From patchwork Wed May  2 21:27:04 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Alexander Marx <alexander.marx@ipfire.org>
X-Patchwork-Id: 1742
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (unknown [172.28.1.200])
	by web02.i.ipfire.org (Postfix) with ESMTP id 3407B60366
	for <patchwork@web02.i.ipfire.org>;
	Wed,  2 May 2018 13:27:15 +0200 (CEST)
Received: from mail01.i.ipfire.org (localhost [IPv6:::1])
	by mail01.ipfire.org (Postfix) with ESMTP id A47DB10F8DDB;
	Wed,  2 May 2018 12:27:14 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801;
	t=1525260435;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	message-id:message-id:to:to:cc:mime-version:mime-version:
	content-type:content-type:
	content-transfer-encoding:content-transfer-encoding:in-reply-to:
	references:list-id:list-unsubscribe:list-subscribe:list-post;
	bh=AtImVb2otc+nl6Gdc8DJNPiMmsQx/MAokB3t6wUliOk=;
	b=ERAAWjgmrQVlutX5DsEj7oIaIvsYxiwcxIuwZpBrHmkKu+1/ZcG6Ygq8wSYeR4r42S+SJj
	2xefzF4Digh2CJYALWNeCjgQWRGVd4jnz67PsbX477rDrXvtQTlGvKM8Sd9sEHL5s1XEYH
	l5HhaBVHXxUhhUxbZmH3Ncgulfg5U6RoYzg+pozEr8L9XCF/lQG18+QuCxbBZQC5yXcYDU
	AkZkpdrh7wyBmlh/KAx8aPh4R1Dx4RjQ0YuRJibI2RopaIGRglRBnweoHYOzYtckr1t7j4
	9o9+HTXYuWdxdTZN/gpVSyEamqXWurBWh/akxFrnf0Z4lFN4On5HttaXarY8IA==
Authentication-Results: auth=pass smtp.auth=amarx
	smtp.mailfrom=alexander.marx@ipfire.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801;
	t=1525260431;
	h=from:from:sender:reply-to:subject:subject:date:date:
	message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	content-type:content-type:
	content-transfer-encoding:content-transfer-encoding:in-reply-to:
	references; bh=AtImVb2otc+nl6Gdc8DJNPiMmsQx/MAokB3t6wUliOk=;
	b=ndz0QB/oeDPov0h5zUZIKQWW/wLWz8mLKV4Fu9qP9Yjd2J1XElPrgHIhrKf3EXJfrsDozI
	9+iremwBAoe0W4vkJKvi4zXqP5P+pYkINWdw3i2heudM+Mn1ymiTuXnzBgGJLAkXcE+S3S
	/2aPA54X3eWVBdt0yh6oUoPb3kn55WdG5pvuR+0l7Pibpc7a+d36hQixcDft9OKHgRaXgp
	N1aYo3oKwcfyrfIYR4vLS/XUF//MnGfgA7/XvNqd2h/sas02smV2fSkCPn/eUmAlwC4FNl
	c0XVXOSopT82CXfmbWyVrkZB0ziRmy1pEjyQEovHmy5PrtFvc9csEuVhx+Jf+A==
Received: from EDV1.kappeln2011.lan
	(business-90-187-3-157.pool2.vodafone-ip.de [90.187.3.157])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits))
	(Client did not present a certificate)
	by mail01.ipfire.org (Postfix) with ESMTPSA id BA38510F8DD7;
	Wed,  2 May 2018 12:27:10 +0100 (BST)
From: Alexander Marx <alexander.marx@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 1/4] BUG11559: Languagefiles
Date: Wed,  2 May 2018 13:27:04 +0200
Message-Id: <1525260427-6695-1-git-send-email-alexander.marx@ipfire.org>
X-Mailer: git-send-email 2.7.4
MIME-Version: 1.0
X-Spamd-Result: default: False [-3.34 / 11.00]; MID_CONTAINS_FROM(1.00)[];
	RCVD_COUNT_ZERO(0.00)[0]; FROM_HAS_DN(0.00)[];
	TO_DN_SOME(0.00)[]; DKIM_SIGNED(0.00)[];
	BAYES_HAM(-3.00)[100.00%]; TO_MATCH_ENVRCPT_ALL(0.00)[];
	FROM_EQ_ENVFROM(0.00)[]; MIME_GOOD(-0.10)[text/plain];
	ARC_NA(0.00)[]; RCPT_COUNT_TWO(0.00)[2];
	ASN(0.00)[asn:31334, ipnet:90.187.0.0/16, country:DE];
	NEURAL_HAM(-1.24)[-0.413,0]; RCVD_TLS_ALL(0.00)[]
X-Spam-Status: No, score=-3.34
X-Rspamd-Server: mail01.i.ipfire.org
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
	<mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <https://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
	<mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

When creating firewallrules or using firewall groups,
it should be possible to select a single IpSec subnet if there is more than one.

