Project

General

Profile

Download (15.4 KB) Statistics
| Branch: | Tag: | Revision:
1
<?php
2
/*
3
	firewall_nat.php
4
*/
5
/* ====================================================================
6
 *	Copyright (c)  2004-2015  Electric Sheep Fencing, LLC. All rights reserved.
7
 *
8
 *	Some or all of this file is based on the m0n0wall project which is
9
 *	Copyright (c)  2004 Manuel Kasper (BSD 2 clause)
10
 *
11
 *	Redistribution and use in source and binary forms, with or without modification,
12
 *	are permitted provided that the following conditions are met:
13
 *
14
 *	1. Redistributions of source code must retain the above copyright notice,
15
 *		this list of conditions and the following disclaimer.
16
 *
17
 *	2. Redistributions in binary form must reproduce the above copyright
18
 *		notice, this list of conditions and the following disclaimer in
19
 *		the documentation and/or other materials provided with the
20
 *		distribution.
21
 *
22
 *	3. All advertising materials mentioning features or use of this software
23
 *		must display the following acknowledgment:
24
 *		"This product includes software developed by the pfSense Project
25
 *		 for use in the pfSense software distribution. (http://www.pfsense.org/).
26
 *
27
 *	4. The names "pfSense" and "pfSense Project" must not be used to
28
 *		 endorse or promote products derived from this software without
29
 *		 prior written permission. For written permission, please contact
30
 *		 coreteam@pfsense.org.
31
 *
32
 *	5. Products derived from this software may not be called "pfSense"
33
 *		nor may "pfSense" appear in their names without prior written
34
 *		permission of the Electric Sheep Fencing, LLC.
35
 *
36
 *	6. Redistributions of any form whatsoever must retain the following
37
 *		acknowledgment:
38
 *
39
 *	"This product includes software developed by the pfSense Project
40
 *	for use in the pfSense software distribution (http://www.pfsense.org/).
41
 *
42
 *	THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY
43
 *	EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
44
 *	IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
45
 *	PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR
46
 *	ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
47
 *	SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
48
 *	NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
49
 *	LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
50
 *	HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
51
 *	STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
52
 *	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
53
 *	OF THE POSSIBILITY OF SUCH DAMAGE.
54
 *
55
 *	====================================================================
56
 *
57
 */
58

    
59
##|+PRIV
60
##|*IDENT=page-firewall-nat-portforward
61
##|*NAME=Firewall: NAT: Port Forward
62
##|*DESCR=Allow access to the 'Firewall: NAT: Port Forward' page.
63
##|*MATCH=firewall_nat.php*
64
##|-PRIV
65

    
66
require("guiconfig.inc");
67
require_once("functions.inc");
68
require_once("filter.inc");
69
require_once("shaper.inc");
70
require_once("itemid.inc");
71

    
72
if (!is_array($config['nat']['rule'])) {
73
	$config['nat']['rule'] = array();
74
}
75

    
76
$a_nat = &$config['nat']['rule'];
77

    
78
/* update rule order, POST[rule] is an array of ordered IDs */
79
if (array_key_exists('order-store', $_POST)) {
80
	if (is_array($_POST['rule']) && !empty($_POST['rule'])) {
81
		$a_nat_new = array();
82

    
83
		// if a rule is not in POST[rule], it has been deleted by the user
84
		foreach ($_POST['rule'] as $id) {
85
			$a_nat_new[] = $a_nat[$id];
86
		}
87

    
88
		$a_nat = $a_nat_new;
89

    
90

    
91
		$config['nat']['separator'] = "";
92

    
93
		if ($_POST['separator']) {
94
			$idx = 0;
95
			foreach ($_POST['separator'] as $separator) {
96
				$config['nat']['separator']['sep' . $idx++] = $separator;
97
			}
98
		}
99

    
100
		if (write_config()) {
101
			mark_subsystem_dirty('filter');
102
		}
103

    
104
		header("Location: firewall_nat.php");
105
		exit;
106
	}
107
}
108

    
109
/* if a custom message has been passed along, lets process it */
110
if ($_GET['savemsg']) {
111
	$savemsg = $_GET['savemsg'];
112
}
113

