author | Ermal Luçi <eri@pfsense.org> | 2010-01-26 23:59:43 +0000 |
---|---|---|
committer | Ermal Luçi <eri@pfsense.org> | 2010-01-26 23:59:43 +0000 |
commit | 9b16b83439add7c4898c8911e5a36a1ed1d3bdc2 (patch) | |
tree | 77a4f23c1936b15e962ee61ff2b6aabecd8aabd9 /usr | |
parent | 8f3f7729dca3cb734bc9d06a53953a07d6fca0c1 (diff) | |
download | pfsense-9b16b83439add7c4898c8911e5a36a1ed1d3bdc2.zip pfsense-9b16b83439add7c4898c8911e5a36a1ed1d3bdc2.tar.gz |
Ticket #136.
Fix associated nat rules.
Now both the filter rules and the NAT ones contain an associated-rule-id tag, which links the items together.
The API to use for this is in itemid.inc.
All the issues should be solved now.
Diffstat (limited to 'usr')
-rwxr-xr-x | usr/local/www/firewall_nat.php | 10 | ||||
-rwxr-xr-x | usr/local/www/firewall_nat_edit.php | 83 | ||||
-rwxr-xr-x | usr/local/www/firewall_rules_edit.php | 24 |
3 files changed, 63 insertions, 54 deletions
diff --git a/usr/local/www/firewall_nat.php b/usr/local/www/firewall_nat.php index f7ddc8b..696248f 100755 --- a/usr/local/www/firewall_nat.php +++ b/usr/local/www/firewall_nat.php @@ -88,8 +88,8 @@ if (isset($_POST['del_x'])) { foreach ($_POST['rule'] as $rulei) { $target = $rule['target']; // Check for filter rule associations - if (isset($a_nat[$rulei]['associated-filter-rule-id'])){ - delete_id($a_nat[$rulei]['associated-filter-rule-id'], $config['filter']['rule']); + if (isset($a_nat[$rulei]['associated-rule-id'])){ + delete_id($a_nat[$rulei]['associated-rule-id'], $config['filter']['rule']); mark_subsystem_dirty('filter'); } @@ -230,10 +230,10 @@ echo "<script type=\"text/javascript\" language=\"javascript\" src=\"/javascript <tr valign="top" id="fr<?=$nnats;?>"> <td class="listt"><input type="checkbox" id="frc<?=$nnats;?>" name="rule[]" value="<?=$i;?>" onClick="fr_bgcolor('<?=$nnats;?>')" style="margin: 0; padding: 0; width: 15px; height: 15px;"></td> <td class="listt" align="center"> - <?php if(isset($natent['associated-filter-rule-id']) && $natent['associated-filter-rule-id']>0): ?> - <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_chain.png" width="17" height="17" title="Firewall rule ID <?=htmlspecialchars($natent['associated-filter-rule-id']); ?> is managed with this rule" border="0"> + <?php if(!empty($natent['associated-rule-id'])): ?> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_chain.png" width="17" height="17" title="Firewall rule ID <?=htmlspecialchars($nnatid); ?> is managed with this rule" border="0"> <?php endif; ?> - <?php if($natent['associated-filter-rule-id'] == "pass"): ?> + <?php if($natent['associated-rule-id'] == "pass"): ?> <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_pass.gif" title="All traffic matching this NAT entry is passed" border="0"> <?php endif; ?> </td> diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php index af5d6d0..9be1e4b 100755 
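Review bot: The chain icon's title in the listing hunk now interpolates `$nnatid`, which is assigned nowhere in this hunk (the removed line used the entry's own `associated-filter-rule-id`), so unless it is set elsewhere in the file the title renders as "Firewall rule ID  is managed with this rule". Use the value the row actually carries: `title="Firewall rule ID <?=htmlspecialchars($natent['associated-rule-id']); ?> is managed with this rule"`. The new `!empty()` test also shows the chain icon for entries holding the "pass" sentinel that is checked two lines further down, where the removed `> 0` comparison did not; `<?php if(!empty($natent['associated-rule-id']) && $natent['associated-rule-id'] != "pass"): ?>` keeps the two icons distinct. The table row markup continues outside the hunk.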
--- a/usr/local/www/firewall_nat_edit.php +++ b/usr/local/www/firewall_nat_edit.php @@ -68,7 +68,7 @@ if (isset($id) && $a_nat[$id]) { $pconfig['localbeginport'] = $a_nat[$id]['local-port']; $pconfig['descr'] = $a_nat[$id]['descr']; $pconfig['interface'] = $a_nat[$id]['interface']; - $pconfig['associated-filter-rule-id'] = $a_nat[$id]['associated-filter-rule-id']; + $pconfig['associated-rule-id'] = $a_nat[$id]['associated-rule-id']; $pconfig['nosync'] = isset($a_nat[$id]['nosync']); if (!$pconfig['interface']) $pconfig['interface'] = "wan"; @@ -189,10 +189,10 @@ if ($_POST) { $natent['local-port'] = $_POST['localbeginport']; $natent['interface'] = $_POST['interface']; $natent['descr'] = $_POST['descr']; - $natent['associated-filter-rule-id'] = $_POST['associated-filter-rule-id']; + $natent['associated-rule-id'] = $_POST['associated-rule-id']; if($_POST['filter-rule-association'] == "pass") - $natent['associated-filter-rule-id'] = "pass"; + $natent['associated-rule-id'] = "pass"; if($_POST['nosync'] == "yes") $natent['nosync'] = true; 
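Review bot: In the second hunk `$natent['associated-rule-id']` is copied straight from `$_POST['associated-rule-id']` into the config without checking that it names an existing filter rule; the `> 0` comparisons this change removes elsewhere at least constrained it to a number, and nothing in the new code replaces that. Before storing it, accept only the empty string, "pass", "new", or a value for which `get_id($_POST['associated-rule-id'], $config['filter']['rule'])` succeeds, and report anything else as an input error like the other POST fields. The `if ($_POST)` block this belongs to starts and ends outside the hunk.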
@@ -200,20 +200,20 @@ if ($_POST) { unset($natent['nosync']); // If we used to have an associated filter rule, but no-longer should have one - if( $a_nat[$id]>0 && ($natent['associated-filter-rule-id']>0)===false ) { + if ($a_nat[$id]>0 && empty($natent['associated-rule-id'])) { // Delete the previous rule - delete_id($a_nat[$id]['associated-filter-rule-id'], $config['filter']['rule']); + delete_id($a_nat[$id]['associated-rule-id'], $config['filter']['rule']); mark_subsystem_dirty('filter'); } $need_filter_rule = false; // Updating a rule with a filter rule associated - if( $natent['associated-filter-rule-id']>0 ) + if (!empty($natent['associated-rule-id'])) $need_filter_rule = true; // Create a rule or if we want to create a new one - if( $natent['associated-filter-rule-id']=='new' ) { + if( $natent['associated-rule-id']=='new' ) { $need_filter_rule = true; - unset( $natent['associated-filter-rule-id'] ); + unset( $natent['associated-rule-id'] ); $_POST['filter-rule-association']='add-associated'; } // If creating a new rule, where we want to add the filter rule, associated or not 
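Review bot: `empty()` and `!empty()` now stand in for the removed `> 0` tests, but the "pass" sentinel assigned in the previous hunk (and the "new" marker handled a few lines further down) are non-empty strings, so an entry switched from a linked rule to "pass" no longer has its old filter rule deleted, and `$need_filter_rule` is set for pass entries as well. Compute the linkage once and use it in both conditions: `$assoc = $natent['associated-rule-id'];` and `$is_linked = !empty($assoc) && $assoc != "pass" && $assoc != "new";`. The same `!empty()` test drives the chain icon in firewall_nat.php's listing hunk. `$a_nat[$id] > 0` compares an array with an integer; `isset($a_nat[$id])` says what is meant. The enclosing `if ($_POST)` block continues outside the hunk.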
@@ -232,21 +232,23 @@ if ($_POST) { $id = count($a_nat); } - if ($need_filter_rule) { + if ($need_filter_rule == true) { /* auto-generate a matching firewall rule */ $filterent = array(); - + unset($filterentid); // If a rule already exists, load it - if( $natent['associated-filter-rule-id'] > 0 ) - $filterent = &get_id($natent['associated-filter-rule-id'], $config['filter']['rule']); - else + if (!empty($natent['associated-rule-id'])) { + $filterentid = get_id($natent['associated-rule-id'], $config['filter']['rule']); + if ($filterentid == false) { + $filterent['source']['any'] = ""; + $filterent['associated-rule-id'] = $natent['associated-rule-id']; + } else + $filterent =& $config['filter']['rule'][$filterentid]; + } else // Create the default source entry for new filter entries $filterent['source']['any'] = ""; - // Update associated nat rule ID - $filterent['associated-nat-rule-id'] = $id; - // Update interface, protocol and destination $filterent['interface'] = $_POST['interface']; $filterent['protocol'] = $_POST['proto']; @@ -260,17 +262,15 @@ if ($_POST) { else $filterent['destination']['port'] = $dstpfrom . "-" . $dstpto; - $filterent['descr'] = "NAT " . $_POST['descr']; /* * Our firewall filter description may be no longer than * 63 characters, so don't let it be. */ - $filterent['descr'] = substr("NAT " . $_POST['descr'], 0, 59); + $filterent['descr'] = substr("NAT " . $_POST['descr'], 0, 62); // If this is a new rule, create an ID and add the rule if( $_POST['filter-rule-association']=='add-associated' ) { - $natent['associated-filter-rule-id'] = $filterent['id'] = get_next_id($config['filter']['rule']); - + $filterent['associated-rule-id'] = $natent['associated-rule-id'] = get_unique_id(); $config['filter']['rule'][] = $filterent; } 
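Review bot: `if ($filterentid == false)` treats a found index of 0 as "not found", because `0 == false` holds in PHP, so a NAT entry linked to the first filter rule gets a fresh `$filterent` instead of a reference to `$config['filter']['rule'][0]`; if `get_id()` returns `false` on a miss, write `if ($filterentid === false) {`. In that not-found branch the code builds `$filterent` carrying the stale id, but nothing appends it to the config unless `filter-rule-association` is `add-associated`, so the NAT entry silently keeps an id that points at no rule; `unset($natent['associated-rule-id']);` there, or forcing the add path, would clear the dangling link. `if ($need_filter_rule == true)` says nothing that the removed `if ($need_filter_rule)` did not. The enclosing `if ($_POST)` block continues outside the hunk.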
@@ -457,32 +457,33 @@ include("fbegin.inc"); ?> <tr> <td width="22%" valign="top" class="vncell">Filter rule association</td> <td width="78%" class="vtable"> - <select name="associated-filter-rule-id"> + <select name="associated-rule-id"> <option value="">None</option> - <option value="pass" <?php if($pconfig['associated-filter-rule-id'] == "pass") echo " SELECTED"; ?>>Pass</option> - <?php foreach ($config['filter']['rule'] as $filter_rule): ?> - <?php if (isset($filter_rule['id']) && $filter_rule['id']>0 && ( isset($filter_rule['associated-nat-rule-id'])===false || $filter_rule['id']==$pconfig['associated-filter-rule-id'])): ?> - <option value="<?php echo $filter_rule['id']; ?>"<?php if($filter_rule['id']==$pconfig['associated-filter-rule-id']) echo " SELECTED"; ?>> - <?php echo htmlspecialchars('Rule ' . $filter_rule['id'] . ' - ' . $filter_rule['descr']); ?> - </option> - <?php endif; ?> - <?php endforeach; ?> - <?php if ( ($pconfig['associated-filter-rule-id']>0)===false ): ?> - <option value="new">Create new associated filter rule</option> - <?php endif; ?> - </select> - <?php if($pconfig['associated-filter-rule-id']>0): ?> - <?php + <option value="pass" <?php if($pconfig['associated-rule-id'] == "pass") echo " SELECTED"; ?>>Pass</option> + <?php + if (is_array($config['filter']['rule'])) { + foreach ($config['filter']['rule'] as $filter_rule) { + if (isset($filter_rule['associated-rule-id'])) { + echo "<option value=\"{$filter_rule['associated-rule-id']}\""; + if ($filter_rule['associated-rule-id']==$pconfig['associated-rule-id']) + echo " SELECTED"; + echo ">". htmlspecialchars('Rule ' . $filter_rule['descr']) . 
"</option>\n"; + + } + } + } + if (isset($pconfig['associated-rule-id'])) + echo "<option value=\"new\">Create new associated filter rule</option>\n"; + echo "</select>\n"; + if(isset($pconfig['associated-rule-id']) && is_array($config['filter']['rule'])) { foreach( $config['filter']['rule'] as $index => $filter_rule ) { - if( $filter_rule['id']==$pconfig['associated-filter-rule-id'] ) { - ?> - <a href="firewall_rules_edit.php?id=<?=$filter_rule['id'];?>">View the filter rule</a> - <?php + if( $filter_rule['assocaited-rule-id']==$pconfig['associated-rule-id'] ) { + echo "<a href=\"firewall_rules_edit.php?id={$filter_rule[$index]}\">View the filter rule</a>"; break; } } - ?> - <?php endif; ?> + } + ?> </td> </tr> <?php endif; ?> diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php index d799841..034a683 100755 --- a/usr/local/www/firewall_rules_edit.php +++ b/usr/local/www/firewall_rules_edit.php @@ -157,7 +157,7 @@ if (isset($id) && $a_filter[$id]) { //schedule support $pconfig['sched'] = $a_filter[$id]['sched']; - $pconfig['associated-nat-rule-id'] = $a_filter[$id]['associated-nat-rule-id']; + $pconfig['associated-rule-id'] = $a_filter[$id]['associated-rule-id']; } else { /* defaults */ @@ -246,10 +246,10 @@ if ($_POST) { /* input validation */ $reqdfields = explode(" ", "type proto src"); - if ( isset($a_filter[$id]['associated-nat-rule-id'])===false ) + if ( isset($a_filter[$id]['associated-rule-id'])===false ) $redqfields[] = "dst"; $reqdfieldsn = explode(",", "Type,Protocol,Source"); - if ( isset($a_filter[$id]['associated-nat-rule-id'])===false ) + if ( isset($a_filter[$id]['associated-rule-id'])===false ) $reqdfieldsn[] = "Destination"; if($_POST['statetype'] == "modulate state" or $_POST['statetype'] == "synproxy state") { 
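Review bot: The "View the filter rule" link can never render: the new condition reads `$filter_rule['assocaited-rule-id']` (key misspelled, so it is always null) and the href interpolates `$filter_rule[$index]`, which indexes the rule array by its own position instead of using `$index`. Change the two lines to `if ($filter_rule['associated-rule-id'] == $pconfig['associated-rule-id']) {` and `echo "<a href=\"firewall_rules_edit.php?id={$index}\">View the filter rule</a>";`; the same two mistakes appear in firewall_rules_edit.php's Destination hunk. The "Create new associated filter rule" option is now emitted only when `$pconfig['associated-rule-id']` is set, the inverse of the removed `($x>0)===false` test, so a NAT entry without a linked rule can no longer create one; `if (empty($pconfig['associated-rule-id']) || $pconfig['associated-rule-id'] == "pass")` restores the intent. The option loop also lists every filter rule that has any `associated-rule-id`, including ones linked to other NAT entries, which the removed code excluded, and the `value` attribute is written without `htmlspecialchars()`.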
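Review bot: The new `isset(...)===false` condition in the validation hunk guards `$redqfields[] = "dst";`, but that context line writes to a misspelled variable (`$redqfields`, not `$reqdfields`), so Destination is never actually required even when the check passes, while `$reqdfieldsn` gains the "Destination" label a few lines below; while touching this condition, correct it to `$reqdfields[] = "dst";`. The same condition is repeated twice here and once more in the following hunk; a single `$has_assoc = isset($a_filter[$id]['associated-rule-id']);` evaluated once would keep the three in step. The enclosing `if ($_POST)` block continues outside the hunk.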
@@ -263,7 +263,7 @@ if ($_POST) { $reqdfields[] = "srcmask"; $reqdfieldsn[] = "Source bit count"; } - if ( isset($a_filter[$id]['associated-nat-rule-id'])===false && + if ( isset($a_filter[$id]['associated-rule-id'])===false && (!(is_specialnet($_POST['dsttype']) || ($_POST['dsttype'] == "single"))) ) { $reqdfields[] = "dstmask"; $reqdfieldsn[] = "Destination bit count"; @@ -463,9 +463,9 @@ if ($_POST) { } // If we have an associated nat rule, make sure the destination doesn't change - if( isset($a_filter[$id]['associated-nat-rule-id']) ) { + if( isset($a_filter[$id]['associated-rule-id']) ) { $filterent['destination'] = $a_filter[$id]['destination']; - $filterent['associated-nat-rule-id'] = $a_filter[$id]['associated-nat-rule-id']; + $filterent['associated-rule-id'] = $a_filter[$id]['associated-rule-id']; } if (isset($id) && $a_filter[$id]) @@ -760,11 +760,19 @@ include("head.inc"); <td width="22%" valign="top" class="vncellreq">Destination</td> <td width="78%" class="vtable"> <?php $dst_disabled=false; ?> - <?php if( isset($pconfig['associated-nat-rule-id']) ): ?> + <?php if( isset($pconfig['associated-rule-id']) ): ?> <span class="red"><strong>NOTE: </strong></span> This is associated to a NAT rule.<br /> You cannot edit the destination of associated filter rules.<br /> <br /> - <a href="firewall_nat_edit.php?id=<?=$pconfig['associated-nat-rule-id'];?>">View the NAT rule</a><br /> + <?php + if (is_array($config['nat']['rule'])) { + foreach( $config['nat']['rule'] as $index => $nat_rule ) { + if( $nat_rule['assocaited-rule-id']==$pconfig['associated-rule-id']) + echo "<a href=\"firewall_nat_edit.php?id={$nat_rule[$index]}\">View the NAT rule</a>\n"; + break; + } + } + ?> <br /> <?php $dst_disabled=true; ?> <script type="text/javascript"> |
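Review bot: The `break;` in the new Destination loop sits outside the `if`, so only the first NAT rule is ever examined and the "View the NAT rule" link is missing whenever the associated entry is not first; in addition the key is misspelled as `assocaited-rule-id` (always null) and the href interpolates `$nat_rule[$index]` rather than `$index`, the same two mistakes as in firewall_nat_edit.php's select hunk. Move the `break` inside the match and use the loop index for the id. The surrounding `<td>` markup continues outside the hunk.
```php
if (is_array($config['nat']['rule'])) {
    foreach ($config['nat']['rule'] as $index => $nat_rule) {
        if ($nat_rule['associated-rule-id'] == $pconfig['associated-rule-id']) {
            echo "<a href=\"firewall_nat_edit.php?id={$index}\">View the NAT rule</a>\n";
            break;
        }
    }
}
```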