authorpierrepomes <pierre.pomes@interface-tech.com>2009-12-12 15:57:19 -0500
committerpierrepomes <pierre.pomes@interface-tech.com>2009-12-12 15:57:19 -0500
commit473d0ff02fb2dddca7e98435614a0a47ba5e7115 (patch)
treec416bdc464af6baac8c698a412513f76b05238c7 /usr/local/www/firewall_rules_edit.php
parent1b6650903ac0770344012baee77c145b48d7b488 (diff)
Add patch from lietu (Janne Enberg). Ticket #136
1) Multiple NAT rules can be assigned the same filter rule -> Fixed, added assigned-nat-rule-id to filter rules to keep track of the assignment 2) when removing the link (i.e. switching to "pass" or "none", the linked rule isn't deleted (should it be? probably yes) -> Fixed, when a NAT rule's association is removed, the filter rule is deleted. Added a "create new associated filter rule" option to the dropdown if there is none selected. 3) The destination IP and port of linked rules can be edited in firewall_rules_edit.php and shouldn't be. Source should be editable but not destination, since that should strictly be tied to the NAT rule. -> Fixed, you cannot edit the destination for the filter rules that are linked to NAT rules, this has been disabled both by JavaScript and PHP. 4) If you edit the source in a linked firewall rule, it gets overwritten when you edit the NAT rule. The NAT rule should never touch the firewall rule source after the rule exists. -> Fixed, previously the old rule was deleted and a new one created, now it only updates the old rule and doesn't touch the source. Also added crosslinking from the NAT rule to the filter rule and back, so you can jump to edit the filter rule from the NAT rule and vice-versa.
Diffstat (limited to 'usr/local/www/firewall_rules_edit.php')
-rwxr-xr-xusr/local/www/firewall_rules_edit.php46
1 files changed, 35 insertions, 11 deletions
diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php
index 0871e82..a0ce08a 100755
--- a/usr/local/www/firewall_rules_edit.php
+++ b/usr/local/www/firewall_rules_edit.php
@@ -156,6 +156,7 @@ if (isset($id) && $a_filter[$id]) {
//schedule support
$pconfig['sched'] = $a_filter[$id]['sched'];
+ $pconfig['associated-nat-rule-id'] = $a_filter[$id]['associated-nat-rule-id'];
} else {
/* defaults */
@@ -243,8 +244,12 @@ if ($_POST) {
}
/* input validation */
- $reqdfields = explode(" ", "type proto src dst");
- $reqdfieldsn = explode(",", "Type,Protocol,Source,Destination");
+ $reqdfields = explode(" ", "type proto src");
+ if ( isset($a_filter[$id]['associated-nat-rule-id'])===false )
+ $redqfields[] = "dst";
+ $reqdfieldsn = explode(",", "Type,Protocol,Source");
+ if ( isset($a_filter[$id]['associated-nat-rule-id'])===false )
+ $reqdfieldsn[] = "Destination";
if($_POST['statetype'] == "modulate state" or $_POST['statetype'] == "synproxy state") {
if( $_POST['proto'] != "tcp" )
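Review bot: The added line `$redqfields[] = "dst";` misspells the array name, so "dst" lands in a new, unused variable and never reaches `$reqdfields`, while `$reqdfieldsn` still gains "Destination". As written, the destination is no longer a required field for any rule, linked or not. The two parallel lists also end up with different lengths, which presumably skews the field labels in the validation call that consumes them (that call is outside this hunk). The line should read `$reqdfields[] = "dst";`. The test `isset($a_filter[$id]['associated-nat-rule-id'])===false` is written twice here and again in the next hunk; computing it once into a local such as `$is_nat_linked` would keep the three conditions in step.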
@@ -257,7 +262,8 @@ if ($_POST) {
$reqdfields[] = "srcmask";
$reqdfieldsn[] = "Source bit count";
}
- if (!(is_specialnet($_POST['dsttype']) || ($_POST['dsttype'] == "single"))) {
+ if ( isset($a_filter[$id]['associated-nat-rule-id'])===false &&
+ (!(is_specialnet($_POST['dsttype']) || ($_POST['dsttype'] == "single"))) ) {
$reqdfields[] = "dstmask";
$reqdfieldsn[] = "Destination bit count";
}
@@ -454,6 +460,12 @@ if ($_POST) {
$filterent['sched'] = $_POST['sched'];
}
+ // If we have an associated nat rule, make sure the destination doesn't change
+ if( isset($a_filter[$id]['associated-nat-rule-id']) ) {
+ $filterent['destination'] = $a_filter[$id]['destination'];
+ $filterent['associated-nat-rule-id'] = $a_filter[$id]['associated-nat-rule-id'];
+ }
+
if (isset($id) && $a_filter[$id])
$a_filter[$id] = $filterent;
else {
@@ -746,7 +758,19 @@ include("head.inc");
<tr>
<td width="22%" valign="top" class="vncellreq">Destination</td>
<td width="78%" class="vtable">
- <input name="dstnot" type="checkbox" id="dstnot" value="yes" <?php if ($pconfig['dstnot']) echo "checked"; ?>>
+ <?php $dst_disabled=false; ?>
+ <?php if( isset($pconfig['associated-nat-rule-id']) ): ?>
+ <span class="red"><strong>NOTE: </strong></span> This is an associated to a NAT rule.<br />
+ You cannot edit the destination of associated filter rules.<br />
+ <br />
+ <a href="firewall_nat_edit.php?id=<?=$pconfig['associated-nat-rule-id'];?>">View the NAT rule</a><br />
+ <br />
+ <?php $dst_disabled=true; ?>
+ <script type="text/javascript">
+ dstenabled = 0;
+ </script>
+ <?php endif; ?>
+ <input<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dstnot" type="checkbox" id="dstnot" value="yes" <?php if ($pconfig['dstnot']) echo "checked"; ?>>
<strong>not</strong>
<br />
Use this option to invert the sense of the match.
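Review bot: The new link on the `firewall_nat_edit.php?id=` line prints `$pconfig['associated-nat-rule-id']` into an `href` without escaping, whereas the `dst` address input further down in this diff passes its `$pconfig` value through `htmlspecialchars()`. The id is read from the stored rule and is probably well-formed, but its format is not visible here, so the output should be encoded for the context it lands in: `<?=htmlspecialchars(urlencode($pconfig['associated-nat-rule-id']));?>`. The notice text also reads "This is an associated to a NAT rule"; "This rule is associated with a NAT rule" looks like the intended wording.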
@@ -756,7 +780,7 @@ include("head.inc");
<tr>
<td>Type:&nbsp;&nbsp;</td>
<td>
- <select name="dsttype" class="formselect" onChange="typesel_change()">
+ <select<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dsttype" class="formselect" onChange="typesel_change()">
<?php
$sel = is_specialnet($pconfig['dst']); ?>
<option value="any" <?php if ($pconfig['dst'] == "any") { echo "selected"; } ?>>any</option>
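Review bot: The fragment `<?php echo ($dst_disabled===true?' DISABLED':''); ?>` is pasted into this `<select>` and into six more controls (the `dstnot` checkbox above, and the `dst`, `dstmask`, `dstbeginport`, `dstbeginport_cust`, `dstendport` and `dstendport_cust` fields in the following hunks). Building the attribute once next to `$dst_disabled`, e.g. `$dst_attr = $dst_disabled ? ' disabled="disabled"' : '';`, and emitting `<?=$dst_attr;?>` would keep the markup readable and ensure a later control is not missed. A short comment there should say that the attribute is only a UI hint, because a disabled control is simply not submitted and a hand-built POST can still carry `dst*` values. The actual guarantee is the server-side block that restores `$filterent['destination']` from the stored rule.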
@@ -786,9 +810,9 @@ include("head.inc");
<tr>
<td>Address:&nbsp;&nbsp;</td>
<td>
- <input name="dst" type="text" class="formfldalias" id="dst" size="20" value="<?php if (!is_specialnet($pconfig['dst'])) echo htmlspecialchars($pconfig['dst']);?>">
+ <input<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dst" type="text" class="formfldalias" id="dst" size="20" value="<?php if (!is_specialnet($pconfig['dst'])) echo htmlspecialchars($pconfig['dst']);?>">
/
- <select name="dstmask" class="formselect" id="dstmask">
+ <select<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dstmask" class="formselect" id="dstmask">
<?php
for ($i = 31; $i > 0; $i--): ?>
<option value="<?=$i;?>" <?php if ($i == $pconfig['dstmask']) echo "selected"; ?>><?=$i;?></option>
@@ -806,27 +830,27 @@ include("head.inc");
<tr>
<td>from:&nbsp;&nbsp;</td>
<td>
- <select name="dstbeginport" class="formselect" onchange="dst_rep_change();ext_change()">
+ <select<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dstbeginport" class="formselect" onchange="dst_rep_change();ext_change()">
<option value="">(other)</option>
<option value="any" <?php $bfound = 0; if ($pconfig['dstbeginport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstbeginport']) { echo "selected"; $bfound = 1; }?>><?=htmlspecialchars($wkportdesc);?></option>
<?php endforeach; ?>
</select>
- <input autocomplete='off' class="formfldalias" name="dstbeginport_cust" id="dstbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstbeginport']) echo $pconfig['dstbeginport']; ?>">
+ <input<?php echo ($dst_disabled===true?' DISABLED':''); ?> autocomplete='off' class="formfldalias" name="dstbeginport_cust" id="dstbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstbeginport']) echo $pconfig['dstbeginport']; ?>">
</td>
</tr>
<tr>
<td>to:</td>
<td>
- <select name="dstendport" class="formselect" onchange="ext_change()">
+ <select<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dstendport" class="formselect" onchange="ext_change()">
<option value="">(other)</option>
<option value="any" <?php $bfound = 0; if ($pconfig['dstendport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstendport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
<?php endforeach; ?>
</select>
- <input autocomplete='off' class="formfldalias" name="dstendport_cust" id="dstendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstendport']) echo $pconfig['dstendport']; ?>">
+ <input<?php echo ($dst_disabled===true?' DISABLED':''); ?> autocomplete='off' class="formfldalias" name="dstendport_cust" id="dstendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstendport']) echo $pconfig['dstendport']; ?>">
</td>
</tr>
</table>
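Review bot: The rewritten `dstbeginport_cust` and `dstendport_cust` inputs still echo `$pconfig['dstbeginport']` and `$pconfig['dstendport']` into the `value` attribute unescaped, while the `dst` address input in the previous hunk uses `htmlspecialchars()`. If `$pconfig` is refilled from the submitted form after a validation error (that code is outside this diff), a custom port value containing a quote would end the attribute early and be rendered as markup. Since these lines are being touched anyway, the output should be wrapped: `echo htmlspecialchars($pconfig['dstbeginport']);` and likewise for `dstendport`.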