my @p2ps=();
require '/var/ipfire/general-functions.pl';
require "${General::swroot}/lang.pl";
-require "${General::swroot}/firewall/bin/firewall-lib.pl";
+require "/usr/lib/firewall/firewall-lib.pl";
my $configfwdfw = "${General::swroot}/firewall/config";
my $configinput = "${General::swroot}/firewall/input";
my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
my $CHAIN = "FORWARDFW";
my $conexists = 'off';
-my $command = 'iptables -A';
+my $command = 'iptables --wait -A';
my $dnat ='';
my $snat ='';
system ("/usr/sbin/firewall-policy");
}elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
&p2pblock;
- system ("iptables -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT");
system ("/usr/sbin/firewall-policy");
- system ("/etc/sysconfig/firewall.local reload");
}
}
}
sub flush
{
- system ("iptables -F FORWARDFW");
- system ("iptables -F INPUTFW");
- system ("iptables -F OUTGOINGFW");
- system ("iptables -t nat -F NAT_DESTINATION");
- system ("iptables -t nat -F NAT_SOURCE");
+ system ("iptables --wait -F FORWARDFW");
+ system ("iptables --wait -F INPUTFW");
+ system ("iptables --wait -F OUTGOINGFW");
+ system ("iptables --wait -t nat -F NAT_DESTINATION");
+ system ("iptables --wait -t nat -F NAT_SOURCE");
}
sub preparerules
{
my $icmptype;
foreach my $key (sort {$a <=> $b} keys %$hash){
next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' );
- $command="iptables -A";
+ $command="iptables --wait -A";
if ($$hash{$key}[28] eq 'ON'){
- $command='iptables -t nat -A';
+ $command='iptables --wait -t nat -A';
$natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]);
if($$hash{$key}[31] eq 'dnat'){
$nat='DNAT';
$TIMETILL="--timestop $time2 ";
$TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
}
- if ($MODE eq '1'){
- print "NR:$key ";
- foreach my $i (0 .. $#{$$hash{$key}}){
- print "$i: $$hash{$key}[$i] ";
+ foreach my $DPROT (@DPROT){
+ $DPORT = &get_port($hash,$key,$DPROT);
+ $PROT=$DPROT;
+ $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
+ if ($DPROT ne 'TCP' && $DPROT ne'UDP' && $DPROT ne 'ICMP' ){
+ $DPORT='';
}
- print "\n";
- print"##################################\n";
- #print rules to console
- foreach my $DPROT (@DPROT){
- $DPORT = &get_port($hash,$key,$DPROT);
- if ($DPROT ne 'TCP' && $DPROT ne 'UDP' && $DPROT ne 'ICMP' ){
- $DPORT='';
- }
- $PROT=$DPROT;
- $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
- foreach my $a (sort keys %sourcehash){
- foreach my $b (sort keys %targethash){
- next if ($targethash{$b}[0] eq 'none');
- $STAG='';
- if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
- if($DPROT ne ''){
- if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
- #Process ICMP RULE
- if(substr($DPORT, 2, 4) eq 'icmp'){
- my @icmprule= split(",",substr($DPORT, 12,));
- foreach (@icmprule){
- $icmptype="--icmp-type ";
- if ($_ eq "BLANK") {
- $icmptype="";
- $_="";
- }
- if ($$hash{$key}[17] eq 'ON'){
- print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG\n";
- }
- print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]\n";
+ foreach my $a (sort keys %sourcehash){
+ foreach my $b (sort keys %targethash){
+ if(! $sourcehash{$a}[0] || ! $targethash{$b}[0] || ($natip eq '-d ' && $$hash{$key}[28] eq 'ON') || (!$natip && $$hash{$key}[28] eq 'ON')){
+ #Skip rules when no RED IP is set (DHCP,DSL)
+ next;
+ }
+ next if ($targethash{$b}[0] eq 'none');
+ $STAG='';
+ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
+ if($DPROT ne ''){
+ if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
+ #Process ICMP RULE
+ if(substr($DPORT, 2, 4) eq 'icmp'){
+ my @icmprule= split(",",substr($DPORT, 12,));
+ foreach (@icmprule){
+ $icmptype="--icmp-type ";
+ if ($_ eq "BLANK") {
+ $icmptype="";
+ $_="";
}
- #PROCESS DNAT RULE (Portforward)
- }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
- $natchain='NAT_DESTINATION';
if ($$hash{$key}[17] eq 'ON'){
- print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
- }
- my ($ip,$sub) =split("/",$targethash{$b}[0]);
- #Process NAT with servicegroup used
- if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){
- print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip $DPORT\n";
- $fwaccessdport=$DPORT;
- }else{
- print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
- $DPORT =~ s/\-/:/g;
- if ($DPORT){
- $fwaccessdport="--dport ".substr($DPORT,1,);
- }elsif(! $DPORT && $$hash{$key}[30] ne ''){
- if ($$hash{$key}[30]=~m/|/i){
- $$hash{$key}[30] =~ s/\|/,/g;
- $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
- }else{
- $fwaccessdport="--dport $$hash{$key}[30]";
- }
- }
- }
- print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
- next;
- #PROCESS SNAT RULE
- }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
- $natchain='NAT_SOURCE';
- if ($$hash{$key}[17] eq 'ON' ){
- print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT' \n";
+ system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG");
}
- print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
+ system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]");
}
- #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
- if ($PROT ne '-p ICMP'){
- if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
- print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
- }
- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
- }
- #PROCESS Prot ICMP and type = All ICMP-Types
