sync IPFire fwhosts.cgi
commit 2398cc431a3fb2cd4141b6a846f0cd0742f6a97c
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 17:05:32 2025 +0200
fwhosts.cgi: Escape PROT in the right place
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit ad995081302f6b28ea11c74e56306d94a7bee076
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 17:02:18 2025 +0200
fwhosts.cgi: Check country code before proceeding
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit a2c624b99dbcecb469e6001505731049ef5cbbd3
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:37 2025 +0200
fwhosts.cgi Fix for bug 13876 & bug 13877
Fixes: Bug 13876 savelocationgrp COUNTRY_CODE Stored Cross-Site Scripting
Fixes: Bug 13877 saveservice PROT Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 798556ec29207d5131a7600d5489f1ee92a7b87a
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon Jun 23 17:16:57 2025 +0000
fwhosts.cgi: Move the tooltip into the usage counter
This will clutter the page less as we don't have any good icon sets.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 61b277aa9c578a9a69e552f593a8bde421b811bc
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon Jun 23 17:16:56 2025 +0000
fwhosts.cgi: Don't show anything if a host/group is unused
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit ca811a746a79f0e02cfb780cbd4543a057131e3a
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon Jun 23 17:16:55 2025 +0000
fwhosts.cgi: Remove whitespace issues
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 5511d94ed0d8ea6fd372d52cba515b4d6726abed
Author: Peer Dietzmann <dietzmann@brecht-schule.hamburg>
Date: Mon Jun 23 17:16:54 2025 +0000
fwhosts.cgi: Show in which firewall rule objects are being used
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 341eb00a821c4254ddd04968beed2e98e5a33aff
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat May 3 15:10:16 2025 +0200
fwhosts.cgi: Correctly show IP addresses for WireGuard RW peers
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 68a3334413efb1a963b7cc6c6dca1ec0126e1cc1
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Jul 18 08:42:12 2025 +0000
wireguard-functions.pl: Automatically skip IPv6 subnets
Since we do not support this and some VPN providers generate
configuration files that send any data over to them, we simply ignore
any IPv6 subnets.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit f7565a885b55384a64edd8bd73079143a04da519
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Jul 18 09:57:34 2025 +0000
wireguard-functions.pl: Remove any carriage returns on import
Some files might include carriage returns which won't be removed by
chomp() on Linux. To be extra safe, we remove them manually.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Choose one IP from client pool and add it to road warrior interface
wg0 so road warrior VPN client could reach firewall through the VPN
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
missing set_defaults sub result in error when generate
flash image during build after add wireguard UI
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 37174e29de670a33f9be4b90c88b0a96c695dad1
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Sep 27 17:55:46 2024 +0200
wireguard.cgi: Normalize filenames
This is because Windows clients won't import any configurations that
have spaces in the filename. Therefore we replace it and remove anything
else unwanted on the way.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 06dbc836a47160d51ab10f8b9d4ca356beaa7cdb
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Apr 16 18:06:47 2024 +0200
wireguard.cgi: Add a basic CGI to configure the global settings
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
loxilb 0.9.8 requires --egress flag for firewall
rule to masquerade/SNAT GREEN network source IP
for Internet access. to access host in RED network
another firewall rule is required. see [0].
[0]: https://github.com/loxilb-io/loxilb/issues/957
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
move haproxy to core package
prepare /var/ipfire/haproxy for haproxy UI, use
/var/ipfire/haproxy/haproxy.cfg
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
add the missing config/cfgroot/xdpdns-settings file
and use ENABLE_DNSBLOCK=on by default, so XDP DNS
Blocklist is enabled by default.
also add domainfile so when BPFire reboot first time
and when xdpdns init startup, it will not complain
missing domainfile
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
when loxilb is enabled and started, enable the
firewall SNAT for green network so green network
could have initiate outgoing traffic like internet
access.
we can achieve this by restoring firewall SNAT setting
from default /var/ipfire/loxilb/FWconfig.txt when loxilb
start up with --config-path=/var/ipfire/loxilb thanks
to the enhancement addressed in issue:
https://github.com/loxilb-io/loxilb/issues/706
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
BPFire red0 does not support multicast, need to
have unicast peer configured, then the virtual
ipaddress can be added to red0 interface.
the UI requires /var/ipfire/keepalived/runsettings
/var/ipfire/keepalived/settings to be created, so
add them lfs/configroot
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
since we added loxilb ip management to add ip on
red0 interface, we can select the virtual ip from
red0 interface.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
- If a fresh install is done then only the DROP_HOSTILE_IN & DROP_HOSTILE_OUT
rrd directories are created.
- With the DROP_HOSTILE directory missing then when the fwhits graph is updated an error
message is caused by the inability to open the required files.
- This patch adds an if/else loop into the fwhits graph code to deal with the two cases
of the DROP_HOSTILE being present or not depending on the history and if a backup with
logs has been restored from when DROP_HOSTILE was in use.
