]> git.ipfire.org Git - people/teissler/ipfire-2.x.git/blob - config/forwardfw/rules.pl
projects / people / teissler / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Forward Firewall: Bugfix: ICMP rules where applied double
[people/teissler/ipfire-2.x.git] / config / forwardfw / rules.pl
1 #!/usr/bin/perl
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2012 #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21 # #
22 # Hi folks! I hope this code is useful for all. I needed something to handle #
23 # my VPN Connections in a comfortable way. #
24 # This script builds firewallrules from the webinterface #
25 ###############################################################################
26
27 use strict;
28 use Time::Local;
29 no warnings 'uninitialized';
30
31 # enable only the following on debugging purpose
32 #use warnings;
33 #use CGI::Carp 'fatalsToBrowser';
34
35 my %fwdfwsettings=();
36 my %defaultNetworks=();
37 my %configfwdfw=();
38 my %color=();
39 my %icmptypes=();
40 my %ovpnSettings=();
41 my %customgrp=();
42 our %sourcehash=();
43 our %targethash=();
44 my @timeframe=();
45 my %configinputfw=();
46 my %configoutgoingfw=();
47 my %confignatfw=();
48 my %aliases=();
49 my @DPROT=();
50 my @p2ps=();
51 require '/var/ipfire/general-functions.pl';
52 require "${General::swroot}/lang.pl";
53 require "${General::swroot}/forward/bin/firewall-lib.pl";
54
55 my $configfwdfw = "${General::swroot}/forward/config";
56 my $configinput = "${General::swroot}/forward/input";
57 my $configoutgoing = "${General::swroot}/forward/outgoing";
58 my $p2pfile = "${General::swroot}/forward/p2protocols";
59 my $configgrp = "${General::swroot}/fwhosts/customgroups";
60 my $netsettings = "${General::swroot}/ethernet/settings";
61 my $errormessage='';
62 my $orange;
63 my $green;
64 my $blue;
65 my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
66 my $CHAIN="FORWARDFW";
67 my $conexists='off';
68 my $command = 'iptables -A';
69 my $dnat='';
70 my $snat='';
71 &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
72 &General::readhash("$netsettings", \%defaultNetworks);
73 &General::readhasharray($configfwdfw, \%configfwdfw);
74 &General::readhasharray($configinput, \%configinputfw);
75 &General::readhasharray($configoutgoing, \%configoutgoingfw);
76 &General::readhasharray($configgrp, \%customgrp);
77 &General::get_aliases(\%aliases);
78
79 #check if we have an internetconnection
80 open (CONN,"/var/ipfire/red/iface");
81 my $con = <CONN>;
82 close(CONN);
83 if (-f "/var/ipfire/red/active"){
84 $conexists='on';
85 }
86 open (CONN1,"/var/ipfire/red/local-ipaddress");
87 my $redip = <CONN1>;
88 close(CONN1);
89 ################################
90 # DEBUG/TEST #
91 ################################
92 my $MODE=1; # 0 - normal operation
93 # 1 - print configline and rules to console
94 #
95 ################################
96 my $param=shift;
97
98 if($param eq 'flush'){
99 if ($MODE eq '1'){
100 print " Flushing chains...\n";
101 }
102 &flush;
103 }else{
104 if ($MODE eq '1'){
105 print " Flushing chains...\n";
106 }
107 &flush;
108 if ($MODE eq '1'){
109 print " Preparing rules...\n";
110 }
111 &preparerules;
112 if($MODE eq '0'){
113 if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
114 &p2pblock;
115 system ("/usr/sbin/firewall-policy");
116 }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
117 &p2pblock;
118 system ("iptables -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT");
119 system ("/usr/sbin/firewall-policy");
120 system ("/etc/sysconfig/firewall.local reload");
121 }
122 }
123 }
124 sub flush
125 {
126 system ("iptables -F FORWARDFW");
127 system ("iptables -F INPUTFW");
128 system ("iptables -F OUTGOINGFW");
129 system ("iptables -t nat -F NAT_DESTINATION");
130 system ("iptables -t nat -F NAT_SOURCE");
131 }
132 sub preparerules
133 {
134 if (! -z "${General::swroot}/forward/config"){
135 &buildrules(\%configfwdfw);
136 }
137 if (! -z "${General::swroot}/forward/input"){
138 &buildrules(\%configinputfw);
139 }
140 if (! -z "${General::swroot}/forward/outgoing"){
141 &buildrules(\%configoutgoingfw);
142 }
143 }
144 sub buildrules
145 {
146 my $hash=shift;
147 my $STAG;
148 my $natip;
149 my $snatport;
150 my $fireport;
151 my $nat;
152 my $fwaccessdport;
153 my $natchain;
154 foreach my $key (sort {$a <=> $b} keys %$hash){
155 next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' );
156 if ($$hash{$key}[28] eq 'ON'){
157 $command='iptables -t nat -A';
158 $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]);
159 if($$hash{$key}[31] eq 'dnat'){
160 $nat='DNAT';
161 if ($$hash{$key}[30] =~ /\|/){
162 $$hash{$key}[30]=~ tr/|/,/;
163 $fireport='-m multiport --dport '.$$hash{$key}[30];
