From ab2485c063e6a500abc8eccecf0bb579be5d2b3d Mon Sep 17 00:00:00 2001
From: Timotej Lazar <timotej.lazar@fri.uni-lj.si>
Date: Wed, 27 Mar 2024 11:28:21 +0100
Subject: [PATCH 01/10] Unlicense

---
 LICENSE   |  1 +
 UNLICENSE | 24 ++++++++++++++++++++++++
 2 files changed, 25 insertions(+)
 create mode 120000 LICENSE
 create mode 100644 UNLICENSE

diff --git a/LICENSE b/LICENSE
new file mode 120000
index 0000000..4761def
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1 @@
+UNLICENSE
\ No newline at end of file
diff --git a/UNLICENSE b/UNLICENSE
new file mode 100644
index 0000000..68a49da
--- /dev/null
+++ b/UNLICENSE
@@ -0,0 +1,24 @@
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to <http://unlicense.org/>

From d33fec65a2c5dfe8bc009e587b1d8ace177762dc Mon Sep 17 00:00:00 2001
From: Timotej Lazar <timotej.lazar@fri.uni-lj.si>
Date: Mon, 22 Apr 2024 10:43:50 +0200
Subject: [PATCH 02/10] system: support LDAP queries with no user_group set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Though it might be better to allow multiple groups. On the other hand
the main filter is in the group→ipset settings file anyway; any VPN
user not in one of those groups will not get forwarded to anywhere.
---
 web/system.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/web/system.py b/web/system.py
index 8d2d699..75d77c4 100644
--- a/web/system.py
+++ b/web/system.py
@@ -68,10 +68,18 @@ def save_config():
         user_networks = collections.defaultdict(set)
         ldap = ldap3.Connection(ldap3.Server(settings.get('ldap_host'), use_ssl=True),
                 settings.get('ldap_user'), settings.get('ldap_pass'), auto_bind=True)
+
+        # All of these must match to consider an LDAP object.
+        ldap_query = [
+            '(objectClass=user)', # only users
+            '(objectCategory=person)', # that are people
+            '(!(userAccountControl:1.2.840.113556.1.4.803:=2))', # with enabled accounts
+        ]
+        if group := settings.get('user_group'):
+            ldap_query += [f'(memberOf:1.2.840.113556.1.4.1941:={group})'] # in given group, recursively
+
         ldap.search(settings.get('ldap_base_dn', ''),
-                    '(&(objectClass=user)(objectCategory=person)' + # only people
-                    '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' + # with enabled accounts
-                    f'(memberOf:1.2.840.113556.1.4.1941:={settings.get("user_group", "")}))', # in given group, recursively
+                    f'(&{"".join(ldap_query)})', # conjuction (&(…)(…)(…)) of queries
                     attributes=['userPrincipalName', 'memberOf'])
         for entry in ldap.entries:
             for group in entry.memberOf:

From 880c6b41403cc489256c94aeb6d7c74388568840 Mon Sep 17 00:00:00 2001
From: Timotej Lazar <timotej.lazar@fri.uni-lj.si>
Date: Tue, 23 Apr 2024 12:38:32 +0200
Subject: [PATCH 03/10] friwall: tweak instructions

For no particularly good reason.
---
 web/templates/vpn/index.html | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/web/templates/vpn/index.html b/web/templates/vpn/index.html
index a65bdad..f1291c6 100644
--- a/web/templates/vpn/index.html
+++ b/web/templates/vpn/index.html
@@ -19,7 +19,10 @@ Zaženite WireGuard, izberite <em>Scan from QR code</em> in skenirajte kodo, pri
 <details>
 <summary>Linux / BSD</summary>
 <p>
-Nastavitve shranite (kot skrbnik) v <code>/etc/wireguard/wg-fri.conf</code>. VPN nato (de)aktivirate s <code>sudo wg-quick up wg-fri</code> oz. <code>sudo wg-quick down wg-fri</code>. Povezavo lahko uvozite tudi v <a href="https://www.xmodulo.com/wireguard-vpn-network-manager-gui.html">NetworkManager</a> ali podobno.
+Nastavitve shranite (kot skrbnik) v <code>/etc/wireguard/wg-fri.conf</code>. VPN nato (de)aktivirate s <code>sudo wg-quick up wg-fri</code> oz. <code>sudo wg-quick down wg-fri</code>.
+
+<p>
+Povezavo lahko uvozite tudi v NetworkManager z ukazom <code>nmcli connection import type wireguard file wg-fri.conf</code>.
 </details>
 
 <section id="new-key">
@@ -27,21 +30,23 @@ Nastavitve shranite (kot skrbnik) v <code>/etc/wireguard/wg-fri.conf</code>. VPN
 
 <form id="request">
 <p>
-Vnesite poljubno oznako in kliknite <em>Ustvari ključ</em>. Če vklopite prvo opcijo, bo vaš računalnik čez VPN usmeril ves mrežni promet, ne le tistega, ki je namenjen strežnikom na FRI. Če izklopite drugo opcijo, bodo nekatere storitve dostopne le prek naslova IP. Če ste v dvomih, pustite privzete nastavitve.
+Za vsako napravo, ki jo želite povezati v omrežje FRI, ustvarite nov ključ.
 
 <p>
 <label for="name">Ime naprave</label><br>
 <input id="name" name="name" pattern="[.-_A-Za-z0-9 ]*" maxlength="16" placeholder="A-Z a-z 0-9 . _ - " />
+<button id="submit" type="submit">Ustvari ključ</button>
 <p>
 <input type="checkbox" id="add_default" name="add_default" />
 <label for="add_default">Uporabi VPN za ves promet</label>
 <br>
 <input type="checkbox" id="use_dns" name="use_dns" checked />
 <label for="use_dns">Uporabi imenske strežnike FRI</label>
-<p>
-<button id="submit" type="submit">Ustvari ključ</button>
 </form>
 
+<p>
+Privzete nastavitve čez VPN usmerijo le promet, namenjen strežnikom na FRI in UL. Če vklopite prvo opcijo, bo vaš računalnik čez VPN usmeril ves promet. Če izklopite drugo opcijo, bodo nekateri strežniki dostopni le prek naslova IP. Če ste v dvomih, pustite privzete nastavitve. Podrobnejše informacije so v <a href="https://doku.fri.uni-lj.si/vpn#nastavitve">dokumentaciji</a>.
+
 <section id="settings" style="display: none;">
 <p>
 Nastavitve za povezavo so izpisane spodaj. Zasebni ključ varujte enako skrbno kot geslo, s katerim ste se prijavili; priporočena je raba šifriranega diska. Za nov ključ osvežite to stran.
@@ -59,7 +64,7 @@ V nastavitvah lahko dodate ali odstranite vnose <code>AllowedIPs</code>. Ti dolo
 <section class="keys" style="display: none;">
 <h1>Obstoječi ključi</h1>
 <p>
-Za vsako napravo ustvarite nov ključ. Ključe, ki jih ne uporabljate, lahko tukaj odstranite. Trenutno so registrirani ključi:
+Ključe, ki jih ne uporabljate, lahko tukaj odstranite. Trenutno so registrirani ključi:
 <ul class="keys" style="list-style: none;"></ul>
 <p class="keys" id="active-key-warning" style="margin-top: 0;">
 </section>

