From 1e7b0d20823c6c4c73ab2a31ea21ef5f9232112c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fredrik=20R=C3=B6nnvall?=
Date: Fri, 8 Feb 2019 14:21:46 +0100
Subject: [PATCH] Allow explicitly setting Source Hash Key

This key is randomly assigned unless set every time the ruleset is loaded. In order to make it persist, allow setting it to a predetermined value.
---
 .../library/OPNsense/Firewall/SNatRule.php | 5 ++
 src/www/firewall_nat_out_edit.php | 87 +++++++++++--------
 2 files changed, 58 insertions(+), 34 deletions(-)

diff --git a/src/opnsense/mvc/app/library/OPNsense/Firewall/SNatRule.php b/src/opnsense/mvc/app/library/OPNsense/Firewall/SNatRule.php
index 29ebcd1b5..d502031b7 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/SNatRule.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/SNatRule.php
@@ -51,6 +51,7 @@ class SNatRule extends Rule
         'target' => 'parsePlain, -> ',
         'natport' => 'parsePlain, port ',
         'poolopts' => 'parsePlain',
+        'poolopts_sourcehashkey' => 'parsePlain',
         'staticnatport' => 'parseBool, static-port ',
         'descr' => 'parseComment'
     );
@@ -109,6 +110,10 @@ class SNatRule extends Rule
                 $rule[$fieldname] = "$".$rule[$fieldname];
             }
         }
+        if (empty($rule['poolopts']) || $rule['poolopts'] != "source-hash"){
+            // Make sure this is empty unless source-hash
+            $rule['poolopts_sourcehashkey'] = '';
+        }
         if (!empty($rule['staticnatport']) || !empty($rule['nonat'])) {
             $rule['natport'] = '';
         } elseif (empty($rule['natport'])) {
diff --git a/src/www/firewall_nat_out_edit.php b/src/www/firewall_nat_out_edit.php
index c8c08fa62..bc2634804 100644
--- a/src/www/firewall_nat_out_edit.php
+++ b/src/www/firewall_nat_out_edit.php
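Review bot: The added block only blanks `poolopts_sourcehashkey` when the pool option is not source-hash; when it is, the stored string is handed to `parsePlain` and, as far as this hunk shows, emitted into the pf rule text as-is, with the only format validation living in the web form (firewall_nat_out_edit.php) rather than in this library. A rule that reaches this code through any other config path therefore carries whatever string was stored, so it is worth enforcing the expected shape here too, e.g. `if (!preg_match('/^0x[0-9a-f]{32}$/i', (string)$rule['poolopts_sourcehashkey'])) { $rule['poolopts_sourcehashkey'] = ''; }`, so that an unexpected value falls back to the randomly assigned key described in the commit message instead of being written into the ruleset. The loose comparison `$rule['poolopts'] != "source-hash"` would also read better as `!==`. The enclosing method starts and ends outside the hunk.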
@@ -99,7 +99,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
     if (isset($configId)) {
         // load data from config
         foreach (array('protocol','sourceport','dstport','natport','target','targetip'
-                      ,'targetip_subnet','poolopts','interface','descr','nonat','log'
+                      ,'targetip_subnet','poolopts','poolopts_sourcehashkey','interface','descr','nonat','log'
                       ,'disabled','staticnatport','nosync','ipprotocol','tag','tagged') as $fieldname) {
             if (isset($a_out[$configId][$fieldname])) {
                 $pconfig[$fieldname] = $a_out[$configId][$fieldname];
@@ -123,7 +123,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
     // initialize unused elements
     foreach (array('protocol','sourceport','dstport','natport','target','targetip',
-                   'targetip_subnet','poolopts','interface','descr','nonat','tag','tagged',
+                   'targetip_subnet','poolopts','poolopts_sourcehashkey','interface','descr','nonat','tag','tagged',
                    'disabled','staticnatport','nosync','source','source_subnet','ipprotocol') as $fieldname) {
         if (!isset($pconfig[$fieldname])) {
             $pconfig[$fieldname] = null;
@@ -195,7 +195,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
     if (!empty($pconfig['targetip']) && is_alias($pconfig['targetip']) && !empty($pconfig['poolopts']) && substr($pconfig['poolopts'], 0, 11) != 'round-robin') {
         $input_errors[] = gettext("Only Round Robin pool options may be chosen when selecting an alias.");
     }
-
+    /* Verify Source Hash Key if provided */
+    if (!empty($pconfig['poolopts']) && $pconfig['poolopts'] == 'source-hash' && !empty($pconfig['poolopts_sourcehashkey'])){
+        if (substr($pconfig['poolopts_sourcehashkey'], 0, 2) != "0x" || !ctype_xdigit(substr($pconfig['poolopts_sourcehashkey'], 2, 32)) ){
+            $input_errors[] = gettext("Source Hash Key must be 0x followed by 32 hexadecimal digits");
+        }
+    }
     // validate ipv4/v6, addresses should use selected address family
     foreach (array('source', 'destination', 'targetip') as $fieldname) {
         if (is_ipaddrv6($pconfig[$fieldname]) && $pconfig['ipprotocol'] != 'inet6') {
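Review bot: The new Source Hash Key check in the source-hash block does not bound the key's length: `ctype_xdigit(substr($pconfig['poolopts_sourcehashkey'], 2, 32))` inspects at most 32 characters after the prefix, so a short key such as `0xab` and a key with extra characters after 32 hex digits both pass, while the error text promises exactly 32 hex digits. Since the value is stored and later written into the pf ruleset via SNatRule, anything beyond the checked 32 characters would reach the rule text without ever having been validated. Replace the inner condition with a full-match test, `if (!preg_match('/^0x[0-9a-f]{32}$/i', $pconfig['poolopts_sourcehashkey'])) {`, which also makes the separate `0x` prefix test unnecessary. The `== 'source-hash'` comparison should be `===`, consistent with the `===` this file already uses on `$_SERVER['REQUEST_METHOD']`. The enclosing request handler starts and ends outside the hunk.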
@@ -215,6 +220,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
             $natent['tag'] = $pconfig['tag'];
             $natent['tagged'] = $pconfig['tagged'];
             $natent['poolopts'] = $pconfig['poolopts'];
+            $natent['poolopts_sourcehashkey'] = $pconfig['poolopts_sourcehashkey'];
             $natent['ipprotocol'] = $pconfig['ipprotocol'];

             if (isset($a_out[$id]['created']) && is_array($a_out[$id]['created']) ){
@@ -715,37 +721,50 @@ include("head.inc"); - - + + + + + + + + + +
+ + +
+ +