27f4a6b1 | 1 | #!/usr/bin/perl |
2 | ############################################################################### |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5bee9a9d | 5 | # Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> # |
6 | # # |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | # # |
22 | # This script converts old groups and firewallrules # | |
23 | # to the new one. This is a 3-step process. # | |
24 | # STEP1: convert groups ->LOG /var/log/converters # | |
25 | # STEP2: convert rules ->LOG /var/log/converters # | |
26 | # STEP3: convert P2P rules # | |
27 | # # | |
28 | ############################################################################### | |
29 | |
30 | require '/var/ipfire/general-functions.pl'; | |
454d47a9 | 31 | require "${General::swroot}/lang.pl"; |
5a9fd5db | 32 | |
27f4a6b1 | 33 | use Socket; |
8f0b047b | 34 | use File::Path; |
35 | use File::Copy; |
36 | ||
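# Paths of the old outgoing-firewall configuration and of the fwhosts /
# firewall configuration it is converted into.
my $ipgrouppath = "${General::swroot}/outgoing/groups/ipgroups/";
my $macgrouppath = "${General::swroot}/outgoing/groups/macgroups/";
my $outgoingrules = "${General::swroot}/outgoing/rules";
my $outfwsettings = "${General::swroot}/outgoing/settings";
my $host = "Converted ";
my $confighosts = "${General::swroot}/fwhosts/customhosts";
my $confignets = "${General::swroot}/fwhosts/customnetworks";
my $configgroups = "${General::swroot}/fwhosts/customgroups";
my $ovpnsettings = "${General::swroot}/ovpn/settings";
my $ovpnconfig = "${General::swroot}/ovpn/ovpnconfig";
my $ccdconfig = "${General::swroot}/ovpn/ccd.conf";
my $fwdfwconfig = "${General::swroot}/firewall/config";
my $outfwconfig = "${General::swroot}/firewall/outgoing";
my $fwdfwsettings = "${General::swroot}/firewall/settings";
# One file per old group. Listed with readdir instead of shelling out to
# `ls`; dotfiles are skipped, as ls did.
my @ipgroups = _list_dir($ipgrouppath);
my @macgroups = _list_dir($macgrouppath);
my @hostarray=();          # "addr,ip" / "addr,mac" entries of the group being converted
my %outsettings=();        # old outgoing firewall settings (POLICY=MODE1|MODE2)
my %hosts=();              # fwhosts custom hosts
my %nets=();               # fwhosts custom networks
my %groups=();             # fwhosts custom groups
my %settingsovpn=();
my %configovpn=();
my %ccdconf=();
my %fwconfig=();           # new forward firewall rules
my %fwconfigout=();        # new outgoing firewall rules
my %fwdsettings=();        # new firewall settings
my %ownnet=();             # ethernet settings (zone addresses/masks)
my %ovpnSettings = ();
# Spellings of "active" in the language files; the old logging flag is
# stored as the translated word.
my @active= ('Aktiv', 'aktiv', 'Active', 'Activo', 'Actif', 'Actief', 'Aktywne', 'Активен', 'Aktif');
General::readhash("${General::swroot}/ovpn/settings", \%ovpnSettings);
General::readhash("${General::swroot}/ethernet/settings", \%ownnet);

if (-e $outfwsettings) {
	General::readhash($outfwsettings,\%outsettings);
}
else
{
	print "Config file for outgoing-firewall not found. Exiting!\n";
	exit(1);
}

if (! -s $outfwsettings) {
	print "Empty DMZ configuration file. Nothing to do. Exiting...\n";
	#Fill the firewall settings file with the default policy
	open (my $settings_fh, '>', $fwdfwsettings) or die "Cannot write $fwdfwsettings: $!\n";
	print $settings_fh "POLICY=MODE2\n";
	print $settings_fh "POLICY1=MODE2\n";
	close ($settings_fh) or die "Cannot write $fwdfwsettings: $!\n";
	exit(0);
}

#ONLY RUN if /var/ipfire/outgoing exists
if ( -d "/var/ipfire/outgoing"){
	process_groups();
	process_rules();
	process_p2p();
}
else
{
	print "/var/ipfire/outgoing not found. Exiting!\n";
	exit 1;
}

# Reload the firewall with the converted rules; a failure is reported, not hidden.
if (system("/usr/local/bin/firewallctrl") != 0) {
	warn "firewallctrl failed: $?\n";
}

# Returns the sorted entries of directory $dir, dotfiles excluded.
# A missing or unreadable directory yields an empty list (as `ls 2>/dev/null` did).
sub _list_dir {
	my $dir = shift;
	opendir(my $dh, $dir) or return ();
	my @names = sort grep { !/^\./ } readdir($dh);
	closedir($dh);
	return @names;
}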
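# STEP1: convert the old IP and MAC groups of the outgoing firewall into
# fwhosts custom hosts/networks/groups (via new_hostgrp). Progress goes to
# /var/log/converters/groups-convert.log; the bareword LOG handle is shared
# with new_hostgrp.
sub process_groups
{
	my $logdir  = "/var/log/converters";
	my $logfile = "$logdir/groups-convert.log";
	mkdir($logdir) if ! -d $logdir;
	# Start from a fresh log. The old code called rmtree() on the relative
	# path "var/log/converters", which never existed and so did nothing.
	unlink($logfile) if -f $logfile;
	open (LOG, '>', $logfile) or die $!;
	#IP Group processing
	foreach my $group (@ipgroups){
		my $now=localtime;
		chomp $group;
		print LOG "\n$now Processing IP-GROUP: $group...\n";
		my $path = "$ipgrouppath/$group";
		# An unreadable group file is logged and skipped instead of
		# silently yielding an empty group.
		open (my $fh, '<', $path) or do {
			print LOG "$now -> cannot read $path: $!\n";
			next;
		};
		my @zeilen = <$fh>;
		close ($fh);
		@hostarray=();
		foreach my $ip (@zeilen){
			chomp($ip);
			$ip =~ s/\s//g;
			print LOG "$now Check IP $ip from Group $group ";
			my $val=check_ip($ip);
			if($val){
				push(@hostarray,$val.",ip");
				print LOG "$now -> OK\n";
			}
			else{
				print LOG "$now -> IP \"$ip\" from group $group not converted (invalid IP) \n";
			}
		}
		new_hostgrp($group,'ip');
		@hostarray=();
	}
	#MAC Group processing
	foreach my $group (@macgroups){
		# $now was only declared in the IP loop before, so MAC log lines
		# carried an empty timestamp.
		my $now=localtime;
		chomp $group;
		print LOG "\nProcessing MAC-GROUP: $group...\n";
		my $path = "$macgrouppath/$group";
		open (my $fh, '<', $path) or do {
			print LOG "$now -> cannot read $path: $!\n";
			next;
		};
		my @zeilen = <$fh>;
		close ($fh);
		@hostarray=();
		foreach my $mac (@zeilen){
			chomp($mac);
			$mac =~ s/\s//g;
			print LOG "$now Checking MAC $mac from group $group ";
			#MAC checking
			if(General::validmac($mac)){
				push(@hostarray,$mac.",mac");
				print LOG "$now -> OK\n";
			}
			else{
				print LOG "$now -> Mac $mac from group $group not converted (invalid MAC)\n";
			}
		}
		new_hostgrp($group,'mac');
		@hostarray=();
	}
	close (LOG);
}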
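# Normalises an old-config address to "ip/dotted-mask".
# Accepts "a.b.c.d/cidr" and "a.b.c.d" (the latter becomes /255.255.255.255);
# anything else is handed to General::validipandmask/iporsubtodec.
# Returns undef when the address is not valid.
sub check_ip
{
	my $adr=shift;
	my $result;
	return $result if !defined($adr);
	#ip with subnet in decimal
	# Octet separators must be literal dots; the old pattern used an
	# unescaped '.' which matched any character.
	if($adr =~ m/^(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)\/(\d{1,2})$/){
		$adr=int($1).".".int($2).".".int($3).".".int($4);
		my $mask = General::iporsubtodec($5);
		$result=$adr."/".$mask;
	}elsif($adr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
		$adr=int($1).".".int($2).".".int($3).".".int($4);
		if(General::validip($adr)){
			$result=$adr."/255.255.255.255";
		}
	}
	if(General::validipandmask($adr)){
		$result=General::iporsubtodec($adr);
	}
	return $result;
}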
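# Adds every entry of @hostarray ("addr,ip" or "addr,mac") to the fwhosts
# custom hosts/networks and as a member of custom group $grp.
# $run is 'ip' or 'mac'. Reads and rewrites customhosts, customnetworks and
# customgroups; logs to the bareword LOG handle opened by the caller.
sub new_hostgrp
{
	my $grp=shift;
	my $run=shift;
	General::readhasharray($confighosts,\%hosts);
	General::readhasharray($confignets,\%nets);
	General::readhasharray($configgroups,\%groups);
	foreach my $adr (@hostarray){
		# $name2 = member name written to the group, $name3 = its kind.
		# Reset per entry so a name is never carried over to the next entry.
		my $name2='';
		my $name3='';
		if($run eq 'ip'){
			my ($ip,$type) = split(",",$adr);
			my ($ippart,$subnet) = split("/",$ip);
			my ($byte1,$byte2,$byte3,$byte4) = split(/\./,$subnet);
			if($byte4 eq '255'){
				print LOG "Processing SINGLE HOST $ippart/$subnet from group $grp\n";
				$name2="host ".$ippart;
				$name3="Custom Host";
				if(!check_host($ip)){
					my $key = General::findhasharraykey(\%hosts);
					$hosts{$key}[0] = $name2;
					$hosts{$key}[1] = $type;
					$hosts{$key}[2] = $ip;
					$hosts{$key}[3] = '';
					print LOG "->Host (IP) $ip added to custom hosts\n";
				}else{
					print LOG "->Host (IP) $ip already exists in custom hosts\n";
				}
			}elsif($byte4 < '255'){
				print LOG "Processing NETWORK $ippart/$subnet from Group $grp\n";
				if(!check_net($ippart,$subnet)){
					#Check if this network is one of IPFire's internal networks
					my $std = _standard_network($ippart,$subnet);
					if($std ne ''){
						$name2=$std;
						$name3='Standard Network';
					}else{
						my $netkey = General::findhasharraykey(\%nets);
						$name2="net ".$ippart;
						$name3="Custom Network";
						$nets{$netkey}[0] = $name2;
						$nets{$netkey}[1] = $ippart;
						$nets{$netkey}[2] = $subnet;
						$nets{$netkey}[3] = '';
						print LOG "->Network $ippart/$subnet added to custom networks\n";
					}
				}else{
					print LOG "Network $ippart already exists in custom networks\n";
					$name2="net ".$ippart;
					$name3="Custom Network";
				}
			}
		}elsif($run eq 'mac'){
			#MACRUN
			my ($mac,$type) = split(",",$adr);
			print LOG "Processing HOST (MAC) $mac\n";
			# Member names use '-' instead of ':'. The old code had the
			# bareword "mac" here for existing hosts, so they were added to
			# the group as "host mac" instead of their real name.
			(my $mac2 = $mac) =~ s/:/-/g;
			$name2="host ".$mac2;
			$name3="Custom Host";
			if(!check_host($mac)){
				my $key = General::findhasharraykey(\%hosts);
				$hosts{$key}[0] = $name2;
				$hosts{$key}[1] = $type;
				$hosts{$key}[2] = $mac;
				$hosts{$key}[3] = '';   # same record layout as the IP branch
				print LOG "->Host (MAC) $mac added to custom hosts\n";
			}else{
				print LOG "->Host (MAC) $mac already exists in custom hosts \n";
			}
		}
		_add_to_group($grp,$name2,$name3);
	}
	@hostarray=();
	General::writehasharray($confighosts,\%hosts);
	General::writehasharray($configgroups,\%groups);
	General::writehasharray($confignets,\%nets);
}

# Returns the IPFire standard-network name that $ippart/$subnet belongs to
# (GREEN, ORANGE, BLUE, ALL or OpenVPN-Dyn, checked in that order), or ''
# when it is none of them.
sub _standard_network {
	my ($ippart,$subnet) = @_;
	foreach my $zone (qw(GREEN ORANGE BLUE)) {
		my $netaddr = $ownnet{"${zone}_NETADDRESS"};
		# an unset or 0.0.0.0 zone address means the zone is not configured
		next if !defined($netaddr) || $netaddr eq '' || $netaddr eq '0.0.0.0';
		return $zone if General::IpInSubnet($ippart,$netaddr,$ownnet{"${zone}_NETMASK"});
	}
	return 'ALL' if $ippart eq '0.0.0.0';
	if (defined($ovpnSettings{'DOVPN_SUBNET'})
		&& "$ippart/".General::iporsubtodec($subnet) eq $ovpnSettings{'DOVPN_SUBNET'}) {
		return 'OpenVPN-Dyn';
	}
	return '';
}

# Adds $member (of kind $kind) to custom group $grp in %groups unless the
# member name is empty or the group already contains it.
sub _add_to_group {
	my ($grp,$member,$kind) = @_;
	return if !$member || check_grp($grp,$member);
	my $grpkey = General::findhasharraykey(\%groups);
	$groups{$grpkey}[0] = $grp;
	$groups{$grpkey}[1] = '';
	$groups{$grpkey}[2] = $member;
	$groups{$grpkey}[3] = $kind;
	print LOG "->$member added to group $grp\n";
	return;
}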
# Returns 1 when a custom host whose address field (index 2) equals $ip is
# present in %hosts, otherwise 0.
sub check_host
{
	my $ip=shift;
	for my $entry (map { $hosts{$_} } sort keys %hosts) {
		return 1 if $entry->[2] eq $ip;
	}
	return 0;
}
# Returns 1 when a custom network with address $ip (index 1) and netmask
# $sub (index 2) is present in %nets, otherwise 0.
sub check_net
{
	my ($ip,$sub) = @_;
	for my $entry (map { $nets{$_} } sort keys %nets) {
		next unless $entry->[1] eq $ip;
		return 1 if $entry->[2] eq $sub;
	}
	return 0;
}
# Returns 1 when custom group $grp (index 0) already lists member $value
# (index 2) in %groups, otherwise 0.
sub check_grp
{
	my ($grp,$value) = @_;
	for my $entry (map { $groups{$_} } sort keys %groups) {
		next unless $entry->[0] eq $grp;
		return 1 if $entry->[2] eq $value;
	}
	return 0;
}
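# STEP2: convert the old outgoing-firewall rules (one ';'-separated line
# each) into forward firewall rules (%fwconfig) or, for source RED, outgoing
# firewall rules (%fwconfigout). Only rules of the type matching the old
# POLICY (ALLOW for MODE1, DENY otherwise) are converted. Progress goes to
# /var/log/converters/outgoingfw-convert.log via the bareword LOG handle,
# which build_ovpn_grp also writes to.
sub process_rules
{
	my $logfile = "/var/log/converters/outgoingfw-convert.log";
	#open LOG
	unlink ($logfile) if -f $logfile;
	open (LOG, '>', $logfile) or die $!;

	# The old policy decides which rule type we convert and what the new
	# default policy becomes.
	General::readhash($fwdfwsettings,\%fwdsettings);
	my ($type,$action);
	if ($outsettings{'POLICY'} eq 'MODE1'){
		$fwdsettings{'POLICY'}='MODE1';
		$type='ALLOW';
		$action='ACCEPT';
	}else{
		$fwdsettings{'POLICY'}='MODE2';
		$type='DENY';
		$action='DROP';
	}
	$fwdsettings{'POLICY1'}='MODE2';
	General::writehash($fwdfwsettings,\%fwdsettings);

	# Custom groups created by process_groups; old rules may name them as source.
	General::readhasharray($configgroups,\%groups);

	my @lines=();
	if (open (my $rules_fh, '<', $outgoingrules)) {
		@lines = <$rules_fh>;
		close ($rules_fh);
	}else{
		print LOG "Unable to open $outgoingrules: $!\n";
	}

	RULE: foreach my $rule (@lines)
	{
		General::readhasharray($fwdfwconfig,\%fwconfig);
		General::readhasharray($outfwconfig,\%fwconfigout);
		my $now=localtime;
		chomp($rule);
		print LOG "$now processing: $rule\n";
		my @configline = split( /\;/, $rule );
		if($configline[0] ne $type){
			print LOG "-> Rule not converted because not for Firewall mode $outsettings{'POLICY'} (we are only converting for actual mode)\n";
			next RULE;
		}
		# All rule fields live in this iteration. The old code declared them
		# once per sub and only reset $port, so source/target/port settings
		# leaked from one rule into the next one.
		my ($grp1,$source,$grp2,$target,$useport,$port,$grp3,$remark) = ('') x 8;
		#some variables we can use from old config
		my $active = ($configline[1] eq 'on') ? 'ON' : '';
		my @prot;
		if($configline[3] eq 'all'){
			# "all" with a port list means TCP and UDP, without ports any protocol
			@prot = ($configline[8] ne '') ? ('TCP','UDP') : ('');
		}else{
			@prot = ($configline[3]);
		}
		if($configline[4] ne ''){
			$configline[4] =~ s/,/;/g;
			$remark = $configline[4];
		}
		#find all "active" tags in all language files and check them against the old config
		my $log = (grep { $_ eq $configline[9] } @active) ? 'ON' : '';
		# A time restriction is only absent when all days are on and the
		# window is 00:00-00:00.
		my $all_days = !grep { $_ ne 'on' } @configline[10..16];
		my $time = ($all_days && $configline[17] eq '00:00' && $configline[18] eq '00:00') ? '' : 'ON';
		my ($time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to) = @configline[10..18];
		############################################################
		#sourcepart
		if ($configline[2] eq 'green') {
			$grp1='std_net_src';
			$source='GREEN';
		}elsif ($configline[2] eq 'orange') {
			$grp1='std_net_src';
			$source='ORANGE';
		}elsif ($configline[2] eq 'red') {
			$grp1='ipfire_src';
			$source='RED1';
			General::readhash($fwdfwsettings,\%fwdsettings);
			$fwdsettings{'POLICY1'}=$outsettings{'POLICY'};
			$fwdsettings{'POLICY'}=$outsettings{'POLICY'};
			General::writehash($fwdfwsettings,\%fwdsettings);
		}elsif ($configline[2] eq 'blue') {
			$grp1='std_net_src';
			$source='BLUE';
		}elsif ($configline[2] eq 'ipsec') {
			print LOG "$now -> Rule not converted, ipsec+ interface is obsolet since IPFire 2.7 \n";
			next RULE;
		}elsif ($configline[2] eq 'ovpn') {
			print LOG "$now ->Creating networks/groups for OpenVPN...\n";
			build_ovpn_grp();
			$grp1='cust_grp_src';
			$source='ovpn';
		}elsif ($configline[2] eq 'ip') {
			my $z=check_ip($configline[5]);
			if($z){
				my ($ipa,$subn) = split("/",$z);
				$subn=General::iporsubtocidr($subn);
				$grp1='src_addr';
				$source="$ipa/$subn";
			}else{
				print LOG "$now -> Rule not converted, missing/invalid source ip \"$configline[5]\"\n";
				next RULE;
			}
		}elsif ($configline[2] eq 'mac') {
			if(General::validmac($configline[6])){
				$grp1='src_addr';
				$source=$configline[6];
			}else{
				print LOG "$now -> Rule not converted, invalid MAC \"$configline[6]\" \n";
				next RULE;
			}
		}elsif ($configline[2] eq 'all') {
			$grp1='std_net_src';
			$source='ALL';
		}else{
			# anything else must be the name of a converted custom group
			foreach my $key (sort keys %groups){
				if($groups{$key}[0] eq $configline[2]){
					$grp1='cust_grp_src';
					$source=$configline[2];
				}
			}
			if ($grp1 eq '' || $source eq ''){
				# The old code only logged here and then still wrote the rule
				# with whatever source the previous rule had.
				print LOG "$now -> Rule not converted, no valid source recognised\n";
				next RULE;
			}
		}
		############################################################
		#destinationpart
		if($configline[7] ne '' && $configline[7] ne '0.0.0.0'){
			my $address=check_ip($configline[7]);
			if($address){
				my ($dip,$dsub) = split("/",$address);
				$dsub=General::iporsubtocidr($dsub);
				$grp2='tgt_addr';
				$target="$dip/$dsub";
			}else{
				# not an address: resolve it once now and keep the name in the remark
				my $getwebsiteip=get_ip_from_domain($configline[7]);
				if ($getwebsiteip){
					$grp2='tgt_addr';
					$target=$getwebsiteip;
					$remark.=" $configline[7]";
				}else{
					print LOG "$now -> Rule not converted, invalid domain \"$configline[7]\"\n";
					next RULE;
				}
			}
		}else{
			$grp2='std_net_tgt';
			$target='ALL';
		}
		############################################################
		#destination ports ("80,443,1000-2000" -> "80|443|1000:2000")
		if($configline[8] ne '' && $configline[3] ne 'gre' && $configline[3] ne 'esp'){
			my @values=();
			foreach my $part (split(",",$configline[8])){
				$part =~ tr/-/:/;
				if ($part =~ /^(\d+)\:(\d+)$/) {
					my ($a1,$a2) = ($1,$2);
					if (!(General::validport($a1) && General::validport($a2) && $a1 < $a2)){
						print LOG "$now -> Rule not converted, invalid destination Port \"$configline[8]\"\n";
						# 'next' without the label only skipped the bad port
						# and still converted the rest of the rule
						next RULE;
					}
					push (@values,"$a1:$a2");
				}else{
					if (!General::validport($part)){
						print LOG "$now -> Rule not converted, invalid destination Port \"$configline[8]\"\n";
						next RULE;
					}
					push (@values,$part);
				}
			}
			if (@values){
				$useport='ON';
				$grp3='TGT_PORT';
				$port=join("|",@values);
			}
		}
		############################################################
		#one new rule per protocol
		foreach my $protocol (@prot){
			my $now=localtime;
			# rules from RED belong to the outgoing firewall, all others to the forward firewall
			my $chain = ($source eq 'RED1') ? 'OUTGOINGFW' : 'FORWARDFW';
			$protocol=uc($protocol);
			print LOG "$now -> Converted: $action,$chain,$active,$grp1,$source,$grp2,$target,,$protocol,,,$useport,,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n";
			my @fields = ($action,$chain,$active,$grp1,$source,$grp2,$target,$protocol,$useport,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to);
			#Put rules into system....
			if ($chain eq 'FORWARDFW'){
				_store_rule(\%fwconfig,$fwdfwconfig,\@fields);
			}else{
				_store_rule(\%fwconfigout,$outfwconfig,\@fields);
			}
		}
	}
	close(LOG);
}

# Positions of the 23 converted rule fields inside a firewall config record.
sub _rule_field_positions {
	return (0..6, 8, 11, 14..27);
}

# Joins the converted fields of stored record $rec, for duplicate detection.
sub _rule_signature {
	my $rec = shift;
	my @idx = _rule_field_positions();
	return join(",", map { defined($_) ? $_ : '' } @{$rec}[@idx]);
}

# Appends the rule given by the 23 values in @$fields to config hash $cfg
# and writes it to $file, unless $cfg already holds an identical rule.
# The old code checked duplicates only against the forward firewall, so
# outgoing (RED) rules were duplicated on every run; and a duplicate found
# for one protocol suppressed all remaining protocols of the same rule.
sub _store_rule {
	my ($cfg,$file,$fields) = @_;
	my $signature = join(",", @$fields);
	#check for double rules
	foreach my $key (sort keys %$cfg){
		return if _rule_signature($cfg->{$key}) eq $signature;
	}
	my $key = General::findhasharraykey($cfg);
	my @idx = _rule_field_positions();
	@{ $cfg->{$key} }[@idx] = @$fields;
	$cfg->{$key}[28] = '';
	$cfg->{$key}[29] = 'ALL';
	$cfg->{$key}[30] = '';
	$cfg->{$key}[31] = 'dnat';
	General::writehasharray($file,$cfg);
	return;
}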
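# Resolves host name $web and returns its first IPv4 address as a dotted
# string, or undef (empty list) when the name is empty or does not resolve.
# Only the first address is used, so a name with several records converts
# to a rule that covers just one of them.
sub get_ip_from_domain
{
	my $web=shift;   # was an undeclared global before
	return if !defined($web) || $web eq '';
	my (undef,undef,undef,undef,@addrs) = gethostbyname($web);
	return unless @addrs;
	return inet_ntoa($addrs[0]);
}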
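# Creates fwhosts custom networks for the dynamic OpenVPN net, the static
# ccd nets and the net-to-net connections, and puts them into custom group
# "ovpn" so that converted rules with source 'ovpn' can reference it.
# Rewrites customhosts, customnetworks and customgroups; logs to LOG.
sub build_ovpn_grp
{
	my $now=localtime;
	General::readhasharray($confighosts,\%hosts);
	General::readhasharray($confignets,\%nets);
	General::readhasharray($configgroups,\%groups);
	General::readhasharray($ovpnconfig,\%configovpn);
	General::readhasharray($ccdconfig,\%ccdconf);
	General::readhash($ovpnsettings,\%settingsovpn);
	#get ovpn nets as "net,subnet,name"
	my @ovpnnets=();
	if($settingsovpn{'DOVPN_SUBNET'}){
		my ($net,$subnet)=split("/",$settingsovpn{'DOVPN_SUBNET'});
		push (@ovpnnets,"$net,$subnet,dynamic");
		print LOG "$now ->found dynamic OpenVPN net\n";
	}
	foreach my $key (sort keys %ccdconf){
		my ($net,$subnet)=split("/",$ccdconf{$key}[1]);
		$subnet=General::iporsubtodec($subnet);
		push (@ovpnnets,"$net,$subnet,$ccdconf{$key}[0]");
		print LOG "$now ->found OpenVPN static net $net/$subnet\n";
	}
	foreach my $key (sort keys %configovpn){
		next if $configovpn{$key}[3] ne 'net';
		my ($net,$subnet)=split("/",$configovpn{$key}[27]);
		push (@ovpnnets,"$net,$subnet,$configovpn{$key}[2]");
		print LOG "$now ->found OpenVPN $net/$subnet $configovpn{$key}[2]\n";
	}
	#add ovpn nets to customnetworks/groups
	foreach my $line (@ovpnnets){
		my $now=localtime;
		my ($net,$subnet,$name) = split(",",$line);
		# name of the custom network entry; stays empty when the net already
		# exists, in which case nothing is added to the group (was an
		# undeclared global before)
		my $name2='';
		if (!check_net($net,$subnet)){
			my $netkey = General::findhasharraykey(\%nets);
			$name2=$name."(ovpn)".$net;
			$nets{$netkey}[0] = $name2;
			$nets{$netkey}[1] = $net;
			$nets{$netkey}[2] = $subnet;
			$nets{$netkey}[3] = '';
			print LOG "$now ->added $name2 $net/$subnet to customnetworks\n";
		}else{
			print LOG "-> Custom Network with same IP already exist \"$net/$subnet\" (you can ignore this, if this run was manual from shell)\n";
		}
		# same membership check as new_hostgrp, so a rerun cannot add the
		# member to the group twice
		if($name2 && !check_grp("ovpn",$name2)){
			my $grpkey = General::findhasharraykey(\%groups);
			$groups{$grpkey}[0] = "ovpn";
			$groups{$grpkey}[1] = '';
			$groups{$grpkey}[2] = $name2;
			$groups{$grpkey}[3] = "Custom Network";
			print LOG "$now ->added $name2 to customgroup ovpn\n";
		}
	}
	General::writehasharray($confighosts,\%hosts);
	General::writehasharray($configgroups,\%groups);
	General::writehasharray($confignets,\%nets);
	print LOG "$now ->finished OVPN\n";
}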
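# STEP3: take over the P2P protocol list of the old outgoing firewall and
# give it to uid/gid 99 (nobody). Failures are reported with warn; the old
# code ignored the results of copy and chown.
sub process_p2p
{
	my $src = "/var/ipfire/outgoing/p2protocols";
	my $dst = "/var/ipfire/firewall/p2protocols";
	copy($src,$dst) or warn "copy $src -> $dst failed: $!\n";
	chown(99, 99, $dst) or warn "chown $dst failed: $!\n";
	return;
}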