firewall: auto-increase table size for IPv6 bogons

While here, kill the $GatewaysList side-effect that is no longer necessary. PR: https://forum.opnsense.org/index.php?topic=7194.0
opnsense · Apr 8, 2018 · fc0c66e · fc0c66e
1 parent eaf1927
commit fc0c66e
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 26 deletions.
diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
@@ -33,10 +33,6 @@
 
 require_once('filter.lib.inc');
 
-/* Create a global array to avoid errors on rulesets. */
-$GatewaysList = array();
-
-
 function fix_rule_label($descr)
 {
     $descr = str_replace('"', '', $descr);
@@ -144,10 +140,10 @@ function filter_configure()
 
 function filter_delete_states_for_down_gateways()
 {
-    global $config, $GatewaysList;
-
-    $any_gateway_down = false;
+    $GatewaysList = return_gateways_array(false, true) + return_gateway_groups_array();
     $a_gateways = return_gateways_status();
+    $any_gateway_down = false;
+
     if (is_array($GatewaysList)) {
         foreach ($GatewaysList as $gwname => $gateway) {
           if (empty($gateway['monitor'])) {
@@ -159,25 +155,24 @@ function filter_delete_states_for_down_gateways()
           } elseif (empty($a_gateways[$gateway['monitor']])) {
               continue;
           }
-          $gwstatus =& $a_gateways[$gateway['monitor']];
+          $gwstatus = &$a_gateways[$gateway['monitor']];
           if (strstr($gwstatus['status'], "down")) {
               $any_gateway_down = true;
               break;
           }
         }
     }
+
     if ($any_gateway_down == true) {
         mwexec("/sbin/pfctl -Fs");
     }
 }
 
 function filter_configure_sync($verbose = false)
 {
-    global $config, $GatewaysList;
-    $sched_kill_states = array(); // kill states for schedules
+    global $config;
 
-    // Temporary fill $GatewaysList, the global is still used by some old functions
-    $GatewaysList = return_gateways_array(false, true) + return_gateway_groups_array();
+    $sched_kill_states = array(); // kill states for schedules
 
     /* Use filter lock to not allow concurrent filter reloads during this run. */
     $filterlck = lock('filter', LOCK_EX);
@@ -363,10 +358,15 @@ function filter_configure_sync($verbose = false)
         flush();
     }
 
-    $limitrules = "";
-    /* User defined maximum table entries in Advanced menu. */
-    if (!empty($config['system']['maximumtableentries']) && is_numeric($config['system']['maximumtableentries'])) {
+    $limitrules = '';
+
+    if (!empty($config['system']['maximumtableentries'])) {
         $limitrules .= "set limit table-entries {$config['system']['maximumtableentries']}\n";
+    } elseif (is_bogonsv6_used()) {
+        $max_table_entries = default_table_entries_size();
+        if ($max_table_entries < 500000) {
+            $limitrules .= "set limit table-entries 500000\n";
+        }
     }
 
     if (!empty($config['system']['rulesetoptimization'])) {
@@ -390,8 +390,7 @@ function filter_configure_sync($verbose = false)
         $limitrules .= "set timeout { adaptive.start 0, adaptive.end 0 }\n";
     }
 
-    if (!empty($config['system']['maximumstates']) && is_numeric($config['system']['maximumstates'])) {
-        /* User defined maximum states in Advanced menu. */
+    if (!empty($config['system']['maximumstates'])) {
         $limitrules .= "set limit states {$config['system']['maximumstates']}\n";
         $limitrules .= "set limit src-nodes {$config['system']['maximumstates']}\n";
     } else {
@@ -799,17 +798,24 @@ function filter_tdr_month($schedule)
 
 function filter_setup_logging_interfaces(&$FilterIflist)
 {
-    global $config;
-
     $rules = '';
+
     if (isset($FilterIflist['lan'])) {
         $rules .= "set loginterface {$FilterIflist['lan']['if']}\n";
     } elseif (isset($FilterIflist['wan'])) {
         $rules .= "set loginterface {$FilterIflist['wan']['if']}\n";
     }
+
     return $rules;
 }
 
+function default_table_entries_size()
+{
+    $current = `pfctl -sm | grep table-entries | awk '{print $4};'`;
+
+    return $current;
+}
+
 function default_state_size()
 {
     /* get system memory amount */

diff --git a/src/www/system_advanced_firewall.php b/src/www/system_advanced_firewall.php
@@ -33,12 +33,6 @@
 require_once("filter.inc");
 require_once("system.inc");
 
-function default_table_entries_size()
-{
-    $current = `pfctl -sm | grep table-entries | awk '{print $4};'`;
-    return $current;
-}
-
 if ($_SERVER['REQUEST_METHOD'] === 'GET') {
     $pconfig = array();
     $pconfig['ipv6allow'] = isset($config['system']['ipv6allow']);
@@ -600,7 +594,7 @@ function default_table_entries_size()
                 <td>
                   <input name="maximumtableentries" type="text" id="maximumtableentries" value="<?= html_safe($pconfig['maximumtableentries']) ?>"/>
                   <div class="hidden" data-for="help_for_maximumtableentries">
-                    <?=gettext("Maximum number of table entries for systems such as aliases, sshlockout, snort, etc, combined.");?><br/>
+                    <?= gettext('Maximum number of table entries for systems such as aliases, sshlockout, bogons, etc, combined.') ?><br/>
                     <?=gettext("Note: Leave this blank for the default.");?>
 <?php
                      if (empty($pconfig['maximumtableentries'])) :?>