[people/pmueller/ipfire-2.x.git] / config / firewall / firewall-lib.pl

#!/usr/bin/perl
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org>                        #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

use strict;
no warnings 'uninitialized';

package fwlib;

my %customnetwork=();
my %customhost=();
my %customgrp=();
my %customgeoipgrp=();
my %customservice=();
my %customservicegrp=();
my %ccdnet=();
my %ccdhost=();
my %ipsecconf=();
my %ipsecsettings=();
my %netsettings=();
my %ovpnsettings=();
my %aliases=();

require '/var/ipfire/general-functions.pl';

my $confignet		= "${General::swroot}/fwhosts/customnetworks";
my $confighost		= "${General::swroot}/fwhosts/customhosts";
my $configgrp 		= "${General::swroot}/fwhosts/customgroups";
my $configgeoipgrp 	= "${General::swroot}/fwhosts/customgeoipgrp";
my $configsrv 		= "${General::swroot}/fwhosts/customservices";
my $configsrvgrp	= "${General::swroot}/fwhosts/customservicegrp";
my $configccdnet 	= "${General::swroot}/ovpn/ccd.conf";
my $configccdhost	= "${General::swroot}/ovpn/ovpnconfig";
my $configipsec		= "${General::swroot}/vpn/config";
my $configovpn		= "${General::swroot}/ovpn/settings";
my $val;
my $field;
my $netsettings		= "${General::swroot}/ethernet/settings";

&General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
&General::readhash("${General::swroot}/ovpn/settings", \%ovpnsettings);
&General::readhash("${General::swroot}/vpn/settings", \%ipsecsettings);

&General::readhasharray("$confignet", \%customnetwork);
&General::readhasharray("$confighost", \%customhost);
&General::readhasharray("$configgrp", \%customgrp);
&General::readhasharray("$configgeoipgrp", \%customgeoipgrp);
&General::readhasharray("$configccdnet", \%ccdnet);
&General::readhasharray("$configccdhost", \%ccdhost);
&General::readhasharray("$configipsec", \%ipsecconf);
&General::readhasharray("$configsrv", \%customservice);
&General::readhasharray("$configsrvgrp", \%customservicegrp);
&General::get_aliases(\%aliases);

sub get_srv_prot
{
	my $val=shift;
	foreach my $key (sort {$a <=> $b} keys %customservice){
		if($customservice{$key}[0] eq $val){
			if ($customservice{$key}[0] eq $val){
				return $customservice{$key}[2];
			}
		}
	}
}
sub get_srvgrp_prot
{
	my $val=shift;
	my @ips=();
	my $tcp;
	my $udp;
	my $icmp;
	foreach my $key (sort {$a <=> $b} keys %customservicegrp){
		if($customservicegrp{$key}[0] eq $val){
			if (&get_srv_prot($customservicegrp{$key}[2]) eq 'TCP'){ 
				$tcp=1;
			}elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'UDP'){ 
				$udp=1;
			}elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'ICMP'){
				$icmp=1;
			}else{
				#Protocols used in servicegroups
				push (@ips,$customservicegrp{$key}[2]);
			}
		}
	}
	if ($tcp eq '1'){push (@ips,'TCP');}
	if ($udp eq '1'){push (@ips,'UDP');}
	if ($icmp eq '1'){push (@ips,'ICMP');}
	my $back=join(",",@ips);
	return $back;
	
}
sub get_srv_port
{
	my $val=shift;
	my $field=shift;
	my $prot=shift;
	foreach my $key (sort {$a <=> $b} keys %customservice){
		if($customservice{$key}[0] eq $val && $customservice{$key}[2] eq $prot){
			return $customservice{$key}[$field];
		}
	}
}
sub get_srvgrp_port
{
	my $val=shift;
	my $prot=shift;
	my $back;
	my $value;
	my @ips=();
	foreach my $key (sort {$a <=> $b} keys %customservicegrp){
		if($customservicegrp{$key}[0] eq $val){
			if ($prot ne 'ICMP'){
				$value=&get_srv_port($customservicegrp{$key}[2],1,$prot);
			}elsif ($prot eq 'ICMP'){
				$value=&get_srv_port($customservicegrp{$key}[2],3,$prot);
			}
			push (@ips,$value) if ($value ne '') ;
		}
	}
	if($prot ne 'ICMP'){
		if ($#ips gt 0){$back="-m multiport --dports ";}else{$back="--dport ";}
	}elsif ($prot eq 'ICMP'){
		$back="--icmp-type ";
	}
	
	$back.=join(",",@ips);
	return $back;
}
sub get_ipsec_net_ip
{
	my $val=shift;
	my $field=shift;
	foreach my $key (sort {$a <=> $b} keys %ipsecconf){
		#adapt $val to reflect real name without subnet (if rule with only one ipsec subnet is created)
		my @tmpval = split (/\|/, $val);
		$val = $tmpval[0];
		if($ipsecconf{$key}[1] eq $val){
			return $ipsecconf{$key}[$field];
		}
	}
}
sub get_ipsec_host_ip
{
	my $val=shift;
	my $field=shift;
	foreach my $key (sort {$a <=> $b} keys %ipsecconf){
		if($ipsecconf{$key}[1] eq $val){
			return $ipsecconf{$key}[$field];
		}
	}
}
sub get_ovpn_n2n_ip
{
	my $val=shift;
	my $field=shift;
	foreach my $key (sort {$a <=> $b} keys %ccdhost){
		if($ccdhost{$key}[1] eq $val){
			return $ccdhost{$key}[$field];
		}
	}
}
sub get_ovpn_host_ip
{
	my $val=shift;
	my $field=shift;
	foreach my $key (sort {$a <=> $b} keys %ccdhost){
		if($ccdhost{$key}[1] eq $val){
			return $ccdhost{$key}[$field];
		}
	}
}
sub get_ovpn_net_ip
{
	
