[people/teissler/ipfire-2.x.git] / config / forwardfw / rules.pl

#!/usr/bin/perl
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2012														  #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################
#																			  #
# Hi folks! I hope this code is useful for all. I needed something to handle  #
# my VPN Connections in a comfortable way. 				      				  #
# This script builds firewallrules from the webinterface                      #
###############################################################################


use strict;
no warnings 'uninitialized';

# enable only the following on debugging purpose
#use warnings;
#use CGI::Carp 'fatalsToBrowser';

my %fwdfwsettings=();
my %defaultNetworks=();
my %configfwdfw=();
my %color=();
my %icmptypes=();
my %ovpnSettings=();
my %customgrp=();
our %sourcehash=();
our %targethash=();
my @timeframe=();
my %configinputfw=();
my %aliases=();
my @DPROT=();
require '/var/ipfire/general-functions.pl';
require "${General::swroot}/lang.pl";
require "${General::swroot}/forward/bin/firewall-lib.pl";

my $configfwdfw		= "${General::swroot}/forward/config";
my $configinput	    = "${General::swroot}/forward/input";
my $configgrp		= "${General::swroot}/fwhosts/customgroups";
my $errormessage='';
my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
my $CHAIN="FORWARDFW";


&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
&General::readhasharray($configfwdfw, \%configfwdfw);
&General::readhasharray($configinput, \%configinputfw);
&General::readhasharray($configgrp, \%customgrp);
&General::get_aliases(\%aliases);

################################
#    DEBUG/TEST                #
################################
my $MODE=0;     # 0 - normal operation
				# 1 - print configline and rules to console	
				# 
################################		
my $param=shift;

if($param eq 'flush'){
	if ($MODE eq '1'){
		print " Flushing chains...\n";
	}
	&flush;
}else{
	if ($MODE eq '1'){
		print " Flushing chains...\n";
	}
	&flush;
	if ($MODE eq '1'){
		print " Preparing rules...\n";
	}
	&preparerules;
	if($MODE eq '0'){
		if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
			system ("iptables -A $CHAIN -j DROP"); 
		}elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
			system ("iptables -A $CHAIN -j ACCEPT");
		}
	}
}

sub flush
{
	system ("iptables -F FORWARDFW");
	system ("iptables -F INPUTFW");
}			
sub preparerules
{
	if (! -z  "${General::swroot}/forward/config"){
		&buildrules(\%configfwdfw);
	}
	if (! -z  "${General::swroot}/forward/input"){
		&buildrules(\%configinputfw);
	}
}
sub buildrules
{
	my $hash=shift;
	foreach my $key (sort keys %$hash){
		if($$hash{$key}[2] eq 'ON'){
			#get source ip's
			if ($$hash{$key}[3] eq 'cust_grp_src'){
				foreach my $grp (sort keys %customgrp){
						if($customgrp{$grp}[0] eq $$hash{$key}[4]){
						&get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
					}
				}
			}else{
				&get_address($$hash{$key}[3],$$hash{$key}[4],"src");
			}
			#get target ip's
			if ($$hash{$key}[5] eq 'cust_grp_tgt'){
				foreach my $grp (sort keys %customgrp){
					if($customgrp{$grp}[0] eq $$hash{$key}[6]){
						&get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
					}
				}
			}elsif($$hash{$key}[5] eq 'ipfire'){
				
				if($$hash{$key}[6] eq 'Default IP'){
					open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
					$targethash{$key}[0]= <FILE>;
					close(FILE);
				}else{
					foreach my $alias (sort keys %aliases){
						if ($$hash{$key}[6] eq $alias){
							$targethash{$key}[0]=$aliases{$alias}{'IPT'};
						}
					}
				}
			}else{
				&get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
			}
			
			##get source prot and port
			$SRC_TGT='SRC';
			$SPROT = &get_prot($hash,$key);
			$SPORT = &get_port($hash,$key);
			$SRC_TGT='';
			
