[people/pmueller/ipfire-2.x.git] / config / firewall / convert-portfw

#!/usr/bin/perl
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org>                        #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################
#                                                                             #
# This script converts old portforwarding rules from old Firewall             #
# to the new one. This is a 3-step process.                                   #
# STEP1: read old config and normalize settings                               #
# STEP2: create new rules from old ones                                       #
# STEP3: check if rule already exists, when not, put it into                  #
#        /var/ipfire/firewall/config                                          #
###############################################################################
require '/var/ipfire/general-functions.pl';
my @values=();
my @built_rules=();
my %nat=();
my $portfwconfig 	= "${General::swroot}/portfw/config";
my $confignat 		= "${General::swroot}/firewall/config";
my ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark);
my ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1);
my $count=0;
my $jump;

if (! -e "$portfwconfig") {
        print "Config file for portforward not found. Exiting!\n";
        exit(1);
}

if (! -s "$portfwconfig") {
        print "Empty portforward configuration file. Nothing to do. Exiting...\n";
        exit(0);
}

if(! -d "/var/log/converters"){ mkdir("/var/log/converters");}
open(FILE, $portfwconfig) or die 'Unable to open config file.';
my @current = <FILE>;
close(FILE);
open (LOG, ">/var/log/converters/portfw-convert.log") or die $!;
open(ALIAS, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
my @alias = <ALIAS>;
close(ALIAS);
&get_config;
&build_rules;
&write_rules;
sub get_config
{
	my $baseipfireport;
	my $basesource;
	print LOG "STEP 1:   Get config from old portforward\n#########################################\n";
	foreach my $line (@current){
		my $u=$count+1;
		($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark) = split(",",$line);
		($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1) = split(",",$current[$u]);
		if ($key == $key1 && $flag == '0'){
			$baseipfireport = $ipfireport;
		}
		if ($key == $key1 && $flag1 == '1'){
			$count++;
			next;
		}
		my $now=localtime;
		chomp($remark);
		print LOG "$now   processing-> KEY: $key FLAG: $flag PROT: $prot FIREPORT: $baseipfireport TARGET: $target TGTPORT: $targetport ACTIVE: $active ALIAS: $alias SOURCE: $source REM: $remark Doublerule: $jump\n";
		push (@values,$prot.",".$baseipfireport.",".$target.",".$targetport.",".$active.",".$alias.",".$source.",".$remark);
		$count++;
	}
}
sub build_rules
{
	print LOG "\nSTEP 2: Convert old portforwardrules in a useable format\n########################################################\n";
	my $src;
	my $src1;
	my $ipfireip;
	my $count=0;
	my $stop;
	#build rules for new firewall
	foreach my $line (@values){
		chomp ($line);
		($prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark)=split(",",$line);
		$count++;
		#get sourcepart
		if($source eq '0.0.0.0/0'){
			$src  = 'std_net_src';
			$src1 = 'ALL';
		}else{
			$src  = 'src_addr';
			my ($a,$b) = split("/",$source);
			if ($b != ''){
				$b = &General::iporsubtocidr($b);
			}else{
				$b = "32";
			}
			$src1 = $a."/".$b;
		}
		#get ipfire ip
		if($alias eq '0.0.0.0' || $alias eq '0'){
			$alias='Default IP';
		}else{
			foreach my $ali (@alias){
				my ($alias_ip,$alias_active,$alias_name) = split (",",$ali);
				if($alias eq $alias_ip){
					chomp($alias_name);
					$alias=$alias_name;
				}
			}
		}
		$active = uc $active;
		$prot   = uc $prot;
		chomp($remark);
		push (@built_rules,"ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat");
		my $now=localtime;
		print LOG "$now    Converted-> KEY: $count ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,*,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat\n";
	}
}
sub write_rules
{
	my $skip='';
	my $id;
	print LOG "\nSTEP 3: Create DNAT rules in new firewall\n#########################################\n";
	&General::readhasharray($confignat,\%nat);
