From mboxrd@z Thu Jan  1 00:00:00 1970
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: Re: [PATCH 4/4] BUG11559: fwhosts
Date: Mon, 07 May 2018 18:24:45 +0200
Message-ID: <9fc4b35f-b5e2-24a5-2665-d7da5d551026@link38.eu>
In-Reply-To: <1525260427-6695-4-git-send-email-alexander.marx@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2556148836270731856=="
List-Id: <development.lists.ipfire.org>

--===============2556148836270731856==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

When creating firewallrules or using firewall groups,
it should be possible to select a single IpSec subnet if there is more than o=
ne.

This patch adds the changes to the firewall groups.
Signed-off-by: Alexander Marx <alexander.marx(a)ipfire.org>
Tested-by: Peter M=C3=BCller <peter.mueller(a)link38.eu>
---
 html/cgi-bin/fwhosts.cgi | 87 ++++++++++++++++++++++++++++++----------------=
--
 1 file changed, 55 insertions(+), 32 deletions(-)

diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
index a2ade8a..fb33ac6 100644
--- a/html/cgi-bin/fwhosts.cgi
+++ b/html/cgi-bin/fwhosts.cgi
@@ -54,6 +54,7 @@ my %fwinp=3D();
 my %fwout=3D();
 my %ovpnsettings=3D();
 my %netsettings=3D();
+my %optionsfw=3D();
=20
 my $errormessage;
 my $hint;
@@ -70,6 +71,7 @@ my $configgeoipgrp	=3D "${General::swroot}/fwhosts/customge=
oipgrp";
 my $fwconfigfwd		=3D "${General::swroot}/firewall/config";
 my $fwconfiginp		=3D "${General::swroot}/firewall/input";
 my $fwconfigout		=3D "${General::swroot}/firewall/outgoing";
+my $fwoptions 		=3D "${General::swroot}/optionsfw/settings";
 my $configovpn		=3D "${General::swroot}/ovpn/settings";
 my $configipsecrw	=3D "${General::swroot}/vpn/settings";
=20
@@ -87,8 +89,9 @@ unless (-e $configgeoipgrp) { system("touch $configgeoipgrp=
"); }
 &General::readhasharray("$configipsec", \%ipsecconf);
 &General::readhash("$configipsecrw", \%ipsecsettings);
 &General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
-&Header::getcgihash(\%fwhostsettings);
+&General::readhash($fwoptions, \%optionsfw);
=20
+&Header::getcgihash(\%fwhostsettings);
 &Header::showhttpheaders();
 &Header::openpage($Lang::tr{'fwhost menu'}, 1, '');
 &Header::openbigbox('100%', 'center');
@@ -1548,27 +1551,30 @@ END
 				print"</select></td></tr>";
 			}
 			#IPsec networks
-			my @IPSEC_N2N=3D();
+
 			foreach my $key (sort { ncmp($ipsecconf{$a}[0],$ipsecconf{$b}[0]) } keys =
%ipsecconf) {
-				if ($ipsecconf{$key}[3] eq 'net'){
-					$show=3D'1';
-					push (@IPSEC_N2N,$ipsecconf{$key}[1]);
-				}
-			}
-			if ($show eq '1'){
-				$show=3D'';
-				print<<END;
-					<td style=3D'width:15em;'>
-						<label>
-							<input type=3D'radio' name=3D'grp2' id=3D'IPSEC_NET' value=3D'ipsec_n=
et' $checked{'grp2'}{'ipsec_net'}>
-							$Lang::tr{'fwhost ipsec net'}
-						</label>
-					</td>
-					<td style=3D'text-align:right;'>
-					<select name=3D'IPSEC_NET' style=3D'width:16em;'>"
-END
-				foreach(@IPSEC_N2N){
-					print"<option value=3D'$_'>$_</option>";
+				if ($ipsecconf{$key}[3] eq 'net' || ($optionsfw{'SHOWDROPDOWN'} eq 'on' =
&& $ipsecconf{$key}[3] ne 'host')){
+					print "<td style=3D'width:15em;'><label><input type=3D'radio' name=3D'g=
rp2' id=3D'IPSEC_NET' value=3D'ipsec_net' $checked{'grp2'}{'ipsec_net'}>$Lang=
::tr{'fwhost ipsec net'}</label></td><td style=3D'text-align:right;'><select =
name=3D'IPSEC_NET' style=3D'width:16em;'>" if $show eq '';
+					$show=3D1;
+					#Check if we have more than one REMOTE subnet in config
+					my @arr1 =3D split /\|/, $ipsecconf{$key}[11];
+					my $cnt1 +=3D @arr1;
+
+					print"<option value=3D$ipsecconf{$key}[1]>";
+					print"$ipsecconf{$key}[1]";
+					print" ($Lang::tr{'fwdfw all subnets'})" if $cnt1 > 1; #If this Conenct=
ion has more than one subnet, print one option for all subnets
+					print"</option>";
+
+					if ($cnt1 > 1){
+						foreach my $val (@arr1){
+							#normalize subnet to cidr notation
+							my ($val1,$val2) =3D split /\//, $val;
+							my $val3 =3D &General::iporsubtocidr($val2);
+							print "<option ";
+							print "value=3D'$ipsecconf{$key}[1]|$val1/$val3'";
+							print ">$ipsecconf{$key}[1] ($val1/$val3)</option>";
+						}
+					}
