| 740 |
740 |
update_filter_reload_status("Setting up NAT Reflection");
|
| 741 |
741 |
|
| 742 |
742 |
$natrules .= "\n# Reflection redirects\n";
|
|
743 |
$rdr_if_list = "{";
|
| 743 |
744 |
foreach ($FilterIflist as $ifent => $ifname) {
|
| 744 |
745 |
/* do not process interfaces with gateways*/
|
| 745 |
746 |
if(interface_has_gateway($ifent))
|
| 746 |
747 |
continue;
|
| 747 |
748 |
|
| 748 |
|
update_filter_reload_status("Creating reflection rule for {$rule['descr']}...");
|
|
749 |
$rdr_if_list .= " {$ifname['if']}";
|
|
750 |
}
|
|
751 |
$rdr_if_list .= " }";
|
| 749 |
752 |
|
| 750 |
|
if($extport[1])
|
| 751 |
|
$range_end = ($extport[1]);
|
| 752 |
|
else
|
| 753 |
|
$range_end = ($extport[0]);
|
| 754 |
|
$range_end++;
|
| 755 |
|
/* TODO: support multiple ip's in an alias. */
|
| 756 |
|
if (is_alias($rule['external-address']))
|
| 757 |
|
$extaddr = filter_expand_alias($rule['external-address']);
|
| 758 |
|
else if(is_ipaddr($rule['external-address']))
|
| 759 |
|
$extaddr = $rule['external-address'];
|
| 760 |
|
else if (is_ipaddr($FilterIflist[$rule['interface']]['ip']))
|
| 761 |
|
$extaddr = $FilterIflist[$rule['interface']]['ip'];
|
| 762 |
|
|
| 763 |
|
if (is_alias($rule['target']))
|
| 764 |
|
$target = filter_expand_alias($rule['target']);
|
| 765 |
|
else if(is_ipaddr($rule['target']))
|
| 766 |
|
$target = $rule['target'];
|
| 767 |
|
else if (is_ipaddr($FilterIflist[$rule['target']]['ip']))
|
| 768 |
|
$target = $FilterIflist[$rule['target']]['ip'];
|
| 769 |
|
|
| 770 |
|
if($rule['local-port'])
|
| 771 |
|
$lrange_start = $rule['local-port'];
|
| 772 |
|
if($range_end - $extport[0] > 500) {
|
| 773 |
|
$range_end = $extport[0]+1;
|
| 774 |
|
log_error("Not installing nat reflection rules for a port range > 500");
|
| 775 |
|
/* only install reflection rules for < 19991 items */
|
| 776 |
|
} else if($starting_localhost_port < 19991) {
|
| 777 |
|
$loc_pt = $lrange_start;
|
| 778 |
|
$rflctnorange = true;
|
| 779 |
|
if(is_alias($loc_pt)) {
|
| 780 |
|
$loc_pt_translated = filter_expand_alias($loc_pt);
|
| 781 |
|
if(!$loc_pt_translated) {
|
| 782 |
|
log_error("Reflection processing: {$loc_pt} is not a vaild port alias.");
|
| 783 |
|
continue;
|
| 784 |
|
}
|
| 785 |
|
$toadd_array = split(" ", $loc_pt_translated);
|
| 786 |
|
$rflctnorange = false;
|
|
753 |
update_filter_reload_status("Creating reflection rule for {$rule['descr']}...");
|
|
754 |
|
|
755 |
if($extport[1])
|
|
756 |
$range_end = ($extport[1]);
|
|
757 |
else
|
|
758 |
$range_end = ($extport[0]);
|
|
759 |
$range_end++;
|
|
760 |
/* TODO: support multiple ip's in an alias. */
|
|
761 |
if (is_alias($rule['external-address']))
|
|
762 |
$extaddr = filter_expand_alias($rule['external-address']);
|
|
763 |
else if(is_ipaddr($rule['external-address']))
|
|
764 |
$extaddr = $rule['external-address'];
|
|
765 |
else if (is_ipaddr($FilterIflist[$rule['interface']]['ip']))
