diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 5384b2a959..49da2aafc8 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1104,40 +1104,56 @@ function filter_nat_rules_generate() {
/* any 1:1 mappings? */
if(is_array($config['nat']['onetoone'])) {
- foreach ($config['nat']['onetoone'] as $natent) {
- if(!is_numeric($natent['subnet']))
- $sn = 32;
- else
- $sn = $natent['subnet'];
- if(!$natent['interface'])
+ foreach ($config['nat']['onetoone'] as $rule) {
+ if (isset($rule['disabled']))
+ continue;
+
+ $sn = "";
+ $target = alias_expand($rule['external']);
+ if (!$target) {
+ $natrules .= "# Unresolvable alias {$rule['target']}\n";
+ continue; /* unresolvable alias */
+ }
+
+ if (!$rule['interface'])
$natif = "wan";
else
- $natif = $natent['interface'];
+ $natif = $rule['interface'];
+ if (!isset($FilterIflist[$natif]))
+ continue;
+
+ $srcaddr = filter_generate_address($rule, 'source');
+ $dstaddr = filter_generate_address($rule, 'destination');
+ if(!$dstaddr)
+ $dstaddr = $FilterIflist[$natif]['ip'];
+
+ $tmp = explode('/', $srcaddr);
+ if (!empty($tmp[1]) && is_numeric($tmp[1])) {
+ $sn = $tmp[1];
+ $sn1 = "/{$sn}";
+ }
+
$natif = $FilterIflist[$natif]['if'];
- if($natif) {
- /* If reflection is enabled, turn on extra redirections
- * for this rule by adding other interfaces to binat rule. */
- if((isset($config['system']['enablebinatreflection']) || $natent['natreflection'] == "enable")
- && $natent['natreflection'] != "disable") {
- $nat_if_list = filter_get_reflection_interfaces($natif);
- } else {
- $nat_if_list = array();
- }
+ /*
+ * If reflection is enabled, turn on extra redirections
+ * for this rule by adding other interfaces to binat rule.
+ */
+ if ((isset($rule['system']['enablebinatreflection']) || $rule['natreflection'] == "enable")
+ && $rule['natreflection'] != "disable")
+ $nat_if_list = filter_get_reflection_interfaces($natif);
+ else
+ $nat_if_list = array();
- $natrules .= "binat on {$natif} from {$natent['internal']}/{$sn} to any -> {$natent['external']}/{$sn}\n";
-
- if(!empty($nat_if_list)) {
- $binat_if_list = implode(" ", $nat_if_list);
- if(count($nat_if_list) > 1)
- $binat_if_list = "{ {$binat_if_list} }";
-
- $reflection_txt .= "rdr on {$binat_if_list} from any to {$natent['external']}/{$sn} -> {$natent['internal']}/{$sn} bitmask\n";
- }
-
- $nat_if_list = array_merge(array($natif), $nat_if_list);
- $reflection_txt .= filter_generate_reflection_nat($rule, $nat_if_list, "", "{$natent['internal']}/{$sn}", $natent['internal'], $sn);
+ $natrules .= "binat on {$natif} from {$srcaddr} to {$dstaddr} -> {$target}{$sn1}\n";
+ if (!empty($nat_if_list)) {
+ $binat_if_list = implode(" ", $nat_if_list);
+ $binat_if_list = "{ {$binat_if_list} }";
+ $reflection_txt .= "rdr on {$binat_if_list} from {$srcaddr} to {$target}{$sn1} -> {$dstaddr} bitmask\n";
}
+
+ $nat_if_list = array_merge(array($natif), $nat_if_list);
+ $reflection_txt .= filter_generate_reflection_nat($rule, $nat_if_list, "", $srcaddr, $traget, $sn);
}
}
$natrules .= "\n# Outbound NAT rules\n";
diff --git a/usr/local/www/firewall_nat_1to1.php b/usr/local/www/firewall_nat_1to1.php
index 494d34e2f9..94132f247b 100755
--- a/usr/local/www/firewall_nat_1to1.php
+++ b/usr/local/www/firewall_nat_1to1.php
@@ -102,8 +102,9 @@ include("head.inc");
