author | Steve Beaver <sbeaver@netgate.com> | 2016-12-20 12:01:42 -0500 |
---|---|---|
committer | Steve Beaver <sbeaver@netgate.com> | 2016-12-20 12:01:42 -0500 |
commit | 3d4c51e4a6e50888960408ff2d7cba7a01de02f4 (patch) | |
tree | 995926e739585e3ef4a4841f6aa54ff86ac21d91 /src/usr | |
parent | 0ded76a663457ff3d2b9457ed7447ac3a200f999 (diff) | |
parent | bcdf453402a2f742b2656cd59602250f062896ee (diff) | |
Merge pull request #3299 from phil-davis/patch-8
Diffstat (limited to 'src/usr')
-rw-r--r-- | src/usr/local/www/firewall_nat_1to1_edit.php | 53 |
1 files changed, 47 insertions, 6 deletions
diff --git a/src/usr/local/www/firewall_nat_1to1_edit.php b/src/usr/local/www/firewall_nat_1to1_edit.php index 15d9425..e763aa7 100644 --- a/src/usr/local/www/firewall_nat_1to1_edit.php +++ b/src/usr/local/www/firewall_nat_1to1_edit.php @@ -38,6 +38,10 @@ require_once("shaper.inc"); $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/firewall_nat_1to1.php'); +function get_must_be_both_text() { + return(" " . gettext("They must be either both IPv4 or both IPv6 addresses.")); +} + $specialsrcdst = explode(" ", "any pptp pppoe l2tp openvpn"); $ifdisp = get_configured_interface_with_descr(); @@ -163,9 +167,13 @@ if ($_POST) { $pconfig = $_POST; + $extipaddrtype = false; + $srcipaddrtype = false; + $dstipaddrtype = false; + /* For external, user can enter only ip's */ - if (($_POST['external'])) { - validateipaddr($_POST['external'], IPV4V6, "External subnet IP", $input_errors, false); + if ($_POST['external']) { + $extipaddrtype = validateipaddr($_POST['external'], IPV4V6, "External subnet IP", $input_errors, false); } /* For dst, if user enters an alias and selects "network" then disallow. */ @@ -175,8 +183,19 @@ if ($_POST) { /* For src, user can enter only ips or networks */ if (!is_specialnet($_POST['srctype'])) { - if (($_POST['src'])) { - validateipaddr($_POST['src'], IPV4V6, "Internal address", $input_errors, false); + if ($_POST['src']) { + $srcipaddrtype = validateipaddr($_POST['src'], IPV4V6, "Internal address", $input_errors, false); + if ($srcipaddrtype) { + // It is a valid IP address of some address family. + // Check that the address family matches the other IP addresses entered. + if ($extipaddrtype && ($srcipaddrtype != $extipaddrtype)) { + $input_errors[] = sprintf( + gettext("The external IP address (%s) and internal IP address (%s) are of different address families.") . + get_must_be_both_text(), + $_POST['external'], + $_POST['src']); + } + } } if (($_POST['srcmask'] && !is_numericint($_POST['srcmask']))) { 
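Review bot: The guard `if ($_POST['external'])` in the `-163,9 +167,13` hunk relies on string truthiness, so a submitted value of `"0"` never reaches `validateipaddr()` and `$extipaddrtype` stays `false`. Because the family comparisons added later are all conditioned on `$extipaddrtype` or `$srcipaddrtype` being truthy, such a value also switches those comparisons off without any error. Consider `if (isset($_POST['external']) && $_POST['external'] !== '')` so every non-empty submission is validated; the `src` guard in the next hunk and the `dst` guard in the last hunk follow the same pattern. Whether a required-field check elsewhere in the `if ($_POST)` handler already rejects these values is not visible in this diff.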
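Review bot: In the `-175,8 +183,19` hunk the address family of `src` is now known, but the `srcmask` test in the trailing context still appears to check only `is_numericint()`, so a prefix length that is out of range for the detected family (for example above 32 with an IPv4 internal address) is not tied to `$srcipaddrtype` here. The mask arrives in the POST body and cannot be assumed to come from the form's select list, so it would be worth adding a family-dependent upper bound next to the new family check and pushing a message onto `$input_errors` when it is exceeded. The same applies to `dstmask` in the last hunk. The body of the `srcmask` `if` lies outside the hunk, so a range check may already exist further down.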
@@ -186,8 +205,30 @@ if ($_POST) { /* For dst, user can enter ips, networks or aliases */ if (!is_specialnet($_POST['dsttype'])) { - if (($_POST['dst'])) { - validateipaddr($_POST['dst'], IPV4V6, "Destination address", $input_errors, true); + if ($_POST['dst']) { + $dstipaddrtype = validateipaddr($_POST['dst'], IPV4V6, "Destination address", $input_errors, true); + if ($dstipaddrtype == 1) { + // It is an alias. + // pf does not report "error loading rules" if the address family of items in the alias does not match the external/internal address family. + // So that is up to the user to make sensible, we do not try and verify it here. + } elseif ($dstipaddrtype) { + // It is a valid IP address of some address family. + // Check that the address family matches the other IP addresses entered. + if ($extipaddrtype && ($dstipaddrtype != $extipaddrtype)) { + $input_errors[] = sprintf( + gettext("The external IP address (%s) and destination IP address (%s) are of different address families.") . + get_must_be_both_text(), + $_POST['external'], + $_POST['dst']); + } + if ($srcipaddrtype && ($dstipaddrtype != $srcipaddrtype)) { + $input_errors[] = sprintf( + gettext("The internal IP address (%s) and destination IP address (%s) are of different address families.") . + get_must_be_both_text(), + $_POST['src'], + $_POST['dst']); + } + } } if (($_POST['dstmask'] && !is_numericint($_POST['dstmask']))) { |
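Review bot: `if ($dstipaddrtype == 1)` compares loosely against a bare literal, so the alias branch would also be taken if `validateipaddr()` returned boolean `true`, and the meaning of `1` is carried only by the comment below it. A strict `if ($dstipaddrtype === 1)`, or a named constant if the helper's include file defines one, would pin the intent; the return contract of `validateipaddr()` is not shown in this diff, so please confirm it. The alias branch is intentionally empty, which means a destination alias whose members are of the other family is accepted and, per the comment, pf does not report it either. A short note in the field's help text, or a non-blocking warning, would keep that case from going unnoticed.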