Add excelusion option to firewall GUI

2025-03-01 10:31:47 +00:00 · 2021-07-20 21:56:00 +02:00
parent 721e576779
commit e049dd6d45
2 changed files with 32 additions and 8 deletions
--- a/includes/firewall.php
+++ b/includes/firewall.php
@@ -103,9 +103,9 @@ function configureFirewall() {
 }

 function WriteFirewallConf($conf) {
-    $ret = false;
-    if ( is_array($conf) ) $ret = write_php_ini($conf,RASPAP_FIREWALL_CONF);
-    return $ret;
+	$ret = false;
+     	if ( is_array($conf) ) write_php_ini($conf,RASPAP_FIREWALL_CONF);
+	return $ret;
 }


@@ -127,7 +127,7 @@ function ReadFirewallConf() {
       $conf["client-device"] = "";
       $conf["restricted-ips"] = "";
    }
-    
+
 # get openvpn server IP (if existing)
    if ( RASPI_OPENVPN_ENABLED && file_exists(RASPI_OPENVPN_CLIENT_CONFIG) ) {
      exec('cat '.RASPI_OPENVPN_CLIENT_CONFIG.' |  sed -rn "s/^remote\s*([a-z0-9\.\-\_]*)\s*([0-9]*).*$/\1/ip" ', $ret);
@@ -142,7 +142,7 @@ function ReadFirewallConf() {
    }
 # get wireguard server IP (if existing)
    if ( RASPI_WIREGUARD_ENABLED && file_exists(RASPI_WIREGUARD_CONFIG) ) {
-# search for endpoint       
+# search for endpoint
    }
    return $conf;
 }
@@ -158,6 +158,13 @@ function DisplayFirewallConfig()
    getWifiInterface();
    $ap_device = $_SESSION['ap_interface'];
    $clients = getClients();
+    $str_clients = "";
+    foreach( $clients["device"] as $dev ) {
+       if ( !$dev["isAP"] ) {
+          if ( !empty($str_clients) ) $str_clients .= ", ";
+          $str_clients .= $dev["name"];
+       }
+    }
    $fw_conf = ReadFirewallConf();
    $fw_conf["ap-device"] = $ap_device;
    $id=findCurrentClientIndex($clients);
@@ -170,13 +177,21 @@ function DisplayFirewallConfig()
        if ( isset($_POST['apply-firewall']) )  $status->addMessage(_('Firewall settings changed'), 'success');
        if ( isset($_POST['firewall-disable']) ) $status->addMessage(_('Firewall is now disabled'), 'warning');
        if ( isset($_POST['save-firewall']) )  $status->addMessage(_('Firewall settings saved. Firewall is still disabled.'), 'success');
+        if ( isset($_POST['excl-devices'])  ) {
+           $excl = filter_var($_POST['excl-devices'], FILTER_SANITIZE_STRING);
+           $excl = str_replace(' ', '', $excl);
+           if ( !empty($excl) && $fw_conf["excl-devices"] != $excl ) {
+               $status->addMessage(_('Exclude devices '. $excl), 'success');
+               $fw_conf["excl-devices"] = $excl;
+           }
+        }
        WriteFirewallConf($fw_conf);
        configureFirewall();
    }
    echo renderTemplate("firewall", compact(
                "status",
                "ap_device",
-                "clients",
+                "str_clients",
                "fw_conf",
                "ipt_rules")
    );
--- a/templates/firewall.php
+++ b/templates/firewall.php
@@ -18,10 +18,9 @@
        <?php endif ?>
        <div class="row">
          <div class="col-md-6">
-            <p class="mr-2"><small><?php echo _("The default firewall will allow only outgoing and already established traffic. No UDP traffic is allowed.") ?></small></p>
+            <p class="mr-2"><small><?php echo _("The default firewall will allow only outgoing and already established traffic. No UDP traffic is allowed. There are no restrictions for the access point.") ?></small></p>
          </div>
        </div>
-
        <form id="frm-firewall" action="firewall_conf" method="POST" >
          <?php echo CSRFTokenFieldTag(); ?>
          <h5><?php echo _("Exceptions for Services"); ?></h4>
@@ -40,6 +39,16 @@
                </p>
            </div>
          </div>
+          <h5><?php echo _("Exclusions from the firewall"); ?></h4>
+          <div class="row">
+            <div class="form-group col-md-6">
+                <label for="excl-device"><?php echo _("Exclude device(s)") ?></label>
+                <input class="form-control" id="excl-devices" type="text" name="excl-devices" value="<?php echo $fw_conf["excl-devices"] ?>" aria-describedby="exclusion-description"  >
+                <p class="mb-0" id="exclusion-description">
+                    <small><?php echo _("Exclude the given network device(s) (separated by a comma) from firewall rules.<br>Current client devices: <code>$str_clients</code><br>The access point <code>". $ap_device ."</code> is per default excluded.") ?></small>
+                </p>
+            </div>
+          </div>
          <?php if ($fw_conf["firewall-enable"]) : ?>
              <input type="submit" class="btn btn-outline btn-primary" value="<?php echo _("Apply changes"); ?>" name="apply-firewall" />
              <input type="submit" class="btn btn-warning firewall-apply" value="<?php echo _("Disable Firewall") ?>"  name="firewall-disable" data-toggle="modal" data-target="#firewallModal"/>