| =gettext("Interface"); ?> |
=gettext("External IP"); ?> |
- =gettext("Internal IP"); ?> |
- =gettext("Description"); ?> |
+ =gettext("Source IP"); ?> |
+ =gettext("Destination IP"); ?> |
+ =gettext("Description"); ?> |
@@ -124,12 +125,13 @@ include("head.inc");
?>
|
-
+
|
-
+
+ |
+
+
|
=htmlspecialchars($natent['descr']);?>
@@ -145,7 +147,7 @@ include("head.inc");
|
- |
+ |
diff --git a/usr/local/www/firewall_nat_1to1_edit.php b/usr/local/www/firewall_nat_1to1_edit.php
index 50579597d9..89c3335bae 100755
--- a/usr/local/www/firewall_nat_1to1_edit.php
+++ b/usr/local/www/firewall_nat_1to1_edit.php
@@ -54,9 +54,17 @@ function nat_1to1_rules_sort() {
}
require("guiconfig.inc");
+require_once("interfaces.inc");
require("filter.inc");
require("shaper.inc");
+$specialsrcdst = explode(" ", "any pptp pppoe l2tp openvpn");
+$ifdisp = get_configured_interface_with_descr();
+foreach ($ifdisp as $kif => $kdescr) {
+ $specialsrcdst[] = "{$kif}";
+ $specialsrcdst[] = "{$kif}ip";
+}
+
if (!is_array($config['nat']['onetoone'])) {
$config['nat']['onetoone'] = array();
}
@@ -67,21 +75,25 @@ if (isset($_POST['id']))
$id = $_POST['id'];
if (isset($id) && $a_1to1[$id]) {
- $pconfig['external'] = $a_1to1[$id]['external'];
- $pconfig['internal'] = $a_1to1[$id]['internal'];
+ $pconfig['disabled'] = isset($a_1to1[$id]['disabled']);
+
+ address_to_pconfig($a_1to1[$id]['source'], $pconfig['src'],
+ $pconfig['srcmask'], $pconfig['srcnot'],
+ $pconfig['srcbeginport'], $pconfig['srcendport']);
+
+ address_to_pconfig($a_1to1[$id]['destination'], $pconfig['dst'],
+ $pconfig['dstmask'], $pconfig['dstnot'],
+ $pconfig['dstbeginport'], $pconfig['dstendport']);
+
$pconfig['interface'] = $a_1to1[$id]['interface'];
if (!$pconfig['interface'])
$pconfig['interface'] = "wan";
- if (!$a_1to1[$id]['subnet'])
- $pconfig['subnet'] = 32;
- else
- $pconfig['subnet'] = $a_1to1[$id]['subnet'];
+
+ $pconfig['external'] = $a_1to1[$id]['external'];
$pconfig['descr'] = $a_1to1[$id]['descr'];
$pconfig['natreflection'] = $a_1to1[$id]['natreflection'];
-} else {
- $pconfig['subnet'] = 32;
+} else
$pconfig['interface'] = "wan";
-}
if ($_POST) {
@@ -89,27 +101,67 @@ if ($_POST) {
$pconfig = $_POST;
/* input validation */
- $reqdfields = explode(" ", "interface external internal");
- $reqdfieldsn = array(gettext("Interface"),gettext("External subnet"),gettext("Internal subnet"));
+ $reqdfields = explode(" ", "interface external");
+ $reqdfieldsn = array(gettext("Interface"), gettext("External subnet"));
+ if ($_POST['srctype'] == "single" || $_POST['srctype'] == "network") {
+ $reqdfields[] = "src";
+ $reqdfieldsn[] = gettext("Source address");
+ }
+ if ($_POST['dsttype'] == "single" || $_POST['dsttype'] == "network") {
+ $reqdfields[] = "dst";
+ $reqdfieldsn[] = gettext("Destination address");
+ }
do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
- if (($_POST['external'] && !is_ipaddr($_POST['external']))) {
+ if (is_specialnet($_POST['srctype'])) {
+ $_POST['src'] = $_POST['srctype'];
+ $_POST['srcmask'] = 0;
+ } else if ($_POST['srctype'] == "single") {
+ $_POST['srcmask'] = 32;
+ }
+ if (is_specialnet($_POST['dsttype'])) {
+ $_POST['dst'] = $_POST['dsttype'];
+ $_POST['dstmask'] = 0;
+ } else if ($_POST['dsttype'] == "single") {
+ $_POST['dstmask'] = 32;
+ } else if (is_ipaddr($_POST['dsttype'])) {
