#!/usr/bin/perl ######################################################################## # Script: convert-portfw # Date: 21.03.2013 # Author: Alexander Marx (amarx@ipfire.org) ######################################################################## # # This script converts old portforwarding rules from old Firewall # to the new one. This is a 3-step process. # STEP1: read old config and normalize settings # STEP2: create new rules from old ones # STEP3: check if rule already exists, when not, put it into # /var/ipfire/forward/nat ######################################################################## require '/var/ipfire/general-functions.pl'; my @values=(); my @built_rules=(); my %nat=(); my $portfwconfig = "${General::swroot}/portfw/config"; my $confignat = "${General::swroot}/forward/config"; my ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark); my ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1); my $count=0; my $jump; if(! -d "/var/log/converters"){ mkdir("/var/log/converters");} open(FILE, $portfwconfig) or die 'Unable to open config file.'; my @current = ; close(FILE); open (LOG, ">/var/log/converters/portfw-convert.log") or die $!; open(ALIAS, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.'; my @alias = ; close(ALIAS); &get_config; &build_rules; &write_rules; sub get_config { print LOG "STEP 1: Get config from old portforward\n#########################################\n"; foreach my $line (@current){ if($jump eq '1'){ $jump=''; $count++; next; } my $u=$count+1; ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark) = split(",",$line); ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1) = split(",",$current[$u]); if ($flag1 eq '1'){ $source=$source1; $jump='1'; } my $now=localtime; chomp($remark); print LOG "$now processing-> KEY: $key FLAG: $flag PROT: $prot FIREPORT: $ipfireport TARGET: $target TGTPORT: $targetport ACTIVE: $active ALIAS: $alias SOURCE: $source REM: $remark Doublerule: $jump\n"; push (@values,$prot.",".$ipfireport.",".$target.",".$targetport.",".$active.",".$alias.",".$source.",".$remark); $count++; } } sub build_rules { print LOG "\nSTEP 2: Convert old portforwardrules in a useable format\n########################################################\n"; my $src; my $src1; my $ipfireip; my $count=0; my $stop; #build rules for new firewall foreach my $line (@values){ chomp ($line); ($prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark)=split(",",$line); $count++; #get sourcepart if($source eq '0.0.0.0/0'){ $src = 'std_net_src'; $src1 = 'ALL'; }else{ $src = 'src_addr'; my ($a,$b) = split("/",$source); $src1 = $a."/32"; } #get ipfire ip if($alias eq '0.0.0.0'){ $alias='ALL'; }else{ foreach my $ali (@alias){ my ($alias_ip,$alias_active,$alias_name) = split (",",$ali); if($alias eq $alias_ip){ chomp($alias_name); $alias=$alias_name; } } } $active = uc $active; $prot = uc $prot; chomp($remark); push (@built_rules,"ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat"); my $now=localtime; print LOG "$now Converted-> KEY: $count ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat\n"; } } sub write_rules { my $skip=''; my $id; print LOG "\nSTEP 3: Create DNAT rules in new firewall\n#########################################\n"; &General::readhasharray($confignat,\%nat); foreach my $line (@built_rules){ $skip=''; my ($action,$chain,$active,$src,$src1,$tgt,$tgt1,$use_prot,$prot,$dummy,$tgt_port,$tgt_port1,$remark,$from,$to,$use_port,$alias,$ipfireport,$dnat) = split (",",$line); foreach my $key (sort keys %nat){ if ($line eq "$nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$nat{$key}[6],$nat{$key}[11],$nat{$key}[12],$nat{$key}[13],$nat{$key}[14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31]"){ my $now=localtime; print LOG "$now SKIP-> Rule $nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$nat{$key}[6],$nat{$key}[11],$nat{$key}[12],$nat{$key}[13],$nat{$key}[14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31] ->EXISTS\n"; $skip='1'; } } if ($skip ne '1'){ $id = &General::findhasharraykey(\%nat); $nat{$id}[0] = $action; $nat{$id}[1] = $chain; $nat{$id}[2] = $active; $nat{$id}[3] = $src; $nat{$id}[4] = $src1; $nat{$id}[5] = $tgt; $nat{$id}[6] = $tgt1; $nat{$id}[11] = $use_prot; $nat{$id}[12] = $prot; $nat{$id}[13] = $dummy; $nat{$id}[14] = $tgt_port; $nat{$id}[15] = $tgt_port1; $nat{$id}[16] = $remark; $nat{$id}[26] = $from; $nat{$id}[27] = $to; $nat{$id}[28] = $use_port; $nat{$id}[29] = $alias; $nat{$id}[30] = $ipfireport; $nat{$id}[31] = $dnat; my $now=localtime; print LOG "$now NEW RULE-> Rule $nat{$id}[0],$nat{$id}[1],$nat{$id}[2],$nat{$id}[3],$nat{$id}[4],$nat{$id}[5],$nat{$id}[6],$nat{$id}[11],$nat{$id}[12],$nat{$id}[13],$nat{$id}[14],$nat{$id}[15],$nat{$id}[16],$nat{$id}[26],$nat{$id}[27],$nat{$id}[28],$nat{$id}[29],$nat{$id}[30],$nat{$id}[31]\n"; } } &General::writehasharray($confignat,\%nat); } close (LOG);