[people/pmueller/ipfire-2.x.git] / config / forwardfw / convert-portfw

#!/usr/bin/perl
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2013                                                          #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################
# Author: Alexander Marx (amarx@ipfire.org)                                   #
###############################################################################
#                                                                             #
# This script converts old portforwarding rules from old Firewall             #
# to the new one. This is a 3-step process.                                   #
# STEP1: read old config and normalize settings                               #
# STEP2: create new rules from old ones                                       #
# STEP3: check if rule already exists, when not, put it into                  #
#        /var/ipfire/forward/nat                                              #
###############################################################################
require '/var/ipfire/general-functions.pl';
my @values=();
my @built_rules=();
my %nat=();
my $portfwconfig 	= "${General::swroot}/portfw/config";
my $confignat 		= "${General::swroot}/forward/config";
my ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark);
my ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1);
my $count=0;
my $jump;
if(! -d "/var/log/converters"){ mkdir("/var/log/converters");}
open(FILE, $portfwconfig) or die 'Unable to open config file.';
my @current = <FILE>;
close(FILE);
open (LOG, ">/var/log/converters/portfw-convert.log") or die $!;
open(ALIAS, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
my @alias = <ALIAS>;
close(ALIAS);
&get_config;
&build_rules;
&write_rules;
sub get_config
{
	print LOG "STEP 1:   Get config from old portforward\n#########################################\n";
	foreach my $line (@current){
		if($jump eq '1'){
			$jump='';
			$count++;
			next;
		}
		my $u=$count+1;
		($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark) = split(",",$line);
		($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1) = split(",",$current[$u]);
		if ($flag1 eq '1'){
			$source=$source1;
			$jump='1';
		}
		my $now=localtime;
		chomp($remark);
		print LOG "$now   processing-> KEY: $key FLAG: $flag PROT: $prot FIREPORT: $ipfireport TARGET: $target TGTPORT: $targetport ACTIVE: $active ALIAS: $alias SOURCE: $source REM: $remark Doublerule: $jump\n";
		push (@values,$prot.",".$ipfireport.",".$target.",".$targetport.",".$active.",".$alias.",".$source.",".$remark);
		$count++;
	}
}
sub build_rules
{
	print LOG "\nSTEP 2: Convert old portforwardrules in a useable format\n########################################################\n";
	my $src;
	my $src1;
	my $ipfireip;
	my $count=0;
	my $stop;
	#build rules for new firewall
	foreach my $line (@values){
		chomp ($line);
		($prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark)=split(",",$line);
		$count++;
		#get sourcepart
		if($source eq '0.0.0.0/0'){
			$src  = 'std_net_src';
			$src1 = 'ALL';
		}else{
			$src  = 'src_addr';
			my ($a,$b) = split("/",$source);
			$src1 = $a."/32";
		}
		#get ipfire ip
		if($alias eq '0.0.0.0'){
			$alias='ALL';
		}else{
			foreach my $ali (@alias){
				my ($alias_ip,$alias_active,$alias_name) = split (",",$ali);
				if($alias eq $alias_ip){
					chomp($alias_name);
					$alias=$alias_name;
				}
			}
		}
		$active = uc $active;
		$prot   = uc $prot;
		chomp($remark);
		push (@built_rules,"ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat");
		my $now=localtime;
		print LOG "$now    Converted-> KEY: $count ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat\n";
	}
}
sub write_rules
{
	my $skip='';
	my $id;
