lucaspalomodevelop/core
1
0
Fork 0
mirror of https://github.com/lucaspalomodevelop/core.git synced 2026-03-15 17:14:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

Firewall/Nat, cleanup outbound overview page, ditch some old code

Browse Source
This commit is contained in:
Ad Schellevis 2018-01-01 20:10:52 +01:00
parent 1955d26b80
commit 30366b8bee
1 changed files with 35 additions and 362 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

397
src/www/firewall_nat_out.php
View File

@ -33,277 +33,6 @@ require_once("filter.inc");
require_once("interfaces.inc");
function filter_nat_rules_outbound_automatic(&$FilterIflist, $src)
{
global $config ;
$rules = array();
foreach ($FilterIflist as $if => $ifcfg) {
if (substr($ifcfg['if'], 0, 4) == 'ovpn') {
continue;
}
if (!interface_has_gateway($if)) {
continue;
}
$natent = array();
$natent['interface'] = $if;
$natent['source']['network'] = $src;
$natent['dstport'] = '500';
$natent['target'] = '';
$natent['destination']['any'] = true;
$natent['staticnatport'] = true;
$natent['descr'] = gettext('Auto created rule for ISAKMP');
$rules[] = $natent;
$natent = array();
$natent['interface'] = $if;
$natent['source']['network'] = $src;
$natent['sourceport'] = '';
$natent['target'] = '';
$natent['destination']['any'] = true;
$natent['natport'] = '';
$natent['descr'] = gettext('Auto created rule');
$rules[] = $natent;
}
return $rules;
}
function filter_nat_rules_automatic_tonathosts(&$FilterIflist, $with_descr = false)
{
global $config, $GatewaysList;
$tonathosts = array("127.0.0.0/8");
$descriptions = array(gettext("localhost"));
foreach (get_staticroutes() as $route) {
$netip = explode("/", $route['network']);
if (isset($GatewaysList[$route['gateway']])) {
$gateway =& $GatewaysList[$route['gateway']];
if (!interface_has_gateway($gateway['interface']) && is_private_ip($netip[0])) {
$tonathosts[] = $route['network'];
$descriptions[] = gettext("static route");
}
}
}
/* create outbound nat entries for all local networks */
foreach($FilterIflist as $ocname => $oc) {
if (interface_has_gateway($ocname)) {
continue;
}
if (isset($oc['alias-address']) && is_ipaddr($oc['alias-address'])) {
$tonathosts[] = "{$oc['alias-address']}/{$oc['alias-subnet']}";
$descriptions[] = $oc['descr'] . " " . gettext("DHCP alias address");
}
if (!empty($oc['sa'])) {
$tonathosts[] = "{$oc['sa']}/{$oc['sn']}";
$descriptions[] = $oc['descr'];
if (!empty($oc['vips']) && !empty($oc['internal_dynamic'])) {
foreach ($oc['vips'] as $vip) {
$tonathosts[] = "{$vip['sa']}/{$vip['sn']}";
$descriptions[] = $oc['descr'];
}
} elseif (isset($oc['vips']) && is_array($oc['vips'])) {
$if_subnets = array("{$oc['sa']}/{$oc['sn']}");
foreach ($oc['vips'] as $vip) {
if (!is_ipaddrv4($vip['ip'])) {
continue;
}
foreach ($if_subnets as $subnet) {
if (ip_in_subnet($vip['ip'], $subnet)) {
continue 2;
}
}
$network = gen_subnet($vip['ip'], $vip['sn']);
array_unshift($tonathosts, $network . '/' . $vip['sn']);
array_unshift($descriptions, "Virtual IP ({$oc['descr']})");
$if_subnets[] = $network . '/' . $vip['sn'];
unset($network);
}
unset($if_subnets);
}
}
}
/* add openvpn interfaces */
if (isset($config['openvpn']['openvpn-server'])) {
foreach ($config['openvpn']['openvpn-server'] as $ovpnsrv) {
if (!isset($ovpnsrv['disable']) && !empty($ovpnsrv['tunnel_network'])) {