			##get target prot and port
			$DPROT=&get_prot($hash,$key);
					
			if ($DPROT eq ''){$DPROT=' ';}				
			@DPROT=split(",",$DPROT);
				
						
			#get time if defined
			if($$hash{$key}[18] eq 'ON'){
				if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
				if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
				if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
				if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
				if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
				if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
				if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
				$TIME=join(",",@timeframe);
				$TIMEFROM="--timestart $$hash{$key}[26] ";
				$TIMETILL="--timestop $$hash{$key}[27] ";
				$TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
			}
					
			if ($MODE eq '1'){	
				print "NR:$key ";
				foreach my $i (0 .. $#{$$hash{$key}}){
					print "$i: $$hash{$key}[$i]  ";
				}
				print "\n";
				print"##################################\n";
				#print rules to console
				
				foreach my $DPROT (@DPROT){
					$DPORT = &get_port($hash,$key,$DPROT);
					if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
					$PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
					foreach my $a (sort keys %sourcehash){
						foreach my $b (sort keys %targethash){
							if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){
								if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
									if ($$hash{$key}[17] eq 'ON'){
										print "iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
									}
									print "iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; 
								}				
							}
						}
					}
					print"\n";
				}
			
			}elsif($MODE eq '0'){
				foreach my $DPROT (@DPROT){
					$DPORT = &get_port($hash,$key,$DPROT);
					if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
					$PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
					foreach my $a (sort keys %sourcehash){
						foreach my $b (sort keys %targethash){
							if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){
								if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
									if ($$hash{$key}[17] eq 'ON'){
										system ("iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
									}
									system ("iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]"); 
								}				
							}
						}
					}
					print"\n";
				}
			}
		}
		%sourcehash=();
		%targethash=();
		undef $TIME;
		undef $TIMEFROM;
		undef $TIMETILL;
	}
}
sub get_address
{
	my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
	my $base2=shift;
	my $type=shift; #src or tgt
	my $hash;
	if ($type eq 'src'){
		$hash=\%sourcehash;	
	}else{
		$hash=\%targethash;
	}
	my $key = &General::findhasharraykey($hash);
	if($base eq 'src_addr' || $base eq 'tgt_addr' ){
		$$hash{$key}[0] = $configfwdfw{$key}[4];
	}elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
		$$hash{$key}[0]=&fwlib::get_std_net_ip($base2);
	}elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
		$$hash{$key}[0]=&fwlib::get_net_ip($base2);
	}elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){
		$$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
	}elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){
		$$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
	}elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){
		$$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
	}elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){
		$$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,27);
	}elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
		$$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
	}
}
sub get_prot
{
	my $hash=shift;
	my $key=shift;
	if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
		if ($$hash{$key}[10] ne ''){
			return"$$hash{$key}[8]";
		}elsif($$hash{$key}[9] ne ''){
			return"$$hash{$key}[8]";
		}else{
			return "$$hash{$key}[8]";
		}
	}elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
		if ($$hash{$key}[14] eq 'TGT_PORT'){
			if ($$hash{$key}[15] ne ''){
				return "$$hash{$key}[12]";
			}elsif($$hash{$key}[13] ne ''){
				return "$$hash{$key}[12]";
			}else{
				return "$$hash{$key}[12]";
			}
		}elsif($$hash{$key}[14] eq 'cust_srv'){
			return &fwlib::get_srv_prot($$hash{$key}[15]);
			
