Revision 473d0ff0
Added by Pierre POMES over 15 years ago
| usr/local/www/firewall_rules_edit.php | ||
|---|---|---|
| 156 | 156 |
|
| 157 | 157 |
//schedule support |
| 158 | 158 |
$pconfig['sched'] = $a_filter[$id]['sched']; |
| 159 |
$pconfig['associated-nat-rule-id'] = $a_filter[$id]['associated-nat-rule-id']; |
|
| 159 | 160 |
|
| 160 | 161 |
} else {
|
| 161 | 162 |
/* defaults */ |
| ... | ... | |
| 243 | 244 |
} |
| 244 | 245 |
|
| 245 | 246 |
/* input validation */ |
| 246 |
$reqdfields = explode(" ", "type proto src dst");
|
|
| 247 |
$reqdfieldsn = explode(",", "Type,Protocol,Source,Destination");
|
|
| 247 |
$reqdfields = explode(" ", "type proto src");
|
|
| 248 |
if ( isset($a_filter[$id]['associated-nat-rule-id'])===false ) |
|
| 249 |
$redqfields[] = "dst"; |
|
| 250 |
$reqdfieldsn = explode(",", "Type,Protocol,Source");
|
|
| 251 |
if ( isset($a_filter[$id]['associated-nat-rule-id'])===false ) |
|
| 252 |
$reqdfieldsn[] = "Destination"; |
|
| 248 | 253 |
|
| 249 | 254 |
if($_POST['statetype'] == "modulate state" or $_POST['statetype'] == "synproxy state") {
|
| 250 | 255 |
if( $_POST['proto'] != "tcp" ) |
| ... | ... | |
| 257 | 262 |
$reqdfields[] = "srcmask"; |
| 258 | 263 |
$reqdfieldsn[] = "Source bit count"; |
| 259 | 264 |
} |
| 260 |
if (!(is_specialnet($_POST['dsttype']) || ($_POST['dsttype'] == "single"))) {
|
|
| 265 |
if ( isset($a_filter[$id]['associated-nat-rule-id'])===false && |
|
| 266 |
(!(is_specialnet($_POST['dsttype']) || ($_POST['dsttype'] == "single"))) ) {
|
|
| 261 | 267 |
$reqdfields[] = "dstmask"; |
| 262 | 268 |
$reqdfieldsn[] = "Destination bit count"; |
| 263 | 269 |
} |
| ... | ... | |
| 454 | 460 |
$filterent['sched'] = $_POST['sched']; |
| 455 | 461 |
} |
| 456 | 462 |
|
| 463 |
// If we have an associated nat rule, make sure the destination doesn't change |
|
| 464 |
if( isset($a_filter[$id]['associated-nat-rule-id']) ) {
|
|
| 465 |
$filterent['destination'] = $a_filter[$id]['destination']; |
|
| 466 |
$filterent['associated-nat-rule-id'] = $a_filter[$id]['associated-nat-rule-id']; |
|
| 467 |
} |
|
| 468 |
|
|
| 457 | 469 |
if (isset($id) && $a_filter[$id]) |
| 458 | 470 |
$a_filter[$id] = $filterent; |
| 459 | 471 |
else {
|
| ... | ... | |
| 746 | 758 |
<tr> |
| 747 | 759 |
<td width="22%" valign="top" class="vncellreq">Destination</td> |
| 748 | 760 |
<td width="78%" class="vtable"> |
| 749 |
<input name="dstnot" type="checkbox" id="dstnot" value="yes" <?php if ($pconfig['dstnot']) echo "checked"; ?>> |
|
| 761 |
<?php $dst_disabled=false; ?> |
|
| 762 |
<?php if( isset($pconfig['associated-nat-rule-id']) ): ?> |
|
| 763 |
<span class="red"><strong>NOTE: </strong></span> This is an associated to a NAT rule.<br /> |
|
| 764 |
You cannot edit the destination of associated filter rules.<br /> |
|
| 765 |
<br /> |
|
| 766 |
<a href="firewall_nat_edit.php?id=<?=$pconfig['associated-nat-rule-id'];?>">View the NAT rule</a><br /> |
|
| 767 |
<br /> |
|
| 768 |
<?php $dst_disabled=true; ?> |
|
| 769 |
<script type="text/javascript"> |
|
| 770 |
dstenabled = 0; |
|
| 771 |
</script> |
|
| 772 |
<?php endif; ?> |
|
| 773 |
<input<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dstnot" type="checkbox" id="dstnot" value="yes" <?php if ($pconfig['dstnot']) echo "checked"; ?>> |
|
| 750 | 774 |
<strong>not</strong> |
| 751 | 775 |
<br /> |
| 752 | 776 |
Use this option to invert the sense of the match. |
| ... | ... | |
| 756 | 780 |
<tr> |
| 757 | 781 |
<td>Type: </td> |
| 758 | 782 |
<td> |
| 759 |
<select name="dsttype" class="formselect" onChange="typesel_change()"> |
|
| 783 |
<select<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dsttype" class="formselect" onChange="typesel_change()">
|
|
| 760 | 784 |
<?php |
| 761 | 785 |
$sel = is_specialnet($pconfig['dst']); ?> |
| 762 | 786 |
<option value="any" <?php if ($pconfig['dst'] == "any") { echo "selected"; } ?>>any</option>
|
| ... | ... | |
| 786 | 810 |
<tr> |
| 787 | 811 |
<td>Address: </td> |
| 788 | 812 |
<td> |
| 789 |
<input name="dst" type="text" class="formfldalias" id="dst" size="20" value="<?php if (!is_specialnet($pconfig['dst'])) echo htmlspecialchars($pconfig['dst']);?>"> |
|
| 813 |
<input<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dst" type="text" class="formfldalias" id="dst" size="20" value="<?php if (!is_specialnet($pconfig['dst'])) echo htmlspecialchars($pconfig['dst']);?>">