This patch adds a new languagefileword "fwdfw all subnets" which is used in firewall.cgi and fwhosts.cgi
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Tested-by: Peter Müller <peter.mueller@link38.eu>
---
 langs/de/cgi-bin/de.pl | 1 +
 langs/en/cgi-bin/en.pl | 1 +
 2 files changed, 2 insertions(+)

diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 07bef90..9cc345a 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1065,6 +1065,7 @@
 'fwdfw additional' => 'Weitere Einstellungen',
 'fwdfw addrule' => 'Regel hinzufügen/ändern:',
 'fwdfw all icmp' => 'Alle ICMP-Typen',
+'fwdfw all subnets' => 'Alle Subnetze',
 'fwdfw change' => 'Aktualisieren',
 'fwdfw copy' => 'Kopieren',
 'fwdfw delete' => 'Löschen',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index a343b3b..60747f7 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1092,6 +1092,7 @@
 'fwdfw additional' => 'Additional settings',
 'fwdfw addrule' => 'Add/Edit rule:',
 'fwdfw all icmp' => 'All ICMP types',
+'fwdfw all subnets' => 'All subnets',
 'fwdfw change' => 'Update',
 'fwdfw copy' => 'Copy',
 'fwdfw delete' => 'Delete',

From patchwork Wed May  2 21:27:05 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Alexander Marx <alexander.marx@ipfire.org>
X-Patchwork-Id: 1743
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (unknown [172.28.1.200])
	by web02.i.ipfire.org (Postfix) with ESMTP id CA3EA60366
	for <patchwork@web02.i.ipfire.org>;
	Wed,  2 May 2018 13:27:30 +0200 (CEST)
Received: from mail01.i.ipfire.org (localhost [IPv6:::1])
	by mail01.ipfire.org (Postfix) with ESMTP id 877C510F8DE2;
	Wed,  2 May 2018 12:27:30 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801;
	t=1525260450;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	message-id:message-id:to:to:cc:mime-version:content-type:
	content-transfer-encoding:in-reply-to:in-reply-to:
	references:references:list-id:list-unsubscribe:list-subscribe:list-post;
	bh=VeM8H+p7NIhMA4P21krcpb5VfbEkXhtrWMO5ILwxUsI=;
	b=SNx+hdbQUL/6qeTySs5UvAXPa/+rKXvVmUI0XtD1JQVtwh+VDDw1kV0jJsJtc01iyWLiOK
	y2tLuM+yGVJgp51i7Bxk/RbVcHr4tUTuo1TCNMa7p2FMX5hF0spG9dGTWxakoaSqKF2jkH
	E9Br3XiiTKx43fn4l3+7IschM3GzX8nNeSIRb009YjA3pdGG5XxTVJu1MyePeH4AS97sRc
	6aK/bpmdfq/Ijt3Y7caBJhp9sTYGre9c7MPJ0tr815jEPoTtfB6rlfTO4v1pU2fnlleRQ5
	uCPGve0mmm/pHtkQ9bX4diO6VqX0jcsN0nda1iIxNZBbOEeuwj2pi948m/c8Pg==
Authentication-Results: auth=pass smtp.auth=amarx
	smtp.mailfrom=alexander.marx@ipfire.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801;
	t=1525260435;
	h=from:from:sender:reply-to:subject:subject:date:date:
	message-id:message-id:to:to:cc:cc:mime-version:content-type:
	content-transfer-encoding:in-reply-to:in-reply-to: references:references;
	bh=VeM8H+p7NIhMA4P21krcpb5VfbEkXhtrWMO5ILwxUsI=;
	b=Pb9wklr9hiBp+/MXEH0PTxd7xzTuAmx2f4oPXo3PuKiYXWPhN2ByqkIyEcF2rjtUsOZyR0
	cR5B7C+Ib8uBbCcuw/45XEfPeDCiSncuwfB+dhPwx5HIW1o44g4OWoIyzIjjJ7vowZ6pil
	5ZtrYTb1NCBvt8dZ7TBWvalpnyE+sYTpWkR4pV9fqyNVdWybRMYDoT2n1WsuyO4kr1gP17
	fWMf5xVvIQiktJi27VXEc09CZUqNonmnEEiy9bV0gNMi1u9jOS170ooLX6qpFCkB0lqdWP
	mROYnDT+KHAjQ7pqwVDUzzRCeZRWQkHOZ07ZUWCysz8z0zNgQeMWwlC0JsU3xg==
Received: from EDV1.kappeln2011.lan
	(business-90-187-3-157.pool2.vodafone-ip.de [90.187.3.157])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits))
	(Client did not present a certificate)
	by mail01.ipfire.org (Postfix) with ESMTPSA id 41D9B10F8DDE;
	Wed,  2 May 2018 12:27:15 +0100 (BST)
From: Alexander Marx <alexander.marx@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 2/4] BUG11559: firewall.cgi
Date: Wed,  2 May 2018 13:27:05 +0200
Message-Id: <1525260427-6695-2-git-send-email-alexander.marx@ipfire.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1525260427-6695-1-git-send-email-alexander.marx@ipfire.org>
References: <1525260427-6695-1-git-send-email-alexander.marx@ipfire.org>
X-Spamd-Result: default: False [-6.89 / 11.00]; MID_CONTAINS_FROM(1.00)[];
	RCVD_COUNT_ZERO(0.00)[0]; FROM_HAS_DN(0.00)[];
	TO_DN_SOME(0.00)[]; DKIM_SIGNED(0.00)[];
	BAYES_HAM(-3.00)[100.00%]; REPLY(-2.00)[];
	TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_EQ_ENVFROM(0.00)[];
	MIME_GOOD(-0.10)[text/plain]; ARC_NA(0.00)[];
	RCPT_COUNT_TWO(0.00)[2];
	ASN(0.00)[asn:31334, ipnet:90.187.0.0/16, country:DE];
	NEURAL_HAM(-2.79)[-0.929,0]; RCVD_TLS_ALL(0.00)[]
X-Spam-Status: No, score=-6.89
X-Rspamd-Server: mail01.i.ipfire.org
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
	<mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <https://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
	<mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

