]> git.ipfire.org Git - people/teissler/ipfire-2.x.git/blob - config/firewall/rules.pl
projects / people / teissler / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
firewall: rules.pl: Cleanup rule generation.
[people/teissler/ipfire-2.x.git] / config / firewall / rules.pl
1 #!/usr/bin/perl -w
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21
22 use strict;
23 use Time::Local;
24
25 require '/var/ipfire/general-functions.pl';
26 require "${General::swroot}/lang.pl";
27 require "/usr/lib/firewall/firewall-lib.pl";
28
29 # Set to one to enable debugging mode.
30 my $DEBUG = 0;
31
32 my $IPTABLES = "iptables --wait";
33
34 # iptables chains
35 my $CHAIN = "FORWARDFW";
36 my $CHAIN_NAT_SOURCE = "NAT_SOURCE";
37 my $CHAIN_NAT_DESTINATION = "NAT_DESTINATION";
38
39 my %fwdfwsettings=();
40 my %defaultNetworks=();
41 my %configfwdfw=();
42 my %color=();
43 my %icmptypes=();
44 my %ovpnSettings=();
45 my %customgrp=();
46 our %sourcehash=();
47 our %targethash=();
48 my @timeframe=();
49 my %configinputfw=();
50 my %configoutgoingfw=();
51 my %confignatfw=();
52 my %aliases=();
53 my @DPROT=();
54 my @p2ps=();
55
56 my $configfwdfw = "${General::swroot}/firewall/config";
57 my $configinput = "${General::swroot}/firewall/input";
58 my $configoutgoing = "${General::swroot}/firewall/outgoing";
59 my $p2pfile = "${General::swroot}/firewall/p2protocols";
60 my $configgrp = "${General::swroot}/fwhosts/customgroups";
61 my $netsettings = "${General::swroot}/ethernet/settings";
62 my $errormessage = '';
63 my $orange = '';
64 my $green = '';
65 my $blue = '';
66 my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$SRC_TGT);
67 my $conexists = 'off';
68 my $dnat ='';
69 my $snat ='';
70
71 &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
72 &General::readhash("$netsettings", \%defaultNetworks);
73 &General::readhasharray($configfwdfw, \%configfwdfw);
74 &General::readhasharray($configinput, \%configinputfw);
75 &General::readhasharray($configoutgoing, \%configoutgoingfw);
76 &General::readhasharray($configgrp, \%customgrp);
77 &General::get_aliases(\%aliases);
78
79 #check if we have an internetconnection
80 open (CONN,"/var/ipfire/red/iface");
81 my $con = <CONN>;
82 close(CONN);
83
84 if (-f "/var/ipfire/red/active"){
85 $conexists='on';
86 }
87
88 open (CONN1,"/var/ipfire/red/local-ipaddress");
89 my $redip = <CONN1>;
90 close(CONN1);
91
92 # MAIN
93 &main();
94
95 sub main {
96 # Flush all chains.
97 &flush();
98
99 # Reload firewall rules.
100 &preparerules();
101
102 # Load P2P block rules.
103 &p2pblock();
104
105 # Reload firewall policy.
106 run("/usr/sbin/firewall-policy");
107 }
108
109 sub run {
110 # Executes or prints the given shell command.
111 my $command = shift;
112
113 if ($DEBUG) {
114 print "$command\n";
115 } else {
116 system "$command";
117 }
118 }
119
120 sub print_error {
121 my $message = shift;
122
123 print STDERR "$message\n";
124 }
125
126 sub flush {
127 run("$IPTABLES -F FORWARDFW");
128 run("$IPTABLES -F INPUTFW");
129 run("$IPTABLES -F OUTGOINGFW");
130 run("$IPTABLES -t nat -F NAT_DESTINATION");
131 run("$IPTABLES -t nat -F NAT_SOURCE");
132 }
133
134 sub preparerules {
135 if (! -z "${General::swroot}/firewall/config"){
136 &buildrules(\%configfwdfw);
137 }
138 if (! -z "${General::swroot}/firewall/input"){
139 &buildrules(\%configinputfw);
140 }
141 if (! -z "${General::swroot}/firewall/outgoing"){
142 &buildrules(\%configoutgoingfw);
143 }
144 }
145
146 sub buildrules {
147 my $hash=shift;
148 my $STAG;
149 my $snatport;
150 my $fireport;
151 my $fwaccessdport;
152 my $natchain;
153 my $icmptype;
154 foreach my $key (sort {$a <=> $b} keys %$hash){
155 next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' );
156
157 my $TIME = "";
158 my $TIMEFROM;
159 my $TIMETILL;
160 my $natip = "";
161
162 # Check if logging should be enabled.