164 }else{
165 $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0);
166 }
167 }else{
168 $nat='SNAT';
169 }
170 }
171 $STAG='';
172 if($$hash{$key}[2] eq 'ON'){
173 #get source ip's
174 if ($$hash{$key}[3] eq 'cust_grp_src'){
175 foreach my $grp (sort {$a <=> $b} keys %customgrp){
176 if($customgrp{$grp}[0] eq $$hash{$key}[4]){
177 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
178 }
179 }
180 }else{
181 &get_address($$hash{$key}[3],$$hash{$key}[4],"src");
182 }
183 #get target ip's
184 if ($$hash{$key}[5] eq 'cust_grp_tgt'){
185 foreach my $grp (sort {$a <=> $b} keys %customgrp){
186 if($customgrp{$grp}[0] eq $$hash{$key}[6]){
187 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
188 }
189 }
190 }elsif($$hash{$key}[5] eq 'ipfire' ){
191 if($$hash{$key}[6] eq 'GREEN'){
192 $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
193 }
194 if($$hash{$key}[6] eq 'BLUE'){
195 $targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
196 }
197 if($$hash{$key}[6] eq 'ORANGE'){
198 $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
199 }
200 if($$hash{$key}[6] eq 'ALL'){
201 $targethash{$key}[0]='0.0.0.0/0';
202 }
203 if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){
204 open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress";
205 $targethash{$key}[0]= <FILE>;
206 close(FILE);
207 }else{
208 foreach my $alias (sort keys %aliases){
209 if ($$hash{$key}[6] eq $alias){
210 $targethash{$key}[0]=$aliases{$alias}{'IPT'};
211 }
212 }
213 }
214 }else{
215 &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
216 }
217 ##get source prot and port
218 $SRC_TGT='SRC';
219 $SPROT = &get_prot($hash,$key);
220 $SPORT = &get_port($hash,$key);
221 $SRC_TGT='';
222
223 ##get target prot and port
224 $DPROT=&get_prot($hash,$key);
225
226 if ($DPROT eq ''){$DPROT=' ';}
227 @DPROT=split(",",$DPROT);
228
229 #get time if defined
230 if($$hash{$key}[18] eq 'ON'){
231 my ($time1,$time2,$daylight);
232 my $daylight=$$hash{$key}[28];
233 $time1=&get_time($$hash{$key}[26],$daylight);
234 $time2=&get_time($$hash{$key}[27],$daylight);
235 if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
236 if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
237 if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
238 if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
239 if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
240 if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
241 if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
242 $TIME=join(",",@timeframe);
243
244 $TIMEFROM="--timestart $time1 ";
245 $TIMETILL="--timestop $time2 ";
246 $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
247 }
248 if ($MODE eq '1'){
249 print "NR:$key ";
250 foreach my $i (0 .. $#{$$hash{$key}}){
251 print "$i: $$hash{$key}[$i] ";
252 }
253 print "\n";
254 print"##################################\n";
255 #print rules to console
256 foreach my $DPROT (@DPROT){
257 $DPORT = &get_port($hash,$key,$DPROT);
258 if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
259 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
260 foreach my $a (sort keys %sourcehash){
261 foreach my $b (sort keys %targethash){
262 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
263 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
264 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
265 if(substr($DPORT, 2, 4) eq 'icmp'){
266 my @icmprule= split(",",substr($DPORT, 12,));
267 foreach (@icmprule){
268 if ($$hash{$key}[17] eq 'ON'){
269 print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n";
270 }
271 print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n";
272 }
273 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
274 $natchain='NAT_DESTINATION';
275 if ($$hash{$key}[17] eq 'ON'){
276 print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
277 }
278 my ($ip,$sub) =split("/",$targethash{$b}[0]);
279 print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
280 $DPORT =~ s/\-/:/g;
281 if ($DPORT){
282 $fwaccessdport="--dport ".substr($DPORT,1,);
283 }elsif(! $DPORT && $$hash{$key}[30] ne ''){
284 if ($$hash{$key}[30]=~m/|/i){
285 $$hash{$key}[30] =~ s/\|/,/g;
286 $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
287 }else{
288 $fwaccessdport="--dport $$hash{$key}[30]";
289 }
290 }
291 print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
292 next;
293 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
294 $natchain='NAT_SOURCE';
295 print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
296 }
297 if ($$hash{$key}[17] eq 'ON'){
298 print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
299 }
300 if ($PROT ne '-p ICMP'){
301 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
