Hello,

I have to patch how static routes are applied in pfSense 1.2.3,
because it falls over when there are already lots of routes (e.g. on a
BGP-speaking router). Specifically, in /etc/inc/system.inc:234 it
reads netstat -rn into memory, exhausting the default PHP memory
limit.
I would propose to compare the "old" {$g['vardb_path']}/routes.db to
the current set of configured static routes and "route delete" the
superfluous routes. Any comments/objections?

While at it, I saw that $config['staticroutes']['enablefastrouting']
(setting "sysctl net.inet.ip.fastforwarding=1") could only be
activated when $config['system']['disablefilter'] was set. AFAIK
(http://redmine.pfsense.org/search/index/pfsense?q=fastforward,
http://www.mail-archive.com/[email protected]/msg07871.html) fast
forwarding interferes with IPsec and ICMP redirect/source quench
generation (http://www.mail-archive.com/[email protected]/msg07862.html),
but basic packet filtering should still work. Notably, there is a
hardcoded hack in vpn.inc to set net.inet.ip.fastforwarding=0 if IPsec
is enabled. I would propose to document it at both ends in the GUI
(VPN/IPsec (disallow enabling if fastforwarding is set) and
System/Static Routes (disable enabling if IPsec is enabled)), but let
the user still enable fastforwarding even though disablefilter is not
set. Comments/objections?

-Aarno
-- 
Aarno Aukia
Atrila GmbH
Switzerland
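
The routes.db comparison proposed in the message above, sketched as an added example (not pfSense code and not part of the original post). It assumes routes.db holds one destination network per line and that each configured static route is an array with a 'network' key; the function names and sample data are hypothetical.

```php
<?php
// Added example, not pfSense code. Assumption: routes.db holds one
// destination network (CIDR) per line, written by the previous run.

/** Destinations applied by the previous run, or an empty array on first boot. */
function load_applied_routes($path) {
    if (!is_readable($path)) {
        return array();
    }
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    return array_values(array_unique(array_map('trim', $lines)));
}

/** Destinations that were applied before but are no longer configured. */
function stale_routes($applied, $configured) {
    $wanted = array();
    foreach ($configured as $rtent) {
        $wanted[trim($rtent['network'])] = true;
    }
    $stale = array();
    foreach ($applied as $network) {
        if ($network !== '' && !isset($wanted[$network])) {
            $stale[] = $network;
        }
    }
    return $stale;
}

/** Build the delete commands; each destination is shell-escaped. */
function delete_commands($stale) {
    $cmds = array();
    foreach ($stale as $network) {
        $cmds[] = '/sbin/route delete ' . escapeshellarg($network);
    }
    return $cmds;
}

// Constructed sample data: previous state file and current configuration.
$db = tempnam(sys_get_temp_dir(), 'routes');
file_put_contents($db, "10.1.0.0/16\n10.2.0.0/16\n192.168.50.0/24\n");
$configured = array(
    array('network' => '10.1.0.0/16', 'gateway' => '192.0.2.1'),
    array('network' => '172.16.0.0/12', 'gateway' => '192.0.2.1'),
);

foreach (delete_commands(stale_routes(load_applied_routes($db), $configured)) as $cmd) {
    echo $cmd, "\n";   // a real caller would execute this instead of printing
}
unlink($db);
```

Only the state file is read, so memory use scales with the number of static routes rather than with the size of the kernel routing table.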
