aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--config/onatproto/onatproto.inc18
-rw-r--r--config/onatproto/onatproto.patch267
-rw-r--r--config/onatproto/onatproto.xml65
-rw-r--r--pkg_config.7.xml11
4 files changed, 361 insertions, 0 deletions
diff --git a/config/onatproto/onatproto.inc b/config/onatproto/onatproto.inc
new file mode 100644
index 00000000..93454107
--- /dev/null
+++ b/config/onatproto/onatproto.inc
@@ -0,0 +1,18 @@
+<?php
+
+function onatproto_install() {
+ global $g, $config;
+
+ // Test to make sure the patch is not already applied.
+ $out = `patch -fslC --reverse -p1 -b .before_onatproto -d / -i /usr/local/pkg/onatproto.patch |& grep -ci reject`;
+ if ($out == 0) {
+ // If the patch has not already been applied, test to see if it will apply cleanly.
+ $out = `patch -fsNlC -p1 -b .before_onatproto -d / -i /usr/local/pkg/onatproto.patch |& grep -ci reject`;
+ if ($out == 0) {
+ // The patch should apply cleanly, let 'er rip.
+ mwexec("patch -fsNl -p1 -b .before_onatproto -d / -i /usr/local/pkg/onatproto.patch ");
+ }
+ }
+}
+
+?> \ No newline at end of file
diff --git a/config/onatproto/onatproto.patch b/config/onatproto/onatproto.patch
new file mode 100644
index 00000000..c8d802f3
--- /dev/null
+++ b/config/onatproto/onatproto.patch
@@ -0,0 +1,267 @@
+--- /etc/inc/filter.inc.orig 2009-02-24 15:11:55.000000000 -0500
++++ /etc/inc/filter.inc 2009-02-24 19:38:51.000000000 -0500
+@@ -494,7 +494,7 @@
+ }
+
+ /* Generate a 'nat on' or 'no nat on' rule for given interface */
+-function filter_nat_rules_generate_if($if, $src = "any", $srcport = "", $dst = "any", $dstport = "", $natip = "", $natport = "", $nonat = false, $staticnatport = false) {
++function filter_nat_rules_generate_if($if, $src = "any", $proto = "any", $srcport = "", $dst = "any", $dstport = "", $natip = "", $natport = "", $nonat = false, $staticnatport = false) {
+ global $config;
+
+ /* XXX: billm - any idea if this code is needed? */
+@@ -507,6 +507,12 @@
+ else
+ $tgt = "($if)";
+
++ /* Add the protocol, if defined */
++ if (($proto != "") && ($proto != "any"))
++ $protocol = " proto {$proto}";
++ else
++ $protocol = "";
++
+ /* Add the hard set source port (useful for ISAKMP) */
+ if ($natport != "")
+ $tgt .= " port {$natport}";
+@@ -546,7 +552,7 @@
+
+ /* Put all the pieces together */
+ if($if_friendly)
+- $natrule = "{$nat} on \${$if_friendly} from {$src} to {$dst} {$target}{$staticnatport_txt}\n";
++ $natrule = "{$nat} on \${$if_friendly} {$protocol} from {$src} to {$dst} {$target}{$staticnatport_txt}\n";
+
+ return $natrule;
+ }
+@@ -654,6 +660,7 @@
+
+ $natrules .= filter_nat_rules_generate_if($natif,
+ $src,
++ $obent['protocol'],
+ $obent['sourceport'],
+ $dst,
+ $obent['dstport'],
+@@ -669,9 +676,9 @@
+ update_filter_reload_status("Creating outbound NAT rules");
+
+ $natrules .= filter_nat_rules_generate_if($wanif,
+- "{$lansa}/{$lancfg['subnet']}", 500, "", 500, null, 500, false);
++ "{$lansa}/{$lancfg['subnet']}", "any", 500, "", 500, null, 500, false);
+ $natrules .= filter_nat_rules_generate_if($wanif,
+- "{$lansa}/{$lancfg['subnet']}", 5060, "", 5060, null, 5060, false);
++ "{$lansa}/{$lancfg['subnet']}", "any", 5060, "", 5060, null, 5060, false);
+ $natrules .= filter_nat_rules_generate_if($wanif,
+ "{$lansa}/{$lancfg['subnet']}");
+
+@@ -683,9 +690,9 @@
+ $opt_interface = $oc['if'];
+ if (interface_has_gateway("$opt_interface")) {
+ $natrules .= filter_nat_rules_generate_if($opt_interface,
+- "{$lansa}/{$lancfg['subnet']}", 500, "", 500, null, 500, false);
++ "{$lansa}/{$lancfg['subnet']}", "any", 500, "", 500, null, 500, false);
+ $natrules .= filter_nat_rules_generate_if($opt_interface,
+- "{$lansa}/{$lancfg['subnet']}", 5060, "", 5060, null, 5060, false);
++ "{$lansa}/{$lancfg['subnet']}", "any", 5060, "", 5060, null, 5060, false);
