From 8659bc21482615ccf471478016fe81400fdb9794 Mon Sep 17 00:00:00 2001
From: Erik Fonnesbeck
Date: Mon, 3 May 2010 23:48:49 -0600
Subject: Reflection can have side effects unexpected to the user with rules using any for destination address, so change any to the interface subnet for reflection rules, which should be closer to the desired behavior in most cases but without the side effect.
---
etc/inc/filter.inc | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-) (limited to 'etc/inc')
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 686b61c..0aaa890 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -824,6 +824,23 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstaddr_
 $rflctintrange = "";
 $dstaddr = $dstaddr[0];
+ if(isset($rule['destination']['any'])) {
+ if(!$rule['interface'])
+ $natif = "wan";
+ else
+ $natif = $rule['interface'];
+
+ if(!isset($FilterIflist[$natif]))
+ return "";
+ if(is_ipaddr($FilterIflist[$natif]['ip']))
+ $dstaddr = $FilterIflist[$natif]['ip'];
+ else
+ return "";
+
+ if(!empty($FilterIflist[$natif]['sn']))
+ $dstaddr = gen_subnet($dstaddr, $FilterIflist[$natif]['sn']) . '/' . $FilterIflist[$natif]['sn'];
+ }
+
 if (is_alias($rule['target']))
 $target = filter_expand_alias($rule['target']);
 else if(is_ipaddr($rule['target']))
@@ -831,7 +848,7 @@ function filter_generate_reflection($rule, $nordr, $rdr_ifs, $srcaddr, $dstaddr_
 else if (is_ipaddr($FilterIflist[$rule['target']]['ip']))
 $target = $FilterIflist[$rule['target']]['ip'];
 else
- return "\n";
+ return "";
 if($rule['local-port'])
 $lrange_start = $rule['local-port'];
-- cgit v1.1
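Review bot: In the first hunk (`@@ -824,6 +824,23 @@`) the new `if(isset($rule['destination']['any']))` branch carries no comment, and the code alone does not show how far the reflected destination still reaches. When `sn` is set, `$dstaddr` becomes the whole interface subnet, so internal connections to any other host in that subnet on the forwarded port are still redirected to the internal target, not only those aimed at the firewall's own address. I would put `// "any" is narrowed to the subnet of the rule's interface (default wan); reflection then still matches every address in that subnet` above the branch. Both `return "";` exits drop the reflection rule without any trace, so `// no usable interface address: emit no reflection rule for this NAT entry` on each would help anyone troubleshooting a missing rule. The function starts and ends outside the hunk, so whether `$FilterIflist` is declared `global` before this point cannot be confirmed from here.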