| 2382 |
2382 |
$aline['flags'] .= " ) ";
|
| 2383 |
2383 |
}
|
| 2384 |
2384 |
}
|
|
2385 |
if(in_array($rule['protocol'], array("icmp","udp","tcp/udp")) && ($type == "pass")) {
|
|
2386 |
/*
|
|
2387 |
* # keep state
|
|
2388 |
* works with TCP, UDP, and ICMP.
|
|
2389 |
* # modulate state
|
|
2390 |
* works only with TCP. pfSense will generate strong Initial Sequence Numbers (ISNs)
|
|
2391 |
* for packets matching this rule.
|
|
2392 |
* # synproxy state
|
|
2393 |
* proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods.
|
|
2394 |
* This option includes the functionality of keep state and modulate state combined.
|
|
2395 |
* # none
|
|
2396 |
* do not use state mechanisms to keep track. this is only useful if your doing advanced
|
|
2397 |
* queueing in certain situations. please check the faq.
|
|
2398 |
*/
|
|
2399 |
$noadvoptions = false;
|
|
2400 |
if(isset($rule['statetype']) && $rule['statetype'] <> "") {
|
|
2401 |
switch($rule['statetype']) {
|
|
2402 |
case "none":
|
|
2403 |
$noadvoptions = true;
|
|
2404 |
$aline['flags'] .= " no state ";
|
|
2405 |
break;
|
|
2406 |
case "sloppy state":
|
|
2407 |
$aline['flags'] .= "keep state ";
|
|
2408 |
$rule['sloppy'] = true;
|
|
2409 |
break;
|
|
2410 |
default:
|
|
2411 |
$aline['flags'] .= "{$rule['statetype']} ";
|
|
2412 |
break;
|
|
2413 |
}
|
|
2414 |
} else
|
|
2415 |
$aline['flags'] .= "keep state ";
|
|
2416 |
|
|
2417 |
if($noadvoptions == false || $l7_present)
|
|
2418 |
if( (isset($rule['source-track']) and $rule['source-track'] <> "") or
|
|
2419 |
(isset($rule['max']) and $rule['max'] <> "") or
|
|
2420 |
(isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "") or
|
|
2421 |
(isset($rule['max-src-states']) and $rule['max-src-states'] <> "") or
|
|
2422 |
(isset($rule['statetimeout']) and $rule['statetimeout'] <> "") or
|
|
2423 |
isset($rule['sloppy']) or $l7_present) {
|
|
2424 |
$aline['flags'] .= "( ";
|
|
2425 |
if (isset($rule['sloppy']))
|
|
2426 |
$aline['flags'] .= "sloppy ";
|
|
2427 |
if(isset($rule['source-track']) and $rule['source-track'] <> "")
|
|
2428 |
$aline['flags'] .= "source-track rule ";
|
|
2429 |
if(isset($rule['max']) and $rule['max'] <> "")
|
|
2430 |
$aline['flags'] .= "max " . $rule['max'] . " ";
|
|
2431 |
if(isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "")
|
|
2432 |
$aline['flags'] .= "max-src-nodes " . $rule['max-src-nodes'] . " ";
|
|
2433 |
if(isset($rule['max-src-states']) and $rule['max-src-states'] <> "")
|
|
2434 |
$aline['flags'] .= "max-src-states " . $rule['max-src-states'] . " ";
|
|
2435 |
if(isset($rule['statetimeout']) and $rule['statetimeout'] <> "")
|
|
2436 |
$aline['flags'] .= "tcp.established " . $rule['statetimeout'] . " ";
|
|
2437 |
|
|
2438 |
if(!empty($aline['divert']))
|
|
2439 |
$aline['flags'] .= "max-packets 8 ";
|
|
2440 |
|
|
2441 |
$aline['flags'] .= " ) ";
|
|
2442 |
}
|
|
2443 |
}
|
| 2385 |
2444 |
if($rule['defaultqueue'] <> "") {
|
| 2386 |
2445 |
$aline['queue'] = " queue (".$rule['defaultqueue'];
|
| 2387 |
2446 |
if($rule['ackqueue'] <> "")
|
