(firewall) parse /etc/protocols for valid options, sort most used on top.

58001db0 · Ad Schellevis · a356f26b · 58001db0 · 58001db0 · 58001db0
Commit 58001db0 authored May 25, 2016 by Ad Schellevis
4 changed files
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -1699,7 +1699,7 @@ function filter_nat_rules_generate(&$FilterIflist)
            }

            $address_family = !empty($rule['ipprotocol']) ? $rule['ipprotocol'] : "";
-            switch(strtolower($rule['protocol'])) {
+            switch(strtolower(!empty($rule['protocol']) ? $rule['protocol'] : "")) {
                case "tcp/udp":
                    $protocol = "{ tcp udp }";
                    break;
@@ -1789,7 +1789,8 @@ function filter_nat_rules_generate(&$FilterIflist)


            if ($srcaddr <> "" && $dstaddr <> "" && $natif) {
-                $natrules .= "{$nordr}rdr {$rdrpass}on {$natif} {$address_family} proto {$protocol} from {$srcaddr} to {$dstaddr}" . ($nordr == "" ? " -> {$target}{$localport}" : "");
+                $protocol_keyword = !empty($protocol) ? "proto" : "";
+                $natrules .= "{$nordr}rdr {$rdrpass}on {$natif} {$address_family} {$protocol_keyword} {$protocol} from {$srcaddr} to {$dstaddr}" . ($nordr == "" ? " -> {$target}{$localport}" : "");
                /* Does this rule redirect back to a internal host? */
                if (isset($rule['destination']['any']) && !isset($rule['nordr']) && !isset($config['system']['enablenatreflectionhelper']) && !interface_has_gateway($rule['interface'])) {
                    $rule_interface_ip = find_interface_ip($natif);
@@ -1812,7 +1813,8 @@ function filter_nat_rules_generate(&$FilterIflist)
                                $rdr_if_list = "{ {$rdr_if_list} }";
                            }
                            $natrules .= "\n# Reflection redirect\n";
-                            $natrules .= "{$nordr}rdr {$rdrpass}on {$rdr_if_list} {$address_family} proto {$protocol} from {$srcaddr} to {$dstaddr_reflect}" . ($nordr == "" ? " -> {$target}{$localport}" : "");
+                            $protocol_keyword = !empty($protocol) ? "proto" : "";
+                            $natrules .= "{$nordr}rdr {$rdrpass}on {$rdr_if_list} {$address_family} {$protocol_keyword} {$protocol} from {$srcaddr} to {$dstaddr_reflect}" . ($nordr == "" ? " -> {$target}{$localport}" : "");
                            $nat_if_list = array_merge(array($natif), $nat_if_list);
                        }
                    }
@@ -3425,3 +3427,21 @@ function default_state_size()

    return $max_states;
 }
+
+function get_protocols()
+{
+    $protocols = array("any", "TCP", "UDP", "TCP/UDP", "ICMP", "ESP", "AH", "GRE", "IGMP", "PIM", "OSPF");
+
+    foreach (explode("\n", file_get_contents('/etc/protocols')) as $line) {
+        if (substr($line,0, 1) != "#") {
+            $parts = preg_split('/\s+/', $line);
+            if (count($parts) >= 4 && $parts[1] > 0) {
+                $protocol = trim(strtoupper($parts[0]));
+                if (!in_array($protocol, $protocols)) {
+                    $protocols[] = $protocol;
+                }
+            }
+        }
+    }
+    return $protocols;
+}
--- a/src/www/firewall_nat_edit.php
+++ b/src/www/firewall_nat_edit.php
@@ -30,6 +30,7 @@

 require_once("guiconfig.inc");
 require_once("pfsense-utils.inc");
+require_once("filter.inc");

 /**
 * build array with interface options for this form
@@ -278,7 +279,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
        $natent = array();

        // 1-on-1 copy
+        if ($pconfig['protocol'] != 'any') {
            $natent['protocol'] = $pconfig['protocol'];
+        }
        $natent['interface'] = $pconfig['interface'];
        $natent['ipprotocol'] = $pconfig['ipprotocol'];
        $natent['descr'] = $pconfig['descr'];
@@ -368,9 +371,13 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
              $pconfig['srcbeginport'], $pconfig['srcendport']);

