Because we can't use :network when interfaces don't have any address configured at filter load time, we need to make sure we know which addresses are configured, so we pass the relevant ifconfig
data to setInterfaceMapping() in filter.inc.
This commit is contained in:
Ad Schellevis 2017-12-22 21:52:46 +01:00
parent 3b53e1d089
commit 65d08b716c
2 changed files with 29 additions and 15 deletions


@ -185,11 +185,19 @@ function filter_configure_sync($verbose = false)
// initialize fw plugin object
$fw = new \OPNsense\Firewall\Plugin();
$cnfint = legacy_config_get_interfaces(array("enable" => true));
// to set "reply-to" we need to know the gateway for our interface, let's collect it here and pass it on to
// setInterfaceMapping()
$ifdetails = legacy_interfaces_details();
foreach ($cnfint as $key => &$value) {
// to set "reply-to" we need to know the gateway for our interface, let's collect it here and pass it on to
// setInterfaceMapping()
$value['gateway'] = get_interface_gateway($key);
$value['gatewayv6'] = get_interface_gateway_v6($key);
// In some cases we need to know if there currently are addresses configured on an interface, we pass
// the relevant ifconfig data to our interfacemapping (prevents "could not parse host specification" on load)
if (!empty($ifdetails[$value['if']])) {
$value['ifconfig'] = array();
$value['ifconfig']['ipv4'] = $ifdetails[$value['if']]['ipv4'];
$value['ifconfig']['ipv6'] = $ifdetails[$value['if']]['ipv6'];
}
}
// init interfaces and gateways
$fw->setInterfaceMapping($cnfint);
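Review bot: The two `$value['ifconfig'][...]` assignments read the `ipv4` and `ipv6` keys of `$ifdetails[$value['if']]` unconditionally, guarded only by the `!empty()` on the whole entry; if legacy_interfaces_details() omits either key for an interface that currently has no address of that family (the helper is not visible here), this raises an undefined-index notice and stores null. A defensive form keeps the consumer's `!empty()` check meaningful: `$value['ifconfig']['ipv4'] = isset($ifdetails[$value['if']]['ipv4']) ? $ifdetails[$value['if']]['ipv4'] : array();` and the same for `ipv6`. The comment above the block could also name the consumer, e.g. `// consumed by NatRule, which only emits rdr_nat rules for interfaces that have an address`. filter_configure_sync() starts before this hunk and continues after it.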


@ -60,7 +60,8 @@ class NatRule extends Rule
'interface' => 'parseInterface',
'protocol' => 'parseReplaceSimple,tcp/udp:{tcp udp},proto ',
'interface.from' => 'parseInterface, from ,:network',
'localport' => 'parsePlainCurly,to ',
'target.to' => 'parsePlainCurly,to ',
'localport' => 'parsePlainCurly,port ',
'interface.to' => 'parseInterface, -> ',
'staticnatport' => 'parseBool, static-port , port 1024:65535 '
)
@ -162,22 +163,27 @@ class NatRule extends Rule
if (!empty($interface) && empty($this->interfaceMapping[$interface]['if'])) {
$tmp['disabled'] = true;
}
// automatically generate nat rule when enablenatreflectionhelper is set
if (!$tmp['disabled'] && empty($tmp['nordr']) && !empty($tmp['enablenatreflectionhelper'])) {
$tmp2 = $tmp;
$tmp2['rule_types'][] = "rdr_nat";
$tmp2['staticnatport'] = !empty($tmp['staticnatport']);
$result[] = $tmp2;
} else {
$result[] = $tmp;
}
// When reflection is enabled our ruleset should cover all
$interflist = array($tmp['interface']);
if (!$tmp['disabled'] && in_array($tmp['natreflection'], array("purenat", "enable"))) {
foreach ($this->reflectionInterfaces($interface) as $refl_interf) {
$tmp['interface'] = $refl_interf;
$result[] = $tmp;
$interflist = array_merge($interflist, $this->reflectionInterfaces($interface));
}
foreach ($interflist as $interf) {
$rule = $tmp;
// automatically generate nat rule when enablenatreflectionhelper is set
if (!$rule['disabled'] && empty($rule['nordr']) && !empty($rule['enablenatreflectionhelper'])) {
// Only add nat rules when the selected interface has an address configured
if (!empty($this->interfaceMapping[$interf])) {
if (!empty($this->interfaceMapping[$interf]['ifconfig']['ipv4']) ||
!empty($this->interfaceMapping[$interf]['ifconfig']['ipv4']) ) {
$rule['rule_types'][] = "rdr_nat";
$rule['staticnatport'] = !empty($rule['staticnatport']);
}
}
}
$rule['interface'] = $interf;
$result[] = $rule;
}
}
}
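Review bot: The address check at the `if (!empty($this->interfaceMapping[$interf]['ifconfig']['ipv4']) ||` line tests `ipv4` on both sides of the `||`, so an interface with only an IPv6 address configured never gets its `rdr_nat` rule; the second operand should read `!empty($this->interfaceMapping[$interf]['ifconfig']['ipv6'])`. Note also that before this change the `rdr_nat` rule was emitted whenever enablenatreflectionhelper was set, whereas now it is silently skipped when the mapping carries no `ifconfig` entry at all, so a mapping built without that key (any caller other than the filter.inc change in this commit) loses reflection rules without any log line — a comment stating that this dependency is intentional, or a log message in the skipped case, would make the behaviour traceable. The enclosing method of NatRule starts before this hunk.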