[people/teissler/ipfire-2.x.git] / config / forwardfw / firewall-lib.pl

#!/usr/bin/perl
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2012														  #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################


use strict;
no warnings 'uninitialized';

package fwlib;

my %customnetwork=();
my %customhost=();
my %customgrp=();
my %customservice=();
my %customservicegrp=();
my %ccdnet=();
my %ccdhost=();
my %ipsecconf=();
my %ipsecsettings=();
my %netsettings=();
my %ovpnsettings=();

require '/var/ipfire/general-functions.pl';

my $confignet		= "${General::swroot}/fwhosts/customnetworks";
my $confighost		= "${General::swroot}/fwhosts/customhosts";
my $configgrp 		= "${General::swroot}/fwhosts/customgroups";
my $configsrv 		= "${General::swroot}/fwhosts/customservices";
my $configsrvgrp	= "${General::swroot}/fwhosts/customservicegrp";
my $configccdnet 	= "${General::swroot}/ovpn/ccd.conf";
my $configccdhost	= "${General::swroot}/ovpn/ovpnconfig";
my $configipsec		= "${General::swroot}/vpn/config";
my $configovpn		= "${General::swroot}/ovpn/settings";
my $val;
my $field;

&General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
&General::readhash("${General::swroot}/ovpn/settings", \%ovpnsettings);
&General::readhash("${General::swroot}/vpn/settings", \%ipsecsettings);


&General::readhasharray("$confignet", \%customnetwork);
&General::readhasharray("$confighost", \%customhost);
&General::readhasharray("$configgrp", \%customgrp);
&General::readhasharray("$configccdnet", \%ccdnet);
&General::readhasharray("$configccdhost", \%ccdhost);
&General::readhasharray("$configipsec", \%ipsecconf);
&General::readhasharray("$configsrv", \%customservice);
&General::readhasharray("$configsrvgrp", \%customservicegrp);

sub get_srv_prot
{
	my $val=shift;
	foreach my $key (sort {$a <=> $b} keys %customservice){
		if($customservice{$key}[0] eq $val){
			if ($customservice{$key}[0] eq $val){
				return $customservice{$key}[2];
			}
		}
	}
}
sub get_srvgrp_prot
{
	my $val=shift;
	my @ips=();
	my $tcp;
	my $udp;
	my $icmp;
	foreach my $key (sort {$a <=> $b} keys %customservicegrp){
		if($customservicegrp{$key}[0] eq $val){
			if (&get_srv_prot($customservicegrp{$key}[2]) eq 'TCP'){ 
				$tcp=1;
			}elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'UDP'){ 
				$udp=1;
			}elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'ICMP'){
				$icmp=1;
			} 
		}
	}
	if ($tcp eq '1'){push (@ips,'TCP');}
	if ($udp eq '1'){push (@ips,'UDP');}
	if ($icmp eq '1'){push (@ips,'ICMP');}
	my $back=join(",",@ips);
	return $back;
	
}


sub get_srv_port
{
	my $val=shift;
	my $field=shift;
	my $prot=shift;
	foreach my $key (sort {$a <=> $b} keys %customservice){
		if($customservice{$key}[0] eq $val){
			if($customservice{$key}[2] eq $prot){
				return $customservice{$key}[$field];
			}
		}
	}
}
sub get_srvgrp_port
{
	my $val=shift;
	my $prot=shift;
	my $back;
	my $value;
	my @ips=();
	foreach my $key (sort {$a <=> $b} keys %customservicegrp){
		if($customservicegrp{$key}[0] eq $val){
			if ($prot ne 'ICMP'){
				$value=&get_srv_port($customservicegrp{$key}[2],1,$prot);
			}elsif ($prot eq 'ICMP'){
				$value=&get_srv_port($customservicegrp{$key}[2],3,$prot);
			}
			push (@ips,$value) if ($value ne '') ;
		}
	}
	if($prot ne 'ICMP'){
		if ($#ips gt 0){$back="-m multiport --dports ";}else{$back="--dport ";}
	}elsif ($prot eq 'ICMP'){
		$back="--icmp-type ";
	}
	
