firewall: add tag/tagged to port forwarding for #1423

It's a bit funny that the help text indicates we can use tag/tagged with
NAT rules as well, because this was never implemented although it really
works.

src/etc/inc/filter.inc

@@ -1892,9 +1892,17 @@ function filter_nat_rules_generate(&$FilterIflist)
                 $localport_nat = " port " . $dstaddr_port[2];
             }
 
+            $tagging = '';
+            if (!empty($rule['tag'])) {
+                $tagging .= " tag {$rule['tag']}";
+            }
+            if (!empty($rule['tagged'])) {
+                $tagging .= " tagged {$rule['tagged']}";
+            }
+
             if ($srcaddr <> "" && $dstaddr <> "" && $natif) {
                 $protocol_keyword = !empty($protocol) ? "proto" : "";
-                $natrules .= "{$nordr}rdr {$rdrpass}on {$natif} {$address_family} {$protocol_keyword} {$protocol} from {$srcaddr} to {$dstaddr}" . ($nordr == "" ? " -> {$target}{$localport}" : "");
+                $natrules .= "{$nordr}rdr {$rdrpass}on {$natif} {$address_family} {$protocol_keyword} {$protocol} from {$srcaddr} to {$dstaddr}{$tagging}" . ($nordr == "" ? " -> {$target}{$localport}" : "");
                 /* Does this rule redirect back to a internal host? */
                 if (isset($rule['destination']['any']) && !isset($rule['nordr']) && !isset($config['system']['enablenatreflectionhelper'])) {
                     if ($address_family == 'inet6' && !interface_has_gatewayv6($rule['interface'])) {

src/www/firewall_nat_edit.php

@@ -62,8 +62,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
     $pconfig['local-port'] = 80;
     if (isset($configId)) {
         // copy 1-on-1
-        foreach (array('protocol','target','local-port','descr','interface','associated-rule-id','nosync'
-                      ,'natreflection','created','updated','ipprotocol') as $fieldname) {
+        foreach (array('protocol','target','local-port','descr','interface','associated-rule-id','nosync',
+                      'natreflection','created','updated','ipprotocol','tag','tagged') as $fieldname) {
             if (isset($a_nat[$configId][$fieldname])) {
                 $pconfig[$fieldname] = $a_nat[$configId][$fieldname];
             } else {
@@ -121,7 +121,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
         $pconfig['src'] = "any";
     }
     // init empty fields
-    foreach (array("dst","dstmask","srcmask","dstbeginport","dstendport","target","local-port","natreflection","descr","disabled","nosync", "ipprotocol") as $fieldname) {
+    foreach (array('dst','dstmask','srcmask','dstbeginport','dstendport','target','local-port','natreflection','descr','disabled','nosync','ipprotocol','tag','tagged') as $fieldname) {
         if (!isset($pconfig[$fieldname])) {
             $pconfig[$fieldname] = null;
         }
@@ -217,13 +217,15 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
         $natent['interface'] = $pconfig['interface'];
         $natent['ipprotocol'] = $pconfig['ipprotocol'];
         $natent['descr'] = $pconfig['descr'];
+        $natent['tag'] = $pconfig['tag'];
+        $natent['tagged'] = $pconfig['tagged'];
+
         if (!empty($pconfig['associated-rule-id'])) {
             $natent['associated-rule-id'] = $pconfig['associated-rule-id'];
         } else {
             $natent['associated-rule-id'] = null;
         }
 
-
         // form processing logic
         $natent['disabled'] = !empty($pconfig['disabled']) ? true:false;
         $natent['nordr'] = !empty($pconfig['nordr']) ? true:false;
@@ -914,6 +916,24 @@ $( document ).ready(function() {
                       <?=gettext("You may enter a description here " ."for your reference (not parsed)."); ?>
                     </div>
                 </tr>
+                <tr>
+                    <td><a id="help_for_tag" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a>  <?=gettext("Set local tag"); ?></td>
+                    <td>
+                      <input name="tag" type="text" value="<?=$pconfig['tag'];?>" />
+                      <div class="hidden" for="help_for_tag">
+                        <?= gettext("You can mark a packet matching this rule and use this mark to match on other NAT/filter rules.") ?>
+                      </div>
+                    </td>
+                </tr>
+                <tr>
+                    <td><a id="help_for_tagged" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Match local tag"); ?>   </td>
+                    <td>
+                      <input name="tagged" type="text" value="<?=$pconfig['tagged'];?>" />
+                      <div class="hidden" for="help_for_tagged">
+                        <?=gettext("You can match packet on a mark placed before on another rule.")?>
+                      </div>
+                    </td>
+                </tr>
                 <tr>
                   <td><a id="help_for_nosync" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a>  <?=gettext("No XMLRPC Sync"); ?></td>
                   <td>

src/www/firewall_rules_edit.php

@@ -1322,7 +1322,7 @@ include("head.inc");
                       <td>
                         <input name="tag" type="text" value="<?=$pconfig['tag'];?>" />
                         <div class="hidden" for="help_for_tag">
-                          <?= sprintf(gettext("You can mark a packet matching this rule and use this mark to match on other NAT/filter rules. It is called %sPolicy filtering%s."),'<b>','</b>') ?>
+                          <?= gettext("You can mark a packet matching this rule and use this mark to match on other NAT/filter rules.") ?>
                         </div>
                       </td>
                   </tr>