	print LOG "\nSTEP 3: Create DNAT rules in new firewall\n#########################################\n";
	&General::readhasharray($confignat,\%nat);
	foreach my $line (@built_rules){
		$skip='';
		my ($action,$chain,$active,$src,$src1,$tgt,$tgt1,$use_prot,$prot,$dummy,$tgt_port,$tgt_port1,$remark,$from,$to,$use_port,$alias,$ipfireport,$dnat) = split (",",$line);
		foreach my $key (sort keys %nat){
			if ($line eq "$nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$nat{$key}[6],$nat{$key}[11],$nat{$key}[12],$nat{$key}[13],$nat{$key}[14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31]"){
				my $now=localtime;
				print LOG "$now         SKIP->  Rule  $nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$nat{$key}[6],$nat{$key}[11],$nat{$key}[12],$nat{$key}[13],$nat{$key}[14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31] ->EXISTS\n";
				$skip='1';
			}
		}
		if ($skip ne '1'){
			$id = &General::findhasharraykey(\%nat);
			$nat{$id}[0]  = $action;
			$nat{$id}[1]  = $chain;
			$nat{$id}[2]  = $active;
			$nat{$id}[3]  = $src;
			$nat{$id}[4]  = $src1;
			$nat{$id}[5]  = $tgt;
			$nat{$id}[6]  = $tgt1;
			$nat{$id}[11] = $use_prot;
			$nat{$id}[12] = $prot;
			$nat{$id}[13] = $dummy;
			$nat{$id}[14] = $tgt_port;
			$nat{$id}[15] = $tgt_port1;
			$nat{$id}[16] = $remark;
			$nat{$id}[26] = $from;
			$nat{$id}[27] = $to;
			$nat{$id}[28] = $use_port;
			$nat{$id}[29] = $alias;
			$nat{$id}[30] = $ipfireport;
			$nat{$id}[31] = $dnat;
			my $now=localtime;
			print LOG "$now     NEW RULE->  Rule  $nat{$id}[0],$nat{$id}[1],$nat{$id}[2],$nat{$id}[3],$nat{$id}[4],$nat{$id}[5],$nat{$id}[6],$nat{$id}[11],$nat{$id}[12],$nat{$id}[13],$nat{$id}[14],$nat{$id}[15],$nat{$id}[16],$nat{$id}[26],$nat{$id}[27],$nat{$id}[28],$nat{$id}[29],$nat{$id}[30],$nat{$id}[31]\n";
		}
	}
	&General::writehasharray($confignat,\%nat);
}
close (LOG);
Commit	Line	Data
6b681c40	1	#!/usr/bin/perl
dc21519f AM	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2013 #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21	# Author: Alexander Marx (amarx@ipfire.org) #
	22	###############################################################################
	23	# #
	24	# This script converts old portforwarding rules from old Firewall #
	25	# to the new one. This is a 3-step process. #
	26	# STEP1: read old config and normalize settings #
	27	# STEP2: create new rules from old ones #
	28	# STEP3: check if rule already exists, when not, put it into #
	29	# /var/ipfire/forward/nat #
	30	###############################################################################
6b681c40 AM	31	require '/var/ipfire/general-functions.pl';
	32	my @values=();
	33	my @built_rules=();
	34	my %nat=();
	35	my $portfwconfig = "${General::swroot}/portfw/config";
c12392c0	36	my $confignat = "${General::swroot}/forward/config";
6b681c40 AM	37	my ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark);
	38	my ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1);
	39	my $count=0;
	40	my $jump;
	41	if(! -d "/var/log/converters"){ mkdir("/var/log/converters");}
	42	open(FILE, $portfwconfig) or die 'Unable to open config file.';
	43	my @current = <FILE>;
	44	close(FILE);
	45	open (LOG, ">/var/log/converters/portfw-convert.log") or die $!;
	46	open(ALIAS, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
	47	my @alias = <ALIAS>;
	48	close(ALIAS);
	49	&get_config;
	50	&build_rules;
	51	&write_rules;
	52	sub get_config
	53	{
	54	print LOG "STEP 1: Get config from old portforward\n#########################################\n";
	55	foreach my $line (@current){
	56	if($jump eq '1'){
	57	$jump='';
	58	$count++;
	59	next;
	60	}
	61	my $u=$count+1;
	62	($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark) = split(",",$line);