$tonathosts[] = $ovpnsrv['tunnel_network'];
$descriptions[] = gettext("OpenVPN server");
}
}
}
if (isset($config['openvpn']['openvpn-client'])) {
foreach ($config['openvpn']['openvpn-client'] as $ovpncli) {
if (!isset($ovpncli['disable']) && !empty($ovpncli['tunnel_network'])) {
$tonathosts[] = $ovpncli['tunnel_network'];
$descriptions[] = gettext("OpenVPN client");
}
}
}
/* IPsec mode_cfg subnet */
if (isset($config['ipsec']['client']['enable']) &&
!empty($config['ipsec']['client']['pool_address']) &&
!empty($config['ipsec']['client']['pool_netbits'])) {
$tonathosts[] = "{$config['ipsec']['client']['pool_address']}/{$config['ipsec']['client']['pool_netbits']}";
$descriptions[] = gettext("IPsec client");
}
if ($with_descr) {
$combined = array();
foreach ($tonathosts as $idx => $subnet) {
$combined[] = array(
"subnet" => $subnet,
"descr" => $descriptions[$idx]);
}
return $combined;
} else {
return $tonathosts;
}
}
function filter_generate_optcfg_array()
{
global $config;
$FilterIflist = array();
/* traverse interfaces */
foreach (legacy_config_get_interfaces(array("enable" => true)) as $if => $ifdetail) {
if (isset($ifdetail['internal_dynamic'])) {
// transform plugin configuration
$oic = array();
$oic['internal_dynamic'] = true;
$oic['vips'] = array();
$oic['vips6'] = array();
$oic['descr'] = $ifdetail['descr'];
$oic['if'] = $ifdetail['if'];
if (isset($ifdetail['virtual'])) {
$oic['virtual'] = $ifdetail['virtual'];
}
if (!empty($ifdetail['networks'])) {
foreach (isset($ifdetail['networks'][0]) ? $ifdetail['networks'] : array($ifdetail['networks']) as $indx => $network) {
if (is_ipaddrv4($network['network'])) {
if ($indx == 0) {
$oic['sa'] = $network['network'];
$oic['sn'] = $network['mask'];
} else {
$vip = array();
$vip['sa'] = $network['network'];
$vip['sn'] = $network['mask'];
$oic['vips'][] = $vip;
}
} elseif (is_ipaddrv6($network['network'])) {
if ($indx == 0) {
$oic['sav6'] = $network['network'];
$oic['snv6'] = $network['mask'];
} else {
$vip = array();
$vip['sa'] = $network['network'];
$vip['sn'] = $network['mask'];
$oic['vips6'][] = $vip;
}
}
}
}
$FilterIflist[$if] = $oic;
} else {
// XXX needs cleanup, original content
$oic = array();
$oic['if'] = get_real_interface($if);
if (!does_interface_exist($oic['if'])) {
continue;
}
$oic['ifv6'] = get_real_interface($if, "inet6");
$oic['ip'] = get_interface_ip($if);
$oic['ipv6'] = get_interface_ipv6($if);
if (!is_ipaddrv4($ifdetail['ipaddr']) && !empty($ifdetail['ipaddr'])) {
$oic['type'] = $ifdetail['ipaddr'];
}
if (isset($ifdetail['ipaddrv6'])) {
if ( !is_ipaddrv6($ifdetail['ipaddrv6']) && !empty($ifdetail['ipaddrv6'])) {
$oic['type6'] = $ifdetail['ipaddrv6'];
}
} else {
$oic['type6'] = null;
}
if (!empty($ifdetail['track6-interface'])) {
$oic['track6-interface'] = $ifdetail['track6-interface'];
}
$oic['sn'] = get_interface_subnet($if);
$oic['snv6'] = get_interface_subnetv6($if);
$oic['mtu'] = empty($ifdetail['mtu']) ? 1500 : $ifdetail['mtu'];
$oic['mss'] = empty($ifdetail['mss']) ? '' : $ifdetail['mss'];
$oic['descr'] = !empty($ifdetail['descr']) ? $ifdetail['descr'] : $if;
$oic['sa'] = gen_subnet($oic['ip'], $oic['sn']);
$oic['sav6'] = gen_subnetv6($oic['ipv6'], $oic['snv6']);
if (isset($ifdetail['alias-address'])) {
$oic['alias-address'] = $ifdetail['alias-address'];
