Commit 852657c7 authored by Franco Fichtner

firewall: support tag/tagged for manual outbound NAT; closes #1586

parent 7a78cc99
......@@ -1387,7 +1387,7 @@ function filter_nat_rules_outbound_automatic(&$FilterIflist, $src)
}
/* Generate a 'nat on' or 'no nat on' rule for given interface */
function filter_nat_rules_generate_if(&$FilterIflist, $if, $src = "any", $srcport = "", $dst = "any", $dstport = "", $natip = "", $natport = "", $nonat = false, $staticnatport = false, $proto = "", $poolopts = "", $log = false, $ipproto = "inet")
function filter_nat_rules_generate_if(&$FilterIflist, $if, $src = "any", $srcport = "", $dst = "any", $dstport = "", $natip = "", $natport = "", $nonat = false, $staticnatport = false, $proto = "", $poolopts = "", $log = false, $ipproto = "inet", $tag = '', $tagged = '')
{
global $config;
......@@ -1473,6 +1473,14 @@ function filter_nat_rules_generate_if(&$FilterIflist, $if, $src = "any", $srcpor
} elseif (!$natport) {
$tgt .= " port 1024:65535"; // set source port range
}
/* set and get tag handling */
$tagging = '';
if (!empty($tag)) {
$tagging .= " tag {$tag}";
}
if (!empty($tagged)) {
$tagging .= " tagged {$tagged}";
}
/* Allow for negating NAT entries */
if ($nonat) {
$nat = "no nat";
......@@ -1486,7 +1494,7 @@ function filter_nat_rules_generate_if(&$FilterIflist, $if, $src = "any", $srcpor
$if_friendly = $FilterIflist[$if]['descr'];
/* Put all the pieces together */
if ($if_friendly) {
$natrule = "{$nat} {$logtag} on \${$if_friendly}{$ipprotocol}{$protocol} from {$src} to {$dst} {$target} {$poolopts} {$staticnatport_txt}\n";
$natrule = "{$nat} {$logtag} on \${$if_friendly}{$ipprotocol}{$protocol} from {$src} to {$dst}${tagging} {$target} {$poolopts} {$staticnatport_txt}\n";
} else {
$natrule .= "# Could not convert {$if} to friendly name(alias)\n";
}
......@@ -1686,7 +1694,7 @@ function filter_nat_rules_generate(&$FilterIflist)
$obtarget = ($obent['target'] == "other-subnet") ? $obent['targetip'] . '/' . $obent['targetip_subnet']: $obent['target'];
$poolopts = (is_subnet($obtarget) || is_alias($obtarget)) ? $obent['poolopts'] : "";
$natrules .= filter_nat_rules_generate_if (
$natrules .= filter_nat_rules_generate_if(
$FilterIflist,
$obent['interface'],
$src,
......@@ -1700,7 +1708,9 @@ function filter_nat_rules_generate(&$FilterIflist)
$obent['protocol'],
$poolopts,
isset($obent['log']),
$obent['ipprotocol']
$obent['ipprotocol'],
$obent['tag'],
$obent['tagged']
);
}
}
......@@ -1731,7 +1741,7 @@ function filter_nat_rules_generate(&$FilterIflist)
$a_outs = filter_nat_rules_outbound_automatic($FilterIflist, $macroortable);
foreach ($a_outs as $a_out) {
$natrules .= filter_nat_rules_generate_if (
$natrules .= filter_nat_rules_generate_if(
$FilterIflist,
$a_out['interface'],
$a_out['source']['network'],
......
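Review bot: The new arguments `$obent['tag']` and `$obent['tagged']` in the filter_nat_rules_generate call are read without an isset guard, so outbound entries saved before this change (which presumably lack both keys) will emit an undefined-index notice on every ruleset generation unless a config migration backfills them; `isset($obent['tag']) ? $obent['tag'] : ''` and the same for `tagged` would preserve the defaults the signature already declares. In the rule assembly line, `{$dst}${tagging}` mixes the `${var}` interpolation form (deprecated as of PHP 8.2) with the `{$var}` form used everywhere else on that line; `{$dst}{$tagging}` is equivalent and consistent. The `!empty($tag)` / `!empty($tagged)` checks also silently drop a tag literally named `0`; `$tag !== ''` avoids that if such names are meant to be accepted. filter_nat_rules_generate_if and filter_nat_rules_generate both extend beyond these hunks.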
......@@ -106,7 +106,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
// load data from config
foreach (array('protocol','sourceport','dstport','natport','target','targetip'
,'targetip_subnet','poolopts','interface','descr','nonat','log'
,'disabled','staticnatport','nosync','ipprotocol') as $fieldname) {
,'disabled','staticnatport','nosync','ipprotocol','tag','tagged') as $fieldname) {
if (isset($a_out[$configId][$fieldname])) {
$pconfig[$fieldname] = $a_out[$configId][$fieldname];
}
......@@ -126,9 +126,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
}
// initialize unused elements
foreach (array('protocol','sourceport','dstport','natport','target','targetip'
,'targetip_subnet','poolopts','interface','descr','nonat'
,'disabled','staticnatport','nosync','source','source_subnet','ipprotocol') as $fieldname) {
foreach (array('protocol','sourceport','dstport','natport','target','targetip',
'targetip_subnet','poolopts','interface','descr','nonat','tag','tagged',
'disabled','staticnatport','nosync','source','source_subnet','ipprotocol') as $fieldname) {
if (!isset($pconfig[$fieldname])) {
$pconfig[$fieldname] = null;
}
......@@ -209,6 +209,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$natent['destination'] = array();
$natent['descr'] = $pconfig['descr'];
$natent['interface'] = $pconfig['interface'];
$natent['tag'] = $pconfig['tag'];
$natent['tagged'] = $pconfig['tagged'];
$natent['poolopts'] = $pconfig['poolopts'];
$natent['ipprotocol'] = $pconfig['ipprotocol'];
......@@ -671,6 +673,21 @@ include("head.inc");
</div>
</td>
</tr>
<tr>
<td><a id="help_for_natport" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Translation") . " / " .gettext("port:");?></td>
<td>
<input name="natport" type="text" value="<?=$pconfig['natport'];?>" />
<div class="hidden" for="help_for_natport">
<?=gettext("Enter the source port for the outbound NAT mapping.");?>
</div>
</td>
</tr>
<tr>
<td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Static-port:");?></td>
<td>
<input name="staticnatport" type="checkbox" <?=!empty($pconfig['staticnatport']) ? " checked=\"checked\"" : "";?> >
</td>
</tr>
<tr>
<td><a id="help_for_poolopts" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Pool Options:");?></td>
<td>
......@@ -708,19 +725,22 @@ include("head.inc");
</td>
</tr>
<tr>
<td><a id="help_for_natport" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Translation") . " / " .gettext("port:");?></td>
<td>
<input name="natport" type="text" value="<?=$pconfig['natport'];?>" />
<div class="hidden" for="help_for_natport">
<?=gettext("Enter the source port for the outbound NAT mapping.");?>
</div>
</td>
<td><a id="help_for_tag" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Set local tag"); ?></td>
<td>
<input name="tag" type="text" value="<?=$pconfig['tag'];?>" />
<div class="hidden" for="help_for_tag">
<?= gettext("You can mark a packet matching this rule and use this mark to match on other NAT/filter rules.") ?>
</div>
</td>
</tr>
<tr>
<td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Static-port:");?></td>
<td>
<input name="staticnatport" type="checkbox" <?=!empty($pconfig['staticnatport']) ? " checked=\"checked\"" : "";?> >
</td>
<td><a id="help_for_tagged" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Match local tag"); ?> </td>
<td>
<input name="tagged" type="text" value="<?=$pconfig['tagged'];?>" />
<div class="hidden" for="help_for_tagged">
<?=gettext("You can match packet on a mark placed before on another rule.")?>
</div>
</td>
</tr>
<tr>
<td><a id="help_for_nosync" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("No XMLRPC Sync"); ?></td>
......
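Review bot: The POST branch stores `$natent['tag'] = $pconfig['tag'];` and `$natent['tagged'] = $pconfig['tagged'];` with no validation visible in this diff, while filter.inc interpolates both values unquoted into the pf rule text (`tag {$tag}`), so a value containing whitespace or pf keywords would alter or break the generated ruleset at load time. Restricting both fields in the page's existing input validation to a single token, e.g. `preg_match('/^[a-zA-Z0-9_]+$/', $pconfig['tag'])`, would close that gap unless such a check already exists outside the hunk. The new inputs echo `value="<?=$pconfig['tag'];?>"` unescaped, following the neighbouring natport field; `htmlspecialchars($pconfig['tag'])` is the safer form for a value that is round-tripped from the request on a validation error. The help text `"You can match packet on a mark placed before on another rule."` reads awkwardly; `"Match packets carrying a mark set by another rule."` says the same thing.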