List: ipfire-development
Subject: Re: [PATCH] BUG11559: There was no possibillity to select single IpSec subnets (if any) in the firew
From: Michael Tremer <michael.tremer () ipfire ! org>
Date: 2018-04-30 11:12:20
Message-ID: 1525086740.2479471.129.camel () ipfire ! org
On Mon, 2018-04-30 at 08:12 +0200, Alexander Marx wrote:
> Another patch will follow to make these changes in the firewall groups with
> the language changes ("All subnets" instead of "all")
Please submit all patches that belong together as a single patchset.
-M
>
> fixes: #11559
> ---
> config/firewall/firewall-lib.pl | 19 +++++++++++++++----
> html/cgi-bin/firewall.cgi | 36 +++++++++++++++++++++++++++++++++---
> 2 files changed, 48 insertions(+), 7 deletions(-)
>
> diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
> index eabd9a4..668eb9e 100644
> --- a/config/firewall/firewall-lib.pl
> +++ b/config/firewall/firewall-lib.pl
> @@ -150,6 +150,9 @@ sub get_ipsec_net_ip
> my $val=shift;
> my $field=shift;
> foreach my $key (sort {$a <=> $b} keys %ipsecconf){
> + #adapt $val to reflect real name without subnet (if rule with
> only one ipsec subnet is created)
> + my @tmpval = split (/\|/, $val);
> + $val = $tmpval[0];
> if($ipsecconf{$key}[1] eq $val){
> return $ipsecconf{$key}[$field];
> }
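Review bot: The split that strips an optional `|subnet` suffix from `$val` sits inside the `foreach` over `%ipsecconf`, so it is re-run and `$val` is rebound on every iteration although nothing in the loop changes it. Hoist it above the loop as `my ($name) = split(/\|/, $val);` and compare with `if ($ipsecconf{$key}[1] eq $name) {`, which also makes the intent visible at the top of the sub instead of in the middle of the scan. `get_ipsec_net_ip` starts before and ends after this hunk.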
> @@ -390,10 +393,18 @@ sub get_address
>
> # IPsec networks.
> } elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"])
> {
> - my $network_address = &get_ipsec_net_ip($value, 11);
> - my @nets = split(/\|/, $network_address);
> - foreach my $net (@nets) {
> - push(@ret, [$net, ""]);
> + #Check if we have multiple subnets and only want one of them
> +
> + if ( $value =~ /\|/ ){
> + my @parts = split(/\|/, $value);
> + push(@ret, [$parts[1], ""]);
> +
> + }else{
> + my $network_address = &get_ipsec_net_ip($value, 11);
> + my @nets = split(/\|/, $network_address);
> + foreach my $net (@nets) {
> + push(@ret, [$net, ""]);
> + }
> }
>
> # The firewall's own IP addresses.
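Review bot: In the new `$value =~ /\|/` branch the subnet is taken verbatim from the stored rule string (`$parts[1]`) and pushed into the address list without checking that it is still one of the subnets configured for the connection named in `$parts[0]`; the all-subnets branch below it reads the live config via `&get_ipsec_net_ip`, so the two branches can disagree once a connection's subnets are edited, and a hand-edited rule value would become a firewall rule for an arbitrary network. Resolve the connection first and accept the single subnet only if it matches one of its current subnets, normalising the config entries to CIDR as firewall.cgi does when it builds the option values (this assumes `&General::iporsubtocidr` is reachable from firewall-lib.pl as it is from the CGI; if not, compare the un-normalised forms). `get_address` starts and ends outside this hunk.
```perl
if ( $value =~ /\|/ ){
    my ($name, $wanted) = split(/\|/, $value);
    # Accept the single subnet only if the connection still carries it;
    # configured subnets may use a netmask, so normalise to CIDR first.
    foreach my $net (split(/\|/, &get_ipsec_net_ip($name, 11))) {
        my ($ip, $mask) = split(/\//, $net);
        my $cidr = "$ip/" . &General::iporsubtocidr($mask);
        if ($cidr eq $wanted) {
            push(@ret, [$wanted, ""]);
            last;
        }
    }
}else{
    # … unchanged: all-subnets branch …
}
```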
> diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
> index face0f4..65e43a1 100644
> --- a/html/cgi-bin/firewall.cgi
> +++ b/html/cgi-bin/firewall.cgi
> @@ -1161,11 +1161,31 @@ END
> #IPsec netze
> foreach my $key (sort { ncmp($ipsecconf{$a}[1],$ipsecconf{$b}[1]) }
> keys %ipsecconf) {
> if ($ipsecconf{$key}[3] eq 'net' ||
> ($optionsfw{'SHOWDROPDOWN'} eq 'on' && $ipsecconf{$key}[3] ne 'host')){
> - print"<tr><td valign='top'><input type='radio'
> name='$grp' value='ipsec_net_$srctgt'
> $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec
> net'}</td><td align='right'><select name='ipsec_net_$srctgt'
> style='width:200px;'>" if ($show eq '');
> + print"<tr><td valign='top'><input type='radio'
> name='$grp' id='ipsec_net_$srctgt' value='ipsec_net_$srctgt'
> $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec
> net'}</td><td align='right'><select name='ipsec_net_$srctgt'
> style='width:200px;'>" if ($show eq '');
> $show='1';
> +
> + #Check if we have more than one REMOTE subnet in
> config
> + my @arr1 = split /\|/, $ipsecconf{$key}[11];
> + my $cnt1 += @arr1;
> +
> print "<option ";
> - print "selected='selected'" if
> ($fwdfwsettings{$fwdfwsettings{$grp}} eq $ipsecconf{$key}[1]);
> - print ">$ipsecconf{$key}[1]</option>";
> + print "value=$ipsecconf{$key}[1]";
> + print " selected " if
> ($fwdfwsettings{$fwdfwsettings{$grp}} eq "$ipsecconf{$key}[1]");
> + print ">$ipsecconf{$key}[1] ";
> + print "$Lang::tr{'all'}" if $cnt1 > 1; #If this
> Conenction has more than one subnet, print one option for all subnets
> + print "</option>";
> +
> + if ($cnt1 > 1){
> + foreach my $val (@arr1){
> + #normalize subnet to cidr notation
> + my ($val1,$val2) = split /\//, $val;
> + my $val3 =
> &General::iporsubtocidr($val2);
> + print "<option ";
> + print
> "value='$ipsecconf{$key}[1]|$val1/$val3'";
> + print "selected " if
> ($fwdfwsettings{$fwdfwsettings{$grp}} eq "$ipsecconf{$key}[1]|$val1/$val3");
> + print ">$ipsecconf{$key}[1]
> $val1/$val3</option>";
> + }
> + }
> }
> }
> if($optionsfw{'SHOWDROPDOWN'} eq 'on' && $show eq ''){
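Review bot: The new `print "value=$ipsecconf{$key}[1]";` emits the option value as an unquoted attribute, while the per-subnet options a few lines below quote theirs with `value='...'`; a connection name containing a space, `>` or a quote breaks the markup and lands in the page verbatim, so write `print "value='$ipsecconf{$key}[1]'";` and, if the form already has an HTML-escaping helper for user-visible strings, apply it here as well as to the option text. `my $cnt1 += @arr1;` declares and accumulates in one step; `my $cnt1 = scalar @arr1;` states what is meant. `&General::iporsubtocidr($val2)` is called with undef when a configured subnet entry carries no `/mask` part, which would render an option ending in a bare `/`; skipping malformed entries with `next unless defined $val2;` keeps the list clean.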
> @@ -2575,6 +2595,11 @@ END
> #SOURCE
> my $ipfireiface;
> &getcolor($$hash{$key}[3],$$hash{$key}[4],\%customhos
> t);
> + # Check SRC Host and replace "|" with space
> + if ($$hash{$key}[4] =~ /\|/){
> + $$hash{$key}[4] =~ s/\|/ (/g;
> + $$hash{$key}[4] = $$hash{$key}[4].")";
> + }
> print"<td align='center' width='30%' $tdcolor>";
> if ($$hash{$key}[3] eq 'ipfire_src'){
> $ipfireiface=$Lang::tr{'fwdfw iface'};
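Review bot: The display transformation is applied in place to `$$hash{$key}[4]`, so the rule entry in the shared `$hash` now holds `name (subnet)` instead of the stored `name|subnet` for the rest of this request; if anything later in the same pass re-reads or writes that field (the edit form or a save path), it would see the display form, which I cannot confirm from this hunk. Build the label in a local instead, `(my $src_name = $$hash{$key}[4]) =~ s/\|(.*)/ ($1)/;`, and print `$src_name` where the field is rendered further down, outside this hunk; the single substitution also replaces the two-step `/g` plus appended `)` that would leave parentheses unbalanced if a value ever carried more than one `|`. The same applies to the `$$hash{$key}[6]` block in the `@@ -2640` hunk. The enclosing loop starts and ends outside the hunk.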
> @@ -2640,6 +2665,11 @@ END
> print<<END;
> <td align='center' $tdcolor>
> END
> + # Check TGT Host and replace "|" with space
> + if ($$hash{$key}[6] =~ /\|/){
> + $$hash{$key}[6] =~ s/\|/ (/g;
> + $$hash{$key}[6] = $$hash{$key}[6].")";
> + }
> #Is this a DNAT rule?
> my $natstring;
> if ($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq
> 'ON'){