]> git.ipfire.org Git - people/teissler/ipfire-2.x.git/blame - config/forwardfw/rules.pl
projects / people / teissler / ipfire-2.x.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Forward Firewall: removed NAT table and txt file.
[people/teissler/ipfire-2.x.git] / config / forwardfw / rules.pl
CommitLineData
2a81ab0d
AM		 1#!/usr/bin/perl
2###############################################################################
3# #
4# IPFire.org - A linux based firewall #
5# Copyright (C) 2012 #
6# #
7# This program is free software: you can redistribute it and/or modify #
8# it under the terms of the GNU General Public License as published by #
9# the Free Software Foundation, either version 3 of the License, or #
10# (at your option) any later version. #
11# #
12# This program is distributed in the hope that it will be useful, #
13# but WITHOUT ANY WARRANTY; without even the implied warranty of #
14# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15# GNU General Public License for more details. #
16# #
17# You should have received a copy of the GNU General Public License #
18# along with this program. If not, see <http://www.gnu.org/licenses/>. #
19# #
20###############################################################################
21# #
22# Hi folks! I hope this code is useful for all. I needed something to handle #
23# my VPN Connections in a comfortable way. #
24# This script builds firewallrules from the webinterface #
25###############################################################################
26
2a81ab0d 27use strict;
472136c9 28use Time::Local;
2a81ab0d
AM		 29no warnings 'uninitialized';
30
31# enable only the following on debugging purpose
32#use warnings;
33#use CGI::Carp 'fatalsToBrowser';
34
35my %fwdfwsettings=();
36my %defaultNetworks=();
37my %configfwdfw=();
38my %color=();
39my %icmptypes=();
40my %ovpnSettings=();
41my %customgrp=();
42our %sourcehash=();
43our %targethash=();
44my @timeframe=();
45my %configinputfw=();
5d7faa45 46my %configoutgoingfw=();
a6edca5a 47my %confignatfw=();
2a81ab0d
AM		 48my %aliases=();
49my @DPROT=();
36196d0d 50my @p2ps=();
2a81ab0d
AM		 51require '/var/ipfire/general-functions.pl';
52require "${General::swroot}/lang.pl";
53require "${General::swroot}/forward/bin/firewall-lib.pl";
54
55my $configfwdfw = "${General::swroot}/forward/config";
56my $configinput = "${General::swroot}/forward/input";
5d7faa45 57my $configoutgoing = "${General::swroot}/forward/outgoing";
a6edca5a 58my $confignat = "${General::swroot}/forward/nat";
36196d0d 59my $p2pfile = "${General::swroot}/forward/p2protocols";
2a81ab0d 60my $configgrp = "${General::swroot}/fwhosts/customgroups";
210ee67b 61my $netsettings = "${General::swroot}/ethernet/settings";
2a81ab0d 62my $errormessage='';
210ee67b
AM		 63my $orange;
64my $green;
6adcf156 65my $blue;
2a81ab0d
AM		 66my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
67my $CHAIN="FORWARDFW";
ddcec9d3 68my $conexists='off';
a6edca5a
AM		 69my $command = 'iptables -A';
70my $dnat='';
71my $snat='';
2a81ab0d 72&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
210ee67b 73&General::readhash("$netsettings", \%defaultNetworks);
2a81ab0d
AM		 74&General::readhasharray($configfwdfw, \%configfwdfw);
75&General::readhasharray($configinput, \%configinputfw);
5d7faa45 76&General::readhasharray($configoutgoing, \%configoutgoingfw);
a6edca5a 77&General::readhasharray($confignat, \%confignatfw);
2a81ab0d
AM		 78&General::readhasharray($configgrp, \%customgrp);
79&General::get_aliases(\%aliases);
80
ddcec9d3
AM		 81#check if we have an internetconnection
82open (CONN,"/var/ipfire/red/iface");
83my $con = <CONN>;
84close(CONN);
85if (-f "/var/ipfire/red/active"){
86 $conexists='on';
87}
a6edca5a
AM		 88open (CONN1,"/var/ipfire/red/local-ipaddress");
89my $redip = <CONN1>;
90close(CONN1);
2a81ab0d
AM		 91################################
92# DEBUG/TEST #
93################################
54cb7ff0 94my $MODE=1; # 0 - normal operation
2a81ab0d
AM		 95 # 1 - print configline and rules to console
96 #
97################################
98my $param=shift;
99
100if($param eq 'flush'){
101 if ($MODE eq '1'){
102 print " Flushing chains...\n";
103 }
104 &flush;
105}else{
106 if ($MODE eq '1'){
107 print " Flushing chains...\n";
108 }
109 &flush;
110 if ($MODE eq '1'){
111 print " Preparing rules...\n";
