├── VERSION
├── AUTHORS
├── README.LDAP.md
├── uif-ipv4-networks.inc
├── uif-ipv6-networks.inc
├── INSTALL.md
├── COPYRIGHT
├── default
├── README.md
├── compare-v4-iptables+nft-results.sh
├── compare-v6-iptables+nft-results.sh
├── uif.spec
├── README.IPv6.md
├── Makefile
├── services
├── docs
    ├── examples.IPv4.txt
    ├── uif.conf.IPv4.tmpl
    └── uif.conf.IPv4+6.tmpl
├── uif.8
├── uif.schema
├── uif.initscript
├── uif.conf
├── uif.conf.5
├── ChangeLog
└── uif.pl


/VERSION:
--------------------------------------------------------------------------------
1 | 1.99.0
2 | 


--------------------------------------------------------------------------------
/AUTHORS:
--------------------------------------------------------------------------------
1 | Alex Owen <r.alex.owen@gmail.com>
2 | Cajus Pollmeier <pollmeier@gonicus.de>
3 | klemens <ka7@github.com>
4 | Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
5 | 


--------------------------------------------------------------------------------
/README.LDAP.md:
--------------------------------------------------------------------------------
 1 | # README.LDAP for UIF 1.99.0
 2 | 
 3 | ## Documentation / LDAP
 4 | 
 5 | There is some LDAP support built into UIF, with that you can handle a big
 6 | farm of diskles router configurations. Use uif(8) and information
 7 | provided in the doc/ directory to configure the firewall fitting your
 8 | needs.
 9 | 
10 | ## Call for help
11 | 
12 | The LDAP support in UIF hasn't been tested for quite a while. Most users
13 | of UIF have use cases with local configuration files. If you feel like
14 | contributing, please dive into the LDAP functionality of UIF and test it,
15 | report bugs, give feedback, etc.
16 | 


--------------------------------------------------------------------------------
/uif-ipv4-networks.inc:
--------------------------------------------------------------------------------
 1 | ## IPv4 network name definitions for UIF
 2 | #  In the network section you're asked to provide informations on all
 3 | #  IPv4 hosts and/or networks running in your setup.
 4 | #
 5 | #  syntax: net_name [ip-address[=mac-address]] [network] [net_name]
 6 | #  examples: webserver 192.168.1.5
 7 | #            intranet  10.1.0.0/16
 8 | #            dmz       10.5.0.0/255.255.0.0
 9 | #            some      intranet dmz 10.2.1.1
10 | #            router    10.1.0.1=0A:32:F2:C7:1A:31
11 | 
12 | network {
13 |     localhost   127.0.0.1
14 |     all         0.0.0.0/0
15 | #   trusted     192.168.1.0/24
16 | }
17 | 


--------------------------------------------------------------------------------
/uif-ipv6-networks.inc:
--------------------------------------------------------------------------------
 1 | ## IPv6 network name definitions for UIF
 2 | #  In the network section you're asked to provide informations on all
 3 | #  IPv6 hosts and/or networks running in your setup.
 4 | #
 5 | #  syntax: net_name [ip-address[=mac-address]] [network] [net_name]
 6 | #  examples: webserver 2001:610:1908:b000::148:14
 7 | #            intranet  fd00:0:0:1::/64
 8 | #            dmz       fd00:0:0:5::/64
 9 | #            some      intranet dmz fd00:0:2:1::1
10 | #            router    fd00:0:0:1::1=0A:32:F2:C7:1A:31
11 | 
12 | network {
13 |     localhost   ::1
14 |     all         ::/0
15 | #   trusted     fd00:1:2:3::/64
16 | }
17 | 


--------------------------------------------------------------------------------
/INSTALL.md:
--------------------------------------------------------------------------------
 1 | # Installation Guide for UIF 1.99.0
 2 | 
 3 | This file contains some quick installation hints for
 4 | the UIF package.
 5 | 
 6 | ## Download
 7 | 
 8 | You can get the newest version at https://github.com/cajus/uif.
 9 | 
10 | ## Dependencies
11 | 
12 | In order to use the script, you need iptables, ip6tables, Perl,
13 | NetAddr::IP (>=3.0), Socket, Data::Validate::IP and optionally Net::LDAP.
14 | 
15 | ## Build
16 | 
17 | Well - there's nothing to build. Just change the PREFIX on top of the
18 | Makefile and do a "make install". If you want to start UIF during bootup
19 | you should add the needed links in /etc/rc*. See file "uif.initscript"
20 | for a working init script.
21 | 
22 | ## Debian
23 | 
24 | The UIF package is regularly released via Debian. Use APT to retrieve
25 | this piece of software directly from the Debian archives:
26 | 
27 | ```
28 |   # apt-get install uif
29 | ```
30 | 
31 | ## Documentation
32 | 
33 | Use "man uif" and "man uif.conf" to see what's possible.
34 | 


--------------------------------------------------------------------------------
/COPYRIGHT:
--------------------------------------------------------------------------------
 1 | Copyright (C) 2002-2015 Jörg Platte <jplatte@gmx.net>
 2 | Copyright (C) 2002-2015 Cajus Pollmeier <pollmeier@gonicus.de>
 3 | Copyright (C) 2013-2015 Alex Owen <r.alex.owen@gmail.com>
 4 | Copyright (C) 2013-2022 Mike Gabriel <mike.gabriel@das-netzwerteam.de>
 5 | 
 6 | All of uif is licensed under the GPL-2.0+ (GPL-2.0 or newer) license:
 7 | 
 8 |  This program is free software; you can redistribute it and/or modify
 9 |  it under the terms of the GNU General Public License as published by
10 |  the Free Software Foundation; either version 2 of the License, or
11 |  (at your option) any later version.
12 | 
13 |  This program is distributed in the hope that it will be useful,
14 |  but WITHOUT ANY WARRANTY; without even the implied warranty of
15 |  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16 |  GNU General Public License for more details.
17 | 
18 |  You should have received a copy of the GNU General Public License
19 |  along with this program; if not, write to the Free Software
20 |  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
21 | 
22 | See the COPYING file for a full text version of the license.
23 | 


--------------------------------------------------------------------------------
/default:
--------------------------------------------------------------------------------
 1 | ## Debian firewall package standard values
 2 | #  See "man 8 uif" for details.
 3 | 
 4 | ### UIF settings, these need to be exported to the environment
 5 | 
 6 | # 'nft', 'iptables', 'iptables-nft' or 'iptables-legacy'?
 7 | export FILTER_COMMAND="nft"
 8 | 
 9 | # the iptables loglevel
10 | export LOGLEVEL="crit"
11 | 
12 | # prefix for all logged incidents 
13 | export LOGPREFIX="FW"
14 | 
15 | # iptables log specific options
16 | export LOGLIMIT="20/minute"
17 | export LOGBURST="5"
18 | 
19 | # iptables limit specific options
20 | export LIMIT="20/minute"
21 | export BURST="5"
22 | 
23 | # firewall testing timeout
24 | export TIMEOUT=30
25 | 
26 | # prefix for accounting rules
27 | export ACCOUNTPREFIX="ACC_"
28 | 
29 | ### UIF init script setting, need not be exported to the environment
30 | 
31 | # specify modules to load before startup
32 | MODULES="ip_conntrack_ftp"
33 | 
34 | # who should get the mails when the script fails
35 | MAILTO="root"
36 | 
37 | # IPV6MODE can be set to 0 or 1. By default it is 0
38 | # If set to 1 then both an IPv4 and an IPv6 firewall will be started
39 | # Uncomment below to enable the IPV6MODE
40 | IPV6MODE=1
41 | 
42 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # README for UIF 1.99.0
 2 | 
 3 | ## Documentation
 4 | 
 5 | The UIF project has been developed for a diskless router system and provides
 6 | a mechanism to create and simplify packet filter rules. It forces you to
 7 | provide names for every value you use in order to make firewalls less
 8 | confusing.
 9 | 
10 | Please have a look at the man pages for uif(8) and uif.conf(5). There
11 | are also example configurations in the docs/ directory.
12 | 
13 | There is some LDAP support built-in, with that you can handle a big farm
14 | of diskles router configurations. Use uif(8) and information provided in
15 | the doc/ directory to configure the firewall fitting your needs.
16 | 
17 | 
18 | ## Bugs / Wishlist
19 | 
20 | UIF is on Github. If you've found a bug, or have suggestions for future
21 | versions please report it via the project's issue tracker:
22 | https://github.com/cajus/uif/issues
23 | 
24 | If you have installed UIF on Debian, you can also use the Debian BTS for
25 | reporting bugs. As the Debian maintainer of UIF is a member of the UIF
26 | upstream development team, the Debian bugs will also reach upstream quickly.
27 | 
28 | 
29 | Have fun,
30 | -Jörg Platte, Cajus Pollmeier, Mike Gabriel, Alex Owen
31 | 


--------------------------------------------------------------------------------
/compare-v4-iptables+nft-results.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Copyright (C) 2022 Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
 4 | #
 5 | # This program is free software; you can redistribute it and/or modify
 6 | # it under the terms of the GNU General Public License as published by
 7 | # the Free Software Foundation; either version 2 of the License, or
 8 | # (at your option) any later version.
 9 | #
10 | # This program is distributed in the hope that it will be useful,
11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13 | # GNU General Public License for more details.
14 | #
15 | # You should have received a copy of the GNU General Public License
16 | # along with this program; if not, write to the Free Software
17 | # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
18 | 
19 | # this script requires /etc/uif/ to be in place and configured well
20 | 
21 | tmpresults_nft="$(mktemp)"
22 | tmpresults_iptables="$(mktemp)"
23 | 
24 | sudo nft flush ruleset ip
25 | 
26 | sudo FILTER_COMMAND=nft ./uif.pl
27 | sudo nft list ruleset ip 1> "${tmpresults_nft}"
28 | sudo nft flush ruleset ip
29 | 
30 | sudo FILTER_COMMAND=iptables-nft ./uif.pl
31 | sudo nft list ruleset ip 1> "${tmpresults_iptables}"
32 | #sudo nft flush ruleset ip
33 | 
34 | diff -wu "${tmpresults_iptables}" "${tmpresults_nft}"
35 | 


--------------------------------------------------------------------------------
/compare-v6-iptables+nft-results.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Copyright (C) 2013-2022 Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
 4 | #
 5 | # This program is free software; you can redistribute it and/or modify
 6 | # it under the terms of the GNU General Public License as published by
 7 | # the Free Software Foundation; either version 2 of the License, or
 8 | # (at your option) any later version.
 9 | #
10 | # This program is distributed in the hope that it will be useful,
11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13 | # GNU General Public License for more details.
14 | #
15 | # You should have received a copy of the GNU General Public License
16 | # along with this program; if not, write to the Free Software
17 | # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
18 | 
19 | # this script requires /etc/uif/ to be in place and configured well
20 | 
21 | tmpresults_nft="$(mktemp)"
22 | tmpresults_iptables="$(mktemp)"
23 | 
24 | sudo nft flush ruleset ip6
25 | 
26 | sudo FILTER_COMMAND=nft ./uif.pl -6
27 | sudo nft list ruleset ip6 1> "${tmpresults_nft}"
28 | sudo nft flush ruleset ip6
29 | 
30 | sudo FILTER_COMMAND=iptables-nft ./uif.pl -6
31 | sudo nft list ruleset ip6 1> "${tmpresults_iptables}"
32 | #sudo nft flush ruleset ip6
33 | 
34 | diff -wu "${tmpresults_iptables}" "${tmpresults_nft}"
35 | 


--------------------------------------------------------------------------------
/uif.spec:
--------------------------------------------------------------------------------
 1 | Summary: Tool for generating optimized packetfilter rules under GPL
 2 | Name: uif
 3 | Version: 1.99.0
 4 | Release: 0
 5 | License: GPL
 6 | Group: System
 7 | Source: https://github.com/cajus/uif/archive/%{version}.zip
 8 | URL: https://github.com/cajus/uif
 9 | Prereq: perl perl-netaddr-ip perl-ldap iptables
10 | BuildRoot: %{_tmppath}/%{name}-%{version}-root
11 | 
12 | %description
13 | UIF is used to generate optimized iptables(8) packetfilter rules, using a
14 | simple description file specified by the user.
15 | 
16 | Generated rules are provided in iptables-save(8) style.
17 | 
18 | uif can be used to read or write rulesets from or to LDAP servers in your
19 | network, which provides a global storing mechanism. (Note that you need to
20 | include the uif.schema to your slapd configuration in order to use it.)
21 | 
22 | %prep
23 | %setup -q -n %{name}
24 | 
25 | %build
26 | 
27 | %install
28 | rm -rf %{buildroot}
29 | mkdir -p %{buildroot}
30 | 
31 | DESTDIR=%{buildroot} make install
32 | 
33 | 
34 | %clean
35 | rm -rf %{buildroot}
36 | rm -rf %{_builddir}/%{buildsubdir}
37 | 
38 | 
39 | %files
40 | %defattr(-,root,root)
41 | %defattr(0644,root,root,0755)
42 | /etc/uif/services
43 | /etc/default/uif
44 | /etc/init.d/uif
45 | /etc/ldap/schema/uif.schema
46 | /usr/sbin/uif
47 | /usr/share/man/man8/uif.8.gz
48 | /usr/share/man/man5/uif.conf.5.gz
49 | %doc docs/uif.conf.tmpl
50 | %doc docs/examples.txt
51 | 
52 | %changelog
53 | * Thu Jun 13 2002 Andreas Almstadt <almstadt@GONICUS.de>
54 |  - first build
55 | 
56 | * Wed Jan 22 2014 Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
57 |  - update version, update download source and project URL
58 | 
59 | * Sun Jan 15 2017 Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
60 |  - bump upstream release to 1.1.8
61 | 
62 | * Mon Aug 20 2018 Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
63 |  - bump upstream release to 1.1.9
64 | 
65 | * Mon Apr 19 2022 Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
66 |  - bump upstream release to 1.99.0
67 | 


