Forward Firewall: edited GPL-header
index e118c08f97750b229c030b31446164c685d786ff..bd33059301c37f56d8ff08e5d3943eab5e85bad2 100755 (executable)
@@ -1,5 +1,31 @@
 #!/usr/bin/perl
-
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org>                        #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+#                                                                             #
+# This script converts old groups and firewallrules                           #
+# to the new one. This is a 3-step process.                                   #
+# STEP1: convert groups ->LOG /var/log/converters                             #
+# STEP2: convert rules  ->LOG /var/log/converters                             #
+# STEP3: convert P2P rules                                                    #
+#                                                                             #
+###############################################################################
 
 require '/var/ipfire/general-functions.pl';
 
@@ -34,11 +60,17 @@ my %ccdconf=();
 my %fwconfig=();
 my %fwconfigout=();
 my %fwdsettings=();
+my %ownnet=();
+my %ovpnSettings = ();
+&General::readhash("${General::swroot}/ovpn/settings", \%ovpnSettings);
 &General::readhash($outfwsettings,\%outsettings);
-
-&process_groups;
-&process_rules;
-&process_p2p;
+&General::readhash("${General::swroot}/ethernet/settings", \%ownnet);
+#ONLY RUN if /var/ipfire/outgoing exists
+if ( -d "/var/ipfire/outgoing"){
+       &process_groups;
+       &process_rules;
+       &process_p2p;
+}
 system("/usr/local/bin/forwardfwctrl");
 sub process_groups
 {
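Review bot: The `system("/usr/local/bin/forwardfwctrl")` call right after the new `if ( -d "/var/ipfire/outgoing")` block is still unconditional, so the controller is re-run even when no conversion took place; if that is intended, say so with `# forwardfwctrl is run on every invocation, even when nothing was converted`, otherwise move the call inside the block. The two new `&General::readhash` calls have no result check, and if `ethernet/settings` cannot be read `%ownnet` stays empty, which later seems to make every network fall through to the "Custom Network" branch of new_hostgrp without any log entry. The `&process_groups;` form (no parentheses) also passes the caller's `@_` through; `process_groups();` is the clearer spelling. `process_groups` begins at the end of this hunk and continues outside it.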
@@ -47,21 +79,22 @@ sub process_groups
        open (LOG, ">/var/log/converters/groups-convert.log") or die $!;
        #IP Group processing
        foreach my $group (@ipgroups){
+               my $now=localtime;
                chomp $group;
-               print LOG "\nProcessing IP-GROUP: $group...\n";
+               print LOG "\n$now Processing IP-GROUP: $group...\n";
                open (DATEI, "<$ipgrouppath/$group");
                my @zeilen = <DATEI>;
                foreach my $ip (@zeilen){
                        chomp($ip);
                        $ip =~ s/\s//gi;
-                       print LOG "Check IP $ip from Group $group ";
+                       print LOG "$now Check IP $ip from Group $group ";
                        my $val=&check_ip($ip);
                        if($val){
                                push(@hostarray,$val.",ip");
-                               print LOG "-> OK\n";
+                               print LOG "$now -> OK\n";
                        }
                        else{
-                               print LOG "-> IP \"$ip\" from group $group not converted (invalid IP) \n";
+                               print LOG "$now -> IP \"$ip\" from group $group not converted (invalid IP) \n";
                        }
                        $val='';
                }
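Review bot: The new timestamped log line on the `print LOG "\n$now Processing IP-GROUP: ..."` statement is immediately followed by an unchecked two-argument `open (DATEI, "<$ipgrouppath/$group")`, so an unreadable or missing group file leaves `@zeilen` empty and the log records no failure for that group, which defeats the purpose of the added timestamps. A check in the same logging style would be `open (DATEI, '<', "$ipgrouppath/$group") or do { print LOG "$now -> cannot open $ipgrouppath/$group: $!\n"; next; };`. Note also that `$now` is taken once per group, so every line logged for that group's IPs carries the same stamp; that is fine if it is intended. The loop body continues outside the hunk.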
@@ -80,22 +113,23 @@ sub process_groups
                foreach my $mac (@zeilen){
                        chomp($mac);
                        $mac =~ s/\s//gi;
-                       print LOG "Checking MAC $mac from group $group ";
+                       print LOG "$now Checking MAC $mac from group $group ";
                        #MAC checking
                        if(&General::validmac($mac)){
                                $val=$mac;
                        }
                        if($val){
                                push(@hostarray,$val.",mac");
-                               print LOG "-> OK\n";
+                               print LOG "$now -> OK\n";
                        }
                        else{
-                               print LOG "-> Mac $mac from group $group not converted (invalid MAC)\n";
+                               print LOG "$now -> Mac $mac from group $group not converted (invalid MAC)\n";
                        }
                        $val='';
                }
                &new_hostgrp($group,'mac');
                @hostarray=();
+               @zeilen=();
        }
        close (LOG);
 }
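Review bot: `$now` is interpolated into the MAC log lines (`print LOG "$now Checking MAC $mac from group $group "` and the two lines below it) but no `my $now=localtime;` appears in this hunk; the only declaration visible is inside the `foreach my $group (@ipgroups)` loop of the previous hunk. If the MAC loop that starts between the two hunks is a separate `foreach`, that lexical is out of scope here and the prefix will be empty (or a compile error if the file uses `strict`); add `my $now=localtime;` at the top of the MAC group loop as was done for the IP loop. The enclosing loop header is outside the hunk, so this is inferred from the visible scoping.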
@@ -144,28 +178,73 @@ sub new_hostgrp
                                        $hosts{$key}[0] = $name2;
                                        $hosts{$key}[1] = $type;
                                        $hosts{$key}[2] = $ip;
-                                       $hosts{$key}[3] = 1;
+                                       $hosts{$key}[3] = '';
+                                       $hosts{$key}[4] = 1;
                                        print LOG "->Host (IP) $ip added to custom hosts\n"
                                }else{
-                                       print LOG "->Host (IP) $ip already exists\n";
+                                       print LOG "->Host (IP) $ip already exists in custom hosts\n";
+                                       $name="host ";
+                                       $name2=$name.$ippart;
+                                       foreach my $key (sort keys %hosts){
+                                               if($hosts{$key}[0] eq $name2){
+                                                       $hosts{$key}[4]++;
+                                               }
+                                       }
+                                       $name="host ";
+                                       $name2=$name.$ippart;
+                                       $name3="Custom Host";
                                }
                        }elsif($byte4 < '255'){
                                print LOG "Processing NETWORK $ippart/$subnet from Group $grp\n";
                                if(!&check_net($ippart,$subnet)){
-                                       my $netkey      =  &General::findhasharraykey(\%nets);
+                                       #Check if this network is one one of IPFire internal networks
+                                       if (($ownnet{'GREEN_NETADDRESS'}                ne '' && $ownnet{'GREEN_NETADDRESS'}    ne '0.0.0.0') && &General::IpInSubnet($ippart,$ownnet{'GREEN_NETADDRESS'},$ownnet{'GREEN_NETMASK'}))
+                                       {
+                                               $name2='GREEN';
+                                               $name3='Standard Network';
+                                       }elsif (($ownnet{'ORANGE_NETADDRESS'}   ne '' && $ownnet{'ORANGE_NETADDRESS'}   ne '0.0.0.0') && &General::IpInSubnet($ippart,$ownnet{'ORANGE_NETADDRESS'},$ownnet{'ORANGE_NETMASK'}))
+                                       {
+                                               $name2='ORANGE';
+                                               $name3='Standard Network';
+                                       }elsif (($ownnet{'BLUE_NETADDRESS'}     ne '' && $ownnet{'BLUE_NETADDRESS'}     ne '0.0.0.0') && &General::IpInSubnet($ippart,$ownnet{'BLUE_NETADDRESS'},$ownnet{'BLUE_NETMASK'}))
+                                       {
+                                               $name2='BLUE';
+                                               $name3='Standard Network';
+                                       }elsif ($ippart eq '0.0.0.0')
+                                       {
+                                               $name2='ALL';
+                                               $name3='Standard Network';
+                                       }elsif(defined($ovpnSettings{'DOVPN_SUBNET'}) && "$ippart/".&General::iporsubtodec($subnet) eq $ovpnSettings{'DOVPN_SUBNET'})
+                                       {
+                                               $name2='OpenVPN-Dyn';
+                                               $name3='Standard Network';
+                                       }else{
+                                               my $netkey      =  &General::findhasharraykey(\%nets);
+                                               $name="net ";
+                                               $name2=$name.$ippart;
+                                               $name3="Custom Network";
+                                               $nets{$netkey}[0] = $name2;
+                                               $nets{$netkey}[1] = $ippart;
+                                               $nets{$netkey}[2] = $subnet;
+                                               $nets{$netkey}[3] = '';
+                                               $nets{$netkey}[4] = 1;
+                                               print LOG "->Network $ippart/$subnet added to custom networks\n";
+                                       }
+                               }else{
+                                       print LOG "Network $ippart already exists in custom networks\n";
+                                       $name="net ";
+                                       $name2=$name.$ippart;
+                                       foreach my $key (sort keys %nets){
+                                               if($nets{$key}[0] eq $name2){
+                                                       $nets{$key}[4]++;
+                                               }
+                                       }
                                        $name="net ";
                                        $name2=$name.$ippart;
                                        $name3="Custom Network";
-                                       $nets{$netkey}[0] = $name2;
-                                       $nets{$netkey}[1] = $ippart;
-                                       $nets{$netkey}[2] = $subnet;
-                                       $nets{$netkey}[3] = 1;
-                                       print LOG "->Network $ippart/$subnet added to custom networks\n";
-                               }else{
-                                       print LOG "Network $ippart already exists\n";
                                }
                        }
-                       if($name2){
+                       if($name2 && !&check_grp($grp,$name2)){
                                my $grpkey      = &General::findhasharraykey(\%groups);
                                $groups{$grpkey}[0]     = $grp;
                                $groups{$grpkey}[1]     = '';
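Review bot: In the "already exists" branches the reference counter is bumped by matching the generated name (`if($hosts{$key}[0] eq $name2)` with `$name2 = "host ".$ippart`, and likewise `"net ".$ippart` for `%nets`), while the existence test itself (`check_ip`/`check_net`) appears to match on the address; an entry that exists under a user-chosen name gets no increment, and the group row written after `if($name2 && !&check_grp($grp,$name2))` then references a name that is not in the file. If `check_net`/the IP lookup can return the matching key or name, use that instead of rebuilding it from the address. The same pattern recurs in the MAC branch of the next hunk (`if($hosts{$key}[0] eq $name2)` with `$name2=$name.$mac`). The assignments `$name="host "; $name2=$name.$ippart;` are also repeated before and after the counting loop and the second copy can be dropped. `new_hostgrp` starts and ends outside this hunk.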
@@ -190,9 +269,19 @@ sub new_hostgrp
                                $hosts{$key}[4] = 1;
                                print LOG "->Host (MAC) $mac added to custom hosts\n";
                        }else{
-                               print LOG "->Host (MAC) $mac already exists\n";
+                               print LOG "->Host (MAC) $mac already exists in custom hosts \n";
+                               $name="host ";
+                               $name2=$name.$mac;
+                               foreach my $key (sort keys %hosts){
+                                       if($hosts{$key}[0] eq $name2){
+                                               $hosts{$key}[4]++;
+                                       }
+                               }
+                               $name="host ";
+                               $name2=$name.$mac;
+                               $name3="Custom Host";
                        }
-                       if($name2){
+                       if($name2 && !&check_grp($grp,$name2)){
                                my $grpkey      = &General::findhasharraykey(\%groups);
                                $groups{$grpkey}[0]     = $grp;
                                $groups{$grpkey}[1]     = '';
@@ -250,30 +339,31 @@ sub check_grp
 sub process_rules
 {
        my ($type,$action,$active,$grp1,$source,$grp2,$useport,$port,$prot,$grp3,$target,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to);
+       #open LOG
+       if( -f "/var/log/converters/outgoingfw-convert.log"){unlink ("/var/log/converters/outgoingfw-convert.log");}
+       open (LOG, ">/var/log/converters/outgoingfw-convert.log") or die $!;
+
        &General::readhash($fwdfwsettings,\%fwdsettings);
        if ($outsettings{'POLICY'} eq 'MODE1'){
-               $fwdfwsettings{'POLICY'}='MODE1';
+               $fwdsettings{'POLICY'}='MODE1';
+               $fwdsettings{'POLICY1'}='MODE2';
                $type='ALLOW';
                $action='ACCEPT';
-       }elsif($outsettings{'POLICY'} eq 'MODE2'){
+       }else{
                $fwdsettings{'POLICY'}='MODE2';
+               $fwdsettings{'POLICY1'}='MODE2';
                $type='DENY';
                $action='DROP';
-       }else{
-               return;
        }
        &General::writehash($fwdfwsettings,\%fwdsettings);
-       
-       #open LOG
-       if( -f "/var/log/converters/outgoingfw-convert.log"){unlink ("/var/log/converters/outgoingfw-convert.log");}
-       open (LOG, ">/var/log/converters/outgoingfw-convert.log") or die $!;
        open (DATEI, "<$outgoingrules");
        my @lines = <DATEI>;
        foreach my $rule (@lines)
        {
+               my $now=localtime;
                chomp($rule);
                $port='';
-               print LOG "processing: $rule\n";
+               print LOG "$now processing: $rule\n";
                my @configline=();
                @configline = split( /\;/, $rule );
                my @prot=();
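Review bot: Replacing `elsif($outsettings{'POLICY'} eq 'MODE2')` plus `return` with a bare `else` means any value other than `MODE1`, including an empty or unreadable `$outfwsettings`, now produces `MODE2`/`DENY`/`DROP` and the rules are still converted; that is a fail-closed default and is a reasonable choice, but it deserves a comment such as `# anything other than MODE1 (including a missing POLICY) is treated as MODE2 (deny) - fail closed`. The correction from `$fwdfwsettings{'POLICY'}` to `$fwdsettings{'POLICY'}` is right, but note that `POLICY1` is set to `MODE2` in both branches, which looks deliberate only if documented. The `open (DATEI, "<$outgoingrules")` right after the hunk's new lines is still unchecked and two-argument; with the log now open earlier, a failed open could be logged with `or do { print LOG "cannot open $outgoingrules: $!\n"; return; }`. `process_rules` continues outside the hunk.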
@@ -330,9 +420,10 @@ sub process_rules
                                $grp1='std_net_src';
                                $source='BLUE';
                        }elsif ($configline[2] eq 'ipsec') {
-                               print LOG "-> Rule not converted, ipsec+ interface is obsolet since IPFire 2.7 \n";
+                               print LOG "$now -> Rule not converted, ipsec+ interface is obsolet since IPFire 2.7 \n";
                                next;
                        }elsif ($configline[2] eq 'ovpn') {
+                               print LOG "$now ->Creating networks/groups for OpenVPN...\n";
                                &build_ovpn_grp;                
                                $grp1='cust_grp_src';
                                $source='ovpn'          
@@ -344,7 +435,7 @@ sub process_rules
                                        $grp1='src_addr';
                                        $source="$ipa/$subn";
                                }else{
-                                       print LOG "-> Rule not converted, missing/invalid source ip \"$configline[5]\"\n";
+                                       print LOG "$now -> Rule not converted, missing/invalid source ip \"$configline[5]\"\n";
                                        next;
                                }
                        }elsif ($configline[2] eq 'mac') {
@@ -352,7 +443,7 @@ sub process_rules
                                        $grp1='src_addr';
                                        $source=$configline[6];
                                }else{
-                                       print LOG"-> Rule not converted, invalid MAC \"$configline[6]\" \n";
+                                       print LOG"$now -> Rule not converted, invalid MAC \"$configline[6]\" \n";
                                        next;
                                }
                        }elsif ($configline[2] eq 'all') {
@@ -366,7 +457,7 @@ sub process_rules
                                        }
                                }
                                if ($grp1 eq '' || $source eq ''){
-                                       print LOG "-> Rule not converted, no valid source recognised\n";
+                                       print LOG "$now -> Rule not converted, no valid source recognised\n";
                                }
                        }
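Review bot: The `print LOG "$now -> Rule not converted, no valid source recognised\n"` line is the only "not converted" message in this sub that is not followed by `next;` (compare the ipsec, source-ip, MAC and domain cases in the other hunks), so unless a later check outside this hunk skips the rule, a rule with an empty `$grp1` or `$source` may still be written to `%fwconfig`. If the intent is to skip it, add `next;` after the print; if the rule is deliberately kept, a short comment explaining why would stop the next reader from "fixing" it. The enclosing block continues outside the hunk.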
                        ############################################################
@@ -385,7 +476,7 @@ sub process_rules
                                                $target=$getwebsiteip;  
                                                $remark.=" $configline[7]";
                                        }else{
-                                               print LOG "-> Rule not converted, invalid domain \"$configline[7]\"\n";
+                                               print LOG "$now -> Rule not converted, invalid domain \"$configline[7]\"\n";
                                                next;
                                        }
                                 }
@@ -404,7 +495,7 @@ sub process_rules
                                                        push (@values,$_);
                                                        $grp3='TGT_PORT';
                                                }else{
-                                                       print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n";
+                                                       print LOG "$now -> Rule not converted, invalid destination Port \"$configline[8]\"\n";
                                                        next;
                                                }
                                         }else{
@@ -414,7 +505,7 @@ sub process_rules
                                                        push (@values,"$a1:$a2");
                                                        $grp3='TGT_PORT';
                                                }else{
-                                                       print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n"; 
+                                                       print LOG "$now -> Rule not converted, invalid destination Port \"$configline[8]\"\n"; 
                                                        next;
                                                } 
                                         }
@@ -431,13 +522,14 @@ sub process_rules
                my $check;
                my $chain;
                foreach my $protocol (@prot){
+                       my $now=localtime;
                        if ($source eq 'IPFire'){
                                $chain='OUTGOINGFW';
                        }else{
                                $chain='FORWARDFW';
                        }
                        $protocol=uc($protocol);
-                       print LOG "-> Converted: $action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n";
+                       print LOG "$now -> Converted: $action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n";
                        #Put rules into system....
                        ###########################
                        #check for double rules
@@ -487,6 +579,10 @@ sub process_rules
                                        $fwconfig{$key}[25] = $time_sun;
                                        $fwconfig{$key}[26] = $time_from;
                                        $fwconfig{$key}[27] = $time_to;
+                                       $fwconfig{$key}[28] = '';
+                                       $fwconfig{$key}[29] = 'ALL';
+                                       $fwconfig{$key}[30] = '';
+                                       $fwconfig{$key}[31] = 'dnat';
                                }else{
                                        my $key = &General::findhasharraykey(\%fwconfigout);
                                        $fwconfigout{$key}[0]   = $action;
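Review bot: The four new columns `$fwconfig{$key}[28]` to `[31]` are filled with the bare values `''`, `'ALL'`, `''` and `'dnat'` with no indication of what each field means, and the same four literals are duplicated for `%fwconfigout` in the next hunk. A one-line comment per index (or one block comment above the first assignment) naming each column, e.g. `# [28]..[31]: <meaning of each field> - TODO confirm against the forwardfw config layout`, would make the schema readable, and the two copies could share a small list so they cannot drift apart. The field meanings are not derivable from this diff. The enclosing if/else sits inside `process_rules`, which continues outside the hunk.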
@@ -512,6 +608,10 @@ sub process_rules
                                        $fwconfigout{$key}[25]  = $time_sun;
                                        $fwconfigout{$key}[26]  = $time_from;
                                        $fwconfigout{$key}[27]  = $time_to;
+                                       $fwconfigout{$key}[28]  = '';
+                                       $fwconfigout{$key}[29]  = 'ALL';
+                                       $fwconfigout{$key}[30]  = '';
+                                       $fwconfigout{$key}[31]  = 'dnat';
                                }
                                &General::writehasharray($fwdfwconfig,\%fwconfig);
                                &General::writehasharray($outfwconfig,\%fwconfigout);
@@ -536,6 +636,7 @@ sub get_ip_from_domain
 }
 sub build_ovpn_grp
 {
+       my $now=localtime;
        &General::readhasharray($confighosts,\%hosts);
        &General::readhasharray($confignets,\%nets);
        &General::readhasharray($configgroups,\%groups);
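Review bot: `build_ovpn_grp` now logs through the bareword handle `LOG` (the new `print LOG` lines in the following hunks, e.g. `"$now ->found dynamic OpenVPN net\n"`), but the handle is opened by `process_rules`, not here; calling this sub on its own writes to an unopened handle and the existing text about a "manual run from shell" suggests that happens. Add `# NOTE: all LOG output here relies on the caller (process_rules) having opened LOG` at the top of the sub, or pass a lexical filehandle in. The `my $now=localtime;` declared here is later shadowed by a second `my $now` inside the `foreach my $line (@ovpnnets)` loop, so the sub-entry stamp is used for the lines before that loop and a fresh one inside it; that is fine but worth a word. The sub continues outside the hunk.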
@@ -547,20 +648,24 @@ sub build_ovpn_grp
        if($settingsovpn{'DOVPN_SUBNET'}){
                my ($net,$subnet)=split("/",$settingsovpn{'DOVPN_SUBNET'});
                push (@ovpnnets,"$net,$subnet,dynamic");
+               print LOG "$now ->found dynamic OpenVPN net\n"; 
        }
        foreach my $key (sort keys %ccdconf){
                my ($net,$subnet)=split("/",$ccdconf{$key}[1]);
                $subnet=&General::iporsubtodec($subnet);
                push (@ovpnnets,"$net,$subnet,$ccdconf{$key}[0]");
+               print LOG "$now ->found OpenVPN static net $net/$subnet\n";
        }
        foreach my $key (sort keys %configovpn){
                if ($configovpn{$key}[3] eq 'net'){
                        my ($net,$subnet)=split("/",$configovpn{$key}[27]);
                        push (@ovpnnets,"$net,$subnet,$configovpn{$key}[2]");
+                       print LOG "$now ->found OpenVPN $net/$subnet $configovpn{$key}[2]\n";
                }
        }
        #add ovpn nets to customnetworks/groups
        foreach my $line (@ovpnnets){
+               my $now=localtime;
                my ($net,$subnet,$name) = split(",",$line);
                if (!&check_net($net,$subnet)){
                        my $netkey      =  &General::findhasharraykey(\%nets);
@@ -569,7 +674,9 @@ sub build_ovpn_grp
                        $nets{$netkey}[0] = $name2;
                        $nets{$netkey}[1] = $net;
                        $nets{$netkey}[2] = $subnet;
-                       $nets{$netkey}[3] = 1;
+                       $nets{$netkey}[3] = '';
+                       $nets{$netkey}[4] = 1;
+                       print LOG "$now ->added $name2 $net/$subnet to customnetworks\n";
                }else{
                        print LOG "-> Custom Network with same IP already exist \"$net/$subnet\" (you can ignore this, if this run was manual from shell)\n"; 
                }
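Review bot: The unchanged `print LOG "-> Custom Network with same IP already exist ..."` line in the `else` branch still lacks the `$now` prefix that the commit adds to every other message in this sub (including the new `"$now ->added $name2 $net/$subnet to customnetworks\n"` just above it), so the log will have one unstamped line per duplicate network; for consistency make it `print LOG "$now -> Custom Network with same IP already exist ..."`. The shift of the flag from index 3 to index 4 (`$nets{$netkey}[3] = ''; $nets{$netkey}[4] = 1;`) matches the change in new_hostgrp, but the meaning of the new empty column 3 is not stated anywhere in the diff.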
@@ -580,6 +687,7 @@ sub build_ovpn_grp
                        $groups{$grpkey}[2]     = $name2;
                        $groups{$grpkey}[3]     = "Custom Network";
                        $groups{$grpkey}[4]     = 0;
+                       print LOG "$now ->added $name2 to customgroup ovpn\n";
                }
                $name2='';
        }
@@ -587,6 +695,7 @@ sub build_ovpn_grp
        &General::writehasharray($confighosts,\%hosts);
        &General::writehasharray($configgroups,\%groups);
        &General::writehasharray($confignets,\%nets);
+       print LOG "$now ->finished OVPN\n";
 }
 sub process_p2p
 {