} else {
$oic['alias-address'] = null;
}
if (isset($ifdetail['alias-subnet'])) {
$oic['alias-subnet'] = $ifdetail['alias-subnet'];
} else {
$oic['alias-subnet'] = null;
}
if (isset($ifdetail['gateway'])) {
$oic['gateway'] = $ifdetail['gateway'];
} else {
$oic['gateway'] = null ;
}
if (isset($ifdetail['gatewayv6'])) {
$oic['gatewayv6'] = $ifdetail['gatewayv6'];
} else {
$oic['gatewayv6'] = null;
}
$oic['bridge'] = link_interface_to_bridge($if);
$vips = link_interface_to_vips($if);
if (!empty($vips)) {
foreach ($vips as $vipidx => $vip) {
if (is_ipaddrv4($vip['subnet'])) {
if (!isset($oic['vips'])) {
$oic['vips'] = array();
}
$oic['vips'][$vipidx]['ip'] = $vip['subnet'];
if (empty($vip['subnet_bits'])) {
$oic['vips'][$vipidx]['sn'] = 32;
} else {
$oic['vips'][$vipidx]['sn'] = $vip['subnet_bits'];
}
} elseif (is_ipaddrv6($vip['subnet'])) {
if (!is_array($oic['vips6'])) {
$oic['vips6'] = array();
}
$oic['vips6'][$vipidx]['ip'] = $vip['subnet'];
if (empty($vip['subnet_bits'])) {
$oic['vips6'][$vipidx]['sn'] = 128;
} else {
$oic['vips6'][$vipidx]['sn'] = $vip['subnet_bits'];
}
}
}
}
unset($vips);
$FilterIflist[$if] = $oic;
}
}
return $FilterIflist ;
}
$GatewaysList = return_gateways_array(false, true) + return_gateway_groups_array();
$a_out = &config_read_array('nat', 'outbound', 'rule');
if (!isset($config['nat']['outbound']['mode'])) {
$config['nat']['outbound']['mode'] = "automatic";
@ -323,51 +52,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
clear_subsystem_dirty('filter');
} elseif (isset($pconfig['save']) && $pconfig['save'] == "Save") {
$mode = $config['nat']['outbound']['mode'];
/* mutually exclusive settings - if user wants advanced NAT, we don't generate automatic rules */
if ($pconfig['mode'] == "advanced" && ($mode == "automatic" || $mode == "hybrid")) {
/* XXX cranky low-level call, please refactor */
$FilterIflist = filter_generate_optcfg_array();
$tonathosts = filter_nat_rules_automatic_tonathosts($FilterIflist, true);
$automatic_rules = filter_nat_rules_outbound_automatic($FilterIflist, '');
$allinterfaces = legacy_config_get_interfaces();
foreach ($tonathosts as $tonathost) {
foreach ($automatic_rules as $natent) {
$natent['source']['network'] = $tonathost['subnet'];
$natent['descr'] .= ' - ' . $tonathost['descr'] . ' -> ' . $allinterfaces[$natent['interface']]['descr'];
$natent['created'] = make_config_revision_entry();
/* Try to detect already auto created rules and avoid duplicate them */
$found = false;
foreach ($a_out as $rule) {
// initialize optional values
if (!isset($rule['dstport'])) {
$rule['dstport'] = "";
}
if (!isset($natent['dstport'])) {
$natent['dstport'] = "";
}
//
if ($rule['interface'] == $natent['interface'] &&
$rule['source']['network'] == $natent['source']['network'] &&
$rule['dstport'] == $natent['dstport'] &&
$rule['target'] == $natent['target'] &&
$rule['descr'] == $natent['descr']) {
$found = true;
break;
}
}
if (!$found) {
$a_out[] = $natent;
}
}
}
$savemsg = gettext("Default rules for each interface have been created.");
}
$config['nat']['outbound']['mode'] = $pconfig['mode'];
write_config();
mark_subsystem_dirty('natconf');
header(url_safe('Location: /firewall_nat_out.php'));
@ -802,11 +487,17 @@ include("head.inc");
<?php
// when automatic or hybrid, display "auto" table.
