From d8553a0e7f1f13ab778eed64297e65372d5abcb7 Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Tue, 14 Jun 2022 13:43:46 +0200
Subject: [PATCH] firewall: allow NPT logging; closes #5228

We will be adding NPT logging support because the infrastructure already supports it. 1:1 is a bit harder to deal with so hands off for now and see how this works out.

---
 .../Diagnostics/Api/FirewallController.php | 2 +-
 .../app/library/OPNsense/Firewall/NptRule.php | 26 ++++---
 .../views/OPNsense/Diagnostics/fw_log.volt | 11 ++-
 src/www/firewall_nat_npt_edit.php | 71 ++++++++++---------
 4 files changed, 60 insertions(+), 50 deletions(-)

diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Diagnostics/Api/FirewallController.php b/src/opnsense/mvc/app/controllers/OPNsense/Diagnostics/Api/FirewallController.php
index 8d84a44de..db0e6e9f3 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Diagnostics/Api/FirewallController.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Diagnostics/Api/FirewallController.php
@@ -79,7 +79,7 @@ class FirewallController extends ApiControllerBase
 }
 sort($interfaces, SORT_NATURAL | SORT_FLAG_CASE);
 return [
- 'action' => ['pass', 'block', 'rdr', 'nat'], /* XXX binat is possible but not yet supported in rules */
+ 'action' => ['pass', 'block', 'rdr', 'nat', 'binat'],
 'interface_name' => $interfaces,
 'dir' => ['in', 'out'],
 ];
diff --git a/src/opnsense/mvc/app/library/OPNsense/Firewall/NptRule.php b/src/opnsense/mvc/app/library/OPNsense/Firewall/NptRule.php
index 8a0714096..1f59d5185 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/NptRule.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/NptRule.php
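Review bot: Adding `'binat'` to the selectable actions without a note leaves the log viewer offering a filter that, per the commit message, only NPT rules can populate for now, because 1:1 rules still emit no `log` keyword; the removed `XXX` comment was the only record of that gap. Keep a one-line marker on the new line: `'action' => ['pass', 'block', 'rdr', 'nat', 'binat'], /* binat: emitted by NPT rules only, 1:1 rules are not logged yet */`. The enclosing method begins before this hunk.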
@@ -1,7 +1,7 @@ array(
- 'disabled' => 'parseIsComment',
- 'binat' => 'parseStaticText,binat ',
- 'interface' => 'parseInterface',
- 'from' => 'parsePlain,from , to any',
- 'to' => 'parsePlain, -> ',
- 'descr' => 'parseComment'
- ),
- );
+ private $procorder = [
+ 'disabled' => 'parseIsComment',
+ 'binat' => 'parseStaticText,binat ',
+ 'log' => 'parseBool,log',
+ 'interface' => 'parseInterface',
+ 'from' => 'parsePlain,from , to any',
+ 'to' => 'parsePlain, -> ',
+ 'descr' => 'parseComment'
+ ];
 /**
 * search interfaces without a gateway other then the one provided
@@ -52,7 +51,7 @@ class NptRule extends Rule
 */
 private function reflectionInterfaces($interface)
 {
- $result = array();
+ $result = [];
 foreach ($this->interfaceMapping as $intfk => $intf) {
 if (
 empty($intf['gateway']) && empty($intf['gatewayv6']) && $interface != $intfk
@@ -72,7 +71,6 @@ class NptRule extends Rule
 private function parseNptRules()
 {
 foreach ($this->reader('npt') as $rule) {
- $rule['rule_type'] = "binat_1";
 yield $rule;
 }
 }
@@ -85,7 +83,7 @@ class NptRule extends Rule
 {
 $ruleTxt = '';
 foreach ($this->parseNptRules() as $rule) {
- $ruleTxt .= $this->ruleToText($this->procorder[$rule['rule_type']], $rule) . "\n";
+ $ruleTxt .= $this->ruleToText($this->procorder, $rule) . "\n";
 }
 return $ruleTxt;
 }
diff --git a/src/opnsense/mvc/app/views/OPNsense/Diagnostics/fw_log.volt b/src/opnsense/mvc/app/views/OPNsense/Diagnostics/fw_log.volt
index 2bb96d9c0..63467b69b 100644
--- a/src/opnsense/mvc/app/views/OPNsense/Diagnostics/fw_log.volt
+++ b/src/opnsense/mvc/app/views/OPNsense/Diagnostics/fw_log.volt
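Review bot: The position of `'log' => 'parseBool,log'` inside `$procorder` is load-bearing and undocumented: `ruleToText` presumably emits the fragments in map order, and pf's binat grammar takes the optional `log` between `binat` and `on <interface>`, so a later reordering of this map would produce rules pfctl refuses to load. A docblock on the property would pin that down, e.g. `/** Fragments in pf binat grammar order: binat [log] on <if> from <src> to any -> <dst> # descr */`. The declaration line of the property is not readable on this page, so the exact placement of that docblock cannot be verified here. The hunk at -72 reduces `parseNptRules` to a plain pass-through of `$this->reader('npt')`, which is fine, but a one-line comment noting that the single rule shape no longer needs a `rule_type` dispatch would save the next reader a history dig.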
@@ -29,8 +29,13 @@ $( document ).ready(function() {
 var field_type_icons = {
- 'pass': 'fa-play', 'block': 'fa-ban', 'in': 'fa-arrow-right',
- 'out': 'fa-arrow-left', 'rdr': 'fa-exchange', 'nat': 'fa-exchange'
+ 'binat': 'fa-exchange',
+ 'block': 'fa-ban',
+ 'in': 'fa-arrow-right',
+ 'nat': 'fa-exchange',
+ 'out': 'fa-arrow-left',
+ 'pass': 'fa-play',
+ 'rdr': 'fa-exchange'
 };
 var interface_descriptions = {};
 let hostnameMap = {};
@@ -280,7 +285,7 @@
 log_tr.addClass('fw_pass');
 } else if (record['action'] == 'block') {
 log_tr.addClass('fw_block');
- } else if (record['action'] == 'rdr' || record['action'] == 'nat') {
+ } else if (record['action'] == 'rdr' || record['action'] == 'nat' || record['action'] == 'binat') {
 log_tr.addClass('fw_nat');
 }
 $("#grid-log > tbody > tr:first").before(log_tr);
diff --git a/src/www/firewall_nat_npt_edit.php b/src/www/firewall_nat_npt_edit.php
index 03cdfe1c2..61c0c58fe 100644
--- a/src/www/firewall_nat_npt_edit.php
+++ b/src/www/firewall_nat_npt_edit.php
@@ -43,10 +43,10 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $pconfig = array();
 // set defaults
- $pconfig['interface'] = "wan";
+ $pconfig['interface'] = 'wan';
 if (isset($configId)) {
 // copy 1-to-1 attributes
- foreach (array('disabled','interface','descr', 'category') as $fieldname) {
+ foreach (array('disabled','interface','descr','log','category') as $fieldname) {
 if (isset($a_npt[$configId][$fieldname])) {
 $pconfig[$fieldname] = $a_npt[$configId][$fieldname];
 }
@@ -64,7 +64,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 }
 // initialize empty form values
- foreach (array('disabled','interface','descr','src','srcmask','dst') as $fieldname) {
+ foreach (array('disabled','interface','descr','src','srcmask','dst','log') as $fieldname) {
 if (!isset($pconfig[$fieldname])) {
 $pconfig[$fieldname] = null;
 }
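Review bot: The branch `} else if (record['action'] == 'rdr' || record['action'] == 'nat' || record['action'] == 'binat') {` now spells out the NAT action set a third time on this page (the `field_type_icons` map in the hunk at -29, this chain, and the controller's action list), so the next action added will be missed in one of them. A membership test keeps the set in one place and reads better: `} else if (['rdr', 'nat', 'binat'].includes(record['action'])) {`. Both hunks sit inside the `$( document ).ready` handler, which begins and ends outside them.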
@@ -100,37 +100,37 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 }
 if (count($input_errors) == 0) {
- $natent = array();
+ $natent = [];
- $natent['disabled'] = isset($pconfig['disabled']) ? true:false;
- $natent['category'] = !empty($pconfig['category']) ? implode(",", $pconfig['category']) : null;
- $natent['descr'] = $pconfig['descr'];
- $natent['interface'] = $pconfig['interface'];
- pconfig_to_address(
- $natent['source'], trim($pconfig['src']), $pconfig['srcmask']
- );
+ $natent['disabled'] = isset($pconfig['disabled']) ? true : false;
+ $natent['category'] = !empty($pconfig['category']) ? implode(",", $pconfig['category']) : null;
+ $natent['descr'] = $pconfig['descr'];
+ $natent['interface'] = $pconfig['interface'];
+ $natent['log'] = !empty($pconfig['log']);
- pconfig_to_address(
- $natent['destination'], trim($pconfig['dst']), $pconfig['srcmask']
- );
+ pconfig_to_address($natent['source'], trim($pconfig['src']), $pconfig['srcmask']);
+ pconfig_to_address($natent['destination'], trim($pconfig['dst']), $pconfig['srcmask']);
- if (isset($id)) {
- $a_npt[$id] = $natent;
- } elseif (isset($after)) {
- array_splice($a_npt, $after+1, 0, array($natent));
- } else {
- $a_npt[] = $natent;
- }
- OPNsense\Core\Config::getInstance()->fromArray($config);
- $catmdl = new OPNsense\Firewall\Category();
- if ($catmdl->sync()) {
- $catmdl->serializeToConfig();
- $config = OPNsense\Core\Config::getInstance()->toArray(listtags());
- }
- write_config();
- mark_subsystem_dirty('natconf');
- header(url_safe('Location: /firewall_nat_npt.php'));
- exit;
+ if (isset($id)) {
+ $a_npt[$id] = $natent;
+ } elseif (isset($after)) {
+ array_splice($a_npt, $after+1, 0, array($natent));
+ } else {
+ $a_npt[] = $natent;
+ }
+
+ OPNsense\Core\Config::getInstance()->fromArray($config);
+ $catmdl = new OPNsense\Firewall\Category();
+ if ($catmdl->sync()) {
+ $catmdl->serializeToConfig();
+ $config = OPNsense\Core\Config::getInstance()->toArray(listtags());
+ }
+
+ write_config();
+ mark_subsystem_dirty('natconf');
+
+ header(url_safe('Location: /firewall_nat_npt.php'));
+ exit;
 }
 }
@@ -168,8 +168,8 @@ $( document ).ready(function() { /> +
@@ -224,6 +224,13 @@ $( document ).ready(function() { + + + + /> +
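Review bot: The two checkbox fields are decoded with different predicates: `$natent['disabled'] = isset($pconfig['disabled']) ? true : false;` treats any posted value, including `0`, as set, while the new `$natent['log'] = !empty($pconfig['log']);` treats `0` as unset, so the two flags on the same form do not behave alike. Pick one form for both; `$natent['disabled'] = !empty($pconfig['disabled']);` is the shorter and stricter of the two. The destination call `pconfig_to_address($natent['destination'], trim($pconfig['dst']), $pconfig['srcmask']);` reuses `srcmask`, presumably because NPT maps prefixes of equal length, and that deserves a comment such as `// NPT: the external prefix takes the same length as the internal one` so it is not "fixed" later. This hunk spans a chunk boundary on the page, and the enclosing request-handling block begins before it.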
+ +