[ipfire-2.x.git] / config / firewall / convert-dmz

#!/usr/bin/perl

###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org>                        #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################
#                                                                             #
# This script converts old dmz holes rules from old firewall                  #
# to the new one. This is a 2-step process.                                   #
# STEP1: read old config and normalize settings                               #
# STEP2: check valid ip and save valid rules to new firewall                  #
#                                                                             #
###############################################################################
my @current=();
my @alias=();
my %configdmz=();
my %ifaces=();
my %configfwdfw=();
require '/var/ipfire/general-functions.pl';
my $dmzconfig 	  = "${General::swroot}/dmzholes/config";
my $fwdfwconfig   = "${General::swroot}/firewall/config";
my $ifacesettings = "${General::swroot}/ethernet/settings";
my $field0	= 'ACCEPT';
my $field1	= 'FORWARDFW';
my $field2	= ''; #ON or emtpy
my $field3	= ''; #std_net_src or src_addr
my $field4	= ''; #ALL or IP-Address with /32
my $field5	= ''; #std_net_tgt or tgt_addr
my $field6	= ''; #IP or network name
my $field11	= 'ON'; #use target port 
my $field12	= ''; #TCP or UDP
my $field13	= 'All ICMP-Types';
my $field14	= 'TGT_PORT';
my $field15	= ''; #Port Number
my $field16	= ''; #remark
my $field26	= '00:00';
my $field27	= '00:00';
my $field28 = '';
my $field29 = 'ALL';
my $field30 = '';
my $field31 = 'dnat';

if (! -e "$dmzconfig") {
	print "DMZ config file not found. Exiting!\n";
	exit(1);
}

if (! -s "$dmzconfig") {
	print "Empty DMZ configuration file. Nothing to do. Exiting...\n";
	exit(0);
}

open(FILE, $dmzconfig) or die 'Unable to open config file.';
my @current = <FILE>;
close(FILE);
#open LOGFILE
open (LOG, ">/var/log/converters/dmz-convert.log") or die $!;
&General::readhash($ifacesettings, \%ifaces);
&General::readhasharray($fwdfwconfig,\%configfwdfw);
&process_rules;
sub process_rules{
	foreach my $line (@current){
		my $now=localtime;
		#get values from old configfile
		my ($a,$b,$c,$d,$e,$f,$g,$h) = split (",",$line);
		$h =~ s/\s*\n//gi;
		print LOG "$now Processing A: $a   B: $b   C: $c   D: $d   E: $e   F: $f   G: $g   H: $h\n";
		#Now convert values and check ip addresses
		$a=uc($a);
		$e=uc($e);
		$field2=$e if($e eq 'ON');
		#SOURCE IP-check
		$b=&check_ip($b);
		if (&General::validipandmask($b)){
			#When ip valid, check if we have a network
			my ($ip,$subnet) = split ("/",$b);
			if ($f eq 'orange' && $ip eq $ifaces{'ORANGE_NETADDRESS'}){
				$field3='std_net_src';
				$field4='ORANGE';
			}elsif($f eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){
				$field3='std_net_src';
				$field4='BLUE';
			}elsif($f eq 'orange' && &General::IpInSubnet($ip,$ifaces{'ORANGE_NETADDRESS'},$ifaces{'ORANGE_NETMASK'})){
				$field3='src_addr';
				$field4=$b;
			}elsif($f eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){
				$field3='src_addr';
				$field4=$b;
			}else{
				print LOG "$now ->NOT Converted, source ip $b not part of source network $f \n\n";
				next;
			}
		}else{
			print LOG "$now -> SOURCE IP INVALID. \n\n";
			next;
		}
		#TARGET IP-check
		$c=&check_ip($c);
		if (&General::validipandmask($c)){
			my $now=localtime;
			#When ip valid, check if we have a network
