]> git.ipfire.org Git - people/teissler/ipfire-2.x.git/blame - config/firewall/rules.pl
projects / people / teissler / ipfire-2.x.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
firewall: rules.pl: Introduce a more slink debugging mode.
[people/teissler/ipfire-2.x.git] / config / firewall / rules.pl
CommitLineData
2a81ab0d
AM		 1#!/usr/bin/perl
2###############################################################################
3# #
4# IPFire.org - A linux based firewall #
5bee9a9d 5# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
2a81ab0d
AM		 6# #
7# This program is free software: you can redistribute it and/or modify #
8# it under the terms of the GNU General Public License as published by #
9# the Free Software Foundation, either version 3 of the License, or #
10# (at your option) any later version. #
11# #
12# This program is distributed in the hope that it will be useful, #
13# but WITHOUT ANY WARRANTY; without even the implied warranty of #
14# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15# GNU General Public License for more details. #
16# #
17# You should have received a copy of the GNU General Public License #
18# along with this program. If not, see <http://www.gnu.org/licenses/>. #
19# #
20###############################################################################
2a81ab0d 21
2a81ab0d 22use strict;
472136c9 23use Time::Local;
2a81ab0d
AM		 24no warnings 'uninitialized';
25
97ab0569
MT		 26require '/var/ipfire/general-functions.pl';
27require "${General::swroot}/lang.pl";
28require "/usr/lib/firewall/firewall-lib.pl";
2a81ab0d 29
68d1eb10
MT		 30# Set to one to enable debugging mode.
31my $DEBUG = 0;
32
2a81ab0d
AM		 33my %fwdfwsettings=();
34my %defaultNetworks=();
35my %configfwdfw=();
36my %color=();
37my %icmptypes=();
38my %ovpnSettings=();
39my %customgrp=();
40our %sourcehash=();
41our %targethash=();
42my @timeframe=();
43my %configinputfw=();
5d7faa45 44my %configoutgoingfw=();
a6edca5a 45my %confignatfw=();
2a81ab0d
AM		 46my %aliases=();
47my @DPROT=();
36196d0d 48my @p2ps=();
2a81ab0d 49
6d8eb5de
AM		 50my $configfwdfw = "${General::swroot}/firewall/config";
51my $configinput = "${General::swroot}/firewall/input";
52my $configoutgoing = "${General::swroot}/firewall/outgoing";
53my $p2pfile = "${General::swroot}/firewall/p2protocols";
2a81ab0d 54my $configgrp = "${General::swroot}/fwhosts/customgroups";
210ee67b 55my $netsettings = "${General::swroot}/ethernet/settings";
86a921ee
AM		 56my $errormessage = '';
57my $orange = '';
58my $green = '';
59my $blue = '';
2a81ab0d 60my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
86a921ee
AM		 61my $CHAIN = "FORWARDFW";
62my $conexists = 'off';
a211fee3 63my $command = 'iptables --wait -A';
86a921ee
AM		 64my $dnat ='';
65my $snat ='';
66
6d8eb5de 67&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
210ee67b 68&General::readhash("$netsettings", \%defaultNetworks);
2a81ab0d
AM		 69&General::readhasharray($configfwdfw, \%configfwdfw);
70&General::readhasharray($configinput, \%configinputfw);
5d7faa45 71&General::readhasharray($configoutgoing, \%configoutgoingfw);
2a81ab0d
AM		 72&General::readhasharray($configgrp, \%customgrp);
73&General::get_aliases(\%aliases);
74
ddcec9d3
AM		 75#check if we have an internetconnection
76open (CONN,"/var/ipfire/red/iface");
77my $con = <CONN>;
78close(CONN);
97ab0569 79
ddcec9d3
AM		 80if (-f "/var/ipfire/red/active"){
81 $conexists='on';
82}
97ab0569 83
a6edca5a
AM		 84open (CONN1,"/var/ipfire/red/local-ipaddress");
85my $redip = <CONN1>;
86close(CONN1);
97ab0569 87
86a921ee
AM		 88#################
89# DEBUG/TEST #
90#################
68d1eb10 91my $MODE=!$DEBUG; # 0 - normal operation
14bcb9a2
AM		 92 # 1 - print configline and rules to console
93 #
86a921ee 94#################
2a81ab0d
AM		 95my $param=shift;
96
97if($param eq 'flush'){
98 if ($MODE eq '1'){
99 print " Flushing chains...\n";
100 }
101 &flush;
102}else{
103 if ($MODE eq '1'){
104 print " Flushing chains...\n";
105 }
106 &flush;
107 if ($MODE eq '1'){
108 print " Preparing rules...\n";
109 }
110 &preparerules;
111 if($MODE eq '0'){
112 if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
af49e367 113 &p2pblock;
68d1eb10 114 run("/usr/sbin/firewall-policy");
2a81ab0d 115 }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
6adcf156 116 &p2pblock;
68d1eb10 117 run("/usr/sbin/firewall-policy");
2a81ab0d
AM		 118 }
119 }
120}
97ab0569 121
68d1eb10
MT		 122sub run {
123 # Executes or prints the given shell command.