if ($mode == "automatic" || $mode == "hybrid"):
/* XXX cranky low-level call, please refactor */
$FilterIflist = filter_generate_optcfg_array();
$automatic_rules = filter_nat_rules_outbound_automatic(
$FilterIflist, implode(' ', filter_nat_rules_automatic_tonathosts($FilterIflist))
);
$fw = filter_core_get_initialized_plugin_system();
$intfv4 = array();
$intfnatv4 = array();
foreach ($fw->getInterfaceMapping() as $intf => $intfcf) {
if (!empty($intfcf['ifconfig']['ipv4']) && empty($intfcf['gateway'])) {
$intfv4[] = $intfcf['descr'] . ":" . gettext("Network");
} elseif (substr($intfcf['if'], 0, 4) != 'ovpn' && !empty($intfcf['gateway'])) {
$intfnatv4[] = $intfcf;
}
}
$intfv4 = array_merge($intfv4, filter_core_get_default_nat_outbound_networks());
?>
<section class="col-xs-12">
<div class="table-responsive content-box ">
@ -819,7 +510,7 @@ include("head.inc");
<th>&nbsp;</th>
<th>&nbsp;</th>
<th><?=gettext("Interface");?></th>
<th><?=gettext("Source");?></th>
<th><?=gettext("Source Networks");?></th>
<th class="hidden-xs hidden-sm"><?=gettext("Source Port");?></th>
<th class="hidden-xs hidden-sm"><?=gettext("Destination");?></th>
<th class="hidden-xs hidden-sm"><?=gettext("Destination Port");?></th>
@ -831,55 +522,37 @@ include("head.inc");
</thead>
<tbody>
<?php
foreach ($automatic_rules as $natent):
foreach ($intfnatv4 as $natintf):
?>
<tr>
<td>&nbsp;</td>
<td>
<span class="glyphicon glyphicon-play text-success" data-toggle="tooltip" title="<?=gettext("automatic outbound nat");?>"></span>
</td>
<td><?= htmlspecialchars($natintf['descr']); ?></td>
<td><?= implode(' , ', $intfv4);?></td>
<td class="hidden-xs hidden-sm">*</td>
<td class="hidden-xs hidden-sm">*</td>
<td class="hidden-xs hidden-sm">500</td>
<td class="hidden-xs hidden-sm"><?= htmlspecialchars($natintf['descr']); ?></td>
<td class="hidden-xs hidden-sm">*</td>
<td class="hidden-xs hidden-sm"><?=gettext("YES");?></td>
<td><?=gettext('Auto created rule for ISAKMP');?></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>
<?= htmlspecialchars(convert_friendly_interface_to_friendly_descr($natent['interface'])); ?>
</td>
<td>
<?= isset($natent['source']['not']) ? '!' : '' ?>
<?=$natent['source']['network'];?>
</td>
<td class="hidden-xs hidden-sm">
<?=(!empty($natent['protocol'])) ? $natent['protocol'] . '/' : "" ;?>
<?=empty($natent['sourceport']) ? "*" : $natent['sourceport'] ;?>
</td>
<td class="hidden-xs hidden-sm">
<?= isset($natent['destination']['not']) ? '!' : '' ?>
<?=isset($natent['destination']['any']) ? "*" : $natent['destination']['address'] ;?>
</td>
<td class="hidden-xs hidden-sm">
<?=!empty($natent['protocol']) ? $natent['protocol'] . '/' : "" ;?>
<?=empty($natent['dstport']) ? "*" : $natent['dstport'] ;?>
</td>
<td class="hidden-xs hidden-sm">
<?php
if (isset($natent['nonat'])) {
$nat_address = '<I>NO NAT</I>';
} elseif (empty($natent['target'])) {
$nat_address = htmlspecialchars(convert_friendly_interface_to_friendly_descr($natent['interface'])) . " address";
} elseif ($natent['target'] == "other-subnet") {
$nat_address = $natent['targetip'] . '/' . $natent['targetip_subnet'];
} else {
$nat_address = htmlspecialchars($natent['target']);
}
?>
<?=$nat_address;?>
</td>
<td class="hidden-xs hidden-sm">
<?= empty($natent['natport']) ? "*" : $natent['natport'];?>
</td>
<td class="hidden-xs hidden-sm">
<?= isset($natent['staticnatport']) ? gettext("YES") : gettext("NO") ;?>
</td>
<td>
<?=htmlspecialchars($natent['descr']);?>
<span class="glyphicon glyphicon-play text-success" data-toggle="tooltip" title="<?=gettext("automatic outbound nat");?>"></span>
</td>
<td><?= htmlspecialchars($natintf['descr']); ?></td>
<td><?= implode(' , ', $intfv4);?></td>
<td class="hidden-xs hidden-sm">*</td>
<td class="hidden-xs hidden-sm">*</td>
<td class="hidden-xs hidden-sm">*</td>
<td class="hidden-xs hidden-sm"><?= htmlspecialchars($natintf['descr']); ?></td>
<td class="hidden-xs hidden-sm">*</td>
<td class="hidden-xs hidden-sm"><?=gettext("NO");?></td>
<td><?=gettext('Auto created rule');?></td>
</tr>
<?php
endforeach;