diff --git a/src/www/firewall_nat_1to1_edit.php b/src/www/firewall_nat_1to1_edit.php index d8bc78dca..df12148dc 100644 --- a/src/www/firewall_nat_1to1_edit.php +++ b/src/www/firewall_nat_1to1_edit.php @@ -30,564 +30,440 @@ require_once("guiconfig.inc"); require_once("interfaces.inc"); require_once("pfsense-utils.inc"); -$referer = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/firewall_nat_1to1.php'); +/** + * fetch list of selectable networks to use in form + */ +function formNetworks() { + $networks = array(); + $networks["any"] = gettext("any"); + $networks["pptp"] = gettext("PPTP clients"); + $networks["pppoe"] = gettext("PPPoE clients"); + $networks["l2tp"] = gettext("L2TP clients"); + foreach (get_configured_interface_with_descr() as $ifent => $ifdesc) { + $networks[$ifent] = htmlspecialchars($ifdesc) . " " . gettext("net"); + $networks[$ifent."ip"] = htmlspecialchars($ifdesc). " ". gettext("address"); + } + return $networks; +} +/** + * build array with interface options for this form + */ +function formInterfaces() { + global $config; + $interfaces = array(); + foreach ( get_configured_interface_with_descr(false, true) as $if => $ifdesc) + $interfaces[$if] = $ifdesc; + + if (isset($config['l2tp']['mode']) && $config['l2tp']['mode'] == "server") + $interfaces['l2tp'] = "L2TP VPN"; + + if (isset($config['pptpd']['mode']) && $config['pptpd']['mode'] == "server") + $interfaces['pptp'] = "PPTP VPN"; + + if (is_pppoe_server_enabled()) + $interfaces['pppoe'] = "PPPoE VPN"; + + /* add ipsec interfaces */ + if (isset($config['ipsec']['enable']) || isset($config['ipsec']['client']['enable'])) + $interfaces["enc0"] = "IPsec"; + + /* add openvpn/tun interfaces */ + if (isset($config['openvpn']['openvpn-server']) || isset($config['openvpn']['openvpn-client'])) { + $interfaces['openvpn'] = 'OpenVPN'; + } + return $interfaces; +} + +/** + * obscured by clouds, is_specialnet uses this.. so let's hide it in here. + * let's kill this another day. + */ $specialsrcdst = explode(" ", "any pptp pppoe l2tp openvpn"); $ifdisp = get_configured_interface_with_descr(); foreach ($ifdisp as $kif => $kdescr) { - $specialsrcdst[] = "{$kif}"; - $specialsrcdst[] = "{$kif}ip"; + $specialsrcdst[] = "{$kif}"; + $specialsrcdst[] = "{$kif}ip"; } -if (!is_array($config['nat']['onetoone'])) - $config['nat']['onetoone'] = array(); - +if (!isset($config['nat']['onetoone'])) { + $config['nat']['onetoone'] = array(); +} $a_1to1 = &$config['nat']['onetoone']; -if (is_numericint($_GET['id'])) - $id = $_GET['id']; -if (isset($_POST['id']) && is_numericint($_POST['id'])) - $id = $_POST['id']; +if ($_SERVER['REQUEST_METHOD'] === 'GET') { + // input record id, if valid + if (isset($_GET['dup']) && isset($a_1to1[$_GET['dup']])) { + $configId = $_GET['dup']; + } elseif (isset($_GET['id']) && isset($a_1to1[$_GET['id']])) { + $id = $_GET['id']; + $configId = $id; + } -$after = $_GET['after']; -if (isset($_POST['after'])) - $after = $_POST['after']; - -if (isset($_GET['dup'])) { - $id = $_GET['dup']; - $after = $_GET['dup']; -} - -if (isset($id) && $a_1to1[$id]) { - $pconfig['disabled'] = isset($a_1to1[$id]['disabled']); - - address_to_pconfig($a_1to1[$id]['source'], $pconfig['src'], - $pconfig['srcmask'], $pconfig['srcnot'], - $pconfig['srcbeginport'], $pconfig['srcendport']); - - address_to_pconfig($a_1to1[$id]['destination'], $pconfig['dst'], - $pconfig['dstmask'], $pconfig['dstnot'], - $pconfig['dstbeginport'], $pconfig['dstendport']); - - $pconfig['interface'] = $a_1to1[$id]['interface']; - if (!$pconfig['interface']) + $pconfig = array(); + // set defaults $pconfig['interface'] = "wan"; + $pconfig['src'] = 'lan'; + $pconfig['dst'] = 'any'; + if (isset($configId)) { + // copy settings from config + foreach (array('disabled','interface','external','descr','natreflection') as $fieldname) { + if (isset($a_1to1[$id][$fieldname])) { + $pconfig[$fieldname] = $a_1to1[$id][$fieldname]; + } else { + $pconfig[$fieldname] = null; + } + } + // read settings with some kind of logic + address_to_pconfig($a_1to1[$id]['source'], $pconfig['src'], + $pconfig['srcmask'], $pconfig['srcnot'], + $pconfig['srcbeginport'], $pconfig['srcendport']); - $pconfig['external'] = $a_1to1[$id]['external']; - $pconfig['descr'] = $a_1to1[$id]['descr']; - $pconfig['natreflection'] = $a_1to1[$id]['natreflection']; -} else - $pconfig['interface'] = "wan"; - -if (isset($_GET['dup'])) - unset($id); - -if ($_POST) { - - unset($input_errors); - $pconfig = $_POST; - /* run through $_POST items encoding HTML entties so that the user - * cannot think he is slick and perform a XSS attack on the unwilling - */ - foreach ($_POST as $key => $value) { - $temp = str_replace(">", "", $value); - $newpost = htmlentities($temp); - if($newpost <> $temp) - $input_errors[] = sprintf(gettext("Invalid characters detected (%s). Please remove invalid characters and save again."),$temp); - } - - /* input validation */ - $reqdfields = explode(" ", "interface external"); - $reqdfieldsn = array(gettext("Interface"), gettext("External subnet")); - if ($_POST['srctype'] == "single" || $_POST['srctype'] == "network") { - $reqdfields[] = "src"; - $reqdfieldsn[] = gettext("Source address"); - } - if ($_POST['dsttype'] == "single" || $_POST['dsttype'] == "network") { - $reqdfields[] = "dst"; - $reqdfieldsn[] = gettext("Destination address"); - } - - do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors); - - if ($_POST['external']) - $_POST['external'] = trim($_POST['external']); - if ($_POST['src']) - $_POST['src'] = trim($_POST['src']); - if ($_POST['dst']) - $_POST['dst'] = trim($_POST['dst']); - - if (is_specialnet($_POST['srctype'])) { - $_POST['src'] = $_POST['srctype']; - $_POST['srcmask'] = 0; - } else if ($_POST['srctype'] == "single") { - $_POST['srcmask'] = 32; - } - if (is_specialnet($_POST['dsttype'])) { - $_POST['dst'] = $_POST['dsttype']; - $_POST['dstmask'] = 0; - } else if ($_POST['dsttype'] == "single") { - $_POST['dstmask'] = 32; - } else if (is_ipaddr($_POST['dsttype'])) { - $_POST['dst'] = $_POST['dsttype']; - $_POST['dstmask'] = 32; - $_POST['dsttype'] = "single"; - } - - /* For external, user can enter only ip's */ - if (($_POST['external'] && !is_ipaddr($_POST['external']))) - $input_errors[] = gettext("A valid external subnet must be specified."); - - /* For dst, if user enters an alias and selects "network" then disallow. */ - if ($_POST['dsttype'] == "network" && is_alias($_POST['dst']) ) - $input_errors[] = gettext("You must specify single host or alias for alias entries."); - - /* For src, user can enter only ip's or networks */ - if (!is_specialnet($_POST['srctype'])) { - if (($_POST['src'] && !is_ipaddr($_POST['src']))) { - $input_errors[] = sprintf(gettext("%s is not a valid internal IP address."), $_POST['src']); + address_to_pconfig($a_1to1[$id]['destination'], $pconfig['dst'], + $pconfig['dstmask'], $pconfig['dstnot'], + $pconfig['dstbeginport'], $pconfig['dstendport']); + } else { + // init form data on new + foreach (array('disabled','interface','external','descr','natreflection' + ,'src','srcmask','srcnot','srcbeginport','srcendport' + ,'dst','dstmask','dstnot','dstbeginport','dstendport' + ) as $fieldname) { + if (!isset($pconfig[$fieldname])) { + $pconfig[$fieldname] = null; + } + } } - if (($_POST['srcmask'] && !is_numericint($_POST['srcmask']))) { - $input_errors[] = gettext("A valid internal bit count must be specified."); - } - } - - /* For dst, user can enter ip's, networks or aliases */ - if (!is_specialnet($_POST['dsttype'])) { - if (($_POST['dst'] && !is_ipaddroralias($_POST['dst']))) { - $input_errors[] = sprintf(gettext("%s is not a valid destination IP address or alias."), $_POST['dst']); - } - if (($_POST['dstmask'] && !is_numericint($_POST['dstmask']))) { - $input_errors[] = gettext("A valid destination bit count must be specified."); - } - } - - /* check for overlaps with other 1:1 */ - foreach ($a_1to1 as $natent) { - if (isset($id) && ($a_1to1[$id]) && ($a_1to1[$id] === $natent)) - continue; - - if (check_subnets_overlap($_POST['internal'], $_POST['subnet'], $natent['internal'], $natent['subnet'])) { - //$input_errors[] = "Another 1:1 rule overlaps with the specified internal subnet."; - //break; - } - } - - if (!