		}elsif($$hash{$key}[14] eq 'cust_srvgrp'){
			return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
		}
	}
}
sub get_port
{
	my $hash=shift;
	my $key=shift;
	my $prot=shift;
	if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
		if ($$hash{$key}[10] ne ''){
			return "--sport $$hash{$key}[10] ";
		}elsif($$hash{$key}[9] ne ''){
			return "--icmp-type $$hash{$key}[9] ";
		}
	}elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
		
		if($$hash{$key}[14] eq 'TGT_PORT'){
			if ($$hash{$key}[15] ne ''){
				return "--dport $$hash{$key}[15] ";
			}elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
				return "--icmp-type $$hash{$key}[13] ";
			}elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){
				return;
			}
		}elsif($$hash{$key}[14] eq 'cust_srv'){
			if ($prot ne 'ICMP'){
				return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
			}elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){
				return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
			}elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){
				return;
			}
		}elsif($$hash{$key}[14] eq 'cust_srvgrp'){
			if 	($prot ne 'ICMP'){
				return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
			}
			elsif($prot eq 'ICMP'){
				return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
			}
			
			
		}
	}
}
Commit	Line	Data
	1	#!/usr/bin/perl
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2012 #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21	# #
	22	# Hi folks! I hope this code is useful for all. I needed something to handle #
	23	# my VPN Connections in a comfortable way. #
	24	# This script builds firewallrules from the webinterface #
	25	###############################################################################
	26
	27
	28	use strict;
	29	no warnings 'uninitialized';
	30
	31	# enable only the following on debugging purpose
	32	#use warnings;
	33	#use CGI::Carp 'fatalsToBrowser';
	34
	35	my %fwdfwsettings=();
	36	my %defaultNetworks=();
	37	my %configfwdfw=();
	38	my %color=();
	39	my %icmptypes=();
	40	my %ovpnSettings=();
	41	my %customgrp=();
	42	our %sourcehash=();
	43	our %targethash=();
	44	my @timeframe=();
	45	my %configinputfw=();
	46	my %aliases=();
	47	my @DPROT=();
	48	require '/var/ipfire/general-functions.pl';
	49	require "${General::swroot}/lang.pl";
	50	require "${General::swroot}/forward/bin/firewall-lib.pl";
	51
	52	my $configfwdfw = "${General::swroot}/forward/config";
	53	my $configinput = "${General::swroot}/forward/input";
	54	my $configgrp = "${General::swroot}/fwhosts/customgroups";
	55	my $errormessage='';
	56	my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
	57	my $CHAIN="FORWARDFW";
	58
	59
	60	&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
	61	&General::readhasharray($configfwdfw, \%configfwdfw);
	62	&General::readhasharray($configinput, \%configinputfw);
	63	&General::readhasharray($configgrp, \%customgrp);
	64	&General::get_aliases(\%aliases);
	65
	66	################################
	67	# DEBUG/TEST #
	68	################################
	69	my $MODE=0; # 0 - normal operation
	70	# 1 - print configline and rules to console
	71	#
	72	################################
	73	my $param=shift;
	74
	75	if($param eq 'flush'){
	76	if ($MODE eq '1'){
	77	print " Flushing chains...\n";
	78	}
	79	&flush;
	80	}else{
	81	if ($MODE eq '1'){
	82	print " Flushing chains...\n";
	83	}
	84	&flush;
	85	if ($MODE eq '1'){
	86	print " Preparing rules...\n";
	87	}
	88	&preparerules;
	89	if($MODE eq '0'){
	90	if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
	91	system ("iptables -A $CHAIN -j DROP");
	92	}elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
	93	system ("iptables -A $CHAIN -j ACCEPT");
	94	}
	95	}
	96	}
	97
	98	sub flush
	99	{
	100	system ("iptables -F FORWARDFW");
	101	system ("iptables -F INPUTFW");
	102	}
	103	sub preparerules
	104	{
	105	if (! -z "${General::swroot}/forward/config"){
	106	&buildrules(\%configfwdfw);
	107	}
	108	if (! -z "${General::swroot}/forward/input"){
	109	&buildrules(\%configinputfw);
	110	}
	111	}
	112	sub buildrules
	113	{
	114	my $hash=shift;
	115	foreach my $key (sort keys %$hash){
	116	if($$hash{$key}[2] eq 'ON'){
	117	#get source ip's
	118	if ($$hash{$key}[3] eq 'cust_grp_src'){
	119	foreach my $grp (sort keys %customgrp){
	120	if($customgrp{$grp}[0] eq $$hash{$key}[4]){
	121	&get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
	122	}
	123	}
	124	}else{
	125	&get_address($$hash{$key}[3],$$hash{$key}[4],"src");
	126	}
	127	#get target ip's
	128	if ($$hash{$key}[5] eq 'cust_grp_tgt'){
	129	foreach my $grp (sort keys %customgrp){
	130	if($customgrp{$grp}[0] eq $$hash{$key}[6]){
	131	&get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
	132	}
	133	}
	134	}elsif($$hash{$key}[5] eq 'ipfire'){
	135
	136	if($$hash{$key}[6] eq 'Default IP'){
	137	open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
	138	$targethash{$key}[0]= <FILE>;
	139	close(FILE);
	140	}else{
	141	foreach my $alias (sort keys %aliases){
	142	if ($$hash{$key}[6] eq $alias){
	143	$targethash{$key}[0]=$aliases{$alias}{'IPT'};
	144	}
	145	}
	146	}
	147	}else{
	148	&get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
	149	}
	150
	151	##get source prot and port
	152	$SRC_TGT='SRC';
	153	$SPROT = &get_prot($hash,$key);
	154	$SPORT = &get_port($hash,$key);
	155	$SRC_TGT='';
	156
	157	##get target prot and port
	158	$DPROT=&get_prot($hash,$key);
	159
	160	if ($DPROT eq ''){$DPROT=' ';}
	161	@DPROT=split(",",$DPROT);
	162
	163
	164	#get time if defined
	165	if($$hash{$key}[18] eq 'ON'){
	166	if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
	167	if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
	168	if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
	169	if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
	170	if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
	171	if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
	172	if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
	173	$TIME=join(",",@timeframe);
	174	$TIMEFROM="--timestart $$hash{$key}[26] ";
	175	$TIMETILL="--timestop $$hash{$key}[27] ";
	176	$TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
	177	}
	178
	179	if ($MODE eq '1'){
	180	print "NR:$key ";
	181	foreach my $i (0 .. $#{$$hash{$key}}){
	182	print "$i: $$hash{$key}[$i] ";
	183	}
	184	print "\n";
	185	print"##################################\n";
	186	#print rules to console
	187
	188	foreach my $DPROT (@DPROT){
	189	$DPORT = &get_port($hash,$key,$DPROT);
	190	if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
	191	$PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
	192	foreach my $a (sort keys %sourcehash){
	193	foreach my $b (sort keys %targethash){
	194	if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){
	195	if($SPROT eq '' \|\| $SPROT eq $DPROT \|\| $DPROT eq ' '){
	196	if ($$hash{$key}[17] eq 'ON'){
	197	print "iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
	198	}
	199	print "iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
	200	}
	201	}
	202	}
	203	}
	204	print"\n";
	205	}
	206
	207	}elsif($MODE eq '0'){
	208	foreach my $DPROT (@DPROT){
	209	$DPORT = &get_port($hash,$key,$DPROT);
	210	if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
	211	$PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
	212	foreach my $a (sort keys %sourcehash){
	213	foreach my $b (sort keys %targethash){
	214	if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){
	215	if($SPROT eq '' \|\| $SPROT eq $DPROT \|\| $DPROT eq ' '){
	216	if ($$hash{$key}[17] eq 'ON'){
	217	system ("iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
	218	}
	219	system ("iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
	220	}
