]>
Commit | Line | Data |
---|---|---|
1 | #!/usr/bin/perl | |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
5 | # Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> # | |
6 | # # | |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
22 | use strict; | |
23 | no warnings 'uninitialized'; | |
24 | ||
25 | package fwlib; | |
26 | ||
27 | my %customnetwork=(); | |
28 | my %customhost=(); | |
29 | my %customgrp=(); | |
30 | my %customservice=(); | |
31 | my %customservicegrp=(); | |
32 | my %ccdnet=(); | |
33 | my %ccdhost=(); | |
34 | my %ipsecconf=(); | |
35 | my %ipsecsettings=(); | |
36 | my %netsettings=(); | |
37 | my %ovpnsettings=(); | |
38 | my %defaultNetworks=(); | |
39 | my %aliases=(); | |
40 | ||
41 | require '/var/ipfire/general-functions.pl'; | |
42 | ||
43 | my $confignet = "${General::swroot}/fwhosts/customnetworks"; | |
44 | my $confighost = "${General::swroot}/fwhosts/customhosts"; | |
45 | my $configgrp = "${General::swroot}/fwhosts/customgroups"; | |
46 | my $configsrv = "${General::swroot}/fwhosts/customservices"; | |
47 | my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp"; | |
48 | my $configccdnet = "${General::swroot}/ovpn/ccd.conf"; | |
49 | my $configccdhost = "${General::swroot}/ovpn/ovpnconfig"; | |
50 | my $configipsec = "${General::swroot}/vpn/config"; | |
51 | my $configovpn = "${General::swroot}/ovpn/settings"; | |
52 | my $val; | |
53 | my $field; | |
54 | ||
55 | &General::readhash("/var/ipfire/ethernet/settings", \%netsettings); | |
56 | &General::readhash("${General::swroot}/ovpn/settings", \%ovpnsettings); | |
57 | &General::readhash("${General::swroot}/vpn/settings", \%ipsecsettings); | |
58 | ||
59 | ||
60 | &General::readhasharray("$confignet", \%customnetwork); | |
61 | &General::readhasharray("$confighost", \%customhost); | |
62 | &General::readhasharray("$configgrp", \%customgrp); | |
63 | &General::readhasharray("$configccdnet", \%ccdnet); | |
64 | &General::readhasharray("$configccdhost", \%ccdhost); | |
65 | &General::readhasharray("$configipsec", \%ipsecconf); | |
66 | &General::readhasharray("$configsrv", \%customservice); | |
67 | &General::readhasharray("$configsrvgrp", \%customservicegrp); | |
68 | ||
69 | sub get_srv_prot | |
70 | { | |
71 | my $val=shift; | |
72 | foreach my $key (sort {$a <=> $b} keys %customservice){ | |
73 | if($customservice{$key}[0] eq $val){ | |
74 | if ($customservice{$key}[0] eq $val){ | |
75 | return $customservice{$key}[2]; | |
76 | } | |
77 | } | |
78 | } | |
79 | } | |
80 | sub get_srvgrp_prot | |
81 | { | |
82 | my $val=shift; | |
83 | my @ips=(); | |
84 | my $tcp; | |
85 | my $udp; | |
86 | my $icmp; | |
87 | foreach my $key (sort {$a <=> $b} keys %customservicegrp){ | |
88 | if($customservicegrp{$key}[0] eq $val){ | |
89 | if (&get_srv_prot($customservicegrp{$key}[2]) eq 'TCP'){ | |
90 | $tcp=1; | |
91 | }elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'UDP'){ | |
92 | $udp=1; | |
93 | }elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'ICMP'){ | |
94 | $icmp=1; | |
95 | }else{ | |
96 | #Protocols used in servicegroups | |
97 | push (@ips,$customservicegrp{$key}[2]); | |
98 | } | |
99 | } | |
100 | } | |
101 | if ($tcp eq '1'){push (@ips,'TCP');} | |
102 | if ($udp eq '1'){push (@ips,'UDP');} | |
