Revision 3afcc238
Added by Renato Botelho over 11 years ago
| etc/inc/filter.inc | ||
|---|---|---|
| 1345 | 1345 |
return $natrules; |
| 1346 | 1346 |
} |
| 1347 | 1347 |
|
| 1348 |
function filter_nat_rules_automatic_tonathosts() {
|
|
| 1349 |
global $config, $FilterIflist, $GatewaysList; |
|
| 1350 |
|
|
| 1351 |
$tonathosts = array("127.0.0.0/8", "0.0.0.0");
|
|
| 1352 |
|
|
| 1353 |
foreach (get_staticroutes() as $route) {
|
|
| 1354 |
$netip = explode("/", $route['network']);
|
|
| 1355 |
if (isset($GatewaysList[$route['gateway']])) {
|
|
| 1356 |
$gateway =& $GatewaysList[$route['gateway']]; |
|
| 1357 |
if(!interface_has_gateway($gateway['interface']) && is_private_ip($netip[0])) |
|
| 1358 |
$tonathosts[] = $route['network']; |
|
| 1359 |
} |
|
| 1360 |
} |
|
| 1361 |
|
|
| 1362 |
/* create outbound nat entries for all local networks */ |
|
| 1363 |
foreach($FilterIflist as $ocname => $oc) {
|
|
| 1364 |
if(interface_has_gateway($ocname)) |
|
| 1365 |
continue; |
|
| 1366 |
if(is_ipaddr($oc['alias-address'])) |
|
| 1367 |
$tonathosts[] = "{$oc['alias-address']}/{$oc['alias-subnet']}";
|
|
| 1368 |
if($oc['sa']) |
|
| 1369 |
$tonathosts[] = "{$oc['sa']}/{$oc['sn']}";
|
|
| 1370 |
} |
|
| 1371 |
|
|
| 1372 |
/* PPTP subnet */ |
|
| 1373 |
if(($config['pptpd']['mode'] == "server" ) && is_private_ip($config['pptpd']['remoteip'])) {
|
|
| 1374 |
if (isset($config['pptpd']['n_pptp_units']) && is_numeric($config['pptpd']['n_pptp_units'])) |
|
| 1375 |
$pptp_subnets = ip_range_to_subnet_array($config['pptpd']['remoteip'], |
|
| 1376 |
long2ip32(ip2long($config['pptpd']['remoteip'])+($config['pptpd']['n_pptp_units']-1))); |
|
| 1377 |
else |
|
| 1378 |
$pptp_subnets = ip_range_to_subnet_array($config['pptpd']['remoteip'], |
|
| 1379 |
long2ip32(ip2long($config['pptpd']['remoteip']))); |
|
| 1380 |
|
|
| 1381 |
$tonathosts = array_merge($tonathosts, $pptp_subnets); |
|
| 1382 |
} |
|
| 1383 |
|
|
| 1384 |
/* PPPoE subnet */ |
|
| 1385 |
if (is_array($FilterIflist['pppoe'])) |
|
| 1386 |
foreach ($FilterIflist['pppoe'] as $pppoe) |
|
| 1387 |
if(is_private_ip($pppoe['ip'])) |
|
| 1388 |
$tonathosts[] = "{$pppoe['sa']}/{$pppoe['sn']}";
|
|
| 1389 |
|
|
| 1390 |
/* L2TP subnet */ |
|
| 1391 |
if(isset($FilterIflist['l2tp']) && $FilterIflist['l2tp']['mode'] == "server") {
|
|
| 1392 |
$l2tp_sa = $FilterIflist['l2tp']['sa']; |
|
| 1393 |
$l2tp_sn = $FilterIflist['l2tp']['sn']; |
|
| 1394 |
if(is_private_ip($l2tp_sa) && !empty($l2tp_sn)) |
|
| 1395 |
$tonathosts[] = "{$l2tp_sa}/{$l2tp_sn}";
|
|
| 1396 |
} |
|
| 1397 |
|
|
| 1398 |
/* add openvpn interfaces */ |
|
| 1399 |
if(is_array($config['openvpn']['openvpn-server'])) |
|
| 1400 |
foreach ($config['openvpn']['openvpn-server'] as $ovpnsrv) |
|
| 1401 |
if (!empty($ovpnsrv['tunnel_network'])) |
|
| 1402 |
$tonathosts[] = $ovpnsrv['tunnel_network']; |
|
| 1403 |
|
|
| 1404 |
if(is_array($config['openvpn']['openvpn-client'])) |
|
| 1405 |
