Commit d57dbf5a authored by Ad Schellevis's avatar Ad Schellevis

ipsec, cleanup non-functional nat before ipsec logic and ui for 17.7. In case...

ipsec, cleanup non-functional nat before ipsec logic and ui for 17.7. In case the feature will reemerge at some point, it would be better to move it to the firewall section anyway. for reference about this long standing issue see https://github.com/opnsense/core/issues/440
parent c5f11e99
...@@ -1591,66 +1591,6 @@ function filter_nat_rules_generate(&$FilterIflist) ...@@ -1591,66 +1591,6 @@ function filter_nat_rules_generate(&$FilterIflist)
} }
} }
/* ipsec nat */
if (isset($config['ipsec']['enable'])) {
if (isset($config['ipsec']['phase2'])) {
foreach ($config['ipsec']['phase2'] as $ph2ent) {
if ($ph2ent['mode'] != 'transport' && !empty($ph2ent['natlocalid']) && !isset($ph2ent['disabled'])) {
if (!is_array($ph2ent['localid'])) {
$ph2ent['localid'] = array();
}
$ph2ent['localid']['mode'] = $ph2ent['mode'];
$local_subnet = ipsec_idinfo_to_cidr($ph2ent['localid']);
if (empty($local_subnet) || $local_subnet == "0.0.0.0/0") {
continue;
} elseif (!is_subnet($local_subnet) && !is_ipaddr($local_subnet)) {
continue;
}
if (!is_array($ph2ent['natlocalid'])) {
$ph2ent['natlocalid'] = array();
}
$ph2ent['natlocalid']['mode'] = $ph2ent['mode'];
$natlocal_subnet = ipsec_idinfo_to_cidr($ph2ent['natlocalid']);
if (empty($natlocal_subnet) || $natlocal_subnet == "0.0.0.0/0") {
continue;
} elseif (!is_subnet($natlocal_subnet) && !is_ipaddr($natlocal_subnet)) {
continue;
}
if (!is_array($ph2ent['remoteid'])) {
$ph2ent['remoteid'] = array();
}
$ph2ent['remoteid']['mode'] = $ph2ent['mode'];
$remote_subnet = ipsec_idinfo_to_cidr($ph2ent['remoteid']);
if (empty($remote_subnet)) {
continue;
} elseif (!is_subnet($remote_subnet) && !is_ipaddr($remote_subnet)) {
continue;
}
if ($remote_subnet == "0.0.0.0/0") {
$remote_subnet = "any";
}
/* Try to enforce a specific NAT type or choose automatically. */
switch(isset($ph2ent['natlocalid']['nattype']) ? $ph2ent['natlocalid']['nattype'] : null) {
case "binat":
$nattype = "binat";
break;
case "nat":
$nattype = "nat";
break;
default:
if (is_ipaddr($natlocal_subnet) && !is_ipaddr($local_subnet)) {
$nattype = "nat";
} else {
$nattype = "binat";
}
break;
}
$natrules .= "{$nattype} on enc0 from {$local_subnet} to {$remote_subnet} -> {$natlocal_subnet}\n";
}
}
}
}
if (isset($config['nat']['outbound']['mode']) && $config['nat']['outbound']['mode'] == "disabled") { if (isset($config['nat']['outbound']['mode']) && $config['nat']['outbound']['mode'] == "disabled") {
$natrules .= "\n# Outbound NAT rules are disabled\n"; $natrules .= "\n# Outbound NAT rules are disabled\n";
} }
......
