Revision 8563e5de
Added by Scott Ullrich over 20 years ago
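--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -72,10 +72,6 @@
 /* generate altq rules */
 $altq_rules = filter_generate_altq_rules();
 }
-if (isset($config['nat']['outgoingloadbalancing']['enable']))
-/* generate altq rules */
-$lb_rules = filter_generate_lb_rules();
-
 if( !isset( $config['system']['disablefilter'] ) ) {
 mwexec("/sbin/pfctl -e");
 mwexec("/sbin/pfctl -F nat");
@@ -120,45 +116,25 @@
 $rules_loading = mwexec("/sbin/pfctl -f {$g['tmp_path']}/rules.debug");
 
 /* load ipfw+altq module */
-if (isset($config['shaper']['enable']) || isset($config['nat']['outgoingloadbalancing']['enable'])) {
+if (isset($config['shaper']['enable'])) {
 mwexec("/sbin/kldload ipfw");
 /* change one_pass to 1 so ipfw stops checking after
 a rule has matched */
 mwexec("/sbin/sysctl net.inet.ip.fw.one_pass=1");
 /* load shaper rules */
-if (isset($config['shaper']['enable'])) {
-mwexec("/sbin/ipfw -f delete set 4");
+mwexec("/sbin/ipfw -f delete set 4");
 /* XXX - seems like ipfw cannot accept rules directly on stdin,
 so we have to write them to a temporary file first */
-$fd = fopen("{$g['tmp_path']}/ipfw.rules", "w");
-if (!$fd) {
-printf("Cannot open ipfw.rules in filter_configure()\n");
-return 1;
-}
-fwrite($fd, $altq_rules);
-fclose($fd);
-mwexec("/sbin/ipfw {$g['tmp_path']}/ipfw.rules");
-mwexec("/sbin/ipfw enable altq");
-mwexec("/bin/mv {$g['tmp_path']}/ipfw.rules {$g['tmp_path']}/ipfw.rules_old");
-}
-/*load lb rules */
-if (isset($config['nat']['outgoingloadbalancing']['enable'])) {
-mwexec("/sbin/ipfw -f delete set 5");
-/* this uses ~32MB for session states */
-mwexec("/sbin/sysctl net.inet.ip.fw.dyn_max=65536");
-mwexec("/sbin/sysctl net.inet.ip.fw.dyn_buckets=32768");
-/* XXX - seems like ipfw cannot accept rules directly on stdin,
-so we have to write them to a temporary file first */
-$fd = fopen("{$g['tmp_path']}/ipfw_lb.rules", "w");
-if (!$fd) {
-printf("Cannot open ipfw.rules in filter_configure()\n");
-return 1;
-}
-fwrite($fd, $lb_rules);
-fclose($fd);
-mwexec("/sbin/ipfw {$g['tmp_path']}/ipfw_lb.rules");
-mwexec("/bin/mv {$g['tmp_path']}/ipfw_lb.rules {$g['tmp_path']}/ipfw_lb.rules_old");
+$fd = fopen("{$g['tmp_path']}/ipfw.rules", "w");
+if (!$fd) {
+printf("Cannot open ipfw.rules in filter_configure()\n");
+return 1;
 }
+fwrite($fd, $altq_rules);
+fclose($fd);
+mwexec("/sbin/ipfw {$g['tmp_path']}/ipfw.rules");
+mwexec("/sbin/ipfw enable altq");
+mwexec("/bin/mv {$g['tmp_path']}/ipfw.rules {$g['tmp_path']}/ipfw.rules_old");
 } else {
 mwexec("/sbin/ipfw -f flush");
 if(!isset($config['captiveportal']['enable']))
@@ -383,74 +359,6 @@
 return $aliases;
 }
 
-function filter_generate_lb_rules() {
-global $config, $g;
-
-$wancfg = $config['interfaces']['wan'];
-$lancfg = $config['interfaces']['lan'];
-
-$lanif = $lancfg['if'];
-$wanif = get_real_wan_interface();
-
-$lanip = $lancfg['ipaddr'];
-$lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
-$lansn = $lancfg['subnet'];
-
-$ruleconf = &$config['nat']['outgoingloadbalancing']['rule'];
-
-/* Lets turn away some rule writting */
-$out_flow = ' ip from '.$lancfg['ipaddr'].'/'.$lancfg['subnet'].' to not '. $lancfg['ipaddr'].'/'.$lancfg['subnet'];
-$in_flow = 'ip from not '.$lancfg['ipaddr'].'/'.$lancfg['subnet'].' to '.$lancfg['ipaddr'].'/'.$lancfg['subnet'];
-
-/* LB Rules Return Script */
-$lbrules = "";
-// print_r($ruleconf);
-/* generate rules */
-if (isset($ruleconf)) {
-
-$i = 0;
-$gatenum = count($ruleconf);
-reset($ruleconf);
-foreach ($ruleconf as $rule) {
-
-$gwmac = arp_get_mac_by_ip($rule['gatewayip']);
-print_r($rule);
-print_r($gwmac);
-/* don't include disabled rules and non reachable gateways*/
-if (($rule['enabled']===0) || ($gwmac===false)) {
-$i++;
-continue;
-}
-
-$rulelines = "";
-$in_num = 10000 + $i;
-$out_num = 11000 + $i;
-$skipto_num = 50000 + $i*10;
-
-/* Compute denominator of probability value
-(consist of enabled|reachable gateways) */
-$denom[$i] = 0;
-for($j=$i;$j<$gatenum;$j++)
-if (($ruleconf[$j]['enabled']==1) && (arp_get_mac_by_ip($ruleconf[$j]['gatewayip'])!==false)) $denom[$i]++;
-
-$prob = round(1/$denom[$i],2);
-
-$rulelines .= "add $in_num set 5 skipto $skipto_num $in_flow mac any $gwmac in recv $wanif keep-state\n";
-
-$rulelines .= "add $out_num set 5 prob $prob skipto $skipto_num $out_flow in recv $lanif keep-state\n";
-
-$rulelines .= "add $skipto_num set 5 fwd ".$rule['gatewayip']." $out_flow in recv $lanif\n";
-$skipto_num++;
-$rulelines .= "add $skipto_num set 5 skipto 65535 ip from any to any\n";
-
-$lbrules .=$rulelines;
-$i++;
-} // foreach
-
-} // if
-return $lbrules;
-}
-
 function filter_generate_altq_rules() {
 global $config, $g;
 
@@ -488,12 +396,13 @@
 $pptpsn = $g['pptp_subnet'];
 }
 
-$rulei = 1000;
+$rulei = 50000;
 
 /* add a rule to pass all traffic from/to the firewall,
 so the user cannot lock himself out of the webGUI */
 $shaperrules = "add $rulei set 4 pass all from $lanip to any\n"; $rulei++;
 $shaperrules .= "add $rulei set 4 pass all from any to $lanip\n"; $rulei++;
+$shaperrules .= "add $rulei set 4 pass carp from any to any\n"; $rulei++;
 
 /* generate rules */
 if (isset($config['shaper']['rule']))
@@ -699,10 +608,12 @@
 if ($ispptp) {
 $line .= "via ng" . ($iif+1);
 } else {
+$if = $config['interfaces'][$rule['interface']]['if'];
+
 if ($rule['interface'] == "wan")
 $if = $wanif;
-else
-$if = $config['interfaces'][$rule['interface']]['if'];
+else if($rule['interface'] == "lan")
+$if = $wanif;
 
 $line .= "via {$if}";
 }
@@ -1764,4 +1675,4 @@
 return $rule;
 }
 
-?>
+?>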
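Review bot: In the restored else-branch of the last code hunk (new lines 611-616) the `lan` case assigns `$if = $wanif;`, the same value as the `wan` case, even though `$if` was already initialised from `$config['interfaces'][$rule['interface']]['if']` two lines earlier; as written, shaper rules bound to the LAN interface appear to be emitted with the WAN device name in the `via {$if}` clause. If that is not intended, the two lines `else if($rule['interface'] == "lan")` and `$if = $wanif;` can simply be dropped, since the default assignment already yields the configured LAN interface. The enclosing function starts and ends outside the hunk, so I cannot tell from here whether `$wanif` is deliberately used for LAN-side rules elsewhere; if it is, a one-line comment on the `else if` stating why would save the next reader the same question.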
Revert this commit. It broke ALTQ!