112 }
113 &preparerules;
114 if($MODE eq '0'){
115 if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
af49e367 116 &p2pblock;
5d7faa45 117 system ("/usr/sbin/firewall-policy");
2a81ab0d 118 }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
6adcf156
AM		 119 $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
120 $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
6adcf156
AM		 121 if ($defaultNetworks{'BLUE_DEV'}){
122 $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'});
123 $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}";
124 #set default rules for BLUE
125 system ("iptables -A $CHAIN -s $blue -d $green -j RETURN");
126 }
5b7ed8bb
AM		 127 if ($defaultNetworks{'ORANGE_DEV'}){
128 $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
129 $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
130 #set default rules for DMZ
131 system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
132 if ($defaultNetworks{'BLUE_DEV'}){
133 system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN");
134 }
135 }
6adcf156 136 &p2pblock;
fd10a52c 137 system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
5d7faa45 138 system ("/usr/sbin/firewall-policy");
674f4e9d 139 system ("/etc/sysconfig/firewall.local reload");
2a81ab0d
AM		 140 }
141 }
142}
2a81ab0d
AM		 143sub flush
144{
145 system ("iptables -F FORWARDFW");
146 system ("iptables -F INPUTFW");
5d7faa45 147 system ("iptables -F OUTGOINGFW");
28640b73
AM		 148 system ("iptables -F PORTFWACCESS");
149 system ("iptables -t nat -F NAT_DESTINATION");
150 system ("iptables -t nat -F NAT_SOURCE");
2a81ab0d
AM		 151}
152sub preparerules
153{
154 if (! -z "${General::swroot}/forward/config"){
155 &buildrules(\%configfwdfw);
156 }
157 if (! -z "${General::swroot}/forward/input"){
158 &buildrules(\%configinputfw);
159 }
5d7faa45
AM		 160 if (! -z "${General::swroot}/forward/outgoing"){
161 &buildrules(\%configoutgoingfw);
162 }
a6edca5a
AM		 163 if (! -z "${General::swroot}/forward/nat"){
164 &buildrules(\%confignatfw);
165 }
2a81ab0d
AM		 166}
167sub buildrules
168{
169 my $hash=shift;
b5269091 170 my $STAG;
a6edca5a
AM		 171 my $natip;
172 my $snatport;
173 my $fireport;
bc912c6e 174 my $nat;
98cee89f 175 my $fwaccessdport;
c12392c0 176 my $natchain;
992394d5 177 foreach my $key (sort {$a <=> $b} keys %$hash){
ff4770c7 178 next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' );
a6edca5a
AM		 179 if ($$hash{$key}[28] eq 'ON'){
180 $command='iptables -t nat -A';
08e1c65d 181 $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]);
a6edca5a 182 if($$hash{$key}[31] eq 'dnat'){
bc912c6e 183 $nat='DNAT';
98cee89f
AM		 184 if ($$hash{$key}[30] =~ /\|/){
185 $$hash{$key}[30]=~ tr/|/,/;
186 $fireport='-m multiport --dport '.$$hash{$key}[30];
187 }else{
188 $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0);
189 }
a6edca5a 190 }else{
bc912c6e 191 $nat='SNAT';
a6edca5a
AM		 192 }
193 }
b5269091 194 $STAG='';
2a81ab0d
AM		 195 if($$hash{$key}[2] eq 'ON'){
196 #get source ip's
197 if ($$hash{$key}[3] eq 'cust_grp_src'){
992394d5 198 foreach my $grp (sort {$a <=> $b} keys %customgrp){
2a81ab0d
AM		 199 if($customgrp{$grp}[0] eq $$hash{$key}[4]){
200 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
201 }
202 }
203 }else{
204 &get_address($$hash{$key}[3],$$hash{$key}[4],"src");
205 }
206 #get target ip's
207 if ($$hash{$key}[5] eq 'cust_grp_tgt'){
992394d5 208 foreach my $grp (sort {$a <=> $b} keys %customgrp){
2a81ab0d
AM		 209 if($customgrp{$grp}[0] eq $$hash{$key}[6]){
210 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
211 }
212 }
213 }elsif($$hash{$key}[5] eq 'ipfire'){
05d4f131
AM		 214 if($$hash{$key}[6] eq 'GREEN'){
215 $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
216 }
217 if($$hash{$key}[6] eq 'BLUE'){
218 $targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
219 }
220 if($$hash{$key}[6] eq 'ORANGE'){
221 $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
222 }
8762442c
AM		 223 if($$hash{$key}[6] eq 'ALL'){
224 $targethash{$key}[0]='0.0.0.0/0';
225 }
690b0bd7 226 if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){
ff4770c7 227 open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress";
2a81ab0d
AM		 228 $targethash{$key}[0]= <FILE>;
229 close(FILE);
230 }else{
231 foreach my $alias (sort keys %aliases){
232 if ($$hash{$key}[6] eq $alias){
