firewall: consolidate anti-lockout behaviour; closes #1304

Assume LAN unless we only have one interface and that is WAN. If LAN is not there, no problem: the text will either show WAN if it works or show LAN and do nothing. We could argue that 1 interface that is not WAN or LAN is possible and should receive anti-lockout too, but this would change the previous behaviour too much and is not generally possible from the GUI or console.

firewall: consolidate anti-lockout behaviour; closes #1304
Assume LAN unless we only have one interface and that is WAN. If LAN is not there, no problem: the text will either show WAN if it works or show LAN and do nothing. We could argue that 1 interface that is not WAN or LAN is possible and should receive anti-lockout too, but this would change the previous behaviour too much and is not generally possible from the GUI or console.
7097b1d0 · Franco Fichtner · 6e260ef5 · 7097b1d0 · 7097b1d0 · 7097b1d0
Commit 7097b1d0 authored Dec 20, 2016 by Franco Fichtner
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 8 deletions

filter.inc src/etc/inc/filter.inc +5 -5

filter.lib.inc src/etc/inc/filter.lib.inc +2 -2

system_advanced_admin.php src/www/system_advanced_admin.php +2 -1

No files found.
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -1778,12 +1778,12 @@ function filter_nat_rules_generate(&$FilterIflist)
    }

    // prevent redirection on ports with "lock out" protection
-    if (!isset($config['system']['webgui']['noantilockout'])) {
-        $alports = implode(" ", filter_core_antilockout_ports());
-        if ( !empty($FilterIflist['lan']['if']) ) {
+    $lockoutprts = filter_core_antilockout_ports();
+    if (count($lockoutprts) > 0) {
+        $alports = implode(' ', $lockoutprts);
+        if (!empty($FilterIflist['lan']['if']) ) {
            $alintrf = $FilterIflist['lan']['if'];
-        } elseif ( !empty($FilterIflist['wan']['if']) ) {
-            // single-interface deployment, add to WAN
+        } elseif (count($config['interfaces']) == 1 && !empty($FilterIflist['wan']['if']) ) {
            $alintrf = $FilterIflist['wan']['if'];
        } else {
            $alintrf = null;

--- a/src/etc/inc/filter.lib.inc
+++ b/src/etc/inc/filter.lib.inc
@@ -325,9 +325,9 @@ function filter_core_rules_system($fw, $defaults)
    $lockoutprts = filter_core_antilockout_ports();
    if (count($lockoutprts) > 0) {
        $lockoutif = null;
-        if (count($config['interfaces']) > 1 && !empty($config['interfaces']['lan']['if'])) {
+        if (!empty($config['interfaces']['lan']['if'])) {
            $lockoutif = 'lan';
-        } elseif (count($config['interfaces']) == 1  && !empty($config['interfaces']['wan']['if'])) {
+        } elseif (count($config['interfaces']) == 1 && !empty($config['interfaces']['wan']['if'])) {
            $lockoutif = 'wan';
        }
        if (!empty($lockoutif)) {

--- a/src/www/system_advanced_admin.php
+++ b/src/www/system_advanced_admin.php
@@ -417,7 +417,8 @@ include("head.inc");
                                          "rule set. Check this box to disable this automatically added rule, so access " .
                                          "to the web GUI is controlled by the user-defined firewall rules " .
                                          "(ensure you have a firewall rule in place that allows you in, or you will " .
-                                          "lock yourself out!)"), (empty($config['interfaces']['lan']) ? gettext("WAN") : gettext("LAN"))); ?>
+                                          "lock yourself out!)"), count($config['interfaces']) == 1 && !empty($config['interfaces']['wan']['if'] ?
+                                          gettext("WAN") : gettext("LAN"))); ?>
                      <em><?= gettext('Hint: the "Set interface(s) IP address" option in the console menu resets this setting as well.'); ?></em>
                    </div>
                  </td>