net/firewall - NPTv6 add track interface and validations for opnsense…

…/core#6383
blauerRegen · Jan 4, 2024 · ab8853c · ab8853c
1 parent 6143ea9
commit ab8853c
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 6 deletions.
diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/NptController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/NptController.php
@@ -39,7 +39,7 @@ public function searchRuleAction()
         };
         return $this->searchBase(
             "npt.rule",
-            ['enabled', 'sequence', 'source_net', 'destination_net', 'description'],
+            ['enabled', 'sequence', 'source_net', 'destination_net', 'trackif', 'description'],
             "sequence",
             $filter_funct
         );

diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/NptController.php b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/NptController.php
@@ -47,6 +47,9 @@ public function indexAction()
             [
                 'id' => 'destination_net', 'heading' => gettext('External IPv6 Prefix')
             ],
+            [
+                'id' => 'trackif', 'heading' => gettext('Track if')
+            ],
             [
                 'id' => 'description', 'heading' => gettext('Description')
             ]

diff --git a/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogNptRule.xml b/net/firewall/src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogNptRule.xml
@@ -10,6 +10,12 @@
         <label>Sequence</label>
         <type>text</type>
     </field>
+    <field>
+        <id>rule.log</id>
+        <label>Log</label>
+        <type>checkbox</type>
+        <help>Log packets that are handled by this rule</help>
+    </field>
     <field>
         <id>rule.interface</id>
         <label>Interface</label>
@@ -24,6 +30,13 @@
         <id>rule.destination_net</id>
         <label>External IPv6 Prefix (target)</label>
         <type>text</type>
+        <help>Enter the external IPv6 prefix for this network prefix translation. Leave empty to auto-detect the prefix address using the specified tracking interface instead. The prefix size specified for the internal prefix will also be applied to the external prefix.</help>
+    </field>
+    <field>
+        <id>rule.trackif</id>
+        <label>Track interface</label>
+        <type>dropdown</type>
+        <help>Use prefix defined on the selected interface instead of the interface this rule applies to when target prefix is not provided.</help>
     </field>
     <field>
         <id>rule.categories</id>

diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
@@ -97,14 +97,22 @@ public function performValidation($validateFullModel = false)
         }
         foreach ($this->npt->rule->iterateItems() as $rule) {
             if ($validateFullModel || $rule->isFieldChanged()) {
-                $src_is_addr = Util::isSubnet($rule->source_net) || Util::isIpAddress($rule->source_net);
-                $src_proto = strpos($rule->source_net, ':') === false ? "inet" : "inet6";
-                if ($src_is_addr && $src_proto != 'inet6') {
+                if (!empty((string)$rule->destination_net) && !empty((string)$rule->trackif)) {
                     $messages->appendMessage(new Message(
-                        gettext("You can not use IPv4 addresses in IPv6 rules."),
-                        $rule->source_net->__reference
+                        gettext("A track interface is only allowed without an extrenal prefix."),
+                        $rule->trackif->__reference
                     ));
                 }
+                if (!empty((string)$rule->destination_net) && !empty((string)$rule->source_net)) {
+                    $dparts = explode('/', (string)$rule->destination_net);
+                    $sparts = explode('/', (string)$rule->source_net);
+                    if (count($dparts) == 2 && count($sparts) == 2 && $dparts[1] != $sparts[1]) {
+                        $messages->appendMessage(new Message(
+                            gettext("External subnet should match internal subnet."),
+                            $rule->destination_net->__reference
+                        ));
+                    }
+                }
             }
         }
         return $messages;

diff --git a/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml b/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
@@ -219,6 +219,10 @@
                     <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
+                <log type="BooleanField">
+                    <Default>0</Default>
+                    <Required>Y</Required>
+                </log>
                 <sequence type="IntegerField">
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>99999</MaximumValue>
@@ -242,6 +246,8 @@
                     <NetMaskRequired>Y</NetMaskRequired>
                     <WildcardEnabled>N</WildcardEnabled>
                 </destination_net>
+                <trackif type="InterfaceField">
+                </trackif>
                 <categories type="ModelRelationField">
                     <Model>
                         <rulesets>
-Original file line number
+Diff line change
@@ Expand Up / @@ -47,6 +47,9 @@ public function indexAction() @@
                 [
                     'id' => 'destination_net', 'heading' => gettext('External IPv6 Prefix')
                 ],
+                [
+                    'id' => 'trackif', 'heading' => gettext('Track if')
+                ],
                 [
                     'id' => 'description', 'heading' => gettext('Description')
                 ]
@@ Expand Down @@