[people/teissler/ipfire-2.x.git] / config / firewall / firewall-lib.pl

#!/usr/bin/perl
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org>                        #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

use strict;
no warnings 'uninitialized';

package fwlib;

my %customnetwork=();
my %customhost=();
my %customgrp=();
my %customservice=();
my %customservicegrp=();
my %ccdnet=();
my %ccdhost=();
my %ipsecconf=();
my %ipsecsettings=();
my %netsettings=();
my %ovpnsettings=();
my %defaultNetworks=();
my %aliases=();

require '/var/ipfire/general-functions.pl';

my $confignet		= "${General::swroot}/fwhosts/customnetworks";
my $confighost		= "${General::swroot}/fwhosts/customhosts";
my $configgrp 		= "${General::swroot}/fwhosts/customgroups";
my $configsrv 		= "${General::swroot}/fwhosts/customservices";
my $configsrvgrp	= "${General::swroot}/fwhosts/customservicegrp";
my $configccdnet 	= "${General::swroot}/ovpn/ccd.conf";
my $configccdhost	= "${General::swroot}/ovpn/ovpnconfig";
my $configipsec		= "${General::swroot}/vpn/config";
my $configovpn		= "${General::swroot}/ovpn/settings";
my $val;
my $field;

&General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
&General::readhash("${General::swroot}/ovpn/settings", \%ovpnsettings);
&General::readhash("${General::swroot}/vpn/settings", \%ipsecsettings);


&General::readhasharray("$confignet", \%customnetwork);
&General::readhasharray("$confighost", \%customhost);
&General::readhasharray("$configgrp", \%customgrp);
&General::readhasharray("$configccdnet", \%ccdnet);
&General::readhasharray("$configccdhost", \%ccdhost);
&General::readhasharray("$configipsec", \%ipsecconf);
&General::readhasharray("$configsrv", \%customservice);
&General::readhasharray("$configsrvgrp", \%customservicegrp);

sub get_srv_prot
{
	my $val=shift;
	foreach my $key (sort {$a <=> $b} keys %customservice){
		if($customservice{$key}[0] eq $val){
			if ($customservice{$key}[0] eq $val){
				return $customservice{$key}[2];
			}
		}
	}
}
sub get_srvgrp_prot
{
	my $val=shift;
	my @ips=();
	my $tcp;
	my $udp;
	my $icmp;
	foreach my $key (sort {$a <=> $b} keys %customservicegrp){
		if($customservicegrp{$key}[0] eq $val){
			if (&get_srv_prot($customservicegrp{$key}[2]) eq 'TCP'){ 
				$tcp=1;
			}elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'UDP'){ 
				$udp=1;
			}elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'ICMP'){
				$icmp=1;
			}else{
				#Protocols used in servicegroups
				push (@ips,$customservicegrp{$key}[2]);
			}
		}
	}
	if ($tcp eq '1'){push (@ips,'TCP');}
	if ($udp eq '1'){push (@ips,'UDP');}
	if ($icmp eq '1'){push (@ips,'ICMP');}
	my $back=join(",",@ips);
	return $back;
	
}
sub get_srv_port
{
	my $val=shift;
	my $field=shift;
	my $prot=shift;
	foreach my $key (sort {$a <=> $b} keys %customservice){
		if($customservice{$key}[0] eq $val && $customservice{$key}[2] eq $prot){
			return $customservice{$key}[$field];
		}
	}
}
sub get_srvgrp_port
{
	my $val=shift;
	my $prot=shift;
	my $back;
	my $value;
	my @ips=();
	foreach my $key (sort {$a <=> $b} keys %customservicegrp){
		if($customservicegrp{$key}[0] eq $val){
			if ($prot ne 'ICMP'){
				$value=&get_srv_port($customservicegrp{$key}[2],1,$prot);
			}elsif ($prot eq 'ICMP'){
				$value=&get_srv_port($customservicegrp{$key}[2],3,$prot);
			}
			push (@ips,$value) if ($value ne '') ;
		}
	}
	if($prot ne 'ICMP'){
		if ($#ips gt 0){$back="-m multiport --dports ";}else{$back="--dport ";}
	}elsif ($prot eq 'ICMP'){
		$back="--icmp-type ";
	}
	
