48 |
48 |
*/
|
49 |
49 |
$used_pftpx_ports = array();
|
50 |
50 |
|
|
51 |
/* Used to hold the interface list that will be used on ruleset creation. */
|
|
52 |
$FilterIflist = array();
|
|
53 |
|
51 |
54 |
function filter_pflog_start() {
|
52 |
55 |
global $config, $g;
|
53 |
56 |
|
... | ... | |
58 |
61 |
|
59 |
62 |
mute_kernel_msgs();
|
60 |
63 |
|
61 |
|
$pid = `ps awwwux | grep -v "grep" | grep "tcpdump -v -l -n -e -ttt -i pflog0" | awk '{ print $2 }'`;
|
|
64 |
$pid = 0;
|
|
65 |
if (!$g['booting'])
|
|
66 |
$pid = `ps awwwux | grep -v "grep" | grep "tcpdump -v -l -n -e -ttt -i pflog0" | awk '{ print $2 }'`;
|
62 |
67 |
if(!$pid)
|
63 |
68 |
mwexec_bg("/usr/sbin/tcpdump -v -l -n -e -ttt -i pflog0 | logger -t pf -p local0.info");
|
64 |
69 |
|
... | ... | |
79 |
84 |
|
80 |
85 |
/* reload filter sync */
|
81 |
86 |
function filter_configure_sync() {
|
82 |
|
global $config, $g, $after_filter_configure_run;
|
|
87 |
global $config, $g, $after_filter_configure_run, $FilterIflist;
|
83 |
88 |
filter_pflog_start();
|
84 |
89 |
update_filter_reload_status("Initializing");
|
85 |
90 |
/* invalidate interface cache */
|
... | ... | |
117 |
122 |
}
|
118 |
123 |
}
|
119 |
124 |
|
120 |
|
$lan_if = $config['interfaces']['lan']['if'];
|
121 |
|
$wan_if = get_real_wan_interface();
|
|
125 |
/* Get interface list to work with. */
|
|
126 |
generate_optcfg_array();
|
122 |
127 |
|
123 |
128 |
/* generate aliases */
|
124 |
129 |
if($g['booting'] == true) echo ".";
|
... | ... | |
150 |
155 |
}
|
151 |
156 |
|
152 |
157 |
$fd = fopen("{$g['tmp_path']}/rules.debug", "w");
|
153 |
|
$rules = $aliases . " \n";
|
|
158 |
$rules .= "{$aliases} \n";
|
154 |
159 |
|
155 |
160 |
update_filter_reload_status("Setting up logging information");
|
156 |
161 |
|
... | ... | |
171 |
176 |
$rules .= "\n";
|
172 |
177 |
|
173 |
178 |
update_filter_reload_status("Setting up SCRUB information");
|
174 |
|
/* get our wan interface? */
|
175 |
|
$wanif = get_real_wan_interface();
|
176 |
179 |
|
177 |
180 |
/* disable scrub option */
|
178 |
181 |
if(!isset($config['system']['disablescrub'])) {
|
... | ... | |
303 |
306 |
}
|
304 |
307 |
|
305 |
308 |
function filter_generate_aliases() {
|
306 |
|
global $config, $g;
|
|
309 |
global $config, $FilterIflist;
|
307 |
310 |
if(isset($config['system']['developerspew'])) {
|
308 |
311 |
$mt = microtime();
|
309 |
312 |
echo "filter_generate_aliases() being called $mt\n";
|
310 |
313 |
}
|
311 |
|
$aliases = "";
|
312 |
|
|
313 |
|
$i = 0;
|
314 |
|
|
315 |
|
if($config['interfaces']['lan'])
|
316 |
|
$lanip = find_interface_ip($config['interfaces']['lan']['if']);
|
317 |
|
|
318 |
|
$wanip = find_interface_ip(get_real_wan_interface());
|
319 |
|
|
320 |
|
if($config['interfaces']['lan'])
|
321 |
|
$lan_aliases = " " . link_ip_to_carp_interface($lanip);
|
322 |
|
|
323 |
|
$wan_aliases = " " . link_ip_to_carp_interface($wanip);
|
324 |
|
|
325 |
|
if($config['interfaces']['lan']) {
|
326 |
|
if(link_int_to_bridge_interface("lan"))
|
327 |
|
$lan_aliases .= " " . link_int_to_bridge_interface("lan");
|
328 |
|
}
|
329 |
|
if(link_int_to_bridge_interface("wan"))
|
330 |
|
$wan_aliases .= " " . link_int_to_bridge_interface("wan");
|
|
314 |
$alias = "#System aliases\n ";
|
331 |
315 |
|
332 |
|
$aliases .= "# System Aliases \n";
|
333 |
316 |
$aliases .= "loopback = \"{ lo0 }\"\n";
|
334 |
317 |
|
335 |
|
if($config['interfaces']['lan'])
|
336 |
|
$aliases .= "lan = \"{ {$config['interfaces']['lan']['if']}{$lan_aliases} }\"\n";
|
337 |
|
|
338 |
|
$wanif = get_real_wan_interface();
|
339 |
|
|
340 |
|
/* carpdev support on WAN */
|
341 |
|
if($config['interfaces']['wan']['ipaddr'] == "carpdev-dhcp") {
|
342 |
|
$viparr = &$config['virtualip']['vip'];
|
343 |
|
$counter = 0;
|
344 |
|
if(is_array($viparr))
|
345 |
|
foreach ($viparr as $vip) {
|
346 |
|
if ($vip['mode'] == "carpdev-dhcp") {
|
347 |
|
if($vip['interface'] == "wan") {
|
348 |
|
if($counter == 0)
|
349 |
|
$wanif = "";
|
350 |
|
$wanif .= " carp{$counter}";
|
351 |
|
$aliases .= "carp{$counter} = \"{ carp{$counter} }\"\n";
|
352 |
|
}
|
353 |
|
$counter++;
|
|
318 |
$bridgetracker = 0;
|
|
319 |
foreach ($FilterIflist as $if => $ifcfg) {
|
|
320 |
$aliases .= "{$ifcfg['descr']} = \"{ ";
|
|
321 |
$aliases .= "{$ifcfg['if']} ";
|
|
322 |
|
|
323 |
if(link_int_to_bridge_interface($if))
|
|
324 |
$aliases .= " " . link_int_to_bridge_interface($if);
|
|
325 |
/* XXX: Ugly but this avoids uneccesary pollution in aliases. */
|
|
326 |
if ($ifcfg['ip'] != "carpdev-dhcp") {
|
|
327 |
$ip = find_interface_ip($ifcfg['if']);
|
|
328 |
if($ip) {
|
|
329 |
$carp_ints = link_ip_to_carp_interface($ip);
|
|
330 |
if($carp_ints)
|
|
331 |
$aliases .= $carp_ints;
|
354 |
332 |
}
|
355 |
333 |
}
|
356 |
|
}
|
357 |
|
|
358 |
|
if($config['interfaces']['wan']['ipaddr'] == "pppoe") {
|
359 |
|
$aliases .= "pppoe0 = \"{ " . $wanif . " " . get_real_wan_interface() . " }\" \n";
|
360 |
|
$aliases .= "wan = \"{ " . $wanif . "{$wan_aliases} pppoe0 }\"\n";
|
361 |
|
} else if ($config['interfaces']['wan']['ipaddr'] == "pptp") {
|
362 |
|
$aliases .= "pptp0 = \"{ " . $wanif . " " . get_real_wan_interface() . " }\" \n";
|
363 |
|
$aliases .= "wan = \"{ " . $wanif . "{$wan_aliases} pptp0 }\"\n";
|
364 |
|
} else {
|
365 |
|
$aliases .= "wan = \"{ " . $wanif . "{$wan_aliases} }\"\n";
|
366 |
|
}
|
367 |
|
|
368 |
|
$aliases .= "enc0 = \"{ enc0 }\"\n";
|
369 |
|
|
370 |
|
/* used to count netgraph interfaces */
|
371 |
|
$counter = 0;
|
372 |
|
|
373 |
|
/* ng ordering is VERY important here. do not alter order */
|
374 |
|
if($config['pptpd']['mode'] == "server") {
|
375 |
|
/* build pptp alias */
|
376 |
|
$tmp = "pptp = \"{ ";
|
377 |
|
$starting_pptp = 1;
|
378 |
|
if($config['interfaces']['wan']['ipaddr'] == "pppoe")
|
379 |
|
$starting_pptp = 1;
|
380 |
|
for($x=$starting_pptp; $x<$g["n_pptp_units"]+$starting_pptp; $x++)
|
381 |
|
$tmp .= "ng{$x} ";
|
382 |
|
$counter = $x;
|
383 |
|
$tmp .= "}\" \n";
|
384 |
|
if($counter > 0)
|
385 |
|
$aliases .= $tmp;
|
386 |
|
}
|
387 |
|
if($config['pppoe']['mode'] == "server") {
|
388 |
|
/* build pppoe alias */
|
389 |
|
$tmp = "pppoe = \"{ ";
|
390 |
|
$starting_pppoe = 1;
|
391 |
|
if($config['interfaces']['wan']['ipaddr'] == "pppoe")
|
392 |
|
$starting_pppoe = 1;
|
393 |
|
for($x=0; $x<$g["n_pppoe_units"]+$starting_pppoe; $x++) {
|
394 |
|
$tmp .= "ng{$counter} ";
|
395 |
|
$counter++;
|
396 |
|
}
|
397 |
|
$tmp .= "}\" \n";
|
398 |
|
if($x > 0)
|
399 |
|
$aliases .= $tmp;
|
400 |
|
}
|
401 |
334 |
|
402 |
|
|
403 |
|
/* if list */
|
404 |
|
$ifdescrs = get_configured_interface_list(true);
|
405 |
|
|
406 |
|
$bridgetracker = 0;
|
407 |
|
foreach ($ifdescrs as $ifdescr => $ifname) {
|
408 |
|
$aliases .= convert_friendly_interface_to_friendly_descr($ifname) . " = \"{ " . filter_opt_interface_to_real($ifname);
|
409 |
|
if(link_int_to_bridge_interface($ifname))
|
410 |
|
$aliases .= " " . link_int_to_bridge_interface($ifname);
|
411 |
|
$optip = find_interface_ip($config['interfaces'][$ifname]['if']);
|
412 |
|
if($optip) {
|
413 |
|
$opt_carp_ints = link_ip_to_carp_interface($optip);
|
414 |
|
if($opt_carp_ints)
|
415 |
|
$aliases .= $opt_carp_ints;
|
416 |
|
}
|
417 |
335 |
$aliases .= " }\"\n";
|
418 |
|
/* XXX TODO: below comment and subsequent two lines of code from
|
419 |
|
Adam Lebsack <adam at holonyx dot com>
|
420 |
|
I'm not sure what it means, marking this to look into. cmb@
|
421 |
|
|
422 |
|
add an alias, since much of the filter code is broken when it comes to
|
423 |
|
finding out the real interface */
|
424 |
|
if(preg_match("/^ppp_(.+)$/", $config['interfaces'][$ifname]['if'], $matches))
|
425 |
|
$aliases .= "{$config['interfaces'][$ifname]['if']} = \"ppp0\"\n";
|
426 |
336 |
}
|
427 |
337 |
$aliases .= "# User Aliases \n";
|
428 |
338 |
/* Setup pf groups */
|
429 |
339 |
if (isset($config['aliases']['alias'])) {
|
430 |
|
