From 46bc6e545a17e77202aaf01ec0cd8d5a46567525 Mon Sep 17 00:00:00 2001 From: Renato Botelho Date: Tue, 25 Aug 2015 08:08:24 -0300 Subject: Move main pfSense content to src/ --- src/usr/local/www/firewall_nat_edit.php | 1016 +++++++++++++++++++++++++++++++ 1 file changed, 1016 insertions(+) create mode 100644 src/usr/local/www/firewall_nat_edit.php (limited to 'src/usr/local/www/firewall_nat_edit.php') diff --git a/src/usr/local/www/firewall_nat_edit.php b/src/usr/local/www/firewall_nat_edit.php new file mode 100644 index 0000000..db8a174 --- /dev/null +++ b/src/usr/local/www/firewall_nat_edit.php @@ -0,0 +1,1016 @@ +. + All rights reserved. + + Copyright (C) 2013-2015 Electric Sheep Fencing, LP + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +/* + pfSense_MODULE: nat +*/ + +##|+PRIV +##|*IDENT=page-firewall-nat-portforward-edit +##|*NAME=Firewall: NAT: Port Forward: Edit page +##|*DESCR=Allow access to the 'Firewall: NAT: Port Forward: Edit' page. +##|*MATCH=firewall_nat_edit.php* +##|-PRIV + +require("guiconfig.inc"); +require_once("itemid.inc"); +require_once("filter.inc"); +require("shaper.inc"); + +if (isset($_POST['referer'])) { + $referer = $_POST['referer']; +} else { + $referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/firewall_nat.php'); +} + +$specialsrcdst = explode(" ", "any (self) pptp pppoe l2tp openvpn"); +$ifdisp = get_configured_interface_with_descr(); +foreach ($ifdisp as $kif => $kdescr) { + $specialsrcdst[] = "{$kif}"; + $specialsrcdst[] = "{$kif}ip"; +} + +if (!is_array($config['nat']['rule'])) { + $config['nat']['rule'] = array(); +} +$a_nat = &$config['nat']['rule']; + +if (is_numericint($_GET['id'])) { + $id = $_GET['id']; +} +if (isset($_POST['id']) && is_numericint($_POST['id'])) { + $id = $_POST['id']; +} + +if (is_numericint($_GET['after']) || $_GET['after'] == "-1") { + $after = $_GET['after']; +} +if (isset($_POST['after']) && (is_numericint($_POST['after']) || $_POST['after'] == "-1")) { + $after = $_POST['after']; +} + +if (isset($_GET['dup']) && is_numericint($_GET['dup'])) { + $id = $_GET['dup']; + $after = $_GET['dup']; +} + +if (isset($id) && $a_nat[$id]) { + if (isset($a_nat[$id]['created']) && is_array($a_nat[$id]['created'])) { + $pconfig['created'] = $a_nat[$id]['created']; + } + + if (isset($a_nat[$id]['updated']) && is_array($a_nat[$id]['updated'])) { + $pconfig['updated'] = $a_nat[$id]['updated']; + } + + $pconfig['disabled'] = isset($a_nat[$id]['disabled']); + $pconfig['nordr'] = isset($a_nat[$id]['nordr']); + address_to_pconfig($a_nat[$id]['source'], $pconfig['src'], + $pconfig['srcmask'], $pconfig['srcnot'], + $pconfig['srcbeginport'], $pconfig['srcendport']); + + address_to_pconfig($a_nat[$id]['destination'], $pconfig['dst'], + $pconfig['dstmask'], $pconfig['dstnot'], + $pconfig['dstbeginport'], $pconfig['dstendport']); + + $pconfig['proto'] = $a_nat[$id]['protocol']; + $pconfig['localip'] = $a_nat[$id]['target']; + $pconfig['localbeginport'] = $a_nat[$id]['local-port']; + $pconfig['descr'] = $a_nat[$id]['descr']; + $pconfig['interface'] = $a_nat[$id]['interface']; + $pconfig['associated-rule-id'] = $a_nat[$id]['associated-rule-id']; + $pconfig['nosync'] = isset($a_nat[$id]['nosync']); + $pconfig['natreflection'] = $a_nat[$id]['natreflection']; + + if (!