233 $targethash{$key}[0]=$aliases{$alias}{'IPT'};
234 }
235 }
236 }
237 }else{
238 &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
239 }
2a81ab0d
AM		 240 ##get source prot and port
241 $SRC_TGT='SRC';
242 $SPROT = &get_prot($hash,$key);
243 $SPORT = &get_port($hash,$key);
244 $SRC_TGT='';
14f7cb87 245
2a81ab0d
AM		 246 ##get target prot and port
247 $DPROT=&get_prot($hash,$key);
14f7cb87 248
2a81ab0d
AM		 249 if ($DPROT eq ''){$DPROT=' ';}
250 @DPROT=split(",",$DPROT);
14f7cb87 251
2a81ab0d
AM		 252 #get time if defined
253 if($$hash{$key}[18] eq 'ON'){
472136c9
AM		 254 my ($time1,$time2,$daylight);
255 my $daylight=$$hash{$key}[28];
256 $time1=&get_time($$hash{$key}[26],$daylight);
257 $time2=&get_time($$hash{$key}[27],$daylight);
2a81ab0d
AM		 258 if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
259 if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
260 if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
261 if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
262 if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
263 if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
264 if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
265 $TIME=join(",",@timeframe);
472136c9
AM		 266
267 $TIMEFROM="--timestart $time1 ";
268 $TIMETILL="--timestop $time2 ";
a0f267b9 269 $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
2a81ab0d 270 }
2a81ab0d
AM		 271 if ($MODE eq '1'){
272 print "NR:$key ";
273 foreach my $i (0 .. $#{$$hash{$key}}){
274 print "$i: $$hash{$key}[$i] ";
275 }
276 print "\n";
277 print"##################################\n";
278 #print rules to console
2a81ab0d
AM		 279 foreach my $DPROT (@DPROT){
280 $DPORT = &get_port($hash,$key,$DPROT);
281 if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
282 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
283 foreach my $a (sort keys %sourcehash){
284 foreach my $b (sort keys %targethash){
d7dc9718 285 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
2a81ab0d 286 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
5d7faa45 287 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
8cb1afc8
AM		 288 if(substr($DPORT, 2, 4) eq 'icmp'){
289 my @icmprule= split(",",substr($DPORT, 12,));
290 foreach (@icmprule){
291 if ($$hash{$key}[17] eq 'ON'){
a6edca5a 292 print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n";
8cb1afc8 293 }
a6edca5a 294 print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n";
8cb1afc8 295 }
28640b73 296 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
c12392c0 297 $natchain='NAT_DESTINATION';
28640b73 298 if ($$hash{$key}[17] eq 'ON'){
c12392c0 299 print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
28640b73 300 }
28640b73 301 my ($ip,$sub) =split("/",$targethash{$b}[0]);
c12392c0 302 print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
829697d0 303 $DPORT =~ s/\-/:/g;
98cee89f
AM		 304 if ($DPORT){
305 $fwaccessdport="--dport ".substr($DPORT,1,);
306 }elsif(! $DPORT && $$hash{$key}[30] ne ''){
307 if ($$hash{$key}[30]=~m/|/i){
308 $$hash{$key}[30] =~ s/\|/,/g;
309 $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
310 }else{
311 $fwaccessdport="--dport $$hash{$key}[30]";
312 }
313 }
c12392c0
AM		 314 print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
315 next;
08e1c65d 316 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
c12392c0
AM		 317 $natchain='NAT_SOURCE';
318 print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
2a81ab0d 319 }
c12392c0
AM		 320 if ($$hash{$key}[17] eq 'ON'){
321 print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
322 }
323 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
2a81ab0d
AM		 324 }
325 }
326 }
327 }
328 print"\n";
329 }
2a81ab0d
AM		 330 }elsif($MODE eq '0'){
331 foreach my $DPROT (@DPROT){
332 $DPORT = &get_port($hash,$key,$DPROT);
333 if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
334 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
335 foreach my $a (sort keys %sourcehash){
336 foreach my $b (sort keys %targethash){
d7dc9718 337 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
2a81ab0d 338 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
5d7faa45 339 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
8cb1afc8
AM		 340 if(substr($DPORT, 2, 4) eq 'icmp'){
341 my @icmprule= split(",",substr($DPORT, 12,));
