authorjim-p <jimp@pfsense.org>2013-11-12 12:35:23 -0500
committerjim-p <jimp@pfsense.org>2013-11-12 12:36:42 -0500
commit63d03dab164bb44ce4747629f14a022086aac3ec (patch)
treef0ddc99af496b84db8225d0a50c85a2a455aaebe /config/quagga_ospfd/quagga_ospfd.inc
parent1c1d9328979a48c10320831d284c41b149b629e7 (diff)
Teach Quagga about accept filtering, either custom or a per-interface setting, to deny certain routes delivered from remote OSPF peers. This should finally solve the Multi-WAN+VPN issue with learned routes for interconnects preventing a VPN from restarting. Fixes #2712
Diffstat (limited to 'config/quagga_ospfd/quagga_ospfd.inc')
-rw-r--r--config/quagga_ospfd/quagga_ospfd.inc14
1 files changed, 14 insertions, 0 deletions
diff --git a/config/quagga_ospfd/quagga_ospfd.inc b/config/quagga_ospfd/quagga_ospfd.inc
index aabd27a8..b2f800eb 100644
--- a/config/quagga_ospfd/quagga_ospfd.inc
+++ b/config/quagga_ospfd/quagga_ospfd.inc
@@ -73,6 +73,8 @@ function quagga_ospfd_install_conf() {
// Since we need to embed this in a string, copy to a var. Can't embed constnats.
$quagga_config_base = PKG_QUAGGA_CONFIG_BASE;
+ $noaccept = "";
+
if ($config['installedpackages']['quaggaospfd']['rawconfig'] && $config['installedpackages']['quaggaospfd']['rawconfig']['item']) {
// if there is a raw config specifyed in tthe config.xml use that instead of the assisted config
$conffile = implode("\n",$config['installedpackages']['quaggaospfd']['rawconfig']['item']);
@@ -132,6 +134,9 @@ function quagga_ospfd_install_conf() {
if ($interface_subnet == 32)
$interface_subnet = 30;
$subnet = gen_subnet($interface_ip, $interface_subnet);
+ if (!empty($conf['acceptfilter'])) {
+ $noaccept .= "ip prefix-list ACCEPTFILTER deny {$subnet}/{$interface_subnet}\n";
+ }
if (!empty($conf['interfacearea'])) {
$interface_networks[] = array( "subnet" => "{$subnet}/{$interface_subnet}", "area" => $conf['interfacearea']);
}
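Review bot: The deny entry added for `acceptfilter` matches only the exact prefix `{$subnet}/{$interface_subnet}`, because a Quagga prefix-list line without `ge`/`le` does not cover more-specific routes inside that subnet. If the intent is to refuse any learned route that falls within the interface network, the entry would need a length range, e.g. `"ip prefix-list ACCEPTFILTER deny {$subnet}/{$interface_subnet} le 32\n"`. Note also that the context lines above rewrite a /32 to /30, so the filter for a /32 interface denies a /30 that the interface does not actually own. A short comment such as `// exact-match deny of the interface network as learned from OSPF peers` would make the intended scope explicit. The enclosing loop starts and ends outside this hunk.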
@@ -151,6 +156,9 @@ function quagga_ospfd_install_conf() {
foreach ($ospfd_conf['row'] as $redistr) {
if (empty($redistr['routevalue']))
continue;
+ if (isset($redistr['acceptfilter'])) {
+ $noaccept .= "ip prefix-list ACCEPTFILTER deny {$redistr['routevalue']}\n";
+ }
if (isset($redistr['redistribute'])) {
$noredist .= " access-list dnr-list deny {$redistr['routevalue']}\n";
} else {
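Review bot: `$redistr['routevalue']` is interpolated into a zebra.conf line with no check on its shape; the only guard visible here is the `empty()` test above it. A value containing a newline or extra tokens would emit additional directives into the routing daemon's configuration, so the line should only be written for a well-formed network, e.g. `if (isset($redistr['acceptfilter']) && is_subnet($redistr['routevalue'])) {`. Validation may already happen in the form handler, which is not visible from this hunk, but the generator is the last point before the file is written. Separately, this hunk tests the flag with `isset()` while the per-interface hunk uses `!empty()`; one test should be used for both so that a stored empty value behaves the same in each place. The same unvalidated interpolation exists in the pre-existing `dnr-list` line just below.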
@@ -239,6 +247,12 @@ function quagga_ospfd_install_conf() {
$zebraconffile .= "password {$ospfd_conf['password']}\n";
if ($ospfd_conf['logging'])
$zebraconffile .= "log syslog\n";
+ if (!empty($noaccept)) {
+ $zebraconffile .= $noaccept;
+ $zebraconffile .= "route-map ACCEPTFILTER permit 10\n";
+ $zebraconffile .= "match ip address prefix-list ACCEPTFILTER\n";
+ $zebraconffile .= "ip protocol ospf route-map ACCEPTFILTER\n";
+ }
$fd = fopen("{$quagga_config_base}/zebra.conf", "w");
fwrite($fd, $zebraconffile);
fclose($fd);
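Review bot: The generated ACCEPTFILTER prefix-list contains only `deny` entries, and a prefix-list ends with an implicit deny, so the `match ip address prefix-list ACCEPTFILTER` clause in `route-map ACCEPTFILTER permit 10` will match nothing. With `ip protocol ospf route-map ACCEPTFILTER` applied, that would most likely stop every OSPF-learned route from being installed, not just the filtered ones. Adding a trailing permit after the deny entries fixes it: `$zebraconffile .= "ip prefix-list ACCEPTFILTER permit any\n";` immediately after `$zebraconffile .= $noaccept;`. It is also worth a comment on the block stating that the route-map is a deny-list with default permit, since the failure mode of getting this wrong is a silent loss of all learned routes.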