	my $val=shift;
	my $field=shift;
	foreach my $key (sort {$a <=> $b} keys %ccdnet){
		if($ccdnet{$key}[0] eq $val){
			return $ccdnet{$key}[$field];
		}
	}
}
sub get_grp_ip
{
	my $val=shift;
	my $src=shift;
	foreach my $key (sort {$a <=> $b} keys %customgrp){
		if ($customgrp{$key}[0] eq $val){
			&get_address($customgrp{$key}[3],$src);
		}
	}		
	
}
sub get_std_net_ip
{
	my $val=shift;
	my $con=shift;
	if ($val eq 'ALL'){
		return "0.0.0.0/0.0.0.0";
	}elsif($val eq 'GREEN'){
		return "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
	}elsif($val eq 'ORANGE'){
		return "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
	}elsif($val eq 'BLUE'){
		return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
	}elsif($val eq 'RED'){
		return "0.0.0.0/0";
	}elsif($val =~ /OpenVPN/i){
		return "$ovpnsettings{'DOVPN_SUBNET'}";
	}elsif($val =~ /IPsec/i){
		return "$ipsecsettings{'RW_NET'}";
	}elsif($val eq 'IPFire'){
		return ;
	}
}
sub get_interface
{
	my $net=shift;
	if($net eq "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"){
		return "$netsettings{'GREEN_DEV'}";
	}
	if($net eq "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"){
		return "$netsettings{'ORANGE_DEV'}";
	}
	if($net eq "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"){
		return "$netsettings{'BLUE_DEV'}";
	}
	if($net eq "0.0.0.0/0") {
		return &get_external_interface();
	}
	return "";
}
sub get_net_ip
{
	my $val=shift;
	foreach my $key (sort {$a <=> $b} keys %customnetwork){
		if($customnetwork{$key}[0] eq $val){
			return "$customnetwork{$key}[1]/$customnetwork{$key}[2]";
		}  
	}
}
sub get_host_ip
{
	my $val=shift;
	my $src=shift;
	foreach my $key (sort {$a <=> $b} keys %customhost){
		if($customhost{$key}[0] eq $val){
			if ($customhost{$key}[1] eq 'mac' && $src eq 'src'){
			return "-m mac --mac-source $customhost{$key}[2]";
			}elsif($customhost{$key}[1] eq 'ip' && $src eq 'src'){
				return "$customhost{$key}[2]";
			}elsif($customhost{$key}[1] eq 'ip' && $src eq 'tgt'){
				return "$customhost{$key}[2]";
			}elsif($customhost{$key}[1] eq 'mac' && $src eq 'tgt'){
				return "none";
			}
		}  
	}
}
sub get_addresses
{
	my $hash = shift;
	my $key  = shift;
	my $type = shift;

	my @addresses = ();
	my $addr_type;
	my $value;
	my $group_name;

	if ($type eq "src") {
		$addr_type = $$hash{$key}[3];
		$value = $$hash{$key}[4];

	} elsif ($type eq "tgt") {
		$addr_type = $$hash{$key}[5];
		$value = $$hash{$key}[6];
	}

	if ($addr_type ~~ ["cust_grp_src", "cust_grp_tgt"]) {
		foreach my $grp (sort {$a <=> $b} keys %customgrp) {
			if ($customgrp{$grp}[0] eq $value) {
				my @address = &get_address($customgrp{$grp}[3], $customgrp{$grp}[2], $type);

				if (@address) {
					push(@addresses, @address);
				}
			}
		}
	}elsif ($addr_type ~~ ["cust_geoip_src", "cust_geoip_tgt"] && $value =~ "group:") {
		$value=substr($value,6);
		foreach my $grp (sort {$a <=> $b} keys %customgeoipgrp) {
			if ($customgeoipgrp{$grp}[0] eq $value) {
				my @address = &get_address($addr_type, $customgeoipgrp{$grp}[2], $type);

				if (@address) {
					push(@addresses, @address);
				}
			}
		}
	} else {
		my @address = &get_address($addr_type, $value, $type);

		if (@address) {
			push(@addresses, @address);
		}
	}

	return @addresses;
}
sub get_address
{
	my $key   = shift;
	my $value = shift;
	my $type  = shift;

	my @ret = ();

	# If the user manually typed an address, we just check if it is a MAC
	# address. Otherwise, we assume that it is an IP address.
	if ($key ~~ ["src_addr", "tgt_addr"]) {
		if (&General::validmac($value)) {
			push(@ret, ["-m mac --mac-source $value", ""]);
		} else {
			push(@ret, [$value, ""]);
		}

	# If a default network interface (GREEN, BLUE, etc.) is selected, we
	# try to get the corresponding address of the network.
	} elsif ($key ~~ ["std_net_src", "std_net_tgt", "Standard Network"]) {
		my $external_interface = &get_external_interface();

		my $network_address = &get_std_net_ip($value, $external_interface);

		if ($network_address) {
			my $interface = &get_interface($network_address);
			push(@ret, [$network_address, $interface]);
		}

