author | smos <seth.mos@dds.nl> | 2012-05-31 20:03:50 +0200 |
---|---|---|
committer | smos <seth.mos@dds.nl> | 2012-05-31 20:08:55 +0200 |
commit | 05a4cebd90d35db07b588b1bb1cc969552cb3cd0 (patch) | |
tree | 746d302d9d32ff8a4ee605000353c7e1f3cd160d /usr/local/www/firewall_rules_edit.php | |
parent | c1d36d26a9cc341508eb472475c3bac70b4f8e04 (diff) | |
Add an inet46 filter type on the firewall rules page. I have locked down a few of the most common limitations.
Still arguing if we should lock this down even further to aliases only.
Redmine ticket #2466
Diffstat (limited to 'usr/local/www/firewall_rules_edit.php')
-rwxr-xr-x | usr/local/www/firewall_rules_edit.php | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php index 57f01bf..13f4287 100755 --- a/usr/local/www/firewall_rules_edit.php +++ b/usr/local/www/firewall_rules_edit.php @@ -213,6 +213,9 @@ if ($_POST) { if($_POST['ipprotocol'] == $family) { continue; } + if(($_POST['ipprotocol'] == "inet46") && ($_POST['ipprotocol'] != $family)) { + $input_errors[] = gettext("You can not assign a gateway to a rule that applies to IPv4 and IPv6"); + } if(($_POST['ipprotocol'] == "inet6") && ($_POST['ipprotocol'] != $family)) { $input_errors[] = gettext("You can not assign a IPv4 gateway group on IPv6 Address Family rule"); } @@ -223,6 +226,9 @@ if ($_POST) { } } if (($_POST['ipprotocol'] <> "") && ($_POST['gateway'] <> "") && (is_ipaddr(lookup_gateway_ip_by_name($_POST['gateway'])))) { + if(($_POST['ipprotocol'] == "inet46") && ($_POST['gateway'] <> "")) { + $input_errors[] = gettext("You can not assign a gateway to a rule that applies to IPv4 and IPv6"); + } if(($_POST['ipprotocol'] == "inet6") && (!is_ipaddrv6(lookup_gateway_ip_by_name($_POST['gateway'])))) { $input_errors[] = gettext("You can not assign the IPv4 Gateway to a IPv6 Filter rule"); } @@ -231,6 +237,15 @@ if ($_POST) { } } + if (($_POST['proto'] != "tcp") && ($_POST['proto'] != "udp") && ($_POST['proto'] != "tcp/udp") && ($_POST['proto'] != "icmp")) { + if($_POST['ipprotocol'] == "inet46") + $input_errors[] = gettext("You can not assign a protocol other then ICMP, TCP, UDP or TCP/UDP to a rule that applies to IPv4 and IPv6"); + } + if (($_POST['proto'] == "icmp") && ($_POST['icmptype'] <> "")){ + if($_POST['ipprotocol'] == "inet46") + $input_errors[] = gettext("You can not assign a ICMP type to a rule that applies to IPv4 and IPv6"); + } + if (($_POST['proto'] != "tcp") && ($_POST['proto'] != "udp") && ($_POST['proto'] != "tcp/udp")) { $_POST['srcbeginport'] = 0; $_POST['srcendport'] = 0; 
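Review bot: The inet46 gateway rejection added in the `@@ -223` hunk only runs when `is_ipaddr(lookup_gateway_ip_by_name($_POST['gateway']))` is true, and the one in the `@@ -213` hunk sits inside a loop whose header is outside the hunk, so a posted gateway name that matches neither branch appears to pass validation with `ipprotocol` set to `inet46`. The dropdown filtering later in this commit only affects what is rendered, so the server-side rule should stand on its own ahead of both branches, for example `if (($_POST['ipprotocol'] == "inet46") && ($_POST['gateway'] <> ""))` with the existing error message. As written, the second operand of each new condition is already guaranteed by the surrounding code (`!= $family` follows the `continue`, and `gateway <> ""` repeats the enclosing `if`), and the copy inside the loop may append the same error once per iteration.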
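Review bot: In the `@@ -231` hunk the inet46 protocol check rejects every `$_POST['proto']` value other than the four listed, which would include an "any" selection if the form offers one (the select is not visible here); please confirm that is intended and say so in a comment above the check. The user-facing string has a typo, `other then` should read `other than`. The two unbraced inner `if($_POST['ipprotocol'] == "inet46")` statements would read more safely folded into their outer conditions, e.g. `if (($_POST['ipprotocol'] == "inet46") && ($_POST['proto'] == "icmp") && ($_POST['icmptype'] <> "")) {`.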
@@ -390,6 +405,9 @@ if ($_POST) { $input_errors[] = gettext("You can not use IPv6 addresses in IPv4 rules."); if((is_ipaddrv4($_POST['src']) || is_ipaddrv4($_POST['dst'])) && ($_POST['ipprotocol'] == "inet6")) $input_errors[] = gettext("You can not use IPv4 addresses in IPv6 rules."); + if((is_ipaddr($_POST['src']) || is_ipaddr($_POST['dst'])) && ($_POST['ipprotocol'] == "inet46")) + $input_errors[] = gettext("You can not use a IPv4 or IPv6 address in combined IPv4 + IPv6 rules."); + } if ($_POST['srcbeginport'] > $_POST['srcendport']) { @@ -809,7 +827,7 @@ include("head.inc"); <td width="22%" valign="top" class="vncellreq"><?=gettext("TCP/IP Version");?></td> <td width="78%" class="vtable"> <select name="ipprotocol" class="formselect"> - <?php $ipproto = array('inet' => 'IPv4','inet6' => 'IPv6'); + <?php $ipproto = array('inet' => 'IPv4','inet6' => 'IPv6', 'inet46' => 'IPv4+IPv6' ); foreach ($ipproto as $proto => $name): ?> <option value="<?=$proto;?>" <?php if ($proto == $pconfig['ipprotocol']): ?> @@ -1347,6 +1365,8 @@ $i--): ?> $gateways = return_gateways_array(); // add statically configured gateways to list foreach($gateways as $gwname => $gw) { + if(($pconfig['ipprotocol'] == "inet46")) + continue; if(($pconfig['ipprotocol'] == "inet6") && !is_ipaddrv6($gw['gateway'])) continue; if(($pconfig['ipprotocol'] == "inet") && !is_ipaddrv4($gw['gateway'])) @@ -1364,6 +1384,8 @@ $i--): ?> if (is_array($config['gateways']['gateway_group'])) { foreach($config['gateways']['gateway_group'] as $gw_group) { $af = explode("|", $gw_group['item'][0]); + if(($pconfig['ipprotocol'] == "inet46")) + continue; if(($pconfig['ipprotocol'] == "inet6") && !is_ipaddrv6(lookup_gateway_ip_by_name($af[0]))) continue; if(($pconfig['ipprotocol'] == "inet") && !is_ipaddrv4(lookup_gateway_ip_by_name($af[0]))) |
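Review bot: In the `@@ -1347` and `@@ -1364` hunks the new `if(($pconfig['ipprotocol'] == "inet46")) continue;` does not depend on the loop variable, so it skips every iteration of the `foreach`; testing it once around each loop, `if ($pconfig['ipprotocol'] != "inet46") {` ... `}`, states the intent directly. A short comment such as `// no gateway may be selected for combined IPv4+IPv6 rules` would explain why the list is left empty. Both loops continue past the end of their hunks. The list is built from `$pconfig` at render time, so this hides options but does not restrict what can be posted; the `$_POST` checks earlier in the file are what enforce the rule.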