]> git.ipfire.org Git - people/teissler/ipfire-2.x.git/blame - config/forwardfw/rules.pl
projects / people / teissler / ipfire-2.x.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Forward Firewall: Version 0.9.9.2
[people/teissler/ipfire-2.x.git] / config / forwardfw / rules.pl
CommitLineData
2a81ab0d
AM		 1#!/usr/bin/perl
2###############################################################################
3# #
4# IPFire.org - A linux based firewall #
5# Copyright (C) 2012 #
6# #
7# This program is free software: you can redistribute it and/or modify #
8# it under the terms of the GNU General Public License as published by #
9# the Free Software Foundation, either version 3 of the License, or #
10# (at your option) any later version. #
11# #
12# This program is distributed in the hope that it will be useful, #
13# but WITHOUT ANY WARRANTY; without even the implied warranty of #
14# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15# GNU General Public License for more details. #
16# #
17# You should have received a copy of the GNU General Public License #
18# along with this program. If not, see <http://www.gnu.org/licenses/>. #
19# #
20###############################################################################
21# #
22# Hi folks! I hope this code is useful for all. I needed something to handle #
23# my VPN Connections in a comfortable way. #
24# This script builds firewallrules from the webinterface #
25###############################################################################
26
2a81ab0d 27use strict;
472136c9 28use Time::Local;
2a81ab0d
AM		 29no warnings 'uninitialized';
30
31# enable only the following on debugging purpose
32#use warnings;
33#use CGI::Carp 'fatalsToBrowser';
34
35my %fwdfwsettings=();
36my %defaultNetworks=();
37my %configfwdfw=();
38my %color=();
39my %icmptypes=();
40my %ovpnSettings=();
41my %customgrp=();
42our %sourcehash=();
43our %targethash=();
44my @timeframe=();
45my %configinputfw=();
5d7faa45 46my %configoutgoingfw=();
31fef6cc 47my %configdmzfw=();
a6edca5a 48my %confignatfw=();
2a81ab0d
AM		 49my %aliases=();
50my @DPROT=();
36196d0d 51my @p2ps=();
2a81ab0d
AM		 52require '/var/ipfire/general-functions.pl';
53require "${General::swroot}/lang.pl";
54require "${General::swroot}/forward/bin/firewall-lib.pl";
55
31fef6cc 56my $configdmz = "${General::swroot}/forward/dmz";
2a81ab0d
AM		 57my $configfwdfw = "${General::swroot}/forward/config";
58my $configinput = "${General::swroot}/forward/input";
5d7faa45 59my $configoutgoing = "${General::swroot}/forward/outgoing";
a6edca5a 60my $confignat = "${General::swroot}/forward/nat";
36196d0d 61my $p2pfile = "${General::swroot}/forward/p2protocols";
2a81ab0d 62my $configgrp = "${General::swroot}/fwhosts/customgroups";
210ee67b 63my $netsettings = "${General::swroot}/ethernet/settings";
2a81ab0d 64my $errormessage='';
210ee67b
AM		 65my $orange;
66my $green;
6adcf156 67my $blue;
2a81ab0d
AM		 68my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
69my $CHAIN="FORWARDFW";
ddcec9d3 70my $conexists='off';
a6edca5a
AM		 71my $command = 'iptables -A';
72my $dnat='';
73my $snat='';
2a81ab0d 74&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
210ee67b 75&General::readhash("$netsettings", \%defaultNetworks);
31fef6cc 76&General::readhasharray($configdmz, \%configdmzfw);
2a81ab0d
AM		 77&General::readhasharray($configfwdfw, \%configfwdfw);
78&General::readhasharray($configinput, \%configinputfw);
5d7faa45 79&General::readhasharray($configoutgoing, \%configoutgoingfw);
a6edca5a 80&General::readhasharray($confignat, \%confignatfw);
2a81ab0d
AM		 81&General::readhasharray($configgrp, \%customgrp);
82&General::get_aliases(\%aliases);
83
ddcec9d3
AM		 84#check if we have an internetconnection
85open (CONN,"/var/ipfire/red/iface");
86my $con = <CONN>;
87close(CONN);
88if (-f "/var/ipfire/red/active"){
89 $conexists='on';
90}
a6edca5a
AM		 91open (CONN1,"/var/ipfire/red/local-ipaddress");
92my $redip = <CONN1>;
93close(CONN1);
2a81ab0d
AM		 94################################
95# DEBUG/TEST #