--------------------------------------------------------------------------------
/README.IPv6.md:
--------------------------------------------------------------------------------
 1 | # IPv6 support for UIF 1.99.0
 2 | 
 3 | Starting with version 1.1.0 UIF is able to handle IPv6 iptables as well
 4 | as IPv4 iptables. The IPv6 support was originally provided by Alex Owen
 5 | via a patch sent to the Debian bug tracker. Awesome thanks to Alex for
 6 | this initial piece of work!!!
 7 | 
 8 | With IPv6 support added, UIF can now also produce IPv6 firewall rules.
 9 | The init script can, by setting IPV6MODE=1 in /etc/default/uif, be made
10 | to install the IPv4 rules from /etc/uif/uif.conf and the IPv6 rules from
11 | /etc/uif/uif6.conf.
12 | 
13 | Judicious use of the include and include4 and include6 sections of the
14 | config files can mean that the ipv6 and ipv4 rules can be identical
15 | except for including a network section with IPv4 definitions and IPv6
16 | definitions respectivly.
17 | 
18 | ## Configuration Examples
19 | 
20 | The file uif6.conf can be a sym-link to uif.conf or contain:
21 | 
22 | ```
23 | --uif6.conf--
24 | include {
25 |     "/etc/uif/uif.conf"
26 | }
27 | -------------
28 | ```
29 | 
30 | The file uif.conf can then be used for a single set of rules but can include
31 | different network definitions as needed:
32 | 
33 | ```
34 | --uif.conf--
35 | #include common services 
36 | include {
37 |     "/etc/uif/services"
38 | }
39 | # in IPv4 mode include IPv4 network definitions
40 | include4 {
41 |     "/etc/uif/networks4"
42 | }
43 | #In IPv6 mode include IPv6 network defnintions
44 | include6 {
45 |     "/etc/uif/networks6"
46 | }
47 | #common filter block for both ipv4 and ipv6 
48 | filter {
49 | 
50 |   #Put your firewall rules here
51 | 
52 | }
53 | ------------
54 | ```
55 | 
56 | 
57 | As an addition it is possible to append "(4)" or "(6)" to network names in filtering
58 | rules (e.g.: "in+ s=trusted(4)"). This limits the application of this rule to the
59 | specified IP protocol version only.
60 | 
61 | This can be especially helpful, if some of your network names only exist for one IP
62 | protocol version but not for the other.
63 | 
64 | ## AUTHORS
65 | 
66 |  * Alex Owen <r.alex.owen@gmail.com>, Sun, 15 Jul 2012 14:41:22 +0100
67 |  * Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, Wed, 22 Jan 2014 13:50:01 +0100
68 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | # uif-1.1.x Installer Makefile
 2 | 
 3 | #  Copyright (C) 2002-2015, Cajus Pollmeier <pollmeier@gonicus.de>
 4 | #  Copyright (C) 2002-2015, Jörg Platte <jplatte@gmx.net>
 5 | #  Copyright (C) 2013-2022, Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
 6 | #
 7 | # This program is free software; you can redistribute it and/or modify
 8 | # it under the terms of the GNU General Public License as published by
 9 | # the Free Software Foundation; either version 2 of the License, or
10 | # (at your option) any later version.
11 | #
12 | # This program is distributed in the hope that it will be useful,
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15 | # GNU General Public License for more details.
16 | #
17 | # You should have received a copy of the GNU General Public License
18 | # along with this program; if not, write to the Free Software
19 | # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
20 | 
21 | # Change here to install to different location
22 | DESTDIR ?=
23 | PREFIX  ?= /usr/local
24 | 
25 | VERSION = `cat VERSION | head -1`
26 | 
27 | all:
28 | 
29 | install:
30 | 	@echo "Installing uif script..."
31 | 
32 | 	@# create directories
33 | 	install -o root -g root -m 700 -d $(DESTDIR)/etc/uif
34 | 	install -o root -g root -m 700 -d $(DESTDIR)/etc/uif/uif.conf.d
35 | 	install -o root -g root -m 700 -d $(DESTDIR)/etc/uif/uif-ipv4-networks.inc.d
36 | 	install -o root -g root -m 700 -d $(DESTDIR)/etc/uif/uif-ipv6-networks.inc.d
37 | 	install -o root -g root -m 755 -d $(DESTDIR)/etc/default
38 | 	install -o root -g root -m 755 -d $(DESTDIR)/etc/init.d
39 | 	install -o root -g root -m 755 -d $(DESTDIR)/etc/ldap/schema
40 | 	install -o root -g root -m 755 -d $(DESTDIR)$(PREFIX)/sbin
41 | 	install -o root -g root -m 755 -d $(DESTDIR)$(PREFIX)/share/doc/uif
42 | 	install -o root -g root -m 755 -d $(DESTDIR)$(PREFIX)/share/man/man8
43 | 	install -o root -g root -m 755 -d $(DESTDIR)$(PREFIX)/share/man/man5
44 | 	
45 | 	@# install files
46 | 	install -o root -g root -m 700 uif.pl $(DESTDIR)$(PREFIX)/sbin/uif
47 | 	install -o root -g root -m 600 default $(DESTDIR)/etc/default/uif
48 | 	install -o root -g root -m 600 services $(DESTDIR)/etc/uif
49 | 	if [ ! -e $(DESTDIR)/etc/uif/uif.conf ]; then install -o root -g root -m 600 uif.conf $(DESTDIR)/etc/uif; fi
50 | 	if [ ! -e $(DESTDIR)/etc/uif/uif-ipv4-networks.inc ]; then install -o root -g root -m 600 uif-ipv4-networks.inc $(DESTDIR)/etc/uif; fi
51 | 	if [ ! -e $(DESTDIR)/etc/uif/uif-ipv6-networks.inc ]; then install -o root -g root -m 600 uif-ipv6-networks.inc $(DESTDIR)/etc/uif; fi
52 | 	install -o root -g root -m 755 uif.initscript $(DESTDIR)/etc/init.d
53 | 	mv $(DESTDIR)/etc/init.d/uif.initscript $(DESTDIR)/etc/init.d/uif
54 | 	install -o root -g root -m 644 uif.schema $(DESTDIR)/etc/ldap/schema
55 | 
56 | 	@# install documentation
57 | 	install -o root -g root -m 644 docs/uif.conf.IPv4.tmpl $(DESTDIR)$(PREFIX)/share/doc/uif
58 | 	install -o root -g root -m 644 docs/uif.conf.IPv4+6.tmpl $(DESTDIR)$(PREFIX)/share/doc/uif
59 | 	install -o root -g root -m 644 docs/examples.IPv4.txt $(DESTDIR)$(PREFIX)/share/doc/uif
60 | 	install -o root -g root -m 644 uif.8 $(DESTDIR)$(PREFIX)/share/man/man8
61 | 	install -o root -g root -m 644 uif.conf.5 $(DESTDIR)$(PREFIX)/share/man/man5
62 | 


--------------------------------------------------------------------------------
/services:
--------------------------------------------------------------------------------
  1 | ## UIF 1.0 sample services file
  2 | 
  3 | #  Copyright (C) 2002-2015, Cajus Pollmeier <pollmeier@gonicus.de>
  4 | #  Copyright (C) 2002-2015, Jörg Platte <jplatte@gmx.net>
  5 | #  Copyright (C) 2013-2015, Alex Owen <r.alex.owen@gmail.com>
  6 | #  Copyright (C) 2013-2022, Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
  7 | #
  8 | # This program is free software; you can redistribute it and/or modify
  9 | # it under the terms of the GNU General Public License as published by
 10 | # the Free Software Foundation; either version 2 of the License, or
 11 | # (at your option) any later version.
 12 | #
 13 | # This program is distributed in the hope that it will be useful,
 14 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
 15 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 16 | # GNU General Public License for more details.
 17 | #
 18 | # You should have received a copy of the GNU General Public License
 19 | # along with this program; if not, write to the Free Software
 20 | # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
 21 | 
 22 | service {
 23 | 	# ICMP & Routing
 24 | 	traceroute	udp(32769:65535/33434:33523)
 25 | 
 26 | 	# ICMP protocol: IPv4 and IPv6 ICMP types
 27 | 	ping			icmp(echo-request) ipv6-icmp(echo-request)
 28 | 	pong			icmp(echo-reply) ipv6-icmp(echo-reply)
 29 | 	noroute			icmp(destination-unreachable) ipv6-icmp(destination-unreachable)
 30 | 	router-advertisement	icmp(router-advertisement) ipv6-icmp(router-advertisement)
 31 | 	router-solicitation	icmp(router-solicitation) ipv6-icmp(router-solicitation)
 32 | 
 33 | 	# ICMP protocol: IPv4-only ICMP types
 34 | 	host-unreachable	icmp(host-unreachable)
 35 | 	ttl-exceeded		icmp(ttl-exceeded)
 36 | 	source-quench		icmp(source-quench)
 37 | 
 38 | 	# ICMP protocol: IPv6-only ICMP types
 39 | 	packet-too-big		ipv6-icmp(packet-too-big)
 40 | 	time-exceeded		ipv6-icmp(time-exceeded)
 41 | 	parameter-problem	ipv6-icmp(parameter-problem)
 42 | 	neighbor-advertisement	ipv6-icmp(neighbor-advertisement)
 43 | 	neighbor-solicitation	ipv6-icmp(neighbor-solicitation)
 44 | 
 45 | 	# Most common services you may want to filter
 46 | 	ftp		tcp(/21)
 47 | 	ssh		tcp(/22)
 48 | 	telnet		tcp(/23)
 49 | 	smtp		tcp(/25)
 50 | 	whois		tcp(/43)
 51 | 	dns		tcp(/53) udp(/53)
 52 | 	bootp		tcp(68/67) udp(68/67)
 53 | 	http		tcp(/80)
 54 | 	kerberos5	tcp(/88)
 55 | 	pop3		tcp(/110)
 56 | 	sunrpc		udp(/111) tcp(/111)
 57 | 	ident		tcp(/113)
 58 | 	ntp		udp(/123)
 59 | 	nntp		tcp(/119)
 60 |         smb             tcp(/137:139) udp(/137:139) tcp(/445) udp(/445)
 61 | 	imap		tcp(/143)
 62 | 	xdmcp		udp(/177)
 63 | 	ldap		tcp(/389)
 64 | 	https		tcp(/443)
 65 | 	ssmtp		tcp(/465)
 66 | 	syslog		udp(/514)
 67 | 	route		udp(/520) icmp(9)
 68 | 	uucp		tcp(/540)
 69 | 	real		tcp(/554)
 70 |         ipp             tcp(/631) udp(/631)
 71 | 	mount		udp(/635)
 72 | 	ldaps		tcp(/636)
 73 | 	kerberos4	tcp(/750)
 74 | 	kerberos-master tcp(/751)
 75 | 	passwd-server   tcp(/752)
 76 | 	krb-prop	tcp(/754)
 77 | 	krbupdate	tcp(/760)
 78 | 	swat		tcp(/901)
 79 | 	imaps		tcp(/993)
 80 | 	pop3s		tcp(/995)
 81 | 	openvpn		udp(/1194) tcp(/1194)
 82 | 	nfs		udp(/2049) tcp(/2049)
 83 | 	cvspserver	tcp(/2401)
 84 | 	squid		tcp(/3128)
 85 | 	mysql		tcp(/3306)
 86 | 	rdp		tcp(/3389)
 87 | 	munin		tcp(/4949)
 88 | 	cfengine	tcp(/5308)
 89 | 	xmpp-client	tcp(/5222) udp(/5222)
 90 | 	xmpp-server	tcp(/5223) udp(/5223)
 91 | 	icinga2         tcp(/5665)
 92 | 	vnc-support	tcp(/5500:5509)
 93 | 	x11		tcp(/6000:6063)
 94 | 	proxy		tcp(/8080)
 95 | 	puppet		tcp(/8140)
 96 | 	webmin		tcp(/10000)
 97 | 	dhis		udp(/58800)
 98 | 
 99 |         # ipsec
100 | 	ipsec           esp(/) udp(/500)
101 | 
102 | 	# some proprietary protocols
103 | 	arkeia		tcp(/617)
104 | 	pcanywhere	udp(/5632) tcp(/5631)
105 |         msterminal	tcp(/3389) udp(/3389)
106 | 
107 | 	# some protocols
108 | 	igmp		igmp()
109 | 	pim		pim()
110 | 	tcp		tcp(0:65535/0:65535)
111 | 	udp		udp(0:65535/0:65535)
112 | 
113 | 	# some useful definitions
114 | 	lowports	udp(/1:1023) tcp(/1:1023)
115 | 	highports	udp(/1024:65535) tcp(/1024:65535)
116 | }
117 | 


--------------------------------------------------------------------------------
/docs/examples.IPv4.txt:
--------------------------------------------------------------------------------
  1 | EXAMPLES for UIF
  2 | ================
  3 | 
  4 | These sample configurations are fully virtual setups but may contain valid
  5 | ip addresses.
  6 | 
  7 | 
  8 | 1) Simple router/proxy setup
  9 | 
 10 | Imagine the following scenario with one packet filter and masquerading:
 11 | 
 12 |                 ppp0   eth0      
 13 | internet-----------filter-------------proxy---------intranet
 14 |         193.174.71.23 192.168.0.1  192.168.0.2   192.168.0.0/24
 15 | 
 16 | The filter masquerades the proxy address and rejects all other internal
 17 | traffic to the internet.
 18 | 
 19 | Don't forget to enable forwarding (sysctl -w net.ipv4.ip_forward=1),
 20 | respectivly adding it to /etc/sysctl.conf.
 21 | 
 22 | 
 23 | 8<---------------------------------------------------------------------
 24 | include {
 25 | 	# include the basic service definitions
 26 | 	"/etc/uif/services"
 27 | }
 28 | 
 29 | service {
 30 | 	# define all valid services from the proxy into the internet
 31 | 	proxytraffic	http https ntp pop3s imaps smtp ssh ftp
 32 | }
 33 | 
 34 | network {
 35 | 	# define all networks and hosts
 36 | 	proxy	192.168.0.2
 37 | 	intern	192.168.0.0/24
 38 | 
 39 | 	gonicus	21.8.6.9
 40 | 	ds	129.27.18.16
 41 | 
 42 | 	# accept external ssh connections from gonicus and ds
 43 | 	sshok	ds gonicus
 44 | }
 45 | 
 46 | interface {
 47 | 	# define all local interfaces
 48 | 	loop	lo
 49 | 	extern	ppp0
 50 | 	intern	eth0
 51 | }
 52 | 
 53 | input {
 54 | 	# permit all loopback traffic
 55 | 	in+	i=loop
 56 | 
 57 | 	# accept local ssh logins
 58 | 	in+	i=intern s=intern p=ssh
 59 | 
 60 | 	# accept external ssh connections from gonicus and ds
 61 | 	in+	i=extern s=sshok  p=ssh
 62 | 
 63 | 	# accept pings
 64 | 	in+	i=extern p=ping
 65 | 
 66 | 	# reject and log all other incoming connentions
 67 | 	in-	f=log(incoming),reject
 68 | }
 69 | 
 70 | output {
 71 | 	# permit all loopback traffic
 72 | 	out+	o=loop
 73 | 
 74 | 	# permit all outgoing traffic to the internal network
 75 | 	out+	o=intern
 76 | 
 77 | 	# permit outgoing ntp and ssh connections
 78 | 	out+	o=extern p=ntp,ssh
 79 | 
 80 | 	# reject all and log all other outgoing connentions
 81 | 	out-	f=log(outgoing),reject
 82 | }
 83 | 
 84 | forward {
 85 | 	# in case of an pppoe dsl line the following line may be useful
 86 | 	# it sets the mss of every forwarded packet to a smaller value
 87 | 	fw>	o=extern
 88 | 
 89 | 	# forward previously defined proxy traffic to external hosts
 90 | 	fw+	o=extern s=proxy p=proxytraffic
 91 | 
 92 | 	# reject all and log all other outgoing connentions
 93 | 	fw-	f=log(forwarding),reject
 94 | }
 95 | 
 96 | masquerade {
 97 | 	# masquerade proxy traffic
 98 | 	masq+	o=extern s=proxy
 99 | }
100 | --------------------------------------------------------------------->8
101 | 
102 | 
103 | 2) Router doing nat and transparent proxys
104 | 
105 | Imagine the following (not really usable) scenario:
106 | 
107 |               eth0    eth1
108 | Internet---------filter------------switch
109 |          80.67.1.53  10.10.0.1        |
110 | 				      +--gatekeeper 10.10.0.15
111 |                                       |
112 | 				      +--[intranet]
113 | 
114 | Imagine "filter" is running squid as a transparent proxy and "gatekeeper"
115 | is your ssh gateway to the intranet. No other connections to the intranet
116 | are allowed. "filter" is acting as nameserver, no additional connections
117 | from the inside to the outside are allowed.
118 | 
119 | 8<---------------------------------------------------------------------
120 | include {
121 |         # include the basic service definitions
122 |         "/etc/uif/services"
123 | }
124 | 
125 | network {
126 |         # define all networks and hosts
127 |         proxy   10.10.0.1
128 |         intern  10.10.0.0/16
129 |         gate    10.10.0.5
130 | }
131 | 
132 | interface {
133 |         # define all local interfaces
134 |         loop    lo
135 |         extern  eth0
136 |         intern  eth1
137 | }
138 | 
139 | filter {
140 |         # permit all loopback traffic
141 |         in+     i=loop
142 |         out+    o=loop
143 | 
144 | 	# permit all outgoing traffic for "filter"
145 |         out+    o=intern,extern
146 | 	
147 |         # accept pings
148 |         in+     i=extern p=ping
149 | 
150 |         # accept local ssh logins, dns, http
151 |         in+     i=intern s=intern p=ssh,dns,http
152 | 
153 | 	# redirect port 80 to 10.10.0.1:3128
154 | 	nat+    i=intern s=intern p=http D=proxy P=squid
155 | 
156 | 	# redirect incomming ssh connections to gatekeeper
157 | 	nat+	i=extern p=ssh D=gatekeeper
158 | 
159 |         # reject and log all other connentions
160 |         in-     f=log(incoming),reject
161 |         out-    f=log(outgoing),reject
162 |         fw-     f=log(forward),reject
163 | }
164 | 
165 | --------------------------------------------------------------------->8
166 | 
167 | 