	foreach my $line (@built_rules){
		$skip='';
		my ($action,$chain,$active,$src,$src1,$tgt,$tgt1,$dummy,$prot,$dummy,$tgt_port,$tgt_port1,$remark,$from,$to,$use_port,$alias,$ipfireport,$dnat) = split (",",$line);
		foreach my $key (sort keys %nat){
			if ($line eq "$nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$nat{$key}[6],$nat{$key}[7],$nat{$key}[8],$nat{$key}[11],$nat{$key}[14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31]"){
				my $now=localtime;
				print LOG "$now         SKIP->  Rule  $nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$nat{$key}[6],$nat{$key}[7],$nat{$key}[8],$nat{$key}[11],$nat{$key}[14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31] ->EXISTS\n";
				$skip='1';
			}
		}
		if ($skip ne '1'){
			if ( $prot eq 'GRE'){
				$tgt_port='';
				$tgt_port1='';
				$use_port='';
				$ipfireport='';
				$use_prot='';
			}
			$id = &General::findhasharraykey(\%nat);
			$nat{$id}[0]  = $action;
			$nat{$id}[1]  = $chain;
			$nat{$id}[2]  = $active;
			$nat{$id}[3]  = $src;
			$nat{$id}[4]  = $src1;
			$nat{$id}[5]  = $tgt;
			$nat{$id}[6]  = $tgt1;
			$nat{$id}[7]  = $dummy;
			$nat{$id}[8]  = $prot;
			$nat{$id}[11] = $use_port;
			$nat{$id}[14] = $tgt_port;
			$nat{$id}[15] = $tgt_port1;
			$nat{$id}[16] = $remark;
			$nat{$id}[26] = $from;
			$nat{$id}[27] = $to;
			$nat{$id}[28] = $use_port;
			$nat{$id}[29] = $alias;
			$nat{$id}[30] = $ipfireport;
			$nat{$id}[31] = $dnat;
			my $now=localtime;
			print LOG "$now     NEW RULE->  Rule  $nat{$id}[0],$nat{$id}[1],$nat{$id}[2],$nat{$id}[3],$nat{$id}[4],$nat{$id}[5],$nat{$id}[6],$nat{$id}[11],$nat{$id}[12],$nat{$id}[13],$nat{$id}[14],$nat{$id}[15],$nat{$id}[16],$nat{$id}[26],$nat{$id}[27],$nat{$id}[28],$nat{$id}[29],$nat{$id}[30],$nat{$id}[31]\n";
		}
	}
	&General::writehasharray($confignat,\%nat);
}
close (LOG);
Commit	Line	Data
6b681c40	1	#!/usr/bin/perl
dc21519f AM	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
5bee9a9d	5	# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
dc21519f AM	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
dc21519f AM	21	# #
	22	# This script converts old portforwarding rules from old Firewall #
	23	# to the new one. This is a 3-step process. #
	24	# STEP1: read old config and normalize settings #
	25	# STEP2: create new rules from old ones #
	26	# STEP3: check if rule already exists, when not, put it into #
6d8eb5de	27	# /var/ipfire/firewall/config #
dc21519f	28	###############################################################################
6b681c40 AM	29	require '/var/ipfire/general-functions.pl';
	30	my @values=();
	31	my @built_rules=();
	32	my %nat=();
	33	my $portfwconfig = "${General::swroot}/portfw/config";
6d8eb5de	34	my $confignat = "${General::swroot}/firewall/config";
6b681c40 AM	35	my ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark);
	36	my ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1);
	37	my $count=0;
	38	my $jump;
37c84696 SS	39
	40	if (! -e "$portfwconfig") {
	41	print "Config file for portforward not found. Exiting!\n";
	42	exit(1);
	43	}
	44
	45	if (! -s "$portfwconfig") {
	46	print "Empty portforward configuration file. Nothing to do. Exiting...\n";
	47	exit(0);
	48	}
	49
6b681c40 AM	50	if(! -d "/var/log/converters"){ mkdir("/var/log/converters");}
	51	open(FILE, $portfwconfig) or die 'Unable to open config file.';
	52	my @current = <FILE>;
	53	close(FILE);
	54	open (LOG, ">/var/log/converters/portfw-convert.log") or die $!;
	55	open(ALIAS, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
	56	my @alias = <ALIAS>;
	57	close(ALIAS);
	58	&get_config;
	59	&build_rules;
	60	&write_rules;
	61	sub get_config
	62	{
0cf6baca AM	63	my $baseipfireport;
0cf6baca AM	64	my $basesource;
6b681c40 AM	65	print LOG "STEP 1: Get config from old portforward\n#########################################\n";
6b681c40 AM	66	foreach my $line (@current){
6b681c40 AM	67	my $u=$count+1;
	68	($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark) = split(",",$line);
	69	($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1) = split(",",$current[$u]);
0cf6baca AM	70	if ($key == $key1 && $flag == '0'){
	71	$baseipfireport = $ipfireport;
	72	}
	73	if ($key == $key1 && $flag1 == '1'){
