(filter) remove nat+proxy, https://github.com/opnsense/core/issues/963

5ea45d86 · Ad Schellevis · 8d0cb3c5 · 5ea45d86 · 5ea45d86 · 5ea45d86
Commit 5ea45d86 authored May 25, 2016 by Ad Schellevis
Showing with 20 additions and 275 deletions

filter.inc src/etc/inc/filter.inc +14 -258

firewall_nat_edit.php src/www/firewall_nat_edit.php +1 -2

system_advanced_firewall.php src/www/system_advanced_firewall.php +5 -15

No files found.
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -1127,211 +1127,6 @@ function filter_generate_reflection_nat(&$FilterIflist, $rule, &$route_table, $n
    return $natrules;
 }

-function filter_generate_reflection_proxy(&$FilterIflist, $rule, $nordr, $rdr_ifs, $srcaddr, $dstaddr_port, &$starting_localhost_port, &$reflection_txt)
-{
-    global $config;
-
-    $reflection_txt = array();
-    $natrules = '';
-
-    if (!empty($rdr_ifs)) {
-        if ($config['system']['reflectiontimeout']) {
-            $reflectiontimeout = $config['system']['reflectiontimeout'];
-        } else {
-            $reflectiontimeout = "2000";
-        }
-        update_filter_reload_status(sprintf(gettext("Creating reflection rule for %s..."), $rule['descr']));
-
-        $rdr_if_list = implode(" ", $rdr_ifs);
-        if (count($rdr_ifs) > 1) {
-            $rdr_if_list = "{ {$rdr_if_list} }";
-        }
-
-        $natrules .= "\n# Reflection redirects\n";
-
-        $localport = $rule['local-port'];
-        if (!empty($localport) && is_alias($localport)) {
-            $localport = filter_expand_alias($localport);
-            $localport = explode(" ", trim($localport));
-            // The translation port for rdr, when specified, does not support more than one port or range.
-            // Emulating for behavior consistent with the original port forward.
-            $localport = $localport[0];
-        }
-
-        if (is_alias($rule['destination']['port'])) {
-            if (empty($localport) || $rule['destination']['port'] == $rule['local-port']) {
-                $dstport = filter_expand_alias($rule['destination']['port']);
-                $dstport = array_filter(explode(" ", trim($dstport)));
-                $localport = "";
-            } else if (!empty($localport)) {
-                $dstport = array($localport);
-            }
-        } else {
-            $dstport = array(str_replace("-", ":", $rule['destination']['port']));
-            $dstport_split = explode(":", $dstport[0]);
-
-            if (!empty($localport) && $dstport_split[0] != $rule['local-port']) {
-                if (!is_alias($rule['local-port']) && $dstport_split[1] && $dstport_split[0] != $dstport_split[1]) {
-                    $localendport = $localport + ($dstport_split[1] - $dstport_split[0]);
-                    $localport .= ":$localendport";
-                }
-                $dstport = array($localport);
-            } else {
-                $localport = "";
-            }
-        }
-
-        $dstaddr = explode(" ", $dstaddr_port);
-        if ($dstaddr[2]) {
-            $rflctintrange = array_pop($dstaddr);
-            array_pop($dstaddr);
-        } else {
-            return "";
-        }
-        $dstaddr = implode(" ", $dstaddr);
-        if (empty($dstaddr) || trim($dstaddr) == "0.0.0.0" || strtolower(trim($dstaddr)) == "port") {
-            return "";
-        }
-
-        if (isset($rule['destination']['any'])) {
-            if (!$rule['interface']) {
-                $natif = "wan";
-            } else {
-                $natif = $rule['interface'];
-            }
-            if (!isset($FilterIflist[$natif])) {
-                return "";
-            }
-            if (is_ipaddr($FilterIflist[$natif]['ip'])) {
-                $dstaddr = $FilterIflist[$natif]['ip'];
-            } else {
-                return "";
-            }
-
-            if (!empty($FilterIflist[$natif]['sn'])) {
-                $dstaddr = gen_subnet($dstaddr, $FilterIflist[$natif]['sn']) . '/' . $FilterIflist[$natif]['sn'];
-            }
-        }
-
-        switch($rule['protocol']) {
-            case "tcp/udp":
-                $protocol = "{ tcp udp }";
-                $reflect_protos = array('tcp', 'udp');
-                break;
-            case "tcp":
-            case "udp":
-                $protocol = $rule['protocol'];
-                $reflect_protos = array($rule['protocol']);
-                break;
-            default:
-                return "";
-                break;
-        }
-
-        if (!empty($nordr)) {
-            $natrules .= "no rdr on {$rdr_if_list} proto {$protocol} from {$srcaddr} to {$dstaddr} port {$rflctintrange}\n";
-            return $natrules;
-        }
-
-        if (is_alias($rule['target'])) {
