authorErik Fonnesbeck <efonnes@gmail.com>2010-05-03 23:48:49 -0600
committerErik Fonnesbeck <efonnes@gmail.com>2010-05-04 00:35:51 -0600
commit8659bc21482615ccf471478016fe81400fdb9794 (patch)
tree2f0607cad382d5faab735444eb025e49e5d0cd6c /etc
parent13b37be24c346e850d732cbc964e6d031814e8d5 (diff)
Reflection can have side effects unexpected to the user with rules using any for destination address, so change any to the interface subnet for reflection rules, which should be closer to the desired behavior in most cases but without the side effect.
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/filter.inc19
1 files changed, 18 insertions, 1 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 686b61c..0aaa890 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -824,6 +824,23 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstaddr_
$rflctintrange = "";
$dstaddr = $dstaddr[0];
+ if(isset($rule['destination']['any'])) {
+ if(!$rule['interface'])
+ $natif = "wan";
+ else
+ $natif = $rule['interface'];
+
+ if(!isset($FilterIflist[$natif]))
+ return "";
+ if(is_ipaddr($FilterIflist[$natif]['ip']))
+ $dstaddr = $FilterIflist[$natif]['ip'];
+ else
+ return "";
+
+ if(!empty($FilterIflist[$natif]['sn']))
+ $dstaddr = gen_subnet($dstaddr, $FilterIflist[$natif]['sn']) . '/' . $FilterIflist[$natif]['sn'];
+ }
+
if (is_alias($rule['target']))
$target = filter_expand_alias($rule['target']);
else if(is_ipaddr($rule['target']))
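Review bot: The new `destination any` block has three silent outcomes that are neither commented nor logged: it returns `""` when `$natif` is missing from `$FilterIflist`, returns `""` when the interface has no valid IP, and falls back to the bare interface address when `sn` is empty, which is a single host rather than the interface subnet the commit message describes. The `return "";` in the second hunk (target that cannot be resolved) skips rule generation just as silently. Because these paths decide whether reflection rules exist and how widely they match, I would add a comment above the `if(isset($rule['destination']['any']))` line, for example `// 'any' is narrowed to the rule interface's subnet for reflection; no rules are generated if the interface or its IP is unknown`, and consider logging before each early return so an administrator can tell why reflection is absent. The function body starts and ends outside both hunks, so whether `$FilterIflist` is declared `global` in this function cannot be confirmed from here.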
@@ -831,7 +848,7 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstaddr_
else if (is_ipaddr($FilterIflist[$rule['target']]['ip']))
$target = $FilterIflist[$rule['target']]['ip'];
else
- return "\n";
+ return "";
if($rule['local-port'])
$lrange_start = $rule['local-port'];