	74	$count++;
	75	next;
6b681c40 AM	76	}
	77	my $now=localtime;
	78	chomp($remark);
0cf6baca AM	79	print LOG "$now processing-> KEY: $key FLAG: $flag PROT: $prot FIREPORT: $baseipfireport TARGET: $target TGTPORT: $targetport ACTIVE: $active ALIAS: $alias SOURCE: $source REM: $remark Doublerule: $jump\n";
0cf6baca AM	80	push (@values,$prot.",".$baseipfireport.",".$target.",".$targetport.",".$active.",".$alias.",".$source.",".$remark);
6b681c40 AM	81	$count++;
	82	}
	83	}
	84	sub build_rules
	85	{
	86	print LOG "\nSTEP 2: Convert old portforwardrules in a useable format\n########################################################\n";
	87	my $src;
	88	my $src1;
	89	my $ipfireip;
	90	my $count=0;
	91	my $stop;
	92	#build rules for new firewall
	93	foreach my $line (@values){
	94	chomp ($line);
	95	($prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark)=split(",",$line);
	96	$count++;
	97	#get sourcepart
	98	if($source eq '0.0.0.0/0'){
	99	$src = 'std_net_src';
	100	$src1 = 'ALL';
	101	}else{
	102	$src = 'src_addr';
	103	my ($a,$b) = split("/",$source);
0cf6baca AM	104	if ($b != ''){
	105	$b = &General::iporsubtocidr($b);
	106	}else{
	107	$b = "32";
	108	}
	109	$src1 = $a."/".$b;
6b681c40 AM	110	}
6b681c40 AM	111	#get ipfire ip
0cf6baca	112	if($alias eq '0.0.0.0' \|\| $alias eq '0'){
1d9c1c30	113	$alias='Default IP';
6b681c40 AM	114	}else{
	115	foreach my $ali (@alias){
	116	my ($alias_ip,$alias_active,$alias_name) = split (",",$ali);
54d68637 AM	117	if($alias eq $alias_ip){
54d68637 AM	118	chomp($alias_name);
6b681c40 AM	119	$alias=$alias_name;
	120	}
	121	}
	122	}
	123	$active = uc $active;
	124	$prot = uc $prot;
54d68637	125	chomp($remark);
6ee90535	126	push (@built_rules,"ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat");
6b681c40	127	my $now=localtime;
6ee90535	128	print LOG "$now Converted-> KEY: $count ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,*,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat\n";
6b681c40 AM	129	}
	130	}
	131	sub write_rules
	132	{
	133	my $skip='';
	134	my $id;
	135	print LOG "\nSTEP 3: Create DNAT rules in new firewall\n#########################################\n";
	136	&General::readhasharray($confignat,\%nat);
	137	foreach my $line (@built_rules){
	138	$skip='';
6ee90535	139	my ($action,$chain,$active,$src,$src1,$tgt,$tgt1,$dummy,$prot,$dummy,$tgt_port,$tgt_port1,$remark,$from,$to,$use_port,$alias,$ipfireport,$dnat) = split (",",$line);
6b681c40	140	foreach my $key (sort keys %nat){
6ee90535	141	if ($line eq "$nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$nat{$key}[6],$nat{$key}[7],$nat{$key}[8],$nat{$key}[11],$nat{$key}[14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31]"){
6b681c40	142	my $now=localtime;
6ee90535	143	print LOG "$now SKIP-> Rule $nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$nat{$key}[6],$nat{$key}[7],$nat{$key}[8],$nat{$key}[11],$nat{$key}[14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31] ->EXISTS\n";
6b681c40 AM	144	$skip='1';
	145	}
	146	}
	147	if ($skip ne '1'){
6ee90535 AM	148	if ( $prot eq 'GRE'){
	149	$tgt_port='';
	150	$tgt_port1='';
	151	$use_port='';
	152	$ipfireport='';
	153	$use_prot='';
	154	}
6b681c40 AM	155	$id = &General::findhasharraykey(\%nat);
	156	$nat{$id}[0] = $action;
	157	$nat{$id}[1] = $chain;
	158	$nat{$id}[2] = $active;
	159	$nat{$id}[3] = $src;
	160	$nat{$id}[4] = $src1;
	161	$nat{$id}[5] = $tgt;
	162	$nat{$id}[6] = $tgt1;
6ee90535 AM	163	$nat{$id}[7] = $dummy;
	164	$nat{$id}[8] = $prot;
	165	$nat{$id}[11] = $use_port;
6b681c40 AM	166	$nat{$id}[14] = $tgt_port;
	167	$nat{$id}[15] = $tgt_port1;
	168	$nat{$id}[16] = $remark;
	169	$nat{$id}[26] = $from;
	170	$nat{$id}[27] = $to;
	171	$nat{$id}[28] = $use_port;
	172	$nat{$id}[29] = $alias;
	173	$nat{$id}[30] = $ipfireport;
	174	$nat{$id}[31] = $dnat;
	175	my $now=localtime;
	176	print LOG "$now NEW RULE-> Rule $nat{$id}[0],$nat{$id}[1],$nat{$id}[2],$nat{$id}[3],$nat{$id}[4],$nat{$id}[5],$nat{$id}[6],$nat{$id}[11],$nat{$id}[12],$nat{$id}[13],$nat{$id}[14],$nat{$id}[15],$nat{$id}[16],$nat{$id}[26],$nat{$id}[27],$nat{$id}[28],$nat{$id}[29],$nat{$id}[30],$nat{$id}[31]\n";
	177	}
	178	}
	179	&General::writehasharray($confignat,\%nat);
	180	}
	181	close (LOG);