diff options
author | jim-p <jimp@pfsense.org> | 2013-11-12 12:35:23 -0500 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2013-11-12 12:36:42 -0500 |
commit | 63d03dab164bb44ce4747629f14a022086aac3ec (patch) | |
tree | f0ddc99af496b84db8225d0a50c85a2a455aaebe /config | |
parent | 1c1d9328979a48c10320831d284c41b149b629e7 (diff) | |
download | pfsense-packages-63d03dab164bb44ce4747629f14a022086aac3ec.tar.gz pfsense-packages-63d03dab164bb44ce4747629f14a022086aac3ec.tar.bz2 pfsense-packages-63d03dab164bb44ce4747629f14a022086aac3ec.zip |
Teach Quagga about accept filtering, either custom or a per-interface settign to deny certain routes delivered from remote OSPF peers. This should finally solve the Multi-WAN+VPN issue with learned routes for interconnects preventing a VPN from restarting. Fixes #2712
Diffstat (limited to 'config')
-rw-r--r-- | config/quagga_ospfd/quagga_ospfd.inc | 14 | ||||
-rw-r--r-- | config/quagga_ospfd/quagga_ospfd.xml | 9 | ||||
-rw-r--r-- | config/quagga_ospfd/quagga_ospfd_interfaces.xml | 6 |
3 files changed, 28 insertions, 1 deletions
diff --git a/config/quagga_ospfd/quagga_ospfd.inc b/config/quagga_ospfd/quagga_ospfd.inc index aabd27a8..b2f800eb 100644 --- a/config/quagga_ospfd/quagga_ospfd.inc +++ b/config/quagga_ospfd/quagga_ospfd.inc @@ -73,6 +73,8 @@ function quagga_ospfd_install_conf() { // Since we need to embed this in a string, copy to a var. Can't embed constnats. $quagga_config_base = PKG_QUAGGA_CONFIG_BASE; + $noaccept = ""; + if ($config['installedpackages']['quaggaospfd']['rawconfig'] && $config['installedpackages']['quaggaospfd']['rawconfig']['item']) { // if there is a raw config specifyed in tthe config.xml use that instead of the assisted config $conffile = implode("\n",$config['installedpackages']['quaggaospfd']['rawconfig']['item']); @@ -132,6 +134,9 @@ function quagga_ospfd_install_conf() { if ($interface_subnet == 32) $interface_subnet = 30; $subnet = gen_subnet($interface_ip, $interface_subnet); + if (!empty($conf['acceptfilter'])) { + $noaccept .= "ip prefix-list ACCEPTFILTER deny {$subnet}/{$interface_subnet}\n"; + } if (!empty($conf['interfacearea'])) { $interface_networks[] = array( "subnet" => "{$subnet}/{$interface_subnet}", "area" => $conf['interfacearea']); } @@ -151,6 +156,9 @@ function quagga_ospfd_install_conf() { foreach ($ospfd_conf['row'] as $redistr) { if (empty($redistr['routevalue'])) continue; + if (isset($redistr['acceptfilter'])) { + $noaccept .= "ip prefix-list ACCEPTFILTER deny {$redistr['routevalue']}\n"; + } if (isset($redistr['redistribute'])) { $noredist .= " access-list dnr-list deny {$redistr['routevalue']}\n"; } else { @@ -239,6 +247,12 @@ function quagga_ospfd_install_conf() { $zebraconffile .= "password {$ospfd_conf['password']}\n"; if ($ospfd_conf['logging']) $zebraconffile .= "log syslog\n"; + if (!empty($noaccept)) { + $zebraconffile .= $noaccept; + $zebraconffile .= "route-map ACCEPTFILTER permit 10\n"; + $zebraconffile .= "match ip address prefix-list ACCEPTFILTER\n"; + $zebraconffile .= "ip protocol ospf route-map ACCEPTFILTER\n"; + } $fd = fopen("{$quagga_config_base}/zebra.conf", "w"); fwrite($fd, $zebraconffile); fclose($fd); diff --git a/config/quagga_ospfd/quagga_ospfd.xml b/config/quagga_ospfd/quagga_ospfd.xml index 61bf3e94..86baaefb 100644 --- a/config/quagga_ospfd/quagga_ospfd.xml +++ b/config/quagga_ospfd/quagga_ospfd.xml @@ -1,6 +1,6 @@ <packagegui> <name>quagga_ospfd</name> - <version>0.5.4</version> + <version>0.6</version> <title>Services: Quagga OSPFd</title> <include_file>/usr/local/pkg/quagga_ospfd.inc</include_file> <aftersaveredirect>pkg_edit.php?xml=quagga_ospfd.xml&id=0</aftersaveredirect> @@ -165,6 +165,13 @@ <size>20</size> </rowhelperfield> <rowhelperfield> + <fielddescr>Disable <br/>Acceptance</fielddescr> + <fieldname>acceptfilter</fieldname> + <description>Accept Filter</description> + <type>checkbox</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> <fielddescr>Subnet to Route</fielddescr> <fieldname>routevalue</fieldname> <type>input</type> diff --git a/config/quagga_ospfd/quagga_ospfd_interfaces.xml b/config/quagga_ospfd/quagga_ospfd_interfaces.xml index 21bc877f..beb6f2b0 100644 --- a/config/quagga_ospfd/quagga_ospfd_interfaces.xml +++ b/config/quagga_ospfd/quagga_ospfd_interfaces.xml @@ -87,6 +87,12 @@ <type>checkbox</type> </field> <field> + <fielddescr>Accept Filter</fielddescr> + <fieldname>acceptfilter</fieldname> + <description>Do not add routes for this interface subnet from OSPF into the routing table. (Suggested for Multi-WAN environments).</description> + <type>checkbox</type> + </field> + <field> <fielddescr>Enable MD5 password for this Quagga OSPFd interface (default no)</fielddescr> <fieldname>md5password</fieldname> <description>Enables the use of an MD5 password to on this instance</description> |