	# Custom networks.
	} elsif ($key ~~ ["cust_net_src", "cust_net_tgt", "Custom Network"]) {
		my $network_address = &get_net_ip($value);
		if ($network_address) {
			push(@ret, [$network_address, ""]);
		}

	# Custom hosts.
	} elsif ($key ~~ ["cust_host_src", "cust_host_tgt", "Custom Host"]) {
		my $host_address = &get_host_ip($value, $type);
		if ($host_address) {
			push(@ret, [$host_address, ""]);
		}

	# OpenVPN networks.
	} elsif ($key ~~ ["ovpn_net_src", "ovpn_net_tgt", "OpenVPN static network"]) {
		my $network_address = &get_ovpn_net_ip($value, 1);
		if ($network_address) {
			push(@ret, [$network_address, ""]);
		}

	# OpenVPN hosts.
	} elsif ($key ~~ ["ovpn_host_src", "ovpn_host_tgt", "OpenVPN static host"]) {
		my $host_address = &get_ovpn_host_ip($value, 33);
		if ($host_address) {
			push(@ret, [$host_address, ""]);
		}

	# OpenVPN N2N.
	} elsif ($key ~~ ["ovpn_n2n_src", "ovpn_n2n_tgt", "OpenVPN N-2-N"]) {
		my $network_address = &get_ovpn_n2n_ip($value, 11);
		if ($network_address) {
			push(@ret, [$network_address, ""]);
		}

	# IPsec networks.
	} elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) {
		#Check if we have multiple subnets and only want one of them
		if ( $value =~ /\|/ ){
			my @parts = split(/\|/, $value);
			push(@ret, [$parts[1], ""]);
		}else{
			my $network_address = &get_ipsec_net_ip($value, 11);
			my @nets = split(/\|/, $network_address);
			foreach my $net (@nets) {
				push(@ret, [$net, ""]);
			}
		}

	# The firewall's own IP addresses.
	} elsif ($key ~~ ["ipfire", "ipfire_src"]) {
		# ALL
		if ($value eq "ALL") {
			push(@ret, ["0/0", ""]);

		# GREEN
		} elsif ($value eq "GREEN") {
			push(@ret, [$netsettings{"GREEN_ADDRESS"}, ""]);

		# BLUE
		} elsif ($value eq "BLUE") {
			push(@ret, [$netsettings{"BLUE_ADDRESS"}, ""]);

		# ORANGE
		} elsif ($value eq "ORANGE") {
			push(@ret, [$netsettings{"ORANGE_ADDRESS"}, ""]);

		# RED
		} elsif ($value ~~ ["RED", "RED1"]) {
			my $address = &get_external_address();
			if ($address) {
				push(@ret, [$address, ""]);
			}

		# Aliases
		} else {
			my $alias = &get_alias($value);
			if ($alias) {
				push(@ret, [$alias, ""]);
			}
		}

	# Handle rule options with GeoIP as source.
	} elsif ($key eq "cust_geoip_src") {
		# Get external interface.
		my $external_interface = &get_external_interface();

		push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);

	# Handle rule options with GeoIP as target.
	} elsif ($key eq "cust_geoip_tgt") {
		# Get external interface.
		my $external_interface = &get_external_interface();

		push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);

	# If nothing was selected, we assume "any".
	} else {
		push(@ret, ["0/0", ""]);
	}

	return @ret;
}
sub get_external_interface()
{
	open(IFACE, "/var/ipfire/red/iface") or return "";
	my $iface = <IFACE>;
	close(IFACE);

	return $iface;
}
sub get_external_address()
{
	open(ADDR, "/var/ipfire/red/local-ipaddress") or return "";
	my $address = <ADDR>;
	close(ADDR);

	return $address;
}
sub get_alias
{
	my $id = shift;

	foreach my $alias (sort keys %aliases) {
		if ($id eq $alias) {
			return $aliases{$alias}{"IPT"};
		}
	}
}

sub get_nat_address {
	my $zone = shift;
	my $source = shift;

	# Any static address of any zone.
	if ($zone eq "AUTO") {
		if ($source && ($source !~ m/mac/i )) {
			my $firewall_ip = &get_internal_firewall_ip_address($source, 1);
			if ($firewall_ip) {
				return $firewall_ip;
			}

			$firewall_ip = &get_matching_firewall_address($source, 1);
			if ($firewall_ip) {
				return $firewall_ip;
			}
		}

		return &get_external_address();

	} elsif ($zone eq "RED" || $zone eq "GREEN" || $zone eq "ORANGE" || $zone eq "BLUE") {
		return $netsettings{$zone . "_ADDRESS"};

	} elsif ($zone ~~ ["Default IP", "ALL"]) {
		return &get_external_address();

