author | Erik Fonnesbeck <efonnes@gmail.com> | 2010-05-03 23:48:49 -0600 |
---|---|---|
committer | Erik Fonnesbeck <efonnes@gmail.com> | 2010-05-04 00:35:51 -0600 |
commit | 8659bc21482615ccf471478016fe81400fdb9794 (patch) | |
tree | 2f0607cad382d5faab735444eb025e49e5d0cd6c /etc | |
parent | 13b37be24c346e850d732cbc964e6d031814e8d5 (diff) | |
Reflection can have side effects unexpected to the user with rules using any for destination address, so change any to the interface subnet for reflection rules, which should be closer to the desired behavior in most cases but without the side effect.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/filter.inc | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 686b61c..0aaa890 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -824,6 +824,23 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstaddr_
 $rflctintrange = "";
 $dstaddr = $dstaddr[0];
+ if(isset($rule['destination']['any'])) {
+ if(!$rule['interface'])
+ $natif = "wan";
+ else
+ $natif = $rule['interface'];
+
+ if(!isset($FilterIflist[$natif]))
+ return "";
+ if(is_ipaddr($FilterIflist[$natif]['ip']))
+ $dstaddr = $FilterIflist[$natif]['ip'];
+ else
+ return "";
+
+ if(!empty($FilterIflist[$natif]['sn']))
+ $dstaddr = gen_subnet($dstaddr, $FilterIflist[$natif]['sn']) . '/' . $FilterIflist[$natif]['sn'];
+ }
+
 if (is_alias($rule['target']))
 $target = filter_expand_alias($rule['target']);
 else if(is_ipaddr($rule['target']))
@@ -831,7 +848,7 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstaddr_
 else if (is_ipaddr($FilterIflist[$rule['target']]['ip']))
 $target = $FilterIflist[$rule['target']]['ip'];
 else
- return "\n";
+ return "";
 if($rule['local-port'])
 $lrange_start = $rule['local-port']; |
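Review bot: The replacement destination built at `gen_subnet($dstaddr, $FilterIflist[$natif]['sn']) . '/' . $FilterIflist[$natif]['sn']` covers the whole interface subnet, so on an interface with a wide prefix the reflection rule would presumably still match internal traffic addressed to neighbouring hosts in that subnet on the forwarded port. That is a smaller version of the side effect this commit narrows. If the subnet scope is deliberate, a comment above the new block would record it, for example `// 'any' would reflect traffic to every destination; limit reflection to the NAT interface's subnet`. The `sn` value is also concatenated into the rule text after only an `empty()` test; adding `is_numeric($FilterIflist[$natif]['sn'])` to that condition would keep a malformed prefix length out of the generated ruleset. filter_generate_reflection starts and ends outside the hunk, so how `$FilterIflist` is brought into scope and populated is not visible here.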