[PATCH 1/4] BUG11559: Languagefiles

[PATCH 1/4] BUG11559: Languagefiles

[Alexander Marx]

[-- Attachment #1: Type: text/plain, Size: 1249 bytes --]

When creating firewallrules or using firewall groups,
it should be possible to select a single IpSec subnet if there is more than one.

This patch adds a new languagefileword "fwdfw all subnets" which is used in firewall.cgi and fwhosts.cgi
---
 langs/de/cgi-bin/de.pl | 1 +
 langs/en/cgi-bin/en.pl | 1 +
 2 files changed, 2 insertions(+)

diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 07bef90..9cc345a 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1065,6 +1065,7 @@
 'fwdfw additional' => 'Weitere Einstellungen',
 'fwdfw addrule' => 'Regel hinzufügen/ändern:',
 'fwdfw all icmp' => 'Alle ICMP-Typen',
+'fwdfw all subnets' => 'Alle Subnetze',
 'fwdfw change' => 'Aktualisieren',
 'fwdfw copy' => 'Kopieren',
 'fwdfw delete' => 'Löschen',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index a343b3b..60747f7 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1092,6 +1092,7 @@
 'fwdfw additional' => 'Additional settings',
 'fwdfw addrule' => 'Add/Edit rule:',
 'fwdfw all icmp' => 'All ICMP types',
+'fwdfw all subnets' => 'All subnets',
 'fwdfw change' => 'Update',
 'fwdfw copy' => 'Copy',
 'fwdfw delete' => 'Delete',
-- 
2.7.4

[PATCH 2/4] BUG11559: firewall.cgi

[Alexander Marx]

[-- Attachment #1: Type: text/plain, Size: 3273 bytes --]

When creating firewallrules or using firewall groups,
it should be possible to select a single IpSec subnet if there is more than one.

This patch has the changes for firewall.cgi
---
 html/cgi-bin/firewall.cgi | 36 +++++++++++++++++++++++++++++++++---
 1 file changed, 33 insertions(+), 3 deletions(-)

diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
index face0f4..499f279 100644
--- a/html/cgi-bin/firewall.cgi
+++ b/html/cgi-bin/firewall.cgi
@@ -1161,11 +1161,31 @@ END
 	#IPsec netze
 	foreach my $key (sort { ncmp($ipsecconf{$a}[1],$ipsecconf{$b}[1]) } keys %ipsecconf) {
 		if ($ipsecconf{$key}[3] eq 'net' || ($optionsfw{'SHOWDROPDOWN'} eq 'on' && $ipsecconf{$key}[3] ne 'host')){
-			print"<tr><td valign='top'><input type='radio' name='$grp' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'>" if ($show eq '');
+			print"<tr><td valign='top'><input type='radio' name='$grp' id='ipsec_net_$srctgt' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'>" if ($show eq '');
 			$show='1';
+
+			#Check if we have more than one REMOTE subnet in config
+			my @arr1 = split /\|/, $ipsecconf{$key}[11];
+			my $cnt1 += @arr1;
+
 			print "<option ";
-			print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $ipsecconf{$key}[1]);
-			print ">$ipsecconf{$key}[1]</option>";
+			print "value=$ipsecconf{$key}[1]";
+			print " selected " if ($fwdfwsettings{$fwdfwsettings{$grp}} eq "$ipsecconf{$key}[1]");
+			print ">$ipsecconf{$key}[1] ";
+			print "($Lang::tr{'fwdfw all subnets'})" if $cnt1 > 1; #If this Conenction has more than one subnet, print one option for all subnets
+			print "</option>";
+
+			if ($cnt1 > 1){
+				foreach my $val (@arr1){
+					#normalize subnet to cidr notation
+					my ($val1,$val2) = split /\//, $val;
+					my $val3 = &General::iporsubtocidr($val2);
+					print "<option ";
+					print "value='$ipsecconf{$key}[1]|$val1/$val3'";
+					print "selected " if ($fwdfwsettings{$fwdfwsettings{$grp}} eq "$ipsecconf{$key}[1]|$val1/$val3");
+					print ">$ipsecconf{$key}[1] ($val1/$val3)</option>";
+				}
+			}
 		}
 	}
 	if($optionsfw{'SHOWDROPDOWN'} eq 'on' && $show eq ''){
@@ -2575,6 +2595,11 @@ END
 			#SOURCE
 			my $ipfireiface;
 			&getcolor($$hash{$key}[3],$$hash{$key}[4],\%customhost);
+			# Check SRC Host and replace "|" with space
+			if ($$hash{$key}[4] =~ /\|/){
+				$$hash{$key}[4] =~ s/\|/ (/g;
+				$$hash{$key}[4] = $$hash{$key}[4].")";
+			}
 			print"<td align='center' width='30%' $tdcolor>";
 			if ($$hash{$key}[3] eq 'ipfire_src'){
 				$ipfireiface=$Lang::tr{'fwdfw iface'};
@@ -2640,6 +2665,11 @@ END
 			print<<END;
 					<td align='center' $tdcolor>
 END
+			# Check TGT Host and replace "|" with space
+			if ($$hash{$key}[6] =~ /\|/){
+				$$hash{$key}[6] =~ s/\|/ (/g;
+				$$hash{$key}[6] = $$hash{$key}[6].")";
+			}
 			#Is this a DNAT rule?
 			my $natstring;
 			if ($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
-- 
2.7.4

[PATCH 3/4] BUG11559: firewall-lib

[Alexander Marx]

[-- Attachment #1: Type: text/plain, Size: 1730 bytes --]

When creating firewallrules or using firewall groups,
it should be possible to select a single IpSec subnet if there is more than one.