    
114
if ($_POST) {
115
	$pconfig = $_POST;
116

    
117
	if ($_POST['apply']) {
118

    
119
		$retval = 0;
120

    
121
		$retval |= filter_configure();
122
		$savemsg = get_std_save_message($retval);
123

    
124
		pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/apply");
125

    
126
		if ($retval == 0) {
127
			clear_subsystem_dirty('natconf');
128
			clear_subsystem_dirty('filter');
129
		}
130

    
131
	}
132
}
133

    
134
if ($_GET['act'] == "del") {
135
	if ($a_nat[$_GET['id']]) {
136

    
137
		if (isset($a_nat[$_GET['id']]['associated-rule-id'])) {
138
			delete_id($a_nat[$_GET['id']]['associated-rule-id'], $config['filter']['rule']);
139
			$want_dirty_filter = true;
140
		}
141
		unset($a_nat[$_GET['id']]);
142

    
143
		// Update the separators
144
		$a_separators = &$config['nat']['separator'];
145
		$ridx = $_GET['id'];
146
		$mvnrows = -1;
147
		move_separators($a_separators, $ridx, $mvnrows);
148

    
149
		if (write_config()) {
150
			mark_subsystem_dirty('natconf');
151
			if ($want_dirty_filter) {
152
				mark_subsystem_dirty('filter');
153
			}
154
		}
155

    
156
		header("Location: firewall_nat.php");
157
		exit;
158
	}
159
}
160

    
161
if (isset($_POST['del_x'])) {
162
	/* delete selected rules */
163
	if (is_array($_POST['rule']) && count($_POST['rule'])) {
164
		$a_separators = &$config['nat']['separator'];
165

    
166
		foreach ($_POST['rule'] as $rulei) {
167
			$target = $rule['target'];
168

    
169
			// Check for filter rule associations
170
			if (isset($a_nat[$rulei]['associated-rule-id'])) {
171
				delete_id($a_nat[$rulei]['associated-rule-id'], $config['filter']['rule']);
172

    
173
				mark_subsystem_dirty('filter');
174
			}
175

    
176
			unset($a_nat[$rulei]);
177

    
178
			// Update the separators
179
			$ridx = $rulei;
180
			$mvnrows = -1;
181
			move_separators($a_separators, $ridx, $mvnrows);
182
		}
183

    
184
		if (write_config()) {
185
			mark_subsystem_dirty('natconf');
186
		}
187

    
188
		header("Location: firewall_nat.php");
189
		exit;
190
	}
191
} else if ($_GET['act'] == "toggle") {
192
	if ($a_nat[$_GET['id']]) {
193
		if (isset($a_nat[$_GET['id']]['disabled'])) {
194
			unset($a_nat[$_GET['id']]['disabled']);
195
		} else {
196
			$a_nat[$_GET['id']]['disabled'] = true;
197
		}
198
		if (write_config(gettext("Firewall: NAT: Port forward, enable/disable NAT rule"))) {
199
			mark_subsystem_dirty('natconf');
200
		}
201
		header("Location: firewall_nat.php");
202
		exit;
203
	}
204
}
205

    
206
$pgtitle = array(gettext("Firewall"), gettext("NAT"), gettext("Port Forward"));
207
include("head.inc");
208

    
209
if ($savemsg) {
210
	print_info_box($savemsg, 'success');
211
}
212

    
213
if (is_subsystem_dirty('natconf')) {
214
	print_apply_box(gettext('The NAT configuration has been changed.') . '<br />' .
215
					gettext('You must apply the changes in order for them to take effect.'));
216
}
217

    
218
$tab_array = array();
219
$tab_array[] = array(gettext("Port Forward"), true, "firewall_nat.php");
220
$tab_array[] = array(gettext("1:1"), false, "firewall_nat_1to1.php");
221
$tab_array[] = array(gettext("Outbound"), false, "firewall_nat_out.php");
222
$tab_array[] = array(gettext("NPt"), false, "firewall_nat_npt.php");
223
display_top_tabs($tab_array);
224

