authorErik Fonnesbeck <efonnes@gmail.com>2012-04-17 23:04:59 -0600
committerErik Fonnesbeck <efonnes@gmail.com>2012-04-20 00:20:30 -0600
commita6aedcd141d649d30ff4182bc5cc8f2fc371b7c3 (patch)
treeab75584deadad30200378776e4b9603016161b25
parent112f56029d5663ffda3a7b8c83c473fd19bb281c (diff)
downloadpfsense-a6aedcd141d649d30ff4182bc5cc8f2fc371b7c3.zip
pfsense-a6aedcd141d649d30ff4182bc5cc8f2fc371b7c3.tar.gz
Clean up filter_generate_reflection_nat, remove obsolete checks, and add new checks that are now needed. Ticket #2240
-rw-r--r--etc/inc/filter.inc67
1 files changed, 32 insertions, 35 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index c204266..472be3e 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -777,7 +777,10 @@ function filter_get_direct_networks_list($returnsubnetsonly = true) {
if($returnsubnetsonly) {
$networks_arr[] = $subnet;
} else {
- $networks_arr[] = array('subnet' => $subnet, 'if' => $ifent);
+ $networks_arr[] = array(
+ 'subnet' => $subnet,
+ 'if' => $ifent,
+ 'ip' => $ifcfg['ip']);
}
}
}
@@ -791,7 +794,10 @@ function filter_get_direct_networks_list($returnsubnetsonly = true) {
if($returnsubnetsonly) {
$networks_arr[] = $subnet;
} else {
- $networks_arr[] = array('subnet' => $subnet, 'if' => $vip['interface']);
+ $networks_arr[] = array(
+ 'subnet' => $subnet,
+ 'if' => $vip['interface'],
+ 'ip' => $vip['subnet']);
}
}
}
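Review bot: `'ip' => $vip['subnet']` on the added lines reads as a mismatch at first glance, since a value named `subnet` is stored under the key `ip`; from the consumer's `is_ipaddr($ifnetwork['ip'])` check later in this commit it appears the VIP's `subnet` field holds the VIP address rather than a network. A one-line comment would save the next reader the double take, e.g. `/* a VIP's 'subnet' field is its address; expose it as 'ip' to match the interface entries */`. The enclosing loop over VIPs begins outside the hunk.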
@@ -995,20 +1001,19 @@ function filter_generate_reflection_nat($rule, &$route_table, $nat_ifs, $protoco
$target_subnet = 32;
if(!is_array($route_table)) {
- $route_table = array();
/* get a simulated IPv4-only route table based on the config */
$route_table = filter_get_direct_networks_list(false);
foreach($route_table as $rt_key => $rt_ent) {
if(!is_subnetv4($rt_ent['subnet']))
unset($route_table[$rt_key]);
- if(isset($route_table[$rt_key]))
- $route_table[$rt_key]['if'] = get_real_interface($rt_ent['if']);
+ if(isset($route_table[$rt_key]) && isset($FilterIflist[$rt_ent['if']]['if']))
+ $route_table[$rt_key]['if'] = $FilterIflist[$rt_ent['if']]['if'];
}
}
/* Check if the target is accessed through a static route */
foreach($route_table as $route) {
- if(is_subnet($route['subnet']) && is_ipaddr($route['gateway'])) {
+ if(isset($route['gateway']) && is_ipaddr($route['gateway'])) {
$subnet_split = explode("/", $route['subnet']);
if(in_array($route['if'], $nat_ifs) && check_subnets_overlap($target_ip, $target_subnet, $subnet_split[0], $subnet_split[1])) {
$target_ip = $route['gateway'];
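Review bot: Dropping `is_subnet($route['subnet'])` from the gateway check on the `+` line leaves `explode("/", $route['subnet'])` on the next line, and the `$subnet_split[1]` read after it, with no guard that the entry is in CIDR form; the `is_subnetv4` filtering that replaces it runs only in the branch that builds the table locally, so a caller that passes a pre-built `$route_table` through the reference parameter gets no validation. The same pattern recurs in the next hunk, where the `is_subnet` test wrapping the loop body was removed. If the reference parameter is only ever meant to be filled by this function, that precondition belongs at the top of the function, e.g. `/* $route_table entries: 'subnet' (IPv4 CIDR), 'if' (real interface name), optional 'ip' and 'gateway'; callers pass a non-array on the first call and this function fills it for reuse. */`. Separately, an entry whose config interface is not in `$FilterIflist` keeps its config name in `'if'` and then never matches `$nat_ifs`; unsetting it alongside the non-IPv4 entries (`else unset($route_table[$rt_key]);`) would make that intent explicit. The function's head, including whatever brings `$FilterIflist` into scope, is outside the hunk.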
@@ -1020,37 +1025,29 @@ function filter_generate_reflection_nat($rule, &$route_table, $nat_ifs, $protoco
/* Search for matching subnets in the routing table */
foreach($route_table as $route) {
- if(is_subnet($route['subnet'])) {
- $subnet = $route['subnet'];
- $subnet_split = explode("/", $subnet);
- $subnet_if = $route['if'];
- if(in_array($subnet_if, $nat_ifs) && check_subnets_overlap($target_ip, $target_subnet, $subnet_split[0], $subnet_split[1])) {
- $ifsubnet_ip = "";
- foreach ($FilterIflist as $ifent => $ifname) {
- if(ip_in_subnet($ifname['ip'], $subnet) && $ifname['if'] == $subnet_if) {
- $ifsubnet_ip = $ifname['ip'];
- break;
- }
- }
- if(empty($ifsubnet_ip)) {
- foreach(get_configured_ip_aliases_list() as $subnet_ip => $ifent) {
- if(ip_in_subnet($subnet_ip, $subnet) && $FilterIflist[$ifent]['if'] == $subnet_if) {
- $ifsubnet_ip = $subnet_ip;
- break;
- }
- }
+ $subnet = $route['subnet'];
+ $subnet_split = explode("/", $subnet);
+ $subnet_if = $route['if'];
+ if(in_array($subnet_if, $nat_ifs) && check_subnets_overlap($target_ip, $target_subnet, $subnet_split[0], $subnet_split[1])) {
+ $ifsubnet_ip = "";
+ /* Find interface IP to use for NAT */
+ foreach ($route_table as $ifnetwork) {
+ if(isset($ifnetwork['ip']) && is_ipaddr($ifnetwork['ip']) && $ifnetwork['if'] == $subnet_if && ip_in_subnet($ifnetwork['ip'], $subnet)) {
+ $ifsubnet_ip = $ifnetwork['ip'];
+ break;
}
- if(!empty($ifsubnet_ip)) {
- $subnets = array($subnet);
- foreach($route_table as $rtentry) {
- if(is_subnet($rtentry['subnet']) && is_ipaddr($rtentry['gateway']) && ip_in_subnet($rtentry['gateway'], $subnet) && $rtentry['if'] == $subnet_if)
- $subnets[] = $rtentry['subnet'];
- }
- if(count($subnets) > 1)
- $subnet = "{ " . implode(" ", $subnets) . " }";
- $natrules .= "no nat on {$subnet_if}{$protocol_text} from {$subnet_if} to {$target}\n";
- $natrules .= "nat on {$subnet_if}{$protocol_text} from {$subnet} to {$target} -> {$ifsubnet_ip}{$static_port}\n";
+ }
+ if(!empty($ifsubnet_ip)) {
+ $subnets = array($subnet);
+ /* Find static routes that also need to be referenced in the NAT rule */
+ foreach($route_table as $rtentry) {
+ if(isset($rtentry['gateway']) && is_ipaddr($rtentry['gateway']) && $rtentry['if'] == $subnet_if && ip_in_subnet($rtentry['gateway'], $subnet))
+ $subnets[] = $rtentry['subnet'];
}
+ if(count($subnets) > 1)
+ $subnet = "{ " . implode(" ", $subnets) . " }";
+ $natrules .= "no nat on {$subnet_if}{$protocol_text} from {$subnet_if} to {$target}\n";
+ $natrules .= "nat on {$subnet_if}{$protocol_text} from {$subnet} to {$target} -> {$ifsubnet_ip}{$static_port}\n";
}
}
}
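Review bot: The interface-address search under `/* Find interface IP to use for NAT */` now depends entirely on the `'ip'` fields that `filter_get_direct_networks_list` populates, replacing the earlier fallback through `get_configured_ip_aliases_list()`; any address type the list function does not enumerate (its VIP loop head is outside the hunks) would no longer be found, and the rule for that subnet is then skipped silently because `$ifsubnet_ip` stays empty. A short comment there would help a later reader, e.g. `/* Only addresses carried in $route_table (interface IPs and VIPs) are candidates; nothing else is consulted */`. The interface comparisons `$ifnetwork['if'] == $subnet_if` and `$rtentry['if'] == $subnet_if` would read more safely as `===`, since both sides are interface-name strings and loose comparison buys nothing. The enclosing function continues past the end of this hunk.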