163 my $LOG = 0;
164 if ($$hash{$key}[17] eq 'ON') {
165 $LOG = 1;
166 }
167
168 my $NAT = 0;
169 my $NAT_MODE;
170
171 # Check if NAT is enabled and initialize variables, that we use for that.
172 if ($$hash{$key}[28] eq 'ON') {
173 $NAT = 1;
174
175 # Destination NAT
176 if ($$hash{$key}[31] eq 'dnat') {
177 $NAT_MODE = "DNAT";
178
179 if ($$hash{$key}[30] =~ /\|/) {
180 $$hash{$key}[30]=~ tr/|/,/;
181 $fireport='-m multiport --dport '.$$hash{$key}[30];
182 } else {
183 $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0);
184 }
185
186 # Source NAT
187 } elsif ($$hash{$key}[31] eq 'snat') {
188 $NAT_MODE = "SNAT";
189
190 } else {
191 print_error("Invalid NAT mode: $$hash{$key}[31]");
192 next;
193 }
194
195 $natip = &get_nat_ip($$hash{$key}[29], $NAT_MODE);
196 }
197
198 $STAG='';
199 if($$hash{$key}[2] eq 'ON'){
200 #get source ip's
201 if ($$hash{$key}[3] eq 'cust_grp_src'){
202 foreach my $grp (sort {$a <=> $b} keys %customgrp){
203 if($customgrp{$grp}[0] eq $$hash{$key}[4]){
204 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
205 }
206 }
207 }else{
208 &get_address($$hash{$key}[3],$$hash{$key}[4],"src");
209 }
210 #get target ip's
211 if ($$hash{$key}[5] eq 'cust_grp_tgt'){
212 foreach my $grp (sort {$a <=> $b} keys %customgrp){
213 if($customgrp{$grp}[0] eq $$hash{$key}[6]){
214 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
215 }
216 }
217 }elsif($$hash{$key}[5] eq 'ipfire' ){
218 if($$hash{$key}[6] eq 'GREEN'){
219 $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
220 }
221 if($$hash{$key}[6] eq 'BLUE'){
222 $targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
223 }
224 if($$hash{$key}[6] eq 'ORANGE'){
225 $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
226 }
227 if($$hash{$key}[6] eq 'ALL'){
228 $targethash{$key}[0]='0.0.0.0/0';
229 }
230 if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){
231 open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress";
232 $targethash{$key}[0]= <FILE>;
233 close(FILE);
234 }else{
235 foreach my $alias (sort keys %aliases){
236 if ($$hash{$key}[6] eq $alias){
237 $targethash{$key}[0]=$aliases{$alias}{'IPT'};
238 }
239 }
240 }
241 }else{
242 &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
243 }
244 ##get source prot and port
245 $SRC_TGT='SRC';
246 $SPORT = &get_port($hash,$key);
247 $SRC_TGT='';
248
249 ##get target prot and port
250 $DPROT=&get_prot($hash,$key);
251
252 if ($DPROT eq ''){$DPROT=' ';}
253 @DPROT=split(",",$DPROT);
254
255 #get time if defined
256 if($$hash{$key}[18] eq 'ON'){
257 my ($time1,$time2,$daylight);
258 $daylight=$$hash{$key}[28];
259 $time1=&get_time($$hash{$key}[26],$daylight);
260 $time2=&get_time($$hash{$key}[27],$daylight);
261 if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
262 if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
263 if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
264 if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
265 if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
266 if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
267 if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
268 $TIME=join(",",@timeframe);
269
270 $TIMEFROM="--timestart $time1 ";
271 $TIMETILL="--timestop $time2 ";
272 $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
273 }
274 foreach my $DPROT (@DPROT){
275 $DPORT = &get_port($hash,$key,$DPROT);
276 $PROT=$DPROT;
277 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
278 if ($DPROT ne 'TCP' && $DPROT ne'UDP' && $DPROT ne 'ICMP' ){
279 $DPORT='';
280 }
281 foreach my $a (sort keys %sourcehash){
282 foreach my $b (sort keys %targethash){
283 if(! $sourcehash{$a}[0] || ! $targethash{$b}[0] || ($natip eq '-d ' && $NAT) || (!$natip && $NAT)){
284 #Skip rules when no RED IP is set (DHCP,DSL)
285 next;
286 }
287 next if ($targethash{$b}[0] eq 'none');
288 $STAG='';
289 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
290 if($DPROT ne ''){
291 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
292 #Process ICMP RULE
293 if(substr($DPORT, 2, 4) eq 'icmp'){
294 my @icmprule= split(",",substr($DPORT, 12,));
295 foreach (@icmprule){
296 $icmptype="--icmp-type ";
297 if ($_ eq "BLANK") {
298 $icmptype="";
299 $_="";
300 }
301 if ($LOG) {
302 run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG");
303 }
304 run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]");
305 }
306 #PROCESS DNAT RULE (Portforward)
307 } elsif ($NAT && $NAT_MODE eq "DNAT") {
308 if ($LOG) {
309 run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT'");
310 }
311 my ($ip,$sub) =split("/",$targethash{$b}[0]);
