-rw-r--r--etc/inc/filter.inc858
-rw-r--r--etc/inc/globals.inc2
-rw-r--r--etc/inc/pfsense-utils.inc6
-rw-r--r--etc/inc/upgrade_config.inc31
-rwxr-xr-xusr/local/www/diag_backup.php5
-rwxr-xr-xusr/local/www/firewall_aliases.php26
-rwxr-xr-xusr/local/www/firewall_aliases_edit.php5
-rwxr-xr-xusr/local/www/firewall_nat.php115
-rwxr-xr-xusr/local/www/firewall_nat_edit.php571
-rwxr-xr-xusr/local/www/firewall_rules_edit.php75
-rwxr-xr-xusr/local/www/firewall_virtual_ip.php4
-rwxr-xr-xusr/local/www/firewall_virtual_ip_edit.php4
-rw-r--r--usr/local/www/javascript/firewall_nat_edit/firewall_nat_edit.js172
-rw-r--r--usr/local/www/javascript/firewall_rules_edit/firewall_rules_edit.js49
14 files changed, 1176 insertions, 747 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 6254ee8..b229e7d 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -34,9 +34,10 @@
POSSIBILITY OF SUCH DAMAGE.
pfSense_BUILDER_BINARIES: /sbin/sysctl /sbin/kldload /usr/sbin/tcpdump /sbin/pfctl /bin/rm
- pfSense_BUILDER_BINARIES: /usr/sbin/inetd
+ pfSense_BUILDER_BINARIES: /usr/sbin/inetd
pfSense_MODULE: filter
*/
+
/* DISABLE_PHP_LINT_CHECKING */
/* include all configuration functions */
@@ -58,17 +59,17 @@ function flowtable_configure() {
return;
// Figure out how many flows we should reserve
// sized 2x larger than the number of unique connection destinations.
- if($config['system']['maximumstates'] <> "" && is_numeric($config['system']['maximumstates']))
+ if($config['system']['maximumstates'] <> "" && is_numeric($config['system']['maximumstates']))
$maxstates = $config['system']['maximumstates'];
else
- $maxstates = "150000";
+ $maxstates = "150000";
// nmbflows cpu count * ($maxstates * 2)
$cpus = trim(`/sbin/sysctl kern.smp.cpus | /usr/bin/cut -d' ' -f2`);
$nmbflows = ($cpus*($maxstates*2));
// Is flowtable enabled?
if($config['system']['flowtable'])
$flowtable_enable = 1;
- else
+ else
$flowtable_enable = 0;
// Flowtable currently only works on 8.0
if(get_freebsd_version() == "8") {
@@ -76,13 +77,13 @@ function flowtable_configure() {
mwexec("/sbin/sysctl net.inet.flowtable.nmbflows={$config['system']['maximumstates']}");
mwexec("/sbin/sysctl net.inet.ip.output_flowtable_size={$nmbflows}");
}
- mwexec("/sbin/sysctl net.inet.flowtable.enable={$flowtable_enable}");
- }
+ mwexec("/sbin/sysctl net.inet.flowtable.enable={$flowtable_enable}");
+ }
}
function filter_load_ipfw() {
global $config;
-
+
if(!is_module_loaded("ipfw.ko")) {
mute_kernel_msgs();
mwexec("/sbin/kldload ipfw");
@@ -99,7 +100,7 @@ function filter_load_ipfw() {
*/
mwexec("/sbin/sysctl net.inet.ip.pfil.outbound=\"pf\"");
}
-
+
/* Set ipfw state limit */
if($config['system']['maximumstates'] <> "" && is_numeric($config['system']['maximumstates'])) {
/* Set ipfw states to user defined maximum states in Advanced menu. */
@@ -175,22 +176,22 @@ function filter_configure_sync() {
$GatewayGroupsList = return_gateway_groups_array();
/* generate aliases */
- if($g['booting'] == true)
+ if($g['booting'] == true)
echo ".";
update_filter_reload_status("Creating aliases");
$aliases = filter_generate_aliases();
/* generate nat rules */
- if($g['booting'] == true)
+ if($g['booting'] == true)
echo ".";
update_filter_reload_status("Generating NAT rules");
$natrules = filter_nat_rules_generate();
/* generate pfctl rules */
- if($g['booting'] == true)
+ if($g['booting'] == true)
echo ".";
update_filter_reload_status("Generating filter rules");
$pfrules = filter_rules_generate();
/* generate altq, limiter */
- if($g['booting'] == true)
+ if($g['booting'] == true)
echo ".";
update_filter_reload_status("Generating ALTQ queues");
$altq_queues = filter_generate_altq_queues();
@@ -222,27 +223,27 @@ function filter_configure_sync() {
$rules .= "{$aliases} \n";
update_filter_reload_status("Setting up logging information");
$rules .= filter_setup_logging_interfaces();
- if($config['system']['optimization'] <> "") {
+ if($config['system']['optimization'] <> "") {
$rules .= "set optimization {$config['system']['optimization']}\n";
if($config['system']['optimization'] == "conservative") {
$rules .= "set timeout { udp.first 300, udp.single 150, udp.multiple 900 }\n";
}
- } else {
+ } else {
$rules .= "set optimization normal\n";
}
if($config['system']['maximumstates'] <> "" && is_numeric($config['system']['maximumstates'])) {
/* User defined maximum states in Advanced menu. */
$rules .= "set limit states {$config['system']['maximumstates']}\n";
} else {
- $max_states = pfsense_default_state_size();
- $rules .= "set limit states {$max_states}\n";
+ $max_states = pfsense_default_state_size();
+ $rules .= "set limit states {$max_states}\n";
}
$rules .= discover_pkg_rules("pfearly");
-
+
// Configure flowtable support if enabled.
flowtable_configure();
-
+
$rules .= "\n";
$rules .= "set skip on pfsync0\n";
$rules .= "\n";
@@ -254,7 +255,7 @@ function filter_configure_sync() {
$rules .= "{$altq_queues}\n";
$rules .= "{$natrules}\n";
$rules .= "{$pfrules}\n";
-
+
$rules .= discover_pkg_rules("pflate");
if(!file_put_contents("{$g['tmp_path']}/rules.debug", $rules, LOCK_EX)) {
@@ -263,7 +264,7 @@ function filter_configure_sync() {
return;
}
- /*
+ /*
* XXX: This are not being used for now so just comment them out.
$rules = "1"; // force to be diff from oldrules
$oldrules = "2"; // force to be diff from rules
@@ -284,7 +285,7 @@ function filter_configure_sync() {
echo "pfctl done at $mt\n";
}
/* check for a error while loading the rules file. if an error has occured
- * then output the contents of the error to the caller
+ * then output the contents of the error to the caller
*/
if($rules_loading <> 0) {
$rules_error = exec_command("/sbin/pfctl -f {$g['tmp_path']}/rules.debug");
@@ -320,7 +321,7 @@ function filter_configure_sync() {
fclose($filterdnsfd);
}
killbypid("{$g['tmp_path']}/filterdns.pid");
- /*
+ /*
* FilterDNS has three debugging levels. The default choosen is 1.
* Availabe are level 2 and greater then 2.
*/
@@ -331,17 +332,17 @@ function filter_configure_sync() {
$fda = fopen("{$g['tmp_path']}/commands.txt", "w");
if($fda) {
if($after_filter_configure_run)
- foreach($after_filter_configure_run as $afcr)
- fwrite($fda, $afcr . "\n");
+ foreach($after_filter_configure_run as $afcr)
+ fwrite($fda, $afcr . "\n");
/*
- * we need a way to let a user run a shell cmd after each
- * filter_configure() call. run this xml command after
- * each change.
- */
- if($config['system']['afterfilterchangeshellcmd'] <> "")
- fwrite($fda, $config['system']['afterfilterchangeshellcmd'] . "\n");
+ * we need a way to let a user run a shell cmd after each
+ * filter_configure() call. run this xml command after
+ * each change.
+ */
+ if($config['system']['afterfilterchangeshellcmd'] <> "")
+ fwrite($fda, $config['system']['afterfilterchangeshellcmd'] . "\n");
- fclose($fda);
+ fclose($fda);
}
unlock($filterlck);
@@ -383,7 +384,7 @@ function filter_generate_scrubing() {
$scrubrules = "";
/* disable scrub option */
foreach ($FilterIflist as $scrubif => $scrubcfg) {
- if(isset($scrubcfg['virtual']))
+ if(isset($scrubcfg['virtual']))
continue;
/* set up MSS clamping */
if($scrubcfg['mtu'] <> "" && is_numeric($scrubcfg['mtu']) && $scrubcfg['if'] != "pppoe" && $scrubcfg['if'] != "pptp")
@@ -409,7 +410,7 @@ function filter_generate_scrubing() {
function filter_generate_nested_alias($name, $alias, &$aliasnesting, &$aliasaddrnesting) {
global $aliastable, $filterdns;
-
+
$addresses = split(" ", $alias);
$finallist = "";
$builtlist = "";
@@ -446,10 +447,10 @@ function filter_expand_alias($alias_name)
global $config;
if(isset($config['aliases']['alias'])) {
- foreach ($config['aliases']['alias'] as $aliased) {
+ foreach ($config['aliases']['alias'] as $aliased) {
if($aliased['name'] == $alias_name) {
$aliasnesting = array();
- $aliasaddrnesting = array();
+ $aliasaddrnesting = array();
return filter_generate_nested_alias($aliased['name'], $aliased['address'], $aliasnesting, $aliasaddrnesting);
}
}
@@ -494,7 +495,7 @@ function filter_generate_aliases() {
$aliases .= "table <{$aliased['name']}> persist\n";
else
$aliases .= "table <{$aliased['name']}> { {$addrlist}{$extralias} } \n";
-
+
$aliases .= "{$aliased['name']} = \"<{$aliased['name']}>\"\n";
} else if($aliased['type'] == "openvpn") {
$openvpncfg = array();
@@ -515,7 +516,7 @@ function filter_generate_aliases() {
}
}
$aliases .= "table <{$aliased['name']}> { {$newaddress}{$extralias} } \n";
- $aliases .= "{$aliased['name']} = \"<{$aliased['name']}>\"\n";
+ $aliases .= "{$aliased['name']} = \"<{$aliased['name']}>\"\n";
} elseif($aliased['type'] == "urltable") {
$urlfn = alias_expand_urltable($aliased['name']);
if ($urlfn) {
@@ -624,7 +625,7 @@ function filter_generate_optcfg_array() {
$oic['bridge'] = link_interface_to_bridge($if);
$FilterIflist[$if] = $oic;
}
-
+
if($config['pptpd']['mode'] == "server" || $config['pptpd']['mode'] == "redir") {
$oic = array();
$oic['if'] = 'pptp';
@@ -652,7 +653,7 @@ function filter_generate_optcfg_array() {
$oic['mode'] = $config['l2tp']['mode'];
$oic['virtual'] = true;
$FilterIflist['l2tp'] = $oic;
- }
+ }
if($config['pppoe']['mode'] == "server") {
$oic = array();
$oic['if'] = 'pppoe';
@@ -710,7 +711,7 @@ function filter_flush_state_table() {
return mwexec("/sbin/pfctl -F state");
}
-function filter_generate_reflection($rule, $extport, &$starting_localhost_port, &$reflection_txt) {
+function filter_generate_reflection($rule, $nordr, $srcaddr, $dstport, &$starting_localhost_port, &$reflection_txt) {
global $FilterIflist, $config;
// Initialize natrules holder string
@@ -739,18 +740,19 @@ function filter_generate_reflection($rule, $extport, &$starting_localhost_port,
update_filter_reload_status("Creating reflection rule for {$rule['descr']}...");
- if($extport[1])
- $range_end = ($extport[1]);
+ if($dstport[1])
+ $range_end = ($dstport[1]);
else
- $range_end = ($extport[0]);
+ $range_end = ($dstport[0]);
$range_end++;
+
/* TODO: support multiple ip's in an alias. */
- if (is_alias($rule['external-address']))
- $extaddr = filter_expand_alias($rule['external-address']);
- else if(is_ipaddr($rule['external-address']))
- $extaddr = $rule['external-address'];
+ if (is_alias($rule['destination']['address']))
+ $dstaddr = filter_expand_alias($rule['destination']['address']);
+ else if(is_ipaddr($rule['destination']['address']))
+ $dstaddr = $rule['destination']['address'];
else if (is_ipaddr($FilterIflist[$rule['interface']]['ip']))
- $extaddr = $FilterIflist[$rule['interface']]['ip'];
+ $dstaddr = $FilterIflist[$rule['interface']]['ip'];
else
return "\n";
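Review bot: A rule carrying `nordr` still runs through the entire reflection path after this point, so the inetd listener entries appended to `$reflection_txt` in the two later hunks of this function (the `/usr/bin/nc` lines) are written, and `$starting_localhost_port` is advanced, for a rule that redirects nothing; only the rdr text itself is suppressed by the `$nordr == ""` ternary. Now that `$nordr` is a parameter, an early exit before the port computation keeps inetd from spawning listeners nobody can reach: `if ($nordr != "") return "\n";`. The beginning and end of filter_generate_reflection lie outside this hunk, so an earlier guard on the reflection option, if any, is not visible here. Also, a destination given through the `network` key (the form filter_generate_address handles) is never examined in this chain and falls through to the interface address, which is only right for the interface's own network.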
@@ -765,8 +767,8 @@ function filter_generate_reflection($rule, $extport, &$starting_localhost_port,
if($rule['local-port'])
$lrange_start = $rule['local-port'];
- if($range_end - $extport[0] > 500) {
- $range_end = $extport[0]+1;
+ if($range_end - $dstport[0] > 500) {
+ $range_end = $dstport[0]+1;
log_error("Not installing nat reflection rules for a port range > 500");
/* only install reflection rules for < 19991 items */
} else if($starting_localhost_port < 19991) {
@@ -783,21 +785,21 @@ function filter_generate_reflection($rule, $extport, &$starting_localhost_port,
}
$inetdport = $starting_localhost_port;
- if(($range_end - 1) > $extport[0]) {
+ if(($range_end - 1) > $dstport[0]) {
$rflctrange = "{$starting_localhost_port}";
- $delta = $range_end - $extport[0] - 1;
+ $delta = $range_end - $dstport[0] - 1;
if(($starting_localhost_port + $delta) > 19990) {
- log_error("Installing partial nat reflection rules. Maximum 1,000 reached.");
- $delta = 19990 - $starting_localhost_port;
- }
+ log_error("Installing partial nat reflection rules. Maximum 1,000 reached.");
+ $delta = 19990 - $starting_localhost_port;
+ }
$starting_localhost_port = $starting_localhost_port + $delta;
$rflctrange .= ":{$starting_localhost_port}";
- $rflctintrange = "{$extport[0]}:{$range_end}";
+ $rflctintrange = "{$dstport[0]}:{$range_end}";
if($rflctnorange)
$toadd_array = range($loc_pt, $loc_pt + $delta);
} else {
$rflctrange = $starting_localhost_port;
- $rflctintrange = $extport[0];
+ $rflctintrange = $dstport[0];
if($rflctnorange)
$toadd_array = array($loc_pt);
$starting_localhost_port++;
@@ -811,7 +813,8 @@ function filter_generate_reflection($rule, $extport, &$starting_localhost_port,
$reflection_txt[] = "{$inetdport}\tdgram\tudp\tnowait/0\tnobody\t/usr/bin/nc\tnc -u -w {$reflectiontimeout} {$target} {$tda}\n";
$inetdport++;
}
- $natrules .= "rdr on {$rdr_if_list} proto {$protocol} from any to {$extaddr} port {$rflctintrange} tag PFREFLECT -> 127.0.0.1 port {$rflctrange}\n";
+ $natrules .= "{$nordr}rdr on {$rdr_if_list} proto {$protocol} from {$srcaddr} to {$dstaddr} port {$rflctintrange} tag PFREFLECT" .
+ ($nordr == "" ? " -> 127.0.0.1 port {$rflctrange}" : "") . "\n";
break;
case "tcp":
case "udp":
@@ -827,7 +830,8 @@ function filter_generate_reflection($rule, $extport, &$starting_localhost_port,
$reflection_txt[] = "{$inetdport}\t{$socktype}\t{$protocol}\tnowait/0\tnobody\t/usr/bin/nc\tnc {$dash_u}-w {$reflectiontimeout} {$target} {$tda}\n";
$inetdport++;
}
- $natrules .= "rdr on {$rdr_if_list} proto {$protocol} from any to {$extaddr} port {$rflctintrange} tag PFREFLECT -> 127.0.0.1 port {$rflctrange}\n";
+ $natrules .= "{$nordr}rdr on {$rdr_if_list} proto {$protocol} from {$srcaddr} to {$dstaddr} port {$rflctintrange} tag PFREFLECT" .
+ ($nordr == "" ? " -> 127.0.0.1 port {$rflctrange}" : "") . "\n";
break;
}
}
@@ -852,7 +856,7 @@ function filter_nat_rules_generate_if($if, $src = "any", $srcport = "", $dst = "
else
$tgt = "($if)";
}
- /* Add the protocol, if defined */
+ /* Add the protocol, if defined */
if (!empty($proto) && $proto != "any")
$protocol = " proto {$proto}";
else
@@ -879,7 +883,7 @@ function filter_nat_rules_generate_if($if, $src = "any", $srcport = "", $dst = "
if(!$natport)
$staticnatport_txt = " port 1024:65535"; // set source port range
else
- $staticnatport_txt = "";
+ $staticnatport_txt = "";
/* Allow for negating NAT entries */
if($nonat) {
$nat = "no nat";
@@ -902,7 +906,7 @@ function filter_nat_rules_generate() {
global $config, $g, $after_filter_configure_run, $FilterIflist;
$natrules = "nat-anchor \"natearly/*\"\n";
-
+
$natrules .= "nat-anchor \"natrules/*\"\n\n";
update_filter_reload_status("Creating 1:1 rules...");
@@ -915,7 +919,7 @@ function filter_nat_rules_generate() {
$sn = $natent['subnet'];
if(!$natent['interface'])
$natif = "wan";
- else
+ else
$natif = $natent['interface'];
$natif = $FilterIflist[$natif]['if'];
if($natif)
@@ -936,7 +940,7 @@ function filter_nat_rules_generate() {
$dst = $obent['destination']['address'];
if(!$obent['interface'])
$natif = "wan";
- else
+ else
$natif = $obent['interface'];
if (!isset($FilterIflist[$natif]))
@@ -965,7 +969,7 @@ function filter_nat_rules_generate() {
foreach ($config['staticroutes']['route'] as $route) {
$netip = explode("/", $route['network']);
if(is_array($config['gateways']['gateway_item'])) {
- foreach($config['gateways']['gateway_item'] as $gateway) {
+ foreach($config['gateways']['gateway_item'] as $gateway) {
if($route['gateway'] == $gateway['name']) {
$gatewayip = $gateway['gateway'];
$interfacegw = $gateway['interface'];
@@ -1018,7 +1022,7 @@ function filter_nat_rules_generate() {
}
}
/* add openvpn interfaces */
- if(is_array($config['openvpn']['openvpn-server'])) {
+ if(is_array($config['openvpn']['openvpn-server'])) {
foreach ($config['openvpn']['openvpn-server'] as $ovpnsrv) {
if (!empty($ovpnsrv['tunnel_network'])) {
$numberofnathosts++;
@@ -1026,7 +1030,7 @@ function filter_nat_rules_generate() {
}
}
}
- if(is_array($config['openvpn']['openvpn-client'])) {
+ if(is_array($config['openvpn']['openvpn-client'])) {
foreach ($config['openvpn']['openvpn-client'] as $ovpnsrv) {
if (!empty($ovpnsrv['tunnel_network'])) {
$numberofnathosts++;
@@ -1038,7 +1042,7 @@ function filter_nat_rules_generate() {
if($numberofnathosts > 4) {
$natrules .= "table <tonatsubnets> { {$tonathosts} }\n";
$macroortable = "<tonatsubnets>";
- } else if($numberofnathosts > 0) {
+ } else if($numberofnathosts > 0) {
$natrules .= "tonatsubnets = \"{ {$tonathosts} }\"\n";
$macroortable = "\$tonatsubnets";
}
@@ -1056,7 +1060,7 @@ function filter_nat_rules_generate() {
"{$macroortable}", null, "", null, $target, null, isset($ifcfg['nonat']));
$natrules .= "\n";
}
- }
+ }
endif;
}
@@ -1081,7 +1085,7 @@ function filter_nat_rules_generate() {
$direct_networks_list = filter_get_direct_networks_list();
if($vpns_list)
$natrules .= "table <vpns> { $vpns_list }\n";
- if($direct_networks_list)
+ if($direct_networks_list)
$natrules .= "table <direct_networks> { $direct_networks_list }\n";
/* DIAG: add ipv6 NAT, if requested */
@@ -1107,101 +1111,91 @@ function filter_nat_rules_generate() {
$natrules .= "# NAT Inbound Redirects\n";
foreach ($config['nat']['rule'] as $rule) {
update_filter_reload_status("Creating NAT rule {$rule['descr']}");
+
+ if(isset($rule['disabled']))
+ continue;
+
+ if (strtolower($rule['protocol']) == "tcp/udp")
+ $protocol = "{ tcp udp }";
+ else
+ $protocol = strtolower($rule['protocol']);
+
/* if item is an alias, expand */
- $extport = "";
- $extport[0] = alias_expand($rule['external-port']);
- if(!$extport[0])
- $extport = explode("-", $rule['external-port']);
+ $srcport = "";
+ $srcport[0] = alias_expand($rule['source']['port']);
+ if(!$srcport[0])
+ $srcport = explode("-", $rule['source']['port']);
+
+ /* if item is an alias, expand */
+ $dstport = "";
+ $dstport[0] = alias_expand($rule['destination']['port']);
+ if(!$dstport[0])
+ $dstport = explode("-", $rule['destination']['port']);
+
/* if item is an alias, expand */
$localport = alias_expand($rule['local-port']);
- if(!$localport)
+ if(!$localport || $rule['destination']['port'] == $rule['local-port']) {
$localport = "";
- else
+ } else {
+ if(($dstport[1]) && ($dstport[0] != $dstport[1])) {
+ $localendport = $localport + ($dstport[1] - $dstport[0]);
+
+ $localport .= ":$localendport";
+ }
+
$localport = " port {$localport}";
+ }
+
$target = alias_expand($rule['target']);
if(!$target) {
$natrules .= "# Unresolvable alias {$rule['target']}\n";
continue; /* unresolvable alias */
}
+
if($rule['associated-rule-id'] == "pass")
- $rdrpass = "pass";
+ $rdrpass = "pass ";
else
- $rdrpass = "";
+ $rdrpass = "";
if(!$rule['interface'])
- $natif = "wan";
- else
- $natif = $rule['interface'];
+ $natif = "wan";
+ else
+ $natif = $rule['interface'];
if (!isset($FilterIflist[$natif]))
continue;
- $extaddr = alias_expand($rule['external-address']);
- if($rule['external-address'] == "any")
- $extaddr = "any";
- if(!$extaddr)
- $extaddr = $FilterIflist[$natif]['ip'];
+ $srcaddr = filter_generate_address($rule, 'source', true);
+ $dstaddr = filter_generate_address($rule, 'destination', true);
+
+ if(!$dstaddr)
+ $dstaddr = $FilterIflist[$natif]['ip'];
+
$natif = $FilterIflist[$natif]['if'];
- if($extaddr <> "") {
+ if (isset($rule['nordr']))
+ $nordr = "no ";
+ else
+ $nordr = "";
+
+ if($srcaddr <> "" && $dstaddr <> "") {
/* is rule a port range? */
- if((!$extport[1]) || ($extport[0] == $extport[1])) {
-
- switch ($rule['protocol']) {
- case "tcp/udp":
- if($natif) {
- if($rule['external-port'] <> $rule['local-port'])
- $natrules .= "{$nordr} rdr {$rdrpass} on $natif proto { tcp udp } from any to {$extaddr} port {$extport[0]} -> {$target}{$localport}";
- else
- $natrules .= "{$nordr} rdr {$rdrpass} on $natif proto { tcp udp } from any to {$extaddr} port {$extport[0]} -> {$target}";
- }
- break;
- case "udp":
- case "tcp":
- if($extport[0])
- if($natif) {
- if($rule['external-port'] <> $rule['local-port'])
- $natrules .= "rdr {$rdrpass} on $natif proto {$rule['protocol']} from any to {$extaddr} port {$extport[0]} -> {$target}{$localport}";
- else
- $natrules .= "rdr {$rdrpass} on $natif proto {$rule['protocol']} from any to {$extaddr} port {$extport[0]} -> {$target}";
- }
- else
- if($natif)
- $natrules .= "rdr {$rdrpass} on $natif proto {$rule['protocol']} from any to {$extaddr} -> {$target}{$localport}";
- break;
- default:
- $natrules .= "rdr {$rdrpass} on $natif proto {$rule['protocol']} from any to {$extaddr} -> {$target}";
- break;
- }
- } else {
- switch ($rule['protocol']) {
- case "tcp/udp":
- if($natif)
- $natrules .= "{$nordr} rdr {$rdrpass} on $natif proto { tcp udp } from any to {$extaddr} port {$extport[0]}:{$extport[1]} -> {$target}{$localport}:*";
- break;
- case "udp":
- case "tcp":
- if($natif)
- $natrules .= "{$nordr} rdr {$rdrpass} on $natif proto {$rule['protocol']} from any to {$extaddr} port {$extport[0]}:{$extport[1]} -> {$target}{$localport}:*";
- break;
- default:
- if($natif)
- $natrules .= "{$nordr} rdr {$rdrpass} on $natif proto {$rule['protocol']} from any to {$extaddr} -> {$target}";
- }
- }
+ if($natif)
+ $natrules .= "{$nordr}rdr {$rdrpass}on {$natif} proto {$protocol} from {$srcaddr} to {$dstaddr}" . ($nordr == "" ? " -> {$target}{$localport}" : "");
+
/* Does this rule redirect back to a internal host? */
- if($extaddr == "any" && !interface_has_gateway($rule['interface'])) {
+ if($dstaddr == "any" && !interface_has_gateway($rule['interface'])) {
$rule_interface_ip = find_interface_ip($natif);
$rule_interface_subnet = find_interface_subnet($natif);
$rule_subnet = gen_subnet($rule_interface_ip, $rule_interface_subnet);
$natrules .= "\n";
$natrules .= "no nat on {$natif} proto tcp from ({$natif}) to {$rule_subnet}/{$rule_interface_subnet}\n";
- $natrules .= "nat on {$natif} proto tcp from {$rule_subnet}/{$rule_interface_subnet} to {$target} port {$extport[0]} -> ({$natif})\n";
+ $natrules .= "nat on {$natif} proto tcp from {$rule_subnet}/{$rule_interface_subnet} to {$target} port {$dstport[0]} -> ({$natif})\n";
}
- $natrules .= filter_generate_reflection($rule, $extport, $starting_localhost_port, $reflection_rules);
+ $natrules .= filter_generate_reflection($rule, $nordr, $srcaddr, $dstport, $starting_localhost_port, $reflection_rules);
$natrules .= "\n";
foreach ($reflection_rules as $txtline)
- fwrite($inetd_fd, $txtline);
+ fwrite($inetd_fd, $txtline);
}
}
}
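Review bot: The `$dstaddr == "any"` test that guards the internal-host `no nat`/`nat` pair can no longer match once the rule has a tcp/udp destination port, because `$dstaddr` now comes from filter_generate_address(..., true), which appends ` port …` to the `any` it returns; the old code compared the bare `$extaddr`. Test the rule field instead: `if(isset($rule['destination']['any']) && !interface_has_gateway($rule['interface'])) {`. Separately, `$srcport` computed at the top of the loop is not used anywhere in the loop body — the source port is already folded into `$srcaddr` — so those four lines can go. `$localport + ($dstport[1] - $dstport[0])` also assumes alias_expand() handed back a plain number; if it can return an alias macro the arithmetic silently yields 0, which is worth confirming against alias_expand. The enclosing filter_nat_rules_generate starts before this hunk and continues after it.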
@@ -1219,12 +1213,12 @@ function filter_nat_rules_generate() {
else if($pptpdcfg['mode'] == "redir")
$pptpdtarget = $pptpdcfg['redir'];
if($pptpdcfg['mode'] == "redir" && is_array($FilterIflist['wan'])) {
- /*
+ /*
* NB: ermal -- the rdr rule below is commented out now that we have a solution
- * for PPTP passthrough. This unbreaks other GRE traffic passing
- * through pfSense.
+ * for PPTP passthrough. This unbreaks other GRE traffic passing
+ * through pfSense.
* After some more testing this will be removed compeletely.
- */
+ */
$natrules .= <<<EOD
# PPTP
@@ -1259,91 +1253,95 @@ function filter_generate_user_rule_arr($rule) {
return $ret;
}
-function filter_generate_address(& $rule, $target = "source") {
+function filter_generate_address(& $rule, $target = "source", $isnat = false) {
global $FilterIflist;
$src = "";
if(isset($rule[$target]['any'])) {
- $src = "any";
- } else if($rule[$target]['network']) {
- if(strstr($rule[$target]['network'], "opt")) {
- $optmatch = "";
+ $src = "any";
+ } else if($rule[$target]['network']) {
+ if(strstr($rule[$target]['network'], "opt")) {
+ $optmatch = "";
$matches = "";
if(preg_match("/opt([0-9]*)/", $rule[$target]['network'], $optmatch)) {
- $opt_ip = $FilterIflist["opt{$optmatch[1]}"]['ip'];
- if(!is_ipaddr($opt_ip))
- return "";
- $src = $opt_ip . "/" .
- $FilterIflist["opt{$optmatch[1]}"]['sn'];
- /* check for opt$NUMip here */
- } else if(preg_match("/opt([0-9]*)ip/", $rule[$target]['network'], $matches)) {
- $src = $FilterIflist["opt{$matches[1]}"]['ip'];
+ $opt_ip = $FilterIflist["opt{$optmatch[1]}"]['ip'];
+ if(!is_ipaddr($opt_ip))
+ return "";
+ $src = $opt_ip . "/" .
+ $FilterIflist["opt{$optmatch[1]}"]['sn'];
+ /* check for opt$NUMip here */
+ } else if(preg_match("/opt([0-9]*)ip/", $rule[$target]['network'], $matches)) {
+ $src = $FilterIflist["opt{$matches[1]}"]['ip'];
if(!is_ipaddr($src))
return "";
- }
+ }
if(isset($rule[$target]['not']))
$src = " !{$src}";
- } else {
- switch ($rule[$target]['network']) {
- case 'wan':
- $wansa = $FilterIflist['wan']['sa'];
- $wansn = $FilterIflist['wan']['sn'];
- $src = "{$wansa}/{$wansn}";
- break;
- case 'wanip':
- $src = $FilterIflist["wan"]['ip'];
- break;
- case 'lanip':
- $src = $FilterIflist["lan"]['ip'];
- break;
- case 'lan':
- $lansa = $FilterIflist['lan']['sa'];
- $lansn = $FilterIflist['lan']['sn'];
- $src = "{$lansa}/{$lansn}";
- break;
- case 'pptp':
- $pptpsa = gen_subnet($FilterIflist['pptp']['ip'], $FilterIflist['pptp']['sn']);
- $pptpsn = $FilterIflist['pptp']['sn'];
- $src = "{$pptpsa}/{$pptpsn}";
- break;
- case 'pppoe':
- $pppoesa = gen_subnet($FilterIflist['pppoe']['ip'], $FilterIflist['pppoe']['sn']);
- $pppoesn = $FilterIflist['pppoe']['sn'];
- $src = "{$pppoesa}/{$pppoesn}";
- break;
- }
- if(isset($rule[$target]['not'])) $src = "!{$src}";
- }
+ } else {
+ switch ($rule[$target]['network']) {
+ case 'wan':
+ $wansa = $FilterIflist['wan']['sa'];
+ $wansn = $FilterIflist['wan']['sn'];
+ $src = "{$wansa}/{$wansn}";
+ break;
+ case 'wanip':
+ $src = $FilterIflist["wan"]['ip'];
+ break;
+ case 'lanip':
+ $src = $FilterIflist["lan"]['ip'];
+ break;
+ case 'lan':
+ $lansa = $FilterIflist['lan']['sa'];
+ $lansn = $FilterIflist['lan']['sn'];
+ $src = "{$lansa}/{$lansn}";
+ break;
+ case 'pptp':
+ $pptpsa = gen_subnet($FilterIflist['pptp']['ip'], $FilterIflist['pptp']['sn']);
+ $pptpsn = $FilterIflist['pptp']['sn'];
+ $src = "{$pptpsa}/{$pptpsn}";
+ break;
+ case 'pppoe':
+ $pppoesa = gen_subnet($FilterIflist['pppoe']['ip'], $FilterIflist['pppoe']['sn']);
+ $pppoesn = $FilterIflist['pppoe']['sn'];
+ $src = "{$pppoesa}/{$pppoesn}";
+ break;
+ }
+ if(isset($rule[$target]['not'])) $src = "!{$src}";
+ }
} else if($rule[$target]['address']) {
- $expsrc = alias_expand($rule[$target]['address']);
- if(isset($rule[$target]['not']))
- $not = "!";
- else
- $not = "";
+ $expsrc = alias_expand($rule[$target]['address']);
+ if(isset($rule[$target]['not']))
+ $not = "!";
+ else
+ $not = "";
$src = " {$not} {$expsrc}";
- }
+ }
if(in_array($rule['protocol'], array("tcp","udp","tcp/udp"))) {
- if($rule[$target]['port']) {
- $srcport = explode("-", $rule[$target]['port']);
+ if($rule[$target]['port']) {
+ $srcport = explode("-", $rule[$target]['port']);
$srcporta = alias_expand($srcport[0]);
if(!$srcporta)
log_error("filter_generate_address: {$srcport[0]} is not a valid source port.");
- else if((!$srcport[1]) || ($srcport[0] == $srcport[1])) {
+ else if((!$srcport[1]) || ($srcport[0] == $srcport[1])) {
$src .= " port {$srcporta} ";
- } else if(($srcport[0] == 1) && ($srcport[1] == 65535)) {
- /* no need for a port statement here */
- } else if(is_port($srcporta) && $srcport[1] == 65535) {
- $src .= " port >= {$srcporta} ";
- } else if($srcport[0] == 1) {
- $src .= " port <= {$srcport[1]} ";
- } else {
- $srcport[0]--;
- $srcport[1]++;
- $src .= " port {$srcport[0]} >< {$srcport[1]} ";
- }
- }
- }
+ } else if(($srcport[0] == 1) && ($srcport[1] == 65535)) {
+ /* no need for a port statement here */
+ } else if ($isnat) {
+ $src .= " port {$srcport[0]}:{$srcport[1]}";
+ } else {
+ if(is_port($srcporta) && $srcport[1] == 65535) {
+ $src .= " port >= {$srcporta} ";
+ } else if($srcport[0] == 1) {
+ $src .= " port <= {$srcport[1]} ";
+ } else {
+ $srcport[0]--;
+ $srcport[1]++;
+ $src .= " port {$srcport[0]} >< {$srcport[1]} ";
+ }
+ }
+ }
+ }
return $src;
}
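Review bot: The new `$isnat` branch emits the raw `$srcport[0]` and `$srcport[1]` into the rule text while the single-port branch directly above uses the alias-expanded `$srcporta`, and neither end of the range is checked with is_port() before the string reaches rules.debug and pfctl. The non-NAT branch already guards with `is_port($srcporta)`; the NAT form should do the same and log the bad value the way the single-port case does, as below. The new parameter also deserves a line on the signature: `/* $isnat: emit port ranges as a:b (rdr/nat syntax) instead of the ><, >=, <= forms used for filter rules */`.
```php
} else if ($isnat) {
    /* rdr/nat take the plain a:b range form; accept only two real port numbers */
    if (is_port($srcporta) && is_port($srcport[1]))
        $src .= " port {$srcporta}:{$srcport[1]} ";
    else
        log_error("filter_generate_address: {$rule[$target]['port']} is not a valid port range.");
} else {
    // … unchanged: non-NAT range handling (>=, <=, ><) …
```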
@@ -1370,7 +1368,7 @@ function filter_generate_user_rule($rule) {
$interfaces = explode(",", $rule['interface']);
$ifliste = "";
foreach ($interfaces as $iface) {
- if(array_key_exists($iface, $FilterIflist))
+ if(array_key_exists($iface, $FilterIflist))
$ifliste .= " " . $FilterIflist[$iface]['if'] . " ";
}
if($ifliste <> "")
@@ -1388,7 +1386,7 @@ function filter_generate_user_rule($rule) {
$ifcfg = $FilterIflist[$rule['interface']];
if($pptpdcfg['mode'] != "server") {
if(($rule['source']['network'] == "pptp") ||
- ($rule['destination']['network'] == "pptp"))
+ ($rule['destination']['network'] == "pptp"))
return "# source network or destination network == pptp on " . $rule['descr'];
}
@@ -1409,7 +1407,7 @@ function filter_generate_user_rule($rule) {
}
if($type == "reject") {
$aline['type'] = "block return ";
- } else
+ } else
$aline['type'] = $type . " ";
if(isset($rule['floating']) && $rule['floating'] == "yes") {
if($rule['direction'] != "any")
@@ -1465,8 +1463,8 @@ function filter_generate_user_rule($rule) {
$routeto .= "} ";
} else {
$routeto .= "} round-robin ";
- if(isset($config['system']['lb_use_sticky']))
- $routeto .= " sticky-address ";
+ if(isset($config['system']['lb_use_sticky']))
+ $routeto .= " sticky-address ";
}
}
/* Add the load balanced gateways */
@@ -1506,7 +1504,7 @@ function filter_generate_user_rule($rule) {
$aline['prot'] = " proto tcp ";
}
update_filter_reload_status("Creating rule {$rule['descr']}");
-
+
/* source address */
$src = filter_generate_address($rule, "source");
if(empty($src) || ($src == "/")) {
@@ -1581,7 +1579,7 @@ function filter_generate_user_rule($rule) {
if($noadvoptions == false || $l7_present)
if( isset($rule['source-track']) and $rule['source-track'] <> "" or
- isset($rule['max']) and $rule['max'] <> "" or
+ isset($rule['max']) and $rule['max'] <> "" or
isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "" or
isset($rule['max-src-conn']) and $rule['max-src-conn'] <> "" or
isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> "" or
@@ -1602,14 +1600,16 @@ function filter_generate_user_rule($rule) {
$aline['flags'] .= "max-src-states " . $rule['max-src-states'] . " ";
if(isset($rule['statetimeout']) and $rule['statetimeout'] <> "")
$aline['flags'] .= "tcp.established " . $rule['statetimeout'] . " ";
- if(isset($rule['max-src-conn-rate']) and $rule['max-src-conn-rate'] <> ""
- and isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "") {
+ if(isset($rule['max-src-conn-rate'])
+ and $rule['max-src-conn-rate'] <> ""
+ and isset($rule['max-src-conn-rates'])
+ and $rule['max-src-conn-rates'] <> "") {
$aline['flags'] .= "max-src-conn-rate " . $rule['max-src-conn-rate'] . " ";
$aline['flags'] .= "/" . $rule['max-src-conn-rates'] . ", overload <virusprot> flush global ";
}
- if(!empty($aline['divert']))
+ if(!empty($aline['divert']))
$aline['flags'] .= "max-packets 5 ";
-
+
$aline['flags'] .= " ) ";
}
}
@@ -1638,22 +1638,22 @@ function filter_generate_user_rule($rule) {
}
/* is a time based rule schedule attached? */
- if(!empty($rule['sched']) && !empty($config['schedules'])) {
+ if(!empty($rule['sched']) && !empty($config['schedules'])) {
$aline['schedlabel'] = "";
- foreach ($config['schedules']['schedule'] as $sched) {
- if($sched['name'] == $rule['sched']) {
- if(!filter_get_time_based_rule_status($sched)) {
+ foreach ($config['schedules']['schedule'] as $sched) {
+ if($sched['name'] == $rule['sched']) {
+ if(!filter_get_time_based_rule_status($sched)) {
if(!isset($config['system']['schedule_states']))
- mwexec("/sbin/pfctl -y {$sched['schedlabel']}");
- return "# schedule finished - {$rule['descr']}";
- } else if($g['debug'])
- log_error("[TDR DEBUG] status true -- rule type '$type'");
+ mwexec("/sbin/pfctl -y {$sched['schedlabel']}");
+ return "# schedule finished - {$rule['descr']}";
+ } else if($g['debug'])
+ log_error("[TDR DEBUG] status true -- rule type '$type'");
$aline['schedlabel'] = " schedule \"{$sched['schedlabel']}\" ";
- break;
- }
- }
- }
+ break;
+ }
+ }
+ }
$line = "";
/* exception(s) to a user rules can go here. */
@@ -1674,14 +1674,14 @@ function filter_generate_user_rule($rule) {
$aline['reply'] . $aline['route'] . $aline['prot'] . $aline['src'] . $aline['os'] . $aline['dst'] .
$aline['divert'] . $aline['icmp-type'] . $aline['tag'] . $aline['tagged'] . $aline['dscp'] .
$aline['allowopts'] . $aline['flags'] . $aline['queue'] . $aline['dnpipe'] . $aline['schedlabel'];
-
+
return $line;
}
function filter_rules_generate() {
global $config, $g, $FilterIflist, $time_based_rules;
-
+
update_filter_reload_status("Creating default rules");
if(isset($config['system']['developerspew'])) {
$mt = microtime();
@@ -1698,25 +1698,25 @@ function filter_rules_generate() {
*/
if(isset($config['captiveportal']['enable'])) {
$cpinterfaces = explode(",", $config['captiveportal']['interface']);
- $cpiflist = array();
+ $cpiflist = array();
$cpiplist = array();
- foreach ($cpinterfaces as $cpifgrp) {
- if(!isset($FilterIflist[$cpifgrp]))
- continue;
- $tmpif = get_real_interface($cpifgrp);
- if(!empty($tmpif)) {
- $cpiflist[] = "{$tmpif}";
- $cpipm = get_interface_ip($cpifgrp);
- if(is_ipaddr($cpipm))
- $cpiplist[] = $cpipm;
- }
- }
- if (count($cpiplist) > 0 && count($cpiflist) > 0) {
- $cpinterface = implode(" ", $cpiflist);
- $cpaddresses = implode(" ", $cpiplist);
- $ipfrules .= "pass in quick on { {$cpinterface} } proto tcp from any to { {$cpaddresses} } port { 8000 8001 } keep state(sloppy)\n";
- $ipfrules .= "pass out quick on { {$cpinterface} } proto tcp from { {$cpaddresses} } port { 8000 8001 } to any keep state(sloppy)\n";
- }
+ foreach ($cpinterfaces as $cpifgrp) {
+ if(!isset($FilterIflist[$cpifgrp]))
+ continue;
+ $tmpif = get_real_interface($cpifgrp);
+ if(!empty($tmpif)) {
+ $cpiflist[] = "{$tmpif}";
+ $cpipm = get_interface_ip($cpifgrp);
+ if(is_ipaddr($cpipm))
+ $cpiplist[] = $cpipm;
+ }
+ }
+ if (count($cpiplist) > 0 && count($cpiflist) > 0) {
+ $cpinterface = implode(" ", $cpiflist);
+ $cpaddresses = implode(" ", $cpiplist);
+ $ipfrules .= "pass in quick on { {$cpinterface} } proto tcp from any to { {$cpaddresses} } port { 8000 8001 } keep state(sloppy)\n";
+ $ipfrules .= "pass out quick on { {$cpinterface} } proto tcp from { {$cpaddresses} } port { 8000 8001 } to any keep state(sloppy)\n";
+ }
}
/* relayd */
$ipfrules .= "anchor \"relayd/*\"\n";
@@ -1741,14 +1741,14 @@ block quick proto { tcp, udp } from any to any port = 0
EOD;
- if(!isset($config['system']['ipv6allow'])) {
- $ipfrules .= "# Block all IPv6\n";
- $ipfrules .= "block in quick inet6 all\n";
- $ipfrules .= "block out quick inet6 all\n";
- }
+ if(!isset($config['system']['ipv6allow'])) {
+ $ipfrules .= "# Block all IPv6\n";
+ $ipfrules .= "block in quick inet6 all\n";
+ $ipfrules .= "block out quick inet6 all\n";
+ }
+
+ $ipfrules .= <<<EOD
- $ipfrules .= <<<EOD
-
# snort2c
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"
@@ -1767,15 +1767,15 @@ EOD;
$ipfrules .= filter_process_carp_rules();
- $ipfrules .= "\n# SSH lockout\n";
- if(is_array($config['system']['ssh']) && !empty($config['system']['ssh']['port'])) {
- $ipfrules .= "block in log quick proto tcp from <sshlockout> to any port ";
- $ipfrules .= $config['system']['ssh']['port'];
- $ipfrules .= " label \"sshlockout\"\n";
- } else {
+ $ipfrules .= "\n# SSH lockout\n";
+ if(is_array($config['system']['ssh']) && !empty($config['system']['ssh']['port'])) {
+ $ipfrules .= "block in log quick proto tcp from <sshlockout> to any port ";
+ $ipfrules .= $config['system']['ssh']['port'];
+ $ipfrules .= " label \"sshlockout\"\n";
+ } else {
if($config['system']['ssh']['port'] <> "")
$sshport = $config['system']['ssh']['port'];
- else
+ else
$sshport = 22;
$ipfrules .= "block in log quick proto tcp from <sshlockout> to any port {$sshport} label \"sshlockout\"\n";
}
@@ -1818,7 +1818,7 @@ EOD;
if(isset($config['interfaces'][$on]['blockpriv'])) {
if($isbridged == false) {
$ipfrules .= <<<EOD
-# block anything from private networks on interfaces with the option set
+# block anything from private networks on interfaces with the option set
antispoof for \${$oc['descr']}
block in $log quick on \${$oc['descr']} from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in $log quick on \${$oc['descr']} from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
@@ -1870,7 +1870,7 @@ EOD;
break;
}
}
- /*
+ /*
* NB: The loopback rules are needed here since the antispoof would take precedence then.
* If you ever add the 'quick' keyword to the antispoof rules above move the looback
* rules before them.
@@ -1902,7 +1902,7 @@ EOD;
/* add ipsec interfaces */
- if(isset($config['ipsec']['enable']) || isset($config['ipsec']['mobileclients']['enable']))
+ if(isset($config['ipsec']['enable']) || isset($config['ipsec']['mobileclients']['enable']))
$ipfrules .= <<<EOD
pass out on \$IPsec all keep state label "IPsec internal host to host"
@@ -1910,7 +1910,7 @@ EOD;
/* pass traffic between statically routed subnets and the subnet on the
* interface in question to avoid problems with complicated routing
- * topologies
+ * topologies
*/
if(isset($config['filter']['bypassstaticroutes']) && is_array($config['staticroutes']['route']) && count($config['staticroutes']['route'])) {
$ipfrules .= "anchor \"staticrouted\" \n";
@@ -1939,7 +1939,7 @@ EOD;
if(!isset($config['system']['webgui']['noantilockout'])) {
if(count($config['interfaces']) > 1 && !empty($FilterIflist['lan']['if'])) {
/* if antilockout is enabled, LAN exists and has
- * an IP and subnet mask assigned
+ * an IP and subnet mask assigned
*/
$lanif = $FilterIflist["lan"]['if'];
$ipfrules .= <<<EOD
@@ -1958,7 +1958,7 @@ pass in quick on {$wanif} from any to ({$wanif}) keep state label "anti-lockout
EOD;
}
- }
+ }
/* PPTPd enabled? */
if($pptpdcfg['mode'] && ($pptpdcfg['mode'] != "off")) {
if($pptpdcfg['mode'] == "server")
@@ -1995,7 +1995,7 @@ EOD;
/* Pre-cache all our rules so we only have to generate them once */
$rule_arr1 = array();
$rule_arr2 = array();
- /*
+ /*
* NB: Floating rules need to be written before regular once.
*/
foreach ($config['filter']['rule'] as $rule) {
@@ -2006,7 +2006,7 @@ EOD;
} else {
$rule_arr2[] = filter_generate_user_rule_arr($rule);
}
- if($rule['sched'])
+ if($rule['sched'])
$time_based_rules = true;
}
}
@@ -2026,7 +2026,7 @@ EOD;
update_filter_reload_status("Creating IPsec rules...");
$ipfrules .= filter_generate_ipsec_rules();
- $ipfrules .= <<<EOD
+ $ipfrules .= <<<EOD
# package manager late specific hook
anchor "packagelate"
@@ -2038,7 +2038,7 @@ anchor "limitingesr"
anchor "miniupnpd"
EOD;
-
+
return $ipfrules;
}
@@ -2068,50 +2068,51 @@ function tdr_install_cron($should_install) {
* none
******/
function filter_tdr_install_cron($should_install) {
- global $config, $g;
+ global $config, $g;
- if($g['booting']==true)
- return;
+ if($g['booting']==true)
+ return;
- $is_installed = false;
+ $is_installed = false;
- if(!$config['cron']['item'])
- return;
+ if(!$config['cron']['item'])
+ return;
- $x=0;
- foreach($config['cron']['item'] as $item) {
- if(strstr($item['command'], "filter_configure_sync")) {
- $is_installed = true;
- break;
- }
- $x++;
- }
- switch($should_install) {
- case true:
- if(!$is_installed) {
- $cron_item = array();
- $cron_item['minute'] = "0,15,30,45";
- $cron_item['hour'] = "*";
- $cron_item['mday'] = "*";
- $cron_item['month'] = "*";
- $cron_item['wday'] = "*";
- $cron_item['who'] = "root";
- $cron_item['command'] = "/etc/rc.filter_configure_sync";
- $config['cron']['item'][] = $cron_item;
- write_config("Installed 15 minute filter reload for Time Based Rules");
- configure_cron();
- }
- break;
- case false:
- if($is_installed == true) {
- if($x > 0) {
- unset($config['cron']['item'][$x]);
- write_config();
- }
- configure_cron();
- }
- break;
- }
+ $x=0;
+ foreach($config['cron']['item'] as $item) {
+ if(strstr($item['command'], "filter_configure_sync")) {
+ $is_installed = true;
+ break;
+ }
+ $x++;
+ }
+
+ switch($should_install) {
+ case true:
+ if(!$is_installed) {
+ $cron_item = array();
+ $cron_item['minute'] = "0,15,30,45";
+ $cron_item['hour'] = "*";
+ $cron_item['mday'] = "*";
+ $cron_item['month'] = "*";
+ $cron_item['wday'] = "*";
+ $cron_item['who'] = "root";
+ $cron_item['command'] = "/etc/rc.filter_configure_sync";
+ $config['cron']['item'][] = $cron_item;
+ write_config("Installed 15 minute filter reload for Time Based Rules");
+ configure_cron();
+ }
+ break;
+ case false:
+ if($is_installed == true) {
+ if($x > 0) {
+ unset($config['cron']['item'][$x]);
+ write_config();
+ }
+ configure_cron();
+ }
+ break;
+ }
}
/****f* filter/filter_get_time_based_rule_status
@@ -2141,132 +2142,132 @@ function filter_tdr_install_cron($should_install) {
</schedules>
*/
function filter_get_time_based_rule_status($schedule) {
- $should_add_rule = false;
- /* no schedule? rule should be installed */
- if(empty($schedule))
- return true;
- /*
- * iterate through time blocks and determine
- * if the rule should be installed or not.
- */
- foreach($schedule['timerange'] as $timeday) {
- if($timeday['month'])
- $month = $timeday['month'];
- else
- $week = "";
- if($timeday['day'])
- $day = $timeday['day'];
- else
- $day = "";
- if($timeday['hour'])
- $hour = $timeday['hour'];
- else
- $hour = "";
- if($timeday['position'])
- $position = $timeday['position'];
- else
- $position = "";
- if($timeday['desc'])
- $desc = $timeday['desc'];
- else
- $desc = "";
- if($month) {
- $monthstatus = filter_tdr_month($month);
- } else {
- $monthstatus = true;
- }
- if($day) {
- $daystatus = filter_tdr_day($day);
- } else {
- $daystatus = true;
- }
- if($hour) {
- $hourstatus = filter_tdr_hour($hour);
- } else {
- $hourstatus = true;
- }
- if($position) {
- $positionstatus = filter_tdr_position($position);
- } else {
- $positionstatus = true;
- }
-
- if($monthstatus == true && $daystatus == true && $positionstatus == true && $hourstatus == true)
+ $should_add_rule = false;
+ /* no schedule? rule should be installed */
+ if(empty($schedule))
+ return true;
+ /*
+ * iterate through time blocks and determine
+ * if the rule should be installed or not.
+ */
+ foreach($schedule['timerange'] as $timeday) {
+ if($timeday['month'])
+ $month = $timeday['month'];
+ else
+ $week = "";
+ if($timeday['day'])
+ $day = $timeday['day'];
+ else
+ $day = "";
+ if($timeday['hour'])
+ $hour = $timeday['hour'];
+ else
+ $hour = "";
+ if($timeday['position'])
+ $position = $timeday['position'];
+ else
+ $position = "";
+ if($timeday['desc'])
+ $desc = $timeday['desc'];
+ else
+ $desc = "";
+ if($month) {
+ $monthstatus = filter_tdr_month($month);
+ } else {
+ $monthstatus = true;
+ }
+ if($day) {
+ $daystatus = filter_tdr_day($day);
+ } else {
+ $daystatus = true;
+ }
+ if($hour) {
+ $hourstatus = filter_tdr_hour($hour);
+ } else {
+ $hourstatus = true;
+ }
+ if($position) {
+ $positionstatus = filter_tdr_position($position);
+ } else {
+ $positionstatus = true;
+ }
+
+ if($monthstatus == true && $daystatus == true && $positionstatus == true && $hourstatus == true)
$should_add_rule = true;
- }
+ }
- return $should_add_rule;
+ return $should_add_rule;
}
function filter_tdr_day($schedule) {
global $g;
- /*
- * Calculate day of month.
- * IE: 29th of may
- */
- $weekday = date("w");
- if($weekday == 0)
- $weekday = 7;
- $date = date("d");
- $defined_days = split(",", $schedule);
+ /*
+ * Calculate day of month.
+ * IE: 29th of may
+ */
+ $weekday = date("w");
+ if($weekday == 0)
+ $weekday = 7;
+ $date = date("d");
+ $defined_days = split(",", $schedule);
if($g['debug'])
- log_error("[TDR DEBUG] filter_tdr_day($schedule)");
- foreach($defined_days as $dd) {
- if($date == $dd)
- return true;
- }
- return false;
+ log_error("[TDR DEBUG] filter_tdr_day($schedule)");
+ foreach($defined_days as $dd) {
+ if($date == $dd)
+ return true;
+ }
+ return false;
}
function filter_tdr_hour($schedule) {
global $g;
- /* $schedule should be a string such as 16:00-19:00 */
- $tmp = split("-", $schedule);
- $starting_time = strtotime($tmp[0]);
- $ending_time = strtotime($tmp[1]);
- $now = strtotime("now");
+ /* $schedule should be a string such as 16:00-19:00 */
+ $tmp = split("-", $schedule);
+ $starting_time = strtotime($tmp[0]);
+ $ending_time = strtotime($tmp[1]);
+ $now = strtotime("now");
if($g['debug'])
- log_error("[TDR DEBUG] S: $starting_time E: $ending_time N: $now");
- if($now >= $starting_time and $now <= $ending_time)
- return true;
- return false;
+ log_error("[TDR DEBUG] S: $starting_time E: $ending_time N: $now");
+ if($now >= $starting_time and $now <= $ending_time)
+ return true;
+ return false;
}
function filter_tdr_position($schedule) {
global $g;
- /*
- * Calculate possition, ie: day of week.
- * Sunday = 7, Monday = 1, Tuesday = 2
- * Weds = 3, Thursday = 4, Friday = 5,
- * Saturday = 6
- * ...
- */
- $weekday = date("w");
+ /*
+ * Calculate possition, ie: day of week.
+ * Sunday = 7, Monday = 1, Tuesday = 2
+ * Weds = 3, Thursday = 4, Friday = 5,
+ * Saturday = 6
+ * ...
+ */
+ $weekday = date("w");
if($g['debug'])
- log_error("[TDR DEBUG] filter_tdr_position($schedule) $weekday");
- if($weekday == 0)
- $weekday = 7;
- $schedule_days = split(",", $schedule);
- foreach($schedule_days as $day) {
- if($day == $weekday)
- return true;
- }
- return false;
+ log_error("[TDR DEBUG] filter_tdr_position($schedule) $weekday");
+ if($weekday == 0)
+ $weekday = 7;
+ $schedule_days = split(",", $schedule);
+ foreach($schedule_days as $day) {
+ if($day == $weekday)
+ return true;
+ }
+ return false;
}
function filter_tdr_month($schedule) {
global $g;
- /*
- * Calculate month
- */
- $todays_month = date("n");
- $months = split(",", $schedule);
+ /*
+ * Calculate month
+ */
+ $todays_month = date("n");
+ $months = split(",", $schedule);
if($g['debug'])
- log_error("[TDR DEBUG] filter_tdr_month($schedule)");
- foreach($months as $month) {
- if($month == $todays_month)
- return true;
- }
- return false;
+ log_error("[TDR DEBUG] filter_tdr_month($schedule)");
+ foreach($months as $month) {
+ if($month == $todays_month)
+ return true;
+ }
+ return false;
}
function filter_setup_logging_interfaces() {
@@ -2277,13 +2278,13 @@ function filter_setup_logging_interfaces() {
}
$rules = "";
foreach ($FilterIflist as $ifdescr => $ifcfg) {
- /*
+ /*
* XXX: This should be cleared out after a discussion
- * between pf(4) devs is cleared out. This breaks
+ * between pf(4) devs is cleared out. This breaks
* compatibility with OpenBSD.
- */
+ */
if(isset($ifcfg['virtual']))
- continue;
+ continue;
$rules .= "set loginterface {$ifcfg['if']}\n";
}
return $rules;
@@ -2297,7 +2298,7 @@ function filter_process_carp_nat_rules() {
echo "filter_process_carp_nat_rules() being called $mt\n";
}
$lines = "";
- if(isset($config['installedpackages']['carp']['config']) &&
+ if(isset($config['installedpackages']['carp']['config']) &&
is_array($config['installedpackages']['carp']['config'])) {
foreach($config['installedpackages']['carp']['config'] as $carp) {
$ip = $carp['ipaddress'];
@@ -2350,8 +2351,8 @@ function filter_generate_ipsec_rules() {
else
exec("/sbin/sysctl net.inet.ipcomp.ipcomp_enable=0");
- if(isset($config['ipsec']['enable']) &&
- is_array($config['ipsec']['phase1'])) {
+ if(isset($config['ipsec']['enable']) &&
+ is_array($config['ipsec']['phase1'])) {
/* step through all phase1 entries */
foreach ($config['ipsec']['phase1'] as $ph1ent) {
if(isset ($ph1ent['disabled']))
@@ -2403,7 +2404,7 @@ function filter_generate_ipsec_rules() {
if(!is_ipaddr($gateway) || empty($interface)) {
$route_to = " ";
$reply_to = " ";
- } else {
+ } else {
$route_to = " route-to ( $interface $gateway ) ";
$reply_to = " reply-to ( $interface $gateway ) ";
}
@@ -2446,11 +2447,11 @@ EOD;
function discover_pkg_rules($ruletype) {
global $config, $g;
- if(!is_dir("/usr/local/pkg"))
+ if(!is_dir("/usr/local/pkg"))
return "";
$files = split("\n", trim(`ls /usr/local/pkg/*.inc`));
foreach($files as $pkg_inc) {
- if($pkg_inc == "ls: No match.")
+ if($pkg_inc == "ls: No match.")
continue;
update_filter_reload_status("Checking for {$ruletype} PF hooks in package {$pkg_inc}");
require_once($pkg_inc);
@@ -2472,4 +2473,5 @@ function discover_pkg_rules($ruletype) {
return $rules;
}
+// vim: ts=4 sw=4 noexpandtab
?>
diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc
index 76548d0..86d50f9 100644
--- a/etc/inc/globals.inc
+++ b/etc/inc/globals.inc
@@ -88,7 +88,7 @@ $g = array(
"disablehelpmenu" => false,
"disablehelpicon" => false,
"debug" => false,
- "latest_config" => "6.1",
+ "latest_config" => "6.2",
"nopkg_platforms" => array("cdrom"),
"minimum_ram_warning" => "105",
"minimum_ram_warning_text" => "128 MB",
diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc
index c6b897c..df11107 100644
--- a/etc/inc/pfsense-utils.inc
+++ b/etc/inc/pfsense-utils.inc
@@ -289,9 +289,11 @@ function is_alias_inuse($alias) {
/* loop through nat rules looking for alias in use */
if(is_array($config['nat']['rule']))
foreach($config['nat']['rule'] as $rule) {
- if($rule['target'] == $alias)
+ if($rule['target'] && $rule['target'] == $alias)
return true;
- if($rule['external-address'] == $alias)
+ if($rule['source']['address'] && $rule['source']['address'] == $alias)
+ return true;
+ if($rule['destination']['address'] && $rule['destination']['address'] == $alias)
return true;
}
return false;
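Review bot: is_alias_inuse() still ignores the NAT rule's `source`/`destination` port fields and `local-port`, so a port alias referenced only by a port forward is reported as unused, while the deletion check in firewall_aliases.php (`@@ -113,22 +113,32 @@`) and the rename lists in diag_backup.php and firewall_aliases_edit.php all treat those three fields as alias references. The same two-line pattern already used for the addresses should be repeated for `$rule['source']['port']`, `$rule['destination']['port']` and `$rule['local-port']` so the three checks agree. While touching these, `===` would be safer than `==` here and in both firewall_aliases.php hunks, since loose comparison treats numeric-looking strings numerically. The function is_alias_inuse() starts outside the hunk.
```php
	foreach($config['nat']['rule'] as $rule) {
		// … unchanged: target / source address / destination address checks …
		if($rule['source']['port'] && $rule['source']['port'] == $alias)
			return true;
		if($rule['destination']['port'] && $rule['destination']['port'] == $alias)
			return true;
		if($rule['local-port'] && $rule['local-port'] == $alias)
			return true;
	}
```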
diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc
index da8594a..7640df4 100644
--- a/etc/inc/upgrade_config.inc
+++ b/etc/inc/upgrade_config.inc
@@ -1863,4 +1863,35 @@ function upgrade_060_to_061() {
$config['interfaces']['lan']['enable'] = true;
}
+function upgrade_061_to_062() {
+ global $config;
+
+ /* Convert NAT port forwarding rules */
+ if (is_array($config['nat']['rule'])) {
+ $a_nat = &$config['nat']['rule'];
+
+ foreach ($a_nat as &$natent) {
+ $natent['disabled'] = false;
+ $natent['nordr'] = false;
+
+ $natent['source'] = array(
+ "not" => false,
+ "any" => true,
+ "port" => ""
+ );
+
+ $natent['destination'] = array(
+ "not" => false,
+ "address" => $natent['external-address'],
+ "port" => $natent['external-port']
+ );
+
+ unset($natent['external-address']);
+ unset($natent['external-port']);
+ }
+
+ unset($natent);
+ }
+}
+
?>
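Review bot: `$natent['disabled'] = false;` and `$natent['nordr'] = false;` will make every migrated port forward look disabled and non-redirecting, because the consumers in this same diff test those keys with `isset()` (`isset($natent['disabled'])` in firewall_nat.php, `isset($a_nat[$id]['disabled'])` and `isset($a_nat[$id]['nordr'])` in firewall_nat_edit.php) and `isset()` is true for a key holding `false`. Drop the two assignments (or `unset()` the keys) so that absent means off, the convention `nosync` already follows; the `"not" => false` entries in the new `source`/`destination` arrays have the same problem if address_to_pconfig() reads `not` with `isset()`, which I cannot confirm from here. A second gap: a rule whose `external-address` was empty previously meant the interface address (the removed fallback in firewall_nat.php used `find_interface_ip(...)` for that case), but here it gets a destination with an empty `address`; the migration should map that case to the interface-address form the edit page's `$specialsrcdst` list recognises (`"{$kif}ip"`), under whatever key address_to_pconfig() expects for it. How write_config() round-trips a `false` value is outside the page, so the isset() problem may or may not survive a save/reboot, but it is present in the running config right after the upgrade.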
diff --git a/usr/local/www/diag_backup.php b/usr/local/www/diag_backup.php
index 64273fc..1ff119e 100755
--- a/usr/local/www/diag_backup.php
+++ b/usr/local/www/diag_backup.php
@@ -340,8 +340,11 @@ if ($_POST) {
update_alias_names_upon_change('filter', 'rule', 'source', 'address', $newname, $origname);
update_alias_names_upon_change('filter', 'rule', 'destination', 'address', $newname, $origname);
// NAT Rules
+ update_alias_names_upon_change('nat', 'rule', 'source', 'address', $newname, $origname);
+ update_alias_names_upon_change('nat', 'rule', 'source', 'port', $newname, $origname);
+ update_alias_names_upon_change('nat', 'rule', 'destination', 'address', $newname, $origname);
+ update_alias_names_upon_change('nat', 'rule', 'destination', 'port', $newname, $origname);
update_alias_names_upon_change('nat', 'rule', 'target', '', $newname, $origname);
- update_alias_names_upon_change('nat', 'rule', 'external-port', '', $newname, $origname);
update_alias_names_upon_change('nat', 'rule', 'local-port', '', $newname, $origname);
// Alias in an alias
update_alias_names_upon_change('aliases', 'alias', 'address', '', $newname, $origname);
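Review bot: The list of NAT rule fields whose alias references must be renamed is now duplicated verbatim between this block and the identical block in firewall_aliases_edit.php (`@@ -295,8 +295,11 @@`), and a third, already divergent, variant of the same field list lives in is_alias_inuse() in pfsense-utils.inc, which has no port checks. A single helper next to is_alias_inuse(), e.g. `update_alias_names_in_nat_rules($newname, $origname)` issuing these six calls, would keep the rename, the in-use check and the deletion check in firewall_aliases.php from drifting further. The enclosing `if ($_POST)` block starts and ends outside the hunk.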
diff --git a/usr/local/www/firewall_aliases.php b/usr/local/www/firewall_aliases.php
index d5a6a5f..bc210a1 100755
--- a/usr/local/www/firewall_aliases.php
+++ b/usr/local/www/firewall_aliases.php
@@ -87,22 +87,22 @@ if ($_GET['act'] == "del") {
if($is_alias_referenced == false) {
if(is_array($config['filter']['rule'])) {
foreach($config['filter']['rule'] as $rule) {
- if($rule['source']['address'] == $alias_name) {
+ if($rule['source']['address'] && $rule['source']['address'] == $alias_name) {
$is_alias_referenced = true;
$referenced_by = $rule['descr'];
break;
}
- if($rule['destination']['address'] == $alias_name) {
+ if($rule['source']['port'] && $rule['source']['port'] == $alias_name) {
$is_alias_referenced = true;
$referenced_by = $rule['descr'];
break;
}
- if($rule['source']['port'] == $alias_name) {
+ if($rule['destination']['address'] && $rule['destination']['address'] == $alias_name) {
$is_alias_referenced = true;
$referenced_by = $rule['descr'];
break;
}
- if($rule['destination']['port'] == $alias_name) {
+ if($rule['destination']['port'] && $rule['destination']['port'] == $alias_name) {
$is_alias_referenced = true;
$referenced_by = $rule['descr'];
break;
@@ -113,22 +113,32 @@ if ($_GET['act'] == "del") {
if($is_alias_referenced == false) {
if(is_array($config['nat']['rule'])) {
foreach($config['nat']['rule'] as $rule) {
- if($rule['target'] == $alias_name) {
+ if($rule['source']['address'] && $rule['source']['address'] == $alias_name) {
$is_alias_referenced = true;
$referenced_by = $rule['descr'];
break;
}
- if($rule['external-address'] == $alias_name) {
+ if($rule['source']['port'] && $rule['source']['port'] == $alias_name) {
$is_alias_referenced = true;
$referenced_by = $rule['descr'];
break;
}
- if($rule['external-port'] == $alias_name) {
+ if($rule['destination']['address'] && $rule['destination']['address'] == $alias_name) {
$is_alias_referenced = true;
$referenced_by = $rule['descr'];
break;
}
- if($rule['local-port'] == $alias_name) {
+ if($rule['destination']['port'] && $rule['destination']['port'] == $alias_name) {
+ $is_alias_referenced = true;
+ $referenced_by = $rule['descr'];
+ break;
+ }
+ if($rule['target'] && $rule['target'] == $alias_name) {
+ $is_alias_referenced = true;
+ $referenced_by = $rule['descr'];
+ break;
+ }
+ if($rule['local-port'] && $rule['local-port'] == $alias_name) {
$is_alias_referenced = true;
$referenced_by = $rule['descr'];
break;
diff --git a/usr/local/www/firewall_aliases_edit.php b/usr/local/www/firewall_aliases_edit.php
index 9c8025d..dca3d12 100755
--- a/usr/local/www/firewall_aliases_edit.php
+++ b/usr/local/www/firewall_aliases_edit.php
@@ -295,8 +295,11 @@ if ($_POST) {
update_alias_names_upon_change('filter', 'rule', 'source', 'address', $_POST['name'], $origname);
update_alias_names_upon_change('filter', 'rule', 'destination', 'address', $_POST['name'], $origname);
// NAT Rules
+ update_alias_names_upon_change('nat', 'rule', 'source', 'address', $_POST['name'], $origname);
+ update_alias_names_upon_change('nat', 'rule', 'source', 'port', $_POST['name'], $origname);
+ update_alias_names_upon_change('nat', 'rule', 'destination', 'address', $_POST['name'], $origname);
+ update_alias_names_upon_change('nat', 'rule', 'destination', 'port', $_POST['name'], $origname);
update_alias_names_upon_change('nat', 'rule', 'target', '', $_POST['name'], $origname);
- update_alias_names_upon_change('nat', 'rule', 'external-port', '', $_POST['name'], $origname);
update_alias_names_upon_change('nat', 'rule', 'local-port', '' , $_POST['name'], $origname);
// Alias in an alias
update_alias_names_upon_change('aliases', 'alias', 'address', '' , $_POST['name'], $origname);
diff --git a/usr/local/www/firewall_nat.php b/usr/local/www/firewall_nat.php
index 696248f..0c9229b 100755
--- a/usr/local/www/firewall_nat.php
+++ b/usr/local/www/firewall_nat.php
@@ -185,10 +185,13 @@ echo "<script type=\"text/javascript\" language=\"javascript\" src=\"/javascript
<td width="3%" class="list">&nbsp;</td>
<td width="5%" class="listhdrr">If</td>
<td width="5%" class="listhdrr">Proto</td>
- <td width="20%" class="listhdrr">Ext. port range</td>
- <td width="20%" class="listhdrr">NAT IP</td>
- <td width="20%" class="listhdrr">Int. port range</td>
- <td width="20%" class="listhdr">Description</td>
+ <td width="11%" class="listhdrr">Src. addr</td>
+ <td width="11%" class="listhdrr">Src. ports</td>
+ <td width="11%" class="listhdrr">Dest. addr</td>
+ <td width="11%" class="listhdrr">Dest. ports</td>
+ <td width="11%" class="listhdrr">NAT IP</td>
+ <td width="11%" class="listhdrr">NAT Ports</td>
+ <td width="11%" class="listhdr">Description</td>
<td width="5%" class="list">
<table border="0" cellspacing="0" cellpadding="1">
<tr>
@@ -202,26 +205,26 @@ echo "<script type=\"text/javascript\" language=\"javascript\" src=\"/javascript
<?php
//build Alias popup box
- $span_begin = "";
- $span_end = "";
- $alias_src_port_span_begin = "";
- $alias_dst_span_begin = "";
- $alias_dst_port_span_begin = "";
-
- list($beginport, $endport) = split("-", $natent['external-port']);
-
- $alias_popup = rule_popup("",$beginport,$natent['target'],$natent['local-port']);
$span_end = "</U></span>";
-
-
+
+ $alias_popup = rule_popup($natent['source']['address'], pprint_port($natent['source']['port']), $natent['destination']['address'], pprint_port($natent['destination']['port']));
+
+ $alias_src_span_begin = $alias_popup["src"];
$alias_src_port_span_begin = $alias_popup["srcport"];
-
- $alias_dst_span_begin = $alias_popup["dst"];
-
+ $alias_dst_span_begin = $alias_popup["dst"];
$alias_dst_port_span_begin = $alias_popup["dstport"];
-
-
+ $alias_popup = rule_popup("","",$natent['target'], pprint_port($natent['local-port']));
+
+ $alias_target_span_begin = $alias_popup["dst"];
+ $alias_local_port_span_begin = $alias_popup["dstport"];
+
+ if (isset($natent['disabled']))
+ $textss = "<span class=\"gray\">";
+ else
+ $textss = "<span>";
+
+ $textse = "</span>";
/* if user does not have access to edit an interface skip on to the next record */
if(!have_natpfruleint_access($natent['interface']))
@@ -230,14 +233,14 @@ echo "<script type=\"text/javascript\" language=\"javascript\" src=\"/javascript
<tr valign="top" id="fr<?=$nnats;?>">
<td class="listt"><input type="checkbox" id="frc<?=$nnats;?>" name="rule[]" value="<?=$i;?>" onClick="fr_bgcolor('<?=$nnats;?>')" style="margin: 0; padding: 0; width: 15px; height: 15px;"></td>
<td class="listt" align="center">
- <?php if(!empty($natent['associated-rule-id'])): ?>
- <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_chain.png" width="17" height="17" title="Firewall rule ID <?=htmlspecialchars($nnatid); ?> is managed with this rule" border="0">
- <?php endif; ?>
<?php if($natent['associated-rule-id'] == "pass"): ?>
<img src="./themes/<?= $g['theme']; ?>/images/icons/icon_pass.gif" title="All traffic matching this NAT entry is passed" border="0">
+ <?php elseif (!empty($natent['associated-rule-id'])): ?>
+ <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_chain.png" width="17" height="17" title="Firewall rule ID <?=htmlspecialchars($nnatid); ?> is managed with this rule" border="0">
<?php endif; ?>
</td>
<td class="listlr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='firewall_nat_edit.php?id=<?=$nnats;?>';">
+ <?=$textss;?>
<?php
if (!$natent['interface'] || ($natent['interface'] == "wan"))
echo "WAN";
@@ -246,49 +249,46 @@ echo "<script type=\"text/javascript\" language=\"javascript\" src=\"/javascript
else
echo strtoupper($config['interfaces'][$natent['interface']]['descr']);
?>
+ <?=$textse;?>
</td>
+
<td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='firewall_nat_edit.php?id=<?=$nnats;?>';">
- <?=strtoupper($natent['protocol']);?>
+ <?=$textss;?><?=strtoupper($natent['protocol']);?><?=$textse;?>
</td>
+
<td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='firewall_nat_edit.php?id=<?=$nnats;?>';">
- <?php
- list($beginport, $endport) = split("-", $natent['external-port']);
- if ((!$endport) || ($beginport == $endport)) {
- echo $alias_src_port_span_begin;
- echo $beginport;
- if ($wkports[$beginport])
- echo " (" . $wkports[$beginport] . ")";
- else
- echo "&nbsp;";
- echo $span_end;
- } else
- echo $beginport . " - " . $endport;
- ?>
+ <?=$textss;?><?php echo $alias_src_span_begin;?><?php echo htmlspecialchars(pprint_address($natent['source']));?><?php echo $alias_src_span_end;?><?=$textse;?>
</td>
<td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='firewall_nat_edit.php?id=<?=$nnats;?>';">
- <?php echo $alias_dst_span_begin;?><?=$natent['target'];?><?php echo $span_end;?>
- <?php if ($natent['external-address'])
- echo "<br>(ext.: " . $natent['external-address'] . ")";
- else
- echo "<br>(ext.: " . find_interface_ip(convert_friendly_interface_to_real_interface_name($natent['interface'])) . ")";
- ?>
+ <?=$textss;?><?php echo $alias_src_port_span_begin;?><?php echo htmlspecialchars(pprint_port($natent['source']['port']));?><?php echo $alias_src_port_span_end;?><?=$textse;?>
</td>
+
+ <td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='firewall_nat_edit.php?id=<?=$nnats;?>';">
+ <?=$textss;?><?php echo $alias_dst_span_begin;?><?php echo htmlspecialchars(pprint_address($natent['destination']));?><?php echo $alias_dst_span_end;?><?=$textse;?>
+ </td>
+ <td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='firewall_nat_edit.php?id=<?=$nnats;?>';">
+ <?=$textss;?><?php echo $alias_dst_port_span_begin;?><?php echo htmlspecialchars(pprint_port($natent['destination']['port']));?><?php echo $alias_dst_port_span_end;?><?=$textse;?>
+ </td>
+
<td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='firewall_nat_edit.php?id=<?=$nnats;?>';">
- <?php if ((!$endport) || ($beginport == $endport)) {
- echo $alias_dst_port_span_begin;
- echo $natent['local-port'];
- if ($wkports[$natent['local-port']])
- echo " (" . $wkports[$natent['local-port']] . ")";
- else
- echo "&nbsp;";
- echo $span_end;
- } else
- echo $natent['local-port'] . " - " .
- ($natent['local-port']+$endport-$beginport);
- ?>
+ <?=$textss;?><?php echo $alias_target_span_begin;?><?php echo htmlspecialchars($natent['target']);?><?php echo $alias_target_span_end;?><?=$textse;?>
</td>
+ <td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='firewall_nat_edit.php?id=<?=$nnats;?>';">
+ <?php
+ $localport = $natent['local-port'];
+
+ list($dstbeginport, $dstendport) = split("-", $natent['destination']['port']);
+
+ if ($dstendport) {
+ $localendport = $natent['local-port'] + $dstendport - $dstbeginport;
+ $localport .= '-' . $localendport;
+ }
+ ?>
+ <?=$textss;?><?php echo $alias_local_port_span_begin;?><?php echo htmlspecialchars(pprint_port($localport));?><?php echo $alias_local_port_span_end;?><?=$textse;?>
+ </td>
+
<td class="listbg" onClick="fr_toggle(<?=$nnats;?>)" ondblclick="document.location='firewall_nat_edit.php?id=<?=$nnats;?>';">
- <?=htmlspecialchars($natent['descr']);?>&nbsp;
+ <?=$textss;?><?=htmlspecialchars($natent['descr']);?>&nbsp;<?=$textse;?>
</td>
<td valign="middle" class="list" nowrap>
<table border="0" cellspacing="0" cellpadding="1">
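Review bot: The six alias cells in this hunk close their popup span with `$alias_src_span_end`, `$alias_src_port_span_end`, `$alias_dst_span_end`, `$alias_dst_port_span_end`, `$alias_target_span_end` and `$alias_local_port_span_end`, but none of those variables is assigned anywhere in the diff — the earlier hunk (`@@ -202,26 +205,26 @@`) only keeps `$span_end = "</U></span>";`, which is now unused. Unless they are set outside the hunks, every cell that shows an alias emits the opening `<span>`/`<U>` from rule_popup() without its closing tags, plus an undefined-variable notice per cell. The smallest fix is to echo `$span_end` in all six places, e.g. `<?php echo $alias_src_span_begin;?><?php echo htmlspecialchars(pprint_address($natent['source']));?><?php echo $span_end;?>`. The surrounding foreach over `$a_nat` starts and ends outside this hunk.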
@@ -304,6 +304,9 @@ echo "<script type=\"text/javascript\" language=\"javascript\" src=\"/javascript
<?php $i++; $nnats++; endforeach; ?>
<tr>
<td class="list" colspan="8"></td>
+ <td>&nbsp;</td>
+ <td>&nbsp;</td>
+ <td>&nbsp;</td>
<td class="list" valign="middle" nowrap>
<table border="0" cellspacing="0" cellpadding="1">
<tr>
diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php
index 8b36fb8..c7d5a92 100755
--- a/usr/local/www/firewall_nat_edit.php
+++ b/usr/local/www/firewall_nat_edit.php
@@ -44,6 +44,13 @@ require_once("itemid.inc");
require("filter.inc");
require("shaper.inc");
+$specialsrcdst = explode(" ", "any pptp pppoe l2tp openvpn");
+$ifdisp = get_configured_interface_with_descr();
+foreach ($ifdisp as $kif => $kdescr) {
+ $specialsrcdst[] = "{$kif}";
+ $specialsrcdst[] = "{$kif}ip";
+}
+
if (!is_array($config['nat']['rule'])) {
$config['nat']['rule'] = array();
}
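Review bot: `explode(" ", "any pptp pppoe l2tp openvpn")` builds a fixed list by splitting a string at runtime; a literal `$specialsrcdst = array("any", "pptp", "pppoe", "l2tp", "openvpn");` states the same thing directly and is what a reader expects for a constant list. The `"{$kif}"` interpolation on the following line is likewise just `$kif`. Where `$specialsrcdst` is consumed is outside this hunk, so I cannot tell from here whether both the bare interface name and the `ip` suffix are needed.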
@@ -59,96 +66,200 @@ if (isset($_GET['dup'])) {
}
if (isset($id) && $a_nat[$id]) {
- $pconfig['extaddr'] = $a_nat[$id]['external-address'];
+ $pconfig['disabled'] = isset($a_nat[$id]['disabled']);
+ $pconfig['nordr'] = isset($a_nat[$id]['nordr']);
+
+ address_to_pconfig($a_nat[$id]['source'], $pconfig['src'],
+ $pconfig['srcmask'], $pconfig['srcnot'],
+ $pconfig['srcbeginport'], $pconfig['srcendport']);
+
+ address_to_pconfig($a_nat[$id]['destination'], $pconfig['dst'],
+ $pconfig['dstmask'], $pconfig['dstnot'],
+ $pconfig['dstbeginport'], $pconfig['dstendport']);
+
$pconfig['proto'] = $a_nat[$id]['protocol'];
- list($pconfig['beginport'],$pconfig['endport']) = explode("-", $a_nat[$id]['external-port']);
- if(!$pconfig['endport'])
- $pconfig['endport'] = $pconfig['beginport'];
$pconfig['localip'] = $a_nat[$id]['target'];
$pconfig['localbeginport'] = $a_nat[$id]['local-port'];
$pconfig['descr'] = $a_nat[$id]['descr'];
$pconfig['interface'] = $a_nat[$id]['interface'];
$pconfig['associated-rule-id'] = $a_nat[$id]['associated-rule-id'];
$pconfig['nosync'] = isset($a_nat[$id]['nosync']);
+
if (!$pconfig['interface'])
$pconfig['interface'] = "wan";
} else {
$pconfig['interface'] = "wan";
+ $pconfig['src'] = "any";
+ $pconfig['srcbeginport'] = "any";
+ $pconfig['srcendport'] = "any";
}
if (isset($_GET['dup']))
unset($id);
/* run through $_POST items encoding HTML entties so that the user
- * cannot think he is slick and perform a XSS attack on the unwilling
+ * cannot think he is slick and perform a XSS attack on the unwilling
*/
foreach ($_POST as $key => $value) {
$temp = $value;
$newpost = htmlentities($temp);
- if($newpost <> $temp)
- $input_errors[] = "Invalid characters detected ($temp). Please remove invalid characters and save again.";
+ if($newpost <> $temp)
+ $input_errors[] = "Invalid characters detected ($temp). Please remove invalid characters and save again.";
}
if ($_POST) {
- if ($_POST['beginport_cust'] && !$_POST['beginport'])
- $_POST['beginport'] = $_POST['beginport_cust'];
- if ($_POST['endport_cust'] && !$_POST['endport'])
- $_POST['endport'] = $_POST['endport_cust'];
- if ($_POST['localbeginport_cust'] && !$_POST['localbeginport'])
- $_POST['localbeginport'] = $_POST['localbeginport_cust'];
+ if(strtoupper($_POST['proto']) == "TCP" || strtoupper($_POST['proto']) == "UDP" || strtoupper($_POST['proto']) == "TCP/UDP") {
+ if ($_POST['srcbeginport_cust'] && !$_POST['srcbeginport'])
+ $_POST['srcbeginport'] = $_POST['srcbeginport_cust'];
+ if ($_POST['srcendport_cust'] && !$_POST['srcendport'])
+ $_POST['srcendport'] = $_POST['srcendport_cust'];
+
+ if ($_POST['srcbeginport'] == "any") {
+ $_POST['srcbeginport'] = 0;
+ $_POST['srcendport'] = 0;
+ } else {
+ if (!$_POST['srcendport'])
+ $_POST['srcendport'] = $_POST['srcbeginport'];
+ }
+ if ($_POST['srcendport'] == "any")
+ $_POST['srcendport'] = $_POST['srcbeginport'];
+
+ if ($_POST['dstbeginport_cust'] && !$_POST['dstbeginport'])
+ $_POST['dstbeginport'] = $_POST['dstbeginport_cust'];
+ if ($_POST['dstendport_cust'] && !$_POST['dstendport'])
+ $_POST['dstendport'] = $_POST['dstendport_cust'];
+
+ if ($_POST['dstbeginport'] == "any") {
+ $_POST['dstbeginport'] = 0;
+ $_POST['dstendport'] = 0;
+ } else {
+ if (!$_POST['dstendport'])
+ $_POST['dstendport'] = $_POST['dstbeginport'];
+ }
+ if ($_POST['dstendport'] == "any")
+ $_POST['dstendport'] = $_POST['dstbeginport'];
+
+ if ($_POST['localbeginport_cust'] && !$_POST['localbeginport'])
+ $_POST['localbeginport'] = $_POST['localbeginport_cust'];
- if (!$_POST['endport'])
- $_POST['endport'] = $_POST['beginport'];
- /* Make beginning port end port if not defined and endport is */
- if (!$_POST['beginport'] && $_POST['endport'])
- $_POST['beginport'] = $_POST['endport'];
+ /* Make beginning port end port if not defined and endport is */
+ if (!$_POST['srcbeginport'] && $_POST['srcendport'])
+ $_POST['srcbeginport'] = $_POST['srcendport'];
+ if (!$_POST['dstbeginport'] && $_POST['dstendport'])
+ $_POST['dstbeginport'] = $_POST['dstendport'];
+ } else {
+ $_POST['srcbeginport'] = 0;
+ $_POST['srcendport'] = 0;
+ $_POST['dstbeginport'] = 0;
+ $_POST['dstendport'] = 0;
+ }
+
+ if (is_specialnet($_POST['srctype'])) {
+ $_POST['src'] = $_POST['srctype'];
+ $_POST['srcmask'] = 0;
+ } else if ($_POST['srctype'] == "single") {
+ $_POST['srcmask'] = 32;
+ }
+ if (is_specialnet($_POST['dsttype'])) {
+ $_POST['dst'] = $_POST['dsttype'];
+ $_POST['dstmask'] = 0;
+ } else if ($_POST['dsttype'] == "single") {
+ $_POST['dstmask'] = 32;
+ } else if (is_ipaddr($_POST['dsttype'])) {
+ $_POST['dst'] = $_POST['dsttype'];
+ $_POST['dstmask'] = 32;
+ $_POST['dsttype'] = "single";
+ }
unset($input_errors);
$pconfig = $_POST;
/* input validation */
if(strtoupper($_POST['proto']) == "TCP" or strtoupper($_POST['proto']) == "UDP" or strtoupper($_POST['proto']) == "TCP/UDP") {
- $reqdfields = explode(" ", "interface proto beginport endport localip localbeginport");
- $reqdfieldsn = explode(",", "Interface,Protocol,External port from,External port to,NAT IP,Local port");
+ $reqdfields = explode(" ", "interface proto dstbeginport dstendport localip");
+ $reqdfieldsn = explode(",", "Interface,Protocol,Destination port from,Destination port to,NAT IP");
} else {
$reqdfields = explode(" ", "interface proto localip");
$reqdfieldsn = explode(",", "Interface,Protocol,NAT IP");
}
+ if ($_POST['srctype'] == "single" || $_POST['srctype'] == "network") {
+ $reqdfields[] = "src";
+ $reqdfieldsn[] = "Source address";
+ }
+ if ($_POST['dsttype'] == "single" || $_POST['dsttype'] == "network") {
+ $reqdfields[] = "dst";
+ $reqdfieldsn[] = "Destination address";
+ }
+
do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
+ if (!$_POST['srcbeginport']) {
+ $_POST['srcbeginport'] = 0;
+ $_POST['srcendport'] = 0;
+ }
+ if (!$_POST['dstbeginport']) {
+ $_POST['dstbeginport'] = 0;
+ $_POST['dstendport'] = 0;
+ }
+
if (($_POST['localip'] && !is_ipaddroralias($_POST['localip']))) {
$input_errors[] = "\"{$_POST['localip']}\" is not valid NAT IP address or host alias.";
}
- /* only validate the ports if the protocol is TCP, UDP or TCP/UDP */
- if(strtoupper($_POST['proto']) == "TCP" or strtoupper($_POST['proto']) == "UDP" or strtoupper($_POST['proto']) == "TCP/UDP") {
+ if ($_POST['srcbeginport'] && !is_portoralias($_POST['srcbeginport']))
+ $input_errors[] = "{$_POST['srcbeginport']} is not a valid start source port. It must be a port alias or integer between 1 and 65535.";
+ if ($_POST['srcendport'] && !is_portoralias($_POST['srcendport']))
+ $input_errors[] = "{$_POST['srcendport']} is not a valid end source port. It must be a port alias or integer between 1 and 65535.";
+ if ($_POST['dstbeginport'] && !is_portoralias($_POST['dstbeginport']))
+ $input_errors[] = "{$_POST['dstbeginport']} is not a valid start destination port. It must be a port alias or integer between 1 and 65535.";
+ if ($_POST['dstendport'] && !is_portoralias($_POST['dstendport']))
+ $input_errors[] = "{$_POST['dstendport']} is not a valid end destination port. It must be a port alias or integer between 1 and 65535.";
+
+ if ($_POST['localbeginport'] && !is_portoralias($_POST['localbeginport'])) {
+ $input_errors[] = "{$_POST['localbeginport']} is not a valid local port. It must be a port alias or integer between 1 and 65535.";
+ }
- if ($_POST['beginport'] && !is_portoralias($_POST['beginport'])) {
- $input_errors[] = "The start port must be an integer between 1 and 65535.";
- }
+ /* if user enters an alias and selects "network" then disallow. */
+ if( ($_POST['srctype'] == "network" && is_alias($_POST['src']) )
+ || ($_POST['dsttype'] == "network" && is_alias($_POST['dst']) ) ) {
+ $input_errors[] = "You must specify single host or alias for alias entries.";
+ }
- if ($_POST['endport'] && !is_portoralias($_POST['endport'])) {
- $input_errors[] = "The end port must be an integer between 1 and 65535.";
+ if (!is_specialnet($_POST['srctype'])) {
+ if (($_POST['src'] && !is_ipaddroralias($_POST['src']))) {
+ $input_errors[] = "{$_POST['src']} is not a valid source IP address or alias.";
}
-
- if ($_POST['localbeginport'] && !is_portoralias($_POST['localbeginport'])) {
- $input_errors[] = "The local port must be an integer between 1 and 65535.";
+ if (($_POST['srcmask'] && !is_numericint($_POST['srcmask']))) {
+ $input_errors[] = "A valid source bit count must be specified.";
}
-
- if ($_POST['beginport'] > $_POST['endport']) {
- /* swap */
- $tmp = $_POST['endport'];
- $_POST['endport'] = $_POST['beginport'];
- $_POST['beginport'] = $tmp;
+ }
+ if (!is_specialnet($_POST['dsttype'])) {
+ if (($_POST['dst'] && !is_ipaddroralias($_POST['dst']))) {
+ $input_errors[] = "{$_POST['dst']} is not a valid destination IP address or alias.";
}
-
- if (!$input_errors) {
- if (($_POST['endport'] - $_POST['beginport'] + $_POST['localbeginport']) > 65535)
- $input_errors[] = "The target port range must be an integer between 1 and 65535.";
+ if (($_POST['dstmask'] && !is_numericint($_POST['dstmask']))) {
+ $input_errors[] = "A valid destination bit count must be specified.";
}
+ }
+
+ if ($_POST['srcbeginport'] > $_POST['srcendport']) {
+ /* swap */
+ $tmp = $_POST['srcendport'];
+ $_POST['srcendport'] = $_POST['srcbeginport'];
+ $_POST['srcbeginport'] = $tmp;
+ }
+ if ($_POST['dstbeginport'] > $_POST['dstendport']) {
+ /* swap */
+ $tmp = $_POST['dstendport'];
+ $_POST['dstendport'] = $_POST['dstbeginport'];
+ $_POST['dstbeginport'] = $tmp;
+ }
+ if (!$input_errors) {
+ if (($_POST['dstendport'] - $_POST['dstbeginport'] + $_POST['localbeginport']) > 65535)
+ $input_errors[] = "The target port range must be an integer between 1 and 65535.";
}
/* check for overlaps */
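Review bot: The new netmask checks at `if (($_POST['srcmask'] && !is_numericint($_POST['srcmask'])))` and the matching `dstmask` check only verify that the value is an integer, not that it is a valid prefix length; the form's select offers 1–31, but a hand-crafted POST can submit 0 or a value above 32 and it is stored unchanged through `pconfig_to_address()`. Tighten both to `if ($_POST['srcmask'] && (!is_numericint($_POST['srcmask']) || $_POST['srcmask'] < 1 || $_POST['srcmask'] > 32))` with a matching message for the destination. The `"any"` handling also relies on loose comparison: `if ($_POST['srcendport'] == "any")` runs after `srcendport` was set to the integer 0, and `0 == "any"` is true on PHP 5/7; it is harmless here because it reassigns 0 to 0, but `===` would make the intent clear. The enclosing `if ($_POST)` block continues past the end of the hunk.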
@@ -157,40 +268,45 @@ if ($_POST) {
continue;
if ($natent['interface'] != $_POST['interface'])
continue;
- if ($natent['external-address'] != $_POST['extaddr'])
+ if ($natent['destination']['address'] != $_POST['dst'])
continue;
if (($natent['proto'] != $_POST['proto']) && ($natent['proto'] != "tcp/udp") && ($_POST['proto'] != "tcp/udp"))
continue;
- list($begp,$endp) = explode("-", $natent['external-port']);
+ list($begp,$endp) = explode("-", $natent['destination']['port']);
if (!$endp)
$endp = $begp;
if (!( (($_POST['beginport'] < $begp) && ($_POST['endport'] < $begp))
|| (($_POST['beginport'] > $endp) && ($_POST['endport'] > $endp)))) {
- $input_errors[] = "The external port range overlaps with an existing entry.";
+ $input_errors[] = "The destination port range overlaps with an existing entry.";
break;
}
}
if (!$input_errors) {
$natent = array();
- if ($_POST['extaddr'])
- $natent['external-address'] = $_POST['extaddr'];
- $natent['protocol'] = $_POST['proto'];
- if ($_POST['beginport'] == $_POST['endport'])
- $natent['external-port'] = $_POST['beginport'];
- else
- $natent['external-port'] = $_POST['beginport'] . "-" . $_POST['endport'];
+ $natent['disabled'] = isset($_POST['disabled']) ? true:false;
+ $natent['nordr'] = isset($_POST['nordr']) ? true:false;
+
+ pconfig_to_address($natent['source'], $_POST['src'],
+ $_POST['srcmask'], $_POST['srcnot'],
+ $_POST['srcbeginport'], $_POST['srcendport']);
+
+ pconfig_to_address($natent['destination'], $_POST['dst'],
+ $_POST['dstmask'], $_POST['dstnot'],
+ $_POST['dstbeginport'], $_POST['dstendport']);
+
+ $natent['protocol'] = $_POST['proto'];
$natent['target'] = $_POST['localip'];
$natent['local-port'] = $_POST['localbeginport'];
$natent['interface'] = $_POST['interface'];
$natent['descr'] = $_POST['descr'];
$natent['associated-rule-id'] = $_POST['associated-rule-id'];
-
+
if($_POST['filter-rule-association'] == "pass")
$natent['associated-rule-id'] = "pass";
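Review bot: The overlap check still reads `$_POST['beginport']` and `$_POST['endport']` at `if (!( (($_POST['beginport'] < $begp) && ($_POST['endport'] < $begp))`, but this commit renamed those form fields to `dstbeginport`/`dstendport` in the validation hunk above, so both operands are now null and the "destination port range overlaps with an existing entry" error can never fire. Replace them with `$_POST['dstbeginport']` and `$_POST['dstendport']` on both lines. Two further mismatches in the same loop appear inherited rather than introduced but deserve fixing while here: the loop compares `$natent['proto']` although entries are saved under `$natent['protocol']`, and `$natent['destination']['address']` is compared with `$_POST['dst']` although `pconfig_to_address()` presumably stores "any" and interface selections under a different key, so such entries would be skipped — confirm against pconfig_to_address. The enclosing `foreach` begins before this hunk.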
@@ -200,7 +316,7 @@ if ($_POST) {
unset($natent['nosync']);
// If we used to have an associated filter rule, but no-longer should have one
- if ($a_nat[$id]>0 && empty($natent['associated-rule-id'])) {
+ if ($a_nat[$id]>0 && ( empty($natent['associated-rule-id']) || $natent['associated-rule-id'] != $a_nat[$id]['associated-rule-id'] ) ) {
// Delete the previous rule
delete_id($a_nat[$id]['associated-rule-id'], $config['filter']['rule']);
mark_subsystem_dirty('filter');
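Review bot: The widened condition at `if ($a_nat[$id]>0 && ( empty($natent['associated-rule-id']) || $natent['associated-rule-id'] != $a_nat[$id]['associated-rule-id'] ) )` now calls `delete_id()` whenever the association changes, including when the previous value was empty or the literal `"pass"`, neither of which is a filter rule id; unless `delete_id()` is known to ignore such values, guard the call with `!empty($a_nat[$id]['associated-rule-id']) && $a_nat[$id]['associated-rule-id'] != "pass"`. `$a_nat[$id]>0` compares an array with an integer and is true for any non-empty array; `isset($a_nat[$id])` would state what is meant. The enclosing block starts and ends outside the hunk.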
@@ -241,13 +357,16 @@ if ($_POST) {
if (!empty($natent['associated-rule-id'])) {
$filterentid = get_id($natent['associated-rule-id'], $config['filter']['rule']);
if ($filterentid == false) {
- $filterent['source']['any'] = "";
+ pconfig_to_address($filterent['source'], $_POST['src'],
+ $_POST['srcmask'], $_POST['srcnot'],
+ $_POST['srcbeginport'], $_POST['srcendport']);
$filterent['associated-rule-id'] = $natent['associated-rule-id'];
} else
$filterent =& $config['filter']['rule'][$filterentid];
} else
- // Create the default source entry for new filter entries
- $filterent['source']['any'] = "";
+ pconfig_to_address($filterent['source'], $_POST['src'],
+ $_POST['srcmask'], $_POST['srcnot'],
+ $_POST['srcbeginport'], $_POST['srcendport']);
// Update interface, protocol and destination
$filterent['interface'] = $_POST['interface'];
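Review bot: Only newly created filter rules receive the NAT entry's source through `pconfig_to_address($filterent['source'], $_POST['src'], ...)`; when an existing associated rule is found, `$filterent =& $config['filter']['rule'][$filterentid]` keeps its stored source and the following `// Update interface, protocol and destination` block does not refresh it, so editing the source of a redirect leaves the linked filter rule out of step — even though the companion change to firewall_rules_edit.php locks the source fields on associated rules precisely because they are meant to mirror the NAT entry. Moving the source `pconfig_to_address()` call below the if/else so it runs for every branch keeps the two in sync and removes the duplicated call. The enclosing `if` that decides whether a filter rule is created at all begins before this hunk.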
@@ -255,7 +374,7 @@ if ($_POST) {
$filterent['destination']['address'] = $_POST['localip'];
$dstpfrom = $_POST['localbeginport'];
- $dstpto = $dstpfrom + $_POST['endport'] - $_POST['beginport'];
+ $dstpto = $dstpfrom + $_POST['dstendport'] - $_POST['dstbeginport'];
if ($dstpfrom == $dstpto)
$filterent['destination']['port'] = $dstpfrom;
@@ -308,31 +427,47 @@ include("fbegin.inc"); ?>
<form action="firewall_nat_edit.php" method="post" name="iform" id="iform">
<table width="100%" border="0" cellpadding="6" cellspacing="0">
<tr>
- <td colspan="2" valign="top" class="listtopic">Edit NAT entry</td>
- </tr>
- <tr>
+ <td colspan="2" valign="top" class="listtopic">Edit Redirect entry</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Disabled</td>
+ <td width="78%" class="vtable">
+ <input name="disabled" type="checkbox" id="disabled" value="yes" <?php if ($pconfig['disabled']) echo "checked"; ?>>
+ <strong>Disable this rule</strong><br />
+ <span class="vexpl">Set this option to disable this rule without removing it from the list.</span>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">No RDR (NOT)</td>
+ <td width="78%" class="vtable">
+ <input type="checkbox" name="nordr"<?php if($pconfig['nordr']) echo " CHECKED"; ?>>
+ <span class="vexpl">Enabling this option will disable redirection for this entry.
+ <br>Hint: this option is rarely needed, don't use this unless you know what you're doing.</span>
+ </td>
+ </tr>
+ <tr>
<td width="22%" valign="top" class="vncellreq">Interface</td>
<td width="78%" class="vtable">
- <select name="interface" class="formselect">
+ <select name="interface" class="formselect" onChange="dst_change(this.value);typesel_change();">
<?php
-
+
$iflist = get_configured_interface_with_descr(false, true);
- foreach ($iflist as $if => $ifdesc)
- if(have_ruleint_access($if))
+ foreach ($iflist as $if => $ifdesc)
+ if(have_ruleint_access($if))
$interfaces[$if] = $ifdesc;
-
+
if ($config['pptpd']['mode'] == "server")
- if(have_ruleint_access("pptp"))
+ if(have_ruleint_access("pptp"))
$interfaces['pptp'] = "PPTP VPN";
-
+
if ($config['pppoe']['mode'] == "server")
- if(have_ruleint_access("pppoe"))
+ if(have_ruleint_access("pppoe"))
$interfaces['pppoe'] = "PPPoE VPN";
-
+
/* add ipsec interfaces */
if (isset($config['ipsec']['enable']) || isset($config['ipsec']['mobileclients']['enable']))
- if(have_ruleint_access("enc0"))
- $interfaces["enc0"] = "IPsec";
+ if(have_ruleint_access("enc0"))
+ $interfaces["enc0"] = "IPsec";
foreach ($interfaces as $iface => $ifacename): ?>
<option value="<?=$iface;?>" <?php if ($iface == $pconfig['interface']) echo "selected"; ?>>
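Review bot: The new `nordr` checkbox, `<input type="checkbox" name="nordr"<?php if($pconfig['nordr']) echo " CHECKED"; ?>>`, differs from the `disabled` checkbox two rows above in having no `id`, no `value` attribute and upper-case `CHECKED`; `<input name="nordr" type="checkbox" id="nordr" value="yes" <?php if ($pconfig['nordr']) echo "checked"; ?>>` matches the surrounding markup. The Disabled row uses the `vncellreq` (required) label class although the option is optional; `vncell`, as on the No RDR row, fits. The interface select's `onChange="dst_change(this.value);typesel_change();"` depends on functions from the JavaScript file changed in the same commit, which is not visible here.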
@@ -343,33 +478,6 @@ include("fbegin.inc"); ?>
<span class="vexpl">Choose which interface this rule applies to.<br>
Hint: in most cases, you'll want to use WAN here.</span></td>
</tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">External address</td>
- <td width="78%" class="vtable">
- <select name="extaddr" class="formselect">
- <option value="" <?php if (!$pconfig['extaddr']) echo "selected"; ?>>Interface address</option>
-<?php if (is_array($config['virtualip']['vip'])):
- foreach ($config['virtualip']['vip'] as $sn):
- if ($sn['mode'] == "proxyarp" && $sn['type'] == "network"):
- $baseip = ip2long($sn['subnet']) & ip2long(gen_subnet_mask($sn['subnet_bits']));
- for ($i = $sn['subnet_bits']; $i <= 32; $i++):
- $baseip = $baseip + 1;
- $snip = long2ip($baseip);
- ?>
- <option value="<?=$snip;?>" <?php if ($snip == $pconfig['extaddr']) echo "selected"; ?>><?=htmlspecialchars("{$snip} ({$sn['descr']})");?></option>
- <?php endfor;
- else: ?>
- <option value="<?=$sn['subnet'];?>" <?php if ($sn['subnet'] == $pconfig['extaddr']) echo "selected"; ?>><?=htmlspecialchars("{$sn['subnet']} ({$sn['descr']})");?></option>
- <?php endif; ?>
-<?php endforeach;
- endif; ?>
- <option value="any" <?php if($pconfig['extaddr'] == "any") echo "selected"; ?>>any</option>
- </select>
- <br />
- <span class="vexpl">
- If you want this rule to apply to another IP address than the IP address of the interface chosen above,
- select it here (you need to define <a href="firewall_virtual_ip.php">Virtual IP</a> addresses on the first). Also note that if you are trying to redirect connections on the LAN select the "any" option.</span></td>
- </tr>
<tr>
<td width="22%" valign="top" class="vncellreq">Protocol</td>
<td width="78%" class="vtable">
@@ -381,55 +489,223 @@ include("fbegin.inc"); ?>
this rule should match.<br>
Hint: in most cases, you should specify <em>TCP</em> &nbsp;here.</span></td>
</tr>
+ <tr id="showadvancedboxsrc" name="showadvancedboxsrc">
+ <td width="22%" valign="top" class="vncellreq">Source</td>
+ <td width="78%" class="vtable">
+ <input type="button" onClick="show_source()" value="Advanced"></input> - Show source address and port range</a>
+ </td>
+ </tr>
+ <tr style="display: none;" id="srctable" name="srctable">
+ <td width="22%" valign="top" class="vncellreq">Source</td>
+ <td width="78%" class="vtable">
+ <input name="srcnot" type="checkbox" id="srcnot" value="yes" <?php if ($pconfig['srcnot']) echo "checked"; ?>>
+ <strong>not</strong>
+ <br />
+ Use this option to invert the sense of the match.
+ <br />
+ <br />
+ <table border="0" cellspacing="0" cellpadding="0">
+ <tr>
+ <td>Type:&nbsp;&nbsp;</td>
+ <td>
+ <select name="srctype" class="formselect" onChange="typesel_change()">
+<?php
+ $sel = is_specialnet($pconfig['src']); ?>
+ <option value="any" <?php if ($pconfig['src'] == "any") { echo "selected"; } ?>>any</option>
+ <option value="single" <?php if (($pconfig['srcmask'] == 32) && !$sel) { echo "selected"; $sel = 1; } ?>>Single host or alias</option>
+ <option value="network" <?php if (!$sel) echo "selected"; ?>>Network</option>
+ <?php if(have_ruleint_access("pptp")): ?>
+ <option value="pptp" <?php if ($pconfig['src'] == "pptp") { echo "selected"; } ?>>PPTP clients</option>
+ <?php endif; ?>
+ <?php if(have_ruleint_access("pppoe")): ?>
+ <option value="pppoe" <?php if ($pconfig['src'] == "pppoe") { echo "selected"; } ?>>PPPoE clients</option>
+ <?php endif; ?>
+ <?php if(have_ruleint_access("l2tp")): ?>
+ <option value="l2tp" <?php if ($pconfig['src'] == "l2tp") { echo "selected"; } ?>>L2TP clients</option>
+ <?php endif; ?>
+<?php
+ foreach ($ifdisp as $ifent => $ifdesc): ?>
+ <?php if(have_ruleint_access($ifent)): ?>
+ <option value="<?=$ifent;?>" <?php if ($pconfig['src'] == $ifent) { echo "selected"; } ?>><?=htmlspecialchars($ifdesc);?> subnet</option>
+ <option value="<?=$ifent;?>ip"<?php if ($pconfig['src'] == $ifent . "ip") { echo "selected"; } ?>>
+ <?=$ifdesc?> address
+ </option>
+ <?php endif; ?>
+<?php endforeach; ?>
+ </select>
+ </td>
+ </tr>
+ <tr>
+ <td>Address:&nbsp;&nbsp;</td>
+ <td>
+ <input autocomplete='off' name="src" type="text" class="formfldalias" id="src" size="20" value="<?php if (!is_specialnet($pconfig['src'])) echo htmlspecialchars($pconfig['src']);?>"> /
+ <select name="srcmask" class="formselect" id="srcmask">
+<?php for ($i = 31; $i > 0; $i--): ?>
+ <option value="<?=$i;?>" <?php if ($i == $pconfig['srcmask']) echo "selected"; ?>><?=$i;?></option>
+<?php endfor; ?>
+ </select>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr style="display:none" id="sprtable" name="sprtable">
+ <td width="22%" valign="top" class="vncellreq">Source port range</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellspacing="0" cellpadding="0">
+ <tr>
+ <td>from:&nbsp;&nbsp;</td>
+ <td>
+ <select name="srcbeginport" class="formselect" onchange="src_rep_change();ext_change()">
+ <option value="">(other)</option>
+ <option value="any" <?php $bfound = 0; if ($pconfig['srcbeginport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
+<?php foreach ($wkports as $wkport => $wkportdesc): ?>
+ <option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['srcbeginport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
+<?php endforeach; ?>
+ </select>
+ <input autocomplete='off' class="formfldalias" name="srcbeginport_cust" id="srcbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcbeginport']) echo $pconfig['srcbeginport']; ?>">
+ </td>
+ </tr>
+ <tr>
+ <td>to:</td>
+ <td>
+ <select name="srcendport" class="formselect" onchange="ext_change()">
+ <option value="">(other)</option>
+ <option value="any" <?php $bfound = 0; if ($pconfig['srcendport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
+<?php foreach ($wkports as $wkport => $wkportdesc): ?>
+ <option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['srcendport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
+<?php endforeach; ?>
+ </select>
+ <input autocomplete='off' class="formfldalias" name="srcendport_cust" id="srcendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcendport']) echo $pconfig['srcendport']; ?>">
+ </td>
+ </tr>
+ </table>
+ <br />
+ <span class="vexpl">Specify the source port or port range for this rule. <b>This is almost never equal to the destination port range (and is usually &quot;any&quot;)</b>. <br /> Hint: you can leave the <em>'to'</em> field empty if you only want to filter a single port</span><br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Destination</td>
+ <td width="78%" class="vtable">
+ <input name="dstnot" type="checkbox" id="dstnot" value="yes" <?php if ($pconfig['dstnot']) echo "checked"; ?>>
+ <strong>not</strong>
+ <br />
+ Use this option to invert the sense of the match.
+ <br />
+ <br />
+ <table border="0" cellspacing="0" cellpadding="0">
+ <tr>
+ <td>Type:&nbsp;&nbsp;</td>
+ <td>
+ <select name="dsttype" class="formselect" onChange="typesel_change()">
+<?php
+ $sel = is_specialnet($pconfig['dst']); ?>
+ <option value="any" <?php if ($pconfig['dst'] == "any") { echo "selected"; } ?>>any</option>
+ <option value="single" <?php if (($pconfig['dstmask'] == 32) && !$sel) { echo "selected"; $sel = 1; } ?>>Single host or alias</option>
+ <option value="network" <?php if (!$sel) echo "selected"; ?>>Network</option>
+ <?php if(have_ruleint_access("pptp")): ?>
+ <option value="pptp" <?php if ($pconfig['dst'] == "pptp") { echo "selected"; } ?>>PPTP clients</option>
+ <?php endif; ?>
+ <?php if(have_ruleint_access("pppoe")): ?>
+ <option value="pppoe" <?php if ($pconfig['dst'] == "pppoe") { echo "selected"; } ?>>PPPoE clients</option>
+ <?php endif; ?>
+ <?php if(have_ruleint_access("l2tp")): ?>
+ <option value="l2tp" <?php if ($pconfig['dst'] == "l2tp") { echo "selected"; } ?>>L2TP clients</option>
+ <?php endif; ?>
+
+<?php foreach ($ifdisp as $if => $ifdesc): ?>
+ <?php if(have_ruleint_access($if)): ?>
+ <option value="<?=$if;?>" <?php if ($pconfig['dst'] == $if) { echo "selected"; } ?>><?=htmlspecialchars($ifdesc);?> subnet</option>
+ <option value="<?=$if;?>ip"<?php if ($pconfig['dst'] == $if . "ip") { echo "selected"; } ?>>
+ <?=$ifdesc;?> address
+ </option>
+ <?php endif; ?>
+<?php endforeach; ?>
+
+<?php if (is_array($config['virtualip']['vip'])):
+ foreach ($config['virtualip']['vip'] as $sn):
+ if ($sn['mode'] == "proxyarp" && $sn['type'] == "network"):
+ $baseip = ip2long($sn['subnet']) & ip2long(gen_subnet_mask($sn['subnet_bits']));
+
+ for ($i = $sn['subnet_bits']; $i <= 32; $i++):
+ $baseip = $baseip + 1;
+ $snip = long2ip($baseip);
+?>
+ <option value="<?=$snip;?>" <?php if ($snip == $pconfig['dst']) echo "selected"; ?>><?=htmlspecialchars("{$snip} ({$sn['descr']})");?></option>
+<?php endfor;
+ else:
+?>
+ <option value="<?=$sn['subnet'];?>" <?php if ($sn['subnet'] == $pconfig['dst']) echo "selected"; ?>><?=htmlspecialchars("{$sn['subnet']} ({$sn['descr']})");?></option>
+<?php endif;
+ endforeach;
+ endif;
+?>
+ </select>
+ </td>
+ </tr>
+ <tr>
+ <td>Address:&nbsp;&nbsp;</td>
+ <td>
+ <input name="dst" type="text" class="formfldalias" id="dst" size="20" value="<?php if (!is_specialnet($pconfig['dst'])) echo htmlspecialchars($pconfig['dst']);?>">
+ /
+ <select name="dstmask" class="formselect" id="dstmask">
+<?php
+ for ($i = 31; $i > 0; $i--): ?>
+ <option value="<?=$i;?>" <?php if ($i == $pconfig['dstmask']) echo "selected"; ?>><?=$i;?></option>
+<?php endfor; ?>
+ </select>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr id="dprtr" name="dprtr">
+ <td width="22%" valign="top" class="vncellreq">Destination port range </td>
+ <td width="78%" class="vtable">
+ <table border="0" cellspacing="0" cellpadding="0">
+ <tr>
+ <td>from:&nbsp;&nbsp;</td>
+ <td>
+ <select name="dstbeginport" class="formselect" onchange="dst_rep_change();ext_change()">
+ <option value="">(other)</option>
+<?php foreach ($wkports as $wkport => $wkportdesc): ?>
+ <option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstbeginport']) { echo "selected"; $bfound = 1; }?>><?=htmlspecialchars($wkportdesc);?></option>
+<?php endforeach; ?>
+ </select>
+ <input autocomplete='off' class="formfldalias" name="dstbeginport_cust" id="dstbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstbeginport']) echo $pconfig['dstbeginport']; ?>">
+ </td>
+ </tr>
+ <tr>
+ <td>to:</td>
+ <td>
+ <select name="dstendport" class="formselect" onchange="ext_change()">
+ <option value="">(other)</option>
+<?php foreach ($wkports as $wkport => $wkportdesc): ?>
+ <option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstendport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
+<?php endforeach; ?>
+ </select>
+ <input autocomplete='off' class="formfldalias" name="dstendport_cust" id="dstendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstendport']) echo $pconfig['dstendport']; ?>">
+ </td>
+ </tr>
+ </table>
+ <br />
+ <span class="vexpl">
+ Specify the port or port range for the destination of the packet for this rule.
+ <br />
+ Hint: you can leave the <em>'to'</em> field empty if you only want to filter a single port
+ </span>
+ </td>
+ </tr>
<tr>
- <td width="22%" valign="top" class="vncellreq">External port
- range </td>
- <td width="78%" class="vtable">
- <table border="0" cellspacing="0" cellpadding="0">
- <tr>
- <td>from:&nbsp;&nbsp;</td>
- <td><select name="beginport" class="formselect" onChange="ext_rep_change(); ext_change(); check_for_aliases();">
- <option value="">(other)</option>
- <?php $bfound = 0; foreach ($wkports as $wkport => $wkportdesc): ?>
- <option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['beginport']) {
- echo "selected";
- $bfound = 1;
- }?>>
- <?=htmlspecialchars($wkportdesc);?>
- </option>
- <?php endforeach; ?>
- </select> <input onChange="check_for_aliases();" autocomplete='off' class="formfldalias" name="beginport_cust" id="beginport_cust" type="text" size="5" value="<?php if (!$bfound) echo $pconfig['beginport']; ?>"></td>
- </tr>
- <tr>
- <td>to:</td>
- <td><select name="endport" class="formselect" onChange="ext_change(); check_for_aliases();">
- <option value="">(other)</option>
- <?php $bfound = 0; foreach ($wkports as $wkport => $wkportdesc): ?>
- <option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['endport']) {
- echo "selected";
- $bfound = 1;
- }?>>
- <?=htmlspecialchars($wkportdesc);?>
- </option>
- <?php endforeach; ?>
- </select> <input onChange="check_for_aliases();" class="formfldalias" autocomplete='off' name="endport_cust" id="endport_cust" type="text" size="5" value="<?php if (!$bfound) echo $pconfig['endport']; ?>"></td>
- </tr>
- </table>
- <br> <span class="vexpl">Specify the port or port range on
- the firewall's external address for this mapping.<br>
- Hint: you can leave the <em>'to'</em> field empty if you only
- want to map a single port</span></td>
- </tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">NAT IP</td>
+ <td width="22%" valign="top" class="vncellreq">Redirect target IP</td>
<td width="78%" class="vtable">
<input autocomplete='off' name="localip" type="text" class="formfldalias" id="localip" size="20" value="<?=htmlspecialchars($pconfig['localip']);?>">
<br> <span class="vexpl">Enter the internal IP address of
the server on which you want to map the ports.<br>
e.g. <em>192.168.1.12</em></span></td>
</tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">Local port</td>
+ <tr name="lprtr" id="lprtr">
+ <td width="22%" valign="top" class="vncellreq">Redirect target port</td>
<td width="78%" class="vtable">
<select name="localbeginport" class="formselect" onChange="ext_change();check_for_aliases();">
<option value="">(other)</option>
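Review bot: `$bfound` is never reset before the destination port selects: the source selects clear it inside their `any` option (`<?php $bfound = 0; if ($pconfig['srcbeginport'] == "any") ...`), but the `dstbeginport` and `dstendport` loops start with whatever the `srcendport` loop left behind, so when the source end port matched a well-known port `$bfound` stays 1 and a custom destination port is dropped from `dstbeginport_cust`/`dstendport_cust` when the form is re-rendered. Prefix both loops with `<?php $bfound = 0; foreach ($wkports as $wkport => $wkportdesc): ?>`. The four custom port inputs also echo `$pconfig['srcbeginport']` (and the `srcendport`/`dstbeginport`/`dstendport` counterparts) into a `value` attribute without escaping, while `src`/`dst` on the same form use `htmlspecialchars()`; after a validation error `$pconfig` is `$_POST`, so write each as `echo htmlspecialchars($pconfig['srcbeginport']);` for consistency with the rest of the form. Finally, the Advanced button line `<input type="button" onClick="show_source()" value="Advanced"></input> - Show source address and port range</a>` closes an `</a>` that was never opened and uses an end tag on a void `input` element.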
@@ -470,7 +746,7 @@ include("fbegin.inc"); ?>
<select name="associated-rule-id">
<option value="">None</option>
<option value="pass" <?php if($pconfig['associated-rule-id'] == "pass") echo " SELECTED"; ?>>Pass</option>
- <?php
+ <?php
$linkedrule = "";
if (is_array($config['filter']['rule'])) {
$filter_id = 0;
@@ -482,7 +758,7 @@ include("fbegin.inc"); ?>
$linkedrule = "<br /><a href=\"firewall_rules_edit.php?id={$filter_id}\">View the filter rule</a><br/>";
}
echo ">". htmlspecialchars('Rule ' . $filter_rule['descr']) . "</option>\n";
-
+
}
if ($filter_rule['interface'] == $pconfig['interface'])
$filter_id++;
@@ -526,6 +802,9 @@ include("fbegin.inc"); ?>
<script language="JavaScript">
<!--
ext_change();
+ dst_change(document.iform.interface.value);
+ typesel_change();
+ proto_change();
//-->
</script>
<?php
@@ -560,9 +839,13 @@ if($config['aliases']['alias'] <> "")
var customarray=new Array(<?php echo $portaliases; ?>);
var oTextbox1 = new AutoSuggestControl(document.getElementById("localip"), new StateSuggestions(addressarray));
- var oTextbox2 = new AutoSuggestControl(document.getElementById("beginport_cust"), new StateSuggestions(customarray));
- var oTextbox3 = new AutoSuggestControl(document.getElementById("endport_cust"), new StateSuggestions(customarray));
- var oTextbox4 = new AutoSuggestControl(document.getElementById("localbeginport_cust"), new StateSuggestions(customarray));
+ var oTextbox2 = new AutoSuggestControl(document.getElementById("src"), new StateSuggestions(addressarray));
+ var oTextbox3 = new AutoSuggestControl(document.getElementById("dst"), new StateSuggestions(addressarray));
+ var oTextbox4 = new AutoSuggestControl(document.getElementById("dstbeginport_cust"), new StateSuggestions(customarray));
+ var oTextbox5 = new AutoSuggestControl(document.getElementById("dstendport_cust"), new StateSuggestions(customarray));
+ var oTextbox6 = new AutoSuggestControl(document.getElementById("srcbeginport_cust"), new StateSuggestions(customarray));
+ var oTextbox7 = new AutoSuggestControl(document.getElementById("srcendport_cust"), new StateSuggestions(customarray));
+ var oTextbox8 = new AutoSuggestControl(document.getElementById("localbeginport_cust"), new StateSuggestions(customarray));
//-->
</script>
<?php include("fend.inc"); ?>
diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php
index 236a23a..5bbfadb 100755
--- a/usr/local/www/firewall_rules_edit.php
+++ b/usr/local/www/firewall_rules_edit.php
@@ -672,7 +672,28 @@ include("head.inc");
<tr>
<td width="22%" valign="top" class="vncellreq">Source</td>
<td width="78%" class="vtable">
- <input name="srcnot" type="checkbox" id="srcnot" value="yes" <?php if ($pconfig['srcnot']) echo "checked"; ?>>
+ <?php $edit_disabled=false; ?>
+ <?php if( isset($pconfig['associated-rule-id']) ): ?>
+ <span class="red"><strong>NOTE: </strong></span> This is associated to a NAT rule.<br />
+ You cannot edit the source and destination of associated filter rules.<br />
+ <br />
+ <?php
+ $edit_disabled=true;
+ if (is_array($config['nat']['rule'])) {
+ foreach( $config['nat']['rule'] as $index => $nat_rule ) {
+ if( $nat_rule['associated-rule-id']==$pconfig['associated-rule-id']) {
+ echo "<a href=\"firewall_nat_edit.php?id={$nat_rule[$index]}\">View the NAT rule</a><br>";
+ break;
+ }
+ }
+ }
+ ?>
+ <br />
+ <script type="text/javascript">
+ editenabled = 0;
+ </script>
+ <?php endif; ?>
+ <input<?php echo ($edit_disabled===true?' DISABLED':''); ?> name="srcnot" type="checkbox" id="srcnot" value="yes" <?php if ($pconfig['srcnot']) echo "checked"; ?>>
<strong>not</strong>
<br />
Use this option to invert the sense of the match.
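Review bot: The link echoed inside the foreach indexes the rule array with itself, `{$nat_rule[$index]}`, which yields an empty or wrong id; the intended value is the loop key, `echo "<a href=\"firewall_nat_edit.php?id=" . (int)$index . "\">View the NAT rule</a><br>";` (the cast also keeps the href to digits only). The comparison on the line above it uses loose `==`; since `associated-rule-id` values are strings, `===` avoids PHP's numeric-string coercion. Separately, the fields this hunk renders with `DISABLED` (and those in the following hunks through the dstendport_cust input) are not included in the browser's form submission, so saving an associated rule will post empty source/destination values unless the POST handler, which is outside this diff, restores them from the stored rule — worth confirming.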
@@ -682,7 +703,7 @@ include("head.inc");
<tr>
<td>Type:&nbsp;&nbsp;</td>
<td>
- <select name="srctype" class="formselect" onChange="typesel_change()">
+ <select<?php echo ($edit_disabled===true?' DISABLED':''); ?> name="srctype" class="formselect" onChange="typesel_change()">
<?php
$sel = is_specialnet($pconfig['src']); ?>
<option value="any" <?php if ($pconfig['src'] == "any") { echo "selected"; } ?>>any</option>
@@ -712,8 +733,8 @@ include("head.inc");
<tr>
<td>Address:&nbsp;&nbsp;</td>
<td>
- <input autocomplete='off' name="src" type="text" class="formfldalias" id="src" size="20" value="<?php if (!is_specialnet($pconfig['src'])) echo htmlspecialchars($pconfig['src']);?>"> /
- <select name="srcmask" class="formselect" id="srcmask">
+ <input<?php echo ($edit_disabled===true?' DISABLED':''); ?> autocomplete='off' name="src" type="text" class="formfldalias" id="src" size="20" value="<?php if (!is_specialnet($pconfig['src'])) echo htmlspecialchars($pconfig['src']);?>"> /
+ <select<?php echo ($edit_disabled===true?' DISABLED':''); ?> name="srcmask" class="formselect" id="srcmask">
<?php for ($i = 31; $i > 0; $i--): ?>
<option value="<?=$i;?>" <?php if ($i == $pconfig['srcmask']) echo "selected"; ?>><?=$i;?></option>
<?php endfor; ?>
@@ -723,7 +744,7 @@ include("head.inc");
</table>
<div id="showadvancedboxspr">
<p>
- <input type="button" onClick="show_source_port_range()" value="Advanced"></input> - Show source port range</a>
+ <input<?php echo ($edit_disabled===true?' DISABLED':''); ?> type="button" onClick="show_source_port_range()" value="Advanced"></input> - Show source port range</a>
</div>
</td>
</tr>
@@ -734,27 +755,27 @@ include("head.inc");
<tr>
<td>from:&nbsp;&nbsp;</td>
<td>
- <select name="srcbeginport" class="formselect" onchange="src_rep_change();ext_change()">
+ <select<?php echo ($edit_disabled===true?' DISABLED':''); ?> name="srcbeginport" class="formselect" onchange="src_rep_change();ext_change()">
<option value="">(other)</option>
<option value="any" <?php $bfound = 0; if ($pconfig['srcbeginport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['srcbeginport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
<?php endforeach; ?>
</select>
- <input autocomplete='off' class="formfldalias" name="srcbeginport_cust" id="srcbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcbeginport']) echo $pconfig['srcbeginport']; ?>">
+ <input<?php echo ($edit_disabled===true?' DISABLED':''); ?> autocomplete='off' class="formfldalias" name="srcbeginport_cust" id="srcbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcbeginport']) echo $pconfig['srcbeginport']; ?>">
</td>
</tr>
<tr>
<td>to:</td>
<td>
- <select name="srcendport" class="formselect" onchange="ext_change()">
+ <select<?php echo ($edit_disabled===true?' DISABLED':''); ?> name="srcendport" class="formselect" onchange="ext_change()">
<option value="">(other)</option>
<option value="any" <?php $bfound = 0; if ($pconfig['srcendport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['srcendport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
<?php endforeach; ?>
</select>
- <input autocomplete='off' class="formfldalias" name="srcendport_cust" id="srcendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcendport']) echo $pconfig['srcendport']; ?>">
+ <input<?php echo ($edit_disabled===true?' DISABLED':''); ?> autocomplete='off' class="formfldalias" name="srcendport_cust" id="srcendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcendport']) echo $pconfig['srcendport']; ?>">
</td>
</tr>
</table>
@@ -765,27 +786,7 @@ include("head.inc");
<tr>
<td width="22%" valign="top" class="vncellreq">Destination</td>
<td width="78%" class="vtable">
- <?php $dst_disabled=false; ?>
- <?php if( isset($pconfig['associated-rule-id']) ): ?>
- <span class="red"><strong>NOTE: </strong></span> This is associated to a NAT rule.<br />
- You cannot edit the destination of associated filter rules.<br />
- <br />
- <?php
- if (is_array($config['nat']['rule'])) {
- foreach( $config['nat']['rule'] as $index => $nat_rule ) {
- if( $nat_rule['assocaited-rule-id']==$pconfig['associated-rule-id'])
- echo "<a href=\"firewall_nat_edit.php?id={$nat_rule[$index]}\">View the NAT rule</a>\n";
- break;
- }
- }
- ?>
- <br />
- <?php $dst_disabled=true; ?>
- <script type="text/javascript">
- dstenabled = 0;
- </script>
- <?php endif; ?>
- <input<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dstnot" type="checkbox" id="dstnot" value="yes" <?php if ($pconfig['dstnot']) echo "checked"; ?>>
+ <input<?php echo ($edit_disabled===true?' DISABLED':''); ?> name="dstnot" type="checkbox" id="dstnot" value="yes" <?php if ($pconfig['dstnot']) echo "checked"; ?>>
<strong>not</strong>
<br />
Use this option to invert the sense of the match.
@@ -795,7 +796,7 @@ include("head.inc");
<tr>
<td>Type:&nbsp;&nbsp;</td>
<td>
- <select<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dsttype" class="formselect" onChange="typesel_change()">
+ <select<?php echo ($edit_disabled===true?' DISABLED':''); ?> name="dsttype" class="formselect" onChange="typesel_change()">
<?php
$sel = is_specialnet($pconfig['dst']); ?>
<option value="any" <?php if ($pconfig['dst'] == "any") { echo "selected"; } ?>>any</option>
@@ -825,9 +826,9 @@ include("head.inc");
<tr>
<td>Address:&nbsp;&nbsp;</td>
<td>
- <input<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dst" type="text" class="formfldalias" id="dst" size="20" value="<?php if (!is_specialnet($pconfig['dst'])) echo htmlspecialchars($pconfig['dst']);?>">
+ <input<?php echo ($edit_disabled===true?' DISABLED':''); ?> name="dst" type="text" class="formfldalias" id="dst" size="20" value="<?php if (!is_specialnet($pconfig['dst'])) echo htmlspecialchars($pconfig['dst']);?>">
/
- <select<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dstmask" class="formselect" id="dstmask">
+ <select<?php echo ($edit_disabled===true?' DISABLED':''); ?> name="dstmask" class="formselect" id="dstmask">
<?php
for ($i = 31; $i > 0; $i--): ?>
<option value="<?=$i;?>" <?php if ($i == $pconfig['dstmask']) echo "selected"; ?>><?=$i;?></option>
@@ -845,27 +846,27 @@ include("head.inc");
<tr>
<td>from:&nbsp;&nbsp;</td>
<td>
- <select<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dstbeginport" class="formselect" onchange="dst_rep_change();ext_change()">
+ <select<?php echo ($edit_disabled===true?' DISABLED':''); ?> name="dstbeginport" class="formselect" onchange="dst_rep_change();ext_change()">
<option value="">(other)</option>
<option value="any" <?php $bfound = 0; if ($pconfig['dstbeginport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstbeginport']) { echo "selected"; $bfound = 1; }?>><?=htmlspecialchars($wkportdesc);?></option>
<?php endforeach; ?>
</select>
- <input<?php echo ($dst_disabled===true?' DISABLED':''); ?> autocomplete='off' class="formfldalias" name="dstbeginport_cust" id="dstbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstbeginport']) echo $pconfig['dstbeginport']; ?>">
+ <input<?php echo ($edit_disabled===true?' DISABLED':''); ?> autocomplete='off' class="formfldalias" name="dstbeginport_cust" id="dstbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstbeginport']) echo $pconfig['dstbeginport']; ?>">
</td>
</tr>
<tr>
<td>to:</td>
<td>
- <select<?php echo ($dst_disabled===true?' DISABLED':''); ?> name="dstendport" class="formselect" onchange="ext_change()">
+ <select<?php echo ($edit_disabled===true?' DISABLED':''); ?> name="dstendport" class="formselect" onchange="ext_change()">
<option value="">(other)</option>
<option value="any" <?php $bfound = 0; if ($pconfig['dstendport'] == "any") { echo "selected"; $bfound = 1; } ?>>any</option>
<?php foreach ($wkports as $wkport => $wkportdesc): ?>
<option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstendport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option>
<?php endforeach; ?>
</select>
- <input<?php echo ($dst_disabled===true?' DISABLED':''); ?> autocomplete='off' class="formfldalias" name="dstendport_cust" id="dstendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstendport']) echo $pconfig['dstendport']; ?>">
+ <input<?php echo ($edit_disabled===true?' DISABLED':''); ?> autocomplete='off' class="formfldalias" name="dstendport_cust" id="dstendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstendport']) echo $pconfig['dstendport']; ?>">
</td>
</tr>
</table>
diff --git a/usr/local/www/firewall_virtual_ip.php b/usr/local/www/firewall_virtual_ip.php
index 2a01c91..873f422 100755
--- a/usr/local/www/firewall_virtual_ip.php
+++ b/usr/local/www/firewall_virtual_ip.php
@@ -94,8 +94,8 @@ if ($_GET['act'] == "del") {
/* make sure no inbound NAT mappings reference this entry */
if (is_array($config['nat']['rule'])) {
foreach ($config['nat']['rule'] as $rule) {
- if($rule['external-address'] <> "") {
- if ($rule['external-address'] == $a_vip[$_GET['id']]['subnet']) {
+ if($rule['destination']['address'] <> "") {
+ if ($rule['destination']['address'] == $a_vip[$_GET['id']]['subnet']) {
$input_errors[] = "This entry cannot be deleted because it is still referenced by at least one NAT mapping.";
break;
}
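Review bot: `$rule['destination']['address']` is read without checking that the rule carries a destination address at all; a rule whose destination is `any` (or an alias/network form, if the new schema allows those) would either raise an undefined-index notice or simply not match, so the VIP could be deleted while still referenced. Guard the read, `if (isset($rule['destination']['address']) && $rule['destination']['address'] == $a_vip[$_GET['id']]['subnet']) {`, and consider whether a destination stored as a network with a mask needs comparing on the address part only. The same unguarded read appears in the firewall_virtual_ip_edit.php hunk, which additionally rewrites the address in place. The new `destination` schema is not visible in this diff, so confirm which forms it can take.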
diff --git a/usr/local/www/firewall_virtual_ip_edit.php b/usr/local/www/firewall_virtual_ip_edit.php
index 096fb86..89e473a 100755
--- a/usr/local/www/firewall_virtual_ip_edit.php
+++ b/usr/local/www/firewall_virtual_ip_edit.php
@@ -206,8 +206,8 @@ if ($_POST) {
interface_vip_bring_down($a_vip[$id]);
/* modify all virtual IP rules with this address */
for ($i = 0; isset($config['nat']['rule'][$i]); $i++) {
- if ($config['nat']['rule'][$i]['external-address'] == $a_vip[$id]['subnet'])
- $config['nat']['rule'][$i]['external-address'] = $vipent['subnet'];
+ if ($config['nat']['rule'][$i]['destination']['address'] == $a_vip[$id]['subnet'])
+ $config['nat']['rule'][$i]['destination']['address'] = $vipent['subnet'];
}
$a_vip[$id] = $vipent;
} else
diff --git a/usr/local/www/javascript/firewall_nat_edit/firewall_nat_edit.js b/usr/local/www/javascript/firewall_nat_edit/firewall_nat_edit.js
index a2dff4c..2cc7d7f 100644
--- a/usr/local/www/javascript/firewall_nat_edit/firewall_nat_edit.js
+++ b/usr/local/www/javascript/firewall_nat_edit/firewall_nat_edit.js
@@ -1,28 +1,65 @@
<!--
+var portsenabled = 1;
+var dstenabled = 1;
+var showsource = 0;
+
function ext_change() {
- if (document.iform.beginport.selectedIndex == 0) {
- document.iform.beginport_cust.disabled = 0;
+ if ((document.iform.srcbeginport.selectedIndex == 0) && portsenabled) {
+ document.iform.srcbeginport_cust.disabled = 0;
+ } else {
+ document.iform.srcbeginport_cust.value = "";
+ document.iform.srcbeginport_cust.disabled = 1;
+ }
+ if ((document.iform.srcendport.selectedIndex == 0) && portsenabled) {
+ document.iform.srcendport_cust.disabled = 0;
+ } else {
+ document.iform.srcendport_cust.value = "";
+ document.iform.srcendport_cust.disabled = 1;
+ }
+ if ((document.iform.dstbeginport.selectedIndex == 0) && portsenabled && dstenabled) {
+ document.iform.dstbeginport_cust.disabled = 0;
} else {
- document.iform.beginport_cust.value = "";
- document.iform.beginport_cust.disabled = 1;
+ document.iform.dstbeginport_cust.value = "";
+ document.iform.dstbeginport_cust.disabled = 1;
}
- if (document.iform.endport.selectedIndex == 0) {
- document.iform.endport_cust.disabled = 0;
+ if ((document.iform.dstendport.selectedIndex == 0) && portsenabled && dstenabled) {
+ document.iform.dstendport_cust.disabled = 0;
} else {
- document.iform.endport_cust.value = "";
- document.iform.endport_cust.disabled = 1;
+ document.iform.dstendport_cust.value = "";
+ document.iform.dstendport_cust.disabled = 1;
}
- if (document.iform.localbeginport.selectedIndex == 0) {
+
+ if ((document.iform.localbeginport.selectedIndex == 0) && portsenabled) {
document.iform.localbeginport_cust.disabled = 0;
} else {
document.iform.localbeginport_cust.value = "";
document.iform.localbeginport_cust.disabled = 1;
}
+
+ if (!portsenabled) {
+ document.iform.srcbeginport.disabled = 1;
+ document.iform.srcendport.disabled = 1;
+ document.iform.dstbeginport.disabled = 1;
+ document.iform.dstendport.disabled = 1;
+ document.iform.localbeginport_cust.disabled = 1;
+ } else {
+ document.iform.srcbeginport.disabled = 0;
+ document.iform.srcendport.disabled = 0;
+ document.iform.localbeginport_cust.disabled = 0;
+ if( dstenabled ) {
+ document.iform.dstbeginport.disabled = 0;
+ document.iform.dstendport.disabled = 0;
+ }
+ }
}
-function ext_rep_change() {
- document.iform.endport.selectedIndex = document.iform.beginport.selectedIndex;
- document.iform.localbeginport.selectedIndex = document.iform.beginport.selectedIndex;
+function show_source() {
+ if(portsenabled)
+ document.getElementById("sprtable").style.display = '';
+
+ document.getElementById("srctable").style.display = '';
+ document.getElementById("showadvancedboxsrc").style.display = 'none';
+ showsource = 1;
}
function check_for_aliases() {
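Review bot: In the `else` branch at the end of ext_change, `document.iform.localbeginport_cust.disabled = 0;` re-enables the custom local-port box unconditionally, undoing the `localbeginport.selectedIndex == 0` check made a few lines earlier; the other entries in that branch re-enable the `<select>` elements, so this line presumably meant `document.iform.localbeginport.disabled = 0;`. The matching `if (!portsenabled)` branch disables `localbeginport_cust` but never `localbeginport`, which looks like the same mix-up. A short comment above that block, `// enable/disable the port selects as a group; each *_cust box follows its own select above`, would make the intent clear.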
@@ -30,64 +67,117 @@ function check_for_aliases() {
* entry of Local port
*/
for(i=0; i<customarray.length; i++) {
- if(document.iform.beginport_cust.value == customarray[i]) {
- document.iform.endport_cust.value = customarray[i];
+ if(document.iform.dstbeginport_cust.value == customarray[i]) {
+ document.iform.dstendport_cust.value = customarray[i];
document.iform.localbeginport_cust.value = customarray[i];
- document.iform.endport_cust.disabled = 1;
+ document.iform.dstendport_cust.disabled = 1;
document.iform.localbeginport.disabled = 1;
document.iform.localbeginport_cust.disabled = 1;
- document.iform.endport_cust.disabled = 0;
+ document.iform.dstendport_cust.disabled = 0;
document.iform.localbeginport.disabled = 0;
document.iform.localbeginport_cust.disabled = 0;
}
- if(document.iform.beginport.value == customarray[i]) {
- document.iform.endport_cust.value = customarray[i];
+ if(document.iform.dstbeginport.value == customarray[i]) {
+ document.iform.dstendport_cust.value = customarray[i];
document.iform.localbeginport_cust.value = customarray[i];
- document.iform.endport_cust.disabled = 1;
+ document.iform.dstendport_cust.disabled = 1;
document.iform.localbeginport.disabled = 1;
document.iform.localbeginport_cust.disabled = 1;
- document.iform.endport_cust.disabled = 0;
+ document.iform.dstendport_cust.disabled = 0;
document.iform.localbeginport.disabled = 0;
document.iform.localbeginport_cust.disabled = 0;
}
- if(document.iform.endport_cust.value == customarray[i]) {
- document.iform.endport_cust.value = customarray[i];
+ if(document.iform.dstendport_cust.value == customarray[i]) {
+ document.iform.dstendport_cust.value = customarray[i];
document.iform.localbeginport_cust.value = customarray[i];
- document.iform.endport_cust.disabled = 1;
+ document.iform.dstendport_cust.disabled = 1;
document.iform.localbeginport.disabled = 1;
document.iform.localbeginport_cust.disabled = 1;
- document.iform.endport_cust.disabled = 0;
+ document.iform.dstendport_cust.disabled = 0;
document.iform.localbeginport.disabled = 0;
document.iform.localbeginport_cust.disabled = 0;
}
- if(document.iform.endport.value == customarray[i]) {
- document.iform.endport_cust.value = customarray[i];
+ if(document.iform.dstendport.value == customarray[i]) {
+ document.iform.dstendport_cust.value = customarray[i];
document.iform.localbeginport_cust.value = customarray[i];
- document.iform.endport_cust.disabled = 1;
+ document.iform.dstendport_cust.disabled = 1;
document.iform.localbeginport.disabled = 1;
document.iform.localbeginport_cust.disabled = 1;
- document.iform.endport_cust.disabled = 0;
+ document.iform.dstendport_cust.disabled = 0;
document.iform.localbeginport.disabled = 0;
document.iform.localbeginport_cust.disabled = 0;
}
+
}
}
function proto_change() {
- if(document.iform.proto.selectedIndex > 2) {
- document.iform.beginport_cust.disabled = 1;
- document.iform.endport_cust.disabled = 1;
- document.iform.beginport.disabled = 1;
- document.iform.endport.disabled = 1;
- document.iform.localbeginport_cust.disabled = 1;
- document.iform.localbeginport.disabled = 1;
+ if (document.iform.proto.selectedIndex < 3) {
+ portsenabled = 1;
} else {
- document.iform.beginport_cust.disabled = 0;
- document.iform.endport_cust.disabled = 0;
- document.iform.beginport.disabled = 0;
- document.iform.endport.disabled = 0;
- document.iform.localbeginport_cust.disabled = 0;
- document.iform.localbeginport.disabled = 0;
+ portsenabled = 0;
+ }
+
+ if(document.iform.proto.selectedIndex >= 0 && document.iform.proto.selectedIndex <= 2) {
+ document.getElementById("sprtable").style.display = showsource == 1 ? '':'none';
+ document.getElementById("dprtr").style.display = '';
+ document.getElementById("lprtr").style.display = '';
+ } else {
+ document.getElementById("sprtable").style.display = 'none';
+ document.getElementById("dprtr").style.display = 'none';
+ document.getElementById("lprtr").style.display = 'none';
}
}
+
+function typesel_change() {
+ switch (document.iform.srctype.selectedIndex) {
+ case 1: /* single */
+ document.iform.src.disabled = 0;
+ document.iform.srcmask.value = "";
+ document.iform.srcmask.disabled = 1;
+ break;
+ case 2: /* network */
+ document.iform.src.disabled = 0;
+ document.iform.srcmask.disabled = 0;
+ break;
+ default:
+ document.iform.src.value = "";
+ document.iform.src.disabled = 1;
+ document.iform.srcmask.value = "";
+ document.iform.srcmask.disabled = 1;
+ break;
+ }
+ if( dstenabled )
+ {
+ switch (document.iform.dsttype.selectedIndex) {
+ case 1: /* single */
+ document.iform.dst.disabled = 0;
+ document.iform.dstmask.value = "";
+ document.iform.dstmask.disabled = 1;
+ break;
+ case 2: /* network */
+ document.iform.dst.disabled = 0;
+ document.iform.dstmask.disabled = 0;
+ break;
+ default:
+ document.iform.dst.value = "";
+ document.iform.dst.disabled = 1;
+ document.iform.dstmask.value = "";
+ document.iform.dstmask.disabled = 1;
+ break;
+ }
+ }
+}
+
+function src_rep_change() {
+ document.iform.srcendport.selectedIndex = document.iform.srcbeginport.selectedIndex;
+}
+
+function dst_rep_change() {
+ document.iform.dstendport.selectedIndex = document.iform.dstbeginport.selectedIndex;
+}
+
+function dst_change( iface ) {
+ document.iform.dsttype.value = iface.concat("ip");
+}
//-->
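Review bot: `dst_change(iface)` assigns `iface.concat("ip")` to `document.iform.dsttype.value` without checking that an option with that value exists; if the interface has no matching entry the select is left with no selection, and the `default` branch of typesel_change then blanks the `dst` field. Only assign when an option matches, as below, and leave the selection untouched otherwise. Also, proto_change treats `selectedIndex < 3` as ports-enabled while the display logic beneath it requires `>= 0 && <= 2`, so an unselected protocol enables the port controls but hides their rows; using one predicate for both would remove that inconsistency. In check_for_aliases every branch sets `dstendport_cust.disabled = 1` and then immediately `= 0`, so the first assignment is dead (pre-existing, only renamed here).
```javascript
function dst_change( iface ) {
    var sel = document.iform.dsttype;
    var wanted = iface.concat("ip");
    // only select the interface-address entry when the form actually offers it
    for (var i = 0; i < sel.options.length; i++) {
        if (sel.options[i].value == wanted) {
            sel.selectedIndex = i;
            return;
        }
    }
}
```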
diff --git a/usr/local/www/javascript/firewall_rules_edit/firewall_rules_edit.js b/usr/local/www/javascript/firewall_rules_edit/firewall_rules_edit.js
index 75bcb62..1b7f33a 100644
--- a/usr/local/www/javascript/firewall_rules_edit/firewall_rules_edit.js
+++ b/usr/local/www/javascript/firewall_rules_edit/firewall_rules_edit.js
@@ -1,6 +1,6 @@
<!--
var portsenabled = 1;
-var dstenabled = 1;
+var editenabled = 1;
function ext_change() {
if ((document.iform.srcbeginport.selectedIndex == 0) && portsenabled) {
@@ -15,13 +15,13 @@ function ext_change() {
document.iform.srcendport_cust.value = "";
document.iform.srcendport_cust.disabled = 1;
}
- if ((document.iform.dstbeginport.selectedIndex == 0) && portsenabled && dstenabled) {
+ if ((document.iform.dstbeginport.selectedIndex == 0) && portsenabled && editenabled) {
document.iform.dstbeginport_cust.disabled = 0;
} else {
document.iform.dstbeginport_cust.value = "";
document.iform.dstbeginport_cust.disabled = 1;
}
- if ((document.iform.dstendport.selectedIndex == 0) && portsenabled && dstenabled) {
+ if ((document.iform.dstendport.selectedIndex == 0) && portsenabled && editenabled) {
document.iform.dstendport_cust.disabled = 0;
} else {
document.iform.dstendport_cust.value = "";
@@ -36,7 +36,7 @@ function ext_change() {
} else {
document.iform.srcbeginport.disabled = 0;
document.iform.srcendport.disabled = 0;
- if( dstenabled ) {
+ if( editenabled ) {
document.iform.dstbeginport.disabled = 0;
document.iform.dstendport.disabled = 0;
}
@@ -49,25 +49,24 @@ function show_source_port_range() {
}
function typesel_change() {
- switch (document.iform.srctype.selectedIndex) {
- case 1: /* single */
- document.iform.src.disabled = 0;
- document.iform.srcmask.value = "";
- document.iform.srcmask.disabled = 1;
- break;
- case 2: /* network */
- document.iform.src.disabled = 0;
- document.iform.srcmask.disabled = 0;
- break;
- default:
- document.iform.src.value = "";
- document.iform.src.disabled = 1;
- document.iform.srcmask.value = "";
- document.iform.srcmask.disabled = 1;
- break;
- }
- if( dstenabled )
- {
+ if( editenabled ) {
+ switch (document.iform.srctype.selectedIndex) {
+ case 1: /* single */
+ document.iform.src.disabled = 0;
+ document.iform.srcmask.value = "";
+ document.iform.srcmask.disabled = 1;
+ break;
+ case 2: /* network */
+ document.iform.src.disabled = 0;
+ document.iform.srcmask.disabled = 0;
+ break;
+ default:
+ document.iform.src.value = "";
+ document.iform.src.disabled = 1;
+ document.iform.srcmask.value = "";
+ document.iform.srcmask.disabled = 1;
+ break;
+ }
switch (document.iform.dsttype.selectedIndex) {
case 1: /* single */
document.iform.dst.disabled = 0;
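Review bot: Wrapping the `srctype` switch in `if( editenabled )` leaves the source fields' disabled state entirely to the server-rendered `DISABLED` attributes when editing an associated rule, which only holds if `editenabled` is really 0 by the time typesel_change runs; this file sets `var editenabled = 1;` at the top and firewall_rules_edit.php clears it from an inline script inside the form body, so if this file were loaded after that inline script the default would win. Worth confirming the include order, and a comment at the declaration would help: `// editenabled is cleared by firewall_rules_edit.php for rules bound to a NAT entry; their src/dst inputs are rendered DISABLED server-side`. The enclosing function continues past the hunk.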
@@ -118,7 +117,9 @@ function proto_change() {
if(document.iform.proto.selectedIndex >= 0 && document.iform.proto.selectedIndex <= 2) {
document.getElementById("dprtr").style.display = '';
- document.getElementById("showadvancedboxspr").innerHTML='<p><input type="button" onClick="show_source_port_range()" value="Advanced"></input> - Show source port range</a>';
+ if (editenabled) {
+ document.getElementById("showadvancedboxspr").innerHTML='<p><input type="button" onClick="show_source_port_range()" value="Advanced"></input> - Show source port range</a>';
+ }
} else {
document.getElementById("sprtable").style.display = 'none';
document.getElementById("dprtr").style.display = 'none';