When creating firewallrules or using firewall groups,
it should be possible to select a single IpSec subnet if there is more than one.

This patch has the changes for firewall.cgi
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Tested-by: Peter Müller <peter.mueller@link38.eu>
---
 html/cgi-bin/firewall.cgi | 36 +++++++++++++++++++++++++++++++++---
 1 file changed, 33 insertions(+), 3 deletions(-)

diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
index face0f4..499f279 100644
--- a/html/cgi-bin/firewall.cgi
+++ b/html/cgi-bin/firewall.cgi
@@ -1161,11 +1161,31 @@ END
 	#IPsec netze
 	foreach my $key (sort { ncmp($ipsecconf{$a}[1],$ipsecconf{$b}[1]) } keys %ipsecconf) {
 		if ($ipsecconf{$key}[3] eq 'net' || ($optionsfw{'SHOWDROPDOWN'} eq 'on' && $ipsecconf{$key}[3] ne 'host')){
-			print"<tr><td valign='top'><input type='radio' name='$grp' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'>" if ($show eq '');
+			print"<tr><td valign='top'><input type='radio' name='$grp' id='ipsec_net_$srctgt' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'>" if ($show eq '');
 			$show='1';
+
+			#Check if we have more than one REMOTE subnet in config
+			my @arr1 = split /\|/, $ipsecconf{$key}[11];
+			my $cnt1 += @arr1;
+
 			print "<option ";
-			print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $ipsecconf{$key}[1]);
-			print ">$ipsecconf{$key}[1]</option>";
+			print "value=$ipsecconf{$key}[1]";
+			print " selected " if ($fwdfwsettings{$fwdfwsettings{$grp}} eq "$ipsecconf{$key}[1]");
+			print ">$ipsecconf{$key}[1] ";
+			print "($Lang::tr{'fwdfw all subnets'})" if $cnt1 > 1; #If this Conenction has more than one subnet, print one option for all subnets
+			print "</option>";
+
+			if ($cnt1 > 1){
+				foreach my $val (@arr1){
+					#normalize subnet to cidr notation
+					my ($val1,$val2) = split /\//, $val;
+					my $val3 = &General::iporsubtocidr($val2);
+					print "<option ";
+					print "value='$ipsecconf{$key}[1]|$val1/$val3'";
+					print "selected " if ($fwdfwsettings{$fwdfwsettings{$grp}} eq "$ipsecconf{$key}[1]|$val1/$val3");
+					print ">$ipsecconf{$key}[1] ($val1/$val3)</option>";
+				}
+			}
 		}
 	}
 	if($optionsfw{'SHOWDROPDOWN'} eq 'on' && $show eq ''){
@@ -2575,6 +2595,11 @@ END
 			#SOURCE
 			my $ipfireiface;
 			&getcolor($$hash{$key}[3],$$hash{$key}[4],\%customhost);
+			# Check SRC Host and replace "|" with space
+			if ($$hash{$key}[4] =~ /\|/){
+				$$hash{$key}[4] =~ s/\|/ (/g;
+				$$hash{$key}[4] = $$hash{$key}[4].")";
+			}
 			print"<td align='center' width='30%' $tdcolor>";
 			if ($$hash{$key}[3] eq 'ipfire_src'){
 				$ipfireiface=$Lang::tr{'fwdfw iface'};
@@ -2640,6 +2665,11 @@ END
 			print<<END;
 					<td align='center' $tdcolor>
 END
+			# Check TGT Host and replace "|" with space
+			if ($$hash{$key}[6] =~ /\|/){
+				$$hash{$key}[6] =~ s/\|/ (/g;
+				$$hash{$key}[6] = $$hash{$key}[6].")";
+			}
 			#Is this a DNAT rule?
 			my $natstring;
 			if ($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){

