Commit 729ae9da authored by Franco Fichtner's avatar Franco Fichtner

firwall: output nat logging; closes #916

(cherry picked from commit 71f7d3c2)
(cherry picked from commit 6e0b70a8)
parent 58189a6a
...@@ -1317,7 +1317,7 @@ function filter_nat_rules_outbound_automatic(&$FilterIflist, $src) ...@@ -1317,7 +1317,7 @@ function filter_nat_rules_outbound_automatic(&$FilterIflist, $src)
} }
/* Generate a 'nat on' or 'no nat on' rule for given interface */ /* Generate a 'nat on' or 'no nat on' rule for given interface */
function filter_nat_rules_generate_if(&$FilterIflist, $if, $src = "any", $srcport = "", $dst = "any", $dstport = "", $natip = "", $natport = "", $nonat = false, $staticnatport = false, $proto = "", $poolopts = "") function filter_nat_rules_generate_if(&$FilterIflist, $if, $src = "any", $srcport = "", $dst = "any", $dstport = "", $natip = "", $natport = "", $nonat = false, $staticnatport = false, $proto = "", $poolopts = "", $log = false)
{ {
global $config; global $config;
...@@ -1339,6 +1339,10 @@ function filter_nat_rules_generate_if(&$FilterIflist, $if, $src = "any", $srcpor ...@@ -1339,6 +1339,10 @@ function filter_nat_rules_generate_if(&$FilterIflist, $if, $src = "any", $srcpor
$tgt = "(" . $FilterIflist[$if]['if'] . ")"; $tgt = "(" . $FilterIflist[$if]['if'] . ")";
} }
} }
$logtag = '';
if ($log) {
$logtag = 'log';
}
/* Add the protocol, if defined */ /* Add the protocol, if defined */
if (!empty($proto) && $proto != "any") { if (!empty($proto) && $proto != "any") {
if ($proto == "tcp/udp") { if ($proto == "tcp/udp") {
...@@ -1397,7 +1401,7 @@ function filter_nat_rules_generate_if(&$FilterIflist, $if, $src = "any", $srcpor ...@@ -1397,7 +1401,7 @@ function filter_nat_rules_generate_if(&$FilterIflist, $if, $src = "any", $srcpor
$if_friendly = $FilterIflist[$if]['descr']; $if_friendly = $FilterIflist[$if]['descr'];
/* Put all the pieces together */ /* Put all the pieces together */
if ($if_friendly) { if ($if_friendly) {
$natrule = "{$nat} on \${$if_friendly} {$protocol} from {$src} to {$dst} {$target} {$poolopts} {$staticnatport_txt}\n"; $natrule = "{$nat} {$logtag} on \${$if_friendly} {$protocol} from {$src} to {$dst} {$target} {$poolopts} {$staticnatport_txt}\n";
} else { } else {
$natrule .= "# Could not convert {$if} to friendly name(alias)\n"; $natrule .= "# Could not convert {$if} to friendly name(alias)\n";
} }
...@@ -1612,7 +1616,8 @@ function filter_nat_rules_generate(&$FilterIflist) ...@@ -1612,7 +1616,8 @@ function filter_nat_rules_generate(&$FilterIflist)
isset($obent['nonat']), isset($obent['nonat']),
isset($obent['staticnatport']), isset($obent['staticnatport']),
$obent['protocol'], $obent['protocol'],
$poolopts $poolopts,
isset($obent['log'])
); );
} }
} }
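Review bot: `isset($obent['log'])` in the call inside filter_nat_rules_generate() is true for any key that is present, including an empty string or "0", while the edit page in this same commit decides the checkbox with `!empty($pconfig['log'])`. If a hand-edited, imported or synced configuration ever carries such a value, the generated rule would log while the GUI shows logging as off; `!empty($obent['log'])` at the call site would keep the two in agreement. The neighbouring `nonat` and `staticnatport` arguments use the same isset() pattern, so this may be deliberate for consistency. The one-line comment above filter_nat_rules_generate_if() could also mention the new flag, e.g. `/* Generate a 'nat on' or 'no nat on' rule for given interface; $log adds pf's 'log' keyword */`. Both functions start and end outside the visible hunks.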
......
...@@ -105,7 +105,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -105,7 +105,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
if (isset($configId)) { if (isset($configId)) {
// load data from config // load data from config
foreach (array('protocol','sourceport','dstport','natport','target','targetip' foreach (array('protocol','sourceport','dstport','natport','target','targetip'
,'targetip_subnet','poolopts','interface','descr','nonat' ,'targetip_subnet','poolopts','interface','descr','nonat','log'
,'disabled','staticnatport','nosync','ipprotocol') as $fieldname) { ,'disabled','staticnatport','nosync','ipprotocol') as $fieldname) {
if (isset($a_out[$configId][$fieldname])) { if (isset($a_out[$configId][$fieldname])) {
$pconfig[$fieldname] = $a_out[$configId][$fieldname]; $pconfig[$fieldname] = $a_out[$configId][$fieldname];
...@@ -211,7 +211,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -211,7 +211,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$natent['poolopts'] = $pconfig['poolopts']; $natent['poolopts'] = $pconfig['poolopts'];
$natent['ipprotocol'] = $pconfig['ipprotocol']; $natent['ipprotocol'] = $pconfig['ipprotocol'];
if ( isset($a_out[$id]['created']) && is_array($a_out[$id]['created']) ){ if (isset($a_out[$id]['created']) && is_array($a_out[$id]['created']) ){
$natent['created'] = $a_out[$id]['created']; $natent['created'] = $a_out[$id]['created'];
} }
...@@ -287,6 +287,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -287,6 +287,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
if(!empty($pconfig['nonat'])) { if(!empty($pconfig['nonat'])) {
$natent['nonat'] = true; $natent['nonat'] = true;
} }
if (!empty($pconfig['log'])) {
$natent['log'] = true;
}
if(isset($pconfig['nosync'] ) && $pconfig['nosync'] == "yes") { if(isset($pconfig['nosync'] ) && $pconfig['nosync'] == "yes") {
$natent['nosync'] = true; $natent['nosync'] = true;
...@@ -395,8 +398,8 @@ include("head.inc"); ...@@ -395,8 +398,8 @@ include("head.inc");
<td><a id="help_for_disabled" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Disabled"); ?></td> <td><a id="help_for_disabled" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Disabled"); ?></td>
<td> <td>
<input name="disabled" type="checkbox" id="disabled" value="yes" <?= !empty($pconfig['disabled']) ? "checked=\"checked\"" : ""; ?> /> <input name="disabled" type="checkbox" id="disabled" value="yes" <?= !empty($pconfig['disabled']) ? "checked=\"checked\"" : ""; ?> />
<strong><?=gettext("Disable this rule"); ?></strong>
<div class="hidden" for="help_for_disabled"> <div class="hidden" for="help_for_disabled">
<strong><?=gettext("Disable this rule"); ?></strong><br />
<?=gettext("Set this option to disable this rule without removing it from the list."); ?> <?=gettext("Set this option to disable this rule without removing it from the list."); ?>
</div> </div>
</td> </td>
...@@ -604,6 +607,16 @@ include("head.inc"); ...@@ -604,6 +607,16 @@ include("head.inc");
</div> </div>
</td> </td>
</tr> </tr>
<tr>
<td><a id="help_for_log" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Log");?></td>
<td>
<input name="log" type="checkbox" id="log" value="yes" <?= !empty($pconfig['log']) ? "checked=\"checked\"" : ""; ?> />
<strong><?=gettext("Log packets that are handled by this rule");?></strong>
<div class="hidden" for="help_for_log">
<?=sprintf(gettext("Hint: the firewall has limited local log space. Don't turn on logging for everything. If you want to do a lot of logging, consider using a %sremote syslog server%s."),'<a href="diag_logs_settings.php">','</a>') ?>
</div>
</td>
</tr>
<tr> <tr>
<td><a id="help_for_poolopts" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Pool Options:");?></td> <td><a id="help_for_poolopts" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Pool Options:");?></td>
<td> <td>
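Review bot: The new label `Log packets that are handled by this rule` may overstate what an operator gets, because the generator emits pf's plain `log` keyword, which to my knowledge records only the packet that creates the state rather than every translated packet. Anyone relying on these entries for incident investigation should be told that in the help text; I would add a sentence to the `help_for_log` div such as `<?=gettext("Only the packet that creates the state is logged."); ?>`. The wording is copied from the filter rule page changed later in this commit, so the same caveat applies there.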
......
...@@ -650,8 +650,8 @@ include("head.inc"); ...@@ -650,8 +650,8 @@ include("head.inc");
<td><a id="help_for_disabled" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Disabled"); ?></td> <td><a id="help_for_disabled" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Disabled"); ?></td>
<td> <td>
<input name="disabled" type="checkbox" id="disabled" value="yes" <?= !empty($pconfig['disabled']) ? "checked=\"checked\"" : ""; ?> /> <input name="disabled" type="checkbox" id="disabled" value="yes" <?= !empty($pconfig['disabled']) ? "checked=\"checked\"" : ""; ?> />
<strong><?=gettext("Disable this rule"); ?></strong>
<div class="hidden" for="help_for_disabled"> <div class="hidden" for="help_for_disabled">
<strong><?=gettext("Disable this rule"); ?></strong><br />
<?=gettext("Set this option to disable this rule without removing it from the list."); ?> <?=gettext("Set this option to disable this rule without removing it from the list."); ?>
</div> </div>
</td> </td>
...@@ -663,8 +663,8 @@ include("head.inc"); ...@@ -663,8 +663,8 @@ include("head.inc");
</td> </td>
<td> <td>
<input name="quick" type="checkbox" id="quick" value="yes" <?php if ($pconfig['quick']) echo "checked=\"checked\""; ?> /> <input name="quick" type="checkbox" id="quick" value="yes" <?php if ($pconfig['quick']) echo "checked=\"checked\""; ?> />
<strong><?=gettext("Apply the action immediately on match.");?></strong>
<div class="hidden" for="help_for_quick"> <div class="hidden" for="help_for_quick">
<strong><?=gettext("Apply the action immediately on match.");?></strong><br />
<?=gettext("Set this option if you need to apply this action to traffic that matches this rule immediately.");?> <?=gettext("Set this option if you need to apply this action to traffic that matches this rule immediately.");?>
</div> </div>
</td> </td>
...@@ -1069,9 +1069,8 @@ include("head.inc"); ...@@ -1069,9 +1069,8 @@ include("head.inc");
<td><a id="help_for_log" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Log");?></td> <td><a id="help_for_log" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Log");?></td>
<td> <td>
<input name="log" type="checkbox" id="log" value="yes" <?= !empty($pconfig['log']) ? "checked=\"checked\"" : ""; ?> /> <input name="log" type="checkbox" id="log" value="yes" <?= !empty($pconfig['log']) ? "checked=\"checked\"" : ""; ?> />
<strong><?=gettext("Log packets that are handled by this rule");?></strong>
<div class="hidden" for="help_for_log"> <div class="hidden" for="help_for_log">
<strong><?=gettext("Log packets that are handled by this rule");?></strong>
<br />
<?=sprintf(gettext("Hint: the firewall has limited local log space. Don't turn on logging for everything. If you want to do a lot of logging, consider using a %sremote syslog server%s."),'<a href="diag_logs_settings.php">','</a>') ?> <?=sprintf(gettext("Hint: the firewall has limited local log space. Don't turn on logging for everything. If you want to do a lot of logging, consider using a %sremote syslog server%s."),'<a href="diag_logs_settings.php">','</a>') ?>
</div> </div>
</td> </td>
......