Revision f4e6563a
Added by Scott Ullrich almost 20 years ago
etc/inc/filter.inc | ||
340 | 340 |
return mwexec("/sbin/pfctl -F state"); |
341 | 341 |
} |
342 | 342 |
|
343 |
function filter_nat_rules_generate_if($if, $src, $srcport, $dst, $natport, $target, $nonat) { |
|
343 |
/* Generate a 'nat on' or 'no nat on' rule for given interface */ |
|
344 |
function filter_nat_rules_generate_if($if, $src = "any", $srcport = "", $dst = "any", $dstport = "", $natip = "", $natport = "", $nonat = false) { |
|
344 | 345 |
global $config; |
345 | 346 |
|
347 |
/* XXX: billm - any idea if this code is needed? */ |
|
346 | 348 |
if($src == "/32" || $src{0} == "/") |
347 | 349 |
return; |
348 |
|
|
349 |
$nat = "nat"; |
|
350 |
|
|
350 |
|
|
351 | 351 |
/* Use interface name if IP isn't specified */ |
352 |
if ($target)
|
|
353 |
$tgt = "{$target}/32";
|
|
352 |
if ($natip != "")
|
|
353 |
$tgt = "{$natip}/32";
|
|
354 | 354 |
else |
355 | 355 |
$tgt = "($if)"; |
356 |
|
|
357 |
/* Add the hard set source port (useful for ISAKMP) */ |
|
358 |
if ($natport != "") |
|
359 |
$tgt .= " port {$natport}"; |
|
356 | 360 |
|
357 |
if($nonat == true) { |
|
358 |
$nat = "no nat"; |
|
359 |
$second_half_of_rule = ""; |
|
360 |
} else { |
|
361 |
$second_half_of_rule = " -> {$tgt}"; |
|
362 |
} |
|
361 |
/* sometimes this gets called with "" instead of a value */ |
|
362 |
if ($src == "") |
|
363 |
$src = "any"; |
|
363 | 364 |
|
365 |
/* Match on this source port */ |
|
366 |
if ($srcport != "") |
|
367 |
$src .= " port {$srcport}"; |
|
368 |
|
|
369 |
/* sometimes this gets called with "" instead of a value */ |
|
364 | 370 |
if ($dst == "") |
365 | 371 |
$dst = "any"; |
366 | 372 |
|
367 |
/* Match on this source port */
|
|
368 |
if ($srcport)
|
|
369 |
$src .= " port {$srcport}";
|
|
373 |
/* Match on this dest port */
|
|
374 |
if ($dstport != "")
|
|
375 |
$dst .= " port {$dstport}";
|
|
370 | 376 |
|
371 |
/* set the source port the world sees */ |
|
372 |
if ($natport) |
|
373 |
$second_half_of_rule .= " port {$natport}"; |
|
377 |
/* Allow for negating NAT entries */ |
|
378 |
if ($nonat) { |
|
379 |
$nat = "no nat"; |
|
380 |
$target = ""; |
|
381 |
} else { |
|
382 |
$nat = "nat"; |
|
383 |
$target = "-> {$tgt}"; |
|
384 |
} |
|
374 | 385 |
|
375 |
$natrule = "{$nat} on {$if} from {$src} to {$dst} {$second_half_of_rule}\n"; |
|
386 |
/* Put all the pieces together */ |
|
387 |
$natrule = "{$nat} on {$if} from {$src} to {$dst} {$target}\n"; |
|
376 | 388 |
|
377 | 389 |
return $natrule; |
378 | 390 |
} |
... | ... | |
469 | 481 |
else |
470 | 482 |
$natif = $config['interfaces'][$obent['interface']]['if']; |
471 | 483 |
|
472 |
$natrules .= filter_nat_rules_generate_if($natif, $src, $obent['sourceport'], $dst, $obent['natport'], |
|
473 |
$obent['target'], isset($obent['nonat']));
|
|
484 |
$natrules .= filter_nat_rules_generate_if($natif, $src, $obent['sourceport'], $dst, $obent['dstport'], $obent['target'], $obent['natport'],
|
|
485 |
isset($obent['nonat'])); |
|
474 | 486 |
} |
475 | 487 |
} |
476 | 488 |
} else { |
... | ... | |
478 | 490 |
/* create ipsec passthru rule if requested */ |
479 | 491 |
if (isset($config['nat']['ipsecpassthru']['enable'])) { |
480 | 492 |
$natrules .= filter_nat_rules_generate_if($wanif, |
481 |
"{$lansa}/{$lancfg['subnet']}", 500, "", 500, null, false); |
|
493 |
"{$lansa}/{$lancfg['subnet']}", 500, "", 500, null, 500, false);
|
|
482 | 494 |
} |
483 |
$natrules .= filter_nat_rules_generate_if($wanif, |
|
484 |
"{$lansa}/{$lancfg['subnet']}", null, "", null, null, false); |
|
495 |
$natrules .= filter_nat_rules_generate_if($wanif, "{$lansa}/{$lancfg['subnet']}"); |
|
485 | 496 |
|
486 | 497 |
/* optional interfaces */ |
487 | 498 |
for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { |
... | ... | |
495 | 506 |
*/ |
496 | 507 |
if($optcfg['gateway'] <> "") |
497 | 508 |
$natrules .= filter_nat_rules_generate_if($optcfg['if'], |
498 |
"{$lansa}/{$lancfg['subnet']}", null, "", null, null, isset($optcfg['nonat'])); |
|
509 |
"{$lansa}/{$lancfg['subnet']}", null, "", null, null, null, isset($optcfg['nonat']));
|
|
499 | 510 |
|
500 | 511 |
$natrules .= filter_nat_rules_generate_if($wanif, |
501 |
"{$optsa}/{$optcfg['subnet']}", null, "", null, null, isset($optcfg['nonat'])); |
|
512 |
"{$optsa}/{$optcfg['subnet']}", null, "", null, null, null, isset($optcfg['nonat']));
|
|
502 | 513 |
} |
503 | 514 |
} |
504 | 515 |
|
... | ... | |
508 | 519 |
if($config['pptp']['pptp_subnet'] <> "") |
509 | 520 |
$pptp_subnet = $config['pptp']['pptp_subnet']; |
510 | 521 |
$natrules .= filter_nat_rules_generate_if($wanif, |
511 |
"{$pptpdcfg['remoteip']}/{$pptp_subnet}", null, "", null, null, "");
|
|
522 |
"{$pptpdcfg['remoteip']}/{$pptp_subnet}"); |
|
512 | 523 |
} |
513 | 524 |
|
514 | 525 |
/* PPPoE subnet */ |
... | ... | |
517 | 528 |
if($config['pppoe']['pppoe_subnet'] <> "") |
518 | 529 |
$pppoe_subnet = $config['pppoe']['pppoe_subnet']; |
519 | 530 |
$natrules .= filter_nat_rules_generate_if($wanif, |
520 |
"{$pppoecfg['remoteip']}/{$pppoe_subnet}", null, "", null, null, "");
|
|
531 |
"{$pppoecfg['remoteip']}/{$pppoe_subnet}"); |
|
521 | 532 |
} |
522 | 533 |
|
523 | 534 |
|
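Review bot: The rule assembled at new line 387 (`$natrule = "{$nat} on {$if} from {$src} to {$dst} {$target}\n"`) interpolates config-supplied strings — `$obent['target']`, `['sourceport']`, `['dstport']`, `['natport']` and the `addr/mask` source the callers build — straight into pf ruleset text, and the parameters added in this commit (`$dstport`, `$natip`, `$natport`) widen that surface while the function still performs no check of its own. A value containing whitespace or a newline (a hand-edited or corrupted config.xml, or a gap in GUI-side validation I cannot see from here) would inject extra tokens or a second rule into the ruleset, or make pfctl reject the whole load, so this is at least worth having as defence in depth. A conservative guard before the interpolations, with the character class widened to whatever port-range syntax the GUI accepts, would be `foreach (array($if, $src, $srcport, $dst, $dstport, $natip, $natport) as $v) if ($v != "" && !preg_match('/^[0-9A-Za-z_.:\/-]+$/', $v)) return;` — the function already returns nothing for a malformed `$src`, and every caller just appends the result to `$natrules`, so that failure mode is established. The `XXX: billm` question at new line 347 can be answered from the callers: they pass `"{$lansa}/{$lancfg['subnet']}"`, so an unset address yields a bare `/24` that the `$src{0} == "/"` guard skips, and I would replace the comment with `/* callers build "addr/mask"; skip the rule when the address part is empty since pfctl would reject it */`. The function is fully contained in the first hunk (new 344–390).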
MFC 7145
Better mousetrap: generate the "right" filter rules — future-proof for the next change, which will allow the destination port to be chosen in advanced NAT (we had been overloading what this function did, and it wasn't right). Shorten some calls to filter_nat_rules_generate_if() that don't need to pass more arguments.