103 | if ($icmp eq '1'){push (@ips,'ICMP');} | |
104 | my $back=join(",",@ips); | |
105 | return $back; | |
106 | ||
107 | } | |
108 | sub get_srv_port | |
109 | { | |
110 | my $val=shift; | |
111 | my $field=shift; | |
112 | my $prot=shift; | |
113 | foreach my $key (sort {$a <=> $b} keys %customservice){ | |
114 | if($customservice{$key}[0] eq $val && $customservice{$key}[2] eq $prot){ | |
115 | return $customservice{$key}[$field]; | |
116 | } | |
117 | } | |
118 | } | |
119 | sub get_srvgrp_port | |
120 | { | |
121 | my $val=shift; | |
122 | my $prot=shift; | |
123 | my $back; | |
124 | my $value; | |
125 | my @ips=(); | |
126 | foreach my $key (sort {$a <=> $b} keys %customservicegrp){ | |
127 | if($customservicegrp{$key}[0] eq $val){ | |
128 | if ($prot ne 'ICMP'){ | |
129 | $value=&get_srv_port($customservicegrp{$key}[2],1,$prot); | |
130 | }elsif ($prot eq 'ICMP'){ | |
131 | $value=&get_srv_port($customservicegrp{$key}[2],3,$prot); | |
132 | } | |
133 | push (@ips,$value) if ($value ne '') ; | |
134 | } | |
135 | } | |
136 | if($prot ne 'ICMP'){ | |
137 | if ($#ips gt 0){$back="-m multiport --dports ";}else{$back="--dport ";} | |
138 | }elsif ($prot eq 'ICMP'){ | |
139 | $back="--icmp-type "; | |
140 | } | |
141 | ||
142 | $back.=join(",",@ips); | |
143 | return $back; | |
144 | } | |
145 | sub get_ipsec_net_ip | |
146 | { | |
147 | my $val=shift; | |
148 | my $field=shift; | |
149 | foreach my $key (sort {$a <=> $b} keys %ipsecconf){ | |
150 | if($ipsecconf{$key}[1] eq $val){ | |
151 | return $ipsecconf{$key}[$field]; | |
152 | } | |
153 | } | |
154 | } | |
155 | sub get_ipsec_host_ip | |
156 | { | |
157 | my $val=shift; | |
158 | my $field=shift; | |
159 | foreach my $key (sort {$a <=> $b} keys %ipsecconf){ | |
160 | if($ipsecconf{$key}[1] eq $val){ | |
161 | return $ipsecconf{$key}[$field]; | |
162 | } | |
163 | } | |
164 | } | |
165 | sub get_ovpn_n2n_ip | |
166 | { | |
167 | my $val=shift; | |
168 | my $field=shift; | |
169 | foreach my $key (sort {$a <=> $b} keys %ccdhost){ | |
170 | if($ccdhost{$key}[1] eq $val){ | |
171 | return $ccdhost{$key}[$field]; | |
172 | } | |
173 | } | |
174 | } | |
175 | sub get_ovpn_host_ip | |
176 | { | |
177 | my $val=shift; | |
178 | my $field=shift; | |
179 | foreach my $key (sort {$a <=> $b} keys %ccdhost){ | |
180 | if($ccdhost{$key}[1] eq $val){ | |
181 | return $ccdhost{$key}[$field]; | |
182 | } | |
183 | } | |
184 | } | |
185 | sub get_ovpn_net_ip | |
186 | { | |
187 | ||
188 | my $val=shift; | |
189 | my $field=shift; | |
190 | foreach my $key (sort {$a <=> $b} keys %ccdnet){ | |
191 | if($ccdnet{$key}[0] eq $val){ | |
192 | return $ccdnet{$key}[$field]; | |
193 | } | |
194 | } | |
195 | } | |
196 | sub get_grp_ip | |
197 | { | |
198 | my $val=shift; | |
199 | my $src=shift; | |
200 | foreach my $key (sort {$a <=> $b} keys %customgrp){ | |
201 | if ($customgrp{$key}[0] eq $val){ | |
202 | &get_address($customgrp{$key}[3],$src); | |
203 | } | |
204 | } | |
205 | ||
206 | } | |
207 | sub get_std_net_ip | |
208 | { | |
209 | my $val=shift; | |
210 | my $con=shift; | |
211 | if ($val eq 'ALL'){ | |
212 | return "0.0.0.0/0.0.0.0"; | |
213 | }elsif($val eq 'GREEN'){ | |
214 | return "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; | |
215 | }elsif($val eq 'ORANGE'){ | |
216 | return "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"; | |
217 | }elsif($val eq 'BLUE'){ | |
218 | return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"; | |
219 | }elsif($val eq 'RED'){ | |
220 | return "0.0.0.0/0 -o $con"; | |
221 | }elsif($val =~ /OpenVPN/i){ | |
222 | return "$ovpnsettings{'DOVPN_SUBNET'}"; | |
223 | }elsif($val =~ /IPsec/i){ | |
224 | return "$ipsecsettings{'RW_NET'}"; | |
225 | }elsif($val eq 'IPFire'){ | |
226 | return ; | |
227 | } | |
228 | } | |
229 | sub get_net_ip | |
230 | { | |
231 | my $val=shift; | |
232 | foreach my $key (sort {$a <=> $b} keys %customnetwork){ | |
233 | if($customnetwork{$key}[0] eq $val){ | |
234 | return "$customnetwork{$key}[1]/$customnetwork{$key}[2]"; | |
235 | } | |
236 | } | |
237 | } | |
238 | sub get_host_ip | |
239 | { | |
240 | my $val=shift; | |
241 | my $src=shift; | |
242 | foreach my $key (sort {$a <=> $b} keys %customhost){ | |
243 | if($customhost{$key}[0] eq $val){ | |
244 | if ($customhost{$key}[1] eq 'mac' && $src eq 'src'){ | |
245 | return "-m mac --mac-source $customhost{$key}[2]"; | |
246 | }elsif($customhost{$key}[1] eq 'ip' && $src eq 'src'){ | |
247 | return "$customhost{$key}[2]"; | |
248 | }elsif($customhost{$key}[1] eq 'ip' && $src eq 'tgt'){ | |
249 | return "$customhost{$key}[2]"; | |
250 | }elsif($customhost{$key}[1] eq 'mac' && $src eq 'tgt'){ | |
251 | return "none"; | |
252 | } | |
253 | } | |
254 | } | |
255 | } | |
256 | # Functions used by rules.pl | |
257 | sub get_addresses { | |
258 | my $hash = shift; | |
259 | my $key = shift; | |
260 | my $type = shift; | |
261 | ||
262 | my @addresses = (); | |
263 | my $addr_type; | |
264 | my $value; | |
265 | my $group_name; | |
266 | ||
267 | if ($type eq "src") { | |
268 | $addr_type = $$hash{$key}[3]; | |
269 | $value = $$hash{$key}[4]; | |
270 | ||
271 | } elsif ($type eq "tgt") { | |
272 | $addr_type = $$hash{$key}[5]; | |
273 | $value = $$hash{$key}[6]; | |
274 | } | |
275 | ||
276 | if ($addr_type ~~ ["cust_grp_src", "cust_grp_tgt"]) { | |
277 | foreach my $grp (sort {$a <=> $b} keys %customgrp) { | |
278 | if ($customgrp{$grp}[0] eq $value) { | |
279 | my @address = &get_address($customgrp{$grp}[3], $customgrp{$grp}[2], $type); | |
280 | ||
281 | if (@address) { | |
282 | push(@addresses, @address); | |
283 | } | |
284 | } | |
285 | } | |
286 | } else { | |
287 | my @address = &get_address($addr_type, $value, $type); | |
288 | ||
289 | if (@address) { | |
290 | push(@addresses, @address); | |
291 | } | |
292 | } | |
293 | ||
294 | return @addresses; | |
295 | } | |
296 | sub get_address { | |
297 | my $key = shift; | |
298 | my $value = shift; | |
299 | my $type = shift; | |
300 | ||
301 | my @ret = (); | |
302 | ||
303 | # If the user manually typed an address, we just check if it is a MAC | |
304 | # address. Otherwise, we assume that it is an IP address. | |
305 | if ($key ~~ ["src_addr", "tgt_addr"]) { | |
306 | if (&General::validmac($value)) { | |
307 | push(@ret, "-m mac --mac-source $value"); | |
308 | } else { | |
309 | push(@ret, $value); | |
310 | } | |
311 | ||
312 | # If a default network interface (GREEN, BLUE, etc.) is selected, we | |
313 | # try to get the corresponding address of the network. | |