302 }
303 }
304 }
305 }
306 }
307 print"\n";
308 }
309 }elsif($MODE eq '0'){
310 foreach my $DPROT (@DPROT){
311 $DPORT = &get_port($hash,$key,$DPROT);
312 if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
313 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
314 foreach my $a (sort keys %sourcehash){
315 foreach my $b (sort keys %targethash){
316 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
317 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
318 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
319 #Process ICMP RULE
320 if(substr($DPORT, 2, 4) eq 'icmp'){
321 my @icmprule= split(",",substr($DPORT, 12,));
322 foreach (@icmprule){
323 if ($$hash{$key}[17] eq 'ON'){
324 system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG");
325 }
326 system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]");
327 }
328 #PROCESS DNAT RULE (Portforward)
329 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
330 $natchain='NAT_DESTINATION';
331 if ($$hash{$key}[17] eq 'ON'){
332 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
333 }
334 my ($ip,$sub) =split("/",$targethash{$b}[0]);
335 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
336 $DPORT =~ s/\-/:/g;
337 if ($DPORT){
338 $fwaccessdport="--dport ".substr($DPORT,1,);
339 }elsif(! $DPORT && $$hash{$key}[30] ne ''){
340 if ($$hash{$key}[30]=~m/|/i){
341 $$hash{$key}[30] =~ s/\|/,/g;
342 $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
343 }else{
344 $fwaccessdport="--dport $$hash{$key}[30]";
345 }
346 }
347 system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
348 next;
349 #PROCESS SNAT RULE
350 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
351 $natchain='NAT_SOURCE';
352 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
353 }
354 if ($$hash{$key}[17] eq 'ON'){
355 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
356 }
357 #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
358 if ($PROT ne '-p ICMP'){
359 system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
360 }
361 }
362 }
363 }
364 }
365 }
366 }
367 }
368 %sourcehash=();
369 %targethash=();
370 undef $TIME;
371 undef $TIMEFROM;
372 undef $TIMETILL;
373 undef $fireport;
374 }
375 }
376 sub get_nat_ip
377 {
378 my $val=shift;
379 my $type=shift;
380 my $result;
381 if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){
382 $result=$defaultNetworks{$val.'_ADDRESS'};
383 }elsif($val eq 'ALL'){
384 $result='-i '.$con;
385 }elsif($val eq 'Default IP' && $type eq 'dnat'){
386 $result='-d '.$redip;
387 }elsif($val eq 'Default IP' && $type eq 'snat'){
388 $result=$redip;
389 }else{
390 foreach my $al (sort keys %aliases){
391 if($val eq $al && $type eq 'dnat'){
392 $result='-d '.$aliases{$al}{'IPT'};
393 }elsif($val eq $al && $type eq 'snat'){
394 $result=$aliases{$al}{'IPT'};
395 }
396 }
397 }
398 return $result;
399 }
400 sub get_time
401 {
402 my $val=shift;
403 my $val1=shift;
404 my $time;
405 my $minutes;
406 my $ruletime;
407 $minutes = &utcmin($val);
408 $ruletime = $minutes + &time_get_utc($val);
409 if ($ruletime < 0){$ruletime +=1440;}
410 if ($ruletime > 1440){$ruletime -=1440;}
411 $time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60;
412 return $time;
413 }
414 sub time_get_utc
415 {
416 # Calculates the UTCtime from a given time
417 my $val=shift;
418 my @localtime=localtime(time);
419 my @gmtime=gmtime(time);
420 my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60);
421 return $diff;
422 }
423 sub utcmin
424 {
425 my $ruletime=shift;
426 my ($hrs,$min) = split(":",$ruletime);
427 my $newtime = $hrs*60+$min;
428 return $newtime;
429 }
430 sub p2pblock
431 {
432 my $P2PSTRING;
433 my $DO;
434 open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
435 @p2ps = <FILE>;
436 close FILE;
437 my $CMD = "-m ipp2p";
438 foreach my $p2pentry (sort @p2ps) {
439 my @p2pline = split( /\;/, $p2pentry );
440 if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
441 $DO = "ACCEPT";
442 if ("$p2pline[2]" eq "on") {
443 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
444 }
445 }else {
446 $DO = "RETURN";
447 if ("$p2pline[2]" eq "off") {
448 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
449 }
450 }
451 }
452 if ($MODE eq 1){
453 if($P2PSTRING){
454 print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
455 }
456 }else{
457 if($P2PSTRING){
458 system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO");
459 }
460 }
461 }
462 sub get_address
463 {
464 my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
465 my $base2=shift;
466 my $type=shift; #src or tgt
467 my $hash;
468 if ($type eq 'src'){
469 $hash=\%sourcehash;
470 }else{
471 $hash=\%targethash;
472 }
473 my $key = &General::findhasharraykey($hash);