96################################
54cb7ff0 97my $MODE=1; # 0 - normal operation
2a81ab0d
AM		 98 # 1 - print configline and rules to console
99 #
100################################
101my $param=shift;
102
103if($param eq 'flush'){
104 if ($MODE eq '1'){
105 print " Flushing chains...\n";
106 }
107 &flush;
108}else{
109 if ($MODE eq '1'){
110 print " Flushing chains...\n";
111 }
112 &flush;
113 if ($MODE eq '1'){
114 print " Preparing rules...\n";
115 }
116 &preparerules;
117 if($MODE eq '0'){
118 if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
af49e367 119 &p2pblock;
5d7faa45 120 system ("/usr/sbin/firewall-policy");
2a81ab0d 121 }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
6adcf156
AM		 122 $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
123 $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
6adcf156
AM		 124 if ($defaultNetworks{'BLUE_DEV'}){
125 $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'});
126 $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}";
127 #set default rules for BLUE
128 system ("iptables -A $CHAIN -s $blue -d $green -j RETURN");
129 }
5b7ed8bb
AM		 130 if ($defaultNetworks{'ORANGE_DEV'}){
131 $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
132 $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
133 #set default rules for DMZ
134 system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
135 if ($defaultNetworks{'BLUE_DEV'}){
136 system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN");
137 }
138 }
6adcf156 139 &p2pblock;
fd10a52c 140 system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
5d7faa45 141 system ("/usr/sbin/firewall-policy");
2a81ab0d
AM		 142 }
143 }
144}
2a81ab0d
AM		 145sub flush
146{
147 system ("iptables -F FORWARDFW");
148 system ("iptables -F INPUTFW");
5d7faa45 149 system ("iptables -F OUTGOINGFW");
28640b73
AM		 150 system ("iptables -F PORTFWACCESS");
151 system ("iptables -t nat -F NAT_DESTINATION");
152 system ("iptables -t nat -F NAT_SOURCE");
2a81ab0d
AM		 153}
154sub preparerules
155{
31fef6cc
AM		 156 if (! -z "${General::swroot}/forward/dmz"){
157 &buildrules(\%configdmzfw);
158 }
2a81ab0d
AM		 159 if (! -z "${General::swroot}/forward/config"){
160 &buildrules(\%configfwdfw);
161 }
162 if (! -z "${General::swroot}/forward/input"){
163 &buildrules(\%configinputfw);
164 }
5d7faa45
AM		 165 if (! -z "${General::swroot}/forward/outgoing"){
166 &buildrules(\%configoutgoingfw);
167 }
a6edca5a
AM		 168 if (! -z "${General::swroot}/forward/nat"){
169 &buildrules(\%confignatfw);
170 }
2a81ab0d
AM		 171}
172sub buildrules
173{
174 my $hash=shift;
b5269091 175 my $STAG;
a6edca5a
AM		 176 my $natip;
177 my $snatport;
178 my $fireport;
bc912c6e 179 my $nat;
992394d5 180 foreach my $key (sort {$a <=> $b} keys %$hash){
ddcec9d3 181 next if ($$hash{$key}[6] eq 'RED' && $conexists eq 'off' );
a6edca5a
AM		 182 if ($$hash{$key}[28] eq 'ON'){
183 $command='iptables -t nat -A';
184 $natip=&get_nat_ip($$hash{$key}[29]);
185 if($$hash{$key}[31] eq 'dnat'){
bc912c6e 186 $nat='DNAT';
a6edca5a
AM		 187 $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0);
188 }else{
bc912c6e 189 $nat='SNAT';
a6edca5a
AM		 190 }
191 }
b5269091 192 $STAG='';
2a81ab0d
AM		 193 if($$hash{$key}[2] eq 'ON'){
194 #get source ip's
195 if ($$hash{$key}[3] eq 'cust_grp_src'){
992394d5 196 foreach my $grp (sort {$a <=> $b} keys %customgrp){
2a81ab0d
AM		 197 if($customgrp{$grp}[0] eq $$hash{$key}[4]){
198 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
199 }
200 }
201 }else{
202 &get_address($$hash{$key}[3],$$hash{$key}[4],"src");
203 }
204 #get target ip's
205 if ($$hash{$key}[5] eq 'cust_grp_tgt'){
992394d5 206 foreach my $grp (sort {$a <=> $b} keys %customgrp){
2a81ab0d
AM		 207 if($customgrp{$grp}[0] eq $$hash{$key}[6]){
208 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
209 }
210 }
211 }elsif($$hash{$key}[5] eq 'ipfire'){
2a81ab0d
AM		 212 if($$hash{$key}[6] eq 'Default IP'){
213 open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
214 $targethash{$key}[0]= <FILE>;
215 close(FILE);
216 }else{
