X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=config%2Ffirewall%2Ffirewall-lib.pl;h=9b7f55c9d66e0ceb930a5778efa320da3e3f8609;hb=2678d600f98cfbef73faabc15f19ce85723ad698;hp=f3cd67fb099e2f03da1e3db5413f23a86d1521cc;hpb=3906cf7e852872556728191a234152acf213db05;p=people%2Fpmueller%2Fipfire-2.x.git
diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
old mode 100755
new mode 100644
index f3cd67fb09..9b7f55c9d6
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -27,6 +27,7 @@ package fwlib;
 my %customnetwork=();
 my %customhost=();
 my %customgrp=();
+my %customgeoipgrp=();
 my %customservice=();
 my %customservicegrp=();
 my %ccdnet=();
@@ -42,6 +43,7 @@ require '/var/ipfire/general-functions.pl';
 my $confignet = "${General::swroot}/fwhosts/customnetworks";
 my $confighost = "${General::swroot}/fwhosts/customhosts";
 my $configgrp = "${General::swroot}/fwhosts/customgroups";
+my $configgeoipgrp = "${General::swroot}/fwhosts/customgeoipgrp";
 my $configsrv = "${General::swroot}/fwhosts/customservices";
 my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp";
 my $configccdnet = "${General::swroot}/ovpn/ccd.conf";
@@ -59,6 +61,7 @@ my $netsettings = "${General::swroot}/ethernet/settings";
 &General::readhasharray("$confignet", \%customnetwork);
 &General::readhasharray("$confighost", \%customhost);
 &General::readhasharray("$configgrp", \%customgrp);
+&General::readhasharray("$configgeoipgrp", \%customgeoipgrp);
 &General::readhasharray("$configccdnet", \%ccdnet);
 &General::readhasharray("$configccdhost", \%ccdhost);
 &General::readhasharray("$configipsec", \%ipsecconf);
@@ -147,6 +150,9 @@ sub get_ipsec_net_ip
 my $val=shift;
 my $field=shift;
 foreach my $key (sort {$a <=> $b} keys %ipsecconf){
+ #adapt $val to reflect real name without subnet (if rule with only one ipsec subnet is created)
+ my @tmpval = split (/\|/, $val);
+ $val = $tmpval[0];
 if($ipsecconf{$key}[1] eq $val){
 return $ipsecconf{$key}[$field];
 }
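Review bot: The three added lines in get_ipsec_net_ip split $val on every iteration of the foreach over %ipsecconf although the result never changes, and they overwrite the parameter in place; hoist the split above the loop as `my ($name) = split(/\|/, $val);` and compare `$ipsecconf{$key}[1] eq $name`. A name without any `|` is unaffected either way, because split then returns the whole string as its first element. The sub's header and the end of the loop lie outside the hunk.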
@@ -295,6 +301,17 @@ sub get_addresses
 if ($customgrp{$grp}[0] eq $value) {
 my @address = &get_address($customgrp{$grp}[3], $customgrp{$grp}[2], $type);
+ if (@address) {
+ push(@addresses, @address);
+ }
+ }
+ }
+ }elsif ($addr_type ~~ ["cust_geoip_src", "cust_geoip_tgt"] && $value =~ "group:") {
+ $value=substr($value,6);
+ foreach my $grp (sort {$a <=> $b} keys %customgeoipgrp) {
+ if ($customgeoipgrp{$grp}[0] eq $value) {
+ my @address = &get_address($addr_type, $customgeoipgrp{$grp}[2], $type);
+ if (@address) {
 push(@addresses, @address);
 }
@@ -376,9 +393,16 @@ sub get_address
 # IPsec networks.
 } elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) {
- my $network_address = &get_ipsec_net_ip($value, 11);
- if ($network_address) {
- push(@ret, [$network_address, ""]);
+ #Check if we have multiple subnets and only want one of them
+ if ( $value =~ /\|/ ){
+ my @parts = split(/\|/, $value);
+ push(@ret, [$parts[1], ""]);
+ }else{
+ my $network_address = &get_ipsec_net_ip($value, 11);
+ my @nets = split(/\|/, $network_address);
+ foreach my $net (@nets) {
+ push(@ret, [$net, ""]);
+ }
 }
 # The firewall's own IP addresses.
@@ -414,6 +438,20 @@ sub get_address
 }
 }
+ # Handle rule options with GeoIP as source.
+ } elsif ($key eq "cust_geoip_src") {
+ # Get external interface.
+ my $external_interface = &get_external_interface();
+
+ push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
+
+ # Handle rule options with GeoIP as target.
+ } elsif ($key eq "cust_geoip_tgt") {
+ # Get external interface.
+ my $external_interface = &get_external_interface();
+
+ push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
+
 # If nothing was selected, we assume "any".
 } else {
 push(@ret, ["0/0", ""]);
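Review bot: The new geoip-group branch in get_addresses tests `$value =~ "group:"`, an unanchored string used as a pattern, but then strips exactly six characters with substr, which is only right when "group:" is the prefix; write the test as `$value =~ /\Agroup:/` so the match and the substr agree. The existing custom-group branch above the hunk appears to use the same shape, so fix both or keep this one consistent with it. The enclosing if/elsif chain and the sub begin before the hunk.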
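Review bot: The else branch in the IPsec block of get_address drops the `if ($network_address)` guard that the removed lines had, so when get_ipsec_net_ip finds no matching connection `split(/\|/, $network_address)` runs on undef and raises an uninitialized-value warning under `use warnings` (the foreach then sees an empty list, so nothing is pushed). Keep the guard by wrapping the split and the loop in `if ($network_address) { ... }`. In the `|` branch `$parts[1]` is taken straight from the rule value rather than looked up in %ipsecconf, so a subnet that was later removed from the connection would still be written into the rule; checking it against get_ipsec_net_ip($parts[0], 11) would close that gap, though the ipsec settings format is not visible here.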
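Review bot: In the two new GeoIP branches of get_address `$value` is interpolated verbatim into `-m geoip --src-cc $value` and `--dst-cc $value` without any check that it is a country code, so anything else stored in the rule configuration, e.g. a value containing spaces, becomes extra tokens of the generated iptables option string. Validate before the push with an anchored pattern such as `$value =~ /\A[A-Z]{2}(?:,[A-Z]{2})*\z/` (narrow it to a single code if the callers never pass a comma-separated list, which the hunk does not show) and decide whether a non-matching value should yield no address or an explicit error. The two branches differ only in the option name; one `elsif ($key eq "cust_geoip_src" || $key eq "cust_geoip_tgt")` with `my $opt = $key eq "cust_geoip_src" ? "--src-cc" : "--dst-cc";` removes the duplication. Returning the external interface for the target branch as well as the source looks intentional but deserves a comment saying why.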
@@ -552,4 +590,37 @@ sub get_internal_firewall_ip_address
 return 0;
 }
+sub get_geoip_locations() {
+ # Path to the directory which contains the binary geoip
+ # databases.
+ my $directory="/usr/share/xt_geoip/LE";
+
+ # Array to store the final country list.
+ my @country_codes = ();
+
+ # Open location and do a directory listing.
+ opendir(DIR, "$directory");
+ my @locations = readdir(DIR);
+ closedir(DIR);
+
+ # Loop through the directory listing, and cut of the file extensions.
+ foreach my $location (sort @locations) {
+ # skip . and ..
+ next if($location =~ /^\.$/);
+ next if($location =~ /^\.\.$/);
+
+ # Remove whitespaces.
+ chomp($location);
+
+ # Cut-off file extension.
+ my ($country_code, $extension) = split(/\./, $location);
+
+ # Add country code to array.
+ push(@country_codes, $country_code);
+ }
+
+ # Return final array.
+ return @country_codes;
+}
+
 return 1;