124 my $command = shift;
125
126 if ($DEBUG) {
127 print "$command\n";
128 } else {
129 system "$command";
130 }
131}
132
97ab0569 133sub flush {
68d1eb10
MT		 134 run("iptables --wait -F FORWARDFW");
135 run("iptables --wait -F INPUTFW");
136 run("iptables --wait -F OUTGOINGFW");
137 run("iptables --wait -t nat -F NAT_DESTINATION");
138 run("iptables --wait -t nat -F NAT_SOURCE");
86a921ee 139}
97ab0569
MT		 140
141sub preparerules {
6d8eb5de 142 if (! -z "${General::swroot}/firewall/config"){
2a81ab0d
AM		 143 &buildrules(\%configfwdfw);
144 }
6d8eb5de 145 if (! -z "${General::swroot}/firewall/input"){
2a81ab0d
AM		 146 &buildrules(\%configinputfw);
147 }
6d8eb5de 148 if (! -z "${General::swroot}/firewall/outgoing"){
5d7faa45
AM		 149 &buildrules(\%configoutgoingfw);
150 }
2a81ab0d 151}
97ab0569
MT		 152
153sub buildrules {
2a81ab0d 154 my $hash=shift;
b5269091 155 my $STAG;
a6edca5a
AM		 156 my $natip;
157 my $snatport;
158 my $fireport;
bc912c6e 159 my $nat;
98cee89f 160 my $fwaccessdport;
c12392c0 161 my $natchain;
2aeb4b25 162 my $icmptype;
992394d5 163 foreach my $key (sort {$a <=> $b} keys %$hash){
ff4770c7 164 next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' );
a211fee3 165 $command="iptables --wait -A";
a6edca5a 166 if ($$hash{$key}[28] eq 'ON'){
a211fee3 167 $command='iptables --wait -t nat -A';
08e1c65d 168 $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]);
a6edca5a 169 if($$hash{$key}[31] eq 'dnat'){
bc912c6e 170 $nat='DNAT';
98cee89f
AM		 171 if ($$hash{$key}[30] =~ /\|/){
172 $$hash{$key}[30]=~ tr/|/,/;
173 $fireport='-m multiport --dport '.$$hash{$key}[30];
174 }else{
175 $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0);
176 }
a6edca5a 177 }else{
bc912c6e 178 $nat='SNAT';
a6edca5a
AM		 179 }
180 }
b5269091 181 $STAG='';
2a81ab0d
AM		 182 if($$hash{$key}[2] eq 'ON'){
183 #get source ip's
184 if ($$hash{$key}[3] eq 'cust_grp_src'){
992394d5 185 foreach my $grp (sort {$a <=> $b} keys %customgrp){
2a81ab0d
AM		 186 if($customgrp{$grp}[0] eq $$hash{$key}[4]){
187 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
188 }
189 }
190 }else{
191 &get_address($$hash{$key}[3],$$hash{$key}[4],"src");
192 }
193 #get target ip's
194 if ($$hash{$key}[5] eq 'cust_grp_tgt'){
992394d5 195 foreach my $grp (sort {$a <=> $b} keys %customgrp){
2a81ab0d
AM		 196 if($customgrp{$grp}[0] eq $$hash{$key}[6]){
197 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
198 }
199 }
a0fb1099 200 }elsif($$hash{$key}[5] eq 'ipfire' ){
05d4f131
AM		 201 if($$hash{$key}[6] eq 'GREEN'){
202 $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
203 }
204 if($$hash{$key}[6] eq 'BLUE'){
205 $targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
206 }
207 if($$hash{$key}[6] eq 'ORANGE'){
208 $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
209 }
8762442c
AM		 210 if($$hash{$key}[6] eq 'ALL'){
211 $targethash{$key}[0]='0.0.0.0/0';
212 }
690b0bd7 213 if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){
ff4770c7 214 open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress";
2a81ab0d
AM		 215 $targethash{$key}[0]= <FILE>;
216 close(FILE);
217 }else{
218 foreach my $alias (sort keys %aliases){
219 if ($$hash{$key}[6] eq $alias){
220 $targethash{$key}[0]=$aliases{$alias}{'IPT'};
221 }
222 }
223 }
224 }else{
225 &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
226 }
2a81ab0d
