X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=html%2Fcgi-bin%2Ffirewall.cgi;h=fb1c25dfd577a016a3fefdf76456f7c39811fcb9;hb=56947acb12176f397cbd5078c5544cdc4f19b27b;hp=39b732ce36b77d073d064758cbefbc9d77e314b3;hpb=2f2b5105c47db6b8b9ec42e2bbfa28d967fe1178;p=ipfire-2.x.git

diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
index 39b732ce36..fb1c25dfd5 100644
--- a/html/cgi-bin/firewall.cgi
+++ b/html/cgi-bin/firewall.cgi
@@ -31,8 +31,10 @@ no warnings 'uninitialized';
 #use CGI::Carp 'fatalsToBrowser';
 
 require '/var/ipfire/general-functions.pl';
+require '/var/ipfire/network-functions.pl';
 require "${General::swroot}/lang.pl";
 require "${General::swroot}/header.pl";
+require "${General::swroot}/geoip-functions.pl";
 require "/usr/lib/firewall/firewall-lib.pl";
 
 unless (-d "${General::swroot}/firewall")			{ system("mkdir ${General::swroot}/firewall"); }
@@ -47,6 +49,7 @@ my %defaultNetworks=();
 my %netsettings=();
 my %customhost=();
 my %customgrp=();
+my %customgeoipgrp=();
 my %customnetworks=();
 my %customservice=();
 my %customservicegrp=();
@@ -74,6 +77,7 @@ my $color;
 my $confignet		= "${General::swroot}/fwhosts/customnetworks";
 my $confighost		= "${General::swroot}/fwhosts/customhosts";
 my $configgrp 		= "${General::swroot}/fwhosts/customgroups";
+my $configgeoipgrp	= "${General::swroot}/fwhosts/customgeoipgrp";
 my $configsrv 		= "${General::swroot}/fwhosts/customservices";
 my $configsrvgrp	= "${General::swroot}/fwhosts/customservicegrp";
 my $configccdnet 	= "${General::swroot}/ovpn/ccd.conf";
@@ -154,6 +158,19 @@ print<<END;
 			\$("#actions").toggle();
 		});
 
+		// Hide SNAT items when DNAT is selected and vice versa.
+		if (\$('input[name=nat]:checked').val() == 'dnat') {
+			\$('.snat').hide();
+		} else {
+			\$('.dnat').hide();
+		}
+
+		// Show/Hide elements when SNAT/DNAT get changed.
+		\$('input[name=nat]').change(function() {
+			\$('.snat').toggle();
+			\$('.dnat').toggle();
+		});
+
 		// Time constraints
 		if(!\$("#USE_TIME_CONSTRAINTS").attr("checked")) {
 			\$("#TIME_CONSTRAINTS").hide();
@@ -224,10 +241,6 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
 			$checkorange='on';
 		}
 	}
-	#check useless rules
-	if(	($fwdfwsettings{$fwdfwsettings{'grp1'}} eq 'ORANGE' || $checkorange eq 'on') && $fwdfwsettings{'grp2'} eq 'ipfire'){
-		$errormessage.=$Lang::tr{'fwdfw useless rule'}."<br>";
-	}
 	#check if we try to break rules
 	if(	$fwdfwsettings{'grp1'} eq 'ipfire_src' && $fwdfwsettings{'grp2'} eq 'ipfire'){
 		$errormessage=$Lang::tr{'fwdfw err same'};
@@ -449,6 +462,9 @@ sub checksource
 			}
 		}
 		if ($fwdfwsettings{'isip'} eq 'on'){
+			#remove leading zero
+			$ip = &Network::ip_remove_zero($ip);
+
 			##check if ip is valid
 			if (! &General::validip($ip)){
 				$errormessage.=$Lang::tr{'fwdfw err src_addr'}."<br>";
@@ -519,16 +535,6 @@ sub checktarget
 	#check DNAT settings (has to be single Host and single Port or portrange)
 	if ($fwdfwsettings{'USE_NAT'} eq 'ON' && $fwdfwsettings{'nat'} eq 'dnat'){
 		if($fwdfwsettings{'grp2'} eq 'tgt_addr' || $fwdfwsettings{'grp2'} eq 'cust_host_tgt' || $fwdfwsettings{'grp2'} eq 'ovpn_host_tgt'){
