Commit 852657c7 authored by Franco Fichtner's avatar Franco Fichtner

firewall: support tag/tagged for manual outbound NAT; closes #1586

parent 7a78cc99
...@@ -1387,7 +1387,7 @@ function filter_nat_rules_outbound_automatic(&$FilterIflist, $src) ...@@ -1387,7 +1387,7 @@ function filter_nat_rules_outbound_automatic(&$FilterIflist, $src)
} }
/* Generate a 'nat on' or 'no nat on' rule for given interface */ /* Generate a 'nat on' or 'no nat on' rule for given interface */
function filter_nat_rules_generate_if(&$FilterIflist, $if, $src = "any", $srcport = "", $dst = "any", $dstport = "", $natip = "", $natport = "", $nonat = false, $staticnatport = false, $proto = "", $poolopts = "", $log = false, $ipproto = "inet") function filter_nat_rules_generate_if(&$FilterIflist, $if, $src = "any", $srcport = "", $dst = "any", $dstport = "", $natip = "", $natport = "", $nonat = false, $staticnatport = false, $proto = "", $poolopts = "", $log = false, $ipproto = "inet", $tag = '', $tagged = '')
{ {
global $config; global $config;
...@@ -1473,6 +1473,14 @@ function filter_nat_rules_generate_if(&$FilterIflist, $if, $src = "any", $srcpor ...@@ -1473,6 +1473,14 @@ function filter_nat_rules_generate_if(&$FilterIflist, $if, $src = "any", $srcpor
} elseif (!$natport) { } elseif (!$natport) {
$tgt .= " port 1024:65535"; // set source port range $tgt .= " port 1024:65535"; // set source port range
} }
/* set and get tag handling */
$tagging = '';
if (!empty($tag)) {
$tagging .= " tag {$tag}";
}
if (!empty($tagged)) {
$tagging .= " tagged {$tagged}";
}
/* Allow for negating NAT entries */ /* Allow for negating NAT entries */
if ($nonat) { if ($nonat) {
$nat = "no nat"; $nat = "no nat";
...@@ -1486,7 +1494,7 @@ function filter_nat_rules_generate_if(&$FilterIflist, $if, $src = "any", $srcpor ...@@ -1486,7 +1494,7 @@ function filter_nat_rules_generate_if(&$FilterIflist, $if, $src = "any", $srcpor
$if_friendly = $FilterIflist[$if]['descr']; $if_friendly = $FilterIflist[$if]['descr'];
/* Put all the pieces together */ /* Put all the pieces together */
if ($if_friendly) { if ($if_friendly) {
$natrule = "{$nat} {$logtag} on \${$if_friendly}{$ipprotocol}{$protocol} from {$src} to {$dst} {$target} {$poolopts} {$staticnatport_txt}\n"; $natrule = "{$nat} {$logtag} on \${$if_friendly}{$ipprotocol}{$protocol} from {$src} to {$dst}${tagging} {$target} {$poolopts} {$staticnatport_txt}\n";
} else { } else {
$natrule .= "# Could not convert {$if} to friendly name(alias)\n"; $natrule .= "# Could not convert {$if} to friendly name(alias)\n";
} }
...@@ -1686,7 +1694,7 @@ function filter_nat_rules_generate(&$FilterIflist) ...@@ -1686,7 +1694,7 @@ function filter_nat_rules_generate(&$FilterIflist)
$obtarget = ($obent['target'] == "other-subnet") ? $obent['targetip'] . '/' . $obent['targetip_subnet']: $obent['target']; $obtarget = ($obent['target'] == "other-subnet") ? $obent['targetip'] . '/' . $obent['targetip_subnet']: $obent['target'];
$poolopts = (is_subnet($obtarget) || is_alias($obtarget)) ? $obent['poolopts'] : ""; $poolopts = (is_subnet($obtarget) || is_alias($obtarget)) ? $obent['poolopts'] : "";
$natrules .= filter_nat_rules_generate_if ( $natrules .= filter_nat_rules_generate_if(
$FilterIflist, $FilterIflist,
$obent['interface'], $obent['interface'],
$src, $src,
...@@ -1700,7 +1708,9 @@ function filter_nat_rules_generate(&$FilterIflist) ...@@ -1700,7 +1708,9 @@ function filter_nat_rules_generate(&$FilterIflist)
$obent['protocol'], $obent['protocol'],
$poolopts, $poolopts,
isset($obent['log']), isset($obent['log']),
$obent['ipprotocol'] $obent['ipprotocol'],
$obent['tag'],
$obent['tagged']
); );
} }
} }
...@@ -1731,7 +1741,7 @@ function filter_nat_rules_generate(&$FilterIflist) ...@@ -1731,7 +1741,7 @@ function filter_nat_rules_generate(&$FilterIflist)
$a_outs = filter_nat_rules_outbound_automatic($FilterIflist, $macroortable); $a_outs = filter_nat_rules_outbound_automatic($FilterIflist, $macroortable);
foreach ($a_outs as $a_out) { foreach ($a_outs as $a_out) {
$natrules .= filter_nat_rules_generate_if ( $natrules .= filter_nat_rules_generate_if(
$FilterIflist, $FilterIflist,
$a_out['interface'], $a_out['interface'],
$a_out['source']['network'], $a_out['source']['network'],
......
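Review bot: The new arguments `$obent['tag']` and `$obent['tagged']` in the manual-rule loop (hunk at -1700) read keys that outbound NAT entries saved before this commit do not have, so a filter reload on an existing config will emit undefined-index notices for every such rule; pass `isset($obent['tag']) ? $obent['tag'] : ''` and `isset($obent['tagged']) ? $obent['tagged'] : ''` instead, matching the `''` defaults the new parameters declare. In the rule assembly (hunk at -1486) the interpolation is written `${tagging}` while every other placeholder on that line uses `{$...}`; `{$tagging}` keeps the line uniform and avoids the `${}` form that later PHP releases deprecate. Because `$tagging` is appended to the pf rule unquoted, the function trusts its callers to hand it a single valid tag token, and a comment such as `/* tag/tagged are emitted verbatim into the ruleset; callers must validate them */` above the new block would make that contract explicit. Both `filter_nat_rules_generate_if` and `filter_nat_rules_generate` extend beyond the hunks shown.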
...@@ -106,7 +106,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -106,7 +106,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
// load data from config // load data from config
foreach (array('protocol','sourceport','dstport','natport','target','targetip' foreach (array('protocol','sourceport','dstport','natport','target','targetip'
,'targetip_subnet','poolopts','interface','descr','nonat','log' ,'targetip_subnet','poolopts','interface','descr','nonat','log'
,'disabled','staticnatport','nosync','ipprotocol') as $fieldname) { ,'disabled','staticnatport','nosync','ipprotocol','tag','tagged') as $fieldname) {
if (isset($a_out[$configId][$fieldname])) { if (isset($a_out[$configId][$fieldname])) {
$pconfig[$fieldname] = $a_out[$configId][$fieldname]; $pconfig[$fieldname] = $a_out[$configId][$fieldname];
} }
...@@ -126,9 +126,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -126,9 +126,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
} }
// initialize unused elements // initialize unused elements
foreach (array('protocol','sourceport','dstport','natport','target','targetip' foreach (array('protocol','sourceport','dstport','natport','target','targetip',
,'targetip_subnet','poolopts','interface','descr','nonat' 'targetip_subnet','poolopts','interface','descr','nonat','tag','tagged',
,'disabled','staticnatport','nosync','source','source_subnet','ipprotocol') as $fieldname) { 'disabled','staticnatport','nosync','source','source_subnet','ipprotocol') as $fieldname) {
if (!isset($pconfig[$fieldname])) { if (!isset($pconfig[$fieldname])) {
$pconfig[$fieldname] = null; $pconfig[$fieldname] = null;
} }
...@@ -209,6 +209,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -209,6 +209,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$natent['destination'] = array(); $natent['destination'] = array();
$natent['descr'] = $pconfig['descr']; $natent['descr'] = $pconfig['descr'];
$natent['interface'] = $pconfig['interface']; $natent['interface'] = $pconfig['interface'];
$natent['tag'] = $pconfig['tag'];
$natent['tagged'] = $pconfig['tagged'];
$natent['poolopts'] = $pconfig['poolopts']; $natent['poolopts'] = $pconfig['poolopts'];
$natent['ipprotocol'] = $pconfig['ipprotocol']; $natent['ipprotocol'] = $pconfig['ipprotocol'];
...@@ -671,6 +673,21 @@ include("head.inc"); ...@@ -671,6 +673,21 @@ include("head.inc");
</div> </div>
</td> </td>
</tr> </tr>
<tr>
<td><a id="help_for_natport" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Translation") . " / " .gettext("port:");?></td>
<td>
<input name="natport" type="text" value="<?=$pconfig['natport'];?>" />
<div class="hidden" for="help_for_natport">
<?=gettext("Enter the source port for the outbound NAT mapping.");?>
</div>
</td>
</tr>
<tr>
<td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Static-port:");?></td>
<td>
<input name="staticnatport" type="checkbox" <?=!empty($pconfig['staticnatport']) ? " checked=\"checked\"" : "";?> >
</td>
</tr>
<tr> <tr>
<td><a id="help_for_poolopts" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Pool Options:");?></td> <td><a id="help_for_poolopts" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Pool Options:");?></td>
<td> <td>
...@@ -708,18 +725,21 @@ include("head.inc"); ...@@ -708,18 +725,21 @@ include("head.inc");
</td> </td>
</tr> </tr>
<tr> <tr>
<td><a id="help_for_natport" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Translation") . " / " .gettext("port:");?></td> <td><a id="help_for_tag" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Set local tag"); ?></td>
<td> <td>
<input name="natport" type="text" value="<?=$pconfig['natport'];?>" /> <input name="tag" type="text" value="<?=$pconfig['tag'];?>" />
<div class="hidden" for="help_for_natport"> <div class="hidden" for="help_for_tag">
<?=gettext("Enter the source port for the outbound NAT mapping.");?> <?= gettext("You can mark a packet matching this rule and use this mark to match on other NAT/filter rules.") ?>
</div> </div>
</td> </td>
</tr> </tr>
<tr> <tr>
<td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Static-port:");?></td> <td><a id="help_for_tagged" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Match local tag"); ?> </td>
<td> <td>
<input name="staticnatport" type="checkbox" <?=!empty($pconfig['staticnatport']) ? " checked=\"checked\"" : "";?> > <input name="tagged" type="text" value="<?=$pconfig['tagged'];?>" />
<div class="hidden" for="help_for_tagged">
<?=gettext("You can match packet on a mark placed before on another rule.")?>
</div>
</td> </td>
</tr> </tr>
<tr> <tr>
......
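Review bot: The POST path stores `$pconfig['tag']` and `$pconfig['tagged']` into the config unchanged (hunk at -209) and nothing in this commit validates them, yet filter.inc splices the values verbatim into the generated pf ruleset, so a value containing whitespace or pf syntax characters produces a rule that fails to load or does not match what the user configured. The page's input-validation block is outside these hunks; it should reject anything that is not a single plain token, e.g. `if (!empty($pconfig['tag']) && !preg_match('/^[a-zA-Z0-9_-]+$/', $pconfig['tag']))` (and the same for `tagged`), reported through the page's existing input-error handling, and a length cap is advisable since pf limits the size of tag names. Minor: the help text on the `tagged` row reads awkwardly; `You can match packets that were marked by an earlier rule.` is clearer.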