author | Bill Marquette <billm@pfsense.org> | 2005-10-04 02:05:59 +0000 |
---|---|---|
committer | Bill Marquette <billm@pfsense.org> | 2005-10-04 02:05:59 +0000 |
commit | 3713a333d607dc79f6e4f3a294eaca34f2a5f99c (patch) | |
tree | 63e0a6250a7338063c0783a4f5dbce89ef78149a /etc | |
parent | eb60dfb02e879c27a0513db2b45fa36cf7eebbfa (diff) | |
Fix IPsec passthrough (technically, fix any NAT entry that would have forced
a source port on a NATed connection)
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/filter.inc | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index c9c6885..2868660 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -315,16 +315,14 @@ function filter_flush_state_table() {
 function filter_nat_rules_generate_if($if, $src, $srcport, $dst, $natport, $target, $nonat) {
 global $config;
- if($src=="/32")
+ if($src == "/32" || $src{0} == "/")
 return;
- if($src{0} == "/")
- return;
- $nat = "nat";
+ /* Use interface name if IP isn't specified */
 if ($target)
- $tgt = $target . "/32";
+ $tgt = "{$target}/32";
 else
 $tgt = "($if)";
@@ -338,11 +336,14 @@ function filter_nat_rules_generate_if($if, $src, $srcport, $dst, $natport, $targ
 if ($dst == "")
 $dst = "any";
+ /* Match on this source port */
 if ($srcport)
- $src .= " port " . $srcport;
+ $src .= " port {$srcport}";
+ /* set the source port the world sees */
 if ($natport)
- $tgt .= " port " . $natport;
+ $second_half_of_rule .= " port {$natport}";
+ $natrule = "{$nat} on {$if} from {$src} to {$dst} {$second_half_of_rule}\n";
@@ -1915,4 +1916,4 @@ function return_vpn_subnet($adr) {
 return " # error - {$adr['network']} ";
 }
-?>
\ No newline at end of file
+?> |
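Review bot: In the second hunk the rebuilt rule `$natrule = "{$nat} on {$if} from {$src} to {$dst} {$second_half_of_rule}\n";` no longer references `$tgt`, so the translation target computed in the first hunk (`{$target}/32` or `($if)`) does not appear in the rule string shown here, and `$second_half_of_rule` is only ever assigned with `.=` inside `if ($natport)`, so it is interpolated while unset whenever no NAT port is configured. Unless the `-> {$tgt}` part is appended on a line outside the hunk (the function body continues past both hunks and this rendering may have dropped lines), I would initialise the new variable before the branch, `$second_half_of_rule = "";`, and write the rule as `$natrule = "{$nat} on {$if} from {$src} to {$dst} -> {$tgt}{$second_half_of_rule}\n";`. The merged guard in the first hunk, `$src{0} == "/"`, still indexes `$src` before anything checks it is non-empty; that predates this change, but adding `!empty($src) &&` alongside it would avoid the string-offset notice on an empty source. filter_nat_rules_generate_if starts in the first hunk and its end lies outside both hunks.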