foreach ($config['aliases']['alias'] as $alias) {
|
|
340 |
foreach ($config['aliases']['alias'] as $aliased) {
|
431 |
341 |
$extraalias = "";
|
432 |
|
$ip = find_interface_ip($alias['address']);
|
|
342 |
$ip = find_interface_ip($aliased['address']);
|
433 |
343 |
$extraalias = " " . link_ip_to_carp_interface($ip);
|
434 |
|
$aliases .= "{$alias['name']} = \"{ {$alias['address']}{$extralias} }\"\n";
|
|
344 |
$aliases .= "{$aliased['name']} = \"{ {$aliased['address']}{$extralias} }\"\n";
|
435 |
345 |
}
|
436 |
346 |
}
|
437 |
347 |
|
438 |
|
return $aliases;
|
|
348 |
$result = "{$alias} \n";
|
|
349 |
$result .= "{$aliases}";
|
|
350 |
return $result;
|
439 |
351 |
}
|
440 |
352 |
|
441 |
353 |
/* returns space seperated list of vpn subnets */
|
... | ... | |
486 |
398 |
|
487 |
399 |
foreach ($iflist as $ifent => $ifname) {
|
488 |
400 |
/* do not process interfaces that will end up with gateways */
|
489 |
|
$interface_ip = find_interface_ip(convert_friendly_interface_to_real_interface_name($ifname));
|
490 |
|
$sn = $config['interfaces'][$ifname]['subnet'];
|
|
401 |
$interface_ip = get_current_wan_address($ifent);
|
|
402 |
$sn = $config['interfaces'][$ifent]['subnet'];
|
491 |
403 |
if($sn == "") {
|
492 |
404 |
$subnet = "{$interface_ip}/32";
|
493 |
405 |
} else {
|
494 |
|
$sa = gen_subnet($interface_ip, $config['interfaces'][$ifname]['subnet']);
|
|
406 |
$sa = gen_subnet($interface_ip, $config['interfaces'][$ifent]['subnet']);
|
495 |
407 |
$subnet = "{$sa}/{$sn}";
|
496 |
408 |
}
|
497 |
409 |
if(is_subnet($subnet)) {
|
... | ... | |
505 |
417 |
return $networks;
|
506 |
418 |
}
|
507 |
419 |
|
508 |
|
function generate_optcfg_array(&$optcfg) {
|
509 |
|
global $config;
|
|
420 |
function generate_optcfg_array()
|
|
421 |
{
|
|
422 |
global $config, $FilterIflist;
|
510 |
423 |
if(isset($config['system']['developerspew'])) {
|
511 |
424 |
$mt = microtime();
|
512 |
425 |
echo "generate_optcfg_array() being called $mt\n";
|
513 |
426 |
}
|
514 |
427 |
|
515 |
428 |
/* if list */
|
516 |
|
$iflist = get_configured_interface_list(true);
|
|
429 |
$iflist = get_configured_interface_with_descr();
|
517 |
430 |
|
518 |
431 |
foreach ($iflist as $if => $ifdetail) {
|
519 |
432 |
$oc = $config['interfaces'][$if];
|
520 |
433 |
|
521 |
|
if ($oc['if']) {
|
522 |
|
$oic = array();
|
523 |
|
$oic['if'] = $oc['if'];
|
524 |
|
|
525 |
|
if ($oc['bridge']) {
|
526 |
|
if (!strstr($oc['bridge'], "opt") ||
|
527 |
|
isset($config['interfaces'][$oc['bridge']]['enable'])) {
|
528 |
|
if (is_ipaddr($config['interfaces'][$oc['bridge']]['ipaddr'])) {
|
529 |
|
$oic['ip'] = $config['interfaces'][$oc['bridge']]['ipaddr'];
|
530 |
|
$oic['sn'] = $config['interfaces'][$oc['bridge']]['subnet'];
|
531 |
|
$oic['sa'] = gen_subnet($oic['ip'], $oic['sn']);
|
532 |
|
}
|
533 |
|
}
|
534 |
|
$oic['bridge'] = 1;
|
535 |
|
} else {
|
536 |
|
$oic['ip'] = $oc['ipaddr'];
|
537 |
|
$oic['sn'] = $oc['subnet'];
|
538 |
|
$oic['descr'] = $oc['descr'];
|
|
434 |
$oic = array();
|
|
435 |
$oic['if'] = get_real_wan_interface($if);
|
|
436 |
|
|
437 |
if ($oc['bridge']) {
|
|
438 |
if (isset($config['interfaces'][$oc['bridge']]['enable']) &&
|
|
439 |
is_ipaddr($config['interfaces'][$oc['bridge']]['ipaddr'])) {
|
|
440 |
$oic['ip'] = $config['interfaces'][$oc['bridge']]['ipaddr'];
|
|
441 |
$oic['sn'] = $config['interfaces'][$oc['bridge']]['subnet'];
|
539 |
442 |
$oic['sa'] = gen_subnet($oic['ip'], $oic['sn']);
|
540 |
443 |
}
|
541 |
|
|
542 |
|
$optcfg[$if] = $oic;
|
|
444 |
$oic['descr'] = $ifdetail;
|
|
445 |
$oic['nonat'] = $oc['nonat'];
|
|
446 |
$oic['alias-address'] = $oc['alias-address'];
|
|
447 |
$oic['alias-subnet'] = $oc['alias-subnet'];
|
|
448 |
$oic['gateway'] = $oc['gateway'];
|
|
449 |
$oic['bridge'] = 1;
|
|
450 |
} else {
|
|
451 |
$oic['ip'] = $oc['ipaddr'];
|
|
452 |
$oic['sn'] = $oc['subnet'];
|
|
453 |
$oic['descr'] = $ifdetail;
|
|
454 |
$oic['sa'] = gen_subnet($oic['ip'], $oic['sn']);
|
|
455 |
$oic['nonat'] = $oc['nonat'];
|
|
456 |
$oic['alias-address'] = $oc['alias-address'];
|
|
457 |
$oic['alias-subnet'] = $oc['alias-subnet'];
|
|
458 |
$oic['gateway'] = $oc['gateway'];
|
543 |
459 |
}
|
544 |
|
}
|
|
460 |
|
|
461 |
$FilterIflist[$if] = $oic;
|
|
462 |
}
|
|
463 |
|
|
464 |
if ($config['pptpd']['mode'] == "server") {
|
|
465 |
$oic = array();
|
|
466 |
$oic['if'] = 'pptp';
|
|
467 |
$oic['descr'] = 'PPTP';
|
|
468 |
$oic['ip'] = $config['pptpd']['localip'];
|
|
469 |
$oc['sa'] = $config['pptpd']['remoteip'];
|
|
470 |
$oc['sn'] = $g['pptp_subnet'];
|
|
471 |
if($config['pptpd']['pptp_subnet'] <> "")
|
|
472 |
$oc['sn'] = $config['pptpd']['pptp_subnet'];
|
|
473 |
|
|
474 |
$FilterIflist['pptp'] = $oic;
|
|
475 |
}
|
|
476 |
|
|
477 |
if ($config['pppoe']['mode'] == "server") {
|
|
478 |
$oic = array();
|
|
479 |
$oic['if'] = 'pppoe';
|
|
480 |
$oic['descr'] = 'PPPoE';
|
|
481 |
$oc['ip'] = $config['pppoe']['localip'];
|
|
482 |
$oc['sa'] = $config['pppoe']['remoteip'];
|
|
483 |
$oc['sn'] = $g['pppoe_subnet'];
|
|
484 |
if($config['pppoe']['pppoe_subnet'] <> "")
|
|
485 |
$oc['sn'] = $config['pppoe']['pppoe_subnet'];
|
|
486 |
|
|
487 |
$FilterIflist['pppoe'] = $oic;
|
|
488 |
}
|
|
489 |
|
|
490 |
/* add ipsec interfaces */
|
|
491 |
if (isset($config['ipsec']['enable']) ||
|
|
492 |
isset($config['ipsec']['mobileclients']['enable'])) {
|
|
493 |
$oic = array();
|
|
494 |
$oic['if'] = 'enc0';
|
|
495 |
$oic['descr'] = 'IPsec';
|
|
496 |
$oic['ip'] = "none";
|
|
497 |
$FilterIflist['enc0'] = $oic;
|
|
498 |
}
|
|
499 |
|
|
500 |
/* add openvpn/tun interfaces */
|
|
501 |
if ($config['installedpackages']["openvpnserver"] ||
|
|
502 |
$config['installedpackages']["openvpnclient"]) {
|
|
503 |
if (!empty($config['installedpackages']["openvpnserver"]['config']) ||
|
|
504 |
!empty($config['installedpackages']["openvpnclient"]['config'])) {
|
|
505 |
$oic = array();
|
|
506 |
$oic['if'] = 'openvpn';
|
|
507 |
$oic['descr'] = 'OpenVPN';
|
|
508 |
$oic['ip'] = "none";
|
|
509 |
$FilterIflist['openvpn'] = $oic;
|
|
510 |
}
|
|
511 |
}
|
545 |
512 |
}
|
546 |
513 |
|
547 |
|
function filter_flush_nat_table() {
|
|
514 |
function filter_flush_nat_table()
|
|
515 |
{
|
548 |
516 |
global $config, $g;
|
549 |
517 |
if(isset($config['system']['developerspew'])) {
|
550 |
518 |
$mt = microtime();
|
... | ... | |
553 |
521 |
return mwexec("/sbin/pfctl -F nat");
|
554 |
522 |
}
|
555 |
523 |
|
556 |
|
function filter_flush_state_table() {
|
|
524 |
function filter_flush_state_table()
|
|
525 |
{
|
557 |
526 |
global $config, $g;
|
558 |
527 |
|
559 |
528 |
return mwexec("/sbin/pfctl -F state");
|
560 |
529 |
}
|
561 |
530 |
|
562 |
531 |
/* Generate a 'nat on' or 'no nat on' rule for given interface */
|
563 |
|
function filter_nat_rules_generate_if($if, $src = "any", $srcport = "", $dst = "any", $dstport = "", $natip = "", $natport = "", $nonat = false, $staticnatport = false) {
|
|
532 |
function filter_nat_rules_generate_if($if, $src = "any", $srcport = "", $dst = "any", $dstport = "", $natip = "", $natport = "", $nonat = false, $staticnatport = false)
|
|
533 |
{
|
564 |
534 |
global $config;
|
565 |
535 |
|
566 |
536 |
/* XXX: billm - any idea if this code is needed? */
|
567 |
537 |
if($src == "/32" || $src{0} == "/")
|
568 |
|
return;
|
|
538 |
return "# src incorrectly specified\n";
|
569 |
539 |
|
570 |
540 |
/* Use interface name if IP isn't specified */
|
571 |
541 |
if ($natip != "")
|
572 |
542 |
$tgt = "{$natip}/32";
|
573 |
543 |
else
|
574 |
|
$tgt = "($if)";
|
575 |
|
|
576 |
|
if($if == $config['interfaces']['wan']['if']) {
|
577 |
|
/* carpdev support on WAN */
|
578 |
|
if($config['interfaces']['wan']['ipaddr'] == "carpdev-dhcp") {
|
579 |
|
$viparr = &$config['virtualip']['vip'];
|
580 |
|
$counter = 0;
|
581 |
|
if(is_array($viparr))
|
582 |
|
foreach ($viparr as $vip) {
|
583 |
|
if ($vip['mode'] == "carpdev-dhcp") {
|
584 |
|
if($vip['interface'] == "wan")
|
585 |
|