	} else {
		my $alias = &get_alias($zone);
		unless ($alias) {
			$alias = &get_external_address();
		}
		return $alias;
	}

	print_error("Could not find NAT address");
}

sub get_internal_firewall_ip_addresses
{
	my $use_orange = shift;

	my @zones = ("GREEN", "BLUE");
	if ($use_orange) {
		push(@zones, "ORANGE");
	}

	my @addresses = ();
	for my $zone (@zones) {
		next unless (exists $netsettings{$zone . "_ADDRESS"});

		my $zone_address = $netsettings{$zone . "_ADDRESS"};
		push(@addresses, $zone_address);
	}

	return @addresses;
}
sub get_matching_firewall_address
{
	my $addr = shift;
	my $use_orange = shift;

	my ($address, $netmask) = split("/", $addr);

	my @zones = ("GREEN", "BLUE");
	if ($use_orange) {
		push(@zones, "ORANGE");
	}

	foreach my $zone (@zones) {
		next unless (exists $netsettings{$zone . "_ADDRESS"});

		my $zone_subnet = $netsettings{$zone . "_NETADDRESS"};
		my $zone_mask   = $netsettings{$zone . "_NETMASK"};

		if (&General::IpInSubnet($address, $zone_subnet, $zone_mask)) {
			return $netsettings{$zone . "_ADDRESS"};
		}
	}

	return 0;
}
sub get_internal_firewall_ip_address
{
	my $subnet = shift;
	my $use_orange = shift;

	my ($net_address, $net_mask) = split("/", $subnet);
	if ((!$net_mask) || ($net_mask ~~ ["32", "255.255.255.255"])) {
		return 0;
	}

	# Convert net mask into correct format for &General::IpInSubnet().
	$net_mask = &General::iporsubtodec($net_mask);

	my @addresses = &get_internal_firewall_ip_addresses($use_orange);
	foreach my $zone_address (@addresses) {
		if (&General::IpInSubnet($zone_address, $net_address, $net_mask)) {
			return $zone_address;
		}
	}

	return 0;
}

sub get_geoip_locations() {
	# Path to the directory which contains the binary geoip
	# databases.
	my $directory="/usr/share/xt_geoip/LE";

	# Array to store the final country list.
	my @country_codes = ();

	# Open location and do a directory listing.
	opendir(DIR, "$directory");
	my @locations = readdir(DIR);
	closedir(DIR);

	# Loop through the directory listing, and cut of the file extensions.
	foreach my $location (sort @locations) {
		# skip . and ..
		next if($location =~ /^\.$/);
		next if($location =~ /^\.\.$/);