217 foreach my $alias (sort keys %aliases){
218 if ($$hash{$key}[6] eq $alias){
219 $targethash{$key}[0]=$aliases{$alias}{'IPT'};
220 }
221 }
222 }
223 }else{
224 &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
225 }
2a81ab0d
AM		 226 ##get source prot and port
227 $SRC_TGT='SRC';
228 $SPROT = &get_prot($hash,$key);
229 $SPORT = &get_port($hash,$key);
230 $SRC_TGT='';
14f7cb87 231
2a81ab0d
AM		 232 ##get target prot and port
233 $DPROT=&get_prot($hash,$key);
14f7cb87 234
2a81ab0d
AM		 235 if ($DPROT eq ''){$DPROT=' ';}
236 @DPROT=split(",",$DPROT);
14f7cb87 237
2a81ab0d
AM		 238 #get time if defined
239 if($$hash{$key}[18] eq 'ON'){
472136c9
AM		 240 my ($time1,$time2,$daylight);
241 my $daylight=$$hash{$key}[28];
242 $time1=&get_time($$hash{$key}[26],$daylight);
243 $time2=&get_time($$hash{$key}[27],$daylight);
2a81ab0d
AM		 244 if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
245 if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
246 if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
247 if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
248 if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
249 if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
250 if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
251 $TIME=join(",",@timeframe);
472136c9
AM		 252
253 $TIMEFROM="--timestart $time1 ";
254 $TIMETILL="--timestop $time2 ";
a0f267b9 255 $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
2a81ab0d 256 }
2a81ab0d
AM		 257 if ($MODE eq '1'){
258 print "NR:$key ";
259 foreach my $i (0 .. $#{$$hash{$key}}){
260 print "$i: $$hash{$key}[$i] ";
261 }
262 print "\n";
263 print"##################################\n";
264 #print rules to console
2a81ab0d
AM		 265 foreach my $DPROT (@DPROT){
266 $DPORT = &get_port($hash,$key,$DPROT);
267 if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
268 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
269 foreach my $a (sort keys %sourcehash){
270 foreach my $b (sort keys %targethash){
d7dc9718 271 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
2a81ab0d 272 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
5d7faa45 273 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
8cb1afc8
AM		 274 if(substr($DPORT, 2, 4) eq 'icmp'){
275 my @icmprule= split(",",substr($DPORT, 12,));
276 foreach (@icmprule){
277 if ($$hash{$key}[17] eq 'ON'){
a6edca5a 278 print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n";
8cb1afc8 279 }
a6edca5a 280 print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n";
8cb1afc8 281 }
a6edca5a 282 }elsif($$hash{$key}[28] ne 'ON'){
8cb1afc8 283 if ($$hash{$key}[17] eq 'ON'){
a6edca5a 284 print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
8cb1afc8 285 }
a6edca5a 286 print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
28640b73
AM		 287 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
288 if ($$hash{$key}[17] eq 'ON'){
289 print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
290 }
28640b73 291 my ($ip,$sub) =split("/",$targethash{$b}[0]);
bc912c6e 292 print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
829697d0
AM		 293 $DPORT =~ s/\-/:/g;
294 my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);
bc912c6e 295 print "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
a6edca5a 296 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[32] eq 'snat'){
bc912c6e 297 print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip$fireport\n";
2a81ab0d 298 }
2a81ab0d
AM		 299 }
300 }
301 }
302 }
303 print"\n";
304 }
2a81ab0d
AM		 305 }elsif($MODE eq '0'){
306 foreach my $DPROT (@DPROT){
307 $DPORT = &get_port($hash,$key,$DPROT);
308 if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
309 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
310 foreach my $a (sort keys %sourcehash){
311 foreach my $b (sort keys %targethash){
d7dc9718 312 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
2a81ab0d 313 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
5d7faa45 314 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
8cb1afc8
AM		 315 if(substr($DPORT, 2, 4) eq 'icmp'){
