diff options
author | Ermal Luçi <eri@pfsense.org> | 2014-02-17 08:35:17 +0100 |
---|---|---|
committer | Ermal Luçi <eri@pfsense.org> | 2014-02-17 08:35:17 +0100 |
commit | 01434bbdb83f14546eb39fb96760708a5a4322e3 (patch) | |
tree | acc50fe85102f35db59bb9994d5429d22e1aad07 | |
parent | d600815f517a8d937a3dc2c468f1c5e5ee305124 (diff) | |
parent | 51961aaedd4d090ff15fcd36c3ebe07f2b9b1ce7 (diff) | |
download | pfsense-packages-01434bbdb83f14546eb39fb96760708a5a4322e3.tar.gz pfsense-packages-01434bbdb83f14546eb39fb96760708a5a4322e3.tar.bz2 pfsense-packages-01434bbdb83f14546eb39fb96760708a5a4322e3.zip |
Merge pull request #588 from PiBa-NL/hap_floating_rule
haproxy-devel, add floating rule for transparent backends
-rw-r--r-- | config/haproxy-devel/haproxy.inc | 56 |
1 files changed, 43 insertions, 13 deletions
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc index 934834bf..d4b2ab2c 100644 --- a/config/haproxy-devel/haproxy.inc +++ b/config/haproxy-devel/haproxy.inc @@ -936,16 +936,9 @@ function use_transparent_clientip_proxying() { return false; } -function load_ipfw_rules() { - // On FreeBSD 8 pf does not support "divert-reply" so ipfw is needed. - global $g, $config; - $ipfw_zone_haproxy = "haproxy"; - +function haproxy_get_transparent_backends(){ + global $config; $a_backends = &$config['installedpackages']['haproxy']['ha_pools']['item']; - - haproxy_load_modules(); - - $transparent_interfaces = array(); $transparent_backends = array(); foreach ($a_backends as $backend) { if ($backend["transparent_clientip"] != 'yes') @@ -961,15 +954,51 @@ function load_ipfw_rules() { if (!is_ipaddr($be['address'])) continue; $item = array(); + $item['name'] = $be['name']; + $item['interface'] = $real_if; $item['address'] = $be['address']; $item['port'] = $be['port']; - $item['interface'] = $real_if; $transparent_backends[] = $item; - $transparent_interfaces[$real_if] = 1; } } } } + return $transparent_backends; +} + +function haproxy_generate_rules($type) { + // called by filter.inc when pfSense rules generation happens + global $g, $config; + $rules = ""; + switch($type) { + case 'filter': + $transparent_backends = haproxy_get_transparent_backends(); + foreach($transparent_backends as $tb){ + // This sloppy rule is needed because of ipfw is used to 'catch' return traffic. + $rules .= "# allow HAProxy transparent traffic\n"; + $rules .= "pass out quick on {$tb['interface']} inet proto tcp from any to {$tb['address']} port {$tb['port']} flags S/SA keep state ( sloppy ) label \"HAPROXY_transparent_rule_{$tb['name']}\"\n"; + } + break; + } + return $rules; +} + +function load_ipfw_rules() { + // On FreeBSD 8 pf does not support "divert-reply" so ipfw is needed. + global $g, $config; + $ipfw_zone_haproxy = "haproxy"; + + $a_backends = &$config['installedpackages']['haproxy']['ha_pools']['item']; + + haproxy_load_modules(); + + $transparent_backends = haproxy_get_transparent_backends(); + + $transparent_interfaces = array(); + foreach($transparent_backends as $transparent_backend){ + $interface = $transparent_backend['interface']; + $transparent_interfaces[$interface] = 1; + } mwexec("/usr/local/sbin/ipfw_context -a $ipfw_zone_haproxy", true); foreach($transparent_interfaces as $transparent_if => $value) { @@ -997,9 +1026,10 @@ function haproxy_check_run($reload) { exec("/usr/bin/limits -n 300014"); - if(use_transparent_clientip_proxying()) + if(use_transparent_clientip_proxying()) { + filter_configure(); load_ipfw_rules(); - else + } else mwexec("/usr/local/sbin/ipfw_context -d haproxy", true); if(isset($a_global['enable'])) { |