author | Ermal Luçi <eri@pfsense.org> | 2010-03-09 19:43:40 +0000 |
---|---|---|
committer | Ermal Luçi <eri@pfsense.org> | 2010-03-09 19:45:13 +0000 |
commit | 68ff67b360068bf308eb0305aeb1fa841f85bc01 (patch) | |
tree | 90859f18cd2eaff33edad581abb2bab3b4efcb78 | |
parent | 800ae4122c0efd20a6db87bac8d463a7fe145db8 (diff) | |
Implement the protocol functionality on NAT rules. This is based on a port that provides this functionality, but with a much smaller patchset.
-rw-r--r-- | etc/inc/filter.inc | 12 | ||||
-rwxr-xr-x | usr/local/www/firewall_nat_out_edit.php | 22 |
2 files changed, 29 insertions, 5 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index f06d6ec..ac22ba6 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -828,7 +828,7 @@ function filter_generate_reflection($rule, $extport, &$starting_localhost_port, } /* Generate a 'nat on' or 'no nat on' rule for given interface */
-function filter_nat_rules_generate_if($if, $src = "any", $srcport = "", $dst = "any", $dstport = "", $natip = "", $natport = "", $nonat = false, $staticnatport = false) {
+function filter_nat_rules_generate_if($if, $src = "any", $srcport = "", $dst = "any", $dstport = "", $natip = "", $natport = "", $nonat = false, $staticnatport = false, $proto = "") {
 global $config; /* XXX: billm - any idea if this code is needed? */ if($src == "/32" || $src{0} == "/")
@@ -842,6 +842,11 @@ function filter_nat_rules_generate_if($if, $src = "any", $srcport = "", $dst = " else $tgt = "($if)"; }
+ /* Add the protocol, if defined */
+ if (!empty($proto) && $proto != "any")
+ $protocol = " proto {$proto}";
+ else
+ $protocol = "";
 /* Add the hard set source port (useful for ISAKMP) */ if($natport != "") $tgt .= " port {$natport}";
@@ -877,7 +882,7 @@ function filter_nat_rules_generate_if($if, $src = "any", $srcport = "", $dst = " $if_friendly = convert_friendly_interface_to_friendly_descr($if); /* Put all the pieces together */ if($if_friendly)
- $natrule = "{$nat} on \${$if_friendly} from {$src} to {$dst} {$target}{$staticnatport_txt}\n";
+ $natrule = "{$nat} on \${$if_friendly} {$protocol} from {$src} to {$dst} {$target}{$staticnatport_txt}\n";
 else $natrule .= "# Could not convert {$if} to friendly name(alias)\n"; return $natrule;
@@ -937,7 +942,8 @@ function filter_nat_rules_generate() { $obent['target'], $obent['natport'], isset($obent['nonat']),
- isset($obent['staticnatport'])
+ isset($obent['staticnatport']),
+ $obent['protocol']
 ); } }
diff --git a/usr/local/www/firewall_nat_out_edit.php b/usr/local/www/firewall_nat_out_edit.php
index 209ee78..31e8a0c 100755 
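Review bot: In the last hunk `$obent['protocol']` is read without an isset() guard, while the edit page deliberately unset()s that key for "any", so every existing or "any" outbound rule now raises an undefined-index notice on each filter reload; pass `isset($obent['protocol']) ? $obent['protocol'] : ""` instead. In the second hunk the value is then interpolated verbatim into the pf rule text as `" proto {$proto}"`, so whatever string sits in config reaches pfctl — a whitelist check in filter_nat_rules_generate_if, e.g. `in_array($proto, array("tcp", "udp", "icmp", "esp", "ah", "gre", "igmp", "carp", "pfsync"), true)`, would keep a malformed config value from breaking or altering the generated ruleset. The edit page also offers `tcp/udp`, which pf does not accept as a proto keyword, so that case needs to be emitted as `proto { tcp udp }` here. filter_nat_rules_generate_if and filter_nat_rules_generate both start and end outside the hunks.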
--- a/usr/local/www/firewall_nat_out_edit.php
+++ b/usr/local/www/firewall_nat_out_edit.php
@@ -66,6 +66,7 @@ if (isset($_GET['dup'])) { unset($after); if (isset($id) && $a_out[$id]) {
+ $pconfig['protocol'] = $a_out[$id]['protocol'];
 list($pconfig['source'],$pconfig['source_subnet']) = explode('/', $a_out[$id]['source']['network']); $pconfig['sourceport'] = $a_out[$id]['sourceport']; address_to_pconfig($a_out[$id]['destination'], $pconfig['destination'],
@@ -107,8 +108,8 @@ if ($_POST) { $pconfig = $_POST; /* input validation */
- $reqdfields = explode(" ", "interface source source_subnet destination destination_subnet");
- $reqdfieldsn = explode(",", "Interface,Source,Source bit count,Destination,Destination bit count");
+ $reqdfields = explode(" ", "interface protocol source source_subnet destination destination_subnet");
+ $reqdfieldsn = explode(",", "Interface,Protocol,Source,Source bit count,Destination,Destination bit count");
 do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
@@ -212,6 +213,11 @@ if ($_POST) { unset($natent['nonat']); }
+ if ($_POST['protocol'] && $_POST['protocol'] != "any")
+ $natent['protocol'] = $_POST['protocol'];
+ else
+ unset($natent['protocol']);
+
 if ($ext == "any") { $natent['destination']['any'] = true; } else { 
@@ -334,6 +340,18 @@ function sourcesel_change() { <span class="vexpl">Choose which interface this rule applies to.<br> Hint: in most cases, you'll want to use WAN here.</span></td> </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Protocol</td>
+ <td width="78%" class="vtable">
+ <select name="proto" class="formselect">
+ <?php $protocols = explode(" ", "any TCP UDP TCP/UDP ICMP ESP AH GRE IGMP carp pfsync");
+ foreach ($protocols as $proto): ?>
+ <option value="<?=strtolower($proto);?>" <?php if (strtolower($proto) == $pconfig['protocol']) echo "selected"; ?>><?=htmlspecialchars($proto);?></option>
+ <?php endforeach; ?>
+ </select> <br> <span class="vexpl">Choose which protocol this rule should match.<br />
+ Hint: in most cases, you should specify <em>any</em> here.</span>
+ </td>
+ </tr>
 <tr> <td width="22%" valign="top" class="vncellreq">Source</td> <td width="78%" class="vtable"> |
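Review bot: The new form field is named `proto` (the `<select name="proto"` line in the last hunk), but the validation and save code in the earlier hunks read `$_POST['protocol']` and list `protocol` as a required field, so submitting the form always fails with a missing-Protocol error and the selection can never be stored; change it to `<select name="protocol" class="formselect">`. Once that works, the posted value is written to config unchecked and later lands in the pf ruleset text, so validate it against the same list the form offers before storing, e.g. `if (!in_array($_POST['protocol'], explode(" ", "any tcp udp tcp/udp icmp esp ah gre igmp carp pfsync"), true)) $input_errors[] = "Invalid protocol.";`. On a new rule `$pconfig['protocol']` appears to be undefined when the option loop compares against it, so guard the comparison with `isset($pconfig['protocol']) &&` or default it to "any" where `$pconfig` is initialised. The enclosing form and POST handler both extend beyond the hunks.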