authorErik Fonnesbeck <efonnes@gmail.com>2010-05-04 19:44:02 -0600
committerErik Fonnesbeck <efonnes@gmail.com>2010-05-04 21:11:06 -0600
commite9dd5ceae8c26c7e355fa036aeb4e21bf550b2fa (patch)
tree9aefd2ff64ff9a380d6066c229b5652419b03488 /etc/inc/filter.inc
parent1c826e4874f27190bcad62eb75ec32ebad1e9e2e (diff)
Added reflection redirect rule and rearranged some related code that goes with it.
Diffstat (limited to 'etc/inc/filter.inc')
-rw-r--r--etc/inc/filter.inc106
1 files changed, 49 insertions, 57 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index a54ff46..200852e 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -791,45 +791,15 @@ function filter_get_reflection_interfaces($natif = "") {
return $nat_if_list;
}
-function filter_generate_reflection_nat($rule, $rdr_ifs, $protocol, $srcaddr, $dstaddr_port, $target) {
+function filter_generate_reflection_nat($rule, $nat_ifs, $protocol, $srcaddr, $dstaddr, $target) {
global $FilterIflist, $config;
// Initialize natrules holder string
$natrules = "";
- if(!empty($rdr_ifs)) {
+ if(!empty($nat_ifs)) {
update_filter_reload_status("Creating reflection NAT rule for {$rule['descr']}...");
- $rdr_if_list = implode(" ", $rdr_ifs);
- if(count($rdr_ifs) > 1)
- $rdr_if_list = "{ {$rdr_if_list} }";
-
- $natrules .= "\n# Reflection redirects\n";
-
- $dstaddr = explode(" ", $dstaddr_port);
- if($dstaddr[2])
- $rflctintrange = $dstaddr[2];
- else
- $rflctintrange = "";
- $dstaddr = $dstaddr[0];
-
- if(isset($rule['destination']['any'])) {
- if(!$rule['interface'])
- $natif = "wan";
- else
- $natif = $rule['interface'];
-
- if(!isset($FilterIflist[$natif]))
- return "";
- if(is_ipaddr($FilterIflist[$natif]['ip']))
- $dstaddr = $FilterIflist[$natif]['ip'];
- else
- return "";
-
- if(!empty($FilterIflist[$natif]['sn']))
- $dstaddr = gen_subnet($dstaddr, $FilterIflist[$natif]['sn']) . '/' . $FilterIflist[$natif]['sn'];
- }
-
if(is_alias($rule['target']))
$target_translated = filter_expand_alias($rule['target']);
else if(is_ipaddr($rule['target']))
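Review bot: The renamed `$dstaddr` parameter changes this function's contract without saying so: it now receives a destination the caller has already rewritten (the interface address/subnet in place of "any", possibly with a trailing " port N"), and the `is_ipaddr`/`isset($FilterIflist[$natif])` early returns that used to live here are gone, so every caller is now responsible for that validation. A short header comment above the signature would make that explicit, e.g. `// $nat_ifs: interfaces to emit reflection rules on; $dstaddr: destination already resolved by the caller (no "any", may carry " port N"); $target: redirect target including its local port`. filter_generate_reflection_nat's body continues past the end of this hunk, so whether any of the removed checks were re-added further down is not visible here.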
@@ -1137,20 +1107,6 @@ function filter_nat_rules_generate() {
$localport = " port {$localport}";
}
- switch(strtolower($rule['protocol'])) {
- case "tcp/udp":
- $protocol = "{ tcp udp }";
- break;
- case "tcp":
- case "udp":
- $protocol = strtolower($rule['protocol']);
- break;
- default:
- $protocol = strtolower($rule['protocol']);
- $localport = "";
- break;
- }
-
$target = alias_expand($rule['target']);
if(!$target && !isset($rule['nordr'])) {
$natrules .= "# Unresolvable alias {$rule['target']}\n";
@@ -1161,6 +1117,13 @@ function filter_nat_rules_generate() {
$rdrpass = "pass ";
else
$rdrpass = "";
+
+ if (isset($rule['nordr'])) {
+ $nordr = "no ";
+ $rdrpass = "";
+ } else
+ $nordr = "";
+
if(!$rule['interface'])
$natif = "wan";
else
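Review bot: The moved nordr block braces its if-arm but leaves the else-arm bare (`} else` followed by `$nordr = "";`), which reads awkwardly next to the brace-less if/else that computes `$rdrpass` just above it; bracing both arms, or neither, would match one of the two surrounding styles. Since the point of the move is that `$nordr` must clear `$rdrpass` before any rule string is assembled, a one-line comment such as `// A "no rdr" rule never carries "pass"; decide this before the rule strings are built` would explain why the block now sits here rather than after the interface lookup.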
@@ -1171,17 +1134,42 @@ function filter_nat_rules_generate() {
$srcaddr = filter_generate_address($rule, 'source', true);
$dstaddr = filter_generate_address($rule, 'destination', true);
+ $srcaddr = trim($srcaddr);
+ $dstaddr = trim($dstaddr);
if(!$dstaddr)
$dstaddr = $FilterIflist[$natif]['ip'];
+ $dstaddr_port = explode(" ", $dstaddr);
+ $dstaddr_reflect = $dstaddr;
+ if(isset($rule['destination']['any'])) {
+ $dstaddr_reflect = $FilterIflist[$natif]['ip'];
+ if(!empty($FilterIflist[$natif]['sn']))
+ $dstaddr_reflect = gen_subnet($dstaddr_reflect, $FilterIflist[$natif]['sn']) . '/' . $FilterIflist[$natif]['sn'];
+
+ if($dstaddr_port[2])
+ $dstaddr_reflect .= " port " . $dstaddr_port[2];
+ }
+
$natif = $FilterIflist[$natif]['if'];
- if (isset($rule['nordr'])) {
- $nordr = "no ";
- $rdrpass = "";
- } else
- $nordr = "";
+ switch(strtolower($rule['protocol'])) {
+ case "tcp/udp":
+ $protocol = "{ tcp udp }";
+ break;
+ case "tcp":
+ case "udp":
+ $protocol = strtolower($rule['protocol']);
+ break;
+ default:
+ $protocol = strtolower($rule['protocol']);
+ $localport = "";
+ break;
+ }
+
+ $localport_nat = $localport;
+ if(empty($localport_nat) && $dstaddr_port[2])
+ $localport_nat = " port " . $dstaddr_port[2];
if(!isset($config['system']['disablenatreflection'])) {
$nat_if_list = filter_get_reflection_interfaces($natif);
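Review bot: `$dstaddr_reflect = $FilterIflist[$natif]['ip'];` at the top of the `destination any` branch copies the interface address without the `is_ipaddr()` check the old helper performed (see the lines removed from filter_generate_reflection_nat in the first hunk, which returned "" in that case); on an interface with no usable address this yields a reflection destination of "" or "/24" or " port N", which the rdr line in the next hunk then emits verbatim, so the whole ruleset can fail to load. The same branch and the `$localport_nat` fallback read `$dstaddr_port[2]` without `isset`/`!empty`, which raises a notice whenever the address carries no port (explode() then returns fewer than three elements). I would validate the address up front and mark an unusable interface by leaving `$dstaddr_reflect` empty, with the consumers in the next hunk (the reflection rdr and the filter_generate_reflection_nat call) testing `$dstaddr_reflect <> ""` before using it; the `$localport_nat` condition becomes `if(empty($localport_nat) && !empty($dstaddr_port[2]))`. filter_nat_rules_generate() starts and ends outside this hunk.
```php
$dstaddr_port = explode(" ", $dstaddr);
$dstaddr_reflect = $dstaddr;
if(isset($rule['destination']['any'])) {
    /* Reflection must not keep "any": rewrite it to the NAT interface's own
       address/subnet, and leave it empty (callers skip reflection) when the
       interface has no usable address - the old helper returned "" here. */
    if(!is_ipaddr($FilterIflist[$natif]['ip']))
        $dstaddr_reflect = "";
    else {
        $dstaddr_reflect = $FilterIflist[$natif]['ip'];
        if(!empty($FilterIflist[$natif]['sn']))
            $dstaddr_reflect = gen_subnet($dstaddr_reflect, $FilterIflist[$natif]['sn']) . '/' . $FilterIflist[$natif]['sn'];
        if(!empty($dstaddr_port[2]))
            $dstaddr_reflect .= " port " . $dstaddr_port[2];
    }
}
// … unchanged: $natif lookup, protocol switch …
$localport_nat = $localport;
if(empty($localport_nat) && !empty($dstaddr_port[2]))
    $localport_nat = " port " . $dstaddr_port[2];
```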
@@ -1190,23 +1178,27 @@ function filter_nat_rules_generate() {
}
if($srcaddr <> "" && $dstaddr <> "" && $natif) {
- $srcaddr = trim($srcaddr);
- $dstaddr = trim($dstaddr);
+ $natrules .= "{$nordr}rdr {$rdrpass}on {$natif} proto {$protocol} from {$srcaddr} to {$dstaddr}" . ($nordr == "" ? " -> {$target}{$localport}\n" : "\n");
- $natrules .= "{$nordr}rdr {$rdrpass}on {$natif} proto {$protocol} from {$srcaddr} to {$dstaddr}" . ($nordr == "" ? " -> {$target}{$localport}" : "");
+ if(!empty($nat_if_list)) {
+ $rdr_if_list = implode(" ", $nat_if_list);
+ if(count($nat_if_list) > 1)
+ $rdr_if_list = "{ {$rdr_if_list} }";
+
+ $natrules .= "{$nordr}rdr on {$rdr_if_list} proto {$protocol} from {$srcaddr} to {$dstaddr_reflect}" . ($nordr == "" ? " -> {$target}{$localport}\n" : "\n");
+ }
/* Does this rule redirect back to a internal host? */
if(isset($rule['destination']['any']) && !interface_has_gateway($rule['interface']) && !isset($rule['nordr'])) {
$rule_interface_ip = find_interface_ip($natif);
$rule_interface_subnet = find_interface_subnet($natif);
$rule_subnet = gen_subnet($rule_interface_ip, $rule_interface_subnet);
- $natrules .= "\n";
$natrules .= "no nat on {$natif} proto tcp from ({$natif}) to {$rule_subnet}/{$rule_interface_subnet}\n";
$natrules .= "nat on {$natif} proto tcp from {$rule_subnet}/{$rule_interface_subnet} to {$target} port {$dstport[0]} -> ({$natif})\n";
}
+ $nat_if_list[] = $natif;
if(!isset($rule['nordr']))
- $natrules .= filter_generate_reflection_nat($rule, $nat_if_list, $protocol, $srcaddr, $dstaddr, "{$target}{$localport}");
- $natrules .= "\n";
+ $natrules .= filter_generate_reflection_nat($rule, $nat_if_list, $protocol, $srcaddr, $dstaddr_reflect, "{$target}{$localport_nat}");
}
}
}
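Review bot: `$nat_if_list[] = $natif;` runs whether or not reflection is enabled, so filter_generate_reflection_nat() now always receives a non-empty list and its `if(!empty($nat_ifs))` guard (visible in the first hunk) no longer short-circuits when `system/disablenatreflection` is set; unless the rest of that function re-checks the setting outside the part shown, reflection NAT rules can be emitted for the NAT interface with reflection switched off, and `$nat_if_list` is also silently created from an undefined variable in that path. Guarding the append, `if(!isset($config['system']['disablenatreflection'])) $nat_if_list[] = $natif;`, or moving it into the block in the previous hunk that already tests the setting, keeps the disable switch authoritative. Separately, the reflection rdr line omits `{$rdrpass}` while the primary rdr line includes it; if dropping "pass" on the reflected interfaces is deliberate, a one-line comment saying so would save the next reader from treating it as a slip. filter_nat_rules_generate() starts outside this hunk.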