			my ($ip,$subnet) = split ("/",$c);
			if ($g eq 'green' && $ip eq $ifaces{'GREEN_NETADDRESS'}){
				$field5='std_net_tgt';
				$field6='GREEN';
			}elsif($g eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){
				$field5='std_net_tgt';
				$field6='BLUE';
			}elsif($g eq 'green' && &General::IpInSubnet($ip,$ifaces{'GREEN_NETADDRESS'},$ifaces{'GREEN_NETMASK'})){
				$field5='tgt_addr';
				$field6=$c;
			}elsif($g eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){
				$field5='tgt_addr';
				$field6=$c;
			}else{
				print LOG "$now ->NOT Converted, target ip $c not part of target network $g \n\n";
				next;
			}
		}else{
			print LOG "$now -> TARGET IP INVALID. \n\n";
			next;
		}
		$field12=$a;
		#convert portrange
		$d =~ tr/-/:/;
		$field15=$d;
		$field16=$h;
		my $key = &General::findhasharraykey (\%configfwdfw);
		foreach my $i (0 .. 27) { $configfwdfw{$key}[$i] = "";}
		$configfwdfw{$key}[0] = $field0;
		$configfwdfw{$key}[1] = $field1;
		$configfwdfw{$key}[2] = $field2;
		$configfwdfw{$key}[3] = $field3;
		$configfwdfw{$key}[4] = $field4;
		$configfwdfw{$key}[5] = $field5;
		$configfwdfw{$key}[6] = $field6;
		$configfwdfw{$key}[7] = '';
		$configfwdfw{$key}[8] = $field12;
		$configfwdfw{$key}[9] = '';
		$configfwdfw{$key}[10] = '';
		$configfwdfw{$key}[11] = $field11;
		$configfwdfw{$key}[12] = '';
		$configfwdfw{$key}[13] = '';
		$configfwdfw{$key}[14] = $field14;
		$configfwdfw{$key}[15] = $field15;
		$configfwdfw{$key}[16] = $field16;
		$configfwdfw{$key}[17] = '';
		$configfwdfw{$key}[18] = '';
		$configfwdfw{$key}[19] = '';
		$configfwdfw{$key}[20] = '';
		$configfwdfw{$key}[21] = '';
		$configfwdfw{$key}[22] = '';
		$configfwdfw{$key}[23] = '';
		$configfwdfw{$key}[24] = '';
		$configfwdfw{$key}[25] = '';
		$configfwdfw{$key}[26] = $field26;
		$configfwdfw{$key}[27] = $field27;
		$configfwdfw{$key}[28] = $field28;
		$configfwdfw{$key}[29] = $field29;
		$configfwdfw{$key}[30] = $field30;
		$configfwdfw{$key}[31] = $field31;
		print LOG "$Now -> Converted to $field0,$field1,$field2,$field3,$field4,$field5,$field6,,$field12,,,$field11,,,$field14,$field15,$field16,,,,,,,,,,$field26,$field27,$field28,$field29,$field30,$field31\n";
	}
	&General::writehasharray($fwdfwconfig,\%configfwdfw);
close (LOG);
}

sub check_ip
{
	my $adr=shift;
	my $a;
	#ip with subnet in decimal
	if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)\/(\d{1,2})$/){
		$adr=int($1).".".int($2).".".int($3).".".int($4);
		my $b = &General::iporsubtodec($5);
		$a=$adr."/".$b;
	}elsif($adr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
		$adr=int($1).".".int($2).".".int($3).".".int($4);
		if(&General::validip($adr)){
			$a=$adr."/32";
		}
	}
	if(&General::validipandmask($adr)){
		$a=&General::iporsubtodec($adr);
	}
	return $a;
}
Commit	Line	Data
a60dbb4b AM	1	#!/usr/bin/perl
a60dbb4b AM	2
dc21519f AM	3	###############################################################################
	4	# #
	5	# IPFire.org - A linux based firewall #
5bee9a9d	6	# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
dc21519f AM	7	# #
	8	# This program is free software: you can redistribute it and/or modify #
	9	# it under the terms of the GNU General Public License as published by #
	10	# the Free Software Foundation, either version 3 of the License, or #
	11	# (at your option) any later version. #
	12	# #
	13	# This program is distributed in the hope that it will be useful, #