		# Remove whitespaces.
		chomp($location);

		# Cut-off file extension.
		my ($country_code, $extension) = split(/\./, $location);

		# Add country code to array.
		push(@country_codes, $country_code);
	}

	# Return final array.
	return @country_codes;
}

return 1;
Commit	Line	Data
2a81ab0d AM	1	#!/usr/bin/perl
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
5bee9a9d	5	# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
2a81ab0d AM	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
2a81ab0d AM	21
	22	use strict;
	23	no warnings 'uninitialized';
	24
	25	package fwlib;
	26
	27	my %customnetwork=();
	28	my %customhost=();
	29	my %customgrp=();
b9ca2fa6	30	my %customgeoipgrp=();
2a81ab0d AM	31	my %customservice=();
	32	my %customservicegrp=();
	33	my %ccdnet=();
	34	my %ccdhost=();
	35	my %ipsecconf=();
	36	my %ipsecsettings=();
	37	my %netsettings=();
	38	my %ovpnsettings=();
4e54e3c6	39	my %aliases=();
2a81ab0d AM	40
	41	require '/var/ipfire/general-functions.pl';
	42
	43	my $confignet = "${General::swroot}/fwhosts/customnetworks";
	44	my $confighost = "${General::swroot}/fwhosts/customhosts";
	45	my $configgrp = "${General::swroot}/fwhosts/customgroups";
b9ca2fa6	46	my $configgeoipgrp = "${General::swroot}/fwhosts/customgeoipgrp";
2a81ab0d AM	47	my $configsrv = "${General::swroot}/fwhosts/customservices";
	48	my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp";
	49	my $configccdnet = "${General::swroot}/ovpn/ccd.conf";
	50	my $configccdhost = "${General::swroot}/ovpn/ovpnconfig";
	51	my $configipsec = "${General::swroot}/vpn/config";
	52	my $configovpn = "${General::swroot}/ovpn/settings";
	53	my $val;
	54	my $field;
fd169d0a	55	my $netsettings = "${General::swroot}/ethernet/settings";
2a81ab0d AM	56
	57	&General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
	58	&General::readhash("${General::swroot}/ovpn/settings", \%ovpnsettings);
	59	&General::readhash("${General::swroot}/vpn/settings", \%ipsecsettings);
2a81ab0d AM	60
	61	&General::readhasharray("$confignet", \%customnetwork);
	62	&General::readhasharray("$confighost", \%customhost);
	63	&General::readhasharray("$configgrp", \%customgrp);
b9ca2fa6	64	&General::readhasharray("$configgeoipgrp", \%customgeoipgrp);
2a81ab0d AM	65	&General::readhasharray("$configccdnet", \%ccdnet);
	66	&General::readhasharray("$configccdhost", \%ccdhost);
	67	&General::readhasharray("$configipsec", \%ipsecconf);
	68	&General::readhasharray("$configsrv", \%customservice);
	69	&General::readhasharray("$configsrvgrp", \%customservicegrp);
085a20ec	70	&General::get_aliases(\%aliases);
2a81ab0d AM	71
	72	sub get_srv_prot
	73	{
	74	my $val=shift;
992394d5	75	foreach my $key (sort {$a <=> $b} keys %customservice){
2a81ab0d AM	76	if($customservice{$key}[0] eq $val){
	77	if ($customservice{$key}[0] eq $val){
	78	return $customservice{$key}[2];
	79	}
	80	}
	81	}
	82	}
	83	sub get_srvgrp_prot
	84	{
	85	my $val=shift;
	86	my @ips=();
	87	my $tcp;
	88	my $udp;
	89	my $icmp;
992394d5	90	foreach my $key (sort {$a <=> $b} keys %customservicegrp){
2a81ab0d AM	91	if($customservicegrp{$key}[0] eq $val){
	92	if (&get_srv_prot($customservicegrp{$key}[2]) eq 'TCP'){
	93	$tcp=1;
	94	}elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'UDP'){
	95	$udp=1;
	96	}elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'ICMP'){
	97	$icmp=1;
82b837cf AM	98	}else{
	99	#Protocols used in servicegroups
	100	push (@ips,$customservicegrp{$key}[2]);
	101	}
2a81ab0d AM	102	}
	103	}
	104	if ($tcp eq '1'){push (@ips,'TCP');}
	105	if ($udp eq '1'){push (@ips,'UDP');}
	106	if ($icmp eq '1'){push (@ips,'ICMP');}
	107	my $back=join(",",@ips);
	108	return $back;
	109
	110	}
2a81ab0d AM	111	sub get_srv_port
	112	{
	113	my $val=shift;
	114	my $field=shift;
	115	my $prot=shift;
992394d5	116	foreach my $key (sort {$a <=> $b} keys %customservice){
14bcb9a2 AM	117	if($customservice{$key}[0] eq $val && $customservice{$key}[2] eq $prot){
14bcb9a2 AM	118	return $customservice{$key}[$field];
2a81ab0d AM	119	}
	120	}
	121	}
	122	sub get_srvgrp_port
	123	{
	124	my $val=shift;
	125	my $prot=shift;
	126	my $back;
	127	my $value;
	128	my @ips=();
992394d5	129	foreach my $key (sort {$a <=> $b} keys %customservicegrp){
2a81ab0d AM	130	if($customservicegrp{$key}[0] eq $val){
	131	if ($prot ne 'ICMP'){
	132	$value=&get_srv_port($customservicegrp{$key}[2],1,$prot);
	133	}elsif ($prot eq 'ICMP'){
	134	$value=&get_srv_port($customservicegrp{$key}[2],3,$prot);
	135	}
	136	push (@ips,$value) if ($value ne '') ;
	137	}
	138	}
	139	if($prot ne 'ICMP'){
	140	if ($#ips gt 0){$back="-m multiport --dports ";}else{$back="--dport ";}
	141	}elsif ($prot eq 'ICMP'){
	142	$back="--icmp-type ";
	143	}
	144
	145	$back.=join(",",@ips);
	146	return $back;
	147	}
	148	sub get_ipsec_net_ip