$tgt = "carp{$counter}";
|
586 |
|
$counter++;
|
587 |
|
}
|
588 |
|
}
|
589 |
|
}
|
590 |
|
}
|
|
544 |
$tgt = "(". get_real_wan_interface($if).")";
|
591 |
545 |
|
592 |
546 |
/* Add the hard set source port (useful for ISAKMP) */
|
593 |
547 |
if ($natport != "")
|
... | ... | |
624 |
578 |
else
|
625 |
579 |
$staticnatport_txt = "";
|
626 |
580 |
|
627 |
|
$if_friendly = convert_real_interface_to_friendly_descr($if);
|
|
581 |
$if_friendly = convert_friendly_interface_to_friendly_descr($if);
|
628 |
582 |
|
629 |
583 |
/* Put all the pieces together */
|
630 |
|
if($if_friendly)
|
|
584 |
if ($if_friendly)
|
631 |
585 |
$natrule = "{$nat} on \${$if_friendly} from {$src} to {$dst} {$target}{$staticnatport_txt}\n";
|
|
586 |
else
|
|
587 |
$natrule .= "# Could not convert {$if} to friendly name(alias)\n";
|
632 |
588 |
|
633 |
589 |
return $natrule;
|
634 |
590 |
}
|
635 |
591 |
|
636 |
|
function is_one_to_one_or_server_nat_rule($iptocheck) {
|
|
592 |
function is_one_to_one_or_server_nat_rule($iptocheck)
|
|
593 |
{
|
637 |
594 |
global $config, $target;
|
638 |
595 |
if(isset($config['system']['developerspew'])) {
|
639 |
596 |
$mt = microtime();
|
... | ... | |
669 |
626 |
return FALSE;
|
670 |
627 |
}
|
671 |
628 |
|
672 |
|
function filter_nat_rules_generate() {
|
673 |
|
global $config, $g, $after_filter_configure_run, $used_pftpx_ports;
|
674 |
|
|
675 |
|
$wancfg = $config['interfaces']['wan'];
|
676 |
|
|
677 |
|
if($config['interfaces']['lan'])
|
678 |
|
$lancfg = $config['interfaces']['lan'];
|
679 |
|
|
680 |
|
$pptpdcfg = $config['pptpd'];
|
681 |
|
$pppoecfg = $config['pppoe'];
|
682 |
|
$wanif = get_real_wan_interface();
|
|
629 |
function filter_nat_rules_generate()
|
|
630 |
{
|
|
631 |
global $config, $g, $after_filter_configure_run, $used_pftpx_ports, $FilterIflist;
|
683 |
632 |
|
684 |
|
if($config['interfaces']['lan']) {
|
685 |
|
$lanif = $config['interfaces']['lan']['if'];
|
686 |
|
$lanip = $config['interfaces']['lan']['ipaddr'];
|
687 |
|
$lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
|
688 |
|
}
|
689 |
|
|
690 |
633 |
$natrules .= "nat-anchor \"ftp-proxy/*\"\n";
|
691 |
634 |
|
692 |
635 |
$natrules .= "nat-anchor \"natearly/*\"\n";
|
693 |
|
$natrules .= "nat-anchor \"natrules/*\"\n";
|
|
636 |
$natrules .= "nat-anchor \"natrules/*\"\n\n";
|
694 |
637 |
|
695 |
|
$natrules .= "# FTP proxy\n";
|
696 |
|
$natrules .= "rdr-anchor \"ftp-proxy/*\"\n";
|
697 |
|
$natrules .= "rdr-anchor \"tftp-proxy/*\"\n";
|
|
638 |
/*
|
|
639 |
$optints = array();
|
|
640 |
generate_optcfg_array($optints);
|
|
641 |
*/
|
698 |
642 |
|
699 |
643 |
update_filter_reload_status("Creating 1:1 rules...");
|
700 |
644 |
|
... | ... | |
706 |
650 |
else
|
707 |
651 |
$sn = $natent['subnet'];
|
708 |
652 |
|
709 |
|
if (!$natent['interface'] || ($natent['interface'] == "wan"))
|
710 |
|
$natif = $wanif;
|
711 |
|
else
|
712 |
|
$natif = $config['interfaces'][$natent['interface']]['if'];
|
|
653 |
if (!$natent['interface'])
|
|
654 |
$natif == "wan";
|
|
655 |
else
|
|
656 |
$natif = $natent['interface'];
|
713 |
657 |
|
714 |
|
if($natif)
|
|
658 |
$natif = get_real_wan_interface($natif);
|
|
659 |
|
|
660 |
if ($natif)
|
715 |
661 |
$natrules .= "binat on $natif from {$natent['internal']}/{$sn} to any -> {$natent['external']}/{$sn}\n";
|
716 |
662 |
}
|
717 |
663 |
}
|
... | ... | |
732 |
678 |
else
|
733 |
679 |
$dst = $obent['destination']['address'];
|
734 |
680 |
|
735 |
|
|
736 |
|
if (!$obent['interface'] || ($obent['interface'] == "wan"))
|
737 |
|
$natif = $wanif;
|
738 |
|
else
|
739 |
|
$natif = $config['interfaces'][$obent['interface']]['if'];
|
|
681 |
if (!$obent['interface'])
|
|
682 |
$natif == "wan";
|
|
683 |
else
|
|
684 |
$natif = $obent['interface'];
|
740 |
685 |
|
741 |
686 |
$natrules .= filter_nat_rules_generate_if($natif,
|
742 |
687 |
$src,
|
... | ... | |
753 |
698 |
} else {
|
754 |
699 |
/* standard outbound rules (one for each interface) */
|
755 |
700 |
update_filter_reload_status("Creating outbound NAT rules");
|
756 |
|
$target = get_current_wan_address($interface = "wan");
|
757 |
|
if(is_ipaddr($wancfg['alias-address'])) {
|
758 |
|
$aliastarget = $wancfg['alias-address'];
|
759 |
|
$aliassubnet = $wancfg['alias-subnet'];
|
760 |
|
if($config['interfaces']['lan'])
|
761 |
|
$natrules .= filter_nat_rules_generate_if($wanif,
|
762 |
|
"{$lansa}/{$lancfg['subnet']}", null, "$aliastarget/$aliassubnet", null, $aliastarget, null, false);
|
763 |
|
}
|
764 |
|
if($config['interfaces']['lan']) {
|
765 |
|
$natrules .= filter_nat_rules_generate_if($wanif,
|
766 |
|
"{$lansa}/{$lancfg['subnet']}", 500, "", 500, $target, 500, false);
|
767 |
|
$natrules .= filter_nat_rules_generate_if($wanif,
|
768 |
|
"{$lansa}/{$lancfg['subnet']}", 4500, "", 4500, $target, 4500, false);
|
769 |
|
$natrules .= filter_nat_rules_generate_if($wanif,
|
770 |
|
"{$lansa}/{$lancfg['subnet']}", 5060, "", 5060, $target, 5060, false);
|
771 |
|
$natrules .= filter_nat_rules_generate_if($wanif,
|
772 |
|
"{$lansa}/{$lancfg['subnet']}", null, "", null, $target, null, false);
|
773 |
|
}
|
774 |
|
|
775 |
|
$optints = array();
|
776 |
|
generate_optcfg_array($optints);
|
777 |
|
|
778 |
|
/* generate lan nat mappings for opts with a gateway opts */
|
779 |
|
foreach($optints as $ocname => $oc) {
|
780 |
|
$opt_interface = $oc['if'];
|
781 |
|
if (interface_has_gateway("$opt_interface")) {
|
782 |
|
if(is_ipaddr($config['interfaces'][$ocname]['alias-address'])) {
|
783 |
|
$aliastarget = $config['interfaces'][$ocname]['alias-address'];
|
784 |
|
$aliassubnet = $config['interfaces'][$ocname]['alias-subnet'];
|
785 |
|
if($config['interfaces']['lan'])
|
786 |
|
$natrules .= filter_nat_rules_generate_if($opt_interface,
|
787 |
|
"{$lansa}/{$lancfg['subnet']}", null, "$aliastarget/$aliassubnet", null, $aliastarget, null, false);
|
788 |
|
}
|
789 |
|
$target = get_current_wan_address($interface = "$ocname");
|
790 |
|
if($config['interfaces']['lan']) {
|
791 |
|
$natrules .= filter_nat_rules_generate_if($opt_interface,
|
792 |
|
"{$lansa}/{$lancfg['subnet']}", 500, "", 500, $target, 500, false);
|
793 |
|
$natrules .= filter_nat_rules_generate_if($opt_interface,
|
794 |
|
"{$lansa}/{$lancfg['subnet']}", 4500, "", 4500, $target, 4500, false);
|
795 |
|
$natrules .= filter_nat_rules_generate_if($opt_interface,
|
796 |
|
"{$lansa}/{$lancfg['subnet']}", 5060, "", 5060, $target, 5060, false);
|
797 |
|
$natrules .= filter_nat_rules_generate_if($opt_interface,
|
798 |
|
"{$lansa}/{$lancfg['subnet']}", null, "", null, $target, null, false);
|
|
701 |
|
|
702 |
$tonathosts = "";
|
|
703 |
$numberofnathosts = 0;
|
|
704 |
/* static routes */
|
|
705 |
if (is_array($config['staticroutes']['route'])) {
|
|
706 |
foreach ($config['staticroutes']['route'] as $route) {
|
|
707 |
$netip = explode("/", $route['network']);
|
|
708 |
if ((! interface_has_gateway($route['interface'])) && (is_private_ip($netip[0]))) {
|
|
709 |
$numberofnathosts++;
|
|
710 |
$tonathosts .= "{$route['network']} ";
|
799 |
711 |
}
|
800 |
712 |
}
|
801 |
713 |
}
|
802 |
714 |
|
803 |
|
/* optional interface if list */
|
804 |
|
$iflist = get_configured_interface_list(true);
|
805 |
|
|
806 |
|
foreach ($iflist as $if => $ifname) {
|
807 |
|
update_filter_reload_status("Creating outbound rules ({$if})");
|
808 |
|
$optcfg = $config['interfaces'][$if];
|
809 |
|
|
810 |
|
if ((!$optcfg['bridge']) && (!interface_has_gateway($if))) {
|
811 |
|
$optsa = gen_subnet($optcfg['ipaddr'], $optcfg['subnet']);
|
812 |
|
$target = get_current_wan_address($interface = "wan");
|
813 |
|
if(is_ipaddr($wancfg['alias-address'])) {
|
814 |
|
$aliastarget = $wancfg['alias-address'];
|
815 |
|
$aliassubnet = $wancfg['alias-subnet'];
|
816 |
|
if($config['interfaces']['lan'])
|
817 |
|
$natrules .= filter_nat_rules_generate_if($if,
|
818 |
|
"{$lansa}/{$lancfg['subnet']}", null, "$aliastarget/$aliassubnet", null, $aliastarget, null, false);