From 2ebc87f308e37ea5193bf8d4c5f3e70b4008ac21 Mon Sep 17 00:00:00 2001
From: Timotej Lazar <timotej.lazar@fri.uni-lj.si>
Date: Wed, 24 Apr 2024 10:29:49 +0200
Subject: [PATCH 04/10] firewall: tweak instructions some more

---
 web/templates/vpn/index.html | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/web/templates/vpn/index.html b/web/templates/vpn/index.html
index f1291c6..0b51aef 100644
--- a/web/templates/vpn/index.html
+++ b/web/templates/vpn/index.html
@@ -2,18 +2,24 @@
 
 {% block content %}
 <p>
-Za oddeljano povezavo v omrežje FRI namestite <a href="https://www.wireguard.com/install/">WireGuard</a>, ustvarite ključ in sledite napotkom za posamezni sistem.
+Za VPN oziroma oddeljano povezavo v omrežje FRI uporabljamo <a href="https://wireguard.com">WireGuard</a>. Več informacij o uporabi in nastavitvah VPN najdete v <a href="https://doku.fri.uni-lj.si/vpn">dokumentaciji</a>.
+
+<p>
+Za priklop v omrežje spodaj ustvarite nov ključ in prenesite izpisano datoteko. Nato sledite napotkom za posamezni sistem.
 
 <details>
 <summary>Windows / Mac</summary>
 <p>
-Zaženite WireGuard, kliknite <em>Import tunnel(s) from file</em> in izberite preneseno datoteko z nastavitvami. VPN nato (de)aktivirate s klikom na gumb <em>(De)activate</em>.
+Namestite in zaženite WireGuard za <a href="https://download.wireguard.com/windows-client/wireguard-installer.exe">Windows</a> ali <a href="https://itunes.apple.com/us/app/wireguard/id1451685025?ls=1&mt=12">Mac</a>. Kliknite <em>Import tunnel(s) from file</em> in izberite preneseno datoteko z nastavitvami <code>wg-fri.conf</code>. VPN nato aktivirate oziroma deaktivirate s klikom na gumb <em>(De)activate</em>.
 </details>
 
 <details>
 <summary>Android / iOS</summary>
 <p>
-Zaženite WireGuard, izberite <em>Scan from QR code</em> in skenirajte kodo, prikazano ob izdelavi novega ključa.
+Namestite WireGuard za <a href="https://play.google.com/store/apps/details?id=com.wireguard.android">Android</a> ali <a href="https://itunes.apple.com/us/app/wireguard/id1441195209?ls=1&mt=8">iOS</a>. Zaženite WireGuard, dodajte novo povezavo z <em>Import from file</em> in izberite preneseno datoteko z nastavitvami.
+
+<p>
+Ključ lahko ustvarite tudi na računalniku in ga v telefon dodate s <em>Scan from QR code</em> s kodo, prikazano ob novem ključu.
 </details>
 
 <details>
@@ -30,7 +36,7 @@ Povezavo lahko uvozite tudi v NetworkManager z ukazom <code>nmcli connection imp
 
 <form id="request">
 <p>
-Za vsako napravo, ki jo želite povezati v omrežje FRI, ustvarite nov ključ.
+Na vsaki napravi, ki jo želite povezati v omrežje FRI, ustvarite nov ključ. Privzete nastavitve usmerijo čez VPN le promet, namenjen strežnikom na FRI in UL.
 
 <p>
 <label for="name">Ime naprave</label><br>
@@ -45,7 +51,7 @@ Za vsako napravo, ki jo želite povezati v omrežje FRI, ustvarite nov ključ.
 </form>
 
 <p>
-Privzete nastavitve čez VPN usmerijo le promet, namenjen strežnikom na FRI in UL. Če vklopite prvo opcijo, bo vaš računalnik čez VPN usmeril ves promet. Če izklopite drugo opcijo, bodo nekateri strežniki dostopni le prek naslova IP. Če ste v dvomih, pustite privzete nastavitve. Podrobnejše informacije so v <a href="https://doku.fri.uni-lj.si/vpn#nastavitve">dokumentaciji</a>.
+Če vklopite prvo opcijo, bo vaš računalnik čez VPN usmerjal ves promet. Če izklopite drugo opcijo, bodo nekateri strežniki dostopni le prek naslova IP. Če ste v dvomih, pustite privzete nastavitve.
 
 <section id="settings" style="display: none;">
 <p>

From f8d71b7b065e0f3a5341bd511a94e8960f2bef8f Mon Sep 17 00:00:00 2001
From: Timotej Lazar <timotej.lazar@fri.uni-lj.si>
Date: Thu, 25 Apr 2024 12:20:51 +0200
Subject: [PATCH 05/10] vpn: fix key name regex

---
 web/templates/vpn/index.html | 2 +-
 web/vpn.py                   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/web/templates/vpn/index.html b/web/templates/vpn/index.html
index 0b51aef..5002f01 100644
--- a/web/templates/vpn/index.html
+++ b/web/templates/vpn/index.html
@@ -40,7 +40,7 @@ Na vsaki napravi, ki jo želite povezati v omrežje FRI, ustvarite nov ključ. P
 
 <p>
 <label for="name">Ime naprave</label><br>
-<input id="name" name="name" pattern="[.-_A-Za-z0-9 ]*" maxlength="16" placeholder="A-Z a-z 0-9 . _ - " />
+<input id="name" name="name" pattern="[-._A-Za-z0-9 ]*" maxlength="16" placeholder="A-Z a-z 0-9 . _ - " />
 <button id="submit" type="submit">Ustvari ključ</button>
 <p>
 <input type="checkbox" id="add_default" name="add_default" />
diff --git a/web/vpn.py b/web/vpn.py
index 8a5b818..bb09540 100644
--- a/web/vpn.py
+++ b/web/vpn.py
@@ -63,7 +63,7 @@ def new():
         else:
             return flask.Response('no more available IP addresses', status=500, mimetype='text/plain')
         now = datetime.datetime.utcnow()
-        name = re.sub('[^\w ]', '', flask.request.json.get('name', ''))
+        name = re.sub('[^-._A-Za-z0-9]', '', flask.request.json.get('name', ''))
 
         keys[str(ip)] = {
             'key': pubkey,

From cac76585669d7f7e1bc6fabc154163caa0ab9b68 Mon Sep 17 00:00:00 2001
From: Timotej Lazar <timotej.lazar@fri.uni-lj.si>
Date: Tue, 30 Apr 2024 09:38:14 +0200
Subject: [PATCH 06/10] Fix handling default settings

If a setting has ben set to empty string, dict.get will return it and
not default argument. This is wrong when default is something else.
---
 web/system.py | 4 ++--
 web/vpn.py    | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/web/system.py b/web/system.py
index 75d77c4..8347718 100644
--- a/web/system.py
+++ b/web/system.py
@@ -90,7 +90,7 @@ def save_config():
         # config files, then increment version before unlocking.
         with db.locked():
             settings = db.read('settings')
-            version = settings['version'] = int(settings.get('version', 0)) + 1
+            version = settings['version'] = int(settings.get('version') or '0') + 1
 