foreach ($config['openvpn']['openvpn-client'] as $ovpncli) |
|
| 1406 |
if (!empty($ovpncli['tunnel_network'])) |
|
| 1407 |
$tonathosts[] = $ovpncli['tunnel_network']; |
|
| 1408 |
|
|
| 1409 |
/* IPsec mode_cfg subnet */ |
|
| 1410 |
if (isset($config['ipsec']['client']['enable']) && |
|
| 1411 |
!empty($config['ipsec']['client']['pool_address']) && |
|
| 1412 |
!empty($config['ipsec']['client']['pool_netbits'])) |
|
| 1413 |
$tonathosts[] = "{$config['ipsec']['client']['pool_address']}/{$config['ipsec']['client']['pool_netbits']}";
|
|
| 1414 |
|
|
| 1415 |
return $tonathosts; |
|
| 1416 |
} |
|
| 1417 |
|
|
| 1418 |
function filter_nat_rules_outbound_automatic($src) {
|
|
| 1419 |
global $config, $FilterIflist; |
|
| 1420 |
|
|
| 1421 |
$rules = array(); |
|
| 1422 |
foreach ($FilterIflist as $if => $ifcfg) {
|
|
| 1423 |
if (substr($ifcfg['if'], 0, 4) == "ovpn") |
|
| 1424 |
continue; |
|
| 1425 |
if (!interface_has_gateway($if)) |
|
| 1426 |
continue; |
|
| 1427 |
|
|
| 1428 |
$natent = array(); |
|
| 1429 |
$natent['interface'] = $if; |
|
| 1430 |
$natent['source']['network'] = $src; |
|
| 1431 |
$natent['dstport'] = "500"; |
|
| 1432 |
$natent['target'] = $ifcfg['ip']; |
|
| 1433 |
$natent['destination']['any'] = true; |
|
| 1434 |
$natent['staticnatport'] = true; |
|
| 1435 |
$natent['descr'] = gettext('Auto created rule for ISAKMP');
|
|
| 1436 |
$rules[] = $natent; |
|
| 1437 |
|
|
| 1438 |
$natent = array(); |
|
| 1439 |
$natent['interface'] = $if; |
|
| 1440 |
$natent['source']['network'] = $src; |
|
| 1441 |
$natent['sourceport'] = ""; |
|
| 1442 |
$natent['target'] = $ifcfg['ip']; |
|
| 1443 |
$natent['destination']['any'] = true; |
|
| 1444 |
$natent['natport'] = ""; |
|
| 1445 |
$natent['descr'] = gettext('Auto created rule');
|
|
| 1446 |
if (isset($ifcfg['nonat'])) |
|
| 1447 |
$natent['nonat'] = true; |
|
| 1448 |
$rules[] = $natent; |
|
| 1449 |
} |
|
| 1450 |
|
|
| 1451 |
return $rules; |
|
| 1452 |
} |
|
| 1453 |
|
|
| 1348 | 1454 |
/* Generate a 'nat on' or 'no nat on' rule for given interface */ |
| 1349 | 1455 |
function filter_nat_rules_generate_if($if, $src = "any", $srcport = "", $dst = "any", $dstport = "", $natip = "", $natport = "", $nonat = false, $staticnatport = false, $proto = "", $poolopts = "") {
|
| 1350 | 1456 |
global $config, $FilterIflist; |
| ... | ... | |
| 1617 | 1723 |
$natrules .= "\n# Outbound NAT rules (automatic)\n"; |
| 1618 | 1724 |
/* standard outbound rules (one for each interface) */ |
| 1619 | 1725 |
update_filter_reload_status(gettext("Creating outbound NAT rules"));
|
| 1620 |
$tonathosts = ""; |
|
| 1621 |
$numberofnathosts = 0; |
|
| 1726 |
$tonathosts_array = filter_nat_rules_automatic_tonathosts(); |
|
| 1727 |
$tonathosts = implode(" ", $tonathosts_array);
|
|
| 1728 |
$numberofnathosts = count($tonathosts_array); |
|
| 1622 | 1729 |
|
| 1623 |
foreach (get_staticroutes() as $route) {
|
|
| 1624 |
$netip = explode("/", $route['network']);
