Services: Captive Portal: Administration - add "Allow inbound" option…

… to select interfaces which may enter the zone, closes opnsense#7161 This may be practical if services in the zone should be accesible from outside the zone or when services need to pass a network which uses a captive portal (users which should be authenticated are in the same network as services need to traverse to reach the internet).
marcushoff · May 22, 2024 · 00e3d6d · 00e3d6d
1 parent a86d6e0
commit 00e3d6d
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 1 deletion.
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/forms/dialogZone.xml b/src/opnsense/mvc/app/controllers/OPNsense/CaptivePortal/forms/dialogZone.xml
@@ -17,6 +17,15 @@
         <type>select_multiple</type>
         <help><![CDATA[Select interface(s) to enable for captive portal.]]></help>
     </field>
+    <field>
+        <id>zone.interfaces_inbound</id>
+        <label>Allow inbound</label>
+        <type>select_multiple</type>
+        <help><![CDATA[
+            Select interfaces from which to allow inbound (stateful) traffic. This can be convenient if the zone in question
+            contains machines/servers which should be accessible from other networks attached to this firewall.
+        ]]></help>
+    </field>
     <field>
         <id>zone.authservers</id>
         <label>Authenticate using</label>

diff --git a/src/opnsense/mvc/app/models/OPNsense/CaptivePortal/CaptivePortal.php b/src/opnsense/mvc/app/models/OPNsense/CaptivePortal/CaptivePortal.php
@@ -31,6 +31,7 @@
 namespace OPNsense\CaptivePortal;
 
 use OPNsense\Base\BaseModel;
+use OPNsense\Base\Messages\Message;
 
 /**
  * Class CaptivePortal
@@ -84,4 +85,35 @@ public function getTemplateByName($name)
         $newItem->fileid = uniqid();
         return $newItem;
     }
+    /**
+     * {@inheritdoc}
+     */
+    public function performValidation($validateFullModel = false)
+    {
+        $messages = parent::performValidation($validateFullModel);
+        // validate changed instances
+        foreach ($this->zones->zone->iterateItems() as $zone) {
+            if (!$validateFullModel && !$zone->isFieldChanged()) {
+                continue;
+            }
+            $key = $zone->__reference;
+            if (!empty((string)$zone->interfaces_inbound) && !empty((string)$zone->interfaces)) {
+                $ifs_inbound = array_filter(explode(',', $zone->interfaces_inbound));
+                $ifs = array_filter(explode(',', $zone->interfaces));
+                $overlap = array_intersect($ifs_inbound, $ifs);
+                if (!empty($overlap)) {
+                    $messages->appendMessage(
+                        new Message(
+                            sprintf(
+                                gettext("Inbound interfaces may not overlap with zone interfaces (%s)"),
+                                implode(',', $overlap)
+                            ),
+                            $key . ".interfaces_inbound"
+                        )
+                    );
+                }
+            }
+        }
+        return $messages;
+    }
 }
diff --git a/src/opnsense/mvc/app/models/OPNsense/CaptivePortal/CaptivePortal.xml b/src/opnsense/mvc/app/models/OPNsense/CaptivePortal/CaptivePortal.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/captiveportal</mount>
-    <version>1.0.1</version>
+    <version>1.0.2</version>
     <description>Captive portal application model</description>
     <items>
         <zones>
@@ -25,6 +25,12 @@
                     </filters>
                     <ValidationMessage>At least one interface must be selected</ValidationMessage>
                 </interfaces>
+                <interfaces_inbound type="InterfaceField">
+                    <Multiple>Y</Multiple>
+                    <filters>
+                        <enable>/^(?!0).*$/</enable>
+                    </filters>
+                </interfaces_inbound>
                 <authservers type="AuthenticationServerField">
                     <Multiple>Y</Multiple>
                 </authservers>

diff --git a/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf b/src/opnsense/service/templates/OPNsense/IPFW/ipfw.conf
@@ -116,6 +116,12 @@ add {{loop.index  + 1000}} skipto 60000 icmp from any to { 255.255.255.255 or me
 {# authenticated clients #}
 add {{3000 + item.zoneid|int }}  skipto tablearg ip from table({{item.zoneid|int}}) to any via {{item.if}}
 add {{3000 + item.zoneid|int }}  skipto tablearg ip from any to table({{item.zoneid|int}}) via {{item.if}}
+# Allowed traffic heading into this zone #
+{%   if item.obj.interfaces_inbound|default('') != '' %}
+{%     for inbound_if in item.obj.interfaces_inbound.split(',') if helpers.physical_interface(inbound_if)%}
+add {{3000 + item.zoneid|int }}  skipto 60000 ip from any to any recv {{helpers.physical_interface(inbound_if)}} xmit {{item.if}} keep-state
+{%     endfor %}
+{%   endif %}
 {% endfor %}