-rw-r--r-- | etc/inc/filter.inc | 35 | ||||
-rw-r--r-- | etc/inc/pfsense-utils.inc | 30 | ||||
-rwxr-xr-x | usr/local/www/interfaces.php | 60 |
3 files changed, 67 insertions, 58 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index e34599d..d8a4dce 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -553,7 +553,7 @@ function filter_generate_aliases() { } elseif (!empty($ifcfg['descr']) && !empty($ifcfg['if'])) { /* XXX possibly add 6to4 in the future as well, stf0 */ if ($ifcfg['type6'] == '6rd') - $aliases .= "{$ifcfg['descr']} = \"{ {$ifcfg['if']} srd0 stf0 "; + $aliases .= "{$ifcfg['descr']} = \"{ {$ifcfg['if']} stf0 "; else if ($ifcfg['type6'] == '6to4') $aliases .= "{$ifcfg['descr']} = \"{ {$ifcfg['if']} stf0 "; else @@ -2515,8 +2515,8 @@ EOD; $ipfrules .= <<<EOD # allow our proto 41 traffic from the 6to4 border relay in -pass in on \${$oc['descr']} proto 41 from 192.88.99.1 to any label "Allow 6in4 traffic in for 6to4 on {$oc['descr']}" -pass out on \${$oc['descr']} proto 41 from any to 192.88.99.1 label "Allow 6in4 traffic out for 6to4 on {$oc['descr']}" +pass in on \${$oc['descr']} proto 41 from 192.88.99.1 to (self) label "Allow 6in4 traffic in for 6to4 on {$oc['descr']}" +pass out on \${$oc['descr']} proto 41 from (self) to 192.88.99.1 label "Allow 6in4 traffic out for 6to4 on {$oc['descr']}" EOD; break; @@ -2570,18 +2570,7 @@ EOD; $ipfrules .= "pass out route-to ( {$ifcfg['if']} {$gw} ) from {$ifcfg['ip']} to !{$ifcfg['sa']}/{$ifcfg['sn']} keep state allow-opts label \"let out anything from firewall host itself\"\n"; $gwv6 = get_interface_gateway_v6($ifdescr); - switch($ifcfg['type6']) { - case "6rd": - case "6to4": - $stf = stf0; - $pdlen = 48; - break; - default: - $stf = $ifcfg['if']; - $pdlen = 64; - break; - } - /* FIXME: get the right delegated prefix length, cheating here with /48 */ + $pdlen = 64 - calculate_ipv6_delegation_length($ifdescr); if (is_ipaddrv6($gwv6) && is_ipaddrv6($ifcfg['ipv6'])) $ipfrules .= "pass out route-to ( {$stf} {$gwv6} ) inet6 from {$ifcfg['ipv6']}/$pdlen to !{$ifcfg['ipv6']}/{$pdlen} keep state allow-opts label \"let out anything from firewall host itself\"\n"; } 
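Review bot: `$stf` is still interpolated into `route-to ( {$stf} {$gwv6} )` in the @@ -2570 hunk, but the switch that assigned it is removed and nothing visible sets it again. Unless it is assigned outside the hunk, the generated line has an empty interface name, which pf would likely reject, and a ruleset that fails to load is a real risk on a firewall. Keep the interface selection next to the new length call: `$stf = ($ifcfg['type6'] == '6rd' || $ifcfg['type6'] == '6to4') ? 'stf0' : $ifcfg['if'];`. The enclosing block starts and ends outside the hunk.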
@@ -2704,20 +2693,8 @@ EOD; $ifcfgipv6 = find_interface_ipv6($realif); $trackifname = $config['interfaces'][$ifdescr]['track6-interface']; $trackcfg = $config['interfaces'][$trackifname]; - /* determine possible prefix length */ - switch($trackcfg['ipaddrv6']) { - case "6to4": - $pdlen = 16; - break; - case "6rd": - $rd6plen = explode("/", $trackcfg['prefix-6rd']); - $pdlen =(64 - ($rd6plen[1] + (32 - $trackcfg['prefix-6rd-v4plen']))); - break; - case "dhcp6": - $pdlen = $trackcfg['dhcp6-ia-pd-len']; - break; - } - $pdlen = (64 - $pdlen); + + $pdlen = 64 - calculate_ipv6_delegation_length($trackifname); if(is_ipaddrv6($ifcfgipv6)) { $prefix = Net_IPv6::getNetmask($ifcfgipv6, $pdlen); $ipfrules .= "pass in quick on \${$oc['descr']} inet6 from $prefix/$pdlen to any keep state label \"Allow IPv6 on {$oc['descr']} to any\"\n"; diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc index edc2680..c7083ce 100644 --- a/etc/inc/pfsense-utils.inc +++ b/etc/inc/pfsense-utils.inc @@ -2375,4 +2375,34 @@ function convert_128bit_to_ipv6($ip6bin) { return($ip6addr); } + +/* Returns the calculated bit length of the prefix delegation from the WAN interface */ +/* DHCP-PD is variable, calculate from the prefix-len on the WAN interface */ +/* 6rd is variable, calculate from 64 - (v6 prefixlen - (32 - v4 prefixlen)) */ +/* 6to4 is 16 bits, e.g. 65535 */ +function calculate_ipv6_delegation_length($if) { + global $config; + + if(!is_array($config['interfaces'][$if])) + return false; + + switch($config['interfaces'][$if]['ipaddrv6']) { + case "6to4": + $pdlen = 16; + break; + case "6rd": + $rd6cfg = $config['interfaces'][$if]; + $rd6plen = explode("/", $rd6cfg['prefix-6rd']); + $pdlen = (64 - ($rd6plen[1] + (32 - $rd6cfg['prefix-6rd-v4plen']))); + break; + case "dhcp6": + $dhcp6cfg = $config['interfaces'][$if]; + $pdlen = $dhcp6cfg['dhcp6-ia-pd-len']; + break; + default: + $pdlen = 0; + break; + } + return($pdlen); +} ?> 
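Review bot: The `pass in quick ... from $prefix/$pdlen` rule in the @@ -2704 hunk is emitted even when `track6-interface` is unset or names an interface that no longer exists. In that case `calculate_ipv6_delegation_length()` returns `false`, and `64 - false` silently becomes 64. `$trackcfg` is still fetched but no longer consulted, so it can serve as the guard: `if(is_array($trackcfg) && is_ipaddrv6($ifcfgipv6)) {`. The same arithmetic on a possibly-false return appears in the @@ -2570 hunk and in the `track6-prefix-id` dropdown in interfaces.php. The enclosing block starts outside the hunk.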
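Review bot: The 6rd branch of `calculate_ipv6_delegation_length()` reads `$rd6plen[1]` without checking that `prefix-6rd` contained a `/`, and nothing bounds the result. With the length missing the function returns `32 + prefix-6rd-v4plen`, which the filter.inc callers turn into a much shorter, and so wider, prefix in a pass rule. Presumably the GUI validates these fields on save, but the helper also runs on restored or hand-edited configs, so it should reject malformed values and clamp the result itself. Returning 0 instead of `false` for an unknown interface would also give callers one return type. The header comment gives the 6rd formula as `v6 prefixlen - (32 - v4 prefixlen)` while the code adds the two terms, so one of them needs correcting.

```php
function calculate_ipv6_delegation_length($if) {
	// … unchanged: global $config, is_array() guard, 6to4 case …
		case "6rd":
			$rd6cfg = $config['interfaces'][$if];
			$rd6plen = explode("/", $rd6cfg['prefix-6rd']);
			/* a prefix without "/len" or a non-numeric v4 length means no usable delegation */
			if (count($rd6plen) != 2 || !is_numeric($rd6plen[1]) || !is_numeric($rd6cfg['prefix-6rd-v4plen']))
				return 0;
			$pdlen = (64 - ($rd6plen[1] + (32 - $rd6cfg['prefix-6rd-v4plen'])));
			break;
	// … unchanged: dhcp6 and default cases …
	/* callers compute 64 - result, so keep the result within 0..64 */
	return max(0, min(64, intval($pdlen)));
}
```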
diff --git a/usr/local/www/interfaces.php b/usr/local/www/interfaces.php
index b1d6a92..fc3b1cc 100755
--- a/usr/local/www/interfaces.php
+++ b/usr/local/www/interfaces.php
@@ -500,20 +500,32 @@ if ($_POST['apply']) { } case "dhcp6": if (in_array($wancfg['ipaddrv6'], array())) - $input_errors[] = sprintf(gettext("You have to reassign the interface to be able to configure as %s."),$_POST['type']); + $input_errors[] = sprintf(gettext("You have to reassign the interface to be able to configure as %s."),$_POST['type6']); break; case "6rd": + foreach ($ifdescrs as $ifent => $ifdescr) { + if ($if != $ifent && (($_POST['ipaddrv6'] == $_POST['type6']) || ($_POST['ipaddrv6'] == "6to4")) ) { + $input_errors[] = sprintf(gettext("You can only have one interface configured as %s or 6to4."),$_POST['type6']); + break; + } + } if (in_array($wancfg['ipaddrv6'], array())) - $input_errors[] = sprintf(gettext("You have to reassign the interface to be able to configure as %s."),$_POST['type']); + $input_errors[] = sprintf(gettext("You have to reassign the interface to be able to configure as %s."),$_POST['type6']); break; case "6to4": + foreach ($ifdescrs as $ifent => $ifdescr) { + if ($if != $ifent && (($_POST['ipaddrv6'] == $_POST['type6']) || ($_POST['ipaddrv6'] == "6rd")) ) { + $input_errors[] = sprintf(gettext("You can only have one interface configured as %s or 6rd."),$_POST['type6']); + break; + } + } if (in_array($wancfg['ipaddrv6'], array())) - $input_errors[] = sprintf(gettext("You have to reassign the interface to be able to configure as %s."),$_POST['type']); + $input_errors[] = sprintf(gettext("You have to reassign the interface to be able to configure as %s."),$_POST['type6']); break; case "track6": /* needs to check if $track6-prefix-id is used on another interface */ if (in_array($wancfg['ipaddrv6'], array())) - $input_errors[] = sprintf(gettext("You have to reassign the interface to be able to configure as %s."),$_POST['type']); + $input_errors[] = sprintf(gettext("You have to reassign the interface to be able to configure as %s."),$_POST['type6']); break; } 
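Review bot: The new "only one interface" loops in the `6rd` and `6to4` cases never look at the other interface's configuration. The condition compares `$_POST['ipaddrv6']` with `$_POST['type6']` and a literal, so apart from `$if != $ifent` it is the same on every iteration, and it either fires for any other interface or never fires. If the intent is to refuse a second tunnel interface, test the saved setting of `$ifent`, e.g. `if ($if != $ifent && in_array($config['interfaces'][$ifent]['ipaddrv6'], array("6rd", "6to4"))) {`. Separately, the messages now embed the raw `$_POST['type6']`; whether that is HTML-escaped depends on how `$input_errors` is rendered outside this hunk, so it is safer to report the matched case label than the posted value. The switch begins outside the hunk.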
@@ -1823,38 +1835,28 @@ $types6 = array("none" => gettext("None"), "staticv6" => gettext("Static IPv6"), <td width="78%" class="vtable"> <select name="track6-prefix-id" class="formselect" id="track6-prefix-id"> <?php - /* DHCP-PD is variable, calculate from the prefix-len on the WAN interface */ - /* 6rd is variable, calculate from 64 - (v6 prefixlen - (32 - v4 prefixlen)) */ - /* 6to4 is 16 bits, e.g. 65535 */ - switch($config['interfaces'][$pconfig['track6-interface']]['ipaddrv6']) { - case "6to4": - $pdlen = 16; - break; - case "6rd": - $rd6cfg = $config['interfaces'][$pconfig['track6-interface']]; - $rd6plen = explode("/", $rd6cfg['prefix-6rd']); - $pdlen = (64 - ($rd6plen[1] + (32 - $rd6cfg['prefix-6rd-v4plen']))); - break; - case "dhcp6": - $dhcp6cfg = $config['interfaces'][$pconfig['track6-interface']]; - $pdlen = $dhcp6cfg['dhcp6-ia-pd-len']; - break; - default: - $pdlen = 0; + if((count($dynv6ifs) == 1) && (!isset($pconfig['track6-interface']))) { + foreach($dynv6ifs as $trackif => $trackdescr) break; + $pdlen = calculate_ipv6_delegation_length($trackif); + } else { + $pdlen = calculate_ipv6_delegation_length($pconfig['track6-interface']); } - print_r($pconfig['track6-interface']); + + $numbers = pow(2, $pdlen); if($pconfig['track6-prefix-id'] == "none") $selected = "selected"; echo "<option value=\"none\" {$selected}>". gettext("None") ."</option>\n"; - $numbers = pow(2, $pdlen); + $choices = array(); for($i = 0;$i < $numbers; $i++) { - echo "<option value=\"{$i}\" "; - if ("$i" == $pconfig['track6-prefix-id']) { - echo "selected"; - } - echo ">" . dechex($i) . "</option>\n"; + if ("$i" == $pconfig['track6-prefix-id']) + $selected = "selected"; + else + $selected = ""; + + $choices[] = sprintf("<option value=\"%d\" $selected>%0x</option>", $i, $i); } + echo implode("\n", $choices); ?> </select> <?=gettext("The value in this field is the (Delegated) IPv6 prefix id. This determines the configurable network ID based on the dynamic IPv6 connection"); ?> |
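Review bot: `$numbers = pow(2, $pdlen)` sizes the option loop with no upper bound on `$pdlen`. The value now comes from `calculate_ipv6_delegation_length()`, which does not range-check the 6rd and dhcp6 settings. A configuration that yields, say, 32 bits would make the page try to build billions of `<option>` strings in `$choices`, exhausting memory or execution time on the management GUI. Bound the value before the loop, e.g. `$pdlen = max(0, min(16, intval($pdlen)));`. The 16 matches the helper's 6to4 case and should be replaced with whatever largest delegation the page is meant to offer. The surrounding template starts and ends outside the hunk.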