             # Populate IP sets.
             ipsets = collections.defaultdict(set)
@@ -155,7 +155,7 @@ def save_config():
             # Print wireguard config.
             with open(output / 'etc/wireguard/wg.conf', 'w', encoding='utf-8') as f:
                 f.write(wg_intf.format(
-                    port=settings.get('wg_port', 51820),
+                    port=settings.get('wg_port') or 51820,
                     key=settings.get('wg_key')))
                 for ip, data in wireguard.items():
                     f.write(wg_peer.format(
diff --git a/web/vpn.py b/web/vpn.py
index bb09540..ce82fe4 100644
--- a/web/vpn.py
+++ b/web/vpn.py
@@ -50,7 +50,7 @@ def new():
     server_pubkey = subprocess.run([f'wg pubkey'], input=settings.get('wg_key'),
             text=True, capture_output=True, shell=True).stdout.strip()
 
-    host = ipaddress.ip_interface(settings.get('wg_net', '10.0.0.1/24'))
+    host = ipaddress.ip_interface(settings.get('wg_net') or '10.0.0.1/24')
     ip6 = None
     with db.locked():
         # Find a free address for the new key.
@@ -80,7 +80,7 @@ def new():
     # Template arguments.
     args = {
         'server': settings.get('wg_endpoint'),
-        'port': settings.get('wg_port', '51820'),
+        'port': settings.get('wg_port') or '51820',
         'server_key': server_pubkey,
         'pubkey': pubkey,
         'ip': str(ip),
@@ -88,7 +88,7 @@ def new():
         'timestamp': now,
         'name': name,
         'dns': settings.get('wg_dns') if flask.request.json.get('use_dns', True) else False,
-        'allowed_nets': settings.get('wg_allowed_nets', []),
+        'allowed_nets': settings.get('wg_allowed_nets', ''),
         'add_default': flask.request.json.get('add_default', False),
     }
     return flask.render_template('vpn/wg-fri.conf', **args)

From d123db4e645f351d9a9b37c482fd5979256d3286 Mon Sep 17 00:00:00 2001
From: Timotej Lazar <timotej.lazar@fri.uni-lj.si>
Date: Tue, 30 Apr 2024 15:13:50 +0200
Subject: [PATCH 07/10] Consolidate NAT and VPN settings into IP sets

I have tried every possible permutation and I think this is the one.

NetBox-managed IP prefixes are pushed with ansible to firewall master.
The managed prefixes are added to custom IP sets defined in the app,
but only NAT addresses and VPN groups can be configured for them.

This way all NAT and VPN policy is (again) configured in the app. Also
both NetBox-managed and user-defined networks are treated the same.

Also improve^Wtweak config generation. Also templates.
---
 web/__init__.py                 |   3 -
 web/ipsets.py                   |  29 ++++---
 web/nat.py                      |  26 ------
 web/rules.py                    |   2 -
 web/system.py                   | 147 ++++++++++++++++----------------
 web/templates/base.html         |   8 ++
 web/templates/index.html        |  12 +--
 web/templates/ipsets/index.html |  35 +++++---
 web/templates/nat/index.html    |  19 -----
 web/templates/rules/edit.html   |  35 ++++++--
 10 files changed, 154 insertions(+), 162 deletions(-)
 delete mode 100644 web/nat.py
 delete mode 100644 web/templates/nat/index.html

diff --git a/web/__init__.py b/web/__init__.py
index afc1256..92da140 100644
--- a/web/__init__.py
+++ b/web/__init__.py
@@ -54,9 +54,6 @@ def create_app(test_config=None):
     from . import ipsets
     app.register_blueprint(ipsets.blueprint, url_prefix='/ipsets')
 
-    from . import nat
-    app.register_blueprint(nat.blueprint, url_prefix='/nat')
-
     from . import rules
     app.register_blueprint(rules.blueprint, url_prefix='/rules')
 
diff --git a/web/ipsets.py b/web/ipsets.py
index 63f8c04..203a78e 100644
--- a/web/ipsets.py
+++ b/web/ipsets.py
@@ -15,18 +15,27 @@ def index():
         return flask.Response('forbidden', status=403, mimetype='text/plain')
 
     with db.locked():
-        ipsets = db.read('ipsets')
-        networks = db.read('networks')
         if flask.request.method == 'POST':
-            form = flask.request.form
-            ipsets = {}
-            for name, ip, ip6 in zip(form.getlist('name'), form.getlist('ip'), form.getlist('ip6')):
-                if name and name not in networks:
-                    ipsets[name] = {
-                        'ip': ip.split(),
-                        'ip6': ip6.split()
-                    }
+            # read network data from NetBox, merge in custom definitions and dump the lot
+            ipsets = db.read('networks')
+            formdata = zip(*(flask.request.form.getlist(e) for e in ('name', 'ip', 'ip6', 'nat', 'vpn')))
+            for name, ip, ip6, nat, vpn in formdata:
+                # drop sets with empty names
+                if not name:
+                    continue
+                # assign IPs for custom networks only
+                if name not in ipsets:
+                    ipsets[name] = { 'ip': ip.split(), 'ip6': ip6.split() }
+                # assign NAT and VPN for all networks
+                ipsets[name] |= { 'nat': nat, 'vpn': vpn }
             db.write('ipsets', ipsets)
             system.run(system.save_config)
             return flask.redirect(flask.url_for('ipsets.index'))
+
+        # read network data from NetBox and merge in custom definitions
+        ipsets = db.read('networks')
+        for name, data in db.read('ipsets').items():
+            # keep static IPs if there are any, otherwise set custom flag for this set
+            ipsets[name] = data | ipsets.get(name, {'custom': True})
+
         return flask.render_template('ipsets/index.html', ipsets=ipsets)
diff --git a/web/nat.py b/web/nat.py
deleted file mode 100644
index 3172125..0000000
--- a/web/nat.py
+++ /dev/null
@@ -1,26 +0,0 @@
-import flask
-import flask_login
-
-from . import db
-from . import system
-
-blueprint = flask.Blueprint('nat', __name__)
-
-@blueprint.route('/', methods=('GET', 'POST'))
-@flask_login.login_required
-def index():
-    if not flask_login.current_user.is_admin:
-        return flask.Response('forbidden', status=403, mimetype='text/plain')
-
-    with db.locked():
-        nat = { network: "" for network in db.read('networks') }
-        nat |= db.read('nat')
-        if flask.request.method == 'POST':
-            form = flask.request.form
-            for network, address in form.items():
-                if network in nat:
-                    nat[network] = address
-            db.write('nat', nat)
-            system.run(system.save_config)
-            return flask.redirect(flask.url_for('nat.index'))
-        return flask.render_template('nat/index.html', nat=nat)
diff --git a/web/rules.py b/web/rules.py
index 04cecb4..bc52edb 100644
--- a/web/rules.py
+++ b/web/rules.py
@@ -46,8 +46,6 @@ def edit(index):
 
         with db.locked():
             ipsets = db.read('ipsets')
-            for network, data in db.read('networks').items():
-                ipsets[network] = {'ip': data.get('ip', []), 'ip6': data.get('ip6', [])}
         return flask.render_template('rules/edit.html', index=index, rule=db.load('rules')[index], ipsets=ipsets)
     except IndexError as e:
         return flask.Response(f'invalid rule: {index}', status=400, mimetype='text/plain')
diff --git a/web/system.py b/web/system.py
index 8347718..08c0318 100644
--- a/web/system.py
+++ b/web/system.py
@@ -19,6 +19,10 @@ import ldap3
 
 from . import db
 
+def init_app(app):
+    app.cli.add_command(generate)
+    app.cli.add_command(push)
+
 def mail(rcpt, subject, body):
     try:
         msg = email.message.EmailMessage()
@@ -31,10 +35,6 @@ def mail(rcpt, subject, body):
     except Exception as e:
         syslog.syslog(f'error sending mail: {e}')
 