--------------------------------------------------------------------------------
/docs/uif.conf.IPv4.tmpl:
--------------------------------------------------------------------------------
  1 | ## Debian GNU Linux Firewall Package
  2 | ## This file has been automatically generated by debconf. It will be overwritten
  3 | ## the next time you configure firewall without choosing "don't touch".
  4 | 
  5 | 
  6 | ## Sysconfig definitions
  7 | #  These entries define the global behaviour of the firewall package. Normally
  8 | #  they are preset in /etc/default/uif and may be overwritten by this
  9 | #  section.
 10 | #
 11 | #  syntax:   LogLevel : set the kernel loglevel for iptables rules
 12 | #            LogPrefix: prepend this string to all iptables logs
 13 | #            LogLimit:  set packet log limit per time interval (times/interval)
 14 | #            LogBurst:  set packet log burst
 15 | #            Limit:     set packet limit per time interval (times/interval)
 16 | #            Burst:     set packet burst
 17 | #  example:
 18 | #   sysconfig {
 19 | #      LogLevel      debug
 20 | #      LogPrefix     FW
 21 | #      LogLimit      20/minute
 22 | #      LogBurst      5
 23 | #      Limit         20/minute
 24 | #      Burst         5
 25 | #      AccountPrefix ACC_
 26 | #   }
 27 | 
 28 | 
 29 | ## Include predefined services
 30 | #  The include section takes a bunch of files and includes them into this
 31 | #  configuration file.
 32 | #
 33 | #  syntax:  "filename"
 34 | #include {
 35 | #    "/etc/uif/services"
 36 | #}
 37 | 
 38 | 
 39 | ## Services needed for workstation setup
 40 | #  The service section provides the protocol definitions you're
 41 | #  using in the rules. You're forced to declare everything you
 42 | #  need for your setup.
 43 | #
 44 | #  syntax: service_name [tcp([source:range]/[dest:range])] [udp([source:range]/[dest:range])]
 45 | #                       [protocol_name([source:range][/][dest:range])] [service_name] ...
 46 | #  examples: http  tcp(/80)
 47 | #            dns   tcp(/53) udp(/53)
 48 | #            group http dns tcp(/443)
 49 | #            ipsec esp(/) udp(/500)
 50 | service {
 51 |     traceroute  udp(32769:65535/33434:33523) icmp(11)
 52 |     ping        icmp(8)
 53 | }
 54 | 
 55 | ## Network definitions needed for simple workstation setup
 56 | #  In the network section you're asked to provide informations on all
 57 | #  hosts and/or networks running in your setup.
 58 | #
 59 | #  syntax: net_name [ip-address[:mac-address]] [network] [net_name]
 60 | #  examples: webserver 192.168.1.5
 61 | #            intranet  10.1.0.0/16
 62 | #            dmz       10.5.0.0/255.255.0.0
 63 | #            some      intranet dmz 10.2.1.1
 64 | #            router    10.1.0.1=0A:32:F2:C7:1A:31
 65 | network {
 66 |     localhost   127.0.0.1
 67 |     all         0.0.0.0/0
 68 |     trusted     192.168.1.0/24
 69 | }
 70 | 
 71 | ## Interface definitions
 72 | #  Since all definitions used in the filter section are symbolic,
 73 | #  you've to specify symbolic names for all your interfaces you're
 74 | #  going to use.
 75 | #
 76 | #  syntax: interface_name [unix network interface] [interface_name]
 77 | #  examples: internal eth0
 78 | #            external ippp0 ipsec0
 79 | #            allppp   ppp+
 80 | #            group    external allppp eth3
 81 | interface {
 82 |     loop     lo
 83 | }
 84 | 
 85 | ## Filter definitions
 86 | #  The filter section defines the rules for in, out, forward, masquerading
 87 | #  and nat. All rules make use of the symbolic names defined above. This
 88 | #  section can be used multiple times in one config file. This makes more
 89 | #  senese when using one of these alias names:
 90 | #  filter, nat, input, output, forward, masquerade
 91 | #
 92 | #  syntax: in[-/+]  [i=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
 93 | #          out[-/+] [o=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
 94 | #          fw[>/-/+]  [i/o=interface][s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
 95 | #          masq[-/+][i/o=interface][s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
 96 | #          nat[-/+] additionally allows [S=from source] [D=to destination] [P=to port:[range]]
 97 | #  additional:
 98 | #          All keys mentioned in the syntax section (in/out/...) can be prefixed with "sl", which
 99 | #          causes the creation of a stateless rule.
100 | #  flags:  limit([count/time[,burst]])
101 | #          reject([reject type])
102 | #          log([name])
103 | #          account(name)
104 | #  examples:
105 | #       masq+  o=extern s=intranet
106 | #       nat+   s=intranet p=http   D=relayintern   P=squid
107 | #       in+    s=trusted  p=ssh,ping,traceroute,http
108 | #       out-   s=intranet p=smb    f=reject
109 | #       fw-    d=microsoft         f=reject,log(ms-alert)
110 | #       slin+  s=testnet
111 | #       slout- d=testnet
112 | #       fw>    o=extern
113 | #       fw+    p=myhttp            f=account(HTTP)
114 | #              Take an attention about the protocol for your accounting rules. If you
115 | #              want to count user http traffice, you may need a "myhttp tcp(80/)".
116 | filter {
117 |     in+  i=loop    s=localhost
118 |     out+ o=loop    d=localhost
119 | 
120 |     in+  p=ping,traceroute
121 |     in+  s=trusted
122 |     out+ d=all
123 | 
124 |     in-  f=log(input),reject
125 |     out- f=log(output),reject
126 |     fw-  f=log(forward),reject
127 | }
128 | 


--------------------------------------------------------------------------------
/docs/uif.conf.IPv4+6.tmpl:
--------------------------------------------------------------------------------
  1 | ## Debian GNU Linux Firewall Package
  2 | ## This file has been automatically generated by debconf. It will be overwritten
  3 | ## the next time you configure firewall without choosing "don't touch".
  4 | 
  5 | 
  6 | ## Sysconfig definitions
  7 | #  These entries define the global behaviour of the firewall package. Normally
  8 | #  they are preset in /etc/default/uif and may be overwritten by this
  9 | #  section.
 10 | #
 11 | #  syntax:   LogLevel : set the kernel loglevel for iptables rules
 12 | #            LogPrefix: prepend this string to all iptables logs
 13 | #            LogLimit:  set packet log limit per time interval (times/interval)
 14 | #            LogBurst:  set packet log burst
 15 | #            Limit:     set packet limit per time interval (times/interval)
 16 | #            Burst:     set packet burst
 17 | #  example:
 18 | #   sysconfig {
 19 | #      LogLevel      debug
 20 | #      LogPrefix     FW
 21 | #      LogLimit      20/minute
 22 | #      LogBurst      5
 23 | #      Limit         20/minute
 24 | #      Burst         5
 25 | #      AccountPrefix ACC_
 26 | #   }
 27 | 
 28 | 
 29 | ## Include predefined services
 30 | #  The include section takes a bunch of files and includes them into this
 31 | #  configuration file.
 32 | #
 33 | #  syntax:  "filename"
 34 | #include {
 35 | #    "/etc/uif/services"
 36 | #}
 37 | 
 38 | 
 39 | ## Services needed for workstation setup
 40 | #  The service section provides the protocol definitions you're
 41 | #  using in the rules. You're forced to declare everything you
 42 | #  need for your setup.
 43 | #
 44 | #  syntax: service_name [tcp([source:range]/[dest:range])] [udp([source:range]/[dest:range])]
 45 | #                       [protocol_name([source:range][/][dest:range])] [service_name] ...
 46 | #  examples: http  tcp(/80)
 47 | #            dns   tcp(/53) udp(/53)
 48 | #            group http dns tcp(/443)
 49 | #            ipsec esp(/) udp(/500)
 50 | service {
 51 |     traceroute  udp(32769:65535/33434:33523) icmp(11)
 52 |     ping        icmp(8)
 53 | }
 54 | 
 55 | ## Network definitions needed for simple workstation setup
 56 | #  In the network section you're asked to provide informations on all
 57 | #  hosts and/or networks running in your setup.
 58 | #
 59 | #  syntax: net_name [ip-address[:mac-address]] [network] [net_name]
 60 | #  examples: webserver 192.168.1.5
 61 | #            intranet  10.1.0.0/16
 62 | #            dmz       10.5.0.0/255.255.0.0
 63 | #            some      intranet dmz 10.2.1.1
 64 | #            router    10.1.0.1=0A:32:F2:C7:1A:31
 65 | network {
 66 |     localhost   127.0.0.1
 67 |     all         0.0.0.0/0
 68 |     trusted4    192.168.1.0/24
 69 |     trusted6    fd00:1:2:3::/64
 70 | }
 71 | 
 72 | ## Interface definitions
 73 | #  Since all definitions used in the filter section are symbolic,
 74 | #  you've to specify symbolic names for all your interfaces you're
 75 | #  going to use.
 76 | #
 77 | #  syntax: interface_name [unix network interface] [interface_name]
 78 | #  examples: internal eth0
 79 | #            external ippp0 ipsec0
 80 | #            allppp   ppp+
 81 | #            group    external allppp eth3
 82 | interface {
 83 |     loop     lo
 84 | }
 85 | 
 86 | ## Filter definitions
 87 | #  The filter section defines the rules for in, out, forward, masquerading
 88 | #  and nat. All rules make use of the symbolic names defined above. This
 89 | #  section can be used multiple times in one config file. This makes more
 90 | #  senese when using one of these alias names:
 91 | #  filter, nat, input, output, forward, masquerade
 92 | #
 93 | #  syntax: in[-/+]  [i=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
 94 | #          out[-/+] [o=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
 95 | #          fw[>/-/+]  [i/o=interface][s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
 96 | #          masq[-/+][i/o=interface][s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
 97 | #          nat[-/+] additionally allows [S=from source] [D=to destination] [P=to port:[range]]
 98 | #  additional:
 99 | #          All keys mentioned in the syntax section (in/out/...) can be prefixed with "sl", which
100 | #          causes the creation of a stateless rule.
101 | #  flags:  limit([count/time[,burst]])
102 | #          reject([reject type])
103 | #          log([name])
104 | #          account(name)
105 | #  examples:
106 | #       masq+  o=extern s=intranet
107 | #       nat+   s=intranet p=http   D=relayintern   P=squid
108 | #       in+    s=trusted  p=ssh,ping,traceroute,http
109 | #       out-   s=intranet p=smb    f=reject
110 | #       fw-    d=microsoft         f=reject,log(ms-alert)
111 | #       slin+  s=testnet
112 | #       slout- d=testnet
113 | #       fw>    o=extern
114 | #       fw+    p=myhttp            f=account(HTTP)
115 | #              Take an attention about the protocol for your accounting rules. If you
116 | #              want to count user http traffice, you may need a "myhttp tcp(80/)".
117 | filter {
118 |     in+  i=loop    s=localhost
119 |     out+ o=loop    d=localhost
120 | 
121 | 
122 |     # allow incoming pings for IPv4
123 |     in+  s=all(4) p=ping
124 |     # these IPv6-ICMP types are a MUST for IPv6
125 |     in+  s=all(6) p=ping,pong,noroute,packet-too-big,time-exceeded,parameter-problem,neighbor-advertisement,neighbor-solicitation
126 | 
127 |     in+  p=traceroute
128 | 
129 |     in+  s=trusted4(4)
130 |     in+  s=trusted6(6)
131 | 
132 |     out+ d=all
133 | 
134 |     in-  f=log(input),reject
135 |     out- f=log(output),reject
136 |     fw-  f=log(forward),reject
137 | }
138 | 