This patch has neccessary changes for the firewall-lib. While the network name of the IpSec changes
on save (subnet is added to name) we need to split the name or normalise the field before using it.
---
 config/firewall/firewall-lib.pl | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
index eabd9a4..9b7f55c 100644
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -150,6 +150,9 @@ sub get_ipsec_net_ip
 	my $val=shift;
 	my $field=shift;
 	foreach my $key (sort {$a <=> $b} keys %ipsecconf){
+		#adapt $val to reflect real name without subnet (if rule with only one ipsec subnet is created)
+		my @tmpval = split (/\|/, $val);
+		$val = $tmpval[0];
 		if($ipsecconf{$key}[1] eq $val){
 			return $ipsecconf{$key}[$field];
 		}
@@ -390,10 +393,16 @@ sub get_address
 
 	# IPsec networks.
 	} elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) {
-		my $network_address = &get_ipsec_net_ip($value, 11);
-		my @nets = split(/\|/, $network_address);
-		foreach my $net (@nets) {
-			push(@ret, [$net, ""]);
+		#Check if we have multiple subnets and only want one of them
+		if ( $value =~ /\|/ ){
+			my @parts = split(/\|/, $value);
+			push(@ret, [$parts[1], ""]);
+		}else{
+			my $network_address = &get_ipsec_net_ip($value, 11);
+			my @nets = split(/\|/, $network_address);
+			foreach my $net (@nets) {
+				push(@ret, [$net, ""]);
+			}
 		}
 
 	# The firewall's own IP addresses.
-- 
2.7.4

[PATCH 4/4] BUG11559: fwhosts

[Alexander Marx]

[-- Attachment #1: Type: text/plain, Size: 7746 bytes --]

When creating firewallrules or using firewall groups,
it should be possible to select a single IpSec subnet if there is more than one.

This patch adds the changes to the firewall groups.
---
 html/cgi-bin/fwhosts.cgi | 87 ++++++++++++++++++++++++++++++------------------
 1 file changed, 55 insertions(+), 32 deletions(-)

diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
index a2ade8a..fb33ac6 100644
--- a/html/cgi-bin/fwhosts.cgi
+++ b/html/cgi-bin/fwhosts.cgi
@@ -54,6 +54,7 @@ my %fwinp=();
 my %fwout=();
 my %ovpnsettings=();
 my %netsettings=();
+my %optionsfw=();
 
 my $errormessage;
 my $hint;
@@ -70,6 +71,7 @@ my $configgeoipgrp	= "${General::swroot}/fwhosts/customgeoipgrp";
 my $fwconfigfwd		= "${General::swroot}/firewall/config";
 my $fwconfiginp		= "${General::swroot}/firewall/input";
 my $fwconfigout		= "${General::swroot}/firewall/outgoing";
+my $fwoptions 		= "${General::swroot}/optionsfw/settings";
 my $configovpn		= "${General::swroot}/ovpn/settings";
 my $configipsecrw	= "${General::swroot}/vpn/settings";
 
@@ -87,8 +89,9 @@ unless (-e $configgeoipgrp) { system("touch $configgeoipgrp"); }
 &General::readhasharray("$configipsec", \%ipsecconf);
 &General::readhash("$configipsecrw", \%ipsecsettings);
 &General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
-&Header::getcgihash(\%fwhostsettings);
+&General::readhash($fwoptions, \%optionsfw);
 
