From 1d9414d76174b7dc78acdcafbc76fe19c00c0732 Mon Sep 17 00:00:00 2001
From: Vincent Li
Date: Fri, 27 Jun 2025 22:56:34 -0700
Subject: [PATCH] firewall: Add support for WireGuard peers to groups
commit 1de96a83d6d6cec5d4d3eda1792aa80bfbd8fafe
Author: Michael Tremer
Date: Wed Apr 23 12:35:52 2025 +0200
firewall: Add support for WireGuard peers to groups
Signed-off-by: Michael Tremer
Signed-off-by: Vincent Li
---
config/firewall/firewall-lib.pl | 27 +++++++++++++
html/cgi-bin/fwhosts.cgi | 67 +++++++++++++++++++++++++++++----
2 files changed, 87 insertions(+), 7 deletions(-)
diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
index 7d35d5686..094832333 100644
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -239,6 +239,8 @@ sub get_std_net_ip
 return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
 }elsif($val eq 'RED'){
 return "0.0.0.0/0";
+ }elsif($val eq 'WGRW'){
+ return $Wireguard::settings{'CLIENT_POOL'};
 }elsif($val =~ /OpenVPN/i){
 return "$ovpnsettings{'DOVPN_SUBNET'}";
 }elsif($val =~ /IPsec/i){
@@ -259,6 +261,12 @@ sub get_interface
 if($net eq "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"){
 return "$netsettings{'BLUE_DEV'}";
 }
+
+ # Wireguard
+ if ($net eq $Wireguard::settings{'CLIENT_POOL'}) {
+ return "wg0";
+ }
+
 if($net eq "0.0.0.0/0") {
 return &get_external_interface();
 }
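Review bot: The new `WGRW` branch of get_std_net_ip returns `$Wireguard::settings{'CLIENT_POOL'}` as-is, so when no client pool is configured the sub hands back undef/empty where every other branch returns a concrete network string; the getcolor code deleted later in this same patch guarded that setting with `if ($Wireguard::settings{'CLIENT_POOL'})`, which suggests it can legitimately be unset. What the rule generator does with an empty source/destination network is not visible from here, but an empty match specification is the kind of value that turns into either a failed rule load or an over-broad rule, so the caveat belongs in the code. At minimum add `# May be empty when no WireGuard client pool is configured; callers must not turn an empty network into a wildcard match` above the return, or have the caller reject WGRW objects while the pool is unset. get_std_net_ip starts and ends outside this hunk.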
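Review bot: `if ($net eq $Wireguard::settings{'CLIENT_POOL'})` in get_interface compares against a setting that may be unset, and since `eq` stringifies undef to "", any caller that reaches this point with an empty `$net` would be told the interface is "wg0" (plus an uninitialized-value warning); the getcolor block removed further down in this patch guarded the same setting before using it. Guard it here too: `if ($Wireguard::settings{'CLIENT_POOL'} && $net eq $Wireguard::settings{'CLIENT_POOL'}) {`. As a matter of style, the interface name is hard-coded as `"wg0"` while the get_address hunk reads `$peer->{'INTERFACE'}` per peer; if the roadwarrior interface name is available from the WireGuard settings it should come from there rather than a literal. get_interface continues outside this hunk.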
@@ -385,6 +393,25 @@ sub get_address
 push(@ret, [$host_address, ""]);
 }
 
+ # WireGuard Peers
+ } elsif ($key eq 'wg_peer' || $key eq 'wg_peer_src' || $key eq 'wg_peer_tgt') {
+ my $peer = &Wireguard::get_peer_by_name($value);
+ if (defined $peer) {
+ my $remotes;
+
+ # Select the remote IP addresses
+ if ($peer->{'TYPE'} eq 'host') {
+ $remotes = $peer->{'CLIENT_ADDRESS'};
+ } elsif ($peer->{'TYPE'} eq 'net') {
+ $remotes = $peer->{'REMOTE_SUBNETS'};
+ }
+
+ # Add all remotes
+ foreach my $remote (@$remotes) {
+ push(@ret, [$remote, $peer->{'INTERFACE'}]);
+ }
+ }
+
 # OpenVPN networks.
 } elsif ($key ~~ ["ovpn_net_src", "ovpn_net_tgt", "OpenVPN static network"]) {
 my $network_address = &get_ovpn_net_ip($value, 1);
diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
index ec6a06cde..b4468feed 100644
--- a/html/cgi-bin/fwhosts.cgi
+++ b/html/cgi-bin/fwhosts.cgi
@@ -582,6 +582,13 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp')
 $fwhostsettings{'grp_name'}='';
 $fwhostsettings{'remark'}='';
 }
+ # Fetch the address from a WireGuard Peer
+ if ($fwhostsettings{'grp2'} eq 'wg_peer' && $fwhostsettings{'WG_PEER'} ne ''){
+ @target=$fwhostsettings{'WG_PEER'};
+ $type='wg_peer';
+ }elsif ($fwhostsettings{'grp2'} eq 'wg_peer' && $fwhostsettings{'WG_PEER'} eq ''){
+ $errormessage=$Lang::tr{'fwhost err groupempty'};
+ }
 #get address from ovpn ccd static net
 if ($fwhostsettings{'grp2'} eq 'ovpn_net' && $fwhostsettings{'OVPN_CCD_NET'} ne ''){
 @target=$fwhostsettings{'OVPN_CCD_NET'};
@@ -1504,6 +1511,34 @@ END print""; #Inner table right print""; + # WireGuard Peers + if (%Wireguard::peers) { + print < + + + +EOF + } #OVPN networks if (! -z $configccdnet){ print<$c" + } + } + #Check if IP is part of OpenVPN N2N subnet foreach my $key (sort keys %ccdhost){ if ($ccdhost{$key}[3] eq 'net'){ 
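Review bot: `my $remotes;` in the new wg_peer branch of get_address stays undef when `$peer->{'TYPE'}` is neither 'host' nor 'net', so `foreach my $remote (@$remotes)` only avoids a strict-refs failure because foreach autovivifies the reference; `my $remotes = [];` makes the "no addresses" case explicit instead of relying on that. The branch also pushes nothing when `get_peer_by_name` returns undef, which is what happens once a peer referenced by a group has been renamed or deleted; whether the consumer of `@ret` then skips the rule or builds one without an address restriction cannot be seen in this hunk, so spell the contract out with `# Unknown or deleted peers contribute no addresses; the caller must not treat an empty result as "any"`. Whether CLIENT_ADDRESS and REMOTE_SUBNETS are always array references is also not visible here and is worth confirming, since a plain string would die under strict refs. get_address begins before and ends after this hunk.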
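Review bot: The savegrp path stores the form value `WG_PEER` straight into `@target` after checking only that it is non-empty, so any string the browser sends becomes a persisted group member whether or not such a peer exists; the adjacent OVPN_CCD_NET branch does the same, so this follows the existing pattern, but the patch already has a lookup it could use. Change the two condition lines to `if ($fwhostsettings{'grp2'} eq 'wg_peer' && $fwhostsettings{'WG_PEER'} ne '' && defined &Wireguard::get_peer_by_name($fwhostsettings{'WG_PEER'})){` and `}elsif ($fwhostsettings{'grp2'} eq 'wg_peer'){`, so an unknown peer name lands in the error branch rather than in the group file (a more specific `$Lang::tr` key than 'fwhost err groupempty' would be better there if one exists). The enclosing `if ($fwhostsettings{'ACTION'} eq 'savegrp')` block starts before and ends after this hunk, so any earlier sanitising of `WG_PEER` is not visible from here.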
@@ -1965,13 +2008,6 @@ sub getcolor
 }
 }
 
- # WireGuard Roadwarrior
- if ($Wireguard::settings{'CLIENT_POOL'}) {
- if (&Network::ip_address_in_network($sip, $Wireguard::settings{'CLIENT_POOL'})) {
- return "$c"
- }
- }
-
 #Check if IP is part of OpenVPN dynamic subnet
 my ($a,$b) = split("/",$ovpnsettings{'DOVPN_SUBNET'});
 if (&General::IpInSubnet($sip,$a,$b)){
@@ -2967,6 +3003,23 @@ sub getipforgroup
 &deletefromgrp($name,$configgrp);
 }
 
+ # WireGuard Peers
+ if ($type eq "wg_peer") {
+ my $peer = &Wireguard::get_peer_by_name($name);
+
+ if (defined $peer) {
+ my @addresses = ();
+
+ if ($peer->{"TYPE"} eq "host") {
+ push(@addresses, @{ $peer->{"CLIENT_ADDRESS"} });
+ } elsif ($peer->{"TYPE"} eq "net") {
+ push(@addresses, @{ $peer->{"REMOTE_SUBNETS"} });
+ }
+
+ return join(", ", @addresses);
+ }
+ }
+
 #get address from ovpn ccd Net-2-Net
 if ($type eq 'OpenVPN N-2-N'){
 foreach my $key (keys %ccdhost) {
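Review bot: In the new wg_peer block of getipforgroup, a peer that `get_peer_by_name` no longer knows about is silently skipped: `$type` is still "wg_peer", nothing is returned, and control falls through to the OpenVPN checks below. The context line `&deletefromgrp($name,$configgrp);` immediately above suggests the neighbouring branches purge members whose backing object has disappeared (the start of that branch is outside the hunk, so this is inferred); if that is the convention, this branch should do the same with `} else { &deletefromgrp($name,$configgrp); }` after the `if (defined $peer)` block, otherwise stale peer names linger in groups while the firewall-lib side yields no addresses for them. For an unrecognised `TYPE` the block returns an empty string, which the display layer should at least tolerate. Style-wise, the host/net address selection here duplicates the logic added to get_address in firewall-lib.pl; a single accessor in the Wireguard module would keep the two from drifting apart. getipforgroup continues past this hunk.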
+ + +