From patchwork Wed May 2 21:27:06 2018
X-Patchwork-Submitter: Alexander Marx
X-Patchwork-Id: 1744
From: Alexander Marx
To: development@lists.ipfire.org
Subject: [PATCH 3/4] BUG11559: firewall-lib
Date: Wed, 2 May 2018 13:27:06 +0200
Message-Id: <1525260427-6695-3-git-send-email-alexander.marx@ipfire.org>
In-Reply-To: <1525260427-6695-1-git-send-email-alexander.marx@ipfire.org>
References: <1525260427-6695-1-git-send-email-alexander.marx@ipfire.org>

When creating firewall rules or using firewall groups, it should be
possible to select a single IpSec subnet if there is more than one.

This patch has the necessary changes for the firewall-lib.

While the network name of the IpSec changes on save (subnet is added to name)
we need to split the name or normalise the field before using it.

Signed-off-by: Alexander Marx Tested-by: Peter Müller --- config/firewall/firewall-lib.pl | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl index eabd9a4..9b7f55c 100644 --- a/config/firewall/firewall-lib.pl +++ b/config/firewall/firewall-lib.pl @@ -150,6 +150,9 @@ sub get_ipsec_net_ip my $val=shift; my $field=shift; foreach my $key (sort {$a <=> $b} keys %ipsecconf){ + #adapt $val to reflect real name without subnet (if rule with only one ipsec subnet is created) + my @tmpval = split (/\|/, $val); + $val = $tmpval[0]; if($ipsecconf{$key}[1] eq $val){ return $ipsecconf{$key}[$field]; } @@ -390,10 +393,16 @@ sub get_address # IPsec networks. } elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) { - my $network_address = &get_ipsec_net_ip($value, 11); - my @nets = split(/\|/, $network_address); - foreach my $net (@nets) { - push(@ret, [$net, ""]); + #Check if we have multiple subnets and only want one of them + if ( $value =~ /\|/ ){ + my @parts = split(/\|/, $value); + push(@ret, [$parts[1], ""]); + }else{ + my $network_address = &get_ipsec_net_ip($value, 11); + my @nets = split(/\|/, $network_address); + foreach my $net (@nets) { + push(@ret, [$net, ""]); + } } # The firewall's own IP addresses.
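
Review bot: In the get_ipsec_net_ip hunk, the split and the reassignment of $val sit inside the foreach over %ipsecconf, so the same loop-invariant normalisation runs once per configured connection. Move it above the loop, for example as `($val) = split(/\|/, $val, 2);`, and handle the case where $val is empty: split then returns an empty list, $tmpval[0] is undef, and the `eq` comparison against $ipsecconf{$key}[1] runs on an undefined value. The comment should also say that the expected input is "name|subnet", since that format is only implied by the split.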
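
Review bot: In the get_address hunk, the `if ( $value =~ /\|/ )` branch pushes $parts[1] into @ret as the rule address without checking it against the connection's configured subnets or confirming that it is a network at all. A value such as "name|" leaves $parts[1] undefined and still pushes an entry, and any text after the first pipe becomes the address, even if the tunnel named in $parts[0] no longer exists or no longer carries that subnet. Consider resolving the connection first with `&get_ipsec_net_ip($parts[0], 11)`, splitting that result as the else branch does, and pushing $parts[1] only when it matches one of those entries, so a stale or malformed stored rule does not produce a rule for an address the tunnel does not have.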