|
|
715 |
/* create outbound nat entries for all local networks */
|
|
716 |
foreach($FilterIflist as $ocname => $oc) {
|
|
717 |
if (!interface_has_gateway($ocname)) {
|
|
718 |
if(is_ipaddr($oc['alias-address'])) {
|
|
719 |
$aliastarget = $oc['alias-address'];
|
|
720 |
$aliassubnet = $oc['alias-subnet'];
|
|
721 |
$numberofnathosts++;
|
|
722 |
$tonathosts .= "{$oc['sa']}/{$oc['sn']} ";
|
819 |
723 |
}
|
820 |
|
/* create outbound nat entries for primary wan */
|
821 |
|
if($config['interfaces']['lan']) {
|
822 |
|
$natrules .= filter_nat_rules_generate_if($wanif,
|
823 |
|
"{$optsa}/{$optcfg['subnet']}", 500, "", 500, $target, 500, false);
|
824 |
|
$natrules .= filter_nat_rules_generate_if($wanif,
|
825 |
|
"{$optsa}/{$optcfg['subnet']}", 4500, "", 4500, $target, 4500, false);
|
826 |
|
$natrules .= filter_nat_rules_generate_if($wanif,
|
827 |
|
"{$optsa}/{$optcfg['subnet']}", 5060, "", 5060, $target, 5060, false);
|
828 |
|
$natrules .= filter_nat_rules_generate_if($wanif,
|
829 |
|
"{$optsa}/{$optcfg['subnet']}", null, "", null, $target, null, isset($optcfg['nonat']));
|
830 |
|
}
|
831 |
|
|
832 |
|
/*
|
833 |
|
* XXX: ermal - is this correct at all or just
|
834 |
|
* curlies mess?!
|
835 |
|
*/
|
836 |
|
/* create outbound nat entries for all opt wans */
|
837 |
|
foreach($optints as $ocname => $oc) {
|
838 |
|
$opt_interface = $oc['if'];
|
839 |
|
if (interface_has_gateway($opt_interface)) {
|
840 |
|
$target = get_current_wan_address($interface = $ocname);
|
841 |
|
if(is_ipaddr($config['interfaces'][$ocname]['alias-address'])) {
|
842 |
|
$aliastarget = $config['interfaces'][$ocname]['alias-address'];
|
843 |
|
$aliassubnet = $config['interfaces'][$ocname]['alias-subnet'];
|
844 |
|
if($config['interfaces']['lan'])
|
845 |
|
$natrules .= filter_nat_rules_generate_if($opt_interface,
|
846 |
|
"{$lansa}/{$lancfg['subnet']}", null, "$aliastarget/$aliassubnet", null, $aliastarget, null, false);
|
847 |
|
}
|
848 |
|
$natrules .= filter_nat_rules_generate_if($opt_interface,
|
849 |
|
"{$optsa}/{$optcfg['subnet']}", 500, "", 500, $target, 500, false);
|
850 |
|
$natrules .= filter_nat_rules_generate_if($opt_interface,
|
851 |
|
"{$optsa}/{$optcfg['subnet']}", 4500, "", 4500, $target, 4500, false);
|
852 |
|
$natrules .= filter_nat_rules_generate_if($opt_interface,
|
853 |
|
"{$optsa}/{$optcfg['subnet']}", 5060, "", 5060, $target, 5060, false);
|
854 |
|
$natrules .= filter_nat_rules_generate_if($opt_interface,
|
855 |
|
"{$optsa}/{$optcfg['subnet']}", null, "", null, $target, null, isset($optcfg['nonat']));
|
856 |
|
}
|
|
724 |
if ($oc['sa']) {
|
|
725 |
$tonathosts .= "{$oc['sa']}/{$oc['sn']} ";
|
|
726 |
$numberofnathosts++;
|
857 |
727 |
}
|
858 |
728 |
}
|
859 |
729 |
}
|
... | ... | |
861 |
731 |
/* PPTP subnet */
|
862 |
732 |
if ($pptpdcfg['mode'] == "server") {
|
863 |
733 |
$pptp_subnet = $g['pptp_subnet'];
|
864 |
|
if($config['pptp']['pptp_subnet'] <> "")
|
|
734 |
if ($config['pptp']['pptp_subnet'] <> "")
|
865 |
735 |
$pptp_subnet = $config['pptp']['pptp_subnet'];
|
866 |
|
$target = get_current_wan_address($interface = "wan");
|
867 |
|
$natrules .= filter_nat_rules_generate_if($wanif,
|
868 |
|
"{$pptpdcfg['remoteip']}/{$pptp_subnet}", 500, "", 500, $target, 500, false);
|
869 |
|
$natrules .= filter_nat_rules_generate_if($wanif,
|
870 |
|
"{$pptpdcfg['remoteip']}/{$pptp_subnet}", 4500, "", 4500, $target, 4500, false);
|
871 |
|
$natrules .= filter_nat_rules_generate_if($wanif,
|
872 |
|
"{$pptpdcfg['remoteip']}/{$pptp_subnet}", 5060, "", 5060, $target, 5060, false);
|
873 |
|
$natrules .= filter_nat_rules_generate_if($wanif,
|
874 |
|
"{$pptpdcfg['remoteip']}/{$pptp_subnet}", null, "", null, $target, null, false);
|
875 |
|
|
876 |
|
/* generate nat mappings for opts with a gateway opts */
|
877 |
|
foreach($optints as $ocname => $oc) {
|
878 |
|
$opt_interface = $oc['if'];
|
879 |
|
if ((is_private_ip($pptpdcfg['remoteip'])) && (interface_has_gateway($opt_interface))) {
|
880 |
|
$target = get_current_wan_address($interface = "$ocname");
|
881 |
|
$natrules .= filter_nat_rules_generate_if($opt_interface,
|
882 |
|
"{$pptpdcfg['remoteip']}/{$pptp_subnet}", 500, "", 500, $target, 500, false);
|
883 |
|
$natrules .= filter_nat_rules_generate_if($opt_interface,
|
884 |
|
"{$pptpdcfg['remoteip']}/{$pptp_subnet}", 4500, "", 4500, $target, 4500, false);
|
885 |
|
$natrules .= filter_nat_rules_generate_if($opt_interface,
|
886 |
|
"{$pptpdcfg['remoteip']}/{$pptp_subnet}", 5060, "", 5060, $target, 5060, false);
|
887 |
|
$natrules .= filter_nat_rules_generate_if($opt_interface,
|
888 |
|
"{$pptpdcfg['remoteip']}/{$pptp_subnet}", null, "", null, $target, null, false);
|
889 |
|
}
|
|
736 |
|
|
737 |
if (is_private_ip($pptpdcfg['remoteip'])) {
|
|
738 |
$numberofnathosts++;
|
|
739 |
$tonathosts .= "{$pptpdcfg['remoteip']}/{$pptp_subnet} ";
|
890 |
740 |
}
|
891 |
741 |
}
|
892 |
742 |
|
893 |
743 |
/* PPPoE subnet */
|
894 |
744 |
if ($pppoecfg['mode'] == "server") {
|
895 |
745 |
$pppoe_subnet = $g['pppoe_subnet'];
|
896 |
|
if($config['pppoe']['pppoe_subnet'] <> "")
|
|
746 |
if ($config['pppoe']['pppoe_subnet'] <> "")
|
897 |
747 |
$pppoe_subnet = $config['pppoe']['pppoe_subnet'];
|
898 |
|
$target = get_current_wan_address($interface = "wan");
|
899 |
|
$natrules .= filter_nat_rules_generate_if($wanif,
|
900 |
|
"{$pppoecfg['remoteip']}/{$pppoe_subnet}", 500, "", 500, $target, 500, false);
|
901 |
|
$natrules .= filter_nat_rules_generate_if($wanif,
|
902 |
|
"{$pppoecfg['remoteip']}/{$pppoe_subnet}", 4500, "", 4500, $target, 4500, false);
|
903 |
|
$natrules .= filter_nat_rules_generate_if($wanif,
|
904 |
|
"{$pppoecfg['remoteip']}/{$pppoe_subnet}", 5060, "", 5060, $target, 5060, false);
|
905 |
|
$natrules .= filter_nat_rules_generate_if($wanif,
|
906 |
|
"{$pppoecfg['remoteip']}/{$pppoe_subnet}", null, "", null, $target, null, false);
|
907 |
|
|
908 |
|
/* generate nat mappings for opts with a gateway opts */
|
909 |
|
foreach($optints as $ocname => $oc) {
|
910 |
|
$opt_interface = $oc['if'];
|
911 |
|
if ((is_private_ip($pppoecfg['remoteip'])) && (interface_has_gateway($opt_interface))) {
|
912 |
|
$target = get_current_wan_address($interface = "$ocname");
|
913 |
|
$natrules .= filter_nat_rules_generate_if($opt_interface,
|
914 |
|
"{$pppoecfg['remoteip']}/{$pppoe_subnet}", 500, "", 500, $target, 500, false);
|
915 |
|
$natrules .= filter_nat_rules_generate_if($opt_interface,
|
916 |
|
"{$pppoecfg['remoteip']}/{$pppoe_subnet}", 4500, "", 4500, $target, 4500, false);
|
917 |
|
$natrules .= filter_nat_rules_generate_if($opt_interface,
|
918 |
|
"{$pppoecfg['remoteip']}/{$pppoe_subnet}", 5060, "", 5060, $target, 5060, false);
|
919 |
|
$natrules .= filter_nat_rules_generate_if($opt_interface,
|
920 |
|
"{$pppoecfg['remoteip']}/{$pppoe_subnet}", null, "", null, $target, null, false);
|
921 |
|
}
|
|
748 |
if (is_private_ip($pppoecfg['remoteip'])) {
|
|
749 |
$numberofnathosts++;
|
|
750 |
$tonathosts .= "{$pppoecfg['remoteip']}/{$pppoe_subnet} ";
|
922 |
751 |
}
|
923 |
752 |
}
|
924 |
753 |
|
925 |
|
/* static routes */
|
926 |
|
if (is_array($config['staticroutes']['route'])) {
|
927 |
|
foreach ($config['staticroutes']['route'] as $route) {
|
928 |
|
$netip = explode("/", $route['network']);
|
929 |
|
if ((! interface_has_gateway($route['interface'])) && (is_private_ip($netip[0]))) {
|
930 |
|
$target = get_current_wan_address($interface = "wan");
|
931 |
|
$natrules .= filter_nat_rules_generate_if($wanif,
|
932 |
|
"{$route['network']}", 500, "", 500, $target, 500, false);
|
933 |
|
$natrules .= filter_nat_rules_generate_if($wanif,
|
934 |
|
"{$route['network']}", 4500, "", 4500, $target, 4500, false);
|
935 |
|
$natrules .= filter_nat_rules_generate_if($wanif,
|
936 |
|
"{$route['network']}", 5060, "", 5060, $target, 5060, false);
|
937 |
|
$natrules .= filter_nat_rules_generate_if($wanif,
|
938 |
|