+&Header::getcgihash(\%fwhostsettings);
 &Header::showhttpheaders();
 &Header::openpage($Lang::tr{'fwhost menu'}, 1, '');
 &Header::openbigbox('100%', 'center');
@@ -1548,27 +1551,30 @@ END
 				print"</select></td></tr>";
 			}
 			#IPsec networks
-			my @IPSEC_N2N=();
+
 			foreach my $key (sort { ncmp($ipsecconf{$a}[0],$ipsecconf{$b}[0]) } keys %ipsecconf) {
-				if ($ipsecconf{$key}[3] eq 'net'){
-					$show='1';
-					push (@IPSEC_N2N,$ipsecconf{$key}[1]);
-				}
-			}
-			if ($show eq '1'){
-				$show='';
-				print<<END;
-					<td style='width:15em;'>
-						<label>
-							<input type='radio' name='grp2' id='IPSEC_NET' value='ipsec_net' $checked{'grp2'}{'ipsec_net'}>
-							$Lang::tr{'fwhost ipsec net'}
-						</label>
-					</td>
-					<td style='text-align:right;'>
-					<select name='IPSEC_NET' style='width:16em;'>"
-END
-				foreach(@IPSEC_N2N){
-					print"<option value='$_'>$_</option>";
+				if ($ipsecconf{$key}[3] eq 'net' || ($optionsfw{'SHOWDROPDOWN'} eq 'on' && $ipsecconf{$key}[3] ne 'host')){
+					print "<td style='width:15em;'><label><input type='radio' name='grp2' id='IPSEC_NET' value='ipsec_net' $checked{'grp2'}{'ipsec_net'}>$Lang::tr{'fwhost ipsec net'}</label></td><td style='text-align:right;'><select name='IPSEC_NET' style='width:16em;'>" if $show eq '';
+					$show=1;
+					#Check if we have more than one REMOTE subnet in config
+					my @arr1 = split /\|/, $ipsecconf{$key}[11];
+					my $cnt1 += @arr1;
+
+					print"<option value=$ipsecconf{$key}[1]>";
+					print"$ipsecconf{$key}[1]";
+					print" ($Lang::tr{'fwdfw all subnets'})" if $cnt1 > 1; #If this Conenction has more than one subnet, print one option for all subnets
+					print"</option>";
+
+					if ($cnt1 > 1){
+						foreach my $val (@arr1){
+							#normalize subnet to cidr notation
+							my ($val1,$val2) = split /\//, $val;
+							my $val3 = &General::iporsubtocidr($val2);
+							print "<option ";
+							print "value='$ipsecconf{$key}[1]|$val1/$val3'";
+							print ">$ipsecconf{$key}[1] ($val1/$val3)</option>";
+						}
+					}
 				}
 			}
 			print"</select></td></tr>";
@@ -2116,14 +2122,15 @@ sub viewtablegrp
 			print "<td width='39%' align='left' $col>";
 			if($customgrp{$key}[3] eq 'Standard Network'){
 				print &get_name($customgrp{$key}[2])."</td>";
+			}elsif($customgrp{$key}[3] eq "IpSec Network" && $customgrp{$key}[2] =~ /\|/){
+				my ($a,$b) = split /\|/, $customgrp{$key}[2];
+					print "$a</td>";
 			}else{
 				print "$customgrp{$key}[2]</td>";
 			}
 			if ($ip eq '' && $customgrp{$key}[2] ne $Lang::tr{'fwhost err emptytable'}){
 				print "<td align='center' $col>$Lang::tr{'fwhost deleted'}</td><td align='center' $col>$Lang::tr{'fwhost '.$customgrp{$key}[3]}</td><td width='1%' $col><form method='post'>";
 			}else{
-				my ($colip,$colsub) = split("/",$ip);
-				$ip="$colip/".&General::iporsubtocidr($colsub) if ($colsub);
 				print"<td align='center' $col>".&getcolor($ip)."</td><td align='center' $col>$Lang::tr{'fwhost '.$customgrp{$key}[3]}</td><td width='1%' $col><form method='post'>";
 			}
 			if ($delflag > 0 && $ip ne ''){
@@ -2896,7 +2903,23 @@ sub getipforgroup
 	if ($type eq 'IpSec Network'){
 		foreach my $key (keys %ipsecconf) {
 			if ($ipsecconf{$key}[1] eq $name){
-				return $ipsecconf{$key}[11];
+				if ($ipsecconf{$key}[11] =~ /\|/) {
+					my $string;
+					my @parts = split /\|/ , $ipsecconf{$key}[11];
+					foreach my $key1 (@parts){
+						my ($val1,$val2) = split (/\//, $key1);
+						my $val3 = &Network::convert_netmask2prefix($val2) || $val2;
+						$string .= "$val1/$val3<br>";
+					}
+					return $string;
+				}else{
+					return $ipsecconf{$key}[11];
+				}
+			}else{
+				if ($name =~ /\|/) {
+					my ($a,$b) = split /\|/, $name;
+					return $b;
+				}
 			}
 		}
 		&deletefromgrp($name,$configgrp);
@@ -2917,7 +2940,7 @@ sub getipforgroup
 		foreach my $key (keys %ccdhost) {
 			if($ccdhost{$key}[1] eq $name){
 				my ($a,$b) = split ("/",$ccdhost{$key}[11]);
-				$b=&General::iporsubtodec($b);
+				$b=&Network::convert_netmask2prefix($b) || ($b);
 				return "$a/$b";
 			}
 		}
@@ -2929,7 +2952,7 @@ sub getipforgroup
 		foreach my $key (keys %ccdhost) {
 			if($ccdhost{$key}[1] eq $name){
 				my ($a,$b) = split (/\//,$ccdhost{$key}[33]);
-				$b=&General::iporsubtodec($b);
+				$b=&Network::convert_netmask2prefix($b) || ($b) ;
 				return "$a/$b";
 			}
 		}
@@ -2941,7 +2964,7 @@ sub getipforgroup
 		foreach my $key (keys %ccdnet) {
 			if ($ccdnet{$key}[0] eq $name){
 				my ($a,$b) = split (/\//,$ccdnet{$key}[1]);
-				$b=&General::iporsubtodec($b);
+				$b=&Network::convert_netmask2prefix($b) || ($b);
 				return "$a/$b";
 			}
 		}
@@ -2961,7 +2984,7 @@ sub getipforgroup
 	if ($type eq 'Custom Network'){
 		foreach my $key (keys %customnetwork) {
 			if($customnetwork{$key}[0] eq $name){
-				return $customnetwork{$key}[1]."/".$customnetwork{$key}[2];
+				return $customnetwork{$key}[1]."/".&Network::convert_netmask2prefix($customnetwork{$key}[2]) || $customnetwork{$key}[2];
 			}
 		}
 	}
@@ -2976,20 +2999,20 @@ sub getipforgroup
 		if ($name eq 'GREEN'){
 			my %hash=();
 			&General::readhash("${General::swroot}/ethernet/settings",\%hash);
-			return $hash{'GREEN_NETADDRESS'}."/".$hash{'GREEN_NETMASK'};
+			return $hash{'GREEN_NETADDRESS'}."/".&Network::convert_netmask2prefix($hash{'GREEN_NETMASK'}) || $hash{'GREEN_NETMASK'};
 		}
 		if ($name eq 'BLUE'){
 			my %hash=();
 			&General::readhash("${General::swroot}/ethernet/settings",\%hash);
-			return $hash{'BLUE_NETADDRESS'}."/".$hash{'BLUE_NETMASK'};
+			return $hash{'BLUE_NETADDRESS'}."/".&Network::convert_netmask2prefix($hash{'BLUE_NETMASK'}) || $hash{'BLUE_NETMASK'};
 		}
 		if ($name eq 'ORANGE'){
 			my %hash=();
 			&General::readhash("${General::swroot}/ethernet/settings",\%hash);
-			return $hash{'ORANGE_NETADDRESS'}."/".$hash{'ORANGE_NETMASK'};
+			return $hash{'ORANGE_NETADDRESS'}."/".&Network::convert_netmask2prefix($hash{'ORANGE_NETMASK'}) || $hash{'ORANGE_NETMASK'};
 		}
 		if ($name eq 'ALL'){
-			return "0.0.0.0/0.0.0.0";
+			return "0.0.0.0/0";
 		}
 		if ($name =~ /IPsec/i){
 			my %hash=();
-- 
2.7.4

Re: [PATCH 1/4] BUG11559: Languagefiles

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1599 bytes --]

Hello,

I have tested this patchset and can confirm it is working correctly.
It solves https://bugzilla.ipfire.org/show_bug.cgi?id=11559 by adding
the ability to select networks announced via IPsec N2N connections
for firewall rules or network groups.

Best regards,
Peter Müller

> When creating firewallrules or using firewall groups,
> it should be possible to select a single IpSec subnet if there is more than one.
> 
> This patch adds a new languagefileword "fwdfw all subnets" which is used in firewall.cgi and fwhosts.cgi
> ---
>  langs/de/cgi-bin/de.pl | 1 +
>  langs/en/cgi-bin/en.pl | 1 +
>  2 files changed, 2 insertions(+)
> 
> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> index 07bef90..9cc345a 100644
> --- a/langs/de/cgi-bin/de.pl
> +++ b/langs/de/cgi-bin/de.pl
> @@ -1065,6 +1065,7 @@
>  'fwdfw additional' => 'Weitere Einstellungen',
>  'fwdfw addrule' => 'Regel hinzufügen/ändern:',
>  'fwdfw all icmp' => 'Alle ICMP-Typen',
> +'fwdfw all subnets' => 'Alle Subnetze',
>  'fwdfw change' => 'Aktualisieren',
>  'fwdfw copy' => 'Kopieren',
>  'fwdfw delete' => 'Löschen',
> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> index a343b3b..60747f7 100644
> --- a/langs/en/cgi-bin/en.pl
> +++ b/langs/en/cgi-bin/en.pl
> @@ -1092,6 +1092,7 @@
>  'fwdfw additional' => 'Additional settings',
>  'fwdfw addrule' => 'Add/Edit rule:',
>  'fwdfw all icmp' => 'All ICMP types',
> +'fwdfw all subnets' => 'All subnets',
>  'fwdfw change' => 'Update',
>  'fwdfw copy' => 'Copy',
>  'fwdfw delete' => 'Delete',
> 


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [PATCH 1/4] BUG11559: Languagefiles

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 2758 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Peter,

could you please add the appropriate tags to the patches?

Best,
- -Michael

On Sun, 2018-05-06 at 22:02 +0200, Peter Müller wrote:
> Hello,
> 
> I have tested this patchset and can confirm it is working correctly.
> It solves https://bugzilla.ipfire.org/show_bug.cgi?id=11559 by adding
> the ability to select networks announced via IPsec N2N connections
> for firewall rules or network groups.
> 
> Best regards,
> Peter Müller
> 
> > When creating firewallrules or using firewall groups,
> > it should be possible to select a single IpSec subnet if there is more than
> > one.
> > 
> > This patch adds a new languagefileword "fwdfw all subnets" which is used in
> > firewall.cgi and fwhosts.cgi
> > ---
> >  langs/de/cgi-bin/de.pl | 1 +
> >  langs/en/cgi-bin/en.pl | 1 +
> >  2 files changed, 2 insertions(+)
> > 
> > diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> > index 07bef90..9cc345a 100644
> > --- a/langs/de/cgi-bin/de.pl
> > +++ b/langs/de/cgi-bin/de.pl
> > @@ -1065,6 +1065,7 @@
> >  'fwdfw additional' => 'Weitere Einstellungen',
> >  'fwdfw addrule' => 'Regel hinzufügen/ändern:',
> >  'fwdfw all icmp' => 'Alle ICMP-Typen',
> > +'fwdfw all subnets' => 'Alle Subnetze',
> >  'fwdfw change' => 'Aktualisieren',
> >  'fwdfw copy' => 'Kopieren',
> >  'fwdfw delete' => 'Löschen',
> > diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> > index a343b3b..60747f7 100644
> > --- a/langs/en/cgi-bin/en.pl
> > +++ b/langs/en/cgi-bin/en.pl
> > @@ -1092,6 +1092,7 @@
> >  'fwdfw additional' => 'Additional settings',
> >  'fwdfw addrule' => 'Add/Edit rule:',
> >  'fwdfw all icmp' => 'All ICMP types',
> > +'fwdfw all subnets' => 'All subnets',
> >  'fwdfw change' => 'Update',
> >  'fwdfw copy' => 'Copy',
> >  'fwdfw delete' => 'Delete',
> > 
> 
> 
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE5/rW5l3GGe2ypktxgHnw/2+QCQcFAlrwLUUACgkQgHnw/2+Q
CQec0Q/5AVU4WGh5t4muhkqgQQaN8rZ6sHPMD1I9qPIQWcUV5XRqdFF+9nHAGGN3
USmQoH7eCioC1gW5O5k5IJm1VuD2QczrTQEcuhGszsltOkW33aASU1L+AwppYVGo
BWpTLVO9TlftVVZtBFmKUjPEXbG0AQLMx3PID3vcCeYH9lohqQPhJ2zMqFenvJ/L
JOHwWJwZvmrNCDI6EIzEXTvs5/bo8FLI2571LNn2wcCoed+dKjUVKD32/wK63h55
PY96I+i0/aZPH0IjK7ru1uRKhJWxOU4ng5OiXmjuYEb46G3Gmi3G8KKlclm6p3tU
DHR6EAKFkFmfv8s5YzbTAdekFmXeEHPZ6mCJPZYYIxMVpC9KW2P02K/uB5YD90VF
nTCfTMiVTvKlfUgyPkstjuBNBqxH+od8YkPk5HNo4f0dxhiQ5ssRTzP/VXy6lnA6
YmLFN1VLxwEdNPr9u36JI4S7bJf4sZ/O5nFxhCOyZvcEp4DMXMBY1NWM40SyN3wX
nE+ho22DCBWKqUCryLGf/2Ga8uwzpxN3mQ4ImYHIrCBFAllRsE6I/BzwjxFKCoES
wbmYIyLCuZ7Wk3Vkzgt/Gs6Ntog91FEC0Q5djzQXE+sL1ZA+roOhubQw2QyhcNWt
+MrV8Z82QmOKMqNPOmkn4hmTabQRJrvSNgLgK2SpDCQZ1eKl3Mc=
=JvSO
-----END PGP SIGNATURE-----

