use Time::Local;
no warnings 'uninitialized';
-# enable only the following on debugging purpose
-#use warnings;
-#use CGI::Carp 'fatalsToBrowser';
+require '/var/ipfire/general-functions.pl';
+require "${General::swroot}/lang.pl";
+require "/usr/lib/firewall/firewall-lib.pl";
+
+# Set to one to enable debugging mode.
+my $DEBUG = 0;
my %fwdfwsettings=();
my %defaultNetworks=();
my %aliases=();
my @DPROT=();
my @p2ps=();
-require '/var/ipfire/general-functions.pl';
-require "${General::swroot}/lang.pl";
-require "/usr/lib/firewall/firewall-lib.pl";
my $configfwdfw = "${General::swroot}/firewall/config";
my $configinput = "${General::swroot}/firewall/input";
open (CONN,"/var/ipfire/red/iface");
my $con = <CONN>;
close(CONN);
+
if (-f "/var/ipfire/red/active"){
$conexists='on';
}
+
open (CONN1,"/var/ipfire/red/local-ipaddress");
my $redip = <CONN1>;
close(CONN1);
-#################
-# DEBUG/TEST #
-#################
-my $MODE=0; # 0 - normal operation
- # 1 - print configline and rules to console
- #
-#################
-my $param=shift;
-
-if($param eq 'flush'){
- if ($MODE eq '1'){
- print " Flushing chains...\n";
- }
- &flush;
-}else{
- if ($MODE eq '1'){
- print " Flushing chains...\n";
- }
- &flush;
- if ($MODE eq '1'){
- print " Preparing rules...\n";
- }
- &preparerules;
- if($MODE eq '0'){
- if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
- &p2pblock;
- system ("/usr/sbin/firewall-policy");
- }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
- &p2pblock;
- system ("/usr/sbin/firewall-policy");
- }
+
+# MAIN
+&main();
+
+sub main {
+ # Flush all chains.
+ &flush();
+
+ # Reload firewall rules.
+ &preparerules();
+
+ # Load P2P block rules.
+ &p2pblock();
+
+ # Reload firewall policy.
+ run("/usr/sbin/firewall-policy");
+}
+
+sub run {
+ # Executes or prints the given shell command.
+ my $command = shift;
+
+ if ($DEBUG) {
+ print "$command\n";
+ } else {
+ system "$command";
}
}
-sub flush
-{
- system ("iptables --wait -F FORWARDFW");
- system ("iptables --wait -F INPUTFW");
- system ("iptables --wait -F OUTGOINGFW");
- system ("iptables --wait -t nat -F NAT_DESTINATION");
- system ("iptables --wait -t nat -F NAT_SOURCE");
+
+sub flush {
+ run("iptables --wait -F FORWARDFW");
+ run("iptables --wait -F INPUTFW");
+ run("iptables --wait -F OUTGOINGFW");
+ run("iptables --wait -t nat -F NAT_DESTINATION");
+ run("iptables --wait -t nat -F NAT_SOURCE");
}
-sub preparerules
-{
+
+sub preparerules {
if (! -z "${General::swroot}/firewall/config"){
&buildrules(\%configfwdfw);
}
&buildrules(\%configoutgoingfw);
}
}
-sub buildrules
-{
+
+sub buildrules {
my $hash=shift;
my $STAG;
my $natip;
$_="";
}
if ($$hash{$key}[17] eq 'ON'){
- system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG");
+ run("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG");
}
- system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]");
+ run("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]");
}
#PROCESS DNAT RULE (Portforward)
}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
$natchain='NAT_DESTINATION';
if ($$hash{$key}[17] eq 'ON'){
- system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
+ run("$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT'");
}
my ($ip,$sub) =split("/",$targethash{$b}[0]);
#Process NAT with servicegroup used
if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[14] eq 'cust_srvgrp'){
- system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip $DPORT\n";
+ run("$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip $DPORT");
$fwaccessdport=$DPORT;
}else{
- system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip$DPORT\n";
+ run("$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip$DPORT");
$DPORT =~ s/\-/:/g;
if ($DPORT){
$fwaccessdport="--dport ".substr($DPORT,1,);
}
}
}
- system "iptables --wait -A FORWARDFW $PROT $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
+ run("iptables --wait -A FORWARDFW $PROT $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]");
next;
#PROCESS SNAT RULE
}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
$natchain='NAT_SOURCE';
if ($$hash{$key}[17] eq 'ON' ){
- system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT' \n";
+ run("$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT'");
}
- system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to-source $natip\n";
+ run("$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to-source $natip");
}
#PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
if ($PROT ne '-p ICMP'){
if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
- system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ run("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
}
- system "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ run("iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
}
#PROCESS Prot ICMP and type = All ICMP-Types
if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
- system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ run("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
}
- system "iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ run("iptables --wait -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
}
}
}
undef $fireport;
}
}
-sub get_nat_ip
-{
+
+sub get_nat_ip {
my $val=shift;
my $type=shift;
my $result;
}
return $result;
}
-sub get_time
-{
+
+sub get_time {
my $val=shift;
my $val1=shift;
my $time;
$time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60;
return $time;
}
-sub time_get_utc
-{
+
+sub time_get_utc {
# Calculates the UTCtime from a given time
my $val=shift;
my @localtime=localtime(time);
my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60);
return $diff;
}
-sub utcmin
-{
+
+sub utcmin {
my $ruletime=shift;
my ($hrs,$min) = split(":",$ruletime);
my $newtime = $hrs*60+$min;
return $newtime;
}
-sub p2pblock
-{
+
+sub p2pblock {
my $P2PSTRING;
my $DO;
open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
}
}
}
- if ($MODE eq 1){
- if($P2PSTRING){
- print"/sbin/iptables --wait -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
- }
- }else{
- if($P2PSTRING){
- system("/sbin/iptables --wait -A FORWARDFW $CMD $P2PSTRING -j $DO");
- }
+
+ if($P2PSTRING) {
+ run("/sbin/iptables --wait -A FORWARDFW $CMD $P2PSTRING -j $DO");
}
}
-sub get_address
-{
+
+sub get_address {
my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
my $base2=shift;
my $type=shift; #src or tgt
}
}
}
-sub get_prot
-{
+
+sub get_prot {
my $hash=shift;
my $key=shift;
#check AH,GRE,ESP or ICMP
return "$$hash{$key}[8]";
}
}
-sub get_port
-{
+
+sub get_port {
my $hash=shift;
my $key=shift;
my $prot=shift;