aboutsummaryrefslogtreecommitdiffstats
path: root/config
diff options
context:
space:
mode:
authorjim-p <jimp@pfsense.org>2013-11-12 12:35:23 -0500
committerjim-p <jimp@pfsense.org>2013-11-12 12:36:42 -0500
commit63d03dab164bb44ce4747629f14a022086aac3ec (patch)
treef0ddc99af496b84db8225d0a50c85a2a455aaebe /config
parent1c1d9328979a48c10320831d284c41b149b629e7 (diff)
downloadpfsense-packages-63d03dab164bb44ce4747629f14a022086aac3ec.tar.gz
pfsense-packages-63d03dab164bb44ce4747629f14a022086aac3ec.tar.bz2
pfsense-packages-63d03dab164bb44ce4747629f14a022086aac3ec.zip
Teach Quagga about accept filtering, either custom or a per-interface settign to deny certain routes delivered from remote OSPF peers. This should finally solve the Multi-WAN+VPN issue with learned routes for interconnects preventing a VPN from restarting. Fixes #2712
Diffstat (limited to 'config')
-rw-r--r--config/quagga_ospfd/quagga_ospfd.inc14
-rw-r--r--config/quagga_ospfd/quagga_ospfd.xml9
-rw-r--r--config/quagga_ospfd/quagga_ospfd_interfaces.xml6
3 files changed, 28 insertions, 1 deletions
diff --git a/config/quagga_ospfd/quagga_ospfd.inc b/config/quagga_ospfd/quagga_ospfd.inc
index aabd27a8..b2f800eb 100644
--- a/config/quagga_ospfd/quagga_ospfd.inc
+++ b/config/quagga_ospfd/quagga_ospfd.inc
@@ -73,6 +73,8 @@ function quagga_ospfd_install_conf() {
// Since we need to embed this in a string, copy to a var. Can't embed constnats.
$quagga_config_base = PKG_QUAGGA_CONFIG_BASE;
+ $noaccept = "";
+
if ($config['installedpackages']['quaggaospfd']['rawconfig'] && $config['installedpackages']['quaggaospfd']['rawconfig']['item']) {
// if there is a raw config specifyed in tthe config.xml use that instead of the assisted config
$conffile = implode("\n",$config['installedpackages']['quaggaospfd']['rawconfig']['item']);
@@ -132,6 +134,9 @@ function quagga_ospfd_install_conf() {
if ($interface_subnet == 32)
$interface_subnet = 30;
$subnet = gen_subnet($interface_ip, $interface_subnet);
+ if (!empty($conf['acceptfilter'])) {
+ $noaccept .= "ip prefix-list ACCEPTFILTER deny {$subnet}/{$interface_subnet}\n";
+ }
if (!empty($conf['interfacearea'])) {
$interface_networks[] = array( "subnet" => "{$subnet}/{$interface_subnet}", "area" => $conf['interfacearea']);
}
@@ -151,6 +156,9 @@ function quagga_ospfd_install_conf() {
foreach ($ospfd_conf['row'] as $redistr) {
if (empty($redistr['routevalue']))
continue;
+ if (isset($redistr['acceptfilter'])) {
+ $noaccept .= "ip prefix-list ACCEPTFILTER deny {$redistr['routevalue']}\n";
+ }
if (isset($redistr['redistribute'])) {
$noredist .= " access-list dnr-list deny {$redistr['routevalue']}\n";
} else {
@@ -239,6 +247,12 @@ function quagga_ospfd_install_conf() {
$zebraconffile .= "password {$ospfd_conf['password']}\n";
if ($ospfd_conf['logging'])
$zebraconffile .= "log syslog\n";
+ if (!empty($noaccept)) {
+ $zebraconffile .= $noaccept;
+ $zebraconffile .= "route-map ACCEPTFILTER permit 10\n";
+ $zebraconffile .= "match ip address prefix-list ACCEPTFILTER\n";
+ $zebraconffile .= "ip protocol ospf route-map ACCEPTFILTER\n";
+ }
$fd = fopen("{$quagga_config_base}/zebra.conf", "w");
fwrite($fd, $zebraconffile);
fclose($fd);
diff --git a/config/quagga_ospfd/quagga_ospfd.xml b/config/quagga_ospfd/quagga_ospfd.xml
index 61bf3e94..86baaefb 100644
--- a/config/quagga_ospfd/quagga_ospfd.xml
+++ b/config/quagga_ospfd/quagga_ospfd.xml
@@ -1,6 +1,6 @@
<packagegui>
<name>quagga_ospfd</name>
- <version>0.5.4</version>
+ <version>0.6</version>
<title>Services: Quagga OSPFd</title>
<include_file>/usr/local/pkg/quagga_ospfd.inc</include_file>
<aftersaveredirect>pkg_edit.php?xml=quagga_ospfd.xml&amp;id=0</aftersaveredirect>
@@ -165,6 +165,13 @@
<size>20</size>
</rowhelperfield>
<rowhelperfield>
+ <fielddescr>Disable &lt;br/&gt;Acceptance</fielddescr>
+ <fieldname>acceptfilter</fieldname>
+ <description>Accept Filter</description>
+ <type>checkbox</type>
+ <size>20</size>
+ </rowhelperfield>
+ <rowhelperfield>
<fielddescr>Subnet to Route</fielddescr>
<fieldname>routevalue</fieldname>
<type>input</type>
diff --git a/config/quagga_ospfd/quagga_ospfd_interfaces.xml b/config/quagga_ospfd/quagga_ospfd_interfaces.xml
index 21bc877f..beb6f2b0 100644
--- a/config/quagga_ospfd/quagga_ospfd_interfaces.xml
+++ b/config/quagga_ospfd/quagga_ospfd_interfaces.xml
@@ -87,6 +87,12 @@
<type>checkbox</type>
</field>
<field>
+ <fielddescr>Accept Filter</fielddescr>
+ <fieldname>acceptfilter</fieldname>
+ <description>Do not add routes for this interface subnet from OSPF into the routing table. (Suggested for Multi-WAN environments).</description>
+ <type>checkbox</type>
+ </field>
+ <field>
<fielddescr>Enable MD5 password for this Quagga OSPFd interface (default no)</fielddescr>
<fieldname>md5password</fieldname>
<description>Enables the use of an MD5 password to on this instance</description>