|
|
| 790 | 814 |
/ |
| 791 |
<select name="dstmask" class="formselect" id="dstmask"> |
|
| 815 |
<select<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dstmask" class="formselect" id="dstmask">
|
|
| 792 | 816 |
<?php |
| 793 | 817 |
for ($i = 31; $i > 0; $i--): ?> |
| 794 | 818 |
<option value="<?=$i;?>" <?php if ($i == $pconfig['dstmask']) echo "selected"; ?>><?=$i;?></option> |
| ... | ... | |
| 806 | 830 |
<tr> |
| 807 | 831 |
<td>from: </td> |
| 808 | 832 |
<td> |
| 809 |
<select name="dstbeginport" class="formselect" onchange="dst_rep_change();ext_change()"> |
|
| 833 |
<select<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dstbeginport" class="formselect" onchange="dst_rep_change();ext_change()">
|
|
| 810 | 834 |
<option value="">(other)</option> |
| 811 | 835 |
<option value="any" <?php $bfound = 0; if ($pconfig['dstbeginport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
|
| 812 | 836 |
<?php foreach ($wkports as $wkport => $wkportdesc): ?> |
| 813 | 837 |
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstbeginport']) { echo "selected"; $bfound = 1; }?>><?=htmlspecialchars($wkportdesc);?></option>
|
| 814 | 838 |
<?php endforeach; ?> |
| 815 | 839 |
</select> |
| 816 |
<input autocomplete='off' class="formfldalias" name="dstbeginport_cust" id="dstbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstbeginport']) echo $pconfig['dstbeginport']; ?>"> |
|
| 840 |
<input<?php echo ($dst_disabled===true?' DISABLED':''); ?> autocomplete='off' class="formfldalias" name="dstbeginport_cust" id="dstbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstbeginport']) echo $pconfig['dstbeginport']; ?>">
|
|
| 817 | 841 |
</td> |
| 818 | 842 |
</tr> |
| 819 | 843 |
<tr> |
| 820 | 844 |
<td>to:</td> |
| 821 | 845 |
<td> |
| 822 |
<select name="dstendport" class="formselect" onchange="ext_change()"> |
|
| 846 |
<select<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dstendport" class="formselect" onchange="ext_change()">
|
|
| 823 | 847 |
<option value="">(other)</option> |
| 824 | 848 |
<option value="any" <?php $bfound = 0; if ($pconfig['dstendport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
|
| 825 | 849 |
<?php foreach ($wkports as $wkport => $wkportdesc): ?> |
| 826 | 850 |
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstendport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
|
| 827 | 851 |
<?php endforeach; ?> |
| 828 | 852 |
</select> |
| 829 |
<input autocomplete='off' class="formfldalias" name="dstendport_cust" id="dstendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstendport']) echo $pconfig['dstendport']; ?>"> |
|
| 853 |
<input<?php echo ($dst_disabled===true?' DISABLED':''); ?> autocomplete='off' class="formfldalias" name="dstendport_cust" id="dstendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstendport']) echo $pconfig['dstendport']; ?>">
|
|
| 830 | 854 |
</td> |
| 831 | 855 |
</tr> |
| 832 | 856 |
</table> |
Also available in: Unified diff
Add patch from lietu (Janne Enberg). Ticket #136
1) Multiple NAT rules can be assigned the same filter rule
-> Fixed, added assigned-nat-rule-id to filter rules to keep track of the assignment
2) when removing the link (i.e. switching to "pass" or "none", the linked rule isn't deleted (should it be? probably yes)
-> Fixed, when a NAT rule's association is removed, the filter rule is deleted. Added a "create new associated filter rule" option to the
dropdown if there is none selected.
3) The destination IP and port of linked rules can be edited in firewall_rules_edit.php and shouldn't be. Source should be editable but not
destination, since that should strictly be tied to the NAT rule.
-> Fixed, you cannot edit the destination for the filter rules that are linked to NAT rules, this has been disabled both by JavaScript and
PHP.
4) If you edit the source in a linked firewall rule, it gets overwritten when you edit the NAT rule. The NAT rule should never touch the
firewall rule source after the rule exists.
-> Fixed, previously the old rule was deleted and a new one created, now it only updates the old rule and doesn't touch the source.
Also added crosslinking from the NAT rule to the filter rule and back, so you can jump to edit the filter rule from the NAT rule and
vice-versa.