]> git.ipfire.org Git - people/teissler/ipfire-2.x.git/blob - config/forwardfw/rules.pl
projects / people / teissler / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Forward Firewall: Design changes
[people/teissler/ipfire-2.x.git] / config / forwardfw / rules.pl
1 #!/usr/bin/perl
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2012 #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21 # #
22 # Hi folks! I hope this code is useful for all. I needed something to handle #
23 # my VPN Connections in a comfortable way. #
24 # This script builds firewallrules from the webinterface #
25 ###############################################################################
26
27 use strict;
28 use Time::Local;
29 no warnings 'uninitialized';
30
31 # enable only the following on debugging purpose
32 #use warnings;
33 #use CGI::Carp 'fatalsToBrowser';
34
35 my %fwdfwsettings=();
36 my %defaultNetworks=();
37 my %configfwdfw=();
38 my %color=();
39 my %icmptypes=();
40 my %ovpnSettings=();
41 my %customgrp=();
42 our %sourcehash=();
43 our %targethash=();
44 my @timeframe=();
45 my %configinputfw=();
46 my %configoutgoingfw=();
47 my %confignatfw=();
48 my %aliases=();
49 my @DPROT=();
50 my @p2ps=();
51 require '/var/ipfire/general-functions.pl';
52 require "${General::swroot}/lang.pl";
53 require "${General::swroot}/forward/bin/firewall-lib.pl";
54
55 my $configfwdfw = "${General::swroot}/forward/config";
56 my $configinput = "${General::swroot}/forward/input";
57 my $configoutgoing = "${General::swroot}/forward/outgoing";
58 my $confignat = "${General::swroot}/forward/nat";
59 my $p2pfile = "${General::swroot}/forward/p2protocols";
60 my $configgrp = "${General::swroot}/fwhosts/customgroups";
61 my $netsettings = "${General::swroot}/ethernet/settings";
62 my $errormessage='';
63 my $orange;
64 my $green;
65 my $blue;
66 my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
67 my $CHAIN="FORWARDFW";
68 my $conexists='off';
69 my $command = 'iptables -A';
70 my $dnat='';
71 my $snat='';
72 &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
73 &General::readhash("$netsettings", \%defaultNetworks);
74 &General::readhasharray($configfwdfw, \%configfwdfw);
75 &General::readhasharray($configinput, \%configinputfw);
76 &General::readhasharray($configoutgoing, \%configoutgoingfw);
77 &General::readhasharray($confignat, \%confignatfw);
78 &General::readhasharray($configgrp, \%customgrp);
79 &General::get_aliases(\%aliases);
80
81 #check if we have an internetconnection
82 open (CONN,"/var/ipfire/red/iface");
83 my $con = <CONN>;
84 close(CONN);
85 if (-f "/var/ipfire/red/active"){
86 $conexists='on';
87 }
88 open (CONN1,"/var/ipfire/red/local-ipaddress");
89 my $redip = <CONN1>;
90 close(CONN1);
91 ################################
92 # DEBUG/TEST #
93 ################################
94 my $MODE=1; # 0 - normal operation
95 # 1 - print configline and rules to console
96 #
97 ################################
98 my $param=shift;
99
100 if($param eq 'flush'){
101 if ($MODE eq '1'){
102 print " Flushing chains...\n";
103 }
104 &flush;
105 }else{
106 if ($MODE eq '1'){
107 print " Flushing chains...\n";
108 }
109 &flush;
110 if ($MODE eq '1'){
111 print " Preparing rules...\n";
112 }
113 &preparerules;
114 if($MODE eq '0'){
115 if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
116 &p2pblock;
117 system ("/usr/sbin/firewall-policy");
118 }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
119 $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
120 $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
121 if ($defaultNetworks{'BLUE_DEV'}){
122 $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'});
123 $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}";
124 #set default rules for BLUE
125 system ("iptables -A $CHAIN -s $blue -d $green -j RETURN");
126 }
127 if ($defaultNetworks{'ORANGE_DEV'}){
128 $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
