From e714e996899c305398cafc2af50f8d56630e2ca5 Mon Sep 17 00:00:00 2001
From: phildd
Date: Sun, 24 Mar 2013 18:28:11 +0545
Subject: Do not bother with bogonsv6 if IPv6 allow is off

The rules already block all IPv6 when IPv6 allow is off, so it is a waste of 70,000+ table entries of V6 bogons. On small systems this matters, and I sometimes get errors loading rules with the default table entries limit even though I don't care for V6 stuff.
---
 etc/inc/filter.inc | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index a4c1773..b56afac 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -326,6 +326,10 @@ function filter_configure_sync($delete_states_if_needed = true) {
 }
 }
+ # If allow IPv6 has been unchecked then we can remove any bogonsv6 table (if the table is not there, the kill is still fine).
+ if (!isset($config['system']['ipv6allow']))
+ $_grbg = exec("/sbin/pfctl -t bogonsv6 -T kill");
+
 update_filter_reload_status(gettext("Starting up layer7 daemon"));
 layer7_start_l7daemon();
@@ -557,7 +561,8 @@ function filter_generate_aliases() {
 if (!file_exists("/etc/bogonsv6"))
 @file_put_contents("/etc/bogonsv6", "");
 $aliases .= "table persist file \"/etc/bogons\"\n";
- $aliases .= "table persist file \"/etc/bogonsv6\"\n";
+ if (isset($config['system']['ipv6allow']))
+ $aliases .= "table persist file \"/etc/bogonsv6\"\n";
 $vpns_list = filter_get_vpns_list();
 if($vpns_list)
@@ -2595,9 +2600,14 @@ EOD;
 # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
 # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
 block in $log quick on \${$oc['descr']} from to any label "block bogon IPv4 networks from {$oc['descr']}"
+
+EOD;
+ if(isset($config['system']['ipv6allow'])) {
+ $ipfrules .= << to any label "block bogon IPv6 networks from {$oc['descr']}"
 EOD;
+ }
 }
 $isbridged = false;
 if(is_array($config['bridges']['bridged'])) {
--
cgit v1.1
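Review bot: The exit status of the new `exec("/sbin/pfctl -t bogonsv6 -T kill")` in filter_configure_sync is never captured, since PHP's `exec()` returns only the last output line into the throwaway `$_grbg`, so any failure other than the table being absent (pfctl unavailable, pf not yet enabled) is silent. Capture it with `exec("/sbin/pfctl -t bogonsv6 -T kill", $output, $rc);` and log when `$rc` is non-zero, or drop the unused assignment and call `exec()` for its side effect alone. The function body begins before this hunk, so whether `$config` is declared `global` here cannot be confirmed from the patch; the same `isset($config['system']['ipv6allow'])` test is repeated in the two later hunks, and a small helper would keep the three in step. I would also extend the comment to say that the kill runs before the ruleset is regenerated, so anything else that refreshes the bogonsv6 table (a periodic bogon update, if one exists) will now find it missing while IPv6 is disabled.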
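Review bot: In filter_generate_aliases the guard covers only the `table ... persist file "/etc/bogonsv6"` line, while the `file_exists`/`@file_put_contents("/etc/bogonsv6", "")` pair just above it still creates the empty file when IPv6 is off; harmless, but moving the `isset($config['system']['ipv6allow'])` test up to cover both would make the intent clearer. A one-line comment on the new condition would help the next reader, e.g. `// bogonsv6 is only loaded when IPv6 is enabled; the table costs 70,000+ entries`, since the rationale currently lives only in the commit message and the unrelated comment in filter_configure_sync.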
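Review bot: The conditional second heredoc in the bogon rule generation relies on the claim, stated only in the commit message, that all IPv6 is already blocked when ipv6allow is off; that dependency should be recorded next to the `if(isset($config['system']['ipv6allow']))` line, e.g. `# IPv6 bogon blocking is skipped here because all IPv6 is already blocked when ipv6allow is off; revisit if that global block is ever relaxed.` so a later change to the global IPv6 block does not silently leave bogon sources unfiltered. The added empty `+` line before the first `EOD;` emits an extra blank line into the generated ruleset on every interface; it is harmless but unnecessary. The enclosing function and the per-interface loop start outside this hunk, and the IPv6 block rule line appears to be mangled in this rendering of the patch, so I have not checked the heredoc contents themselves.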