Revision 7ee0f3a8
Added by Ermal LUÇI over 12 years ago
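--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -835,6 +835,29 @@
 $oic['gatewayv6'] = $oc['gatewayv6'];
 $oic['spoofcheck'] = "yes";
 $oic['bridge'] = link_interface_to_bridge($if);
+$vips = link_interface_to_vips($if);
+if (!empty($vips)) {
+foreach ($vips as $vipidx => $vip) {
+if (is_ipaddrv4($vip['subnet'])) {
+if (!is_array($oic['vips']))
+$oic['vips'] = array();
+$oic['vips'][$vipidx]['ip'] = $vip['subnet'];
+if (empty($vip['subnet_bits']))
+$oic['vips'][$vipidx]['sn'] = 32;
+else
+$oic['vips'][$vipidx]['sn'] = $vip['subnet_bits'];
+} else if (is_ipaddrv6($vip['subnet'])) {
+if (!is_array($oic['vips6']))
+$oic['vips6'] = array();
+$oic['vips6'][$vipidx]['ip'] = $vip['subnet'];
+if (empty($vip['subnet_bits']))
+$oic['vips'][$vipidx]['sn'] = 128;
+else
+$oic['vips'][$vipidx]['sn'] = $vip['subnet_bits'];
+}
+}
+}
+unset($vips);
 $FilterIflist[$if] = $oic;
 }
 
@@ -2683,8 +2706,13 @@
 continue;
 
 $gw = get_interface_gateway($ifdescr);
-if (is_ipaddr($gw) && is_ipaddr($ifcfg['ip']))
+if (is_ipaddr($gw) && is_ipaddr($ifcfg['ip'])) {
 $ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$ifcfg['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n";
+if (is_array($ifcfg['vips'])) {
+foreach ($ifcfg['vips'] as $vip)
+$ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !{$vip['ip']}/{$vip['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n";
+}
+}
 
 $gwv6 = get_interface_gateway_v6($ifdescr);
 switch($ifcfg['type6']) {
@@ -2698,8 +2726,13 @@
 $pdlen = 64 - calculate_ipv6_delegation_length($ifdescr);
 break;
 }
-if (is_ipaddrv6($gwv6) && is_ipaddrv6($ifcfg['ipv6']))
+if (is_ipaddrv6($gwv6) && is_ipaddrv6($ifcfg['ipv6'])) {
 $ipfrules .= "pass out route-to ( {$stf} {$gwv6} ) inet6 from {$ifcfg['ipv6']} to !{$ifcfg['ipv6']}/{$pdlen} keep state allow-opts label \"let out anything from firewall host itself\"\n";
+if (is_array($ifcfg['vips6'])) {
+foreach ($ifcfg['vips6'] as $vip)
+$ipfrules .= "pass out route-to ( {$stf} {$gwv6} ) inet6 from {$vip['ip']} to !{$vip['ipv6']}/{$pdlen} keep state allow-opts label \"let out anything from firewall host itself\"\n";
+}
+}
 }
 
 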
Add outgoing policy routes for the VIPs as well, so that traffic sourced from them is routed correctly. Fixes #1823