+ $natrules .= filter_nat_rules_generate_if($opt_interface,
+ "{$lansa}/{$lancfg['subnet']}");
+ }
+@@ -701,22 +708,22 @@
+
+ /* create outbound nat entries for primary wan */
+ $natrules .= filter_nat_rules_generate_if($wanif,
+- "{$optsa}/{$optcfg['subnet']}", 500, "", 500, null, 500, false);
++ "{$optsa}/{$optcfg['subnet']}", "any", 500, "", 500, null, 500, false);
+ $natrules .= filter_nat_rules_generate_if($wanif,
+- "{$optsa}/{$optcfg['subnet']}", 5060, "", 5060, null, 5060, false);
++ "{$optsa}/{$optcfg['subnet']}", "any", 5060, "", 5060, null, 5060, false);
+ $natrules .= filter_nat_rules_generate_if($wanif,
+- "{$optsa}/{$optcfg['subnet']}", null, "", null, null, null, isset($optcfg['nonat']));
++ "{$optsa}/{$optcfg['subnet']}", "any", null, "", null, null, null, isset($optcfg['nonat']));
+
+ /* create outbound nat entries for all opt wans */
+ foreach($optints as $oc) {
+ $opt_interface = $oc['if'];
+ if (interface_has_gateway("$opt_interface")) {
+ $natrules .= filter_nat_rules_generate_if($opt_interface,
+- "{$optsa}/{$optcfg['subnet']}", 500, "", 500, null, 500, false);
++ "{$optsa}/{$optcfg['subnet']}", "any", 500, "", 500, null, 500, false);
+ $natrules .= filter_nat_rules_generate_if($opt_interface,
+- "{$optsa}/{$optcfg['subnet']}", 5060, "", 5060, null, 5060, false);
++ "{$optsa}/{$optcfg['subnet']}", "any", 5060, "", 5060, null, 5060, false);
+ $natrules .= filter_nat_rules_generate_if($opt_interface,
+- "{$optsa}/{$optcfg['subnet']}", null, "", null, null, null, isset($optcfg['nonat']));
++ "{$optsa}/{$optcfg['subnet']}", "any", null, "", null, null, null, isset($optcfg['nonat']));
+ }
+ }
+ }
+@@ -728,9 +735,9 @@
+ if($config['pptp']['pptp_subnet'] <> "")
+ $pptp_subnet = $config['pptp']['pptp_subnet'];
+ $natrules .= filter_nat_rules_generate_if($wanif,
+- "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 500, "", 500, null, 500, false);
++ "{$pptpdcfg['remoteip']}/{$pptp_subnet}", "any", 500, "", 500, null, 500, false);
+ $natrules .= filter_nat_rules_generate_if($wanif,
+- "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 5060, "", 5060, null, 5060, false);
++ "{$pptpdcfg['remoteip']}/{$pptp_subnet}", "any", 5060, "", 5060, null, 5060, false);
+ $natrules .= filter_nat_rules_generate_if($wanif,
+ "{$pptpdcfg['remoteip']}/{$pptp_subnet}");
+
+@@ -739,9 +746,9 @@
+ $opt_interface = $oc['if'];
+ if ((is_private_ip($pptpdcfg['remoteip'])) && (interface_has_gateway($opt_interface))) {
+ $natrules .= filter_nat_rules_generate_if($opt_interface,
+- "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 500, "", 500, null, 500, false);
++ "{$pptpdcfg['remoteip']}/{$pptp_subnet}", "any", 500, "", 500, null, 500, false);
+ $natrules .= filter_nat_rules_generate_if($opt_interface,
+- "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 5060, "", 5060, null, 5060, false);
++ "{$pptpdcfg['remoteip']}/{$pptp_subnet}", "any", 5060, "", 5060, null, 5060, false);
+ $natrules .= filter_nat_rules_generate_if($opt_interface,
+ "{$pptpdcfg['remoteip']}/{$pptp_subnet}");
+ }
+@@ -754,20 +761,20 @@
+ if($config['pppoe']['pppoe_subnet'] <> "")
+ $pppoe_subnet = $config['pppoe']['pppoe_subnet'];
+ $natrules .= filter_nat_rules_generate_if($wanif,
+- "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 500, "", 500, null, 500, false);
++ "{$pppoecfg['remoteip']}/{$pppoe_subnet}", "any", 500, "", 500, null, 500, false);
+ $natrules .= filter_nat_rules_generate_if($wanif,
+- "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 5060, "", 5060, null, 5060, false);
++ "{$pppoecfg['remoteip']}/{$pppoe_subnet}", "any", 5060, "", 5060, null, 5060, false);
+ $natrules .= filter_nat_rules_generate_if($wanif,
+- "{$pppoecfg['remoteip']}/{$pppoe_subnet}");
++ "{$pppoecfg['remoteip']}/{$pppoe_subnet}", "any");
+