--------------------------------------------------------------------------------
/uif.8:
--------------------------------------------------------------------------------
  1 | .TH uif 8 "Apr 19th, 2022" "Version 1.99.0" "Universal Internet Firewall"
  2 | .SH NAME
  3 | uif \- Universal Internet Firewall
  4 | .SH SYNOPSIS
  5 | 'nh
  6 | .fi
  7 | .ad l
  8 | \fBuif\fR \kx
  9 | .if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
 10 | 'in \n(.iu+\nxu
 11 | [-c \fI<configfile>\fR] [-n] [-p [-l]] [\fI-6\fR]
 12 | 'in \n(.iu-\nxu
 13 | \fBuif\fR \kx
 14 | .if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
 15 | 'in \n(.iu+\nxu
 16 | -d [\fI-6\fR]
 17 | 'in \n(.iu-\nxu
 18 | \fBuif\fR \kx
 19 | .if (\nx>(\n(.l/2)) .nr x (\n(.l/5)
 20 | 'in \n(.iu+\nxu
 21 | [<ldap-options>]
 22 | 'in \n(.iu-\nxu
 23 | .ad b
 24 | 'hy
 25 | 
 26 | .SH DESCRIPTION
 27 | .PP
 28 | This manual page documents the \fBuif\fR command. It is used to generate
 29 | optimized
 30 | .BR nft (8)
 31 | or
 32 | .BR iptables (8)
 33 | packetfilter rules, using a simple description file specified by the
 34 | user. Generated rules are provided in
 35 | .BR nft (8)
 36 | (with option \fI-f <filename>\fR) or
 37 | .BR iptables\-save 8
 38 | style. \fBuif\fR can be used to read or write rulesets from or to LDAP
 39 | servers in your network, which provides a global storing mechanism (LDAP
 40 | support hasn't been tested for a long time). Note that you need to
 41 | include the \fIuif.schema\fR to your slapd configuration in order to use it.
 42 | .PP
 43 | .BR uif.conf (5)
 44 | provides an easy way to specify rules, without exact knowledge of the nft
 45 | / iptables syntax. It provides groups and aliases to make your
 46 | packetfilter human readable.
 47 | .PP
 48 | Keep in mind that \fBuif\fR uif is intended to assist you when designing
 49 | firewalls, but will not tell you what to filter.
 50 | 
 51 | .SH OPTIONS
 52 | The options are as follows:
 53 | .TP
 54 | \fI\-6\fR
 55 | Turn on IPv6 mode so as to manipulate IPv6 rules.  Default configuration
 56 | file is changed to /etc/uif/uif6.conf see \-c below. It should be noted
 57 | that nat rules are silently ignored if \-6 is used.
 58 | .TP
 59 | \fI\-b <basedn>\fR
 60 | Specify the base DN to act on when using LDAP based firewall
 61 | configuration. \fBuif\fR will look in the subtree
 62 | ou=filter,ou=sysconfig,<basedn> for your rulesets.
 63 | .TP
 64 | \fI\-c <configfile>\fR
 65 | This option specifies the configuration file to be read by
 66 | \fBuif\fR\.
 67 | See
 68 | .BR uif.conf (5)
 69 | for detailed information on the fileformat. It defaults to /etc/uif/uif.conf.
 70 | .TP
 71 | \fI\-C <configfile>\fR
 72 | When reading configuration data from other sources than specified with
 73 | \-c  you may want to convert this information into a textual
 74 | configuration file. This options writes the parsed config back to the
 75 | file specified by <configfile>.
 76 | .TP
 77 | \fI\-d\fR
 78 | Clears all firewall rules immediately.
 79 | .TP
 80 | \fI\-D <bind_dn>\fR
 81 | If a special account is needed to bind to the LDAP database, the
 82 | account's DN can be specified at this point. Note: you should use this
 83 | when writing an existing configuration to the LDAP. Reading the
 84 | configuration may be done with an anonymous bind.
 85 | .TP
 86 | \fI\-p\fR
 87 | Prints rules specified in the configuration to stdout. This option is
 88 | mainly used for debugging the rule simplifier.
 89 | .TP
 90 | \fI\-l\fR
 91 | If printing rules (see \-p) prepend line numbers to the print-out.
 92 | .TP
 93 | \fI\-r <ruleset>\fR
 94 | Specifies the name of the ruleset to load from the LDAP database.
 95 | Remember to use the \-b option to set the base. Rulesets are stored using
 96 | the following dn: \fIcn=<ruleset>, ou=rulesets, ou=filter, ou=sysconfig,
 97 | basedn\fR, where <ruleset> will be replaced by the ruleset specified.
 98 | .TP
 99 | \fI\-R <ruleset>\fR
100 | Specifies the name of the ruleset to write to the LDAP database. This
101 | option can be used to convert i.e. a textual configuration to an LDAP
102 | based ruleset. Like with using \-r you've to specify the LDAP base to
103 | use. Target is \fIcn=<ruleset>, ou=rulesets, ou=filter, ou=sysconfig,
104 | <basedn>\fR, where <ruleset> will be replaced by the ruleset specified.
105 | .TP
106 | \fI\-s <server>\fR
107 | This option specifies the LDAP server to be used.
108 | .TP
109 | \fI\-t\fR
110 | This option is used to validate the packetfilter configuration without applying
111 | any rules. Mainly used for debugging.
112 | .TP
113 | \fI\-T <time>\fR
114 | When changing your packetfiltering rules remotely, it is
115 | useful to have a test option. Specify this one to apply
116 | your rules for a period of <time> (in seconds). After that the original
117 | rules will be restored.
118 | .TP
119 | \fI\-w <password>\fR
120 | When connecting to an LDAP server, you may need to  authenticate via a
121 | password. If you really need to specify a password on the command line
122 | (discouraged!), use this option, otherwise use \-W and enter it
123 | interactively.
124 | .TP
125 | \fI\-W\fR
126 | Activate interactive password query for LDAP authentication.
127 | .PP
128 | \fBuif\fR
129 | is meant to leave the packetfilter rules in a defined state, so if
130 | something went wrong during the initialisation, or \fBuif\fR is aborted
131 | by the user, the rules that were active before starting will be restored.
132 | .PP
133 | Normally you will not need to call this binary directly. Use the init
134 | script instead, since it does the most common steps for you.
135 | .SH FILES
136 | Configuration files are located in /etc/uif.
137 | .SH SEE ALSO
138 | uif.conf(5)
139 | nft(8)
140 | iptables(8)
141 | .PP
142 | .SH AUTHOR
143 | This manual page was written by Cajus Pollmeier <pollmeier@gonicus.de>
144 | and Jörg Platte <joerg.platte@gmx.de> and adjusted to nft support by Mike
145 | Gabriel <mike.gabriel@das-netzwerkteam.de>.
146 | 


--------------------------------------------------------------------------------
/uif.schema:
--------------------------------------------------------------------------------
  1 | attributetype ( 1.3.6.1.4.1.10098.1.1.1.1 NAME 'UIFdevice'
  2 | 	DESC 'Firewall definitions'
  3 | 	EQUALITY caseIgnoreMatch
  4 | 	SUBSTR caseExactIA5Match
  5 | 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
  6 | 
  7 | attributetype ( 1.3.6.1.4.1.10098.1.1.1.2 NAME 'UIFinDevice'
  8 | 	DESC 'Firewall definitions'
  9 | 	EQUALITY caseIgnoreMatch
 10 | 	SUBSTR caseExactIA5Match
 11 | 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
 12 | 
 13 | attributetype ( 1.3.6.1.4.1.10098.1.1.1.3 NAME 'UIFoutDevice'
 14 | 	DESC 'Firewall definitions'
 15 | 	EQUALITY caseIgnoreMatch
 16 | 	SUBSTR caseExactIA5Match
 17 | 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
 18 | 
 19 | 
 20 | attributetype ( 1.3.6.1.4.1.10098.1.1.1.4 NAME 'UIFtype'
 21 | 	DESC 'Firewall definitions'
 22 | 	EQUALITY caseIgnoreMatch
 23 | 	SUBSTR caseExactIA5Match
 24 | 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
 25 | 	SINGLE-VALUE)
 26 | 	
 27 | attributetype ( 1.3.6.1.4.1.10098.1.1.1.5 NAME 'UIFsource'
 28 | 	DESC 'Firewall definitions'
 29 | 	EQUALITY caseIgnoreMatch
 30 | 	SUBSTR caseExactIA5Match
 31 | 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
 32 | 
 33 | attributetype ( 1.3.6.1.4.1.10098.1.1.1.6 NAME 'UIFdest'
 34 | 	DESC 'Firewall definitions'
 35 | 	EQUALITY caseIgnoreMatch
 36 | 	SUBSTR caseExactIA5Match
 37 | 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
 38 | 
 39 | attributetype ( 1.3.6.1.4.1.10098.1.1.1.7 NAME 'UIFservice'
 40 | 	DESC 'Firewall definitions'
 41 | 	EQUALITY caseIgnoreMatch
 42 | 	SUBSTR caseExactIA5Match
 43 | 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
 44 | 
 45 | attributetype ( 1.3.6.1.4.1.10098.1.1.1.8 NAME 'UIFtransSource'
 46 | 	DESC 'Firewall definitions'
 47 | 	EQUALITY caseIgnoreMatch
 48 | 	SUBSTR caseExactIA5Match
 49 | 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
 50 | 
 51 | attributetype ( 1.3.6.1.4.1.10098.1.1.1.9 NAME 'UIFtransDest'
 52 | 	DESC 'Firewall definitions'
 53 | 	EQUALITY caseIgnoreMatch
 54 | 	SUBSTR caseExactIA5Match
 55 | 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
 56 | 
 57 | attributetype ( 1.3.6.1.4.1.10098.1.1.1.10 NAME 'UIFtransService'
 58 | 	DESC 'Firewall definitions'
 59 | 	EQUALITY caseIgnoreMatch
 60 | 	SUBSTR caseExactIA5Match
 61 | 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
 62 | 
 63 | attributetype ( 1.3.6.1.4.1.10098.1.1.1.11 NAME 'UIFprotocol'
 64 | 	DESC 'Firewall definitions'
 65 | 	EQUALITY caseIgnoreMatch
 66 | 	SUBSTR caseExactIA5Match
 67 | 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
 68 | 
 69 | attributetype ( 1.3.6.1.4.1.10098.1.1.1.12 NAME 'UIFflag'
 70 | 	DESC 'Firewall definitions'
 71 | 	EQUALITY caseIgnoreMatch
 72 | 	SUBSTR caseExactIA5Match
 73 | 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
 74 | 
 75 | attributetype ( 1.3.6.1.4.1.10098.1.1.1.13 NAME 'UIFnetwork'
 76 | 	DESC 'Firewall definitions'
 77 | 	EQUALITY caseIgnoreMatch
 78 | 	SUBSTR caseExactIA5Match
 79 | 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
 80 | 
 81 | attributetype ( 1.3.6.1.4.1.10098.1.1.1.14 NAME 'UIFlist'
 82 | 	DESC 'Firewall definitions'
 83 | 	EQUALITY caseIgnoreMatch
 84 | 	SUBSTR caseExactIA5Match
 85 | 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
 86 | 	SINGLE-VALUE)
 87 | 
 88 | attributetype ( 1.3.6.1.4.1.10098.1.1.1.15 NAME 'UIFdisabled'
 89 | 	DESC 'Firewall definitions'
 90 | 	EQUALITY caseIgnoreMatch
 91 | 	SUBSTR caseExactIA5Match
 92 | 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
 93 | 	SINGLE-VALUE)
 94 | 
 95 | attributetype ( 1.3.6.1.4.1.10098.1.1.1.16 NAME 'UIFid'
 96 | 	DESC 'Firewall definitions'
 97 | 	EQUALITY caseIgnoreMatch
 98 | 	SUBSTR caseExactIA5Match
 99 | 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
100 | 	SINGLE-VALUE)
101 | 
102 | attributetype ( 1.3.6.1.4.1.10098.1.1.1.17 NAME 'UIFcomment'
103 | 	DESC 'Firewall definitions'
104 | 	EQUALITY caseIgnoreMatch
105 | 	SUBSTR caseExactIA5Match
106 | 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
107 | 	SINGLE-VALUE)
108 | 
109 | attributetype ( 1.3.6.1.4.1.10098.1.1.1.18 NAME 'UIFsysCtlEntry'
110 | 	DESC 'Keep SysCtl values'
111 | 	EQUALITY caseIgnoreMatch
112 | 	SUBSTR caseExactIA5Match
113 | 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
114 | 
115 | attributetype ( 1.3.6.1.4.1.10098.1.1.1.19 NAME 'UIFlogLevel'
116 | 	EQUALITY caseIgnoreMatch
117 | 	SUBSTR caseExactIA5Match
118 | 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
119 | 
120 | attributetype ( 1.3.6.1.4.1.10098.1.1.1.20 NAME 'UIFlogPrefix'
121 | 	EQUALITY caseIgnoreMatch
122 | 	SUBSTR caseExactIA5Match
123 | 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
124 | 
125 | attributetype ( 1.3.6.1.4.1.10098.1.1.1.21 NAME 'UIFlogLimit'
126 | 	EQUALITY caseIgnoreMatch
127 | 	SUBSTR caseExactIA5Match
128 | 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
129 | 
130 | attributetype ( 1.3.6.1.4.1.10098.1.1.1.22 NAME 'UIFlogBurst'
131 | 	EQUALITY caseIgnoreMatch
132 | 	SUBSTR caseExactIA5Match
133 | 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
134 | 
135 | attributetype ( 1.3.6.1.4.1.10098.1.1.1.23 NAME 'UIFaccountPrefix'
136 | 	EQUALITY caseIgnoreMatch
137 | 	SUBSTR caseExactIA5Match
138 | 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
139 | 
140 | attributetype ( 1.3.6.1.4.1.10098.1.1.1.24 NAME 'UIFmark'
141 | 	DESC 'Firewall definitions'
142 | 	EQUALITY caseIgnoreMatch
143 | 	SUBSTR caseExactIA5Match
144 | 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
145 | 	
146 | attributetype ( 1.3.6.1.4.1.10098.1.1.1.25 NAME 'UIFlimit'
147 | 	DESC 'Firewall definitions'
148 | 	EQUALITY caseIgnoreMatch
149 | 	SUBSTR caseExactIA5Match
150 | 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
151 | 	
152 | attributetype ( 1.3.6.1.4.1.10098.1.1.1.26 NAME 'UIFburst'
153 | 	DESC 'Firewall definitions'
154 | 	EQUALITY caseIgnoreMatch
155 | 	SUBSTR caseExactIA5Match
156 | 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
157 | 	
158 | objectclass (1.3.6.1.4.1.10098.1.2.1.1 NAME 'UIFrule'
159 | 	DESC 'Firewall rule definition' SUP top AUXILIARY
160 | 	MUST ( cn $ UIFtype )
161 | 	MAY ( UIFdevice $ UIFinDevice $ UIFoutDevice $ UIFsource $ UIFdest $ UIFservice $ UIFprotocol $
162 | 	      UIFflag $ UIFid $ UIFcomment $ UIFtransSource $ UIFtransDest $ UIFtransService $ UIFmark )) 
163 | 
164 | objectclass (1.3.6.1.4.1.10098.1.2.1.2 NAME 'UIFgroup'
165 | 	DESC 'Firewall group definition' SUP top AUXILIARY
166 | 	MUST ( cn )
167 | 	MAY ( UIFnetwork $ UIFmark $ UIFdevice $ UIFservice $ UIFid $ UIFcomment ))
168 | 
169 | objectclass (1.3.6.1.4.1.10098.1.2.1.3 NAME 'UIFruleSet'
170 | 	DESC 'Firewall ruleset definition' SUP top AUXILIARY
171 | 	MUST ( cn )
172 | 	MAY ( UIFlist $ UIFdisabled $ UIFid $ UIFcomment $ UIFlogLevel $ UIFlogPrefix $ UIFlogLimit $
173 | 	      UIFlogBurst $ UIFburst $ UIFlimit $ UIFaccountPrefix ))
174 | 
175 | objectclass (1.3.6.1.4.1.10098.1.2.1.4 NAME 'UIFsysCtl'
176 | 	DESC 'Objectclass to keep complete SysCtl Information'
177 | 	MUST ( cn )
178 | 	MAY ( UIFsysCtlEntry ))
179 | 