	$back.=join(",",@ips);
	return $back;
}
sub get_ipsec_net_ip
{
	my $val=shift;
	my $field=shift;
	foreach my $key (sort {$a <=> $b} keys %ipsecconf){
		if($ipsecconf{$key}[1] eq $val){
			return $ipsecconf{$key}[$field];
		}
	}
}
sub get_ipsec_host_ip
{
	my $val=shift;
	my $field=shift;
	foreach my $key (sort {$a <=> $b} keys %ipsecconf){
		if($ipsecconf{$key}[1] eq $val){
			return $ipsecconf{$key}[$field];
		}
	}
}
sub get_ovpn_n2n_ip
{
	my $val=shift;
	my $field=shift;
	foreach my $key (sort {$a <=> $b} keys %ccdhost){
		if($ccdhost{$key}[1] eq $val){
			return $ccdhost{$key}[$field];
		}
	}
}
sub get_ovpn_host_ip
{
	my $val=shift;
	my $field=shift;
	foreach my $key (sort {$a <=> $b} keys %ccdhost){
		if($ccdhost{$key}[1] eq $val){
			return $ccdhost{$key}[$field];
		}
	}
}
sub get_ovpn_net_ip
{
	
	my $val=shift;
	my $field=shift;
	foreach my $key (sort {$a <=> $b} keys %ccdnet){
		if($ccdnet{$key}[0] eq $val){
			return $ccdnet{$key}[$field];
		}
	}
}
sub get_grp_ip
{
	my $val=shift;
	my $src=shift;
	foreach my $key (sort {$a <=> $b} keys %customgrp){
		if ($customgrp{$key}[0] eq $val){
			&get_address($customgrp{$key}[3],$src);
		}
	}		
	
}
sub get_std_net_ip
{
	my $val=shift;
	my $con=shift;
	if ($val eq 'ALL'){
		return "0.0.0.0/0.0.0.0";
	}elsif($val eq 'GREEN'){
		return "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
	}elsif($val eq 'ORANGE'){
		return "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
	}elsif($val eq 'BLUE'){
		return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
	}elsif($val eq 'RED'){
		return "0.0.0.0/0 -o $con";
	}elsif($val =~ /OpenVPN/i){
		return "$ovpnsettings{'DOVPN_SUBNET'}";
	}elsif($val =~ /IPsec/i){
		return "$ipsecsettings{'RW_NET'}";
	}elsif($val eq 'IPFire'){
		return ;
	}
}
sub get_net_ip
{
	my $val=shift;
	foreach my $key (sort {$a <=> $b} keys %customnetwork){
		if($customnetwork{$key}[0] eq $val){
			return "$customnetwork{$key}[1]/$customnetwork{$key}[2]";
		}  
	}
}
sub get_host_ip
{
	my $val=shift;
	my $src=shift;
	foreach my $key (sort {$a <=> $b} keys %customhost){
		if($customhost{$key}[0] eq $val){
			if ($customhost{$key}[1] eq 'mac' && $src eq 'src'){
			return "-m mac --mac-source $customhost{$key}[2]";
			}elsif($customhost{$key}[1] eq 'ip' && $src eq 'src'){
				return "$customhost{$key}[2]";
			}elsif($customhost{$key}[1] eq 'ip' && $src eq 'tgt'){
				return "$customhost{$key}[2]";
			}elsif($customhost{$key}[1] eq 'mac' && $src eq 'tgt'){
				return "none";
			}
		}  
	}
}

return 1;
Commit	Line	Data
2a81ab0d AM	1	#!/usr/bin/perl
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2012 #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22
	23	use strict;
	24	no warnings 'uninitialized';
	25
	26	package fwlib;
	27
	28	my %customnetwork=();
	29	my %customhost=();
	30	my %customgrp=();
	31	my %customservice=();
	32	my %customservicegrp=();
	33	my %ccdnet=();
	34	my %ccdhost=();
	35	my %ipsecconf=();
	36	my %ipsecsettings=();
	37	my %netsettings=();
	38	my %ovpnsettings=();
	39
	40	require '/var/ipfire/general-functions.pl';
	41
	42	my $confignet = "${General::swroot}/fwhosts/customnetworks";
	43	my $confighost = "${General::swroot}/fwhosts/customhosts";
	44	my $configgrp = "${General::swroot}/fwhosts/customgroups";
	45	my $configsrv = "${General::swroot}/fwhosts/customservices";
	46	my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp";
	47	my $configccdnet = "${General::swroot}/ovpn/ccd.conf";
	48	my $configccdhost = "${General::swroot}/ovpn/ovpnconfig";
	49	my $configipsec = "${General::swroot}/vpn/config";
	50	my $configovpn = "${General::swroot}/ovpn/settings";
	51	my $val;
	52	my $field;
	53
	54	&General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
	55	&General::readhash("${General::swroot}/ovpn/settings", \%ovpnsettings);
	56	&General::readhash("${General::swroot}/vpn/settings", \%ipsecsettings);
	57
	58
	59	&General::readhasharray("$confignet", \%customnetwork);
	60	&General::readhasharray("$confighost", \%customhost);
	61	&General::readhasharray("$configgrp", \%customgrp);
	62	&General::readhasharray("$configccdnet", \%ccdnet);
	63	&General::readhasharray("$configccdhost", \%ccdhost);
	64	&General::readhasharray("$configipsec", \%ipsecconf);
65	&General::readhasharray("$configsrv", \%customservice);
66	&General::readhasharray("$configsrvgrp", \%customservicegrp);
67
68	sub get_srv_prot
69	{
70	my $val=shift;
992394d5	71	foreach my $key (sort {$a <=> $b} keys %customservice){
2a81ab0d AM	72	if($customservice{$key}[0] eq $val){
	73	if ($customservice{$key}[0] eq $val){
	74	return $customservice{$key}[2];
	75	}
	76	}
	77	}
	78	}
	79	sub get_srvgrp_prot
	80	{
	81	my $val=shift;
	82	my @ips=();
	83	my $tcp;
	84	my $udp;
	85	my $icmp;
992394d5	86	foreach my $key (sort {$a <=> $b} keys %customservicegrp){
2a81ab0d AM	87	if($customservicegrp{$key}[0] eq $val){
	88	if (&get_srv_prot($customservicegrp{$key}[2]) eq 'TCP'){
	89	$tcp=1;
	90	}elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'UDP'){
	91	$udp=1;
	92	}elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'ICMP'){
	93	$icmp=1;
	94	}
	95	}
	96	}
	97	if ($tcp eq '1'){push (@ips,'TCP');}
	98	if ($udp eq '1'){push (@ips,'UDP');}
	99	if ($icmp eq '1'){push (@ips,'ICMP');}
	100	my $back=join(",",@ips);
	101	return $back;
	102
	103	}
	104
	105
	106	sub get_srv_port
	107	{
	108	my $val=shift;
	109	my $field=shift;
	110	my $prot=shift;
992394d5	111	foreach my $key (sort {$a <=> $b} keys %customservice){
2a81ab0d AM	112	if($customservice{$key}[0] eq $val){
	113	if($customservice{$key}[2] eq $prot){
	114	return $customservice{$key}[$field];
	115	}
	116	}
	117	}
	118	}
	119	sub get_srvgrp_port
	120	{
	121	my $val=shift;
	122	my $prot=shift;
	123	my $back;
	124	my $value;
	125	my @ips=();
992394d5	126	foreach my $key (sort {$a <=> $b} keys %customservicegrp){
2a81ab0d AM	127	if($customservicegrp{$key}[0] eq $val){
	128	if ($prot ne 'ICMP'){
	129	$value=&get_srv_port($customservicegrp{$key}[2],1,$prot);
	130	}elsif ($prot eq 'ICMP'){