+ /* generate nat mappings for opts with a gateway opts */
+ foreach($optints as $oc) {
+ $opt_interface = $oc['if'];
+ if ((is_private_ip($pppoecfg['remoteip'])) && (interface_has_gateway($opt_interface))) {
+ $natrules .= filter_nat_rules_generate_if($opt_interface,
+- "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 500, "", 500, null, 500, false);
++ "{$pppoecfg['remoteip']}/{$pppoe_subnet}", "any", 500, "", 500, null, 500, false);
+ $natrules .= filter_nat_rules_generate_if($opt_interface,
+- "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 5060, "", 5060, null, 5060, false);
++ "{$pppoecfg['remoteip']}/{$pppoe_subnet}", "any", 5060, "", 5060, null, 5060, false);
+ $natrules .= filter_nat_rules_generate_if($opt_interface,
+ "{$pppoecfg['remoteip']}/{$pppoe_subnet}");
+ }
+@@ -780,22 +787,22 @@
+ $netip = explode("/", $route['network']);
+ if ((! interface_has_gateway($route['interface'])) && (is_private_ip($netip[0]))) {
+ $natrules .= filter_nat_rules_generate_if($wanif,
+- "{$route['network']}", 500, "", 500, null, 500, false);
++ "{$route['network']}", "any", 500, "", 500, null, 500, false);
+ $natrules .= filter_nat_rules_generate_if($wanif,
+- "{$route['network']}", 5060, "", 5060, null, 5060, false);
++ "{$route['network']}", "any", 5060, "", 5060, null, 5060, false);
+ $natrules .= filter_nat_rules_generate_if($wanif,
+- "{$route['network']}", "", null);
++ "{$route['network']}", "any", "", null);
+ }
+ /* generate nat mapping for static routes on opts */
+ foreach($optints as $oc) {
+ $opt_interface = $oc['if'];
+ if ((! interface_has_gateway($route['interface'])) && (is_private_ip($netip[0])) && (interface_has_gateway($opt_interface))) {
+ $natrules .= filter_nat_rules_generate_if($opt_interface,
+- "{$route['network']}", 500, "", 500, null, 500, false);
++ "{$route['network']}", "any", 500, "", 500, null, 500, false);
+ $natrules .= filter_nat_rules_generate_if($opt_interface,
+- "{$route['network']}", 5060, "", 5060, null, 5060, false);
++ "{$route['network']}", "any", 5060, "", 5060, null, 5060, false);
+ $natrules .= filter_nat_rules_generate_if($opt_interface,
+- "{$route['network']}", "", null);
++ "{$route['network']}", "any", "", null);
+ }
+ }
+
+--- /usr/local/www-orig/firewall_nat_out.php 2008-01-07 21:14:44.000000000 -0500
++++ /usr/local/www/firewall_nat_out.php 2009-02-24 18:21:20.000000000 -0500
+@@ -102,6 +102,7 @@
+ $natent['interface'] = "wan";
+ $natent['destination']['any'] = true;
+ $natent['natport'] = "";
++ $natent['protocol'] = "any";
+ $a_out[] = $natent;
+ }
+ $savemsg = "Default rules for each interface have been created.";
+@@ -265,6 +266,11 @@
+ echo "LAN";
+ else
+ echo htmlspecialchars($config['interfaces'][$natent['interface']]['descr']);
++
++ if (($natent['protocol'] != "any") && ($natent['protocol'] != ""))
++ $proto = $natent['protocol'] . "/";
++ else
++ $proto = "";
+ ?>
+ &nbsp;
+ </td>
+@@ -273,10 +279,11 @@
+ </td>
+ <td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='firewall_nat_out_edit.php?id=<?=$nnats;?>';">
+ <?php
++
+ if (!$natent['sourceport'])
+- echo "*";
++ echo $proto . "*";
+ else
+- echo $natent['sourceport'];
++ echo $proto . $natent['sourceport'];
+ ?>
+ </td>
+ <td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='firewall_nat_out_edit.php?id=<?=$nnats;?>';">
+@@ -293,9 +300,9 @@
+ <td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='firewall_nat_out_edit.php?id=<?=$nnats;?>';">
+ <?php
+ if (!$natent['dstport'])
+- echo "*";
++ echo $proto . "*";
+ else
+- echo $natent['dstport'];
++ echo $proto . $natent['dstport'];
+ ?>
+ </td>
+ <td class="listr" onClick="fr_toggle(<?=$nnats;?>)" id="frd<?=$nnats;?>" ondblclick="document.location='firewall_nat_out_edit.php?id=<?=$nnats;?>';">
+--- /usr/local/www-orig/firewall_nat_out_edit.php 2008-11-08 17:53:23.000000000 -0500
