author | Scott Ullrich <sullrich@pfsense-org.local> | 2009-08-24 18:04:17 -0400 |
---|---|---|
committer | Scott Ullrich <sullrich@pfsense-org.local> | 2009-08-24 18:04:17 -0400 |
commit | fcf168cb8958954606ab7b079e6cac96056aac2f (patch) | |
tree | f068157d5799548ebe242c7568aeee2def79b75b /usr/local/www/firewall_nat_edit.php | |
parent | 83eb45678f289484309c8d693959e674ab22e1e6 (diff) | |
parent | 5335abaecf87cefb3e83f52dde71b251a3efd778 (diff) | |
Merge branch 'master' of git://rcs.pfsense.org/pfsense/automatically-managing-firewall-rules-with-nat-rules into review/master
Diffstat (limited to 'usr/local/www/firewall_nat_edit.php')
-rwxr-xr-x | usr/local/www/firewall_nat_edit.php | 74 |
1 files changed, 60 insertions, 14 deletions
diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php
index 10fb84d..d8a9fb6 100755
--- a/usr/local/www/firewall_nat_edit.php
+++ b/usr/local/www/firewall_nat_edit.php
@@ -61,6 +61,7 @@ if (isset($id) && $a_nat[$id]) {
 	$pconfig['localbeginport'] = $a_nat[$id]['local-port'];
 	$pconfig['descr'] = $a_nat[$id]['descr'];
 	$pconfig['interface'] = $a_nat[$id]['interface'];
+	$pconfig['associated-filter-rule-id'] = $a_nat[$id]['associated-filter-rule-id'];
 	$pconfig['nosync'] = isset($a_nat[$id]['nosync']);
 	if (!$pconfig['interface'])
 		$pconfig['interface'] = "wan";
@@ -181,24 +182,29 @@ if ($_POST) {
 	$natent['local-port'] = $_POST['localbeginport'];
 	$natent['interface'] = $_POST['interface'];
 	$natent['descr'] = $_POST['descr'];
+	$natent['associated-filter-rule-id'] = $_POST['associated-filter-rule-id'];
 	if($_POST['nosync'] == "yes")
 		$natent['nosync'] = true;
 	else
 		unset($natent['nosync']);
-	if (isset($id) && $a_nat[$id])
-		$a_nat[$id] = $natent;
-	else {
-		if (is_numeric($after))
-			array_splice($a_nat, $after+1, 0, array($natent));
-		else
-			$a_nat[] = $natent;
-	}
+	$need_filter_rule = false;
+	// Updating a rule with a filter rule associated
+	if( $natent['associated-filter-rule-id']>0 )
+		$need_filter_rule = true;
+	// If creating a new rule, where we want to add the filter rule, associated or not
+	else if( isset($_POST['filter-rule-association']) &&
+		($_POST['filter-rule-association']=='add-associated' ||
+		$_POST['filter-rule-association']=='add-unassociated') )
+		$need_filter_rule = true;
-	mark_subsystem_dirty('natconf');
+	if ($need_filter_rule) {
+
+		// If we had a previous rule associated with this NAT rule, delete that
+		if( $natent['associated-filter-rule-id'] > 0 )
+			delete_id($natent['associated-filter-rule-id'], $config['filter']['rule']);
-	if ($_POST['autoadd']) {
 		/* auto-generate a matching firewall rule */
 		$filterent = array();
 		$filterent['interface'] = $_POST['interface'];
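Review bot: `$natent['associated-filter-rule-id'] = $_POST['associated-filter-rule-id'];` stores the posted value unvalidated, and the new `if ($need_filter_rule)` block then hands it straight to `delete_id()` on `$config['filter']['rule']`, so whatever rule id arrives in the form is removed from the filter rule set and replaced by the auto-generated rule. Nothing in the hunk checks that the value is an integer or that it is the rule already associated with this NAT entry, and the edit-form select added in the third hunk lists every filter rule carrying an id, so an operator who picks an unrelated rule there silently destroys it. Normalise before the delete, e.g. `$natent['associated-filter-rule-id'] = is_numeric($_POST['associated-filter-rule-id']) ? (int)$_POST['associated-filter-rule-id'] : 0;`, and on the edit path reject an id that differs from `$a_nat[$id]['associated-filter-rule-id']` in the page's input-validation section, which lies outside this hunk. `delete_id()` and `get_next_id()` are not defined anywhere the diff shows, so their by-reference behaviour on the rule array is presumably provided elsewhere in the merge; the enclosing `if ($_POST)` block starts and ends outside the hunk.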
@@ -221,11 +227,30 @@ if ($_POST) {
 		 */
 		$filterent['descr'] = substr("NAT " . $_POST['descr'], 0, 59);
+		// If we had a previous rule association, update this rule with that ID so we don't lose association
+		if ($natent['associated-filter-rule-id'] > 0)
+			$filterent['id'] = $natent['associated-filter-rule-id'];
+		// If we wanted this rule to be associated, make sure the NAT entry is updated with the same ID
+		else if($_POST['filter-rule-association']=='add-associated')
+			$natent['associated-filter-rule-id'] = $filterent['id'] = get_next_id($config['filter']['rule']);
+
 		$config['filter']['rule'][] = $filterent;
 		mark_subsystem_dirty('filter');
 	}
+	// Update NAT entry after creating/updating the firewall rule, so we have it's rule ID if one was created
+	if (isset($id) && $a_nat[$id])
+		$a_nat[$id] = $natent;
+	else {
+		if (is_numeric($after))
+			array_splice($a_nat, $after+1, 0, array($natent));
+		else
+			$a_nat[] = $natent;
+	}
+
+	mark_subsystem_dirty('natconf');
+
 	write_config();
 	header("Location: firewall_nat.php");
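Review bot: The edit path now regenerates the associated filter rule from the NAT form on every save: the previous rule is removed by `delete_id()` in the preceding hunk and this hunk appends a fresh `$filterent` that carries only the old id, so any changes an operator made directly to that filter rule since it was generated are silently discarded the next time the NAT entry is saved. If that is the intended contract it should be stated where the id is copied, e.g. `// The associated filter rule is always rebuilt from the NAT entry; edits made to it directly are overwritten here`, and ideally also in the edit form so the operator knows. The comment `so we have it's rule ID` should read `its rule ID`. The `if ($need_filter_rule)` block closed by the context `}` opens in the previous hunk, and the enclosing `if ($_POST)` block ends outside this one.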
@@ -390,13 +415,34 @@ include("fbegin.inc"); ?>
 			HINT: This prevents the rule from automatically syncing to other CARP members.
 			</td>
 		</tr>
+		<?php if (isset($id) && $a_nat[$id] && !isset($_GET['dup'])): ?>
+		<tr>
+			<td width="22%" valign="top" class="vncell">Filter rule association</td>
+			<td width="78%" class="vtable">
+				<select name="associated-filter-rule-id">
+					<option value="">None</option>
+					<?php foreach ($config['filter']['rule'] as $filter_rule): ?>
+						<?php if (isset($filter_rule['id']) && $filter_rule['id']>0): ?>
+							<option value="<?php echo $filter_rule['id']; ?>"<?php if($filter_rule['id']==$pconfig['associated-filter-rule-id']) echo " SELECTED"; ?>>
+								<?php echo htmlspecialchars('Rule ' . $filter_rule['id'] . ' - ' . $filter_rule['descr']); ?>
+							</option>
+						<?php endif; ?>
+					<?php endforeach; ?>
+				</select>
+			</td>
+		</tr>
+		<?php endif; ?>
 		<?php if ((!(isset($id) && $a_nat[$id])) || (isset($_GET['dup']))): ?>
 		<tr>
-			<td width="22%" valign="top"> </td>
+			<td width="22%" valign="top">Filter rule association</td>
 			<td width="78%">
-			<input name="autoadd" type="checkbox" id="autoadd" value="yes" CHECKED>
-			<strong>Auto-add a firewall rule to permit traffic through
-			this NAT rule</strong></td>
+			<select name="filter-rule-association" id="filter-rule-association">
+				<option value="">None</option>
+				<option value="add-associated" selected="selected">Add associated rule</option>
+				<option value="add-unassociated">Add unassociated rule</option>
+				<option value="pass">Pass</option>
+			</select>
+			</td>
 		</tr><?php endif; ?>
 		<tr>
 			<td width="22%" valign="top"> </td>
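Review bot: `<option value="<?php echo $filter_rule['id']; ?>"` writes the rule id into an HTML attribute unescaped while the label on the following line goes through `htmlspecialchars()`; the id is read from the stored config and nothing on this page enforces that it is numeric, so escape it the same way: `<option value="<?php echo htmlspecialchars($filter_rule['id']); ?>"`. The `SELECTED` test compares with loose `==`, which for ids that are all positive integers is harmless but would be clearer as `(int)$filter_rule['id'] === (int)$pconfig['associated-filter-rule-id']`. The new `<option value="pass">Pass</option>` is not consumed by the save handler in the second hunk, where `$need_filter_rule` is set only for `add-associated` and `add-unassociated`, so unless it is handled elsewhere in the merge it behaves exactly like None; if it is a placeholder, say so next to the option. The surrounding form table begins and ends outside the hunk.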