|
|
| 1625 |
if (isset($GatewaysList[$route['gateway']])) {
|
|
| 1626 |
$gateway =& $GatewaysList[$route['gateway']]; |
|
| 1627 |
if(!interface_has_gateway($gateway['interface']) && is_private_ip($netip[0])) {
|
|
| 1628 |
$numberofnathosts++; |
|
| 1629 |
$tonathosts .= "{$route['network']} ";
|
|
| 1630 |
} |
|
| 1631 |
} |
|
| 1632 |
} |
|
| 1633 |
/* create outbound nat entries for all local networks */ |
|
| 1634 |
foreach($FilterIflist as $ocname => $oc) {
|
|
| 1635 |
if(!interface_has_gateway($ocname)) {
|
|
| 1636 |
if(is_ipaddr($oc['alias-address'])) {
|
|
| 1637 |
$numberofnathosts++; |
|
| 1638 |
$tonathosts .= "{$oc['alias-address']}/{$oc['alias-subnet']} ";
|
|
| 1639 |
} |
|
| 1640 |
if($oc['sa']) {
|
|
| 1641 |
$tonathosts .= "{$oc['sa']}/{$oc['sn']} ";
|
|
| 1642 |
$numberofnathosts++; |
|
| 1643 |
} |
|
| 1644 |
} |
|
| 1645 |
} |
|
| 1646 |
/* PPTP subnet */ |
|
| 1647 |
if(($config['pptpd']['mode'] == "server" ) && is_private_ip($config['pptpd']['remoteip'])) {
|
|
| 1648 |
if (isset($config['pptpd']['n_pptp_units']) && is_numeric($config['pptpd']['n_pptp_units'])) |
|
| 1649 |
$pptp_subnets = ip_range_to_subnet_array($config['pptpd']['remoteip'], long2ip32(ip2long($config['pptpd']['remoteip'])+($config['pptpd']['n_pptp_units']-1))); |
|
| 1650 |
else |
|
| 1651 |
$pptp_subnets = ip_range_to_subnet_array($config['pptpd']['remoteip'], long2ip32(ip2long($config['pptpd']['remoteip']))); |
|
| 1652 |
$numberofnathosts += count($pptp_subnets); |
|
| 1653 |
$tonathosts .= implode(" ", $pptp_subnets) . " ";
|
|
| 1654 |
} |
|
| 1655 |
/* PPPoE subnet */ |
|
| 1656 |
if (is_array($FilterIflist['pppoe'])) {
|
|
| 1657 |
foreach ($FilterIflist['pppoe'] as $pppoe) {
|
|
| 1658 |
if(is_private_ip($pppoe['ip'])) {
|
|
| 1659 |
$numberofnathosts++; |
|
| 1660 |
$tonathosts .= "{$pppoe['sa']}/{$pppoe['sn']} ";
|
|
| 1661 |
} |
|
| 1662 |
} |
|
| 1663 |
} |
|
| 1664 |
/* L2TP subnet */ |
|
| 1665 |
if(isset($FilterIflist['l2tp']) && $FilterIflist['l2tp']['mode'] == "server") {
|
|
| 1666 |
$l2tp_subnet = $FilterIflist['l2tp']['sn']; |
|
| 1667 |
if(is_private_ip($FilterIflist['l2tp']['sa']) && !empty($l2tp_subnet)) {
|
|
| 1668 |
$numberofnathosts++; |
|
| 1669 |
$tonathosts .= "{$FilterIflist['l2tp']['sa']}/{$l2tp_subnet} ";
|
|
| 1670 |
} |
|
| 1671 |
} |
|
| 1672 |
/* add openvpn interfaces */ |
|
| 1673 |
if(is_array($config['openvpn']['openvpn-server'])) {
|
|
| 1674 |
foreach ($config['openvpn']['openvpn-server'] as $ovpnsrv) {
|
|
| 1675 |
if (!empty($ovpnsrv['tunnel_network'])) {
|
|
| 1676 |
$numberofnathosts++; |
|
| 1677 |
$tonathosts .= "{$ovpnsrv['tunnel_network']} ";
|
|
| 1678 |
} |
|
| 1679 |
} |
|
| 1680 |
} |
|
| 1681 |
if(is_array($config['openvpn']['openvpn-client'])) {
|
|
| 1682 |
foreach ($config['openvpn']['openvpn-client'] as $ovpnsrv) {
|
|
| 1683 |
if (!empty($ovpnsrv['tunnel_network'])) {
|
|
| 1684 |
$numberofnathosts++; |
|
| 1685 |