- Tested on vm testbed and created a historical line for the hostile data when it was not
split
- There might be a simpler or better approach than this but it was the only option I
could identify. I couldn't find anything about being able to use if loops within the
RRD::Graph loop
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- This v3 version of the patch set splits the single hostile networks graph entry into
incoming hostile networks and outgoing hostile networks entries.
Fixes: bug12981
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
* The script needs to run with root permissions in order to
do the ipset operations. So remove code to drop the permissions
on startup.
* Adjust execute calls to use the proper functions from
general functions.
* Add some code to set the correct ownership (nobody:nobody) for
changed files during script runtime.
Fixes#13072.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
- With change of common css entries into header.pl with commit
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=b52a84ddc77f9db7e4ad7b129f21fbf528c6f990
I had missed that color20 and color22 etc, that come from colors.txt, are not known in
header.pl so that the alternate colours in tables were missing. Even though I tested the
previous commit I obviously did not look well enough because I missed that the tables
had no alternate colours. I just found it now when looking at Core Update 174 Testing.
- Confirmed by copying this version of header.pl into my CU174 Testing system and the
alternate colour rows came back again as they should be. I am sure now that they are
correct.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Tested-by: Bernhard Bitsch <bbitsch@ipfire.org>
- This updates the updatexlrator.cgi page to the same central use of extraHead from
header.pl and simplifying of css variables where appropriate.
- The variables for the percentage bar will also be able to be used in other cgi pages
with a percent bar.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- After looking at other .cgi files I realised that I had named the variables based on
their dhcp usage only. However colouryellow or color20 etc can be used not only in a
row but also in a cell or a column. Rather than ending up with multiple copies of the
same colour for rows, cells, columns etc I have simplified the variable names to just
the colour. They can then be used in whatever situation is wanted. The rest of the cgi
code will give the view of what structure the colour is being applied to.
- This will limit the number of different css variables defined in the header.pl file
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Now the rules files in a subfolder like "<provider>-rules" also will get
extracted.
Fixes rule file extraction for Snort Community ruleset.
Fixes#12948.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
- This v2 patch has moved the extraHead variable into header.pl
- This patch marks all IP's that are in the Fixed list but are also in the dynamic range
that has been defined, in red.
- Additional function created to check if an ip address is in a defined range.
- Added an additional key item under the Fixed Leases table for Fixed IP in dynamic range
- Added line to English Language file for this key item.
- ./make lang run before commit.
- Tested in vm testbed and confirmed that any ip address in the Fixed Leases table that
is in the defined dynamic range is highlighted in red
- This uses the css background-color appoach from the first patch in this set.
- This patch only highlights those IP's that overlap in red but does nothing more. So a
user can still create new ones if they want but they will all show up in red.
- This patch flags up if people are doing things that they shouldn't be doing but allows
them to continue doing so without changing anything if they don't want to and so will
not break existing setups.
Fixes: Bug#10629
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Tested-by: Bernhard Bitsch <bbitsch@ipfire.org>
- This v2 version moves the extraHead variable to header.pl as many of the css values
will be used in many other WUI cgi pages so makes sense to not define anew in every
location using the bgcolor or other colour variables.
- I will submit patches to follow the same approach in all other WUI cgi pages once this
has been submitted into next
- bgcolor was deprecated in HTML 4.01 and is not supported by HTML 5
- The orange colour for IP's that are outside the IPFire green and blue subnets does not
work on any browser I am using.
- I used the CSS approach that @Leo used in the Zone Configuration cgi page
- This patch changes all existing bgcolor entries to the css based background-color
- Tested on my vm testbed and confirmed to work. The Orange colour for IP's outside of
the subnet now shows up.
Fixes: Bug#10629
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Tested-by: Bernhard Bitsch <bbitsch@ipfire.org>
- add help links for two new ipblocklist WebGUI pages
- update help links to proxy accounting
- add links to OpenVPN Net-to-Net Statistics,
MD Raid State, Update Accelerator,
OpenVPN Roadwarrior Connections Log
Signed-off-by: Jon Murphy <jon.murphy@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Network (other) help link was set to go to Network (internal) wiki page
Link modified
- Running the check_manualpages.pl script requires it to be executable so the build
changed the permissions mode from 644 to 755
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
given list.
The function will return the rate in seconds based on the configured
rate value in the blocklist sources file and the given blocklist.
Signed-off-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
not parse-able.
In case the downloaded list is empty or the parser is not able to parse
it properly, the download_and_create_blocklist() function now exits and
will return "empty_list" as new error code.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This vendor has a different list format and therefore requires an
own parser.
Signed-off-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This function is responisible for downloading and converting the
blocklist into an ipset compatible format.
The only required argument is the blocklist (in upper letter format) which should be
performed. It automatically will setup an upstream proxy (if configured)
and grab the file specified in the blocklist vendor configuration hash.
There is a maximum amount of five attempts until the script gives up and
returns a "dl_error". In case the server responses with "Not Modified"
(Code 304) a "not_modified" will be returned.
If the blocklist successfully has been grabbed, the modification date
get stored for further purposes and the list content will be converted
and stored in an ipset compatible format.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Inspired-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
