author | Ermal <eri@pfsense.org> | 2013-09-03 18:39:56 +0000 |
---|---|---|
committer | Ermal <eri@pfsense.org> | 2013-09-03 18:40:17 +0000 |
commit | 44f0f09bda6b59c0f2f08c87c4d4e32b149555bb (patch) | |
tree | a8787a5e613e2dc751043076d5369afb6e2b85b9 /etc/inc | |
parent | 3cb55704924734aa19de58349198ca99d15e00ea (diff) | |
download | pfsense-44f0f09bda6b59c0f2f08c87c4d4e32b149555bb.zip pfsense-44f0f09bda6b59c0f2f08c87c4d4e32b149555bb.tar.gz |
Fixes #3173: if any port information exists on the rule, then put it on the NEGATE rule generated.
Diffstat (limited to 'etc/inc')
-rw-r--r-- | etc/inc/filter.inc | 63 |
1 files changed, 36 insertions, 27 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 0ed2cde..2407b6e 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1939,6 +1939,40 @@ function filter_generate_user_rule_arr($rule) {
 return $ret;
 }
 
+function filter_generate_port(& $rule, $target = "source", $isnat = false) {
+
+ $src = "";
+
+ $rule['protocol'] = strtolower($rule['protocol']);
+ if(in_array($rule['protocol'], array("tcp","udp","tcp/udp"))) {
+ if($rule[$target]['port']) {
+ $srcport = explode("-", $rule[$target]['port']);
+ $srcporta = alias_expand($srcport[0]);
+ if(!$srcporta)
+ log_error(sprintf(gettext("filter_generate_address: %s is not a valid {$target} port."), $srcport[0]));
+ else if((!$srcport[1]) || ($srcport[0] == $srcport[1])) {
+ $src .= " port {$srcporta} ";
+ } else if(($srcport[0] == 1) && ($srcport[1] == 65535)) {
+ /* no need for a port statement here */
+ } else if ($isnat) {
+ $src .= " port {$srcport[0]}:{$srcport[1]}";
+ } else {
+ if(is_port($srcporta) && $srcport[1] == 65535) {
+ $src .= " port >= {$srcporta} ";
+ } else if($srcport[0] == 1) {
+ $src .= " port <= {$srcport[1]} ";
+ } else {
+ $srcport[0]--;
+ $srcport[1]++;
+ $src .= " port {$srcport[0]} >< {$srcport[1]} ";
+ }
+ }
+ }
+ }
+
+ return $src;
+}
+
 function filter_generate_address(& $rule, $target = "source", $isnat = false) {
 global $FilterIflist, $config;
 $src = "";
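Review bot: The log_error() call in the new filter_generate_port still names filter_generate_address, and interpolating `{$target}` inside the gettext() msgid makes the message untranslatable because the msgid now varies at runtime and matches no catalog entry. Passing the target as a second sprintf argument keeps the msgid static: `log_error(sprintf(gettext("filter_generate_port: %s is not a valid %s port."), $srcport[0], $target));`. Separately, only the lower bound of a range is validated through alias_expand(); `$srcport[1]` is interpolated into the generated pf rule as-is, and a non-numeric upper bound would reach the `$srcport[1]++` branch and yield a malformed rule — presumably the GUI validates this upstream, but an `is_port($srcport[1])` check here would make the generator self-contained. The function also lowercases `$rule['protocol']` through the reference parameter as a side effect, which deserves a comment now that it is invoked from two call sites.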
@@ -2074,32 +2108,7 @@ function filter_generate_address(& $rule, $target = "source", $isnat = false) {
 $src = " {$not} {$expsrc}";
 }
 
- $rule['protocol'] = strtolower($rule['protocol']);
- if(in_array($rule['protocol'], array("tcp","udp","tcp/udp"))) {
- if($rule[$target]['port']) {
- $srcport = explode("-", $rule[$target]['port']);
- $srcporta = alias_expand($srcport[0]);
- if(!$srcporta)
- log_error(sprintf(gettext("filter_generate_address: %s is not a valid source port."), $srcport[0]));
- else if((!$srcport[1]) || ($srcport[0] == $srcport[1])) {
- $src .= " port {$srcporta} ";
- } else if(($srcport[0] == 1) && ($srcport[1] == 65535)) {
- /* no need for a port statement here */
- } else if ($isnat) {
- $src .= " port {$srcport[0]}:{$srcport[1]}";
- } else {
- if(is_port($srcporta) && $srcport[1] == 65535) {
- $src .= " port >= {$srcporta} ";
- } else if($srcport[0] == 1) {
- $src .= " port <= {$srcport[1]} ";
- } else {
- $srcport[0]--;
- $srcport[1]++;
- $src .= " port {$srcport[0]} >< {$srcport[1]} ";
- }
- }
- }
- }
+ $src .= filter_generate_port($rule, $target, $isnat);
 
 return $src;
 }
@@ -2459,7 +2468,7 @@ function filter_generate_user_rule($rule) {
 /* rules with a gateway or pool should create another rule for routing to vpns */
 if((($aline['route'] <> "") && (trim($aline['type']) == "pass") && strstr($dst, "any")) && (!isset($config['system']['disablenegate']))) {
 /* negate VPN/PPTP/PPPoE/Static Route networks for load balancer/gateway rules */
- $negate_networks = " to <negate_networks> ";
+ $negate_networks = " to <negate_networks> " . filter_generate_port($rule, "destination");
 $line .= $aline['type'] . $aline['direction'] . $aline['log'] . $aline['quick'] . $aline['interface'] . $aline['ipprotocol'] . $aline['prot'] . $aline['src'] . $aline['os'] . $negate_networks . $aline['icmp-type'] . $aline['icmp6-type'] . $aline['tag'] . $aline['tagged'] . |