firewall: Add support for WireGuard peers to groups
commit 1de96a83d6d6cec5d4d3eda1792aa80bfbd8fafe Author: Michael Tremer <michael.tremer@ipfire.org> Date: Wed Apr 23 12:35:52 2025 +0200 firewall: Add support for WireGuard peers to groups Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
@@ -239,6 +239,8 @@ sub get_std_net_ip
|
|||||||
return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
|
return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
|
||||||
}elsif($val eq 'RED'){
|
}elsif($val eq 'RED'){
|
||||||
return "0.0.0.0/0";
|
return "0.0.0.0/0";
|
||||||
|
}elsif($val eq 'WGRW'){
|
||||||
|
return $Wireguard::settings{'CLIENT_POOL'};
|
||||||
}elsif($val =~ /OpenVPN/i){
|
}elsif($val =~ /OpenVPN/i){
|
||||||
return "$ovpnsettings{'DOVPN_SUBNET'}";
|
return "$ovpnsettings{'DOVPN_SUBNET'}";
|
||||||
}elsif($val =~ /IPsec/i){
|
}elsif($val =~ /IPsec/i){
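Review bot: The new `WGRW` branch returns `$Wireguard::settings{'CLIENT_POOL'}` unguarded, so when the WireGuard road-warrior pool is not configured the caller receives undef or an empty string where every other branch of get_std_net_ip visible here returns a CIDR string, and the `eq` comparisons downstream will warn on undef under `use warnings`. Failing closed explicitly is safer, e.g. `return $Wireguard::settings{'CLIENT_POOL'} // "";` with a comment `# Empty when the road-warrior pool is not configured`, so callers can test for the empty value rather than a missing one. Whether an empty network string is rejected later by the rule generator is not visible in this hunk. get_std_net_ip starts and ends outside the hunk.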
|
||||||
@@ -259,6 +261,12 @@ sub get_interface
|
|||||||
if($net eq "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"){
|
if($net eq "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"){
|
||||||
return "$netsettings{'BLUE_DEV'}";
|
return "$netsettings{'BLUE_DEV'}";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Wireguard
|
||||||
|
if ($net eq $Wireguard::settings{'CLIENT_POOL'}) {
|
||||||
|
return "wg0";
|
||||||
|
}
|
||||||
|
|
||||||
if($net eq "0.0.0.0/0") {
|
if($net eq "0.0.0.0/0") {
|
||||||
return &get_external_interface();
|
return &get_external_interface();
|
||||||
}
|
}
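Review bot: `if ($net eq $Wireguard::settings{'CLIENT_POOL'})` has no guard for an unset pool: when `CLIENT_POOL` is empty or undefined and `$net` is an empty string (which get_std_net_ip can now return for `WGRW`), the comparison is true and get_interface answers `wg0` for a network that does not exist. Guard the lookup on the setting being present: `if ($Wireguard::settings{'CLIENT_POOL'} && $net eq $Wireguard::settings{'CLIENT_POOL'}) {`. The interface name is also hard-coded as `wg0` here while the peer lookup added to get_address carries `$peer->{'INTERFACE'}`; if the road-warrior interface is configurable that value should come from the same place, which I cannot confirm from this hunk. get_interface continues outside the hunk.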
|
||||||
@@ -385,6 +393,25 @@ sub get_address
|
|||||||
push(@ret, [$host_address, ""]);
|
push(@ret, [$host_address, ""]);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# WireGuard Peers
|
||||||
|
} elsif ($key eq 'wg_peer' || $key eq 'wg_peer_src' || $key eq 'wg_peer_tgt') {
|
||||||
|
my $peer = &Wireguard::get_peer_by_name($value);
|
||||||
|
if (defined $peer) {
|
||||||
|
my $remotes;
|
||||||
|
|
||||||
|
# Select the remote IP addresses
|
||||||
|
if ($peer->{'TYPE'} eq 'host') {
|
||||||
|
$remotes = $peer->{'CLIENT_ADDRESS'};
|
||||||
|
} elsif ($peer->{'TYPE'} eq 'net') {
|
||||||
|
$remotes = $peer->{'REMOTE_SUBNETS'};
|
||||||
|
}
|
||||||
|
|
||||||
|
# Add all remotes
|
||||||
|
foreach my $remote (@$remotes) {
|
||||||
|
push(@ret, [$remote, $peer->{'INTERFACE'}]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
# OpenVPN networks.
|
# OpenVPN networks.
|
||||||
} elsif ($key ~~ ["ovpn_net_src", "ovpn_net_tgt", "OpenVPN static network"]) {
|
} elsif ($key ~~ ["ovpn_net_src", "ovpn_net_tgt", "OpenVPN static network"]) {
|
||||||
my $network_address = &get_ovpn_net_ip($value, 1);
|
my $network_address = &get_ovpn_net_ip($value, 1);
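Review bot: `my $remotes;` stays undef when the peer exists but its `TYPE` is neither `host` nor `net`; `foreach my $remote (@$remotes)` then iterates nothing (foreach autovivifies the reference rather than dying), so a group member that cannot be resolved silently contributes no addresses and a rule built on that group quietly stops matching. The same silent drop happens when `get_peer_by_name` returns undef. Initialise with `my $remotes = [];`, and in an `else` branch on the type check (and when `$peer` is undef) log the unresolved name with whatever logging helper this file uses, so an empty address list is visible in the logs instead of surfacing as a rule that no longer fires. get_address starts and ends outside the hunk.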
|
||||||
|
|||||||
@@ -582,6 +582,13 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp')
|
|||||||
$fwhostsettings{'grp_name'}='';
|
$fwhostsettings{'grp_name'}='';
|
||||||
$fwhostsettings{'remark'}='';
|
$fwhostsettings{'remark'}='';
|
||||||
}
|
}
|
||||||
|
# Fetch the address from a WireGuard Peer
|
||||||
|
if ($fwhostsettings{'grp2'} eq 'wg_peer' && $fwhostsettings{'WG_PEER'} ne ''){
|
||||||
|
@target=$fwhostsettings{'WG_PEER'};
|
||||||
|
$type='wg_peer';
|
||||||
|
}elsif ($fwhostsettings{'grp2'} eq 'wg_peer' && $fwhostsettings{'WG_PEER'} eq ''){
|
||||||
|
$errormessage=$Lang::tr{'fwhost err groupempty'};
|
||||||
|
}
|
||||||
#get address from ovpn ccd static net
|
#get address from ovpn ccd static net
|
||||||
if ($fwhostsettings{'grp2'} eq 'ovpn_net' && $fwhostsettings{'OVPN_CCD_NET'} ne ''){
|
if ($fwhostsettings{'grp2'} eq 'ovpn_net' && $fwhostsettings{'OVPN_CCD_NET'} ne ''){
|
||||||
@target=$fwhostsettings{'OVPN_CCD_NET'};
|
@target=$fwhostsettings{'OVPN_CCD_NET'};
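Review bot: The new `wg_peer` branch stores `$fwhostsettings{'WG_PEER'}` straight from the CGI request into `@target` with no check that it names an existing peer; the only test is that it is non-empty. Since get_address resolves an unknown peer name to no addresses without complaint, a typo or a stale form value becomes a persisted group member that matches nothing. Resolve the name here and reject it with an error message when the lookup fails, e.g. `$errormessage = $Lang::tr{'fwhost err groupempty'} unless defined &Wireguard::get_peer_by_name($fwhostsettings{'WG_PEER'});` (or a dedicated language string if one exists). The surrounding `savegrp` handler starts and ends outside the hunk, so any validation applied elsewhere is not visible here.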
|
||||||
@@ -1504,6 +1511,34 @@ END
|
|||||||
print"</table>";
|
print"</table>";
|
||||||
#Inner table right
|
#Inner table right
|
||||||
print"</td><td align='right' style='vertical-align:top;'><table width='90%' border='0'>";
|
print"</td><td align='right' style='vertical-align:top;'><table width='90%' border='0'>";
|
||||||
|
# WireGuard Peers
|
||||||
|
if (%Wireguard::peers) {
|
||||||
|
print <<EOF;
|
||||||
|
<tr>
|
||||||
|
<td style='width:15em;'>
|
||||||
|
<label>
|
||||||
|
<input type='radio' name='grp2' value='wg_peer' $checked{'grp2'}{'wg_peer'}>
|
||||||
|
$Lang::tr{'fwhost wg peers'}
|
||||||
|
</label>
|
||||||
|
</td>
|
||||||
|
<td style='text-align:right;'>
|
||||||
|
<select name='WG_PEER' style='width:16em;'>"
|
||||||
|
EOF
|
||||||
|
|
||||||
|
foreach my $key (sort { $Wireguard::peers{$a}[2] cmp $Wireguard::peers{$b}[2] } keys %Wireguard::peers) {
|
||||||
|
my $peer = &Wireguard::load_peer($key);
|
||||||
|
|
||||||
|
print <<EOF;
|
||||||
|
<option value="$peer->{"NAME"}">$peer->{"NAME"}</option>
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
|
print <<EOF;
|
||||||
|
</select>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
EOF
|
||||||
|
}
|
||||||
#OVPN networks
|
#OVPN networks
|
||||||
if (! -z $configccdnet){
|
if (! -z $configccdnet){
|
||||||
print<<END;
|
print<<END;
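Review bot: The heredoc line `<select name='WG_PEER' style='width:16em;'>"` carries a stray double quote after the closing angle bracket that is printed into the page as visible text; it should read `<select name='WG_PEER' style='width:16em;'>`. The option list also interpolates `$peer->{"NAME"}` into both the `value` attribute and the element body without escaping; unless peer names are restricted to a safe character set when they are created (not visible here), a name containing `"` or `<` breaks the markup or injects script into this page, so it should go through the HTML-escaping helper this file uses for other user-supplied strings. The rest of the block is straight template output.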
|
||||||
@@ -1954,6 +1989,14 @@ sub getcolor
|
|||||||
$tdcolor="<font style='color: $Header::colourred;'>$c</font>";
|
$tdcolor="<font style='color: $Header::colourred;'>$c</font>";
|
||||||
return $tdcolor;
|
return $tdcolor;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# WireGuard Roadwarrior
|
||||||
|
if ($Wireguard::settings{'CLIENT_POOL'}) {
|
||||||
|
if (&Network::ip_address_in_network($sip, $Wireguard::settings{'CLIENT_POOL'})) {
|
||||||
|
return "<font style='color: $Header::colourwg;'>$c</font>"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#Check if IP is part of OpenVPN N2N subnet
|
#Check if IP is part of OpenVPN N2N subnet
|
||||||
foreach my $key (sort keys %ccdhost){
|
foreach my $key (sort keys %ccdhost){
|
||||||
if ($ccdhost{$key}[3] eq 'net'){
|
if ($ccdhost{$key}[3] eq 'net'){
|
||||||
@@ -1965,13 +2008,6 @@ sub getcolor
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# WireGuard Roadwarrior
|
|
||||||
if ($Wireguard::settings{'CLIENT_POOL'}) {
|
|
||||||
if (&Network::ip_address_in_network($sip, $Wireguard::settings{'CLIENT_POOL'})) {
|
|
||||||
return "<font style='color: $Header::colourwg;'>$c</font>"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
#Check if IP is part of OpenVPN dynamic subnet
|
#Check if IP is part of OpenVPN dynamic subnet
|
||||||
my ($a,$b) = split("/",$ovpnsettings{'DOVPN_SUBNET'});
|
my ($a,$b) = split("/",$ovpnsettings{'DOVPN_SUBNET'});
|
||||||
if (&General::IpInSubnet($sip,$a,$b)){
|
if (&General::IpInSubnet($sip,$a,$b)){
|
||||||
@@ -2967,6 +3003,23 @@ sub getipforgroup
|
|||||||
&deletefromgrp($name,$configgrp);
|
&deletefromgrp($name,$configgrp);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# WireGuard Peers
|
||||||
|
if ($type eq "wg_peer") {
|
||||||
|
my $peer = &Wireguard::get_peer_by_name($name);
|
||||||
|
|
||||||
|
if (defined $peer) {
|
||||||
|
my @addresses = ();
|
||||||
|
|
||||||
|
if ($peer->{"TYPE"} eq "host") {
|
||||||
|
push(@addresses, @{ $peer->{"CLIENT_ADDRESS"} });
|
||||||
|
} elsif ($peer->{"TYPE"} eq "net") {
|
||||||
|
push(@addresses, @{ $peer->{"REMOTE_SUBNETS"} });
|
||||||
|
}
|
||||||
|
|
||||||
|
return join(", ", @addresses);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#get address from ovpn ccd Net-2-Net
|
#get address from ovpn ccd Net-2-Net
|
||||||
if ($type eq 'OpenVPN N-2-N'){
|
if ($type eq 'OpenVPN N-2-N'){
|
||||||
foreach my $key (keys %ccdhost) {
|
foreach my $key (keys %ccdhost) {
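Review bot: The `wg_peer` branch repeats the host→`CLIENT_ADDRESS` / net→`REMOTE_SUBNETS` selection that the get_address change also performs, and the two copies can drift; a single helper in the Wireguard module returning that list would keep what the UI displays and what the rule generator matches in agreement. As written, `@{ $peer->{"CLIENT_ADDRESS"} }` inside `push` dies under `strict refs` if that field is undef for a host-type peer, whereas the `foreach` in get_address tolerates it, so the two paths also differ in failure behaviour. When the peer is not found the branch falls through to the OpenVPN checks instead of returning, which matches the existing style but means a missing peer shows as whatever the end of getipforgroup returns; that end is outside the hunk.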
|
||||||
|
|||||||