}
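 /*
  * ICMP type: only meaningful when the rule's protocol is icmp, and the form
  * carries one selector per address family (icmp6type for inet6, icmptype for
  * everything else). Any other combination clears a type left over from the
  * rule being edited. Checkbox and family-specific fields are simply absent
  * from $_POST when not submitted, so they are read through ??/empty() rather
  * than directly (avoids undefined-index notices, same truthiness otherwise).
  */
 if (($_POST['proto'] ?? null) === "icmp") {
     if ($filterent['ipprotocol'] == 'inet6' && !empty($_POST['icmp6type'])) {
         $filterent['icmptype'] = $_POST['icmp6type'];
     } elseif ($filterent['ipprotocol'] != 'inet6' && !empty($_POST['icmptype'])) {
         $filterent['icmptype'] = $_POST['icmptype'];
     } else {
         unset($filterent['icmptype']);
     }
 } else {
     unset($filterent['icmptype']);
 }
 /* Source / destination address, mask, negation flag and port range are
  * normalised by pconfig_to_address(); srcnot/dstnot are checkboxes, so the
  * negation is passed as a bool the way the other save handlers do it. */
 pconfig_to_address($filterent['source'], $_POST['src'], $_POST['srcmask'], !empty($_POST['srcnot']), $_POST['srcbeginport'], $_POST['srcendport']);
 pconfig_to_address($filterent['destination'], $_POST['dst'], $_POST['dstmask'], !empty($_POST['dstnot']), $_POST['dstbeginport'], $_POST['dstendport']);
 /* Checkboxes: stored as a bare true, removed entirely when unticked. */
 if (!empty($_POST['disabled'])) {
     $filterent['disabled'] = true;
 } else {
     unset($filterent['disabled']);
 }
 /* NOTE(review): unlike disabled/log, an empty dscp leaves whatever is already
  * in $filterent untouched, so editing a rule cannot clear it - confirm intended. */
 if (!empty($_POST['dscp'])) {
     $filterent['dscp'] = $_POST['dscp'];
 }
 if (!empty($_POST['log'])) {
     $filterent['log'] = true;
 } else {
     unset($filterent['log']);
 }
 /* Description is bounded to 52 characters by the project's strncpy() helper.
  * NOTE(review): another handler in this codebase caps it at 63 - confirm 52. */
 strncpy($filterent['descr'], $_POST['descr'], 52);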
 if ($_POST['gateway'] != "") {
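/**
 * Create a 'pass' firewall rule from a firewall log entry (the "Easy Rule"
 * shortcut) and append it to the filter rule list.
 *
 * @param string $int     interface name the rule is bound to
 * @param string $proto   protocol name, or "any" for no protocol restriction
 * @param string $srchost source host, CIDR subnet or special network name
 * @param string $dsthost destination host, CIDR subnet or special network name
 * @param string $dstport destination port (used as both ends of the range)
 * @param string $ipproto address family stored in 'ipprotocol'
 * @return bool always true; the outcome of filter_configure() is not reported
 *
 * NOTE(review): nothing here validates the arguments - they are trusted as
 * already checked by the caller. An unrecognised $srchost/$dsthost silently
 * falls through to the /32 case.
 */
function easyrule_pass_rule_add($int, $proto, $srchost, $dsthost, $dstport, $ipproto)
{
    global $config;

    /* No rules, start a new array */
    if (!is_array($config['filter']['rule'])) {
        $config['filter']['rule'] = array();
    }
    filter_rules_sort();
    $a_filter =& $config['filter']['rule'];

    /* Make up a new rule */
    $filterent = array();
    $filterent['type'] = 'pass';
    $filterent['interface'] = $int;
    $filterent['ipprotocol'] = $ipproto;
    $filterent['descr'] = gettext("Easy Rule: Passed from Firewall Log View");
    if ($proto !== "any") {
        $filterent['protocol'] = $proto;
    } else {
        unset($filterent['protocol']);
    }
    /* Default to only allow echo requests, since that's what most people want and
     * it should be a safe choice. */
    if ($proto === "icmp") {
        $filterent['icmptype'] = 'echoreq';
    }
    /* ICMPv6 is stored as protocol "icmp", the family coming from $ipproto.
     * NOTE(review): the echo-request restriction above is keyed on the exact
     * string "icmp", so this spelling gets no icmptype and passes every ICMPv6
     * type - confirm that is intended. */
    if (in_array(strtolower($proto), array("icmp6", "icmpv6"), true)) {
        $filterent['protocol'] = "icmp";
    }

    /* Pick a prefix length from the shape of each endpoint: an explicit CIDR
     * carries its own, a special network name takes 0, a bare address gets a
     * host mask for its family. */
    if (is_subnet($srchost)) {
        list($srchost, $srcmask) = explode("/", $srchost);
    } elseif (is_specialnet($srchost)) {
        $srcmask = 0;
    } elseif (is_ipaddrv6($srchost)) {
        $srcmask = 128;
    } else {
        $srcmask = 32;
    }
    if (is_subnet($dsthost)) {
        list($dsthost, $dstmask) = explode("/", $dsthost);
    } elseif (is_specialnet($dsthost)) {
        $dstmask = 0;
    } elseif (is_ipaddrv6($dsthost)) {
        $dstmask = 128;
    } else {
        $dstmask = 32;
    }
    pconfig_to_address($filterent['source'], $srchost, $srcmask);
    pconfig_to_address($filterent['destination'], $dsthost, $dstmask, '', $dstport, $dstport);

    $filterent['created'] = make_config_revision_entry(null, gettext("Easy Rule"));
    $a_filter[] = $filterent;
    write_config($filterent['descr']);
    /* Reload the ruleset. Its return value was never acted on (the function
     * unconditionally reports success), so it is not captured. */
    filter_configure();
    return true;
}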
     if (isset($id) && $a_1to1[$id] && $a_1to1[$id] === $natent) {
         continue;
     }
     if (check_subnets_overlap($_POST['internal'], $_POST['subnet'], $natent['internal'], $natent['subnet'])) {
         //$input_errors[] = "Another 1:1 rule overlaps with the specified internal subnet.";
         //break;
     }
 }
 if (!$input_errors) {
     $natent = array();
     $natent['disabled'] = isset($_POST['disabled']) ? true : false;
     $natent['external'] = $_POST['external'];
     $natent['descr'] = $_POST['descr'];
     $natent['interface'] = $_POST['interface'];
     pconfig_to_address($natent['source'], $_POST['src'], $_POST['srcmask'], $_POST['srcnot']);
     pconfig_to_address($natent['destination'], $_POST['dst'], $_POST['dstmask'], $_POST['dstnot']);
     if ($_POST['natreflection'] == "enable" || $_POST['natreflection'] == "disable") {
         $natent['natreflection'] = $_POST['natreflection'];
     } else {
         unset($natent['natreflection']);
     }
     if (isset($id) && $a_1to1[$id]) {
         $a_1to1[$id] = $natent;
     } else {
         if (is_numeric($after)) {
             array_splice($a_1to1, $after + 1, 0, array($natent));
         } else {
             $a_1to1[] = $natent;
         }
     }
     if (write_config()) {
 }
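 /*
  * Phase 1 "my identifier" checks: the address and user_fqdn identifier types
  * require a value, while myaddress derives it from the interface so any
  * submitted value is discarded. Missing POST fields count as empty instead of
  * being read directly (undefined-index notices); both identifier types were
  * emitting the identical message, so they are folded into one check.
  * NOTE(review): the shared message (Turkish, "enter a valid domain name for
  * the identifier") reads oddly for the address case; the translation string
  * is left untouched here.
  */
 if (in_array($_POST['p1myidentt'] ?? null, array("address", "user_fqdn"), true)
     && ($_POST['p1myident'] ?? "") === "") {
     $input_errors[] = gettext("Tanımlayıcıya geçerli bir alan adı yazınız.");
 }
 if (($_POST['p1myidentt'] ?? null) === "myaddress") {
     $_POST['p1myident'] = "";
 }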
 if (!$input_errors) {
     $ipsecent['disabled'] = $_POST['disabled'] ? true : false;
     //$ipsecent['auto'] = $_POST['auto'] ? true : false;
     $ipsecent['interface'] = $pconfig['interface'];
     $ipsecent['natt'] = $_POST['natt'] ? true : false;
     pconfig_to_address($ipsecent['local-subnet'], $_POST['localnet'], $_POST['localnetmask']);
     $ipsecent['remote-subnet'] = $_POST['remotenet'] . "/" . $_POST['remotebits'];
     /* if the old endpoint is different from the new one we make sure to purge
      * the old policy and add a new one. If the old endpoint IP is empty we 
      * only add new SPD entries. */
     if (!is_ipaddr($oldipsecent['remote-gateway'])) {
         $oldipsecent['remote-gateway'] = resolve_retry($oldipsecent['remote-gateway']);
     }
     if ($ipsecent['remote-gateway'] != $_POST['remotegw']) {
         if (!is_ipaddr($ipsecent['remote-gateway'])) {
             $ipsecent['remote-gateway'] = resolve_retry($ipsecent['remote-gateway']);
         }
         /* if the remote gateway changed and the interface is not WAN then remove route */
         /* the vpn_ipsec_configure() handles adding the route */
         if ($_POST['interface'] != "wan") {
             mwexec("/sbin/route delete -host {$ipsecent['remote-gateway']}");
 // destination must be a special network, an address or an alias
 if (!is_specialnet($pconfig['dst']) && !is_ipaddroralias($pconfig['dst'])) {
     $input_errors[] = sprintf(gettext("%s is not a valid destination IP address or alias."), $pconfig['dst']);
 }
 // an explicit destination mask must be an integer bit count
 if (!empty($pconfig['dstmask']) && !is_numericint($pconfig['dstmask'])) {
     $input_errors[] = gettext("A valid destination bit count must be specified.");
 }
 if (count($input_errors) == 0) {
     // fields taken over from the form as-is; 'disabled' is a checkbox and is
     // only present in the request when ticked
     $natent = array(
         'external' => $pconfig['external'],
         'descr' => $pconfig['descr'],
         'interface' => $pconfig['interface'],
         'disabled' => isset($_POST['disabled']),
     );
     pconfig_to_address($natent['source'], $pconfig['src'], $pconfig['srcmask'], !empty($pconfig['srcnot']));
     pconfig_to_address($natent['destination'], $pconfig['dst'], $pconfig['dstmask'], !empty($pconfig['dstnot']));
     // only the two explicit reflection settings are stored; anything else is left out
     if (isset($pconfig['natreflection']) && in_array($pconfig['natreflection'], array("enable", "disable"), true)) {
         $natent['natreflection'] = $pconfig['natreflection'];
     }
     // replace the entry being edited, otherwise append
     if (isset($id)) {
         $a_1to1[$id] = $natent;
     } else {
         $a_1to1[] = $natent;
     }
     if (write_config()) {
         mark_subsystem_dirty('natconf');
     }
     header("Location: firewall_nat_1to1.php");
     exit;
 }
 }
 // "any" means no protocol constraint, so the key is simply left out
 if ($pconfig['protocol'] != "any") {
     $filterent['protocol'] = $pconfig['protocol'];
 }
 // an ICMP type is only meaningful for icmp
 if ($pconfig['protocol'] == "icmp" && !empty($pconfig['icmptype'])) {
     $filterent['icmptype'] = $pconfig['icmptype'];
 }
 // ports are a tcp/udp concept; zero them out for everything else
 if (!in_array($pconfig['protocol'], array("tcp", "udp", "tcp/udp"), true)) {
     $pconfig['srcbeginport'] = $pconfig['srcendport'] = $pconfig['dstbeginport'] = $pconfig['dstendport'] = 0;
 }
 pconfig_to_address($filterent['source'], $pconfig['src'], $pconfig['srcmask'], !empty($pconfig['srcnot']), $pconfig['srcbeginport'], $pconfig['srcendport']);
 pconfig_to_address($filterent['destination'], $pconfig['dst'], $pconfig['dstmask'], !empty($pconfig['dstnot']), $pconfig['dstbeginport'], $pconfig['dstendport']);
 $filterent['updated'] = make_config_revision_entry();
 // update or insert item; a fresh 'created' record only for new rules
 if (isset($id)) {
     // editing: carry the original creation record over
     if (isset($a_filter[$id]['created']) && is_array($a_filter[$id]['created'])) {
         $filterent['created'] = $a_filter[$id]['created'];
     }
     $a_filter[$id] = $filterent;
 } elseif (isset($after)) {
     // NOTE(review): $after is used arithmetically here; presumably validated as numeric upstream - confirm
     $filterent['created'] = make_config_revision_entry();
     array_splice($a_filter, $after + 1, 0, array($filterent));
 } else {
     $filterent['created'] = make_config_revision_entry();
     $a_filter[] = $filterent;
 }
     }
 }
 if ($need_filter_rule == true) {
     /* auto-generate a matching firewall rule */
     $filterent = array();
     unset($filterentid);
     // If a rule already exists, load it
     if (!empty($natent['associated-rule-id'])) {
         $filterentid = get_id($natent['associated-rule-id'], $config['filter']['rule']);
         if ($filterentid === false) {
             $filterent['associated-rule-id'] = $natent['associated-rule-id'];
         } else {
             $filterent =& $config['filter']['rule'][$filterentid];
         }
     }
     pconfig_to_address($filterent['source'], $_POST['src'], $_POST['srcmask'], $_POST['srcnot'], $_POST['srcbeginport'], $_POST['srcendport']);
     // Update interface, protocol and destination
     $filterent['interface'] = $_POST['interface'];
     $filterent['protocol'] = $_POST['proto'];
     $filterent['destination']['address'] = $_POST['localip'];
     $dstpfrom = $_POST['localbeginport'];
     $dstpto = $dstpfrom + $_POST['dstendport'] - $_POST['dstbeginport'];
     if ($dstpfrom == $dstpto) {
         $filterent['destination']['port'] = $dstpfrom;
     } else {
         $filterent['destination']['port'] = $dstpfrom . "-" . $dstpto;
     }
     /*
      * Our firewall filter description may be no longer than
      * 63 characters, so don't let it be.
      */
 if (!empty($natent['associated-rule-id'])) {
     // locate the filter rule linked to this NAT entry, if it still exists
     $filterentid = false;
     foreach ($config['filter']['rule'] as $key => $item) {
         if (isset($item['associated-rule-id']) && $item['associated-rule-id'] == $natent['associated-rule-id']) {
             $filterentid = $key;
             break;
         }
     }
     if ($filterentid !== false) {
         // edit the stored rule in place: from here on $filterent aliases the
         // live config entry, so every write below lands in $config directly
         $filterent =& $config['filter']['rule'][$filterentid];
     } else {
         // linked rule not found; presumably kept so the new rule re-attaches
         $filterent['associated-rule-id'] = $natent['associated-rule-id'];
     }
 }
 pconfig_to_address($filterent['source'], $pconfig['src'], $pconfig['srcmask'], !empty($pconfig['srcnot']), $pconfig['srcbeginport'], $pconfig['srcendport']);
 // Update interface, protocol and destination
 $filterent['interface'] = $pconfig['interface'];
 $filterent['protocol'] = $pconfig['protocol'];
 // make sure 'destination' is a container before writing into it
 if (!isset($filterent['destination'])) {
     $filterent['destination'] = array();
 }
 $filterent['destination']['address'] = $pconfig['target'];
 if (is_numericint($pconfig['local-port']) && is_numericint($pconfig['dstendport']) && is_numericint($pconfig['dstbeginport'])) {
     $dstpfrom = $pconfig['local-port'];
     $dstpto = $dstpfrom + max($pconfig['dstendport'], $pconfig['dstbeginport']) - min($pconfig['dstbeginport'], $pconfig['dstendport']);
     if ($dstpfrom == $dstpto) {
         $filterent['destination']['port'] = $dstpfrom;
     } else {
         $filterent['destination']['port'] = $dstpfrom . "-" . $dstpto;
     }