391 |
391 |
return $scrubrules;
|
392 |
392 |
}
|
393 |
393 |
|
394 |
|
function filter_generate_nested_alias($name, $alias, &$aliasnesting, &$aliasaddrnesting) {
|
|
394 |
function filter_generate_nested_alias($name, $alias, &$aliasnesting, &$aliasaddrnesting)
|
|
395 |
{
|
395 |
396 |
global $aliastable, $filterdns;
|
396 |
397 |
|
397 |
398 |
$addresses = split(" ", $alias);
|
... | ... | |
419 |
420 |
return $finallist;
|
420 |
421 |
}
|
421 |
422 |
|
|
423 |
function filter_expand_alias($alias_name)
|
|
424 |
{
|
|
425 |
global $config;
|
|
426 |
|
|
427 |
if (isset($config['aliases']['alias'])) {
|
|
428 |
foreach ($config['aliases']['alias'] as $aliased) {
|
|
429 |
if ($aliased['name'] == $alias_name) {
|
|
430 |
$aliasnesting = array();
|
|
431 |
$aliasaddrnesting = array();
|
|
432 |
return filter_generate_nested_alias($aliased['name'], $aliased['address'], $aliasnesting, $aliasaddrnesting);
|
|
433 |
}
|
|
434 |
}
|
|
435 |
}
|
|
436 |
}
|
|
437 |
|
422 |
438 |
function filter_generate_aliases() {
|
423 |
439 |
global $config, $FilterIflist;
|
424 |
440 |
if(isset($config['system']['developerspew'])) {
|
... | ... | |
686 |
702 |
return mwexec("/sbin/pfctl -F state");
|
687 |
703 |
}
|
688 |
704 |
|
689 |
|
function filter_generate_reflection($rule, $extport, &$starting_localhost_port) {
|
|
705 |
function filter_generate_reflection($rule, $target, $extport, &$starting_localhost_port) {
|
690 |
706 |
global $FilterIflist, $config;
|
691 |
707 |
|
692 |
708 |
// Initialize natrules holder string
|
693 |
709 |
$natrules = "";
|
694 |
710 |
|
695 |
|
// Keeps track of items already seen to avoid duplicates in inetd.conf
|
696 |
|
$reflection_seen = array();
|
|
711 |
if (!isset($config['system']['disablenatreflection'])) {
|
|
712 |
if($config['system']['reflectiontimeout'])
|
|
713 |
$reflectiontimeout = $config['system']['reflectiontimeout'];
|
|
714 |
else
|
|
715 |
$reflectiontimeout = "2000";
|
697 |
716 |
|
698 |
|
if(!isset($config['system']['disablenatreflection'])) {
|
699 |
|
$inetd_fd = fopen("/var/etc/inetd.conf","w");
|
700 |
|
/* add tftp protocol helper */
|
701 |
|
fwrite($inetd_fd, "tftp\tdgram\tudp\twait\t\troot\t/usr/local/sbin/tftp-proxy -v\n");
|
702 |
717 |
update_filter_reload_status("Setting up NAT Reflection");
|
|
718 |
|
|
719 |
$reflection_txt = array();
|
703 |
720 |
$natrules .= "\n# Reflection redirects\n";
|
704 |
721 |
foreach ($FilterIflist as $ifent => $ifname) {
|
705 |
722 |
/* do not process interfaces with gateways*/
|
706 |
723 |
if (interface_has_gateway($ifent))
|
707 |
724 |
continue;
|
|
725 |
|
|
726 |
update_filter_reload_status("Creating reflection rule for {$rule['descr']}...");
|
|
727 |
|
708 |
728 |
if($extport[1])
|
709 |
729 |
$range_end = ($extport[1]);
|
710 |
730 |
else
|
711 |
731 |
$range_end = ($extport[0]);
|
712 |
732 |
$range_end++;
|
713 |
|
if (alias_expand($rule['external-address']))
|
714 |
|
$extaddr = alias_expand($extaddr);
|
715 |
|
else if ($rule['external-address'] <> "")
|
716 |
|
$extaddr = $rule['external-address'];
|
717 |
|
else
|
|
733 |
$extaddr = alias_expand($rule['external-address']);
|
|
734 |
if (!$extaddr)
|
718 |
735 |
$extaddr = $FilterIflist[$rule['interface']]['ip'];
|
719 |
|
if($rule['local-port'])
|
|
736 |
if ($rule['local-port'])
|
720 |
737 |
$lrange_start = $rule['local-port'];
|
721 |
|
if($range_end - $extport[0] > 500) {
|
|
738 |
if ($range_end - $extport[0] > 500) {
|
722 |
739 |
$range_end = $extport[0]+1;
|
723 |
740 |
log_error("Not installing nat reflection rules for a port range > 500");
|
724 |
|
} else {
|
725 |
|
/* only install reflection rules for < 19991 items */
|
726 |
|
if($starting_localhost_port < 19991) {
|
727 |
|
$loc_pt = $lrange_start;
|
728 |
|
for($x=$extport[0]; $x<$range_end; $x++) {
|
729 |
|
$xxx = $x;
|
730 |
|
update_filter_reload_status("Creating reflection rule for {$rule['descr']}...");
|
731 |
|
if($config['system']['reflectiontimeout'])
|
732 |
|
$reflectiontimeout = $config['system']['reflectiontimeout'];
|
733 |
|
else
|
734 |
|
$reflectiontimeout = "2000";
|
735 |
|
$toadd_array = array();
|
736 |
|
if(is_alias($loc_pt)) {
|
737 |
|
$loc_pt_translated = alias_expand($loc_pt);
|
738 |
|
add_hostname_to_watch($loc_pt_translated);
|
739 |
|
if(stristr($loc_pt_translated, " ")) {
|
740 |
|
/* XXX: we should deal with multiple ports */
|
741 |
|
$loc_pt_translated_split = split(" ", $loc_pt_translated);
|
742 |
|
foreach($loc_pt_translated_split as $lpts)
|
|
741 |
/* only install reflection rules for < 19991 items */
|
|
742 |
} else if ($starting_localhost_port < 19991) {
|
|
743 |
$loc_pt = $lrange_start;
|
|
744 |
for($x=$extport[0]; $x<$range_end; $x++) {
|
|
745 |
$xxx = $x;
|
|
746 |
$toadd_array = array();
|
|
747 |
if(is_alias($loc_pt)) {
|
|
748 |
$loc_pt_translated = filter_expand_alias($loc_pt);
|
|
749 |
if (!$loc_pt_translated) {
|
|
750 |
log_error("Reflection processing: {$loc_pt} is not a vaild port alias.");
|
|
751 |
continue;
|
|
752 |
}
|
|
753 |
if(stristr($loc_pt_translated, " ")) {
|
|
754 |
/* XXX: we should deal with multiple ports */
|
|
755 |
$loc_pt_translated_split = split(" ", $loc_pt_translated);
|
|
756 |
foreach($loc_pt_translated_split as $lpts)
|
743 |
757 |
$toadd_array[] = $lpts;
|
744 |
|
} else {
|
745 |
|
$toadd_array[] = $loc_pt_translated;
|
746 |
|
}
|
747 |
|
} else {
|
748 |
|
$loc_pt_translated = $loc_pt;
|
|
758 |
} else
|
749 |
759 |
$toadd_array[] = $loc_pt_translated;
|
750 |
|
}
|
|
760 |
} else {
|
|
761 |
$loc_pt_translated = $loc_pt;
|
|
762 |
$toadd_array[] = $loc_pt_translated;
|
|
763 |
}
|
751 |
764 |
|
752 |
|
switch($rule['protocol']) {
|
753 |
|
case "tcp/udp":
|
754 |
|
$protocol = "{ tcp udp }";
|
755 |
|
foreach($toadd_array as $tda) {
|
756 |
|
$reflection_txt = "\tstream\ttcp/udp\tnowait/0\tnobody\t/usr/bin/nc -w {$reflectiontimeout}{$target} {$tda}\n";
|
757 |
|
if(!in_array($reflection_txt, $reflection_seen)) {
|
758 |
|
fwrite($inetd_fd, $starting_localhost_port . $reflection_txt);
|
759 |
|
$reflection_seen[] = $reflection_txt;
|
760 |
|
}
|
761 |
|
$natrules .= "rdr on {$ifname['if']} proto tcp from any to {$extaddr} port {$xxx} tag PFREFLECT -> 127.0.0.1 port {$starting_localhost_port}\n";
|
762 |
|
$starting_localhost_port++;
|
763 |
|
$reflection_txt = "\tstream\ttcp/udp\tnowait/0\tnobody\t/usr/bin/nc -u -w {$reflectiontimeout} {$target} {$tda}\n";
|
764 |
|
if(!in_array($reflection_txt, $reflection_seen)) {
|
765 |
|
fwrite($inetd_fd, $starting_localhost_port . $reflection_txt);
|
766 |
|
$reflection_seen[] = $reflection_txt;
|
767 |
|
}
|
768 |
|
$natrules .= "rdr on { {$ifname['if']} } proto udp from any to {$extaddr} port {$xxx} tag PFREFLECT -> 127.0.0.1 port {$starting_localhost_port}\n";
|
769 |
|
$xxx++;
|
770 |
|
$starting_localhost_port++;
|
771 |
|
}
|
772 |
|
break;
|
773 |
|
case "tcp":
|
774 |
|
case "udp":
|
775 |
|
$protocol = $rule['protocol'];
|
776 |
|
foreach($toadd_array as $tda){
|
777 |
|
if($protocol == "udp") {
|
778 |
|
$socktype = "dgram";
|
779 |
|
$dash_u = "-u ";
|
780 |
|
} else {
|
781 |
|
$socktype = "stream";
|
782 |
|
$dash_u = "";
|
783 |
|
}
|
784 |
|
if($config['system']['reflectiontimeout'])
|
785 |
|
$reflectiontimeout = $config['system']['reflectiontimeout'];
|
786 |
|
else
|
787 |
|
$reflectiontimeout = "20";
|
788 |
|
$reflection_txt = "\t{$socktype}\t{$protocol}\tnowait/0\tnobody\t/usr/bin/nc nc {$dash_u}-w {$reflectiontimeout} {$target} {$tda}\n";
|
789 |
|
if(!in_array($reflection_txt, $reflection_seen)) {
|
790 |
|
fwrite($inetd_fd, $starting_localhost_port . $reflection_txt);
|
791 |
|
$reflection_seen[] = $reflection_txt;
|
792 |
|
}
|
793 |
|
$natrules .= "rdr on { {$ifname['if']} } proto {$protocol} from any to {$extaddr} port {$xxx} tag PFREFLECT -> 127.0.0.1 port {$starting_localhost_port}\n";
|
794 |
|
$xxx++;
|
795 |
|
$starting_localhost_port++;
|
796 |
|
}
|
797 |
|
break;
|
798 |
|
default:
|
799 |
|
break;
|
|
765 |
switch($rule['protocol']) {
|
|
766 |
case "tcp/udp":
|
|
767 |
$protocol = "{ tcp udp }";
|
|
768 |
foreach($toadd_array as $tda) {
|
|
769 |
$reflection_txt[] = "{$starting_localhost_port}\tstream\ttcp\tnowait/0\tnobody\t/usr/bin/nc -w {$reflectiontimeout} {$target} {$tda}\n";
|
|
770 |
$reflection_txt[] = "{$starting_localhost_port}\tdgram\tudp\tnowait/0\tnobody\t/usr/bin/nc -u -w {$reflectiontimeout} {$target} {$tda}\n";
|
|
771 |
$natrules .= "rdr on { {$ifname['if']} } proto {$protocol} from any to {$extaddr} port {$xxx} tag PFREFLECT -> 127.0.0.1 port {$starting_localhost_port}\n";
|
|
772 |
}
|
|
773 |
break;
|
|
774 |
case "tcp":
|
|
775 |
case "udp":
|
|
776 |
$protocol = $rule['protocol'];
|
|
777 |
if($protocol == "udp") {
|
|
778 |
$socktype = "dgram";
|
|
779 |
$dash_u = "-u ";
|
|
780 |
} else {
|
|
781 |
$socktype = "stream";
|
|
782 |
$dash_u = "";
|
800 |
783 |
}
|
801 |
|
$loc_pt++;
|
802 |
|
if($starting_localhost_port > 19990) {
|
803 |
|
log_error("Not installing nat reflection rules. Maximum 1,000 reached.");
|
804 |
|
$x = $range_end+1;
|
|
784 |
foreach($toadd_array as $tda){
|
|
785 |
$reflection_txt[] = "{$starting_localhost_port}\t{$socktype}\t{$protocol}\tnowait/0\tnobody\t/usr/bin/nc nc {$dash_u}-w {$reflectiontimeout} {$target} {$tda}\n";
|
|
786 |
$natrules .= "rdr on { {$ifname['if']} } proto {$protocol} from any to {$extaddr} port {$xxx} tag PFREFLECT -> 127.0.0.1 port {$starting_localhost_port}\n";
|
805 |
787 |
}
|
|
788 |
break;
|
|
789 |
}
|
|
790 |
$loc_pt++;
|
|
791 |
$xxx++;
|
|
792 |
$starting_localhost_port++;
|
|
793 |
if ($starting_localhost_port > 19990) {
|
|
794 |
log_error("Not installing nat reflection rules. Maximum 1,000 reached.");
|
|
795 |
$x = $range_end+1;
|
806 |
796 |
}
|
807 |
797 |
}
|
808 |
798 |
}
|
809 |
799 |
}
|
|
800 |
|
|
801 |
$inetd_fd = fopen("/var/etc/inetd.conf","w");
|
|
802 |
|
|
803 |
/* add tftp protocol helper */
|
|
804 |
fwrite($inetd_fd, "tftp\tdgram\tudp\twait\t\troot\t/usr/local/sbin/tftp-proxy -v\n");
|
|
805 |
$reflection_txt = array_unique($reflection_txt);
|
|
806 |
foreach ($reflection_txt as $txtline)
|
|
807 |
fwrite($inetd_fd, $txtline);
|
|
808 |
fclose($inetd_fd);
|
810 |
809 |
}
|
|
810 |
|
811 |
811 |
return $natrules;
|
812 |
812 |
}
|
813 |
813 |
|
... | ... | |
1056 |
1056 |
update_filter_reload_status("Creating NAT rule {$rule['descr']}");
|
1057 |
1057 |
/* if item is an alias, expand */
|
1058 |
1058 |
$extport = "";
|
1059 |
|
if(alias_expand($rule['external-port']))
|
1060 |
|
$extport[0] = alias_expand($rule['external-port']);
|
1061 |
|
else
|
|
1059 |
$extport[0] = alias_expand($rule['external-port']);
|
|
1060 |
if (!$extport[0])
|
1062 |
1061 |
$extport = explode("-", $rule['external-port']);
|
1063 |
1062 |
/* if item is an alias, expand */
|
1064 |
|
if(alias_expand($rule['local-port']))
|
|
1063 |
$localport = alias_expand($rule['local-port']);
|
|
1064 |
if(!$localport)
|
1065 |
1065 |
$localport = "";
|
1066 |
1066 |
else
|
1067 |
|
$localport = " port {$rule['local-port']}";
|
|
1067 |
$localport = " port {$localport}";
|
1068 |
1068 |
$target = alias_expand($rule['target']);
|
1069 |
1069 |
if (!$target) {
|
1070 |
1070 |
$natrules .= "# Unresolvable alias {$rule['target']}\n";
|
... | ... | |
1078 |
1078 |
$natif = "wan";
|
1079 |
1079 |
else
|
1080 |
1080 |
$natif = $rule['interface'];
|
1081 |
|
if (alias_expand($rule['external-address']))
|
1082 |
|
$extaddr = alias_expand($rule['external-address']);
|
1083 |
|
else if ($rule['external-address'] <> "")
|
1084 |
|
$extaddr = $rule['external-address'];
|
1085 |
|
else
|
1086 |
|
$extaddr = $FilterIflist[$rule['interface']]['ip'];
|
|
1081 |
$extaddr = alias_expand($rule['external-address']);
|
|
1082 |
if (!$extaddr)
|
|
1083 |
$extaddr = $FilterIflist[$natif]['ip'];
|
1087 |
1084 |
$natif = $FilterIflist[$natif]['if'];
|
1088 |
1085 |
|
1089 |
1086 |
if ($extaddr <> "") {
|
... | ... | |
1146 |
1143 |
$natrules .= "nat on {$natif} proto tcp from {$rule_subnet}/{$rule_interface_subnet} to {$target} port {$extport[0]} -> ({$natif})\n";
|
1147 |
1144 |
}
|
1148 |
1145 |
}
|
1149 |
|
$natrules .= filter_generate_reflection($rule, $extport, $starting_localhost_port);
|
|
1146 |
$natrules .= filter_generate_reflection($rule, $target, $extport, $starting_localhost_port);
|
1150 |
1147 |
$natrules .= "\n";
|
1151 |
1148 |
}
|
1152 |
1149 |
}
|
... | ... | |
1275 |
1272 |
if (in_array($rule['protocol'], array("tcp","udp","tcp/udp"))) {
|
1276 |
1273 |
if ($rule[$target]['port']) {
|
1277 |
1274 |
$srcport = explode("-", $rule[$target]['port']);
|
1278 |
|
if (alias_expand($srcport[0]))
|
1279 |
|
$srcporta = alias_expand($srcport[0]);
|
1280 |
|
else
|
1281 |
|
$srcporta = $srcport[0];
|
1282 |
|
if ((!$srcport[1]) || ($srcport[0] == $srcport[1])) {
|
1283 |
|
if(alias_expand($srcport[0]))
|
1284 |
|
$src .= " port {$srcporta} ";
|
1285 |
|
else
|
1286 |
|
$src .= " port = {$srcporta} ";
|
|
1275 |
$srcporta = alias_expand($srcport[0]);
|
|
1276 |
if (!$srcporta)
|
|
1277 |
log_error("filter_generate_address: {$srcport[0]} is not a valid source port.");
|
|
1278 |
else if ((!$srcport[1]) || ($srcport[0] == $srcport[1])) {
|
|
1279 |
$src .= " port {$srcporta} ";
|
1287 |
1280 |
} else if (($srcport[0] == 1) && ($srcport[1] == 65535)) {
|
1288 |
1281 |
/* no need for a port statement here */
|
1289 |
|
} else if ($srcport[1] == 65535) {
|
1290 |
|
$src .= " port >= {$srcport[0]} ";
|
|
1282 |
} else if (is_port($srcporta) && $srcport[1] == 65535) {
|
|
1283 |
$src .= " port >= {$srcporta} ";
|
1291 |
1284 |
} else if ($srcport[0] == 1) {
|
1292 |
1285 |
$src .= " port <= {$srcport[1]} ";
|
1293 |
1286 |
} else {
|
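Review bot: In the last hunk (new lines 1275–1279), a port for which `alias_expand($srcport[0])` returns an empty value is only passed to `log_error()`, and the `else if` chain then appends no ` port … ` clause to `$src`. As far as the visible lines show, the rule is still generated and matches every port instead of the configured one. The removed code fell back to the raw `$srcport[0]`, so the rule text always kept a port restriction; the new branch turns a configuration error into a broader rule. This branch should fail closed by signalling the error to the caller so the rule is skipped, with a comment such as `/* unresolved port: skip the rule rather than emit it without a port clause */`. The rest of the function and its callers lie outside the hunk, so how to signal this (return value or flag) needs checking against them.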