|
|
766 |
$extaddr = $FilterIflist[$rule['interface']]['ip'];
|
|
767 |
|
|
768 |
if (is_alias($rule['target']))
|
|
769 |
$target = filter_expand_alias($rule['target']);
|
|
770 |
else if(is_ipaddr($rule['target']))
|
|
771 |
$target = $rule['target'];
|
|
772 |
else if (is_ipaddr($FilterIflist[$rule['target']]['ip']))
|
|
773 |
$target = $FilterIflist[$rule['target']]['ip'];
|
|
774 |
|
|
775 |
if($rule['local-port'])
|
|
776 |
$lrange_start = $rule['local-port'];
|
|
777 |
if($range_end - $extport[0] > 500) {
|
|
778 |
$range_end = $extport[0]+1;
|
|
779 |
log_error("Not installing nat reflection rules for a port range > 500");
|
|
780 |
/* only install reflection rules for < 19991 items */
|
|
781 |
} else if($starting_localhost_port < 19991) {
|
|
782 |
$loc_pt = $lrange_start;
|
|
783 |
$rflctnorange = true;
|
|
784 |
if(is_alias($loc_pt)) {
|
|
785 |
$loc_pt_translated = filter_expand_alias($loc_pt);
|
|
786 |
if(!$loc_pt_translated) {
|
|
787 |
log_error("Reflection processing: {$loc_pt} is not a vaild port alias.");
|
|
788 |
continue;
|
| 787 |
789 |
}
|
|
790 |
$toadd_array = split(" ", $loc_pt_translated);
|
|
791 |
$rflctnorange = false;
|
|
792 |
}
|
|
793 |
|
|
794 |
$inetdport = $starting_localhost_port;
|
|
795 |
if(($range_end - 1) > $extport[0]) {
|
|
796 |
$rflctrange = "{$starting_localhost_port}";
|
|
797 |
$delta = $range_end - $extport[0] - 1;
|
|
798 |
if(($starting_localhost_port + $delta) > 19990) {
|
|
799 |
log_error("Installing partial nat reflection rules. Maximum 1,000 reached.");
|
|
800 |
$delta = 19990 - $starting_localhost_port;
|
|
801 |
}
|
|
802 |
$starting_localhost_port = $starting_localhost_port + $delta;
|
|
803 |
$rflctrange .= ":{$starting_localhost_port}";
|
|
804 |
$rflctintrange = "{$extport[0]}:{$range_end}";
|
|
805 |
if($rflctnorange)
|
|
806 |
$toadd_array = range($loc_pt, $loc_pt + $delta);
|
|
807 |
} else {
|
|
808 |
$rflctrange = $starting_localhost_port;
|
|
809 |
$rflctintrange = $extport[0];
|
|
810 |
if($rflctnorange)
|
|
811 |
$toadd_array = array($loc_pt);
|
|
812 |
$starting_localhost_port++;
|
|
813 |
}
|
| 788 |
814 |
|
| 789 |
|
$inetdport = $starting_localhost_port;
|
| 790 |
|
if(($range_end - 1) > $extport[0]) {
|
| 791 |
|
$rflctrange = "{$starting_localhost_port}";
|
| 792 |
|
$delta = $range_end - $extport[0] - 1;
|
| 793 |
|
if(($starting_localhost_port + $delta) > 19990) {
|
| 794 |
|
log_error("Installing partial nat reflection rules. Maximum 1,000 reached.");
|
| 795 |
|
$delta = 19990 - $starting_localhost_port;
|
| 796 |
|
}
|
| 797 |
|
$starting_localhost_port = $starting_localhost_port + $delta;
|
| 798 |
|
$rflctrange .= ":{$starting_localhost_port}";
|
| 799 |
|
$rflctintrange = "{$extport[0]}:{$range_end}";
|
| 800 |
|
if($rflctnorange)
|
| 801 |
|
$toadd_array = range($loc_pt, $loc_pt + $delta);
|
|
815 |
switch($rule['protocol']) {
|
|
816 |
case "tcp/udp":
