
Revision 15f2431e

Added by Jim Pingle over 16 years ago

Add protocol options for Manual Outbound NAT rules. See ticket #1887


etc/inc/filter.inc
494 494
}
495 495

  
496 496
/* Generate a 'nat on' or 'no nat on' rule for given interface */
497
function filter_nat_rules_generate_if($if, $src = "any", $srcport = "", $dst = "any", $dstport = "", $natip = "", $natport = "", $nonat = false, $staticnatport = false) {
497
function filter_nat_rules_generate_if($if, $src = "any", $proto = "any", $srcport = "", $dst = "any", $dstport = "", $natip = "", $natport = "", $nonat = false, $staticnatport = false) {
498 498
	global $config;
499 499

  
500 500
	/* XXX: billm - any idea if this code is needed? */
......
507 507
        else
508 508
                $tgt = "($if)";
509 509

  
510
	/* Add the protocol, if defined */
511
	if (($proto != "") && ($proto != "any"))
512
		$protocol = " proto {$proto}";
513
	else
514
		$protocol = "";
515

  
510 516
	/* Add the hard set source port (useful for ISAKMP) */
511 517
        if ($natport != "")
512 518
		$tgt .= " port {$natport}";
......
546 552

  
547 553
	/* Put all the pieces together */
548 554
	if($if_friendly)
549
		$natrule = "{$nat} on \${$if_friendly} from {$src} to {$dst} {$target}{$staticnatport_txt}\n";
555
		$natrule = "{$nat} on \${$if_friendly} {$protocol} from {$src} to {$dst} {$target}{$staticnatport_txt}\n";
550 556

  
551 557
	return $natrule;
552 558
}
......
654 660

  
655 661
				$natrules .= filter_nat_rules_generate_if($natif,
656 662
					$src,
663
					$obent['protocol'],
657 664
					$obent['sourceport'],
658 665
					$dst,
659 666
					$obent['dstport'],
......
669 676
		update_filter_reload_status("Creating outbound NAT rules");
670 677

  
671 678
		$natrules .= filter_nat_rules_generate_if($wanif,
672
			"{$lansa}/{$lancfg['subnet']}", 500, "", 500, null, 500, false);
679
			"{$lansa}/{$lancfg['subnet']}", "any", 500, "", 500, null, 500, false);
673 680
		$natrules .= filter_nat_rules_generate_if($wanif,
674
			"{$lansa}/{$lancfg['subnet']}", 5060, "", 5060, null, 5060, false);
681
			"{$lansa}/{$lancfg['subnet']}", "any", 5060, "", 5060, null, 5060, false);
675 682
		$natrules .= filter_nat_rules_generate_if($wanif,
676 683
			"{$lansa}/{$lancfg['subnet']}");
677 684

  
......
683 690
			$opt_interface = $oc['if'];
684 691
			if (interface_has_gateway("$opt_interface")) {
685 692
				$natrules .= filter_nat_rules_generate_if($opt_interface,
686
					"{$lansa}/{$lancfg['subnet']}", 500, "", 500, null, 500, false);
693
					"{$lansa}/{$lancfg['subnet']}", "any", 500, "", 500, null, 500, false);
687 694
				$natrules .= filter_nat_rules_generate_if($opt_interface,
688
					"{$lansa}/{$lancfg['subnet']}", 5060, "", 5060, null, 5060, false);
695
					"{$lansa}/{$lancfg['subnet']}", "any", 5060, "", 5060, null, 5060, false);
689 696
				$natrules .= filter_nat_rules_generate_if($opt_interface,
690 697
					"{$lansa}/{$lancfg['subnet']}");
691 698
			}
......
701 708

  
702 709
				/* create outbound nat entries for primary wan */
703 710
				$natrules .= filter_nat_rules_generate_if($wanif,
704
					"{$optsa}/{$optcfg['subnet']}", 500, "", 500, null, 500, false);
711
					"{$optsa}/{$optcfg['subnet']}", "any", 500, "", 500, null, 500, false);
705 712
				$natrules .= filter_nat_rules_generate_if($wanif,
706
					"{$optsa}/{$optcfg['subnet']}", 5060, "", 5060, null, 5060, false);
713
					"{$optsa}/{$optcfg['subnet']}", "any", 5060, "", 5060, null, 5060, false);
707 714
				$natrules .= filter_nat_rules_generate_if($wanif,
708
					"{$optsa}/{$optcfg['subnet']}", null, "", null, null, null, isset($optcfg['nonat']));
715
					"{$optsa}/{$optcfg['subnet']}", "any", null, "", null, null, null, isset($optcfg['nonat']));
709 716

  
710 717
				/* create outbound nat entries for all opt wans */
711 718
				foreach($optints as $oc) {
712 719
					$opt_interface = $oc['if'];
713 720
					if (interface_has_gateway("$opt_interface")) {
714 721
						$natrules .= filter_nat_rules_generate_if($opt_interface,
715
							"{$optsa}/{$optcfg['subnet']}", 500, "", 500, null, 500, false);
722
							"{$optsa}/{$optcfg['subnet']}", "any", 500, "", 500, null, 500, false);
716 723
						$natrules .= filter_nat_rules_generate_if($opt_interface,
717
							"{$optsa}/{$optcfg['subnet']}", 5060, "", 5060, null, 5060, false);
724
							"{$optsa}/{$optcfg['subnet']}", "any", 5060, "", 5060, null, 5060, false);
718 725
						$natrules .= filter_nat_rules_generate_if($opt_interface,
719
							"{$optsa}/{$optcfg['subnet']}", null, "", null, null, null, isset($optcfg['nonat']));
726
							"{$optsa}/{$optcfg['subnet']}", "any", null, "", null, null, null, isset($optcfg['nonat']));
720 727
					}
721 728
				}
722 729
			}
......
728 735
			if($config['pptp']['pptp_subnet'] <> "")
729 736
				$pptp_subnet = $config['pptp']['pptp_subnet'];
730 737
			$natrules .= filter_nat_rules_generate_if($wanif,
731
				"{$pptpdcfg['remoteip']}/{$pptp_subnet}", 500, "", 500, null, 500, false);
738
				"{$pptpdcfg['remoteip']}/{$pptp_subnet}", "any", 500, "", 500, null, 500, false);
732 739
			$natrules .= filter_nat_rules_generate_if($wanif,
733
				"{$pptpdcfg['remoteip']}/{$pptp_subnet}", 5060, "", 5060, null, 5060, false);
740
				"{$pptpdcfg['remoteip']}/{$pptp_subnet}", "any", 5060, "", 5060, null, 5060, false);
734 741
			$natrules .= filter_nat_rules_generate_if($wanif,
735 742
				"{$pptpdcfg['remoteip']}/{$pptp_subnet}");
736 743

  
......
739 746
				$opt_interface = $oc['if'];
740 747
				if ((is_private_ip($pptpdcfg['remoteip'])) && (interface_has_gateway($opt_interface))) {
741 748
					$natrules .= filter_nat_rules_generate_if($opt_interface,
742
						"{$pptpdcfg['remoteip']}/{$pptp_subnet}", 500, "", 500, null, 500, false);
749
						"{$pptpdcfg['remoteip']}/{$pptp_subnet}", "any", 500, "", 500, null, 500, false);
743 750
					$natrules .= filter_nat_rules_generate_if($opt_interface,
744
						"{$pptpdcfg['remoteip']}/{$pptp_subnet}", 5060, "", 5060, null, 5060, false);
751
						"{$pptpdcfg['remoteip']}/{$pptp_subnet}", "any", 5060, "", 5060, null, 5060, false);
745 752
					$natrules .= filter_nat_rules_generate_if($opt_interface,
746 753
						"{$pptpdcfg['remoteip']}/{$pptp_subnet}");
747 754
				}
......
754 761
			if($config['pppoe']['pppoe_subnet'] <> "")
755 762
				$pppoe_subnet = $config['pppoe']['pppoe_subnet'];
756 763
			$natrules .= filter_nat_rules_generate_if($wanif,
757
				"{$pppoecfg['remoteip']}/{$pppoe_subnet}", 500, "", 500, null, 500, false);
764
				"{$pppoecfg['remoteip']}/{$pppoe_subnet}", "any", 500, "", 500, null, 500, false);
758 765
			$natrules .= filter_nat_rules_generate_if($wanif,
759
				"{$pppoecfg['remoteip']}/{$pppoe_subnet}", 5060, "", 5060, null, 5060, false);
766
				"{$pppoecfg['remoteip']}/{$pppoe_subnet}", "any", 5060, "", 5060, null, 5060, false);
760 767
			$natrules .= filter_nat_rules_generate_if($wanif,
761
				"{$pppoecfg['remoteip']}/{$pppoe_subnet}");
768
				"{$pppoecfg['remoteip']}/{$pppoe_subnet}", "any");
762 769

  
763 770
			/* generate nat mappings for opts with a gateway opts */
764 771
			foreach($optints as $oc) {
765 772
				$opt_interface = $oc['if'];
766 773
				if ((is_private_ip($pppoecfg['remoteip'])) && (interface_has_gateway($opt_interface))) {
767 774
					$natrules .= filter_nat_rules_generate_if($opt_interface,
768
						"{$pppoecfg['remoteip']}/{$pppoe_subnet}", 500, "", 500, null, 500, false);
775
						"{$pppoecfg['remoteip']}/{$pppoe_subnet}", "any", 500, "", 500, null, 500, false);
769 776
					$natrules .= filter_nat_rules_generate_if($opt_interface,
770
						"{$pppoecfg['remoteip']}/{$pppoe_subnet}", 5060, "", 5060, null, 5060, false);
777
						"{$pppoecfg['remoteip']}/{$pppoe_subnet}", "any", 5060, "", 5060, null, 5060, false);
771 778
					$natrules .= filter_nat_rules_generate_if($opt_interface,
772 779
						"{$pppoecfg['remoteip']}/{$pppoe_subnet}");
773 780
				}
......
780 787
				$netip = explode("/", $route['network']);
781 788
				if ((! interface_has_gateway($route['interface'])) && (is_private_ip($netip[0]))) {
782 789
					$natrules .= filter_nat_rules_generate_if($wanif,
783
						"{$route['network']}", 500, "", 500, null, 500, false);
790
						"{$route['network']}", "any", 500, "", 500, null, 500, false);
784 791
					$natrules .= filter_nat_rules_generate_if($wanif,
785
						"{$route['network']}", 5060, "", 5060, null, 5060, false);
792
						"{$route['network']}", "any", 5060, "", 5060, null, 5060, false);
786 793
					$natrules .= filter_nat_rules_generate_if($wanif,
787
						"{$route['network']}", "", null);
794
						"{$route['network']}", "any", "", null);
788 795
				}
789 796
				/* generate nat mapping for static routes on opts */
790 797
				foreach($optints as $oc) {
791 798
					$opt_interface = $oc['if'];
792 799
					if ((! interface_has_gateway($route['interface'])) && (is_private_ip($netip[0])) && (interface_has_gateway($opt_interface))) {
793 800
						$natrules .= filter_nat_rules_generate_if($opt_interface,
794
							"{$route['network']}", 500, "", 500, null, 500, false);
801
							"{$route['network']}", "any", 500, "", 500, null, 500, false);
795 802
						$natrules .= filter_nat_rules_generate_if($opt_interface,
796
							"{$route['network']}", 5060, "", 5060, null, 5060, false);
803
							"{$route['network']}", "any", 5060, "", 5060, null, 5060, false);
797 804
						$natrules .= filter_nat_rules_generate_if($opt_interface,
798
							"{$route['network']}", "", null);
805
							"{$route['network']}", "any", "", null);
799 806
					}
800 807
				}
801 808
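Review bot: The new `$protocol = " proto {$proto}";` line pastes whatever is stored in `$obent['protocol']` straight into the pf ruleset text, and nothing in this commit checks that value against a protocol whitelist on either the save path or here, so a malformed or crafted config value would corrupt the generated rules (or, if pfctl rejects the line, the whole ruleset load); I would clamp it at the point of use, e.g. `if (!preg_match('/^[a-z0-9-]+$/i', $proto)) $proto = "any";` before the `$protocol` assignment, so the generator never emits anything but a bare protocol token. Inserting `$proto` as the third positional parameter also silently shifts every positional caller of `filter_nat_rules_generate_if` outside this file (packages, for example): their old `$srcport` value would now be emitted as `proto 500`, which is not a valid protocol; adding the parameter at the end of the list, or documenting the ABI break in the commit message, would be safer. The body of `filter_nat_rules_generate_if` continues outside the shown hunks, so any existing sanitisation there is not visible to me.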

  
usr/local/www/firewall_nat_out.php
102 102
				$natent['interface'] = "wan";
103 103
				$natent['destination']['any'] = true;
104 104
				$natent['natport'] = "";
105
				$natent['protocol'] = "any";
105 106
				$a_out[] = $natent;
106 107
			}
107 108
			$savemsg = "Default rules for each interface have been created.";
......
265 266
                                                 echo "LAN";                                                
266 267
					else
267 268
						echo htmlspecialchars($config['interfaces'][$natent['interface']]['descr']);
269

  
270
					if (($natent['protocol'] != "any") && ($natent['protocol'] != ""))
271
						$proto = $natent['protocol'] . "/";
272
					else
273
						$proto = "";
268 274
					?>
269 275
                                        &nbsp;
270 276
                  </td>
......
273 279
                  </td>
274 280
                  <td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='firewall_nat_out_edit.php?id=<?=$nnats;?>';">
275 281
                    <?php
282

  
276 283
                      if (!$natent['sourceport'])
277
                          echo "*";
284
                          echo  $proto . "*";
278 285
                      else
279
                          echo $natent['sourceport'];
286
                          echo $proto . $natent['sourceport'];
280 287
                    ?>
281 288
                  </td>
282 289
                  <td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='firewall_nat_out_edit.php?id=<?=$nnats;?>';">
......
293 300
                  <td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='firewall_nat_out_edit.php?id=<?=$nnats;?>';">
294 301
                    <?php
295 302
                      if (!$natent['dstport'])
296
                          echo "*";
303
                          echo $proto . "*";
297 304
                      else
298
                          echo $natent['dstport'];
305
                          echo $proto . $natent['dstport'];
299 306
                    ?>
300 307
                  </td>
301 308
                  <td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='firewall_nat_out_edit.php?id=<?=$nnats;?>';">
usr/local/www/firewall_nat_out_edit.php
49 49
}
50 50

  
51 51
if (isset($id) && $a_out[$id]) {
52
    $pconfig['proto'] = $a_out[$id]['protocol'];
52 53
    list($pconfig['source'],$pconfig['source_subnet']) = explode('/', $a_out[$id]['source']['network']);
53 54
    $pconfig['sourceport'] = $a_out[$id]['sourceport'];
54 55
    address_to_pconfig($a_out[$id]['destination'], $pconfig['destination'],
......
170 171
		if (!$natent['interface'])
171 172
			$natent['interface'] == "wan";
172 173

  
174
		if ($natent['proto'] != $_POST['proto'])
175
			continue;			
176

  
173 177
		if (($natent['interface'] == $_POST['interface']) && ($natent['source']['network'] == $osn)) {
174 178
			if (isset($natent['destination']['not']) == isset($_POST['destination_not'])) {
175 179
				if ((isset($natent['destination']['any']) && ($ext == "any")) ||
......
188 192
        $natent['descr'] = $_POST['descr'];
189 193
        $natent['target'] = $_POST['target'];
190 194
        $natent['interface'] = $_POST['interface'];
195
        $natent['protocol'] = $_POST['proto'];
191 196

  
192 197
		/* static-port */
193 198
		if(isset($_POST['staticnatport']))
......
315 320
                     <span class="vexpl">Choose which interface this rule applies to.<br>
316 321
                     Hint: in most cases, you'll want to use WAN here.</span></td>
317 322
                </tr>
323
                <tr>
324
                  <td width="22%" valign="top" class="vncellreq">Protocol</td>
325
                  <td width="78%" class="vtable">
326
                    <select name="proto" class="formfld" onChange="proto_change(); check_for_aliases();">
327
                      <?php $protocols = explode(" ", "any TCP UDP GRE ESP AH L2TP ICMP"); foreach ($protocols as $proto): ?>
328
                      <option value="<?=strtolower($proto);?>" <?php if (strtolower($proto) == $pconfig['proto']) echo "selected"; ?>><?=htmlspecialchars($proto);?></option>
329
                      <?php endforeach; ?>
330
                    </select> <br> <span class="vexpl">Choose which IP protocol
331
                    this rule should match.<br>
332
                    Hint: in most cases, you should specify <em>any</em> &nbsp;here.</span></td>
333
                </tr>
318 334
                <tr>
319 335
                  <td width="22%" valign="top" class="vncellreq">Source</td>
320 336
                  <td width="78%" class="vtable">
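Review bot: The new duplicate check `if ($natent['proto'] != $_POST['proto']) continue;` reads the key `proto`, but rules are saved under `protocol` (`$natent['protocol'] = $_POST['proto'];` further down, and the load at the top uses `$a_out[$id]['protocol']`), so `$natent['proto']` is always unset and every existing entry is skipped, which effectively disables the duplicate-rule detection whenever a protocol is posted; it should be `if ($natent['protocol'] != $_POST['proto'])`. `$_POST['proto']` is also stored with no server-side validation, so the `<select>` is the only thing constraining it; I would add, alongside the page's other input checks, `if (!in_array($_POST['proto'], array("any","tcp","udp","gre","esp","ah","l2tp","icmp"))) $input_errors[] = "Invalid protocol.";` (list mirrored from the `$protocols` string in the form), since the value ends up verbatim in the pf ruleset via filter.inc. Unrelated but adjacent on a context line: `$natent['interface'] == "wan";` compares instead of assigning, so a missing interface is never defaulted. The loop containing the duplicate check begins outside this hunk.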