"{$route['network']}", null, "", null, $target, null, false);
|
939 |
|
}
|
940 |
|
/* generate nat mapping for static routes on opts */
|
941 |
|
foreach($optints as $ocname => $oc) {
|
942 |
|
$opt_interface = $oc['if'];
|
943 |
|
if ((! interface_has_gateway($route['interface'])) && (is_private_ip($netip[0])) && (interface_has_gateway($opt_interface))) {
|
944 |
|
$target = get_current_wan_address($interface = "$ocname");
|
945 |
|
$natrules .= filter_nat_rules_generate_if($opt_interface,
|
946 |
|
"{$route['network']}", 500, "", 500, $target, 500, false);
|
947 |
|
$natrules .= filter_nat_rules_generate_if($opt_interface,
|
948 |
|
"{$route['network']}", 4500, "", 4500, $target, 4500, false);
|
949 |
|
$natrules .= filter_nat_rules_generate_if($opt_interface,
|
950 |
|
"{$route['network']}", 5060, "", 5060, $target, 5060, false);
|
951 |
|
$natrules .= filter_nat_rules_generate_if($opt_interface,
|
952 |
|
"{$route['network']}", null, "", null, $target, null, false);
|
953 |
|
}
|
954 |
|
}
|
|
754 |
$natrules .= "\n# Subnets to NAT \n";
|
|
755 |
if ($numberofnathosts > 4) {
|
|
756 |
$natrules .= "table <tonatsubnets> { {$tonathosts} }\n";
|
|
757 |
$macroortable = "<tonatsubnets>";
|
|
758 |
} else if ($numberofnathosts > 0) {
|
|
759 |
$natrules .= "tonatsubnets = \"{ {$tonathosts} }\"\n";
|
|
760 |
$macroortable = "\$tonatsubnets";
|
|
761 |
}
|
|
762 |
|
|
763 |
if ($numberofnathosts > 0):
|
|
764 |
|
|
765 |
if (!empty($config['installedpackages']['openvpnclient']['config'])) {
|
|
766 |
foreach ($config['installedpackages']['openvpnclient']['config'] as $id => $settings)
|
|
767 |
if (!empty($settings['remote_network']))
|
|
768 |
$natrules .= "nat on ovpnc{$id} from \$tonatsubnets to any -> (ovpnc{$id})\n";
|
|
769 |
}
|
|
770 |
|
|
771 |
foreach ($FilterIflist as $if => $ifcfg) {
|
|
772 |
update_filter_reload_status("Creating outbound rules {$if} - ({$ifcfg['descr']})");
|
|
773 |
|
|
774 |
if (interface_has_gateway($if)) {
|
|
775 |
$target = get_current_wan_address($if);
|
|
776 |
|
|
777 |
/* do not nat tftp proxy */
|
|
778 |
$natrules .= "no nat on \${$ifcfg['descr']} to port tftp\n";
|
|
779 |
|
|
780 |
|
|
781 |
/* create outbound nat entries for all local networks */
|
|
782 |
$natrules .= filter_nat_rules_generate_if($if,
|
|
783 |
"{$macroortable}", 500, "", 500, $target, 500, false);
|
|
784 |
$natrules .= filter_nat_rules_generate_if($if,
|
|
785 |
"{$macroortable}", 4500, "", 4500, $target, 4500, false);
|
|
786 |
$natrules .= filter_nat_rules_generate_if($if,
|
|
787 |
"{$macroortable}", 5060, "", 5060, $target, 5060, false);
|
|
788 |
$natrules .= filter_nat_rules_generate_if($if,
|
|
789 |
"{$macroortable}", null, "", null, $target, null, isset($ifcfg['nonat']));
|
|
790 |
$natrule .= "\n";
|
955 |
791 |
|
956 |
792 |
}
|
957 |
793 |
}
|
958 |
|
|
|
794 |
|
|
795 |
endif;
|
959 |
796 |
}
|
960 |
797 |
|
961 |
798 |
$natrules .= "\n#SSH Lockout Table\n";
|
... | ... | |
964 |
801 |
/* is SPAMD insalled? */
|
965 |
802 |
if (is_package_installed("spamd") == 1) {
|
966 |
803 |
$natrules .= "\n# spam table \n";
|
967 |
|
|
|
804 |
$wanif = get_real_wan_interface("wan");
|
968 |
805 |
$natrules .= "table <whitelist> persist\n";
|
969 |
806 |
$natrules .= "table <blacklist> persist\n";
|
970 |
807 |
$natrules .= "table <spamd> persist\n";
|
... | ... | |
988 |
825 |
|
989 |
826 |
update_filter_reload_status("Setting up FTP helper");
|
990 |
827 |
|
991 |
|
/* do not nat tftp proxy */
|
992 |
|
$natrules .= "\nno nat on \$wan to port tftp\n\n";
|
|
828 |
$natrules .= "\n# FTP proxy\n";
|
|
829 |
$natrules .= "rdr-anchor \"ftp-proxy/*\"\n";
|
|
830 |
$natrules .= "rdr-anchor \"tftp-proxy/*\"\n";
|
993 |
831 |
|
994 |
|
$natrules .= "\n# FTP Proxy/helper\n";
|
995 |
|
|
996 |
|
/* if list */
|
997 |
|
$iflist = get_configured_interface_list();
|
|
832 |
$natrules .= "\n";
|
998 |
833 |
|
999 |
834 |
$interface_counter = 0;
|
1000 |
835 |
$vpns_list = get_vpns_list();
|
... | ... | |
1010 |
845 |
if($direct_networks_list)
|
1011 |
846 |
$natrules .= "table <direct_networks> { $direct_networks_list }\n";
|
1012 |
847 |
/* loop through all interfaces and handle ftp-proxy redirections */
|
1013 |
|
foreach ($iflist as $ifent => $ifname) {
|
1014 |
|
/* XXX: ermal - this should be reallt unified with code above. */
|
1015 |
|
if ($ifent == "wan")
|
1016 |
|
continue;
|
|
848 |
foreach ($FilterIflist as $ifent => $ifcfg) {
|
|
849 |
$realif = $ifcfg['if'];
|
|
850 |
$int_ip = get_current_wan_address($ifent);
|
1017 |
851 |
|
1018 |
|
$ifname_lower = convert_friendly_interface_to_friendly_descr(strtolower($ifname));
|
1019 |
|
$realif = convert_friendly_interface_to_real_interface_name(strtolower($ifname));
|
1020 |
|
$int_ip = find_interface_ip($realif);
|
1021 |
|
if(isset($config['interfaces'][strtolower($ifname)]['disableftpproxy'])) {
|
|
852 |
if ($int_ip == "")
|
|
853 |
continue;
|
|
854 |
if(isset($config['interfaces'][$ifent]['disableftpproxy'])) {
|
1022 |
855 |
if($g['debug'])
|
1023 |
|
log_error("Filter: FTP proxy disabled for interface {$ifname} - ignoring.");
|
|
856 |
log_error("Filter: FTP proxy disabled for interface {$ifcfg['descr']} - ignoring.");
|
1024 |
857 |
$interface_counter++;
|
1025 |
858 |
continue;
|
1026 |
859 |
}
|
1027 |
860 |
/* are we in routed mode? no source nat rules and not a outside interface? */
|
1028 |
861 |
/* If we have advanced outbound nat we skip the FTP proxy, we use ftpsesame */
|
1029 |
|
if((isset($config['nat']['advancedoutbound']['enable'])) && (! interface_has_gateway($ifname))) {
|
|
862 |
if((isset($config['nat']['advancedoutbound']['enable'])) &&
|
|
863 |
(! interface_has_gateway($ifent))) {
|
1030 |
864 |
$sourcenat = 0;
|
1031 |
865 |
/* we are using advanced outbound nat, are we in routing mode? */
|
1032 |
|
$realif = convert_friendly_interface_to_real_interface_name($ifname);
|
1033 |
866 |
/* if the interface address lies within a outbound NAT source network we should skip */
|
1034 |
867 |
if(! empty($config['nat']['advancedoutbound']['rule'])) {
|
1035 |
868 |
foreach($config['nat']['advancedoutbound']['rule'] as $natnetwork) {
|
... | ... | |
1041 |
874 |
}
|
1042 |
875 |
if($sourcenat == 0) {
|
1043 |
876 |
if($g['debug'])
|
1044 |
|
log_error("Filter: No AON rule matched for interface {$ifname} - not using the FTP proxy");
|
|
877 |
log_error("Filter: No AON rule matched for interface {$ifcfg['descr']} - not using the FTP proxy");
|
1045 |
878 |
$interface_counter++;
|
1046 |
879 |
continue;
|
1047 |
880 |
} else {
|
1048 |
881 |
if($g['debug'])
|
1049 |
|
log_error("Filter: AON Rule matched for interface {$ifname} - using FTP proxy");
|
|
882 |
log_error("Filter: AON Rule matched for interface {$ifcfg['descr']} - using FTP proxy");
|
1050 |
883 |
}
|
1051 |
884 |
}
|
1052 |
|
$tmp_port = 8021 + $interface_counter;
|
1053 |
|
$tmp_interface = convert_friendly_interface_to_real_interface_name($ifname);
|
1054 |
|
$ifname_lower = strtolower(convert_friendly_interface_to_friendly_descr($ifname));
|
1055 |
|
$vpns = get_vpns_list();
|
1056 |
885 |
/* if the user has defined, include the alias so that we do not redirect ftp
|
1057 |
886 |
connections across the tunnels to ftp-proxy */
|
1058 |
|
$int_ip = find_interface_ip($tmp_interface);
|
1059 |
|
/* if interface lacks an ip, dont setup a rdr for ftp. they are most likely on a bridged interface */
|
1060 |
|
if($int_ip and $vpns_list)
|
1061 |
|
if($ifname_lower) {
|
1062 |
|
$natrules .= "no rdr on $tmp_interface proto tcp from any to <vpns> port 21\n";
|
1063 |
|
$natrules .= "no rdr on $tmp_interface proto udp from any to <vpns> port tftp\n";
|
1064 |
|
if($onetoone_list) {
|
1065 |
|
$natrules .= "no rdr on $tmp_interface proto tcp from <onetoonelist> to any port 21\n";
|
1066 |
|
$natrules .= "no rdr on $tmp_interface proto udp from <onetoonelist> to any port tftp\n";
|
1067 |
|
}
|
|
887 |
/* if interface lacks an ip, dont setup a rdr for ftp.