-            $target = filter_expand_alias($rule['target']);
-        } elseif (is_ipaddr($rule['target'])) {
-            $target = $rule['target'];
-        } elseif (is_ipaddr($FilterIflist[$rule['target']]['ip'])) {
-            $target = $FilterIflist[$rule['target']]['ip'];
-        } else {
-            return "";
-        }
-        $starting_localhost_port_tmp = $starting_localhost_port;
-        $toomanyports = false;
-        /* only install reflection rules for < 19991 items */
-        foreach($dstport as $loc_pt) {
-            if ($starting_localhost_port < 19991) {
-                $toadd_array = array();
-                $inetdport = $starting_localhost_port;
-                $rflctrange = $starting_localhost_port;
-
-                $loc_pt = explode(":", $loc_pt);
-                if ($loc_pt[1] && $loc_pt[1] > $loc_pt[0]) {
-                    $delta = $loc_pt[1] - $loc_pt[0];
-                } else {
-                    $delta = 0;
-                }
-
-                if (($inetdport + $delta + 1) - $starting_localhost_port_tmp > 500) {
-                    log_error("Not installing NAT reflection rules for a port range > 500");
-                    $inetdport = $starting_localhost_port;
-                    $toadd_array = array();
-                    $toomanyports = true;
-                    break;
-                } else if (($inetdport + $delta) > 19990) {
-                    log_error("Installing partial NAT reflection rules. Maximum 1,000 reached.");
-                    $delta = 19990 - $inetdport;
-                    $loc_pt[1] = $loc_pt[0] + $delta;
-                    if ($delta == 0) {
-                        unset($loc_pt[1]);
-                    }
-                    $toomanyports = true;
-
-                    if (!empty($localport)) {
-                        if (is_alias($rule['destination']['port'])) {
-                            $rflctintrange = alias_expand($rule['destination']['port']);
-                        } else {
-                            if ($dstport_split[1]) {
-                                $dstport_split[1] = $dstport_split[0] + $inetdport + $delta - $starting_localhost_port;
-                            }
-                            $rflctintrange = implode(":", $dstport_split);
-                        }
-                    }
-                }
-
-                if (empty($localport)) {
-                    $rflctintrange = implode(":", $loc_pt);
-                }
-                if ($inetdport + $delta > $starting_localhost_port) {
-                    $rflctrange .= ":" . ($inetdport + $delta);
-                }
-                $starting_localhost_port = $inetdport + $delta + 1;
-                $toadd_array = array_merge($toadd_array, range($loc_pt[0], $loc_pt[0] + $delta));
-
-                if (!empty($toadd_array)) {
-                    $rtarget = explode(" ", trim($target));
-                    foreach($toadd_array as $tda) {
-                        if (empty($tda)) {
-                            continue;
-                        }
-                        foreach($reflect_protos as $reflect_proto) {
-                            if ($reflect_proto == "udp") {
-                                $socktype = "dgram";
-                                $dash_u = "-u ";
-                                $wait = "wait\t";
-                            } else {
-                                $socktype = "stream";
-                                $dash_u = "";
-                                $wait = "nowait/0";
-                            }
-                            foreach ($rtarget as $targip) {
-                                if (empty($targip)) {
-                                    continue;
-                                }
-                                $reflection_txt[] = "{$inetdport}\t{$socktype}\t{$reflect_proto}\t{$wait}\tnobody\t/usr/bin/nc\tnc {$dash_u}-w {$reflectiontimeout} {$targip} {$tda}\n";
-                            }
-                        }
-                        $inetdport++;
-                    }
-                    $natrules .= "rdr on {$rdr_if_list} proto {$protocol} from {$srcaddr} to {$dstaddr} port {$rflctintrange} tag PFREFLECT -> 127.0.0.1 port {$rflctrange}\n";
-                }
-            }
-
-            if ($toomanyports) {
-                break;
-            }
-        }
-        $reflection_txt = array_unique($reflection_txt);
-    }
-
-    return $natrules;
-}

 function filter_nat_rules_automatic_tonathosts(&$FilterIflist, $with_descr = false)
 {
@@ -1855,7 +1650,6 @@ function filter_nat_rules_generate(&$FilterIflist)
        $natrules .= "rdr on \${$FilterIflist['wan']['descr']} proto ipv6 from any to any -> {$config['diag']['ipv6nat']['ipaddr']}\n";
    }