	$back.=join(",",@ips);
	return $back;
}
sub get_ipsec_net_ip
{
	my $val=shift;
	my $field=shift;
	foreach my $key (sort {$a <=> $b} keys %ipsecconf){
		if($ipsecconf{$key}[1] eq $val){
			return $ipsecconf{$key}[$field];
		}
	}
}
sub get_ipsec_host_ip
{
	my $val=shift;
	my $field=shift;
	foreach my $key (sort {$a <=> $b} keys %ipsecconf){
		if($ipsecconf{$key}[1] eq $val){
			return $ipsecconf{$key}[$field];
		}
	}
}
sub get_ovpn_n2n_ip
{
	my $val=shift;
	my $field=shift;
	foreach my $key (sort {$a <=> $b} keys %ccdhost){
		if($ccdhost{$key}[1] eq $val){
			return $ccdhost{$key}[$field];
		}
	}
}
sub get_ovpn_host_ip
{
	my $val=shift;
	my $field=shift;
	foreach my $key (sort {$a <=> $b} keys %ccdhost){
		if($ccdhost{$key}[1] eq $val){
			return $ccdhost{$key}[$field];
		}
	}
}
sub get_ovpn_net_ip
{
	
	my $val=shift;
	my $field=shift;
	foreach my $key (sort {$a <=> $b} keys %ccdnet){
		if($ccdnet{$key}[0] eq $val){
			return $ccdnet{$key}[$field];
		}
	}
}
sub get_grp_ip
{
	my $val=shift;
	my $src=shift;
	foreach my $key (sort {$a <=> $b} keys %customgrp){
		if ($customgrp{$key}[0] eq $val){
			&get_address($customgrp{$key}[3],$src);
		}
	}		
	
}
sub get_std_net_ip
{
	my $val=shift;
	my $con=shift;
	if ($val eq 'ALL'){
		return "0.0.0.0/0.0.0.0";
	}elsif($val eq 'GREEN'){
		return "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
	}elsif($val eq 'ORANGE'){
		return "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
	}elsif($val eq 'BLUE'){
		return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
	}elsif($val eq 'RED'){
		return "0.0.0.0/0 -o $con";
	}elsif($val =~ /OpenVPN/i){
		return "$ovpnsettings{'DOVPN_SUBNET'}";
	}elsif($val =~ /IPsec/i){
		return "$ipsecsettings{'RW_NET'}";
	}elsif($val eq 'IPFire'){
		return ;
	}
}
sub get_net_ip
{
	my $val=shift;
	foreach my $key (sort {$a <=> $b} keys %customnetwork){
		if($customnetwork{$key}[0] eq $val){
			return "$customnetwork{$key}[1]/$customnetwork{$key}[2]";
		}  
	}
}
sub get_host_ip
{
	my $val=shift;
	my $src=shift;
	foreach my $key (sort {$a <=> $b} keys %customhost){
		if($customhost{$key}[0] eq $val){
			if ($customhost{$key}[1] eq 'mac' && $src eq 'src'){
			return "-m mac --mac-source $customhost{$key}[2]";
			}elsif($customhost{$key}[1] eq 'ip' && $src eq 'src'){
				return "$customhost{$key}[2]";
			}elsif($customhost{$key}[1] eq 'ip' && $src eq 'tgt'){
				return "$customhost{$key}[2]";
			}elsif($customhost{$key}[1] eq 'mac' && $src eq 'tgt'){
				return "none";
			}
		}  
	}
}
# Functions used by rules.pl
sub get_addresses {
	my $hash = shift;
	my $key  = shift;
	my $type = shift;

	my @addresses = ();
	my $addr_type;
	my $value;
	my $group_name;

	if ($type eq "src") {
		$addr_type = $$hash{$key}[3];
		$value = $$hash{$key}[4];

