author | Seth Mos <seth.mos@dds.nl> | 2011-01-18 09:10:36 +0100 |
---|---|---|
committer | Seth Mos <seth.mos@dds.nl> | 2011-01-18 09:10:36 +0100 |
commit | 1f74cd2d101f032472a4968a10b64161652d6c1f (patch) | |
tree | d692513243aaed6003264f0b877b50cbeb69328b /etc/inc/filter.inc | |
parent | c9d174dfc0a29c59ae35f43a470460f36f695b61 (diff) | |
parent | 96e889fc1e938187dd18238d80e3163e1aca3006 (diff) | |
Merge remote branch 'upstream/master'
Conflicts:
etc/inc/interfaces.inc
etc/inc/system.inc
Diffstat (limited to 'etc/inc/filter.inc')
-rw-r--r-- | etc/inc/filter.inc | 34 |
1 files changed, 21 insertions, 13 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 6aaaeeb..72435de 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1091,13 +1091,18 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstaddr_
 }
 /* Generate a 'nat on' or 'no nat on' rule for given interface */
-function filter_nat_rules_generate_if($if, $src = "any", $srcport = "", $dst = "any", $dstport = "", $natip = "", $natport = "", $nonat = false, $staticnatport = false, $proto = "") {
+function filter_nat_rules_generate_if($if, $src = "any", $srcport = "", $dst = "any", $dstport = "", $natip = "", $natport = "", $nonat = false, $staticnatport = false, $proto = "", $poolopts = "") {
 global $config, $FilterIflist;
 /* XXX: billm - any idea if this code is needed? */
 if($src == "/32" || $src{0} == "/")
 return "# src incorrectly specified\n";
 if($natip != "") {
- $tgt = "{$natip}/32";
+ if (is_subnet($natip))
+ $tgt = $natip;
+ elseif (is_alias($natip))
+ $tgt = "\${$natip}";
+ else
+ $tgt = "{$natip}/32";
 } else {
 $natip = get_interface_ip($if);
 if(is_ipaddr($natip))
@@ -1129,18 +1134,17 @@ function filter_nat_rules_generate_if($if, $src = "any", $srcport = "", $dst = "
 if($dstport != "")
 $dst .= " port {$dstport}";
 /* outgoing static-port option, hamachi, Grandstream, VOIP, etc */
+ $staticnatport_txt = "";
 if($staticnatport)
- $staticnatport_txt = " static-port";
- else
- if(!$natport)
- $staticnatport_txt = " port 1024:65535"; // set source port range
- else
- $staticnatport_txt = "";
+ $staticnatport_txt = "static-port";
+ elseif(!$natport)
+ $tgt .= " port 1024:65535"; // set source port range
 /* Allow for negating NAT entries */
 if($nonat) {
 $nat = "no nat";
 $target = "";
 $staticnatport_txt = "";
+ $poolopts = "";
 } else {
 $nat = "nat";
 $target = "-> {$tgt}";
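Review bot: The final `else` of the new `$natip` branch still wraps whatever is left in `/32` without confirming it is an address, so a `$natip` that is neither a subnet nor an alias nor a plain IP is written into the generated ruleset as `-> value/32`, where a single bad entry fails the whole ruleset load; the sibling path a few lines down does check `is_ipaddr($natip)`, and this branch should do the same. I would make the fallback explicit: `elseif (is_ipaddr($natip))` / `$tgt = "{$natip}/32";` / `else return "# nat target incorrectly specified\n";`, which matches the `# src incorrectly specified` early return this function already uses. The second hunk's `$tgt .= " port 1024:65535";` assumes `$tgt` was initialised on every path; for the `$natip == ""` path that initialisation lies outside this hunk, so I could not confirm it. filter_nat_rules_generate_if continues past the end of both hunks.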
@@ -1148,7 +1152,7 @@ function filter_nat_rules_generate_if($if, $src = "any", $srcport = "", $dst = "
 $if_friendly = $FilterIflist[$if]['descr'];
 /* Put all the pieces together */
 if($if_friendly)
- $natrule = "{$nat} on \${$if_friendly} {$protocol} from {$src} to {$dst} {$target}{$staticnatport_txt}\n";
+ $natrule = "{$nat} on \${$if_friendly} {$protocol} from {$src} to {$dst} {$target} {$poolopts} {$staticnatport_txt}\n";
 else
 $natrule .= "# Could not convert {$if} to friendly name(alias)\n";
 return $natrule;
@@ -1241,6 +1245,9 @@ function filter_nat_rules_generate() {
 else
 $natif = $obent['interface'];
+ $obtarget = ($obent['target'] == "other-subnet") ? $obent['targetip'] . '/' . $obent['targetip_subnet']: $obent['target'];
+ $poolopts = (is_subnet($obtarget) || is_alias($obtarget)) ? $obent['poolopts'] : "";
+
 if (!isset($FilterIflist[$natif]))
 continue;
@@ -1249,11 +1256,12 @@ function filter_nat_rules_generate() {
 $obent['sourceport'],
 $dst,
 $obent['dstport'],
- $obent['target'],
+ $obtarget,
 $obent['natport'],
 isset($obent['nonat']),
 isset($obent['staticnatport']),
- $obent['protocol']
+ $obent['protocol'],
+ $poolopts
 );
 }
 }
@@ -1540,7 +1548,7 @@ function filter_generate_user_rule_arr($rule) {
 $ret['rule'] = $line;
 $ret['interface'] = $rule['interface'];
 if($rule['descr'] != "" and $line != "")
- $ret['descr'] = "label \"USER_RULE: " . str_replace('"', '', substr($rule['descr'], 0, 63)) . "\"";
+ $ret['descr'] = "label \"USER_RULE: " . str_replace('"', '', substr($rule['descr'], 0, 52)) . "\"";
 else
 $ret['descr'] = "label \"USER_RULE\"";
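Review bot: `{$poolopts}` is interpolated verbatim into the generated pf rule, and the value originates in the `@@ -1241,6 +1245,9 @@` hunk as `$obent['poolopts']` read straight from the configuration with no check on its contents, so anything other than a pf pool-type keyword (or a value carrying a newline) would abort loading of the entire ruleset rather than just this rule. I would validate it where it is read, e.g. `$poolopts = (is_subnet($obtarget) || is_alias($obtarget)) && preg_match('/^[a-z][a-z -]*\z/', $obent['poolopts']) ? $obent['poolopts'] : "";`, ideally tightened to an allow-list of pf's pool options (bitmask, random, source-hash, round-robin, sticky-address). The widened format string also emits double spaces whenever `$poolopts` or `$staticnatport_txt` is empty; pf tolerates that, but the original concatenation was tidier. filter_nat_rules_generate_if begins outside this hunk.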
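Review bot: In the `@@ -1241,6 +1245,9 @@` hunk `$obtarget` is assembled as `targetip . '/' . targetip_subnet` with neither field validated, so a missing or malformed mask yields something like `10.0.0.0/` which, if `is_subnet()` and `is_alias()` reject it, reaches the callee's final `else` and has `/32` appended, producing a target the ruleset load will presumably choke on. Since one bad entry stops every rule from loading, I would skip such entries up front: `if ($obent['target'] == "other-subnet" && !is_subnet($obtarget))` / `continue; /* malformed other-subnet target, skip rather than emit a broken rule */`. Whether `is_subnet()` rejects an empty mask is my assumption; confirm against its definition. filter_nat_rules_generate continues on both sides of this hunk.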
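Review bot: The new `52` in the `@@ -1540,7 +1548,7 @@` hunk is a magic number with no explanation; it reads as 63 minus the 11-character `USER_RULE: ` prefix, presumably to keep the whole label within pf's fixed label size, and the line should say so, e.g. `/* pf caps rule labels (PF_RULE_LABEL_SIZE); 52 + strlen("USER_RULE: ") keeps the label within it */`. Separately, `str_replace('"', '', ...)` strips only double quotes: a description containing a backslash or a newline is still pasted between the label's quotes, where a trailing backslash can escape the closing quote and a newline splits the rule, so one stray description can again break the ruleset load; `preg_replace('/["\\\\\r\n]/', '', $rule['descr'])` before the `substr` would close that. Note also that the strip runs after `substr`, so removed characters shorten the label below 52 rather than being replaced.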
@@ -2138,7 +2146,7 @@ EOD;
 $cpinterface = implode(" ", $cpiflist);
 $cpaddresses = implode(" ", $cpiplist);
 $ipfrules .= "pass in {$log} quick on { {$cpinterface} } proto tcp from any to { {$cpaddresses} } port { 8000 8001 } keep state(sloppy)\n";
- $ipfrules .= "pass out {$log} quick on { {$cpinterface} } proto tcp from any port { 8000 8001 80 } to any flags any keep state(sloppy)\n";
+ $ipfrules .= "pass out {$log} quick on { {$cpinterface} } proto tcp from any to any flags any keep state(sloppy)\n";
 }
 }
|
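Review bot: The rewritten pass-out rule on the captive-portal interfaces now matches every outbound TCP connection (`from any to any`), whereas the old one was limited to source ports 8000, 8001 and 80; the hunk gives no hint why the source-port restriction was dropped, and read on its own it widens what the firewall passes on those interfaces. A one-line comment above the rule stating the reason (for example, that portal replies no longer originate from a fixed port, if that is the case) would keep the next reader from "fixing" it back. The enclosing code starts outside the hunk, after the `EOD;` heredoc terminator.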