Revision 473d0ff0
Added by Pierre POMES over 15 years ago
| usr/local/www/firewall_nat_edit.php | ||
|---|---|---|
| 199 | 199 |
else |
| 200 | 200 |
unset($natent['nosync']); |
| 201 | 201 |
|
| 202 |
// If we used to have an associated filter rule, but no-longer should have one |
|
| 203 |
if( $a_nat[$id]>0 && ($natent['associated-filter-rule-id']>0)===false ) {
|
|
| 204 |
// Delete the previous rule |
|
| 205 |
delete_id($a_nat[$id]['associated-filter-rule-id'], $config['filter']['rule']); |
|
| 206 |
mark_subsystem_dirty('filter');
|
|
| 207 |
} |
|
| 208 |
|
|
| 202 | 209 |
$need_filter_rule = false; |
| 203 | 210 |
// Updating a rule with a filter rule associated |
| 204 | 211 |
if( $natent['associated-filter-rule-id']>0 ) |
| 205 | 212 |
$need_filter_rule = true; |
| 213 |
// Create a rule or if we want to create a new one |
|
| 214 |
if( $natent['associated-filter-rule-id']=='new' ) {
|
|
| 215 |
$need_filter_rule = true; |
|
| 216 |
unset( $natent['associated-filter-rule-id'] ); |
|
| 217 |
$_POST['filter-rule-association']='add-associated'; |
|
| 218 |
} |
|
| 206 | 219 |
// If creating a new rule, where we want to add the filter rule, associated or not |
| 207 |
else if( isset($_POST['filter-rule-association']) &&
|
|
| 208 |
($_POST['filter-rule-association']=='add-associated' ||
|
|
| 220 |
else if( isset($_POST['filter-rule-association']) && |
|
| 221 |
($_POST['filter-rule-association']=='add-associated' || |
|
| 209 | 222 |
$_POST['filter-rule-association']=='add-unassociated') ) |
| 210 | 223 |
$need_filter_rule = true; |
| 211 | 224 |
|
| 212 |
if ($need_filter_rule) {
|
|
| 225 |
// Determine NAT entry ID now, we need it for the firewall rule |
|
| 226 |
if (isset($id) && $a_nat[$id]) |
|
| 227 |
$a_nat[$id] = $natent; |
|
| 228 |
else {
|
|
| 229 |
if (is_numeric($after)) |
|
| 230 |
$id = $after + 1; |
|
| 231 |
else |
|
| 232 |
$id = count($a_nat); |
|
| 233 |
} |
|
| 213 | 234 |
|
| 214 |
// If we had a previous rule associated with this NAT rule, delete that |
|
| 215 |
if( $natent['associated-filter-rule-id'] > 0 ) |
|
| 216 |
delete_id($natent['associated-filter-rule-id'], $config['filter']['rule']); |
|
| 235 |
if ($need_filter_rule) {
|
|
| 217 | 236 |
|
| 218 | 237 |
/* auto-generate a matching firewall rule */ |
| 219 | 238 |
$filterent = array(); |
| 239 |
|
|
| 240 |
// If a rule already exists, load it |
|
| 241 |
if( $natent['associated-filter-rule-id'] > 0 ) |
|
| 242 |
$filterent = &get_id($natent['associated-filter-rule-id'], $config['filter']['rule']); |
|
| 243 |
else |
|
| 244 |
// Create the default source entry for new filter entries |
|
| 245 |
$filterent['source']['any'] = ""; |
|
| 246 |
|
|
| 247 |
// Update associated nat rule ID |
|
| 248 |
$filterent['associated-nat-rule-id'] = $id; |
|
| 249 |
|
|
| 250 |
// Update interface, protocol and destination |
|
| 220 | 251 |
$filterent['interface'] = $_POST['interface']; |
| 221 | 252 |
$filterent['protocol'] = $_POST['proto']; |
| 222 |
$filterent['source']['any'] = ""; |
|
| 223 | 253 |
$filterent['destination']['address'] = $_POST['localip']; |
| 224 | 254 |
|
| 225 | 255 |
$dstpfrom = $_POST['localbeginport']; |
| ... | ... | |
| 237 | 267 |
*/ |
| 238 | 268 |
$filterent['descr'] = substr("NAT " . $_POST['descr'], 0, 59);
|
| 239 | 269 |
|
| 240 |
// If we had a previous rule association, update this rule with that ID so we don't lose association |
|
| 241 |
if ($natent['associated-filter-rule-id'] > 0) |
|
| 242 |
$filterent['id'] = $natent['associated-filter-rule-id']; |
|
| 243 |
// If we wanted this rule to be associated, make sure the NAT entry is updated with the same ID |
|
| 244 |
else if($_POST['filter-rule-association']=='add-associated') |
|