--------------------------------------------------------------------------------
/uif.initscript:
--------------------------------------------------------------------------------
  1 | #! /bin/bash
  2 | ### BEGIN INIT INFO
  3 | # Provides:          uif
  4 | # Required-Start:    $network $syslog $remote_fs
  5 | # Required-Stop:     $network $syslog $remote_fs
  6 | # Default-Start:     2 3 4 5
  7 | # Default-Stop:      0 1 6
  8 | # Short-Description: Universal Internet Firewall
  9 | # Description:       Start the firewall defined in /etc/uif/uif.conf.
 10 | ### END INIT INFO
 11 | #
 12 | # Version:      @(#)/etc/init.d/uif  1.99.0  August-2018 Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
 13 | #
 14 | 
 15 | # RedHat specific settings - ignore for real systems ---------------------------
 16 | # chkconfig: - 60 95
 17 | # description: provides iptables packet filtering
 18 | 
 19 | . /lib/lsb/init-functions
 20 | 
 21 | PATH=/usr/sbin:/sbin:$PATH
 22 | UIF=/usr/sbin/uif
 23 | 
 24 | IPV6MODE=0
 25 | 
 26 | # Include firewall defaults if available
 27 | if [ -f /etc/default/uif ] ; then
 28 | 	. /etc/default/uif
 29 | fi
 30 | 
 31 | #THIS IS DEFAULT ANYWAY#[ -z "$OPTIONS" ] && OPTIONS="-c /etc/uif/uif.conf"
 32 | 
 33 | # Binaries installed?
 34 | if [ ! -f /sbin/iptables ]; then
 35 | 	log_failure_msg "uif: iptables not found - aborting"
 36 | 	exit 1
 37 | fi
 38 | 
 39 | if [ $IPV6MODE = 1 -a ! -f /sbin/ip6tables ] ; then
 40 | 	log_failure_msg "uif: ip6tables not found - aborting"
 41 | 	exit 1
 42 | fi
 43 | 
 44 | # uif installed? Without this script makes no sense...
 45 | [ -f $UIF ] || exit 1
 46 | 
 47 | 
 48 | # As the name says. If the kernel supports modules, it'll try to load
 49 | # the ones listed in "MODULES".
 50 | load_modules() {
 51 | 	[ -f /proc/modules ] || return
 52 | 	LIST=`/sbin/lsmod|awk '!/Module/ {print $1}'`
 53 | 
 54 | 	for mod in $MODULES; do
 55 | 		echo $LIST | grep -q $mod || modprobe $mod || /bin/true
 56 | 	done
 57 | }
 58 | 
 59 | 
 60 | case "$1" in
 61 | 
 62 | start)
 63 | 	log_daemon_msg "Starting uif"
 64 | 	logger "Starting uif"
 65 | 	[ -f /proc/modules ] && { log_progress_msg "modules"; load_modules; }
 66 | 
 67 | 	log_progress_msg "IPv4-rules"
 68 | 	EMSG=`$UIF $OPTIONS 2>&1`
 69 | 	RET4=$?
 70 | 	if [ $RET4 -ne 0 ]; then
 71 | 
 72 | 		logger "Starting uif failed: $EMSG"
 73 | 
 74 | 		[ -n "$MAILTO" ] && \
 75 | 		echo -e "Hi. This is your firewall script - which has failed" \
 76 | 		"to execute in a proper way.\nHere is the error message:\n" \
 77 | 		"\n$EMSG\n\nPlease fix to be sure..." | mail -s "Firewall script failure" $MAILTO
 78 | 
 79 | 		log_end_msg $RET4
 80 | 		echo
 81 | 		echo -e "Error message: $EMSG\n"
 82 | 		exit 1
 83 | 	fi
 84 | 	if [ $IPV6MODE = 1 ] ; then
 85 | 		log_progress_msg "IPv6-rules"
 86 | 		EMSG=`$UIF -6 $OPTIONS 2>&1`
 87 | 		RET6=$?
 88 | 		if [ $RET6 -ne 0 ]; then
 89 | 
 90 | 			logger "Starting uif failed: $EMSG"
 91 | 
 92 | 			[ -n "$MAILTO" ] && \
 93 | 			echo -e "Hi. This is your IPv6 firewall script - which has failed" \
 94 | 			"to execute in a proper way.\nHere is the error message:\n" \
 95 | 			"\n$EMSG\n\nPlease fix to be sure..." | mail -s "Firewall script failure" $MAILTO
 96 | 
 97 | 			log_end_msg $RET6
 98 | 			echo
 99 | 			echo -e "Error message: $EMSG\n"
100 | 			exit 1
101 | 		fi
102 | 	else
103 | 		RET6=0;
104 | 	fi
105 | 
106 | 	log_end_msg $(($RET4+$RET6))
107 | 	;;
108 | 
109 | stop)
110 | 	log_daemon_msg "Stopping uif"
111 | 	logger "Stopping uif"
112 | 	if [ $IPV6MODE = 1 ] ; then
113 | 		log_progress_msg "IPv4"
114 | 	fi
115 | 	$UIF -d
116 | 	if [ $IPV6MODE = 1 ] ; then
117 | 		log_progress_msg "IPv6"
118 | 		$UIF -6 -d
119 | 	fi
120 | 	log_end_msg 0
121 | 	;;
122 | 
123 | print)
124 | 	echo "Printing rules based on your current configuration"
125 | 	$UIF $OPTIONS -pt
126 | 	if [ $IPV6MODE = 1 ] ; then
127 | 		$UIF -6 $OPTIONS -pt
128 | 	fi
129 | 
130 | 	;;
131 | 
132 | test|test4)
133 | 	if [ $IPV6MODE = 1 ] ; then
134 | 		echo -n "IPv4 Test: "
135 | 	fi
136 | 	echo -n "Activating IPv4 ruleset for $TIMEOUT seconds: modules, "
137 | 	trap 'echo "aborted, IPv4 rules restored"; exit 0' SIGINT
138 | 	load_modules
139 | 
140 | 	echo -n "IPv4 rules - active, waiting - "
141 | 	EMSG=`$UIF -T $TIMEOUT $OPTIONS`
142 | 	if [ $? -eq 0 ]; then
143 | 		echo ok
144 | 		exit 0
145 | 	fi
146 | 	echo failed
147 | 	echo -e "Error message: $EMSG\n"
148 | 	;;
149 | test6)
150 | 	if [ $IPV6MODE = 1 ] ; then
151 | 		echo -n "IPv6 Test: "
152 | 		echo -n "Activating IPv6 ruleset for $TIMEOUT seconds: modules, "
153 | 		trap 'echo "aborted, IPv6 rules restored"; exit 0' SIGINT
154 | 		load_modules
155 | 
156 | 		echo -n "IPv6 rules - active, waiting - "
157 | 		EMSG=`$UIF -6 -T $TIMEOUT $OPTIONS`
158 | 		if [ $? -eq 0 ]; then
159 | 			echo ok
160 | 			exit 0
161 | 		fi
162 | 		echo failed
163 | 	echo -e "Error message: $EMSG\n"
164 | 	fi
165 | 	;;
166 | 
167 | status)
168 | 	if [ "`id -u`" != "0" ]; then
169 | 		echo "Can't retrieve status information. You need to be root."
170 | 		exit 1
171 | 	fi
172 | 	if [ $IPV6MODE = 1 ] ; then
173 | 		echo "IPv4 STATUS:"
174 | 	fi
175 | 	# Simple rule listing
176 | 	echo -e "\nRule listing:\n"
177 | 	iptables-save | sed "/^#/d"
178 | 
179 | 	# Show accounting data
180 | 	if [ -n "$ACCOUNTPREFIX" ]; then
181 | 		echo -e "\n\nCurrent accounting information:\n"
182 | 		iptables -vnx -L 2>&1 | sed "/pkts/d" | sed -ne "/^Chain $ACCOUNTPREFIX/N" -e "s/\n/ /p" | \
183 | 			sed "s/[ ][ ]*/ /g" | awk '{ print $2"\t"$6" Bytes"; }'
184 | 	fi
185 | 	if [ $IPV6MODE = 1 ] ; then
186 | 		echo "IPv6 STATUS:"
187 | 		# Simple rule listing
188 | 		echo -e "\nRule listing:\n"
189 | 		ip6tables-save | sed "/^#/d"
190 | 
191 | 		# Show accounting data
192 | 		if [ -n "$ACCOUNTPREFIX" ]; then
193 | 			echo -e "\n\nCurrent accounting information:\n"
194 | 			ip6tables -vnx -L 2>&1 | sed "/pkts/d" | sed -ne "/^Chain $ACCOUNTPREFIX/N" -e "s/\n/ /p" | \
195 | 			    sed "s/[ ][ ]*/ /g" | awk '{ print $2"\t"$6" Bytes"; }'
196 | 		fi
197 | 	fi
198 | 	# Show last 10 policy violations
199 | 	if [ -n "$LOGPREFIX" ]; then
200 | 		if [ $IPV6MODE = 1 ] ; then
201 | 			echo -e "\n\nLast 10 policy violations (IPv4 & IPv6 combined):"
202 | 		else
203 | 			echo -e "\n\nLast 10 policy violations (IPv4 only):"
204 | 		fi
205 | 		dmesg | grep "`hostname`.* $LOGPREFIX .*:" 2> /dev/null | tail -n 10
206 | 	fi
207 | 
208 | 	echo -e "\n\n"
209 | 	;;
210 | 
211 | 
212 | restart|reload|force-reload)
213 | 	$0 start
214 | 	;;
215 | 
216 | flush)
217 | 	echo -n "Flushing IPv4 packet counters: "
218 | 	iptables -Z &> /dev/null
219 | 	if [ $? -eq 0 ]; then
220 | 		echo ok
221 | 	else
222 | 		echo failed
223 | 	fi
224 | 	if [ $IPV6MODE = 1 ] ; then
225 | 		echo -n "Flushing IPv6 packet counters: "
226 | 		ip6tables -Z &> /dev/null
227 | 		if [ $? -eq 0 ]; then
228 | 			echo ok
229 | 		else
230 | 			echo failed
231 | 		fi
232 | 	fi
233 | 
234 | 	;;
235 | 
236 | *)
237 | 	echo "Usage: $0 {start|stop|status|restart|reload|flush|print}"
238 | 	exit 1
239 | esac
240 | 
241 | exit 0
242 | 


