From da4a241cfde3eb8202120b0c13c7ea7873aaa482 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Mon, 7 Oct 2019 21:34:48 +0200
Subject: [PATCH] Firewall/SourceNat, don't store interace address, but a reference. closes https://github.com/opnsense/core/issues/3712
---
 .../mvc/app/library/OPNsense/Firewall/SNatRule.php | 6 ++++++
 src/www/firewall_nat_out.php | 2 ++
 src/www/firewall_nat_out_edit.php | 9 ++++-----
 3 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/src/opnsense/mvc/app/library/OPNsense/Firewall/SNatRule.php b/src/opnsense/mvc/app/library/OPNsense/Firewall/SNatRule.php
index a62b09842..95e1ac3cb 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Firewall/SNatRule.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Firewall/SNatRule.php
@@ -91,6 +91,12 @@ class SNatRule extends Rule
 $this->log('SNAT / pool type not round-robin');
 $rule['disabled'] = true;
 }
+ } elseif (preg_match("/^(wan|lan|opt[0-9]+)ip$/", $rule['target'], $matches)) {
+ $rule['target'] = "({$this->interfaceMapping["{$matches[1]}"]['if']}:0)";
+ if (empty($this->interfaceMapping["{$matches[1]}"])) {
+ $this->log("SNAT / target missing");
+ $rule['disabled'] = true;
+ }
 }
 foreach (array("sourceport", "dstport", "natport") as $fieldname) {
 if (!empty($rule[$fieldname]) && Util::isAlias($rule[$fieldname])) {
diff --git a/src/www/firewall_nat_out.php b/src/www/firewall_nat_out.php
index 5a81b6b9b..9d3e264e2 100644
--- a/src/www/firewall_nat_out.php
+++ b/src/www/firewall_nat_out.php
@@ -455,6 +455,8 @@ include("head.inc");
 $nat_address = 'NO NAT';
 } elseif (empty($natent['target'])) {
 $nat_address = gettext("Interface address");
+ } elseif (is_specialnet($natent['target'])) {
+ $nat_address = htmlspecialchars(get_specialnets()[$natent['target']]);
 } elseif ($natent['target'] == "other-subnet") {
 $nat_address = $natent['targetip'] . '/' . $natent['targetip_subnet'];
 } else {
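Review bot: In the new `elseif` branch of SNatRule.php, `$this->interfaceMapping[...]['if']` is read to build the target before the `empty()` check runs, so an unknown interface raises an undefined-index notice and yields the target `(:0)`; the check also looks only at the mapping entry, not at its `if` key. I would test first with `if (empty($this->interfaceMapping[$matches[1]]['if'])) {`, log and disable there, and assign `$rule['target']` only in the `else`. Anchoring the pattern with `\z` instead of `$` would also keep a value with a trailing newline from matching. The enclosing method starts and ends outside the hunk, so how a disabled rule carrying that target is treated later cannot be seen here.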
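Review bot: The new branch in firewall_nat_out.php stores an `htmlspecialchars()`-encoded string in `$nat_address`, while the sibling branches visible in this hunk assign raw values (`'NO NAT'`, `$natent['targetip'] . '/' . $natent['targetip_subnet']`), so the variable now holds a mix of encoded and unencoded text. Where it is printed is outside the hunk: if it is encoded again there, an interface description containing `&` or `<` is double-encoded, and if it is not, the `other-subnet` branch needs the same treatment as the new one. I would encode once at the point of output, or in every branch, and call `get_specialnets()` once before the rule loop rather than per row.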
diff --git a/src/www/firewall_nat_out_edit.php b/src/www/firewall_nat_out_edit.php index 753c84078..26d927753 100644 --- a/src/www/firewall_nat_out_edit.php +++ b/src/www/firewall_nat_out_edit.php @@ -39,10 +39,8 @@ function formTranslateAddresses() { $retval = array(); // add this hosts ips - foreach ($config['interfaces'] as $intf => $intfdata) { - if (isset($intfdata['ipaddr']) && is_ipaddr($intfdata['ipaddr'])) { - $retval[$intfdata['ipaddr']] = (!empty($intfdata['descr']) ? $intfdata['descr'] : $intf ) . " " . gettext("address"); - } + foreach (legacy_config_get_interfaces(array('virtual' => false, "enable" => true)) as $intf => $intfdata) { + $retval[$intf."ip"] = (!empty($intfdata['descr']) ? $intfdata['descr'] : $intf ) . " " . gettext("address"); } // add VIPs's @@ -188,7 +186,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { $input_errors[] = gettext("Negating destination address of \"any\" is invalid."); } - if (!empty($pconfig['targetip']) && !is_ipaddr($pconfig['targetip']) && !is_subnet($pconfig['targetip']) && !is_alias($pconfig['targetip']) && empty($pconfig['nonat'])) { + if (!empty($pconfig['targetip']) && !is_ipaddr($pconfig['targetip']) && !is_subnet($pconfig['targetip']) + && !is_specialnet($pconfig['targetip']) && !is_alias($pconfig['targetip']) && empty($pconfig['nonat'])) { $input_errors[] = gettext("A valid target IP address must be specified."); } /* Verify Pool Options */
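Review bot: In `formTranslateAddresses()` the option keys are now `$intf."ip"` for every enabled, non-virtual interface, while the resolver this commit adds to SNatRule.php only translates names matching `^(wan|lan|opt[0-9]+)ip$`. If an interface key can fall outside that pattern, it is selectable here but would reach the rule generator untranslated; a shared helper, or at least a comment such as `// keys must stay in sync with the <if>ip pattern resolved in SNatRule`, would keep the two aligned. Rules saved before this change presumably still hold a literal address that no longer appears in this list, so it is worth confirming that opening and saving such a rule does not silently change its target. The function continues outside the hunk.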
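Review bot: The widened validation of `$pconfig['targetip']` accepts anything `is_specialnet()` recognises, which is defined outside this page and may cover more than the interface-address names that `formTranslateAddresses()` offers. For a NAT target I would validate against the values the form actually presents, for example `&& !array_key_exists($pconfig['targetip'], formTranslateAddresses())` in place of the `is_specialnet()` term, so that a submitted value the rule generator does not translate is rejected here instead of being written to the configuration.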