474 if($base eq 'src_addr' || $base eq 'tgt_addr' ){
475 if (&General::validmac($base2)){
476 $$hash{$key}[0] = "-m mac --mac-source $base2";
477 }else{
478 $$hash{$key}[0] = $base2;
479 }
480 }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
481 $$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con);
482 }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
483 $$hash{$key}[0]=&fwlib::get_net_ip($base2);
484 }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){
485 $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
486 }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){
487 $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
488 }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){
489 $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
490 }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){
491 $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11);
492 }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
493 $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
494 }elsif($base eq 'ipfire_src' ){
495 if($base2 eq 'GREEN'){
496 $$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
497 }
498 if($base2 eq 'BLUE'){
499 $$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
500 }
501 if($base2 eq 'ORANGE'){
502 $$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
503 }
504 if($base2 eq 'ALL'){
505 $$hash{$key}[0]='0.0.0.0/0';
506 }
507 if($base2 eq 'RED' || $base2 eq 'RED1'){
508 open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress";
509 $$hash{$key}[0]= <FILE>;
510 close(FILE);
511 }else{
512 foreach my $alias (sort keys %aliases){
513 if ($base2 eq $alias){
514 $$hash{$key}[0]=$aliases{$alias}{'IPT'};
515 }
516 }
517 }
518 }
519 }
520 sub get_prot
521 {
522 my $hash=shift;
523 my $key=shift;
524 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
525 if ($$hash{$key}[10] ne ''){
526 return"$$hash{$key}[8]";
527 }elsif($$hash{$key}[9] ne ''){
528 return"$$hash{$key}[8]";
529 }else{
530 return "$$hash{$key}[8]";
531 }
532 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
533 if ($$hash{$key}[14] eq 'TGT_PORT'){
534 if ($$hash{$key}[15] ne ''){
535 return "$$hash{$key}[12]";
536 }elsif($$hash{$key}[13] ne ''){
537 return "$$hash{$key}[12]";
538 }else{
539 return "$$hash{$key}[12]";
540 }
541 }elsif($$hash{$key}[14] eq 'cust_srv'){
542 return &fwlib::get_srv_prot($$hash{$key}[15]);
543
544 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
545 return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
546 }
547 }
548 #DNAT
549 if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){
550 return "$$hash{$key}[12]";
551 }
552 }
553 sub get_port
554 {
555 my $hash=shift;
556 my $key=shift;
557 my $prot=shift;
558 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
559 if ($$hash{$key}[10] ne ''){
560 $$hash{$key}[10] =~ s/\|/,/g;
561 if(index($$hash{$key}[10],",") > 0){
562 return "-m multiport --sport $$hash{$key}[10] ";
563 }else{
564 if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){
565 return "--sport $$hash{$key}[10] ";
566 }else{
567 return ":$$hash{$key}[10]";
568 }
569 }
570 }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
571 return "--icmp-type $$hash{$key}[9] ";
572 }elsif($$hash{$key}[9] eq 'All ICMP-Types'){
573 return;
574 }
575 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
576 if($$hash{$key}[14] eq 'TGT_PORT'){
577 if ($$hash{$key}[15] ne ''){
578 $$hash{$key}[15] =~ s/\|/,/g;
579 if(index($$hash{$key}[15],",") > 0){
580 return "-m multiport --dport $$hash{$key}[15] ";
581 }else{
582 if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){
583 return "--dport $$hash{$key}[15] ";
584 }else{
585 $$hash{$key}[15] =~ s/\:/-/g;
586 return ":$$hash{$key}[15]";
587 }
588 }
589 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
590 return "--icmp-type $$hash{$key}[13] ";
591 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){
592 return;
593 }
594 }elsif($$hash{$key}[14] eq 'cust_srv'){
595 if ($prot ne 'ICMP'){
596 if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
597 return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
598 }else{
599 return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
600 }
601 }elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){
602 return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
603 }elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){
604 return;
605 }
606 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
607 if ($prot ne 'ICMP'){
608 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
609 }
610 elsif($prot eq 'ICMP'){
611 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
612 }
613 }
614 }
615 }
Timo's tree of IPFire 2.x