-def init_app(app):
-    app.cli.add_command(generate)
-    app.cli.add_command(push)
-
 def run(fun, args=()):
     def task():
         if os.fork() == 0:
@@ -42,73 +42,52 @@ def run(fun, args=()):
             fun(*args)
     multiprocessing.Process(target=task).start()
 
-def ipset_add(ipsets, name, ip=None, ip6=None):
-    ipsets[name].update(ip or ())
-    ipsets[f'{name}/6'].update(ip6 or ())
-
+# Generate configuration files and create a config tarball.
 def save_config():
-    # Format strings for creating firewall config files.
-    nft_set = 'set {name} {{\n    type ipv{family}_addr; flags interval; {elements}\n}}\n\n'
-    nft_map = 'map {name} {{\n    type ipv4_addr : interval ipv4_addr; flags interval; {elements}\n}}\n\n'
-    nft_forward = '# {index}. {name}\n{text}\n\n'
-    wg_intf = '[Interface]\nListenPort = {port}\nPrivateKey = {key}\n\n'
-    wg_peer = '# {user}\n[Peer]\nPublicKey = {key}\nAllowedIPs = {ips}\n\n'
-
     output = None
     try:
-        # Just load the settings here but keep the database unlocked
+        # Just load required settings here but keep the database unlocked
         # while we load group memberships from LDAP.
         with db.locked():
+            ipsets = db.read('ipsets')
             settings = db.read('settings')
-            groups = db.read('groups')
 
-        # For each user build a list of networks they have access to, based on
-        # group membership in AD. Only query groups associated with at least one
-        # network, and query each group only once.
-        user_networks = collections.defaultdict(set)
-        ldap = ldap3.Connection(ldap3.Server(settings.get('ldap_host'), use_ssl=True),
-                settings.get('ldap_user'), settings.get('ldap_pass'), auto_bind=True)
-
-        # All of these must match to consider an LDAP object.
-        ldap_query = [
+        # Build LDAP query for users and groups.
+        filters = [
             '(objectClass=user)', # only users
             '(objectCategory=person)', # that are people
             '(!(userAccountControl:1.2.840.113556.1.4.803:=2))', # with enabled accounts
         ]
         if group := settings.get('user_group'):
-            ldap_query += [f'(memberOf:1.2.840.113556.1.4.1941:={group})'] # in given group, recursively
+            filters += [f'(memberOf:1.2.840.113556.1.4.1941:={group})'] # in given group, recursively
 
+        # Run query and store group membership data.
+        server = ldap3.Server(settings['ldap_host'], use_ssl=True)
+        ldap = ldap3.Connection(server, settings['ldap_user'], settings['ldap_pass'], auto_bind=True)
         ldap.search(settings.get('ldap_base_dn', ''),
-                    f'(&{"".join(ldap_query)})', # conjuction (&(…)(…)(…)) of queries
-                    attributes=['userPrincipalName', 'memberOf'])
-        for entry in ldap.entries:
-            for group in entry.memberOf:
-                if group in groups:
-                    user_networks[entry.userPrincipalName.value].add(groups[group])
+                f'(&{"".join(filters)})', # conjuction (&(…)(…)(…)) of queries
+                attributes=['userPrincipalName', 'memberOf'])
+        user_groups = { e.userPrincipalName.value: set(e.memberOf) for e in ldap.entries }
 
-        # Now read the settings again and lock the database while generating
-        # config files, then increment version before unlocking.
+        # Now read the settings again while keeping the database locked until
+        # config files are generated, and increment version before unlocking.
         with db.locked():
+            ipsets = db.read('ipsets')
+            wireguard = db.read('wireguard')
             settings = db.read('settings')
             version = settings['version'] = int(settings.get('version') or '0') + 1
 
-            # Populate IP sets.
-            ipsets = collections.defaultdict(set)
-            # Sets corresponding to VLANs in NetBox. Prefixes for these sets are configured on firewall nodes with ansible.
-            for name, network in db.read('networks').items():
-                ipset_add(ipsets, name)
-            # Sets defined by user in friwall app.
-            for name, network in db.read('ipsets').items():
-                ipset_add(ipsets, name, network.get('ip'), network.get('ip6'))
-
-            # Add registered VPN addresses for each network based on
-            # LDAP group membership.
-            wireguard = db.read('wireguard')
+            # Update IP sets with VPN addresses based on AD group membership.
+            vpn_groups = set([e['vpn'] for e in ipsets.values() if e.get('vpn')])
+            group_networks = {
+                group: [name for name, data in ipsets.items() if data['vpn'] == group] for group in vpn_groups
+            }
             for ip, key in wireguard.items():
-                ip4 = [f'{ip}/32']
-                ip6 = [f'{key["ip6"]}'] if key.get('ip6') else None
-                for network in user_networks.get(key.get('user', ''), ()):
-                    ipset_add(ipsets, network, ip4, ip6)
+                for group in user_groups.get(key.get('user', ''), ()):
+                    for network in group_networks.get(group, ()):
+                        ipsets[network]['ip'].append(f'{ip}/32')
+                        if ip6 := key.get('ip6'):
+                            ipsets[network]['ip6'].append(ip6)
 
             # Create config files.
             output = pathlib.Path.home() / 'config' / f'{version}'
@@ -122,51 +101,69 @@ def save_config():
 
             # Print nftables sets.
             with open(output / 'etc/nftables.d/sets.nft', 'w', encoding='utf-8') as f:
-                for name, ips in ipsets.items():
-                    f.write(nft_set.format(
-                        name=name,
-                        family='6' if name.endswith('/6') else '4',
-                        elements=f'{"" if ips else "# "}elements = {{ {", ".join(ips)} }}'))
+                nft_set = 'set {name} {{\n    type ipv4_addr; flags interval; {ips}\n}}\n'
+                nft_set6 = 'set {name}/6 {{\n    type ipv6_addr; flags interval; {ips}\n}}\n'
+                def make_set(ips):
+                    # return "elements = { ip1, ip2, … }", prefixed with "# " if no ips
+                    return f'{"" if ips else "# "}elements = {{ {", ".join(ips)} }}'
+                for name, data in ipsets.items():
+                    f.write(nft_set.format(name=name, ips=make_set(data.get('ip', ()))))
+                    f.write(nft_set6.format(name=name, ips=make_set(data.get('ip6', ()))))
+                    f.write('\n')
 
             # Print static NAT (1:1) rules.
             with open(output / 'etc/nftables.d/netmap.nft', 'w', encoding='utf-8') as f:
-                netmap = db.read('netmap') # { private range: public range… }
-                if netmap:
-                    f.write(nft_map.format(
-                        name='netmap-out',
-                        elements='elements = {' + ',\n'.join(f'{a}: {b}' for a, b in netmap.items()) + '}'))
-                    f.write(nft_map.format(
-                        name='netmap-in',
-                        elements='elements = {' + ',\n'.join(f'{b}: {a}' for a, b in netmap.items()) + '}'))
+                nft_map = 'map {name} {{\n    type ipv4_addr : interval ipv4_addr; flags interval; elements = {{\n{ips}\n    }}\n}}\n'
+                def make_map(ips, reverse=False):
+                    # return "{ from1: to1, from2: to2, … }" with possibly reversed from and to
+                    return ',\n'.join(f"{b if reverse else a}: {a if reverse else b}" for a, b in ips)
+                if netmap := db.read('netmap'): # { private range: public range… }
+                    f.write(nft_map.format(name='netmap-out', ips=make_map(netmap.items())))
+                    f.write('\n')
+                    f.write(nft_map.format(name='netmap-in', ips=make_map(netmap.items(), reverse=True)))
 
