From d8f23d5210ae12e6f5e31f57c7170edd2587eec5 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Sun, 9 Dec 2018 19:52:23 +0100
Subject: [PATCH] Firwall/Nat, when using "Reflection for port forwards" we should only add nat rules for interfaces with configured addresses. Although this looks a bit duplicate at first, when the nat interface itself (e.g. openvpn) is missing a network, we should add a rdr, but skip the nat rule. closes https://github.com/opnsense/core/issues/3023
---
 .../mvc/app/library/OPNsense/Firewall/ForwardRule.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/opnsense/mvc/app/library/OPNsense/Firewall/ForwardRule.php b/src/opnsense/mvc/app/library/OPNsense/Firewall/ForwardRule.php
index d1f0ad82d..3c9025cea 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/ForwardRule.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/ForwardRule.php
@@ -156,8 +156,13 @@ class ForwardRule extends Rule
 $rule = $tmp;
 // automatically generate nat rule when enablenatreflectionhelper is set
 if (!$rule['disabled'] && empty($rule['nordr']) && !empty($rule['enablenatreflectionhelper'])) {
- $rule['rule_types'][] = "rdr_nat";
- $rule['staticnatport'] = !empty($rule['staticnatport']);
+ if (!empty($this->interfaceMapping[$rule['interface']]) && (
+ !empty($this->interfaceMapping[$rule['interface']]['ifconfig']['ipv4']) ||
+ !empty($this->interfaceMapping[$rule['interface']]['ifconfig']['ipv6'])
+ )) {
+ $rule['rule_types'][] = "rdr_nat";
+ $rule['staticnatport'] = !empty($rule['staticnatport']);
+ }
 }
 $rule['interface'] = $interf;
 yield $rule;
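Review bot: The new guard inside the `enablenatreflectionhelper` branch is satisfied by an address of either family, so a rule for one address family on an interface that only has the other configured would still get `rdr_nat`; if the generated nat rule is family-specific, that case may reproduce the address-less nat rule this commit is trying to avoid. Consider testing only the `ifconfig` entry that matches the rule's own address family, if the rule carries one at this point. The skip is also silent and uncommented, so a short comment above the inner `if`, such as `// reflection nat needs an address on this interface; without one keep the rdr but skip the nat rule`, would record the intent that currently lives only in the commit message. The enclosing generator method starts and ends outside the hunk.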