authorErik Fonnesbeck <efonnes@gmail.com>2012-04-28 01:38:59 -0600
committerErik Fonnesbeck <efonnes@gmail.com>2012-04-28 01:38:59 -0600
commitf9053c0c5f226a0361c31a16cd21fb96a6b2888c (patch)
tree568b17e30067f6b757c788e8440221ac258d1e7a /etc
parent43fd29dfa2866af83e816e87c814fc2302e41c25 (diff)
Restore protection for the "destination any" case for port forward NAT Reflection, which was forgotten when shuffling around code before committing. Also add a couple other missing checks.
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/filter.inc23
1 files changed, 14 insertions, 9 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 7ad8d6e..4adc527 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1752,20 +1752,15 @@ function filter_nat_rules_generate() {
else
$nat_if_list = array();
+ if(empty($nat_if_list))
+ $reflection_type = "none";
+
$localport_nat = $localport;
if(empty($localport_nat) && $dstaddr_port[2])
$localport_nat = " port " . $dstaddr_port[2];
if($srcaddr <> "" && $dstaddr <> "" && $natif) {
- $rdr_if_list = $natif;
- if($reflection_type == "purenat" || isset($rule['nordr'])) {
- $nat_if_list = array_merge(array($natif), $nat_if_list);
- $rdr_if_list = implode(" ", $nat_if_list);
- if(count($nat_if_list) > 1)
- $rdr_if_list = "{ {$rdr_if_list} }";
- }
-
- $natrules .= "{$nordr}rdr {$rdrpass}on {$rdr_if_list} proto {$protocol} from {$srcaddr} to {$dstaddr}" . ($nordr == "" ? " -> {$target}{$localport}" : "");
+ $natrules .= "{$nordr}rdr {$rdrpass}on {$natif} proto {$protocol} from {$srcaddr} to {$dstaddr}" . ($nordr == "" ? " -> {$target}{$localport}" : "");
/* Does this rule redirect back to a internal host? */
if(isset($rule['destination']['any']) && !isset($rule['nordr']) && !isset($config['system']['enablenatreflectionhelper']) && !interface_has_gateway($rule['interface'])) {
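Review bot: The added guard `if(empty($nat_if_list)) $reflection_type = "none";` silently overrides the configured reflection mode for this rule, and nothing at that spot says why. A one-line comment above it would help the next reader, for example `/* No reflection interfaces for this rule: treat NAT reflection as disabled */`. The override presumably affects every later test of `$reflection_type` for this rule, including ones outside the hunk, so the comment should say that the change is intentional. filter_nat_rules_generate() starts and ends outside this hunk.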
@@ -1785,8 +1780,18 @@ function filter_nat_rules_generate() {
foreach ($reflection_rules as $txtline)
fwrite($inetd_fd, $txtline);
+ } else if($reflection_type == "purenat" || isset($rule['nordr'])) {
+ $rdr_if_list = implode(" ", $nat_if_list);
+ if(count($nat_if_list) > 1)
+ $rdr_if_list = "{ {$rdr_if_list} }";
+ $natrules .= "\n# Reflection redirect\n";
+ $natrules .= "{$nordr}rdr {$rdrpass}on {$rdr_if_list} proto {$protocol} from {$srcaddr} to {$dstaddr_reflect}" . ($nordr == "" ? " -> {$target}{$localport}" : "");
+ $nat_if_list = array_merge(array($natif), $nat_if_list);
}
+ if(empty($nat_if_list))
+ $nat_if_list = array($natif);
+
$natrules .= "\n";
if(!isset($rule['nordr']))
$natrules .= filter_generate_reflection_nat($rule, $route_table, $nat_if_list, $protocol, "{$target}{$localport_nat}", $target_ip);
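Review bot: The new `else if($reflection_type == "purenat" || isset($rule['nordr']))` branch can still run with an empty `$nat_if_list`, because the earlier guard only resets `$reflection_type` and does not affect the `nordr` half of the condition. In that case `implode(" ", $nat_if_list)` returns an empty string and the "Reflection redirect" line is written as `rdr … on  proto …` with no interface. pf would most likely reject such a line, and a ruleset that fails to parse on a firewall typically means the intended rules are not applied. Guarding the branch avoids this: `} else if(!empty($nat_if_list) && ($reflection_type == "purenat" || isset($rule['nordr']))) {`. The `if` that this `else if` belongs to opens outside the hunk, so the other arm should be checked for the same assumption.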