--------------------------------------------------------------------------------
/uif.conf:
--------------------------------------------------------------------------------
  1 | #  Copyright (C) 2002-2015, Cajus Pollmeier <pollmeier@gonicus.de>
  2 | #  Copyright (C) 2002-2015, Jörg Platte <jplatte@gmx.net>
  3 | #  Copyright (C) 2013-2015, Alex Owen <r.alex.owen@gmail.com>
  4 | #  Copyright (C) 2013-2022, Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
  5 | #
  6 | # This program is free software; you can redistribute it and/or modify
  7 | # it under the terms of the GNU General Public License as published by
  8 | # the Free Software Foundation; either version 2 of the License, or
  9 | # (at your option) any later version.
 10 | #
 11 | # This program is distributed in the hope that it will be useful,
 12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 14 | # GNU General Public License for more details.
 15 | #
 16 | # You should have received a copy of the GNU General Public License
 17 | # along with this program; if not, write to the Free Software
 18 | # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
 19 | 
 20 | ## uif Firewall Configuration
 21 | 
 22 | ## Sysconfig definitions
 23 | #  These entries define the global behaviour of the firewall package. Normally
 24 | #  they are preset in /etc/default/uif and may be overwritten by this
 25 | #  section.
 26 | #
 27 | #  syntax:   LogLevel : set the kernel loglevel for iptables rules
 28 | #            LogPrefix: prepend this string to all iptables logs
 29 | #            LogLimit:  set packet log limit per time interval (times/interval)
 30 | #            LogBurst:  set packet log burst
 31 | #            Limit:     set packet limit per time interval (times/interval)
 32 | #            Burst:     set packet burst
 33 | #  example:
 34 | #   sysconfig {
 35 | #      LogLevel      debug
 36 | #      LogPrefix     FW
 37 | #      LogLimit      20/minute
 38 | #      LogBurst      5
 39 | #      Limit         20/minute
 40 | #      Burst         5
 41 | #      AccountPrefix ACC_
 42 | #   }
 43 | 
 44 | 
 45 | ## Include predefined services
 46 | #  The include section takes a bunch of files and includes them into this
 47 | #  configuration file.
 48 | #
 49 | #  syntax:  "filename"
 50 | include {
 51 |     "/etc/uif/services"
 52 | }
 53 | 
 54 | 
 55 | ## Services needed for workstation setup
 56 | #  The service section provides the protocol definitions you're
 57 | #  using in the rules. You're forced to declare everything you
 58 | #  need for your setup.
 59 | #
 60 | #  syntax: service_name [tcp([source:range]/[dest:range])] [udp([source:range]/[dest:range])]
 61 | #                       [protocol_name([source:range][/][dest:range])] [service_name] ...
 62 | #  examples: http  tcp(/80)
 63 | #            dns   tcp(/53) udp(/53)
 64 | #            group http dns tcp(/443)
 65 | #            ipsec esp(/) udp(/500)
 66 | service {
 67 |     traceroute  udp(32769:65535/33434:33523) icmp(11)
 68 |     ping        icmp(8)
 69 | }
 70 | 
 71 | ## Network definitions needed for simple workstation setup
 72 | # The network definitions are included from two separate files.
 73 | #   1. /etc/uif/uif-ipv4-networks.inc
 74 | #   2. /etc/uif/uif-ipv6-networks.inc
 75 | #
 76 | # If you want to setup IPv4 and IPv6 firewalling easily,
 77 | # make sure that all network names you use in your ruleset
 78 | # in both include files.
 79 | #
 80 | # Additionally make /etc/uif/uif6.conf a symlink that points to
 81 | # /etc/uif/uif.conf.
 82 | #
 83 | 
 84 | # IPv4 network definitions
 85 | #
 86 | # If you update from a version of UIF that supported IPv4 only, then
 87 | # you probably want to leave the uif.conf file untouched for now and
 88 | # move your network definitions block from uif.conf to uif-ipv4-networks.inc
 89 | # manually later.
 90 | 
 91 | include4 {
 92 |     "/etc/uif/uif-ipv4-networks.inc"
 93 |     "/etc/uif/uif-ipv4-networks.inc.d/*"
 94 | }
 95 | 
 96 | # IPv6 network definitions
 97 | #
 98 | # Make sure IPV6MODE is set to 1 in /etc/default/uif if you want to use
 99 | # IPv6 support on your UIF based firewall.
100 | 
101 | include6 {
102 |     "/etc/uif/uif-ipv6-networks.inc"
103 |     "/etc/uif/uif-ipv6-networks.inc.d/*"
104 | }
105 | 
106 | # conf.d config snippet support for UIF.
107 | #
108 | # After all network definitions have been loaded, let's include config snippets
109 | # placed by other providers (packages) into /etc/uif/uif.conf.d/.
110 | 
111 | include {
112 |     "/etc/uif/uif.conf.d/*"
113 | }
114 | 
115 | ## Interface definitions
116 | #  Since all definitions used in the filter section are symbolic,
117 | #  you've to specify symbolic names for all your interfaces you're
118 | #  going to use.
119 | #
120 | #  syntax: interface_name [unix network interface] [interface_name]
121 | #  examples: internal eth0
122 | #            external ippp0 ipsec0
123 | #            allppp   ppp+
124 | #            group    external allppp eth3
125 | interface {
126 |     loop     lo
127 | }
128 | 
129 | ## Filter definitions
130 | #  The filter section defines the rules for in, out, forward, masquerading
131 | #  and nat. All rules make use of the symbolic names defined above. This
132 | #  section can be used multiple times in one config file. This makes more
133 | #  senese when using one of these alias names:
134 | #  filter, nat, input, output, forward, masquerade
135 | #
136 | #  syntax: in[-/+]  [i=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
137 | #          out[-/+] [o=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
138 | #          fw[>/-/+]  [i/o=interface][s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
139 | #          masq[-/+][i/o=interface][s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
140 | #          nat[-/+] additionally allows [S=from source] [D=to destination] [P=to port:[range]]
141 | #  additional:
142 | #          All keys mentioned in the syntax section (in/out/...) can be prefixed with "sl", which
143 | #          causes the creation of a stateless rule.
144 | #  flags:  limit([count/time[,burst]])
145 | #          reject([reject type])
146 | #          log([name])
147 | #          account(name)
148 | #  examples:
149 | #       masq+  o=extern s=intranet
150 | #       nat+   s=intranet p=http   D=relayintern   P=squid
151 | #       in+    s=trusted  p=ssh,ping,traceroute,http
152 | #       out-   s=intranet p=smb    f=reject
153 | #       fw-    d=microsoft         f=reject,log(ms-alert)
154 | #       slin+  s=testnet
155 | #       slout- d=testnet
156 | #       fw>    o=extern
157 | #       fw+    p=myhttp            f=account(HTTP)
158 | #              Take an attention about the protocol for your accounting rules. If you
159 | #              want to count user http traffice, you may need a "myhttp tcp(80/)".
160 | filter {
161 |     in+  i=loop    s=localhost
162 |     out+ o=loop    d=localhost
163 | 
164 |     in+  s=all(4) p=ping
165 | 
166 |     # these IPv6-ICMP types are a MUST for IPv6
167 |     in+  s=all(6) p=ping,pong,noroute,packet-too-big,time-exceeded,parameter-problem,neighbor-advertisement,neighbor-solicitation
168 | 
169 |     in+  p=traceroute
170 | 
171 | #   in+  s=trusted(4)
172 | #   in+  s=trusted(6)
173 |     out+ d=all
174 | 
175 |     in-  f=log(input),reject
176 |     out- f=log(output),reject
177 |     fw-  f=log(forward),reject
178 | }
179 | 


--------------------------------------------------------------------------------
/uif.conf.5:
--------------------------------------------------------------------------------
  1 | .TH uif.conf 5 "Apr 19th, 2022" "Version 1.99.0" "Configuration File for UIF"
  2 | 
  3 | .SH NAME
  4 | uif.conf \- default configuration file for the Universal Internet Firewall
  5 | 
  6 | .SH DESCRIPTION
  7 | \fI/etc/uif/uif.conf\fR
  8 | is the default configuration file for
  9 | .BR uif (8).
 10 | This file may contain several sections and comments. Each
 11 | section begins with the section name and the left curly brace and ends with
 12 | the right curly brace in a single line. A comment starts with a hash mark (#)
 13 | at the beginning of a line. Blank lines are silently ignored.
 14 | .PP
 15 | The following sections are valid: \fIinclude\fR, \fIinclude4\fR, \fIinclude6\fR,
 16 | \fIsysconfig\fR, \fIservice\fR, \fInetwork\fR, \fIinterface\fR, \Imarker\fR, \fIfilter\fR,
 17 | \fInat\fR, \fIinput\fR, \fIoutput\fR, \fIforward\fR, \fImasquerade\fR and \fIstateless\fR.
 18 | .PP
 19 | The sections
 20 | \fIservice\fR, \fInetwork\fR, \fImarker\fR and \fIinterface\fR
 21 | have all a very similar syntax.
 22 | Each line starts with an identifier followed by one or more blanks and one
 23 | or more section specific entries or defined identifiers separated by blanks.
 24 | A valid identifier is case sensitive and consists of letters, digits,
 25 | underscores and hyphens.
 26 | .PP
 27 | If two or more identifiers in one section are equal, the corresponding
 28 | entries are merged to the first identifier. Hence, it's not possible to
 29 | overwrite previously defined identifiers. As a result the order of the
 30 | section entries is irrelevant and it's possible to define a section more
 31 | than once.
 32 | .SS include section
 33 | Include other configuration files. Each line in this section, enclosed in
 34 | quotation marks ("), must be a valid filename or a valid file globbing
 35 | pattern (it is ok, if no files match this pattern). The contents of this
 36 | file / these files are added to the actual configuration and each file
 37 | should contain at least one section (a comment only file is not really
 38 | useful...).
 39 | .SS include4 section
 40 | Include other configuration files but ONLY in IPv4 mode (WITHOUT \-6 switch to uif).
 41 | Otherwise equivalent to the include section above.
 42 | .SS include6 section
 43 | Include other configuration files but ONLY in IPv6 mode (WITH \-6 switch to uif).
 44 | Otherwise equivalent to the include section above.
 45 | .SS sysconfig section
 46 | Set some global settings. Each line in this section starts with one of the
 47 | following identifiers followed by one or more blanks and the desired value:
 48 | \fILogLevel\fR, \fILogPrefix\fR, \fILogLimit\fR, \fILogBurst\fR, \fILimit\fR, \fIBurst\fR
 49 | or \fIAccountPrefix\fR.
 50 | If there are multiple definitions of one entry the last definition is stored.
 51 | .TP
 52 | \fILogLevel\fR
 53 | A valid default log priority (see
 54 | .BR syslog.conf (5)).
 55 | .TP
 56 | \fILogPrefix\fR
 57 | The default log prefix. Each netfilter (or iptables) log message starts with this prefix.
 58 | .TP
 59 | \fILogLimit\fR
 60 | The default limit value for log messages (see
 61 | .BR nft (8)
 62 | or
 63 | .BR iptables (8)).
 64 | .TP
 65 | \fILogBurst\fR
 66 | The default burst value for log messages (see
 67 | .BR nft (8)
 68 | or
 69 | .BR iptables (8)).
 70 | .TP
 71 | \fILimit\fR
 72 | The default limit value (see
 73 | .BR nft (8)
 74 | or
 75 | .BR iptables (8)).
 76 | .TP
 77 | \fIBurst\fR
 78 | The default burst value (see
 79 | .BR nft (8)
 80 | or
 81 | .BR iptables (8)).
 82 | .TP
 83 | \fIAccountPrefix\fR
 84 | The default prefix for accounting chains.
 85 | .PP
 86 | .SS service section
 87 | This section defines all needed services. A service
 88 | description starts with the
 89 | protocol (see
 90 | .BR protocols (5))
 91 | followed by parameters in parenthesis. Most
 92 | protocols don't need any parameters. The only exceptions are tcp, udp and
 93 | icmp. The tcp and udp parameters define the source and destionation
 94 | port(\-range). The source and destination ports are separated by a slash (/)
 95 | and port ranges are separated by a colon (eg. tcp(123:333/99): tcp protocol,
 96 | source port range 123\-333, destination port 99). Empty source or destination
 97 | ports are expanded to 1:65535. The icmp protocol parameter must be a valid
 98 | icmp type (see iptables \-p icmp \-\-help).
 99 | 
100 | .SS network section
101 | This section defines all needed networks and hosts. A network description
102 | starts with a valid IPv4 address (dotted quad), a valid IPv6 address
103 | (colon syntax, square brackets not needed), an optional netmask in cidr
104 | notation (number of bits) or an optional MAC\-address (with a prefixed
105 | equal sign (=). Some valid entries are: 127.0.0.1, 127.0.0.0/8, ::1, fd00:1:2:3::/64,
106 |  and 192.168.0.1=00:00:00:00:00:FF.
107 | 
108 | .SS interface section
109 | This section defines all needed (physical and bridged) interfaces (eg. eth0, lo, ppp0).
110 | .SS marker section
111 | This section defines all needed numerical (decimal) values for packet
112 | marking purposes.
113 | .SS filter, nat, input, output, forward, masquerade and stateless sections
114 | Due to better partitioning of the packetfilter, rules can be split into
115 | these sections. Internally they are equivalent and contain all
116 | rules. As an exception to all other sections the order of entries in
117 | these sections is important.
118 | .PP
119 | The default policy for the chains INPUT, OUTPUT and FORWARD is DROP (see
120 | .BR nft (8)
121 | or
122 | .BR iptables (8))
123 | and it's not possible to change this.
124 | .PP
125 | Each line in in this section begins with
126 | \fIin\fR, \fIout\fR, \fIfw\fR, \fInat\fR, \fImasq\fR, \fIslin\fR, \fIslout\fR
127 | or \fI slfw\fR,
128 | followed by '+', '\-' or a mark identifier enclosed in curly braces (or, in
129 | case of fw followed by '>').  The identifiers
130 | \fIin\fR, \fIout\fR and \fIfw\fR
131 | define rules for incoming, outgoing and forwarded
132 | IP\-packets. Each packet with an INVALID state (see
133 | .BR nft (8)
134 | or
135 | .BR iptables (8))
136 | is matched by
137 | \fIslin\fR, \fIslout\fR and \fIslfw\fR.
138 | The lines starting with
139 | \fInat\fR and \fImasq\fR
140 | define rules to modify the source
141 | or destination address or the destination port.
142 | .PP
143 | \fBNote:\fR The identifiers nat and masq are non-operational in IPv6
144 | mode. They simply get ignored as NAT and Masquerading are not supported by
145 | the IPv6 protocol.
146 | .PP
147 | The plus and minus signs specify the type of the rule: '+' accepts matching
148 | packets and '\-' drops them. As a special case the identifier out and fw
149 | accept the greater than (>) sign to modify the MSS depending on the PMTU
150 | (see
151 | .BR iptables (8)).
152 | .PP
153 | A very basic ruleset may look like this:
154 | .I out+
155 | .PP
156 | This allows every outgoing traffic and rejects all incoming connections
157 | (because of the default policy).
158 | .PP
159 | To be more specific, each line may contain several parameters. Each
160 | parameter starts with a single character followed by an equal sign (=) and
161 | one or more previously defined identifiers (in the corresponding sections)
162 | separated by commas. The following parameters are valid:
163 | .TP
164 | \fIs\fR
165 | The source address or network. Append "(4)" or "(6)" to the network name to make this rule apply to IPv4 or IPv6 only.
166 | .TP
167 | \fId\fR
168 | The destination address or network. Append "(4)" or "(6)" to the network name to make this rule apply to IPv4 or IPv6 only.
169 | .TP
170 | \fIi\fR
171 | The input interface.
172 | .TP
173 | \fIo\fR
174 | The output interface.
175 | .TP
176 | \fIpi\fR
177 | The physical input interface (only useful when used with bridged interfaces, not supported with nft as deprecated there).
178 | .TP
179 | \fIpo\fR
180 | The physical output interface (only useful when used with bridged interfaces, not supported with nft as deprecated there).
181 | .TP
182 | \fIp\fR
183 | The service description (protocol).
184 | .TP
185 | \fIm\fR
186 | The mark field associated with a packet.
187 | .TP
188 | \fIS\fR
189 | The the new source address in nat rules. Supported in IPv4 mode only. Ignored in IPv6 mode.
190 | .TP
191 | \fID\fR
192 | The the new destination address in nat rules. Supported in IPv4 mode only. Ignored in IPv6 mode.
193 | .TP
194 | \fIP\fR
195 | The the new service description in nat rules. This is only valid with tcp or
196 | udp packets.
197 | .TP
198 | \fIf\fR
199 | This parameter sets some 'flags'. A flag definition starts with the flag
200 | identifier and optional parameters in parenthesis. Valid flags are:
201 | .PP
202 | .I log
203 | \- Logs matching packages to syslog. The given parameter is included in the log
204 | entry. The number of logged packets and the loglevel can be set in the
205 | sysconfig section.
206 | .PP
207 | .I reject
208 | \- Only valid in DROP rules. This is used to send back an error packet in
209 | response to the matched packet. The default behaviour is a packet with set
210 | RST flag on tcp connections and a destination\-unreachable icmp packet in
211 | every other case. Valid parameters are listed in
212 | .BR iptables(8)
213 | in the REJECT section.
214 | .PP
215 | .I account
216 | \- Create an accounting chain for all matching packages and possible responses.
217 | The optional parameter is a part of the name of the chain.
218 | .PP
219 | .I limit
220 | \- Limits the number of matching packets. The default values are set in the
221 | sysconfig section. Other values can be defined with the optional parameter.
222 | The first entry sets a new limit and the second parameter (separated by a
223 | comma (,)) sets the burst value (see Limit and Burst in sysconfig section).
224 | .PP
225 | It's possible to invert the identifier of one of following parameters \- if it
226 | expands to ecactly one object \- by prepending a exclamation mark (!):
227 | \fIs\fR, \fId\fR, \fIi\fR, \fIo\fR, \fIp\fR
228 | (eg.: s=!local p=!http).
229 | .SH FILES
230 | Configuration files are located in /etc/uif. There is a sample configuration
231 | in /usr/share/doc/uif/uif.conf.tmpl.gz.
232 | .SH SEE ALSO
233 | nft(8)
234 | iptables(8)
235 | uif(8)
236 | .SH AUTHOR
237 | This manual page was written by Jörg Platte <joerg.platte@gmx.de> and
238 | Cajus Pollmeier <pollmeier@gonicus.de>, and has been adjusted for nft
239 | support by Mike Gabriel <mike.gabriel@das-netzwerkteam.de>.
240 | 