129 $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
130 #set default rules for DMZ
131 system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
132 if ($defaultNetworks{'BLUE_DEV'}){
133 system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN");
134 }
135 }
136 &p2pblock;
137 system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
138 system ("/usr/sbin/firewall-policy");
139 system ("/etc/sysconfig/firewall.local reload");
140 }
141 }
142 }
143 sub flush
144 {
145 system ("iptables -F FORWARDFW");
146 system ("iptables -F INPUTFW");
147 system ("iptables -F OUTGOINGFW");
148 system ("iptables -t nat -F NAT_DESTINATION");
149 system ("iptables -t nat -F NAT_SOURCE");
150 }
151 sub preparerules
152 {
153 if (! -z "${General::swroot}/forward/config"){
154 &buildrules(\%configfwdfw);
155 }
156 if (! -z "${General::swroot}/forward/input"){
157 &buildrules(\%configinputfw);
158 }
159 if (! -z "${General::swroot}/forward/outgoing"){
160 &buildrules(\%configoutgoingfw);
161 }
162 if (! -z "${General::swroot}/forward/nat"){
163 &buildrules(\%confignatfw);
164 }
165 }
166 sub buildrules
167 {
168 my $hash=shift;
169 my $STAG;
170 my $natip;
171 my $snatport;
172 my $fireport;
173 my $nat;
174 my $fwaccessdport;
175 my $natchain;
176 foreach my $key (sort {$a <=> $b} keys %$hash){
177 next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' );
178 if ($$hash{$key}[28] eq 'ON'){
179 $command='iptables -t nat -A';
180 $natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]);
181 if($$hash{$key}[31] eq 'dnat'){
182 $nat='DNAT';
183 if ($$hash{$key}[30] =~ /\|/){
184 $$hash{$key}[30]=~ tr/|/,/;
185 $fireport='-m multiport --dport '.$$hash{$key}[30];
186 }else{
187 $fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0);
188 }
189 }else{
190 $nat='SNAT';
191 }
192 }
193 $STAG='';
194 if($$hash{$key}[2] eq 'ON'){
195 #get source ip's
196 if ($$hash{$key}[3] eq 'cust_grp_src'){
197 foreach my $grp (sort {$a <=> $b} keys %customgrp){
198 if($customgrp{$grp}[0] eq $$hash{$key}[4]){
199 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
200 }
201 }
202 }else{
203 &get_address($$hash{$key}[3],$$hash{$key}[4],"src");
204 }
205 #get target ip's
206 if ($$hash{$key}[5] eq 'cust_grp_tgt'){
207 foreach my $grp (sort {$a <=> $b} keys %customgrp){
208 if($customgrp{$grp}[0] eq $$hash{$key}[6]){
209 &get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
210 }
211 }
212 }elsif($$hash{$key}[5] eq 'ipfire' ){
213 if($$hash{$key}[6] eq 'GREEN'){
214 $targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
215 }
216 if($$hash{$key}[6] eq 'BLUE'){
217 $targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
218 }
219 if($$hash{$key}[6] eq 'ORANGE'){
220 $targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
221 }
222 if($$hash{$key}[6] eq 'ALL'){
223 $targethash{$key}[0]='0.0.0.0/0';
224 }
225 if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){
226 open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress";
227 $targethash{$key}[0]= <FILE>;
228 close(FILE);
229 }else{
230 foreach my $alias (sort keys %aliases){
231 if ($$hash{$key}[6] eq $alias){
232 $targethash{$key}[0]=$aliases{$alias}{'IPT'};
233 }
234 }
235 }
236 }else{
237 &get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
238 }
239 ##get source prot and port
240 $SRC_TGT='SRC';
241 $SPROT = &get_prot($hash,$key);
242 $SPORT = &get_port($hash,$key);
243 $SRC_TGT='';
244
245 ##get target prot and port
246 $DPROT=&get_prot($hash,$key);
247
248 if ($DPROT eq ''){$DPROT=' ';}
249 @DPROT=split(",",$DPROT);
250
251 #get time if defined
252 if($$hash{$key}[18] eq 'ON'){
253 my ($time1,$time2,$daylight);
254 my $daylight=$$hash{$key}[28];
255 $time1=&get_time($$hash{$key}[26],$daylight);
256 $time2=&get_time($$hash{$key}[27],$daylight);
257 if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
258 if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