    
225
$columns_in_table = 13;
226
?>
227

    
228
<form action="firewall_nat.php" method="post" name="iform">
229
	<div class="panel panel-default">
230
		<div class="panel-heading"><h2 class="panel-title"><?=gettext('Rules')?></h2></div>
231
		<div class="panel-body table-responsive">
232
			<table id="ruletable" class="table table-striped table-hover table-condensed">
233
				<thead>
234
					<tr>
235
						<th><!-- Checkbox --></th>
236
						<th><!-- Icon --></th>
237
						<th><!-- Rule type --></th>
238
						<th><?=gettext("Interface")?></th>
239
						<th><?=gettext("Protocol")?></th>
240
						<th><?=gettext("Source Address")?></th>
241
						<th><?=gettext("Source Ports")?></th>
242
						<th><?=gettext("Dest. Address")?></th>
243
						<th><?=gettext("Dest. Ports")?></th>
244
						<th><?=gettext("NAT IP")?></th>
245
						<th><?=gettext("NAT Ports")?></th>
246
						<th><?=gettext("Description")?></th>
247
						<th><?=gettext("Actions")?></th>
248
					</tr>
249
				</thead>
250
				<tbody class='user-entries'>
251
<?php
252

    
253
$nnats = $i = 0;
254
$separators = $config['nat']['separator'];
255

    
256
// Get a list of separator rows and use it to call the display separator function only for rows which there are separator(s).
257
// More efficient than looping through the list of separators on every row.
258
$seprows = separator_rows($separators);
259

    
260
foreach ($a_nat as $natent):
261

    
262
	// Display separator(s) for section beginning at rule n
263
	if ($seprows[$nnats]) {
264
		display_separator($separators, $nnats, $columns_in_table);
265
	}
266

    
267
	$alias = rule_columns_with_alias(
268
		$natent['source']['address'],
269
		pprint_port($natent['source']['port']),
270
		$natent['destination']['address'],
271
		pprint_port($natent['destination']['port'])
272
	);
273

    
274
	/* if user does not have access to edit an interface skip on to the next record */
275
	if (!have_natpfruleint_access($natent['interface'])) {
276
		continue;
277
	}
278

    
279
	if (isset($natent['disabled'])) {
280
		$iconfn = "pass_d";
281
		$trclass = 'class="disabled"';
282
	} else {
283
		$iconfn = "pass";
284
		$trclass = '';
285
	}
286
?>
287

    
288
					<tr id="fr<?=$nnats;?>" <?=$trclass?> onClick="fr_toggle(<?=$nnats;?>)" ondblclick="document.location='firewall_nat_edit.php?id=<?=$i;?>';">
289
						<td >
290
							<input type="checkbox" id="frc<?=$nnats;?>" onClick="fr_toggle(<?=$nnats;?>)" name="rule[]" value="<?=$i;?>"/>
291
						</td>
292
						<td>
293
							<a href="?act=toggle&amp;id=<?=$i?>">
294
								<i class="fa <?= ($iconfn == "pass") ? "fa-check":"fa-times"?>" title="<?=gettext("click to toggle enabled/disabled status")?>"></i>
295
<?php 	if (isset($natent['nordr'])) { ?>
296
								&nbsp;<i class="fa fa-hand-stop-o text-danger" title="<?=gettext("Negated: This rule excludes NAT from a later rule")?>"></i>
297
<?php 	} ?>
298
							</a>
299
						</td>
300
						<td>
301
<?php
302
	if ($natent['associated-rule-id'] == "pass"):
303
?>
304
							<i class="fa fa-play" title="<?=gettext("All traffic matching this NAT entry is passed")?>"></i>
305
<?php
306
	elseif (!empty($natent['associated-rule-id'])):
307
?>
308
							<i class="fa fa-random" title="<?=sprintf(gettext("Firewall rule ID %s is managed by this rule"), htmlspecialchars($natent['associated-rule-id']))?>"></i>
309
<?php
310
	endif;
311
?>
312
						</td>
313
						<td>
314
							<?=$textss?>
315
<?php
316
	if (!$natent['interface']) {
317
		echo htmlspecialchars(convert_friendly_interface_to_friendly_descr("wan"));
318
	} else {
319
		echo htmlspecialchars(convert_friendly_interface_to_friendly_descr($natent['interface']));
320
	}
321
?>
322
							<?=$textse?>
323
						</td>
324