342 foreach (@icmprule){
343 if ($$hash{$key}[17] eq 'ON'){
a6edca5a 344 system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG");
8cb1afc8 345 }
a6edca5a
AM		 346 system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]");
347 }
a6edca5a 348 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
c12392c0 349 $natchain='NAT_DESTINATION';
a6edca5a 350 if ($$hash{$key}[17] eq 'ON'){
c12392c0 351 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
8cb1afc8 352 }
a6edca5a 353 my ($ip,$sub) =split("/",$targethash{$b}[0]);
c12392c0 354 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
829697d0 355 $DPORT =~ s/\-/:/g;
98cee89f
AM		 356 if ($DPORT){
357 $fwaccessdport="--dport ".substr($DPORT,1,);
358 }elsif(! $DPORT && $$hash{$key}[30] ne ''){
359 if ($$hash{$key}[30]=~m/|/i){
360 $$hash{$key}[30] =~ s/\|/,/g;
361 $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
362 }else{
363 $fwaccessdport="--dport $$hash{$key}[30]";
364 }
365 }
c12392c0
AM		 366 system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
367 next;
a6edca5a 368 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
c12392c0
AM		 369 $natchain='NAT_SOURCE';
370 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
371 }
372 if ($$hash{$key}[17] eq 'ON'){
373 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
2a81ab0d 374 }
c12392c0 375 system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
2a81ab0d
AM		 376 }
377 }
378 }
379 }
2a81ab0d
AM		 380 }
381 }
382 }
383 %sourcehash=();
384 %targethash=();
385 undef $TIME;
386 undef $TIMEFROM;
387 undef $TIMETILL;
a6edca5a 388 undef $fireport;
2a81ab0d
AM		 389 }
390}
a6edca5a
AM		 391sub get_nat_ip
392{
393 my $val=shift;
08e1c65d 394 my $type=shift;
a6edca5a
AM		 395 my $result;
396 if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){
397 $result=$defaultNetworks{$val.'_ADDRESS'};
398 }elsif($val eq 'ALL'){
399 $result='-i '.$con;
08e1c65d 400 }elsif($val eq 'Default IP' && $type eq 'dnat'){
a6edca5a 401 $result='-d '.$redip;
08e1c65d
AM		 402 }elsif($val eq 'Default IP' && $type eq 'snat'){
403 $result=$redip;
a6edca5a
AM		 404 }else{
405 foreach my $al (sort keys %aliases){
08e1c65d 406 if($val eq $al && $type eq 'dnat'){
a6edca5a 407 $result='-d '.$aliases{$al}{'IPT'};
08e1c65d
AM		 408 }elsif($val eq $al && $type eq 'snat'){
409 $result=$aliases{$al}{'IPT'};
a6edca5a
AM		 410 }
411 }
412 }
413 return $result;
414}
472136c9
AM		 415sub get_time
416{
417 my $val=shift;
418 my $val1=shift;
419 my $time;
420 my $minutes;
421 my $ruletime;
422 $minutes = &utcmin($val);
423 $ruletime = $minutes + &time_get_utc($val);
424 if ($ruletime < 0){$ruletime +=1440;}
425 if ($ruletime > 1440){$ruletime -=1440;}
426 $time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60;
427 return $time;
428}
429sub time_get_utc
430{
431 # Calculates the UTCtime from a given time
432 my $val=shift;
433 my @localtime=localtime(time);
434 my @gmtime=gmtime(time);
435 my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60);
436 return $diff;
437}
438sub utcmin
439{
440 my $ruletime=shift;
441 my ($hrs,$min) = split(":",$ruletime);
442 my $newtime = $hrs*60+$min;
443 return $newtime;
444}
36196d0d
AM		 445sub p2pblock
446{
447 my $P2PSTRING;
448 my $DO;
449 open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
450 @p2ps = <FILE>;
451 close FILE;
452 my $CMD = "-m ipp2p";
453 foreach my $p2pentry (sort @p2ps) {
454 my @p2pline = split( /\;/, $p2pentry );
8d1beadc
AM		 455 if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
456 $DO = "ACCEPT";
5238a871 457 if ("$p2pline[2]" eq "on") {
36196d0d
AM		 458 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
459 }
8d1beadc 460 }else {
36196d0d 461 $DO = "RETURN";
5238a871 462 if ("$p2pline[2]" eq "off") {
36196d0d
AM		 463 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
464 }
465 }
466 }
467 if ($MODE eq 1){
468 if($P2PSTRING){
469 print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
470 }
471 }else{
472 if($P2PSTRING){
473 system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO");
474 }
475 }
476}
2a81ab0d
AM		 477sub get_address
478{
479 my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
480 my $base2=shift;
481 my $type=shift; #src or tgt
482 my $hash;
483 if ($type eq 'src'){
484 $hash=\%sourcehash;
485 }else{
486 $hash=\%targethash;
487 }