-    $inetd_fd = fopen('/var/etc/inetd.conf', 'w');

    // prevent redirection on ports with "lock out" protection
    if (!isset($config['system']['webgui']['noantilockout'])) {
@@ -1877,7 +1671,6 @@ function filter_nat_rules_generate(&$FilterIflist)

    if (isset($config['nat']['rule'])) {
        /* start reflection redirects on port 19000 of localhost */
-        $starting_localhost_port = 19000;
        $natrules .= "# NAT Inbound Redirects\n";
          foreach ($config['nat']['rule'] as $rule) {
            update_filter_reload_status(sprintf(gettext("Creating NAT rule %s"), $rule['descr']));
@@ -1972,10 +1765,8 @@ function filter_nat_rules_generate(&$FilterIflist)
            if (!isset($FilterIflist[$natif])) {
                continue;
            }
-            $srcaddr = filter_generate_address($FilterIflist, $rule, 'source', true);
-            $dstaddr = filter_generate_address($FilterIflist, $rule, 'destination', true);
-            $srcaddr = trim($srcaddr);
-            $dstaddr = trim($dstaddr);
+            $srcaddr = trim(filter_generate_address($FilterIflist, $rule, 'source', true));
+            $dstaddr = trim(filter_generate_address($FilterIflist, $rule, 'destination', true));

            if (!$dstaddr) {
                $dstaddr = $FilterIflist[$natif]['ip'];
@@ -2000,31 +1791,6 @@ function filter_nat_rules_generate(&$FilterIflist)

            $natif = $FilterIflist[$natif]['if'];

-            $reflection_type = "none";
-            if ($rule['natreflection'] != "disable" && $dstaddr_port[0] != "0.0.0.0") {
-                if ($rule['natreflection'] == "enable") {
-                    $reflection_type = "proxy";
-                } elseif ($rule['natreflection'] == "purenat") {
-                    $reflection_type = "purenat";
-                } elseif (!isset($config['system']['disablenatreflection'])) {
-                    if (isset($config['system']['enablenatreflectionpurenat'])) {
-                        $reflection_type = "purenat";
-                    } else {
-                        $reflection_type = "proxy";
-                    }
-                }
-            }
-
-            if ($reflection_type != "none") {
-                $nat_if_list = filter_get_reflection_interfaces($FilterIflist, $natif);
-            } else {
-                $nat_if_list = array();
-            }
-
-            if (empty($nat_if_list)) {
-                $reflection_type = "none";
-            }
-
            $localport_nat = $localport;
            if (empty($localport_nat) && $dstaddr_port[2]) {
                $localport_nat = " port " . $dstaddr_port[2];
@@ -2045,14 +1811,11 @@ function filter_nat_rules_generate(&$FilterIflist)
                    }
                }

-                if ($reflection_type != "none") {
-                    if ($reflection_type == "proxy" && !isset($rule['nordr'])) {
-                        $natrules .= filter_generate_reflection_proxy($FilterIflist, $rule, $nordr, $nat_if_list, $srcaddr, $dstaddr, $starting_localhost_port, $reflection_rules);
-                        $nat_if_list = array($natif);
-                        foreach ($reflection_rules as $txtline) {
-                            fwrite($inetd_fd, $txtline);
-                        }
-                    } elseif ($reflection_type == "purenat" || isset($rule['nordr'])) {
+                $nat_if_list = array();
+                if ($rule['natreflection'] != "disable" && $dstaddr_port[0] != "0.0.0.0" && !is_ipaddrv6($target)) {
+                    $nat_if_list = filter_get_reflection_interfaces($FilterIflist, $natif);
+                    if (!empty($nat_if_list)) {
+                        if (in_array($rule['natreflection'], array("purenat", "enable")) || !isset($config['system']['disablenatreflection'])) {
                            $rdr_if_list = implode(" ", $nat_if_list);
                            if (count($nat_if_list) > 1) {
                                $rdr_if_list = "{ {$rdr_if_list} }";
@@ -2062,6 +1825,7 @@ function filter_nat_rules_generate(&$FilterIflist)
                            $nat_if_list = array_merge(array($natif), $nat_if_list);
                        }
                    }
+                }

                if (empty($nat_if_list)) {
                    $nat_if_list = array($natif);
@@ -2075,8 +1839,6 @@ function filter_nat_rules_generate(&$FilterIflist)
        }
    }

