From 1de96a83d6d6cec5d4d3eda1792aa80bfbd8fafe Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 23 Apr 2025 12:35:52 +0200 Subject: [PATCH] firewall: Add support for WireGuard peers to groups Signed-off-by: Michael Tremer --- config/firewall/firewall-lib.pl | 10 ++++++- html/cgi-bin/fwhosts.cgi | 48 +++++++++++++++++++++++++++++++++ 2 files changed, 57 insertions(+), 1 deletion(-) diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl index 1977be19f..2dfc44a94 100644 --- a/config/firewall/firewall-lib.pl +++ b/config/firewall/firewall-lib.pl @@ -239,6 +239,8 @@ sub get_std_net_ip return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"; }elsif($val eq 'RED'){ return "0.0.0.0/0"; + }elsif($val eq 'WGRW'){ + return $Wireguard::settings{'CLIENT_POOL'}; }elsif($val =~ /OpenVPN/i){ return "$ovpnsettings{'DOVPN_SUBNET'}"; }elsif($val =~ /IPsec/i){ @@ -259,6 +261,12 @@ sub get_interface if($net eq "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"){ return "$netsettings{'BLUE_DEV'}"; } + + # Wireguard + if ($net eq $Wireguard::settings{'CLIENT_POOL'}) { + return "wg0"; + } + if($net eq "0.0.0.0/0") { return &get_external_interface(); } @@ -386,7 +394,7 @@ sub get_address } # WireGuard Peers - } elsif ($key eq 'wg_peer_src' || $key eq 'wg_peer_tgt') { + } elsif ($key eq 'wg_peer' || $key eq 'wg_peer_src' || $key eq 'wg_peer_tgt') { my $peer = &Wireguard::get_peer_by_name($value); if (defined $peer) { my $remotes; diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index bbe2acc3c..67a0f863a 100644 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi 
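Review bot: `$Wireguard::settings{'CLIENT_POOL'}` is used in the new `WGRW` branch of get_std_net_ip and in the new comparison in get_interface without a check that it is set. If no client pool is configured, get_std_net_ip passes an undefined or empty network to its caller, and in get_interface an empty `$net` compares equal to the empty pool and is mapped to `wg0` before the `0.0.0.0/0` check is reached. How the callers treat an empty address is outside these hunks, but a rule built without a source network is usually broader than the one the administrator asked for. A guard such as `if (($Wireguard::settings{'CLIENT_POOL'} // '') ne '' && $net eq $Wireguard::settings{'CLIENT_POOL'}) {` in get_interface would avoid this, together with a comment on the `WGRW` branch saying what is returned when the pool is unset. Both functions continue outside the hunks.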
@@ -582,6 +582,13 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp') $fwhostsettings{'grp_name'}=''; $fwhostsettings{'remark'}=''; } + # Fetch the address from a WireGuard Peer + if ($fwhostsettings{'grp2'} eq 'wg_peer' && $fwhostsettings{'WG_PEER'} ne ''){ + @target=$fwhostsettings{'WG_PEER'}; + $type='wg_peer'; + }elsif ($fwhostsettings{'grp2'} eq 'wg_peer' && $fwhostsettings{'WG_PEER'} eq ''){ + $errormessage=$Lang::tr{'fwhost err groupempty'}; + } #get address from ovpn ccd static net if ($fwhostsettings{'grp2'} eq 'ovpn_net' && $fwhostsettings{'OVPN_CCD_NET'} ne ''){ @target=$fwhostsettings{'OVPN_CCD_NET'}; @@ -1523,6 +1530,34 @@ END print""; #Inner table right print""; + # WireGuard Peers + if (%Wireguard::peers) { + print < + + + +EOF + } #OVPN networks if (! -z $configccdnet){ print<{"TYPE"} eq "host") { + return $peer->{"CLIENT_ADDRESS"}; + } elsif ($peer->{"TYPE"} eq "net") { + return join(", ", @{ $peer->{"REMOTE_SUBNETS"} }); + } + } + } + #get address from ovpn ccd Net-2-Net if ($type eq 'OpenVPN N-2-N'){ foreach my $key (keys %ccdhost) { -- 2.39.5
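Review bot: The submitted `WG_PEER` value is stored as the group member after only an empty-string check in the new `wg_peer` branch of the `savegrp` handler. Because the value arrives from the form, it should be confirmed to name an existing peer before it is saved, for example with an extra branch `}elsif (!defined(Wireguard::get_peer_by_name($fwhostsettings{'WG_PEER'}))){` that sets `$errormessage`. Otherwise a stale or hand-edited name is written to the group, and the firewall library's `wg_peer` lookup later finds no peer for it. The neighbouring `ovpn_net` branch follows the same pattern, and the rest of the handler is outside the hunk, so an existing check further down cannot be ruled out.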
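Review bot: In the added peer lookup, `@{ $peer->{"REMOTE_SUBNETS"} }` is dereferenced without checking that the key holds an array reference, so a `net` peer stored without subnets would abort the page if the script runs under strict refs. `return join(", ", @{ $peer->{"REMOTE_SUBNETS"} // [] });` keeps the lookup harmless in that case. A peer whose `TYPE` is neither `host` nor `net` also leaves the block without a return value, which deserves a short comment saying what the caller then shows. The hunk header and the start of the enclosing function are not visible on this page, so the surrounding control flow is inferred.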
+ + +