Commit d5446925 authored by Ad Schellevis

(filter, scrub) use firewall_scrub.php for traffic normalization. closes...

(filter, scrub) use firewall_scrub.php for traffic normalization. closes https://github.com/opnsense/core/issues/973
parent 1aee4587
...@@ -381,14 +381,6 @@ function filter_generate_scrubing(&$FilterIflist) ...@@ -381,14 +381,6 @@ function filter_generate_scrubing(&$FilterIflist)
$scrubrules = ''; $scrubrules = '';
if (isset($config['system']['maxmss_enable'])) {
$maxmss = 1400;
if (!empty($config['system']['maxmss'])) {
$maxmss = $config['system']['maxmss'];
}
$scrubrules .= "scrub from any to <vpn_networks> max-mss {$maxmss}\n";
}
/* scrub per interface options */ /* scrub per interface options */
foreach ($FilterIflist as $scrubif => $scrubcfg) { foreach ($FilterIflist as $scrubif => $scrubcfg) {
if (isset($scrubcfg['virtual']) || empty($scrubcfg['descr'])) { if (isset($scrubcfg['virtual']) || empty($scrubcfg['descr'])) {
...@@ -574,11 +566,6 @@ function filter_generate_aliases(&$FilterIflist, &$after_filter_configure_run) ...@@ -574,11 +566,6 @@ function filter_generate_aliases(&$FilterIflist, &$after_filter_configure_run)
$aliases .= "table <bogonsv6> persist file \"/usr/local/etc/bogonsv6\"\n"; $aliases .= "table <bogonsv6> persist file \"/usr/local/etc/bogonsv6\"\n";
} }
$vpns_list = filter_get_vpns_list();
if ($vpns_list) {
$aliases .= "table <vpn_networks> { $vpns_list }\n";
}
$aliases .= "\n# User Aliases \n"; $aliases .= "\n# User Aliases \n";
/* Setup pf groups */ /* Setup pf groups */
if (isset($config['aliases']['alias'])) { if (isset($config['aliases']['alias'])) {
...@@ -735,58 +722,6 @@ function filter_generate_gateways() ...@@ -735,58 +722,6 @@ function filter_generate_gateways()
return $rules; return $rules;
} }
/* returns space separated list of vpn subnets */
function filter_get_vpns_list() {
global $config;
$vpns = "";
$vpns_arr = array();
/* ipsec */
if (isset($config['ipsec']['enable'])) {
if (isset($config['ipsec']['phase2'])) {
foreach ($config['ipsec']['phase2'] as $ph2ent) {
if ((!$ph2ent['mobile']) && ($ph2ent['mode'] != 'transport')) {
if (!is_array($ph2ent['remoteid'])) {
continue;
}
$ph2ent['remoteid']['mode'] = $ph2ent['mode'];
$vpns_subnet = ipsec_idinfo_to_cidr($ph2ent['remoteid']);
if ($vpns_subnet == "0.0.0.0/0") {
continue;
}
$vpns_arr[] = $vpns_subnet;
}
}
}
}
/* openvpn */
foreach (array('client', 'server') as $type) {
if (isset($config['openvpn']['openvpn-' . $type])) {
foreach ($config['openvpn']['openvpn-' . $type] as $settings) {
if (is_array($settings)) {
if (!isset($settings['disable'])) {
$remote_networks = explode(',', $settings['remote_network']);
foreach ($remote_networks as $remote_network) {
if (is_subnet($remote_network) && ($remote_network <> "0.0.0.0/0")) {
$vpns_arr[] = $remote_network;
}
}
if (is_subnet($settings['tunnel_network']) && $settings['tunnel_network'] <> "0.0.0.0/0") {
$vpns_arr[] = $settings['tunnel_network'];
}
}
}
}
}
}
if (!empty($vpns_arr)) {
$vpns = implode(" ", $vpns_arr);
}
return $vpns;
}
/* returns space separated list of directly connected networks /* returns space separated list of directly connected networks
* optionally returns an array instead, including friendly interface and gateway (if applicable) * optionally returns an array instead, including friendly interface and gateway (if applicable)
...@@ -97,11 +97,9 @@ require_once("authgui.inc"); ...@@ -97,11 +97,9 @@ require_once("authgui.inc");
$reserved_table_names = array( $reserved_table_names = array(
"bogons", "bogons",
"bogonsv6", "bogonsv6",
"negate_networks",
"sshlockout", "sshlockout",
"tonatsubnets", "tonatsubnets",
"virusprot", "virusprot",
"vpn_networks",
"webConfiguratorlockout" "webConfiguratorlockout"
); );
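Review bot: `negate_networks` is dropped from `$reserved_table_names` together with `vpn_networks`, but the commit message and the rest of the diff only cover the `<vpn_networks>` table and `filter_get_vpns_list()`; nothing visible here removes a generator for a `<negate_networks>` table. If filter.inc still emits that table, a user alias named `negate_networks` would no longer be rejected by this reserved-name check and could collide with the system table when the ruleset is loaded. Either keep `"negate_networks",` in the list or confirm in the commit that the table no longer exists. The enclosing file continues outside the hunk, so the check that consumes this array is not visible here.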
...@@ -51,8 +51,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -51,8 +51,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
} }
} }
$pconfig['failoverforcereload'] = isset($config['ipsec']['failoverforcereload']); $pconfig['failoverforcereload'] = isset($config['ipsec']['failoverforcereload']);
$pconfig['maxmss_enable'] = isset($config['system']['maxmss_enable']);
$pconfig['maxmss'] = isset($config['system']['maxmss']) ? $config['system']['maxmss'] : null;
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') { } elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
// save form data // save form data
$pconfig = $_POST; $pconfig = $_POST;
...@@ -80,21 +78,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -80,21 +78,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
if (isset($pconfig['failoverforcereload']) && $pconfig['failoverforcereload'] == "yes") { if (isset($pconfig['failoverforcereload']) && $pconfig['failoverforcereload'] == "yes") {
$config['ipsec']['failoverforcereload'] = true; $config['ipsec']['failoverforcereload'] = true;
} elseif (isset($config['ipsec']['failoverforcereload'])) } elseif (isset($config['ipsec']['failoverforcereload'])) {
unset($config['ipsec']['failoverforcereload']); unset($config['ipsec']['failoverforcereload']);
if (isset($pconfig['maxmss_enable']) && $pconfig['maxmss_enable'] == "yes") {
$config['system']['maxmss_enable'] = true;
if (!empty($pconfig['maxmss']) && is_numericint($pconfig['maxmss'])) {
$config['system']['maxmss'] = $pconfig['maxmss'];
}
} else {
if (isset($config['system']['maxmss_enable'])) {
unset($config['system']['maxmss_enable']);
}
if (isset($config['system']['maxmss'])) {
unset($config['system']['maxmss']);
}
} }
write_config(); write_config();
...@@ -111,28 +96,6 @@ include("head.inc"); ...@@ -111,28 +96,6 @@ include("head.inc");
<body> <body>
<?php include("fbegin.inc"); ?> <?php include("fbegin.inc"); ?>
<script type="text/javascript">
//<![CDATA[
$( document ).ready(function() {
maxmss_checked()
});
function maxmss_checked(obj) {
if ($('#maxmss_enable').is(":checked")) {
$('#maxmss').attr('disabled',false);
$("#maxmss").addClass('show');
$("#maxmss").removeClass('hidden');
} else {
$('#maxmss').attr('disabled',true);
$("#maxmss").addClass('hidden');
$("#maxmss").removeClass('show');
}
}
//]]>
</script>
<section class="page-content-main"> <section class="page-content-main">
<div class="container-fluid"> <div class="container-fluid">
<div class="row"> <div class="row">
...@@ -219,19 +182,6 @@ endforeach; ?> ...@@ -219,19 +182,6 @@ endforeach; ?>
</div> </div>
</td> </td>
</tr> </tr>
<tr>
<td><a id="help_for_maxmss_enable" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Maximum MSS"); ?></td>
<td>
<input name="maxmss_enable" type="checkbox" id="maxmss_enable" value="yes" <?= !empty($pconfig['maxmss_enable']) ? "checked=\"checked\"" : "" ;?> onclick="maxmss_checked()" />
<strong><?=gettext("Enable MSS clamping on VPN traffic"); ?></strong>
<input name="maxmss" id="maxmss" type="text" value="<?= !empty($pconfig['maxmss']) ? $pconfig['maxmss'] : "1400";
?>" <?= !empty($pconfig['maxmss_enable']) ? "disabled=\"disabled\"" : "" ;?> />
<div class="hidden" for="help_for_maxmss_enable">
<?=gettext("Enable MSS clamping on TCP flows over VPN. " .
"This helps overcome problems with PMTUD on IPsec VPN links. If left blank, the default value is 1400 bytes."); ?>
</div>
</td>
</tr>
<tr> <tr>
<td>&nbsp;</td> <td>&nbsp;</td>
<td> <td>
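Review bot: The POST branch (hunk at line 80, whose enclosing `elseif` block starts outside the hunk) no longer writes `system/maxmss_enable` and `system/maxmss`, and the scrub generator in filter.inc that read them is removed in the same commit, but nothing in the diff migrates or clears those keys on existing installs. Unless firewall_scrub.php, which is not part of this diff, reads the same keys, an upgraded system would silently stop clamping MSS on VPN traffic after this change. Consider a config migration step for the old keys, or at least a comment next to the `failoverforcereload` save such as `// MSS clamping settings moved to firewall_scrub.php; old system/maxmss* keys are no longer read` so the stale keys are not mistaken for live configuration.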