From a6aedcd141d649d30ff4182bc5cc8f2fc371b7c3 Mon Sep 17 00:00:00 2001
From: Erik Fonnesbeck
Date: Tue, 17 Apr 2012 23:04:59 -0600
Subject: Clean up filter_generate_reflection_nat, remove obsolete checks, and add new checks that are now needed. Ticket #2240
---
 etc/inc/filter.inc | 67 ++++++++++++++++++++++++++----------------------------
 1 file changed, 32 insertions(+), 35 deletions(-)
(limited to 'etc')
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index c204266..472be3e 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -777,7 +777,10 @@ function filter_get_direct_networks_list($returnsubnetsonly = true) {
 			if($returnsubnetsonly) {
 				$networks_arr[] = $subnet;
 			} else {
-				$networks_arr[] = array('subnet' => $subnet, 'if' => $ifent);
+				$networks_arr[] = array(
+					'subnet' => $subnet,
+					'if' => $ifent,
+					'ip' => $ifcfg['ip']);
 			}
 		}
 	}
@@ -791,7 +794,10 @@ function filter_get_direct_networks_list($returnsubnetsonly = true) {
 			if($returnsubnetsonly) {
 				$networks_arr[] = $subnet;
 			} else {
-				$networks_arr[] = array('subnet' => $subnet, 'if' => $vip['interface']);
+				$networks_arr[] = array(
+					'subnet' => $subnet,
+					'if' => $vip['interface'],
+					'ip' => $vip['subnet']);
 			}
 		}
 	}
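Review bot: The new `'ip'` element is filled from two differently named config fields, `$ifcfg['ip']` in the first hunk and `$vip['subnet']` in the second, and nothing at the VIP entry says that the VIP `subnet` field presumably holds the address itself rather than a network, so a reader of the second hunk will suspect a bug. A one-line comment on that entry, `/* for a VIP the config 'subnet' field is the address itself (mask is kept separately) */`, would settle it. The value can also be empty or absent for an interface with no IPv4 address, so consumers of filter_get_direct_networks_list(false) must keep treating `ip` as optional; that is worth stating in the function's docblock, which lies outside both hunks together with the `$ifcfg` and `$vip` loop variables.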
@@ -995,20 +1001,19 @@ function filter_generate_reflection_nat($rule, &$route_table, $nat_ifs, $protoco
 	$target_subnet = 32;
 
 	if(!is_array($route_table)) {
-		$route_table = array();
 		/* get a simulated IPv4-only route table based on the config */
 		$route_table = filter_get_direct_networks_list(false);
 		foreach($route_table as $rt_key => $rt_ent) {
 			if(!is_subnetv4($rt_ent['subnet']))
 				unset($route_table[$rt_key]);
-			if(isset($route_table[$rt_key]))
-				$route_table[$rt_key]['if'] = get_real_interface($rt_ent['if']);
+			if(isset($route_table[$rt_key]) && isset($FilterIflist[$rt_ent['if']]['if']))
+				$route_table[$rt_key]['if'] = $FilterIflist[$rt_ent['if']]['if'];
 		}
 	}
 
 	/* Check if the target is accessed through a static route */
 	foreach($route_table as $route) {
-		if(is_subnet($route['subnet']) && is_ipaddr($route['gateway'])) {
+		if(isset($route['gateway']) && is_ipaddr($route['gateway'])) {
 			$subnet_split = explode("/", $route['subnet']);
 			if(in_array($route['if'], $nat_ifs) && check_subnets_overlap($target_ip, $target_subnet, $subnet_split[0], $subnet_split[1])) {
 				$target_ip = $route['gateway'];
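Review bot: The added `isset($FilterIflist[$rt_ent['if']]['if'])` condition changes what happens to a direct network whose configured interface is not present in `$FilterIflist`: previously its `if` was always translated with get_real_interface(), now it silently keeps the config-side name, which will presumably never match the real interface names compared against `$nat_ifs` and `$subnet_if` later in the function, so such entries remain in the table as dead weight. If skipping them is intended, drop them explicitly so later loops do not iterate over them, e.g. `elseif(isset($route_table[$rt_key])) unset($route_table[$rt_key]);` after the assignment, and say why in a comment; if not, the old fallback should be kept. Removing the `is_subnet()` guard on the static-route loop is fine for the table built here, since it is filtered by is_subnetv4() just above, but that does not hold for a `$route_table` a caller passes in through the by-reference parameter. The body of filter_generate_reflection_nat begins before this hunk.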
@@ -1020,37 +1025,29 @@ function filter_generate_reflection_nat($rule, &$route_table, $nat_ifs, $protoco
 
 	/* Search for matching subnets in the routing table */
 	foreach($route_table as $route) {
-		if(is_subnet($route['subnet'])) {
-			$subnet = $route['subnet'];
-			$subnet_split = explode("/", $subnet);
-			$subnet_if = $route['if'];
-			if(in_array($subnet_if, $nat_ifs) && check_subnets_overlap($target_ip, $target_subnet, $subnet_split[0], $subnet_split[1])) {
-				$ifsubnet_ip = "";
-				foreach ($FilterIflist as $ifent => $ifname) {
-					if(ip_in_subnet($ifname['ip'], $subnet) && $ifname['if'] == $subnet_if) {
-						$ifsubnet_ip = $ifname['ip'];
-						break;
-					}
-				}
-				if(empty($ifsubnet_ip)) {
-					foreach(get_configured_ip_aliases_list() as $subnet_ip => $ifent) {
-						if(ip_in_subnet($subnet_ip, $subnet) && $FilterIflist[$ifent]['if'] == $subnet_if) {
-							$ifsubnet_ip = $subnet_ip;
-							break;
-						}
-					}
+		$subnet = $route['subnet'];
+		$subnet_split = explode("/", $subnet);
+		$subnet_if = $route['if'];
+		if(in_array($subnet_if, $nat_ifs) && check_subnets_overlap($target_ip, $target_subnet, $subnet_split[0], $subnet_split[1])) {
+			$ifsubnet_ip = "";
+			/* Find interface IP to use for NAT */
+			foreach ($route_table as $ifnetwork) {
+				if(isset($ifnetwork['ip']) && is_ipaddr($ifnetwork['ip']) && $ifnetwork['if'] == $subnet_if && ip_in_subnet($ifnetwork['ip'], $subnet)) {
+					$ifsubnet_ip = $ifnetwork['ip'];
+					break;
 				}
-				if(!empty($ifsubnet_ip)) {
-					$subnets = array($subnet);
-					foreach($route_table as $rtentry) {
-						if(is_subnet($rtentry['subnet']) && is_ipaddr($rtentry['gateway']) && ip_in_subnet($rtentry['gateway'], $subnet) && $rtentry['if'] == $subnet_if)
-							$subnets[] = $rtentry['subnet'];
-					}
-					if(count($subnets) > 1)
-						$subnet = "{ " . implode(" ", $subnets) . " }";
-					$natrules .= "no nat on {$subnet_if}{$protocol_text} from {$subnet_if} to {$target}\n";
-					$natrules .= "nat on {$subnet_if}{$protocol_text} from {$subnet} to {$target} -> {$ifsubnet_ip}{$static_port}\n";
+			}
+			if(!empty($ifsubnet_ip)) {
+				$subnets = array($subnet);
+				/* Find static routes that also need to be referenced in the NAT rule */
+				foreach($route_table as $rtentry) {
+					if(isset($rtentry['gateway']) && is_ipaddr($rtentry['gateway']) && $rtentry['if'] == $subnet_if && ip_in_subnet($rtentry['gateway'], $subnet))
+						$subnets[] = $rtentry['subnet'];
 				}
+				if(count($subnets) > 1)
+					$subnet = "{ " . implode(" ", $subnets) . " }";
+				$natrules .= "no nat on {$subnet_if}{$protocol_text} from {$subnet_if} to {$target}\n";
+				$natrules .= "nat on {$subnet_if}{$protocol_text} from {$subnet} to {$target} -> {$ifsubnet_ip}{$static_port}\n";
 			}
 		}
 	}
-- 
cgit v1.1