From 3354580997ab07e1f740f2fbe0f3055546d0951c Mon Sep 17 00:00:00 2001
From: mkasper
Date: Sat, 18 Mar 2006 17:10:26 +0000
Subject: [PATCH] Added "disable port mapping" option to advanced outbound NAT (helps with certain IPsec VPN gateways that insist on the IKE source port being 500).
git-svn-id: https://svn.m0n0.ch/wall/trunk@99 e36fee2c-cc09-0410-a7cc-ebac5c6737de
---
 CHANGELOG | 7 +++++++
 phpconf/config.xml | 1 +
 phpconf/inc/filter.inc | 20 ++++++++++----------
 webgui/firewall_nat_out.php | 5 ++++-
 webgui/firewall_nat_out_edit.php | 13 +++++++++++++
 5 files changed, 35 insertions(+), 11 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 2f39033..57f324a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -3,6 +3,13 @@ $Id$ *** Note: Please add new entries to the top of this file. *** -------------------------------------------------------------------------------
+- added "disable port mapping" option to advanced outbound NAT (helps with certain IPsec
+ VPN gateways that insist on the IKE source port being 500) (mkasper)
+
+- updated PHP to 4.4.2 (mkasper)
+
+- updated ipsec-tools to 0.6.5 (fixes problem with /32 subnets) (mkasper)
+
 - added option to System: Advanced page to allow IPsec/ESP-encrypted IP fragments to be passed (mkasper)
 - added DHCP/interface route fix for UK ADSL half-bridge modems (DSL-300T, X-modem) (mkasper)
diff --git a/phpconf/config.xml b/phpconf/config.xml
index 8e9cd57..c92f0b4 100644
--- a/phpconf/config.xml
+++ b/phpconf/config.xml
@@ -331,6 +331,7 @@ xxx.xxx.xxx.xxx + -->
diff --git a/phpconf/inc/filter.inc b/phpconf/inc/filter.inc
index ee20ef3..8587748 100644
--- a/phpconf/inc/filter.inc
+++ b/phpconf/inc/filter.inc
@@ -113,20 +113,20 @@ function filter_flush_state_table() {
 return mwexec("/sbin/ipf -FS");
 }
-function filter_nat_rules_generate_if($if, $src, $dst, $target) {
+function filter_nat_rules_generate_if($if, $src, $dst, $target, $portmap = true) {
 if ($target)
 $tgt = $target . "/32";
 else
 $tgt = "0/32";
-
- $natrule = << {$tgt} proxy port ftp ftp/tcp
-map $if $src $dst -> {$tgt} portmap tcp/udp auto
-map $if $src $dst -> {$tgt}
-
-EOD;
-
+
+ $natrule = "map $if $src $dst -> {$tgt} proxy port ftp ftp/tcp\n";
+
+ if ($portmap)
+ $natrule .= "map $if $src $dst -> {$tgt} portmap tcp/udp auto\n";
+
+ $natrule .= "map $if $src $dst -> {$tgt}\n";
+
 return $natrule;
 }
@@ -183,7 +183,7 @@ function filter_nat_rules_generate() {
 $natif = $config['interfaces'][$obent['interface']]['if'];
 $natrules .= filter_nat_rules_generate_if($natif, $src, $dst,
- $obent['target']);
+ $obent['target'], !isset($obent['noportmap']));
 }
 }
 } else {
diff --git a/webgui/firewall_nat_out.php b/webgui/firewall_nat_out.php
index 1d13c10..0a29fdf 100755
--- a/webgui/firewall_nat_out.php
+++ b/webgui/firewall_nat_out.php
@@ -128,7 +128,7 @@ if ($_GET['act'] == "del") { - + (no portmap)"; ?>
diff --git a/webgui/firewall_nat_out_edit.php b/webgui/firewall_nat_out_edit.php
index b0c6cf4..a5ccf52 100755
--- a/webgui/firewall_nat_out_edit.php
+++ b/webgui/firewall_nat_out_edit.php
@@ -67,11 +67,13 @@ if (isset($id) && $a_out[$id]) {
 if (!$pconfig['interface'])
 $pconfig['interface'] = "wan";
 $pconfig['descr'] = $a_out[$id]['descr'];
+ $pconfig['noportmap'] = isset($a_out[$id]['noportmap']);
 } else {
 $pconfig['source_subnet'] = 24;
 $pconfig['destination'] = "any";
 $pconfig['destination_subnet'] = 24;
 $pconfig['interface'] = "wan";
+ $pconfig['noportmap'] = false;
 }
 if ($_POST) {
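Review bot: The new `$portmap` parameter of filter_nat_rules_generate_if() is undocumented, and since the whole function sits inside this hunk a header comment directly above the signature would fit. I would add a comment stating that the function returns the ipnat `map` lines for one outbound interface, that `$portmap = false` omits the `portmap tcp/udp auto` rule so source ports pass through unchanged (the IKE-source-port-500 case the commit message describes), and that the cost is the one the edit page's help text already spells out: two hosts behind the NAT cannot reach the same server from the same source port at the same time. The default of `true` keeps existing callers' output unchanged. Unrelated to this commit but worth noting while touching the function: `$if`, `$src`, `$dst` and `$target` are still interpolated into the rule text verbatim, so whatever validation the web UI performs is the only check I can see before these strings reach ipnat.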
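Review bot: `!isset($obent['noportmap'])` treats any stored value other than null as "disable port mapping", but the +154 hunk of webgui/firewall_nat_out_edit.php writes `$natent['noportmap'] = $_POST['noportmap'] ? true : false;`, i.e. it stores an explicit `false` whenever the box is unchecked; if that `false` survives the config round-trip (the XML serializer is not visible here), `isset()` returns true for it and every rule saved with the box unchecked would silently lose its `portmap tcp/udp auto` line, and the edit form's `$pconfig['noportmap'] = isset($a_out[$id]['noportmap'])` would show the box as checked. The other reads this commit adds are presence-based, so the write side should match: `if ($_POST['noportmap']) $natent['noportmap'] = true;` in place of the ternary. Alternatively make this call tolerant of either encoding with `!empty($obent['noportmap'])`. The same remark applies to the firewall_nat_out_edit.php hunk at +154, so I am not repeating it there.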
@@ -152,6 +154,7 @@ if ($_POST) {
 $natent['descr'] = $_POST['descr'];
 $natent['target'] = $_POST['target'];
 $natent['interface'] = $_POST['interface'];
+ $natent['noportmap'] = $_POST['noportmap'] ? true : false;
 if ($ext == "any")
 $natent['destination']['any'] = true;
@@ -277,6 +280,16 @@ function typesel_change() {
Packets matching this rule will be mapped to the IP address given here. Leave blank to use the selected interface's IP address. + + Portmap + + > Disable port mapping +
+ This option disables remapping of the source port number for outbound packets. This may help with software + that insists on the source ports being left unchanged when applying NAT (such as some IPsec VPN gateways). However, + with this option enabled, two clients behind NAT cannot communicate with the same server at the same time using the + same source ports. + Description -- 2.25.1