	} elsif ($type eq "tgt") {
		$addr_type = $$hash{$key}[5];
		$value = $$hash{$key}[6];
	}

	if ($addr_type ~~ ["cust_grp_src", "cust_grp_tgt"]) {
		foreach my $grp (sort {$a <=> $b} keys %customgrp) {
			if ($customgrp{$grp}[0] eq $value) {
				my @address = &get_address($customgrp{$grp}[3], $customgrp{$grp}[2], $type);

				if (@address) {
					push(@addresses, @address);
				}
			}
		}
	} else {
		my @address = &get_address($addr_type, $value, $type);

		if (@address) {
			push(@addresses, @address);
		}
	}

	return @addresses;
}
sub get_address {
	my $key   = shift;
	my $value = shift;
	my $type  = shift;

	my @ret = ();

	# If the user manually typed an address, we just check if it is a MAC
	# address. Otherwise, we assume that it is an IP address.
	if ($key ~~ ["src_addr", "tgt_addr"]) {
		if (&General::validmac($value)) {
			push(@ret, "-m mac --mac-source $value");
		} else {
			push(@ret, $value);
		}

	# If a default network interface (GREEN, BLUE, etc.) is selected, we
	# try to get the corresponding address of the network.
	} elsif ($key ~~ ["std_net_src", "std_net_tgt", "Standard Network"]) {
		my $external_interface = &get_external_interface();

		my $network_address = &get_std_net_ip($value, $external_interface);
		if ($network_address) {
			push(@ret, $network_address);
		}

	# Custom networks.
	} elsif ($key ~~ ["cust_net_src", "cust_net_tgt", "Custom Network"]) {
		my $network_address = &get_net_ip($value);
		if ($network_address) {
			push(@ret, $network_address);
		}

	# Custom hosts.
	} elsif ($key ~~ ["cust_host_src", "cust_host_tgt", "Custom Host"]) {
		my $host_address = &get_host_ip($value, $type);
		if ($host_address) {
			push(@ret, $host_address);
		}

	# OpenVPN networks.
	} elsif ($key ~~ ["ovpn_net_src", "ovpn_net_tgt", "OpenVPN static network"]) {
		my $network_address = &get_ovpn_net_ip($value, 1);
		if ($network_address) {
			push(@ret, $network_address);
		}

	# OpenVPN hosts.
	} elsif ($key ~~ ["ovpn_host_src", "ovpn_host_tgt", "OpenVPN static host"]) {
		my $host_address = &get_ovpn_host_ip($value, 33);
		if ($host_address) {
			push(@ret, $host_address);
		}

	# OpenVPN N2N.
	} elsif ($key ~~ ["ovpn_n2n_src", "ovpn_n2n_tgt", "OpenVPN N-2-N"]) {
		my $network_address = &get_ovpn_n2n_ip($value, 11);
		if ($network_address) {
			push(@ret, $network_address);
		}

	# IPsec networks.
	} elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) {
		my $network_address = &get_ipsec_net_ip($value, 11);
		if ($network_address) {
			push(@ret, $network_address);
		}

	# The firewall's own IP addresses.
	} elsif ($key ~~ ["ipfire", "ipfire_src"]) {
		# ALL
		if ($value eq "ALL") {
			push(@ret, "0/0");

		# GREEN
		} elsif ($value eq "GREEN") {
			push(@ret, $defaultNetworks{"GREEN_ADDRESS"});

		# BLUE
		} elsif ($value eq "BLUE") {
			push(@ret, $defaultNetworks{"BLUE_ADDRESS"});

		# ORANGE
		} elsif ($value eq "ORANGE") {
			push(@ret, $defaultNetworks{"ORANGE_ADDRESS"});

		# RED
		} elsif ($value ~~ ["RED", "RED1"]) {
			my $address = &get_external_address();
			if ($address) {
				push(@ret, $address);
			}

		# Aliases
		} else {
			my %alias = &get_alias($value);
			if (%alias) {
				push(@ret, $alias{"IPT"});
			}
		}

	# If nothing was selected, we assume "any".
	} else {
		push(@ret, "0/0");
	}

	return @ret;
}
sub get_external_interface() {
	open(IFACE, "/var/ipfire/red/iface") or return "";
	my $iface = <IFACE>;
	close(IFACE);

	return $iface;
}
sub get_external_address() {
	open(ADDR, "/var/ipfire/red/local-ipaddress") or return "";
	my $address = <ADDR>;
	close(ADDR);

	return $address;
}
sub get_alias {
	my $id = shift;

	foreach my $alias (sort keys %aliases) {
		if ($id eq $alias) {
			return $aliases{$alias};
		}
	}
}
sub get_nat_address {
	my $zone = shift;
	my $source = shift;