            // Update interface, protocol and destination
-            $filterent['interface'] = $pconfig['interface'];
-            $filterent['protocol'] = $pconfig['protocol'];
-            $filterent['ipprotocol'] = $pconfig['ipprotocol'];
+            $filterent['interface'] = $natent['interface'];
+            if (!empty($natent['protocol'])) {
+                $filterent['protocol'] = $natent['protocol'];
+            } elseif (isset($filterent['protocol'])) {
+                unset($filterent['protocol']);
+            }
+            $filterent['ipprotocol'] = $natent['ipprotocol'];
            if (!isset($filterent['destination'])) {
                $filterent['destination'] = array();
            }
@@ -618,7 +625,7 @@ $( document ).ready(function() {
                  <td>
                    <div class="input-group">
                      <select id="proto" name="protocol" class="selectpicker" data-live-search="true" data-size="5" data-width="auto">
-<?php                foreach (explode(" ", "TCP UDP TCP/UDP ICMP ESP AH GRE IGMP PIM OSPF") as $proto):
+<?php                foreach (get_protocols() as $proto):
 ?>
              <option value="<?=strtolower($proto);?>" <?= strtolower($proto) == $pconfig['protocol'] ? "selected=\"selected\"" : ""; ?>>
                          <?=$proto;?>

--- a/src/www/firewall_nat_out_edit.php
+++ b/src/www/firewall_nat_out_edit.php
@@ -30,7 +30,7 @@

 require_once("guiconfig.inc");
 require_once("pfsense-utils.inc");
-
+require_once("filter.inc");

 /**
 * build array with interface options for this form
@@ -487,9 +487,9 @@ include("head.inc");
                  <td>
                    <div class="input-group">
                      <select id="proto" name="protocol" class="selectpicker" data-live-search="true" data-size="5" data-width="auto">
-<?php                foreach (array("any" => gettext("any"), "TCP" => gettext("TCP"), "UDP" => gettext("UDP"), "TCP/UDP" => gettext("TCP/UDP"), "ICMP" => gettext("ICMP"), "ESP" => gettext("ESP"), "AH" => gettext("AH"), "GRE" => gettext("GRE"), "IGMP" => gettext("IGMP"), "PIM" => gettext("PIM"), " OSPF" => gettext("OSPF")) as $proto => $proto_translated):
+<?php                foreach (get_protocols() as $proto):
 ?>
-              <option value="<?=strtolower($proto);?>" <?= strtolower($proto) == $pconfig['protocol'] ? "selected=\"selected\"" : ""; ?>><?=$proto_translated?></option>
+              <option value="<?=strtolower($proto);?>" <?= strtolower($proto) == $pconfig['protocol'] ? "selected=\"selected\"" : ""; ?>><?=$proto;?></option>
 <?php                endforeach; ?>
              </select>
                    </div>

--- a/src/www/firewall_rules_edit.php
+++ b/src/www/firewall_rules_edit.php
@@ -32,6 +32,7 @@ require_once("guiconfig.inc");
 require_once("pfsense-utils.inc");
 require_once("interfaces.inc");
 require_once("services.inc");
+require_once("filter.inc");

 /* TCP flags */
 $tcpflags = array("syn", "ack", "fin", "rst", "psh", "urg", "ece", "cwr");
@@ -837,8 +838,7 @@ include("head.inc");
                    <td>
                      <select <?=!empty($pconfig['associated-rule-id']) ? "disabled" : "";?> name="protocol" id="proto" class="selectpicker" data-live-search="true" data-size="5" >
 <?php
-                      $protocols = explode(" ", "any TCP UDP TCP/UDP ICMP ESP AH GRE IGMP PIM OSPF carp pfsync");
-                      foreach ($protocols as $proto): ?>
+                      foreach (get_protocols() as $proto): ?>
                        <option value="<?=strtolower($proto);?>" <?= strtolower($proto) == $pconfig['protocol'] ? "selected=\"selected\"" :""; ?>>
                          <?=$proto;?>
                        </option>