|
|
888 |
they are most likely on a bridged interface */
|
|
889 |
if($int_ip and $vpns_list) {
|
|
890 |
$natrules .= "no rdr on $realif proto tcp from any to <vpns> port 21\n";
|
|
891 |
$natrules .= "no rdr on $realif proto udp from any to <vpns> port tftp\n";
|
|
892 |
if($onetoone_list) {
|
|
893 |
$natrules .= "no rdr on $realif proto tcp from <onetoonelist> to any port 21\n";
|
|
894 |
$natrules .= "no rdr on $realif proto udp from <onetoonelist> to any port tftp\n";
|
1068 |
895 |
}
|
1069 |
|
if($ifname_lower) {
|
1070 |
|
$temp_array_holder_pftpx = array();
|
1071 |
|
$temp_array_holder_pftpx['port'] = $tmp_port;
|
1072 |
|
$temp_array_holder_pftpx['interface'] = $tmp_interface;
|
1073 |
|
$used_pftpx_ports[] = $temp_array_holder_pftpx;
|
1074 |
|
$natrules .= "rdr on $tmp_interface proto tcp from any to any port 21 -> 127.0.0.1 port {$tmp_port}\n";
|
1075 |
|
$natrules .= "rdr on $tmp_interface proto udp from any to any port tftp -> 127.0.0.1 port 6969\n";
|
1076 |
896 |
}
|
|
897 |
$tmp_port = 8021 + $interface_counter;
|
|
898 |
$temp_array_holder_pftpx = array();
|
|
899 |
$temp_array_holder_pftpx['port'] = $tmp_port;
|
|
900 |
$temp_array_holder_pftpx['interface'] = "\${$ifcfg['descr']}";
|
|
901 |
$temp_array_holder_pftpx['realif'] = $realif;
|
|
902 |
$used_pftpx_ports[] = $temp_array_holder_pftpx;
|
|
903 |
$natrules .= "rdr on $realif proto tcp from any to any port 21 -> 127.0.0.1 port {$tmp_port}\n";
|
|
904 |
$natrules .= "rdr on $realif proto udp from any to any port tftp -> 127.0.0.1 port 6969\n";
|
1077 |
905 |
$interface_counter++;
|
1078 |
906 |
}
|
1079 |
907 |
$natrules .= "\n";
|
... | ... | |
1092 |
920 |
$inetd_fd = fopen("/var/etc/inetd.conf","w");
|
1093 |
921 |
|
1094 |
922 |
/* add tftp protocol helper */
|
1095 |
|
fwrite($inetd_fd, "tftp\tdgram\tudp\twait\t\troot\t/usr/local/sbin/tftp-proxy -v\n");
|
|
923 |
fwrite($inetd_fd, "tftp\tdgram\tudp\twait\t\troot\t/usr/local/sbin/tftp-proxy -v\n");
|
1096 |
924 |
|
1097 |
925 |
if (isset($config['nat']['rule'])) {
|
1098 |
926 |
$natrules .= "# NAT Inbound Redirects\n";
|
1099 |
927 |
|
|
928 |
$inetd_fd = fopen("/var/etc/inetd.conf","w");
|
|
929 |
|
|
930 |
/* add tftp protocol helper */
|
|
931 |
fwrite($inetd_fd, "tftp\tdgram\tudp\twait\t\troot\t/usr/local/sbin/tftp-proxy -v\n");
|
|
932 |
|
1100 |
933 |
if(!isset($config['system']['disablenatreflection'])) {
|
1101 |
934 |
/* start redirects on port 19000 of localhost */
|
1102 |
935 |
$starting_localhost_port = 19000;
|
... | ... | |
1141 |
974 |
else
|
1142 |
975 |
$extaddr = get_current_wan_address($rule['interface']);
|
1143 |
976 |
|
1144 |
|
if (!$rule['interface'] || ($rule['interface'] == "wan"))
|
1145 |
|
$natif = $wanif;
|
1146 |
|
else if($rule['interface'] == "\$pptp")
|
1147 |
|
$natif = "pptp";
|
1148 |
|
else if($rule['interface'] == "\$pppoe")
|
1149 |
|
$natif = "pppoe";
|
1150 |
|
else
|
1151 |
|
$natif = $config['interfaces'][$rule['interface']]['if'];
|
|
977 |
if (!$rule['interface'])
|
|
978 |
$natif == "wan";
|
|
979 |
else
|
|
980 |
$natif = $rule['interface'];
|
1152 |
981 |
|
1153 |
|
if($config['interfaces']['lan'])
|
1154 |
|
$lanif = $lancfg['if'];
|
|
982 |
$natif = get_real_wan_interface($natif);
|
1155 |
983 |
|
1156 |
984 |
/*
|
1157 |
985 |
* Expand aliases
|
... | ... | |
1174 |
1002 |
$helpers = exec("/bin/ps awux | grep {$target} -b {$external_address} | grep -v grep");
|
1175 |
1003 |
if(!$helpers) {
|
1176 |
1004 |
if($external_address == "")
|
1177 |
|
$external_address = find_interface_ip(get_real_wan_interface());
|
|
1005 |
$external_address = find_interface_ip($natif);
|
1178 |
1006 |
/* install a ftp-proxy helper, do not set a rule. also use the delay filter configure run
|
1179 |
1007 |
* routines because if this is the first bootup the filter is not completely configured
|
1180 |
1008 |
* and thus pf is not fully running. otherwise we end up with: ftp-proxy: pf is disabled
|
1181 |
1009 |
*/
|
1182 |
1010 |
/* Get the ftp queue for this interface */
|
1183 |
1011 |
if (isset($config['interfaces'][$rule['interface']]['ftpqueue']))
|
1184 |
|
$shaper_queue = " -q ". $config['interfaces'][$rule['interface']]['ftpqueue'];
|
|
1012 |
$shaper_queue = $config['interfaces'][$rule['interface']]['ftpqueue'];
|
1185 |
1013 |
/* else default queue configured on shaper will get this */
|
1186 |
|
$after_filter_configure_run[] = "/usr/local/sbin/ftp-proxy {$shaper_queue} -R {$target} -b {$external_address} ";
|
|
1014 |
$after_filter_configure_run[] = "/usr/local/sbin/pftpx {$shaper_queue} -f {$target} -b {$external_address} -c 21 -g 21";
|
1187 |
1015 |
}
|
1188 |
1016 |
$dontinstallrdr = true;
|
1189 |
1017 |
}
|
... | ... | |
1192 |
1020 |
if($extaddr == "")
|
1193 |
1021 |
$dontinstallrdr = true;
|
1194 |
1022 |
|
1195 |
|
$rdr_on = convert_real_interface_to_friendly_descr($rule['interface']);
|
1196 |
|
|
1197 |
1023 |
if($dontinstallrdr == false) {
|
1198 |
1024 |
/* is rule a port range? */
|
1199 |
1025 |
if ((!$extport[1]) || ($extport[0] == $extport[1])) {
|
... | ... | |
1245 |
1071 |
/* does this rule redirect back to a internal host?
|
1246 |
1072 |
* if so, add some extra goo to help this work.