	63	($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1) = split(",",$current[$u]);
	64	if ($flag1 eq '1'){
	65	$source=$source1;
	66	$jump='1';
	67	}
	68	my $now=localtime;
	69	chomp($remark);
	70	print LOG "$now processing-> KEY: $key FLAG: $flag PROT: $prot FIREPORT: $ipfireport TARGET: $target TGTPORT: $targetport ACTIVE: $active ALIAS: $alias SOURCE: $source REM: $remark Doublerule: $jump\n";
	71	push (@values,$prot.",".$ipfireport.",".$target.",".$targetport.",".$active.",".$alias.",".$source.",".$remark);
	72	$count++;
	73	}
	74	}
	75	sub build_rules
	76	{
	77	print LOG "\nSTEP 2: Convert old portforwardrules in a useable format\n########################################################\n";
	78	my $src;
	79	my $src1;
	80	my $ipfireip;
	81	my $count=0;
	82	my $stop;
	83	#build rules for new firewall
	84	foreach my $line (@values){
	85	chomp ($line);
	86	($prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark)=split(",",$line);
	87	$count++;
	88	#get sourcepart
	89	if($source eq '0.0.0.0/0'){
	90	$src = 'std_net_src';
	91	$src1 = 'ALL';
	92	}else{
	93	$src = 'src_addr';
	94	my ($a,$b) = split("/",$source);
	95	$src1 = $a."/32";
	96	}
	97	#get ipfire ip
	98	if($alias eq '0.0.0.0'){
	99	$alias='ALL';
	100	}else{
101	foreach my $ali (@alias){
102	my ($alias_ip,$alias_active,$alias_name) = split (",",$ali);
54d68637 AM	103	if($alias eq $alias_ip){
54d68637 AM	104	chomp($alias_name);
6b681c40 AM	105	$alias=$alias_name;
	106	}
	107	}
	108	}
	109	$active = uc $active;
	110	$prot = uc $prot;
54d68637	111	chomp($remark);
c12392c0	112	push (@built_rules,"ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat");
6b681c40	113	my $now=localtime;
c12392c0	114	print LOG "$now Converted-> KEY: $count ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat\n";
6b681c40 AM	115	}
	116	}
	117	sub write_rules
	118	{
	119	my $skip='';
	120	my $id;
	121	print LOG "\nSTEP 3: Create DNAT rules in new firewall\n#########################################\n";
	122	&General::readhasharray($confignat,\%nat);
	123	foreach my $line (@built_rules){
	124	$skip='';
	125	my ($action,$chain,$active,$src,$src1,$tgt,$tgt1,$use_prot,$prot,$dummy,$tgt_port,$tgt_port1,$remark,$from,$to,$use_port,$alias,$ipfireport,$dnat) = split (",",$line);
	126	foreach my $key (sort keys %nat){
	127	if ($line eq "$nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$nat{$key}[6],$nat{$key}[11],$nat{$key}[12],$nat{$key}[13],$nat{$key}[14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31]"){
	128	my $now=localtime;
	129	print LOG "$now SKIP-> Rule $nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$nat{$key}[6],$nat{$key}[11],$nat{$key}[12],$nat{$key}[13],$nat{$key}[14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31] ->EXISTS\n";
	130	$skip='1';
	131	}
	132	}
	133	if ($skip ne '1'){
	134	$id = &General::findhasharraykey(\%nat);
	135	$nat{$id}[0] = $action;
	136	$nat{$id}[1] = $chain;
	137	$nat{$id}[2] = $active;
	138	$nat{$id}[3] = $src;
	139	$nat{$id}[4] = $src1;
	140	$nat{$id}[5] = $tgt;
	141	$nat{$id}[6] = $tgt1;
	142	$nat{$id}[11] = $use_prot;
	143	$nat{$id}[12] = $prot;
	144	$nat{$id}[13] = $dummy;
	145	$nat{$id}[14] = $tgt_port;
	146	$nat{$id}[15] = $tgt_port1;
	147	$nat{$id}[16] = $remark;
	148	$nat{$id}[26] = $from;
	149	$nat{$id}[27] = $to;
	150	$nat{$id}[28] = $use_port;
	151	$nat{$id}[29] = $alias;
	152	$nat{$id}[30] = $ipfireport;
	153	$nat{$id}[31] = $dnat;
	154	my $now=localtime;
	155	print LOG "$now NEW RULE-> Rule $nat{$id}[0],$nat{$id}[1],$nat{$id}[2],$nat{$id}[3],$nat{$id}[4],$nat{$id}[5],$nat{$id}[6],$nat{$id}[11],$nat{$id}[12],$nat{$id}[13],$nat{$id}[14],$nat{$id}[15],$nat{$id}[16],$nat{$id}[26],$nat{$id}[27],$nat{$id}[28],$nat{$id}[29],$nat{$id}[30],$nat{$id}[31]\n";
	156	}
	157	}
	158	&General::writehasharray($confignat,\%nat);
	159	}
	160	close (LOG);