316 my @icmprule= split(",",substr($DPORT, 12,));
317 foreach (@icmprule){
318 if ($$hash{$key}[17] eq 'ON'){
a6edca5a 319 system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG");
8cb1afc8 320 }
a6edca5a
AM		 321 system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]");
322 }
323 }elsif($$hash{$key}[28] ne 'ON'){
324 if ($$hash{$key}[17] eq 'ON'){
325 system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
326 }
327 system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
328 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
329 if ($$hash{$key}[17] eq 'ON'){
330 system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
8cb1afc8 331 }
a6edca5a 332 my ($ip,$sub) =split("/",$targethash{$b}[0]);
bc912c6e 333 system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
829697d0
AM		 334 $DPORT =~ s/\-/:/g;
335 my $fwaccessdport="--dport ".substr($DPORT,1,) if ($DPORT);
bc912c6e 336 system "iptables -A PORTFWACCESS $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
829697d0 337
a6edca5a 338 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
8cb1afc8 339 if ($$hash{$key}[17] eq 'ON'){
a6edca5a 340 system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT '\n";
8cb1afc8 341 }
bc912c6e 342 system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip$fireport\n";
2a81ab0d 343 }
2a81ab0d
AM		 344 }
345 }
346 }
347 }
2a81ab0d
AM		 348 }
349 }
350 }
351 %sourcehash=();
352 %targethash=();
353 undef $TIME;
354 undef $TIMEFROM;
355 undef $TIMETILL;
a6edca5a 356 undef $fireport;
2a81ab0d
AM		 357 }
358}
a6edca5a
AM		 359sub get_nat_ip
360{
361 my $val=shift;
362 my $result;
363 if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){
364 $result=$defaultNetworks{$val.'_ADDRESS'};
365 }elsif($val eq 'ALL'){
366 $result='-i '.$con;
367 }elsif($val eq 'Default IP'){
368 $result='-d '.$redip;
369 }else{
370 foreach my $al (sort keys %aliases){
371 if($val eq $al){
372 $result='-d '.$aliases{$al}{'IPT'};
373 }
374 }
375 }
376 return $result;
377}
472136c9
AM		 378sub get_time
379{
380 my $val=shift;
381 my $val1=shift;
382 my $time;
383 my $minutes;
384 my $ruletime;
385 $minutes = &utcmin($val);
386 $ruletime = $minutes + &time_get_utc($val);
387 if ($ruletime < 0){$ruletime +=1440;}
388 if ($ruletime > 1440){$ruletime -=1440;}
389 $time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60;
390 return $time;
391}
392sub time_get_utc
393{
394 # Calculates the UTCtime from a given time
395 my $val=shift;
396 my @localtime=localtime(time);
397 my @gmtime=gmtime(time);
398 my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60);
399 return $diff;
400}
401sub utcmin
402{
403 my $ruletime=shift;
404 my ($hrs,$min) = split(":",$ruletime);
405 my $newtime = $hrs*60+$min;
406 return $newtime;
407}
36196d0d
AM		 408sub p2pblock
409{
410 my $P2PSTRING;
411 my $DO;
412 open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
413 @p2ps = <FILE>;
414 close FILE;
415 my $CMD = "-m ipp2p";
416 foreach my $p2pentry (sort @p2ps) {
417 my @p2pline = split( /\;/, $p2pentry );
8d1beadc
AM		 418 if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
419 $DO = "ACCEPT";
5238a871 420 if ("$p2pline[2]" eq "on") {
36196d0d
AM		 421 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
422 }
8d1beadc 423 }else {
36196d0d 424 $DO = "RETURN";
5238a871 425 if ("$p2pline[2]" eq "off") {
36196d0d
AM		 426 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
427 }
428 }
429 }
430 if ($MODE eq 1){
431 if($P2PSTRING){
432 print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
433 }
434 }else{
435 if($P2PSTRING){
436 system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO");
437 }
438 }
439}
2a81ab0d
AM		 440sub get_address
441{
442 my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
443 my $base2=shift;
444 my $type=shift; #src or tgt
445 my $hash;
446 if ($type eq 'src'){
447 $hash=\%sourcehash;
448 }else{
449 $hash=\%targethash;
450 }
451 my $key = &General::findhasharraykey($hash);
452 if($base eq 'src_addr' || $base eq 'tgt_addr' ){
b5269091