    
325
						<td>
326
							<?=$textss?><?=strtoupper($natent['protocol'])?><?=$textse?>
327
						</td>
328

    
329
						<td>
330

    
331

    
332
<?php
333
	if (isset($alias['src'])):
334
?>
335
							<a href="/firewall_aliases_edit.php?id=<?=$alias['src']?>" data-toggle="popover" data-trigger="hover focus" title="<?=gettext('Alias details')?>" data-content="<?=alias_info_popup($alias['src'])?>" data-html="true">
336
<?php
337
	endif;
338
?>
339
							<?=htmlspecialchars(pprint_address($natent['source']))?>
340
<?php
341
	if (isset($alias['src'])):
342
?>
343
							<i class='fa fa-pencil'></i></a>
344
<?php
345
	endif;
346
?>
347
						</td>
348
						<td>
349
<?php
350
	if (isset($alias['srcport'])):
351
?>
352
							<a href="/firewall_aliases_edit.php?id=<?=$alias['srcport']?>" data-toggle="popover" data-trigger="hover focus" title="<?=gettext('Alias details')?>" data-content="<?=alias_info_popup($alias['srcport'])?>" data-html="true">
353
<?php
354
	endif;
355
?>
356
							<?=htmlspecialchars(pprint_port($natent['source']['port']))?>
357
<?php
358
	if (isset($alias['srcport'])):
359
?>
360
							<i class='fa fa-pencil'></i></a>
361
<?php
362
	endif;
363
?>
364
						</td>
365

    
366
						<td>
367
<?php
368
	if (isset($alias['dst'])):
369
?>
370
							<a href="/firewall_aliases_edit.php?id=<?=$alias['dst']?>" data-toggle="popover" data-trigger="hover focus" title="<?=gettext('Alias details')?>" data-content="<?=alias_info_popup($alias['dst'])?>" data-html="true">
371
<?php
372
	endif;
373
?>
374
							<?=htmlspecialchars(pprint_address($natent['destination']))?>
375
<?php
376
	if (isset($alias['dst'])):
377
?>
378
							<i class='fa fa-pencil'></i></a>
379
<?php
380
	endif;
381
?>
382
						</td>
383
						<td>
384
<?php
385
	if (isset($alias['dstport'])):
386
?>
387
							<a href="/firewall_aliases_edit.php?id=<?=$alias['dstport']?>" data-toggle="popover" data-trigger="hover focus" title="<?=gettext('Alias details')?>" data-content="<?=alias_info_popup($alias['dstport'])?>" data-html="true">
388
<?php
389
	endif;
390
?>
391
							<?=htmlspecialchars(pprint_port($natent['destination']['port']))?>
392
<?php
393
	if (isset($alias['dstport'])):
394
?>
395
							<i class='fa fa-pencil'></i></a>
396
<?php
397
	endif;
398
?>
399
						</td>
400

    
401
						<td >
402
							<?=htmlspecialchars($natent['target'])?>
403
						</td>
404
						<td>
405
<?php
406
	$localport = $natent['local-port'];
407

    
408
	list($dstbeginport, $dstendport) = explode("-", $natent['destination']['port']);
409

    
410
	if ($dstendport) {
411
		$localendport = $natent['local-port'] + $dstendport - $dstbeginport;
412
		$localport	 .= '-' . $localendport;
413
	}
414
?>
415
							<?=htmlspecialchars(pprint_port($localport))?>
416
						</td>
417

    
418
						<td>
419
							<?=htmlspecialchars($natent['descr'])?>
420
						</td>
421
						<td>
422
							<a class="fa fa-pencil" title="<?=gettext("Edit rule"); ?>" href="firewall_nat_edit.php?id=<?=$i?>"></a>
423
							<a class="fa fa-clone"	  title="<?=gettext("Add a new NAT based on this one")?>" href="firewall_nat_edit.php?dup=<?=$i?>"></a>
424
							<a class="fa fa-trash"	title="<?=gettext("Delete rule")?>" href="firewall_nat.php?act=del&amp;id=<?=$i?>"></a>
425
						</td>
426
					</tr>
427
<?php
428
	$i++;
429
	$nnats++;
430