-    fclose($inetd_fd);
-
    $natrules .= "\n# UPnP\n";
    $natrules .= "rdr-anchor \"miniupnpd\"\n";

@@ -2084,12 +1846,6 @@ function filter_nat_rules_generate(&$FilterIflist)
        $natrules .= "\n# Reflection redirects and NAT for 1:1 mappings\n" . $reflection_txt;
    }

-    if (!isvalidpid('/var/run/inetd.pid')) {
-        mwexec("/usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd.conf");
-    } else {
-        killbypid('/var/run/inetd.pid', 'HUP');
-    }
-
    return $natrules;
 }


--- a/src/www/firewall_nat_edit.php
+++ b/src/www/firewall_nat_edit.php
@@ -312,7 +312,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
            $natent['associated-rule-id'] = "pass";
        }

-        if ($pconfig['natreflection'] == "enable" || $pconfig['natreflection'] == "purenat" || $pconfig['natreflection'] == "disable") {
+        if ($pconfig['natreflection'] == "purenat" || $pconfig['natreflection'] == "disable") {
            $natent['natreflection'] = $pconfig['natreflection'];
        }

@@ -968,7 +968,6 @@ $( document ).ready(function() {
                  <td>
                    <select name="natreflection" class="selectpicker">
                    <option value="default" <?=$pconfig['natreflection'] != "enable" && $pconfig['natreflection'] != "purenat" && $pconfig['natreflection'] != "disable" ? "selected=\"selected\"" : ""; ?>><?=gettext("Use system default"); ?></option>
-                    <option value="enable" <?=$pconfig['natreflection'] == "enable" ? "selected=\"selected\"" : ""; ?>><?=gettext("Enable (NAT + Proxy)"); ?></option>
                    <option value="purenat" <?=$pconfig['natreflection'] == "purenat" ? "selected=\"selected\"" : ""; ?>><?=gettext("Enable (Pure NAT)"); ?></option>
                    <option value="disable" <?=$pconfig['natreflection'] == "disable" ? "selected=\"selected\"" : ""; ?>><?=gettext("Disable"); ?></option>
                    </select>

--- a/src/www/system_advanced_firewall.php
+++ b/src/www/system_advanced_firewall.php
@@ -61,9 +61,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    $pconfig['skip_rules_gw_down'] = isset($config['system']['skip_rules_gw_down']);
    $pconfig['lb_use_sticky'] = isset($config['system']['lb_use_sticky']);
    $pconfig['srctrack'] = !empty($config['system']['srctrack']) ? $config['system']['srctrack'] : null;
-    if (!isset($config['system']['disablenatreflection']) && !isset($config['system']['enablenatreflectionpurenat'])) {
-        $pconfig['natreflection'] = "proxy";
-    } elseif (isset($config['system']['enablenatreflectionpurenat'])) {
+    if (!isset($config['system']['disablenatreflection'])) {
        $pconfig['natreflection'] = "purenat";
    } else {
        $pconfig['natreflection'] = "disable";
@@ -162,17 +160,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
            unset($config['system']['checkaliasesurlcert']);
        }

-        if ($pconfig['natreflection'] == "proxy") {
+        if ($pconfig['natreflection'] == "purenat") {
+            if (isset($config['system']['disablenatreflection'])) {
                unset($config['system']['disablenatreflection']);
-            unset($config['system']['enablenatreflectionpurenat']);
-        } elseif ($pconfig['natreflection'] == "purenat") {
-            unset($config['system']['disablenatreflection']);
-            $config['system']['enablenatreflectionpurenat'] = "yes";
+            }
        } else {
            $config['system']['disablenatreflection'] = "yes";
-            if (isset($config['system']['enablenatreflectionpurenat'])) {
-                unset($config['system']['enablenatreflectionpurenat']);
-            }
        }

        if (!empty($pconfig['enablebinatreflection'])) {
@@ -305,9 +298,6 @@ include("head.inc");
                      <option value="disable" <?=$pconfig['natreflection'] == "disable" ? "selected=\"selected\"" : "";?>>
                        <?=gettext("Disable"); ?>
                      </option>
-                      <option value="proxy" <?=$pconfig['natreflection'] == "proxy" ? "selected=\"selected\"" : "";?>>
-                        <?=gettext("Enable (NAT + Proxy)"); ?>
-                      </option>
                      <option value="purenat" <?=$pconfig['natreflection'] == "purenat" ? "selected=\"selected\"" : "";?>>
                        <?=gettext("Enable (Pure NAT)"); ?>
                      </option>