diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
index fa94b5874..027b8eaf3 100644
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -185,11 +185,19 @@ function filter_configure_sync($verbose = false)
 // initialize fw plugin object
 $fw = new \OPNsense\Firewall\Plugin();
 $cnfint = legacy_config_get_interfaces(array("enable" => true));
- // to set "reply-to" we need to know the gateway for our interface, let's collect it here and pass it on to
- // setInterfaceMapping()
+ $ifdetails = legacy_interfaces_details();
 foreach ($cnfint as $key => &$value) {
+ // to set "reply-to" we need to know the gateway for our interface, let's collect it here and pass it on to
+ // setInterfaceMapping()
 $value['gateway'] = get_interface_gateway($key);
 $value['gatewayv6'] = get_interface_gateway_v6($key);
+ // In some cases we need to know if there currently are addresses configured on an interface, we pass
+ // the relevant ifconfig data to our interfacemapping (prevents "could not parse host specification" on load)
+ if (!empty($ifdetails[$value['if']])) {
+ $value['ifconfig'] = array();
+ $value['ifconfig']['ipv4'] = $ifdetails[$value['if']]['ipv4'];
+ $value['ifconfig']['ipv6'] = $ifdetails[$value['if']]['ipv6'];
+ }
 }
 // init interfaces and gateways
 $fw->setInterfaceMapping($cnfint);
diff --git a/src/opnsense/mvc/app/library/OPNsense/Firewall/NatRule.php b/src/opnsense/mvc/app/library/OPNsense/Firewall/NatRule.php
index 0b976eaaf..be3d53e21 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/NatRule.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/NatRule.php
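Review bot: The added `ifconfig` block reads `$ifdetails[$value['if']]['ipv4']` and `['ipv6']` without checking that either key is present, so an entry returned by legacy_interfaces_details() that lacks one of them (and likewise an interface config without an `'if'` key, which the index expression assumes) would emit an undefined-index notice on every filter reload instead of just leaving `ifconfig` unset; whether those keys are guaranteed depends on legacy_interfaces_details(), which is outside this hunk. Guarding each key keeps the mapping shape stable for consumers that test `!empty(...['ifconfig']['ipv4'])`, e.g. `$value['ifconfig']['ipv4'] = isset($ifdetails[$value['if']]['ipv4']) ? $ifdetails[$value['if']]['ipv4'] : array();` and the same for `ipv6`. The loop iterates `$cnfint` by reference and no `unset($value);` follows it in the visible context, so any later use of `$value` inside filter_configure_sync would silently overwrite the last interface's entry, including the new `ifconfig` data; adding `unset($value);` after the closing brace removes that trap. filter_configure_sync continues outside the hunk.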
@@ -60,7 +60,8 @@ class NatRule extends Rule
 'interface' => 'parseInterface',
 'protocol' => 'parseReplaceSimple,tcp/udp:{tcp udp},proto ',
 'interface.from' => 'parseInterface, from ,:network',
- 'localport' => 'parsePlainCurly,to ',
+ 'target.to' => 'parsePlainCurly,to ',
+ 'localport' => 'parsePlainCurly,port ',
 'interface.to' => 'parseInterface, -> ',
 'staticnatport' => 'parseBool, static-port , port 1024:65535 '
 )
@@ -162,22 +163,27 @@ class NatRule extends Rule
 if (!empty($interface) && empty($this->interfaceMapping[$interface]['if'])) {
 $tmp['disabled'] = true;
 }
- // automatically generate nat rule when enablenatreflectionhelper is set
- if (!$tmp['disabled'] && empty($tmp['nordr']) && !empty($tmp['enablenatreflectionhelper'])) {
- $tmp2 = $tmp;
- $tmp2['rule_types'][] = "rdr_nat";
- $tmp2['staticnatport'] = !empty($tmp['staticnatport']);
- $result[] = $tmp2;
- } else {
- $result[] = $tmp;
- }
 // When reflection is enabled our ruleset should cover all
+ $interflist = array($tmp['interface']);
 if (!$tmp['disabled'] && in_array($tmp['natreflection'], array("purenat", "enable"))) {
- foreach ($this->reflectionInterfaces($interface) as $refl_interf) {
- $tmp['interface'] = $refl_interf;
- $result[] = $tmp;
+ $interflist = array_merge($interflist, $this->reflectionInterfaces($interface));
+ }
+ foreach ($interflist as $interf) {
+ $rule = $tmp;
+ // automatically generate nat rule when enablenatreflectionhelper is set
+ if (!$rule['disabled'] && empty($rule['nordr']) && !empty($rule['enablenatreflectionhelper'])) {
+ // Only add nat rules when the selected interface has an address configured
+ if (!empty($this->interfaceMapping[$interf])) {
+ if (!empty($this->interfaceMapping[$interf]['ifconfig']['ipv4']) ||
+ !empty($this->interfaceMapping[$interf]['ifconfig']['ipv4']) ) {
+ $rule['rule_types'][] = "rdr_nat";
+ $rule['staticnatport'] = !empty($rule['staticnatport']);
+ }
+ }
 }
+ $rule['interface'] = $interf;
+ $result[] = $rule;
 }
 }
 }
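Review bot: The address check inside the new `foreach ($interflist as $interf)` block tests `['ifconfig']['ipv4']` on both sides of the `||`, so the `ipv6` entry that filter.inc now populates is never consulted; an interface carrying only IPv6 addresses is treated as unaddressed and silently loses its `rdr_nat` rule, contradicting the comment "Only add nat rules when the selected interface has an address configured". The second operand should read `!empty($this->interfaceMapping[$interf]['ifconfig']['ipv6']) ) {`. Since the check's purpose is to avoid a pf load failure, it would also help to state in that comment that a skipped helper rule is the intended degradation, e.g. `// no address on $interf: skip the reflection helper rather than emit a rule pf cannot parse`. The enclosing method begins outside the hunk, and the `-60,7` hunk above renames the `localport` mapping to `port ` while adding `target.to`, which only makes sense if the rule data is populated with `target.to` elsewhere in this diff, not visible here.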