X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fconnections.cgi;h=7b53c009ec7e189161969a2b9a3bed24e5cc86e2;hp=a331ad3bcce685866f0a97aa40a67e08a8403ea2;hb=f370c68ce3e5b4abf3efaa0a3a3d48269c28ed61;hpb=069680acc102ac9bfa6a656ecd75b3bdb65f80d1
diff --git a/html/cgi-bin/connections.cgi b/html/cgi-bin/connections.cgi
index a331ad3bcc..7b53c009ec 100644
--- a/html/cgi-bin/connections.cgi
+++ b/html/cgi-bin/connections.cgi
@@ -1,15 +1,23 @@
 #!/usr/bin/perl
-#
-# (c) 2001 Jack Beglinger
-#
-# (c) 2003 Dave Roberts - colour coded netfilter/iptables rewrite for 1.3
-#
-# (c) 2006 Franck - add sorting+filtering capability
-#
-# (c) 2006 Peter Schälchli -inetwork (bug)
-#
-
-# Setup GREEN, ORANGE, IPFIRE, VPN CIDR networks, masklengths and colours only once
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
 my @network=();
 my @masklen=();
@@ -20,8 +28,8 @@ use Net::IPv4Addr qw( :all );
 use strict;
 # enable only the following on debugging purpose
-use warnings;
-use CGI::Carp 'fatalsToBrowser';
+#use warnings;
+#use CGI::Carp 'fatalsToBrowser';
 require '/var/ipfire/general-functions.pl';
 require "${General::swroot}/lang.pl";
@@ -36,13 +44,28 @@ undef (@dummy);
 my %netsettings=();
 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
-open (ACTIVE, "/proc/net/ip_conntrack") or die 'Unable to open ip_conntrack';
+open (ACTIVE, '/usr/local/bin/getiptstate |') or die 'Unable to open ip_conntrack';
 my @active = ;
 close (ACTIVE);
-my @vpn = ('none');
-open (ACTIVE, "/proc/net/ipsec_eroute") and @vpn = ;
-close (ACTIVE);
+if (open(IP, "${General::swroot}/red/local-ipaddress")) {
+ my $redip = ;
+ close(IP);
+ chomp $redip;
+ push(@network, $redip);
+ push(@masklen, '255.255.255.255' );
+ push(@colour, ${Header::colourfw} );
+}
+
+my @vpn = `/usr/local/bin/ipsecctrl I|grep erouted|cut -d"]" -f3|cut -d"=" -f4|cut -d";" -f1| sed "s|/| |g"`;
+ foreach my $route (@vpn) {
+ chomp($route);
+ my @temp = split(/[\t ]+/, $route);
+ if ( $temp[0] eq '$redip' ){next;}
+ push(@network, $temp[0]);
+ push(@masklen, $temp[1]);
+ push(@colour, ${Header::colourvpn} );
+ }
 my $aliasfile = "${General::swroot}/ethernet/aliases";
 open(ALIASES, $aliasfile) or die 'Unable to open aliases file.';
@@ -122,15 +145,7 @@ if (-e "${General::swroot}/ovpn/settings") {
 push(@masklen, $tempovpnsubnet[1]);
 push(@colour, ${Header::colourovpn} );
- if ( ($ovpnsettings{'ENABLED'} eq 'on') && open(IP, "${General::swroot}/red/local-ipaddress") ) {
- # add RED:port / proto
- my $redip = ;
- close(IP);
- chomp $redip;
- push(@network, $redip );
- push(@masklen, '255.255.255.255' );
- push(@colour, ${Header::colourovpn} );
- }
+ if ( ($ovpnsettings{'ENABLED_BLUE'} eq 'on') && $netsettings{'BLUE_DEV'} ) {
 # add BLUE:port / proto
 push(@network, $netsettings{'BLUE_ADDRESS'} );
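Review bot: Commenting out `use warnings;` alongside `CGI::Carp 'fatalsToBrowser'` disables more than the change needs. Turning off `fatalsToBrowser` is the right call for a production CGI, since it stops Perl diagnostics (file paths, line numbers) from being sent to the browser, but `use warnings;` on its own only writes to the web server's error log and is exactly what would surface the undefined values the new parsing code can produce. Keep `use warnings;` active and comment out only the `CGI::Carp` line, or note in the comment why both are off.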
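Review bot: The guard `if ( $temp[0] eq '$redip' ){next;}` in the new VPN loop can never match: single quotes make `'$redip'` the literal string `$redip`, and the `my $redip` it is meant to read is scoped to the preceding `if (open(IP, …))` block anyway, so the RED address is pushed a second time with `colourvpn` (harmless only because `ipcolour` keeps the first match). Declare `my $redip = '';` before the `if (open(IP, …))` block, assign to it inside, and compare with `if ( $temp[0] eq $redip ) { next; }`. The `@vpn` list comes from a backtick shell pipeline (`ipsecctrl I | grep | cut | … | sed`) executed by the CGI; the command string is constant so there is no injection path, but a failing stage silently yields an empty list, which deserves a comment such as `# best effort: empty if ipsecctrl fails, VPN nets then stay uncoloured`. The `or die 'Unable to open ip_conntrack'` on the new `getiptstate` pipe open is also a stale message now that conntrack is no longer read directly.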
@@ -173,15 +188,6 @@ if ( $vpn[0] ne 'none' ) {
 push(@colour, ${Header::colourvpn} );
 }
 }
-if (open(IP, "${General::swroot}/red/local-ipaddress")) {
- my $redip = ;
- close(IP);
- chomp $redip;
- push(@network, $redip);
- push(@masklen, '255.255.255.255' );
- push(@colour, ${Header::colourfw} );
-}
-
 #Establish simple filtering&sorting boxes on top of table
@@ -212,200 +218,18 @@ our %entries = (); # will hold the lines analyzed correctly my $unknownlines = ''; # should be empty all the time... my $index = 0; # just a counter to make unique entryies in entries -foreach my $line (@active) { - my $protocol=''; - my $expires=''; - my $status=''; - my $orgsip=''; - my $orgdip=''; - my $orgsp=''; - my $orgdp=''; - my $exsip=''; - my $exdip=''; - my $exsp=''; - my $exdp=''; - my $marked=''; - my $use=''; - - chomp($line); - my @temp = split(' ',$line); - - if ($temp[0] eq 'icmp') { - $protocol = $temp[0]; - $status = $Lang::tr{'all'}; - $orgsip = substr $temp[3], 4; - $orgdip = substr $temp[4], 4; - $marked = $temp[8] eq '[UNREPLIED]' ? '[UNREPLIED]' : ' '; - } - if ($temp[0] eq 'udp') { - $protocol = $temp[0]; - $status = $Lang::tr{'all'}; - $orgsip = substr $temp[3], 4; - $orgdip = substr $temp[4], 4; - $marked = $temp[7] eq '[UNREPLIED]' ? '[UNREPLIED]' : defined ($temp[12]) ? $temp[11] : ' '; - } - if ($temp[0] eq 'tcp') { - $protocol = $temp[0]; - $status = $temp[3]; - $orgsip = substr $temp[4], 4; - $orgdip = substr $temp[5], 4; - $marked = $temp[8] eq '[UNREPLIED]' ? '[UNREPLIED]' : defined ($temp[13]) ? $temp[12] : ' '; - } - - # filter the line if we found a known proto - next if( !( - (($cgiparams{'SEE_PROTO'} eq $Lang::tr{'all'}) || ($protocol eq $cgiparams{'SEE_PROTO'} )) - && (($cgiparams{'SEE_STATE'} eq $Lang::tr{'all'}) || ($status eq $cgiparams{'SEE_STATE'} )) - && (($cgiparams{'SEE_MARK'} eq $Lang::tr{'all'}) || ($marked eq $cgiparams{'SEE_MARK'} )) - && (($cgiparams{'SEE_SRC'} eq "*.*.*.*") || ($orgsip eq $cgiparams{'SEE_SRC'} )) - && (($cgiparams{'SEE_DEST'} eq "*.*.*.*") || ($orgdip eq $cgiparams{'SEE_DEST'} )) - )); - - if ($temp[0] eq 'icmp') { - my $offset = 0; - $protocol = $temp[0] . " (" . $temp[1] . 
")"; - $expires = $temp[2]; - $status = ' '; - if ($temp[8] eq '[UNREPLIED]' ) { - $offset = +1; - } - $orgsip = substr $temp[3], 4; - $orgdip = substr $temp[4], 4; - $orgsp = &General::GetIcmpDescription(substr( $temp[5], 5)) . "/" . substr( $temp[6], 5);; - $orgdp = 'id=' . substr( $temp[7], 3); - $exsip = substr $temp[8 + $offset], 4; - $exdip = substr $temp[9 + $offset], 4; - $exsp = &General::GetIcmpDescription(substr( $temp[10 + $offset], 5)). "/" . substr( $temp[11 + $offset], 5); - $exdp = 'id=' . substr( $temp[11 + $offset], 5); - $marked = $temp[8] eq '[UNREPLIED]' ? '[UNREPLIED]' : ' '; - $use = substr( $temp[13 + $offset], 4 ); - } - if ($temp[0] eq 'udp') { - my $offset = 0; - $marked = ''; - $protocol = $temp[0] . " (" . $temp[1] . ")"; - $expires = $temp[2]; - $status = ' '; - $orgsip = substr $temp[3], 4; - $orgdip = substr $temp[4], 4; - $orgsp = substr $temp[5], 6; - $orgdp = substr $temp[6], 6; - if ($temp[7] eq '[UNREPLIED]') { - $offset = 1; - $marked = $temp[7]; - $use = substr $temp[12], 4; - } else { - if ((substr $temp[11], 0, 3) eq 'use' ) { - $marked = ''; - $use = substr $temp[11], 4; - } else { - $marked = $temp[11]; - $use = substr $temp[12], 4; - } - } - $exsip = substr $temp[7 + $offset], 4; - $exdip = substr $temp[8 + $offset], 4; - $exsp = substr $temp[9 + $offset], 6; - $exdp = substr $temp[10 + $offset], 6; - } - if ($temp[0] eq 'tcp') { - my $offset = 0; - $protocol = $temp[0] . " (" . $temp[1] . 
")"; - $expires = $temp[2]; - $status = $temp[3]; - $orgsip = substr $temp[4], 4; - $orgdip = substr $temp[5], 4; - $orgsp = substr $temp[6], 6; - $orgdp = substr $temp[7], 6; - if ($temp[8] eq '[UNREPLIED]') { - $marked = $temp[8]; - $offset = 1; - } else { - $marked = $temp[16]; - } - $exsip = substr $temp[10 + $offset], 4; - $exdip = substr $temp[11 + $offset], 4; - $exsp = substr $temp[12 + $offset], 6; - $exdp = substr $temp[13 + $offset], 6; - $use = substr $temp[18], 4; - } - if ($temp[0] eq 'unknown') { - my $offset = 0; - $protocol = "??? (" . $temp[1] . ")"; - $protocol = "esp (" . $temp[1] . ")" if ($temp[1] == 50); - $protocol = "ah (" . $temp[1] . ")" if ($temp[1] == 51); - $expires = $temp[2]; - $status = ' '; - $orgsip = substr $temp[3], 4; - $orgdip = substr $temp[4], 4; - $orgsp = ' '; - $orgdp = ' '; - $exsip = substr $temp[5], 4; - $exdip = substr $temp[6], 4; - $exsp = ' '; - $exdp = ' '; - $marked = ' '; - $use = ' '; - } - if ($temp[0] eq 'gre') { - my $offset = 0; - $protocol = $temp[0] . " (" . $temp[1] . ")"; - $expires = $temp[2]; - $orgsip = substr $temp[5], 4; - $orgdip = substr $temp[6], 4; - $orgsp = ' '; - $orgdp = ' '; - $exsip = substr $temp[11], 4; - $exdip = substr $temp[12], 4; - $exsp = ' '; - $exdp = ' '; - $marked = $temp[17]; - $use = $temp[18]; - } - # Only from this point, lines have the same known format/field - # The floating fields [UNREPLIED] [ASSURED] etc are ok. - - # Store the line in a hash array for sorting - if ( $protocol ) { # line is decoded ? 
- my @record = ( 'index', $index++, - 'protocol', $protocol, - 'expires', $expires, - 'status', $status, - 'orgsip', $orgsip, - 'orgdip', $orgdip, - 'orgsp', $orgsp, - 'orgdp', $orgdp, - 'exsip', $exsip, - 'exdip', $exdip, - 'exsp', $exsp, - 'exdp', $exdp, - 'marked', $marked, - 'use', $use); - my $record = {}; # create a reference to empty hash - %{$record} = @record; # populate that hash with @record - $entries{$record->{index}} = $record; # add this to a hash of hashes - } else { # it was not a known line - $unknownlines .= ""; - $unknownlines .= " unknown:$line>"; - } -} - -# Build listbox objects -my $menu_proto = &make_select ('SEE_PROTO', $cgiparams{'SEE_PROTO'}, @list_proto); -my $menu_state = &make_select ('SEE_STATE', $cgiparams{'SEE_STATE'}, @list_state); -my $menu_src = &make_select ('SEE_SRC', $cgiparams{'SEE_SRC'}, &get_known_ips('orgsip')); -my $menu_dest = &make_select ('SEE_DEST', $cgiparams{'SEE_DEST'}, &get_known_ips('orgdip')); -my $menu_mark = &make_select ('SEE_MARK', $cgiparams{'SEE_MARK'}, @list_mark); -my $menu_sort = &make_select ('SEE_SORT', $cgiparams{'SEE_SORT'}, @list_sort); - &Header::showhttpheaders(); &Header::openpage($Lang::tr{'connections'}, 1, ''); &Header::openbigbox('100%', 'left'); &Header::openbox('100%', 'left', $Lang::tr{'connection tracking'}); +# Build listbox objects +my $menu_proto = &make_select ('SEE_PROTO', $cgiparams{'SEE_PROTO'}, @list_proto); +my $menu_state = &make_select ('SEE_STATE', $cgiparams{'SEE_STATE'}, @list_state); + print < - +
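Review bot: The context lines at the top of this hunk, `our %entries = ();`, `my $unknownlines = '';` and `my $index = 0;`, are kept although the parsing loop that filled them is removed here and nothing on the new side references them (the `print "$unknownlines"` is dropped in the next hunk), so they are now dead declarations. Remove them, and check whether `sort_entries` and `get_known_ips`, whose only visible callers are deleted here, are still used elsewhere in the file (that is outside this hunk). The `$menu_src`, `$menu_dest`, `$menu_mark` and `$menu_sort` listboxes are dropped as well, while `SEE_SRC`/`SEE_DEST` are still honoured as filter parameters by the new loop; if that is intentional, a comment such as `# SEE_SRC/SEE_DEST still filter via query string; listboxes removed` next to the remaining `make_select` calls would save the next reader a search.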
@@ -417,64 +241,110 @@ print <
$Lang::tr{'legend'} : $Lang::tr{'lan'} $Lang::tr{'internet'}

- - - - - - - - - - +
$Lang::tr{'protocol'}$Lang::tr{'expires'}
($Lang::tr{'seconds'})
$Lang::tr{'connection'}
$Lang::tr{'status'}
$Lang::tr{'original'}
$Lang::tr{'source ip and port'}
$Lang::tr{'original'}
$Lang::tr{'dest ip and port'}
$Lang::tr{'expected'}
$Lang::tr{'source ip and port'}
$Lang::tr{'expected'}
$Lang::tr{'dest ip and port'}
$Lang::tr{'marked'}$Lang::tr{'use'}
+ + + + + + + + - - - + + - - - - - + + + + + + + + END ; -foreach my $entry (sort sort_entries keys %entries) { - my $orgsipcolour = &ipcolour( $entries{$entry}->{orgsip} ); - my $orgdipcolour = &ipcolour( $entries{$entry}->{orgdip} ); - my $exsipcolour = &ipcolour( $entries{$entry}->{exsip} ); - my $exdipcolour = &ipcolour( $entries{$entry}->{exdip} ); - print < - - - - - - - - - - +my $i=0; +foreach my $line (@active) { + $i++; + if ($i < 3) { + next; + } + chomp($line); + my @temp = split(' ',$line); + + my ($sip, $sport) = split(':', $temp[0]); + my ($dip, $dport) = split(':', $temp[1]); + my $proto = $temp[2]; + my $state; my $ttl; + if ( $proto eq "esp" ){$state = "";$ttl = $temp[3];} + elsif ( $proto eq "icmp" ){$state = "";$ttl = $temp[4];} + else{$state = $temp[3];$ttl = $temp[4];} + + next if( !( + (($cgiparams{'SEE_PROTO'} eq $Lang::tr{'all'}) || ($proto eq $cgiparams{'SEE_PROTO'} )) + && (($cgiparams{'SEE_STATE'} eq $Lang::tr{'all'}) || ($state eq $cgiparams{'SEE_STATE'} )) + && (($cgiparams{'SEE_SRC'} eq "*.*.*.*") || ($sip eq $cgiparams{'SEE_SRC'} )) + && (($cgiparams{'SEE_DEST'} eq "*.*.*.*") || ($dip eq $cgiparams{'SEE_DEST'} )) + )); + + if (($proto eq 'udp') && ($ttl eq '')) { + $ttl = $state; + $state = ' '; + } + + my $sipcol = ipcolour($sip); + my $dipcol = ipcolour($dip); + + my $sserv = ''; + if ($sport < 1024) { + $sserv = uc(getservbyport($sport, lc($proto))); + if ($sserv ne '') { + $sserv = " ($sserv)"; + } + } + + my $dserv = ''; + if ($dport < 1024) { + $dserv = uc(getservbyport($dport, lc($proto))); + if ($dserv ne '') { + $dserv = " ($dserv)"; + } + } + + print < + + + + + + + + END ; } -print "$unknownlines
$Lang::tr{'source ip and port'} $Lang::tr{'dest ip and port'} $Lang::tr{'protocol'}$Lang::tr{'connection'}

$Lang::tr{'status'}
$Lang::tr{'expires'}

($Lang::tr{'seconds'})
$menu_proto 
 $menu_proto $menu_state$menu_src$menu_dest$Lang::tr{'sort ascending'}:$menu_sort $menu_mark 
$entries{$entry}->{protocol}$entries{$entry}->{expires}$entries{$entry}->{status} - - $entries{$entry}->{orgsip} - :$entries{$entry}->{orgsp} - - $entries{$entry}->{orgdip} - :$entries{$entry}->{orgdp} - - $entries{$entry}->{exsip} - :$entries{$entry}->{exsp} - - $entries{$entry}->{exdip} - :$entries{$entry}->{exdp}$entries{$entry}->{marked}$entries{$entry}->{use}
+ + $sip + + + + $sport$sserv + + + + $dip + + + + $dport$dserv + + $proto$state$ttl
"; +print ""; &Header::closebox(); &Header::closebigbox(); @@ -487,15 +357,15 @@ sub ipcolour($) { my ($ip) = $_[0]; my $found = 0; foreach $line (@network) { - if ($network[$id] eq '') { - $id++; - } else { - if (!$found && ipv4_in_network( $network[$id] , $masklen[$id], $ip) ) { - $found = 1; - $colour = $colour[$id]; - } - $id++; - } + if ($network[$id] eq '') { + $id++; + } else { + if (!$found && ipv4_in_network( $network[$id] , $masklen[$id], $ip) ) { + $found = 1; + $colour = $colour[$id]; + } + $id++; + } } return $colour }
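Review bot: `if ($sport < 1024)` and `if ($dport < 1024)` run for every row, but `$sport`/`$dport` come from `split(':', $temp[0])` and `split(':', $temp[1])` and will be undefined for rows that carry no port (presumably the `icmp` and `esp` rows this loop special-cases), so `getservbyport(undef, …)` is called with `use warnings` now suppressed; guard with `if (defined $sport && $sport =~ /^\d+$/ && $sport < 1024)` and the same for `$dport`. The `if ($i < 3) { next; }` skip hard-codes the output layout of `/usr/local/bin/getiptstate`; a comment like `# skip the two header lines printed by getiptstate` would make that dependency explicit. `$sip`, `$dip`, `$proto`, `$state` and `$ttl` are interpolated into the HTML unescaped; they originate from the local conntrack tool rather than the request, so the exposure is low and the old code had the same property, but escaping them once here would remove the need to reason about it.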