From patchwork Mon Apr 30 16:12:00 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Alexander Marx <alexander.marx@ipfire.org>
X-Patchwork-Id: 1735
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (unknown [172.28.1.200])
	by web02.i.ipfire.org (Postfix) with ESMTP id 17A0D60573
	for <patchwork@web02.i.ipfire.org>;
	Mon, 30 Apr 2018 08:12:11 +0200 (CEST)
Received: from mail01.i.ipfire.org (localhost [IPv6:::1])
	by mail01.ipfire.org (Postfix) with ESMTP id C7F671109335;
	Mon, 30 Apr 2018 07:12:09 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801;
	t=1525068730;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	message-id:message-id:to:to:cc:mime-version:content-type:
	content-transfer-encoding:in-reply-to:references:list-id:
	list-unsubscribe:list-subscribe:list-post;
	bh=bcvYyBt8X4K80PTNo6ftz3B7zrq87EOJJ+M3/ArC2+Q=;
	b=ldkBjcbzOroX7YvWF/CREFllg5AtR2N+QzAFk2/aztBzw8Midy90bHWK7xljqcV9MAJ3ES
	tI6w+emAHxv1PTlF2beglwwcH5yQpG0TkvG3SR/EZbSH1kAWY0jZTnvqNUog8Zl1fnPxRG
	wJC/OPVZDnTPSkdcMrdq56/oV30YfR6dJN8Z2MFwAhdiKUpk1c4PC51PUzFVgoDLchMo4O
	e5byKQ0E0DIIb23nW+lN5SfKcae+NkGR16Y3btq49rasXqwcl5tPMkhRQsEzjYw9cch3x6
	MF2FSiCdrzhomRog6RJyKmYZFGWOuReu9bo/Wqqkr0fRuW4XpGv3vvBy4eHYCw==
Authentication-Results: auth=pass smtp.auth=amarx
	smtp.mailfrom=alexander.marx@ipfire.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801;
	t=1525068728;
	h=from:from:sender:reply-to:subject:subject:date:date:
	message-id:message-id:to:to:cc:cc:mime-version:content-type:
	content-transfer-encoding:in-reply-to:references;
	bh=bcvYyBt8X4K80PTNo6ftz3B7zrq87EOJJ+M3/ArC2+Q=;
	b=YquwEeefxw1jI508Y+uzoPKLc7M58iHqy1QPWgCg2jexPly/XQZpZUMtQKS4nTJtJv7CTl
	11r6vx925E9WwmpVPxW2zgmkIgyiSajeS7UajJTxIgwDGKIK//9/fmO2XCH+VKu3bwnD8a
	0rTTlyatiu5oM97LS1Hm2tkR2PlLmNK3Sy/SFxbENthDxLvgyoJSvzy+kgiSxPar8N3jTt
	kUKQ+VQ9astIbHHbPKwSdJmo7cyqGbJSrRS8JVk6wtZVP0xNO+95hTxvEWK/i+pGExXH59
	z7HScYRkEPjeNN4iPx8M2iAo3EVCb2ozmUDW0OF5B5IFPoD4CruxNrQd4uD+Kg==
ARC-Authentication-Results: i=1; auth=pass smtp.auth=amarx
	smtp.mailfrom=alexander.marx@ipfire.org
ARC-Seal: i=1; s=201801; d=ipfire.org; t=1525068728; a=rsa-sha256; cv=none;
