From ebe9d58594f801a5daf3da4c2cea226a27867e26 Mon Sep 17 00:00:00 2001 From: Jamie Cameron Date: Mon, 27 Dec 2021 13:08:26 -0800 Subject: [PATCH] Add support for editing IPset match rules --- firewall/edit_rule.cgi | 12 +++++++++++- firewall/index.cgi | 2 +- firewall/lang/en | 7 +++++-- firewall/save_rule.cgi | 7 +++++++ 4 files changed, 24 insertions(+), 4 deletions(-) diff --git a/firewall/edit_rule.cgi b/firewall/edit_rule.cgi index c375438ae..169688fab 100755 --- a/firewall/edit_rule.cgi +++ b/firewall/edit_rule.cgi @@ -345,10 +345,20 @@ print &ui_table_row($text{'edit_physdevisbridged'}, &print_mode("physdevisbridged", $rule->{'physdev-is-bridged'}, $text{'yes'}, $text{'no'})); +# IPset to match +print &ui_table_row($text{'edit_matchset'}, + &print_mode("matchset", $rule->{'match-set'})." ". + &ui_select("matchset", $rule->{'match-set'}->[1], + [ map { $_->{'Name'} } &get_ipsets_active() ])." ". + &ui_select("matchset2", $rule->{'match-set'}->[2], + [ [ "src", $text{'edit_matchsetsrc'} ], + [ "dst", $text{'edit_matchsetdst'} ] ], 1, 0, + $rule->{'match-set'}->[2] ? 1 : 0)); + print &ui_table_hr(); # Show unknown modules -@mods = grep { !/^(tcp|udp|icmp${ipvx_icmp}|multiport|mac|limit|owner|state|conntrack|tos|comment|physdev)$/ } map { $_->[1] } @{$rule->{'m'}}; +@mods = grep { !/^(tcp|udp|icmp${ipvx_icmp}|multiport|mac|limit|owner|state|conntrack|tos|comment|physdev|set)$/ } map { $_->[1] } @{$rule->{'m'}}; print &ui_table_row($text{'edit_mods'}, &ui_textbox("mods", join(" ", @mods), 60)); diff --git a/firewall/index.cgi b/firewall/index.cgi index 617abcb1e..4fb221a6b 100755 --- a/firewall/index.cgi +++ b/firewall/index.cgi @@ -433,7 +433,7 @@ else { # Show ipset overview if ipsets are availibe # may need to check if they are used by firewall rules - @ipsets = &get_ipsets_active(); + @ipsets = &get_ipsets_active(); if (@ipsets) { print &ui_hr(); print "$text{'index_ipset_title'}"; 
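Review bot: The `matchset` select in the new `edit_matchset` row is populated only from `&get_ipsets_active()` and, unlike the `matchset2` select next to it, is not told to keep the rule's current value when that value is missing from the list, so a rule that names a set which is not loaded right now (or any rule on a host where ipset reports nothing) is displayed pointing at the first available set, and re-saving the form silently rebinds the firewall rule to a different set than the one it matched before. If ui_select's sixth argument is the add-if-missing flag as the `matchset2` call implies, pass it here as well: `[ map { $_->{'Name'} } &get_ipsets_active() ], 1, 0, $rule->{'match-set'}->[1] ? 1 : 0)." ".`. A short comment such as `# [1] is the set name, [2] the src/dst flags (see desc_match-set)` would also help, since the index layout of `$rule->{'match-set'}` is otherwise only implied by the lang strings. The surrounding edit_rule.cgi script runs before and after this hunk.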
diff --git a/firewall/lang/en b/firewall/lang/en index 713b18c9e..f366dfa10 100644 --- a/firewall/lang/en +++ b/firewall/lang/en @@ -140,8 +140,8 @@ desc_ctstate=state of connection is $1 desc_ctstate!=state of connection is not $1 desc_tos=type of service field is $1 desc_tos!=type of service field is not $1 -desc_match-set=$2 matches set $1 -desc_match-set!=$2 does not match set $1 +desc_match-set=$2 matches IPset $1 +desc_match-set!=$2 does not match IPset $1 desc_physdev-in=input physical interface is $1 desc_physdev-in!=input physical interface is not $1 desc_physdev-out=output physical interface is $1 @@ -229,6 +229,9 @@ edit_physdevout=Outgoing physical interface edit_physdevisin=Packet incoming on bridge interface edit_physdevisout=Packet outgoing on bridge interface edit_physdevisbridged=Packet is being bridged +edit_matchset=Matching IPset +edit_matchsetsrc=on incoming traffic +edit_matchsetdst=on outgoing traffic save_err=Failed to save rule save_echain=Missing or invalid chain to run diff --git a/firewall/save_rule.cgi b/firewall/save_rule.cgi index 57f22907c..3b0cf0ca8 100755 --- a/firewall/save_rule.cgi +++ b/firewall/save_rule.cgi @@ -362,6 +362,13 @@ else { push(@mods, "physdev"); } + # Parse IPset + if (&parse_mode("matchset", $rule, "match-set")) { + $rule->{'match-set'}->[1] = $in{'matchset'}; + $rule->{'match-set'}->[2] = $in{'matchset2'}; + push(@mods, "set"); + } + # Add custom parameters and modules $rule->{'args'} = $in{'args'}; push(@mods, split(/\s+/, $in{'mods'}));
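Review bot: `$in{'matchset'}` and `$in{'matchset2'}` are copied into the rule straight from the form with no validation, even though the edit page only ever offers the names returned by `&get_ipsets_active()` and the two values `src`/`dst`; a crafted or stale POST can therefore store an empty name, a set that does not exist, or an arbitrary string that will end up in the generated `--match-set` arguments (how the rule is rendered afterwards is outside this diff, so the exact effect is unconfirmed). lang/en already carries `save_e*` messages for other fields (`save_echain`), and this one deserves the same treatment: `my %active = map { $_->{'Name'} => 1 } &get_ipsets_active();` then `$active{$in{'matchset'}} || &error($text{'save_ematchset'});` and `$in{'matchset2'} =~ /^(src|dst)$/ || &error($text{'save_ematchset2'});`, with the two new messages added to lang/en. If rules are meant to be savable while the referenced set is not loaded, relax the first check to a name pattern such as `/^[A-Za-z0-9_.\-]+$/` rather than dropping it. The enclosing `else {` block starts and ends outside the hunk.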