-rw-r--r-- | config/onatproto/onatproto.inc | 18 | ||||
-rw-r--r-- | config/onatproto/onatproto.patch | 267 | ||||
-rw-r--r-- | config/onatproto/onatproto.xml | 65 | ||||
-rw-r--r-- | pkg_config.7.xml | 11 |
4 files changed, 361 insertions, 0 deletions
diff --git a/config/onatproto/onatproto.inc b/config/onatproto/onatproto.inc
new file mode 100644
index 00000000..93454107
--- /dev/null
+++ b/config/onatproto/onatproto.inc
@@ -0,0 +1,18 @@
+<?php
+
+function onatproto_install() {
+ global $g, $config;
+
+ // Test to make sure the patch is not already applied.
+ $out = `patch -fslC --reverse -p1 -b .before_onatproto -d / -i /usr/local/pkg/onatproto.patch |& grep -ci reject`;
+ if ($out == 0) {
+ // If the patch has not already been applied, test to see if it will apply cleanly.
+ $out = `patch -fsNlC -p1 -b .before_onatproto -d / -i /usr/local/pkg/onatproto.patch |& grep -ci reject`;
+ if ($out == 0) {
+ // The patch should apply cleanly, let 'er rip.
+ mwexec("patch -fsNl -p1 -b .before_onatproto -d / -i /usr/local/pkg/onatproto.patch ");
+ }
+ }
+}
+
+?>
\ No newline at end of file
diff --git a/config/onatproto/onatproto.patch b/config/onatproto/onatproto.patch
new file mode 100644
index 00000000..c8d802f3
--- /dev/null
+++ b/config/onatproto/onatproto.patch
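Review bot: The two guards in onatproto_install() do not protect anything on a plain POSIX shell, because PHP backticks run the command via `/bin/sh -c` and `|&` is a bash/csh construct; if the target's sh rejects it (FreeBSD's sh does, as far as I know — confirm), the backtick returns an empty string, `"" == 0` is true under loose comparison, and mwexec() applies the patch unconditionally. Even where the pipe works, counting output lines that contain "reject" is a fragile stand-in for patch(1)'s exit status, and the first condition reads inverted: a reverse dry-run with no rejects is the already-applied case, yet that is the branch that proceeds to apply. I would branch on the exit code instead (mwexec() returns it, if I remember pfSense's util.inc correctly — confirm), drop the unused `global $g, $config;`, and put a comment above the final call noting that `-p1 -d /` rewrites /etc/inc/filter.inc and /usr/local/www/* in place as root, with only the `.before_onatproto` backups as a way back.
```php
function onatproto_install() {
	$patch = "/usr/local/pkg/onatproto.patch";
	// Already applied? A reverse dry-run only succeeds when the patched text is in place.
	if (mwexec("patch -fslC --reverse -p1 -d / -i {$patch}") == 0)
		return;
	// Not applied: refuse to touch the system unless a forward dry-run applies cleanly.
	if (mwexec("patch -fsNlC -p1 -d / -i {$patch}") != 0)
		return;
	// NOTE: rewrites /etc/inc/filter.inc and /usr/local/www/* as root; .before_onatproto backups are the only rollback.
	mwexec("patch -fsNl -p1 -b .before_onatproto -d / -i {$patch}");
}
```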
@@ -0,0 +1,267 @@ +--- /etc/inc/filter.inc.orig 2009-02-24 15:11:55.000000000 -0500 ++++ /etc/inc/filter.inc 2009-02-24 19:38:51.000000000 -0500 +@@ -494,7 +494,7 @@ + } + + /* Generate a 'nat on' or 'no nat on' rule for given interface */ +-function filter_nat_rules_generate_if($if, $src = "any", $srcport = "", $dst = "any", $dstport = "", $natip = "", $natport = "", $nonat = false, $staticnatport = false) { ++function filter_nat_rules_generate_if($if, $src = "any", $proto = "any", $srcport = "", $dst = "any", $dstport = "", $natip = "", $natport = "", $nonat = false, $staticnatport = false) { + global $config; + + /* XXX: billm - any idea if this code is needed? */ +@@ -507,6 +507,12 @@ + else + $tgt = "($if)"; + ++ /* Add the protocol, if defined */ ++ if (($proto != "") && ($proto != "any")) ++ $protocol = " proto {$proto}"; ++ else ++ $protocol = ""; ++ + /* Add the hard set source port (useful for ISAKMP) */ + if ($natport != "") + $tgt .= " port {$natport}"; +@@ -546,7 +552,7 @@ + + /* Put all the pieces together */ + if($if_friendly) +- $natrule = "{$nat} on \${$if_friendly} from {$src} to {$dst} {$target}{$staticnatport_txt}\n"; ++ $natrule = "{$nat} on \${$if_friendly} {$protocol} from {$src} to {$dst} {$target}{$staticnatport_txt}\n"; + + return $natrule; + } +@@ -654,6 +660,7 @@ + + $natrules .= filter_nat_rules_generate_if($natif, + $src, ++ $obent['protocol'], + $obent['sourceport'], + $dst, + $obent['dstport'], +@@ -669,9 +676,9 @@ + update_filter_reload_status("Creating outbound NAT rules"); + + $natrules .= filter_nat_rules_generate_if($wanif, +- "{$lansa}/{$lancfg['subnet']}", 500, "", 500, null, 500, false); ++ "{$lansa}/{$lancfg['subnet']}", "any", 500, "", 500, null, 500, false); + $natrules .= filter_nat_rules_generate_if($wanif, +- "{$lansa}/{$lancfg['subnet']}", 5060, "", 5060, null, 5060, false); ++ "{$lansa}/{$lancfg['subnet']}", "any", 5060, "", 5060, null, 5060, false); + $natrules .= filter_nat_rules_generate_if($wanif, + 
"{$lansa}/{$lancfg['subnet']}"); + +@@ -683,9 +690,9 @@ + $opt_interface = $oc['if']; + if (interface_has_gateway("$opt_interface")) { + $natrules .= filter_nat_rules_generate_if($opt_interface, +- "{$lansa}/{$lancfg['subnet']}", 500, "", 500, null, 500, false); ++ "{$lansa}/{$lancfg['subnet']}", "any", 500, "", 500, null, 500, false); + $natrules .= filter_nat_rules_generate_if($opt_interface, +- "{$lansa}/{$lancfg['subnet']}", 5060, "", 5060, null, 5060, false); ++ "{$lansa}/{$lancfg['subnet']}", "any", 5060, "", 5060, null, 5060, false); + $natrules .= filter_nat_rules_generate_if($opt_interface, + "{$lansa}/{$lancfg['subnet']}"); + } +@@ -701,22 +708,22 @@ + + /* create outbound nat entries for primary wan */ + $natrules .= filter_nat_rules_generate_if($wanif, +- "{$optsa}/{$optcfg['subnet']}", 500, "", 500, null, 500, false); ++ "{$optsa}/{$optcfg['subnet']}", "any", 500, "", 500, null, 500, false); + $natrules .= filter_nat_rules_generate_if($wanif, +- "{$optsa}/{$optcfg['subnet']}", 5060, "", 5060, null, 5060, false); ++ "{$optsa}/{$optcfg['subnet']}", "any", 5060, "", 5060, null, 5060, false); + $natrules .= filter_nat_rules_generate_if($wanif, +- "{$optsa}/{$optcfg['subnet']}", null, "", null, null, null, isset($optcfg['nonat'])); ++ "{$optsa}/{$optcfg['subnet']}", "any", null, "", null, null, null, isset($optcfg['nonat'])); + + /* create outbound nat entries for all opt wans */ + foreach($optints as $oc) { + $opt_interface = $oc['if']; + if (interface_has_gateway("$opt_interface")) { + $natrules .= filter_nat_rules_generate_if($opt_interface, +- "{$optsa}/{$optcfg['subnet']}", 500, "", 500, null, 500, false); ++ "{$optsa}/{$optcfg['subnet']}", "any", 500, "", 500, null, 500, false); + $natrules .= filter_nat_rules_generate_if($opt_interface, +- "{$optsa}/{$optcfg['subnet']}", 5060, "", 5060, null, 5060, false); ++ "{$optsa}/{$optcfg['subnet']}", "any", 5060, "", 5060, null, 5060, false); + $natrules .= filter_nat_rules_generate_if($opt_interface, +- 
"{$optsa}/{$optcfg['subnet']}", null, "", null, null, null, isset($optcfg['nonat'])); ++ "{$optsa}/{$optcfg['subnet']}", "any", null, "", null, null, null, isset($optcfg['nonat'])); + } + } + } +@@ -728,9 +735,9 @@ + if($config['pptp']['pptp_subnet'] <> "") + $pptp_subnet = $config['pptp']['pptp_subnet']; + $natrules .= filter_nat_rules_generate_if($wanif, +- "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 500, "", 500, null, 500, false); ++ "{$pptpdcfg['remoteip']}/{$pptp_subnet}", "any", 500, "", 500, null, 500, false); + $natrules .= filter_nat_rules_generate_if($wanif, +- "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 5060, "", 5060, null, 5060, false); ++ "{$pptpdcfg['remoteip']}/{$pptp_subnet}", "any", 5060, "", 5060, null, 5060, false); + $natrules .= filter_nat_rules_generate_if($wanif, + "{$pptpdcfg['remoteip']}/{$pptp_subnet}"); + +@@ -739,9 +746,9 @@ + $opt_interface = $oc['if']; + if ((is_private_ip($pptpdcfg['remoteip'])) && (interface_has_gateway($opt_interface))) { + $natrules .= filter_nat_rules_generate_if($opt_interface, +- "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 500, "", 500, null, 500, false); ++ "{$pptpdcfg['remoteip']}/{$pptp_subnet}", "any", 500, "", 500, null, 500, false); + $natrules .= filter_nat_rules_generate_if($opt_interface, +- "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 5060, "", 5060, null, 5060, false); ++ "{$pptpdcfg['remoteip']}/{$pptp_subnet}", "any", 5060, "", 5060, null, 5060, false); + $natrules .= filter_nat_rules_generate_if($opt_interface, + "{$pptpdcfg['remoteip']}/{$pptp_subnet}"); + } +@@ -754,20 +761,20 @@ + if($config['pppoe']['pppoe_subnet'] <> "") + $pppoe_subnet = $config['pppoe']['pppoe_subnet']; + $natrules .= filter_nat_rules_generate_if($wanif, +- "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 500, "", 500, null, 500, false); ++ "{$pppoecfg['remoteip']}/{$pppoe_subnet}", "any", 500, "", 500, null, 500, false); + $natrules .= filter_nat_rules_generate_if($wanif, +- "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 5060, "", 5060, 
null, 5060, false); ++ "{$pppoecfg['remoteip']}/{$pppoe_subnet}", "any", 5060, "", 5060, null, 5060, false); + $natrules .= filter_nat_rules_generate_if($wanif, +- "{$pppoecfg['remoteip']}/{$pppoe_subnet}"); ++ "{$pppoecfg['remoteip']}/{$pppoe_subnet}", "any"); + + /* generate nat mappings for opts with a gateway opts */ + foreach($optints as $oc) { + $opt_interface = $oc['if']; + if ((is_private_ip($pppoecfg['remoteip'])) && (interface_has_gateway($opt_interface))) { + $natrules .= filter_nat_rules_generate_if($opt_interface, +- "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 500, "", 500, null, 500, false); ++ "{$pppoecfg['remoteip']}/{$pppoe_subnet}", "any", 500, "", 500, null, 500, false); + $natrules .= filter_nat_rules_generate_if($opt_interface, +- "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 5060, "", 5060, null, 5060, false); ++ "{$pppoecfg['remoteip']}/{$pppoe_subnet}", "any", 5060, "", 5060, null, 5060, false); + $natrules .= filter_nat_rules_generate_if($opt_interface, + "{$pppoecfg['remoteip']}/{$pppoe_subnet}"); + } +@@ -780,22 +787,22 @@ + $netip = explode("/", $route['network']); + if ((! interface_has_gateway($route['interface'])) && (is_private_ip($netip[0]))) { + $natrules .= filter_nat_rules_generate_if($wanif, +- "{$route['network']}", 500, "", 500, null, 500, false); ++ "{$route['network']}", "any", 500, "", 500, null, 500, false); + $natrules .= filter_nat_rules_generate_if($wanif, +- "{$route['network']}", 5060, "", 5060, null, 5060, false); ++ "{$route['network']}", "any", 5060, "", 5060, null, 5060, false); + $natrules .= filter_nat_rules_generate_if($wanif, +- "{$route['network']}", "", null); ++ "{$route['network']}", "any", "", null); + } + /* generate nat mapping for static routes on opts */ + foreach($optints as $oc) { + $opt_interface = $oc['if']; + if ((! 
interface_has_gateway($route['interface'])) && (is_private_ip($netip[0])) && (interface_has_gateway($opt_interface))) { + $natrules .= filter_nat_rules_generate_if($opt_interface, +- "{$route['network']}", 500, "", 500, null, 500, false); ++ "{$route['network']}", "any", 500, "", 500, null, 500, false); + $natrules .= filter_nat_rules_generate_if($opt_interface, +- "{$route['network']}", 5060, "", 5060, null, 5060, false); ++ "{$route['network']}", "any", 5060, "", 5060, null, 5060, false); + $natrules .= filter_nat_rules_generate_if($opt_interface, +- "{$route['network']}", "", null); ++ "{$route['network']}", "any", "", null); + } + } + +--- /usr/local/www-orig/firewall_nat_out.php 2008-01-07 21:14:44.000000000 -0500 ++++ /usr/local/www/firewall_nat_out.php 2009-02-24 18:21:20.000000000 -0500 +@@ -102,6 +102,7 @@ + $natent['interface'] = "wan"; + $natent['destination']['any'] = true; + $natent['natport'] = ""; ++ $natent['protocol'] = "any"; + $a_out[] = $natent; + } + $savemsg = "Default rules for each interface have been created."; +@@ -265,6 +266,11 @@ + echo "LAN"; + else + echo htmlspecialchars($config['interfaces'][$natent['interface']]['descr']); ++ ++ if (($natent['protocol'] != "any") && ($natent['protocol'] != "")) ++ $proto = $natent['protocol'] . "/"; ++ else ++ $proto = ""; + ?> + + </td> +@@ -273,10 +279,11 @@ + </td> + <td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='firewall_nat_out_edit.php?id=<?=$nnats;?>';"> + <?php ++ + if (!$natent['sourceport']) +- echo "*"; ++ echo $proto . "*"; + else +- echo $natent['sourceport']; ++ echo $proto . 
$natent['sourceport']; + ?> + </td> + <td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='firewall_nat_out_edit.php?id=<?=$nnats;?>';"> +@@ -293,9 +300,9 @@ + <td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='firewall_nat_out_edit.php?id=<?=$nnats;?>';"> + <?php + if (!$natent['dstport']) +- echo "*"; ++ echo $proto . "*"; + else +- echo $natent['dstport']; ++ echo $proto . $natent['dstport']; + ?> + </td> + <td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='firewall_nat_out_edit.php?id=<?=$nnats;?>';"> +--- /usr/local/www-orig/firewall_nat_out_edit.php 2008-11-08 17:53:23.000000000 -0500 ++++ /usr/local/www/firewall_nat_out_edit.php 2009-02-25 12:07:33.000000000 -0500 +@@ -49,6 +49,7 @@ + } + + if (isset($id) && $a_out[$id]) { ++ $pconfig['proto'] = $a_out[$id]['protocol']; + list($pconfig['source'],$pconfig['source_subnet']) = explode('/', $a_out[$id]['source']['network']); + $pconfig['sourceport'] = $a_out[$id]['sourceport']; + address_to_pconfig($a_out[$id]['destination'], $pconfig['destination'], +@@ -170,6 +171,9 @@ + if (!$natent['interface']) + $natent['interface'] == "wan"; + ++ if ($natent['proto'] != $_POST['proto']) ++ continue; ++ + if (($natent['interface'] == $_POST['interface']) && ($natent['source']['network'] == $osn)) { + if (isset($natent['destination']['not']) == isset($_POST['destination_not'])) { + if ((isset($natent['destination']['any']) && ($ext == "any")) || +@@ -188,6 +192,7 @@ + $natent['descr'] = $_POST['descr']; + $natent['target'] = $_POST['target']; + $natent['interface'] = $_POST['interface']; ++ $natent['protocol'] = $_POST['proto']; + + /* static-port */ + if(isset($_POST['staticnatport'])) +@@ -316,6 +321,17 @@ + Hint: in most cases, you'll want to use WAN here.</span></td> + </tr> + <tr> ++ <td width="22%" valign="top" class="vncellreq">Protocol</td> ++ <td width="78%" 
class="vtable"> ++ <select name="proto" class="formfld" onChange="proto_change(); check_for_aliases();"> ++ <?php $protocols = explode(" ", "any TCP UDP GRE ESP AH L2TP ICMP"); foreach ($protocols as $proto): ?> ++ <option value="<?=strtolower($proto);?>" <?php if (strtolower($proto) == $pconfig['proto']) echo "selected"; ?>><?=htmlspecialchars($proto);?></option> ++ <?php endforeach; ?> ++ </select> <br> <span class="vexpl">Choose which IP protocol ++ this rule should match.<br> ++ Hint: in most cases, you should specify <em>any</em> here.</span></td> ++ </tr> ++ <tr> + <td width="22%" valign="top" class="vncellreq">Source</td> + <td width="78%" class="vtable"> + <table border="0" cellspacing="1" cellpadding="1"> diff --git a/config/onatproto/onatproto.xml b/config/onatproto/onatproto.xml new file mode 100644 index 00000000..e4e4e8b9 --- /dev/null +++ b/config/onatproto/onatproto.xml 
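Review bot: In the firewall_nat_out_edit.php part of this patch the new duplicate-rule check reads `$natent['proto']`, but the value is stored as `$natent['protocol']` (and loaded back from that key into `$pconfig['proto']`), so `$natent['proto']` is never set, `null != $_POST['proto']` holds for every submission, and the `continue` skips the duplicate check for every existing rule; it should read `if ($natent['protocol'] != $_POST['proto']) continue;`. Separately, `$_POST['proto']` is saved without any server-side validation and the filter.inc part interpolates it verbatim into the pf rule (`" proto {$proto}"`), so any value outside the select box reaches pfctl and can break the whole ruleset load; the POST handler should reject it before the save, e.g. `if (!in_array($_POST['proto'], explode(" ", "any tcp udp gre esp ah l2tp icmp"))) $input_errors[] = "Invalid protocol.";` (assuming the page's usual `$input_errors` handling is present above the hunk — confirm). The list page also echoes `$proto` unescaped in two cells; wrapping it in `htmlspecialchars()` like the neighbouring interface description would keep a bad stored value from becoming markup.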
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ onatproto.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2007 to whom it may belong
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>Patch to add Protocol options to Manual Outbound NAT</description>
+ <requirements>pfSense 1.2.x</requirements>
+ <faq>Only needed if you want to NAT outbound based on protocol as well as port.</faq>
+ <name>onatproto</name>
+ <version>0.1</version>
+ <title>onatproto</title>
+ <include_file>/usr/local/pkg/onatproto.inc</include_file>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/onatproto/onatproto.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/onatproto/onatproto.patch</item>
+ </additional_files_needed>
+ <custom_php_install_command>
+ onatproto_install();
+ </custom_php_install_command>
+</packagegui>
diff --git a/pkg_config.7.xml b/pkg_config.7.xml
index ab5c1c39..83e172b9 100644
--- a/pkg_config.7.xml
+++ b/pkg_config.7.xml
@@ -590,5 +590,16 @@
 <config_file>http://www.pfsense.com/packages/config/openvpn-client-export/openvpn-client-export.xml</config_file>
 <configurationfile>openvpn-client-export.xml</configurationfile>
 </package>
+ <package>
+ <name>onatproto</name>
+ <descr>Patch to add Protocol options to Manual Outbound NAT. WARNING! Cannot be uninstalled.</descr>
+ <category>System</category>
+ <config_file>http://www.pfsense.com/packages/config/onatproto/onatproto.xml</config_file>
+ <version>0.1</version>
+ <status>BETA</status>
+ <required_version>1.2.1</required_version>
+ <maximum_version>1.2.3</maximum_version>
+ <configurationfile>dashboard.xml</configurationfile>
+ </package>
 </packages>
 </pfsensepkgs>
|
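Review bot: `<chmod>077</chmod>` on both additional_files_needed entries is almost certainly a typo for `0644`: octal 077 strips every owner bit and grants group and world rwx, so the .inc that the installer includes and the .patch that it applies to /etc/inc and /usr/local/www as root become writable by any unprivileged local account. The two files are also pulled over plain `http://` with no digest, so whatever replaces them on the wire is what gets patched into filter.inc; that is how the package system of this era fetched everything, I believe, but it deserves a note in `<description>` or `<faq>` given what this particular package rewrites. Minor: `<requirements>pfSense 1.2.x</requirements>` is looser than the 1.2.1–1.2.3 window pinned in pkg_config.7.xml.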
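Review bot: `<configurationfile>dashboard.xml</configurationfile>` looks like a copy-paste leftover; every other entry in this file uses the basename of its `<config_file>`, as the openvpn-client-export package just above does, so this should be `<configurationfile>onatproto.xml</configurationfile>` or the package manager will look for the wrong GUI file. On the "WARNING! Cannot be uninstalled." text: the installer keeps `.before_onatproto` backups, so a `custom_php_deinstall_command` that runs the same patch with `--reverse` (or restores the backups) would make removal possible, and if that is not going to be done the description should at least say that the filter.inc and NAT page changes stay behind after uninstall.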