+ $_POST['dst'] = $_POST['dsttype'];
+ $_POST['dstmask'] = 32;
+ $_POST['dsttype'] = "single";
+ }
+
+ if (($_POST['external'] && !is_ipaddroralias($_POST['external'])))
$input_errors[] = gettext("A valid external subnet must be specified.");
- }
- if (($_POST['internal'] && !is_ipaddr($_POST['internal']))) {
- $input_errors[] = gettext("A valid internal subnet must be specified.");
- }
+
+ /* if user enters an alias and selects "network" then disallow. */
+ if( ($_POST['srctype'] == "network" && is_alias($_POST['src']) )
+ || ($_POST['dsttype'] == "network" && is_alias($_POST['dst']) ) )
+ $input_errors[] = gettext("You must specify single host or alias for alias entries.");
+
+ if (!is_specialnet($_POST['srctype'])) {
+ if (($_POST['src'] && !is_ipaddroralias($_POST['src']))) {
+ $input_errors[] = sprintf(gettext("%s is not a valid source IP address or alias."), $_POST['src']);
+ }
+ if (($_POST['srcmask'] && !is_numericint($_POST['srcmask']))) {
+ $input_errors[] = gettext("A valid source bit count must be specified.");
+ }
+ }
+ if (!is_specialnet($_POST['dsttype'])) {
+ if (($_POST['dst'] && !is_ipaddroralias($_POST['dst']))) {
+ $input_errors[] = sprintf(gettext("%s is not a valid destination IP address or alias."), $_POST['dst']);
+ }
+ if (($_POST['dstmask'] && !is_numericint($_POST['dstmask']))) {
+ $input_errors[] = gettext("A valid destination bit count must be specified.");
+ }
+ }
/* check for overlaps with other 1:1 */
foreach ($a_1to1 as $natent) {
if (isset($id) && ($a_1to1[$id]) && ($a_1to1[$id] === $natent))
continue;
- if (check_subnets_overlap($_POST['external'], $_POST['subnet'], $natent['external'], $natent['subnet'])) {
- //$input_errors[] = "Another 1:1 rule overlaps with the specified external subnet.";
- //break;
- } else if (check_subnets_overlap($_POST['internal'], $_POST['subnet'], $natent['internal'], $natent['subnet'])) {
+ if (check_subnets_overlap($_POST['internal'], $_POST['subnet'], $natent['internal'], $natent['subnet'])) {
//$input_errors[] = "Another 1:1 rule overlaps with the specified internal subnet.";
//break;
}
@@ -118,16 +170,20 @@ if ($_POST) {
if (!$input_errors) {
$natent = array();
+ $natent['disabled'] = isset($_POST['disabled']) ? true:false;
$natent['external'] = $_POST['external'];
- $natent['internal'] = $_POST['internal'];
- $natent['subnet'] = $_POST['subnet'];
+ $natent['externalmask'] = $_POST['externalmask'];
$natent['descr'] = $_POST['descr'];
$natent['interface'] = $_POST['interface'];
+ pconfig_to_address($natent['source'], $_POST['src'],
+ $_POST['srcmask'], $_POST['srcnot']);
+
+ pconfig_to_address($natent['destination'], $_POST['dst'],
+ $_POST['dstmask'], $_POST['dstnot']);
+
if ($_POST['natreflection'] == "enable" || $_POST['natreflection'] == "disable")
$natent['natreflection'] = $_POST['natreflection'];
- else
- unset($natent['natreflection']);
if (isset($id) && $a_1to1[$id])
$a_1to1[$id] = $natent;
@@ -150,6 +206,49 @@ include("head.inc");
?>
+
+
+
+
+
+ "")
+ foreach($config['aliases']['alias'] as $alias_name) {
+ switch ($alias_name['type']) {
+ case "host":
+ case "network":
+ case "openvpn":
+ case "urltable":
+ if($addrisfirst == 1) $aliasesaddr .= ",";
+ $aliasesaddr .= "'" . $alias_name['name'] . "'";
+ $addrisfirst = 1;
+ break;
+ default:
+ break;
+ }
+ }
+?>
+
| |