From 3713a333d607dc79f6e4f3a294eaca34f2a5f99c Mon Sep 17 00:00:00 2001 From: Bill Marquette Date: Tue, 4 Oct 2005 02:05:59 +0000 Subject: Fix IPSec passthru (technically, fix any nat entry that would have forced a source port on a nat'd connection) --- etc/inc/filter.inc | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) (limited to 'etc/inc') diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index c9c6885..2868660 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -315,16 +315,14 @@ function filter_flush_state_table() { function filter_nat_rules_generate_if($if, $src, $srcport, $dst, $natport, $target, $nonat) { global $config; - if($src=="/32") + if($src == "/32" || $src{0} == "/") return; - if($src{0} == "/") - return; - $nat = "nat"; + /* Use interface name if IP isn't specified */ if ($target) - $tgt = $target . "/32"; + $tgt = "{$target}/32"; else $tgt = "($if)"; @@ -338,11 +336,14 @@ function filter_nat_rules_generate_if($if, $src, $srcport, $dst, $natport, $targ if ($dst == "") $dst = "any"; + /* Match on this source port */ if ($srcport) - $src .= " port " . $srcport; + $src .= " port {$srcport}"; + /* set the source port the world sees */ if ($natport) - $tgt .= " port " . $natport; + $second_half_of_rule .= " port {$natport}"; + $natrule = "{$nat} on {$if} from {$src} to {$dst} {$second_half_of_rule}\n"; @@ -1915,4 +1916,4 @@ function return_vpn_subnet($adr) { return " # error - {$adr['network']} "; } -?> \ No newline at end of file +?> -- cgit v1.1
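Review bot: The merged guard still reads `$src{0}` when `$src` is the empty string, a case the `"/32"` comparison does not cover; on an empty string that offset read raises a notice and the function carries on to emit a rule with a blank `from` address, and one malformed rule is enough for pfctl to reject the whole ruleset load. Whether an empty `$src` can reach this function depends on its callers, which are not in the hunk, so a cheap guard seems worthwhile: `if ($src == "" || $src == "/32" || $src{0} == "/")`. The body of filter_nat_rules_generate_if continues past the end of this hunk.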
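Review bot: `$second_half_of_rule` is only ever appended to with `.=` inside `if ($natport)` and is then interpolated into `$natrule` unconditionally, so for every NAT entry without a port it is an undefined variable at the interpolation (a PHP notice, and an empty string in the emitted rule). Initialise it next to the new comment, `$second_half_of_rule = "";` before `if ($natport)`. The comment `/* set the source port the world sees */` also deserves a second look: as written the clause lands after `to {$dst}`, where pf's nat grammar reads `port` as a destination-port match, whereas the translated source port belongs after the `-> {$tgt}` target, which is presumably appended further down. The rest of the function, including wherever `$tgt` is used, lies outside the hunk, so please confirm which placement is intended.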