	149	{
	150	my $val=shift;
	151	my $field=shift;
992394d5	152	foreach my $key (sort {$a <=> $b} keys %ipsecconf){
8b20ca2d AM	153	#adapt $val to reflect real name without subnet (if rule with only one ipsec subnet is created)
	154	my @tmpval = split (/\\|/, $val);
	155	$val = $tmpval[0];
2a81ab0d AM	156	if($ipsecconf{$key}[1] eq $val){
	157	return $ipsecconf{$key}[$field];
	158	}
	159	}
	160	}
	161	sub get_ipsec_host_ip
	162	{
	163	my $val=shift;
	164	my $field=shift;
992394d5	165	foreach my $key (sort {$a <=> $b} keys %ipsecconf){
2a81ab0d AM	166	if($ipsecconf{$key}[1] eq $val){
	167	return $ipsecconf{$key}[$field];
	168	}
	169	}
	170	}
	171	sub get_ovpn_n2n_ip
	172	{
	173	my $val=shift;
	174	my $field=shift;
992394d5	175	foreach my $key (sort {$a <=> $b} keys %ccdhost){
2a81ab0d AM	176	if($ccdhost{$key}[1] eq $val){
	177	return $ccdhost{$key}[$field];
	178	}
	179	}
	180	}
	181	sub get_ovpn_host_ip
	182	{
	183	my $val=shift;
	184	my $field=shift;
992394d5	185	foreach my $key (sort {$a <=> $b} keys %ccdhost){
2a81ab0d AM	186	if($ccdhost{$key}[1] eq $val){
	187	return $ccdhost{$key}[$field];
	188	}
	189	}
	190	}
	191	sub get_ovpn_net_ip
	192	{
	193
	194	my $val=shift;
	195	my $field=shift;
992394d5	196	foreach my $key (sort {$a <=> $b} keys %ccdnet){
2a81ab0d AM	197	if($ccdnet{$key}[0] eq $val){
	198	return $ccdnet{$key}[$field];
	199	}
	200	}
	201	}
	202	sub get_grp_ip
	203	{
	204	my $val=shift;
	205	my $src=shift;
992394d5	206	foreach my $key (sort {$a <=> $b} keys %customgrp){
2a81ab0d AM	207	if ($customgrp{$key}[0] eq $val){
	208	&get_address($customgrp{$key}[3],$src);
	209	}
	210	}
	211
	212	}
	213	sub get_std_net_ip
	214	{
	215	my $val=shift;
ddcec9d3	216	my $con=shift;
2a81ab0d AM	217	if ($val eq 'ALL'){
	218	return "0.0.0.0/0.0.0.0";
	219	}elsif($val eq 'GREEN'){
	220	return "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
	221	}elsif($val eq 'ORANGE'){
	222	return "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
	223	}elsif($val eq 'BLUE'){
	224	return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
62fc8511	225	}elsif($val eq 'RED'){
48f07c19	226	return "0.0.0.0/0";
2a81ab0d AM	227	}elsif($val =~ /OpenVPN/i){
	228	return "$ovpnsettings{'DOVPN_SUBNET'}";
	229	}elsif($val =~ /IPsec/i){
	230	return "$ipsecsettings{'RW_NET'}";
5d7faa45 AM	231	}elsif($val eq 'IPFire'){
5d7faa45 AM	232	return ;
2a81ab0d AM	233	}
2a81ab0d AM	234	}
48f07c19 AM	235	sub get_interface
	236	{
	237	my $net=shift;
	238	if($net eq "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"){
	239	return "$netsettings{'GREEN_DEV'}";
	240	}
	241	if($net eq "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"){
	242	return "$netsettings{'ORANGE_DEV'}";
	243	}
	244	if($net eq "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"){
	245	return "$netsettings{'BLUE_DEV'}";
	246	}
a21f2f6a MT	247	if($net eq "0.0.0.0/0") {
a21f2f6a MT	248	return &get_external_interface();
48f07c19 AM	249	}
	250	return "";
	251	}
2a81ab0d AM	252	sub get_net_ip
	253	{
	254	my $val=shift;
992394d5	255	foreach my $key (sort {$a <=> $b} keys %customnetwork){
2a81ab0d AM	256	if($customnetwork{$key}[0] eq $val){
	257	return "$customnetwork{$key}[1]/$customnetwork{$key}[2]";
	258	}
	259	}
	260	}
	261	sub get_host_ip
	262	{
	263	my $val=shift;
	264	my $src=shift;
992394d5	265	foreach my $key (sort {$a <=> $b} keys %customhost){
2a81ab0d AM	266	if($customhost{$key}[0] eq $val){
	267	if ($customhost{$key}[1] eq 'mac' && $src eq 'src'){
	268	return "-m mac --mac-source $customhost{$key}[2]";
	269	}elsif($customhost{$key}[1] eq 'ip' && $src eq 'src'){
	270	return "$customhost{$key}[2]";
	271	}elsif($customhost{$key}[1] eq 'ip' && $src eq 'tgt'){
	272	return "$customhost{$key}[2]";
	273	}elsif($customhost{$key}[1] eq 'mac' && $src eq 'tgt'){
	274	return "none";
	275	}
	276	}
	277	}
	278	}
fd169d0a AM	279	sub get_addresses
fd169d0a AM	280	{
4e54e3c6 AM	281	my $hash = shift;
	282	my $key = shift;
	283	my $type = shift;
	284
	285	my @addresses = ();
	286	my $addr_type;
	287	my $value;
	288	my $group_name;
	289
	290	if ($type eq "src") {
	291	$addr_type = $$hash{$key}[3];
	292	$value = $$hash{$key}[4];
	293
	294	} elsif ($type eq "tgt") {
	295	$addr_type = $$hash{$key}[5];
	296	$value = $$hash{$key}[6];
	297	}
	298
	299	if ($addr_type ~~ ["cust_grp_src", "cust_grp_tgt"]) {
	300	foreach my $grp (sort {$a <=> $b} keys %customgrp) {
	301	if ($customgrp{$grp}[0] eq $value) {
	302	my @address = &get_address($customgrp{$grp}[3], $customgrp{$grp}[2], $type);
	303
b9ca2fa6 AM	304	if (@address) {
	305	push(@addresses, @address);
	306	}
	307	}
	308	}
	309	}elsif ($addr_type ~~ ["cust_geoip_src", "cust_geoip_tgt"] && $value =~ "group:") {
	310	$value=substr($value,6);
	311	foreach my $grp (sort {$a <=> $b} keys %customgeoipgrp) {
