
Commit 630ab19

committed
Firewall: Settings: Normalization - change default traffic normalization behavior and choose "in" as standard direction for manual rules. closes #7203
1 parent c7d6f53 commit 630ab19


2 files changed

+15
-19
lines changed


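--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -562,30 +562,25 @@ function filter_generate_scrubbing(&$FilterIflist)
 
 /* scrub per interface options */
 if (empty($config['system']['scrub_interface_disable'])) {
+/* scrub generic options, appended to all default rules */
+$scrub_gen_opts = !empty($config['system']['scrubnodf']) ? ' no-df ' : '';
+$scrub_gen_opts .= (!empty($config['system']['scrubrnid']) ? ' random-id ' : '');
 foreach ($FilterIflist as $scrubcfg) {
-if (isset($scrubcfg['virtual']) || empty($scrubcfg['descr'])) {
-continue;
-}
-
-$mssclampv4 = '';
-$mssclampv6 = '';
-if (
-!empty($scrubcfg['mss']) && is_numeric($scrubcfg['mss']) &&
-!in_array($scrubcfg['if'], array('pppoe', 'pptp', 'l2tp'))
-) {
+if (is_numeric($scrubcfg['mss'] ?? '') && !in_array($scrubcfg['if'], ['pppoe', 'pptp', 'l2tp'])) {
+/**
+* Legacy MSS clamping on interface expects outbound packets to be scrubbed in order to work.
+* https://github.com/pfsense/pfsense/commit/7c382a8
+*
+* In a future release we might want to consider to move the MSS option from the interface into a
+* manual scrubbing rule, this is a bit intransparant.
+*/
 $mssclampv4 = 'max-mss ' . (intval($scrubcfg['mss'] - 40));
 $mssclampv6 = 'max-mss ' . (intval($scrubcfg['mss'] - 60));
-}
-
-$scrubnodf = !empty($config['system']['scrubnodf']) ? 'no-df' : '';
-$scrubrnid = !empty($config['system']['scrubrnid']) ? 'random-id' : '';
-if (!empty($mssclampv4)) {
-$scrubrules .= "scrub on {$scrubcfg['if']} inet all {$scrubnodf} {$scrubrnid} {$mssclampv4}\n";
-$scrubrules .= "scrub on {$scrubcfg['if']} inet6 all {$scrubnodf} {$scrubrnid} {$mssclampv6}\n";
-} else {
-$scrubrules .= "scrub on {$scrubcfg['if']} all {$scrubnodf} {$scrubrnid}\n";
+$scrubrules .= "scrub on {$scrubcfg['if']} inet all {$scrub_gen_opts} {$mssclampv4}\n";
+$scrubrules .= "scrub on {$scrubcfg['if']} inet6 all {$scrub_gen_opts} {$mssclampv6}\n";
 }
 }
+$scrubrules .= "scrub in all {$scrub_gen_opts}\n";
 }
 
 return $scrubrules;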
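Review bot: `$mssclampv4` and `$mssclampv6` are no longer reset at the top of each `foreach` iteration (the removed `$mssclampv4 = '';` / `$mssclampv6 = '';` lines went out together with the `else` branch), yet the two new `scrub on {$scrubcfg['if']} inet ...` lines interpolate them unconditionally. For the first interface without an MSS value they are undefined (a warning and an empty string), and for any later interface without MSS they still carry the previous interface's `max-mss` value, so clamping silently leaks onto interfaces where it was never configured. Re-add `$mssclampv4 = '';` and `$mssclampv6 = '';` immediately before the `if (is_numeric($scrubcfg['mss'] ?? '') ...)` check. Dropping the `isset($scrubcfg['virtual']) || empty($scrubcfg['descr'])` skip also means virtual or unnamed entries of `$FilterIflist` now receive a `scrub on` rule; if that is part of the intended default-behaviour change, a one-line comment stating so would save the next reader from reading it as an accident. filter_generate_scrubbing starts before the hunk.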

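--- a/src/www/firewall_scrub_edit.php
+++ b/src/www/firewall_scrub_edit.php
@@ -73,6 +73,7 @@ function formNetworks()
 /* defaults */
 $pconfig['src'] = 'any';
 $pconfig['dst'] = 'any';
+$pconfig['direction'] = 'in';
 }
 
 // initialize empty fields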
