From bdee20c620f29a193b17cbfbd924e8d60409989d Mon Sep 17 00:00:00 2001 From: Seth Mos Date: Wed, 25 Apr 2007 20:22:17 +0000 Subject: Merge 2nd pass NAT rule generation. Take ipsec and voip into account. MFC: Soon? --- etc/inc/filter.inc | 63 +++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 50 insertions(+), 13 deletions(-) (limited to 'etc') diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index e88df88..e9660e0 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -684,15 +684,15 @@ function filter_nat_rules_generate() { } } else { /* standard outbound rules (one for each interface) */ - /* create ipsec passthru rule if requested */ - if (isset($config['nat']['ipsecpassthru']['enable'])) { - $natrules .= filter_nat_rules_generate_if($wanif, - "{$lansa}/{$lancfg['subnet']}", 500, "", 500, null, 500, false); - } update_filter_reload_status("Creating outbound NAT rules"); - $natrules .= filter_nat_rules_generate_if($wanif, "{$lansa}/{$lancfg['subnet']}"); + $natrules .= filter_nat_rules_generate_if($wanif, + "{$lansa}/{$lancfg['subnet']}", 500, "", 500, null, 500, false); + $natrules .= filter_nat_rules_generate_if($wanif, + "{$lansa}/{$lancfg['subnet']}", 5060, "", 5060, null, 5060, false); + $natrules .= filter_nat_rules_generate_if($wanif, + "{$lansa}/{$lancfg['subnet']}"); /* optional interfaces */ for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { 
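Review bot: The `isset($config['nat']['ipsecpassthru']['enable'])` gate is dropped and the port-500 rule — now joined by a 5060 one — is emitted unconditionally for the LAN subnet, so if that option is still stored in the config and exposed in the GUI it becomes a silent no-op. Either keep the two port-specific calls behind the option (`if (isset($config['nat']['ipsecpassthru']['enable'])) {` … `}`) or remove the option from the config schema and UI in the same commit, and say which in the commit message. Nothing in the hunk ties the new 5060 rule to any setting, so a comment such as `/* static-port NAT for IKE (500) and SIP (5060) so the remote peer sees the original source port */` above the calls would help — wording to be confirmed against what filter_nat_rules_generate_if does with the `500, "", 500, null, 500, false` arguments, which are outside the hunk. filter_nat_rules_generate() starts before and ends after this hunk.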
@@ -707,8 +707,21 @@ function filter_nat_rules_generate() { */ if((interface_has_gateway("opt{$i}"))) { $natrules .= filter_nat_rules_generate_if($optcfg['if'], + "{$lansa}/{$lancfg['subnet']}", 500, "", 500, null, 500, false); + $natrules .= filter_nat_rules_generate_if($optcfg['if'], + "{$lansa}/{$lancfg['subnet']}", 5060, "", 5060, null, 5060, false); + $natrules .= filter_nat_rules_generate_if($optcfg['if'], "{$lansa}/{$lancfg['subnet']}", null, "", null, null, null, isset($optcfg['nonat'])); } + + /* create outbound nat entries for primary wan */ + $natrules .= filter_nat_rules_generate_if($wanif, + "{$optsa}/{$optcfg['subnet']}", 500, "", 500, null, 500, false); + $natrules .= filter_nat_rules_generate_if($wanif, + "{$optsa}/{$optcfg['subnet']}", 5060, "", 5060, null, 5060, false); + $natrules .= filter_nat_rules_generate_if($wanif, + "{$optsa}/{$optcfg['subnet']}", null, "", null, null, null, isset($optcfg['nonat'])); + /* create outbound nat entries for all opt wans */ $optints = array(); generate_optcfg_array($optints); @@ -716,13 +729,13 @@ function filter_nat_rules_generate() { $opt_interface = $oc['if']; if (interface_has_gateway("opt{$i}")) { $natrules .= filter_nat_rules_generate_if($opt_interface, + "{$optsa}/{$optcfg['subnet']}", 500, "", 500, null, 500, false); + $natrules .= filter_nat_rules_generate_if($opt_interface, + "{$optsa}/{$optcfg['subnet']}", 5060, "", 5060, null, 5060, false); + $natrules .= filter_nat_rules_generate_if($opt_interface, "{$optsa}/{$optcfg['subnet']}", null, "", null, null, null, isset($optcfg['nonat'])); } } - - /* create outbound nat entries for primary wan */ - $natrules .= filter_nat_rules_generate_if($wanif, - "{$optsa}/{$optcfg['subnet']}", null, "", null, null, null, isset($optcfg['nonat'])); } } 
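Review bot: The new port-500 and port-5060 calls inside `if((interface_has_gateway("opt{$i}")))` and in the relocated primary-WAN block pass `false` as the last argument while the general rule passes `isset($optcfg['nonat'])`, so an OPT subnet marked no-NAT still gets its IKE and SIP traffic translated; pf applies the first matching translation rule, and these two precede the general rule. The opt-WAN loop in the next hunk (@@ -716,13) has the same mismatch. Guard the two port-specific calls at each site with `if (!isset($optcfg['nonat'])) {` … `}`, or pass `isset($optcfg['nonat'])` through if filter_nat_rules_generate_if handles the flag sensibly for a port-specific rule — its body is outside the hunk. The enclosing for-loop over OPT interfaces starts before this hunk.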
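Review bot: The condition the new lines are added under, `if (interface_has_gateway("opt{$i}"))`, tests the outer loop's `$i` rather than the `$oc` entry being iterated, so every interface in `$optints` is gated on whether opt{$i} has a gateway instead of whether it does itself; the PPTP and PPPoE loops later in this file use `interface_has_gateway($opt_interface)`. This is context rather than new code, but the commit triples the rules emitted under it, so it is worth confirming; if it is a bug the fix is `if (interface_has_gateway($opt_interface)) {`. The primary-WAN block removed at the end of this hunk reappears earlier in the same loop in the previous hunk; since those rules are on `$wanif` and these on `$opt_interface`, the move should not change which rule pf matches first. Both enclosing loops start before this hunk.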
@@ -732,6 +745,10 @@ function filter_nat_rules_generate() { if($config['pptp']['pptp_subnet'] <> "") $pptp_subnet = $config['pptp']['pptp_subnet']; $natrules .= filter_nat_rules_generate_if($wanif, + "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 500, "", 500, null, 500, false); + $natrules .= filter_nat_rules_generate_if($wanif, + "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 5060, "", 5060, null, 5060, false); + $natrules .= filter_nat_rules_generate_if($wanif, "{$pptpdcfg['remoteip']}/{$pptp_subnet}"); /* generate nat mappings for opts with a gateway opts */ @@ -739,6 +756,10 @@ function filter_nat_rules_generate() { $opt_interface = $oc['if']; if ((is_private_ip($pptpdcfg['remoteip'])) && (interface_has_gateway($opt_interface))) { $natrules .= filter_nat_rules_generate_if($opt_interface, + "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 500, "", 500, null, 500, false); + $natrules .= filter_nat_rules_generate_if($opt_interface, + "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 5060, "", 5060, null, 5060, false); + $natrules .= filter_nat_rules_generate_if($opt_interface, "{$pptpdcfg['remoteip']}/{$pptp_subnet}"); } } @@ -750,6 +771,10 @@ function filter_nat_rules_generate() { if($config['pppoe']['pppoe_subnet'] <> "") $pppoe_subnet = $config['pppoe']['pppoe_subnet']; $natrules .= filter_nat_rules_generate_if($wanif, + "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 500, "", 500, null, 500, false); + $natrules .= filter_nat_rules_generate_if($wanif, + "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 5060, "", 5060, null, 5060, false); + $natrules .= filter_nat_rules_generate_if($wanif, "{$pppoecfg['remoteip']}/{$pppoe_subnet}"); /* generate nat mappings for opts with a gateway opts */ 
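Review bot: The static-port-500 / static-port-5060 / general triple is now pasted verbatim at ten call sites (this hunk and @@ -739, -750, -757, -768, plus the LAN and OPT sites earlier in the patch), each differing only in interface, source network and no-NAT flag, which is exactly how the per-site inconsistencies in the flag and argument lists crept in. A small helper that emits the three rules in the required order — port-specific first, since pf takes the first matching translation rule — would collapse each site to one call; a sketch follows, assuming the explicit `null, "", null, null, null` arguments match filter_nat_rules_generate_if's defaults, which are outside the hunk. This site would then read `$natrules .= filter_nat_rules_generate_outbound($wanif, "{$pptpdcfg['remoteip']}/{$pptp_subnet}");`. filter_nat_rules_generate() starts before and ends after this hunk.
```php
/* Outbound NAT rules for one source network on $if: the static-port
 * rules for IKE (500) and SIP (5060) come first so pf matches them
 * before the general rule; only the general rule honours the no-NAT
 * flag, as at the existing call sites. */
function filter_nat_rules_generate_outbound($if, $src, $nonat = false) {
	$rules  = filter_nat_rules_generate_if($if, $src, 500, "", 500, null, 500, false);
	$rules .= filter_nat_rules_generate_if($if, $src, 5060, "", 5060, null, 5060, false);
	$rules .= filter_nat_rules_generate_if($if, $src, null, "", null, null, null, $nonat);
	return $rules;
}
```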
@@ -757,6 +782,10 @@ function filter_nat_rules_generate() { $opt_interface = $oc['if']; if ((is_private_ip($pppoecfg['remoteip'])) && (interface_has_gateway($opt_interface))) { $natrules .= filter_nat_rules_generate_if($opt_interface, + "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 500, "", 500, null, 500, false); + $natrules .= filter_nat_rules_generate_if($opt_interface, + "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 5060, "", 5060, null, 5060, false); + $natrules .= filter_nat_rules_generate_if($opt_interface, "{$pppoecfg['remoteip']}/{$pppoe_subnet}"); } } @@ -768,14 +797,22 @@ function filter_nat_rules_generate() { $netip = explode("/", $route['network']); if ((! interface_has_gateway($route['interface'])) && (is_private_ip($netip[0]))) { $natrules .= filter_nat_rules_generate_if($wanif, - $route['network'], "", null); + "{$route['network']}", 500, "", 500, null, 500, false); + $natrules .= filter_nat_rules_generate_if($wanif, + "{$route['network']}", 5060, "", 5060, null, 5060, false); + $natrules .= filter_nat_rules_generate_if($wanif, + "{$route['network']}", "", null); } /* generate nat mapping for static routes on opts */ foreach($optints as $oc) { $opt_interface = $oc['if']; if ((! interface_has_gateway($route['interface'])) && (is_private_ip($netip[0])) && (interface_has_gateway($opt_interface))) { $natrules .= filter_nat_rules_generate_if($opt_interface, - $route['network'], "", null); + "{$route['network']}", 500, "", 500, null, 500, false); + $natrules .= filter_nat_rules_generate_if($opt_interface, + "{$route['network']}", 5060, "", 5060, null, 5060, false); + $natrules .= filter_nat_rules_generate_if($opt_interface, + "{$route['network']}", "", null); } } @@ -784,7 +821,7 @@ function filter_nat_rules_generate() { } - $natrules .= "#SSH Lockout Table\n"; + $natrules .= "\n#SSH Lockout Table\n"; $natrules .= "table persist\n\n"; /* is SPAMD insalled? */ -- cgit v1.1
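Review bot: In the static-route hunk (@@ -768,14) the source argument is rewritten from `$route['network']` to `"{$route['network']}"`, which interpolates a lone scalar into a string and just copies it; keep the plain `$route['network']` as the old line had it. The third call at both sites also keeps the old short argument list `"", null` (source port `""`, destination `null`) while every other general rule in the patch passes `null, "", null, null, null, …`, so the route rule alone passes an explicit null destination instead of the default — worth aligning, or a comment explaining why the route case differs, once filter_nat_rules_generate_if's defaults (outside the hunk) are checked. Both foreach loops over routes and `$optints` start before the hunk and filter_nat_rules_generate() ends after it.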