    
431
endforeach;
432

    
433
// There can be separator(s) after the last rule listed.
434
if ($seprows[$nnats]) {
435
	display_separator($separators, $nnats, $columns_in_table);
436
}
437
?>
438
				</tbody>
439
			</table>
440
		</div>
441
	</div>
442

    
443
	<nav class="action-buttons">
444
		<a href="firewall_nat_edit.php?after=-1" class="btn btn-sm btn-success" title="<?=gettext('Add rule to the top of the list')?>">
445
			<i class="fa fa-level-up icon-embed-btn"></i>
446
			<?=gettext('Add')?>
447
		</a>
448
		<a href="firewall_nat_edit.php" class="btn btn-sm btn-success" title="<?=gettext('Add rule to the end of the list')?>">
449
			<i class="fa fa-level-down icon-embed-btn"></i>
450
			<?=gettext('Add')?>
451
		</a>
452
		<button name="del_x" type="submit" class="btn btn-danger btn-sm" title="<?=gettext('Delete selected rules')?>">
453
			<i class="fa fa-trash icon-embed-btn"></i>
454
			<?=gettext("Delete"); ?>
455
		</button>
456
		<button type="submit" id="order-store" name="order-store" class="btn btn-primary btn-sm" disabled title="<?=gettext('Save rule order')?>">
457
			<i class="fa fa-save icon-embed-btn"></i>
458
			<?=gettext("Save")?>
459
		</button>
460
		<button type="submit" id="addsep" name="addsep" class="btn btn-sm btn-warning" title="<?=gettext('Add separator')?>">
461
			<i class="fa fa-plus icon-embed-btn"></i>
462
			<?=gettext("Separator")?>
463
		</button>
464
	</nav>
465
</form>
466

    
467
<script type="text/javascript">
468
//<![CDATA[
469
//Need to create some variables here so that jquery/pfSenseHelpers.js can read them
470
iface = "<?=strtolower($if)?>";
471
cncltxt = '<?=gettext("Cancel")?>';
472
svtxt = '<?=gettext("Save")?>';
473
svbtnplaceholder = '<?=gettext("Enter a description, Save, then drag to final location.")?>';
474
configsection = "nat";
475
dirty = false;
476

    
477
events.push(function() {
478

    
479
	// Make rules sortable
480
	$('table tbody.user-entries').sortable({
481
		cursor: 'grabbing',
482
		update: function(event, ui) {
483
			$('#order-store').removeAttr('disabled');
484
			dirty = true;
485
			reindex_rules(ui.item.parent('tbody'));
486
			dirty = true;
487
		}
488
	});
489

    
490
	// Check all of the rule checkboxes so that their values are posted
491
	$('#order-store').click(function () {
492
	   $('[id^=frc]').prop('checked', true);
493

    
494
		// Save the separator bar configuration
495
		save_separators();
496

    
497
		// Suppress the "Do you really want to leave the page" message
498
		saving = true;
499

    
500
	});
501

    
502
	// Globals
503
	saving = false;
504
	dirty = false;
505

    
506
	// provide a warning message if the user tries to change page before saving
507
	$(window).bind('beforeunload', function(){
508
		if (!saving && dirty) {
509
			return ("<?=gettext('You have moved one or more Port Forward rules but have not yet saved')?>");
510
		} else {
511
			return undefined;
512
		}
513
	});
514
});
515
//]]>
516
</script>
517
<?php
518

    
519
if (count($a_nat) > 0) {
520
?>
521
<!-- Legend -->
522
<div>
523
	<dl class="dl-horizontal responsive">
524
		<dt><?=gettext('Legend')?></dt>					<dd></dd>
525
		<dt><i class="fa fa-play"></i></dt>			<dd><?=gettext('Pass')?></dd>
526
		<dt><i class="fa fa-random"></i></dt>		<dd><?=gettext('Linked rule')?></dd>
527
	</dl>
528
</div>
529

    
530
<?php
531
}
532

    
533
include("foot.inc");
(41-41/227)