Firewall/SNAT, wrap interface as list to prevent "no IP address found…

… for ..." in some scenario's (openvpn for example)
opnsense · Feb 5, 2018 · bad6be2 · bad6be2
1 parent 49a2bc6
commit bad6be2
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/src/opnsense/mvc/app/library/OPNsense/Firewall/SNatRule.php b/src/opnsense/mvc/app/library/OPNsense/Firewall/SNatRule.php
@@ -72,10 +72,18 @@ private function parseNatRules()
             } elseif (empty($rule['target'])) {
                 $interf = $rule['interface'];
                 if (!empty($this->interfaceMapping[$interf])) {
-                    if (($this->isIpV4($rule) && !empty($this->interfaceMapping[$interf]['ifconfig']['ipv4'])) ||
-                        (!$this->isIpV4($rule) && !empty($this->interfaceMapping[$interf]['ifconfig']['ipv6']))
+                    $interf_settings = $this->interfaceMapping[$interf];
+                    if ((($this->isIpV4($rule) && !empty($interf_settings['ifconfig']['ipv4'])) ||
+                        (!$this->isIpV4($rule) && !empty($interf_settings['ifconfig']['ipv6'])))
+                        && (!empty($rule['poolopts']) || $rule['poolopts'] != 'round-robin')
                     ) {
-                        $rule['target'] = $this->interfaceMapping[$interf]['if'];
+                        // When pool options are set, we may not specify our interface as a list
+                        // (which doesn't require the same network validations as single items do).
+                        $rule['target'] = "{$interf_settings['if']}";
+                    } elseif (!empty($interf_settings['if'])) {
+                        // Define target as list, to prevent "no IP address found for *Interface*" when pf can't
+                        // find an address on the interface for the same protocol family.
+                        $rule['target'] = "({$interf_settings['if']})";
                     }
                 }
                 if (empty($rule['target'])) {