Firewall: DNAT - Show right DNAT interface in ruletable
authorAlexander Marx <alexander.marx@ipfire.org>
Fri, 21 Mar 2014 07:28:24 +0000 (08:28 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 21 Mar 2014 11:51:09 +0000 (12:51 +0100)
Now:
When using a hostgroup as source there are all corresponding DNAT
interfaces shown in ruletable depending on the entries in the group.

When in DNAT area "-automatic" is selected, the DNAT interfaces are
shown as IP-Addresses, else they are shown as "ORANGE","GREEN","BLUE"...

BUGFIX: When a MAC address is used in a source group, the rules could not be set. Now MAC addresses always get the public interface as DNAT interface.

config/firewall/firewall-lib.pl
html/cgi-bin/firewall.cgi

index 6f04b0c..a82fc90 100755 (executable)
@@ -51,11 +51,12 @@ my $configipsec             = "${General::swroot}/vpn/config";
 my $configovpn         = "${General::swroot}/ovpn/settings";
 my $val;
 my $field;
+my $netsettings                = "${General::swroot}/ethernet/settings";
 
 &General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
 &General::readhash("${General::swroot}/ovpn/settings", \%ovpnsettings);
 &General::readhash("${General::swroot}/vpn/settings", \%ipsecsettings);
-
+&General::readhash("$netsettings", \%defaultNetworks);
 
 &General::readhasharray("$confignet", \%customnetwork);
 &General::readhasharray("$confighost", \%customhost);
@@ -253,8 +254,8 @@ sub get_host_ip
                }  
        }
 }
-# Functions used by rules.pl
-sub get_addresses {
+sub get_addresses
+{
        my $hash = shift;
        my $key  = shift;
        my $type = shift;
@@ -293,7 +294,8 @@ sub get_addresses {
 
        return @addresses;
 }
-sub get_address {
+sub get_address
+{
        my $key   = shift;
        my $value = shift;
        my $type  = shift;
@@ -401,21 +403,24 @@ sub get_address {
 
        return @ret;
 }
-sub get_external_interface() {
+sub get_external_interface()
+{
        open(IFACE, "/var/ipfire/red/iface") or return "";
        my $iface = <IFACE>;
        close(IFACE);
 
        return $iface;
 }
-sub get_external_address() {
+sub get_external_address()
+{
        open(ADDR, "/var/ipfire/red/local-ipaddress") or return "";
        my $address = <ADDR>;
        close(ADDR);
 
        return $address;
 }
-sub get_alias {
+sub get_alias
+{
        my $id = shift;
 
        foreach my $alias (sort keys %aliases) {
@@ -424,13 +429,14 @@ sub get_alias {
                }
        }
 }
-sub get_nat_address {
+sub get_nat_address
+{
        my $zone = shift;
        my $source = shift;
 
        # Any static address of any zone.
        if ($zone eq "AUTO") {
-               if ($source) {
+               if ($source && ($source !~ m/mac/i )) {
                        my $firewall_ip = &get_internal_firewall_ip_address($source, 1);
                        if ($firewall_ip) {
                                return $firewall_ip;
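Review bot: The added guard `$source !~ m/mac/i` is an unanchored, case-insensitive substring test, so it depends on the exact value get_addresses hands in for a MAC host and would also trip on any other source value that happens to contain "mac". If the marker is the literal string, anchor it (`$source !~ m/\Amac\z/i`); if the value is an actual MAC address, test its shape instead. The reason for the exclusion is only in the commit message; put it next to the condition: `# MAC sources carry no subnet to match a firewall IP against; fall through to the public interface.`. get_nat_address continues past the end of this hunk.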
@@ -456,7 +462,8 @@ sub get_nat_address {
 
        print_error("Could not find NAT address");
 }
-sub get_internal_firewall_ip_addresses {
+sub get_internal_firewall_ip_addresses
+{
        my $use_orange = shift;
 
        my @zones = ("GREEN", "BLUE");
@@ -474,7 +481,8 @@ sub get_internal_firewall_ip_addresses {
 
        return @addresses;
 }
-sub get_matching_firewall_address {
+sub get_matching_firewall_address
+{
        my $addr = shift;
        my $use_orange = shift;
 
@@ -498,7 +506,8 @@ sub get_matching_firewall_address {
 
        return 0;
 }
-sub get_internal_firewall_ip_address {
+sub get_internal_firewall_ip_address
+{
        my $subnet = shift;
        my $use_orange = shift;
 
@@ -517,5 +526,4 @@ sub get_internal_firewall_ip_address {
        return 0;
 }
 
-
 return 1;
index 436bdaf..d69d821 100644 (file)
@@ -989,6 +989,12 @@ sub deleterule
                &base;
        }
 }
+sub del_double
+{
+       my %all=();
+       @all{@_}=1;
+       return (keys %all);
+}
 sub disable_rule
 {
        my $key1=shift;
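Review bot: `del_double` returns `keys %all`, whose order is not stable between runs, so the interface list that firewall.cgi joins into the rule table can change order from one page load to the next; return `sort keys %all` (or deduplicate with a seen-hash to keep first-seen order) so the rendering is deterministic. `@all{@_}=1;` assigns 1 to the first key and undef to the rest, which is harmless for `keys` but `@all{@_} = ();` says what is meant. The sub also has no comment; a one-liner such as `# Return the unique elements of the argument list.` would do.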
@@ -2551,9 +2557,22 @@ END
                                        <td align='center' $tdcolor>
 END
                        #Is this a DNAT rule?
+                       my $natstring;
                        if ($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
                                if ($$hash{$key}[29] eq 'Default IP'){$$hash{$key}[29]=$Lang::tr{'red1'};}
-                               print "Firewall ($$hash{$key}[29])";
+                               if ($$hash{$key}[29] eq 'AUTO'){
+                                       my @src_addresses=&fwlib::get_addresses(\%$hash,$key,'src');
+                                       my @nat_ifaces;
+                                       foreach my $val (@src_addresses){
+                                               my ($ip,$sub)=split("/",$val);
+                                               push (@nat_ifaces,&fwlib::get_nat_address($$hash{$key}[29],$ip));
+                                       }
+                                       @nat_ifaces=&del_double(@nat_ifaces);
+                                       $natstring = join(', ', @nat_ifaces);
+                               }else{
+                                       $natstring = $$hash{$key}[29];
+                               }
+                               print "$Lang::tr{'firewall'} ($natstring)";
                                if($$hash{$key}[30] ne ''){
                                        $$hash{$key}[30]=~ tr/|/,/;
                                        print": $$hash{$key}[30]";
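Review bot: The AUTO branch pushes whatever `&fwlib::get_nat_address` returns without checking it, and that function ends in `print_error("Could not find NAT address")` (visible in the firewall-lib.pl hunk above) when nothing matches, so a source with no matching zone address would presumably emit that error in the middle of the rule table instead of a placeholder; capture the result and only push a usable value: `my $nat = &fwlib::get_nat_address($$hash{$key}[29], $ip); push @nat_ifaces, $nat if defined $nat && $nat ne '';`. `$sub` from `split("/",$val)` is unused, and `\%$hash` is just `$hash`. `$natstring` is printed into the HTML without escaping; it is built from the firewall's own configuration rather than request input, so this is a consistency point, but worth a comment if that ever changes.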