 				}
 			}
 			print"</select></td></tr>";
@@ -2116,14 +2122,15 @@ sub viewtablegrp
 			print "<td width=3D'39%' align=3D'left' $col>";
 			if($customgrp{$key}[3] eq 'Standard Network'){
 				print &get_name($customgrp{$key}[2])."</td>";
+			}elsif($customgrp{$key}[3] eq "IpSec Network" && $customgrp{$key}[2] =3D~=
 /\|/){
+				my ($a,$b) =3D split /\|/, $customgrp{$key}[2];
+					print "$a</td>";
 			}else{
 				print "$customgrp{$key}[2]</td>";
 			}
 			if ($ip eq '' && $customgrp{$key}[2] ne $Lang::tr{'fwhost err emptytable'=
}){
 				print "<td align=3D'center' $col>$Lang::tr{'fwhost deleted'}</td><td ali=
gn=3D'center' $col>$Lang::tr{'fwhost '.$customgrp{$key}[3]}</td><td width=3D'=
1%' $col><form method=3D'post'>";
 			}else{
-				my ($colip,$colsub) =3D split("/",$ip);
-				$ip=3D"$colip/".&General::iporsubtocidr($colsub) if ($colsub);
 				print"<td align=3D'center' $col>".&getcolor($ip)."</td><td align=3D'cent=
er' $col>$Lang::tr{'fwhost '.$customgrp{$key}[3]}</td><td width=3D'1%' $col><=
form method=3D'post'>";
 			}
 			if ($delflag > 0 && $ip ne ''){
@@ -2896,7 +2903,23 @@ sub getipforgroup
 	if ($type eq 'IpSec Network'){
 		foreach my $key (keys %ipsecconf) {
 			if ($ipsecconf{$key}[1] eq $name){
-				return $ipsecconf{$key}[11];
+				if ($ipsecconf{$key}[11] =3D~ /\|/) {
+					my $string;
+					my @parts =3D split /\|/ , $ipsecconf{$key}[11];
+					foreach my $key1 (@parts){
+						my ($val1,$val2) =3D split (/\//, $key1);
+						my $val3 =3D &Network::convert_netmask2prefix($val2) || $val2;
+						$string .=3D "$val1/$val3<br>";
+					}
+					return $string;
+				}else{
+					return $ipsecconf{$key}[11];
+				}
+			}else{
+				if ($name =3D~ /\|/) {
+					my ($a,$b) =3D split /\|/, $name;
+					return $b;
+				}
 			}
 		}
 		&deletefromgrp($name,$configgrp);
@@ -2917,7 +2940,7 @@ sub getipforgroup
 		foreach my $key (keys %ccdhost) {
 			if($ccdhost{$key}[1] eq $name){
 				my ($a,$b) =3D split ("/",$ccdhost{$key}[11]);
-				$b=3D&General::iporsubtodec($b);
+				$b=3D&Network::convert_netmask2prefix($b) || ($b);
 				return "$a/$b";
 			}
 		}
@@ -2929,7 +2952,7 @@ sub getipforgroup
 		foreach my $key (keys %ccdhost) {
 			if($ccdhost{$key}[1] eq $name){
 				my ($a,$b) =3D split (/\//,$ccdhost{$key}[33]);
-				$b=3D&General::iporsubtodec($b);
+				$b=3D&Network::convert_netmask2prefix($b) || ($b) ;
 				return "$a/$b";
 			}
 		}
@@ -2941,7 +2964,7 @@ sub getipforgroup
 		foreach my $key (keys %ccdnet) {
 			if ($ccdnet{$key}[0] eq $name){
 				my ($a,$b) =3D split (/\//,$ccdnet{$key}[1]);
-				$b=3D&General::iporsubtodec($b);
+				$b=3D&Network::convert_netmask2prefix($b) || ($b);
 				return "$a/$b";
 			}
 		}
@@ -2961,7 +2984,7 @@ sub getipforgroup
 	if ($type eq 'Custom Network'){
 		foreach my $key (keys %customnetwork) {
 			if($customnetwork{$key}[0] eq $name){
-				return $customnetwork{$key}[1]."/".$customnetwork{$key}[2];
+				return $customnetwork{$key}[1]."/".&Network::convert_netmask2prefix($cus=
tomnetwork{$key}[2]) || $customnetwork{$key}[2];
 			}
 		}
 	}
@@ -2976,20 +2999,20 @@ sub getipforgroup
 		if ($name eq 'GREEN'){
 			my %hash=3D();
 			&General::readhash("${General::swroot}/ethernet/settings",\%hash);
-			return $hash{'GREEN_NETADDRESS'}."/".$hash{'GREEN_NETMASK'};
+			return $hash{'GREEN_NETADDRESS'}."/".&Network::convert_netmask2prefix($ha=
sh{'GREEN_NETMASK'}) || $hash{'GREEN_NETMASK'};
 		}
 		if ($name eq 'BLUE'){
 			my %hash=3D();
 			&General::readhash("${General::swroot}/ethernet/settings",\%hash);
-			return $hash{'BLUE_NETADDRESS'}."/".$hash{'BLUE_NETMASK'};
+			return $hash{'BLUE_NETADDRESS'}."/".&Network::convert_netmask2prefix($has=
h{'BLUE_NETMASK'}) || $hash{'BLUE_NETMASK'};
 		}
 		if ($name eq 'ORANGE'){
 			my %hash=3D();
 			&General::readhash("${General::swroot}/ethernet/settings",\%hash);
-			return $hash{'ORANGE_NETADDRESS'}."/".$hash{'ORANGE_NETMASK'};
+			return $hash{'ORANGE_NETADDRESS'}."/".&Network::convert_netmask2prefix($h=
ash{'ORANGE_NETMASK'}) || $hash{'ORANGE_NETMASK'};
 		}
 		if ($name eq 'ALL'){
-			return "0.0.0.0/0.0.0.0";
+			return "0.0.0.0/0";
 		}
 		if ($name =3D~ /IPsec/i){
 			my %hash=3D();
--=20
2.7.4