AM		 227 ##get source prot and port
228 $SRC_TGT='SRC';
2a81ab0d
AM		 229 $SPORT = &get_port($hash,$key);
230 $SRC_TGT='';
14f7cb87 231
2a81ab0d
AM		 232 ##get target prot and port
233 $DPROT=&get_prot($hash,$key);
14f7cb87 234
a4c7bf6b 235 if ($DPROT eq ''){$DPROT=' ';}
2a81ab0d 236 @DPROT=split(",",$DPROT);
14f7cb87 237
2a81ab0d
AM		 238 #get time if defined
239 if($$hash{$key}[18] eq 'ON'){
472136c9
AM		 240 my ($time1,$time2,$daylight);
241 my $daylight=$$hash{$key}[28];
242 $time1=&get_time($$hash{$key}[26],$daylight);
243 $time2=&get_time($$hash{$key}[27],$daylight);
2a81ab0d
AM		 244 if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
245 if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
246 if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
247 if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
248 if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
249 if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
250 if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
251 $TIME=join(",",@timeframe);
86a921ee 252
472136c9
AM		 253 $TIMEFROM="--timestart $time1 ";
254 $TIMETILL="--timestop $time2 ";
a0f267b9 255 $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
2a81ab0d 256 }
b57edbd8
MT		 257 foreach my $DPROT (@DPROT){
258 $DPORT = &get_port($hash,$key,$DPROT);
259 $PROT=$DPROT;
260 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
261 if ($DPROT ne 'TCP' && $DPROT ne'UDP' && $DPROT ne 'ICMP' ){
262 $DPORT='';
2a81ab0d 263 }
b57edbd8
MT		 264 foreach my $a (sort keys %sourcehash){
265 foreach my $b (sort keys %targethash){
266 if(! $sourcehash{$a}[0] || ! $targethash{$b}[0] || ($natip eq '-d ' && $$hash{$key}[28] eq 'ON') || (!$natip && $$hash{$key}[28] eq 'ON')){
267 #Skip rules when no RED IP is set (DHCP,DSL)
268 next;
269 }
270 next if ($targethash{$b}[0] eq 'none');
271 $STAG='';
272 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
273 if($DPROT ne ''){
274 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
275 #Process ICMP RULE
276 if(substr($DPORT, 2, 4) eq 'icmp'){
277 my @icmprule= split(",",substr($DPORT, 12,));
278 foreach (@icmprule){
279 $icmptype="--icmp-type ";
280 if ($_ eq "BLANK") {
281 $icmptype="";
282 $_="";
8cb1afc8 283 }
28640b73 284 if ($$hash{$key}[17] eq 'ON'){
68d1eb10 285 run("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG");
cdb3536b 286 }
68d1eb10 287 run("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]");
2a81ab0d 288 }
b57edbd8
MT		 289 #PROCESS DNAT RULE (Portforward)
290 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
291 $natchain='NAT_DESTINATION';
292 if ($$hash{$key}[17] eq 'ON'){
68d1eb10 293 run("$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT'");
86a921ee 294 }
b57edbd8
MT		 295 my ($ip,$sub) =split("/",$targethash{$b}[0]);
296 #Process NAT with servicegroup used
297 if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){
68d1eb10 298 run("$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip $DPORT");
b57edbd8
MT		 299 $fwaccessdport=$DPORT;
300 }else{
68d1eb10 301 run("$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip$DPORT");
b57edbd8
MT		 302 $DPORT =~ s/\-/:/g;
303 if ($DPORT){
304 $fwaccessdport="--dport ".substr($DPORT,1,);
305 }elsif(! $DPORT && $$hash{$key}[30] ne ''){
306 if ($$hash{$key}[30]=~m/|/i){
307 $$hash{$key}[30] =~ s/\|/,/g;
308 $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
309 }else{
310 $fwaccessdport="--dport $$hash{$key}[30]";
98cee89f
AM		 311 }
312 }
c12392c0 313 }
68d1eb10 314 run("iptables --wait -A FORWARDFW $PROT $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]");
b57edbd8
MT		 315 next;
316 #PROCESS SNAT RULE
317 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
318 $natchain='NAT_SOURCE';
319 if ($$hash{$key}[17] eq 'ON' ){
68d1eb10 320 run("$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT'");
93c2de1c 321 }
68d1eb10 322 run("$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to-source $natip");
b57edbd8
MT		 323 }
324 #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
325 if ($PROT ne '-p ICMP'){
326 if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
68d1eb10 327 run("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
b57edbd8 328 }
68d1eb10 329 run("iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
b57edbd8
MT		 330 }
331 #PROCESS Prot ICMP and type = All ICMP-Types
332 if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
333 if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
68d1eb10 334 run("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
86a921ee 335 }
68d1eb10 336 run("iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
86a921ee 337 }
2a81ab0d
AM		 338 }
339 }
340 }
2a81ab0d
AM		 341 }
342 }
343 }
344 %sourcehash=();
345 %targethash=();
346 undef $TIME;
347 undef $TIMEFROM;
348 undef $TIMETILL;
a6edca5a 349 undef $fireport;
2a81ab0d
AM		 350 }
351}
97ab0569
MT		 352
353sub get_nat_ip {
a6edca5a 354 my $val=shift;
08e1c65d 355 my $type=shift;
a6edca5a
AM		 356 my $result;
357 if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){
358 $result=$defaultNetworks{$val.'_ADDRESS'};
359 }elsif($val eq 'ALL'){
360 $result='-i '.$con;
08e1c65d 361 }elsif($val eq 'Default IP' && $type eq 'dnat'){
a6edca5a 362 $result='-d '.$redip;
08e1c65d
AM		 363 }elsif($val eq 'Default IP' && $type eq 'snat'){
364 $result=$redip;
a6edca5a
AM		 365 }else{
366 foreach my $al (sort keys %aliases){
08e1c65d 367 if($val eq $al && $type eq 'dnat'){
a6edca5a 368 $result='-d '.$aliases{$al}{'IPT'};
08e1c65d
AM		 369 }elsif($val eq $al && $type eq 'snat'){
370 $result=$aliases{$al}{'IPT'};
a6edca5a
AM		 371 }
372 }
373 }
374 return $result;
375}
97ab0569
MT		 376
377sub get_time {
472136c9
AM		 378 my $val=shift;
379 my $val1=shift;
380 my $time;
381 my $minutes;
382 my $ruletime;
383 $minutes = &utcmin($val);
384 $ruletime = $minutes + &time_get_utc($val);
385 if ($ruletime < 0){$ruletime +=1440;}
386 if ($ruletime > 1440){$ruletime -=1440;}
387 $time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60;
388 return $time;
389}
97ab0569
MT		 390
391sub time_get_utc {
472136c9
AM		 392 # Calculates the UTCtime from a given time
393 my $val=shift;
394 my @localtime=localtime(time);
395 my @gmtime=gmtime(time);
396 my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60);
397 return $diff;
398}
97ab0569
MT		 399
400sub utcmin {
472136c9
AM		 401 my $ruletime=shift;
402 my ($hrs,$min) = split(":",$ruletime);
403 my $newtime = $hrs*60+$min;
404 return $newtime;
405}
97ab0569
MT		 406
407sub p2pblock {
36196d0d
AM		 408 my $P2PSTRING;
409 my $DO;
410 open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
411 @p2ps = <FILE>;
412 close FILE;
413 my $CMD = "-m ipp2p";
414 foreach my $p2pentry (sort @p2ps) {
415 my @p2pline = split( /\;/, $p2pentry );
8d1beadc
AM		 416 if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
417 $DO = "ACCEPT";
5238a871 418 if ("$p2pline[2]" eq "on") {
36196d0d
AM		 419 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
420 }
8d1beadc 421 }else {
36196d0d 422 $DO = "RETURN";
5238a871 423 if ("$p2pline[2]" eq "off") {
36196d0d
AM		 424 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
425 }
426 }
427 }
68d1eb10
MT		 428
429 if($P2PSTRING) {
430 run("/sbin/iptables --wait -A FORWARDFW $CMD $P2PSTRING -j $DO");
36196d0d
AM		 431 }
432}
97ab0569
MT		 433
434sub get_address {
2a81ab0d
AM		 435 my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
436 my $base2=shift;
437 my $type=shift; #src or tgt
438 my $hash;
439 if ($type eq 'src'){
86a921ee 440 $hash=\%sourcehash;
2a81ab0d
AM		 441 }else{
442 $hash=\%targethash;
443 }
444 my $key = &General::findhasharraykey($hash);
445 if($base eq 'src_addr' || $base eq 'tgt_addr' ){
b5269091
AM		 446 if (&General::validmac($base2)){
447 $$hash{$key}[0] = "-m mac --mac-source $base2";
448 }else{
449 $$hash{$key}[0] = $base2;
450 }
2a81ab0d 451 }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
ddcec9d3 452 $$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con);
2a81ab0d
AM		 453 }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
454 $$hash{$key}[0]=&fwlib::get_net_ip($base2);
455 }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){
456 $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
457 }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){
458 $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
459 }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){
460 $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
461 }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){
6fab5bca 462 $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11);
2a81ab0d
AM		 463 }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
464 $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
a0fb1099
AM		 465 }elsif($base eq 'ipfire_src' ){
466 if($base2 eq 'GREEN'){
467 $$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
468 }
469 if($base2 eq 'BLUE'){
470 $$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
471 }
472 if($base2 eq 'ORANGE'){
473 $$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
474 }
475 if($base2 eq 'ALL'){
476 $$hash{$key}[0]='0.0.0.0/0';
477 }
478 if($base2 eq 'RED' || $base2 eq 'RED1'){
800077a6 479 open(FILE, "/var/ipfire/red/local-ipaddress");
a0fb1099
AM		 480 $$hash{$key}[0]= <FILE>;
481 close(FILE);
482 }else{
483 foreach my $alias (sort keys %aliases){
484 if ($base2 eq $alias){
485 $$hash{$key}[0]=$aliases{$alias}{'IPT'};
486 }
487 }
488 }
2a81ab0d
AM		 489 }
490}
97ab0569
MT		 491
492sub get_prot {
2a81ab0d
AM		 493 my $hash=shift;
494 my $key=shift;
a4c7bf6b
AM		 495 #check AH,GRE,ESP or ICMP
496 if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON'){
497 return "$$hash{$key}[8]";
498 }
499 if ($$hash{$key}[7] eq 'ON' || $$hash{$key}[11] eq 'ON'){
500 #check if servicegroup or service
501 if($$hash{$key}[14] eq 'cust_srv'){
2a81ab0d 502 return &fwlib::get_srv_prot($$hash{$key}[15]);
2a81ab0d
AM		 503 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
504 return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
a4c7bf6b
