webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-25 10:22:59 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
e3cbe60f5d46bbef7e4e257fbbae5a49f91d06df
bpfire/config/firewall/convert-portfw
Stefan Schantl 37c84696a2 Make firewall convert scripts more robust. 
The converter scripts procude a lot of error, when they get executed on a system with
a previously installed version of the New Firewall or they get run twice.

In this case the scripts will detect that their input files are missing and will exit with
an error message. The scripts now also check if the input files are empty (no corresponding
rules created) and will exit with an nothing to do message.
2014-01-18 18:28:07 +01:00

177 lines
7.4 KiB
Perl
Executable File
Raw Blame History

#!/usr/bin/perl
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
# #
# This script converts old portforwarding rules from old Firewall #
# to the new one. This is a 3-step process. #
# STEP1: read old config and normalize settings #
# STEP2: create new rules from old ones #
# STEP3: check if rule already exists, when not, put it into #
# /var/ipfire/firewall/config #
###############################################################################
require '/var/ipfire/general-functions.pl';
my @values=();
my @built_rules=();
my %nat=();
my $portfwconfig = "${General::swroot}/portfw/config";
my $confignat = "${General::swroot}/firewall/config";
my ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark);
my ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1);
my $count=0;
my $jump;
if (! -e "$portfwconfig") {
print "Config file for portforward not found. Exiting!\n";
exit(1);
}
if (! -s "$portfwconfig") {
print "Empty portforward configuration file. Nothing to do. Exiting...\n";
exit(0);
}
if(! -d "/var/log/converters"){ mkdir("/var/log/converters");}
open(FILE, $portfwconfig) or die 'Unable to open config file.';
my @current = <FILE>;
close(FILE);
open (LOG, ">/var/log/converters/portfw-convert.log") or die $!;
open(ALIAS, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
my @alias = <ALIAS>;
close(ALIAS);
&get_config;
&build_rules;
&write_rules;
sub get_config
{
print LOG "STEP 1: Get config from old portforward\n#########################################\n";
foreach my $line (@current){
if($jump eq '1'){
$jump='';
$count++;
next;
}
my $u=$count+1;
($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark) = split(",",$line);
($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1) = split(",",$current[$u]);
if ($flag1 eq '1'){
$source=$source1;
$jump='1';
}
my $now=localtime;
chomp($remark);
print LOG "$now processing-> KEY: $key FLAG: $flag PROT: $prot FIREPORT: $ipfireport TARGET: $target TGTPORT: $targetport ACTIVE: $active ALIAS: $alias SOURCE: $source REM: $remark Doublerule: $jump\n";
push (@values,$prot.",".$ipfireport.",".$target.",".$targetport.",".$active.",".$alias.",".$source.",".$remark);
$count++;
}
}
sub build_rules
{
print LOG "\nSTEP 2: Convert old portforwardrules in a useable format\n########################################################\n";
my $src;
my $src1;
my $ipfireip;
my $count=0;
my $stop;
#build rules for new firewall
foreach my $line (@values){
chomp ($line);
($prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark)=split(",",$line);
$count++;
#get sourcepart
if($source eq '0.0.0.0/0'){
$src = 'std_net_src';
$src1 = 'ALL';
}else{
$src = 'src_addr';
my ($a,$b) = split("/",$source);
$src1 = $a."/32";
}
#get ipfire ip
if($alias eq '0.0.0.0'){
$alias='ALL';
}else{
foreach my $ali (@alias){
my ($alias_ip,$alias_active,$alias_name) = split (",",$ali);
if($alias eq $alias_ip){
chomp($alias_name);
$alias=$alias_name;
}
}
}
$active = uc $active;
$prot = uc $prot;
chomp($remark);
push (@built_rules,"ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat");
my $now=localtime;
print LOG "$now Converted-> KEY: $count ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,*,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat\n";
}
}
sub write_rules
{
my $skip='';
my $id;
print LOG "\nSTEP 3: Create DNAT rules in new firewall\n#########################################\n";
&General::readhasharray($confignat,\%nat);
foreach my $line (@built_rules){
$skip='';
my ($action,$chain,$active,$src,$src1,$tgt,$tgt1,$dummy,$prot,$dummy,$tgt_port,$tgt_port1,$remark,$from,$to,$use_port,$alias,$ipfireport,$dnat) = split (",",$line);
foreach my $key (sort keys %nat){
if ($line eq "$nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$nat{$key}[6],$nat{$key}[7],$nat{$key}[8],$nat{$key}[11],$nat{$key}[14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31]"){
my $now=localtime;
print LOG "$now SKIP-> Rule $nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$nat{$key}[6],$nat{$key}[7],$nat{$key}[8],$nat{$key}[11],$nat{$key}[14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31] ->EXISTS\n";
$skip='1';
}
}
if ($skip ne '1'){
if ( $prot eq 'GRE'){
$tgt_port='';
$tgt_port1='';
$use_port='';
$ipfireport='';
$use_prot='';
}
$id = &General::findhasharraykey(\%nat);
$nat{$id}[0] = $action;
$nat{$id}[1] = $chain;
$nat{$id}[2] = $active;
$nat{$id}[3] = $src;
$nat{$id}[4] = $src1;
$nat{$id}[5] = $tgt;
$nat{$id}[6] = $tgt1;
$nat{$id}[7] = $dummy;
$nat{$id}[8] = $prot;
$nat{$id}[11] = $use_port;
$nat{$id}[14] = $tgt_port;
$nat{$id}[15] = $tgt_port1;
$nat{$id}[16] = $remark;
$nat{$id}[26] = $from;
$nat{$id}[27] = $to;
$nat{$id}[28] = $use_port;
$nat{$id}[29] = $alias;
$nat{$id}[30] = $ipfireport;
$nat{$id}[31] = $dnat;
my $now=localtime;
print LOG "$now NEW RULE-> Rule $nat{$id}[0],$nat{$id}[1],$nat{$id}[2],$nat{$id}[3],$nat{$id}[4],$nat{$id}[5],$nat{$id}[6],$nat{$id}[11],$nat{$id}[12],$nat{$id}[13],$nat{$id}[14],$nat{$id}[15],$nat{$id}[16],$nat{$id}[26],$nat{$id}[27],$nat{$id}[28],$nat{$id}[29],$nat{$id}[30],$nat{$id}[31]\n";
}
}
&General::writehasharray($confignat,\%nat);
}
close (LOG);
Reference in New Issue View Git Blame Copy Permalink