	312	if ($customgeoipgrp{$grp}[0] eq $value) {
	313	my @address = &get_address($addr_type, $customgeoipgrp{$grp}[2], $type);
	314
4e54e3c6 AM	315	if (@address) {
	316	push(@addresses, @address);
	317	}
	318	}
	319	}
	320	} else {
	321	my @address = &get_address($addr_type, $value, $type);
	322
	323	if (@address) {
	324	push(@addresses, @address);
	325	}
	326	}
	327
	328	return @addresses;
	329	}
fd169d0a AM	330	sub get_address
fd169d0a AM	331	{
4e54e3c6 AM	332	my $key = shift;
	333	my $value = shift;
	334	my $type = shift;
	335
	336	my @ret = ();
	337
	338	# If the user manually typed an address, we just check if it is a MAC
	339	# address. Otherwise, we assume that it is an IP address.
	340	if ($key ~~ ["src_addr", "tgt_addr"]) {
	341	if (&General::validmac($value)) {
48f07c19	342	push(@ret, ["-m mac --mac-source $value", ""]);
4e54e3c6	343	} else {
48f07c19	344	push(@ret, [$value, ""]);
4e54e3c6 AM	345	}
	346
	347	# If a default network interface (GREEN, BLUE, etc.) is selected, we
	348	# try to get the corresponding address of the network.
	349	} elsif ($key ~~ ["std_net_src", "std_net_tgt", "Standard Network"]) {
	350	my $external_interface = &get_external_interface();
	351
	352	my $network_address = &get_std_net_ip($value, $external_interface);
48f07c19	353
4e54e3c6	354	if ($network_address) {
48f07c19 AM	355	my $interface = &get_interface($network_address);
48f07c19 AM	356	push(@ret, [$network_address, $interface]);
4e54e3c6 AM	357	}
	358
	359	# Custom networks.
	360	} elsif ($key ~~ ["cust_net_src", "cust_net_tgt", "Custom Network"]) {
	361	my $network_address = &get_net_ip($value);
	362	if ($network_address) {
48f07c19	363	push(@ret, [$network_address, ""]);
4e54e3c6 AM	364	}
	365
	366	# Custom hosts.
	367	} elsif ($key ~~ ["cust_host_src", "cust_host_tgt", "Custom Host"]) {
	368	my $host_address = &get_host_ip($value, $type);
	369	if ($host_address) {
48f07c19	370	push(@ret, [$host_address, ""]);
4e54e3c6 AM	371	}
	372
	373	# OpenVPN networks.
	374	} elsif ($key ~~ ["ovpn_net_src", "ovpn_net_tgt", "OpenVPN static network"]) {
	375	my $network_address = &get_ovpn_net_ip($value, 1);
	376	if ($network_address) {
48f07c19	377	push(@ret, [$network_address, ""]);
4e54e3c6 AM	378	}
	379
	380	# OpenVPN hosts.
	381	} elsif ($key ~~ ["ovpn_host_src", "ovpn_host_tgt", "OpenVPN static host"]) {
	382	my $host_address = &get_ovpn_host_ip($value, 33);
	383	if ($host_address) {
48f07c19	384	push(@ret, [$host_address, ""]);
4e54e3c6 AM	385	}
	386
	387	# OpenVPN N2N.
	388	} elsif ($key ~~ ["ovpn_n2n_src", "ovpn_n2n_tgt", "OpenVPN N-2-N"]) {
	389	my $network_address = &get_ovpn_n2n_ip($value, 11);
	390	if ($network_address) {
48f07c19	391	push(@ret, [$network_address, ""]);
4e54e3c6 AM	392	}
	393
	394	# IPsec networks.
	395	} elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) {
8b20ca2d AM	396	#Check if we have multiple subnets and only want one of them
	397	if ( $value =~ /\\|/ ){
	398	my @parts = split(/\\|/, $value);
	399	push(@ret, [$parts[1], ""]);
	400	}else{
	401	my $network_address = &get_ipsec_net_ip($value, 11);
	402	my @nets = split(/\\|/, $network_address);
	403	foreach my $net (@nets) {
	404	push(@ret, [$net, ""]);
	405	}
4e54e3c6 AM	406	}
	407
	408	# The firewall's own IP addresses.
	409	} elsif ($key ~~ ["ipfire", "ipfire_src"]) {
	410	# ALL
	411	if ($value eq "ALL") {
48f07c19	412	push(@ret, ["0/0", ""]);
4e54e3c6 AM	413
	414	# GREEN
	415	} elsif ($value eq "GREEN") {
48f07c19	416	push(@ret, [$netsettings{"GREEN_ADDRESS"}, ""]);
4e54e3c6 AM	417
	418	# BLUE
	419	} elsif ($value eq "BLUE") {
48f07c19	420	push(@ret, [$netsettings{"BLUE_ADDRESS"}, ""]);
4e54e3c6 AM	421
	422	# ORANGE
	423	} elsif ($value eq "ORANGE") {
48f07c19	424	push(@ret, [$netsettings{"ORANGE_ADDRESS"}, ""]);
4e54e3c6 AM	425
	426	# RED
	427	} elsif ($value ~~ ["RED", "RED1"]) {
	428	my $address = &get_external_address();
	429	if ($address) {
48f07c19	430	push(@ret, [$address, ""]);
4e54e3c6 AM	431	}
	432
	433	# Aliases
	434	} else {
085a20ec MT	435	my $alias = &get_alias($value);
085a20ec MT	436	if ($alias) {
48f07c19	437	push(@ret, [$alias, ""]);
4e54e3c6 AM	438	}
	439	}
	440
b9ca2fa6 AM	441	# Handle rule options with GeoIP as source.
	442	} elsif ($key eq "cust_geoip_src") {
	443	# Get external interface.
	444	my $external_interface = &get_external_interface();
	445
	446	push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
	447
	448	# Handle rule options with GeoIP as target.
	449	} elsif ($key eq "cust_geoip_tgt") {
	450	# Get external interface.
	451	my $external_interface = &get_external_interface();
	452
	453	push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
	454
4e54e3c6 AM	455	# If nothing was selected, we assume "any".
4e54e3c6 AM	456	} else {
48f07c19	457	push(@ret, ["0/0", ""]);