259 if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
260 if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
261 if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
262 if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
263 if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
264 $TIME=join(",",@timeframe);
265
266 $TIMEFROM="--timestart $time1 ";
267 $TIMETILL="--timestop $time2 ";
268 $TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
269 }
270 if ($MODE eq '1'){
271 print "NR:$key ";
272 foreach my $i (0 .. $#{$$hash{$key}}){
273 print "$i: $$hash{$key}[$i] ";
274 }
275 print "\n";
276 print"##################################\n";
277 #print rules to console
278 foreach my $DPROT (@DPROT){
279 $DPORT = &get_port($hash,$key,$DPROT);
280 if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
281 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
282 foreach my $a (sort keys %sourcehash){
283 foreach my $b (sort keys %targethash){
284 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
285 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
286 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
287 if(substr($DPORT, 2, 4) eq 'icmp'){
288 my @icmprule= split(",",substr($DPORT, 12,));
289 foreach (@icmprule){
290 if ($$hash{$key}[17] eq 'ON'){
291 print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n";
292 }
293 print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n";
294 }
295 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
296 $natchain='NAT_DESTINATION';
297 if ($$hash{$key}[17] eq 'ON'){
298 print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
299 }
300 my ($ip,$sub) =split("/",$targethash{$b}[0]);
301 print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
302 $DPORT =~ s/\-/:/g;
303 if ($DPORT){
304 $fwaccessdport="--dport ".substr($DPORT,1,);
305 }elsif(! $DPORT && $$hash{$key}[30] ne ''){
306 if ($$hash{$key}[30]=~m/|/i){
307 $$hash{$key}[30] =~ s/\|/,/g;
308 $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
309 }else{
310 $fwaccessdport="--dport $$hash{$key}[30]";
311 }
312 }
313 print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
314 next;
315 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
316 $natchain='NAT_SOURCE';
317 print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
318 }
319 if ($$hash{$key}[17] eq 'ON'){
320 print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
321 }
322 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
323 }
324 }
325 }
326 }
327 print"\n";
328 }
329 }elsif($MODE eq '0'){
330 foreach my $DPROT (@DPROT){
331 $DPORT = &get_port($hash,$key,$DPROT);
332 if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
333 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
334 foreach my $a (sort keys %sourcehash){
335 foreach my $b (sort keys %targethash){
336 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
337 if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
338 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
339 if(substr($DPORT, 2, 4) eq 'icmp'){
340 my @icmprule= split(",",substr($DPORT, 12,));
341 foreach (@icmprule){
342 if ($$hash{$key}[17] eq 'ON'){
343 system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG");
344 }
345 system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]");
346 }
347 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
348 $natchain='NAT_DESTINATION';
349 if ($$hash{$key}[17] eq 'ON'){
350 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
351 }
352 my ($ip,$sub) =split("/",$targethash{$b}[0]);
353 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
354 $DPORT =~ s/\-/:/g;
355 if ($DPORT){
356 $fwaccessdport="--dport ".substr($DPORT,1,);
357 }elsif(! $DPORT && $$hash{$key}[30] ne ''){
358 if ($$hash{$key}[30]=~m/|/i){
359 $$hash{$key}[30] =~ s/\|/,/g;
360 $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
361 }else{
362 $fwaccessdport="--dport $$hash{$key}[30]";