	14	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	15	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	16	# GNU General Public License for more details. #
	17	# #
	18	# You should have received a copy of the GNU General Public License #
	19	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	20	# #
	21	###############################################################################
dc21519f AM	22	# #
	23	# This script converts old dmz holes rules from old firewall #
	24	# to the new one. This is a 2-step process. #
	25	# STEP1: read old config and normalize settings #
	26	# STEP2: check valid ip and save valid rules to new firewall #
	27	# #
	28	###############################################################################
a60dbb4b AM	29	my @current=();
	30	my @alias=();
	31	my %configdmz=();
	32	my %ifaces=();
	33	my %configfwdfw=();
	34	require '/var/ipfire/general-functions.pl';
	35	my $dmzconfig = "${General::swroot}/dmzholes/config";
6d8eb5de	36	my $fwdfwconfig = "${General::swroot}/firewall/config";
a60dbb4b AM	37	my $ifacesettings = "${General::swroot}/ethernet/settings";
	38	my $field0 = 'ACCEPT';
	39	my $field1 = 'FORWARDFW';
	40	my $field2 = ''; #ON or emtpy
	41	my $field3 = ''; #std_net_src or src_addr
	42	my $field4 = ''; #ALL or IP-Address with /32
	43	my $field5 = ''; #std_net_tgt or tgt_addr
	44	my $field6 = ''; #IP or network name
	45	my $field11 = 'ON'; #use target port
	46	my $field12 = ''; #TCP or UDP
	47	my $field13 = 'All ICMP-Types';
	48	my $field14 = 'TGT_PORT';
	49	my $field15 = ''; #Port Number
	50	my $field16 = ''; #remark
	51	my $field26 = '00:00';
	52	my $field27 = '00:00';
ac9e77e3 AM	53	my $field28 = '';
	54	my $field29 = 'ALL';
	55	my $field30 = '';
	56	my $field31 = 'dnat';
	57
37c84696 SS	58	if (! -e "$dmzconfig") {
	59	print "DMZ config file not found. Exiting!\n";
	60	exit(1);
	61	}
	62
	63	if (! -s "$dmzconfig") {
	64	print "Empty DMZ configuration file. Nothing to do. Exiting...\n";
	65	exit(0);
	66	}
ac9e77e3	67
a60dbb4b AM	68	open(FILE, $dmzconfig) or die 'Unable to open config file.';
	69	my @current = <FILE>;
	70	close(FILE);
	71	#open LOGFILE
	72	open (LOG, ">/var/log/converters/dmz-convert.log") or die $!;
	73	&General::readhash($ifacesettings, \%ifaces);
	74	&General::readhasharray($fwdfwconfig,\%configfwdfw);
	75	&process_rules;
	76	sub process_rules{
	77	foreach my $line (@current){
	78	my $now=localtime;
	79	#get values from old configfile
	80	my ($a,$b,$c,$d,$e,$f,$g,$h) = split (",",$line);
f7e649dd AM	81	$h =~ s/\s*\n//gi;
f7e649dd AM	82	print LOG "$now Processing A: $a B: $b C: $c D: $d E: $e F: $f G: $g H: $h\n";
a60dbb4b AM	83	#Now convert values and check ip addresses
	84	$a=uc($a);
	85	$e=uc($e);
	86	$field2=$e if($e eq 'ON');
	87	#SOURCE IP-check
	88	$b=&check_ip($b);
	89	if (&General::validipandmask($b)){
	90	#When ip valid, check if we have a network
	91	my ($ip,$subnet) = split ("/",$b);
	92	if ($f eq 'orange' && $ip eq $ifaces{'ORANGE_NETADDRESS'}){
	93	$field3='std_net_src';
	94	$field4='ORANGE';
	95	}elsif($f eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){
	96	$field3='std_net_src';
	97	$field4='BLUE';
	98	}elsif($f eq 'orange' && &General::IpInSubnet($ip,$ifaces{'ORANGE_NETADDRESS'},$ifaces{'ORANGE_NETMASK'})){
	99	$field3='src_addr';
	100	$field4=$b;
	101	}elsif($f eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){
	102	$field3='src_addr';
	103	$field4=$b;
	104	}else{
	105	print LOG "$now ->NOT Converted, source ip $b not part of source network $f \n\n";
