From d3afd68acb8af56bdb38e2775d1424366efdf418 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Tue, 26 Dec 2017 19:20:24 +0100
Subject: [PATCH] Firewall/rule parsing. add initial SNAT implementation, for
 https://github.com/opnsense/core/issues/1326

---
 .../app/library/OPNsense/Firewall/Plugin.php  | 14 ++++
 .../library/OPNsense/Firewall/SNatRule.php    | 82 +++++++++++++++++++
 2 files changed, 96 insertions(+)
 create mode 100644 src/opnsense/mvc/app/library/OPNsense/Firewall/SNatRule.php

diff --git a/src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php b/src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php
index 7a84b0284..9f453b6ab 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/Plugin.php
@@ -264,6 +264,20 @@ class Plugin
         $this->natRules[$prio][] = $rule;
     }
 
+    /**
+     * register a destination Nat rule
+     * @param int $prio priority
+     * @param array $conf configuration
+     */
+    public function registerSNatRule($prio, $conf)
+    {
+        $rule = new SNatRule($this->interfaceMapping, $conf);
+        if (empty($this->natRules[$prio])) {
+            $this->natRules[$prio] = array();
+        }
+        $this->natRules[$prio][] = $rule;
+    }
+
     /**
      * register an Npt rule
      * @param int $prio priority
diff --git a/src/opnsense/mvc/app/library/OPNsense/Firewall/SNatRule.php b/src/opnsense/mvc/app/library/OPNsense/Firewall/SNatRule.php
new file mode 100644
index 000000000..eff5c55a9
--- /dev/null
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/SNatRule.php
@@ -0,0 +1,82 @@
+<?php
+
+/**
+ *    Copyright (C) 2017 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+namespace OPNsense\Firewall;
+
+/**
+ * Class SNatRule, outbound / source nat rules
+ * @package OPNsense\Firewall
+ */
+class SNatRule extends Rule
+{
+    private $procorder = array(
+        'disabled' => 'parseIsComment',
+        'nonat' => 'parseBool,no nat,nat',
+        'log' => 'parseBool,log',
+        'interface' => 'parseInterface',
+        'ipprotocol' => 'parsePlain',
+        'protocol' => 'parseReplaceSimple,tcp/udp:{tcp udp},proto ',
+        'from' => 'parsePlain,from ',
+        'to' => 'parsePlain,to ',
+        'tag' => 'parsePlain, tag ',
+        'tagged' => 'parsePlain, tagged ',
+        'target' => 'parsePlain, -> ',
+        'poolopts' => 'parsePlain',
+        'staticnatport' => 'parseBool,  static-port , port 1024:65535 ',
+        'descr' => 'parseComment'
+    );
+
+    /**
+     * preprocess internal rule data to detail level of actual ruleset
+     * handles shortcuts, like inet46 and multiple interfaces
+     * @return array
+     */
+    private function parseNatRules()
+    {
+        foreach ($this->reader() as $rule) {
+            if ($rule['target'] == "other-subnet") {
+                $rule['target'] = $rule['targetip'] . '/' . $rule['targetip_subnet'];
+            }
+            yield $rule;
+        }
+    }
+
+    /**
+     * output rule as string
+     * @return string ruleset
+     */
+    public function __toString()
+    {
+        $ruleTxt = '';
+        foreach ($this->parseNatRules() as $rule) {
+            $ruleTxt .= $this->ruleToText($this->procorder, $rule). "\n";
+        }
+        return $ruleTxt;
+    }
+}