--===============2556148836270731856==
Content-Type: application/pgp-signature
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="signature.asc"
MIME-Version: 1.0

LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KVmVyc2lvbjogR251UEcgdjIKCmlRSWNCQUVC
Q2dBR0JRSmE4SDNPQUFvSkVObEk4Zzk5ZTU5bzRpb1AvalpaVi9qZFgzcmZjVUhwb29VYTNqb1AK
ZUJLZlBNeVdyRXdMdzhCQlBrY3hhajROZ2JZa24wWmc1SENZNTZNd0ZQWk9WWDRzblRETklGbTZK
MDFqK2xSTgpZRGtnN0ZaOFdKWDEyYThjSnJTYmVLemYzd0M0NmgyOUgyL052RTJwcXhLbFpOQXdm
K3dpa3puc3lwMWh0cE9JCmxkTUpPU1o5dE9WMlBUelBwTGZaZ3QzZU8zMEp0OXIxTllFNDA2Y2pS
Vm0waHBpWHZyTzBCSEJXOG1EOWFuU2sKS3NOR0lZVTNhUjlKVWJlODdHdFNJVUMyVjhOcFNMTU15
eHV2ZHpwKzY3VnhDellqdVJCUGZPL0FhSzZRUUxsZgowS1dZRVpXODFpcDh4LzZrdVF2Uy85SUlV
Y01hZEswdlJ6N0p0aXZvemcrcEJ4WlU5RXBUWEQ4MzI4dmNiaDVrCnJlU213eDJVaGx1azQ4enc3
a200V3JRT1p5d3dIVFB3eFRTZkJIU1Z3bmtIeTcvUVE1T0oxQmhpNTgzSk8yaWUKQTdCQklSTFRL
YnFxbCsyUlowMUVtK2NmRE9TTmx0L05kOUJnbXYwS1cwT1BZSEtPZTAxblZDUnAyN0YzbFNmSAp1
WVZNZm55YUhaWVFMN2xLRncxR2F4Q0N1RDFuMVVGZVQ1WDN5aTNMZjNwSktYcDhtR3lsdzVQUWFk
UzJCa3JBClJCaEhNZkZKUjRldkVsMzQvMk11Qm1LSHFxQUs4L0ErOTFMR1lIeGlsQlkwZWtUd0Rk
bDFNcDlqb29YMDE5NU0KaFZxZXpLaE8wRnBRSmszQU1sMjZCVzZEaGpXVkNHaVI3MWNheGFTQ2Zu
OWQvL29NaFlSOWpnV3JIR25ZSWpXYgpSRzJwb3RHSlVwcmp5czY1b2poMAo9Qk8zUQotLS0tLUVO
RCBQR1AgU0lHTkFUVVJFLS0tLS0K

--===============2556148836270731856==--