}
if ($_POST['proto'] == "icmp") {
if ($filterent['ipprotocol'] == 'inet6' && $_POST['icmp6type']) {
$filterent['icmptype'] = $_POST['icmp6type'];
} else {
if ($filterent['ipprotocol'] != 'inet6' && $_POST['icmptype']) {
$filterent['icmptype'] = $_POST['icmptype'];
} else {
unset($filterent['icmptype']);
}
}
} else {
unset($filterent['icmptype']);
}
pconfig_to_address($filterent['source'], $_POST['src'], $_POST['srcmask'], $_POST['srcnot'], $_POST['srcbeginport'], $_POST['srcendport']);
pconfig_to_address($filterent['destination'], $_POST['dst'], $_POST['dstmask'], $_POST['dstnot'], $_POST['dstbeginport'], $_POST['dstendport']);
if ($_POST['disabled']) {
$filterent['disabled'] = true;
} else {
unset($filterent['disabled']);
}
if ($_POST['dscp']) {
$filterent['dscp'] = $_POST['dscp'];
}
if ($_POST['log']) {
$filterent['log'] = true;
} else {
unset($filterent['log']);
}
strncpy($filterent['descr'], $_POST['descr'], 52);
if ($_POST['gateway'] != "") {
function easyrule_pass_rule_add($int, $proto, $srchost, $dsthost, $dstport, $ipproto)
{
global $config;
/* No rules, start a new array */
if (!is_array($config['filter']['rule'])) {
$config['filter']['rule'] = array();
}
filter_rules_sort();
$a_filter =& $config['filter']['rule'];
/* Make up a new rule */
$filterent = array();
$filterent['type'] = 'pass';
$filterent['interface'] = $int;
$filterent['ipprotocol'] = $ipproto;
$filterent['descr'] = gettext("Easy Rule: Passed from Firewall Log View");
if ($proto != "any") {
$filterent['protocol'] = $proto;
} else {
unset($filterent['protocol']);
}
/* Default to only allow echo requests, since that's what most people want and
* it should be a safe choice. */
if ($proto == "icmp") {
$filterent['icmptype'] = 'echoreq';
}
if (strtolower($proto) == "icmp6" || strtolower($proto) == "icmpv6") {
$filterent['protocol'] = "icmp";
}
if (is_subnet($srchost)) {
list($srchost, $srcmask) = explode("/", $srchost);
} elseif (is_specialnet($srchost)) {
$srcmask = 0;
} elseif (is_ipaddrv6($srchost)) {
$srcmask = 128;
} else {
$srcmask = 32;
}
if (is_subnet($dsthost)) {
list($dsthost, $dstmask) = explode("/", $dsthost);
} elseif (is_specialnet($dsthost)) {
$dstmask = 0;
} elseif (is_ipaddrv6($dsthost)) {
$dstmask = 128;
} else {
$dstmask = 32;
}
pconfig_to_address($filterent['source'], $srchost, $srcmask);
pconfig_to_address($filterent['destination'], $dsthost, $dstmask, '', $dstport, $dstport);
$filterent['created'] = make_config_revision_entry(null, gettext("Easy Rule"));
$a_filter[] = $filterent;
write_config($filterent['descr']);
$retval = filter_configure();
return true;
}
if (isset($id) && $a_1to1[$id] && $a_1to1[$id] === $natent) {
continue;
}
if (check_subnets_overlap($_POST['internal'], $_POST['subnet'], $natent['internal'], $natent['subnet'])) {
//$input_errors[] = "Another 1:1 rule overlaps with the specified internal subnet.";
//break;
}
}
if (!$input_errors) {
$natent = array();
$natent['disabled'] = isset($_POST['disabled']) ? true : false;
$natent['external'] = $_POST['external'];
$natent['descr'] = $_POST['descr'];
$natent['interface'] = $_POST['interface'];
pconfig_to_address($natent['source'], $_POST['src'], $_POST['srcmask'], $_POST['srcnot']);
pconfig_to_address($natent['destination'], $_POST['dst'], $_POST['dstmask'], $_POST['dstnot']);
if ($_POST['natreflection'] == "enable" || $_POST['natreflection'] == "disable") {