++++ /usr/local/www/firewall_nat_out_edit.php 2009-02-25 12:07:33.000000000 -0500
+@@ -49,6 +49,7 @@
+ }
+
+ if (isset($id) && $a_out[$id]) {
++ $pconfig['proto'] = $a_out[$id]['protocol'];
+ list($pconfig['source'],$pconfig['source_subnet']) = explode('/', $a_out[$id]['source']['network']);
+ $pconfig['sourceport'] = $a_out[$id]['sourceport'];
+ address_to_pconfig($a_out[$id]['destination'], $pconfig['destination'],
+@@ -170,6 +171,9 @@
+ if (!$natent['interface'])
+ $natent['interface'] == "wan";
+
++ if ($natent['proto'] != $_POST['proto'])
++ continue;
++
+ if (($natent['interface'] == $_POST['interface']) && ($natent['source']['network'] == $osn)) {
+ if (isset($natent['destination']['not']) == isset($_POST['destination_not'])) {
+ if ((isset($natent['destination']['any']) && ($ext == "any")) ||
+@@ -188,6 +192,7 @@
+ $natent['descr'] = $_POST['descr'];
+ $natent['target'] = $_POST['target'];
+ $natent['interface'] = $_POST['interface'];
++ $natent['protocol'] = $_POST['proto'];
+
+ /* static-port */
+ if(isset($_POST['staticnatport']))
+@@ -316,6 +321,17 @@
+ Hint: in most cases, you'll want to use WAN here.</span></td>
+ </tr>
+ <tr>
++ <td width="22%" valign="top" class="vncellreq">Protocol</td>
++ <td width="78%" class="vtable">
++ <select name="proto" class="formfld" onChange="proto_change(); check_for_aliases();">
++ <?php $protocols = explode(" ", "any TCP UDP GRE ESP AH L2TP ICMP"); foreach ($protocols as $proto): ?>
++ <option value="<?=strtolower($proto);?>" <?php if (strtolower($proto) == $pconfig['proto']) echo "selected"; ?>><?=htmlspecialchars($proto);?></option>
++ <?php endforeach; ?>
++ </select> <br> <span class="vexpl">Choose which IP protocol
++ this rule should match.<br>
++ Hint: in most cases, you should specify <em>any</em> &nbsp;here.</span></td>
++ </tr>
++ <tr>
+ <td width="22%" valign="top" class="vncellreq">Source</td>
+ <td width="78%" class="vtable">
+ <table border="0" cellspacing="1" cellpadding="1">
diff --git a/config/onatproto/onatproto.xml b/config/onatproto/onatproto.xml
new file mode 100644
index 00000000..e4e4e8b9
--- /dev/null
+++ b/config/onatproto/onatproto.xml
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ onatproto.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2007 to whom it may belong
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>Patch to add Protocol options to Manual Outbound NAT</description>
+ <requirements>pfSense 1.2.x</requirements>
+ <faq>Only needed if you want to NAT outbound based on protocol as well as port.</faq>
+ <name>onatproto</name>
+ <version>0.1</version>
+ <title>onatproto</title>
+ <include_file>/usr/local/pkg/onatproto.inc</include_file>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/onatproto/onatproto.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/onatproto/onatproto.patch</item>
+ </additional_files_needed>
+ <custom_php_install_command>
+ onatproto_install();
+ </custom_php_install_command>
+</packagegui>
diff --git a/pkg_config.7.xml b/pkg_config.7.xml
index ab5c1c39..83e172b9 100644
--- a/pkg_config.7.xml
+++ b/pkg_config.7.xml
@@ -590,5 +590,16 @@
<config_file>http://www.pfsense.com/packages/config/openvpn-client-export/openvpn-client-export.xml</config_file>
<configurationfile>openvpn-client-export.xml</configurationfile>
</package>
+ <package>
+ <name>onatproto</name>
+ <descr>Patch to add Protocol options to Manual Outbound NAT. WARNING! Cannot be uninstalled.</descr>
+ <category>System</category>
+ <config_file>http://www.pfsense.com/packages/config/onatproto/onatproto.xml</config_file>
+ <version>0.1</version>
+ <status>BETA</status>
+ <required_version>1.2.1</required_version>
+ <maximum_version>1.2.3</maximum_version>
+ <configurationfile>dashboard.xml</configurationfile>
+ </package>
</packages>
</pfsensepkgs>