312 #Process NAT with servicegroup used
313 if ($$hash{$key}[14] eq 'cust_srvgrp') {
314 run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j DNAT --to-destination $ip $DPORT");
315 $fwaccessdport=$DPORT;
316 } else {
317 run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j DNAT --to-destination $ip$DPORT");
318 $DPORT =~ s/\-/:/g;
319 if ($DPORT){
320 $fwaccessdport="--dport ".substr($DPORT,1,);
321 }elsif(! $DPORT && $$hash{$key}[30] ne ''){
322 if ($$hash{$key}[30]=~m/|/i){
323 $$hash{$key}[30] =~ s/\|/,/g;
324 $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
325 }else{
326 $fwaccessdport="--dport $$hash{$key}[30]";
327 }
328 }
329 }
330 run("$IPTABLES -A FORWARDFW $PROT $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]");
331 next;
332 #PROCESS SNAT RULE
333 } elsif ($NAT && $NAT_MODE eq "SNAT") {
334 if ($LOG) {
335 run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT'");
336 }
337 run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j SNAT --to-source $natip");
338 }
339 #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
340 if ($PROT ne '-p ICMP'){
341 if ($LOG && !$NAT) {
342 run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
343 }
344 run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
345 }
346 #PROCESS Prot ICMP and type = All ICMP-Types
347 if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
348 if ($LOG && !$NAT) {
349 run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
350 }
351 run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
352 }
353 }
354 }
355 }
356 }
357 }
358 }
359 %sourcehash=();
360 %targethash=();
361 undef $fireport;
362 }
363 }
364
365 sub get_nat_ip {
366 my $val=shift;
367 my $type=shift;
368 my $result;
369 if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){
370 $result=$defaultNetworks{$val.'_ADDRESS'};
371 }elsif($val eq 'ALL'){
372 $result='-i '.$con;
373 }elsif($val eq 'Default IP' && $type eq "DNAT"){
374 $result='-d '.$redip;
375 }elsif($val eq 'Default IP' && $type eq "SNAT"){
376 $result=$redip;
377 }else{
378 foreach my $al (sort keys %aliases){
379 if($val eq $al && $type eq "DNAT"){
380 $result='-d '.$aliases{$al}{'IPT'};
381 }elsif($val eq $al && $type eq "SNAT"){
382 $result=$aliases{$al}{'IPT'};
383 }
384 }
385 }
386 return $result;
387 }
388
389 sub get_time {
390 my $val=shift;
391 my $val1=shift;
392 my $time;
393 my $minutes;
394 my $ruletime;
395 $minutes = &utcmin($val);
396 $ruletime = $minutes + &time_get_utc($val);
397 if ($ruletime < 0){$ruletime +=1440;}
398 if ($ruletime > 1440){$ruletime -=1440;}
399 $time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60;
400 return $time;
401 }
402
403 sub time_get_utc {
404 # Calculates the UTCtime from a given time
405 my $val=shift;
406 my @localtime=localtime(time);
407 my @gmtime=gmtime(time);
408 my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60);
409 return $diff;
410 }
411
412 sub utcmin {
413 my $ruletime=shift;
414 my ($hrs,$min) = split(":",$ruletime);
415 my $newtime = $hrs*60+$min;
416 return $newtime;
417 }
418
419 sub p2pblock {
420 my $P2PSTRING = "";
421 my $DO;
422 open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
423 @p2ps = <FILE>;
424 close FILE;
425 my $CMD = "-m ipp2p";
426 foreach my $p2pentry (sort @p2ps) {
427 my @p2pline = split( /\;/, $p2pentry );
428 if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
429 $DO = "ACCEPT";
430 if ("$p2pline[2]" eq "on") {
431 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
432 }
433 }else {
434 $DO = "RETURN";
435 if ("$p2pline[2]" eq "off") {
436 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
437 }
438 }
439 }
440
441 if($P2PSTRING) {
442 run("$IPTABLES -A FORWARDFW $CMD $P2PSTRING -j $DO");
443 }
444 }
445
446 sub get_address {
447 my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
448 my $base2=shift;
449 my $type=shift; #src or tgt
450 my $hash;
451 if ($type eq 'src'){
452 $hash=\%sourcehash;
453 }else{
454 $hash=\%targethash;
455 }
456 my $key = &General::findhasharraykey($hash);
457 if($base eq 'src_addr' || $base eq 'tgt_addr' ){
458 if (&General::validmac($base2)){
459 $$hash{$key}[0] = "-m mac --mac-source $base2";
460 }else{
461 $$hash{$key}[0] = $base2;
462 }
463 }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
464 $$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con);
465 }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
466 $$hash{$key}[0]=&fwlib::get_net_ip($base2);
467 }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){
468 $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