...@@ -969,7 +969,6 @@ EOD; ...@@ -969,7 +969,6 @@ EOD;
chmod("/usr/local/etc/ipsec.secrets", 0600); chmod("/usr/local/etc/ipsec.secrets", 0600);
unset($pskconf); unset($pskconf);
$natfilterrules = false;
/* begin ipsec.conf */ /* begin ipsec.conf */
$ipsecconf = ""; $ipsecconf = "";
if (count($a_phase1)) { if (count($a_phase1)) {
...@@ -1158,9 +1157,6 @@ EOD; ...@@ -1158,9 +1157,6 @@ EOD;
log_error("Invalid IPsec Phase 2 \"{$ph2ent['descr']}\" - {$ph2ent['localid']['type']} has no subnet."); log_error("Invalid IPsec Phase 2 \"{$ph2ent['descr']}\" - {$ph2ent['localid']['type']} has no subnet.");
continue; continue;
} }
if (!empty($ph2ent['natlocalid'])) {
$natfilterrules = true;
}
} }
$leftsubnet_spec[] = $leftsubnet_data; $leftsubnet_spec[] = $leftsubnet_data;
...@@ -1409,10 +1405,6 @@ EOD; ...@@ -1409,10 +1405,6 @@ EOD;
mwexec("/usr/local/sbin/ipsec start", false); mwexec("/usr/local/sbin/ipsec start", false);
} }
if ($natfilterrules == true) {
filter_configure();
}
/* start filterdns, if necessary */ /* start filterdns, if necessary */
if (count($filterdns_list) > 0) { if (count($filterdns_list) > 0) {
$interval = 60; $interval = 60;
......
...@@ -80,21 +80,12 @@ function pconfig_to_idinfo($prefix, $pconfig) ...@@ -80,21 +80,12 @@ function pconfig_to_idinfo($prefix, $pconfig)
$type = isset($pconfig[$prefix."id_type"]) ? $pconfig[$prefix."id_type"] : null; $type = isset($pconfig[$prefix."id_type"]) ? $pconfig[$prefix."id_type"] : null;
$address = isset($pconfig[$prefix."id_address"]) ? $pconfig[$prefix."id_address"] : null; $address = isset($pconfig[$prefix."id_address"]) ? $pconfig[$prefix."id_address"] : null;
$netbits = isset($pconfig[$prefix."id_netbits"]) ? $pconfig[$prefix."id_netbits"] : null; $netbits = isset($pconfig[$prefix."id_netbits"]) ? $pconfig[$prefix."id_netbits"] : null;
$nattype = isset($pconfig[$prefix."id_nattype"]) ? $pconfig[$prefix."id_nattype"] : null;
switch ($type) { switch ($type) {
case "address": case "address":
if (!empty($nattype)) { return array('type' => $type, 'address' => $address);
return array('type' => $type, 'address' => $address, 'nattype' => $nattype);
} else {
return array('type' => $type, 'address' => $address);
}
case "network": case "network":
if (!empty($nattype)) { return array('type' => $type, 'address' => $address, 'netbits' => $netbits);
return array('type' => $type, 'address' => $address, 'netbits' => $netbits, 'nattype' => $nattype);
} else {
return array('type' => $type, 'address' => $address, 'netbits' => $netbits);
}
default: default:
return array('type' => $type ); return array('type' => $type );
} }
...@@ -109,17 +100,11 @@ function idinfo_to_pconfig($prefix, $idinfo, & $pconfig) ...@@ -109,17 +100,11 @@ function idinfo_to_pconfig($prefix, $idinfo, & $pconfig)
case "address": case "address":
$pconfig[$prefix."id_type"] = $idinfo['type']; $pconfig[$prefix."id_type"] = $idinfo['type'];
$pconfig[$prefix."id_address"] = $idinfo['address']; $pconfig[$prefix."id_address"] = $idinfo['address'];
if (isset($idinfo['nattype'])) {
$pconfig[$prefix."id_nattype"] = $idinfo['nattype'];
}
break; break;
case "network": case "network":
$pconfig[$prefix."id_type"] = $idinfo['type']; $pconfig[$prefix."id_type"] = $idinfo['type'];
$pconfig[$prefix."id_address"] = $idinfo['address']; $pconfig[$prefix."id_address"] = $idinfo['address'];
$pconfig[$prefix."id_netbits"] = $idinfo['netbits']; $pconfig[$prefix."id_netbits"] = $idinfo['netbits'];
if (isset($idinfo['nattype'])) {
$pconfig[$prefix."id_nattype"] = $idinfo['nattype'];
}
break; break;
default: default:
$pconfig[$prefix."id_type"] = $idinfo['type']; $pconfig[$prefix."id_type"] = $idinfo['type'];
...@@ -184,9 +169,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -184,9 +169,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
// fields with some kind of logic // fields with some kind of logic
$pconfig['disabled'] = isset($config['ipsec']['phase2'][$p2index]['disabled']); $pconfig['disabled'] = isset($config['ipsec']['phase2'][$p2index]['disabled']);
if (!empty($config['ipsec']['phase2'][$p2index]['natlocalid'])) {
idinfo_to_pconfig("natlocal", $config['ipsec']['phase2'][$p2index]['natlocalid'], $pconfig);
}
idinfo_to_pconfig("local", $config['ipsec']['phase2'][$p2index]['localid'], $pconfig); idinfo_to_pconfig("local", $config['ipsec']['phase2'][$p2index]['localid'], $pconfig);
idinfo_to_pconfig("remote", $config['ipsec']['phase2'][$p2index]['remoteid'], $pconfig); idinfo_to_pconfig("remote", $config['ipsec']['phase2'][$p2index]['remoteid'], $pconfig);
if (!empty($config['ipsec']['phase2'][$p2index]['encryption-algorithm-option'])) { if (!empty($config['ipsec']['phase2'][$p2index]['encryption-algorithm-option'])) {
...@@ -276,34 +258,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -276,34 +258,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
} }
} }
if (!empty($pconfig['natlocalid_address'])) {
switch ($pconfig['natlocalid_type']) {
case "network":
if (($pconfig['natlocalid_netbits'] != 0 && !$pconfig['natlocalid_netbits']) || !is_numeric($pconfig['natlocalid_netbits'])) {
$input_errors[] = gettext("A valid NAT local network bit count must be specified.");
}
if ($pconfig['localid_type'] == "address") {
$input_errors[] = gettext("You cannot configure a network type address for NAT while only an address type is selected for local source.");
}
// address rules also apply to network type (hence, no break)
case "address":
if (!empty($pconfig['natlocalid_address']) && !is_ipaddr($pconfig['natlocalid_address'])) {
$input_errors[] = gettext("A valid NAT local network IP address must be specified.");
} elseif (is_ipaddrv4($pconfig['natlocalid_address']) && ($pconfig['mode'] != "tunnel")) {
$input_errors[] = gettext("A valid NAT local network IPv4 address must be specified or you need to change Mode to IPv6");
} elseif (is_ipaddrv6($pconfig['natlocalid_address']) && ($pconfig['mode'] != "tunnel6")) {
$input_errors[] = gettext("A valid NAT local network IPv6 address must be specified or you need to change Mode to IPv4");
}
break;
}
switch ($pconfig['natlocalid_nattype']) {
case "binat":
if ($pconfig['natlocalid_netbits'] != $pconfig['localid_netbits']) {
$input_errors[] = gettext("BINAT requires that the netmask of the local network matches the one of the NAT/BINAT network.");
}
}
}
switch ($pconfig['remoteid_type']) { switch ($pconfig['remoteid_type']) {
case "network": case "network":
if (($pconfig['remoteid_netbits'] != 0 && !$pconfig['remoteid_netbits']) || !is_numeric($pconfig['remoteid_netbits'])) { if (($pconfig['remoteid_netbits'] != 0 && !$pconfig['remoteid_netbits']) || !is_numeric($pconfig['remoteid_netbits'])) {
...@@ -414,9 +368,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -414,9 +368,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
// fields with some logic in them // fields with some logic in them
$ph2ent['disabled'] = $pconfig['disabled'] ? true : false; $ph2ent['disabled'] = $pconfig['disabled'] ? true : false;
if (($ph2ent['mode'] == "tunnel") || ($ph2ent['mode'] == "tunnel6")) { if (($ph2ent['mode'] == "tunnel") || ($ph2ent['mode'] == "tunnel6")) {
if (!empty($pconfig['natlocalid_address'])) {
$ph2ent['natlocalid'] = pconfig_to_idinfo("natlocal", $pconfig);
}
$ph2ent['localid'] = pconfig_to_idinfo("local", $pconfig); $ph2ent['localid'] = pconfig_to_idinfo("local", $pconfig);
$ph2ent['remoteid'] = pconfig_to_idinfo("remote", $pconfig); $ph2ent['remoteid'] = pconfig_to_idinfo("remote", $pconfig);
} }
...@@ -484,7 +435,7 @@ include("head.inc"); ...@@ -484,7 +435,7 @@ include("head.inc");
}); });
$("#proto").change(); $("#proto").change();
['localid', 'remoteid', 'natlocalid'].map(function(field){ ['localid', 'remoteid'].map(function(field){
$("#"+field+"_type").change(function(){ $("#"+field+"_type").change(function(){
$("#"+field+"_netbits").prop("disabled", true); $("#"+field+"_netbits").prop("disabled", true);
$("#"+field+"_address").prop("disabled", true); $("#"+field+"_address").prop("disabled", true);
...@@ -608,64 +559,6 @@ if (isset($input_errors) && count($input_errors) > 0) { ...@@ -608,64 +559,6 @@ if (isset($input_errors) && count($input_errors) > 0) {
</select> </select>
</td> </td>
</tr> </tr>
<tr class="opt_localid">
<td colspan="2"><b><?=gettext("NAT/BINAT");?></b></td>
</tr>
<tr class="opt_localid">
<td><a id="help_for_natlocalid_nattype" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("NAT Type"); ?></td>
<td>
<select name="natlocalid_nattype" class="formselect">
<option value="auto" <?=empty($pconfig['natlocalid_nattype']) || $pconfig['natlocalid_nattype'] == "auto" ? "selected=\"selected\"" : "";?> >
<?=gettext("Auto"); ?>
</option>
<option value="nat" <?=!empty($pconfig['natlocalid_nattype']) && $pconfig['natlocalid_nattype'] == "nat" ? "selected=\"selected\"" : "";?>>
<?=gettext("NAT"); ?>
</option>
<option value="binat" <?=!empty($pconfig['natlocalid_nattype']) && $pconfig['natlocalid_nattype'] == "binat" ? "selected=\"selected\"" : "";?>>
<?=gettext("BINAT"); ?>
</option>
</select>
<div class="hidden" for="help_for_natlocalid_nattype">
<?= gettext('Enforce the type of NAT by choosing either NAT or BINAT. Leave it to Auto to let OPNsense automatically choose the best NAT option.') ?>
</div>
</td>
</tr>
<tr class="opt_localid">
<td><a id="help_for_natlocalid_type" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Type"); ?></td>
<td>
<select name="natlocalid_type" id="natlocalid_type">
<option value="address" <?=!empty($pconfig['natlocalid_type']) && $pconfig['natlocalid_type'] == "address" ? "selected=\"selected\"" : "";?> >
<?=gettext("Address"); ?>
</option>
<option value="network" <?=!empty($pconfig['natlocalid_type']) && $pconfig['natlocalid_type'] == "network" ? "selected=\"selected\"" : "";?>>
<?=gettext("Network"); ?>
</option>
<option value="none" <?=empty($pconfig['natlocalid_type']) || $pconfig['natlocalid_type'] == "none" ? "selected=\"selected\"" : "";?>>
<?=gettext("None"); ?>
</option>
</select>
<div class="hidden" for="help_for_natlocalid_type">
<?= gettext('In case you need NAT/BINAT on this network specify the address to be translated.') ?>
</div>
</td>
</tr>
<tr class="opt_localid">
<td><i class="fa fa-info-circle text-muted"></i> <?=gettext("Address:");?>&nbsp;&nbsp;</td>
<td>
<input name="natlocalid_address" type="text" class="formfld unknown ipv4v6" id="natlocalid_address" size="28" value="<?=isset($pconfig['natlocalid_address']) ? $pconfig['natlocalid_address'] : "";?>" />
/
<select name="natlocalid_netbits" data-network-id="natlocalid_address" class="formselect ipv4v6net" id="natlocalid_netbits">
<?php
for ($i = 128; $i >= 0; $i--) :?>
<option value="<?=$i;?>" <?= isset($pconfig['natlocalid_netbits']) && $i == $pconfig['natlocalid_netbits'] ? "selected=\"selected\"" : "";?>>
<?=$i;?>
</option>
<?php
endfor; ?>
</select>
</td>
</tr>
<?php if (!isset($pconfig['mobile'])) : <?php if (!isset($pconfig['mobile'])) :
?> ?>
<tr class="opt_remoteid"> <tr class="opt_remoteid">
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment