firewall: Write correct rules bound to interface for routes IPsec tunnels
index b389fac3c351230ec354d27579c692b387249b01..118744fd6e60b831a21305e2a943b91769845585 100644 (file)
@@ -39,6 +39,7 @@ my %ovpnsettings=();
 my %aliases=();
 
 require '/var/ipfire/general-functions.pl';
+require '/var/ipfire/geoip-functions.pl';
 
 my $confignet          = "${General::swroot}/fwhosts/customnetworks";
 my $confighost         = "${General::swroot}/fwhosts/customhosts";
@@ -150,6 +151,9 @@ sub get_ipsec_net_ip
        my $val=shift;
        my $field=shift;
        foreach my $key (sort {$a <=> $b} keys %ipsecconf){
+               #adapt $val to reflect real name without subnet (if rule with only one ipsec subnet is created)
+               my @tmpval = split (/\|/, $val);
+               $val = $tmpval[0];
                if($ipsecconf{$key}[1] eq $val){
                        return $ipsecconf{$key}[$field];
                }
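Review bot: The new split of `$val` on `|` sits inside the `foreach`, so the name is re-split and `$val` reassigned on every iteration even though the result is the same after the first pass; it belongs before the loop. Moving it out also keeps the intent clearer: `my ($name) = split(/\|/, $val);` before `foreach`, then `if ($ipsecconf{$key}[1] eq $name)`. As written, a `$val` with several `|` separators silently keeps only the first field, which may be intended but is worth stating in the comment. The enclosing get_ipsec_net_ip starts before this hunk and its fall-through return after the loop is not visible here.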
@@ -165,6 +169,15 @@ sub get_ipsec_host_ip
                }
        }
 }
+sub get_ipsec_id {
+       my $val = shift;
+
+       foreach my $key (keys %ipsecconf) {
+               if ($ipsecconf{$key}[1] eq $val) {
+                       return $key;
+               }
+       }
+}
 sub get_ovpn_n2n_ip
 {
        my $val=shift;
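Review bot: get_ipsec_id falls off the end of a `foreach` when no connection named `$val` exists, and the value of a `foreach` used as the last statement is unspecified in Perl; add an explicit `return;` after the loop so callers reliably get undef (empty list in list context). Unlike get_ipsec_net_ip just above, this lookup does not strip a `|subnet` suffix and iterates `keys %ipsecconf` unsorted, so if two entries ever share the same name the chosen id is not deterministic; sorting numerically as the sibling does, `foreach my $key (sort {$a <=> $b} keys %ipsecconf)`, would make both lookups agree. A one-line header comment stating that `$val` must be the bare connection name would document the difference.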
@@ -390,9 +403,22 @@ sub get_address
 
        # IPsec networks.
        } elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) {
-               my $network_address = &get_ipsec_net_ip($value, 11);
-               if ($network_address) {
-                       push(@ret, [$network_address, ""]);
+               #Check if we have multiple subnets and only want one of them
+               if ( $value =~ /\|/ ){
+                       my @parts = split(/\|/, $value);
+                       push(@ret, [$parts[1], ""]);
+               }else{
+                       my $interface_mode = &get_ipsec_net_ip($value, 36);
+                       if ($interface_mode ~~ ["gre", "vti"]) {
+                               my $id = &get_ipsec_id($value);
+                               push(@ret, ["0.0.0.0/0", "${interface_mode}${id}"]);
+                       } else {
+                               my $network_address = &get_ipsec_net_ip($value, 11);
+                               my @nets = split(/\|/, $network_address);
+                               foreach my $net (@nets) {
+                                       push(@ret, [$net, ""]);
+                               }
+                       }
                }
 
        # The firewall's own IP addresses.
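Review bot: The removed `if ($network_address)` guard is gone, so when get_ipsec_net_ip finds no connection for `$value` the new `split(/\|/, $network_address)` runs on undef and emits an uninitialized-value warning instead of quietly adding nothing; restore it, e.g. `my @nets = defined($network_address) ? split(/\|/, $network_address) : ();`. In the `$value =~ /\|/` branch, `$parts[1]` is pushed straight into the rule without checking it against the connection's configured subnets (field 11), so the config value is trusted as-is and, as far as the hunk shows, the gre/vti interface binding is skipped for that case; whether a single-subnet selection on a vti tunnel should also be bound to the interface is not clear from here and deserves a comment either way. If get_ipsec_id returns nothing for the gre/vti case the interface name collapses to just `gre`/`vti`, though with both lookups keyed on the same name this should only happen on inconsistent data. The enclosing get_address starts before this hunk and continues past it.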
@@ -581,36 +607,7 @@ sub get_internal_firewall_ip_address
 }
 
 sub get_geoip_locations() {
-       # Path to the directory which contains the binary geoip
-       # databases.
-       my $directory="/usr/share/xt_geoip/LE";
-
-       # Array to store the final country list.
-       my @country_codes = ();
-
-       # Open location and do a directory listing.
-       opendir(DIR, "$directory");
-       my @locations = readdir(DIR);
-       closedir(DIR);
-
-       # Loop through the directory listing, and cut of the file extensions.
-       foreach my $location (sort @locations) {
-               # skip . and ..
-               next if($location =~ /^\.$/);
-               next if($location =~ /^\.\.$/);
-
-               # Remove whitespaces.
-               chomp($location);
-
-               # Cut-off file extension.
-               my ($country_code, $extension) = split(/\./, $location);
-
-               # Add country code to array.
-               push(@country_codes, $country_code);
-       }
-
-       # Return final array.
-       return @country_codes;
+       return &GeoIP::get_geoip_locations();
 }
 
 return 1;
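Review bot: get_geoip_locations is now a one-line delegation with no comment saying why the wrapper still exists, and the empty prototype `()` on its definition has been kept even though the body changed; a reader will wonder whether the old directory-scanning behaviour (sorted, extension stripped) is preserved by the new implementation, which cannot be confirmed from this file. Add a short header such as `# Compatibility wrapper: the country list is now built by GeoIP::get_geoip_locations() from geoip-functions.pl; kept so existing callers need no change.` so the delegation and its dependency on the new `require` are explicit.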