$pconfig['interface']) { + $pconfig['interface'] = "wan"; + } +} else { + $pconfig['interface'] = "wan"; + $pconfig['src'] = "any"; + $pconfig['srcbeginport'] = "any"; + $pconfig['srcendport'] = "any"; +} + +if (isset($_GET['dup']) && is_numericint($_GET['dup'])) { + unset($id); +} + +/* run through $_POST items encoding HTML entities so that the user + * cannot think he is slick and perform a XSS attack on the unwilling + */ +unset($input_errors); +foreach ($_POST as $key => $value) { + $temp = $value; + $newpost = htmlentities($temp); + if ($newpost <> $temp) { + $input_errors[] = sprintf(gettext("Invalid characters detected %s. Please remove invalid characters and save again."), $temp); + } +} + +if ($_POST) { + + if (strtoupper($_POST['proto']) == "TCP" || strtoupper($_POST['proto']) == "UDP" || strtoupper($_POST['proto']) == "TCP/UDP") { + if ($_POST['srcbeginport_cust'] && !$_POST['srcbeginport']) { + $_POST['srcbeginport'] = trim($_POST['srcbeginport_cust']); + } + if ($_POST['srcendport_cust'] && !$_POST['srcendport']) { + $_POST['srcendport'] = trim($_POST['srcendport_cust']); + } + + if ($_POST['srcbeginport'] == "any") { + $_POST['srcbeginport'] = 0; + $_POST['srcendport'] = 0; + } else { + if (!$_POST['srcendport']) { + $_POST['srcendport'] = $_POST['srcbeginport']; + } + } + if ($_POST['srcendport'] == "any") { + $_POST['srcendport'] = $_POST['srcbeginport']; + } + + if ($_POST['dstbeginport_cust'] && !$_POST['dstbeginport']) { + $_POST['dstbeginport'] = trim($_POST['dstbeginport_cust']); + } + if ($_POST['dstendport_cust'] && !$_POST['dstendport']) { + $_POST['dstendport'] = trim($_POST['dstendport_cust']); + } + + if ($_POST['dstbeginport'] == "any") { + $_POST['dstbeginport'] = 0; + $_POST['dstendport'] = 0; + } else { + if (!$_POST['dstendport']) { + $_POST['dstendport'] = $_POST['dstbeginport']; + } + } + if ($_POST['dstendport'] == "any") { + $_POST['dstendport'] = $_POST['dstbeginport']; + } + + if ($_POST['localbeginport_cust'] && !$_POST['localbeginport']) { + $_POST['localbeginport'] = trim($_POST['localbeginport_cust']); + } + + /* Make beginning port end port if not defined and endport is */ + if (!$_POST['srcbeginport'] && $_POST['srcendport']) { + $_POST['srcbeginport'] = $_POST['srcendport']; + } + if (!$_POST['dstbeginport'] && $_POST['dstendport']) { + $_POST['dstbeginport'] = $_POST['dstendport']; + } + } else { + $_POST['srcbeginport'] = 0; + $_POST['srcendport'] = 0; + $_POST['dstbeginport'] = 0; + $_POST['dstendport'] = 0; + } + + if (is_specialnet($_POST['srctype'])) { + $_POST['src'] = $_POST['srctype']; + $_POST['srcmask'] = 0; + } else if ($_POST['srctype'] == "single") { + $_POST['srcmask'] = 32; + } + if (is_specialnet($_POST['dsttype'])) { + $_POST['dst'] = $_POST['dsttype']; + $_POST['dstmask'] = 0; + } else if ($_POST['dsttype'] == "single") { + $_POST['dstmask'] = 32; + } else if (is_ipaddr($_POST['dsttype'])) { + $_POST['dst'] = $_POST['dsttype']; + $_POST['dstmask'] = 32; + $_POST['dsttype'] = "single"; + } + + $pconfig = $_POST; + + /* input validation */ + if (strtoupper($_POST['proto']) == "TCP" or strtoupper($_POST['proto']) == "UDP" or strtoupper($_POST['proto']) == "TCP/UDP") { + $reqdfields = explode(" ", "interface proto dstbeginport dstendport"); + $reqdfieldsn = array(gettext("Interface"), gettext("Protocol"), gettext("Destination port from"), gettext("Destination port to")); + } else { + $reqdfields = explode(" ", "interface proto"); + $reqdfieldsn = array(gettext("Interface"), gettext("Protocol")); + } + + if ($_POST['srctype'] == "single" || $_POST['srctype'] == "network") { + $reqdfields[] = "src"; + $reqdfieldsn[] = gettext("Source address"); + } + if ($_POST['dsttype'] == "single" || $_POST['dsttype'] == "network") { + $reqdfields[] = "dst"; + $reqdfieldsn[] = gettext("Destination address"); + } + if (!isset($_POST['nordr'])) { + $reqdfields[] = "localip"; + $reqdfieldsn[] = gettext("Redirect target IP"); + } + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors); + + if (!