--------------------------------------------------------------------------------
/ChangeLog:
--------------------------------------------------------------------------------
  1 | 2022-04-19 Mike Gabriel
  2 | 
  3 |         * release 1.99.0 (HEAD -> master, tag: 1.99.0)
  4 |         * uif.8: Update uif man page (esp. for nft support, but also convert
  5 |           from nroff to groff). (c52a64c)
  6 |         * uif.conf.5: Update uif.conf man page (esp. for nft support, but
  7 |           also convert from nroff to groff). (fa7ba69)
  8 |         * Makefile: Assure presence of new config dirs (for dropping
  9 |           snippets). (574181c)
 10 |         * uif.pl: With nft backend, fix port based rules. (4d74c0b)
 11 |         * Support file globbing and introcuce conf.d directories for dropping
 12 |           config snippets. (96ed4c7)
 13 |         * Update copyright/license information. (bd7fe84)
 14 |         * compare-v(4|6)-iptables+nft-results.sh: Add test scripts that
 15 |           compare iptables-nft and nft results. (f76c2a8)
 16 |         * uif.pl: With nft backend, resolve remaining FIXMEs. This complete
 17 |           the nft backend support. (222559a)
 18 |         * uif.pl: With nft backend, drop 'meta l4proto ipv6-icmp' prefix
 19 |           before type-wise ICMPv6 packet accepts. (945c6e0)
 20 |         * Revert "uif.pl: With nft backend, use proper counter expressions."
 21 |           (f52b023)
 22 | 
 23 | 2022-04-18 Mike Gabriel
 24 | 
 25 |         * uif.pl: With nft backend, use pre-defined priority keywords instead
 26 |           of hard-coded priority numbers. (7100eb4)
 27 |         * uif.pl: With nft backend, use single ports only if ranges start and
 28 |           end with the same port. (ff27dfe)
 29 |         * uif.pl: Use camel-case key for 'FilterCommand' in $Sysconfig hash.
 30 |           (26b0453)
 31 |         * uif.pl: With nft backend, use proper counter expressions. (123c3c3)
 32 | 
 33 | 2022-04-17 Mike Gabriel
 34 | 
 35 |         * uif.pl: Introduce line numbering in print mode, add cmdline option
 36 |           '-l'. (97f5523)
 37 | 
 38 | 2022-04-16 Mike Gabriel
 39 | 
 40 |         * uif.pl: Convert another "-j" iptables option into "counter jump".
 41 |           (8b830a7)
 42 | 
 43 | 2019-12-07 Mike Gabriel
 44 | 
 45 |         * uif.pl: Fix snat/dnat multiport rules in nft. (6fcfd7a)
 46 | 
 47 | 2019-12-06 Mike Gabriel
 48 | 
 49 |         * uif.pl: Fix icmpv6 rules for nftables. (7874781)
 50 |         * uif.pl: Resolve one FIXME: snat/dnat rules for native nft command.
 51 |           (c3edde5)
 52 |         * uif.pl: Drop not required (and flawed) <FIXME> (8a85e2e)
 53 |         * mark TODOs with FIXME tags (aae4ab1)
 54 |         * Turn genRuleDump_NFT so that now generates a native nft command
 55 |           set. (a1b95d1)
 56 | 
 57 | 2019-12-05 Mike Gabriel
 58 | 
 59 |         * uif.pl: Introduce FILTER_COMMAND environment parameter and support
 60 |           nft command sets as well as iptables* command sets.
 61 |           (d598df0)
 62 | 
 63 | 2019-12-06 Mike Gabriel
 64 | 
 65 |         * Send "Skipping..." messages to STDERR. (98a57ec)
 66 | 
 67 | 2019-12-05 Mike Gabriel
 68 | 
 69 |         * default: Parameter that shall be perceived by the uif Perl script
 70 |           need to be exported to the environment. (99d6e86)
 71 |         * uif.pl: white lines removed / added (8f2746e)
 72 |         * Prepend targets starting with ${id} by CHAIN_ (so that target names
 73 |           work in nftables, too). (d72d1d7)
 74 |         * The Linux firewall is shifting towards nftables, so let's prepare
 75 |           for that (by using the legacy iptables commands).
 76 |           (55ba357)
 77 | 
 78 | 2018-08-20 Mike Gabriel
 79 | 
 80 |         * release 1.1.9 (a7ec235) (tag: 1.1.9)
 81 |         * Makefile: Fix flawed usage of DESTDIR and PREFIX. (1448fd3)
 82 | 
 83 | 2017-01-16 Mike Gabriel
 84 | 
 85 |         * uif.spec: Date fix in changelog. (ee38674)
 86 | 
 87 | 2017-01-15 Mike Gabriel
 88 | 
 89 |         * release 1.1.8 (1123e0c) (tag: 1.1.8)
 90 |         * validateData: Prevent from using networks with MAC addresses
 91 |           neither for outward bound nor for destination networks.
 92 |           (d913b96)
 93 |         * Better test and fix MAC address based source filtering. (477c55b)
 94 |         * release 1.1.7 (9d20e8e) (tag: 1.1.7)
 95 |         * MAC-source filtering, regression fix: Re-add push of $ip to
 96 |           @netobjects if network object contains a MAC address.
 97 |           (bd85804)
 98 |         * UIF: Allow MAC syntax in network items only with real IP addresses,
 99 |           not with DNS resolvable host names. (36d6d86)
100 |         * release 1.1.6 (3435812) (tag: 1.1.6)
101 |         * Makefile: Fix installation of uif.initscript. (0038831)
102 |         * uif.conf.5: Add some hints and notes about IPv6 support. (9c01c91)
103 |         * doc files: consistently use UIF in capital letters. (6d01761)
104 |         * services file: Add some more services (kerberos5 et al., ldaps,
105 |           swat, openvpn, mysql, munin, cfenging, xmpp-client,
106 |           xmpp-server, icinga2, webmin and puppet). (868ac44)
107 |         * COPYRIGHT: Update copyright date for Mike Gabriel. (cfee841)
108 |         * ChangeLog: Convert to GNU ChangeLog style, generated from Git
109 |           history. (577cc6b)
110 |         * INSTALL.md: Typo fix in Perl module name. (d75e0ed)
111 |         * Drop former uif initscript, replaced by new uif.initscript file.
112 |           (8766e7b)
113 |         * Revert "release 1.1.6" (26c5c19)
114 |         * Rename README.IPv6 -> README.IPv6.md (465c6da)
115 |         * release 1.1.6 (ed896f4)
116 |         * Update most documentation files and convert to markdown syntax.
117 |           (f2f7bf2)
118 |         * init script: Adopting Debian's init script as an example into
119 |           upstream code. (13adace)
120 |         * Add VERSION file (with last released version number). (402d8f5)
121 |         * Drop debian/ packaging folder, we are an upstream project.
122 |           (6aae291)
123 |         * IPv6 name resolution: Work around broken IPv6 name resolution in
124 |           NetAddr::IP (see: CPAN issue #119858). (91d3907)
125 | 
126 | 2017-01-13 Mike Gabriel
127 | 
128 |         * IPv6 support: More locations in the code spotted, where we need to
129 |           differentiate between IPv4 and IPv6 mode. (2baab0e)
130 | 
131 | 2016-04-18 Mike Gabriel
132 | 
133 |         * Merge branch 'ka7-spelling_fix' (91cb12b)
134 | 
135 | 2016-04-16 klemens
136 | 
137 |         * spelling fix, as of lintian.debian.org (ae13340)
138 | 
139 | 2015-03-11 Mike Gabriel
140 | 
141 |         * release 1.1.5 (01892a9) (tag: 1.1.5)
142 |         * bump version and dates (45b9141)
143 |         * Fix severe flaw in IPv4-only/IPv6-only rule setup. Don't open IPv4
144 |           wholes when setting up IPv6-only rules and vice versa.
145 |           (d8c8700)
146 | 
147 | 2014-12-09 Mike Gabriel
148 | 
149 |         * Fix another typo in same error message. (3ffeb89)
150 |         * Fix spelling of Debian in error message. (Closes: Debian bug
151 |           #772496). (5cb7c81)
152 | 
153 | 2014-07-01 Mike Gabriel
154 | 
155 |         * release 1.1.4 (2754565) (tag: 1.1.4)
156 |         * debian/rules: Update from Debian package. (47e10a2)
157 |         * debian/copyright: Update from Debian package. (da54e44)
158 |         * Make sure that masq|snat|dnat|nat rules get ignored in IPv6 mode.
159 |           (2a5b7ae)
160 | 
161 | 2014-06-13 Mike Gabriel
162 | 
163 |         * release 1.1.3 (f6505c5) (tag: 1.1.3)
164 | 
165 | 2014-06-03 Mike Gabriel
166 | 
167 |         * uif.conf: Drop the fw+ filter for ICMPv6 rules. (23707ba)
168 |         * debian/uif.postinst: Provide a DebConf mediated workstation config
169 |           that also protects from IPv6 attacks. (244cbdd)
170 |         * IPv6: make neighbor-solicitation (packet type 135) a must for the
171 |           incoming filter (f888b00)
172 |         * examples: Provide an IPv4+6 config file example (d318892)
173 | 
174 | 2014-05-20 Mike Gabriel
175 | 
176 |         * uif.conf: Allow packet type 136 (neighbor-advertisement). Allow
177 |           forwarding _and_ inbound ICMP messages. (76474e5)
178 |         * release 1.1.2 (a62ad68) (tag: 1.1.2)
179 |         * uif.spec: Update version+release field. (01513a7)
180 |         * debian/changelog: drop non-sense at EOF (d91cdce)
181 |         * uif.conf: Enable inclusion of services file by default. (f68c9e4)
182 |         * services: Use more appropriate icmp packet type names. (2fdbae3)
183 |         * debian/changelog: Use revison -0 in package version. (4bf5f76)
184 | 
185 | 2014-01-28 Mike Gabriel
186 | 
187 |         * Add services "rdp" and "vnc-support" to services file. (3c10099)
188 |         * Provide new protocol: ipv6-icmp. Rework ICMP types in services
189 |           file. (5debe50)
190 | 
191 | 2014-01-22 Mike Gabriel
192 | 
193 |         * release 1.1.1 (e384b5b) (tag: 1.1.1)
194 |         * Alioth-canonicalize Vcs-Git: field. (2084ea5)
195 |         * Install lintian overrides. Override issue false-positive issue
196 |           maintainer-script-should-not-use-service. (46b887e)
197 |         * Make sure that hostnames resolve to IPv6 addresses when setting up
198 |           the IPv6 filtering rules. (3872ce4)
199 |         * Default log level for iptables: crit (not debug). (9bac303)
200 |         * debian/uif.init: Leave reporting startup failures to
201 |           init-functions. Beautify init script when failures occur.
202 |           (f12a8bb)
203 |         * Fix typos and mal-used minus signs in uif.conf.5 man page.
204 |           (25cee2a)
205 |         * Continue development... debian/rules: Add get-orig-source rule.
206 |           (a3ce0ba)
207 |         * release 1.1.0 (1a2ffc9) (tag: 1.1.0)
208 |         * Calls of update-rc.d are now handled by debhelper. Add #DEBHELPER#
209 |           macro after the new uif configuration has been created.
210 |           (43a6cdc)
211 |         * debian/uif.init: typo fix (cfc350b)
212 |         * Bump Standards: to 3.9.5. No changes needed. (2afe691)
213 |         * debian/rules: syntax fix (e99b29f)
214 |         * debian/uif.init: Provide an LSB compliant init script for Debian.
215 |           debian/uif.install: Don't install upstream's init script
216 |           on Debian system. (44f01b3)
217 |         * cosmetic removals of "/" before debian/ folder name (2e5c2f0)
218 |         * debian/uif.postinst: Adapt Debianic configuration of workstation
219 |           profile to IPv6 capabilities. Enable IPv6 by default, as
220 |           well, on Debian systems. (dc52d1b)
221 |         * add EOL at EOF (b7650fb)
222 |         * Enable IPv6 support by default. (2ce5855)
223 |         * remove Debian specific comment in upstream uif.conf, hint to
224 |           IPv4-only / IPv6-only network names usage in uif.conf
225 |           (faf5264)
226 |         * Support filtering rules that apply to IPv4/IPv6 only. (fff07b9)
227 |         * Add /me and Alex Owen as copyright holders. (3c31d9d)
228 |         * uif.spec: update RPM build script (fdeef77)
229 |         * service: fix author name (convert to UTF-8) (5638602)
230 |         * README.IPv6: typo fix (96ad6d6)
231 |         * Keep lines in README below 80 characters. (207e3cd)
232 |         * Drop deb: rule vom Makefile. (a665b56)
233 |         * Update upstream download source in INSTALL file. Mark Net::LDAP as
234 |           optional dependency. (03b3a8f)
235 |         * Update COPYRIGHT file. Add /me as copyright co-holder and update
236 |           FSF address. (3645e5e)
237 | 
238 | 2013-10-31 Mike Gabriel
239 | 
240 |         * Init script: be more explicit on whether init script actions are
241 |           IPv4 or IPv6 actions. (2fbf3e6)
242 |         * debian/rules: run dh_link during (4a7215c)
243 | 
244 | 2013-08-07 Mike Gabriel
245 | 
246 |         * debian scripts: whitespace/tab fixes (16186ec)
247 |         * /debian/uif.config: whitespace/tab fixes (0be6dd8)
248 |         * Makefile: fix installation of doc files (c7acd0b)
249 |         * Provide IPv4/IPv6 capable set of default configuration files.
250 |           Rename example files to denote that they show IPv4-only
251 |           examples. (019c78e)
252 |         * fix encoding in copyright file (2b99d66)
253 | 
254 | 2013-08-06 Mike Gabriel
255 | 
256 |         * /debian/control: Drop separate package uif-ldap again. Sync in
257 |           packaging folder from Debian. (9f3554a)
258 | 
259 | 2013-06-11 Mike Gabriel
260 | 
261 |         * /debian/rules: Run dh_link during install. (cd1fd5a)
262 |         * version fix, encoding fix, whitespace fix in Makefile (7fbbaad)
263 |         * /debian/*.docs: Install README* files into bin:packages. (61a192d)
264 |         * whitespace cleanup (17225ff)
265 |         * coherent spelling of IPv4 and IPv6 in man page (9e77348)
266 |         * coherent spelling of IPv4 and IPv6 in init script (2336ea3)
267 |         * propely tab'ify init script (9f7f2bb)
268 |         * Create README.IPv6 as upstream file. (341e532)
269 |         * /debian/rules: Leaving clean-up to dh_clean. (b51cf05)
270 |         * Update README, mention issue trackers. (a4fd6bf)
271 |         * update changelog (6b40a6e)
272 | 
273 | 2013-06-11 Alex Owen
274 | 
275 |         * IPv6 patch (0ffa361)
276 | 
277 | 2013-06-11 Mike Gabriel
278 | 
279 |         * import packaging from Debian package (a374f15)
280 |         * now really fix umlaut in uif.pl (48c887d)
281 |         * Continue development... (d0b9dbf)
282 |         * release 1.0.8 (44a1201) (tag: 1.0.8)
283 |         * update ChangeLog (e694cb0)
284 |         * convert Umlaut to UTF-8, fix FSF address (2ee8df9)
285 |         * fix hyphens and spelling errors in man pages (bc4d0f9)
286 |         * import packaging files from Debian package (1cccc49)
287 |         * Continue development... (1d3bc90)
288 |         * add Description: keyword to LSB header (327a5ba)
289 | 
290 | 2013-06-10 Mike Gabriel
291 | 
292 |         * release 1.0.7 (d1f04b6)
293 |         * add myself to the list of upstream people (234f4f6)
294 |         * /debian/control: Add uif-ldap to Suggests: field (f3f6a1a)
295 |         * split uif into bin:packages uif and uif-ldap (15ef174)
296 |         * Provide a default (nothing-in/all-out) uif.conf. (c1d0f4d)
297 |         * ChangeLog: moving credits over to Alex Owen (c7606c1)
298 |         * abusing /debian/changelog as upstream changelog (2573ad5)
299 |         * Run dh_clean in clean stanza. (252c79a)
300 |         * fix mailadress in changelog footer (d86b092)
301 |         * remove build cruft from /debian folder (3ba49af)
302 |         * remove stray templates files: templates.de (7775ed3)
303 |         * upstream projects are easier to handle with source format 3.0
304 |           (native) (7b14060)
305 |         * Make LDAP dependency optional. (5907709)
306 |         * use my NWT address for this upstream project, set changelog to
307 |           UNRELEASED (1a74530)
308 |         * rewrite /debian/changelog, use as upstream changelog from now on
309 |           (16f44c2)
310 |         * import all gains from the latest Debian package of uif
311 |           (debian/1.0.6-3) (369914e)
312 | 
313 | 2011-08-24 Cajus Pollmeier
314 | 
315 |         * Fixed mail (78811fa) (tag: 1.0.6)
316 |         * Fixed encoding (f97ce59)
317 |         * Initial checkin (d15aeda)
318 | 