$tonathosts .= "{$ovpnsrv['tunnel_network']} ";
|
|
| 1686 |
} |
|
| 1687 |
} |
|
| 1688 |
} |
|
| 1689 |
/* IPsec mode_cfg subnet */ |
|
| 1690 |
if (isset($config['ipsec']['client']['enable']) && |
|
| 1691 |
!empty($config['ipsec']['client']['pool_address']) && |
|
| 1692 |
!empty($config['ipsec']['client']['pool_netbits'])) {
|
|
| 1693 |
$tonathosts .= "{$config['ipsec']['client']['pool_address']}/{$config['ipsec']['client']['pool_netbits']} ";
|
|
| 1694 |
} |
|
| 1695 | 1730 |
$natrules .= "\n# Subnets to NAT \n"; |
| 1696 |
$tonathosts .= "127.0.0.0/8 0.0.0.0 "; |
|
| 1697 |
if($numberofnathosts > 4) {
|
|
| 1698 |
$natrules .= "table <tonatsubnets> { {$tonathosts} }\n";
|
|
| 1699 |
$macroortable = "<tonatsubnets>"; |
|
| 1700 |
} else if($numberofnathosts > 0) {
|
|
| 1701 |
$natrules .= "tonatsubnets = \"{ {$tonathosts} }\"\n";
|
|
| 1702 |
$macroortable = "\$tonatsubnets"; |
|
| 1703 |
} |
|
| 1704 |
if($numberofnathosts > 0) {
|
|
| 1705 |
foreach ($FilterIflist as $if => $ifcfg) {
|
|
| 1706 |
if (substr($ifcfg['if'], 0, 4) == "ovpn") |
|
| 1707 |
continue; |
|
| 1708 |
update_filter_reload_status(sprintf(gettext('Creating outbound rules %1$s - (%2$s)'), $if, $ifcfg['descr']));
|
|
| 1709 |
if(interface_has_gateway($if)) {
|
|
| 1710 |
$target = $ifcfg['ip']; |
|
| 1711 |
/* create outbound nat entries for all local networks */ |
|
| 1712 |
$natrules .= filter_nat_rules_generate_if($if, |
|
| 1713 |
"{$macroortable}", 500, "", 500, $target, 500, false);
|
|
| 1714 |
$natrules .= filter_nat_rules_generate_if($if, |
|
| 1715 |
"{$macroortable}", null, "", null, $target, null, isset($ifcfg['nonat']));
|
|
| 1716 |
} |
|
| 1731 |
if ($numberofnathosts > 0) {
|
|
| 1732 |
update_filter_reload_status(gettext('Creating automatic outbound rules'));
|
|
| 1733 |
|
|
| 1734 |
if ($numberofnathosts > 4) {
|
|
| 1735 |
$natrules .= "table <tonatsubnets> { {$tonathosts} }\n";
|
|
| 1736 |
$macroortable = "<tonatsubnets>"; |
|
| 1737 |
} else {
|
|
| 1738 |
$natrules .= "tonatsubnets = \"{ {$tonathosts} }\"\n";
|
|
| 1739 |
$macroortable = "\$tonatsubnets"; |
|
| 1740 |
} |
|
| 1741 |
|
|
| 1742 |
$a_outs = filter_nat_rules_outbound_automatic($macroortable); |
|
| 1743 |
foreach ($a_outs as $a_out) {
|
|
| 1744 |
$natrules .= filter_nat_rules_generate_if($a_out['interface'], |
|
| 1745 |
$a_out['source']['network'], |
|
| 1746 |
$a_out['sourceport'], |
|
| 1747 |
$a_out['destination']['address'], |
|
| 1748 |
$a_out['dstport'], |
|
| 1749 |
$a_out['target'], |
|
| 1750 |
$a_out['natport'], |
|
| 1751 |
isset($a_out['nonat']), |
|
| 1752 |
isset($a_out['staticnatport'])); |
|
| 1717 | 1753 |
} |
| 1718 | 1754 |
} |
| 1755 |
unset($tonathosts, $tonathosts_array, $numberofnathosts); |
|
| 1719 | 1756 |
} |
| 1720 | 1757 |
|
| 1721 | 1758 |
/* load balancer anchor */ |
Also available in: Unified diff
Split automatic to nat hosts fill into a function to be able to call it from other place, ticket #2416