diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
index 2e3ce9835..0b066758e 100644
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -570,26 +570,7 @@ function filter_generate_scrubing(&$FilterIflist)
 $scrubrules = '';
- /* scrub per interface options */
- if (empty($config['system']['scrub_interface_disable'])) {
- foreach ($FilterIflist as $scrubif => $scrubcfg) {
- if (isset($scrubcfg['virtual']) || empty($scrubcfg['descr'])) {
- continue;
- } else {
- /* set up MSS clamping */
- if (!empty($scrubcfg['mss']) && is_numeric($scrubcfg['mss']) &&
- !in_array($scrubcfg['if'], array('pppoe', 'pptp', 'l2tp'))) {
- $mssclamp = "max-mss " . (intval($scrubcfg['mss'] - 40));
- } else {
- $mssclamp = '';
- }
- $scrubnodf = !empty($config['system']['scrubnodf']) ? "no-df" : "";
- $scrubrnid = !empty($config['system']['scrubrnid']) ? "random-id" : "";
- $scrubrules .= "scrub on \${$scrubcfg['descr']} all {$scrubnodf} {$scrubrnid} {$mssclamp}\n";
- }
- }
- }
-
+ /* custom rules must be first */
 if (!empty($config['filter']['scrub']['rule'])) {
 foreach ($config['filter']['scrub']['rule'] as $scrub_rule) {
 if (!isset($scrub_rule['disabled'])) {
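Review bot: The added comment `/* custom rules must be first */` states the ordering requirement without the reason, and the reason is what a later maintainer needs in order to keep the order intact. Presumably pf stops at the first matching scrub rule, so the per-interface `scrub on … all` lines used to shadow every custom rule; if that is the intent, say so, e.g. `/* pf uses the first matching scrub rule: emit custom rules before the per-interface catch-alls */`. It is also worth documenting the consequence that traffic matched by a custom rule would then no longer receive the interface's max-mss, no-df or random-id settings unless the custom rule repeats them. The custom-rule loop continues past the end of this hunk.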
@@ -634,6 +615,26 @@ function filter_generate_scrubing(&$FilterIflist)
 }
 }
+ /* scrub per interface options */
+ if (empty($config['system']['scrub_interface_disable'])) {
+ foreach ($FilterIflist as $scrubif => $scrubcfg) {
+ if (isset($scrubcfg['virtual']) || empty($scrubcfg['descr'])) {
+ continue;
+ } else {
+ /* set up MSS clamping */
+ if (!empty($scrubcfg['mss']) && is_numeric($scrubcfg['mss']) &&
+ !in_array($scrubcfg['if'], array('pppoe', 'pptp', 'l2tp'))) {
+ $mssclamp = "max-mss " . (intval($scrubcfg['mss'] - 40));
+ } else {
+ $mssclamp = '';
+ }
+ $scrubnodf = !empty($config['system']['scrubnodf']) ? "no-df" : "";
+ $scrubrnid = !empty($config['system']['scrubrnid']) ? "random-id" : "";
+ $scrubrules .= "scrub on \${$scrubcfg['descr']} all {$scrubnodf} {$scrubrnid} {$mssclamp}\n";
+ }
+ }
+ }
+
 return $scrubrules;
 }
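Review bot: The MSS guard in the relocated block, `is_numeric($scrubcfg['mss'])`, also passes values such as `1e3`, `-5` or `30`, and `intval($scrubcfg['mss'] - 40)` then emits a zero, negative or unintended `max-mss`. pf would likely reject such a line, and a ruleset that fails to load is a firewall policy and availability problem rather than a cosmetic one. Since the block is being moved anyway, tighten the test to whole numbers above the 40-byte header allowance, e.g. `ctype_digit((string)$scrubcfg['mss']) && (int)$scrubcfg['mss'] > 40`, and pass `true` as the third argument to `in_array()`. filter_generate_scrubing() begins outside this hunk, so whether `mss` is already range-checked when the interface is saved cannot be seen here.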