Project

General

Profile

« Previous | Next » 

Revision 7ee0f3a8

Added by Ermal LUÇI over 12 years ago

Put outgoing policy routes even for the vips to correct sourced traffic from them. Fixes #1823

View differences:

etc/inc/filter.inc
835 835 
		$oic['gatewayv6'] = $oc['gatewayv6'];
836 836 
		$oic['spoofcheck'] = "yes";
837 837 
		$oic['bridge'] = link_interface_to_bridge($if);
838 
		$vips = link_interface_to_vips($if);
839 
		if (!empty($vips)) {
840 
			foreach ($vips as $vipidx => $vip) {
841 
				if (is_ipaddrv4($vip['subnet'])) {
842 
					if (!is_array($oic['vips']))
843 
						$oic['vips'] = array();
844 
					$oic['vips'][$vipidx]['ip'] = $vip['subnet'];
845 
					if (empty($vip['subnet_bits']))
846 
						$oic['vips'][$vipidx]['sn'] = 32;
847 
					else
848 
						$oic['vips'][$vipidx]['sn'] = $vip['subnet_bits'];
849 
				} else if (is_ipaddrv6($vip['subnet'])) {
850 
					if (!is_array($oic['vips6']))
851 
						$oic['vips6'] = array();
852 
					$oic['vips6'][$vipidx]['ip'] = $vip['subnet'];
853 
					if (empty($vip['subnet_bits']))
854 
						$oic['vips'][$vipidx]['sn'] = 128;
855 
					else
856 
						$oic['vips'][$vipidx]['sn'] = $vip['subnet_bits'];
857 
				}
858 
			}
859 
		}
860 
		unset($vips);
838 861 
		$FilterIflist[$if] = $oic;
839 862 
	}
840 863 

  		




  ......




  2683
  2706
  
    
			continue;


  		




  2684
  2707
  
    

  		




  2685
  2708
  
    
		$gw = get_interface_gateway($ifdescr);


  		




  2686
  
  
    
		if (is_ipaddr($gw) && is_ipaddr($ifcfg['ip']))


  		




  
  2709
  
    
		if (is_ipaddr($gw) && is_ipaddr($ifcfg['ip'])) {


  		




  2687
  2710
  
    
                	$ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$ifcfg['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n";


  		




  
  2711
  
    
			if (is_array($ifcfg['vips'])) {


  		




  
  2712
  
    
				foreach ($ifcfg['vips'] as $vip)


  		




  
  2713
  
    
					$ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !{$vip['ip']}/{$vip['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n";


  		




  
  2714
  
    
			}


  		




  
  2715
  
    
		}


  		




  2688
  2716
  
    

  		




  2689
  2717
  
    
		$gwv6 = get_interface_gateway_v6($ifdescr);


  		




  2690
  2718
  
    
		switch($ifcfg['type6']) {


  		




  ......




  2698
  2726
  
    
				$pdlen = 64 - calculate_ipv6_delegation_length($ifdescr);


  		




  2699
  2727
  
    
			break;


  		




  2700
  2728
  
    
		}


  		




  2701
  
  
    
		if (is_ipaddrv6($gwv6) && is_ipaddrv6($ifcfg['ipv6']))


  		




  
  2729
  
    
		if (is_ipaddrv6($gwv6) && is_ipaddrv6($ifcfg['ipv6'])) {


  		




  2702
  2730
  
    
                	$ipfrules .= "pass out route-to ( {$stf} {$gwv6} ) inet6 from {$ifcfg['ipv6']} to !{$ifcfg['ipv6']}/{$pdlen} keep state allow-opts label \"let out anything from firewall host itself\"\n";


  		




  
  2731
  
    
			if (is_array($ifcfg['vips6'])) {


  		




  
  2732
  
    
				foreach ($ifcfg['vips6'] as $vip)


  		




  
  2733
  
    
					$ipfrules .= "pass out route-to ( {$stf} {$gwv6} ) inet6 from {$vip['ip']} to !{$vip['ipv6']}/{$pdlen} keep state allow-opts label \"let out anything from firewall host itself\"\n";


  		




  
  2734
  
    
			}


  		




  
  2735
  
    
		}


  		




  2703
  2736
  
    
	}


  		




  2704
  2737
  
    
	


  		




  2705
  2738
  
    

  		












Also available in:  Unified diff