	# Any static address of any zone.
	if ($zone eq "AUTO") {
		if ($source) {
			my $firewall_ip = &get_internal_firewall_ip_address($source, 1);
			if ($firewall_ip) {
				return $firewall_ip;
			}

			$firewall_ip = &get_matching_firewall_address($source, 1);
			if ($firewall_ip) {
				return $firewall_ip;
			}
		}

		return &get_external_address();

	} elsif ($zone eq "RED" || $zone eq "GREEN" || $zone eq "ORANGE" || $zone eq "BLUE") {
		return $defaultNetworks{$zone . "_ADDRESS"};

	} elsif ($zone eq "Default IP") {
		return &get_external_address();

	} else {
		return &get_alias($zone);
	}

	print_error("Could not find NAT address");
}
sub get_internal_firewall_ip_addresses {
	my $use_orange = shift;

	my @zones = ("GREEN", "BLUE");
	if ($use_orange) {
		push(@zones, "ORANGE");
	}

	my @addresses = ();
	for my $zone (@zones) {
		next unless (exists $defaultNetworks{$zone . "_ADDRESS"});

		my $zone_address = $defaultNetworks{$zone . "_ADDRESS"};
		push(@addresses, $zone_address);
	}

	return @addresses;
}
sub get_matching_firewall_address {
	my $addr = shift;
	my $use_orange = shift;

	my ($address, $netmask) = split("/", $addr);

	my @zones = ("GREEN", "BLUE");
	if ($use_orange) {
		push(@zones, "ORANGE");
	}

	foreach my $zone (@zones) {
		next unless (exists $defaultNetworks{$zone . "_ADDRESS"});

		my $zone_subnet = $defaultNetworks{$zone . "_NETADDRESS"};
		my $zone_mask   = $defaultNetworks{$zone . "_NETMASK"};

		if (&General::IpInSubnet($address, $zone_subnet, $zone_mask)) {
			return $defaultNetworks{$zone . "_ADDRESS"};
		}
	}

	return 0;
}
sub get_internal_firewall_ip_address {
	my $subnet = shift;
	my $use_orange = shift;

	my ($net_address, $net_mask) = split("/", $subnet);
	if ((!$net_mask) || ($net_mask ~~ ["32", "255.255.255.255"])) {
		return 0;
	}

	my @addresses = &get_internal_firewall_ip_addresses($use_orange);
	foreach my $zone_address (@addresses) {
		if (&General::IpInSubnet($zone_address, $net_address, $net_mask)) {
			return $zone_address;
		}
	}

