From 4d6f1fddf63d1ff3ff9944b8b02048b4bb402096 Mon Sep 17 00:00:00 2001
From: smos
Date: Tue, 20 Dec 2011 20:55:54 +0100
Subject: Add a checkbox that disabled automatically generates negate rules for directly connected networks and VPNs Ticket #2057 in redmine
---
 etc/inc/filter.inc | 2 +-
 usr/local/www/system_advanced_firewall.php | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index bcd9f4b..967991b 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2045,7 +2045,7 @@ function filter_generate_user_rule($rule) {
 $line = "";
 /* exception(s) to a user rules can go here. */
 /* rules with a gateway or pool should create another rule for routing to vpns */
- if(($aline['route'] <> "") && (trim($aline['type']) == "pass") && strstr($dst, "any")) {
+ if((($aline['route'] <> "") && (trim($aline['type']) == "pass") && strstr($dst, "any")) && (!isset($config['system']['disablenegate']))) {
 /* negate VPN/PPTP/PPPoE/Static Route networks for load balancer/gateway rules */
 $negate_networks = " to ";
 $line .= $aline['type'] . $aline['direction'] . $aline['log'] . $aline['quick'] .
diff --git a/usr/local/www/system_advanced_firewall.php b/usr/local/www/system_advanced_firewall.php
index 2b3f5dd..6983422 100644
--- a/usr/local/www/system_advanced_firewall.php
+++ b/usr/local/www/system_advanced_firewall.php
@@ -57,6 +57,7 @@ $pconfig['optimization'] = $config['filter']['optimization'];
 $pconfig['maximumstates'] = $config['system']['maximumstates'];
 $pconfig['maximumtableentries'] = $config['system']['maximumtableentries'];
 $pconfig['disablereplyto'] = isset($config['system']['disablereplyto']);
+$pconfig['disablenegate'] = isset($config['system']['disablenegate']);
 $pconfig['disablenatreflection'] = $config['system']['disablenatreflection'];
 if (!isset($config['system']['enablebinatreflection']))
 $pconfig['disablebinatreflection'] = "yes";
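Review bot: In etc/inc/filter.inc the added `!isset($config['system']['disablenegate'])` test depends on `$config` being in scope inside filter_generate_user_rule(), whose opening lines are outside this hunk. If the function does not declare `global $config;`, isset() is always false there and the negate rule is still generated with the box ticked, with no error to reveal it, so please confirm the declaration. I would also extend the comment above the condition so the effect on the ruleset is recorded, e.g. `/* skipped when system/disablenegate is set; gateway rules then presumably policy-route traffic to directly connected and VPN networks as well */`.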
@@ -135,6 +136,11 @@ if ($_POST) { else unset($config['system']['disablereplyto']); + if($_POST['disablenegate'] == "yes") + $config['system']['disablenegate'] = $_POST['disablenegate']; + else + unset($config['system']['disablenegate']); + if($_POST['enablenatreflectionhelper'] == "yes") $config['system']['enablenatreflectionhelper'] = "yes"; else @@ -357,6 +363,16 @@ function update_description(itemnum) { + Disable Negate rules + + /> + +
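Review bot: The added branch in system_advanced_firewall.php writes the request value itself into the configuration, `$config['system']['disablenegate'] = $_POST['disablenegate'];`, where the enablenatreflectionhelper branch just below stores the literal. The `== "yes"` test bounds what can arrive today, but assigning the constant keeps request data out of the config however the comparison is later edited: `$config['system']['disablenegate'] = "yes";`. An unticked checkbox is absent from the POST body, so the comparison also reads an undefined index; `if(isset($_POST['disablenegate']) && $_POST['disablenegate'] == "yes")` avoids the notice. The enclosing `if ($_POST) {` block starts and ends outside this hunk.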
+ +
+ + +   1): ?> -- cgit v1.1