$natent['natreflection'] = $_POST['natreflection'];
} else {
unset($natent['natreflection']);
}
if (isset($id) && $a_1to1[$id]) {
$a_1to1[$id] = $natent;
} else {
if (is_numeric($after)) {
array_splice($a_1to1, $after + 1, 0, array($natent));
} else {
$a_1to1[] = $natent;
}
}
if (write_config()) {
}
if ($_POST['p1myidentt'] == "address" and $_POST['p1myident'] == "") {
$input_errors[] = gettext("Tanımlayıcıya geçerli bir alan adı yazınız.");
}
if ($_POST['p1myidentt'] == "user_fqdn" and $_POST['p1myident'] == "") {
$input_errors[] = gettext("Tanımlayıcıya geçerli bir alan adı yazınız.");
}
if ($_POST['p1myidentt'] == "myaddress") {
$_POST['p1myident'] = "";
}
if (!$input_errors) {
$ipsecent['disabled'] = $_POST['disabled'] ? true : false;
//$ipsecent['auto'] = $_POST['auto'] ? true : false;
$ipsecent['interface'] = $pconfig['interface'];
$ipsecent['natt'] = $_POST['natt'] ? true : false;
pconfig_to_address($ipsecent['local-subnet'], $_POST['localnet'], $_POST['localnetmask']);
$ipsecent['remote-subnet'] = $_POST['remotenet'] . "/" . $_POST['remotebits'];
/* if the old endpoint is different from the new one we make sure to purge
* the old policy and add a new one. If the old endpoint IP is empty we
* only add new SPD entries. */
if (!is_ipaddr($oldipsecent['remote-gateway'])) {
$oldipsecent['remote-gateway'] = resolve_retry($oldipsecent['remote-gateway']);
}
if ($ipsecent['remote-gateway'] != $_POST['remotegw']) {
if (!is_ipaddr($ipsecent['remote-gateway'])) {
$ipsecent['remote-gateway'] = resolve_retry($ipsecent['remote-gateway']);
}
/* if the remote gateway changed and the interface is not WAN then remove route */
/* the vpn_ipsec_configure() handles adding the route */
if ($_POST['interface'] != "wan") {
mwexec("/sbin/route delete -host {$ipsecent['remote-gateway']}");
if (!is_specialnet($pconfig['dst']) && !is_ipaddroralias($pconfig['dst'])) {
$input_errors[] = sprintf(gettext("%s is not a valid destination IP address or alias."), $pconfig['dst']);
}
if (!empty($pconfig['dstmask']) && !is_numericint($pconfig['dstmask'])) {
$input_errors[] = gettext("A valid destination bit count must be specified.");
}
if (count($input_errors) == 0) {
$natent = array();
// 1-on-1 copy
$natent['external'] = $pconfig['external'];
$natent['descr'] = $pconfig['descr'];
$natent['interface'] = $pconfig['interface'];
// copy form data with some kind of logic in it
$natent['disabled'] = isset($_POST['disabled']) ? true : false;
pconfig_to_address($natent['source'], $pconfig['src'], $pconfig['srcmask'], !empty($pconfig['srcnot']));
pconfig_to_address($natent['destination'], $pconfig['dst'], $pconfig['dstmask'], !empty($pconfig['dstnot']));
if (isset($pconfig['natreflection']) && ($pconfig['natreflection'] == "enable" || $pconfig['natreflection'] == "disable")) {
$natent['natreflection'] = $pconfig['natreflection'];
}
// save data
if (isset($id)) {
$a_1to1[$id] = $natent;
} else {
$a_1to1[] = $natent;
}
if (write_config()) {
mark_subsystem_dirty('natconf');
}
header("Location: firewall_nat_1to1.php");
exit;
}
}
if ($pconfig['protocol'] != "any") {
$filterent['protocol'] = $pconfig['protocol'];
}
if ($pconfig['protocol'] == "icmp" && !empty($pconfig['icmptype'])) {
$filterent['icmptype'] = $pconfig['icmptype'];
}
// reset port values for non tcp/udp traffic
if ($pconfig['protocol'] != "tcp" && $pconfig['protocol'] != "udp" && $pconfig['protocol'] != "tcp/udp") {