	b=yFK5CvFuR1iHi+gmNF8hsiVaBM7S44PRWfyaZaCGF5xBC4f2OE3CMc4aSDC8bsHf/tXoLT6xNAOYegrhoz0ymhpzik1McasJj1q0P/S/gB+GF15oux6PzVIP1eVtjeEVhv/zIMOoao36rsTOcmRtzDnpUCi1Qfk4IU+CjXVgxbLGDSkoHi6NVBjpEZLPyWnT4BU0D0MP0KJGYossdpjPhvFt95awNBQ8qXfuFzZaCya0C3mKUOsDFhso3Kr36D2hOC86MTMl3OHSJJStJdiwowiaPcKBtKJRiJB97z2SsfXyty41dHBdPVdIHBnNk7gBiuRNVopkYY2UvySWBOdN3Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
	s=201801; t=1525068728;
	h=from:from:sender:reply-to:subject:subject:date:date:
	message-id:message-id:to:to:cc:cc:mime-version:content-type:
	content-transfer-encoding:in-reply-to:references;
	bh=bcvYyBt8X4K80PTNo6ftz3B7zrq87EOJJ+M3/ArC2+Q=;
	b=q6biCJJVyPFWwh+AZ56BdHDU69e55LhNslwn1jjr0fH8YyzNrgN611WIbFbMOn4ZeyzFda
	maBwgrGI8Gk//NliQnibzTSyGwl5CWhxdWWp/5zoNGu+EEoJh0pG/nboaQlNlfkXWq61pS
	kQmnnl9klFe715Plicpg84drem2OKRIShbAFZtGa9KEerUbjSp+aJ9UzcRc8kVD5w08IQf
	Z8OLn2jd9EkTtVq+m67vBamFEYh+FvZ6hSTysIsZpfNCq78aiDDTIgFU0qIhPrybbsGpjd
	nw2uvq119/ZPhaPP7Ewg1AXY6LU+QwpdLKuohH5ZL0V44yWV43KKN8YmhRcD9A==
Received: from EDV1.kappeln2011.lan (unknown [90.187.3.157])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits))
	(Client did not present a certificate)
	by mail01.ipfire.org (Postfix) with ESMTPSA id 06A3A105FDFC;
	Mon, 30 Apr 2018 07:12:07 +0100 (BST)
From: Alexander Marx <alexander.marx@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] BUG11559: There was no possibillity to select single IpSec
	subnets (if any) in the firewall creation site. Now the dropdown
	for IpSec is adapted to reflect the single TARGET subnets.
Date: Mon, 30 Apr 2018 08:12:00 +0200
Message-Id: <1525068720-8894-1-git-send-email-alexander.marx@ipfire.org>
X-Mailer: git-send-email 2.7.4
X-Spamd-Result: default: False [-2.10 / 11.00]; MID_CONTAINS_FROM(1.00)[];
	RCVD_COUNT_ZERO(0.00)[0]; FROM_HAS_DN(0.00)[];
	TO_DN_SOME(0.00)[]; DKIM_SIGNED(0.00)[]; ARC_SIGNED(0.00)[i=1];
	BAYES_HAM(-3.00)[100.00%]; TO_MATCH_ENVRCPT_ALL(0.00)[];
	FROM_EQ_ENVFROM(0.00)[]; MIME_GOOD(-0.10)[text/plain];
	ARC_NA(0.00)[]; RCPT_COUNT_TWO(0.00)[2];
	ASN(0.00)[asn:31334, ipnet:90.187.0.0/16, country:DE];
	RCVD_TLS_ALL(0.00)[]
X-Spam-Status: No, score=-2.10
X-Rspamd-Server: mail01.i.ipfire.org
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
	<mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <https://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
	<mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