$input_errors) { - $natent = array(); - - $natent['disabled'] = isset($_POST['disabled']) ? true:false; - $natent['external'] = $_POST['external']; - $natent['descr'] = $_POST['descr']; - $natent['interface'] = $_POST['interface']; - - pconfig_to_address($natent['source'], $_POST['src'], - $_POST['srcmask'], $_POST['srcnot']); - - pconfig_to_address($natent['destination'], $_POST['dst'], - $_POST['dstmask'], $_POST['dstnot']); - - if ($_POST['natreflection'] == "enable" || $_POST['natreflection'] == "disable") - $natent['natreflection'] = $_POST['natreflection']; - else - unset($natent['natreflection']); - - if (isset($id) && $a_1to1[$id]) - $a_1to1[$id] = $natent; - else { - if (is_numeric($after)) - array_splice($a_1to1, $after+1, 0, array($natent)); - else - $a_1to1[] = $natent; +} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') { + $input_errors = array(); + $pconfig = $_POST; + // input record id, if valid + if (isset($_POST['id']) && isset($a_1to1[$_POST['id']])) { + $id = $_POST['id']; } - if (write_config()) - mark_subsystem_dirty('natconf'); - header("Location: firewall_nat_1to1.php"); - exit; - } + // trim input + foreach (array('external','src','dst') as $fieldname) { + if (isset($pconfig[$fieldname])) { + $pconfig[$fieldname] = trim($pconfig[$fieldname]); + } + } + + // validate input + foreach ($pconfig as $key => $value) { + if($value <> htmlentities($value)) + $input_errors[] = sprintf(gettext("Invalid characters detected (%s). Please remove invalid characters and save again."),$temp); + } + + /* input validation */ + $reqdfields = explode(" ", "interface external src dst"); + $reqdfieldsn = array(gettext("Interface"), gettext("External subnet"), gettext("Source address"), gettext("Destination address")); + do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors); + + + /* For external, user can enter only ip's */ + if (!empty($pconfig['external']) && !is_ipaddr($_POST['external'])) { + $input_errors[] = gettext("A valid external subnet must be specified."); + } + /* For src, user can enter only ip's or networks */ + if (!is_specialnet($pconfig['src']) && !is_ipaddroralias($pconfig['src'])) { + $input_errors[] = sprintf(gettext("%s is not a valid source IP address or alias."), $pconfig['src']); + } + if (!empty($pconfig['srcmask']) && !is_numericint($pconfig['srcmask'])) { + $input_errors[] = gettext("A valid source bit count must be specified."); + } + /* For dst, user can enter ip's, networks or aliases */ + if (!is_specialnet($pconfig['dst']) && !is_ipaddroralias($pconfig['dst'])) { + $input_errors[] = sprintf(gettext("%s is not a valid destination IP address or alias."), $pconfig['dst']); + } + if (!empty($pconfig['dstmask']) && !is_numericint($pconfig['dstmask'])) { + $input_errors[] = gettext("A valid destination bit count must be specified."); + } + + if (count($input_errors) == 0) { + $natent = array(); + // 1-on-1 copy + $natent['external'] = $pconfig['external']; + $natent['descr'] = $pconfig['descr']; + $natent['interface'] = $pconfig['interface']; + + // copy form data with some kind of logic in it + $natent['disabled'] = isset($_POST['disabled']) ? true:false; + pconfig_to_address($natent['source'], $pconfig['src'], + $pconfig['srcmask'], !empty($pconfig['srcnot'])); + + pconfig_to_address($natent['destination'], $pconfig['dst'], + $pconfig['dstmask'], !empty($pconfig['dstnot'])); + + if (isset($pconfig['natreflection'] ) && ($pconfig['natreflection'] == "enable" || $pconfig['natreflection'] == "disable")) { + $natent['natreflection'] = $pconfig['natreflection']; + } + + // save data + if (isset($id)) { + $a_1to1[$id] = $natent; + } else { + $a_1to1[] = $natent; + } + + if (write_config()) { + mark_subsystem_dirty('natconf'); + } + header("Location: firewall_nat_1to1.php"); + exit; + } } +legacy_html_escape_form_data($pconfig); $pgtitle = array(gettext("Firewall"),gettext("NAT"),gettext("1:1"),gettext("Edit")); include("head.inc"); - ?> - - - - +
-
-
- - 0) print_input_errors($input_errors); - ?> - -
- -
- -
- -
- +?> +
+
+ +
+
- - - - - + - - + + + + + + + + + + - - + - -
- /> -
- + 		+ +
- + /> + +
+
+
- .
- .
- + +
- -
+
- /> - -
- -
-
- - - - + + + + + - -
   - + /> + +
+ + + -
+
   - - - - - -
- - - -
+
+ + "/> + +
-
- +
- /> - -
- -
-
- + + + + + + - - + + - - + - - +
+ /> + +
+ - -
   - + + "> + + + + + "> + $ifdesc): + ?> + + +
   - - - - - -
- - -
+
+ + " aria-label=""/> + +
-
- +
- -
- - - - 		+ +
+
  +   " /> - " onclick="window.location.href=''" /> - - + " onclick="window.location.href=''" /> + +
- - - - + + + + - - -