From patchwork Wed May  2 21:27:06 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Alexander Marx <alexander.marx@ipfire.org>
X-Patchwork-Id: 1744
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.ipfire.org
	[IPv6:2001:470:7183:25::1])
	by web02.i.ipfire.org (Postfix) with ESMTP id 5D7FD60366
	for <patchwork@web02.i.ipfire.org>;
	Wed,  2 May 2018 13:27:33 +0200 (CEST)
Received: from mail01.i.ipfire.org (localhost [IPv6:::1])
	by mail01.ipfire.org (Postfix) with ESMTP id 0BD4810F8DDE;
	Wed,  2 May 2018 12:27:33 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801;
	t=1525260453;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	message-id:message-id:to:to:cc:mime-version:content-type:
	content-transfer-encoding:in-reply-to:in-reply-to:
	references:references:list-id:list-unsubscribe:list-subscribe:list-post;
	bh=dJQX2lAwSLM1HspMbG5wLSIhLSA4qiJXvXZfSt2W5Zg=;
	b=qWSzwUYYTE9u25tSja9XcxRUviM6Zbn5POzB+90V6C4OOB9NkP6ELPG/63mGAYA1x5Assg
	nKTU2CGB9joqC9HXWy5vlPLk0UM5lCzE1fyPo3MDteP1fmIl0qYLlb9gen3T7IWj73Xama
	AVwB/E8MUhMrflbNZlnUNbQ6hRR2DfeIaroqLlBsyY5HkbA5CWsnAW4J4IlsxpHKUDlFp6
	w0vqb+JBbUG3weg9OqHHm01UBEZ0RjxxPUDUb2/lxavA3j6uakh7KSxcklopmqL0sfytqf
	27PVs0lcgznuNli5Fg+hyCn+jEWQaEbTSlPSe/6D0KhXgfLF8MDliZ/XfRVh9A==
Authentication-Results: auth=pass smtp.auth=amarx
	smtp.mailfrom=alexander.marx@ipfire.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801;
	t=1525260437;
	h=from:from:sender:reply-to:subject:subject:date:date:
	message-id:message-id:to:to:cc:cc:mime-version:content-type:
	content-transfer-encoding:in-reply-to:in-reply-to: references:references;
	bh=dJQX2lAwSLM1HspMbG5wLSIhLSA4qiJXvXZfSt2W5Zg=;
	b=VxEHtlVY/E5gmI6tV8NcBa/TwRCtNzYrPpXU1rraPH47T+y9EpnfoDsi5QeoQ9Flxz+uqm
	1xzUGK2NvChgYhONQa5EIm0PyzEJ//rXnvXFhlOv6dBEGmGF0DE7U2Zd/Ln4xHLAQuMuBb
	qXvW5aU5z/YWHf94/S8Z8LuZPwf8Bdlja6aC3UVq8FfY/j6g+MzAeCrcz8kq5LP2ldyQhk
	i8uvIZfDsv4eMz4Y81OBDFuYhRbDzGjGJwQtppYkXd5UNG2rK5lC6FvodqDD+uXgcTvmt5
	lP0KaaO8zgO60c7mmNkuId5pf4fO4ddExpEPN2wunEPNMXnDtcbZCF+k2VwLBA==
Received: from EDV1.kappeln2011.lan
	(business-90-187-3-157.pool2.vodafone-ip.de [90.187.3.157])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits))
	(Client did not present a certificate)
	by mail01.ipfire.org (Postfix) with ESMTPSA id 2723B10F8DD7;
	Wed,  2 May 2018 12:27:17 +0100 (BST)
From: Alexander Marx <alexander.marx@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 3/4] BUG11559: firewall-lib
Date: Wed,  2 May 2018 13:27:06 +0200
Message-Id: <1525260427-6695-3-git-send-email-alexander.marx@ipfire.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1525260427-6695-1-git-send-email-alexander.marx@ipfire.org>
References: <1525260427-6695-1-git-send-email-alexander.marx@ipfire.org>
X-Spamd-Result: default: False [-6.90 / 11.00]; MID_CONTAINS_FROM(1.00)[];
	RCVD_COUNT_ZERO(0.00)[0]; FROM_HAS_DN(0.00)[];
	TO_DN_SOME(0.00)[]; DKIM_SIGNED(0.00)[];
	BAYES_HAM(-3.00)[100.00%]; REPLY(-2.00)[];
	TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_EQ_ENVFROM(0.00)[];
	MIME_GOOD(-0.10)[text/plain]; ARC_NA(0.00)[];
	RCPT_COUNT_TWO(0.00)[2];
	ASN(0.00)[asn:31334, ipnet:90.187.0.0/16, country:DE];
	NEURAL_HAM(-2.80)[-0.934,0]; RCVD_TLS_ALL(0.00)[]
X-Spam-Status: No, score=-6.90
X-Rspamd-Server: mail01.i.ipfire.org
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
	<mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <https://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
	<mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