	131	$value=&get_srv_port($customservicegrp{$key}[2],3,$prot);
	132	}
	133	push (@ips,$value) if ($value ne '') ;
	134	}
	135	}
	136	if($prot ne 'ICMP'){
	137	if ($#ips gt 0){$back="-m multiport --dports ";}else{$back="--dport ";}
	138	}elsif ($prot eq 'ICMP'){
	139	$back="--icmp-type ";
	140	}
	141
	142	$back.=join(",",@ips);
	143	return $back;
	144	}
	145	sub get_ipsec_net_ip
	146	{
	147	my $val=shift;
	148	my $field=shift;
992394d5	149	foreach my $key (sort {$a <=> $b} keys %ipsecconf){
2a81ab0d AM	150	if($ipsecconf{$key}[1] eq $val){
	151	return $ipsecconf{$key}[$field];
	152	}
	153	}
	154	}
	155	sub get_ipsec_host_ip
	156	{
	157	my $val=shift;
	158	my $field=shift;
992394d5	159	foreach my $key (sort {$a <=> $b} keys %ipsecconf){
2a81ab0d AM	160	if($ipsecconf{$key}[1] eq $val){
	161	return $ipsecconf{$key}[$field];
	162	}
	163	}
	164	}
	165	sub get_ovpn_n2n_ip
	166	{
	167	my $val=shift;
	168	my $field=shift;
992394d5	169	foreach my $key (sort {$a <=> $b} keys %ccdhost){
2a81ab0d AM	170	if($ccdhost{$key}[1] eq $val){
	171	return $ccdhost{$key}[$field];
	172	}
	173	}
	174	}
	175	sub get_ovpn_host_ip
	176	{
	177	my $val=shift;
	178	my $field=shift;
992394d5	179	foreach my $key (sort {$a <=> $b} keys %ccdhost){
2a81ab0d AM	180	if($ccdhost{$key}[1] eq $val){
	181	return $ccdhost{$key}[$field];
	182	}
	183	}
	184	}
	185	sub get_ovpn_net_ip
	186	{
	187
	188	my $val=shift;
	189	my $field=shift;
992394d5	190	foreach my $key (sort {$a <=> $b} keys %ccdnet){
2a81ab0d AM	191	if($ccdnet{$key}[0] eq $val){
	192	return $ccdnet{$key}[$field];
	193	}
	194	}
	195	}
	196	sub get_grp_ip
	197	{
	198	my $val=shift;
	199	my $src=shift;
992394d5	200	foreach my $key (sort {$a <=> $b} keys %customgrp){
2a81ab0d AM	201	if ($customgrp{$key}[0] eq $val){
	202	&get_address($customgrp{$key}[3],$src);
	203	}
	204	}
	205
	206	}
	207	sub get_std_net_ip
	208	{
	209	my $val=shift;
ddcec9d3	210	my $con=shift;
2a81ab0d AM	211	if ($val eq 'ALL'){
	212	return "0.0.0.0/0.0.0.0";
	213	}elsif($val eq 'GREEN'){
	214	return "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
	215	}elsif($val eq 'ORANGE'){
	216	return "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
	217	}elsif($val eq 'BLUE'){
	218	return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
62fc8511	219	}elsif($val eq 'RED'){
ddcec9d3	220	return "0.0.0.0/0 -o $con";
2a81ab0d AM	221	}elsif($val =~ /OpenVPN/i){
	222	return "$ovpnsettings{'DOVPN_SUBNET'}";
	223	}elsif($val =~ /IPsec/i){
	224	return "$ipsecsettings{'RW_NET'}";
5d7faa45 AM	225	}elsif($val eq 'IPFire'){
5d7faa45 AM	226	return ;
2a81ab0d AM	227	}
	228	}
	229	sub get_net_ip
	230	{
	231	my $val=shift;
992394d5	232	foreach my $key (sort {$a <=> $b} keys %customnetwork){
2a81ab0d AM	233	if($customnetwork{$key}[0] eq $val){
	234	return "$customnetwork{$key}[1]/$customnetwork{$key}[2]";
	235	}
	236	}
	237	}
	238	sub get_host_ip
	239	{
	240	my $val=shift;
	241	my $src=shift;
992394d5	242	foreach my $key (sort {$a <=> $b} keys %customhost){
2a81ab0d AM	243	if($customhost{$key}[0] eq $val){
	244	if ($customhost{$key}[1] eq 'mac' && $src eq 'src'){
	245	return "-m mac --mac-source $customhost{$key}[2]";
	246	}elsif($customhost{$key}[1] eq 'ip' && $src eq 'src'){
	247	return "$customhost{$key}[2]";
	248	}elsif($customhost{$key}[1] eq 'ip' && $src eq 'tgt'){
	249	return "$customhost{$key}[2]";
	250	}elsif($customhost{$key}[1] eq 'mac' && $src eq 'tgt'){
	251	return "none";
	252	}
	253	}
	254	}
	255	}
	256
	257	return 1;