Revision c066ea8a
Added by Seth Mos almost 14 years ago
etc/inc/filter.inc | ||
---|---|---|
427 | 427 |
if (!empty($config['system']['maxmss'])) |
428 | 428 |
$maxmss = $config['system']['maxmss']; |
429 | 429 |
|
430 |
$scrubrules .= "scrub in from any to <vpns> max-mss {$maxmss}\n"; |
|
430 |
$scrubrules .= "scrub in from any to <vpn_networks> max-mss {$maxmss}\n";
|
|
431 | 431 |
} |
432 | 432 |
/* disable scrub option */ |
433 | 433 |
foreach ($FilterIflist as $scrubif => $scrubcfg) { |
... | ... | |
743 | 743 |
$networks_arr[] = $subnet; |
744 | 744 |
} |
745 | 745 |
} |
746 |
if(is_array($config['staticroutes']['route'])) { |
|
747 |
foreach($config['staticroutes']['route'] as $netent) { |
|
748 |
if(is_ipaddr($netent['network'])) { |
|
749 |
$networks_arr[] = $netent['network']; |
|
750 |
} |
|
751 |
} |
|
752 |
} |
|
746 | 753 |
if(!empty($networks_arr)) { |
747 | 754 |
$networks = implode(" ", $networks_arr); |
748 | 755 |
} |
... | ... | |
1451 | 1458 |
$vpns_list = filter_get_vpns_list(); |
1452 | 1459 |
$direct_networks_list = filter_get_direct_networks_list(); |
1453 | 1460 |
if($vpns_list) |
1454 |
$natrules .= "table <vpns> { $vpns_list }\n"; |
|
1461 |
$natrules .= "table <vpn_networks> { $vpns_list }\n"; |
|
1462 |
|
|
1463 |
/* add a Negate_networks table */ |
|
1464 |
$natrules .= "table <negate_networks> {"; |
|
1455 | 1465 |
if($direct_networks_list) |
1456 |
$natrules .= "table <direct_networks> { $direct_networks_list }\n"; |
|
1466 |
$natrules .= " $direct_networks_list "; |
|
1467 |
if($vpns_list) |
|
1468 |
$natrules .= " $vpns_list "; |
|
1469 |
$natrules .= "}\n"; |
|
1457 | 1470 |
|
1458 | 1471 |
/* DIAG: add ipv6 NAT, if requested */ |
1459 | 1472 |
if(isset($config['diag']['ipv6nat']['enable']) && |
... | ... | |
2033 | 2046 |
/* exception(s) to a user rules can go here. */ |
2034 | 2047 |
/* rules with a gateway or pool should create another rule for routing to vpns */ |
2035 | 2048 |
if(($aline['route'] <> "") && (trim($aline['type']) == "pass") && strstr($dst, "any")) { |
2036 |
/* negate VPN/PPTP/PPPoE networks for load balancer/gateway rules */ |
|
2037 |
$vpns = " to <vpns> ";
|
|
2049 |
/* negate VPN/PPTP/PPPoE/Static Route networks for load balancer/gateway rules */
|
|
2050 |
$negate_networks = " to <negate_networks> ";
|
|
2038 | 2051 |
$line .= $aline['type'] . $aline['direction'] . $aline['log'] . $aline['quick'] . |
2039 | 2052 |
$aline['interface'] . $aline['prot'] . $aline['src'] . $aline['os'] . |
2040 |
$vpns . $aline['icmp-type'] . $aline['tag'] . $aline['tagged'] .
|
|
2053 |
$negate_networks . $aline['icmp-type'] . $aline['tag'] . $aline['tagged'] .
|
|
2041 | 2054 |
$aline['dscp'] . $aline['allowopts'] . $aline['flags'] . |
2042 | 2055 |
$aline['queue'] . $aline['dnpipe'] . $aline['schedlabel'] . |
2043 |
" label \"NEGATE_ROUTE: Negate policy route for vpn(s)\"\n";
|
|
2056 |
" label \"NEGATE_ROUTE: Negate policy routing for vpn, static routes and direct networks\"\n";
|
|
2044 | 2057 |
|
2045 | 2058 |
} |
2046 | 2059 |
/* piece together the actual user rule */ |
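Review bot: The static-route loop in the second hunk (new lines 746-752) keeps an entry only when `is_ipaddr($netent['network'])` is true, but a static route's `network` is normally a CIDR prefix rather than a bare address, so routes with a mask would be silently dropped and never reach `<negate_networks>`, which is the behaviour this commit sets out to add; if `is_subnet()` is the helper this codebase uses for CIDR strings, the test should read `if (is_subnet($netent['network']) || is_ipaddr($netent['network'])) {`. The enclosing function starts before this hunk, so whether `$networks_arr` is initialised to an array before the loop is not visible here. Every prefix placed in `<negate_networks>` is exempted from policy routing by the rule in the last hunk, so a broad static-route prefix would pull a large destination range off the gateway or VPN path; a comment on the table definition such as `/* destinations listed here bypass policy routing: keep to VPN, static-route and directly connected networks only */` would make that intent explicit for the next maintainer.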
Remove the old direct_networks table, which is not used anywhere in the filter code. Instead we now create a negate_networks table which contains both vpns and directly connected networks (static routes), which should never be tagged for policy routing since that breaks traffic.
This fixes Ticket #1950 and needs to be MFC to 2.0 for 2.0.1
Conflicts: