filter: properly add nat reflection helper for IPv6; closes #1232

(cherry picked from commit 661445dd) (cherry picked from commit 84d6d43b)

filter: properly add nat reflection helper for IPv6; closes #1232
(cherry picked from commit 661445dd) (cherry picked from commit 84d6d43b)
e559fb9b · Franco Fichtner · 1ce3d94c · e559fb9b · e559fb9b
Commit e559fb9b authored Oct 23, 2016 by Franco Fichtner
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 6 deletions

filter.inc src/etc/inc/filter.inc +12 -6

interfaces.inc src/etc/inc/interfaces.inc +11 -0

No files found.
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -1848,14 +1848,20 @@ function filter_nat_rules_generate(&$FilterIflist)
                $protocol_keyword = !empty($protocol) ? "proto" : "";
                $natrules .= "{$nordr}rdr {$rdrpass}on {$natif} {$address_family} {$protocol_keyword} {$protocol} from {$srcaddr} to {$dstaddr}" . ($nordr == "" ? " -> {$target}{$localport}" : "");
                /* Does this rule redirect back to a internal host? */
-                if (isset($rule['destination']['any']) && !isset($rule['nordr']) && !isset($config['system']['enablenatreflectionhelper']) && !interface_has_gateway($rule['interface'])) {
+                if (isset($rule['destination']['any']) && !isset($rule['nordr']) && !isset($config['system']['enablenatreflectionhelper'])) {
-                    $rule_interface_ip = find_interface_ip($natif);
+                    if ($address_family == 'inet6' && !interface_has_gatewayv6($rule['interface'])) {
-                    $rule_interface_subnet = find_interface_subnet($natif);
+                        $rule_interface_subnet = find_interface_subnet6($natif);
-                    if (!empty($rule_interface_ip) && !empty($rule_interface_subnet)) {
+                        $rule_interface_ip = find_interface_ipv6($natif);
+                        $rule_subnet = gen_subnetv6($rule_interface_ip, $rule_interface_subnet);
+                    } elseif (!interface_has_gateway($rule['interface'])) {
+                        $rule_interface_subnet = find_interface_subnet($natif);
+                        $rule_interface_ip = find_interface_ip($natif);
                        $rule_subnet = gen_subnet($rule_interface_ip, $rule_interface_subnet);
+                    }
+                    if (!empty($rule_interface_ip) && !empty($rule_interface_subnet)) {
                        $natrules .= "\n";
-                        $natrules .= "no nat on {$natif} proto tcp from ({$natif}) to {$rule_subnet}/{$rule_interface_subnet}\n";
+                        $natrules .= "no nat on {$natif} {$address_family} proto tcp from ({$natif}) to {$rule_subnet}/{$rule_interface_subnet}\n";
-                        $natrules .= "nat on {$natif} proto tcp from {$rule_subnet}/{$rule_interface_subnet} to {$target} port {$dstport[0]} -> ({$natif})\n";
+                        $natrules .= "nat on {$natif} {$address_family} proto tcp from {$rule_subnet}/{$rule_interface_subnet} to {$target} port {$dstport[0]} -> ({$natif})\n";
                    }
                }

--- a/src/etc/inc/interfaces.inc
+++ b/src/etc/inc/interfaces.inc
@@ -4382,6 +4382,17 @@ function find_interface_subnet($interface)
    return null;
 }
+function find_interface_subnet6($interface)
+{
+    $interface = trim($interface);
+    if (does_interface_exist($interface)) {
+        $ifinfo = legacy_get_interface_addresses($interface);
+        if (isset($ifinfo['subnetbits6'])) {
+            return $ifinfo['subnetbits6'];
+        }
+    }
+    return null;
+}
 function ip_in_interface_alias_subnet($interface, $ipalias)
 {