Re: [PATCH 1/4] BUG11559: Languagefiles

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1366 bytes --]

When creating firewallrules or using firewall groups,
it should be possible to select a single IpSec subnet if there is more than one.

This patch adds a new languagefileword "fwdfw all subnets" which is used in firewall.cgi and fwhosts.cgi
Signed-off-by: Alexander Marx <alexander.marx(a)ipfire.org>
Tested-by: Peter Müller <peter.mueller(a)link38.eu>
---
 langs/de/cgi-bin/de.pl | 1 +
 langs/en/cgi-bin/en.pl | 1 +
 2 files changed, 2 insertions(+)

diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 07bef90..9cc345a 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1065,6 +1065,7 @@
 'fwdfw additional' => 'Weitere Einstellungen',
 'fwdfw addrule' => 'Regel hinzufügen/ändern:',
 'fwdfw all icmp' => 'Alle ICMP-Typen',
+'fwdfw all subnets' => 'Alle Subnetze',
 'fwdfw change' => 'Aktualisieren',
 'fwdfw copy' => 'Kopieren',
 'fwdfw delete' => 'Löschen',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index a343b3b..60747f7 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1092,6 +1092,7 @@
 'fwdfw additional' => 'Additional settings',
 'fwdfw addrule' => 'Add/Edit rule:',
 'fwdfw all icmp' => 'All ICMP types',
+'fwdfw all subnets' => 'All subnets',
 'fwdfw change' => 'Update',
 'fwdfw copy' => 'Copy',
 'fwdfw delete' => 'Delete',
-- 
2.7.4



[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [PATCH 2/4] BUG11559: firewall.cgi

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 3390 bytes --]

When creating firewallrules or using firewall groups,
it should be possible to select a single IpSec subnet if there is more than one.

This patch has the changes for firewall.cgi
Signed-off-by: Alexander Marx <alexander.marx(a)ipfire.org>
Tested-by: Peter Müller <peter.mueller(a)link38.eu>
---
 html/cgi-bin/firewall.cgi | 36 +++++++++++++++++++++++++++++++++---
 1 file changed, 33 insertions(+), 3 deletions(-)

diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
index face0f4..499f279 100644
--- a/html/cgi-bin/firewall.cgi
+++ b/html/cgi-bin/firewall.cgi
@@ -1161,11 +1161,31 @@ END
 	#IPsec netze
 	foreach my $key (sort { ncmp($ipsecconf{$a}[1],$ipsecconf{$b}[1]) } keys %ipsecconf) {
 		if ($ipsecconf{$key}[3] eq 'net' || ($optionsfw{'SHOWDROPDOWN'} eq 'on' && $ipsecconf{$key}[3] ne 'host')){
-			print"<tr><td valign='top'><input type='radio' name='$grp' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'>" if ($show eq '');
+			print"<tr><td valign='top'><input type='radio' name='$grp' id='ipsec_net_$srctgt' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'>" if ($show eq '');
 			$show='1';
+
+			#Check if we have more than one REMOTE subnet in config
+			my @arr1 = split /\|/, $ipsecconf{$key}[11];
+			my $cnt1 += @arr1;
+
 			print "<option ";
-			print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $ipsecconf{$key}[1]);
-			print ">$ipsecconf{$key}[1]</option>";
+			print "value=$ipsecconf{$key}[1]";
+			print " selected " if ($fwdfwsettings{$fwdfwsettings{$grp}} eq "$ipsecconf{$key}[1]");
+			print ">$ipsecconf{$key}[1] ";
+			print "($Lang::tr{'fwdfw all subnets'})" if $cnt1 > 1; #If this Conenction has more than one subnet, print one option for all subnets
+			print "</option>";
+
+			if ($cnt1 > 1){
+				foreach my $val (@arr1){
+					#normalize subnet to cidr notation
+					my ($val1,$val2) = split /\//, $val;
+					my $val3 = &General::iporsubtocidr($val2);
+					print "<option ";
+					print "value='$ipsecconf{$key}[1]|$val1/$val3'";
+					print "selected " if ($fwdfwsettings{$fwdfwsettings{$grp}} eq "$ipsecconf{$key}[1]|$val1/$val3");
+					print ">$ipsecconf{$key}[1] ($val1/$val3)</option>";
+				}
+			}
 		}
 	}
 	if($optionsfw{'SHOWDROPDOWN'} eq 'on' && $show eq ''){
@@ -2575,6 +2595,11 @@ END
 			#SOURCE
 			my $ipfireiface;
 			&getcolor($$hash{$key}[3],$$hash{$key}[4],\%customhost);
+			# Check SRC Host and replace "|" with space
+			if ($$hash{$key}[4] =~ /\|/){
+				$$hash{$key}[4] =~ s/\|/ (/g;
+				$$hash{$key}[4] = $$hash{$key}[4].")";
+			}
 			print"<td align='center' width='30%' $tdcolor>";
 			if ($$hash{$key}[3] eq 'ipfire_src'){
 				$ipfireiface=$Lang::tr{'fwdfw iface'};
@@ -2640,6 +2665,11 @@ END
 			print<<END;
 					<td align='center' $tdcolor>
 END
+			# Check TGT Host and replace "|" with space
+			if ($$hash{$key}[6] =~ /\|/){
+				$$hash{$key}[6] =~ s/\|/ (/g;
+				$$hash{$key}[6] = $$hash{$key}[6].")";
+			}
 			#Is this a DNAT rule?
 			my $natstring;
 			if ($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
-- 
2.7.4