$_POST['srcbeginport']) { + $_POST['srcbeginport'] = 0; + $_POST['srcendport'] = 0; + } + if (!$_POST['dstbeginport']) { + $_POST['dstbeginport'] = 0; + $_POST['dstendport'] = 0; + } + + if ($_POST['src']) { + $_POST['src'] = trim($_POST['src']); + } + if ($_POST['dst']) { + $_POST['dst'] = trim($_POST['dst']); + } + if ($_POST['localip']) { + $_POST['localip'] = trim($_POST['localip']); + } + + if (!isset($_POST['nordr']) && ($_POST['localip'] && !is_ipaddroralias($_POST['localip']))) { + $input_errors[] = sprintf(gettext("\"%s\" is not a valid redirect target IP address or host alias."), $_POST['localip']); + } + + if ($_POST['srcbeginport'] && !is_portoralias($_POST['srcbeginport'])) { + $input_errors[] = sprintf(gettext("%s is not a valid start source port. It must be a port alias or integer between 1 and 65535."), $_POST['srcbeginport']); + } + if ($_POST['srcendport'] && !is_portoralias($_POST['srcendport'])) { + $input_errors[] = sprintf(gettext("%s is not a valid end source port. It must be a port alias or integer between 1 and 65535."), $_POST['srcendport']); + } + if ($_POST['dstbeginport'] && !is_portoralias($_POST['dstbeginport'])) { + $input_errors[] = sprintf(gettext("%s is not a valid start destination port. It must be a port alias or integer between 1 and 65535."), $_POST['dstbeginport']); + } + if ($_POST['dstendport'] && !is_portoralias($_POST['dstendport'])) { + $input_errors[] = sprintf(gettext("%s is not a valid end destination port. It must be a port alias or integer between 1 and 65535."), $_POST['dstendport']); + } + + if ((strtoupper($_POST['proto']) == "TCP" || strtoupper($_POST['proto']) == "UDP" || strtoupper($_POST['proto']) == "TCP/UDP") && (!isset($_POST['nordr']) && !is_portoralias($_POST['localbeginport']))) { + $input_errors[] = sprintf(gettext("A valid redirect target port must be specified. It must be a port alias or integer between 1 and 65535."), $_POST['localbeginport']); + } + + /* if user enters an alias and selects "network" then disallow. */ + if (($_POST['srctype'] == "network" && is_alias($_POST['src'])) || + ($_POST['dsttype'] == "network" && is_alias($_POST['dst']))) { + $input_errors[] = gettext("You must specify single host or alias for alias entries."); + } + + if (!is_specialnet($_POST['srctype'])) { + if (($_POST['src'] && !is_ipaddroralias($_POST['src']))) { + $input_errors[] = sprintf(gettext("%s is not a valid source IP address or alias."), $_POST['src']); + } + if (($_POST['srcmask'] && !is_numericint($_POST['srcmask']))) { + $input_errors[] = gettext("A valid source bit count must be specified."); + } + } + if (!is_specialnet($_POST['dsttype'])) { + if (($_POST['dst'] && !is_ipaddroralias($_POST['dst']))) { + $input_errors[] = sprintf(gettext("%s is not a valid destination IP address or alias."), $_POST['dst']); + } + if (($_POST['dstmask'] && !is_numericint($_POST['dstmask']))) { + $input_errors[] = gettext("A valid destination bit count must be specified."); + } + } + + if ($_POST['srcbeginport'] > $_POST['srcendport']) { + /* swap */ + $tmp = $_POST['srcendport']; + $_POST['srcendport'] = $_POST['srcbeginport']; + $_POST['srcbeginport'] = $tmp; + } + if ($_POST['dstbeginport'] > $_POST['dstendport']) { + /* swap */ + $tmp = $_POST['dstendport']; + $_POST['dstendport'] = $_POST['dstbeginport']; + $_POST['dstbeginport'] = $tmp; + } + + if (!