authorSeth Mos <seth.mos@xs4all.nl>2007-04-25 20:22:17 +0000
committerSeth Mos <seth.mos@xs4all.nl>2007-04-25 20:22:17 +0000
commitbdee20c620f29a193b17cbfbd924e8d60409989d (patch)
treef0fa20a81ceb70550e06a02b2225b23ea0396285 /etc
parent427b1ceaa3e9fcff909108e183ef17ef9697102f (diff)
Merge 2nd pass NAT rule generation. Take ipsec and voip into account.
MFC: Soon?
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/filter.inc63
1 files changed, 50 insertions, 13 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index e88df88..e9660e0 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -684,15 +684,15 @@ function filter_nat_rules_generate() {
}
} else {
/* standard outbound rules (one for each interface) */
- /* create ipsec passthru rule if requested */
- if (isset($config['nat']['ipsecpassthru']['enable'])) {
- $natrules .= filter_nat_rules_generate_if($wanif,
- "{$lansa}/{$lancfg['subnet']}", 500, "", 500, null, 500, false);
- }
update_filter_reload_status("Creating outbound NAT rules");
- $natrules .= filter_nat_rules_generate_if($wanif, "{$lansa}/{$lancfg['subnet']}");
+ $natrules .= filter_nat_rules_generate_if($wanif,
+ "{$lansa}/{$lancfg['subnet']}", 500, "", 500, null, 500, false);
+ $natrules .= filter_nat_rules_generate_if($wanif,
+ "{$lansa}/{$lancfg['subnet']}", 5060, "", 5060, null, 5060, false);
+ $natrules .= filter_nat_rules_generate_if($wanif,
+ "{$lansa}/{$lancfg['subnet']}");
/* optional interfaces */
for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) {
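Review bot: The port 500 rule at the top of the standard outbound block is now emitted unconditionally, because the `isset($config['nat']['ipsecpassthru']['enable'])` guard was removed with nothing replacing it, and the new 5060 rule has never had a guard. If these argument lists pin the translated source port, as the removed "ipsec passthru" comment suggests, every LAN host loses source-port rewriting on those two ports with no way for the administrator to turn it off. Either keep the gate around the 500 call, `if (isset($config['nat']['ipsecpassthru']['enable'])) {`, with an equivalent setting for 5060, or record the decision in a comment such as `/* always keep source port for ipsec (500) and voip (5060); no longer configurable */`. The body of filter_nat_rules_generate() starts and ends outside this hunk.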
@@ -707,8 +707,21 @@ function filter_nat_rules_generate() {
*/
if((interface_has_gateway("opt{$i}"))) {
$natrules .= filter_nat_rules_generate_if($optcfg['if'],
+ "{$lansa}/{$lancfg['subnet']}", 500, "", 500, null, 500, false);
+ $natrules .= filter_nat_rules_generate_if($optcfg['if'],
+ "{$lansa}/{$lancfg['subnet']}", 5060, "", 5060, null, 5060, false);
+ $natrules .= filter_nat_rules_generate_if($optcfg['if'],
"{$lansa}/{$lancfg['subnet']}", null, "", null, null, null, isset($optcfg['nonat']));
}
+
+ /* create outbound nat entries for primary wan */
+ $natrules .= filter_nat_rules_generate_if($wanif,
+ "{$optsa}/{$optcfg['subnet']}", 500, "", 500, null, 500, false);
+ $natrules .= filter_nat_rules_generate_if($wanif,
+ "{$optsa}/{$optcfg['subnet']}", 5060, "", 5060, null, 5060, false);
+ $natrules .= filter_nat_rules_generate_if($wanif,
+ "{$optsa}/{$optcfg['subnet']}", null, "", null, null, null, isset($optcfg['nonat']));
+
/* create outbound nat entries for all opt wans */
$optints = array();
generate_optcfg_array($optints);
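Review bot: The added 500 and 5060 calls pass a literal `false` as the final argument, while the catch-all call directly after them passes `isset($optcfg['nonat'])`. The signature of filter_nat_rules_generate_if() is not visible here, but if that argument is the no-NAT flag, an interface marked `nonat` would still get translation rules for these two ports, and because they are generated first they would presumably match before the no-NAT rule. Passing `isset($optcfg['nonat'])` in the new calls as well would keep both ports consistent with the interface setting. The same applies to the primary-WAN block added lower in this hunk and to the per-opt-WAN calls added in the next hunk (-716,13).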
@@ -716,13 +729,13 @@ function filter_nat_rules_generate() {
$opt_interface = $oc['if'];
if (interface_has_gateway("opt{$i}")) {
$natrules .= filter_nat_rules_generate_if($opt_interface,
+ "{$optsa}/{$optcfg['subnet']}", 500, "", 500, null, 500, false);
+ $natrules .= filter_nat_rules_generate_if($opt_interface,
+ "{$optsa}/{$optcfg['subnet']}", 5060, "", 5060, null, 5060, false);
+ $natrules .= filter_nat_rules_generate_if($opt_interface,
"{$optsa}/{$optcfg['subnet']}", null, "", null, null, null, isset($optcfg['nonat']));
}
}
-
- /* create outbound nat entries for primary wan */
- $natrules .= filter_nat_rules_generate_if($wanif,
- "{$optsa}/{$optcfg['subnet']}", null, "", null, null, null, isset($optcfg['nonat']));
}
}
@@ -732,6 +745,10 @@ function filter_nat_rules_generate() {
if($config['pptp']['pptp_subnet'] <> "")
$pptp_subnet = $config['pptp']['pptp_subnet'];
$natrules .= filter_nat_rules_generate_if($wanif,
+ "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 500, "", 500, null, 500, false);
+ $natrules .= filter_nat_rules_generate_if($wanif,
+ "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 5060, "", 5060, null, 5060, false);
+ $natrules .= filter_nat_rules_generate_if($wanif,
"{$pptpdcfg['remoteip']}/{$pptp_subnet}");
/* generate nat mappings for opts with a gateway opts */
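Review bot: The same three-call sequence (500, 5060, then the catch-all) is pasted here and in the other rule-generating hunks of this commit, roughly a dozen times, each with the seven-argument list written out by hand. One mistyped port or flag in any copy would produce a wrong pf rule that is hard to spot in review. A small helper that loops over the two ports and is called once per interface/source pair would keep the port list and flags in one place. The helper name below is only a suggestion, and the enclosing function continues outside this hunk.

```php
/* proposed helper: per-port rules for ipsec (500) and voip (5060) */
function filter_nat_rules_generate_ipsec_voip($if, $src) {
	$rules = "";
	foreach (array(500, 5060) as $port)
		$rules .= filter_nat_rules_generate_if($if, $src,
			$port, "", $port, null, $port, false);
	return $rules;
}

// … unchanged: pptp_subnet lookup …
$natrules .= filter_nat_rules_generate_ipsec_voip($wanif,
	"{$pptpdcfg['remoteip']}/{$pptp_subnet}");
$natrules .= filter_nat_rules_generate_if($wanif,
	"{$pptpdcfg['remoteip']}/{$pptp_subnet}");
```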
@@ -739,6 +756,10 @@ function filter_nat_rules_generate() {
$opt_interface = $oc['if'];
if ((is_private_ip($pptpdcfg['remoteip'])) && (interface_has_gateway($opt_interface))) {
$natrules .= filter_nat_rules_generate_if($opt_interface,
+ "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 500, "", 500, null, 500, false);
+ $natrules .= filter_nat_rules_generate_if($opt_interface,
+ "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 5060, "", 5060, null, 5060, false);
+ $natrules .= filter_nat_rules_generate_if($opt_interface,
"{$pptpdcfg['remoteip']}/{$pptp_subnet}");
}
}
@@ -750,6 +771,10 @@ function filter_nat_rules_generate() {
if($config['pppoe']['pppoe_subnet'] <> "")
$pppoe_subnet = $config['pppoe']['pppoe_subnet'];
$natrules .= filter_nat_rules_generate_if($wanif,
+ "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 500, "", 500, null, 500, false);
+ $natrules .= filter_nat_rules_generate_if($wanif,
+ "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 5060, "", 5060, null, 5060, false);
+ $natrules .= filter_nat_rules_generate_if($wanif,
"{$pppoecfg['remoteip']}/{$pppoe_subnet}");
/* generate nat mappings for opts with a gateway opts */
@@ -757,6 +782,10 @@ function filter_nat_rules_generate() {
$opt_interface = $oc['if'];
if ((is_private_ip($pppoecfg['remoteip'])) && (interface_has_gateway($opt_interface))) {
$natrules .= filter_nat_rules_generate_if($opt_interface,
+ "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 500, "", 500, null, 500, false);
+ $natrules .= filter_nat_rules_generate_if($opt_interface,
+ "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 5060, "", 5060, null, 5060, false);
+ $natrules .= filter_nat_rules_generate_if($opt_interface,
"{$pppoecfg['remoteip']}/{$pppoe_subnet}");
}
}
@@ -768,14 +797,22 @@ function filter_nat_rules_generate() {
$netip = explode("/", $route['network']);
if ((! interface_has_gateway($route['interface'])) && (is_private_ip($netip[0]))) {
$natrules .= filter_nat_rules_generate_if($wanif,
- $route['network'], "", null);
+ "{$route['network']}", 500, "", 500, null, 500, false);
+ $natrules .= filter_nat_rules_generate_if($wanif,
+ "{$route['network']}", 5060, "", 5060, null, 5060, false);
+ $natrules .= filter_nat_rules_generate_if($wanif,
+ "{$route['network']}", "", null);
}
/* generate nat mapping for static routes on opts */
foreach($optints as $oc) {
$opt_interface = $oc['if'];
if ((! interface_has_gateway($route['interface'])) && (is_private_ip($netip[0])) && (interface_has_gateway($opt_interface))) {
$natrules .= filter_nat_rules_generate_if($opt_interface,
- $route['network'], "", null);
+ "{$route['network']}", 500, "", 500, null, 500, false);
+ $natrules .= filter_nat_rules_generate_if($opt_interface,
+ "{$route['network']}", 5060, "", 5060, null, 5060, false);
+ $natrules .= filter_nat_rules_generate_if($opt_interface,
+ "{$route['network']}", "", null);
}
}
@@ -784,7 +821,7 @@ function filter_nat_rules_generate() {
}
- $natrules .= "#SSH Lockout Table\n";
+ $natrules .= "\n#SSH Lockout Table\n";
$natrules .= "table <sshlockout> persist\n\n";
/* is SPAMD insalled? */