	106	next;
	107	}
	108	}else{
	109	print LOG "$now -> SOURCE IP INVALID. \n\n";
	110	next;
	111	}
	112	#TARGET IP-check
	113	$c=&check_ip($c);
	114	if (&General::validipandmask($c)){
	115	my $now=localtime;
	116	#When ip valid, check if we have a network
	117	my ($ip,$subnet) = split ("/",$c);
	118	if ($g eq 'green' && $ip eq $ifaces{'GREEN_NETADDRESS'}){
	119	$field5='std_net_tgt';
	120	$field6='GREEN';
	121	}elsif($g eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){
	122	$field5='std_net_tgt';
	123	$field6='BLUE';
	124	}elsif($g eq 'green' && &General::IpInSubnet($ip,$ifaces{'GREEN_NETADDRESS'},$ifaces{'GREEN_NETMASK'})){
	125	$field5='tgt_addr';
	126	$field6=$c;
	127	}elsif($g eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){
	128	$field5='tgt_addr';
	129	$field6=$c;
	130	}else{
f7e649dd	131	print LOG "$now ->NOT Converted, target ip $c not part of target network $g \n\n";
a60dbb4b AM	132	next;
	133	}
	134	}else{
f7e649dd	135	print LOG "$now -> TARGET IP INVALID. \n\n";
a60dbb4b AM	136	next;
	137	}
	138	$field12=$a;
	139	#convert portrange
	140	$d =~ tr/-/:/;
	141	$field15=$d;
	142	$field16=$h;
a60dbb4b AM	143	my $key = &General::findhasharraykey (\%configfwdfw);
	144	foreach my $i (0 .. 27) { $configfwdfw{$key}[$i] = "";}
	145	$configfwdfw{$key}[0] = $field0;
	146	$configfwdfw{$key}[1] = $field1;
	147	$configfwdfw{$key}[2] = $field2;
	148	$configfwdfw{$key}[3] = $field3;
	149	$configfwdfw{$key}[4] = $field4;
	150	$configfwdfw{$key}[5] = $field5;
	151	$configfwdfw{$key}[6] = $field6;
	152	$configfwdfw{$key}[7] = '';
27d4d481	153	$configfwdfw{$key}[8] = $field12;
a60dbb4b AM	154	$configfwdfw{$key}[9] = '';
	155	$configfwdfw{$key}[10] = '';
	156	$configfwdfw{$key}[11] = $field11;
27d4d481 AM	157	$configfwdfw{$key}[12] = '';
27d4d481 AM	158	$configfwdfw{$key}[13] = '';
a60dbb4b AM	159	$configfwdfw{$key}[14] = $field14;
	160	$configfwdfw{$key}[15] = $field15;
	161	$configfwdfw{$key}[16] = $field16;
	162	$configfwdfw{$key}[17] = '';
	163	$configfwdfw{$key}[18] = '';
	164	$configfwdfw{$key}[19] = '';
	165	$configfwdfw{$key}[20] = '';
	166	$configfwdfw{$key}[21] = '';
	167	$configfwdfw{$key}[22] = '';
	168	$configfwdfw{$key}[23] = '';
	169	$configfwdfw{$key}[24] = '';
	170	$configfwdfw{$key}[25] = '';
	171	$configfwdfw{$key}[26] = $field26;
	172	$configfwdfw{$key}[27] = $field27;
ac9e77e3 AM	173	$configfwdfw{$key}[28] = $field28;
	174	$configfwdfw{$key}[29] = $field29;
	175	$configfwdfw{$key}[30] = $field30;
	176	$configfwdfw{$key}[31] = $field31;
27d4d481	177	print LOG "$Now -> Converted to $field0,$field1,$field2,$field3,$field4,$field5,$field6,,$field12,,,$field11,,,$field14,$field15,$field16,,,,,,,,,,$field26,$field27,$field28,$field29,$field30,$field31\n";
a60dbb4b AM	178	}
	179	&General::writehasharray($fwdfwconfig,\%configfwdfw);
	180	close (LOG);
	181	}
	182
	183	sub check_ip
	184	{
	185	my $adr=shift;
	186	my $a;
	187	#ip with subnet in decimal
	188	if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)\/(\d{1,2})$/){
	189	$adr=int($1).".".int($2).".".int($3).".".int($4);
	190	my $b = &General::iporsubtodec($5);
	191	$a=$adr."/".$b;
	192	}elsif($adr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
	193	$adr=int($1).".".int($2).".".int($3).".".int($4);
	194	if(&General::validip($adr)){
	195	$a=$adr."/32";
	196	}
	197	}
	198	if(&General::validipandmask($adr)){
	199	$a=&General::iporsubtodec($adr);
	200	}
	201	return $a;
	202	}