-			#check if manual ip is a single Host (if set)
-			if ($fwdfwsettings{'grp2'} eq 'tgt_addr'){
-				my @tmp= split (/\./,$fwdfwsettings{$fwdfwsettings{'grp2'}});
-				my @tmp1= split ("/",$tmp[3]);
-				if (($tmp1[0] eq "0") || ($tmp1[0] eq "255"))
-				{
-					$errormessage=$Lang::tr{'fwdfw dnat error'}."<br>";
-					return $errormessage;
-				}
-			}
 			#check if Port is a single Port or portrange
 			if ($fwdfwsettings{'nat'} eq 'dnat' &&  $fwdfwsettings{'grp3'} eq 'TGT_PORT'){
 				if(($fwdfwsettings{'PROT'} ne 'TCP'|| $fwdfwsettings{'PROT'} ne 'UDP') && $fwdfwsettings{'TGT_PORT'} eq ''){
@@ -553,11 +559,15 @@ sub checktarget
 			($ip,$subnet)=split (/\//,$fwdfwsettings{'tgt_addr'});
 			$subnet = &General::iporsubtocidr($subnet);
 		}
+
 		#check if only ip
 		if($fwdfwsettings{'tgt_addr'}=~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
 			$ip=$fwdfwsettings{'tgt_addr'};
 			$subnet='32';
 		}
+		#remove leading zero
+		$ip = &Network::ip_remove_zero($ip);
+
 		#check if ip is valid
 		if (! &General::validip($ip)){
 			$errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."<br>";
@@ -581,7 +591,7 @@ sub checktarget
 		&General::readhasharray("$confighost", \%customhost);
 		foreach my $grpkey (sort keys %customgrp){
 			foreach my $hostkey (sort keys %customhost){
-				if ($customgrp{$grpkey}[2] eq $customhost{$hostkey}[0] && $customhost{$hostkey}[1] eq 'mac'){
+				if ($customgrp{$grpkey}[2] eq $customhost{$hostkey}[0] && $customgrp{$grpkey}[2] eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $customhost{$hostkey}[1] eq 'mac'){
 					$hint=$Lang::tr{'fwdfw hint mac'};
 					return $hint;
 				}
@@ -1060,6 +1070,54 @@ END
 		}
 		print"</select></td>";
 	}
+	# geoip locations / groups.
+	my @geoip_locations = &fwlib::get_geoip_locations();
+
+	print "<tr>\n";
+	print "<td valign='top'><input type='radio' name='$grp' id='cust_geoip_$srctgt' value='cust_geoip_$srctgt' $checked{$grp}{'cust_geoip_'.$srctgt}></td>\n";
+	print "<td>$Lang::tr{'geoip'}</td>\n";
+	print "<td align='right'><select name='cust_geoip_$srctgt' style='width:200px;'>\n";
+
+	# Add GeoIP groups to dropdown.
+	if (!-z $configgeoipgrp) {
+		print "<optgroup label='$Lang::tr{'fwhost cust geoipgroup'}'>\n";
+		foreach my $key (sort { ncmp($customgeoipgrp{$a}[0],$customgeoipgrp{$b}[0]) } keys %customgeoipgrp) {
+			my $selected;
+
+			# Generate stored value for select detection.
+			my $stored = join(':', "group",$customgeoipgrp{$key}[0]);
+
+			# Only show a group once and group with elements.
+			if($helper ne $customgeoipgrp{$key}[0] && $customgeoipgrp{$key}[2] ne 'none') {
+				# Mark current entry as selected.
+				if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $stored) {
+					$selected = "selected='selected'";
+				}
+                                print"<option $selected value='group:$customgeoipgrp{$key}[0]'>$customgeoipgrp{$key}[0]</option>\n";
+                        }
+                        $helper=$customgeoipgrp{$key}[0];
+                }
+		print "</optgroup>\n";
+	}
+
+	# Add locations.
