* [PATCH 2/4] BUG11559: firewall.cgi
2018-05-02 11:27 [PATCH 1/4] BUG11559: Languagefiles Alexander Marx
@ 2018-05-02 11:27 ` Alexander Marx
2018-05-07 16:23 ` Peter Müller
2018-05-02 11:27 ` [PATCH 3/4] BUG11559: firewall-lib Alexander Marx
` (3 subsequent siblings)
4 siblings, 1 reply; 11+ messages in thread
From: Alexander Marx @ 2018-05-02 11:27 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 3273 bytes --]
When creating firewall rules or using firewall groups,
it should be possible to select a single IpSec subnet if there is more than one.
This patch has the changes for firewall.cgi
---
html/cgi-bin/firewall.cgi | 36 +++++++++++++++++++++++++++++++++---
1 file changed, 33 insertions(+), 3 deletions(-)
diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
index face0f4..499f279 100644
--- a/html/cgi-bin/firewall.cgi
+++ b/html/cgi-bin/firewall.cgi
@@ -1161,11 +1161,31 @@ END
#IPsec netze
foreach my $key (sort { ncmp($ipsecconf{$a}[1],$ipsecconf{$b}[1]) } keys %ipsecconf) {
if ($ipsecconf{$key}[3] eq 'net' || ($optionsfw{'SHOWDROPDOWN'} eq 'on' && $ipsecconf{$key}[3] ne 'host')){
- print"<tr><td valign='top'><input type='radio' name='$grp' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'>" if ($show eq '');
+ print"<tr><td valign='top'><input type='radio' name='$grp' id='ipsec_net_$srctgt' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'>" if ($show eq '');
$show='1';
+
+ #Check if we have more than one REMOTE subnet in config
+ my @arr1 = split /\|/, $ipsecconf{$key}[11];
+ my $cnt1 += @arr1;
+
print "<option ";
- print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $ipsecconf{$key}[1]);
- print ">$ipsecconf{$key}[1]</option>";
+ print "value=$ipsecconf{$key}[1]";
+ print " selected " if ($fwdfwsettings{$fwdfwsettings{$grp}} eq "$ipsecconf{$key}[1]");
+ print ">$ipsecconf{$key}[1] ";
+ print "($Lang::tr{'fwdfw all subnets'})" if $cnt1 > 1; #If this Conenction has more than one subnet, print one option for all subnets
+ print "</option>";
+
+ if ($cnt1 > 1){
+ foreach my $val (@arr1){
+ #normalize subnet to cidr notation
+ my ($val1,$val2) = split /\//, $val;
+ my $val3 = &General::iporsubtocidr($val2);
+ print "<option ";
+ print "value='$ipsecconf{$key}[1]|$val1/$val3'";
+ print "selected " if ($fwdfwsettings{$fwdfwsettings{$grp}} eq "$ipsecconf{$key}[1]|$val1/$val3");
+ print ">$ipsecconf{$key}[1] ($val1/$val3)</option>";
+ }
+ }
}
}
if($optionsfw{'SHOWDROPDOWN'} eq 'on' && $show eq ''){
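Review bot: The new all-subnets option is emitted with `print "value=$ipsecconf{$key}[1]";`, which leaves the attribute value unquoted, while the per-subnet options further down use `value='...'`. A connection name containing a space or `>` would be truncated or break the markup, so quote the value and HTML-escape the name before printing it. Two smaller points in the same hunk: `print "selected "` follows the closing quote of `value='...'` with no separating space, and `my $cnt1 += @arr1;` should be a plain assignment (`my $cnt1 = @arr1;`).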
@@ -2575,6 +2595,11 @@ END
#SOURCE
my $ipfireiface;
&getcolor($$hash{$key}[3],$$hash{$key}[4],\%customhost);
+ # Check SRC Host and replace "|" with space
+ if ($$hash{$key}[4] =~ /\|/){
+ $$hash{$key}[4] =~ s/\|/ (/g;
+ $$hash{$key}[4] = $$hash{$key}[4].")";
+ }
print"<td align='center' width='30%' $tdcolor>";
if ($$hash{$key}[3] eq 'ipfire_src'){
$ipfireiface=$Lang::tr{'fwdfw iface'};
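Review bot: The substitution `$$hash{$key}[4] =~ s/\|/ (/g;` rewrites the rule entry itself rather than a display copy, so anything later in this loop that reads field 4 sees "name (subnet)" instead of the stored "name|subnet" value; build the display string in a local variable and print that. The comment says the pipe is replaced with a space, but it is replaced with " (", and with `/g` a value holding more than one pipe would open several parentheses while only one ")" is appended.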
@@ -2640,6 +2665,11 @@ END
print<<END;
<td align='center' $tdcolor>
END
+ # Check TGT Host and replace "|" with space
+ if ($$hash{$key}[6] =~ /\|/){
+ $$hash{$key}[6] =~ s/\|/ (/g;
+ $$hash{$key}[6] = $$hash{$key}[6].")";
+ }
#Is this a DNAT rule?
my $natstring;
if ($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
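Review bot: This block is a copy of the SRC one with index 6 in place of 4. A small helper that takes the stored value and returns the display string would keep the two in step and would avoid changing `$$hash{$key}[6]` in place.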
--
2.7.4
* Re: [PATCH 2/4] BUG11559: firewall.cgi
2018-05-02 11:27 ` [PATCH 2/4] BUG11559: firewall.cgi Alexander Marx
@ 2018-05-07 16:23 ` Peter Müller
0 siblings, 0 replies; 11+ messages in thread
From: Peter Müller @ 2018-05-07 16:23 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 3390 bytes --]
When creating firewall rules or using firewall groups,
it should be possible to select a single IpSec subnet if there is more than one.
This patch has the changes for firewall.cgi
Signed-off-by: Alexander Marx <alexander.marx(a)ipfire.org>
Tested-by: Peter Müller <peter.mueller(a)link38.eu>
---
html/cgi-bin/firewall.cgi | 36 +++++++++++++++++++++++++++++++++---
1 file changed, 33 insertions(+), 3 deletions(-)
diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
index face0f4..499f279 100644
--- a/html/cgi-bin/firewall.cgi
+++ b/html/cgi-bin/firewall.cgi
@@ -1161,11 +1161,31 @@ END
#IPsec netze
foreach my $key (sort { ncmp($ipsecconf{$a}[1],$ipsecconf{$b}[1]) } keys %ipsecconf) {
if ($ipsecconf{$key}[3] eq 'net' || ($optionsfw{'SHOWDROPDOWN'} eq 'on' && $ipsecconf{$key}[3] ne 'host')){
- print"<tr><td valign='top'><input type='radio' name='$grp' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'>" if ($show eq '');
+ print"<tr><td valign='top'><input type='radio' name='$grp' id='ipsec_net_$srctgt' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'>" if ($show eq '');
$show='1';
+
+ #Check if we have more than one REMOTE subnet in config
+ my @arr1 = split /\|/, $ipsecconf{$key}[11];
+ my $cnt1 += @arr1;
+
print "<option ";
- print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $ipsecconf{$key}[1]);
- print ">$ipsecconf{$key}[1]</option>";
+ print "value=$ipsecconf{$key}[1]";
+ print " selected " if ($fwdfwsettings{$fwdfwsettings{$grp}} eq "$ipsecconf{$key}[1]");
+ print ">$ipsecconf{$key}[1] ";
+ print "($Lang::tr{'fwdfw all subnets'})" if $cnt1 > 1; #If this Conenction has more than one subnet, print one option for all subnets
+ print "</option>";
+
+ if ($cnt1 > 1){
+ foreach my $val (@arr1){
+ #normalize subnet to cidr notation
+ my ($val1,$val2) = split /\//, $val;
+ my $val3 = &General::iporsubtocidr($val2);
+ print "<option ";
+ print "value='$ipsecconf{$key}[1]|$val1/$val3'";
+ print "selected " if ($fwdfwsettings{$fwdfwsettings{$grp}} eq "$ipsecconf{$key}[1]|$val1/$val3");
+ print ">$ipsecconf{$key}[1] ($val1/$val3)</option>";
+ }
+ }
}
}
if($optionsfw{'SHOWDROPDOWN'} eq 'on' && $show eq ''){
@@ -2575,6 +2595,11 @@ END
#SOURCE
my $ipfireiface;
&getcolor($$hash{$key}[3],$$hash{$key}[4],\%customhost);
+ # Check SRC Host and replace "|" with space
+ if ($$hash{$key}[4] =~ /\|/){
+ $$hash{$key}[4] =~ s/\|/ (/g;
+ $$hash{$key}[4] = $$hash{$key}[4].")";
+ }
print"<td align='center' width='30%' $tdcolor>";
if ($$hash{$key}[3] eq 'ipfire_src'){
$ipfireiface=$Lang::tr{'fwdfw iface'};
@@ -2640,6 +2665,11 @@ END
print<<END;
<td align='center' $tdcolor>
END
+ # Check TGT Host and replace "|" with space
+ if ($$hash{$key}[6] =~ /\|/){
+ $$hash{$key}[6] =~ s/\|/ (/g;
+ $$hash{$key}[6] = $$hash{$key}[6].")";
+ }
#Is this a DNAT rule?
my $natstring;
if ($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
--
2.7.4
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
* [PATCH 3/4] BUG11559: firewall-lib
2018-05-02 11:27 [PATCH 1/4] BUG11559: Languagefiles Alexander Marx
2018-05-02 11:27 ` [PATCH 2/4] BUG11559: firewall.cgi Alexander Marx
@ 2018-05-02 11:27 ` Alexander Marx
2018-05-07 16:24 ` Peter Müller
2018-05-02 11:27 ` [PATCH 4/4] BUG11559: fwhosts Alexander Marx
` (2 subsequent siblings)
4 siblings, 1 reply; 11+ messages in thread
From: Alexander Marx @ 2018-05-02 11:27 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 1730 bytes --]
When creating firewall rules or using firewall groups,
it should be possible to select a single IpSec subnet if there is more than one.
This patch has necessary changes for the firewall-lib. While the network name of the IpSec changes
on save (subnet is added to name) we need to split the name or normalise the field before using it.
---
config/firewall/firewall-lib.pl | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
index eabd9a4..9b7f55c 100644
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -150,6 +150,9 @@ sub get_ipsec_net_ip
my $val=shift;
my $field=shift;
foreach my $key (sort {$a <=> $b} keys %ipsecconf){
+ #adapt $val to reflect real name without subnet (if rule with only one ipsec subnet is created)
+ my @tmpval = split (/\|/, $val);
+ $val = $tmpval[0];
if($ipsecconf{$key}[1] eq $val){
return $ipsecconf{$key}[$field];
}
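Review bot: The added `split` and `$val = $tmpval[0];` sit inside the `foreach`, so the same loop-invariant work is repeated for every IPsec connection; move the two lines above the loop. `my ($name) = split(/\|/, $val, 2);` would also avoid the temporary array and leave the caller-supplied `$val` untouched.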
@@ -390,10 +393,16 @@ sub get_address
# IPsec networks.
} elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) {
- my $network_address = &get_ipsec_net_ip($value, 11);
- my @nets = split(/\|/, $network_address);
- foreach my $net (@nets) {
- push(@ret, [$net, ""]);
+ #Check if we have multiple subnets and only want one of them
+ if ( $value =~ /\|/ ){
+ my @parts = split(/\|/, $value);
+ push(@ret, [$parts[1], ""]);
+ }else{
+ my $network_address = &get_ipsec_net_ip($value, 11);
+ my @nets = split(/\|/, $network_address);
+ foreach my $net (@nets) {
+ push(@ret, [$net, ""]);
+ }
}
# The firewall's own IP addresses.
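Review bot: In the new `if ( $value =~ /\|/ )` branch, `$parts[1]` is pushed into `@ret` straight from the stored rule value, whereas the removed code only ever returned subnets read from the connection's field 11. Nothing here checks that the connection named in `$parts[0]` still exists or that `$parts[1]` is one of its configured subnets, so a stale or hand-edited value reaches the generated rules unchanged. Look up `&get_ipsec_net_ip($parts[0], 11)` and accept `$parts[1]` only if it is in that list, after bringing both sides to the same notation, since the dropdown in firewall.cgi stores the subnet in CIDR form.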
--
2.7.4
* Re: [PATCH 3/4] BUG11559: firewall-lib
2018-05-02 11:27 ` [PATCH 3/4] BUG11559: firewall-lib Alexander Marx
@ 2018-05-07 16:24 ` Peter Müller
0 siblings, 0 replies; 11+ messages in thread
From: Peter Müller @ 2018-05-07 16:24 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 1849 bytes --]
When creating firewall rules or using firewall groups,
it should be possible to select a single IpSec subnet if there is more than one.
This patch has necessary changes for the firewall-lib. While the network name of the IpSec changes
on save (subnet is added to name) we need to split the name or normalise the field before using it.
Signed-off-by: Alexander Marx <alexander.marx(a)ipfire.org>
Tested-by: Peter Müller <peter.mueller(a)link38.eu>
---
config/firewall/firewall-lib.pl | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
index eabd9a4..9b7f55c 100644
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -150,6 +150,9 @@ sub get_ipsec_net_ip
my $val=shift;
my $field=shift;
foreach my $key (sort {$a <=> $b} keys %ipsecconf){
+ #adapt $val to reflect real name without subnet (if rule with only one ipsec subnet is created)
+ my @tmpval = split (/\|/, $val);
+ $val = $tmpval[0];
if($ipsecconf{$key}[1] eq $val){
return $ipsecconf{$key}[$field];
}
@@ -390,10 +393,16 @@ sub get_address
# IPsec networks.
} elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) {
- my $network_address = &get_ipsec_net_ip($value, 11);
- my @nets = split(/\|/, $network_address);
- foreach my $net (@nets) {
- push(@ret, [$net, ""]);
+ #Check if we have multiple subnets and only want one of them
+ if ( $value =~ /\|/ ){
+ my @parts = split(/\|/, $value);
+ push(@ret, [$parts[1], ""]);
+ }else{
+ my $network_address = &get_ipsec_net_ip($value, 11);
+ my @nets = split(/\|/, $network_address);
+ foreach my $net (@nets) {
+ push(@ret, [$net, ""]);
+ }
}
# The firewall's own IP addresses.
--
2.7.4
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
* [PATCH 4/4] BUG11559: fwhosts
2018-05-02 11:27 [PATCH 1/4] BUG11559: Languagefiles Alexander Marx
2018-05-02 11:27 ` [PATCH 2/4] BUG11559: firewall.cgi Alexander Marx
2018-05-02 11:27 ` [PATCH 3/4] BUG11559: firewall-lib Alexander Marx
@ 2018-05-02 11:27 ` Alexander Marx
2018-05-07 16:24 ` Peter Müller
2018-05-06 20:02 ` [PATCH 1/4] BUG11559: Languagefiles Peter Müller
2018-05-07 16:22 ` Peter Müller
4 siblings, 1 reply; 11+ messages in thread
From: Alexander Marx @ 2018-05-02 11:27 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 7746 bytes --]
When creating firewall rules or using firewall groups,
it should be possible to select a single IpSec subnet if there is more than one.
This patch adds the changes to the firewall groups.
---
html/cgi-bin/fwhosts.cgi | 87 ++++++++++++++++++++++++++++++------------------
1 file changed, 55 insertions(+), 32 deletions(-)
diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
index a2ade8a..fb33ac6 100644
--- a/html/cgi-bin/fwhosts.cgi
+++ b/html/cgi-bin/fwhosts.cgi
@@ -54,6 +54,7 @@ my %fwinp=();
my %fwout=();
my %ovpnsettings=();
my %netsettings=();
+my %optionsfw=();
my $errormessage;
my $hint;
@@ -70,6 +71,7 @@ my $configgeoipgrp = "${General::swroot}/fwhosts/customgeoipgrp";
my $fwconfigfwd = "${General::swroot}/firewall/config";
my $fwconfiginp = "${General::swroot}/firewall/input";
my $fwconfigout = "${General::swroot}/firewall/outgoing";
+my $fwoptions = "${General::swroot}/optionsfw/settings";
my $configovpn = "${General::swroot}/ovpn/settings";
my $configipsecrw = "${General::swroot}/vpn/settings";
@@ -87,8 +89,9 @@ unless (-e $configgeoipgrp) { system("touch $configgeoipgrp"); }
&General::readhasharray("$configipsec", \%ipsecconf);
&General::readhash("$configipsecrw", \%ipsecsettings);
&General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
-&Header::getcgihash(\%fwhostsettings);
+&General::readhash($fwoptions, \%optionsfw);
+&Header::getcgihash(\%fwhostsettings);
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'fwhost menu'}, 1, '');
&Header::openbigbox('100%', 'center');
@@ -1548,27 +1551,30 @@ END
print"</select></td></tr>";
}
#IPsec networks
- my @IPSEC_N2N=();
+
foreach my $key (sort { ncmp($ipsecconf{$a}[0],$ipsecconf{$b}[0]) } keys %ipsecconf) {
- if ($ipsecconf{$key}[3] eq 'net'){
- $show='1';
- push (@IPSEC_N2N,$ipsecconf{$key}[1]);
- }
- }
- if ($show eq '1'){
- $show='';
- print<<END;
- <td style='width:15em;'>
- <label>
- <input type='radio' name='grp2' id='IPSEC_NET' value='ipsec_net' $checked{'grp2'}{'ipsec_net'}>
- $Lang::tr{'fwhost ipsec net'}
- </label>
- </td>
- <td style='text-align:right;'>
- <select name='IPSEC_NET' style='width:16em;'>"
-END
- foreach(@IPSEC_N2N){
- print"<option value='$_'>$_</option>";
+ if ($ipsecconf{$key}[3] eq 'net' || ($optionsfw{'SHOWDROPDOWN'} eq 'on' && $ipsecconf{$key}[3] ne 'host')){
+ print "<td style='width:15em;'><label><input type='radio' name='grp2' id='IPSEC_NET' value='ipsec_net' $checked{'grp2'}{'ipsec_net'}>$Lang::tr{'fwhost ipsec net'}</label></td><td style='text-align:right;'><select name='IPSEC_NET' style='width:16em;'>" if $show eq '';
+ $show=1;
+ #Check if we have more than one REMOTE subnet in config
+ my @arr1 = split /\|/, $ipsecconf{$key}[11];
+ my $cnt1 += @arr1;
+
+ print"<option value=$ipsecconf{$key}[1]>";
+ print"$ipsecconf{$key}[1]";
+ print" ($Lang::tr{'fwdfw all subnets'})" if $cnt1 > 1; #If this Conenction has more than one subnet, print one option for all subnets
+ print"</option>";
+
+ if ($cnt1 > 1){
+ foreach my $val (@arr1){
+ #normalize subnet to cidr notation
+ my ($val1,$val2) = split /\//, $val;
+ my $val3 = &General::iporsubtocidr($val2);
+ print "<option ";
+ print "value='$ipsecconf{$key}[1]|$val1/$val3'";
+ print ">$ipsecconf{$key}[1] ($val1/$val3)</option>";
+ }
+ }
}
}
print"</select></td></tr>";
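Review bot: The removed code reset `$show=''` before printing the IPsec row; the new loop sets `$show=1` and never clears it, so any later block in this table that tests `$show eq ''` will behave differently once an IPsec network exists. Reset it after the loop. As in firewall.cgi, `print"<option value=$ipsecconf{$key}[1]>";` leaves the attribute unquoted and the name unescaped, and `my $cnt1 += @arr1;` should be a plain assignment.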
@@ -2116,14 +2122,15 @@ sub viewtablegrp
print "<td width='39%' align='left' $col>";
if($customgrp{$key}[3] eq 'Standard Network'){
print &get_name($customgrp{$key}[2])."</td>";
+ }elsif($customgrp{$key}[3] eq "IpSec Network" && $customgrp{$key}[2] =~ /\|/){
+ my ($a,$b) = split /\|/, $customgrp{$key}[2];
+ print "$a</td>";
}else{
print "$customgrp{$key}[2]</td>";
}
if ($ip eq '' && $customgrp{$key}[2] ne $Lang::tr{'fwhost err emptytable'}){
print "<td align='center' $col>$Lang::tr{'fwhost deleted'}</td><td align='center' $col>$Lang::tr{'fwhost '.$customgrp{$key}[3]}</td><td width='1%' $col><form method='post'>";
}else{
- my ($colip,$colsub) = split("/",$ip);
- $ip="$colip/".&General::iporsubtocidr($colsub) if ($colsub);
print"<td align='center' $col>".&getcolor($ip)."</td><td align='center' $col>$Lang::tr{'fwhost '.$customgrp{$key}[3]}</td><td width='1%' $col><form method='post'>";
}
if ($delflag > 0 && $ip ne ''){
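Review bot: In the new `elsif`, `my ($a,$b) = split /\|/, $customgrp{$key}[2];` declares lexicals with the names of sort's special variables and never uses `$b`; `my ($netname) = split /\|/, $customgrp{$key}[2], 2;` is clearer. The hunk also drops the CIDR normalisation of `$ip` at this point, which is only safe if every path through `getipforgroup` now returns prefix notation.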
@@ -2896,7 +2903,23 @@ sub getipforgroup
if ($type eq 'IpSec Network'){
foreach my $key (keys %ipsecconf) {
if ($ipsecconf{$key}[1] eq $name){
- return $ipsecconf{$key}[11];
+ if ($ipsecconf{$key}[11] =~ /\|/) {
+ my $string;
+ my @parts = split /\|/ , $ipsecconf{$key}[11];
+ foreach my $key1 (@parts){
+ my ($val1,$val2) = split (/\//, $key1);
+ my $val3 = &Network::convert_netmask2prefix($val2) || $val2;
+ $string .= "$val1/$val3<br>";
+ }
+ return $string;
+ }else{
+ return $ipsecconf{$key}[11];
+ }
+ }else{
+ if ($name =~ /\|/) {
+ my ($a,$b) = split /\|/, $name;
+ return $b;
+ }
}
}
&deletefromgrp($name,$configgrp);
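Review bot: The added `else` branch returns from inside the `foreach` as soon as one connection name differs from `$name`. For a stored "name|subnet" value, `$ipsecconf{$key}[1] eq $name` will not match a plain connection name, so the first key visited returns `$b` whether or not connection `$a` still exists, and the `&deletefromgrp($name,$configgrp)` clean-up after the loop is not reached for such entries as long as any connection is configured. Split `$name` once before the loop, compare `$ipsecconf{$key}[1]` with the name part, and return the subnet only on a match. Separately, the multi-subnet branch returns a string with `<br>` embedded, which mixes markup into a function whose other branches return plain addresses.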
@@ -2917,7 +2940,7 @@ sub getipforgroup
foreach my $key (keys %ccdhost) {
if($ccdhost{$key}[1] eq $name){
my ($a,$b) = split ("/",$ccdhost{$key}[11]);
- $b=&General::iporsubtodec($b);
+ $b=&Network::convert_netmask2prefix($b) || ($b);
return "$a/$b";
}
}
@@ -2929,7 +2952,7 @@ sub getipforgroup
foreach my $key (keys %ccdhost) {
if($ccdhost{$key}[1] eq $name){
my ($a,$b) = split (/\//,$ccdhost{$key}[33]);
- $b=&General::iporsubtodec($b);
+ $b=&Network::convert_netmask2prefix($b) || ($b) ;
return "$a/$b";
}
}
@@ -2941,7 +2964,7 @@ sub getipforgroup
foreach my $key (keys %ccdnet) {
if ($ccdnet{$key}[0] eq $name){
my ($a,$b) = split (/\//,$ccdnet{$key}[1]);
- $b=&General::iporsubtodec($b);
+ $b=&Network::convert_netmask2prefix($b) || ($b);
return "$a/$b";
}
}
@@ -2961,7 +2984,7 @@ sub getipforgroup
if ($type eq 'Custom Network'){
foreach my $key (keys %customnetwork) {
if($customnetwork{$key}[0] eq $name){
- return $customnetwork{$key}[1]."/".$customnetwork{$key}[2];
+ return $customnetwork{$key}[1]."/".&Network::convert_netmask2prefix($customnetwork{$key}[2]) || $customnetwork{$key}[2];
}
}
}
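Review bot: In the new `return`, `.` binds tighter than `||`, so the expression is evaluated as (address . "/" . prefix) || netmask. The left side always contains at least "/" and is therefore true, so the fallback to `$customnetwork{$key}[2]` never applies, and if the conversion returns nothing the result is "address/". Compute the prefix first, for example `my $prefix = &Network::convert_netmask2prefix($customnetwork{$key}[2]) || $customnetwork{$key}[2];`, then concatenate, as the `$b=... || ($b)` hunks above do.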
@@ -2976,20 +2999,20 @@ sub getipforgroup
if ($name eq 'GREEN'){
my %hash=();
&General::readhash("${General::swroot}/ethernet/settings",\%hash);
- return $hash{'GREEN_NETADDRESS'}."/".$hash{'GREEN_NETMASK'};
+ return $hash{'GREEN_NETADDRESS'}."/".&Network::convert_netmask2prefix($hash{'GREEN_NETMASK'}) || $hash{'GREEN_NETMASK'};
}
if ($name eq 'BLUE'){
my %hash=();
&General::readhash("${General::swroot}/ethernet/settings",\%hash);
- return $hash{'BLUE_NETADDRESS'}."/".$hash{'BLUE_NETMASK'};
+ return $hash{'BLUE_NETADDRESS'}."/".&Network::convert_netmask2prefix($hash{'BLUE_NETMASK'}) || $hash{'BLUE_NETMASK'};
}
if ($name eq 'ORANGE'){
my %hash=();
&General::readhash("${General::swroot}/ethernet/settings",\%hash);
- return $hash{'ORANGE_NETADDRESS'}."/".$hash{'ORANGE_NETMASK'};
+ return $hash{'ORANGE_NETADDRESS'}."/".&Network::convert_netmask2prefix($hash{'ORANGE_NETMASK'}) || $hash{'ORANGE_NETMASK'};
}
if ($name eq 'ALL'){
- return "0.0.0.0/0.0.0.0";
+ return "0.0.0.0/0";
}
if ($name =~ /IPsec/i){
my %hash=();
--
2.7.4
* Re: [PATCH 4/4] BUG11559: fwhosts
2018-05-02 11:27 ` [PATCH 4/4] BUG11559: fwhosts Alexander Marx
@ 2018-05-07 16:24 ` Peter Müller
0 siblings, 0 replies; 11+ messages in thread
From: Peter Müller @ 2018-05-07 16:24 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 7863 bytes --]
When creating firewall rules or using firewall groups,
it should be possible to select a single IpSec subnet if there is more than one.
This patch adds the changes to the firewall groups.
Signed-off-by: Alexander Marx <alexander.marx(a)ipfire.org>
Tested-by: Peter Müller <peter.mueller(a)link38.eu>
---
html/cgi-bin/fwhosts.cgi | 87 ++++++++++++++++++++++++++++++------------------
1 file changed, 55 insertions(+), 32 deletions(-)
diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
index a2ade8a..fb33ac6 100644
--- a/html/cgi-bin/fwhosts.cgi
+++ b/html/cgi-bin/fwhosts.cgi
@@ -54,6 +54,7 @@ my %fwinp=();
my %fwout=();
my %ovpnsettings=();
my %netsettings=();
+my %optionsfw=();
my $errormessage;
my $hint;
@@ -70,6 +71,7 @@ my $configgeoipgrp = "${General::swroot}/fwhosts/customgeoipgrp";
my $fwconfigfwd = "${General::swroot}/firewall/config";
my $fwconfiginp = "${General::swroot}/firewall/input";
my $fwconfigout = "${General::swroot}/firewall/outgoing";
+my $fwoptions = "${General::swroot}/optionsfw/settings";
my $configovpn = "${General::swroot}/ovpn/settings";
my $configipsecrw = "${General::swroot}/vpn/settings";
@@ -87,8 +89,9 @@ unless (-e $configgeoipgrp) { system("touch $configgeoipgrp"); }
&General::readhasharray("$configipsec", \%ipsecconf);
&General::readhash("$configipsecrw", \%ipsecsettings);
&General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
-&Header::getcgihash(\%fwhostsettings);
+&General::readhash($fwoptions, \%optionsfw);
+&Header::getcgihash(\%fwhostsettings);
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'fwhost menu'}, 1, '');
&Header::openbigbox('100%', 'center');
@@ -1548,27 +1551,30 @@ END
print"</select></td></tr>";
}
#IPsec networks
- my @IPSEC_N2N=();
+
foreach my $key (sort { ncmp($ipsecconf{$a}[0],$ipsecconf{$b}[0]) } keys %ipsecconf) {
- if ($ipsecconf{$key}[3] eq 'net'){
- $show='1';
- push (@IPSEC_N2N,$ipsecconf{$key}[1]);
- }
- }
- if ($show eq '1'){
- $show='';
- print<<END;
- <td style='width:15em;'>
- <label>
- <input type='radio' name='grp2' id='IPSEC_NET' value='ipsec_net' $checked{'grp2'}{'ipsec_net'}>
- $Lang::tr{'fwhost ipsec net'}
- </label>
- </td>
- <td style='text-align:right;'>
- <select name='IPSEC_NET' style='width:16em;'>"
-END
- foreach(@IPSEC_N2N){
- print"<option value='$_'>$_</option>";
+ if ($ipsecconf{$key}[3] eq 'net' || ($optionsfw{'SHOWDROPDOWN'} eq 'on' && $ipsecconf{$key}[3] ne 'host')){
+ print "<td style='width:15em;'><label><input type='radio' name='grp2' id='IPSEC_NET' value='ipsec_net' $checked{'grp2'}{'ipsec_net'}>$Lang::tr{'fwhost ipsec net'}</label></td><td style='text-align:right;'><select name='IPSEC_NET' style='width:16em;'>" if $show eq '';
+ $show=1;
+ #Check if we have more than one REMOTE subnet in config
+ my @arr1 = split /\|/, $ipsecconf{$key}[11];
+ my $cnt1 += @arr1;
+
+ print"<option value=$ipsecconf{$key}[1]>";
+ print"$ipsecconf{$key}[1]";
+ print" ($Lang::tr{'fwdfw all subnets'})" if $cnt1 > 1; #If this Conenction has more than one subnet, print one option for all subnets
+ print"</option>";
+
+ if ($cnt1 > 1){
+ foreach my $val (@arr1){
+ #normalize subnet to cidr notation
+ my ($val1,$val2) = split /\//, $val;
+ my $val3 = &General::iporsubtocidr($val2);
+ print "<option ";
+ print "value='$ipsecconf{$key}[1]|$val1/$val3'";
+ print ">$ipsecconf{$key}[1] ($val1/$val3)</option>";
+ }
+ }
}
}
print"</select></td></tr>";
@@ -2116,14 +2122,15 @@ sub viewtablegrp
print "<td width='39%' align='left' $col>";
if($customgrp{$key}[3] eq 'Standard Network'){
print &get_name($customgrp{$key}[2])."</td>";
+ }elsif($customgrp{$key}[3] eq "IpSec Network" && $customgrp{$key}[2] =~ /\|/){
+ my ($a,$b) = split /\|/, $customgrp{$key}[2];
+ print "$a</td>";
}else{
print "$customgrp{$key}[2]</td>";
}
if ($ip eq '' && $customgrp{$key}[2] ne $Lang::tr{'fwhost err emptytable'}){
print "<td align='center' $col>$Lang::tr{'fwhost deleted'}</td><td align='center' $col>$Lang::tr{'fwhost '.$customgrp{$key}[3]}</td><td width='1%' $col><form method='post'>";
}else{
- my ($colip,$colsub) = split("/",$ip);
- $ip="$colip/".&General::iporsubtocidr($colsub) if ($colsub);
print"<td align='center' $col>".&getcolor($ip)."</td><td align='center' $col>$Lang::tr{'fwhost '.$customgrp{$key}[3]}</td><td width='1%' $col><form method='post'>";
}
if ($delflag > 0 && $ip ne ''){
@@ -2896,7 +2903,23 @@ sub getipforgroup
if ($type eq 'IpSec Network'){
foreach my $key (keys %ipsecconf) {
if ($ipsecconf{$key}[1] eq $name){
- return $ipsecconf{$key}[11];
+ if ($ipsecconf{$key}[11] =~ /\|/) {
+ my $string;
+ my @parts = split /\|/ , $ipsecconf{$key}[11];
+ foreach my $key1 (@parts){
+ my ($val1,$val2) = split (/\//, $key1);
+ my $val3 = &Network::convert_netmask2prefix($val2) || $val2;
+ $string .= "$val1/$val3<br>";
+ }
+ return $string;
+ }else{
+ return $ipsecconf{$key}[11];
+ }
+ }else{
+ if ($name =~ /\|/) {
+ my ($a,$b) = split /\|/, $name;
+ return $b;
+ }
}
}
&deletefromgrp($name,$configgrp);
@@ -2917,7 +2940,7 @@ sub getipforgroup
foreach my $key (keys %ccdhost) {
if($ccdhost{$key}[1] eq $name){
my ($a,$b) = split ("/",$ccdhost{$key}[11]);
- $b=&General::iporsubtodec($b);
+ $b=&Network::convert_netmask2prefix($b) || ($b);
return "$a/$b";
}
}
@@ -2929,7 +2952,7 @@ sub getipforgroup
foreach my $key (keys %ccdhost) {
if($ccdhost{$key}[1] eq $name){
my ($a,$b) = split (/\//,$ccdhost{$key}[33]);
- $b=&General::iporsubtodec($b);
+ $b=&Network::convert_netmask2prefix($b) || ($b) ;
return "$a/$b";
}
}
@@ -2941,7 +2964,7 @@ sub getipforgroup
foreach my $key (keys %ccdnet) {
if ($ccdnet{$key}[0] eq $name){
my ($a,$b) = split (/\//,$ccdnet{$key}[1]);
- $b=&General::iporsubtodec($b);
+ $b=&Network::convert_netmask2prefix($b) || ($b);
return "$a/$b";
}
}
@@ -2961,7 +2984,7 @@ sub getipforgroup
if ($type eq 'Custom Network'){
foreach my $key (keys %customnetwork) {
if($customnetwork{$key}[0] eq $name){
- return $customnetwork{$key}[1]."/".$customnetwork{$key}[2];
+ return $customnetwork{$key}[1]."/".&Network::convert_netmask2prefix($customnetwork{$key}[2]) || $customnetwork{$key}[2];
}
}
}
@@ -2976,20 +2999,20 @@ sub getipforgroup
if ($name eq 'GREEN'){
my %hash=();
&General::readhash("${General::swroot}/ethernet/settings",\%hash);
- return $hash{'GREEN_NETADDRESS'}."/".$hash{'GREEN_NETMASK'};
+ return $hash{'GREEN_NETADDRESS'}."/".&Network::convert_netmask2prefix($hash{'GREEN_NETMASK'}) || $hash{'GREEN_NETMASK'};
}
if ($name eq 'BLUE'){
my %hash=();
&General::readhash("${General::swroot}/ethernet/settings",\%hash);
- return $hash{'BLUE_NETADDRESS'}."/".$hash{'BLUE_NETMASK'};
+ return $hash{'BLUE_NETADDRESS'}."/".&Network::convert_netmask2prefix($hash{'BLUE_NETMASK'}) || $hash{'BLUE_NETMASK'};
}
if ($name eq 'ORANGE'){
my %hash=();
&General::readhash("${General::swroot}/ethernet/settings",\%hash);
- return $hash{'ORANGE_NETADDRESS'}."/".$hash{'ORANGE_NETMASK'};
+ return $hash{'ORANGE_NETADDRESS'}."/".&Network::convert_netmask2prefix($hash{'ORANGE_NETMASK'}) || $hash{'ORANGE_NETMASK'};
}
if ($name eq 'ALL'){
- return "0.0.0.0/0.0.0.0";
+ return "0.0.0.0/0";
}
if ($name =~ /IPsec/i){
my %hash=();
--
2.7.4
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
* Re: [PATCH 1/4] BUG11559: Languagefiles
2018-05-02 11:27 [PATCH 1/4] BUG11559: Languagefiles Alexander Marx
` (2 preceding siblings ...)
2018-05-02 11:27 ` [PATCH 4/4] BUG11559: fwhosts Alexander Marx
@ 2018-05-06 20:02 ` Peter Müller
2018-05-07 10:41 ` Michael Tremer
2018-05-07 16:22 ` Peter Müller
4 siblings, 1 reply; 11+ messages in thread
From: Peter Müller @ 2018-05-06 20:02 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 1599 bytes --]
Hello,
I have tested this patchset and can confirm it is working correctly.
It solves https://bugzilla.ipfire.org/show_bug.cgi?id=11559 by adding
the ability to select networks announced via IPsec N2N connections
for firewall rules or network groups.
Best regards,
Peter Müller
> When creating firewall rules or using firewall groups,
> it should be possible to select a single IpSec subnet if there is more than one.
>
> This patch adds a new languagefileword "fwdfw all subnets" which is used in firewall.cgi and fwhosts.cgi
> ---
> langs/de/cgi-bin/de.pl | 1 +
> langs/en/cgi-bin/en.pl | 1 +
> 2 files changed, 2 insertions(+)
>
> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> index 07bef90..9cc345a 100644
> --- a/langs/de/cgi-bin/de.pl
> +++ b/langs/de/cgi-bin/de.pl
> @@ -1065,6 +1065,7 @@
> 'fwdfw additional' => 'Weitere Einstellungen',
> 'fwdfw addrule' => 'Regel hinzufügen/ändern:',
> 'fwdfw all icmp' => 'Alle ICMP-Typen',
> +'fwdfw all subnets' => 'Alle Subnetze',
> 'fwdfw change' => 'Aktualisieren',
> 'fwdfw copy' => 'Kopieren',
> 'fwdfw delete' => 'Löschen',
> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> index a343b3b..60747f7 100644
> --- a/langs/en/cgi-bin/en.pl
> +++ b/langs/en/cgi-bin/en.pl
> @@ -1092,6 +1092,7 @@
> 'fwdfw additional' => 'Additional settings',
> 'fwdfw addrule' => 'Add/Edit rule:',
> 'fwdfw all icmp' => 'All ICMP types',
> +'fwdfw all subnets' => 'All subnets',
> 'fwdfw change' => 'Update',
> 'fwdfw copy' => 'Copy',
> 'fwdfw delete' => 'Delete',
>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
* Re: [PATCH 1/4] BUG11559: Languagefiles
2018-05-06 20:02 ` [PATCH 1/4] BUG11559: Languagefiles Peter Müller
@ 2018-05-07 10:41 ` Michael Tremer
2018-05-07 16:25 ` Peter Müller
0 siblings, 1 reply; 11+ messages in thread
From: Michael Tremer @ 2018-05-07 10:41 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 2758 bytes --]
Hi Peter,
could you please add the appropriate tags to the patches?
Best,
-Michael
On Sun, 2018-05-06 at 22:02 +0200, Peter Müller wrote:
> Hello,
>
> I have tested this patchset and can confirm it is working correctly.
> It solves https://bugzilla.ipfire.org/show_bug.cgi?id=11559 by adding
> the ability to select networks announced via IPsec N2N connections
> for firewall rules or network groups.
>
> Best regards,
> Peter Müller
>
> > When creating firewall rules or using firewall groups,
> > it should be possible to select a single IpSec subnet if there is more than
> > one.
> >
> > This patch adds a new languagefileword "fwdfw all subnets" which is used in
> > firewall.cgi and fwhosts.cgi
> > ---
> > langs/de/cgi-bin/de.pl | 1 +
> > langs/en/cgi-bin/en.pl | 1 +
> > 2 files changed, 2 insertions(+)
> >
> > diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> > index 07bef90..9cc345a 100644
> > --- a/langs/de/cgi-bin/de.pl
> > +++ b/langs/de/cgi-bin/de.pl
> > @@ -1065,6 +1065,7 @@
> > 'fwdfw additional' => 'Weitere Einstellungen',
> > 'fwdfw addrule' => 'Regel hinzufügen/ändern:',
> > 'fwdfw all icmp' => 'Alle ICMP-Typen',
> > +'fwdfw all subnets' => 'Alle Subnetze',
> > 'fwdfw change' => 'Aktualisieren',
> > 'fwdfw copy' => 'Kopieren',
> > 'fwdfw delete' => 'Löschen',
> > diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> > index a343b3b..60747f7 100644
> > --- a/langs/en/cgi-bin/en.pl
> > +++ b/langs/en/cgi-bin/en.pl
> > @@ -1092,6 +1092,7 @@
> > 'fwdfw additional' => 'Additional settings',
> > 'fwdfw addrule' => 'Add/Edit rule:',
> > 'fwdfw all icmp' => 'All ICMP types',
> > +'fwdfw all subnets' => 'All subnets',
> > 'fwdfw change' => 'Update',
> > 'fwdfw copy' => 'Copy',
> > 'fwdfw delete' => 'Delete',
> >
>
>
* Re: [PATCH 1/4] BUG11559: Languagefiles
2018-05-07 10:41 ` Michael Tremer
@ 2018-05-07 16:25 ` Peter Müller
0 siblings, 0 replies; 11+ messages in thread
From: Peter Müller @ 2018-05-07 16:25 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 2019 bytes --]
Hello Michael,
done. I also added the missing "Signed-off-by..."-tags;
hope Alexander does not mind.
Best regards,
Peter Müller
> Hi Peter,
>
> could you please add the appropriate tags to the patches?
>
> Best,
> -Michael
>
> On Sun, 2018-05-06 at 22:02 +0200, Peter Müller wrote:
>> Hello,
>
>> I have tested this patchset and can confirm it is working correctly.
>> It solves https://bugzilla.ipfire.org/show_bug.cgi?id=11559 by adding
>> the ability to select networks announced via IPsec N2N connections
>> for firewall rules or network groups.
>
>> Best regards,
>> Peter Müller
>
>>> When creating firewall rules or using firewall groups,
>>> it should be possible to select a single IpSec subnet if there is more than
>>> one.
>>>
>>> This patch adds a new languagefileword "fwdfw all subnets" which is used in
>>> firewall.cgi and fwhosts.cgi
>>> ---
>>> langs/de/cgi-bin/de.pl | 1 +
>>> langs/en/cgi-bin/en.pl | 1 +
>>> 2 files changed, 2 insertions(+)
>>>
>>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
>>> index 07bef90..9cc345a 100644
>>> --- a/langs/de/cgi-bin/de.pl
>>> +++ b/langs/de/cgi-bin/de.pl
>>> @@ -1065,6 +1065,7 @@
>>> 'fwdfw additional' => 'Weitere Einstellungen',
>>> 'fwdfw addrule' => 'Regel hinzufügen/ändern:',
>>> 'fwdfw all icmp' => 'Alle ICMP-Typen',
>>> +'fwdfw all subnets' => 'Alle Subnetze',
>>> 'fwdfw change' => 'Aktualisieren',
>>> 'fwdfw copy' => 'Kopieren',
>>> 'fwdfw delete' => 'Löschen',
>>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
>>> index a343b3b..60747f7 100644
>>> --- a/langs/en/cgi-bin/en.pl
>>> +++ b/langs/en/cgi-bin/en.pl
>>> @@ -1092,6 +1092,7 @@
>>> 'fwdfw additional' => 'Additional settings',
>>> 'fwdfw addrule' => 'Add/Edit rule:',
>>> 'fwdfw all icmp' => 'All ICMP types',
>>> +'fwdfw all subnets' => 'All subnets',
>>> 'fwdfw change' => 'Update',
>>> 'fwdfw copy' => 'Copy',
>>> 'fwdfw delete' => 'Delete',
>>>
>
>
>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
* Re: [PATCH 1/4] BUG11559: Languagefiles
2018-05-02 11:27 [PATCH 1/4] BUG11559: Languagefiles Alexander Marx
` (3 preceding siblings ...)
2018-05-06 20:02 ` [PATCH 1/4] BUG11559: Languagefiles Peter Müller
@ 2018-05-07 16:22 ` Peter Müller
4 siblings, 0 replies; 11+ messages in thread
From: Peter Müller @ 2018-05-07 16:22 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 1366 bytes --]
When creating firewall rules or using firewall groups,
it should be possible to select a single IpSec subnet if there is more than one.
This patch adds a new languagefileword "fwdfw all subnets" which is used in firewall.cgi and fwhosts.cgi
Signed-off-by: Alexander Marx <alexander.marx(a)ipfire.org>
Tested-by: Peter Müller <peter.mueller(a)link38.eu>
---
langs/de/cgi-bin/de.pl | 1 +
langs/en/cgi-bin/en.pl | 1 +
2 files changed, 2 insertions(+)
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 07bef90..9cc345a 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1065,6 +1065,7 @@
'fwdfw additional' => 'Weitere Einstellungen',
'fwdfw addrule' => 'Regel hinzufügen/ändern:',
'fwdfw all icmp' => 'Alle ICMP-Typen',
+'fwdfw all subnets' => 'Alle Subnetze',
'fwdfw change' => 'Aktualisieren',
'fwdfw copy' => 'Kopieren',
'fwdfw delete' => 'Löschen',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index a343b3b..60747f7 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1092,6 +1092,7 @@
'fwdfw additional' => 'Additional settings',
'fwdfw addrule' => 'Add/Edit rule:',
'fwdfw all icmp' => 'All ICMP types',
+'fwdfw all subnets' => 'All subnets',
'fwdfw change' => 'Update',
'fwdfw copy' => 'Copy',
'fwdfw delete' => 'Delete',
--
2.7.4
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]