1 #!/usr/bin/perl
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21 # #
22 # This script converts old portforwarding rules from old Firewall #
23 # to the new one. This is a 3-step process. #
24 # STEP1: read old config and normalize settings #
25 # STEP2: create new rules from old ones #
26 # STEP3: check if rule already exists, when not, put it into #
27 # /var/ipfire/firewall/config #
28 ###############################################################################
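require '/var/ipfire/general-functions.pl';

# NOTE(review): `use strict` / `use warnings` are missing.  Enabling strict
# needs the undeclared package variables used in the subs below (e.g.
# $use_prot in write_rules) declared first, so it is left off here.
my @values=();        # STEP 1 output: normalized old rules, one CSV string each
my @built_rules=();   # STEP 2 output: rule lines in the new firewall format
my %nat=();           # STEP 3: the new firewall config, keyed by rule id
my $portfwconfig = "${General::swroot}/portfw/config";
my $confignat = "${General::swroot}/firewall/config";
my $aliasconfig = "${General::swroot}/ethernet/aliases";
my $logdir = "/var/log/converters";
my $logfile = "$logdir/portfw-convert.log";
# Fields of one old portfw line; shared with get_config and build_rules.
my ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark);
# Fields of the line following the current one (look-ahead in get_config).
my ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1);
my $count=0;   # index of the line get_config is working on
my $jump='';   # '1' while the next line is the second half of a double rule

if(! -d $logdir){ mkdir($logdir) or die "Unable to create $logdir: $!"; }

# Three-argument open with an explicit mode so the path can never be parsed
# as a mode or pipe spec; lexical handles for the two files read in full.
open(my $portfw_fh, '<', $portfwconfig) or die "Unable to open config file $portfwconfig: $!";
my @current = <$portfw_fh>;
close($portfw_fh);
# LOG stays a bareword handle: the subs below print to it by that name.
open(LOG, '>', $logfile) or die "Unable to open log file $logfile: $!";
open(my $alias_fh, '<', $aliasconfig) or die "Unable to open aliases file $aliasconfig: $!";
my @alias = <$alias_fh>;
close($alias_fh);

get_config();
build_rules();
write_rules();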
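# STEP 1: read the old portfw config (file-level @current) and push one
# normalized "prot,ipfireport,target,targetport,active,alias,source,remark"
# string per rule onto @values.  An old rule may span two lines: when the
# line after the current one carries flag '1', its source field replaces the
# current line's source and that follow-up line is skipped on the next
# iteration (traced as "Doublerule: 1").  Uses the file-level $count as the
# index of the current line and $jump as the skip marker; every processed
# line is written to LOG.
sub get_config
{
    print LOG "STEP 1: Get config from old portforward\n#########################################\n";
    foreach my $line (@current){
        # This line was already folded into the previous rule as its source
        # part: drop it, but keep $count in step with the line index.
        if($jump eq '1'){
            $jump='';
            $count++;
            next;
        }
        my $next_idx=$count+1;
        ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark) = split(",",$line);
        # Look ahead only while a following line exists; splitting undef past
        # the end of @current merely produced an empty field list before.
        if ($next_idx <= $#current){
            ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1) = split(",",$current[$next_idx]);
        }else{
            ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1) = ();
        }
        if ($flag1 eq '1'){
            $source=$source1;
            $jump='1';
        }
        my $now=localtime;
        chomp($remark);
        print LOG "$now processing-> KEY: $key FLAG: $flag PROT: $prot FIREPORT: $ipfireport TARGET: $target TGTPORT: $targetport ACTIVE: $active ALIAS: $alias SOURCE: $source REM: $remark Doublerule: $jump\n";
        push (@values, join(",", $prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark));
        $count++;
    }
}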
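# STEP 2: turn every @values entry into one rule line in the new firewall
# config format and push it onto @built_rules.  A source of 0.0.0.0/0
# becomes the standard network "ALL"; any other source is written as a /32
# host address (the netmask part of the old entry is dropped).  An alias of
# 0.0.0.0 becomes "ALL"; otherwise the alias IP is replaced by its name from
# the file-level @alias list when a matching entry exists.  Each converted
# rule is logged to LOG exactly as it was pushed.
sub build_rules
{
    print LOG "\nSTEP 2: Convert old portforwardrules in a useable format\n########################################################\n";
    my $count=0;
    foreach my $line (@values){
        chomp ($line);
        ($prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark)=split(",",$line);
        $count++;
        # Source part: standard network for "any", otherwise a host address.
        my ($src,$src1);
        if($source eq '0.0.0.0/0'){
            $src = 'std_net_src';
            $src1 = 'ALL';
        }else{
            $src = 'src_addr';
            # $a/$b are sort()'s package globals, so use a plain lexical.
            my ($src_ip) = split("/",$source);
            $src1 = $src_ip."/32";
        }
        # IPFire side: "ALL" for 0.0.0.0, otherwise resolve the IP to its
        # alias name; an IP with no alias entry is kept as is.
        if($alias eq '0.0.0.0'){
            $alias='ALL';
        }else{
            foreach my $ali (@alias){
                my ($alias_ip,$alias_active,$alias_name) = split (",",$ali);
                if($alias eq $alias_ip){
                    chomp($alias_name);
                    $alias=$alias_name;
                    last;
                }
            }
        }
        $active = uc $active;
        $prot = uc $prot;
        chomp($remark);
        # Build the rule once so the log shows exactly what was stored.
        my $rule = "ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat";
        push (@built_rules,$rule);
        my $now=localtime;
        print LOG "$now Converted-> KEY: $count $rule\n";
    }
}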
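# STEP 3: merge @built_rules into the new firewall config %nat (read from
# and written back to $confignat), skipping rules that already exist.
# A converted rule fills only the %nat indices listed in @rule_fields; the
# duplicate check compares exactly those indices, after the same GRE
# normalization the stored record gets, so a rule written by an earlier run
# is recognized.  Every skipped and every new rule is logged to LOG.
sub write_rules
{
    print LOG "\nSTEP 3: Create DNAT rules in new firewall\n#########################################\n";
    General::readhasharray($confignat,\%nat);
    # Indices of %nat that a converted rule populates, in config order.
    my @rule_fields = (0..8, 11, 14, 15, 16, 26..31);
    foreach my $line (@built_rules){
        my ($action,$chain,$active,$src,$src1,$tgt,$tgt1,$tgt_extra,$prot,$prot_extra,
            $tgt_port,$tgt_port1,$remark,$from,$to,$use_port,$alias,$ipfireport,$dnat) = split (",",$line);
        # GRE carries no ports: blank every port-related field before the
        # duplicate check so the candidate matches what an earlier run stored.
        if ( $prot eq 'GRE'){
            $tgt_port='';
            $tgt_port1='';
            $use_port='';
            $ipfireport='';
        }
        my %field_of = (
            0 => $action,     1 => $chain,     2 => $active,
            3 => $src,        4 => $src1,      5 => $tgt,
            6 => $tgt1,       7 => $tgt_extra, 8 => $prot,
            11 => $use_port,  14 => $tgt_port, 15 => $tgt_port1,
            16 => $remark,    26 => $from,     27 => $to,
            28 => $use_port,  29 => $alias,    30 => $ipfireport,
            31 => $dnat,
        );
        my $candidate = join(',', map { $field_of{$_} } @rule_fields);
        # Compare against existing records on the same indices only; unset
        # indices read as empty strings, as they did when interpolated.
        my $skip = '';
        foreach my $key (sort keys %nat){
            my $existing = join(',', map { defined $nat{$key}[$_] ? $nat{$key}[$_] : '' } @rule_fields);
            if ($existing eq $candidate){
                my $now=localtime;
                print LOG "$now SKIP-> Rule $existing ->EXISTS\n";
                $skip='1';
                last;
            }
        }
        next if $skip eq '1';
        my $id = General::findhasharraykey(\%nat);
        $nat{$id}[$_] = $field_of{$_} for @rule_fields;
        my $now=localtime;
        print LOG "$now NEW RULE-> Rule $candidate\n";
    }
    General::writehasharray($confignat,\%nat);
}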
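# LOG is a write handle: buffered write errors only surface at close.
# Logging is best-effort, so report the failure without aborting.
close(LOG) or warn "Unable to close log file: $!";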