             # Print dynamic NAT rules.
             with open(output / 'etc/nftables.d/nat.nft', 'w', encoding='utf-8') as f:
-                nat = db.read('nat') # { network name: public range… }
-                for network, address in nat.items():
-                    if address:
-                        f.write(f'iif @inside oif @outside ip saddr @{network} snat to {address}\n')
+                nft_nat = 'iif @inside oif @outside ip saddr @{name} snat to {nat}\n'
+                for name, data in ipsets.items():
+                    if nat := data.get('nat'):
+                        f.write(nft_nat.format(name=name, nat=nat))
 
             # Print forwarding rules.
             with open(output / 'etc/nftables.d/forward.nft', 'w', encoding='utf-8') as f:
+                # Forwarding rules for VPN users.
+                if vpn_networks := sorted(name for name, data in ipsets.items() if data.get('vpn')):
+                    nft_forward = 'iif @inside oif @inside ip saddr @{name} ip daddr @{name} accept\n'
+                    f.write('# forward from the VPN interface to physical networks and back\n')
+                    for name in vpn_networks:
+                        f.write(nft_forward.format(name=name))
+                    for name in vpn_networks:
+                        f.write(nft_forward.format(name=f'{name}/6'))
+                    f.write('\n')
+
+                # Custom forwarding rules.
+                nft_rule = '# {index}. {name}\n{text}\n\n'
                 for index, rule in enumerate(db.read('rules')):
                     if rule.get('enabled') and rule.get('text'):
-                        f.write(nft_forward.format(index=index, name=rule.get('name', ''), text=rule['text']))
+                        f.write(nft_rule.format(index=index, name=rule.get('name', ''), text=rule['text']))
 
             # Print wireguard config.
             with open(output / 'etc/wireguard/wg.conf', 'w', encoding='utf-8') as f:
-                f.write(wg_intf.format(
-                    port=settings.get('wg_port') or 51820,
-                    key=settings.get('wg_key')))
+                # Server configuration.
+                wg_intf = '[Interface]\nListenPort = {port}\nPrivateKey = {key}\n\n'
+                f.write(wg_intf.format(port=settings.get('wg_port') or 51820, key=settings.get('wg_key')))
+
+                # Client configuration.
+                wg_peer = '# {user}\n[Peer]\nPublicKey = {key}\nAllowedIPs = {ips}\n\n'
                 for ip, data in wireguard.items():
                     f.write(wg_peer.format(
                         user=data.get('user'),
                         key=data.get('key'),
                         ips=', '.join(filter(None, [ip, data.get('ip6')]))))
 
-            # Make a config archive in a temporary place, so we don’t send incomplete tars.
+            # Make a temporary config archive and move it to the final location,
+            # so we avoid sending incomplete tars.
             tar_file = shutil.make_archive(f'{output}-tmp', 'gztar', root_dir=output, owner='root', group='root')
-
-            # Move config archive to the final destination.
             os.rename(tar_file, f'{output}.tar.gz')
 
             # If we get here, write settings with the new version.
diff --git a/web/templates/base.html b/web/templates/base.html
index 2da3f8f..911c0a4 100644
--- a/web/templates/base.html
+++ b/web/templates/base.html
@@ -27,6 +27,9 @@ h1 > a {
     color: unset;
     text-decoration: none;
 }
+input:read-only {
+    border-style: dotted;
+}
 pre {
     background-color: #eeeeee;
     border: 1px solid black;
@@ -39,6 +42,9 @@ th {
 th, td {
     padding-right: 1em;
 }
+th {
+    border-bottom: 1px solid black;
+}
 ul.keys {
     margin: 0 0.5em 0.5em;
     padding-left: 1em;
@@ -48,6 +54,8 @@ ul.keys a {
 }
 </style>
 
+{% block header %}{% endblock %}
+
 <title>FRIwall</title>
 
 {% if current_user.is_authenticated %}
diff --git a/web/templates/index.html b/web/templates/index.html
index 27b8375..8fd1a84 100644
--- a/web/templates/index.html
+++ b/web/templates/index.html
@@ -14,18 +14,14 @@
 <dl>
 <dt><a href="{{ url_for('nodes') }}">Status</a>
 <dd>status opek v požarnem zidu
-<dt><a href="{{ url_for('config.index') }}">Nastavitve</a>
-<dd>nastavitve aplikacije FRIwall
-<dt><a href="{{ url_for('ipsets.index') }}">Območja IP</a>
-<dd>definicije območij IP
+<dt><a href="{{ url_for('ipsets.index') }}">Omrežja</a>
+<dd>območja IP, naslovi NAT in skupine za VPN
 <dt><a href="{{ url_for('rules.index') }}">Urejanje pravil</a>
 <dd>pravila za posredovanje prometa
-<dt><a href="{{ url_for('nat.index') }}">NAT</a>
-<dd>javni naslovi za pisarniška omrežja
 <dt><a href="{{ url_for('config.edit', name='netmap') }}">Netmap</a>
 <dd>statične 1:1 preslikave naslovov za strežniška omrežja
-<dt><a href="{{ url_for('config.edit', name='groups') }}">Skupine</a>
-<dd>preslikave uporabnikov LDAP v pisarniška omrežja
+<dt><a href="{{ url_for('config.index') }}">Nastavitve</a>
+<dd>nastavitve aplikacije FRIwall
 </dl>
 </section>
 {% endif %}
diff --git a/web/templates/ipsets/index.html b/web/templates/ipsets/index.html
index 6e80bad..44df071 100644
--- a/web/templates/ipsets/index.html
+++ b/web/templates/ipsets/index.html
@@ -1,25 +1,38 @@
 {% extends 'base.html' %}
+{% block header %}
+<style>
+td > input {
+    width: 100%;
+}
+</style>
+{% endblock %}
 
 {% block content %}
 <p>
-Urejate območja IP. Za vsako območje lahko dodate enega ali več obsegov IP in/ali IPv6, ločenih s presledki.
+Urejate naslovna območja. Za statična omrežja lahko določimo naslov NAT in skupino za VPN. Za lastna območja lahko poleg tega definiramo enega ali več obsegov IP, ločenih s presledki.
+
+<p>
+NAT se izvaja na območjih, kjer je nastavljen. Uporabniki VPN imajo glede na skupine v AD enake dostope kot območja, za katera so nastavljene te skupine.
 