[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [PATCH 3/4] BUG11559: firewall-lib

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1849 bytes --]

When creating firewallrules or using firewall groups,
it should be possible to select a single IpSec subnet if there is more than one.

This patch has neccessary changes for the firewall-lib. While the network name of the IpSec changes
on save (subnet is added to name) we need to split the name or normalise the field before using it.

Signed-off-by: Alexander Marx <alexander.marx(a)ipfire.org>
Tested-by: Peter Müller <peter.mueller(a)link38.eu>
---
 config/firewall/firewall-lib.pl | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
index eabd9a4..9b7f55c 100644
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -150,6 +150,9 @@ sub get_ipsec_net_ip
 	my $val=shift;
 	my $field=shift;
 	foreach my $key (sort {$a <=> $b} keys %ipsecconf){
+		#adapt $val to reflect real name without subnet (if rule with only one ipsec subnet is created)
+		my @tmpval = split (/\|/, $val);
+		$val = $tmpval[0];
 		if($ipsecconf{$key}[1] eq $val){
 			return $ipsecconf{$key}[$field];
 		}
@@ -390,10 +393,16 @@ sub get_address
 
 	# IPsec networks.
 	} elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) {
-		my $network_address = &get_ipsec_net_ip($value, 11);
-		my @nets = split(/\|/, $network_address);
-		foreach my $net (@nets) {
-			push(@ret, [$net, ""]);
+		#Check if we have multiple subnets and only want one of them
+		if ( $value =~ /\|/ ){
+			my @parts = split(/\|/, $value);
+			push(@ret, [$parts[1], ""]);
+		}else{
+			my $network_address = &get_ipsec_net_ip($value, 11);
+			my @nets = split(/\|/, $network_address);
+			foreach my $net (@nets) {
+				push(@ret, [$net, ""]);
+			}
 		}
 
 	# The firewall's own IP addresses.
-- 
2.7.4



[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [PATCH 4/4] BUG11559: fwhosts

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 7863 bytes --]

When creating firewallrules or using firewall groups,
it should be possible to select a single IpSec subnet if there is more than one.

This patch adds the changes to the firewall groups.
Signed-off-by: Alexander Marx <alexander.marx(a)ipfire.org>
Tested-by: Peter Müller <peter.mueller(a)link38.eu>
---
 html/cgi-bin/fwhosts.cgi | 87 ++++++++++++++++++++++++++++++------------------
 1 file changed, 55 insertions(+), 32 deletions(-)

diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
index a2ade8a..fb33ac6 100644
--- a/html/cgi-bin/fwhosts.cgi
+++ b/html/cgi-bin/fwhosts.cgi
@@ -54,6 +54,7 @@ my %fwinp=();
 my %fwout=();
 my %ovpnsettings=();
 my %netsettings=();
+my %optionsfw=();
 
 my $errormessage;
 my $hint;
@@ -70,6 +71,7 @@ my $configgeoipgrp	= "${General::swroot}/fwhosts/customgeoipgrp";
 my $fwconfigfwd		= "${General::swroot}/firewall/config";
 my $fwconfiginp		= "${General::swroot}/firewall/input";
 my $fwconfigout		= "${General::swroot}/firewall/outgoing";
+my $fwoptions 		= "${General::swroot}/optionsfw/settings";
 my $configovpn		= "${General::swroot}/ovpn/settings";
 my $configipsecrw	= "${General::swroot}/vpn/settings";
 
@@ -87,8 +89,9 @@ unless (-e $configgeoipgrp) { system("touch $configgeoipgrp"); }
 &General::readhasharray("$configipsec", \%ipsecconf);
 &General::readhash("$configipsecrw", \%ipsecsettings);
 &General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
-&Header::getcgihash(\%fwhostsettings);
+&General::readhash($fwoptions, \%optionsfw);
 
+&Header::getcgihash(\%fwhostsettings);
 &Header::showhttpheaders();
 &Header::openpage($Lang::tr{'fwhost menu'}, 1, '');
 &Header::openbigbox('100%', 'center');
@@ -1548,27 +1551,30 @@ END
 				print"</select></td></tr>";
 			}
 			#IPsec networks
-			my @IPSEC_N2N=();
+
 			foreach my $key (sort { ncmp($ipsecconf{$a}[0],$ipsecconf{$b}[0]) } keys %ipsecconf) {
-				if ($ipsecconf{$key}[3] eq 'net'){
-					$show='1';
-					push (@IPSEC_N2N,$ipsecconf{$key}[1]);
-				}
-			}
-			if ($show eq '1'){
-				$show='';
-				print<<END;
-					<td style='width:15em;'>
-						<label>
-							<input type='radio' name='grp2' id='IPSEC_NET' value='ipsec_net' $checked{'grp2'}{'ipsec_net'}>
-							$Lang::tr{'fwhost ipsec net'}
-						</label>
-					</td>
-					<td style='text-align:right;'>
-					<select name='IPSEC_NET' style='width:16em;'>"
-END
-				foreach(@IPSEC_N2N){
-					print"<option value='$_'>$_</option>";
+				if ($ipsecconf{$key}[3] eq 'net' || ($optionsfw{'SHOWDROPDOWN'} eq 'on' && $ipsecconf{$key}[3] ne 'host')){
+					print "<td style='width:15em;'><label><input type='radio' name='grp2' id='IPSEC_NET' value='ipsec_net' $checked{'grp2'}{'ipsec_net'}>$Lang::tr{'fwhost ipsec net'}</label></td><td style='text-align:right;'><select name='IPSEC_NET' style='width:16em;'>" if $show eq '';
+					$show=1;
+					#Check if we have more than one REMOTE subnet in config
+					my @arr1 = split /\|/, $ipsecconf{$key}[11];
+					my $cnt1 += @arr1;
+
+					print"<option value=$ipsecconf{$key}[1]>";
+					print"$ipsecconf{$key}[1]";
+					print" ($Lang::tr{'fwdfw all subnets'})" if $cnt1 > 1; #If this Conenction has more than one subnet, print one option for all subnets
+					print"</option>";
+
+					if ($cnt1 > 1){
+						foreach my $val (@arr1){
+							#normalize subnet to cidr notation
+							my ($val1,$val2) = split /\//, $val;
+							my $val3 = &General::iporsubtocidr($val2);
+							print "<option ";
+							print "value='$ipsecconf{$key}[1]|$val1/$val3'";
+							print ">$ipsecconf{$key}[1] ($val1/$val3)</option>";
+						}
+					}
 				}
 			}
 			print"</select></td></tr>";
@@ -2116,14 +2122,15 @@ sub viewtablegrp
 			print "<td width='39%' align='left' $col>";
 			if($customgrp{$key}[3] eq 'Standard Network'){
 				print &get_name($customgrp{$key}[2])."</td>";
+			}elsif($customgrp{$key}[3] eq "IpSec Network" && $customgrp{$key}[2] =~ /\|/){
+				my ($a,$b) = split /\|/, $customgrp{$key}[2];
+					print "$a</td>";
 			}else{
 				print "$customgrp{$key}[2]</td>";
 			}
 			if ($ip eq '' && $customgrp{$key}[2] ne $Lang::tr{'fwhost err emptytable'}){
 				print "<td align='center' $col>$Lang::tr{'fwhost deleted'}</td><td align='center' $col>$Lang::tr{'fwhost '.$customgrp{$key}[3]}</td><td width='1%' $col><form method='post'>";
 			}else{
-				my ($colip,$colsub) = split("/",$ip);
-				$ip="$colip/".&General::iporsubtocidr($colsub) if ($colsub);
 				print"<td align='center' $col>".&getcolor($ip)."</td><td align='center' $col>$Lang::tr{'fwhost '.$customgrp{$key}[3]}</td><td width='1%' $col><form method='post'>";
 			}
 			if ($delflag > 0 && $ip ne ''){
@@ -2896,7 +2903,23 @@ sub getipforgroup
 	if ($type eq 'IpSec Network'){
 		foreach my $key (keys %ipsecconf) {
 			if ($ipsecconf{$key}[1] eq $name){
-				return $ipsecconf{$key}[11];
+				if ($ipsecconf{$key}[11] =~ /\|/) {
+					my $string;
+					my @parts = split /\|/ , $ipsecconf{$key}[11];
+					foreach my $key1 (@parts){
+						my ($val1,$val2) = split (/\//, $key1);
+						my $val3 = &Network::convert_netmask2prefix($val2) || $val2;
+						$string .= "$val1/$val3<br>";
+					}
+					return $string;
+				}else{
+					return $ipsecconf{$key}[11];
+				}
+			}else{
+				if ($name =~ /\|/) {
+					my ($a,$b) = split /\|/, $name;
+					return $b;
+				}
 			}
 		}
 		&deletefromgrp($name,$configgrp);
@@ -2917,7 +2940,7 @@ sub getipforgroup
 		foreach my $key (keys %ccdhost) {
 			if($ccdhost{$key}[1] eq $name){
 				my ($a,$b) = split ("/",$ccdhost{$key}[11]);
-				$b=&General::iporsubtodec($b);
+				$b=&Network::convert_netmask2prefix($b) || ($b);
 				return "$a/$b";
 			}
 		}
@@ -2929,7 +2952,7 @@ sub getipforgroup
 		foreach my $key (keys %ccdhost) {
 			if($ccdhost{$key}[1] eq $name){
 				my ($a,$b) = split (/\//,$ccdhost{$key}[33]);
-				$b=&General::iporsubtodec($b);
+				$b=&Network::convert_netmask2prefix($b) || ($b) ;
 				return "$a/$b";
 			}
 		}
@@ -2941,7 +2964,7 @@ sub getipforgroup
 		foreach my $key (keys %ccdnet) {
 			if ($ccdnet{$key}[0] eq $name){
 				my ($a,$b) = split (/\//,$ccdnet{$key}[1]);
-				$b=&General::iporsubtodec($b);
+				$b=&Network::convert_netmask2prefix($b) || ($b);
 				return "$a/$b";
 			}
 		}
@@ -2961,7 +2984,7 @@ sub getipforgroup
 	if ($type eq 'Custom Network'){
 		foreach my $key (keys %customnetwork) {
 			if($customnetwork{$key}[0] eq $name){
-				return $customnetwork{$key}[1]."/".$customnetwork{$key}[2];
+				return $customnetwork{$key}[1]."/".&Network::convert_netmask2prefix($customnetwork{$key}[2]) || $customnetwork{$key}[2];
 			}
 		}
 	}
@@ -2976,20 +2999,20 @@ sub getipforgroup
 		if ($name eq 'GREEN'){
 			my %hash=();
 			&General::readhash("${General::swroot}/ethernet/settings",\%hash);
-			return $hash{'GREEN_NETADDRESS'}."/".$hash{'GREEN_NETMASK'};
+			return $hash{'GREEN_NETADDRESS'}."/".&Network::convert_netmask2prefix($hash{'GREEN_NETMASK'}) || $hash{'GREEN_NETMASK'};
 		}
 		if ($name eq 'BLUE'){
 			my %hash=();
 			&General::readhash("${General::swroot}/ethernet/settings",\%hash);
-			return $hash{'BLUE_NETADDRESS'}."/".$hash{'BLUE_NETMASK'};
+			return $hash{'BLUE_NETADDRESS'}."/".&Network::convert_netmask2prefix($hash{'BLUE_NETMASK'}) || $hash{'BLUE_NETMASK'};
 		}
 		if ($name eq 'ORANGE'){
 			my %hash=();
 			&General::readhash("${General::swroot}/ethernet/settings",\%hash);
-			return $hash{'ORANGE_NETADDRESS'}."/".$hash{'ORANGE_NETMASK'};
+			return $hash{'ORANGE_NETADDRESS'}."/".&Network::convert_netmask2prefix($hash{'ORANGE_NETMASK'}) || $hash{'ORANGE_NETMASK'};
 		}
 		if ($name eq 'ALL'){
-			return "0.0.0.0/0.0.0.0";
+			return "0.0.0.0/0";
 		}
 		if ($name =~ /IPsec/i){
 			my %hash=();
-- 
2.7.4



