firewall: Add support for WireGuard peers to groups
commit 1de96a83d6d6cec5d4d3eda1792aa80bfbd8fafe
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed Apr 23 12:35:52 2025 +0200
firewall: Add support for WireGuard peers to groups
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
@@ -239,6 +239,8 @@ sub get_std_net_ip
|
||||
return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
|
||||
}elsif($val eq 'RED'){
|
||||
return "0.0.0.0/0";
|
||||
}elsif($val eq 'WGRW'){
|
||||
return $Wireguard::settings{'CLIENT_POOL'};
|
||||
}elsif($val =~ /OpenVPN/i){
|
||||
return "$ovpnsettings{'DOVPN_SUBNET'}";
|
||||
}elsif($val =~ /IPsec/i){
|
||||
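Review bot: `return $Wireguard::settings{'CLIENT_POOL'};` in the new WGRW branch is the only branch of get_std_net_ip that can return undef — every sibling branch returns a string — so a WGRW group member on a system whose WireGuard client pool is unset hands undef to whatever builds the rule from this value. The same unguarded value is compared with `eq` in the get_interface hunk below (`if ($net eq $Wireguard::settings{'CLIENT_POOL'})`), which warns on undef under `use warnings` and, if `$net` can itself be empty or undef, matches spuriously. The new getcolor block guards the lookup with `if ($Wireguard::settings{'CLIENT_POOL'})` first; the same guard belongs here, e.g. `return $Wireguard::settings{'CLIENT_POOL'} // '';` if callers tolerate an empty string, otherwise fall through to the sub's existing error path. get_std_net_ip starts outside the hunk.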
@@ -259,6 +261,10 @@ sub get_interface
|
||||
if($net eq "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"){
|
||||
return "$netsettings{'BLUE_DEV'}";
|
||||
}
|
||||
# Wireguard
|
||||
if ($net eq $Wireguard::settings{'CLIENT_POOL'}) {
|
||||
return "wg0";
|
||||
}
|
||||
if($net eq "0.0.0.0/0") {
|
||||
return &get_external_interface();
|
||||
}
|
||||
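Review bot: `return "wg0";` hardcodes the interface for the client pool, while the get_address hunk in the same commit takes the interface from `$peer->{'INTERFACE'}`; if peers can be terminated on other WireGuard interfaces the two hunks disagree and a rule built for the roadwarrior pool would be bound to the wrong device. If wg0 is by design the only roadwarrior interface, say so in the comment, e.g. `# WireGuard roadwarrior peers are always terminated on wg0`; otherwise read the interface name from the Wireguard settings as get_address does. get_interface starts outside the hunk.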
@@ -385,6 +391,25 @@ sub get_address
|
||||
push(@ret, [$host_address, ""]);
|
||||
}
|
||||
|
||||
# WireGuard Peers
|
||||
} elsif ($key eq 'wg_peer' || $key eq 'wg_peer_src' || $key eq 'wg_peer_tgt') {
|
||||
my $peer = &Wireguard::get_peer_by_name($value);
|
||||
if (defined $peer) {
|
||||
my $remotes;
|
||||
|
||||
# Select the remote IP addresses
|
||||
if ($peer->{'TYPE'} eq 'host') {
|
||||
$remotes = $peer->{'CLIENT_ADDRESS'};
|
||||
} elsif ($peer->{'TYPE'} eq 'net') {
|
||||
$remotes = $peer->{'REMOTE_SUBNETS'};
|
||||
}
|
||||
|
||||
# Add all remotes
|
||||
foreach my $remote (@$remotes) {
|
||||
push(@ret, [$remote, $peer->{'INTERFACE'}]);
|
||||
}
|
||||
}
|
||||
|
||||
# OpenVPN networks.
|
||||
} elsif ($key ~~ ["ovpn_net_src", "ovpn_net_tgt", "OpenVPN static network"]) {
|
||||
my $network_address = &get_ovpn_net_ip($value, 1);
|
||||
|
||||
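Review bot: In the new `wg_peer` branch `$remotes` stays undef when `$peer->{'TYPE'}` is neither `host` nor `net`, so `foreach my $remote (@$remotes)` iterates a dereferenced undef; whether that autovivifies or dies under strict refs depends on context, and either way an unknown type is silently treated as "no addresses". Initialise it explicitly, `my $remotes = [];`, so the fallthrough is deliberate, and note that both assignments assume CLIENT_ADDRESS and REMOTE_SUBNETS are array refs (the getipforgroup hunk later in this commit makes the same assumption). An unknown peer name (`get_peer_by_name` returning undef) likewise adds nothing to @ret without any diagnostic; since the savegrp hunk stores the bare name in the group config, a renamed or deleted peer makes the group silently lose that member and a rule matching on the group becomes narrower than the admin configured — a `&General::log(...)` or similar warning here would make that visible. get_address starts and ends outside the hunk.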
@@ -582,6 +582,13 @@ if ($fwhostsettings{'ACTION'} eq 'savegrp')
|
||||
$fwhostsettings{'grp_name'}='';
|
||||
$fwhostsettings{'remark'}='';
|
||||
}
|
||||
# Fetch the address from a WireGuard Peer
|
||||
if ($fwhostsettings{'grp2'} eq 'wg_peer' && $fwhostsettings{'WG_PEER'} ne ''){
|
||||
@target=$fwhostsettings{'WG_PEER'};
|
||||
$type='wg_peer';
|
||||
}elsif ($fwhostsettings{'grp2'} eq 'wg_peer' && $fwhostsettings{'WG_PEER'} eq ''){
|
||||
$errormessage=$Lang::tr{'fwhost err groupempty'};
|
||||
}
|
||||
#get address from ovpn ccd static net
|
||||
if ($fwhostsettings{'grp2'} eq 'ovpn_net' && $fwhostsettings{'OVPN_CCD_NET'} ne ''){
|
||||
@target=$fwhostsettings{'OVPN_CCD_NET'};
|
||||
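Review bot: `@target=$fwhostsettings{'WG_PEER'};` stores the submitted peer name in the group without checking that such a peer exists, whereas the new get_address code resolves an unknown name to no addresses at all; consider rejecting unknown names at save time, e.g. `$errormessage = $Lang::tr{'<placeholder: error key>'} unless defined &Wireguard::get_peer_by_name($fwhostsettings{'WG_PEER'});`, so the group config never references a peer that does not exist. The two consecutive `grp2 eq 'wg_peer'` conditions can also be collapsed into one `if ($fwhostsettings{'grp2'} eq 'wg_peer')` with an inner `if ($fwhostsettings{'WG_PEER'} ne '') { ... } else { $errormessage = ...; }`, which is easier to keep in step when the validation above is added. The enclosing savegrp action block starts outside the hunk.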
@@ -1504,6 +1511,35 @@ END
|
||||
print"</table>";
|
||||
#Inner table right
|
||||
print"</td><td align='right' style='vertical-align:top;'><table width='90%' border='0'>";
|
||||
# WireGuard Peers
|
||||
if (%Wireguard::peers) {
|
||||
print <<EOF;
|
||||
<tr>
|
||||
<td style='width:15em;'>
|
||||
<label>
|
||||
<input type='radio' name='grp2' value='wg_peer' $checked{'grp2'}{'wg_peer'}>
|
||||
$Lang::tr{'fwhost wg peers'}
|
||||
</label>
|
||||
</td>
|
||||
<td style='text-align:right;'>
|
||||
<select name='WG_PEER' style='width:16em;'>"
|
||||
EOF
|
||||
|
||||
foreach my $key (sort { $Wireguard::peers{$a}[2] cmp $Wireguard::peers{$b}[2] } keys %Wireguard::peers) {
|
||||
my $peer = &Wireguard::load_peer($key);
|
||||
|
||||
print <<EOF;
|
||||
<option value="$peer->{"NAME"}">$peer->{"NAME"}</option>
|
||||
EOF
|
||||
}
|
||||
|
||||
print <<EOF;
|
||||
</select>
|
||||
</td>
|
||||
</tr>
|
||||
EOF
|
||||
}
|
||||
|
||||
#OVPN networks
|
||||
if (! -z $configccdnet){
|
||||
print<<END;
|
||||
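Review bot: The heredoc line `<select name='WG_PEER' style='width:16em;'>"` ends with a stray double quote that is emitted verbatim into the page (heredoc content is not Perl syntax), so every rendered form shows a `"` after the select; it should read `<select name='WG_PEER' style='width:16em;'>`. The `<option value="$peer->{"NAME"}">$peer->{"NAME"}</option>` line interpolates the peer name into both an attribute and text content without HTML escaping, so a name containing `"`, `<` or `&` breaks the markup and the submitted value; run it through the escaping helper this CGI uses for other user-supplied strings before interpolating. The print sequence this hunk sits in starts outside the hunk.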
@@ -1954,6 +1990,14 @@ sub getcolor
|
||||
$tdcolor="<font style='color: $Header::colourred;'>$c</font>";
|
||||
return $tdcolor;
|
||||
}
|
||||
|
||||
# WireGuard Roadwarrior
|
||||
if ($Wireguard::settings{'CLIENT_POOL'}) {
|
||||
if (&Network::ip_address_in_network($sip, $Wireguard::settings{'CLIENT_POOL'})) {
|
||||
return "<font style='color: $Header::colourwg;'>$c</font>"
|
||||
}
|
||||
}
|
||||
|
||||
#Check if IP is part of OpenVPN N2N subnet
|
||||
foreach my $key (sort keys %ccdhost){
|
||||
if ($ccdhost{$key}[3] eq 'net'){
|
||||
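Review bot: `return "<font style='color: $Header::colourwg;'>$c</font>"` has no terminating semicolon; it is legal as the last statement of the block but inconsistent with `return $tdcolor;` two lines above and will break the moment a statement is appended after it — add the `;`. If I read the second getcolor hunk correctly, it removes an identical block that previously sat after the OpenVPN N2N loop, so this hunk moves the WireGuard check ahead of that loop and changes which colour wins for an address that lies in both the WireGuard pool and an N2N subnet; that ordering change deserves a sentence in the commit message.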
@@ -1965,13 +2009,6 @@ sub getcolor
|
||||
}
|
||||
}
|
||||
|
||||
# WireGuard Roadwarrior
|
||||
if ($Wireguard::settings{'CLIENT_POOL'}) {
|
||||
if (&Network::ip_address_in_network($sip, $Wireguard::settings{'CLIENT_POOL'})) {
|
||||
return "<font style='color: $Header::colourwg;'>$c</font>"
|
||||
}
|
||||
}
|
||||
|
||||
#Check if IP is part of OpenVPN dynamic subnet
|
||||
my ($a,$b) = split("/",$ovpnsettings{'DOVPN_SUBNET'});
|
||||
if (&General::IpInSubnet($sip,$a,$b)){
|
||||
@@ -2967,6 +3004,23 @@ sub getipforgroup
|
||||
&deletefromgrp($name,$configgrp);
|
||||
}
|
||||
|
||||
# WireGuard Peers
|
||||
if ($type eq "wg_peer") {
|
||||
my $peer = &Wireguard::get_peer_by_name($name);
|
||||
|
||||
if (defined $peer) {
|
||||
my @addresses = ();
|
||||
|
||||
if ($peer->{"TYPE"} eq "host") {
|
||||
push(@addresses, @{ $peer->{"CLIENT_ADDRESS"} });
|
||||
} elsif ($peer->{"TYPE"} eq "net") {
|
||||
push(@addresses, @{ $peer->{"REMOTE_SUBNETS"} });
|
||||
}
|
||||
|
||||
return join(", ", @addresses);
|
||||
}
|
||||
}
|
||||
|
||||
#get address from ovpn ccd Net-2-Net
|
||||
if ($type eq 'OpenVPN N-2-N'){
|
||||
foreach my $key (keys %ccdhost) {
|
||||
|
||||
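Review bot: The host/net address selection in the new `wg_peer` branch duplicates the logic added to get_address in this commit; both should call one helper in the Wireguard module that returns a peer's address list, so the two cannot drift apart. Here `push(@addresses, @{ $peer->{"CLIENT_ADDRESS"} })` dereferences in rvalue context and dies under strict refs if a host peer has no CLIENT_ADDRESS, while an unknown TYPE silently returns an empty string; `push(@addresses, @{ $peer->{"CLIENT_ADDRESS"} // [] });` (and the same for REMOTE_SUBNETS) keeps a malformed peer record from aborting the page. getipforgroup starts and continues outside the hunk.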