- if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
- if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
- print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
- }
- print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ #PROCESS DNAT RULE (Portforward)
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
+ $natchain='NAT_DESTINATION';
+ if ($$hash{$key}[17] eq 'ON'){
+ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
}
- }
- }
- }
- }
- print"\n";
- }
- }elsif($MODE eq '0'){
- foreach my $DPROT (@DPROT){
- $DPORT = &get_port($hash,$key,$DPROT);
- $PROT=$DPROT;
- $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
- if ($DPROT ne 'TCP' && $DPROT ne'UDP' && $DPROT ne 'ICMP' ){
- $DPORT='';
- }
- foreach my $a (sort keys %sourcehash){
- foreach my $b (sort keys %targethash){
- next if ($targethash{$b}[0] eq 'none');
- $STAG='';
- if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
- if($DPROT ne ''){
- if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
- #Process ICMP RULE
- if(substr($DPORT, 2, 4) eq 'icmp'){
- my @icmprule= split(",",substr($DPORT, 12,));
- foreach (@icmprule){
- $icmptype="--icmp-type ";
- if ($_ eq "BLANK") {
- $icmptype="";
- $_="";
- }
- if ($$hash{$key}[17] eq 'ON'){
- system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG");
- }
- system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]");
- }
- #PROCESS DNAT RULE (Portforward)
- }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
- $natchain='NAT_DESTINATION';
- if ($$hash{$key}[17] eq 'ON'){
- system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
- }
- my ($ip,$sub) =split("/",$targethash{$b}[0]);
- #Process NAT with servicegroup used
- if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){
- system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip $DPORT\n";
- $fwaccessdport=$DPORT;
- }else{
- system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip$DPORT\n";
- $DPORT =~ s/\-/:/g;
- if ($DPORT){
- $fwaccessdport="--dport ".substr($DPORT,1,);
- }elsif(! $DPORT && $$hash{$key}[30] ne ''){
- if ($$hash{$key}[30]=~m/|/i){
- $$hash{$key}[30] =~ s/\|/,/g;
- $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
- }else{
- $fwaccessdport="--dport $$hash{$key}[30]";
- }
+ my ($ip,$sub) =split("/",$targethash{$b}[0]);
+ #Process NAT with servicegroup used
+ if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){
+ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip $DPORT\n";
+ $fwaccessdport=$DPORT;
+ }else{
+ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip$DPORT\n";
+ $DPORT =~ s/\-/:/g;
+ if ($DPORT){
+ $fwaccessdport="--dport ".substr($DPORT,1,);
+ }elsif(! $DPORT && $$hash{$key}[30] ne ''){
+ if ($$hash{$key}[30]=~m/|/i){
+ $$hash{$key}[30] =~ s/\|/,/g;
+ $fwaccessdport="-m multiport --dport $$hash{$key}[30]";
+ }else{
+ $fwaccessdport="--dport $$hash{$key}[30]";
}
}
- system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
- next;
- #PROCESS SNAT RULE
- }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
- $natchain='NAT_SOURCE';
- if ($$hash{$key}[17] eq 'ON' ){
- system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT' \n";
- }
- system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
}
- #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
- if ($PROT ne '-p ICMP'){
- if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
- system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
- }
- system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ system "iptables --wait -A FORWARDFW $PROT $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
+ next;
+ #PROCESS SNAT RULE
+ }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
+ $natchain='NAT_SOURCE';
+ if ($$hash{$key}[17] eq 'ON' ){
+ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT' \n";
}
- #PROCESS Prot ICMP and type = All ICMP-Types
- if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
- if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
- system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
- }
- system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to-source $natip\n";
+ }
+ #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
+ if ($PROT ne '-p ICMP'){
+ if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
+ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ }
+ system "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ }
+ #PROCESS Prot ICMP and type = All ICMP-Types
+ if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
+ if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
+ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
}
+ system "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
}
}
}
}
if ($MODE eq 1){
if($P2PSTRING){
- print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
+ print"/sbin/iptables --wait -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
}
}else{
if($P2PSTRING){
- system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO");
+ system("/sbin/iptables --wait -A FORWARDFW $CMD $P2PSTRING -j $DO");
}
}
}
$$hash{$key}[0]='0.0.0.0/0';
}
if($base2 eq 'RED' || $base2 eq 'RED1'){
- open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open local-ipaddress";
+ open(FILE, "/var/ipfire/red/local-ipaddress");
$$hash{$key}[0]= <FILE>;
close(FILE);
}else{
projects / people / teissler / ipfire-2.x.git / blobdiff