AM		 505 }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && $$hash{$key}[8] eq ''){ #when ports are used and prot set to "all"
506 return "TCP,UDP";
507 }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && ($$hash{$key}[8] eq 'TCP' || $$hash{$key}[8] eq 'UDP')){ #when ports are used and prot set to "tcp" or "udp"
508 return "$$hash{$key}[8]";
509 }elsif (($$hash{$key}[10] eq '' && $$hash{$key}[15] eq '') && $$hash{$key}[8] ne 'ICMP'){ #when ports are NOT used and prot NOT set to "ICMP"
510 return "$$hash{$key}[8]";
511 }else{
512 return "$$hash{$key}[8]";
2a81ab0d
AM		 513 }
514 }
98cee89f
AM		 515 #DNAT
516 if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){
fadcfb73 517 return "$$hash{$key}[8]";
98cee89f 518 }
2a81ab0d 519}
97ab0569
MT		 520
521sub get_port {
2a81ab0d
AM		 522 my $hash=shift;
523 my $key=shift;
524 my $prot=shift;
14bcb9a2 525 #Get manual defined Ports from SOURCE
2a81ab0d
AM		 526 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
527 if ($$hash{$key}[10] ne ''){
8f0b047b 528 $$hash{$key}[10] =~ s/\|/,/g;
93a5f4a5
AM		 529 if(index($$hash{$key}[10],",") > 0){
530 return "-m multiport --sport $$hash{$key}[10] ";
531 }else{
a6edca5a
AM		 532 if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){
533 return "--sport $$hash{$key}[10] ";
534 }else{
535 return ":$$hash{$key}[10]";
536 }
93a5f4a5 537 }
2a81ab0d 538 }
14bcb9a2 539 #Get manual ports from TARGET
2a81ab0d 540 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
2a81ab0d
AM		 541 if($$hash{$key}[14] eq 'TGT_PORT'){
542 if ($$hash{$key}[15] ne ''){
8f0b047b 543 $$hash{$key}[15] =~ s/\|/,/g;
93a5f4a5
AM		 544 if(index($$hash{$key}[15],",") > 0){
545 return "-m multiport --dport $$hash{$key}[15] ";
546 }else{
a6edca5a
AM		 547 if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){
548 return "--dport $$hash{$key}[15] ";
549 }else{
829697d0 550 $$hash{$key}[15] =~ s/\:/-/g;
653a71b9 551 return ":$$hash{$key}[15]";
a6edca5a 552 }
93a5f4a5 553 }
2a81ab0d 554 }
14bcb9a2 555 #Get ports defined in custom Service (firewall-groups)
2a81ab0d
AM		 556 }elsif($$hash{$key}[14] eq 'cust_srv'){
557 if ($prot ne 'ICMP'){
653a71b9 558 if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
14bcb9a2
AM		 559 my $ports =&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
560 $ports =~ s/\:/-/g;
561 return ":".$ports
6be32fe5
AM		 562 }else{
563 return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
564 }
e6e9a811
AM		 565 }elsif($prot eq 'ICMP' && $$hash{$key}[11] eq 'ON'){ #When PROT is ICMP and "use targetport is checked, this is an icmp-service
566 return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
2a81ab0d 567 }
14bcb9a2 568 #Get ports from services which are used in custom servicegroups (firewall-groups)
2a81ab0d
AM		 569 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
570 if ($prot ne 'ICMP'){
571 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
572 }
573 elsif($prot eq 'ICMP'){
574 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
575 }
2a81ab0d
AM		 576 }
577 }
a4c7bf6b
AM		 578 #CHECK ICMP
579 if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON' && $SRC_TGT eq ''){
580 if($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
581 return "--icmp-type $$hash{$key}[9] ";
582 }elsif($$hash{$key}[9] eq 'All ICMP-Types'){
583 return;
584 }
585 }
2a81ab0d 586}
Timo's tree of IPFire 2.x