When creating firewallrules or using firewall groups,
it should be possible to select a single IpSec subnet if there is more than one.

This patch has neccessary changes for the firewall-lib. While the network name of the IpSec changes
on save (subnet is added to name) we need to split the name or normalise the field before using it.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Tested-by: Peter Müller <peter.mueller@link38.eu>
---
 config/firewall/firewall-lib.pl | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
index eabd9a4..9b7f55c 100644
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -150,6 +150,9 @@ sub get_ipsec_net_ip
 	my $val=shift;
 	my $field=shift;
 	foreach my $key (sort {$a <=> $b} keys %ipsecconf){
+		#adapt $val to reflect real name without subnet (if rule with only one ipsec subnet is created)
+		my @tmpval = split (/\|/, $val);
+		$val = $tmpval[0];
 		if($ipsecconf{$key}[1] eq $val){
 			return $ipsecconf{$key}[$field];
 		}
@@ -390,10 +393,16 @@ sub get_address
 
 	# IPsec networks.
 	} elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) {
-		my $network_address = &get_ipsec_net_ip($value, 11);
-		my @nets = split(/\|/, $network_address);
-		foreach my $net (@nets) {
-			push(@ret, [$net, ""]);
+		#Check if we have multiple subnets and only want one of them
+		if ( $value =~ /\|/ ){
+			my @parts = split(/\|/, $value);
+			push(@ret, [$parts[1], ""]);
+		}else{
+			my $network_address = &get_ipsec_net_ip($value, 11);
+			my @nets = split(/\|/, $network_address);
+			foreach my $net (@nets) {
+				push(@ret, [$net, ""]);
+			}
 		}
 