363 }
364 }
365 system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
366 next;
367 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
368 $natchain='NAT_SOURCE';
369 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
370 }
371 if ($$hash{$key}[17] eq 'ON'){
372 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
373 }
374 system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
375 }
376 }
377 }
378 }
379 }
380 }
381 }
382 %sourcehash=();
383 %targethash=();
384 undef $TIME;
385 undef $TIMEFROM;
386 undef $TIMETILL;
387 undef $fireport;
388 }
389 }
390 sub get_nat_ip
391 {
392 my $val=shift;
393 my $type=shift;
394 my $result;
395 if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){
396 $result=$defaultNetworks{$val.'_ADDRESS'};
397 }elsif($val eq 'ALL'){
398 $result='-i '.$con;
399 }elsif($val eq 'Default IP' && $type eq 'dnat'){
400 $result='-d '.$redip;
401 }elsif($val eq 'Default IP' && $type eq 'snat'){
402 $result=$redip;
403 }else{
404 foreach my $al (sort keys %aliases){
405 if($val eq $al && $type eq 'dnat'){
406 $result='-d '.$aliases{$al}{'IPT'};
407 }elsif($val eq $al && $type eq 'snat'){
408 $result=$aliases{$al}{'IPT'};
409 }
410 }
411 }
412 return $result;
413 }
414 sub get_time
415 {
416 my $val=shift;
417 my $val1=shift;
418 my $time;
419 my $minutes;
420 my $ruletime;
421 $minutes = &utcmin($val);
422 $ruletime = $minutes + &time_get_utc($val);
423 if ($ruletime < 0){$ruletime +=1440;}
424 if ($ruletime > 1440){$ruletime -=1440;}
425 $time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60;
426 return $time;
427 }
428 sub time_get_utc
429 {
430 # Calculates the UTCtime from a given time
431 my $val=shift;
432 my @localtime=localtime(time);
433 my @gmtime=gmtime(time);
434 my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60);
435 return $diff;
436 }
437 sub utcmin
438 {
439 my $ruletime=shift;
440 my ($hrs,$min) = split(":",$ruletime);
441 my $newtime = $hrs*60+$min;
442 return $newtime;
443 }
444 sub p2pblock
445 {
446 my $P2PSTRING;
447 my $DO;
448 open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
449 @p2ps = <FILE>;
450 close FILE;
451 my $CMD = "-m ipp2p";
452 foreach my $p2pentry (sort @p2ps) {
453 my @p2pline = split( /\;/, $p2pentry );
454 if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
455 $DO = "ACCEPT";
456 if ("$p2pline[2]" eq "on") {
457 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
458 }
459 }else {
460 $DO = "RETURN";
461 if ("$p2pline[2]" eq "off") {
462 $P2PSTRING = "$P2PSTRING --$p2pline[1]";
463 }
464 }
465 }
466 if ($MODE eq 1){
467 if($P2PSTRING){
468 print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
469 }
470 }else{
471 if($P2PSTRING){
472 system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO");
473 }
474 }
475 }
476 sub get_address
477 {
478 my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
479 my $base2=shift;
480 my $type=shift; #src or tgt
481 my $hash;
482 if ($type eq 'src'){
483 $hash=\%sourcehash;
484 }else{
485 $hash=\%targethash;
486 }
487 my $key = &General::findhasharraykey($hash);
488 if($base eq 'src_addr' || $base eq 'tgt_addr' ){
489 if (&General::validmac($base2)){
490 $$hash{$key}[0] = "-m mac --mac-source $base2";
491 }else{
492 $$hash{$key}[0] = $base2;
493 }
494 }elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
495 $$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con);
496 }elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
497 $$hash{$key}[0]=&fwlib::get_net_ip($base2);
498 }elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host'){
499 $$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
500 }elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network'){
501 $$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
502 }elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host'){
503 $$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
