'] . $aline['interface'] . $aline['prot'] . $aline['src'] . $aline['srcport'] . $aline['os'] . $vpns . $aline['dstport'].
- $aline['icmp-type'] . $aline['tag'] . $aline['tagged'] . $aline['dscp'] . $aline['flags'].
+ $aline['icmp-type'] . $aline['tag'] . $aline['tagged'] . $aline['dscp'] . $aline['allowopts'] . $aline['flags'].
 $aline['queue'] . $aline['dnpipe'] . " label \"NEGATE_ROUTE: Negate policy route for local network(s)\"\n";
 /* negate directly connected networks for load balancer/gateway rules */
 $direct_networks = " to <direct_networks> ";
 $line .= $aline['type'] . $aline['direction'] . $aline['log'] . $aline['quick'] . $aline['interface'] . $aline['prot'] . $aline['src'] . $aline['srcport'] . $aline['os'] . $direct_networks . $aline['dstport'].
- $aline['icmp-type'] . $aline['tag'] . $aline['tagged'] . $aline['dscp'] .
+ $aline['icmp-type'] . $aline['tag'] . $aline['tagged'] . $aline['dscp'] . $aline['allowopts'] .
 $aline['flags'] . $aline['queue'] . $aline['dnpipe'] . " label \"NEGATE_ROUTE: Negate policy route for local network(s)\"\n";
 }
@@ -1760,7 +1762,7 @@ function generate_user_filter_rule($rule)
 $line .= $aline['type'] . $aline['direction'] . $aline['log'] . $aline['quick'] . $aline['interface'] . $aline['reply'] . $aline['route'] . $aline['prot'] . $aline['src'] . $aline['srcport'] . $aline['os'] . $aline['dst'] . $aline['dstport'] . $aline['divert'] . $aline['icmp-type'] . $aline['tag'] . $aline['tagged'] . $aline['dscp'] .
- $aline['flags'] . $aline['queue'] . $aline['dnpipe'];
+ $aline['allowopts'] . $aline['flags'] . $aline['queue'] . $aline['dnpipe'];
 /* is a time based rule schedule attached? */
 if(!empty($rule['sched'])) {
diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php
index 0883d62..c0d0d66 100755
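Review bot: `$aline['allowopts']` is now concatenated into every emitted rule, including the NEGATE_ROUTE helper rules and the final rule at 1762, while the hunk at 1612 only ever sets it under `$type == "pass"`; the correctness of this depends on that invariant, because pf (as far as I recall from pfctl's parser) rejects `allow-opts` on anything but a pass rule, so a future change that sets the key elsewhere would break ruleset loading for the whole firewall. A short comment at the point of first use would pin that down, e.g. `/* allow-opts is only valid on pass rules; $aline['allowopts'] is set only in the pass branch above */`. Note that the NEGATE_ROUTE rules inherit allow-opts too, so enabling the option on a policy-routing rule also permits IP options on the traffic that is carved out to local networks — that is probably intended, but worth stating in the commit message or a comment. generate_user_filter_rule() starts before and continues after these hunks.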
--- a/usr/local/www/firewall_rules_edit.php
+++ b/usr/local/www/firewall_rules_edit.php
@@ -119,6 +119,8 @@ if (isset($id) && $a_filter[$id]) {
 $pconfig['tagged'] = $a_filter[$id]['tagged'];
 if (isset($a_filter[$id]['quick']) && $a_filter[$id]['quick'])
 $pconfig['quick'] = $a_filter[$id]['quick'];
+ if (isset($a_filter[$id]['allowopts']))
+ $pconfig['allowopts'] = true;
 /* advanced */
 $pconfig['max-src-nodes'] = $a_filter[$id]['max-src-nodes'];
@@ -359,6 +361,10 @@ if ($_POST) {
 }
 /* Advanced options */
+ if ($_POST['allowopts'] == "yes")
+ $filterent['allowopts'] = true;
+ else
+ unset($filterent['allowopts']);
 $filterent['max-src-nodes'] = $_POST['max-src-nodes'];
 $filterent['max-src-states'] = $_POST['max-src-states'];
 $filterent['statetimeout'] = $_POST['statetimeout'];
@@ -962,6 +968,9 @@ include("head.inc");
 </div>
 <div id="aodivmain" name="aodivmain" style="display:none">
+ <input type="checkbox" id="allowopts" value="yes" name="allowopts"<?php if($pconfig['allowopts'] == true) echo " checked"; ?>>
+ <br/><span class="vexpl"><?=gettext("This allows packets with ip options to pass otherwise they are blocked by default i.e. with multicast routing/proxing.");?>
+ </span><p>
 <input name="tag" id="tag" value="<?=htmlspecialchars($pconfig['tag']);?>">
 <br /><span class="vexpl"><?=gettext("You can mark a packet matching this rule and use this mark to match on other nat/filter rules. It is called <b>Policy filtering</b>");?>
 </span><p> |
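Review bot: In the hunk at 361, `if ($_POST['allowopts'] == "yes")` reads a key that the browser does not send at all when the checkbox is unchecked, so every save with the option off raises an undefined-index notice; the surrounding code guards similar optional fields with `isset()` (see the `quick` handling in the hunk at 119), so `if (isset($_POST['allowopts']) && $_POST['allowopts'] == "yes")` keeps the style consistent and the `else unset(...)` branch still clears a previously stored value. The `unset()` on the unchecked path is the right call, since a stale `allowopts` key would otherwise keep `allow-opts` in the generated rule after the user disabled it. The enclosing `if ($_POST)` block starts before and continues after this hunk.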
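Review bot: The help text in the hunk at 968 undersells the security impact of the checkbox and has a typo ("proxing"); pf drops packets carrying IP options by default precisely because options such as source routing can be used to steer traffic around filtering, and the UI should say so rather than present the option as a harmless multicast convenience. A wording along the lines of `"Allow packets with IP options to pass this rule. pf blocks such packets by default because IP options (e.g. source routing) can be abused; enable this only for rules that need it, such as multicast routing/proxying (IGMP uses the Router Alert option)."` would give the operator the caveat they need — the IGMP detail is from memory and worth confirming before shipping. Two smaller points: the `<input>` has no `<label>`, so the help text is not associated with the control, and `$pconfig['allowopts'] == true` emits a notice when the key is absent on a new rule; `isset($pconfig['allowopts']) && $pconfig['allowopts']` avoids that. The surrounding markup starts before and continues after this hunk.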