 	# The firewall's own IP addresses.

From patchwork Wed May  2 21:27:07 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Alexander Marx <alexander.marx@ipfire.org>
X-Patchwork-Id: 1745
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.ipfire.org
	[IPv6:2001:470:7183:25::1])
	by web02.i.ipfire.org (Postfix) with ESMTP id 6E9FF60366
	for <patchwork@web02.i.ipfire.org>;
	Wed,  2 May 2018 13:27:35 +0200 (CEST)
Received: from mail01.i.ipfire.org (localhost [IPv6:::1])
	by mail01.ipfire.org (Postfix) with ESMTP id 2D26910F8DD8;
	Wed,  2 May 2018 12:27:35 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801;
	t=1525260455;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	message-id:message-id:to:to:cc:mime-version:content-type:
	content-transfer-encoding:in-reply-to:in-reply-to:
	references:references:list-id:list-unsubscribe:list-subscribe:list-post;
	bh=kT17z9m7Hnhn9wqsUXszWzoo6HO5i3s84y4MsAq4jJ8=;
	b=emJiuy4XEB7vwaw2RNQNV7jl2CoabSHJXGrH5IpYS5m1aVLkx92QKp2F6b1LcbtkTy7ax7
	0eBInwyK1UudAhJNaVErthx3dbd0PQwK5isIBVRIuWaFvpJ8EAhbO1hamBlyd/m1NMJWJQ
	K/pnbAptmT7ZgwHgIDoSAGfneFmVgMrU3Z0CLBr9HYc2WEXa8meAldusY671KhSG5FakJ8
	+5MgyXdXdBGRx5mtSQknbzoYuqzVwRJz2dyD9zYrWA85rKoi435OXvskiZOXurbAEVVg+C
	gHuJJHmg18KNMA511ZZimGVDn7nATsOJzdezJ3k2HSGzfz7p5zO7eIS5R93Y2g==
Authentication-Results: auth=pass smtp.auth=amarx
	smtp.mailfrom=alexander.marx@ipfire.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801;
	t=1525260438;
	h=from:from:sender:reply-to:subject:subject:date:date:
	message-id:message-id:to:to:cc:cc:mime-version:content-type:
	content-transfer-encoding:in-reply-to:in-reply-to: references:references;
	bh=kT17z9m7Hnhn9wqsUXszWzoo6HO5i3s84y4MsAq4jJ8=;
	b=hR+C348ebtWHC7vDKhJt0WM3hj0cFMxb70qqb8OQ4NL3/Xf5UC1VA+osQIF6bipGqzgLom
	gYDWerCQIggy5/6b/sF0Jrl4jHY9efaMGzNp5Qt3RI6Y8rzhsqz/FqTVntd/HPN89svBvG
	cVaX32sG2drJlyAdFviz5GY5LM6m/nOCL/RXLN8gPcxYCesaZ/aERK2/TTN4bsJ2qO/ZtB
	Be1GB1jvHPa7IcQLIQ4pVxWo20QhrJfnGlNWilCIWubljMl4hdo7pgG+ir+q11u9BY3YUX
	HUQbl1XhvNcqTCUE6Ihg75DGVZkIGUzhljSfOcNm+TnQ6GN1mdIh8Hq/ieJH7g==
Received: from EDV1.kappeln2011.lan
	(business-90-187-3-157.pool2.vodafone-ip.de [90.187.3.157])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits))
	(Client did not present a certificate)
	by mail01.ipfire.org (Postfix) with ESMTPSA id BC58110F8DD7;
	Wed,  2 May 2018 12:27:18 +0100 (BST)
From: Alexander Marx <alexander.marx@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 4/4] BUG11559: fwhosts
Date: Wed,  2 May 2018 13:27:07 +0200
Message-Id: <1525260427-6695-4-git-send-email-alexander.marx@ipfire.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1525260427-6695-1-git-send-email-alexander.marx@ipfire.org>
References: <1525260427-6695-1-git-send-email-alexander.marx@ipfire.org>
X-Spamd-Result: default: False [-6.84 / 11.00]; MID_CONTAINS_FROM(1.00)[];
	RCVD_COUNT_ZERO(0.00)[0]; FROM_HAS_DN(0.00)[];
	TO_DN_SOME(0.00)[]; DKIM_SIGNED(0.00)[];
	BAYES_HAM(-3.00)[100.00%]; REPLY(-2.00)[];
	TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_EQ_ENVFROM(0.00)[];
	MIME_GOOD(-0.10)[text/plain]; ARC_NA(0.00)[];
	RCPT_COUNT_TWO(0.00)[2];
	ASN(0.00)[asn:31334, ipnet:90.187.0.0/16, country:DE];
	NEURAL_HAM(-2.74)[-0.915,0]; RCVD_TLS_ALL(0.00)[]
X-Spam-Status: No, score=-6.84
X-Rspamd-Server: mail01.i.ipfire.org
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
	<mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <https://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
	<mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

When creating firewallrules or using firewall groups,
it should be possible to select a single IpSec subnet if there is more than one.

This patch adds the changes to the firewall groups.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Tested-by: Peter Müller <peter.mueller@link38.eu>
---
 html/cgi-bin/fwhosts.cgi | 87 ++++++++++++++++++++++++++++++------------------
 1 file changed, 55 insertions(+), 32 deletions(-)

diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
index a2ade8a..fb33ac6 100644
--- a/html/cgi-bin/fwhosts.cgi
+++ b/html/cgi-bin/fwhosts.cgi
@@ -54,6 +54,7 @@ my %fwinp=();
 my %fwout=();
 my %ovpnsettings=();
 my %netsettings=();
+my %optionsfw=();
 
 my $errormessage;
 my $hint;
@@ -70,6 +71,7 @@ my $configgeoipgrp	= "${General::swroot}/fwhosts/customgeoipgrp";
 my $fwconfigfwd		= "${General::swroot}/firewall/config";
 my $fwconfiginp		= "${General::swroot}/firewall/input";
 my $fwconfigout		= "${General::swroot}/firewall/outgoing";
+my $fwoptions 		= "${General::swroot}/optionsfw/settings";
 my $configovpn		= "${General::swroot}/ovpn/settings";
 my $configipsecrw	= "${General::swroot}/vpn/settings";
 
