From 30366b8bee0a4740b40fd6c18eee5821bbebb25c Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Mon, 1 Jan 2018 20:10:52 +0100
Subject: [PATCH] Firewall/Nat, cleanup outbound overview page, ditch some old code
---
 src/www/firewall_nat_out.php | 397 +++-------------------------------
 1 file changed, 35 insertions(+), 362 deletions(-)
diff --git a/src/www/firewall_nat_out.php b/src/www/firewall_nat_out.php
index fa24c3d24..a4a352ed4 100644
--- a/src/www/firewall_nat_out.php
+++ b/src/www/firewall_nat_out.php
@@ -33,277 +33,6 @@ require_once("filter.inc"); require_once("interfaces.inc"); -function filter_nat_rules_outbound_automatic(&$FilterIflist, $src) -{ - global $config ; - - $rules = array(); - - foreach ($FilterIflist as $if => $ifcfg) { - if (substr($ifcfg['if'], 0, 4) == 'ovpn') { - continue; - } - - if (!interface_has_gateway($if)) { - continue; - } - - $natent = array(); - $natent['interface'] = $if; - $natent['source']['network'] = $src; - $natent['dstport'] = '500'; - $natent['target'] = ''; - $natent['destination']['any'] = true; - $natent['staticnatport'] = true; - $natent['descr'] = gettext('Auto created rule for ISAKMP'); - $rules[] = $natent; - - $natent = array(); - $natent['interface'] = $if; - $natent['source']['network'] = $src; - $natent['sourceport'] = ''; - $natent['target'] = ''; - $natent['destination']['any'] = true; - $natent['natport'] = ''; - $natent['descr'] = gettext('Auto created rule'); - $rules[] = $natent; - } - - return $rules; -} - -function filter_nat_rules_automatic_tonathosts(&$FilterIflist, $with_descr = false) -{ - global $config, $GatewaysList; - - $tonathosts = array("127.0.0.0/8"); - $descriptions = array(gettext("localhost")); - - foreach (get_staticroutes() as $route) { - $netip = explode("/", $route['network']); - if (isset($GatewaysList[$route['gateway']])) { - $gateway =& $GatewaysList[$route['gateway']]; - if (!interface_has_gateway($gateway['interface']) && is_private_ip($netip[0])) { - $tonathosts[] = $route['network']; - $descriptions[] = gettext("static route"); - } - } - } - - /* create outbound nat entries for all local networks */ - foreach($FilterIflist as $ocname => $oc) { - if (interface_has_gateway($ocname)) { - continue; - } - if (isset($oc['alias-address']) && is_ipaddr($oc['alias-address'])) { - $tonathosts[] = "{$oc['alias-address']}/{$oc['alias-subnet']}"; - $descriptions[] = $oc['descr'] . " " . 
gettext("DHCP alias address"); - } - if (!empty($oc['sa'])) { - $tonathosts[] = "{$oc['sa']}/{$oc['sn']}"; - $descriptions[] = $oc['descr']; - if (!empty($oc['vips']) && !empty($oc['internal_dynamic'])) { - foreach ($oc['vips'] as $vip) { - $tonathosts[] = "{$vip['sa']}/{$vip['sn']}"; - $descriptions[] = $oc['descr']; - } - } elseif (isset($oc['vips']) && is_array($oc['vips'])) { - $if_subnets = array("{$oc['sa']}/{$oc['sn']}"); - foreach ($oc['vips'] as $vip) { - if (!is_ipaddrv4($vip['ip'])) { - continue; - } - foreach ($if_subnets as $subnet) { - if (ip_in_subnet($vip['ip'], $subnet)) { - continue 2; - } - } - $network = gen_subnet($vip['ip'], $vip['sn']); - array_unshift($tonathosts, $network . '/' . $vip['sn']); - array_unshift($descriptions, "Virtual IP ({$oc['descr']})"); - $if_subnets[] = $network . '/' . $vip['sn']; - unset($network); - } - unset($if_subnets); - } - } - } - - /* add openvpn interfaces */ - if (isset($config['openvpn']['openvpn-server'])) { - foreach ($config['openvpn']['openvpn-server'] as $ovpnsrv) { - if (!isset($ovpnsrv['disable']) && !empty($ovpnsrv['tunnel_network'])) { - $tonathosts[] = $ovpnsrv['tunnel_network']; - $descriptions[] = gettext("OpenVPN server"); - } - } - } - - if (isset($config['openvpn']['openvpn-client'])) { - foreach ($config['openvpn']['openvpn-client'] as $ovpncli) { - if (!isset($ovpncli['disable']) && !empty($ovpncli['tunnel_network'])) { - $tonathosts[] = $ovpncli['tunnel_network']; - $descriptions[] = gettext("OpenVPN client"); - } - } - } - - /* IPsec mode_cfg subnet */ - if (isset($config['ipsec']['client']['enable']) && - !empty($config['ipsec']['client']['pool_address']) && - !empty($config['ipsec']['client']['pool_netbits'])) { - $tonathosts[] = "{$config['ipsec']['client']['pool_address']}/{$config['ipsec']['client']['pool_netbits']}"; - $descriptions[] = gettext("IPsec client"); - } - - if ($with_descr) { - $combined = array(); - foreach ($tonathosts as $idx => $subnet) { - $combined[] = array( - 
"subnet" => $subnet, - "descr" => $descriptions[$idx]); - } - - return $combined; - } else { - return $tonathosts; - } -} - - -function filter_generate_optcfg_array() -{ - global $config; - - $FilterIflist = array(); - - /* traverse interfaces */ - foreach (legacy_config_get_interfaces(array("enable" => true)) as $if => $ifdetail) { - if (isset($ifdetail['internal_dynamic'])) { - // transform plugin configuration - $oic = array(); - $oic['internal_dynamic'] = true; - $oic['vips'] = array(); - $oic['vips6'] = array(); - $oic['descr'] = $ifdetail['descr']; - $oic['if'] = $ifdetail['if']; - if (isset($ifdetail['virtual'])) { - $oic['virtual'] = $ifdetail['virtual']; - } - if (!empty($ifdetail['networks'])) { - foreach (isset($ifdetail['networks'][0]) ? $ifdetail['networks'] : array($ifdetail['networks']) as $indx => $network) { - if (is_ipaddrv4($network['network'])) { - if ($indx == 0) { - $oic['sa'] = $network['network']; - $oic['sn'] = $network['mask']; - } else { - $vip = array(); - $vip['sa'] = $network['network']; - $vip['sn'] = $network['mask']; - $oic['vips'][] = $vip; - } - } elseif (is_ipaddrv6($network['network'])) { - if ($indx == 0) { - $oic['sav6'] = $network['network']; - $oic['snv6'] = $network['mask']; - } else { - $vip = array(); - $vip['sa'] = $network['network']; - $vip['sn'] = $network['mask']; - $oic['vips6'][] = $vip; - } - } - } - } - $FilterIflist[$if] = $oic; - } else { - // XXX needs cleanup, original content - $oic = array(); - $oic['if'] = get_real_interface($if); - if (!does_interface_exist($oic['if'])) { - continue; - } - $oic['ifv6'] = get_real_interface($if, "inet6"); - $oic['ip'] = get_interface_ip($if); - $oic['ipv6'] = get_interface_ipv6($if); - if (!is_ipaddrv4($ifdetail['ipaddr']) && !empty($ifdetail['ipaddr'])) { - $oic['type'] = $ifdetail['ipaddr']; - } - if (isset($ifdetail['ipaddrv6'])) { - if ( !is_ipaddrv6($ifdetail['ipaddrv6']) && !empty($ifdetail['ipaddrv6'])) { - $oic['type6'] = $ifdetail['ipaddrv6']; - } - } else { - 
$oic['type6'] = null; - } - if (!empty($ifdetail['track6-interface'])) { - $oic['track6-interface'] = $ifdetail['track6-interface']; - } - $oic['sn'] = get_interface_subnet($if); - $oic['snv6'] = get_interface_subnetv6($if); - $oic['mtu'] = empty($ifdetail['mtu']) ? 1500 : $ifdetail['mtu']; - $oic['mss'] = empty($ifdetail['mss']) ? '' : $ifdetail['mss']; - $oic['descr'] = !empty($ifdetail['descr']) ? $ifdetail['descr'] : $if; - $oic['sa'] = gen_subnet($oic['ip'], $oic['sn']); - $oic['sav6'] = gen_subnetv6($oic['ipv6'], $oic['snv6']); - if (isset($ifdetail['alias-address'])) { - $oic['alias-address'] = $ifdetail['alias-address']; - } else { - $oic['alias-address'] = null; - } - if (isset($ifdetail['alias-subnet'])) { - $oic['alias-subnet'] = $ifdetail['alias-subnet']; - } else { - $oic['alias-subnet'] = null; - } - if (isset($ifdetail['gateway'])) { - $oic['gateway'] = $ifdetail['gateway']; - } else { - $oic['gateway'] = null ; - } - if (isset($ifdetail['gatewayv6'])) { - $oic['gatewayv6'] = $ifdetail['gatewayv6']; - } else { - $oic['gatewayv6'] = null; - } - $oic['bridge'] = link_interface_to_bridge($if); - $vips = link_interface_to_vips($if); - if (!empty($vips)) { - foreach ($vips as $vipidx => $vip) { - if (is_ipaddrv4($vip['subnet'])) { - if (!isset($oic['vips'])) { - $oic['vips'] = array(); - } - $oic['vips'][$vipidx]['ip'] = $vip['subnet']; - if (empty($vip['subnet_bits'])) { - $oic['vips'][$vipidx]['sn'] = 32; - } else { - $oic['vips'][$vipidx]['sn'] = $vip['subnet_bits']; - } - } elseif (is_ipaddrv6($vip['subnet'])) { - if (!is_array($oic['vips6'])) { - $oic['vips6'] = array(); - } - $oic['vips6'][$vipidx]['ip'] = $vip['subnet']; - if (empty($vip['subnet_bits'])) { - $oic['vips6'][$vipidx]['sn'] = 128; - } else { - $oic['vips6'][$vipidx]['sn'] = $vip['subnet_bits']; - } - } - } - } - unset($vips); - $FilterIflist[$if] = $oic; - } - } - - return $FilterIflist ; -} - - -$GatewaysList = return_gateways_array(false, true) + return_gateway_groups_array(); - 
$a_out = &config_read_array('nat', 'outbound', 'rule'); if (!isset($config['nat']['outbound']['mode'])) { $config['nat']['outbound']['mode'] = "automatic"; 
@@ -323,51 +52,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') { clear_subsystem_dirty('filter'); } elseif (isset($pconfig['save']) && $pconfig['save'] == "Save") { $mode = $config['nat']['outbound']['mode']; - /* mutually exclusive settings - if user wants advanced NAT, we don't generate automatic rules */ - if ($pconfig['mode'] == "advanced" && ($mode == "automatic" || $mode == "hybrid")) { - /* XXX cranky low-level call, please refactor */ - $FilterIflist = filter_generate_optcfg_array(); - $tonathosts = filter_nat_rules_automatic_tonathosts($FilterIflist, true); - $automatic_rules = filter_nat_rules_outbound_automatic($FilterIflist, ''); - $allinterfaces = legacy_config_get_interfaces(); - - foreach ($tonathosts as $tonathost) { - foreach ($automatic_rules as $natent) { - $natent['source']['network'] = $tonathost['subnet']; - $natent['descr'] .= ' - ' . $tonathost['descr'] . ' -> ' . $allinterfaces[$natent['interface']]['descr']; - $natent['created'] = make_config_revision_entry(); - - /* Try to detect already auto created rules and avoid duplicate them */ - $found = false; - foreach ($a_out as $rule) { - // initialize optional values - if (!isset($rule['dstport'])) { - $rule['dstport'] = ""; - } - if (!isset($natent['dstport'])) { - $natent['dstport'] = ""; - } - // - if ($rule['interface'] == $natent['interface'] && - $rule['source']['network'] == $natent['source']['network'] && - $rule['dstport'] == $natent['dstport'] && - $rule['target'] == $natent['target'] && - $rule['descr'] == $natent['descr']) { - $found = true; - break; - } - } - - if (!$found) { - $a_out[] = $natent; - } - } - } - $savemsg = gettext("Default rules for each interface have been created."); - } - $config['nat']['outbound']['mode'] = $pconfig['mode']; - write_config(); mark_subsystem_dirty('natconf'); header(url_safe('Location: /firewall_nat_out.php')); 
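Review bot: The context line `$mode = $config['nat']['outbound']['mode'];` at the top of the save branch is now dead: its only reader was the removed guard `if ($pconfig['mode'] == "advanced" && ($mode == "automatic" || $mode == "hybrid"))`, so unless `$mode` is read further down the POST handler (outside this hunk) the assignment should be dropped with the rest. The form value `$pconfig['mode']` still reaches `$config['nat']['outbound']['mode']` without any visible whitelist check; the values this hunk shows are `automatic`, `hybrid` and `advanced`, so a guard such as `if (!in_array($pconfig['mode'], array('automatic', 'hybrid', 'advanced'), true)) { /* report via the page's input-error path */ }` (extended with whatever other modes the page accepts) before the write would keep unexpected strings out of the ruleset generator. Since switching from automatic/hybrid to advanced no longer seeds the per-interface rules, the page's help text should state that existing LAN traffic loses outbound NAT until rules are added by hand. The enclosing POST handler starts and ends outside this hunk, and the collapsed text leaves it unclear whether the `write_config()` line is context or removed.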
@@ -802,11 +487,17 @@ include("head.inc"); getInterfaceMapping() as $intf => $intfcf) { + if (!empty($intfcf['ifconfig']['ipv4']) && empty($intfcf['gateway'])) { + $intfv4[] = $intfcf['descr'] . ":" . gettext("Network"); + } elseif (substr($intfcf['if'], 0, 4) != 'ovpn' && !empty($intfcf['gateway'])) { + $intfnatv4[] = $intfcf; + } + } + $intfv4 = array_merge($intfv4, filter_core_get_default_nat_outbound_networks()); ?>
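Review bot: The operator-supplied interface description `$intfcf['descr']` is concatenated raw into the `$intfv4[]` entries (`$intfcf['descr'] . ":" . gettext("Network")`), and those strings presumably end up in the rendered rule table, so make sure the emitter wraps them in `htmlspecialchars()` rather than echoing them as-is. The `elseif` branch calls `substr($intfcf['if'], 0, 4)` without checking that the `if` key exists, so a mapping entry without it would raise a notice; a cheap fix is `} elseif (!empty($intfcf['if']) && substr($intfcf['if'], 0, 4) != 'ovpn' && !empty($intfcf['gateway'])) {`. The loop's opening line and the initialisation of `$intfv4` and `$intfnatv4` are cut off in this hunk, so I cannot confirm both arrays exist before the `array_merge()` at the end.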
@@ -819,7 +510,7 @@ include("head.inc");     - + @@ -831,55 +522,37 @@ include("head.inc");   "> + + + * + * + 500 + + * + + + + +   - - - - - - - - - - - - - - - - - - - -NO NAT'; - } elseif (empty($natent['target'])) { - $nat_address = htmlspecialchars(convert_friendly_interface_to_friendly_descr($natent['interface'])) . " address"; - } elseif ($natent['target'] == "other-subnet") { - $nat_address = $natent['targetip'] . '/' . $natent['targetip_subnet']; - } else { - $nat_address = htmlspecialchars($natent['target']); - } -?> - - - - - - - - - - + "> + + + * + * + * + + * + +