+	print "<optgroup label='$Lang::tr{'fwhost cust geoiplocation'}'>\n";
+	foreach my $location (@geoip_locations) {
+		# Get country name.
+		my $country_name = &GeoIP::get_full_country_name($location);
+
+		# Mark current entry as selected.
+		my $selected;
+		if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $location) {
+			$selected = "selected='selected'";
+		}
+		print "<option $selected value='$location'>$location - $country_name</option>\n";
+	}
+	print "</optgroup>\n";
+
+	# Close GeoIP dropdown.
+	print "</select></td>\n";
+
 	#End left table. start right table (vpn)
 	print"</tr></table></td><td valign='top'><table width='95%' border='0' align='right'><tr>";
 	# CCD networks
@@ -1099,11 +1157,31 @@ END
 	#IPsec netze
 	foreach my $key (sort { ncmp($ipsecconf{$a}[1],$ipsecconf{$b}[1]) } keys %ipsecconf) {
 		if ($ipsecconf{$key}[3] eq 'net' || ($optionsfw{'SHOWDROPDOWN'} eq 'on' && $ipsecconf{$key}[3] ne 'host')){
-			print"<tr><td valign='top'><input type='radio' name='$grp' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'>" if ($show eq '');
+			print"<tr><td valign='top'><input type='radio' name='$grp' id='ipsec_net_$srctgt' value='ipsec_net_$srctgt' $checked{$grp}{'ipsec_net_'.$srctgt}></td><td >$Lang::tr{'fwhost ipsec net'}</td><td align='right'><select name='ipsec_net_$srctgt' style='width:200px;'>" if ($show eq '');
 			$show='1';
+
+			#Check if we have more than one REMOTE subnet in config
+			my @arr1 = split /\|/, $ipsecconf{$key}[11];
+			my $cnt1 += @arr1;
+
 			print "<option ";
-			print "selected='selected'" if ($fwdfwsettings{$fwdfwsettings{$grp}} eq $ipsecconf{$key}[1]);
-			print ">$ipsecconf{$key}[1]</option>";
+			print "value=$ipsecconf{$key}[1]";
+			print " selected " if ($fwdfwsettings{$fwdfwsettings{$grp}} eq "$ipsecconf{$key}[1]");
+			print ">$ipsecconf{$key}[1] ";
+			print "($Lang::tr{'fwdfw all subnets'})" if $cnt1 > 1; #If this Conenction has more than one subnet, print one option for all subnets
+			print "</option>";
+
+			if ($cnt1 > 1){
+				foreach my $val (@arr1){
+					#normalize subnet to cidr notation
+					my ($val1,$val2) = split /\//, $val;
+					my $val3 = &General::iporsubtocidr($val2);
+					print "<option ";
+					print "value='$ipsecconf{$key}[1]|$val1/$val3'";
+					print "selected " if ($fwdfwsettings{$fwdfwsettings{$grp}} eq "$ipsecconf{$key}[1]|$val1/$val3");
+					print ">$ipsecconf{$key}[1] ($val1/$val3)</option>";
+				}
+			}
 		}
 	}
 	if($optionsfw{'SHOWDROPDOWN'} eq 'on' && $show eq ''){
@@ -1397,6 +1475,7 @@ sub newrule
 	&General::readhasharray("$confighost", \%customhost);
 	&General::readhasharray("$configccdhost", \%ccdhost);
 	&General::readhasharray("$configgrp", \%customgrp);
+	&General::readhasharray("$configgeoipgrp", \%customgeoipgrp);
 	&General::readhasharray("$configipsec", \%ipsecconf);
 	&General::get_aliases(\%aliases);
 	my %checked=();
@@ -1591,7 +1670,7 @@ END
 				$Lang::tr{'fwdfw use nat'}
 			</label>
 			<div class="NAT">
