diff options
author | Erik Fonnesbeck <efonnes@gmail.com> | 2012-04-17 23:04:59 -0600 |
---|---|---|
committer | Erik Fonnesbeck <efonnes@gmail.com> | 2012-04-20 00:20:30 -0600 |
commit | a6aedcd141d649d30ff4182bc5cc8f2fc371b7c3 (patch) | |
tree | ab75584deadad30200378776e4b9603016161b25 | |
parent | 112f56029d5663ffda3a7b8c83c473fd19bb281c (diff) | |
download | pfsense-a6aedcd141d649d30ff4182bc5cc8f2fc371b7c3.zip pfsense-a6aedcd141d649d30ff4182bc5cc8f2fc371b7c3.tar.gz |
Clean up filter_generate_reflection_nat, remove obsolete checks, and add new checks that are now needed. Ticket #2240
-rw-r--r-- | etc/inc/filter.inc | 67 |
1 files changed, 32 insertions, 35 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index c204266..472be3e 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -777,7 +777,10 @@ function filter_get_direct_networks_list($returnsubnetsonly = true) { if($returnsubnetsonly) { $networks_arr[] = $subnet; } else { - $networks_arr[] = array('subnet' => $subnet, 'if' => $ifent); + $networks_arr[] = array( + 'subnet' => $subnet, + 'if' => $ifent, + 'ip' => $ifcfg['ip']); } } } @@ -791,7 +794,10 @@ function filter_get_direct_networks_list($returnsubnetsonly = true) { if($returnsubnetsonly) { $networks_arr[] = $subnet; } else { - $networks_arr[] = array('subnet' => $subnet, 'if' => $vip['interface']); + $networks_arr[] = array( + 'subnet' => $subnet, + 'if' => $vip['interface'], + 'ip' => $vip['subnet']); } } } @@ -995,20 +1001,19 @@ function filter_generate_reflection_nat($rule, &$route_table, $nat_ifs, $protoco $target_subnet = 32; if(!is_array($route_table)) { - $route_table = array(); /* get a simulated IPv4-only route table based on the config */ $route_table = filter_get_direct_networks_list(false); foreach($route_table as $rt_key => $rt_ent) { if(!is_subnetv4($rt_ent['subnet'])) unset($route_table[$rt_key]); - if(isset($route_table[$rt_key])) - $route_table[$rt_key]['if'] = get_real_interface($rt_ent['if']); + if(isset($route_table[$rt_key]) && isset($FilterIflist[$rt_ent['if']]['if'])) + $route_table[$rt_key]['if'] = $FilterIflist[$rt_ent['if']]['if']; } } /* Check if the target is accessed through a static route */ foreach($route_table as $route) { - if(is_subnet($route['subnet']) && is_ipaddr($route['gateway'])) { + if(isset($route['gateway']) && is_ipaddr($route['gateway'])) { $subnet_split = explode("/", $route['subnet']); if(in_array($route['if'], $nat_ifs) && check_subnets_overlap($target_ip, $target_subnet, $subnet_split[0], $subnet_split[1])) { $target_ip = $route['gateway']; @@ -1020,37 +1025,29 @@ function filter_generate_reflection_nat($rule, &$route_table, $nat_ifs, $protoco /* Search for matching subnets in the routing table */ foreach($route_table as $route) { - if(is_subnet($route['subnet'])) { - $subnet = $route['subnet']; - $subnet_split = explode("/", $subnet); - $subnet_if = $route['if']; - if(in_array($subnet_if, $nat_ifs) && check_subnets_overlap($target_ip, $target_subnet, $subnet_split[0], $subnet_split[1])) { - $ifsubnet_ip = ""; - foreach ($FilterIflist as $ifent => $ifname) { - if(ip_in_subnet($ifname['ip'], $subnet) && $ifname['if'] == $subnet_if) { - $ifsubnet_ip = $ifname['ip']; - break; - } - } - if(empty($ifsubnet_ip)) { - foreach(get_configured_ip_aliases_list() as $subnet_ip => $ifent) { - if(ip_in_subnet($subnet_ip, $subnet) && $FilterIflist[$ifent]['if'] == $subnet_if) { - $ifsubnet_ip = $subnet_ip; - break; - } - } + $subnet = $route['subnet']; + $subnet_split = explode("/", $subnet); + $subnet_if = $route['if']; + if(in_array($subnet_if, $nat_ifs) && check_subnets_overlap($target_ip, $target_subnet, $subnet_split[0], $subnet_split[1])) { + $ifsubnet_ip = ""; + /* Find interface IP to use for NAT */ + foreach ($route_table as $ifnetwork) { + if(isset($ifnetwork['ip']) && is_ipaddr($ifnetwork['ip']) && $ifnetwork['if'] == $subnet_if && ip_in_subnet($ifnetwork['ip'], $subnet)) { + $ifsubnet_ip = $ifnetwork['ip']; + break; } - if(!empty($ifsubnet_ip)) { - $subnets = array($subnet); - foreach($route_table as $rtentry) { - if(is_subnet($rtentry['subnet']) && is_ipaddr($rtentry['gateway']) && ip_in_subnet($rtentry['gateway'], $subnet) && $rtentry['if'] == $subnet_if) - $subnets[] = $rtentry['subnet']; - } - if(count($subnets) > 1) - $subnet = "{ " . implode(" ", $subnets) . " }"; - $natrules .= "no nat on {$subnet_if}{$protocol_text} from {$subnet_if} to {$target}\n"; - $natrules .= "nat on {$subnet_if}{$protocol_text} from {$subnet} to {$target} -> {$ifsubnet_ip}{$static_port}\n"; + } + if(!empty($ifsubnet_ip)) { + $subnets = array($subnet); + /* Find static routes that also need to be referenced in the NAT rule */ + foreach($route_table as $rtentry) { + if(isset($rtentry['gateway']) && is_ipaddr($rtentry['gateway']) && $rtentry['if'] == $subnet_if && ip_in_subnet($rtentry['gateway'], $subnet)) + $subnets[] = $rtentry['subnet']; } + if(count($subnets) > 1) + $subnet = "{ " . implode(" ", $subnets) . " }"; + $natrules .= "no nat on {$subnet_if}{$protocol_text} from {$subnet_if} to {$target}\n"; + $natrules .= "nat on {$subnet_if}{$protocol_text} from {$subnet} to {$target} -> {$ifsubnet_ip}{$static_port}\n"; } } } |