|
1247 |
1073 |
*/
|
1248 |
|
$rule_friendly_if = convert_friendly_interface_to_real_interface_name($rule['interface']);
|
1249 |
|
$rule_interface_ip = find_interface_ip($rule_friendly_if);
|
|
1074 |
$rule_interface_ip = find_interface_ip($natif);
|
1250 |
1075 |
$rule_interface_subnet = $config['interfaces'][$rule['interface']]['subnet'];
|
1251 |
1076 |
$rule_subnet = gen_subnet($rule_interface_ip, $rule_interface_subnet);
|
1252 |
1077 |
if($config['interfaces']['lan']) {
|
1253 |
1078 |
if($rule['external-address'] == "any" and $rule['interface'] == "lan") {
|
1254 |
1079 |
$natrules .= "\n";
|
1255 |
|
if($rule_friendly_if)
|
1256 |
|
$natrules .= "no nat on {$rule_friendly_if} proto tcp from {$rule_friendly_if} to {$rule_subnet}/{$rule_interface_subnet}\n";
|
1257 |
|
if($rule_friendly_if)
|
1258 |
|
$natrules .= "nat on {$rule_friendly_if} proto tcp from {$rule_subnet}/{$rule_interface_subnet} to {$target} port {$extport[0]} -> {$rule_friendly_if}\n";
|
|
1080 |
$natrules .= "no nat on {$natif} proto tcp from ({$natif}) to {$rule_subnet}/{$rule_interface_subnet}\n";
|
|
1081 |
$natrules .= "nat on {$natif} proto tcp from {$rule_subnet}/{$rule_interface_subnet} to {$target} port {$extport[0]} -> ({$natif})\n";
|
1259 |
1082 |
}
|
1260 |
1083 |
}
|
1261 |
1084 |
|
... | ... | |
1264 |
1087 |
update_filter_reload_status("Setting up reflection");
|
1265 |
1088 |
|
1266 |
1089 |
$natrules .= "\n# Reflection redirects\n";
|
1267 |
|
foreach ($iflist as $ifent => $ifname) {
|
|
1090 |
foreach ($FilterIflist as $ifent => $ifname) {
|
1268 |
1091 |
|
1269 |
1092 |
/* do not process interfaces with gateways*/
|
1270 |
|
if($config['interfaces'][$ifname]['gateway'] <> "")
|
1271 |
|
continue;
|
1272 |
|
|
1273 |
|
/* do not process interfaces that will end up with gateways */
|
1274 |
|
if($config['interfaces'][$ifname]['ipaddr'] == "dhcp" or
|
1275 |
|
$config['interfaces'][$ifname]['ipaddr'] == "bigpond" or
|
1276 |
|
$config['interfaces'][$ifname]['ipaddr'] == "pppoe" or
|
1277 |
|
$config['interfaces'][$ifname]['ipaddr'] == "pptp")
|
|
1093 |
if (interface_has_gateway($ifent))
|
1278 |
1094 |
continue;
|
1279 |
1095 |
|
1280 |
|
$ifname_real = convert_friendly_interface_to_real_interface_name($ifname);
|
1281 |
|
|
1282 |
1096 |
if($extport[1])
|
1283 |
1097 |
$range_end = ($extport[1]);
|
1284 |
1098 |
else
|
... | ... | |
1289 |
1103 |
if($rule['local-port'])
|
1290 |
1104 |
$lrange_start = $rule['local-port'];
|
1291 |
1105 |
|
|
1106 |
|
1292 |
1107 |
if($range_end - $extport[0] > 500) {
|
1293 |
1108 |
$range_end = $extport[0]+1;
|
1294 |
1109 |
log_error("Not installing nat reflection rules for a port range > 500");
|
... | ... | |
1308 |
1123 |
|
1309 |
1124 |
update_filter_reload_status("Creating reflection rule for {$rule['descr']}...");
|
1310 |
1125 |
|
1311 |
|
$ifname_real = convert_friendly_interface_to_friendly_descr(strtolower($ifname));
|
1312 |
1126 |
|
1313 |
1127 |
if($config['system']['reflectiontimeout'])
|
1314 |
1128 |
$reflectiontimeout = $config['system']['reflectiontimeout'];
|
1315 |
1129 |
else
|
1316 |
1130 |
$reflectiontimeout = "2000";
|
1317 |
1131 |
|
|
1132 |
|
1318 |
1133 |
switch($rule['protocol']) {
|
1319 |
1134 |
|
1320 |
1135 |
case "tcp/udp":
|
... | ... | |
1337 |
1152 |
}
|
1338 |
1153 |
foreach($toadd_array as $tda){
|
1339 |
1154 |
fwrite($inetd_fd, "{$starting_localhost_port}\tstream\ttcp/udp\tnowait/0\tnobody\t/usr/bin/nc nc -u -w {$reflectiontimeout} {$target} {$tda}\n");
|
1340 |
|
if($ifname_real)
|
1341 |
|
$natrules .= "rdr on \${$ifname_real} proto tcp from any to {$extaddr} port { {$xxx} } -> 127.0.0.1 port {$starting_localhost_port}\n";
|
|
1155 |
$natrules .= "rdr on {$ifname['if']} proto tcp from any to {$extaddr} port { {$xxx} } -> 127.0.0.1 port {$starting_localhost_port}\n";
|
1342 |
1156 |
$starting_localhost_port++;
|
1343 |
1157 |
fwrite($inetd_fd, "{$starting_localhost_port}\tstream\ttcp/udp\tnowait/0\tnobody\t/usr/bin/nc nc -w {$reflectiontimeout} {$target} {$tda}\n");
|
1344 |
|
if($ifname_real)
|
1345 |
|
$natrules .= "rdr on \${$ifname_real} proto udp from any to {$extaddr} port { {$xxx} } -> 127.0.0.1 port {$starting_localhost_port}\n";
|
|
1158 |
$natrules .= "rdr on {$ifname['if']} proto udp from any to {$extaddr} port { {$xxx} } -> 127.0.0.1 port {$starting_localhost_port}\n";
|
1346 |
1159 |
$xxx++;
|
1347 |
1160 |
$starting_localhost_port++;
|
1348 |
1161 |
}
|
... | ... | |
1376 |
1189 |
else
|
1377 |
1190 |
$reflectiontimeout = "20";
|
1378 |
1191 |
fwrite($inetd_fd, "{$starting_localhost_port}\tstream\t{$protocol}\tnowait/0\tnobody\t/usr/bin/nc nc {$dash_u}-w {$reflectiontimeout} {$target} {$tda}\n");
|
1379 |
|
if($ifname_real)
|
1380 |
|
$natrules .= "rdr on \${$ifname_real} proto {$protocol} from any to {$extaddr} port { {$xxx} } -> 127.0.0.1 port {$starting_localhost_port}\n";
|
|
1192 |
$natrules .= "rdr on {$ifname['if']} proto {$protocol} from any to {$extaddr} port { {$xxx} } -> 127.0.0.1 port {$starting_localhost_port}\n";
|
1381 |
1193 |
$xxx++;
|
1382 |
1194 |
$starting_localhost_port++;
|
1383 |
1195 |
}
|
... | ... | |
1400 |
1212 |
|
1401 |
1213 |
$natrules .= "\n";
|
1402 |
1214 |
}
|
1403 |
|
|
1404 |
1215 |
}
|
1405 |
1216 |
|
1406 |
|
fclose($inetd_fd); // Close file handle
|
1407 |
|
|
1408 |
|
// Check if inetd is running, if not start it. If so, restart it gracefully.
|
1409 |
|
$helpers = trim(exec("/bin/ps ax | /usr/bin/grep inetd | /usr/bin/grep -v grep | /usr/bin/grep 127"));
|
1410 |
|
if(!$helpers)
|
1411 |
|
mwexec("/usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd.conf");
|
1412 |
|
else
|
1413 |
|
mwexec("/usr/bin/killall -HUP inetd");
|
|
1217 |
fclose($inetd_fd); // Close file handle
|
|
1218 |
|
|
1219 |
// Check if inetd is running, if not start it. If so, restart it gracefully.
|
|
1220 |
$helpers = trim(exec("/bin/ps ax | /usr/bin/grep inetd | /usr/bin/grep -v grep | /usr/bin/grep 127"));
|
|
1221 |
if(!$helpers)
|
|
1222 |
mwexec("/usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd.conf");
|
|
1223 |
else
|
|
1224 |
mwexec("/usr/bin/killall -HUP inetd");
|
1414 |
1225 |
|
1415 |
1226 |
if ($pptpdcfg['mode'] && $pptpdcfg['mode'] != "off") {
|
1416 |
1227 |
|
... | ... | |
1430 |
1241 |
$natrules .= <<<EOD
|
1431 |
1242 |
|
1432 |
1243 |
# PPTP
|
1433 |
|
rdr on \$wan proto gre from any to any -> $pptpdtarget
|
1434 |
|
rdr on \$wan proto tcp from any to any port 1723 -> $pptpdtarget
|
|
1244 |
#rdr on \$WAN proto gre from any to any -> $pptpdtarget
|
|
1245 |
rdr on \$WAN proto tcp from any to any port 1723 -> $pptpdtarget
|
1435 |
1246 |
|
1436 |
1247 |
EOD;
|
1437 |
1248 |
}
|
... | ... | |
1466 |
1277 |
return $natrules;
|
1467 |
1278 |
}
|
1468 |
1279 |
|
1469 |
|
function run_command_return_string($cmd) {
|
|
1280 |
function run_command_return_string($cmd)
|
|
1281 |
{
|
1470 |
1282 |
global $config;
|
1471 |
1283 |
if(isset($config['system']['developerspew'])) {
|
1472 |
1284 |
$mt = microtime();
|
... | ... | |
1481 |
1293 |
return $tmp;
|
1482 |
1294 |
}
|
1483 |
1295 |
|
1484 |
|
function generate_user_filter_rule_arr($rule, $ngcounter) {
|
1485 |
|
global $config;
|
|
1296 |
function generate_user_filter_rule_arr($rule)
|
|
1297 |
{
|
|
1298 |
global $config, $FilterIflist;
|
1486 |
1299 |
update_filter_reload_status("Creating filter rules {$rule['descr']} ...");
|
1487 |
1300 |
if(isset($config['system']['developerspew'])) {
|
1488 |
1301 |
$mt = microtime();
|
1489 |
1302 |
echo "generate_user_filter_rule() being called $mt\n";
|
1490 |
1303 |
}
|
1491 |
1304 |
$ret = array();
|
1492 |
|
$line = generate_user_filter_rule($rule, $ngcounter);
|
|
1305 |
$line = generate_user_filter_rule($rule);
|
1493 |
1306 |
$ret['rule'] = $line;
|
1494 |
1307 |
$ret['interface'] = $rule['interface'];
|
1495 |
1308 |
if($rule['descr'] != "" and $line != "")
|
... | ... | |
1500 |
1313 |
return $ret;
|
1501 |
1314 |
}
|
1502 |
1315 |
|
1503 |
|
function generate_user_filter_rule($rule, $ngcounter) {
|
1504 |
|
global $config, $g;
|
|
1316 |
function generate_user_filter_rule($rule)
|
|
1317 |
{
|
|
1318 |
global $config, $g, $FilterIflist;
|
1505 |
1319 |
global $table_cache;
|
1506 |
1320 |
global $schedule_enabled;
|
1507 |
1321 |
|
... | ... | |
1510 |
1324 |
echo "generate_user_filter_rule() being called $mt\n";