[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [PATCH 1/4] BUG11559: Languagefiles

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 2019 bytes --]

Hello Michael,

done. I also added the missing "Signed-off-by..."-tags;
hope Alexander does not mind.

Best regards,
Peter Müller

> Hi Peter,
> 
> could you please add the appropriate tags to the patches?
> 
> Best,
> -Michael
> 
> On Sun, 2018-05-06 at 22:02 +0200, Peter Müller wrote:
>> Hello,
> 
>> I have tested this patchset and can confirm it is working correctly.
>> It solves https://bugzilla.ipfire.org/show_bug.cgi?id=11559 by adding
>> the ability to select networks announced via IPsec N2N connections
>> for firewall rules or network groups.
> 
>> Best regards,
>> Peter Müller
> 
>>> When creating firewallrules or using firewall groups,
>>> it should be possible to select a single IpSec subnet if there is more than
>>> one.
>>>
>>> This patch adds a new languagefileword "fwdfw all subnets" which is used in
>>> firewall.cgi and fwhosts.cgi
>>> ---
>>>  langs/de/cgi-bin/de.pl | 1 +
>>>  langs/en/cgi-bin/en.pl | 1 +
>>>  2 files changed, 2 insertions(+)
>>>
>>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
>>> index 07bef90..9cc345a 100644
>>> --- a/langs/de/cgi-bin/de.pl
>>> +++ b/langs/de/cgi-bin/de.pl
>>> @@ -1065,6 +1065,7 @@
>>>  'fwdfw additional' => 'Weitere Einstellungen',
>>>  'fwdfw addrule' => 'Regel hinzufügen/ändern:',
>>>  'fwdfw all icmp' => 'Alle ICMP-Typen',
>>> +'fwdfw all subnets' => 'Alle Subnetze',
>>>  'fwdfw change' => 'Aktualisieren',
>>>  'fwdfw copy' => 'Kopieren',
>>>  'fwdfw delete' => 'Löschen',
>>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
>>> index a343b3b..60747f7 100644
>>> --- a/langs/en/cgi-bin/en.pl
>>> +++ b/langs/en/cgi-bin/en.pl
>>> @@ -1092,6 +1092,7 @@
>>>  'fwdfw additional' => 'Additional settings',
>>>  'fwdfw addrule' => 'Add/Edit rule:',
>>>  'fwdfw all icmp' => 'All ICMP types',
>>> +'fwdfw all subnets' => 'All subnets',
>>>  'fwdfw change' => 'Update',
>>>  'fwdfw copy' => 'Copy',
>>>  'fwdfw delete' => 'Delete',
>>>
> 
> 
> 


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]