	221	}
	222	}
	223	}
	224	print"\n";
	225	}
	226	}
	227	}
	228	%sourcehash=();
	229	%targethash=();
	230	undef $TIME;
	231	undef $TIMEFROM;
	232	undef $TIMETILL;
	233	}
	234	}
	235	sub get_address
	236	{
	237	my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
	238	my $base2=shift;
	239	my $type=shift; #src or tgt
	240	my $hash;
	241	if ($type eq 'src'){
	242	$hash=\%sourcehash;
	243	}else{
	244	$hash=\%targethash;
	245	}
	246	my $key = &General::findhasharraykey($hash);
	247	if($base eq 'src_addr' \|\| $base eq 'tgt_addr' ){
	248	$$hash{$key}[0] = $configfwdfw{$key}[4];
	249	}elsif($base eq 'std_net_src' \|\| $base eq 'std_net_tgt' \|\| $base eq 'Standard Network'){
	250	$$hash{$key}[0]=&fwlib::get_std_net_ip($base2);
	251	}elsif($base eq 'cust_net_src' \|\| $base eq 'cust_net_tgt' \|\| $base eq 'Custom Network'){
	252	$$hash{$key}[0]=&fwlib::get_net_ip($base2);
	253	}elsif($base eq 'cust_host_src' \|\| $base eq 'cust_host_tgt' \|\| $base eq 'Custom Host'){
	254	$$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
	255	}elsif($base eq 'ovpn_net_src' \|\| $base eq 'ovpn_net_tgt' \|\| $base eq 'OpenVPN static network'){
	256	$$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
	257	}elsif($base eq 'ovpn_host_src' \|\|$base eq 'ovpn_host_tgt' \|\| $base eq 'OpenVPN static host'){
	258	$$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
	259	}elsif($base eq 'ovpn_n2n_src' \|\|$base eq 'ovpn_n2n_tgt' \|\| $base eq 'OpenVPN N-2-N'){
	260	$$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,27);
	261	}elsif($base eq 'ipsec_net_src' \|\| $base eq 'ipsec_net_tgt' \|\| $base eq 'IpSec Network'){
	262	$$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
	263	}
	264	}
	265	sub get_prot
	266	{
	267	my $hash=shift;
	268	my $key=shift;
	269	if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
	270	if ($$hash{$key}[10] ne ''){
	271	return"$$hash{$key}[8]";
	272	}elsif($$hash{$key}[9] ne ''){
	273	return"$$hash{$key}[8]";
	274	}else{
	275	return "$$hash{$key}[8]";
	276	}
	277	}elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
	278	if ($$hash{$key}[14] eq 'TGT_PORT'){
	279	if ($$hash{$key}[15] ne ''){
	280	return "$$hash{$key}[12]";
	281	}elsif($$hash{$key}[13] ne ''){
	282	return "$$hash{$key}[12]";
	283	}else{
	284	return "$$hash{$key}[12]";
	285	}
	286	}elsif($$hash{$key}[14] eq 'cust_srv'){
	287	return &fwlib::get_srv_prot($$hash{$key}[15]);
	288
	289	}elsif($$hash{$key}[14] eq 'cust_srvgrp'){
	290	return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
	291	}
	292	}
	293	}
	294	sub get_port
	295	{
	296	my $hash=shift;
	297	my $key=shift;
	298	my $prot=shift;
	299	if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
	300	if ($$hash{$key}[10] ne ''){
	301	return "--sport $$hash{$key}[10] ";
	302	}elsif($$hash{$key}[9] ne ''){
	303	return "--icmp-type $$hash{$key}[9] ";
	304	}
	305	}elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
	306
	307	if($$hash{$key}[14] eq 'TGT_PORT'){
	308	if ($$hash{$key}[15] ne ''){
	309	return "--dport $$hash{$key}[15] ";
	310	}elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
	311	return "--icmp-type $$hash{$key}[13] ";
	312	}elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){
	313	return;
	314	}
	315	}elsif($$hash{$key}[14] eq 'cust_srv'){
	316	if ($prot ne 'ICMP'){
	317	return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
	318	}elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){
	319	return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
	320	}elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){
	321	return;
	322	}
	323	}elsif($$hash{$key}[14] eq 'cust_srvgrp'){
	324	if ($prot ne 'ICMP'){
	325	return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
	326	}
	327	elsif($prot eq 'ICMP'){
	328	return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
	329	}
	330
	331
	332	}
	333	}
	334	}