author | Renato Botelho <garga@FreeBSD.org> | 2013-11-13 07:45:09 -0200 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2013-11-13 07:45:09 -0200 |
commit | eef01b14df77186f9c1205e9e5cb83f80407d7fd (patch) | |
tree | b072fabb314ff6c7eac40f843afb4cec6745d024 /etc | |
parent | d5ab3af4e23c7abdc89bb6d867cb0ed9495c5bea (diff) | |
download | pfsense-eef01b14df77186f9c1205e9e5cb83f80407d7fd.zip pfsense-eef01b14df77186f9c1205e9e5cb83f80407d7fd.tar.gz |
Add hybrid and disabled outbound NAT, fixes #2416:
- Add 2 new outbound NAT modes, hybrid and disabled, manual and advanced
keep working the same way
- Hybrid mode applies manual rules first, automatic after
- Disabled mode does not create any outbound NAT rules
- Remove ipsecpassthru config field and rename advancedoutbound to
outbound
- Save mode on $config['nat']['outbound']['mode'] to simplify the logic
- Modify config.default to reflect changes
- Add code to upgrade config, and change latest_version to 10.3
- Use html to align modes and remove some hacks to align using
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/filter.inc | 23 | ||||
-rw-r--r-- | etc/inc/globals.inc | 2 | ||||
-rw-r--r-- | etc/inc/upgrade_config.inc | 16 | ||||
-rwxr-xr-x | etc/rc.filter_synchronize | 10 |
4 files changed, 36 insertions, 15 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 8c18857..94610a8 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1570,12 +1570,14 @@ function filter_nat_rules_generate() {
 }
 }
- $natrules .= "\n# Outbound NAT rules\n";
- /* outbound rules - advanced or standard */
- if(isset($config['nat']['advancedoutbound']['enable'])) {
+ if ($config['nat']['outbound']['mode'] == "disabled")
+ $natrules .= "\n# Outbound NAT rules are disabled\n";
+
+ if ($config['nat']['outbound']['mode'] == "advanced" || $config['nat']['outbound']['mode'] == "hybrid") {
+ $natrules .= "\n# Outbound NAT rules (manual)\n";
 /* advanced outbound rules */
- if(is_array($config['nat']['advancedoutbound']['rule'])) {
- foreach ($config['nat']['advancedoutbound']['rule'] as $obent) {
+ if(is_array($config['nat']['outbound']['rule'])) {
+ foreach ($config['nat']['outbound']['rule'] as $obent) {
 if (isset($obent['disabled']))
 continue;
 update_filter_reload_status(sprintf(gettext("Creating advanced outbound rule %s"), $obent['descr']));
@@ -1608,7 +1610,11 @@ function filter_nat_rules_generate() {
 );
 }
 }
- } else {
+ }
+
+ /* outbound rules */
+ if ($config['nat']['outbound']['mode'] == "automatic" || $config['nat']['outbound']['mode'] == "hybrid") {
+ $natrules .= "\n# Outbound NAT rules (automatic)\n";
 /* standard outbound rules (one for each interface) */
 update_filter_reload_status(gettext("Creating outbound NAT rules"));
 $tonathosts = "";
@@ -1699,7 +1705,7 @@ function filter_nat_rules_generate() {
 $natrules .= "tonatsubnets = \"{ {$tonathosts} }\"\n";
 $macroortable = "\$tonatsubnets";
 }
- if($numberofnathosts > 0):
+ if($numberofnathosts > 0) {
 foreach ($FilterIflist as $if => $ifcfg) {
 if (substr($ifcfg['if'], 0, 4) == "ovpn")
 continue;
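Review bot: A missing or unrecognised `$config['nat']['outbound']['mode']` matches none of the string comparisons in the first filter.inc hunk, nor the `automatic`/`hybrid` test in the second, so the ruleset would be written with no outbound NAT at all and without the "disabled" comment. The removed `else` branch generated automatic rules whenever advanced outbound was not enabled, so this is a silent behaviour change for any config that reaches this code without the new key. Normalising once before the checks, e.g. `$obmode = isset($config['nat']['outbound']['mode']) ? $config['nat']['outbound']['mode'] : "automatic";`, and testing `$obmode` in each branch would keep the previous default. The one-statement `if (... == "disabled")` would also read better with braces, like the branches next to it. filter_nat_rules_generate() starts and ends outside these hunks.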
@@ -1711,10 +1717,9 @@ function filter_nat_rules_generate() {
 "{$macroortable}", 500, "", 500, $target, 500, false);
 $natrules .= filter_nat_rules_generate_if($if, "{$macroortable}", null, "", null, $target, null, isset($ifcfg['nonat']));
- $natrules .= "\n";
 }
 }
- endif;
+ }
 }
 /* load balancer anchor */
diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc
index b301a81..083f6dd 100644
--- a/etc/inc/globals.inc
+++ b/etc/inc/globals.inc
@@ -72,7 +72,7 @@ $g = array(
 "disablecrashreporter" => false,
 "crashreporterurl" => "http://crashreporter.pfsense.org/crash_reporter.php",
 "debug" => false,
- "latest_config" => "10.2",
+ "latest_config" => "10.3",
 "nopkg_platforms" => array("cdrom"),
 "minimum_ram_warning" => "101",
 "minimum_ram_warning_text" => "128 MB",
diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc
index 0e8e5e8..6cce866 100644
--- a/etc/inc/upgrade_config.inc
+++ b/etc/inc/upgrade_config.inc
@@ -3197,4 +3197,20 @@ function upgrade_101_to_102() {
 }
 }
 }
+
+function upgrade_102_to_103() {
+ global $config;
+
+ if (isset($config['nat']['advancedoutbound']['enable'])) {
+ $config['nat']['advancedoutbound']['mode'] = "advanced";
+ unset($config['nat']['advancedoutbound']['enable']);
+ } else
+ $config['nat']['advancedoutbound']['mode'] = "automatic";
+
+ $config['nat']['outbound'] = $config['nat']['advancedoutbound'];
+
+ unset($config['nat']['ipsecpassthru']);
+ unset($config['nat']['advancedoutbound']);
+}
+
 ?>
diff --git a/etc/rc.filter_synchronize b/etc/rc.filter_synchronize
index 318eaf4..d521d05 100755
--- a/etc/rc.filter_synchronize
+++ b/etc/rc.filter_synchronize
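Review bot: upgrade_102_to_103() assigns `$config['nat']['outbound']` unconditionally, so if it ever runs against a config that already has an `outbound` section, the existing mode and manual rules are replaced by a bare `automatic` entry. That is presumably not reachable through the normal version-driven upgrade path, but a hand-edited or partially migrated file could hit it. Wrapping the mode assignment and the copy in `if (!isset($config['nat']['outbound'])) { ... }` while leaving the two trailing `unset()` calls outside would make the step safe to repeat. The brace-less `else` after a braced `if` is easy to misread and should get braces. A short header comment such as `/* 10.2 -> 10.3: nat/advancedoutbound becomes nat/outbound with an explicit mode; nat/ipsecpassthru is dropped */` would document the mapping.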
@@ -149,12 +149,12 @@ function carp_sync_xml($url, $username, $password, $sections, $port = 80, $metho
 $config_copy = $config;
 /* strip out nosync items */
- if (is_array($config_copy['nat']['advancedoutbound']['rule'])) {
- $rulescnt = count($config_copy['nat']['advancedoutbound']['rule']);
+ if (is_array($config_copy['nat']['outbound']['rule'])) {
+ $rulescnt = count($config_copy['nat']['outbound']['rule']);
 for ($x = 0; $x < $rulescnt; $x++) {
- $config_copy['nat']['advancedoutbound']['rule'][$x]['descr'] = remove_special_characters($config_copy['nat']['advancedoutbound']['rule'][$x]['descr']);
- if (isset ($config_copy['nat']['advancedoutbound']['rule'][$x]['nosync']))
- unset ($config_copy['nat']['advancedoutbound']['rule'][$x]);
+ $config_copy['nat']['outbound']['rule'][$x]['descr'] = remove_special_characters($config_copy['nat']['outbound']['rule'][$x]['descr']);
+ if (isset ($config_copy['nat']['outbound']['rule'][$x]['nosync']))
+ unset ($config_copy['nat']['outbound']['rule'][$x]);
 }
 }
 if (is_array($config_copy['nat']['rule'])) { |