AM		 453 if (&General::validmac($base2)){
454 $$hash{$key}[0] = "-m mac --mac-source $base2";
455 }else{
456 $$hash{$key}[0] = $base2;
457 }
2a81ab0d 458 }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
ddcec9d3 459 $$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con);
2a81ab0d
AM		 460 }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
461 $$hash{$key}[0]=&fwlib::get_net_ip($base2);
462 }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){
463 $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
464 }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){
465 $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
466 }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){
467 $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
468 }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){
469 $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,27);
470 }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
471 $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
472 }
473}
474sub get_prot
475{
476 my $hash=shift;
477 my $key=shift;
478 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
479 if ($$hash{$key}[10] ne ''){
480 return"$$hash{$key}[8]";
481 }elsif($$hash{$key}[9] ne ''){
482 return"$$hash{$key}[8]";
483 }else{
484 return "$$hash{$key}[8]";
485 }
486 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
487 if ($$hash{$key}[14] eq 'TGT_PORT'){
488 if ($$hash{$key}[15] ne ''){
489 return "$$hash{$key}[12]";
490 }elsif($$hash{$key}[13] ne ''){
491 return "$$hash{$key}[12]";
492 }else{
493 return "$$hash{$key}[12]";
494 }
495 }elsif($$hash{$key}[14] eq 'cust_srv'){
496 return &fwlib::get_srv_prot($$hash{$key}[15]);
497
498 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
499 return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
500 }
501 }
502}
503sub get_port
504{
505 my $hash=shift;
506 my $key=shift;
507 my $prot=shift;
508 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
509 if ($$hash{$key}[10] ne ''){
8f0b047b 510 $$hash{$key}[10] =~ s/\|/,/g;
93a5f4a5
AM		 511 if(index($$hash{$key}[10],",") > 0){
512 return "-m multiport --sport $$hash{$key}[10] ";
513 }else{
a6edca5a
AM		 514 if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){
515 return "--sport $$hash{$key}[10] ";
516 }else{
517 return ":$$hash{$key}[10]";
518 }
93a5f4a5 519 }
62fc8511 520 }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
2a81ab0d 521 return "--icmp-type $$hash{$key}[9] ";
62fc8511
AM		 522 }elsif($$hash{$key}[9] eq 'All ICMP-Types'){
523 return;
2a81ab0d
AM		 524 }
525 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
2a81ab0d
AM		 526 if($$hash{$key}[14] eq 'TGT_PORT'){
527 if ($$hash{$key}[15] ne ''){
8f0b047b 528 $$hash{$key}[15] =~ s/\|/,/g;
93a5f4a5
AM		 529 if(index($$hash{$key}[15],",") > 0){
530 return "-m multiport --dport $$hash{$key}[15] ";
531 }else{
a6edca5a
AM		 532 if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){
533 return "--dport $$hash{$key}[15] ";
534 }else{
829697d0 535 $$hash{$key}[15] =~ s/\:/-/g;
a6edca5a
AM		 536 return ":$$hash{$key}[15]";
537 }
93a5f4a5 538 }
2a81ab0d
AM		 539 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
540 return "--icmp-type $$hash{$key}[13] ";
541 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){
542 return;
543 }
544 }elsif($$hash{$key}[14] eq 'cust_srv'){
545 if ($prot ne 'ICMP'){
6be32fe5
AM		 546 if($$hash{$key}[31] eq 'dnat'){
547 return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
548 }else{
549 return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
550 }
2a81ab0d
AM		 551 }elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){
552 return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
553 }elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){
554 return;
555 }
556 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
557 if ($prot ne 'ICMP'){
558 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
559 }
560 elsif($prot eq 'ICMP'){
561 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
562 }
2a81ab0d
AM		 563 }
564 }
565}
Timo's tree of IPFire 2.x