488 my $key = &General::findhasharraykey($hash);
489 if($base eq 'src_addr' || $base eq 'tgt_addr' ){
b5269091
AM		 490 if (&General::validmac($base2)){
491 $$hash{$key}[0] = "-m mac --mac-source $base2";
492 }else{
493 $$hash{$key}[0] = $base2;
494 }
2a81ab0d 495 }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
ddcec9d3 496 $$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con);
2a81ab0d
AM		 497 }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
498 $$hash{$key}[0]=&fwlib::get_net_ip($base2);
499 }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){
500 $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
501 }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){
502 $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
503 }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){
504 $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
505 }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){
6fab5bca 506 $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11);
2a81ab0d
AM		 507 }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
508 $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
509 }
510}
511sub get_prot
512{
513 my $hash=shift;
514 my $key=shift;
515 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
516 if ($$hash{$key}[10] ne ''){
517 return"$$hash{$key}[8]";
518 }elsif($$hash{$key}[9] ne ''){
519 return"$$hash{$key}[8]";
520 }else{
521 return "$$hash{$key}[8]";
522 }
523 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
524 if ($$hash{$key}[14] eq 'TGT_PORT'){
525 if ($$hash{$key}[15] ne ''){
526 return "$$hash{$key}[12]";
527 }elsif($$hash{$key}[13] ne ''){
528 return "$$hash{$key}[12]";
529 }else{
530 return "$$hash{$key}[12]";
531 }
532 }elsif($$hash{$key}[14] eq 'cust_srv'){
533 return &fwlib::get_srv_prot($$hash{$key}[15]);
534
535 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
536 return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
537 }
538 }
98cee89f
AM		 539 #DNAT
540 if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){
541 return "$$hash{$key}[12]";
542 }
2a81ab0d
AM		 543}
544sub get_port
545{
546 my $hash=shift;
547 my $key=shift;
548 my $prot=shift;
549 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
550 if ($$hash{$key}[10] ne ''){
8f0b047b 551 $$hash{$key}[10] =~ s/\|/,/g;
93a5f4a5
AM		 552 if(index($$hash{$key}[10],",") > 0){
553 return "-m multiport --sport $$hash{$key}[10] ";
554 }else{
a6edca5a
AM		 555 if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){
556 return "--sport $$hash{$key}[10] ";
557 }else{
558 return ":$$hash{$key}[10]";
559 }
93a5f4a5 560 }
62fc8511 561 }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
2a81ab0d 562 return "--icmp-type $$hash{$key}[9] ";
62fc8511
AM		 563 }elsif($$hash{$key}[9] eq 'All ICMP-Types'){
564 return;
2a81ab0d
AM		 565 }
566 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
2a81ab0d
AM		 567 if($$hash{$key}[14] eq 'TGT_PORT'){
568 if ($$hash{$key}[15] ne ''){
8f0b047b 569 $$hash{$key}[15] =~ s/\|/,/g;
93a5f4a5
AM		 570 if(index($$hash{$key}[15],",") > 0){
571 return "-m multiport --dport $$hash{$key}[15] ";
572 }else{
a6edca5a
AM		 573 if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){
574 return "--dport $$hash{$key}[15] ";
575 }else{
829697d0 576 $$hash{$key}[15] =~ s/\:/-/g;
a6edca5a
AM		 577 return ":$$hash{$key}[15]";
578 }
93a5f4a5 579 }
2a81ab0d
AM		 580 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
581 return "--icmp-type $$hash{$key}[13] ";
582 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){
583 return;
584 }
585 }elsif($$hash{$key}[14] eq 'cust_srv'){
586 if ($prot ne 'ICMP'){
6be32fe5
AM		 587 if($$hash{$key}[31] eq 'dnat'){
588 return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
589 }else{
590 return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
591 }
2a81ab0d
AM		 592 }elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){
593 return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
594 }elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){
595 return;
596 }
597 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
598 if ($prot ne 'ICMP'){
599 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
600 }
601 elsif($prot eq 'ICMP'){
602 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
603 }
2a81ab0d
AM		 604 }
605 }
606}
Timo's tree of IPFire 2.x