$pconfig['srcbeginport'] = 0;
$pconfig['srcendport'] = 0;
$pconfig['dstbeginport'] = 0;
$pconfig['dstendport'] = 0;
}
pconfig_to_address($filterent['source'], $pconfig['src'], $pconfig['srcmask'], !empty($pconfig['srcnot']), $pconfig['srcbeginport'], $pconfig['srcendport']);
pconfig_to_address($filterent['destination'], $pconfig['dst'], $pconfig['dstmask'], !empty($pconfig['dstnot']), $pconfig['dstbeginport'], $pconfig['dstendport']);
$filterent['updated'] = make_config_revision_entry();
// update or insert item
if (isset($id)) {
if (isset($a_filter[$id]['created']) && is_array($a_filter[$id]['created'])) {
$filterent['created'] = $a_filter[$id]['created'];
}
$a_filter[$id] = $filterent;
} else {
$filterent['created'] = make_config_revision_entry();
if (isset($after)) {
array_splice($a_filter, $after + 1, 0, array($filterent));
} else {
$a_filter[] = $filterent;
}
}
}
}
if ($need_filter_rule == true) {
/* auto-generate a matching firewall rule */
$filterent = array();
unset($filterentid);
// If a rule already exists, load it
if (!empty($natent['associated-rule-id'])) {
$filterentid = get_id($natent['associated-rule-id'], $config['filter']['rule']);
if ($filterentid === false) {
$filterent['associated-rule-id'] = $natent['associated-rule-id'];
} else {
$filterent =& $config['filter']['rule'][$filterentid];
}
}
pconfig_to_address($filterent['source'], $_POST['src'], $_POST['srcmask'], $_POST['srcnot'], $_POST['srcbeginport'], $_POST['srcendport']);
// Update interface, protocol and destination
$filterent['interface'] = $_POST['interface'];
$filterent['protocol'] = $_POST['proto'];
$filterent['destination']['address'] = $_POST['localip'];
$dstpfrom = $_POST['localbeginport'];
$dstpto = $dstpfrom + $_POST['dstendport'] - $_POST['dstbeginport'];
if ($dstpfrom == $dstpto) {
$filterent['destination']['port'] = $dstpfrom;
} else {
$filterent['destination']['port'] = $dstpfrom . "-" . $dstpto;
}
/*
* Our firewall filter description may be no longer than
* 63 characters, so don't let it be.
*/
if (!empty($natent['associated-rule-id'])) {
// search rule by associated-rule-id
$filterentid = false;
foreach ($config['filter']['rule'] as $key => $item) {
if (isset($item['associated-rule-id']) && $item['associated-rule-id'] == $natent['associated-rule-id']) {
$filterentid = $key;
break;
}
}
if ($filterentid === false) {
$filterent['associated-rule-id'] = $natent['associated-rule-id'];
} else {
$filterent =& $config['filter']['rule'][$filterentid];
}
}
pconfig_to_address($filterent['source'], $pconfig['src'], $pconfig['srcmask'], !empty($pconfig['srcnot']), $pconfig['srcbeginport'], $pconfig['srcendport']);
// Update interface, protocol and destination
$filterent['interface'] = $pconfig['interface'];
$filterent['protocol'] = $pconfig['protocol'];
if (!isset($filterent['destination'])) {
$filterent['destination'] = array();
}
$filterent['destination']['address'] = $pconfig['target'];
if (is_numericint($pconfig['local-port']) && is_numericint($pconfig['dstendport']) && is_numericint($pconfig['dstbeginport'])) {
$dstpfrom = $pconfig['local-port'];
$dstpto = $dstpfrom + max($pconfig['dstendport'], $pconfig['dstbeginport']) - min($pconfig['dstbeginport'], $pconfig['dstendport']);
if ($dstpfrom == $dstpto) {
$filterent['destination']['port'] = $dstpfrom;
} else {
$filterent['destination']['port'] = $dstpfrom . "-" . $dstpto;
}