add firewall advanced setting pf_disable_force_gw, closes https://github.com/opnsense/core/issues/1801
This commit is contained in:
parent
b782a5a04b
commit
65a55bb1aa
@ -376,29 +376,33 @@ function filter_core_rules_system($fw, $defaults)
|
||||
);
|
||||
}
|
||||
|
||||
// out from this Firewall, using the selected gateway.
|
||||
foreach ($fw->getInterfaceMapping() as $ifdescr => $ifcfg) {
|
||||
if (!isset($ifcfg['virtual']) && $ifcfg['if'] != 'lo0') {
|
||||
$intf_has_v4 = false;
|
||||
$intf_has_v6 = false;
|
||||
foreach (legacy_getall_interface_addresses($ifcfg['if']) as $addr) {
|
||||
$intf_has_v4 = $intf_has_v4 || is_subnetv4($addr);
|
||||
$intf_has_v6 = $intf_has_v6 || is_subnetv6($addr);
|
||||
}
|
||||
foreach ($fw->getInterfaceGateways($ifcfg['if']) as $gwname) {
|
||||
$gwproto = $fw->getGateway($gwname)['proto'];
|
||||
// only try to add gateway rules for traffic leaving this interface when the correct protocol is
|
||||
// assigned to the interface (e.g. no ipv4 gateway when :network doesn't resolve to an ipv4 network)
|
||||
if (($gwproto == 'inet' && $intf_has_v4) || ($gwproto == 'inet6' && $intf_has_v6)) {
|
||||
$fw->registerFilterRule(100000,
|
||||
array('from' => $ifcfg['if'], 'direction' => 'out', 'gateway' => $gwname,
|
||||
'destination' => array('network'=> $ifdescr, "not" => true),
|
||||
'statetype' => 'keep',
|
||||
'allowopts' => true,
|
||||
'quick' => false,
|
||||
'label' => "let out anything from firewall host itself"),
|
||||
$defaults['pass']
|
||||
);
|
||||
// [out from this Firewall, using the selected gateway].
|
||||
// Our default setting has been to force traffic leaving a specific interface to use the associated gateway.
|
||||
// This behaviour can be disabled, so settings can be customized using manual firewall rules.
|
||||
if (empty($config['system']['pf_disable_force_gw'])) {
|
||||
foreach ($fw->getInterfaceMapping() as $ifdescr => $ifcfg) {
|
||||
if (!isset($ifcfg['virtual']) && $ifcfg['if'] != 'lo0') {
|
||||
$intf_has_v4 = false;
|
||||
$intf_has_v6 = false;
|
||||
foreach (legacy_getall_interface_addresses($ifcfg['if']) as $addr) {
|
||||
$intf_has_v4 = $intf_has_v4 || is_subnetv4($addr);
|
||||
$intf_has_v6 = $intf_has_v6 || is_subnetv6($addr);
|
||||
}
|
||||
foreach ($fw->getInterfaceGateways($ifcfg['if']) as $gwname) {
|
||||
$gwproto = $fw->getGateway($gwname)['proto'];
|
||||
// only try to add gateway rules for traffic leaving this interface when the correct protocol is
|
||||
// assigned to the interface (e.g. no ipv4 gateway when :network doesn't resolve to an ipv4 network)
|
||||
if (($gwproto == 'inet' && $intf_has_v4) || ($gwproto == 'inet6' && $intf_has_v6)) {
|
||||
$fw->registerFilterRule(100000,
|
||||
array('from' => $ifcfg['if'], 'direction' => 'out', 'gateway' => $gwname,
|
||||
'destination' => array('network'=> $ifdescr, "not" => true),
|
||||
'statetype' => 'keep',
|
||||
'allowopts' => true,
|
||||
'quick' => false,
|
||||
'label' => "let out anything from firewall host itself"),
|
||||
$defaults['pass']
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
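Review bot: The new condition `if (empty($config['system']['pf_disable_force_gw']))` depends on `$config` being in scope inside `filter_core_rules_system($fw, $defaults)`, whose body begins above the hunk and has no `$config` parameter; if the function does not already declare `global $config;` near its top, `empty()` on an undefined local is silently true and the new setting can never switch the gateway rules off. Worth confirming that declaration is present, or adding it, since nothing in the hunk shows it. The settings page reads the same key with `isset($config['system']['pf_disable_force_gw'])`, so `isset()` here would read consistently, although both behave the same for the stored `true` value. A one-line comment on the condition, e.g. `// skip the policy-routing pass rules when the advanced setting pf_disable_force_gw is set`, would state the intent more directly than the three descriptive lines above it.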
@ -60,6 +60,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
|
||||
$pconfig['gw_switch_default'] = isset($config['system']['gw_switch_default']);
|
||||
$pconfig['lb_use_sticky'] = isset($config['system']['lb_use_sticky']);
|
||||
$pconfig['pf_share_forward'] = isset($config['system']['pf_share_forward']);
|
||||
$pconfig['pf_disable_force_gw'] = isset($config['system']['pf_disable_force_gw']);
|
||||
$pconfig['srctrack'] = !empty($config['system']['srctrack']) ? $config['system']['srctrack'] : null;
|
||||
if (!isset($config['system']['disablenatreflection'])) {
|
||||
$pconfig['natreflection'] = "purenat";
|
||||
@ -103,6 +104,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
|
||||
unset($config['system']['pf_share_forward']);
|
||||
}
|
||||
|
||||
if (!empty($pconfig['pf_disable_force_gw'])) {
|
||||
$config['system']['pf_disable_force_gw'] = true;
|
||||
} elseif (isset($config['system']['pf_disable_force_gw'])) {
|
||||
unset($config['system']['pf_disable_force_gw']);
|
||||
}
|
||||
|
||||
if (!empty($pconfig['lb_use_sticky'])) {
|
||||
$config['system']['lb_use_sticky'] = true;
|
||||
} elseif (isset($config['system']['lb_use_sticky'])) {
|
||||
@ -410,6 +417,18 @@ include("head.inc");
|
||||
</div>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><a id="help_pf_disable_force_gw" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Disable force gateway');?> </td>
|
||||
<td>
|
||||
<input name="pf_disable_force_gw" type="checkbox" id="pf_disable_force_gw" value="yes" <?= !empty($pconfig['pf_disable_force_gw']) ? 'checked="checked"' : '' ?>/>
|
||||
<strong><?=gettext('Disable automatic rules which force local services to use the assigned interface gateway.'); ?></strong><br />
|
||||
<div class="hidden" for="help_pf_disable_force_gw">
|
||||
<?= gettext('Outgoing packets from this firewall on an interface which has a gateway ' .
|
||||
'will normally use the specified gateway for that interface. ' .
|
||||
'When this option is set, the default routing rules apply (automatic rules will be disabled).') ?>
|
||||
</div>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th colspan="2" valign="top" class="listtopic"><?=gettext("Schedules"); ?></th>
|
||||
</tr>
|
||||
|
||||
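Review bot: The help text for the new checkbox says "the default routing rules apply (automatic rules will be disabled)", which can be read as a different set of firewall rules taking over; what the filter change actually does is stop generating the pass rule that carries a gateway, so outgoing packets from the firewall follow the system routing table instead. Suggest rewording the last fragment to `'When this option is set, no gateway is forced on this traffic and the system routing table decides the path (the automatic rules are not generated).'`. It may also help the operator to state that the new rules only take effect once the filter is reloaded after saving; whether this page already triggers that reload is outside the hunk.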