	return 0;
}


return 1;
Commit	Line	Data
	1	#!/usr/bin/perl
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	use strict;
	23	no warnings 'uninitialized';
	24
	25	package fwlib;
	26
	27	my %customnetwork=();
	28	my %customhost=();
	29	my %customgrp=();
	30	my %customservice=();
	31	my %customservicegrp=();
	32	my %ccdnet=();
	33	my %ccdhost=();
	34	my %ipsecconf=();
	35	my %ipsecsettings=();
	36	my %netsettings=();
	37	my %ovpnsettings=();
	38	my %defaultNetworks=();
	39	my %aliases=();
	40
	41	require '/var/ipfire/general-functions.pl';
	42
	43	my $confignet = "${General::swroot}/fwhosts/customnetworks";
	44	my $confighost = "${General::swroot}/fwhosts/customhosts";
	45	my $configgrp = "${General::swroot}/fwhosts/customgroups";
	46	my $configsrv = "${General::swroot}/fwhosts/customservices";
	47	my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp";
	48	my $configccdnet = "${General::swroot}/ovpn/ccd.conf";
	49	my $configccdhost = "${General::swroot}/ovpn/ovpnconfig";
	50	my $configipsec = "${General::swroot}/vpn/config";
	51	my $configovpn = "${General::swroot}/ovpn/settings";
	52	my $val;
	53	my $field;
	54
	55	&General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
	56	&General::readhash("${General::swroot}/ovpn/settings", \%ovpnsettings);
	57	&General::readhash("${General::swroot}/vpn/settings", \%ipsecsettings);
	58
	59
	60	&General::readhasharray("$confignet", \%customnetwork);
	61	&General::readhasharray("$confighost", \%customhost);
	62	&General::readhasharray("$configgrp", \%customgrp);
	63	&General::readhasharray("$configccdnet", \%ccdnet);
	64	&General::readhasharray("$configccdhost", \%ccdhost);
	65	&General::readhasharray("$configipsec", \%ipsecconf);
	66	&General::readhasharray("$configsrv", \%customservice);
	67	&General::readhasharray("$configsrvgrp", \%customservicegrp);
	68
	69	sub get_srv_prot
	70	{
	71	my $val=shift;
	72	foreach my $key (sort {$a <=> $b} keys %customservice){
	73	if($customservice{$key}[0] eq $val){
	74	if ($customservice{$key}[0] eq $val){
	75	return $customservice{$key}[2];
	76	}
	77	}
	78	}
	79	}
	80	sub get_srvgrp_prot
	81	{
	82	my $val=shift;
	83	my @ips=();
	84	my $tcp;
	85	my $udp;
	86	my $icmp;
	87	foreach my $key (sort {$a <=> $b} keys %customservicegrp){
	88	if($customservicegrp{$key}[0] eq $val){
	89	if (&get_srv_prot($customservicegrp{$key}[2]) eq 'TCP'){
	90	$tcp=1;
	91	}elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'UDP'){
	92	$udp=1;
	93	}elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'ICMP'){
	94	$icmp=1;
	95	}else{
	96	#Protocols used in servicegroups
	97	push (@ips,$customservicegrp{$key}[2]);
	98	}
	99	}
	100	}
	101	if ($tcp eq '1'){push (@ips,'TCP');}
	102	if ($udp eq '1'){push (@ips,'UDP');}
	103	if ($icmp eq '1'){push (@ips,'ICMP');}
	104	my $back=join(",",@ips);
	105	return $back;
	106
	107	}
	108	sub get_srv_port
	109	{
	110	my $val=shift;
	111	my $field=shift;
	112	my $prot=shift;
	113	foreach my $key (sort {$a <=> $b} keys %customservice){
	114	if($customservice{$key}[0] eq $val && $customservice{$key}[2] eq $prot){
	115	return $customservice{$key}[$field];
	116	}
	117	}
	118	}
	119	sub get_srvgrp_port
	120	{
	121	my $val=shift;
	122	my $prot=shift;
	123	my $back;
	124	my $value;
	125	my @ips=();
	126	foreach my $key (sort {$a <=> $b} keys %customservicegrp){
	127	if($customservicegrp{$key}[0] eq $val){
	128	if ($prot ne 'ICMP'){
	129	$value=&get_srv_port($customservicegrp{$key}[2],1,$prot);
