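<?php
#
# Copyright(C) 2004-2005 INL
# Written by Eric Leblond <regit@inl.fr>
#            Vincent Deffontaines <gryzor@inl.fr>
#            Jean Gillaux <jean@inl.fr>
#
# $Id: nat.php 17927 2009-02-16 13:16:09Z haypo $
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#

# NAT rule management page.
#
# Reads the request parameters, validates every one of them, then performs at
# most one of: delete a rule, create a rule, edit a rule.  Afterwards it applies
# any drag-and-drop reordering posted for the SNAT/DNAT/PNAT tables, stores the
# result in the session and renders the three tables plus the edit form.
# Every failed check ends the request through log_and_exit(-1).

$title = 'nat';
$singtitle = 'nat';
$header_ask_list_change = array('sortsnat', 'sortdnat', 'sortpnat');

require_once("include/common.php");
require_once("include/types.php");
require_once("include/headers.php");
require_once("include/edit_nat.php");
require_once("include/nat_func.php");
require_once("include/html.php");

initRuleset();

# The three rule sets are edited in place on the loaded policy.
$snats = &$expolicy->snats;
$dnats = &$expolicy->dnats;
$pnats = &$expolicy->pnats;

# Request parameters.  getHttp() returns the posted value or the given default.
$dndSortSnat = getHttp('dndSortSnat');
$dndSortDnat = getHttp('dndSortDnat');
$dndSortPnat = getHttp('dndSortPnat');
$nat_type = getHttp('nat_type');
$new_nat = getHttp('new_nat');
$ch_nat = getHttp('nat');
$ch_name = getHttp('ch_name');
$nat_nb = getHttp('nat_nb');
$ch_proto = getHttp('proto');
$ch_srcnet = getHttp('srcnet');
$ch_dstnet = getHttp('dstnet');
$ch_sport = getHttp('sport');
$ch_dport = getHttp('dport');
$rand_sport = getHttp('rand_sport', 0);
$ch_icmptype = getHttp('icmptype');
$ch_nat_addr = getHttp('nat_addr');
$ch_nat_port = getHttp('nat_port');
$delete_s = getHttp('delete_s');
$ch_comment = getHttp('comment');

# Security filtering: generic shape checks on every parameter before any of
# them is used.  Type-specific checks follow in the relevant branch below.
if (!check_aclorder($dndSortSnat, 'SNAT order')) {
    log_and_exit(-1);
}
if (!check_aclorder($dndSortDnat, 'DNAT order')) {
    log_and_exit(-1);
}
if (!check_aclorder($dndSortPnat, 'PNAT order')) {
    log_and_exit(-1);
}
if (!check_nb($ch_nat)) {
    log_and_exit(-1);
}
if ($ch_sport != '' and !check_port_range($ch_sport)) {
    log_error(sprintf(_('Sorry, bad parameter received for "%s": "%s"!'), 'sport', $ch_sport));
    log_and_exit(-1);
}
if (!check_nb($ch_dport)) {
    log_and_exit(-1);
}
# The checkbox posts the string 'on'.  The comparison must be strict: with a
# loose '==' the integer default 0 compares equal to 'on' on PHP < 8, which
# would silently enable port randomization when the box is not ticked.
if ($rand_sport === 'on') {
    $rand_sport = 1;
}
if (!check_nb($rand_sport)) {
    log_and_exit(-1);
}
if (!isset($ch_icmptype)) {
    $ch_icmptype = '--';
}

if (isset($delete_s)) {
    # --- Delete a NAT rule ---------------------------------------------------
    if (!check_input_var('elt', 'ID', $delete_s, 'snat ID')) {
        log_and_exit(-1);
    }
    switch ($nat_type) {
        case 'DNAT':
            $dnats->del_elt($delete_s);
            $dnats = $dnats->reorder();
            break;
        case 'SNAT':
            $snats->del_elt($delete_s);
            $snats = $snats->reorder();
            break;
        case 'PNAT':
            $pnats->del_elt($delete_s);
            $pnats = $pnats->reorder();
            break;
        default:
            # An unknown type is a bad request, not a no-op: refuse it rather
            # than falling through to saveRuleset() with nothing deleted.
            log_error(sprintf(_('Sorry, bad parameter received (for "%s")'), 'nat type'));
            log_and_exit(-1);
    }
    # Results are not used on this page; the calls are kept as in the original
    # in case ordered_list_tab() has side effects on the rule sets.
    $snat_ress = &$snats->ordered_list_tab();
    $dnat_ress = &$dnats->ordered_list_tab();
    $pnat_ress = &$pnats->ordered_list_tab();
    saveRuleset($expolicy);
} elseif (isset($new_nat)) {
    # --- Create a NAT rule ---------------------------------------------------
    if (!in_array($nat_type, $NAT_TYPES, true)) {
        log_error(sprintf(_('Sorry, bad parameter received (for "%s")'), 'nat type'));
        log_and_exit(-1);
    }
    if (!check_input_var('ress', 'name', $new_nat)) {
        log_and_exit(-1);
    }
    # The new rule gets placeholder networks/addresses; the user then edits it.
    $data = array(
        'name' => $new_nat,
    );
    try {
        if ($nat_type == 'SNAT') {
            $data['srcnet'] = '192.168.0.0/24';
            $data['rewritetoaddr'] = '192.168.0.1';
            $new = new nat($nat_type, $data, 'data', $snats->new_id());
            $snats->add_elt($new);
        } elseif ($nat_type == 'DNAT') {
            $data['dstnet'] = '192.168.0.1';
            $data['rewritetoaddr'] = '192.168.0.2';
            $new = new nat($nat_type, $data, 'data', $dnats->new_id());
            $dnats->add_elt($new);
        } else {
            # Only PNAT remains after the $NAT_TYPES check above.
            $data['dstnet'] = '192.168.0.1';
            $new = new nat($nat_type, $data, 'data', $pnats->new_id());
            $pnats->add_elt($new);
        }
        # Select the freshly created rule so the edit form opens on it.
        $ch_nat = $new->ID;
        saveRuleset($expolicy);
    } catch (Exception $err) {
        log_error(sprintf(_("Unable to create the new NAT rule: %s"), $err->getMessage()), $err->getTrace());
    }
} elseif (isset($ch_nat) and isset($ch_name) and isset($nat_nb) and isset($ch_proto)) {
    # --- Edit an existing NAT rule -------------------------------------------
    if ($nat_type == 'SNAT') {
        $tmp = $snats->get_elt($ch_nat);
    } elseif ($nat_type == 'DNAT') {
        $tmp = $dnats->get_elt($ch_nat);
    } elseif ($nat_type == 'PNAT') {
        $tmp = $pnats->get_elt($ch_nat);
    } else {
        log_error(sprintf(_('Sorry, bad parameter received (for "%s")'), "nat type"));
        log_and_exit(-1);
    }
    if (!isset($tmp)) {
        log_error(sprintf(_('Sorry, cannot work on non-existing element: "%s"'), "nat" . $ch_nat));
        log_and_exit(-1);
    }

    # Protocol and ICMP type must be among the values the form offers.  The
    # loose in_array() keeps the original '==' matching, since the element
    # types returned by possible_values() are not known here.
    $possible_protos = possible_values('elt', 'open_proto');
    if (!in_array($ch_proto, $possible_protos)) {
        log_error(sprintf(_('Sorry, bad parameter received (for "%s")'), "proto"));
        log_and_exit(-1);
    }
    $possible_icmptypes = possible_values('proto', 'icmptype');
    if (!in_array($ch_icmptype, $possible_icmptypes)) {
        log_error(sprintf(_('Sorry, bad parameter received (for "%s")'), "icmp type"));
        log_and_exit(-1);
    }
    if (!is_a_net($ch_srcnet, 'srcnet')) {
        log_and_exit(-1);
    }
    if (!is_a_net($ch_dstnet, 'dstnet')) {
        log_and_exit(-1);
    }
    # NOTE(review): the rewrite port is only checked when the rewrite address
    # parses as an IP, and an address that fails check_ip() is not rejected
    # here; both values are still passed to the nat constructor below, which
    # is therefore relied on to validate them -- confirm it does.
    if (check_ip($ch_nat_addr)) {
        if (!check_input_var('ress', 'ID', $ch_nat_port, 'nat addr/nat port')) {
            log_and_exit(-1);
        }
    }
    if (!check_input_var('ress', 'comment', $ch_comment)) {
        log_and_exit(-1);
    }
    if (!check_input_var('ress', 'name', $ch_name)) {
        log_and_exit(-1);
    }

    if ($nat_type == 'SNAT') {
        # A source network is mandatory for source NAT.
        if (is_empty($ch_srcnet)) {
            log_error(sprintf(_('Sorry, at least one parameter is missing (%s).'), "src net"));
            log_and_exit(-1);
        }
        if ($netfilter_snat_supports_sport_randomization) {
            if (is_empty($rand_sport)) {
                log_error(sprintf(_('Sorry, at least one parameter is missing (%s).'), "rand_sport"));
                log_and_exit(-1);
            }
        }
    }
    if ($nat_type == 'DNAT') {
        # A destination network is mandatory for destination NAT.
        if (is_empty($ch_dstnet)) {
            log_error(sprintf(_('Sorry, at least one parameter is missing (%s).'), "dst net"));
            log_and_exit(-1);
        }
    }

    if ($nat_type == 'SNAT') {
        $my_nat = &$snats->get_elt_by_id($ch_nat);
    } elseif ($nat_type == 'DNAT') {
        $my_nat = &$dnats->get_elt_by_id($ch_nat);
    } else {
        $my_nat = &$pnats->get_elt_by_id($ch_nat);
    }

    # Collect the submitted fields in the order the rule expects them, and
    # count how many differ from the stored rule so the 'modified' timestamp
    # is only refreshed when something actually changed.
    $fields = array();
    if ($netfilter_snat_supports_sport_randomization) {
        $fields['rand_sport'] = $rand_sport;
    }
    $fields['srcnet'] = $ch_srcnet;
    $fields['dstnet'] = $ch_dstnet;
    $fields['proto'] = $ch_proto;
    $fields['icmptype'] = $ch_icmptype;
    $fields['comment'] = $ch_comment;
    $fields['name'] = $ch_name;
    $fields['sport'] = $ch_sport;
    $fields['dport'] = $ch_dport;
    if (isset($ch_nat_addr)) {
        $fields['rewritetoaddr'] = $ch_nat_addr;
    }
    if (isset($ch_nat_port)) {
        $fields['rewritetoport'] = $ch_nat_port;
    }

    $received = array('ID' => $my_nat->ID);
    $seen_mod = 0;
    foreach ($fields as $field => $value) {
        $received[$field] = $value;
        if ($value != $my_nat->$field) {
            $seen_mod++;
        }
    }
    $received['modified'] = $my_nat->modified;
    if ($seen_mod) {
        $received['modified'] = modifiedTimestamp();
    }

    # Build the replacement rule under its own name so the 'new_nat' request
    # parameter read above is not shadowed.
    $updated = new nat($nat_type, $received, 'data', $my_nat->ID);
    if ($nat_type == 'SNAT') {
        $snats->replace_elt($updated);
    } elseif ($nat_type == 'DNAT') {
        $dnats->replace_elt($updated);
    } else {
        $pnats->replace_elt($updated);
    }
    saveRuleset($expolicy);
}

/* save modified order */
# nat_set_order() may remap the selected rule id; it is only propagated back
# to $ch_nat for the table whose type matches the current request.
$ch_nat_tmp = $ch_nat;
if ($dndSortSnat) {
    $snats2 = nat_set_order($dndSortSnat, $snats, $ch_nat_tmp);
    if ($nat_type == "SNAT") {
        $ch_nat = $ch_nat_tmp;
    }
    $snats = $snats2;
    $expolicy->snats = $snats;
    $_SESSION['modified'] = 1;
}
if ($dndSortDnat) {
    $dnats2 = nat_set_order($dndSortDnat, $dnats, $ch_nat_tmp);
    if ($nat_type == "DNAT") {
        $ch_nat = $ch_nat_tmp;
    }
    $dnats = $dnats2;
    $expolicy->dnats = $dnats;
    $_SESSION['modified'] = 1;
}
if ($dndSortPnat) {
    $pnats2 = nat_set_order($dndSortPnat, $pnats, $ch_nat_tmp);
    if ($nat_type == "PNAT") {
        $ch_nat = $ch_nat_tmp;
    }
    $pnats = $pnats2;
    $expolicy->pnats = $pnats;
    $_SESSION['modified'] = 1;
}
if ($dndSortDnat or $dndSortPnat or $dndSortSnat) {
    sessionSaveRuleset($expolicy);
}

/* Page DISPLAY */
$nat_menu_class = "aclmenu_ext";
echo "<div class=\"$nat_menu_class\">\n";
displayNatReorderButtons();
displaySNAT($snats);
displayDNAT($dnats);
displayPNAT($pnats);
displayNatReorderButtons();
print "\n</div>\n";

# Creation form: type selector plus the new rule's name.
begin_content_detail();
print _('New NAT rule:');
print "<form action=\"$title.php\" method=\"post\">";
select_list('nat_type', $NAT_TYPES);
print ' <input type="text" size="20" name="new_nat"> ';
print '<input type="submit" value="' . _('New') . '" class="button">';
print '</form>';
end_content_detail();

# Edit form for the selected rule, if any.
if (isset($ch_nat)) {
    begin_content_detail();
    editNat($expolicy, $nat_type, $ch_nat);
    end_content_detail();
}

print_ask_save_changes();
require_once("include/footer.php");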