6b681c40 | 1 | #!/usr/bin/perl |
2 | ############################################################################### |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5bee9a9d | 5 | # Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> # |
6 | # # |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | # # |
22 | # This script converts old portforwarding rules from old Firewall # | |
23 | # to the new one. This is a 3-step process. # | |
24 | # STEP1: read old config and normalize settings # | |
25 | # STEP2: create new rules from old ones # | |
26 | # STEP3: check if rule already exists, when not, put it into # | |
6d8eb5de | 27 | # /var/ipfire/firewall/config # |
dc21519f | 28 | ############################################################################### |
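require '/var/ipfire/general-functions.pl';

# State shared by the three steps below: the normalised old rules
# (get_config), the rules built from them (build_rules) and the hash-array
# that mirrors the new firewall config on disk (write_rules).
my @values=();
my @built_rules=();
my %nat=();
my $portfwconfig = "${General::swroot}/portfw/config";
my $confignat = "${General::swroot}/firewall/config";

# Field holders for the old rule being processed and for the row after it
# (a flagged follow-up row only carries the source address of its
# predecessor, see get_config).
my ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark);
my ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1);
my $count=0;
my $jump;

# The directory is created with Perl's default mode, so its permissions
# follow the caller's umask. A failed mkdir surfaces when the log is opened.
if(! -d "/var/log/converters"){ mkdir("/var/log/converters");}

# Three-argument open with lexical handles: the paths are assembled from a
# configuration value and must never be interpreted as an open() mode.
open(my $portfw_fh, '<', $portfwconfig) or die "Unable to open config file $portfwconfig: $!";
my @current = <$portfw_fh>;
close($portfw_fh);

# LOG stays a package-level bareword handle on purpose: the subs below write
# to it and the close() at the end of the file refers to it. Note that the
# log echoes every rule that is converted (addresses, ports, remarks).
open (LOG, '>', "/var/log/converters/portfw-convert.log") or die "Unable to open log file: $!";

open(my $alias_fh, '<', "${General::swroot}/ethernet/aliases") or die "Unable to open aliases file: $!";
my @alias = <$alias_fh>;
close($alias_fh);

get_config();
build_rules();
write_rules();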
# STEP 1: read every row of the old portfw config into @values as
#   prot,ipfireport,target,targetport,active,alias,source,remark
# A row whose second field is '1' is not a rule of its own: it supplies the
# source address of the row before it and is skipped afterwards.
# Side effects: advances the file-level $count once per row and appends
# one line to LOG per rule.
sub get_config
{
	print LOG "STEP 1: Get config from old portforward\n#########################################\n";
	my $skip_next = '';
	while ($count < @current){
		my $idx = $count++;
		if($skip_next eq '1'){
			# This row was consumed as the source of the previous rule.
			$skip_next = '';
			next;
		}
		($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark) = split(",",$current[$idx]);
		($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1) = split(",",$current[$idx+1]);
		if ($flag1 eq '1'){
			$source = $source1;
			$skip_next = '1';
		}
		my $now = localtime;
		chomp($remark);
		print LOG "$now processing-> KEY: $key FLAG: $flag PROT: $prot FIREPORT: $ipfireport TARGET: $target TGTPORT: $targetport ACTIVE: $active ALIAS: $alias SOURCE: $source REM: $remark Doublerule: $skip_next\n";
		push (@values, join(",", $prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark));
	}
}
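# STEP 2: turn every entry of @values into a line in the new firewall
# format and append it to @built_rules. The same string is written to LOG
# so the log shows exactly what will be compared and stored in step 3.
sub build_rules
{
	print LOG "\nSTEP 2: Convert old portforwardrules in a useable format\n########################################################\n";
	my $count=0;
	#build rules for new firewall
	foreach my $line (@values){
		chomp ($line);
		($prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark)=split(",",$line);
		$count++;
		# Source part of the rule: "any" or a single host.
		my ($src, $src1);
		if($source eq '0.0.0.0/0'){
			$src = 'std_net_src';
			$src1 = 'ALL';
		}else{
			# NOTE(review): the prefix length of the old source is dropped
			# and the address is always written as a /32 host. If the old
			# config could hold whole networks here, the converted rule
			# matches less than the original one did -- confirm against
			# the old portfw format.
			my ($src_ip) = split("/",$source);
			$src = 'src_addr';
			$src1 = $src_ip."/32";
		}
		# IPFire side: map an alias address back to its name from
		# ethernet/aliases (ip,active,name). The first matching line wins.
		if($alias eq '0.0.0.0'){
			$alias='ALL';
		}else{
			foreach my $ali (@alias){
				my ($alias_ip,$alias_active,$alias_name) = split (",",$ali);
				if($alias eq $alias_ip){
					chomp($alias_name);
					$alias=$alias_name;
				}
			}
			# NOTE(review): an address without a matching alias line is
			# kept as the raw address; nothing reports that case.
		}
		$active = uc $active;
		$prot = uc $prot;
		chomp($remark);
		my $rule = "ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat";
		push (@built_rules, $rule);
		my $now=localtime;
		print LOG "$now Converted-> KEY: $count $rule\n";
	}
}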
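# STEP 3: merge @built_rules into the firewall config hash-array and write
# it back. A rule is only added when no existing entry already carries the
# same values on the positions the converter fills, so running the
# converter twice does not duplicate rules.
sub write_rules
{
	print LOG "\nSTEP 3: Create DNAT rules in new firewall\n#########################################\n";
	General::readhasharray($confignat,\%nat);
	# Positions inside a %nat entry that the converter fills. The candidate
	# is compared against existing entries on exactly these positions and
	# with exactly the values that would be written. The earlier string
	# comparison matched the empty 10th field of the built line against
	# position 11, which is stored as $use_port, so a rule written by a
	# previous run was never recognised and was appended again.
	my @slots = (0,1,2,3,4,5,6,7,8,11,14,15,16,26,27,28,29,30,31);
	foreach my $line (@built_rules){
		my ($action,$chain,$active,$src,$src1,$tgt,$tgt1,$dummy,$prot,$spare,$tgt_port,$tgt_port1,$remark,$from,$to,$use_port,$alias,$ipfireport,$dnat) = split (",",$line);
		# GRE carries no ports: blank every port related field before the
		# rule is compared or stored, so existing GRE rules compare equal.
		if ( $prot eq 'GRE'){
			$tgt_port='';
			$tgt_port1='';
			$use_port='';
			$ipfireport='';
		}
		# Values for @slots, in order; $use_port lands on 11 and 28 as before.
		my @new = ($action,$chain,$active,$src,$src1,$tgt,$tgt1,$dummy,$prot,$use_port,$tgt_port,$tgt_port1,$remark,$from,$to,$use_port,$alias,$ipfireport,$dnat);
		my $candidate = join(",", @new);
		my $exists = '';
		foreach my $key (sort keys %nat){
			my $existing = join(",", map { defined $nat{$key}[$_] ? $nat{$key}[$_] : '' } @slots);
			if ($candidate eq $existing){
				my $now=localtime;
				print LOG "$now SKIP-> Rule $existing ->EXISTS\n";
				$exists = '1';
				last;
			}
		}
		next if $exists eq '1';
		my $id = General::findhasharraykey(\%nat);
		# Slice assignment leaves the positions between @slots undefined,
		# the same layout the field-by-field assignment produced.
		@{ $nat{$id} }[@slots] = @new;
		my $now=localtime;
		print LOG "$now NEW RULE-> Rule $candidate\n";
	}
	General::writehasharray($confignat,\%nat);
}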
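# Buffered write errors only surface at close; the config is already
# written at this point, so report a lost log rather than abort.
close (LOG) or warn "Unable to close log file: $!";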