firewall: rules.pl: Cleanup time constraints generation.

This commit is contained in:
Michael Tremer
2014-03-01 20:20:56 +01:00
parent 6178953be5
commit b05ec50ac9


@@ -20,7 +20,6 @@
############################################################################### ###############################################################################
use strict; use strict;
use Time::Local;
require '/var/ipfire/general-functions.pl'; require '/var/ipfire/general-functions.pl';
require "${General::swroot}/lang.pl"; require "${General::swroot}/lang.pl";
@@ -154,9 +153,7 @@ sub buildrules {
foreach my $key (sort {$a <=> $b} keys %$hash){ foreach my $key (sort {$a <=> $b} keys %$hash){
next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' ); next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq 'off' );
my $TIME = ""; my $time_constraints = "";
my $TIMEFROM;
my $TIMETILL;
my $natip = ""; my $natip = "";
# Check if logging should be enabled. # Check if logging should be enabled.
@@ -252,25 +249,53 @@ sub buildrules {
if ($DPROT eq ''){$DPROT=' ';} if ($DPROT eq ''){$DPROT=' ';}
@DPROT=split(",",$DPROT); @DPROT=split(",",$DPROT);
#get time if defined # Set up time constraints.
if($$hash{$key}[18] eq 'ON'){ if ($$hash{$key}[18] eq 'ON') {
my ($time1,$time2,$daylight); my @time_args = ("-m", "time");
$daylight=$$hash{$key}[28];
$time1=&get_time($$hash{$key}[26],$daylight);
$time2=&get_time($$hash{$key}[27],$daylight);
if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
$TIME=join(",",@timeframe);
$TIMEFROM="--timestart $time1 "; # Select all days of the week this match is active.
$TIMETILL="--timestop $time2 "; my @weekdays = ();
$TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL"; if ($$hash{$key}[19] ne '') {
push (@weekdays, "Mon");
}
if ($$hash{$key}[20] ne '') {
push (@weekdays, "Tue");
}
if ($$hash{$key}[21] ne '') {
push (@weekdays, "Wed");
}
if ($$hash{$key}[22] ne '') {
push (@weekdays, "Thu");
}
if ($$hash{$key}[23] ne '') {
push (@weekdays, "Fri");
}
if ($$hash{$key}[24] ne '') {
push (@weekdays, "Sat");
}
if ($$hash{$key}[25] ne '') {
push (@weekdays, "Sun");
}
if (@weekdays) {
push(@time_args, ("--weekdays", join(",", @weekdays)));
}
# Convert start time.
my $time_start = &format_time($$hash{$key}[26]);
if ($time_start) {
push(@time_args, ("--timestart", $time_start));
}
# Convert end time.
my $time_stop = &format_time($$hash{$key}[27]);
if ($time_stop) {
push(@time_args, ("--timestop", $time_stop));
}
# Format command line.
$time_constraints = join(" ", @time_args);
} }
foreach my $DPROT (@DPROT){ foreach my $DPROT (@DPROT){
$DPORT = &get_port($hash,$key,$DPROT); $DPORT = &get_port($hash,$key,$DPROT);
$PROT=$DPROT; $PROT=$DPROT;
@@ -299,22 +324,22 @@ sub buildrules {
$_=""; $_="";
} }
if ($LOG) { if ($LOG) {
run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG"); run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $time_constraints -j LOG");
} }
run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]"); run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $time_constraints -j $$hash{$key}[0]");
} }
#PROCESS DNAT RULE (Portforward) #PROCESS DNAT RULE (Portforward)
} elsif ($NAT && $NAT_MODE eq "DNAT") { } elsif ($NAT && $NAT_MODE eq "DNAT") {
if ($LOG) { if ($LOG) {
run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT'"); run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $time_constraints -j LOG --log-prefix 'DNAT'");
} }
my ($ip,$sub) =split("/",$targethash{$b}[0]); my ($ip,$sub) =split("/",$targethash{$b}[0]);
#Process NAT with servicegroup used #Process NAT with servicegroup used
if ($$hash{$key}[14] eq 'cust_srvgrp') { if ($$hash{$key}[14] eq 'cust_srvgrp') {
run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j DNAT --to-destination $ip $DPORT"); run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $time_constraints -j DNAT --to-destination $ip $DPORT");
$fwaccessdport=$DPORT; $fwaccessdport=$DPORT;
} else { } else {
run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j DNAT --to-destination $ip$DPORT"); run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $time_constraints -j DNAT --to-destination $ip$DPORT");
$DPORT =~ s/\-/:/g; $DPORT =~ s/\-/:/g;
if ($DPORT){ if ($DPORT){
$fwaccessdport="--dport ".substr($DPORT,1,); $fwaccessdport="--dport ".substr($DPORT,1,);
@@ -327,28 +352,28 @@ sub buildrules {
} }
} }
} }
run("$IPTABLES -A FORWARDFW $PROT $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]"); run("$IPTABLES -A FORWARDFW $PROT $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $time_constraints -j $$hash{$key}[0]");
next; next;
#PROCESS SNAT RULE #PROCESS SNAT RULE
} elsif ($NAT && $NAT_MODE eq "SNAT") { } elsif ($NAT && $NAT_MODE eq "SNAT") {
if ($LOG) { if ($LOG) {
run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT'"); run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $time_constraints -j LOG --log-prefix 'SNAT'");
} }
run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j SNAT --to-source $natip"); run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $time_constraints -j SNAT --to-source $natip");
} }
#PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double) #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
if ($PROT ne '-p ICMP'){ if ($PROT ne '-p ICMP'){
if ($LOG && !$NAT) { if ($LOG && !$NAT) {
run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG"); run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $time_constraints -j LOG");
} }
run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]"); run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $time_constraints -j $$hash{$key}[0]");
} }
#PROCESS Prot ICMP and type = All ICMP-Types #PROCESS Prot ICMP and type = All ICMP-Types
if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){ if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
if ($LOG && !$NAT) { if ($LOG && !$NAT) {
run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG"); run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $time_constraints -j LOG");
} }
run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]"); run("$IPTABLES -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $time_constraints -j $$hash{$key}[0]");
} }
} }
} }
@@ -386,34 +411,42 @@ sub get_nat_ip {
return $result; return $result;
} }
sub get_time { # Formats the given timestamp into the iptables format which is "hh:mm" UTC.
my $val=shift; sub format_time {
my $val1=shift; my $val = shift;
my $time;
my $minutes; # Convert the given time into minutes.
my $ruletime; my $minutes = &time_convert_to_minutes($val);
$minutes = &utcmin($val);
$ruletime = $minutes + &time_get_utc($val); # Move the timestamp into UTC.
if ($ruletime < 0){$ruletime +=1440;} $minutes += &time_utc_offset();
if ($ruletime > 1440){$ruletime -=1440;}
$time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60; # Make sure $minutes is between 00:00 and 23:59.
return $time; if ($minutes < 0) {
$minutes += 1440;
}
if ($minutes > 1440) {
$minutes -= 1440;
}
# Format as hh:mm.
return sprintf("%02d:%02d", $minutes / 60, $minutes % 60);
} }
sub time_get_utc { # Calculates the offsets in minutes from the local timezone to UTC.
# Calculates the UTCtime from a given time sub time_utc_offset {
my $val=shift; my @localtime = localtime(time);
my @localtime=localtime(time); my @gmtime = gmtime(time);
my @gmtime=gmtime(time);
my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60); return ($gmtime[2] * 60 + $gmtime[1] % 60) - ($localtime[2] * 60 + $localtime[1] % 60);
return $diff;
} }
sub utcmin { # Takes a timestamp like "14:00" and converts it into minutes since midnight.
my $ruletime=shift; sub time_convert_to_minutes {
my ($hrs,$min) = split(":",$ruletime); my ($hrs, $min) = split(":", shift);
my $newtime = $hrs*60+$min;
return $newtime; return ($hrs * 60) + $min;
} }
sub p2pblock { sub p2pblock {
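Review bot: The wrap check in format_time, `if ($minutes > 1440)`, should read `if ($minutes >= 1440)`: when the UTC shift lands exactly on 1440 the sub returns "24:00", which is not a valid `--timestart`/`--timestop` value, so the generated iptables call would fail. That case is reachable, because time_utc_offset compares minutes-of-day without a wrap of its own and yields +1380 rather than -60 on a UTC+1 host shortly after local midnight; a rule starting at 01:00 local then hits exactly 1440 (the comment above the check already promises a result between 00:00 and 23:59). Separately, the new `if ($time_start)` / `if ($time_stop)` guards in the buildrules hunk never filter anything, since `sprintf("%02d:%02d", ...)` is always a true string; if an empty field 26/27 is meant to omit the flag, format_time should bail out early with `return "" unless defined $val && $val ne "";` — whether such values occur cannot be seen from this diff.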