From 51aaeff01ed8afa258c00956e7c6e0fccdf2d991 Mon Sep 17 00:00:00 2001
From: ShadowFlare
Date: Fri, 5 Feb 2010 21:47:13 -0700
Subject: [PATCH] Only add one rdr rule and inetd entry set for each NAT reflection port.

---
 etc/inc/filter.inc | 172 ++++++++++++++++++++++++++------------------------
 1 files changed, 88 insertions(+), 84 deletions(-)

diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 2eb644d..b088ca4 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -740,100 +740,104 @@ function filter_generate_reflection($rule, $extport, &$starting_localhost_port, update_filter_reload_status("Setting up NAT Reflection"); $natrules .= "\n# Reflection redirects\n"; + $rdr_if_list = "{"; foreach ($FilterIflist as $ifent => $ifname) { /* do not process interfaces with gateways*/ if(interface_has_gateway($ifent)) continue; - update_filter_reload_status("Creating reflection rule for {$rule['descr']}..."); + $rdr_if_list .= " {$ifname['if']}"; + } + $rdr_if_list .= " }"; - if($extport[1]) - $range_end = ($extport[1]); - else - $range_end = ($extport[0]); - $range_end++; - /* TODO: support multiple ip's in an alias. */ - if (is_alias($rule['external-address'])) - $extaddr = filter_expand_alias($rule['external-address']); - else if(is_ipaddr($rule['external-address'])) - $extaddr = $rule['external-address']; - else if (is_ipaddr($FilterIflist[$rule['interface']]['ip'])) - $extaddr = $FilterIflist[$rule['interface']]['ip']; - - if (is_alias($rule['target'])) - $target = filter_expand_alias($rule['target']); - else if(is_ipaddr($rule['target'])) - $target = $rule['target']; - else if (is_ipaddr($FilterIflist[$rule['target']]['ip'])) - $target = $FilterIflist[$rule['target']]['ip']; - - if($rule['local-port']) - $lrange_start = $rule['local-port']; - if($range_end - $extport[0] > 500) { - $range_end = $extport[0]+1; - log_error("Not installing nat reflection rules for a port range > 500"); - /* only install reflection rules for < 19991 items */ - } else if($starting_localhost_port < 19991) { - $loc_pt = $lrange_start; - $rflctnorange = true; - if(is_alias($loc_pt)) { - $loc_pt_translated = filter_expand_alias($loc_pt); - if(!$loc_pt_translated) { - log_error("Reflection processing: {$loc_pt} is not a vaild port alias."); - continue; - } - $toadd_array = split(" ", $loc_pt_translated); - $rflctnorange = false; + update_filter_reload_status("Creating reflection rule for {$rule['descr']}..."); + + if($extport[1]) + $range_end = 
($extport[1]); + else + $range_end = ($extport[0]); + $range_end++; + /* TODO: support multiple ip's in an alias. */ + if (is_alias($rule['external-address'])) + $extaddr = filter_expand_alias($rule['external-address']); + else if(is_ipaddr($rule['external-address'])) + $extaddr = $rule['external-address']; + else if (is_ipaddr($FilterIflist[$rule['interface']]['ip'])) + $extaddr = $FilterIflist[$rule['interface']]['ip']; + + if (is_alias($rule['target'])) + $target = filter_expand_alias($rule['target']); + else if(is_ipaddr($rule['target'])) + $target = $rule['target']; + else if (is_ipaddr($FilterIflist[$rule['target']]['ip'])) + $target = $FilterIflist[$rule['target']]['ip']; + + if($rule['local-port']) + $lrange_start = $rule['local-port']; + if($range_end - $extport[0] > 500) { + $range_end = $extport[0]+1; + log_error("Not installing nat reflection rules for a port range > 500"); + /* only install reflection rules for < 19991 items */ + } else if($starting_localhost_port < 19991) { + $loc_pt = $lrange_start; + $rflctnorange = true; + if(is_alias($loc_pt)) { + $loc_pt_translated = filter_expand_alias($loc_pt); + if(!$loc_pt_translated) { + log_error("Reflection processing: {$loc_pt} is not a vaild port alias."); + continue; } + $toadd_array = split(" ", $loc_pt_translated); + $rflctnorange = false; + } + + $inetdport = $starting_localhost_port; + if(($range_end - 1) > $extport[0]) { + $rflctrange = "{$starting_localhost_port}"; + $delta = $range_end - $extport[0] - 1; + if(($starting_localhost_port + $delta) > 19990) { + log_error("Installing partial nat reflection rules. 
Maximum 1,000 reached."); + $delta = 19990 - $starting_localhost_port; + } + $starting_localhost_port = $starting_localhost_port + $delta; + $rflctrange .= ":{$starting_localhost_port}"; + $rflctintrange = "{$extport[0]}:{$range_end}"; + if($rflctnorange) + $toadd_array = range($loc_pt, $loc_pt + $delta); + } else { + $rflctrange = $starting_localhost_port; + $rflctintrange = $extport[0]; + if($rflctnorange) + $toadd_array = array($loc_pt); + $starting_localhost_port++; + } - $inetdport = $starting_localhost_port; - if(($range_end - 1) > $extport[0]) { - $rflctrange = "{$starting_localhost_port}"; - $delta = $range_end - $extport[0] - 1; - if(($starting_localhost_port + $delta) > 19990) { - log_error("Installing partial nat reflection rules. Maximum 1,000 reached."); - $delta = 19990 - $starting_localhost_port; - } - $starting_localhost_port = $starting_localhost_port + $delta; - $rflctrange .= ":{$starting_localhost_port}"; - $rflctintrange = "{$extport[0]}:{$range_end}"; - if($rflctnorange) - $toadd_array = range($loc_pt, $loc_pt + $delta); + switch($rule['protocol']) { + case "tcp/udp": + $protocol = "{ tcp udp }"; + foreach($toadd_array as $tda) { + $reflection_txt[] = "{$inetdport}\tstream\ttcp\tnowait/0\tnobody\t/usr/bin/nc\tnc -w {$reflectiontimeout} {$target} {$tda}\n"; + $reflection_txt[] = "{$inetdport}\tdgram\tudp\tnowait/0\tnobody\t/usr/bin/nc\tnc -u -w {$reflectiontimeout} {$target} {$tda}\n"; + $inetdport++; + } + $natrules .= "rdr on {$rdr_if_list} proto {$protocol} from any to {$extaddr} port {$rflctintrange} tag PFREFLECT -> 127.0.0.1 port {$rflctrange}\n"; + break; + case "tcp": + case "udp": + $protocol = $rule['protocol']; + if($protocol == "udp") { + $socktype = "dgram"; + $dash_u = "-u "; } else { - $rflctrange = $starting_localhost_port; - $rflctintrange = $extport[0]; - if($rflctnorange) - $toadd_array = array($loc_pt); - $starting_localhost_port++; + $socktype = "stream"; + $dash_u = ""; } - - switch($rule['protocol']) { - case "tcp/udp": - 
$protocol = "{ tcp udp }"; - foreach($toadd_array as $tda) { - $reflection_txt[] = "{$inetdport}\tstream\ttcp\tnowait/0\tnobody\t/usr/bin/nc\tnc -w {$reflectiontimeout} {$target} {$tda}\n"; - $reflection_txt[] = "{$inetdport}\tdgram\tudp\tnowait/0\tnobody\t/usr/bin/nc\tnc -u -w {$reflectiontimeout} {$target} {$tda}\n"; - $inetdport++; - } - $natrules .= "rdr on { {$ifname['if']} } proto {$protocol} from any to {$extaddr} port {$rflctintrange} tag PFREFLECT -> 127.0.0.1 port {$rflctrange}\n"; - break; - case "tcp": - case "udp": - $protocol = $rule['protocol']; - if($protocol == "udp") { - $socktype = "dgram"; - $dash_u = "-u "; - } else { - $socktype = "stream"; - $dash_u = ""; - } - foreach($toadd_array as $tda){ - $reflection_txt[] = "{$inetdport}\t{$socktype}\t{$protocol}\tnowait/0\tnobody\t/usr/bin/nc\tnc {$dash_u}-w {$reflectiontimeout} {$target} {$tda}\n"; - $inetdport++; - } - $natrules .= "rdr on { {$ifname['if']} } proto {$protocol} from any to {$extaddr} port {$rflctintrange} tag PFREFLECT -> 127.0.0.1 port {$rflctrange}\n"; - break; + foreach($toadd_array as $tda){ + $reflection_txt[] = "{$inetdport}\t{$socktype}\t{$protocol}\tnowait/0\tnobody\t/usr/bin/nc\tnc {$dash_u}-w {$reflectiontimeout} {$target} {$tda}\n"; + $inetdport++; } + $natrules .= "rdr on {$rdr_if_list} proto {$protocol} from any to {$extaddr} port {$rflctintrange} tag PFREFLECT -> 127.0.0.1 port {$rflctrange}\n"; + break; } } -- 1.6.2.2.1669.g7eaf8
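Review bot: The `continue` that follows `log_error("Reflection processing: {$loc_pt} is not a vaild port alias.")` on the new side no longer sits inside a loop — the interface `foreach` that used to enclose it is now closed before the `update_filter_reload_status("Creating reflection rule for {$rule['descr']}...")` call — and PHP rejects a `continue` outside a loop or switch at compile time, which would take all of filter.inc down when it is loaded. It should become a `return` that yields whatever filter_generate_reflection returns on its other exit paths; those, like the rest of the function body, lie outside the hunk. Separately, when every interface has a gateway, `$rdr_if_list` ends up as the literal `{ }` and both `rdr on {$rdr_if_list} …` lines are still emitted, whereas the old per-interface loop produced no rule at all in that case; an empty interface list is unlikely to be accepted by pfctl and would fail the ruleset load. Collecting the names in an array and guarding the two `$natrules .=` lines — `$rdr_ifs[] = $ifname['if'];` in the loop, `$rdr_if_list = "{ " . implode(" ", $rdr_ifs) . " }";` afterwards, and `if (!empty($rdr_ifs))` before each rdr line — keeps the pre-commit behaviour. The typo `vaild` in that log message could be corrected while the line is being touched.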