|
|
817 |
$protocol = "{ tcp udp }";
|
|
818 |
foreach($toadd_array as $tda) {
|
|
819 |
$reflection_txt[] = "{$inetdport}\tstream\ttcp\tnowait/0\tnobody\t/usr/bin/nc\tnc -w {$reflectiontimeout} {$target} {$tda}\n";
|
|
820 |
$reflection_txt[] = "{$inetdport}\tdgram\tudp\tnowait/0\tnobody\t/usr/bin/nc\tnc -u -w {$reflectiontimeout} {$target} {$tda}\n";
|
|
821 |
$inetdport++;
|
|
822 |
}
|
|
823 |
$natrules .= "rdr on {$rdr_if_list} proto {$protocol} from any to {$extaddr} port {$rflctintrange} tag PFREFLECT -> 127.0.0.1 port {$rflctrange}\n";
|
|
824 |
break;
|
|
825 |
case "tcp":
|
|
826 |
case "udp":
|
|
827 |
$protocol = $rule['protocol'];
|
|
828 |
if($protocol == "udp") {
|
|
829 |
$socktype = "dgram";
|
|
830 |
$dash_u = "-u ";
|
| 802 |
831 |
} else {
|
| 803 |
|
$rflctrange = $starting_localhost_port;
|
| 804 |
|
$rflctintrange = $extport[0];
|
| 805 |
|
if($rflctnorange)
|
| 806 |
|
$toadd_array = array($loc_pt);
|
| 807 |
|
$starting_localhost_port++;
|
|
832 |
$socktype = "stream";
|
|
833 |
$dash_u = "";
|
| 808 |
834 |
}
|
| 809 |
|
|
| 810 |
|
switch($rule['protocol']) {
|
| 811 |
|
case "tcp/udp":
|
| 812 |
|
$protocol = "{ tcp udp }";
|
| 813 |
|
foreach($toadd_array as $tda) {
|
| 814 |
|
$reflection_txt[] = "{$inetdport}\tstream\ttcp\tnowait/0\tnobody\t/usr/bin/nc\tnc -w {$reflectiontimeout} {$target} {$tda}\n";
|
| 815 |
|
$reflection_txt[] = "{$inetdport}\tdgram\tudp\tnowait/0\tnobody\t/usr/bin/nc\tnc -u -w {$reflectiontimeout} {$target} {$tda}\n";
|
| 816 |
|
$inetdport++;
|
| 817 |
|
}
|
| 818 |
|
$natrules .= "rdr on { {$ifname['if']} } proto {$protocol} from any to {$extaddr} port {$rflctintrange} tag PFREFLECT -> 127.0.0.1 port {$rflctrange}\n";
|
| 819 |
|
break;
|
| 820 |
|
case "tcp":
|
| 821 |
|
case "udp":
|
| 822 |
|
$protocol = $rule['protocol'];
|
| 823 |
|
if($protocol == "udp") {
|
| 824 |
|
$socktype = "dgram";
|
| 825 |
|
$dash_u = "-u ";
|
| 826 |
|
} else {
|
| 827 |
|
$socktype = "stream";
|
| 828 |
|
$dash_u = "";
|
| 829 |
|
}
|
| 830 |
|
foreach($toadd_array as $tda){
|
| 831 |
|
$reflection_txt[] = "{$inetdport}\t{$socktype}\t{$protocol}\tnowait/0\tnobody\t/usr/bin/nc\tnc {$dash_u}-w {$reflectiontimeout} {$target} {$tda}\n";
|
| 832 |
|
$inetdport++;
|
| 833 |
|
}
|
| 834 |
|
$natrules .= "rdr on { {$ifname['if']} } proto {$protocol} from any to {$extaddr} port {$rflctintrange} tag PFREFLECT -> 127.0.0.1 port {$rflctrange}\n";
|
| 835 |
|
break;
|
|
835 |
foreach($toadd_array as $tda){
|
|
836 |
$reflection_txt[] = "{$inetdport}\t{$socktype}\t{$protocol}\tnowait/0\tnobody\t/usr/bin/nc\tnc {$dash_u}-w {$reflectiontimeout} {$target} {$tda}\n";
|
|
837 |
$inetdport++;
|
| 836 |
838 |
}
|
|
839 |
$natrules .= "rdr on {$rdr_if_list} proto {$protocol} from any to {$extaddr} port {$rflctintrange} tag PFREFLECT -> 127.0.0.1 port {$rflctrange}\n";
|
|
840 |
break;
|
| 837 |
841 |
}
|
| 838 |
842 |
}
|
| 839 |
843 |
|