469 }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){
470 $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
471 }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){
472 $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
473 }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){
474 $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11);
475 }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
476 $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
477 }elsif($base eq 'ipfire_src' ){
478 if($base2 eq 'GREEN'){
479 $$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
480 }
481 if($base2 eq 'BLUE'){
482 $$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
483 }
484 if($base2 eq 'ORANGE'){
485 $$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
486 }
487 if($base2 eq 'ALL'){
488 $$hash{$key}[0]='0.0.0.0/0';
489 }
490 if($base2 eq 'RED' || $base2 eq 'RED1'){
491 open(FILE, "/var/ipfire/red/local-ipaddress");
492 $$hash{$key}[0]= <FILE>;
493 close(FILE);
494 }else{
495 foreach my $alias (sort keys %aliases){
496 if ($base2 eq $alias){
497 $$hash{$key}[0]=$aliases{$alias}{'IPT'};
498 }
499 }
500 }
501 }
502 }
503
504 sub get_prot {
505 my $hash=shift;
506 my $key=shift;
507 #check AH,GRE,ESP or ICMP
508 if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON'){
509 return "$$hash{$key}[8]";
510 }
511 if ($$hash{$key}[7] eq 'ON' || $$hash{$key}[11] eq 'ON'){
512 #check if servicegroup or service
513 if($$hash{$key}[14] eq 'cust_srv'){
514 return &fwlib::get_srv_prot($$hash{$key}[15]);
515 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
516 return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
517 }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && $$hash{$key}[8] eq ''){ #when ports are used and prot set to "all"
518 return "TCP,UDP";
519 }elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && ($$hash{$key}[8] eq 'TCP' || $$hash{$key}[8] eq 'UDP')){ #when ports are used and prot set to "tcp" or "udp"
520 return "$$hash{$key}[8]";
521 }elsif (($$hash{$key}[10] eq '' && $$hash{$key}[15] eq '') && $$hash{$key}[8] ne 'ICMP'){ #when ports are NOT used and prot NOT set to "ICMP"
522 return "$$hash{$key}[8]";
523 }else{
524 return "$$hash{$key}[8]";
525 }
526 }
527 #DNAT
528 if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){
529 return "$$hash{$key}[8]";
530 }
531 }
532
533 sub get_port {
534 my $hash=shift;
535 my $key=shift;
536 my $prot=shift;
537 #Get manual defined Ports from SOURCE
538 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
539 if ($$hash{$key}[10] ne ''){
540 $$hash{$key}[10] =~ s/\|/,/g;
541 if(index($$hash{$key}[10],",") > 0){
542 return "-m multiport --sport $$hash{$key}[10] ";
543 }else{
544 if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){
545 return "--sport $$hash{$key}[10] ";
546 }else{
547 return ":$$hash{$key}[10]";
548 }
549 }
550 }
551 #Get manual ports from TARGET
552 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
553 if($$hash{$key}[14] eq 'TGT_PORT'){
554 if ($$hash{$key}[15] ne ''){
555 $$hash{$key}[15] =~ s/\|/,/g;
556 if(index($$hash{$key}[15],",") > 0){
557 return "-m multiport --dport $$hash{$key}[15] ";
558 }else{
559 if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){
560 return "--dport $$hash{$key}[15] ";
561 }else{
562 $$hash{$key}[15] =~ s/\:/-/g;
563 return ":$$hash{$key}[15]";
564 }
565 }
566 }
567 #Get ports defined in custom Service (firewall-groups)
568 }elsif($$hash{$key}[14] eq 'cust_srv'){
569 if ($prot ne 'ICMP'){
570 if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
571 my $ports =&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
572 $ports =~ s/\:/-/g;
573 return ":".$ports
574 }else{
575 return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
576 }
577 }elsif($prot eq 'ICMP' && $$hash{$key}[11] eq 'ON'){ #When PROT is ICMP and "use targetport is checked, this is an icmp-service
578 return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
579 }
580 #Get ports from services which are used in custom servicegroups (firewall-groups)
581 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
582 if ($prot ne 'ICMP'){
583 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
584 }
585 elsif($prot eq 'ICMP'){
586 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
587 }
588 }
589 }
590 #CHECK ICMP
591 if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON' && $SRC_TGT eq ''){
592 if($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
593 return "--icmp-type $$hash{$key}[9] ";
594 }elsif($$hash{$key}[9] eq 'All ICMP-Types'){
595 return;
596 }
597 }
598 }
Timo's tree of IPFire 2.x