-				<table width='100%' border='0'>
+				<table class='fw-nat' width='100%' border='0'>
 					<tr>
 						<td width='5%'></td>
 						<td width='40%'>
@@ -1603,9 +1682,9 @@ END
 END
 
 	print <<END;
-						<td width='25%' align='right'>$Lang::tr{'dnat address'}:</td>
+						<td width='25%' align='right'><span class='dnat'>$Lang::tr{'dnat address'}:</span></td>
 						<td width='30%'>
-							<select name='dnat' style='width: 100%;'>
+							<select name='dnat' class='dnat' style='width: 100%;'>
 								<option value='AUTO' $selected{'dnat'}{'AUTO'}>- $Lang::tr{'automatic'} -</option>
 								<option value='Default IP' $selected{'dnat'}{'Default IP'}>$Lang::tr{'red1'} ($redip)</option>
 END
@@ -1636,9 +1715,9 @@ END
 								$Lang::tr{'fwdfw snat'}
 							</label>
 						</td>
-						<td width='25%' align='right'>$Lang::tr{'snat new source ip address'}:</td>
+						<td width='25%' align='right'><span class='snat'>$Lang::tr{'snat new source ip address'}:</span></td>
 						<td width='30%'>
-							<select name='snat' style='width: 100%;'>
+							<select name='snat' class='snat' style='width: 100%;'>
 END
 
 		foreach my $alias (sort keys %aliases) {
@@ -2512,6 +2591,11 @@ END
 			#SOURCE
 			my $ipfireiface;
 			&getcolor($$hash{$key}[3],$$hash{$key}[4],\%customhost);
+			# Check SRC Host and replace "|" with space
+			if ($$hash{$key}[4] =~ /\|/){
+				$$hash{$key}[4] =~ s/\|/ (/g;
+				$$hash{$key}[4] = $$hash{$key}[4].")";
+			}
 			print"<td align='center' width='30%' $tdcolor>";
 			if ($$hash{$key}[3] eq 'ipfire_src'){
 				$ipfireiface=$Lang::tr{'fwdfw iface'};
@@ -2525,6 +2609,13 @@ END
 				}else{
 					print $$hash{$key}[4];
 				}
+			}elsif ($$hash{$key}[3] eq 'cust_geoip_src') {
+				my ($split1,$split2) = split(":", $$hash{$key}[4]);
+				if ($split2) {
+					print "$split2\n";
+				}else{
+					print "$Lang::tr{'geoip'}: $$hash{$key}[4]\n";
+				}
 			}elsif ($$hash{$key}[4] eq 'RED1'){
 				print "$ipfireiface $Lang::tr{'fwdfw red'}";
 			}elsif ($$hash{$key}[4] eq 'ALL'){
@@ -2570,6 +2661,11 @@ END
 			print<<END;
 					<td align='center' $tdcolor>
 END
+			# Check TGT Host and replace "|" with space
+			if ($$hash{$key}[6] =~ /\|/){
+				$$hash{$key}[6] =~ s/\|/ (/g;
+				$$hash{$key}[6] = $$hash{$key}[6].")";
+			}
 			#Is this a DNAT rule?
 			my $natstring;
 			if ($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
@@ -2601,6 +2697,13 @@ END
 				}else{
 					print $$hash{$key}[6];
 				}
+			}elsif ($$hash{$key}[5] eq 'cust_geoip_tgt') {
+				my ($split1,$split2) = split(":", $$hash{$key}[6]);
+				if ($split2) {
+					print "$split2\n";
+				}else{
+					print "$Lang::tr{'geoip'}: $$hash{$key}[6]\n";
+				}
 			}elsif ($$hash{$key}[5] eq 'tgt_addr'){
 				my ($split1,$split2) = split("/",$$hash{$key}[6]);
 				if ($split2 eq '32'){
@@ -2618,7 +2721,6 @@ END
 			#RULE ACTIVE
 			if($$hash{$key}[2] eq 'ON'){
 				$gif="/images/on.gif"
-				
 			}else{
 				$gif="/images/off.gif"
 			}