314 | } elsif ($key ~~ ["std_net_src", "std_net_tgt", "Standard Network"]) { | |
315 | my $external_interface = &get_external_interface(); | |
316 | ||
317 | my $network_address = &get_std_net_ip($value, $external_interface); | |
318 | if ($network_address) { | |
319 | push(@ret, $network_address); | |
320 | } | |
321 | ||
322 | # Custom networks. | |
323 | } elsif ($key ~~ ["cust_net_src", "cust_net_tgt", "Custom Network"]) { | |
324 | my $network_address = &get_net_ip($value); | |
325 | if ($network_address) { | |
326 | push(@ret, $network_address); | |
327 | } | |
328 | ||
329 | # Custom hosts. | |
330 | } elsif ($key ~~ ["cust_host_src", "cust_host_tgt", "Custom Host"]) { | |
331 | my $host_address = &get_host_ip($value, $type); | |
332 | if ($host_address) { | |
333 | push(@ret, $host_address); | |
334 | } | |
335 | ||
336 | # OpenVPN networks. | |
337 | } elsif ($key ~~ ["ovpn_net_src", "ovpn_net_tgt", "OpenVPN static network"]) { | |
338 | my $network_address = &get_ovpn_net_ip($value, 1); | |
339 | if ($network_address) { | |
340 | push(@ret, $network_address); | |
341 | } | |
342 | ||
343 | # OpenVPN hosts. | |
344 | } elsif ($key ~~ ["ovpn_host_src", "ovpn_host_tgt", "OpenVPN static host"]) { | |
345 | my $host_address = &get_ovpn_host_ip($value, 33); | |
346 | if ($host_address) { | |
347 | push(@ret, $host_address); | |
348 | } | |
349 | ||
350 | # OpenVPN N2N. | |
351 | } elsif ($key ~~ ["ovpn_n2n_src", "ovpn_n2n_tgt", "OpenVPN N-2-N"]) { | |
352 | my $network_address = &get_ovpn_n2n_ip($value, 11); | |
353 | if ($network_address) { | |
354 | push(@ret, $network_address); | |
355 | } | |
356 | ||
357 | # IPsec networks. | |
358 | } elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) { | |
359 | my $network_address = &get_ipsec_net_ip($value, 11); | |
360 | if ($network_address) { | |
361 | push(@ret, $network_address); | |
362 | } | |
363 | ||
364 | # The firewall's own IP addresses. | |
365 | } elsif ($key ~~ ["ipfire", "ipfire_src"]) { | |
366 | # ALL | |
367 | if ($value eq "ALL") { | |
368 | push(@ret, "0/0"); | |
369 | ||
370 | # GREEN | |
371 | } elsif ($value eq "GREEN") { | |
372 | push(@ret, $defaultNetworks{"GREEN_ADDRESS"}); | |
373 | ||
374 | # BLUE | |
375 | } elsif ($value eq "BLUE") { | |
376 | push(@ret, $defaultNetworks{"BLUE_ADDRESS"}); | |
377 | ||
378 | # ORANGE | |
379 | } elsif ($value eq "ORANGE") { | |
380 | push(@ret, $defaultNetworks{"ORANGE_ADDRESS"}); | |
381 | ||
382 | # RED | |
383 | } elsif ($value ~~ ["RED", "RED1"]) { | |
384 | my $address = &get_external_address(); | |
385 | if ($address) { | |
386 | push(@ret, $address); | |
387 | } | |
388 | ||
389 | # Aliases | |
390 | } else { | |
391 | my %alias = &get_alias($value); | |
392 | if (%alias) { | |
393 | push(@ret, $alias{"IPT"}); | |
394 | } | |
395 | } | |
396 | ||
397 | # If nothing was selected, we assume "any". | |
398 | } else { | |
399 | push(@ret, "0/0"); | |
400 | } | |
401 | ||
402 | return @ret; | |
403 | } | |
404 | sub get_external_interface() { | |
405 | open(IFACE, "/var/ipfire/red/iface") or return ""; | |
406 | my $iface = <IFACE>; | |
407 | close(IFACE); | |
408 | ||
409 | return $iface; | |
410 | } | |
411 | sub get_external_address() { | |