Another patch will follow to make these changes in the firewall groups with the language changes ("All subnets" instead of "all")

fixes: #11559
---
 config/firewall/firewall-lib.pl | 19 +++++++++++++++----
 html/cgi-bin/firewall.cgi       | 36 +++++++++++++++++++++++++++++++++---
 2 files changed, 48 insertions(+), 7 deletions(-)

diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
index eabd9a4..668eb9e 100644
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -150,6 +150,9 @@ sub get_ipsec_net_ip
 	my $val=shift;
 	my $field=shift;
 	foreach my $key (sort {$a <=> $b} keys %ipsecconf){
+		#adapt $val to reflect real name without subnet (if rule with only one ipsec subnet is created)
+		my @tmpval = split (/\|/, $val);
+		$val = $tmpval[0];
 		if($ipsecconf{$key}[1] eq $val){
 			return $ipsecconf{$key}[$field];
 		}
@@ -390,10 +393,18 @@ sub get_address
 
 	# IPsec networks.
 	} elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) {
-		my $network_address = &get_ipsec_net_ip($value, 11);
-		my @nets = split(/\|/, $network_address);
-		foreach my $net (@nets) {
-			push(@ret, [$net, ""]);
+		#Check if we have multiple subnets and only want one of them
+		
+		if ( $value =~ /\|/ ){
+			my @parts = split(/\|/, $value);
+			push(@ret, [$parts[1], ""]);
+			
+		}else{
+			my $network_address = &get_ipsec_net_ip($value, 11);
+			my @nets = split(/\|/, $network_address);
+			foreach my $net (@nets) {
+				push(@ret, [$net, ""]);
+			}
 		}
 
 	# The firewall's own IP addresses.
diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
index face0f4..65e43a1 100644
--- a/html/cgi-bin/firewall.cgi
+++ b/html/cgi-bin/firewall.cgi
@@ -1161,11 +1161,31 @@ END
 	#IPsec netze
 	foreach my $key (sort { ncmp($ipsecconf{$a}[1],$ipsecconf{$b}[1]) } keys %ipsecconf) {
 		if ($ipsecconf{$key}[3] eq 'net' || ($optionsfw{'SHOWDROPDOWN'} eq 'on' && $ipsecconf{$key}[3] ne 'host')){
-			print"<tr><td valign='top'><input type='radio' name='$grp' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'>" if ($show eq '');
+			print"<tr><td valign='top'><input type='radio' name='$grp' id='ipsec_net_$srctgt' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'>" if ($show eq '');
 			$show='1';
+
+			#Check if we have more than one REMOTE subnet in config
+			my @arr1 = split /\|/, $ipsecconf{$key}[11];
+			my $cnt1 += @arr1;
+
 			print "<option ";
-			print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $ipsecconf{$key}[1]);
-			print ">$ipsecconf{$key}[1]</option>";
+			print "value=$ipsecconf{$key}[1]";
+			print " selected " if ($fwdfwsettings{$fwdfwsettings{$grp}} eq "$ipsecconf{$key}[1]");
+			print ">$ipsecconf{$key}[1] ";
+			print "$Lang::tr{'all'}" if $cnt1 > 1; #If this Conenction has more than one subnet, print one option for all subnets
+			print "</option>";
+
+			if ($cnt1 > 1){
+				foreach my $val (@arr1){
+					#normalize subnet to cidr notation
+					my ($val1,$val2) = split /\//, $val;
+					my $val3 = &General::iporsubtocidr($val2);
+					print "<option ";
+					print "value='$ipsecconf{$key}[1]|$val1/$val3'";
+					print "selected " if ($fwdfwsettings{$fwdfwsettings{$grp}} eq "$ipsecconf{$key}[1]|$val1/$val3");
+					print ">$ipsecconf{$key}[1] $val1/$val3</option>";
+				}
+			}
 		}
 	}
 	if($optionsfw{'SHOWDROPDOWN'} eq 'on' && $show eq ''){
@@ -2575,6 +2595,11 @@ END
 			#SOURCE
 			my $ipfireiface;
 			&getcolor($$hash{$key}[3],$$hash{$key}[4],\%customhost);
+			# Check SRC Host and replace "|" with space
+			if ($$hash{$key}[4] =~ /\|/){
+				$$hash{$key}[4] =~ s/\|/ (/g;
+				$$hash{$key}[4] = $$hash{$key}[4].")";
+			}
 			print"<td align='center' width='30%' $tdcolor>";
 			if ($$hash{$key}[3] eq 'ipfire_src'){
 				$ipfireiface=$Lang::tr{'fwdfw iface'};
@@ -2640,6 +2665,11 @@ END
 			print<<END;
 					<td align='center' $tdcolor>
 END
+			# Check TGT Host and replace "|" with space
+			if ($$hash{$key}[6] =~ /\|/){
+				$$hash{$key}[6] =~ s/\|/ (/g;
+				$$hash{$key}[6] = $$hash{$key}[6].")";
+			}
 			#Is this a DNAT rule?
 			my $natstring;
 			if ($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){