@@ -87,8 +89,9 @@ unless (-e $configgeoipgrp) { system("touch $configgeoipgrp"); }
 &General::readhasharray("$configipsec", \%ipsecconf);
 &General::readhash("$configipsecrw", \%ipsecsettings);
 &General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
-&Header::getcgihash(\%fwhostsettings);
+&General::readhash($fwoptions, \%optionsfw);
 
+&Header::getcgihash(\%fwhostsettings);
 &Header::showhttpheaders();
 &Header::openpage($Lang::tr{'fwhost menu'}, 1, '');
 &Header::openbigbox('100%', 'center');
@@ -1548,27 +1551,30 @@ END
 				print"</select></td></tr>";
 			}
 			#IPsec networks
-			my @IPSEC_N2N=();
+
 			foreach my $key (sort { ncmp($ipsecconf{$a}[0],$ipsecconf{$b}[0]) } keys %ipsecconf) {
-				if ($ipsecconf{$key}[3] eq 'net'){
-					$show='1';
-					push (@IPSEC_N2N,$ipsecconf{$key}[1]);
-				}
-			}
-			if ($show eq '1'){
-				$show='';
-				print<<END;
-					<td style='width:15em;'>
-						<label>
-							<input type='radio' name='grp2' id='IPSEC_NET' value='ipsec_net' $checked{'grp2'}{'ipsec_net'}>
-							$Lang::tr{'fwhost ipsec net'}
-						</label>
-					</td>
-					<td style='text-align:right;'>
-					<select name='IPSEC_NET' style='width:16em;'>"
-END
-				foreach(@IPSEC_N2N){
-					print"<option value='$_'>$_</option>";
+				if ($ipsecconf{$key}[3] eq 'net' || ($optionsfw{'SHOWDROPDOWN'} eq 'on' && $ipsecconf{$key}[3] ne 'host')){
+					print "<td style='width:15em;'><label><input type='radio' name='grp2' id='IPSEC_NET' value='ipsec_net' $checked{'grp2'}{'ipsec_net'}>$Lang::tr{'fwhost ipsec net'}</label></td><td style='text-align:right;'><select name='IPSEC_NET' style='width:16em;'>" if $show eq '';
+					$show=1;
+					#Check if we have more than one REMOTE subnet in config
+					my @arr1 = split /\|/, $ipsecconf{$key}[11];
+					my $cnt1 += @arr1;
+
+					print"<option value=$ipsecconf{$key}[1]>";
+					print"$ipsecconf{$key}[1]";
+					print" ($Lang::tr{'fwdfw all subnets'})" if $cnt1 > 1; #If this Conenction has more than one subnet, print one option for all subnets
+					print"</option>";
+
+					if ($cnt1 > 1){
+						foreach my $val (@arr1){
+							#normalize subnet to cidr notation
+							my ($val1,$val2) = split /\//, $val;
+							my $val3 = &General::iporsubtocidr($val2);
+							print "<option ";
+							print "value='$ipsecconf{$key}[1]|$val1/$val3'";
+							print ">$ipsecconf{$key}[1] ($val1/$val3)</option>";
+						}
+					}
 				}
 			}
 			print"</select></td></tr>";
@@ -2116,14 +2122,15 @@ sub viewtablegrp
 			print "<td width='39%' align='left' $col>";
 			if($customgrp{$key}[3] eq 'Standard Network'){
 				print &get_name($customgrp{$key}[2])."</td>";
+			}elsif($customgrp{$key}[3] eq "IpSec Network" && $customgrp{$key}[2] =~ /\|/){
+				my ($a,$b) = split /\|/, $customgrp{$key}[2];
+					print "$a</td>";
 			}else{
 				print "$customgrp{$key}[2]</td>";
 			}
 			if ($ip eq '' && $customgrp{$key}[2] ne $Lang::tr{'fwhost err emptytable'}){
 				print "<td align='center' $col>$Lang::tr{'fwhost deleted'}</td><td align='center' $col>$Lang::tr{'fwhost '.$customgrp{$key}[3]}</td><td width='1%' $col><form method='post'>";
 			}else{
-				my ($colip,$colsub) = split("/",$ip);
-				$ip="$colip/".&General::iporsubtocidr($colsub) if ($colsub);