412 | open(ADDR, "/var/ipfire/red/local-ipaddress") or return ""; | |
413 | my $address = <ADDR>; | |
414 | close(ADDR); | |
415 | ||
416 | return $address; | |
417 | } | |
418 | sub get_alias { | |
419 | my $id = shift; | |
420 | ||
421 | foreach my $alias (sort keys %aliases) { | |
422 | if ($id eq $alias) { | |
423 | return $aliases{$alias}; | |
424 | } | |
425 | } | |
426 | } | |
427 | sub get_nat_address { | |
428 | my $zone = shift; | |
429 | my $source = shift; | |
430 | ||
431 | # Any static address of any zone. | |
432 | if ($zone eq "AUTO") { | |
433 | if ($source) { | |
434 | my $firewall_ip = &get_internal_firewall_ip_address($source, 1); | |
435 | if ($firewall_ip) { | |
436 | return $firewall_ip; | |
437 | } | |
438 | ||
439 | $firewall_ip = &get_matching_firewall_address($source, 1); | |
440 | if ($firewall_ip) { | |
441 | return $firewall_ip; | |
442 | } | |
443 | } | |
444 | ||
445 | return &get_external_address(); | |
446 | ||
447 | } elsif ($zone eq "RED" || $zone eq "GREEN" || $zone eq "ORANGE" || $zone eq "BLUE") { | |
448 | return $defaultNetworks{$zone . "_ADDRESS"}; | |
449 | ||
450 | } elsif ($zone eq "Default IP") { | |
451 | return &get_external_address(); | |
452 | ||
453 | } else { | |
454 | return &get_alias($zone); | |
455 | } | |
456 | ||
457 | print_error("Could not find NAT address"); | |
458 | } | |
459 | sub get_internal_firewall_ip_addresses { | |
460 | my $use_orange = shift; | |
461 | ||
462 | my @zones = ("GREEN", "BLUE"); | |
463 | if ($use_orange) { | |
464 | push(@zones, "ORANGE"); | |
465 | } | |
466 | ||
467 | my @addresses = (); | |
468 | for my $zone (@zones) { | |
469 | next unless (exists $defaultNetworks{$zone . "_ADDRESS"}); | |
470 | ||
471 | my $zone_address = $defaultNetworks{$zone . "_ADDRESS"}; | |
472 | push(@addresses, $zone_address); | |
473 | } | |
474 | ||
475 | return @addresses; | |
476 | } | |
477 | sub get_matching_firewall_address { | |
478 | my $addr = shift; | |
479 | my $use_orange = shift; | |
480 | ||
481 | my ($address, $netmask) = split("/", $addr); | |
482 | ||
483 | my @zones = ("GREEN", "BLUE"); | |
484 | if ($use_orange) { | |
485 | push(@zones, "ORANGE"); | |
486 | } | |
487 | ||
488 | foreach my $zone (@zones) { | |
489 | next unless (exists $defaultNetworks{$zone . "_ADDRESS"}); | |
490 | ||
491 | my $zone_subnet = $defaultNetworks{$zone . "_NETADDRESS"}; | |
492 | my $zone_mask = $defaultNetworks{$zone . "_NETMASK"}; | |
493 | ||
494 | if (&General::IpInSubnet($address, $zone_subnet, $zone_mask)) { | |
495 | return $defaultNetworks{$zone . "_ADDRESS"}; | |
496 | } | |
497 | } | |
498 | ||
499 | return 0; | |
500 | } | |
501 | sub get_internal_firewall_ip_address { | |
502 | my $subnet = shift; | |
503 | my $use_orange = shift; | |
504 | ||
505 | my ($net_address, $net_mask) = split("/", $subnet); | |
506 | if ((!$net_mask) || ($net_mask ~~ ["32", "255.255.255.255"])) { | |
507 | return 0; | |
508 | } | |
509 | ||
510 | my @addresses = &get_internal_firewall_ip_addresses($use_orange); | |
511 | foreach my $zone_address (@addresses) { | |
512 | if (&General::IpInSubnet($zone_address, $net_address, $net_mask)) { | |
513 | return $zone_address; | |
514 | } | |
515 | } | |
516 | ||
517 | return 0; | |
518 | } | |
519 | ||
520 | ||
521 | return 1; |