
Revision 7ee0f3a8

Added by Ermal LUÇI over 12 years ago

Add outgoing policy routes for the VIPs as well, so that traffic sourced from them is routed correctly. Fixes #1823


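--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -835,6 +835,29 @@
 		$oic['gatewayv6'] = $oc['gatewayv6'];
 		$oic['spoofcheck'] = "yes";
 		$oic['bridge'] = link_interface_to_bridge($if);
+		$vips = link_interface_to_vips($if);
+		if (!empty($vips)) {
+			foreach ($vips as $vipidx => $vip) {
+				if (is_ipaddrv4($vip['subnet'])) {
+					if (!is_array($oic['vips']))
+						$oic['vips'] = array();
+					$oic['vips'][$vipidx]['ip'] = $vip['subnet'];
+					if (empty($vip['subnet_bits']))
+						$oic['vips'][$vipidx]['sn'] = 32;
+					else
+						$oic['vips'][$vipidx]['sn'] = $vip['subnet_bits'];
+				} else if (is_ipaddrv6($vip['subnet'])) {
+					if (!is_array($oic['vips6']))
+						$oic['vips6'] = array();
+					$oic['vips6'][$vipidx]['ip'] = $vip['subnet'];
+					if (empty($vip['subnet_bits']))
+						$oic['vips'][$vipidx]['sn'] = 128;
+					else
+						$oic['vips'][$vipidx]['sn'] = $vip['subnet_bits'];
+				}
+			}
+		}
+		unset($vips);
 		$FilterIflist[$if] = $oic;
 	}
 
@@ -2683,8 +2706,13 @@
 			continue;
 
 		$gw = get_interface_gateway($ifdescr);
-		if (is_ipaddr($gw) && is_ipaddr($ifcfg['ip']))
+		if (is_ipaddr($gw) && is_ipaddr($ifcfg['ip'])) {
                 	$ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$ifcfg['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n";
+			if (is_array($ifcfg['vips'])) {
+				foreach ($ifcfg['vips'] as $vip)
+					$ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$vip['ip']} to !{$vip['ip']}/{$vip['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n";
+			}
+		}
 
 		$gwv6 = get_interface_gateway_v6($ifdescr);
 		switch($ifcfg['type6']) {
@@ -2698,8 +2726,13 @@
 				$pdlen = 64 - calculate_ipv6_delegation_length($ifdescr);
 			break;
 		}
-		if (is_ipaddrv6($gwv6) && is_ipaddrv6($ifcfg['ipv6']))
+		if (is_ipaddrv6($gwv6) && is_ipaddrv6($ifcfg['ipv6'])) {
                 	$ipfrules .= "pass out route-to ( {$stf} {$gwv6} ) inet6 from {$ifcfg['ipv6']} to !{$ifcfg['ipv6']}/{$pdlen} keep state allow-opts label \"let out anything from firewall host itself\"\n";
+			if (is_array($ifcfg['vips6'])) {
+				foreach ($ifcfg['vips6'] as $vip)
+					$ipfrules .= "pass out route-to ( {$stf} {$gwv6} ) inet6 from {$vip['ip']} to !{$vip['ipv6']}/{$pdlen} keep state allow-opts label \"let out anything from firewall host itself\"\n";
+			}
+		}
 	}
 	
 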
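Review bot: In the IPv6 branch of the first hunk the prefix length is stored under the wrong key: `$oic['vips'][$vipidx]['sn'] = 128;` and the `subnet_bits` assignment below it write into `vips` while the address went into `vips6`, so the v6 entry never receives an `sn` and a stray v4 entry with `sn` but no `ip` is created; both lines should read `$oic['vips6'][$vipidx]['sn'] = …`. That stray entry is then walked by `foreach ($ifcfg['vips'] as $vip)` in the second hunk and interpolates an empty address into the `pass out route-to` rule, and the third hunk has a similar slip: `to !{$vip['ipv6']}/{$pdlen}` reads a key the first hunk never sets (entries carry `ip`), so it should be `to !{$vip['ip']}/{$pdlen}`. In both cases pf is most likely handed a rule with an empty address, which would fail the load of the whole generated ruleset rather than drop just one rule, so I would also guard each emitted line with the existing `is_ipaddrv4($vip['ip'])` / `is_ipaddrv6($vip['ip'])` helpers before appending it. The enclosing functions of all three hunks start and end outside the page.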
