author | Marcello Coutinho <marcellocoutinho@gmail.com> | 2012-03-26 22:50:17 -0700 |
---|---|---|
committer | Marcello Coutinho <marcellocoutinho@gmail.com> | 2012-03-26 22:50:17 -0700 |
commit | 67c822586a90f9e0f9c3801522d7f35a103ffcbe (patch) | |
tree | 6138e85959bacebb8e3d425dbf0a6ae4bb68dd43 /config/pf-blocker | |
parent | 59c61b820001e28adca65e6c1d77c161648d9396 (diff) | |
parent | c689ec91f56104ae70293f09b27420cfb8c22fd9 (diff) | |
Merge pull request #231 from phil-davis/master
Prevent duplicated pfblocker rules on some interfaces
Diffstat (limited to 'config/pf-blocker')
-rwxr-xr-x | config/pf-blocker/pfblocker.inc | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/config/pf-blocker/pfblocker.inc b/config/pf-blocker/pfblocker.inc
index 3358e07f..f41a5136 100755
--- a/config/pf-blocker/pfblocker.inc
+++ b/config/pf-blocker/pfblocker.inc
@@ -427,8 +427,14 @@ function sync_package_pfblocker() {
 $last_iface="";
 $rules=$config['filter']['rule'];
 $new_rules=array();
+# The assumption is that the rules in the config come in groups by interface then priority.
+# e.g. all rules for WAN (highest priority first), then for LAN then for OPT1 etc.
+# Note that floating rules (interface is "") can appear mixed in the list.
 foreach ($rules as $rule){
-if ($rule['interface'] <> $last_iface){
+# If this next rule is for a non-blank interface, different to the previous interface,
+# then add any needed pfblocker rules to the interface. This puts pfblocker rules at the
+# top of the list for each interface, after any built-in rules (e.g. anti-lockout)
+if (($rule['interface'] != "") && ($rule['interface'] <> $last_iface)){
 $last_iface = $rule['interface'];
 #apply pfblocker rules if enabled
@@ -465,7 +471,7 @@ function sync_package_pfblocker() {
 }
 }
 }
-#include all rules that is not from pfBlocker
+#include all rules that are not from pfBlocker
 if (!preg_match("/pfBlocker.*rule/",$rule['descr']) && ($rule['interface'] != "" || $rule['floating']=="yes")) $new_rules[]=$rule;
 }
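Review bot: The new guard in the first hunk assumes every floating rule has a blank `interface`, yet the filter at the bottom of the loop (second hunk) treats `$rule['floating']=="yes"` as a condition separate from `$rule['interface'] != ""`, so a floating rule that does carry an interface value would still trigger a pfblocker insert and overwrite `$last_iface`; testing the flag explicitly, `if (($rule['interface'] != "") && ($rule['floating'] != "yes") && ($rule['interface'] != $last_iface)){`, closes that case and also removes the `<>`/`!=` mix on one line. The fix still depends on the assumption written in the new comment that a given interface's rules are contiguous; remembering interfaces already handled in an array and testing `!in_array($rule['interface'], $done_ifaces)` instead of comparing with the previous rule would prevent duplicates regardless of ordering. Because the insert is only triggered when an existing rule for an interface is encountered, an interface that has no rules of its own presumably receives no pfblocker rules at all, which is worth confirming is intended given the package's purpose. sync_package_pfblocker begins and ends outside the hunk.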