504 }elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N'){
505 $$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11);
506 }elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network'){
507 $$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
508 }elsif($base eq 'ipfire_src' ){
509 if($base2 eq 'GREEN'){
510 $$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
511 }
512 if($base2 eq 'BLUE'){
513 $$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
514 }
515 if($base2 eq 'ORANGE'){
516 $$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
517 }
518 if($base2 eq 'ALL'){
519 $$hash{$key}[0]='0.0.0.0/0';
520 }
521 if($base2 eq 'RED' || $base2 eq 'RED1'){
522 open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress";
523 $$hash{$key}[0]= <FILE>;
524 close(FILE);
525 }else{
526 foreach my $alias (sort keys %aliases){
527 if ($base2 eq $alias){
528 $$hash{$key}[0]=$aliases{$alias}{'IPT'};
529 }
530 }
531 }
532 }
533 }
534 sub get_prot
535 {
536 my $hash=shift;
537 my $key=shift;
538 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
539 if ($$hash{$key}[10] ne ''){
540 return"$$hash{$key}[8]";
541 }elsif($$hash{$key}[9] ne ''){
542 return"$$hash{$key}[8]";
543 }else{
544 return "$$hash{$key}[8]";
545 }
546 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
547 if ($$hash{$key}[14] eq 'TGT_PORT'){
548 if ($$hash{$key}[15] ne ''){
549 return "$$hash{$key}[12]";
550 }elsif($$hash{$key}[13] ne ''){
551 return "$$hash{$key}[12]";
552 }else{
553 return "$$hash{$key}[12]";
554 }
555 }elsif($$hash{$key}[14] eq 'cust_srv'){
556 return &fwlib::get_srv_prot($$hash{$key}[15]);
557
558 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
559 return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
560 }
561 }
562 #DNAT
563 if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && $$hash{$key}[12] ne ''){
564 return "$$hash{$key}[12]";
565 }
566 }
567 sub get_port
568 {
569 my $hash=shift;
570 my $key=shift;
571 my $prot=shift;
572 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
573 if ($$hash{$key}[10] ne ''){
574 $$hash{$key}[10] =~ s/\|/,/g;
575 if(index($$hash{$key}[10],",") > 0){
576 return "-m multiport --sport $$hash{$key}[10] ";
577 }else{
578 if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat') ){
579 return "--sport $$hash{$key}[10] ";
580 }else{
581 return ":$$hash{$key}[10]";
582 }
583 }
584 }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
585 return "--icmp-type $$hash{$key}[9] ";
586 }elsif($$hash{$key}[9] eq 'All ICMP-Types'){
587 return;
588 }
589 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
590 if($$hash{$key}[14] eq 'TGT_PORT'){
591 if ($$hash{$key}[15] ne ''){
592 $$hash{$key}[15] =~ s/\|/,/g;
593 if(index($$hash{$key}[15],",") > 0){
594 return "-m multiport --dport $$hash{$key}[15] ";
595 }else{
596 if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat') ){
597 return "--dport $$hash{$key}[15] ";
598 }else{
599 $$hash{$key}[15] =~ s/\:/-/g;
600 return ":$$hash{$key}[15]";
601 }
602 }
603 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
604 return "--icmp-type $$hash{$key}[13] ";
605 }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){
606 return;
607 }
608 }elsif($$hash{$key}[14] eq 'cust_srv'){
609 if ($prot ne 'ICMP'){
610 if($$hash{$key}[31] eq 'dnat'){
611 return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
612 }else{
613 return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
614 }
615 }elsif($prot eq 'ICMP' && $$hash{$key}[15] ne 'All ICMP-Types'){
616 return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
617 }elsif($prot eq 'ICMP' && $$hash{$key}[15] eq 'All ICMP-Types'){
618 return;
619 }
620 }elsif($$hash{$key}[14] eq 'cust_srvgrp'){
621 if ($prot ne 'ICMP'){
622 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
623 }
624 elsif($prot eq 'ICMP'){
625 return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
626 }
627 }
628 }
629 }
Timo's tree of IPFire 2.x