}
}
+ $out_kf = "";
+ if (isset($config['filter']['allowipsecfrags']))
+ $out_kf = "keep frags";
+
/* XXX - the first section is only needed because ipf refuses to
parse rules that have "flags S/SAFR" and proto "tcp/udp" set because
UDP does not have flags, but we still want to offer the TCP/UDP protocol
block in $log quick on $lanif all head 100
# let out anything from the firewall host itself and decrypted IPsec traffic
-pass out quick on $lanif all keep state
+pass out quick on $lanif all keep state $out_kf
#---------------------------------------------------------------------------
# group head 200 - WAN interface
block in $log quick on $wanif all head 200
# let out anything from the firewall host itself and decrypted IPsec traffic
-pass out quick on $wanif all keep state
+pass out quick on $wanif all keep state $out_kf
EOD;
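Review bot: The `keep frags` appended on L13 and L19 is attached to `pass out quick on $lanif all keep state`, a rule that matches every outbound packet, so as far as ipf's `keep frags` goes it relaxes fragment handling for all outbound stateful flows rather than only ESP-encapsulated IPsec traffic, and neither the option name (`allowipsecfrags`) nor the comment above the rule (`# let out anything from the firewall host itself and decrypted IPsec traffic`) says so. Since fragment tracking is one of the classic places where firewalls have been bypassed (tiny or overlapping fragments), the broader scope deserves an explicit note next to the rule, e.g. `# $out_kf adds "keep frags" when allowipsecfrags is set; note this applies to all outbound traffic on the interface, not just IPsec`. If the intent really is IPsec-only, the `keep frags` belongs on a narrower rule than `all`; I cannot tell from this hunk whether such a rule exists elsewhere in filter.inc.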
block in $log quick on {$oc['if']} all head {$ingroup}
# let out anything from the firewall host itself and decrypted IPsec traffic
-pass out quick on {$oc['if']} all keep state
+pass out quick on {$oc['if']} all keep state $out_kf
EOD;
$pconfig['key'] = base64_decode($config['system']['webgui']['private-key']);
$pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']);
$pconfig['disablefirmwarecheck'] = isset($config['system']['disablefirmwarecheck']);
+$pconfig['allowipsecfrags'] = isset($config['filter']['allowipsecfrags']);
$pconfig['expanddiags'] = isset($config['system']['webgui']['expanddiags']);
if ($g['platform'] == "generic-pc")
$pconfig['harddiskstandby'] = $config['system']['harddiskstandby'];
$config['system']['webgui']['private-key'] = base64_encode($_POST['key']);
$config['system']['disableconsolemenu'] = $_POST['disableconsolemenu'] ? true : false;
$config['system']['disablefirmwarecheck'] = $_POST['disablefirmwarecheck'] ? true : false;
+ $config['filter']['allowipsecfrags'] = $_POST['allowipsecfrags'] ? true : false;
$config['system']['webgui']['expanddiags'] = $_POST['expanddiags'] ? true : false;
if ($g['platform'] == "generic-pc") {
$oldharddiskstandby = $config['system']['harddiskstandby'];
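Review bot: On L36 an unchecked box stores an explicit `false` in `$config['filter']['allowipsecfrags']`, while L29 and the filter code read the flag with `isset()`, which returns true for a key holding `false`; this only round-trips correctly if false-valued keys are dropped when the config is written and re-read, which the neighbouring `disableconsolemenu`/`disablefirmwarecheck` flags presumably rely on too. If that is not guaranteed, the safer form is `if ($_POST['allowipsecfrags']) $config['filter']['allowipsecfrags'] = true; else unset($config['filter']['allowipsecfrags']);`, so that a previously enabled fragment pass-through cannot stay active after the user turns it off. The enclosing POST handler starts before this hunk.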
This will cause m0n0wall not to check for newer firmware versions when the <a href="system_firmware.php">System: Firmware</a> page is viewed.</span></td>
</tr>
<tr>
+ <td valign="top" class="vncell">IPsec fragmented packets</td>
+ <td class="vtable">
+ <input name="allowipsecfrags" type="checkbox" id="allowipsecfrags" value="yes" <?php if ($pconfig['allowipsecfrags']) echo "checked"; ?>>
+ <strong>Allow fragmented IPsec packets</strong><span class="vexpl"><br>
+ This will cause m0n0wall to allow fragmented IP packets that are encapsulated in IPsec ESP packets.</span></td>
+ </tr>
+ <tr>
<td valign="top" class="vncell">TCP idle timeout </td>
<td class="vtable"> <span class="vexpl">
<input name="tcpidletimeout" type="text" class="formfld" id="tcpidletimeout" size="8" value="<?=htmlspecialchars($pconfig['tcpidletimeout']);?>">
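Review bot: The help text on L47 tells the administrator the option only affects "fragmented IP packets that are encapsulated in IPsec ESP packets", but the corresponding filter change adds `keep frags` to the interface-wide `pass out ... all keep state` rules, so the setting appears to loosen fragment handling for all outbound traffic on those interfaces; a user reading this page would underestimate what they are enabling. I would reword the explanation to match the rule, e.g. `This enables ipf fragment tracking ("keep frags") on the outbound rules of all interfaces so that fragmented packets, including those carried inside IPsec ESP, are passed; leave it off unless IPsec traffic is being dropped because of fragmentation.` The exact scope should be confirmed against the generated rule set before the text is finalised.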