statepolicy.patch - pfSense - pfSense bugtracker

     		$limitrules = "";
+    	}
     	$limitrules .= "set state-policy " . config_get_path('system/statepolicy', 'if-bound') . "\n";
     	/* User defined maximum table entries in Advanced menu. */
     	if (is_numeric(config_get_path('system/maximumtableentries'))) {
     		$limitrules .= sprintf("set limit table-entries %d\n", config_get_path('system/maximumtableentries'));

     require_once("util.inc");
     require_once("pfsense-utils.inc");
     $state_policy_options = [
     	'if-bound' => gettext('Interface Bound States'),
     	'floating' => gettext('Floating States'),
     ];
     // Functions included by system_advanced_firewall.php =========================
     function getSystemAdvancedFirewall($json = false) {
-...
     	$pconfig['bogonsinterval'] = config_get_path('system/bogons/interval');
     	$pconfig['bypassstaticroutes'] = isset($config['filter']['bypassstaticroutes']);
     	$pconfig['checkaliasesurlcert'] = isset($config['system']['checkaliasesurlcert']);
     	$pconfig['statepolicy'] = config_get_path('system/statepolicy');
     	$pconfig['disablefilter'] = config_get_path('system/disablefilter');
     	$pconfig['disablenatreflection'] = config_get_path('system/disablenatreflection');
     	$pconfig['disablenegate'] = isset($config['system']['disablenegate']);
-...
+    }
     function saveSystemAdvancedFirewall($post, $json = false) {
     	global $g, $config;
     	global $g, $config, $state_policy_options;
     	$rv = array();
     	/* input validation */
     	if (!empty($post['statepolicy']) &&
     	    !array_key_exists($post['statepolicy'], $state_policy_options)) {
     		$input_errors[] = gettext("Invalid Firewall State Policy value.");
+    	}
     	if ((isset($post['adaptivestart']) && !isset($post['adaptiveend'])) || (!isset($post['adaptivestart']) && isset($post['adaptiveend']))) {
     		$input_errors[] = gettext("The Firewall Adaptive values must be set together.");
+    	}
-...
     			config_del_path('system/disablefilter');
+    		}
     		config_set_path('system/statepolicy', $post['statepolicy']);
     		if ($post['disablevpnrules'] == "yes") {
     			$config['system']['disablevpnrules'] = true;
     		} else {

     	'Note: This will also turn off NAT! To only disable NAT, '.
     	'and not firewall rules, visit the %3$sOutbound NAT%4$s page.', g_get('product_label'), '<br/>', '<a href="firewall_nat_out.php">', '</a>');
     global $state_policy_options;
     $section->addInput(new Form_Select(
     	'statepolicy',
     	'Firewall State Policy',
     	$pconfig['statepolicy'],
     	$state_policy_options
     ))->setHelp(
     	'%1$sInterface Bound States are more strict and secure. States '.
     	'are bound to specific interfaces by their OS/driver name (e.g. '.
     	'igcX). If a packet attempts to takes an path through a different '.
     	'interface than the one to which it is bound, the packet is '.
     	'dropped. This policy is less likely to allow VPN or other '.
     	'traffic to egress via unexpected paths (e.g. during interface '.
     	'events). '.
     	'%2$sFloating States are less secure, more lenient in their '.
     	'checks, and are not strictly associated with any interface. The '.
     	'interface is tracked in state properties, but it is informational '.
     	'and not enforced. This policy allows HA nodes with different '.
     	'hardware to utilize state synchronization. It is also more '.
     	'forgiving of certain asymmetric routing scenarios. However, this '.
     	'relaxed policy may allow connections to be misdirected or take '.
     	'unexpected paths if the routing table can be manipulated. '.
     	'%3$sThere is no difference in the ability to view or kill states ' .
     	'between either mode.',
     	'</span><ul class="help-block"><li>', '</li><li>', '</li></ul><span class="help-block">');
     $section->addInput(new Form_Checkbox(
     	'bypassstaticroutes',
     	'Static route filtering',

Project

General

Profile

pfSense

Todo #15173 » statepolicy.patch