$input_errors) { + if (!isset($_POST['nordr']) && ($_POST['dstendport'] - $_POST['dstbeginport'] + $_POST['localbeginport']) > 65535) { + $input_errors[] = gettext("The target port range must be an integer between 1 and 65535."); + } + } + + /* check for overlaps */ + foreach ($a_nat as $natent) { + if (isset($id) && ($a_nat[$id]) && ($a_nat[$id] === $natent)) { + continue; + } + if ($natent['interface'] != $_POST['interface']) { + continue; + } + if ($natent['destination']['address'] != $_POST['dst']) { + continue; + } + if (($natent['proto'] != $_POST['proto']) && ($natent['proto'] != "tcp/udp") && ($_POST['proto'] != "tcp/udp")) { + continue; + } + + list($begp, $endp) = explode("-", $natent['destination']['port']); + if (!$endp) { + $endp = $begp; + } + + if (!((($_POST['dstbeginport'] < $begp) && ($_POST['dstendport'] < $begp)) || + (($_POST['dstbeginport'] > $endp) && ($_POST['dstendport'] > $endp)))) { + $input_errors[] = gettext("The destination port range overlaps with an existing entry."); + break; + } + } + + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/input_validation"); + + if (!$input_errors) { + $natent = array(); + + $natent['disabled'] = isset($_POST['disabled']) ? true:false; + $natent['nordr'] = isset($_POST['nordr']) ? true:false; + + if ($natent['nordr']) { + $_POST['associated-rule-id'] = ''; + $_POST['filter-rule-association'] = ''; + } + + pconfig_to_address($natent['source'], $_POST['src'], + $_POST['srcmask'], $_POST['srcnot'], + $_POST['srcbeginport'], $_POST['srcendport']); + + pconfig_to_address($natent['destination'], $_POST['dst'], + $_POST['dstmask'], $_POST['dstnot'], + $_POST['dstbeginport'], $_POST['dstendport']); + + $natent['protocol'] = $_POST['proto']; + + if (!$natent['nordr']) { + $natent['target'] = $_POST['localip']; + $natent['local-port'] = $_POST['localbeginport']; + } + $natent['interface'] = $_POST['interface']; + $natent['descr'] = $_POST['descr']; + $natent['associated-rule-id'] = $_POST['associated-rule-id']; + + if ($_POST['filter-rule-association'] == "pass") { + $natent['associated-rule-id'] = "pass"; + } + + if ($_POST['nosync'] == "yes") { + $natent['nosync'] = true; + } else { + unset($natent['nosync']); + } + + if ($_POST['natreflection'] == "enable" || $_POST['natreflection'] == "purenat" || $_POST['natreflection'] == "disable") { + $natent['natreflection'] = $_POST['natreflection']; + } else { + unset($natent['natreflection']); + } + + // If we used to have an associated filter rule, but no-longer should have one + if (!empty($a_nat[$id]) && (empty($natent['associated-rule-id']) || $natent['associated-rule-id'] != $a_nat[$id]['associated-rule-id'])) { + // Delete the previous rule + delete_id($a_nat[$id]['associated-rule-id'], $config['filter']['rule']); + mark_subsystem_dirty('filter'); + } + + $need_filter_rule = false; + // Updating a rule with a filter rule associated + if (!empty($natent['associated-rule-id'])) { + $need_filter_rule = true; + } + // Create a rule or if we want to create a new one + if ($natent['associated-rule-id'] == 'new') { + $need_filter_rule = true; + unset($natent['associated-rule-id']); + $_POST['filter-rule-association']='add-associated'; + } + // If creating a new rule, where we want to add the filter rule, associated or not + else if (isset($_POST['filter-rule-association']) && + ($_POST['filter-rule-association'] == 'add-associated' || + $_POST['filter-rule-association'] == 'add-unassociated')) { + $need_filter_rule = true; + } + + if ($need_filter_rule == true) { + + /* auto-generate a matching firewall rule */ + $filterent = array(); + unset($filterentid); + // If a rule already exists, load it + if (!empty($natent['associated-rule-id'])) { + $filterentid = get_id($natent['associated-rule-id'], $config['filter']['rule']); + if ($filterentid === false) { + $filterent['associated-rule-id'] = $natent['associated-rule-id']; + } else { + $filterent =& $config['filter']['rule'][$filterentid]; + } + } + pconfig_to_address($filterent['source'], $_POST['src'], + $_POST['srcmask'], $_POST['srcnot'], + $_POST['srcbeginport'], $_POST['srcendport']); + + // Update interface, protocol and destination + $filterent['interface'] = $_POST['interface']; + $filterent['protocol'] = $_POST['proto']; + $filterent['destination']['address'] = $_POST['localip']; + + $dstpfrom = $_POST['localbeginport']; + $dstpto = $dstpfrom + $_POST['dstendport'] - $_POST['dstbeginport']; + + if ($dstpfrom == $dstpto) { + $filterent['destination']['port'] = $dstpfrom; + } else { + $filterent['destination']['port'] = $dstpfrom . "-" . $dstpto; + } + + /* + * Our firewall filter description may be no longer than + * 63 characters, so don't let it be. + */ + $filterent['descr'] = substr("NAT " . $_POST['descr'], 0, 62); + + // If this is a new rule, create an ID and add the rule + if ($_POST['filter-rule-association'] == 'add-associated') { + $filterent['associated-rule-id'] = $natent['associated-rule-id'] = get_unique_id(); + $filterent['created'] = make_config_revision_entry(null, gettext("NAT Port Forward")); + $config['filter']['rule'][] = $filterent; + } + + mark_subsystem_dirty('filter'); + } + + if (isset($a_nat[$id]['created']) && is_array($a_nat[$id]['created'])) { + $natent['created'] = $a_nat[$id]['created']; + } + + $natent['updated'] = make_config_revision_entry(); + + // Allow extending of the firewall edit page and include custom input validation + pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/pre_write_config"); + + // Update the NAT entry now + if (isset($id) && $a_nat[$id]) { + $a_nat[$id] = $natent; + } else { + $natent['created'] = make_config_revision_entry(); + if (is_numeric($after)) { + array_splice($a_nat, $after+1, 0, array($natent)); + } else { + $a_nat[] = $natent; + } + } + + if (write_config()) { + mark_subsystem_dirty('natconf'); + } + + header("Location: firewall_nat.php"); + exit; + } +} + +$closehead = false; +$pgtitle = array(gettext("Firewall"), gettext("NAT"), gettext("Port Forward"), gettext("Edit")); +include("head.inc"); + +?> + + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ /> +
+ +
+ /> + +
+
+
+
+ +
+ +
+
+   + +
+ " /> - +
+ /> + +
+ +
+
+ + + + + + + + + +
   + +
   + + / + +
+
+ + + + + + + + + +
   + + +
+ + +
+
+ + +
+ '' + +
+ +
+ +
+ + 192.168.1.12 + +
+ +
+
+ + +
+ +
+ +
+ />
+ +
+ +
+ \n"; + echo $linkedrule; + ?> +
+ +

+
 
+ +
+ +
  
  + " /> + " onclick="window.location.href=''" /> + + + + + +
+
+ + + + + -- cgit v1.1