 <form id="request" method="POST">
-<table>
+<table style="width: 100%;">
 <thead>
-<th>Ime<th>IP<th>IPv6
+<th>Ime<th>IP<th>IPv6<th>NAT<th>VPN
 <tbody>
-<tbody>
-{% for name, addresses in ipsets.items() %}
+{% for name, data in ipsets.items() %}
 <tr>
-<td><input name="name" value="{{ name }}" />
-<td><input name="ip" value="{{ addresses.ip|join(' ') }}" />
-<td><input name="ip6" value="{{ addresses.ip6|join(' ') }}" />
+<td style="max-width: 4em;"><input name="name" value="{{ name }}" {% if not data.custom %}readonly{% endif %} />
+<td style="max-width: 5em;"><input name="ip" value="{{ data.ip|join(' ') }}" {% if not data.custom %}readonly{% endif %} />
+<td style="max-width: 8em;"><input name="ip6" value="{{ data.ip6|join(' ') }}" {% if not data.custom %}readonly{% endif %} />
+<td style="max-width: 5em;"><input name="nat" value="{{ data.nat }}" />
+<td style=""><input name="vpn" value="{{ data.vpn }}" />
 {% endfor %}
 <tr>
-<td><input name="name" />
-<td><input name="ip" />
-<td><input name="ip6" />
+<td style="max-width: 4em;"><input name="name" />
+<td style="max-width: 5em;"><input name="ip" />
+<td style="max-width: 8em;"><input name="ip6" />
+<td style="max-width: 5em;"><input name="nat" />
+<td><input name="vpn" />
 </table>
 <p><button id="submit" type="submit">Shrani</button>
 </form>
diff --git a/web/templates/nat/index.html b/web/templates/nat/index.html
deleted file mode 100644
index 1c2244d..0000000
--- a/web/templates/nat/index.html
+++ /dev/null
@@ -1,19 +0,0 @@
-{% extends 'base.html' %}
-
-{% block content %}
-<p>
-Urejate naslove NAT za pisarniška omrežja.
-
-<form id="request" method="POST">
-<table>
-<tbody>
-{% for office, address in nat.items() %}
-<tr>
-<td><label for="{{ office }}">{{ office }}</label>
-<td><input id="{{ office }}" name="{{ office }}" value="{{ address }}" />
-{% endfor %}
-</table>
-<p><button id="submit" type="submit">Shrani</button>
-</form>
-
-{% endblock %}
diff --git a/web/templates/rules/edit.html b/web/templates/rules/edit.html
index 2e26e1e..dd57d9c 100644
--- a/web/templates/rules/edit.html
+++ b/web/templates/rules/edit.html
@@ -1,8 +1,18 @@
 {% extends 'base.html' %}
+{% block header %}
+<style>
+tbody > tr:nth-child(odd) {
+    background-color: #eeeeee;
+}
+td {
+    vertical-align: top;
+}
+</style>
+{% endblock %}
 
 {% block content %}
 <p>
-Urejate pravilo #{{ index }}. V pravilih lahko uporabljate imena območij IP, prikazana spodaj. <a href="{{ url_for('rules.index') }}">Seznam pravil.</a>
+Urejate pravilo #{{ index }}. <a href="{{ url_for('rules.index') }}">Seznam pravil.</a>
 
 <form id="request" method="POST">
 <p>
@@ -18,19 +28,28 @@ Uporabniki, ki lahko o(ne)mogočijo pravilo<br>
 
 <p>
 <label for="text">Pravila nftables</label>
-<textarea id="text" name="text" style="width: 100%; height: 20em;">{{ rule.text }}</textarea>
+<textarea id="text" name="text" style="width: 100%; height: 20em;" placeholder="iif @inside ip saddr @from ip daddr @to accept
iif @inside ip6 saddr @from/6 ip6 daddr @to/6 accept">
+{{- rule.text }}
+</textarea>
 <p><button id="submit" type="submit">Shrani</button>
 </form>
 
-<table>
+<p>
+V pravilih lahko uporabljamo spodnja območja IP, npr. <code>@pr5</code> in <code>@pr5/6</code> za območji IPv4 in IPv6 učilnice 5. Za notranja omrežja uporabimo vmesnik <code>@inside</code>, za zunanja pa vmesnik <code>@outside</code>. Primere z razlago najdemo v <a href="https://wiki.nftables.org">dokumentaciji nftables</a>.
+
+<table style="width: 100%;">
 <thead>
-<th>Območje<th>IP<th>IPv6
+<th>Omrežje
+<th>IP
+<th>IPv6
+<th>VPN
 <tbody>
-{% for network, addresses in ipsets.items() %}
+{% for name, data in ipsets.items() %}
 <tr>
-<td>{{ network }}
-<td>{{ addresses.ip|join('<br>')|safe }}
-<td>{{ addresses.ip6|join('<br>')|safe }}
+<td>{{ name }}
+<td>{{ data.ip|join('<br>')|safe }}
+<td>{{ data.ip6|join('<br>')|safe }}
+<td>{{ data.vpn }}
 {% endfor %}
 </table>
 

From 32af5a43c0fd717f036a57f84f383a8937085015 Mon Sep 17 00:00:00 2001
From: Timotej Lazar <timotej.lazar@fri.uni-lj.si>
Date: Thu, 2 May 2024 17:27:18 +0200
Subject: [PATCH 08/10] Oops, missed a six

---
 web/system.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/web/system.py b/web/system.py
index 08c0318..3bb66b9 100644
--- a/web/system.py
+++ b/web/system.py
@@ -134,11 +134,12 @@ def save_config():
                 # Forwarding rules for VPN users.
                 if vpn_networks := sorted(name for name, data in ipsets.items() if data.get('vpn')):
                     nft_forward = 'iif @inside oif @inside ip saddr @{name} ip daddr @{name} accept\n'
+                    nft_forward6 = 'iif @inside oif @inside ip6 saddr @{name}/6 ip6 daddr @{name}/6 accept\n'
                     f.write('# forward from the VPN interface to physical networks and back\n')
                     for name in vpn_networks:
                         f.write(nft_forward.format(name=name))
                     for name in vpn_networks:
-                        f.write(nft_forward.format(name=f'{name}/6'))
+                        f.write(nft_forward6.format(name=name))
                     f.write('\n')
 
                 # Custom forwarding rules.

From 0e9d1ce6f0c8a0edfcabdf4cbd24d3ecbbdad5a2 Mon Sep 17 00:00:00 2001
From: Timotej Lazar <timotej.lazar@fri.uni-lj.si>
Date: Thu, 2 May 2024 23:33:13 +0200
Subject: [PATCH 09/10] Add some words to templates

Also some tags. Also remove some other words and some other tags.
---
 web/templates/base.html         |  3 +--
 web/templates/index.html        |  2 +-
 web/templates/ipsets/index.html | 17 ++++++++++-------
 web/templates/rules/edit.html   | 29 ++++++++++++++++++++++-------
 web/templates/rules/index.html  |  6 ++++--
 web/templates/rules/manage.html |  8 ++++++++
 web/templates/vpn/index.html    |  8 ++++----
 7 files changed, 50 insertions(+), 23 deletions(-)

diff --git a/web/templates/base.html b/web/templates/base.html
index 911c0a4..add9ed1 100644
--- a/web/templates/base.html
+++ b/web/templates/base.html
@@ -32,9 +32,8 @@ input:read-only {
 }
 pre {
     background-color: #eeeeee;
-    border: 1px solid black;
+    border: 1px solid #cccccc;
     padding: 0.5em;
-    margin: 0;
 }
 th {
     text-align: left;
diff --git a/web/templates/index.html b/web/templates/index.html
index 8fd1a84..01320ba 100644
--- a/web/templates/index.html
+++ b/web/templates/index.html
@@ -16,7 +16,7 @@
 <dd>status opek v požarnem zidu
 <dt><a href="{{ url_for('ipsets.index') }}">Omrežja</a>
 <dd>območja IP, naslovi NAT in skupine za VPN
-<dt><a href="{{ url_for('rules.index') }}">Urejanje pravil</a>
+<dt><a href="{{ url_for('rules.index') }}">Pravila</a>
 <dd>pravila za posredovanje prometa
 <dt><a href="{{ url_for('config.edit', name='netmap') }}">Netmap</a>
 <dd>statične 1:1 preslikave naslovov za strežniška omrežja
diff --git a/web/templates/ipsets/index.html b/web/templates/ipsets/index.html
index 44df071..7164f87 100644
--- a/web/templates/ipsets/index.html
+++ b/web/templates/ipsets/index.html
@@ -9,15 +9,18 @@ td > input {
 
 {% block content %}
 <p>
-Urejate naslovna območja. Za statična omrežja lahko določimo naslov NAT in skupino za VPN. Za lastna območja lahko poleg tega definiramo enega ali več obsegov IP, ločenih s presledki.
+Urejate območja IP za <a href="{{ url_for('rules.index') }}">posredovalna pravila</a> na požarnem zidu.
 
