From f8d5c01a6f4ab2ef307324acd4711cd76e005827 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Tue, 30 Jul 2019 11:57:47 +0200
Subject: [PATCH] Filter, automatic rules. "let out anything from firewall host itself (force gw)" not visible, since its not bound to the interface. Although we might want to show all rules without interface as well, the gateway rule belongs to the interface as the interface address is used as from address
---
 src/etc/inc/filter.lib.inc | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/src/etc/inc/filter.lib.inc b/src/etc/inc/filter.lib.inc
index dd7b73fcb..15e425402 100644
--- a/src/etc/inc/filter.lib.inc
+++ b/src/etc/inc/filter.lib.inc
@@ -573,7 +573,7 @@ function filter_core_rules_system($fw, $defaults)
 // Our default setting has been to force traffic leaving a specific interface to use the associated gateway.
 // This behaviour can be disabled, so settings can be customized using manual firewall rules.
 if (empty($config['system']['pf_disable_force_gw'])) {
- foreach ($fw->getInterfaceMapping() as $ifdescr => $ifcfg) {
+ foreach ($fw->getInterfaceMapping() as $intf => $ifcfg) {
 if (!isset($ifcfg['internal_dynamic']) && $ifcfg['if'] != 'lo0') {
 $intf_has_v4 = false;
 $intf_has_v6 = false;
@@ -588,11 +588,9 @@ function filter_core_rules_system($fw, $defaults)
 if (($gwproto == 'inet' && $intf_has_v4) || ($gwproto == 'inet6' && $intf_has_v6)) {
 $fw->registerFilterRule(
 100000,
- array('from' => $ifcfg['if'], 'direction' => 'out', 'gateway' => $gwname,
- 'destination' => array('network'=> $ifdescr, "not" => true),
- 'statetype' => 'keep',
- 'allowopts' => true,
- 'quick' => false,
+ array('interface'=> $intf, 'from' => $ifcfg['if'], 'direction' => 'out',
+ 'destination' => array('network'=> $intf, "not" => true),
+ 'statetype' => 'keep', 'allowopts' => true, 'quick' => false, 'gateway' => $gwname,
 '#ref' => 'system_advanced_firewall.php#pf_disable_force_gw',
 'descr' => "let out anything from firewall host itself (force gw)"),
 $defaults['pass']
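Review bot: Adding `'interface'=> $intf` to the force-gw rule array probably changes which packets the rule matches, not only where the rule is listed, and the commit message only mentions visibility. Before this change the rule had no interface key, so it presumably applied to any outbound packet sourced from this interface's address. If `registerFilterRule` turns the key into an interface match, host traffic sourced from that address but leaving through another interface would no longer be forced to `$gwname` and would instead fall through to whatever later rules or the routing table decide. Please confirm the narrowing is intended and record it above the call, for example `// bound to $intf so the rule is listed per interface; only matches traffic leaving on that interface`. The hunk starts and ends inside `filter_core_rules_system`, so the handling of `interface` and any remaining uses of the old `$ifdescr` name between the two hunks are not visible here.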