	130	}elsif ($prot eq 'ICMP'){
	131	$value=&get_srv_port($customservicegrp{$key}[2],3,$prot);
	132	}
	133	push (@ips,$value) if ($value ne '') ;
	134	}
	135	}
	136	if($prot ne 'ICMP'){
	137	if ($#ips gt 0){$back="-m multiport --dports ";}else{$back="--dport ";}
	138	}elsif ($prot eq 'ICMP'){
	139	$back="--icmp-type ";
	140	}
	141
	142	$back.=join(",",@ips);
	143	return $back;
	144	}
	145	sub get_ipsec_net_ip
	146	{
	147	my $val=shift;
	148	my $field=shift;
	149	foreach my $key (sort {$a <=> $b} keys %ipsecconf){
	150	if($ipsecconf{$key}[1] eq $val){
	151	return $ipsecconf{$key}[$field];
	152	}
	153	}
	154	}
	155	sub get_ipsec_host_ip
	156	{
	157	my $val=shift;
	158	my $field=shift;
	159	foreach my $key (sort {$a <=> $b} keys %ipsecconf){
	160	if($ipsecconf{$key}[1] eq $val){
	161	return $ipsecconf{$key}[$field];
	162	}
	163	}
	164	}
	165	sub get_ovpn_n2n_ip
	166	{
	167	my $val=shift;
	168	my $field=shift;
	169	foreach my $key (sort {$a <=> $b} keys %ccdhost){
	170	if($ccdhost{$key}[1] eq $val){
	171	return $ccdhost{$key}[$field];
	172	}
	173	}
	174	}
	175	sub get_ovpn_host_ip
	176	{
	177	my $val=shift;
	178	my $field=shift;
	179	foreach my $key (sort {$a <=> $b} keys %ccdhost){
	180	if($ccdhost{$key}[1] eq $val){
	181	return $ccdhost{$key}[$field];
	182	}
	183	}
	184	}
	185	sub get_ovpn_net_ip
	186	{
	187
	188	my $val=shift;
	189	my $field=shift;
	190	foreach my $key (sort {$a <=> $b} keys %ccdnet){
	191	if($ccdnet{$key}[0] eq $val){
	192	return $ccdnet{$key}[$field];
	193	}
	194	}
	195	}
	196	sub get_grp_ip
	197	{
	198	my $val=shift;
	199	my $src=shift;
	200	foreach my $key (sort {$a <=> $b} keys %customgrp){
	201	if ($customgrp{$key}[0] eq $val){
	202	&get_address($customgrp{$key}[3],$src);
	203	}
	204	}
	205
	206	}
	207	sub get_std_net_ip
	208	{
	209	my $val=shift;
	210	my $con=shift;
	211	if ($val eq 'ALL'){
	212	return "0.0.0.0/0.0.0.0";
	213	}elsif($val eq 'GREEN'){
	214	return "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
	215	}elsif($val eq 'ORANGE'){
	216	return "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
	217	}elsif($val eq 'BLUE'){
	218	return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
	219	}elsif($val eq 'RED'){
	220	return "0.0.0.0/0 -o $con";
	221	}elsif($val =~ /OpenVPN/i){
	222	return "$ovpnsettings{'DOVPN_SUBNET'}";
	223	}elsif($val =~ /IPsec/i){
	224	return "$ipsecsettings{'RW_NET'}";
	225	}elsif($val eq 'IPFire'){
	226	return ;
	227	}
	228	}
	229	sub get_net_ip
	230	{
	231	my $val=shift;
	232	foreach my $key (sort {$a <=> $b} keys %customnetwork){
	233	if($customnetwork{$key}[0] eq $val){
	234	return "$customnetwork{$key}[1]/$customnetwork{$key}[2]";
	235	}
	236	}
	237	}
	238	sub get_host_ip
	239	{
	240	my $val=shift;
	241	my $src=shift;
	242	foreach my $key (sort {$a <=> $b} keys %customhost){
	243	if($customhost{$key}[0] eq $val){
	244	if ($customhost{$key}[1] eq 'mac' && $src eq 'src'){
	245	return "-m mac --mac-source $customhost{$key}[2]";
	246	}elsif($customhost{$key}[1] eq 'ip' && $src eq 'src'){
	247	return "$customhost{$key}[2]";
	248	}elsif($customhost{$key}[1] eq 'ip' && $src eq 'tgt'){
	249	return "$customhost{$key}[2]";
	250	}elsif($customhost{$key}[1] eq 'mac' && $src eq 'tgt'){
	251	return "none";
	252	}
	253	}
	254	}
	255	}
	256	# Functions used by rules.pl
	257	sub get_addresses {
	258	my $hash = shift;
	259	my $key = shift;
	260	my $type = shift;
	261
	262	my @addresses = ();