|
1511 |
1325 |
}
|
1512 |
1326 |
|
|
1327 |
/* don't include disabled rules */
|
|
1328 |
if (isset($rule['disabled'])) {
|
|
1329 |
return "# rule " . $rule['descr'] . " disabled \n";
|
|
1330 |
}
|
|
1331 |
|
1513 |
1332 |
if($config['schedules']) {
|
1514 |
1333 |
foreach($config['schedules']['schedule'] as $sched) {
|
1515 |
1334 |
$schedule_enabled = true;
|
... | ... | |
1526 |
1345 |
|
1527 |
1346 |
update_filter_reload_status("Creating filter rules {$rule['descr']} ...");
|
1528 |
1347 |
|
1529 |
|
$wancfg = $config['interfaces']['wan'];
|
1530 |
|
if($config['interfaces']['lan']) {
|
1531 |
|
$lancfg = $config['interfaces']['lan'];
|
1532 |
|
$lanif = $lancfg['if'];
|
1533 |
|
$lanip = $lancfg['ipaddr'];
|
1534 |
|
$lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
|
1535 |
|
$lansn = $lancfg['subnet'];
|
1536 |
|
}
|
1537 |
1348 |
$pptpdcfg = $config['pptpd'];
|
1538 |
1349 |
$pppoecfg = $config['pppoe'];
|
1539 |
1350 |
|
1540 |
|
$wanif = get_real_wan_interface();
|
1541 |
|
|
1542 |
1351 |
$int = "";
|
1543 |
1352 |
|
1544 |
|
$optcfg = array();
|
1545 |
|
generate_optcfg_array($optcfg);
|
1546 |
|
|
1547 |
|
$curwanip = get_current_wan_address();
|
1548 |
|
|
1549 |
|
/* don't include disabled rules */
|
1550 |
|
if (isset($rule['disabled'])) {
|
1551 |
|
return "# rule " . $rule['descr'] . " disabled \n";
|
1552 |
|
}
|
1553 |
|
|
1554 |
|
$pptpdcfg = $config['pptpd'];
|
1555 |
|
$pppoecfg = $config['pppoe'];
|
1556 |
|
|
1557 |
|
if ($pptpdcfg['mode'] == "server") {
|
1558 |
|
$pptpip = $pptpdcfg['localip'];
|
1559 |
|
$pptpsa = $pptpdcfg['remoteip'];
|
1560 |
|
$pptpsn = $g['pptp_subnet'];
|
1561 |
|
if($config['pptp']['pptp_subnet'] <> "")
|
1562 |
|
$pptpsn = $config['pptp']['pptp_subnet'];
|
1563 |
|
}
|
1564 |
|
|
1565 |
|
if ($pppoecfg['mode'] == "server") {
|
1566 |
|
$pppoeip = $pppoecfg['localip'];
|
1567 |
|
$pppoesa = $pppoecfg['remoteip'];
|
1568 |
|
$pppoesn = $g['pppoe_subnet'];
|
1569 |
|
if($config['pppoe']['pppoe_subnet'] <> "")
|
1570 |
|
$pppoesn = $config['pppoe']['pppoe_subnet'];
|
1571 |
|
}
|
1572 |
|
|
1573 |
|
/* does the rule deal with a PPTP interface? */
|
1574 |
|
if ($rule['interface'] == "pptp") {
|
1575 |
|
if ($pptpdcfg['mode'] != "server")
|
1576 |
|
return "";
|
1577 |
|
$nif = $g['n_pptp_units'];
|
1578 |
|
if($config['pptp']['n_pptp_units'] <> "")
|
1579 |
|
$nif = $config['pptp']['n_pptp_units'];
|
1580 |
|
$ispptp = true;
|
1581 |
|
} else if($rule['interface'] == "pppoe") {
|
1582 |
|
if ($pppoecfg['mode'] != "server") {
|
1583 |
|
return " # Error creating pppoe rule";
|
1584 |
|
}
|
1585 |
|
$nif = $g['n_pppoe_units'];
|
1586 |
|
if($config['pppoe']['n_pppoe_units'] <> "")
|
1587 |
|
$nif = $config['pppoe']['n_pppoe_units'];
|
1588 |
|
$ispppoe = true;
|
1589 |
|
} else {
|
1590 |
|
|
1591 |
|
/* Check to see if the interface is opt and in our opt list */
|
1592 |
|
if (!isset($rule['floating']) && strstr($rule['interface'], "opt")) {
|
1593 |
|
if (!array_key_exists($rule['interface'], $optcfg)) {
|
1594 |
|
$item = "";
|
1595 |
|
foreach($optcfg as $oc) $item .= $oc['if'];
|
1596 |
|
return "# {$real_int} {$item} {$rule['interface']} array key does not exist for " . $rule['descr'];
|
|
1353 |
/* Check to see if the interface is in our list */
|
|
1354 |
if (isset($rule['floating'])) {
|
|
1355 |
if (isset($rule['interface']) && $rule['interface'] <> "") {
|
|
1356 |
$interfaces = explode(",", $rule['interface']);
|
|
1357 |
$ifliste = "";
|
|
1358 |
foreach ($interfaces as $iface) {
|
|
1359 |
if (array_key_exists($iface, $FilterIflist))
|
|
1360 |
$ifliste .= " " . $FilterIflist[$iface]['if'] . " ";
|
|
1361 |
}
|
|
1362 |
if ($ifliste <> "")
|
|
1363 |
$aline['interface'] = " on { {$ifliste} }";
|
|
1364 |
else
|
|
1365 |
$aline['interface'] = "";
|
1597 |
1366 |
}
|
1598 |
|
}
|
1599 |
|
|
1600 |
|
$nif = 1;
|
1601 |
|
$ispptp = false;
|
1602 |
|
$ispppoe = false;
|
1603 |
|
}
|
|
1367 |
else
|
|
1368 |
$aline['interface'] = "";
|
|
1369 |
} else if (!array_key_exists($rule['interface'], $FilterIflist)) {
|
|
1370 |
foreach($FilterIflist as $oc) $item .= $oc['descr'];
|
|
1371 |
return "# {$item} {$rule['interface']} array key does not exist for " . $rule['descr'];
|
|
1372 |
} else
|
|
1373 |
$aline['interface'] = " on \$" . $FilterIflist[$rule['interface']]['descr'] . " ";
|
|
1374 |
|
|
1375 |
$ifcfg = $FilterIflist[$rule['interface']];
|
1604 |
1376 |
|
1605 |
1377 |
if ($pptpdcfg['mode'] != "server") {
|
1606 |
1378 |
if (($rule['source']['network'] == "pptp") ||
|
1607 |
|
($rule['destination']['network'] == "pptp")) {
|
|
1379 |
($rule['destination']['network'] == "pptp"))
|
1608 |
1380 |
return "# source network or destination network == pptp on " . $rule['descr'];
|
1609 |
|
}
|
1610 |
1381 |
}
|
1611 |
1382 |
|
1612 |
1383 |
if ($rule['source']['network'] && strstr($rule['source']['network'], "opt")) {
|
1613 |
|
if (!array_key_exists($rule['source']['network'], $optcfg)) {
|
|
1384 |
if (!array_key_exists($rule['source']['network'], $FilterIflist)) {
|
1614 |
1385 |
$optmatch = "";
|
1615 |
|
if(preg_match("/opt([0-999])/", $rule['source']['network'], $optmatch)) {
|
1616 |
|
$real_opt_int = convert_friendly_interface_to_real_interface_name("opt" . $optmatch[1]);
|
1617 |
|
$opt_ip = find_interface_ip($real_opt_int);
|
|
1386 |
if (preg_match("/opt([0-999])/", $rule['source']['network'], $optmatch)) {
|
|
1387 |
$opt_ip = get_current_wan_address("opt{$optmatch[1]}");
|
1618 |
1388 |
if(!$opt_ip)
|
1619 |
|
return "# unresolvable optarray $real_opt_int - $optmatch[0] - $opt_ip";
|
|
1389 |
return "# unresolvable optarray $optmatch[0] - $opt_ip";
|
1620 |
1390 |
} else {
|
1621 |
1391 |
return "# {$rule['source']['network']} !array_key_exists source network " . $rule['descr'];
|
1622 |
1392 |
}
|
1623 |
1393 |
}
|
1624 |
1394 |
}
|
1625 |
1395 |
if ($rule['destination']['network'] && strstr($rule['destination']['network'], "opt")) {
|
1626 |
|
if (!array_key_exists($rule['destination']['network'], $optcfg)) {
|
|
1396 |
if (!array_key_exists($rule['destination']['network'], $FilterIflist)) {
|
1627 |
1397 |
if(preg_match("/opt([0-999])/", $rule['destination']['network'], $optmatch)) {
|
1628 |
|
$real_opt_int = convert_friendly_interface_to_real_interface_name("opt" . $optmatch[1]);
|
1629 |
|
$opt_ip = find_interface_ip($real_opt_int);
|
|
1398 |
$opt_ip = get_current_wan_address("opt{$optmatch[1]}");
|
1630 |
1399 |
if(!$opt_ip)
|
1631 |
|
return "# unresolvable oparray $real_opt_int - $optmatch[0] - $opt_ip";
|
|
1400 |
return "# unresolvable oparray $optmatch[0] - $opt_ip";
|
1632 |
1401 |
} else {
|
1633 |
1402 |
return "# {$item} {$rule['destination']['network']} !array_key_exists dest network " . $rule['descr'];
|
1634 |
1403 |
}
|
... | ... | |
1645 |
1414 |
return "# unresolvable dest aliases {$rule['descr']}";
|
1646 |
1415 |
}
|
1647 |
1416 |
|
1648 |
|
/* optional interface if list */
|
1649 |
|
$ifdescrs = get_configured_interface_list(true);
|
|
1417 |
/* optional interface if list
|
|
1418 |
$ifdescrs = get_configured_interface_list(true); */
|
1650 |
1419 |
|
1651 |
1420 |
update_filter_reload_status("Setting up pass/block rules");
|
1652 |
1421 |
|
1653 |
|
for ($iif = 0; $iif < $nif; $iif++) {
|
1654 |
|
|
1655 |
|
$type = $rule['type'];
|
|
1422 |
$type = $rule['type'];
|
1656 |
1423 |
|
1657 |
1424 |
|
1658 |
|
if ($type != "pass" && $type != "block" && $type != "reject") {
|
1659 |
|
/* default (for older rules) is pass */
|
1660 |
|
$type = "pass ";
|
1661 |
|
}
|
1662 |
|
|
1663 |
|
if ($type == "reject") {
|
1664 |
|
/* special reject packet */
|
1665 |
|
if ($rule['protocol'] == "tcp") {
|
1666 |
|
$aline['type'] = "block return-rst ";
|
1667 |
|
} else if ($rule['protocol'] == "udp") {
|
1668 |
|
$aline['type'] = "block return-icmp ";
|
1669 |
|
} else if ($rule['protocol'] == "tcp/udp") {
|
1670 |
|
$aline['type'] = "block return ";
|
1671 |
|
} else {
|
1672 |
|
$aline['type'] = "block ";
|
1673 |
|
}
|
1674 |
|
} else {
|
1675 |
|
$aline['type'] = $type . " ";
|
1676 |
|
}
|
|
1425 |
if ($type != "pass" && $type != "block" && $type != "reject") {
|
|
1426 |
/* default (for older rules) is pass */
|
|
1427 |
$type = "pass ";
|
NOTE: this is only the first half of the changes; the other half will follow.