 <p>
-NAT se izvaja na območjih, kjer je nastavljen. Uporabniki VPN imajo glede na skupine v AD enake dostope kot območja, za katera so nastavljene te skupine.
+NAT se izvaja za notranja omrežja, kjer je nastavljen. Če nastavimo skupino AD, bodo omrežju dodane naprave, ki so jih v VPN povezali uporabniki v tej skupini. Vse naprave v posameznem omrežju so dostopne med sabo in za njih veljajo ista posredovalna pravila.
+
+<p>
+Imen in naslovnih prostorov fizičnih omrežij ne moremo spreminjati. Za svoja omrežja lahko definiramo vsa polja. Omrežje odstranimo tako, da mu pobrišemo ime.
 
 <form id="request" method="POST">
 <table style="width: 100%;">
 <thead>
-<th>Ime<th>IP<th>IPv6<th>NAT<th>VPN
+<th>Omrežje<th>IP<th>IPv6<th>NAT<th>VPN
 <tbody>
 {% for name, data in ipsets.items() %}
 <tr>
@@ -28,11 +31,11 @@ NAT se izvaja na območjih, kjer je nastavljen. Uporabniki VPN imajo glede na sk
 <td style=""><input name="vpn" value="{{ data.vpn }}" />
 {% endfor %}
 <tr>
-<td style="max-width: 4em;"><input name="name" />
-<td style="max-width: 5em;"><input name="ip" />
-<td style="max-width: 8em;"><input name="ip6" />
+<td style="max-width: 4em;"><input name="name" placeholder="novo območje" />
+<td style="max-width: 5em;"><input name="ip" placeholder="10.0.0.0/8" />
+<td style="max-width: 8em;"><input name="ip6" placeholder="fc00:1::/64 fc00:2::/64" />
 <td style="max-width: 5em;"><input name="nat" />
-<td><input name="vpn" />
+<td><input name="vpn" placeholder="skupina v AD" />
 </table>
 <p><button id="submit" type="submit">Shrani</button>
 </form>
diff --git a/web/templates/rules/edit.html b/web/templates/rules/edit.html
index dd57d9c..36b487c 100644
--- a/web/templates/rules/edit.html
+++ b/web/templates/rules/edit.html
@@ -1,6 +1,11 @@
 {% extends 'base.html' %}
 {% block header %}
 <style>
+hr {
+    border-style: dotted;
+    border-color: gray;
+    border-width: 1px 0 0;
+}
 tbody > tr:nth-child(odd) {
     background-color: #eeeeee;
 }
@@ -12,30 +17,40 @@ td {
 
 {% block content %}
 <p>
-Urejate pravilo #{{ index }}. <a href="{{ url_for('rules.index') }}">Seznam pravil.</a>
-
+Urejate pravilo #{{ index }} (<a href="{{ url_for('rules.index') }}">seznam pravil</a>). Pravila so vključena v <a href="https://wiki.nftables.org">nftables</a> <em>filter chain</em> na požarnem zidu. Povzetek filtrov najdemo <a href="https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Matches">v dokumentaciji</a>.
 <form id="request" method="POST">
 <p>
 <label for="name">Ime</label><br>
-<input name="name" value="{{ rule.name }}" />
+<input id="name" name="name" value="{{ rule.name }}" />
 
 <p>
-Uporabniki, ki lahko o(ne)mogočijo pravilo<br>
+<label for="newmanager">Skupine, ki lahko o(ne)mogočijo pravilo</label>
+<br>
 {% for manager in rule.managers %}
 <input name="manager" type="text" style="width: 50%" value="{{ manager }}" /><br>
 {% endfor %}
-<input name="manager" type="text" style="width: 50%" value="" />
+<input id="newmanager" name="manager" type="text" style="width: 50%" value="" />
 
 <p>
 <label for="text">Pravila nftables</label>
-<textarea id="text" name="text" style="width: 100%; height: 20em;" placeholder="iif @inside ip saddr @from ip daddr @to accept
iif @inside ip6 saddr @from/6 ip6 daddr @to/6 accept">
+<textarea id="text" name="text" style="width: 100%; height: 8em;" placeholder="iif @inside ip saddr @from ip daddr @to accept
iif @inside ip6 saddr @from/6 ip6 daddr @to/6 accept">
 {{- rule.text }}
 </textarea>
 <p><button id="submit" type="submit">Shrani</button>
 </form>
 
+<hr>
+
 <p>
-V pravilih lahko uporabljamo spodnja območja IP, npr. <code>@pr5</code> in <code>@pr5/6</code> za območji IPv4 in IPv6 učilnice 5. Za notranja omrežja uporabimo vmesnik <code>@inside</code>, za zunanja pa vmesnik <code>@outside</code>. Primere z razlago najdemo v <a href="https://wiki.nftables.org">dokumentaciji nftables</a>.
+Promet z naslova <em>src</em> iz zunanjega omrežja na naslov <em>dst</em> na notranjem dovolimo z
+
+<pre><code>iif @outside oif @inside ip saddr src ip daddr dst accept</code></pre>
+
+<p>
+Za naslova <em>src</em> in <em>dst</em> lahko uporabimo <a href="{{ url_for('ipsets.index') }}">definirana omrežja</a>, prikazana v spodnji tabeli. Za omrežje <code>net</code> uporabimo oznaki <code>@net</code> in <code>@net/6</code> za naslove IPv4 in IPv6. Da npr. preprečimo povezave iz omrežja <code>classroom</code> izven omrežja FRI, uporabimo pravili
+
+<pre><code>iif @inside ip saddr @classroom ip daddr != @fri drop
+iif @inside ip6 saddr @classroom/6 ip6 daddr != @fri/6 drop</code></pre>
 
 <table style="width: 100%;">
 <thead>
diff --git a/web/templates/rules/index.html b/web/templates/rules/index.html
index a0a638b..fe62c35 100644
--- a/web/templates/rules/index.html
+++ b/web/templates/rules/index.html
@@ -2,10 +2,12 @@
 
 {% block content %}
 <p>
-Urejate prioritete pravil za požarni zid. Pravilo odstranite tako, da izbrišete pripadajočo številko. V zadnji vrstici lahko dodate novo pravilo.
+Urejate posredovalna pravila. Pravila razvrstimo s stolpcem <em>N</em>. Če vrednost pobrišemo, pravilo odstranimo.
 