	263	my $addr_type;
	264	my $value;
	265	my $group_name;
	266
	267	if ($type eq "src") {
	268	$addr_type = $$hash{$key}[3];
	269	$value = $$hash{$key}[4];
	270
	271	} elsif ($type eq "tgt") {
	272	$addr_type = $$hash{$key}[5];
	273	$value = $$hash{$key}[6];
	274	}
	275
	276	if ($addr_type ~~ ["cust_grp_src", "cust_grp_tgt"]) {
	277	foreach my $grp (sort {$a <=> $b} keys %customgrp) {
	278	if ($customgrp{$grp}[0] eq $value) {
	279	my @address = &get_address($customgrp{$grp}[3], $customgrp{$grp}[2], $type);
	280
	281	if (@address) {
	282	push(@addresses, @address);
	283	}
	284	}
	285	}
	286	} else {
	287	my @address = &get_address($addr_type, $value, $type);
	288
	289	if (@address) {
	290	push(@addresses, @address);
	291	}
	292	}
	293
	294	return @addresses;
	295	}
	296	sub get_address {
	297	my $key = shift;
	298	my $value = shift;
	299	my $type = shift;
	300
	301	my @ret = ();
	302
	303	# If the user manually typed an address, we just check if it is a MAC
	304	# address. Otherwise, we assume that it is an IP address.
	305	if ($key ~~ ["src_addr", "tgt_addr"]) {
	306	if (&General::validmac($value)) {
	307	push(@ret, "-m mac --mac-source $value");
	308	} else {
	309	push(@ret, $value);
	310	}
	311
	312	# If a default network interface (GREEN, BLUE, etc.) is selected, we
	313	# try to get the corresponding address of the network.
	314	} elsif ($key ~~ ["std_net_src", "std_net_tgt", "Standard Network"]) {
	315	my $external_interface = &get_external_interface();
	316
	317	my $network_address = &get_std_net_ip($value, $external_interface);
	318	if ($network_address) {
	319	push(@ret, $network_address);
	320	}
	321
	322	# Custom networks.
	323	} elsif ($key ~~ ["cust_net_src", "cust_net_tgt", "Custom Network"]) {
	324	my $network_address = &get_net_ip($value);
	325	if ($network_address) {
	326	push(@ret, $network_address);
	327	}
	328
	329	# Custom hosts.
	330	} elsif ($key ~~ ["cust_host_src", "cust_host_tgt", "Custom Host"]) {
	331	my $host_address = &get_host_ip($value, $type);
	332	if ($host_address) {
	333	push(@ret, $host_address);
	334	}
	335
	336	# OpenVPN networks.
	337	} elsif ($key ~~ ["ovpn_net_src", "ovpn_net_tgt", "OpenVPN static network"]) {
	338	my $network_address = &get_ovpn_net_ip($value, 1);
	339	if ($network_address) {
	340	push(@ret, $network_address);
	341	}
	342
	343	# OpenVPN hosts.
	344	} elsif ($key ~~ ["ovpn_host_src", "ovpn_host_tgt", "OpenVPN static host"]) {
	345	my $host_address = &get_ovpn_host_ip($value, 33);
	346	if ($host_address) {
	347	push(@ret, $host_address);
	348	}
	349
	350	# OpenVPN N2N.
	351	} elsif ($key ~~ ["ovpn_n2n_src", "ovpn_n2n_tgt", "OpenVPN N-2-N"]) {
	352	my $network_address = &get_ovpn_n2n_ip($value, 11);
	353	if ($network_address) {
	354	push(@ret, $network_address);
	355	}
	356
	357	# IPsec networks.
	358	} elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) {
	359	my $network_address = &get_ipsec_net_ip($value, 11);
	360	if ($network_address) {
	361	push(@ret, $network_address);
	362	}
	363
	364	# The firewall's own IP addresses.
	365	} elsif ($key ~~ ["ipfire", "ipfire_src"]) {
	366	# ALL
	367	if ($value eq "ALL") {
	368	push(@ret, "0/0");
	369
	370	# GREEN
	371	} elsif ($value eq "GREEN") {
	372	push(@ret, $defaultNetworks{"GREEN_ADDRESS"});
	373
	374	# BLUE
	375	} elsif ($value eq "BLUE") {
	376	push(@ret, $defaultNetworks{"BLUE_ADDRESS"});
	377
	378	# ORANGE
	379	} elsif ($value eq "ORANGE") {
