firewall: shared forwarding is off by default, config option

src/etc/inc/filter.inc

@@ -577,7 +577,14 @@ function filter_configure_sync($verbose = false)
         return;
     }
 
-    # If we are not using bogonsv6 then we can remove any bogonsv6 table from the running pf (if the table is not there, the kill is still fine).
+    /* set shared forwarding according to config option */
+    set_single_sysctl('net.pf.share_forward', !empty($config['system']['pf_share_forward']) ? '1' : '0');
+
+    /*
+     * If we are not using bogonsv6 then we can remove any
+     * bogonsv6 table from the running pf (if the table is
+     * not there, the kill is still fine).
+     */
     if (!is_bogonsv6_used()) {
         $_grbg = exec('/sbin/pfctl -t bogonsv6 -T kill 2>/dev/null');
     }

src/etc/inc/system.inc

@@ -1521,7 +1521,7 @@ function system_kernel_configure($verbose = false)
         log_error(sprintf('Loading %s cryptographic accelerator module.', $config['system']['crypto_hardware']));
         $mods[] = $config['system']['crypto_hardware'];
     }
-    if (isset($config['system']['cryptodev_enable'])) {
+    if (!empty($config['system']['cryptodev_enable'])) {
         log_error('Loading cryptodev kernel module.');
         $mods[] = 'cryptodev';
     }

src/www/system_advanced_firewall.php

@@ -57,6 +57,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
     $pconfig['kill_states'] = isset($config['system']['kill_states']);
     $pconfig['skip_rules_gw_down'] = isset($config['system']['skip_rules_gw_down']);
     $pconfig['lb_use_sticky'] = isset($config['system']['lb_use_sticky']);
+    $pconfig['pf_share_forward'] = isset($config['system']['pf_share_forward']);
     $pconfig['srctrack'] = !empty($config['system']['srctrack']) ? $config['system']['srctrack'] : null;
     if (!isset($config['system']['disablenatreflection'])) {
         $pconfig['natreflection'] = "purenat";
@@ -94,6 +95,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
         $input_errors[] = gettext("The Firewall Maximum Table Entries value must be an integer.");
     }
     if (count($input_errors) == 0) {
+        if (!empty($pconfig['pf_share_forward'])) {
+            $config['system']['pf_share_forward'] = true;
+        } elseif (isset($config['system']['pf_share_forward'])) {
+            unset($config['system']['pf_share_forward']);
+        }
 
         if (!empty($pconfig['lb_use_sticky'])) {
             $config['system']['lb_use_sticky'] = true;
@@ -372,6 +378,19 @@ include("head.inc");
                     </div>
                   </td>
                 </tr>
+                <tr>
+                  <td><a id="help_for_pf_share_forward" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext('Shared forwarding');?> </td>
+                  <td>
+                    <input name="pf_share_forward" type="checkbox" id="pf_share_forward" value="yes" <?= !empty($pconfig['pf_share_forward']) ? 'checked="checked"' : '' ?>/>
+                    <strong><?=gettext('Use shared forwarding between filter and traffic shaper / captive portal'); ?></strong><br />
+                    <div class="hidden" for="help_for_pf_share_forward">
+                      <?= gettext('Using policy routing in the filter rules causes packets to skip ' .
+                                  'processing for the traffic shaper and captive portal tasks. ' .
+                                  'Using this option enables the sharing of such forwarding decisions ' .
+                                  'between all components to accomodate complex setups. Use with care.') ?>
+                    </div>
+                  </td>
+                </tr>
                 <tr>
                   <th colspan="2" valign="top" class="listtopic"><?=gettext("Schedules"); ?></th>
                 </tr>