 				print"<td align='center' $col>".&getcolor($ip)."</td><td align='center' $col>$Lang::tr{'fwhost '.$customgrp{$key}[3]}</td><td width='1%' $col><form method='post'>";
 			}
 			if ($delflag > 0 && $ip ne ''){
@@ -2896,7 +2903,23 @@ sub getipforgroup
 	if ($type eq 'IpSec Network'){
 		foreach my $key (keys %ipsecconf) {
 			if ($ipsecconf{$key}[1] eq $name){
-				return $ipsecconf{$key}[11];
+				if ($ipsecconf{$key}[11] =~ /\|/) {
+					my $string;
+					my @parts = split /\|/ , $ipsecconf{$key}[11];
+					foreach my $key1 (@parts){
+						my ($val1,$val2) = split (/\//, $key1);
+						my $val3 = &Network::convert_netmask2prefix($val2) || $val2;
+						$string .= "$val1/$val3<br>";
+					}
+					return $string;
+				}else{
+					return $ipsecconf{$key}[11];
+				}
+			}else{
+				if ($name =~ /\|/) {
+					my ($a,$b) = split /\|/, $name;
+					return $b;
+				}
 			}
 		}
 		&deletefromgrp($name,$configgrp);
@@ -2917,7 +2940,7 @@ sub getipforgroup
 		foreach my $key (keys %ccdhost) {
 			if($ccdhost{$key}[1] eq $name){
 				my ($a,$b) = split ("/",$ccdhost{$key}[11]);
-				$b=&General::iporsubtodec($b);
+				$b=&Network::convert_netmask2prefix($b) || ($b);
 				return "$a/$b";
 			}
 		}
@@ -2929,7 +2952,7 @@ sub getipforgroup
 		foreach my $key (keys %ccdhost) {
 			if($ccdhost{$key}[1] eq $name){
 				my ($a,$b) = split (/\//,$ccdhost{$key}[33]);
-				$b=&General::iporsubtodec($b);
+				$b=&Network::convert_netmask2prefix($b) || ($b) ;
 				return "$a/$b";
 			}
 		}
@@ -2941,7 +2964,7 @@ sub getipforgroup
 		foreach my $key (keys %ccdnet) {
 			if ($ccdnet{$key}[0] eq $name){
 				my ($a,$b) = split (/\//,$ccdnet{$key}[1]);
-				$b=&General::iporsubtodec($b);
+				$b=&Network::convert_netmask2prefix($b) || ($b);
 				return "$a/$b";
 			}
 		}
@@ -2961,7 +2984,7 @@ sub getipforgroup
 	if ($type eq 'Custom Network'){
 		foreach my $key (keys %customnetwork) {
 			if($customnetwork{$key}[0] eq $name){
-				return $customnetwork{$key}[1]."/".$customnetwork{$key}[2];
+				return $customnetwork{$key}[1]."/".&Network::convert_netmask2prefix($customnetwork{$key}[2]) || $customnetwork{$key}[2];
 			}
 		}
 	}
@@ -2976,20 +2999,20 @@ sub getipforgroup
 		if ($name eq 'GREEN'){
 			my %hash=();
 			&General::readhash("${General::swroot}/ethernet/settings",\%hash);
-			return $hash{'GREEN_NETADDRESS'}."/".$hash{'GREEN_NETMASK'};
+			return $hash{'GREEN_NETADDRESS'}."/".&Network::convert_netmask2prefix($hash{'GREEN_NETMASK'}) || $hash{'GREEN_NETMASK'};
 		}
 		if ($name eq 'BLUE'){
 			my %hash=();
 			&General::readhash("${General::swroot}/ethernet/settings",\%hash);
-			return $hash{'BLUE_NETADDRESS'}."/".$hash{'BLUE_NETMASK'};
+			return $hash{'BLUE_NETADDRESS'}."/".&Network::convert_netmask2prefix($hash{'BLUE_NETMASK'}) || $hash{'BLUE_NETMASK'};
 		}
 		if ($name eq 'ORANGE'){
 			my %hash=();
 			&General::readhash("${General::swroot}/ethernet/settings",\%hash);
-			return $hash{'ORANGE_NETADDRESS'}."/".$hash{'ORANGE_NETMASK'};
+			return $hash{'ORANGE_NETADDRESS'}."/".&Network::convert_netmask2prefix($hash{'ORANGE_NETMASK'}) || $hash{'ORANGE_NETMASK'};
 		}
 		if ($name eq 'ALL'){
-			return "0.0.0.0/0.0.0.0";
+			return "0.0.0.0/0";
 		}
 		if ($name =~ /IPsec/i){
 			my %hash=();