| 270 |
// If this is a new rule, create an ID and add the rule |
|
| 271 |
if( $_POST['filter-rule-association']=='add-associated' ) {
|
|
| 245 | 272 |
$natent['associated-filter-rule-id'] = $filterent['id'] = get_next_id($config['filter']['rule']); |
| 246 | 273 |
|
| 247 |
$config['filter']['rule'][] = $filterent; |
|
| 274 |
$config['filter']['rule'][] = $filterent; |
|
| 275 |
} |
|
| 248 | 276 |
|
| 249 | 277 |
mark_subsystem_dirty('filter');
|
| 250 | 278 |
} |
| 251 | 279 |
|
| 252 |
// Update NAT entry after creating/updating the firewall rule, so we have it's rule ID if one was created
|
|
| 280 |
// Update the NAT entry now
|
|
| 253 | 281 |
if (isset($id) && $a_nat[$id]) |
| 254 | 282 |
$a_nat[$id] = $natent; |
| 255 | 283 |
else {
|
| ... | ... | |
| 433 | 461 |
<option value="">None</option> |
| 434 | 462 |
<option value="pass" <?php if($pconfig['associated-filter-rule-id'] == "pass") echo " SELECTED"; ?>>Pass</option> |
| 435 | 463 |
<?php foreach ($config['filter']['rule'] as $filter_rule): ?> |
| 436 |
<?php if (isset($filter_rule['id']) && $filter_rule['id']>0): ?> |
|
| 464 |
<?php if (isset($filter_rule['id']) && $filter_rule['id']>0 && ( isset($filter_rule['associated-nat-rule-id'])===false || $filter_rule['id']==$pconfig['associated-filter-rule-id'])): ?>
|
|
| 437 | 465 |
<option value="<?php echo $filter_rule['id']; ?>"<?php if($filter_rule['id']==$pconfig['associated-filter-rule-id']) echo " SELECTED"; ?>> |
| 438 | 466 |
<?php echo htmlspecialchars('Rule ' . $filter_rule['id'] . ' - ' . $filter_rule['descr']); ?>
|
| 439 | 467 |
</option> |
| 440 | 468 |
<?php endif; ?> |
| 441 | 469 |
<?php endforeach; ?> |
| 470 |
<?php if ( ($pconfig['associated-filter-rule-id']>0)===false ): ?> |
|
| 471 |
<option value="new">Create new associated filter rule</option> |
|
| 472 |
<?php endif; ?> |
|
| 442 | 473 |
</select> |
| 474 |
<?php if($pconfig['associated-filter-rule-id']>0): ?> |
|
| 475 |
<?php |
|
| 476 |
foreach( $config['filter']['rule'] as $index => $filter_rule ) {
|
|
| 477 |
if( $filter_rule['id']==$pconfig['associated-filter-rule-id'] ) {
|
|
| 478 |
?> |
|
| 479 |
<a href="firewall_rules_edit.php?id=<?=$index;?>">View the filter rule</a> |
|
| 480 |
<?php |
|
| 481 |
break; |
|
| 482 |
} |
|
| 483 |
} |
|
| 484 |
?> |
|
| 485 |
<?php endif; ?> |
|
| 443 | 486 |
</td> |
| 444 | 487 |
</tr> |
| 445 | 488 |
<?php endif; ?> |
Also available in: Unified diff
Add patch from lietu (Janne Enberg). Ticket #136
1) Multiple NAT rules can be assigned the same filter rule
-> Fixed, added assigned-nat-rule-id to filter rules to keep track of the assignment
2) when removing the link (i.e. switching to "pass" or "none", the linked rule isn't deleted (should it be? probably yes)
-> Fixed, when a NAT rule's association is removed, the filter rule is deleted. Added a "create new associated filter rule" option to the
dropdown if there is none selected.
3) The destination IP and port of linked rules can be edited in firewall_rules_edit.php and shouldn't be. Source should be editable but not
destination, since that should strictly be tied to the NAT rule.
-> Fixed, you cannot edit the destination for the filter rules that are linked to NAT rules, this has been disabled both by JavaScript and
PHP.
4) If you edit the source in a linked firewall rule, it gets overwritten when you edit the NAT rule. The NAT rule should never touch the
firewall rule source after the rule exists.
-> Fixed, previously the old rule was deleted and a new one created, now it only updates the old rule and doesn't touch the source.
Also added crosslinking from the NAT rule to the filter rule and back, so you can jump to edit the filter rule from the NAT rule and
vice-versa.