
List:       ipfire-development
Subject:    Re: [PATCH] BUG11559: There was no possibillity to select single IpSec subnets (if any) in the firew
From:       Michael Tremer <michael.tremer () ipfire ! org>
Date:       2018-04-30 11:12:20
Message-ID: 1525086740.2479471.129.camel () ipfire ! org

On Mon, 2018-04-30 at 08:12 +0200, Alexander Marx wrote:
> Another patch will follow to make these changes in the firewall groups with
> the language changes ("All subnets" instead of "all")

Please submit all patches that belong together as a single patchset.

-M

> 
> fixes: #11559
> ---
>  config/firewall/firewall-lib.pl | 19 +++++++++++++++----
>  html/cgi-bin/firewall.cgi       | 36 +++++++++++++++++++++++++++++++++---
>  2 files changed, 48 insertions(+), 7 deletions(-)
> 
> diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
> index eabd9a4..668eb9e 100644
> --- a/config/firewall/firewall-lib.pl
> +++ b/config/firewall/firewall-lib.pl
> @@ -150,6 +150,9 @@ sub get_ipsec_net_ip
>  	my $val=shift;
>  	my $field=shift;
>  	foreach my $key (sort {$a <=> $b} keys %ipsecconf){
> +		#adapt $val to reflect real name without subnet (if rule with
> only one ipsec subnet is created)
> +		my @tmpval = split (/\|/, $val);
> +		$val = $tmpval[0];
>  		if($ipsecconf{$key}[1] eq $val){
>  			return $ipsecconf{$key}[$field];
>  		}
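Review bot: The new `my @tmpval = split (/\|/, $val);` / `$val = $tmpval[0];` pair is loop-invariant but sits inside the `foreach` over `%ipsecconf`, so the stored value is re-split on every key. Hoist it above the loop as a single list assignment, `my ($conn_name) = split(/\|/, $val, 2);`, and compare `$ipsecconf{$key}[1] eq $conn_name` in the `if`. A one-line comment above it stating the two accepted shapes of `$val` (a bare connection name, or `name|subnet` as written by the firewall CGI) would save the next reader a trip to firewall.cgi. get_ipsec_net_ip begins and ends outside this hunk.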
> @@ -390,10 +393,18 @@ sub get_address
>  
>  	# IPsec networks.
>  	} elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"])
> {
> -		my $network_address = &get_ipsec_net_ip($value, 11);
> -		my @nets = split(/\|/, $network_address);
> -		foreach my $net (@nets) {
> -			push(@ret, [$net, ""]);
> +		#Check if we have multiple subnets and only want one of them
> +		
> +		if ( $value =~ /\|/ ){
> +			my @parts = split(/\|/, $value);
> +			push(@ret, [$parts[1], ""]);
> +			
> +		}else{
> +			my $network_address = &get_ipsec_net_ip($value, 11);
> +			my @nets = split(/\|/, $network_address);
> +			foreach my $net (@nets) {
> +				push(@ret, [$net, ""]);
> +			}
>  		}
>  
>  	# The firewall's own IP addresses.
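Review bot: In the new `if ( $value =~ /\|/ )` branch, `$parts[1]` goes into `@ret` verbatim from the stored rule value, with no check that it is still one of the subnets `get_ipsec_net_ip($parts[0], 11)` reports for that connection; a rule saved before the connection's subnets were edited would keep producing a firewall rule for a subnet the tunnel no longer carries, which the `else` branch cannot do because it reads the live config. Consider `my ($conn, $subnet) = split(/\|/, $value, 2);`, then fetch the connection's current subnet list the same way the `else` branch does and push `[$subnet, ""]` only when `$subnet` is found in it; the comparison would need the same CIDR normalisation the CGI applies when it builds the `name|subnet` value, since I infer from the other hunk that `$ipsecconf{...}[11]` holds the raw config form. get_address begins and ends outside this hunk.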
> diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
> index face0f4..65e43a1 100644
> --- a/html/cgi-bin/firewall.cgi
> +++ b/html/cgi-bin/firewall.cgi
> @@ -1161,11 +1161,31 @@ END
>  	#IPsec netze
>  	foreach my $key (sort { ncmp($ipsecconf{$a}[1],$ipsecconf{$b}[1]) }
> keys %ipsecconf) {
>  		if ($ipsecconf{$key}[3] eq 'net' ||
> ($optionsfw{'SHOWDROPDOWN'} eq 'on' && $ipsecconf{$key}[3] ne 'host')){
> -			print"<tr><td valign='top'><input type='radio'
> name='$grp' value='ipsec_net_$srctgt'
> $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec
> net'}</td><td align='right'><select name='ipsec_net_$srctgt'
> style='width:200px;'>" if ($show eq '');
> +			print"<tr><td valign='top'><input type='radio'
> name='$grp' id='ipsec_net_$srctgt' value='ipsec_net_$srctgt'
> $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec
> net'}</td><td align='right'><select name='ipsec_net_$srctgt'
> style='width:200px;'>" if ($show eq '');
>  			$show='1';
> +
> +			#Check if we have more than one REMOTE subnet in
> config
> +			my @arr1 = split /\|/, $ipsecconf{$key}[11];
> +			my $cnt1 += @arr1;
> +
>  			print "<option ";
> -			print "selected='selected'" if
> ($fwdfwsettings{$fwdfwsettings{$grp}} eq $ipsecconf{$key}[1]);
> -			print ">$ipsecconf{$key}[1]</option>";
> +			print "value=$ipsecconf{$key}[1]";
> +			print " selected " if
> ($fwdfwsettings{$fwdfwsettings{$grp}} eq "$ipsecconf{$key}[1]");
> +			print ">$ipsecconf{$key}[1] ";
> +			print "$Lang::tr{'all'}" if $cnt1 > 1; #If this
> Conenction has more than one subnet, print one option for all subnets
> +			print "</option>";
> +
> +			if ($cnt1 > 1){
> +				foreach my $val (@arr1){
> +					#normalize subnet to cidr notation
> +					my ($val1,$val2) = split /\//, $val;
> +					my $val3 =
> &General::iporsubtocidr($val2);
> +					print "<option ";
> +					print
> "value='$ipsecconf{$key}[1]|$val1/$val3'";
> +					print "selected " if
> ($fwdfwsettings{$fwdfwsettings{$grp}} eq "$ipsecconf{$key}[1]|$val1/$val3");
> +					print ">$ipsecconf{$key}[1]
> $val1/$val3</option>";
> +				}
> +			}
>  		}
>  	}
>  	if($optionsfw{'SHOWDROPDOWN'} eq 'on' && $show eq ''){
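Review bot: The new `print "value=$ipsecconf{$key}[1]";` emits an unquoted attribute, so a connection name containing a space or `>` breaks the `<option>` markup, while the per-subnet options a few lines below quote theirs; write `print "value='$ipsecconf{$key}[1]'";`. In the inner `foreach my $val (@arr1)` loop, `print "selected " if ...` follows the quoted value with no separating space and yields `value='…'selected`; use `print " selected " if ...` as the outer option already does. `my $cnt1 += @arr1;` reads as a slip for `my $cnt1 = scalar @arr1;`, which is what it evaluates to here. The `foreach` is complete within the hunk, but the enclosing routine begins and ends outside it.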
> @@ -2575,6 +2595,11 @@ END
>  			#SOURCE
>  			my $ipfireiface;
>  			&getcolor($$hash{$key}[3],$$hash{$key}[4],\%customhos
> t);
> +			# Check SRC Host and replace "|" with space
> +			if ($$hash{$key}[4] =~ /\|/){
> +				$$hash{$key}[4] =~ s/\|/ (/g;
> +				$$hash{$key}[4] = $$hash{$key}[4].")";
> +			}
>  			print"<td align='center' width='30%' $tdcolor>";
>  			if ($$hash{$key}[3] eq 'ipfire_src'){
>  				$ipfireiface=$Lang::tr{'fwdfw iface'};
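Review bot: The in-place `$$hash{$key}[4] =~ s/\|/ (/g;` followed by appending `")"` rewrites the rule's stored source value inside `%$hash` purely for display, so anything that reads `$$hash{$key}[4]` after this point sees `name (subnet)` instead of `name|subnet` (whether this hash is ever written back is not visible here; `getcolor` on the line above still sees the original). Format into a local instead, e.g. `(my $src_label = $$hash{$key}[4]) =~ s/\|(.*)\z/ ($1)/;` and print `$src_label`, which also avoids the unbalanced parentheses the `/g` substitution produces if a value ever holds more than one `|`. The same pattern is added for `$$hash{$key}[6]` in the hunk at `@@ -2640,6 +2665,11 @@`. The enclosing block begins and ends outside this hunk.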
> @@ -2640,6 +2665,11 @@ END
>  			print<<END;
>  					<td align='center' $tdcolor>
>  END
> +			# Check TGT Host and replace "|" with space
> +			if ($$hash{$key}[6] =~ /\|/){
> +				$$hash{$key}[6] =~ s/\|/ (/g;
> +				$$hash{$key}[6] = $$hash{$key}[6].")";
> +			}
>  			#Is this a DNAT rule?
>  			my $natstring;
>  			if ($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq
> 'ON'){
