When creating firewallrules or using firewall groups, it should be possible to select a single IpSec subnet if there is more than one.
This patch adds a new languagefileword "fwdfw all subnets" which is used in firewall.cgi and fwhosts.cgi --- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 2 files changed, 2 insertions(+)
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 07bef90..9cc345a 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1065,6 +1065,7 @@
 'fwdfw additional' => 'Weitere Einstellungen',
 'fwdfw addrule' => 'Regel hinzufügen/ändern:',
 'fwdfw all icmp' => 'Alle ICMP-Typen',
+'fwdfw all subnets' => 'Alle Subnetze',
 'fwdfw change' => 'Aktualisieren',
 'fwdfw copy' => 'Kopieren',
 'fwdfw delete' => 'Löschen',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index a343b3b..60747f7 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1092,6 +1092,7 @@
 'fwdfw additional' => 'Additional settings',
 'fwdfw addrule' => 'Add/Edit rule:',
 'fwdfw all icmp' => 'All ICMP types',
+'fwdfw all subnets' => 'All subnets',
 'fwdfw change' => 'Update',
 'fwdfw copy' => 'Copy',
 'fwdfw delete' => 'Delete',
When creating firewallrules or using firewall groups, it should be possible to select a single IpSec subnet if there is more than one.
This patch has the changes for firewall.cgi --- html/cgi-bin/firewall.cgi | 36 +++++++++++++++++++++++++++++++++--- 1 file changed, 33 insertions(+), 3 deletions(-)
diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index face0f4..499f279 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi 
@@ -1161,11 +1161,31 @@ END #IPsec netze foreach my $key (sort { ncmp($ipsecconf{$a}[1],$ipsecconf{$b}[1]) } keys %ipsecconf) { if ($ipsecconf{$key}[3] eq 'net' || ($optionsfw{'SHOWDROPDOWN'} eq 'on' && $ipsecconf{$key}[3] ne 'host')){ - print"<tr><td valign='top'><input type='radio' name='$grp' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'>" if ($show eq ''); + print"<tr><td valign='top'><input type='radio' name='$grp' id='ipsec_net_$srctgt' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'>" if ($show eq ''); $show='1'; + + #Check if we have more than one REMOTE subnet in config + my @arr1 = split /|/, $ipsecconf{$key}[11]; + my $cnt1 += @arr1; + print "<option "; - print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $ipsecconf{$key}[1]); - print ">$ipsecconf{$key}[1]</option>"; + print "value=$ipsecconf{$key}[1]"; + print " selected " if ($fwdfwsettings{$fwdfwsettings{$grp}} eq "$ipsecconf{$key}[1]"); + print ">$ipsecconf{$key}[1] "; + print "($Lang::tr{'fwdfw all subnets'})" if $cnt1 > 1; #If this Conenction has more than one subnet, print one option for all subnets + print "</option>"; + + if ($cnt1 > 1){ + foreach my $val (@arr1){ + #normalize subnet to cidr notation + my ($val1,$val2) = split ///, $val; + my $val3 = &General::iporsubtocidr($val2); + print "<option "; + print "value='$ipsecconf{$key}[1]|$val1/$val3'"; + print "selected " if ($fwdfwsettings{$fwdfwsettings{$grp}} eq "$ipsecconf{$key}[1]|$val1/$val3"); + print ">$ipsecconf{$key}[1] ($val1/$val3)</option>"; + } + } } } if($optionsfw{'SHOWDROPDOWN'} eq 'on' && $show eq ''){ 
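Review bot: The new `<option>` markup prints the IPsec connection name and subnet strings into HTML unescaped, and the first option leaves the attribute unquoted (`print "value=$ipsecconf{$key}[1]";`), so a space or quote in a stored value would end the attribute early. Quote it and escape what is printed, e.g. `print "value='".&Header::cleanhtml($ipsecconf{$key}[1])."'";`, assuming that helper is acceptable for attribute values here. In the per-subnet branch `print "selected "` is emitted directly after the closing quote of `value='…'`; `print " selected"` keeps the attributes separated, and `my $cnt1 += @arr1;` would read better as `my $cnt1 = scalar @arr1;`. The same markup is added by the `@@ -1548` hunk of fwhosts.cgi and by the tagged resend of this patch further down the page; the enclosing function lies outside the hunk.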
@@ -2575,6 +2595,11 @@ END #SOURCE my $ipfireiface; &getcolor($$hash{$key}[3],$$hash{$key}[4],%customhost); + # Check SRC Host and replace "|" with space + if ($$hash{$key}[4] =~ /|/){ + $$hash{$key}[4] =~ s/|/ (/g; + $$hash{$key}[4] = $$hash{$key}[4].")"; + } print"<td align='center' width='30%' $tdcolor>"; if ($$hash{$key}[3] eq 'ipfire_src'){ $ipfireiface=$Lang::tr{'fwdfw iface'}; @@ -2640,6 +2665,11 @@ END print<<END; <td align='center' $tdcolor> END + # Check TGT Host and replace "|" with space + if ($$hash{$key}[6] =~ /|/){ + $$hash{$key}[6] =~ s/|/ (/g; + $$hash{$key}[6] = $$hash{$key}[6].")"; + } #Is this a DNAT rule? my $natstring; if ($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
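Review bot: Both added blocks rewrite the rule entry itself (`$$hash{$key}[4]` here, `$$hash{$key}[6]` in the `@@ -2640` hunk) just to build a display label, so every later use of the entry in this request sees `name (subnet)` instead of the stored `name|subnet`. If the same hash is compared or written back after this point (not visible in the hunks, so this is an assumption), the saved rule would silently change; formatting a copy avoids that, e.g. `(my $src_label = $$hash{$key}[4]) =~ s/\|(.*)/ ($1)/;`. The comment says the `|` is replaced with a space while the code inserts ` (` and appends `)`; `# Show "name|subnet" as "name (subnet)"` would match what happens. The tagged resend repeats both hunks, and both blocks sit in a function that begins and ends outside them.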
When creating firewallrules or using firewall groups, it should be possible to select a single IpSec subnet if there is more than one.
This patch has the changes for firewall.cgi Signed-off-by: Alexander Marx alexander.marx@ipfire.org Tested-by: Peter Müller peter.mueller@link38.eu --- html/cgi-bin/firewall.cgi | 36 +++++++++++++++++++++++++++++++++--- 1 file changed, 33 insertions(+), 3 deletions(-)
diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index face0f4..499f279 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi 
@@ -1161,11 +1161,31 @@ END #IPsec netze foreach my $key (sort { ncmp($ipsecconf{$a}[1],$ipsecconf{$b}[1]) } keys %ipsecconf) { if ($ipsecconf{$key}[3] eq 'net' || ($optionsfw{'SHOWDROPDOWN'} eq 'on' && $ipsecconf{$key}[3] ne 'host')){ - print"<tr><td valign='top'><input type='radio' name='$grp' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'>" if ($show eq ''); + print"<tr><td valign='top'><input type='radio' name='$grp' id='ipsec_net_$srctgt' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'>" if ($show eq ''); $show='1'; + + #Check if we have more than one REMOTE subnet in config + my @arr1 = split /|/, $ipsecconf{$key}[11]; + my $cnt1 += @arr1; + print "<option "; - print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $ipsecconf{$key}[1]); - print ">$ipsecconf{$key}[1]</option>"; + print "value=$ipsecconf{$key}[1]"; + print " selected " if ($fwdfwsettings{$fwdfwsettings{$grp}} eq "$ipsecconf{$key}[1]"); + print ">$ipsecconf{$key}[1] "; + print "($Lang::tr{'fwdfw all subnets'})" if $cnt1 > 1; #If this Conenction has more than one subnet, print one option for all subnets + print "</option>"; + + if ($cnt1 > 1){ + foreach my $val (@arr1){ + #normalize subnet to cidr notation + my ($val1,$val2) = split ///, $val; + my $val3 = &General::iporsubtocidr($val2); + print "<option "; + print "value='$ipsecconf{$key}[1]|$val1/$val3'"; + print "selected " if ($fwdfwsettings{$fwdfwsettings{$grp}} eq "$ipsecconf{$key}[1]|$val1/$val3"); + print ">$ipsecconf{$key}[1] ($val1/$val3)</option>"; + } + } } } if($optionsfw{'SHOWDROPDOWN'} eq 'on' && $show eq ''){ 
@@ -2575,6 +2595,11 @@ END #SOURCE my $ipfireiface; &getcolor($$hash{$key}[3],$$hash{$key}[4],%customhost); + # Check SRC Host and replace "|" with space + if ($$hash{$key}[4] =~ /|/){ + $$hash{$key}[4] =~ s/|/ (/g; + $$hash{$key}[4] = $$hash{$key}[4].")"; + } print"<td align='center' width='30%' $tdcolor>"; if ($$hash{$key}[3] eq 'ipfire_src'){ $ipfireiface=$Lang::tr{'fwdfw iface'}; @@ -2640,6 +2665,11 @@ END print<<END; <td align='center' $tdcolor> END + # Check TGT Host and replace "|" with space + if ($$hash{$key}[6] =~ /|/){ + $$hash{$key}[6] =~ s/|/ (/g; + $$hash{$key}[6] = $$hash{$key}[6].")"; + } #Is this a DNAT rule? my $natstring; if ($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
When creating firewallrules or using firewall groups, it should be possible to select a single IpSec subnet if there is more than one.
This patch has the necessary changes for the firewall-lib. Because the network name of the IpSec connection changes on save (the subnet is added to the name), we need to split the name or normalise the field before using it. --- config/firewall/firewall-lib.pl | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl index eabd9a4..9b7f55c 100644 --- a/config/firewall/firewall-lib.pl +++ b/config/firewall/firewall-lib.pl @@ -150,6 +150,9 @@ sub get_ipsec_net_ip my $val=shift; my $field=shift; foreach my $key (sort {$a <=> $b} keys %ipsecconf){ + #adapt $val to reflect real name without subnet (if rule with only one ipsec subnet is created) + my @tmpval = split (/|/, $val); + $val = $tmpval[0]; if($ipsecconf{$key}[1] eq $val){ return $ipsecconf{$key}[$field]; } @@ -390,10 +393,16 @@ sub get_address
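Review bot: The added split sits inside the `foreach` in `get_ipsec_net_ip`, so `$val` is re-split and reassigned on every iteration although it does not depend on `$key`; it belongs once above the loop, e.g. `($val) = split(/\|/, $val, 2);`. As rendered on this page the pattern reads `/|/`, an empty alternation that matches between every character; presumably the archive dropped a backslash, but the committed file should be checked to contain `/\|/` (and `/\//` where the page shows `///`). A one-line comment on the sub stating that `$val` may be either `name` or `name|subnet` would document the new contract for callers.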
# IPsec networks. } elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) { - my $network_address = &get_ipsec_net_ip($value, 11); - my @nets = split(/|/, $network_address); - foreach my $net (@nets) { - push(@ret, [$net, ""]); + #Check if we have multiple subnets and only want one of them + if ( $value =~ /|/ ){ + my @parts = split(/|/, $value); + push(@ret, [$parts[1], ""]); + }else{ + my $network_address = &get_ipsec_net_ip($value, 11); + my @nets = split(/|/, $network_address); + foreach my $net (@nets) { + push(@ret, [$net, ""]); + } }
# The firewall's own IP addresses.
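Review bot: In the new first branch the subnet is taken from the stored rule value (`$parts[1]`) and pushed as an address without checking that it is still one of the subnets configured for that IPsec connection, or that the connection exists at all. A rule saved as `name|subnet` would therefore keep matching that network after the tunnel's subnet list changes or the connection is removed, whereas the `else` branch always resolves through `get_ipsec_net_ip()`. Resolving the configured list first and keeping the selected subnet only when it is still in that list closes the gap; the comparison needs both sides in the same notation, which the hunk does not show. `get_address` begins and ends outside the hunk, and the tagged resend carries the same code.

```perl
} elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) {
	# get_ipsec_net_ip() strips a "|subnet" suffix itself, so this yields the
	# configured subnet list for both value forms (nothing if the connection
	# no longer exists).
	my $network_address = &get_ipsec_net_ip($value, 11);
	my @nets = split(/\|/, $network_address // "");
	my (undef, $wanted) = split(/\|/, $value, 2);
	if (defined $wanted) {
		# Keep the selected subnet only while it is still configured.
		# NOTE(review): normalise both sides to CIDR before comparing.
		@nets = grep { $_ eq $wanted } @nets;
	}
	# … unchanged: foreach over @nets pushing [$net, ""] …
```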
When creating firewallrules or using firewall groups, it should be possible to select a single IpSec subnet if there is more than one.
This patch has the necessary changes for the firewall-lib. Because the network name of the IpSec connection changes on save (the subnet is added to the name), we need to split the name or normalise the field before using it.
Signed-off-by: Alexander Marx alexander.marx@ipfire.org Tested-by: Peter Müller peter.mueller@link38.eu --- config/firewall/firewall-lib.pl | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl index eabd9a4..9b7f55c 100644 --- a/config/firewall/firewall-lib.pl +++ b/config/firewall/firewall-lib.pl @@ -150,6 +150,9 @@ sub get_ipsec_net_ip my $val=shift; my $field=shift; foreach my $key (sort {$a <=> $b} keys %ipsecconf){ + #adapt $val to reflect real name without subnet (if rule with only one ipsec subnet is created) + my @tmpval = split (/|/, $val); + $val = $tmpval[0]; if($ipsecconf{$key}[1] eq $val){ return $ipsecconf{$key}[$field]; } @@ -390,10 +393,16 @@ sub get_address
# IPsec networks. } elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) { - my $network_address = &get_ipsec_net_ip($value, 11); - my @nets = split(/|/, $network_address); - foreach my $net (@nets) { - push(@ret, [$net, ""]); + #Check if we have multiple subnets and only want one of them + if ( $value =~ /|/ ){ + my @parts = split(/|/, $value); + push(@ret, [$parts[1], ""]); + }else{ + my $network_address = &get_ipsec_net_ip($value, 11); + my @nets = split(/|/, $network_address); + foreach my $net (@nets) { + push(@ret, [$net, ""]); + } }
# The firewall's own IP addresses.
When creating firewallrules or using firewall groups, it should be possible to select a single IpSec subnet if there is more than one.
This patch adds the changes to the firewall groups. --- html/cgi-bin/fwhosts.cgi | 87 ++++++++++++++++++++++++++++++------------------ 1 file changed, 55 insertions(+), 32 deletions(-)
diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index a2ade8a..fb33ac6 100644 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -54,6 +54,7 @@ my %fwinp=(); my %fwout=(); my %ovpnsettings=(); my %netsettings=(); +my %optionsfw=();
my $errormessage; my $hint; @@ -70,6 +71,7 @@ my $configgeoipgrp = "${General::swroot}/fwhosts/customgeoipgrp"; my $fwconfigfwd = "${General::swroot}/firewall/config"; my $fwconfiginp = "${General::swroot}/firewall/input"; my $fwconfigout = "${General::swroot}/firewall/outgoing"; +my $fwoptions = "${General::swroot}/optionsfw/settings"; my $configovpn = "${General::swroot}/ovpn/settings"; my $configipsecrw = "${General::swroot}/vpn/settings";
@@ -87,8 +89,9 @@ unless (-e $configgeoipgrp) { system("touch $configgeoipgrp"); } &General::readhasharray("$configipsec", %ipsecconf); &General::readhash("$configipsecrw", %ipsecsettings); &General::readhash("/var/ipfire/ethernet/settings", %netsettings); -&Header::getcgihash(%fwhostsettings); +&General::readhash($fwoptions, %optionsfw);
+&Header::getcgihash(%fwhostsettings); &Header::showhttpheaders(); &Header::openpage($Lang::tr{'fwhost menu'}, 1, ''); &Header::openbigbox('100%', 'center'); @@ -1548,27 +1551,30 @@ END print"</select></td></tr>"; } #IPsec networks - my @IPSEC_N2N=(); + foreach my $key (sort { ncmp($ipsecconf{$a}[0],$ipsecconf{$b}[0]) } keys %ipsecconf) { - if ($ipsecconf{$key}[3] eq 'net'){ - $show='1'; - push (@IPSEC_N2N,$ipsecconf{$key}[1]); - } - } - if ($show eq '1'){ - $show=''; - print<<END; - <td style='width:15em;'> - <label> - <input type='radio' name='grp2' id='IPSEC_NET' value='ipsec_net' $checked{'grp2'}{'ipsec_net'}> - $Lang::tr{'fwhost ipsec net'} - </label> - </td> - <td style='text-align:right;'> - <select name='IPSEC_NET' style='width:16em;'>" -END - foreach(@IPSEC_N2N){ - print"<option value='$_'>$_</option>"; + if ($ipsecconf{$key}[3] eq 'net' || ($optionsfw{'SHOWDROPDOWN'} eq 'on' && $ipsecconf{$key}[3] ne 'host')){ + print "<td style='width:15em;'><label><input type='radio' name='grp2' id='IPSEC_NET' value='ipsec_net' $checked{'grp2'}{'ipsec_net'}>$Lang::tr{'fwhost ipsec net'}</label></td><td style='text-align:right;'><select name='IPSEC_NET' style='width:16em;'>" if $show eq ''; + $show=1; + #Check if we have more than one REMOTE subnet in config + my @arr1 = split /|/, $ipsecconf{$key}[11]; + my $cnt1 += @arr1; + + print"<option value=$ipsecconf{$key}[1]>"; + print"$ipsecconf{$key}[1]"; + print" ($Lang::tr{'fwdfw all subnets'})" if $cnt1 > 1; #If this Conenction has more than one subnet, print one option for all subnets + print"</option>"; + + if ($cnt1 > 1){ + foreach my $val (@arr1){ + #normalize subnet to cidr notation + my ($val1,$val2) = split ///, $val; + my $val3 = &General::iporsubtocidr($val2); + print "<option "; + print "value='$ipsecconf{$key}[1]|$val1/$val3'"; + print ">$ipsecconf{$key}[1] ($val1/$val3)</option>"; + } + } } } print"</select></td></tr>"; 
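Review bot: After the rewritten IPsec loop in the `@@ -1548` hunk `$show` stays `1` once any IPsec network was listed, whereas the removed code reset it with `$show='';` before printing the row. If a later block of this form still tests `$show eq ''` to decide whether to open its own `<select>` (that code is outside the hunk, so this is an assumption), it would now be skipped; adding `$show = '';` after the loop restores the old contract. The closing `print"</select></td></tr>";` is context here, so whether it is guarded for the case where no IPsec network was printed cannot be told from the hunk.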
@@ -2116,14 +2122,15 @@ sub viewtablegrp print "<td width='39%' align='left' $col>"; if($customgrp{$key}[3] eq 'Standard Network'){ print &get_name($customgrp{$key}[2])."</td>"; + }elsif($customgrp{$key}[3] eq "IpSec Network" && $customgrp{$key}[2] =~ /|/){ + my ($a,$b) = split /|/, $customgrp{$key}[2]; + print "$a</td>"; }else{ print "$customgrp{$key}[2]</td>"; } if ($ip eq '' && $customgrp{$key}[2] ne $Lang::tr{'fwhost err emptytable'}){ print "<td align='center' $col>$Lang::tr{'fwhost deleted'}</td><td align='center' $col>$Lang::tr{'fwhost '.$customgrp{$key}[3]}</td><td width='1%' $col><form method='post'>"; }else{ - my ($colip,$colsub) = split("/",$ip); - $ip="$colip/".&General::iporsubtocidr($colsub) if ($colsub); print"<td align='center' $col>".&getcolor($ip)."</td><td align='center' $col>$Lang::tr{'fwhost '.$customgrp{$key}[3]}</td><td width='1%' $col><form method='post'>"; } if ($delflag > 0 && $ip ne ''){ @@ -2896,7 +2903,23 @@ sub getipforgroup if ($type eq 'IpSec Network'){ foreach my $key (keys %ipsecconf) { if ($ipsecconf{$key}[1] eq $name){ - return $ipsecconf{$key}[11]; + if ($ipsecconf{$key}[11] =~ /|/) { + my $string; + my @parts = split /|/ , $ipsecconf{$key}[11]; + foreach my $key1 (@parts){ + my ($val1,$val2) = split (///, $key1); + my $val3 = &Network::convert_netmask2prefix($val2) || $val2; + $string .= "$val1/$val3<br>"; + } + return $string; + }else{ + return $ipsecconf{$key}[11]; + } + }else{ + if ($name =~ /|/) { + my ($a,$b) = split /|/, $name; + return $b; + } } } &deletefromgrp($name,$configgrp); @@ -2917,7 +2940,7 @@ sub getipforgroup foreach my $key (keys %ccdhost) { if($ccdhost{$key}[1] eq $name){ my ($a,$b) = split ("/",$ccdhost{$key}[11]); - $b=&General::iporsubtodec($b); + $b=&Network::convert_netmask2prefix($b) || ($b); return "$a/$b"; } } 
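Review bot: `my ($a,$b) = split …` in the `viewtablegrp` hunk declares lexical `$a` and `$b`, which mask the package variables `sort` blocks rely on for the rest of the scope, and `$b` is never used. A named variable says more and avoids the trap: `my ($conn) = split(/\|/, $customgrp{$key}[2], 2);` followed by `print "$conn</td>";`. The `@@ -2896` hunk adds the same `my ($a,$b)` pattern in `getipforgroup`.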
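Review bot: The new `else` branch in the `@@ -2896` hunk returns the subnet part of `$name` as soon as the first `%ipsecconf` entry fails the `eq` test, so a `name|subnet` group entry resolves to an address without ever confirming that connection `name` exists. Because of that early return the `&deletefromgrp($name,$configgrp)` cleanup after the loop is not reached for entries whose tunnel was removed, and the group keeps contributing that network. Splitting `$name` once before the loop and comparing only the connection part fixes both. Separately, the multi-subnet branch returns a string joined with `<br>`, which is only safe if every caller uses the result for display; that is worth confirming. `getipforgroup` starts and ends outside the hunk.

```perl
if ($type eq 'IpSec Network'){
	# "connection|subnet" entries name a single subnet of the connection.
	my ($conn, $subnet) = split(/\|/, $name, 2);
	foreach my $key (keys %ipsecconf) {
		next unless $ipsecconf{$key}[1] eq $conn;
		# Hand back the stored subnet only while its connection still exists.
		return $subnet if defined $subnet;
		# … unchanged: multi-subnet formatting / return of field 11 …
	}
	# … unchanged: deletefromgrp() cleanup for entries with no matching connection …
```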
@@ -2929,7 +2952,7 @@ sub getipforgroup foreach my $key (keys %ccdhost) { if($ccdhost{$key}[1] eq $name){ my ($a,$b) = split (///,$ccdhost{$key}[33]); - $b=&General::iporsubtodec($b); + $b=&Network::convert_netmask2prefix($b) || ($b) ; return "$a/$b"; } } @@ -2941,7 +2964,7 @@ sub getipforgroup foreach my $key (keys %ccdnet) { if ($ccdnet{$key}[0] eq $name){ my ($a,$b) = split (///,$ccdnet{$key}[1]); - $b=&General::iporsubtodec($b); + $b=&Network::convert_netmask2prefix($b) || ($b); return "$a/$b"; } } @@ -2961,7 +2984,7 @@ sub getipforgroup if ($type eq 'Custom Network'){ foreach my $key (keys %customnetwork) { if($customnetwork{$key}[0] eq $name){ - return $customnetwork{$key}[1]."/".$customnetwork{$key}[2]; + return $customnetwork{$key}[1]."/".&Network::convert_netmask2prefix($customnetwork{$key}[2]) || $customnetwork{$key}[2]; } } } @@ -2976,20 +2999,20 @@ sub getipforgroup if ($name eq 'GREEN'){ my %hash=(); &General::readhash("${General::swroot}/ethernet/settings",%hash); - return $hash{'GREEN_NETADDRESS'}."/".$hash{'GREEN_NETMASK'}; + return $hash{'GREEN_NETADDRESS'}."/".&Network::convert_netmask2prefix($hash{'GREEN_NETMASK'}) || $hash{'GREEN_NETMASK'}; } if ($name eq 'BLUE'){ my %hash=(); &General::readhash("${General::swroot}/ethernet/settings",%hash); - return $hash{'BLUE_NETADDRESS'}."/".$hash{'BLUE_NETMASK'}; + return $hash{'BLUE_NETADDRESS'}."/".&Network::convert_netmask2prefix($hash{'BLUE_NETMASK'}) || $hash{'BLUE_NETMASK'}; } if ($name eq 'ORANGE'){ my %hash=(); &General::readhash("${General::swroot}/ethernet/settings",%hash); - return $hash{'ORANGE_NETADDRESS'}."/".$hash{'ORANGE_NETMASK'}; + return $hash{'ORANGE_NETADDRESS'}."/".&Network::convert_netmask2prefix($hash{'ORANGE_NETMASK'}) || $hash{'ORANGE_NETMASK'}; } if ($name eq 'ALL'){ - return "0.0.0.0/0.0.0.0"; + return "0.0.0.0/0"; } if ($name =~ /IPsec/i){ my %hash=();
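Review bot: In the `Custom Network`, `GREEN`, `BLUE` and `ORANGE` returns the `|| …` fallback can never take effect: `.` binds tighter than `||`, so the left operand is the whole concatenation `addr."/".prefix`, which is always a non-empty, true string. When `convert_netmask2prefix` yields nothing the function therefore returns `addr/` with an empty prefix instead of falling back to the stored mask. Parenthesise the alternative, e.g. `return $hash{'GREEN_NETADDRESS'}."/".(&Network::convert_netmask2prefix($hash{'GREEN_NETMASK'}) || $hash{'GREEN_NETMASK'});`. This applies to the `@@ -2961` and `@@ -2976` hunks and to their copies in the tagged resend.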
When creating firewallrules or using firewall groups, it should be possible to select a single IpSec subnet if there is more than one.
This patch adds the changes to the firewall groups. Signed-off-by: Alexander Marx alexander.marx@ipfire.org Tested-by: Peter Müller peter.mueller@link38.eu --- html/cgi-bin/fwhosts.cgi | 87 ++++++++++++++++++++++++++++++------------------ 1 file changed, 55 insertions(+), 32 deletions(-)
diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index a2ade8a..fb33ac6 100644 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -54,6 +54,7 @@ my %fwinp=(); my %fwout=(); my %ovpnsettings=(); my %netsettings=(); +my %optionsfw=();
my $errormessage; my $hint; @@ -70,6 +71,7 @@ my $configgeoipgrp = "${General::swroot}/fwhosts/customgeoipgrp"; my $fwconfigfwd = "${General::swroot}/firewall/config"; my $fwconfiginp = "${General::swroot}/firewall/input"; my $fwconfigout = "${General::swroot}/firewall/outgoing"; +my $fwoptions = "${General::swroot}/optionsfw/settings"; my $configovpn = "${General::swroot}/ovpn/settings"; my $configipsecrw = "${General::swroot}/vpn/settings";
@@ -87,8 +89,9 @@ unless (-e $configgeoipgrp) { system("touch $configgeoipgrp"); } &General::readhasharray("$configipsec", %ipsecconf); &General::readhash("$configipsecrw", %ipsecsettings); &General::readhash("/var/ipfire/ethernet/settings", %netsettings); -&Header::getcgihash(%fwhostsettings); +&General::readhash($fwoptions, %optionsfw);
+&Header::getcgihash(%fwhostsettings); &Header::showhttpheaders(); &Header::openpage($Lang::tr{'fwhost menu'}, 1, ''); &Header::openbigbox('100%', 'center'); @@ -1548,27 +1551,30 @@ END print"</select></td></tr>"; } #IPsec networks - my @IPSEC_N2N=(); + foreach my $key (sort { ncmp($ipsecconf{$a}[0],$ipsecconf{$b}[0]) } keys %ipsecconf) { - if ($ipsecconf{$key}[3] eq 'net'){ - $show='1'; - push (@IPSEC_N2N,$ipsecconf{$key}[1]); - } - } - if ($show eq '1'){ - $show=''; - print<<END; - <td style='width:15em;'> - <label> - <input type='radio' name='grp2' id='IPSEC_NET' value='ipsec_net' $checked{'grp2'}{'ipsec_net'}> - $Lang::tr{'fwhost ipsec net'} - </label> - </td> - <td style='text-align:right;'> - <select name='IPSEC_NET' style='width:16em;'>" -END - foreach(@IPSEC_N2N){ - print"<option value='$_'>$_</option>"; + if ($ipsecconf{$key}[3] eq 'net' || ($optionsfw{'SHOWDROPDOWN'} eq 'on' && $ipsecconf{$key}[3] ne 'host')){ + print "<td style='width:15em;'><label><input type='radio' name='grp2' id='IPSEC_NET' value='ipsec_net' $checked{'grp2'}{'ipsec_net'}>$Lang::tr{'fwhost ipsec net'}</label></td><td style='text-align:right;'><select name='IPSEC_NET' style='width:16em;'>" if $show eq ''; + $show=1; + #Check if we have more than one REMOTE subnet in config + my @arr1 = split /|/, $ipsecconf{$key}[11]; + my $cnt1 += @arr1; + + print"<option value=$ipsecconf{$key}[1]>"; + print"$ipsecconf{$key}[1]"; + print" ($Lang::tr{'fwdfw all subnets'})" if $cnt1 > 1; #If this Conenction has more than one subnet, print one option for all subnets + print"</option>"; + + if ($cnt1 > 1){ + foreach my $val (@arr1){ + #normalize subnet to cidr notation + my ($val1,$val2) = split ///, $val; + my $val3 = &General::iporsubtocidr($val2); + print "<option "; + print "value='$ipsecconf{$key}[1]|$val1/$val3'"; + print ">$ipsecconf{$key}[1] ($val1/$val3)</option>"; + } + } } } print"</select></td></tr>"; 
@@ -2116,14 +2122,15 @@ sub viewtablegrp print "<td width='39%' align='left' $col>"; if($customgrp{$key}[3] eq 'Standard Network'){ print &get_name($customgrp{$key}[2])."</td>"; + }elsif($customgrp{$key}[3] eq "IpSec Network" && $customgrp{$key}[2] =~ /|/){ + my ($a,$b) = split /|/, $customgrp{$key}[2]; + print "$a</td>"; }else{ print "$customgrp{$key}[2]</td>"; } if ($ip eq '' && $customgrp{$key}[2] ne $Lang::tr{'fwhost err emptytable'}){ print "<td align='center' $col>$Lang::tr{'fwhost deleted'}</td><td align='center' $col>$Lang::tr{'fwhost '.$customgrp{$key}[3]}</td><td width='1%' $col><form method='post'>"; }else{ - my ($colip,$colsub) = split("/",$ip); - $ip="$colip/".&General::iporsubtocidr($colsub) if ($colsub); print"<td align='center' $col>".&getcolor($ip)."</td><td align='center' $col>$Lang::tr{'fwhost '.$customgrp{$key}[3]}</td><td width='1%' $col><form method='post'>"; } if ($delflag > 0 && $ip ne ''){ @@ -2896,7 +2903,23 @@ sub getipforgroup if ($type eq 'IpSec Network'){ foreach my $key (keys %ipsecconf) { if ($ipsecconf{$key}[1] eq $name){ - return $ipsecconf{$key}[11]; + if ($ipsecconf{$key}[11] =~ /|/) { + my $string; + my @parts = split /|/ , $ipsecconf{$key}[11]; + foreach my $key1 (@parts){ + my ($val1,$val2) = split (///, $key1); + my $val3 = &Network::convert_netmask2prefix($val2) || $val2; + $string .= "$val1/$val3<br>"; + } + return $string; + }else{ + return $ipsecconf{$key}[11]; + } + }else{ + if ($name =~ /|/) { + my ($a,$b) = split /|/, $name; + return $b; + } } } &deletefromgrp($name,$configgrp); @@ -2917,7 +2940,7 @@ sub getipforgroup foreach my $key (keys %ccdhost) { if($ccdhost{$key}[1] eq $name){ my ($a,$b) = split ("/",$ccdhost{$key}[11]); - $b=&General::iporsubtodec($b); + $b=&Network::convert_netmask2prefix($b) || ($b); return "$a/$b"; } } 
@@ -2929,7 +2952,7 @@ sub getipforgroup foreach my $key (keys %ccdhost) { if($ccdhost{$key}[1] eq $name){ my ($a,$b) = split (///,$ccdhost{$key}[33]); - $b=&General::iporsubtodec($b); + $b=&Network::convert_netmask2prefix($b) || ($b) ; return "$a/$b"; } } @@ -2941,7 +2964,7 @@ sub getipforgroup foreach my $key (keys %ccdnet) { if ($ccdnet{$key}[0] eq $name){ my ($a,$b) = split (///,$ccdnet{$key}[1]); - $b=&General::iporsubtodec($b); + $b=&Network::convert_netmask2prefix($b) || ($b); return "$a/$b"; } } @@ -2961,7 +2984,7 @@ sub getipforgroup if ($type eq 'Custom Network'){ foreach my $key (keys %customnetwork) { if($customnetwork{$key}[0] eq $name){ - return $customnetwork{$key}[1]."/".$customnetwork{$key}[2]; + return $customnetwork{$key}[1]."/".&Network::convert_netmask2prefix($customnetwork{$key}[2]) || $customnetwork{$key}[2]; } } } @@ -2976,20 +2999,20 @@ sub getipforgroup if ($name eq 'GREEN'){ my %hash=(); &General::readhash("${General::swroot}/ethernet/settings",%hash); - return $hash{'GREEN_NETADDRESS'}."/".$hash{'GREEN_NETMASK'}; + return $hash{'GREEN_NETADDRESS'}."/".&Network::convert_netmask2prefix($hash{'GREEN_NETMASK'}) || $hash{'GREEN_NETMASK'}; } if ($name eq 'BLUE'){ my %hash=(); &General::readhash("${General::swroot}/ethernet/settings",%hash); - return $hash{'BLUE_NETADDRESS'}."/".$hash{'BLUE_NETMASK'}; + return $hash{'BLUE_NETADDRESS'}."/".&Network::convert_netmask2prefix($hash{'BLUE_NETMASK'}) || $hash{'BLUE_NETMASK'}; } if ($name eq 'ORANGE'){ my %hash=(); &General::readhash("${General::swroot}/ethernet/settings",%hash); - return $hash{'ORANGE_NETADDRESS'}."/".$hash{'ORANGE_NETMASK'}; + return $hash{'ORANGE_NETADDRESS'}."/".&Network::convert_netmask2prefix($hash{'ORANGE_NETMASK'}) || $hash{'ORANGE_NETMASK'}; } if ($name eq 'ALL'){ - return "0.0.0.0/0.0.0.0"; + return "0.0.0.0/0"; } if ($name =~ /IPsec/i){ my %hash=();
Hello,
I have tested this patchset and can confirm it is working correctly. It solves https://bugzilla.ipfire.org/show_bug.cgi?id=11559 by adding the ability to select networks announced via IPsec N2N connections for firewall rules or network groups.
Best regards, Peter Müller
When creating firewallrules or using firewall groups, it should be possible to select a single IpSec subnet if there is more than one.
This patch adds a new languagefileword "fwdfw all subnets" which is used in firewall.cgi and fwhosts.cgi
langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 2 files changed, 2 insertions(+)
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 07bef90..9cc345a 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1065,6 +1065,7 @@
 'fwdfw additional' => 'Weitere Einstellungen',
 'fwdfw addrule' => 'Regel hinzufügen/ändern:',
 'fwdfw all icmp' => 'Alle ICMP-Typen',
+'fwdfw all subnets' => 'Alle Subnetze',
 'fwdfw change' => 'Aktualisieren',
 'fwdfw copy' => 'Kopieren',
 'fwdfw delete' => 'Löschen',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index a343b3b..60747f7 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1092,6 +1092,7 @@
 'fwdfw additional' => 'Additional settings',
 'fwdfw addrule' => 'Add/Edit rule:',
 'fwdfw all icmp' => 'All ICMP types',
+'fwdfw all subnets' => 'All subnets',
 'fwdfw change' => 'Update',
 'fwdfw copy' => 'Copy',
 'fwdfw delete' => 'Delete',
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Hi Peter,
could you please add the appropriate tags to the patches?
Best, - -Michael
On Sun, 2018-05-06 at 22:02 +0200, Peter Müller wrote:
Hello,
I have tested this patchset and can confirm it is working correctly. It solves https://bugzilla.ipfire.org/show_bug.cgi?id=11559 by adding the ability to select networks announced via IPsec N2N connections for firewall rules or network groups.
Best regards, Peter Müller
When creating firewallrules or using firewall groups, it should be possible to select a single IpSec subnet if there is more than one.
This patch adds a new languagefileword "fwdfw all subnets" which is used in firewall.cgi and fwhosts.cgi
langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 2 files changed, 2 insertions(+)
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 07bef90..9cc345a 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1065,6 +1065,7 @@
 'fwdfw additional' => 'Weitere Einstellungen',
 'fwdfw addrule' => 'Regel hinzufügen/ändern:',
 'fwdfw all icmp' => 'Alle ICMP-Typen',
+'fwdfw all subnets' => 'Alle Subnetze',
 'fwdfw change' => 'Aktualisieren',
 'fwdfw copy' => 'Kopieren',
 'fwdfw delete' => 'Löschen',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index a343b3b..60747f7 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1092,6 +1092,7 @@
 'fwdfw additional' => 'Additional settings',
 'fwdfw addrule' => 'Add/Edit rule:',
 'fwdfw all icmp' => 'All ICMP types',
+'fwdfw all subnets' => 'All subnets',
 'fwdfw change' => 'Update',
 'fwdfw copy' => 'Copy',
 'fwdfw delete' => 'Delete',
Hello Michael,
done. I also added the missing "Signed-off-by..."-tags; hope Alexander does not mind.
Best regards, Peter Müller
Hi Peter,
could you please add the appropriate tags to the patches?
Best, -Michael
On Sun, 2018-05-06 at 22:02 +0200, Peter Müller wrote:
Hello,
I have tested this patchset and can confirm it is working correctly. It solves https://bugzilla.ipfire.org/show_bug.cgi?id=11559 by adding the ability to select networks announced via IPsec N2N connections for firewall rules or network groups.
Best regards, Peter Müller
When creating firewallrules or using firewall groups, it should be possible to select a single IpSec subnet if there is more than one.
This patch adds a new languagefileword "fwdfw all subnets" which is used in firewall.cgi and fwhosts.cgi
langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 2 files changed, 2 insertions(+)
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 07bef90..9cc345a 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1065,6 +1065,7 @@
 'fwdfw additional' => 'Weitere Einstellungen',
 'fwdfw addrule' => 'Regel hinzufügen/ändern:',
 'fwdfw all icmp' => 'Alle ICMP-Typen',
+'fwdfw all subnets' => 'Alle Subnetze',
 'fwdfw change' => 'Aktualisieren',
 'fwdfw copy' => 'Kopieren',
 'fwdfw delete' => 'Löschen',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index a343b3b..60747f7 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1092,6 +1092,7 @@
 'fwdfw additional' => 'Additional settings',
 'fwdfw addrule' => 'Add/Edit rule:',
 'fwdfw all icmp' => 'All ICMP types',
+'fwdfw all subnets' => 'All subnets',
 'fwdfw change' => 'Update',
 'fwdfw copy' => 'Copy',
 'fwdfw delete' => 'Delete',
When creating firewallrules or using firewall groups, it should be possible to select a single IpSec subnet if there is more than one.
This patch adds a new languagefileword "fwdfw all subnets" which is used in firewall.cgi and fwhosts.cgi Signed-off-by: Alexander Marx alexander.marx@ipfire.org Tested-by: Peter Müller peter.mueller@link38.eu --- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 2 files changed, 2 insertions(+)
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 07bef90..9cc345a 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1065,6 +1065,7 @@
 'fwdfw additional' => 'Weitere Einstellungen',
 'fwdfw addrule' => 'Regel hinzufügen/ändern:',
 'fwdfw all icmp' => 'Alle ICMP-Typen',
+'fwdfw all subnets' => 'Alle Subnetze',
 'fwdfw change' => 'Aktualisieren',
 'fwdfw copy' => 'Kopieren',
 'fwdfw delete' => 'Löschen',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index a343b3b..60747f7 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1092,6 +1092,7 @@
 'fwdfw additional' => 'Additional settings',
 'fwdfw addrule' => 'Add/Edit rule:',
 'fwdfw all icmp' => 'All ICMP types',
+'fwdfw all subnets' => 'All subnets',
 'fwdfw change' => 'Update',
 'fwdfw copy' => 'Copy',
 'fwdfw delete' => 'Delete',