	380	push(@ret, $defaultNetworks{"ORANGE_ADDRESS"});
	381
	382	# RED
	383	} elsif ($value ~~ ["RED", "RED1"]) {
	384	my $address = &get_external_address();
	385	if ($address) {
	386	push(@ret, $address);
	387	}
	388
	389	# Aliases
	390	} else {
	391	my %alias = &get_alias($value);
	392	if (%alias) {
	393	push(@ret, $alias{"IPT"});
	394	}
	395	}
	396
	397	# If nothing was selected, we assume "any".
	398	} else {
	399	push(@ret, "0/0");
	400	}
	401
	402	return @ret;
	403	}
	404	sub get_external_interface() {
	405	open(IFACE, "/var/ipfire/red/iface") or return "";
	406	my $iface = <IFACE>;
	407	close(IFACE);
	408
	409	return $iface;
	410	}
	411	sub get_external_address() {
	412	open(ADDR, "/var/ipfire/red/local-ipaddress") or return "";
	413	my $address = <ADDR>;
	414	close(ADDR);
	415
	416	return $address;
	417	}
	418	sub get_alias {
	419	my $id = shift;
	420
	421	foreach my $alias (sort keys %aliases) {
	422	if ($id eq $alias) {
	423	return $aliases{$alias};
	424	}
	425	}
	426	}
	427	sub get_nat_address {
	428	my $zone = shift;
	429	my $source = shift;
	430
	431	# Any static address of any zone.
	432	if ($zone eq "AUTO") {
	433	if ($source) {
	434	my $firewall_ip = &get_internal_firewall_ip_address($source, 1);
	435	if ($firewall_ip) {
	436	return $firewall_ip;
	437	}
	438
	439	$firewall_ip = &get_matching_firewall_address($source, 1);
	440	if ($firewall_ip) {
	441	return $firewall_ip;
	442	}
	443	}
	444
	445	return &get_external_address();
	446
	447	} elsif ($zone eq "RED" \|\| $zone eq "GREEN" \|\| $zone eq "ORANGE" \|\| $zone eq "BLUE") {
	448	return $defaultNetworks{$zone . "_ADDRESS"};
	449
	450	} elsif ($zone eq "Default IP") {
	451	return &get_external_address();
	452
	453	} else {
	454	return &get_alias($zone);
	455	}
	456
	457	print_error("Could not find NAT address");
	458	}
	459	sub get_internal_firewall_ip_addresses {
	460	my $use_orange = shift;
	461
	462	my @zones = ("GREEN", "BLUE");
	463	if ($use_orange) {
	464	push(@zones, "ORANGE");
	465	}
	466
	467	my @addresses = ();
	468	for my $zone (@zones) {
	469	next unless (exists $defaultNetworks{$zone . "_ADDRESS"});
	470
	471	my $zone_address = $defaultNetworks{$zone . "_ADDRESS"};
	472	push(@addresses, $zone_address);
	473	}
	474
	475	return @addresses;
	476	}
	477	sub get_matching_firewall_address {
	478	my $addr = shift;
	479	my $use_orange = shift;
	480
	481	my ($address, $netmask) = split("/", $addr);
	482
	483	my @zones = ("GREEN", "BLUE");
	484	if ($use_orange) {
	485	push(@zones, "ORANGE");
	486	}
	487
	488	foreach my $zone (@zones) {
	489	next unless (exists $defaultNetworks{$zone . "_ADDRESS"});
	490
	491	my $zone_subnet = $defaultNetworks{$zone . "_NETADDRESS"};
	492	my $zone_mask = $defaultNetworks{$zone . "_NETMASK"};
	493
	494	if (&General::IpInSubnet($address, $zone_subnet, $zone_mask)) {
	495	return $defaultNetworks{$zone . "_ADDRESS"};
	496	}
	497	}
	498
	499	return 0;
	500	}
	501	sub get_internal_firewall_ip_address {
	502	my $subnet = shift;
	503	my $use_orange = shift;
	504
	505	my ($net_address, $net_mask) = split("/", $subnet);
	506	if ((!$net_mask) \|\| ($net_mask ~~ ["32", "255.255.255.255"])) {
	507	return 0;
	508	}
	509
	510	my @addresses = &get_internal_firewall_ip_addresses($use_orange);
	511	foreach my $zone_address (@addresses) {
	512	if (&General::IpInSubnet($zone_address, $net_address, $net_mask)) {
	513	return $zone_address;
	514	}
	515	}
	516
	517	return 0;
	518	}
	519
	520
	521	return 1;