4e54e3c6 AM	458	}
	459
	460	return @ret;
	461	}
fd169d0a AM	462	sub get_external_interface()
fd169d0a AM	463	{
4e54e3c6 AM	464	open(IFACE, "/var/ipfire/red/iface") or return "";
	465	my $iface = <IFACE>;
	466	close(IFACE);
	467
	468	return $iface;
	469	}
fd169d0a AM	470	sub get_external_address()
fd169d0a AM	471	{
4e54e3c6 AM	472	open(ADDR, "/var/ipfire/red/local-ipaddress") or return "";
	473	my $address = <ADDR>;
	474	close(ADDR);
	475
	476	return $address;
	477	}
fd169d0a AM	478	sub get_alias
fd169d0a AM	479	{
4e54e3c6 AM	480	my $id = shift;
	481
	482	foreach my $alias (sort keys %aliases) {
	483	if ($id eq $alias) {
085a20ec	484	return $aliases{$alias}{"IPT"};
4e54e3c6 AM	485	}
	486	}
	487	}
085a20ec MT	488
085a20ec MT	489	sub get_nat_address {
4e54e3c6 AM	490	my $zone = shift;
	491	my $source = shift;
	492
	493	# Any static address of any zone.
	494	if ($zone eq "AUTO") {
fd169d0a	495	if ($source && ($source !~ m/mac/i )) {
4e54e3c6 AM	496	my $firewall_ip = &get_internal_firewall_ip_address($source, 1);
	497	if ($firewall_ip) {
	498	return $firewall_ip;
	499	}
	500
	501	$firewall_ip = &get_matching_firewall_address($source, 1);
	502	if ($firewall_ip) {
	503	return $firewall_ip;
	504	}
	505	}
	506
	507	return &get_external_address();
	508
	509	} elsif ($zone eq "RED" \|\| $zone eq "GREEN" \|\| $zone eq "ORANGE" \|\| $zone eq "BLUE") {
c71499d8	510	return $netsettings{$zone . "_ADDRESS"};
4e54e3c6	511
085a20ec	512	} elsif ($zone ~~ ["Default IP", "ALL"]) {
4e54e3c6 AM	513	return &get_external_address();
	514
	515	} else {
085a20ec MT	516	my $alias = &get_alias($zone);
	517	unless ($alias) {
	518	$alias = &get_external_address();
	519	}
	520	return $alias;
4e54e3c6 AM	521	}
	522
	523	print_error("Could not find NAT address");
	524	}
085a20ec	525
fd169d0a AM	526	sub get_internal_firewall_ip_addresses
fd169d0a AM	527	{
4e54e3c6 AM	528	my $use_orange = shift;
	529
	530	my @zones = ("GREEN", "BLUE");
	531	if ($use_orange) {
	532	push(@zones, "ORANGE");
	533	}
	534
	535	my @addresses = ();
	536	for my $zone (@zones) {
c71499d8	537	next unless (exists $netsettings{$zone . "_ADDRESS"});
4e54e3c6	538
c71499d8	539	my $zone_address = $netsettings{$zone . "_ADDRESS"};
4e54e3c6 AM	540	push(@addresses, $zone_address);
	541	}
	542
	543	return @addresses;
	544	}
fd169d0a AM	545	sub get_matching_firewall_address
fd169d0a AM	546	{
4e54e3c6 AM	547	my $addr = shift;
	548	my $use_orange = shift;
	549
	550	my ($address, $netmask) = split("/", $addr);
	551
	552	my @zones = ("GREEN", "BLUE");
	553	if ($use_orange) {
	554	push(@zones, "ORANGE");
	555	}
	556
	557	foreach my $zone (@zones) {
c71499d8	558	next unless (exists $netsettings{$zone . "_ADDRESS"});
4e54e3c6	559
c71499d8 AM	560	my $zone_subnet = $netsettings{$zone . "_NETADDRESS"};
c71499d8 AM	561	my $zone_mask = $netsettings{$zone . "_NETMASK"};
4e54e3c6 AM	562
4e54e3c6 AM	563	if (&General::IpInSubnet($address, $zone_subnet, $zone_mask)) {
c71499d8	564	return $netsettings{$zone . "_ADDRESS"};
4e54e3c6 AM	565	}
	566	}
	567
	568	return 0;
	569	}
fd169d0a AM	570	sub get_internal_firewall_ip_address
fd169d0a AM	571	{
4e54e3c6 AM	572	my $subnet = shift;
	573	my $use_orange = shift;
	574
	575	my ($net_address, $net_mask) = split("/", $subnet);
	576	if ((!$net_mask) \|\| ($net_mask ~~ ["32", "255.255.255.255"])) {
	577	return 0;
	578	}
	579
aa5f4b65 MT	580	# Convert net mask into correct format for &General::IpInSubnet().
	581	$net_mask = &General::iporsubtodec($net_mask);
	582
4e54e3c6 AM	583	my @addresses = &get_internal_firewall_ip_addresses($use_orange);
	584	foreach my $zone_address (@addresses) {
	585	if (&General::IpInSubnet($zone_address, $net_address, $net_mask)) {
	586	return $zone_address;
	587	}
	588	}
	589
	590	return 0;
	591	}
	592
593c3227 SS	593	sub get_geoip_locations() {
	594	# Path to the directory which contains the binary geoip
	595	# databases.
	596	my $directory="/usr/share/xt_geoip/LE";
	597
	598	# Array to store the final country list.
	599	my @country_codes = ();
	600
	601	# Open location and do a directory listing.
	602	opendir(DIR, "$directory");
	603	my @locations = readdir(DIR);
	604	closedir(DIR);
	605
	606	# Loop through the directory listing, and cut of the file extensions.
	607	foreach my $location (sort @locations) {
	608	# skip . and ..
	609	next if($location =~ /^\.$/);
	610	next if($location =~ /^\.\.$/);
	611
	612	# Remove whitespaces.
	613	chomp($location);
	614
	615	# Cut-off file extension.
192a8266	616	my ($country_code, $extension) = split(/\./, $location);
593c3227 SS	617
593c3227 SS	618	# Add country code to array.
192a8266	619	push(@country_codes, $country_code);
593c3227 SS	620	}
	621
	622	# Return final array.
	623	return @country_codes;
	624	}
	625
2a81ab0d	626	return 1;