Another patch will follow to make these changes in the firewall groups with the language changes ("All subnets" instead of "all")
fixes: #11559 --- config/firewall/firewall-lib.pl | 19 +++++++++++++++---- html/cgi-bin/firewall.cgi | 36 +++++++++++++++++++++++++++++++++--- 2 files changed, 48 insertions(+), 7 deletions(-)
diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl index eabd9a4..668eb9e 100644 --- a/config/firewall/firewall-lib.pl +++ b/config/firewall/firewall-lib.pl @@ -150,6 +150,9 @@ sub get_ipsec_net_ip my $val=shift; my $field=shift; foreach my $key (sort {$a <=> $b} keys %ipsecconf){ + #adapt $val to reflect real name without subnet (if rule with only one ipsec subnet is created) + my @tmpval = split (/|/, $val); + $val = $tmpval[0]; if($ipsecconf{$key}[1] eq $val){ return $ipsecconf{$key}[$field]; } @@ -390,10 +393,18 @@ sub get_address
# IPsec networks. } elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) { - my $network_address = &get_ipsec_net_ip($value, 11); - my @nets = split(/|/, $network_address); - foreach my $net (@nets) { - push(@ret, [$net, ""]); + #Check if we have multiple subnets and only want one of them + + if ( $value =~ /|/ ){ + my @parts = split(/|/, $value); + push(@ret, [$parts[1], ""]); + + }else{ + my $network_address = &get_ipsec_net_ip($value, 11); + my @nets = split(/|/, $network_address); + foreach my $net (@nets) { + push(@ret, [$net, ""]); + } }
# The firewall's own IP addresses. diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index face0f4..65e43a1 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -1161,11 +1161,31 @@ END #IPsec netze foreach my $key (sort { ncmp($ipsecconf{$a}[1],$ipsecconf{$b}[1]) } keys %ipsecconf) { if ($ipsecconf{$key}[3] eq 'net' || ($optionsfw{'SHOWDROPDOWN'} eq 'on' && $ipsecconf{$key}[3] ne 'host')){ - print"<tr><td valign='top'><input type='radio' name='$grp' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'>" if ($show eq ''); + print"<tr><td valign='top'><input type='radio' name='$grp' id='ipsec_net_$srctgt' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'>" if ($show eq ''); $show='1'; + + #Check if we have more than one REMOTE subnet in config + my @arr1 = split /|/, $ipsecconf{$key}[11]; + my $cnt1 += @arr1; + print "<option "; - print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $ipsecconf{$key}[1]); - print ">$ipsecconf{$key}[1]</option>"; + print "value=$ipsecconf{$key}[1]"; + print " selected " if ($fwdfwsettings{$fwdfwsettings{$grp}} eq "$ipsecconf{$key}[1]"); + print ">$ipsecconf{$key}[1] "; + print "$Lang::tr{'all'}" if $cnt1 > 1; #If this Conenction has more than one subnet, print one option for all subnets + print "</option>"; + + if ($cnt1 > 1){ + foreach my $val (@arr1){ + #normalize subnet to cidr notation + my ($val1,$val2) = split ///, $val; + my $val3 = &General::iporsubtocidr($val2); + print "<option "; + print "value='$ipsecconf{$key}[1]|$val1/$val3'"; + print "selected " if ($fwdfwsettings{$fwdfwsettings{$grp}} eq "$ipsecconf{$key}[1]|$val1/$val3"); + print ">$ipsecconf{$key}[1] $val1/$val3</option>"; + } + } } } if($optionsfw{'SHOWDROPDOWN'} eq 'on' && $show eq ''){ @@ -2575,6 +2595,11 @@ END #SOURCE my $ipfireiface; &getcolor($$hash{$key}[3],$$hash{$key}[4],%customhost); + # Check SRC Host and replace "|" with space + if ($$hash{$key}[4] =~ /|/){ + $$hash{$key}[4] =~ s/|/ (/g; + $$hash{$key}[4] = $$hash{$key}[4].")"; + } print"<td align='center' width='30%' $tdcolor>"; if ($$hash{$key}[3] eq 'ipfire_src'){ $ipfireiface=$Lang::tr{'fwdfw iface'}; @@ -2640,6 +2665,11 @@ END print<<END; <td align='center' $tdcolor> END + # Check TGT Host and replace "|" with space + if ($$hash{$key}[6] =~ /|/){ + $$hash{$key}[6] =~ s/|/ (/g; + $$hash{$key}[6] = $$hash{$key}[6].")"; + } #Is this a DNAT rule? my $natstring; if ($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){