 <form id="request" method="POST">
 <table>
+<thead>
+<th>N<th>Pravilo
 <tbody>
 {% for rule in rules %}
 <tr>
@@ -15,7 +17,7 @@ Urejate prioritete pravil za požarni zid. Pravilo odstranite tako, da izbrišet
 {% endfor %}
 <tr>
 <td><input name="index" type="number" min="0" size="4" />
-<td><input name="name" type="text" size="40" />
+<td><input name="name" type="text" size="40" placeholder="novo pravilo" />
 </table>
 <p><button id="submit" type="submit">Shrani</button>
 </form>
diff --git a/web/templates/rules/manage.html b/web/templates/rules/manage.html
index 4ceaaf0..d6924ba 100644
--- a/web/templates/rules/manage.html
+++ b/web/templates/rules/manage.html
@@ -1,5 +1,13 @@
 {% extends 'base.html' %}
 
+{% block header %}
+<style>
+pre {
+    margin: 0;
+}
+</style>
+{% endblock %}
+
 {% block content %}
 <p>
 Tu lahko vklopite in izklopite posamezna pravila za požarni zid.
diff --git a/web/templates/vpn/index.html b/web/templates/vpn/index.html
index 5002f01..473704d 100644
--- a/web/templates/vpn/index.html
+++ b/web/templates/vpn/index.html
@@ -48,17 +48,17 @@ Na vsaki napravi, ki jo želite povezati v omrežje FRI, ustvarite nov ključ. P
 <br>
 <input type="checkbox" id="use_dns" name="use_dns" checked />
 <label for="use_dns">Uporabi imenske strežnike FRI</label>
-</form>
 
 <p>
 Če vklopite prvo opcijo, bo vaš računalnik čez VPN usmerjal ves promet. Če izklopite drugo opcijo, bodo nekateri strežniki dostopni le prek naslova IP. Če ste v dvomih, pustite privzete nastavitve.
+</form>
 
 <section id="settings" style="display: none;">
 <p>
 Nastavitve za povezavo so izpisane spodaj. Zasebni ključ varujte enako skrbno kot geslo, s katerim ste se prijavili; priporočena je raba šifriranega diska. Za nov ključ osvežite to stran.
 
 <section style="display: flex; align-items: center;">
-<pre style="flex-grow: 3;"><a id="download" href="" style="float: right; padding: 0.5em;">Prenesi</a><code id="config"></code></pre>
+<pre style="flex-grow: 3; margin: 0;"><a id="download" href="" style="float: right; padding: 0.5em;">Prenesi</a><code id="config"></code></pre>
 <div id="qr" style="flex-grow: 1; text-align: center;"></div>
 </section>
 
@@ -68,9 +68,9 @@ V nastavitvah lahko dodate ali odstranite vnose <code>AllowedIPs</code>. Ti dolo
 </section>
 
 <section class="keys" style="display: none;">
-<h1>Obstoječi ključi</h1>
+<h1>Ključi</h1>
 <p>
-Ključe, ki jih ne uporabljate, lahko tukaj odstranite. Trenutno so registrirani ključi:
+Če ključa ne uporabljamo, smo ga izgubili ali so nam ga ukradli, ga tukaj odstranimo. Trenutno so registrirani ključi:
 <ul class="keys" style="list-style: none;"></ul>
 <p class="keys" id="active-key-warning" style="margin-top: 0;">
 </section>

From 25ee4e8a442bcf828358031ba2d4d53422aa2ac5 Mon Sep 17 00:00:00 2001
From: Timotej Lazar <timotej.lazar@fri.uni-lj.si>
Date: Wed, 29 May 2024 11:10:31 +0200
Subject: [PATCH 10/10] Improve rule management page
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Address rules by name instead of index. Still problematic if the rules
are changed while someone is managing them, but with names it’s
more likely to just not work instead of enabling or disabling the
wrong rule.

Also prevent bringing down the whole network with a single click.
---
 web/rules.py                    | 34 ++++++++++++++++-----------------
 web/templates/rules/manage.html | 17 +++++++++++------
 2 files changed, 28 insertions(+), 23 deletions(-)

diff --git a/web/rules.py b/web/rules.py
index bc52edb..349dd5f 100644
--- a/web/rules.py
+++ b/web/rules.py
@@ -53,24 +53,24 @@ def edit(index):
 def can_toggle(user, rule):
     return user.is_admin or not user.groups.isdisjoint(rule.get('managers', ()))
 
-@blueprint.route('/manage')
+@blueprint.route('/manage', methods=('GET', 'POST'))
 @flask_login.login_required
 def manage():
-    rules = [rule|{'index': index} for index, rule in enumerate(db.load('rules'))
-                if can_toggle(flask_login.current_user, rule)]
-    return flask.render_template('rules/manage.html', rules=rules)
-
-@blueprint.route('/toggle/<int:index>/<enable>')
-@flask_login.login_required
-def toggle(index, enable):
-    try:
-        with db.locked():
-            rules = db.read('rules')
-            if not can_toggle(flask_login.current_user, rules[index]):
+    with db.locked():
+        rules = db.read('rules')
+        allowed = set(rule['name'] for rule in rules if can_toggle(flask_login.current_user, rule))
+        if flask.request.method == 'POST':
+            # check that all posted rules are allowed for this user
+            posted = set(flask.request.form.getlist('rule'))
+            if posted - allowed:
                 return flask.Response('forbidden', status=403, mimetype='text/plain')
-            rules[index]['enabled'] = (enable == 'true')
+
+            # set status for posted rules
+            enabled = set(flask.request.form.getlist('enabled'))
+            for rule in rules:
+                if rule['name'] in posted:
+                    rule['enabled'] = (rule['name'] in enabled)
             db.write('rules', rules)
-        system.run(system.save_config)
-        return flask.redirect(flask.url_for('rules.manage'))
-    except IndexError as e:
-        return flask.Response(f'invalid rule: {index}', status=400, mimetype='text/plain')
+            system.run(system.save_config)
+            return flask.redirect(flask.url_for('rules.manage'))
+    return flask.render_template('rules/manage.html', rules=[rule for rule in rules if rule['name'] in allowed])
diff --git a/web/templates/rules/manage.html b/web/templates/rules/manage.html
index d6924ba..bc770fb 100644
--- a/web/templates/rules/manage.html
+++ b/web/templates/rules/manage.html
@@ -3,7 +3,10 @@
 {% block header %}
 <style>
 pre {
-    margin: 0;
+    margin: 0.5em 2em;
+}
+summary {
+    list-style: none;
 }
 </style>
 {% endblock %}
@@ -12,17 +15,19 @@ pre {
 <p>
 Tu lahko vklopite in izklopite posamezna pravila za požarni zid.
 
+<form id="request" method="POST">
 {% for rule in rules %}
 <details>
 <summary>
-{% if rule.enabled %}
-<font color="green">●</font> {{ rule.name }} <a href="{{ url_for('rules.toggle', index=rule.index, enable='false') }}">izklopi</a>
-{% else %}
-<font color="red">●</font> {{ rule.name }} <a href="{{ url_for('rules.toggle', index=rule.index, enable='true') }}">vklopi</a>
-{% endif %}
+<input name="rule" type="hidden" value="{{ rule.name }}" />
+<input name="enabled" type="checkbox" value="{{ rule.name }}" autocomplete="off"{% if rule.enabled %} checked{% endif %} />
+{{ rule.name }}
 </summary>
 <pre><code>{{ rule.text }}</code></pre>
 </details>
 {% endfor %}
+<p>
+<button>Potrdi</button>
+</form>
 
 {% endblock %}