--------------------------------------------------------------------------------
/uif.pl:
--------------------------------------------------------------------------------
   1 | #!/usr/bin/perl -w
   2 | 
   3 | # Copyright (C) 2002-2015 Jörg Platte <joergplatte@gmx.de>
   4 | # Copyright (C) 2002-2015 Cajus Pollmeier <pollmeier@gonicus.de>
   5 | # Copyright (C) 2013-2015 Alex Owen <r.alex.owen@gmail.com>
   6 | # Copyright (C) 2013-2022 Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
   7 | #
   8 | # This program is free software; you can redistribute it and/or modify
   9 | # it under the terms of the GNU General Public License as published by
  10 | # the Free Software Foundation; either version 2 of the License, or
  11 | # (at your option) any later version.
  12 | #
  13 | # This program is distributed in the hope that it will be useful,
  14 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
  15 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16 | # GNU General Public License for more details.
  17 | #
  18 | # You should have received a copy of the GNU General Public License
  19 | # along with this program; if not, write to the Free Software
  20 | # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
  21 | 
  22 | use strict;
  23 | my $LDAPENABLED = eval "use Net::LDAP; 1" ? '1' : '0';
  24 | 
  25 | use Getopt::Std;
  26 | use NetAddr::IP;
  27 | use Data::Validate::IP qw(is_ipv6 is_ipv4);
  28 | use Socket qw(:addrinfo SOCK_RAW AF_INET AF_INET6);
  29 | 
  30 | my $SignalCatched=0;
  31 | 
  32 | my $configfile="/etc/uif/uif.conf";
  33 | my $configfile6="/etc/uif/uif6.conf";
  34 | my $ipv6=0;
  35 | 
  36 | my @icmpv6_types_mapping = ( [ 'neighbor-advertisement',  'nd-neighbor-advert'  ],
  37 |                              [ 'neighbour-advertisement', 'nd-neighbor-advert'  ],
  38 |                              [ 'neighbor-solicitation',   'nd-neighbor-solicit' ],
  39 |                              [ 'neighbour-solicitation',  'nd-neighbor-solicit' ],
  40 |                              [ 'router-advertisement',    'nd-router-advert' ],
  41 |                              [ 'router-solicitation',     'nd-router-solicit' ]);
  42 | 
  43 | my @mapping = (	[ 'n', 'uifid', 'Name' ],
  44 | 		[ 's', 'uifsource', 'Source'],
  45 | 		[ 'i', 'uifindevice', 'InputInterface'],
  46 | 		[ 'd', 'uifdest', 'Destination'],
  47 | 		[ 'o', 'uifoutdevice', 'OutputInterface'],
  48 | 		[ 'p', 'uifservice', 'Service'],
  49 | 		[ 'm', 'uifmark', 'MarkMatch'],
  50 | 		[ 'S', 'uiftranssource', 'TranslatedSource'],
  51 | 		[ 'D', 'uiftransdest', 'TranslatedDestination'],
  52 | 		[ 'P', 'uiftransservice', 'TranslatedService'],
  53 | 		[ '',  'uiftype', 'Type'],
  54 | 		[ 'f', 'uifflag', 'Flags'],
  55 | # only supported with old iptables backend... deprecated with nftables
  56 | # FIXME: disable these options in the uif.conf parser code at some point
  57 | 		[ 'pi', 'uifpindevice', 'PhysicalInputInterface'],
  58 | 		[ 'po', 'uifpoutdevice', 'PhysicalOutputInterface']);
  59 | 
  60 | my %charstringmap;
  61 | my %ldapstringmap;
  62 | my %ldapwritemap;
  63 | my %stringcharmap;
  64 | 
  65 | foreach (@mapping) {
  66 | 	$charstringmap{${$_}[0]}=${$_}[2];
  67 | 	$stringcharmap{${$_}[2]}=${$_}[0];
  68 | 	if (${$_}[0]) {
  69 | 		$ldapstringmap{${$_}[1]}=${$_}[2];
  70 | 	}
  71 | 	$ldapwritemap{${$_}[2]}=${$_}[1];
  72 | }
  73 | 
  74 | sub readConfig {
  75 | 	my ($configfile, $Networks, $Services, $Interfaces, $Protocols, $Rules, $Id, $Sysconfig, $Marker) = @_;
  76 | 	my @conflines;
  77 | 	my @protlines;
  78 | 	my $state='NONE';
  79 | 	my $line;
  80 | 
  81 | 	unless (defined($$Protocols{'OK'})) {
  82 | 		$$Protocols{'OK'}=1;
  83 | 		open (PROT, '/etc/protocols') || die "Can't read '/etc/protocols'\n";
  84 | 		@protlines = <PROT>;
  85 | 		close (PROT);
  86 | 
  87 | 		foreach $line (@protlines) {
  88 | 			if ($line =~ /^\s*(#|$)/) {
  89 | 				next;
  90 | 			}
  91 | 			chomp($line);
  92 | 			if ($line =~ /^([a-z0-9-.]+)\s+(\d+)\s+/) {
  93 | 				$$Protocols{$1}=$2;
  94 | 				$$Protocols{$2}=$1;
  95 | 			} else {
  96 | 				die "invalid line in '/etc/protocols': $line\n";
  97 | 			}
  98 | 		}
  99 | 	}
 100 | 
 101 | 	open (CONF, $configfile) || die "Can't read configfile '$configfile'\n";
 102 | 	@conflines = <CONF>;
 103 | 	close (CONF);
 104 | 
 105 | 	foreach $line (@conflines) {
 106 | 		$line =~ /^\s*(#|$)/ && next;
 107 | 		chomp($line);
 108 | 		if ($state eq 'NONE') {
 109 | 			my $type;
 110 | 			if ($line =~ /^\s*([^\s}]+)\s*{\s*$/) {
 111 | 				$state="\U$1";
 112 | 			} else {
 113 | 				die "invalid line: $line\n";
 114 | 			}
 115 | 		} else {
 116 | 			if ($line =~ /^\s*}\s*$/) {
 117 | 				$state='NONE';
 118 | 			} elsif ($state eq 'SERVICE') {
 119 | 				if ($line =~ /^\s*([a-zA-Z0-9_-]+)\s+(.*)$/) {
 120 | 					$$Services{$1}.="$2 ";
 121 | 				} else {
 122 | 					die "invalid line in section service: $line\n";
 123 | 				}
 124 | 			} elsif ($state eq 'INCLUDE') {
 125 | 				if ($line =~ /^\s*\"(.+)\"$/) {
 126 | 					my $filename_pattern = $1;
 127 | 					my @filenames = glob($filename_pattern);
 128 | 					my $file;
 129 | 					foreach $file(@filenames) {
 130 | 						readConfig ($file, $Networks, $Services, $Interfaces, $Protocols, $Rules, $Id, $Sysconfig);
 131 | 					}
 132 | 				} else {
 133 | 					die "invalid line in section include: $line\n";
 134 | 				}
 135 | 			} elsif ($state eq 'INCLUDE6') {
 136 | 				if ($ipv6) {
 137 | 					if ($line =~ /^\s*\"(.+)\"$/) {
 138 | 						my $filename_pattern = $1;
 139 | 						my @filenames = glob($filename_pattern);
 140 | 						my $file;
 141 | 						foreach $file(@filenames) {
 142 | 							readConfig ($file, $Networks, $Services, $Interfaces, $Protocols, $Rules, $Id, $Sysconfig);
 143 | 						}
 144 | 					} else {
 145 | 						die "invalid line in section include6: $line\n";
 146 | 					}
 147 | 				}
 148 | 			} elsif ($state eq 'INCLUDE4') {
 149 | 				if ($ipv6) {} else {
 150 | 					if ($line =~ /^\s*\"(.+)\"$/) {
 151 | 						my $filename_pattern = $1;
 152 | 						my @filenames = glob($filename_pattern);
 153 | 						my $file;
 154 | 						foreach $file(@filenames) {
 155 | 							readConfig ($file, $Networks, $Services, $Interfaces, $Protocols, $Rules, $Id, $Sysconfig);
 156 | 						}
 157 | 					} else {
 158 | 						die "invalid line in section include4: $line\n";
 159 | 					}
 160 | 				}
 161 | 			} elsif ($state eq 'NETWORK') {
 162 | 				if ($line =~ /^\s*([a-zA-Z0-9_-]+)\s+(.*)$/) {
 163 | 					$$Networks{$1}.="$2 ";
 164 | 				} else {
 165 | 					die "invalid line in section network: $line\n";
 166 | 				}
 167 | 			} elsif ($state eq 'INTERFACE') {
 168 | 				if ($line =~ /^\s*([a-zA-Z0-9_-]+(:\d+)?)\s+(.*)$/) {
 169 | 					$$Interfaces{$1}.="$3 ";
 170 | 				} else {
 171 | 					die "invalid line in section interface: $line\n";
 172 | 				}
 173 | 			} elsif ($state eq 'MARKER') {
 174 | 				if ($line =~ /^\s*([a-zA-Z0-9_-]+)\s+(.*)$/) {
 175 | 					$$Marker{$1}.="$2 ";
 176 | 				} else {
 177 | 					die "invalid line in section marker: $line\n";
 178 | 				}
 179 | 			} elsif ($state eq 'SYSCONFIG') {
 180 | 				if ($line =~ /^\s*([a-zA-Z0-9_-]+)\s+(.*)$/) {
 181 | 					$$Sysconfig{$1}=$2;
 182 | 				} else {
 183 | 					die "invalid line in section sysconfig: $line\n";
 184 | 				}
 185 | 			} elsif ($state =~ /^(FILTER|NAT|INPUT|OUTPUT|FORWARD|MASQUERADE|STATELESS)$/) {
 186 | 				if ($line =~ /^\s*(\w+([-+|>]|{\w+}))\s*(.*)$/) {
 187 | 					my $type = $1;
 188 | 					my $parameter = $3;
 189 | 					my %temphash;
 190 | 					$temphash{'Type'}=$type;
 191 | 					$temphash{'Rule'}=$line;
 192 | 					$temphash{'Id'}=$$Id++;
 193 | 					my $entry;
 194 | 					foreach $entry (split(/\s+/, $parameter)) {
 195 | 						$entry eq '' && next;
 196 | 						if ($entry =~ /^([a-zA-Z]{1,2})=([^=]+)$/) {
 197 | 							if (exists($charstringmap{$1})) {
 198 | 								my $value = $2;
 199 | 								$value =~ tr /,/ /;
 200 | 								$temphash{$charstringmap{$1}}.="$value ";
 201 | 							} else {
 202 | 								die "invalid prefix: $1\n";
 203 | 							}
 204 | 						} else {
 205 | 							die "invalid parameter: $entry\n";
 206 | 						}
 207 | 					}
 208 | 					push (@$Rules, \%temphash);
 209 | 				} else {
 210 | 					die "invalid line in section filter/nat: $line\n"
 211 | 				}
 212 | 			} else {
 213 | 				die "invalid section: \L$state\n";
 214 | 			}
 215 | 		}
 216 | 	}
 217 | }
 218 | 
 219 | sub resolveHashentries {
 220 | 	my ($value, $Hash, $depth) = @_;
 221 | 
 222 | 	unless (defined($depth)) {
 223 | 		$depth=1;
 224 | 	} elsif ($depth++ > 50) {
 225 | 		die "possible loop in configfile: $value\n";
 226 | 	}
 227 | 
 228 | 	my $newvalue;
 229 | 	my $entry;
 230 | 	foreach $entry (split (/\s+/, $value)) {
 231 | 		$entry eq '' && next;
 232 | 		if (exists($$Hash{$entry})) {
 233 | 			$newvalue.=" ".resolveHashentries($$Hash{$entry}, $Hash, $depth);
 234 | 		} else {
 235 | 			$newvalue.=" ".$entry;
 236 | 		}
 237 | 	}
 238 | 	return $newvalue;
 239 | }
 240 | 
 241 | sub expandRange {
 242 | 	my ($range, $multi) = @_;
 243 | 	if (@$range != 0) {
 244 | 		unless (@$multi == 0 && @$range==1) {
 245 | 			my %rangehash;
 246 | 			my @rangearray;
 247 | 			my $entry;
 248 | 			foreach $entry (@$range) {
 249 | 				$entry =~ /(\d+):(\d+)/;
 250 | 				my $range=$2-$1+1;
 251 | 				if (exists($rangehash{$range})) {
 252 | 					push (@{$rangehash{$range}}, $1);
 253 | 				} else {
 254 | 					$rangehash{$range}=[$1];
 255 | 				}
 256 | 				push (@rangearray, $range);
 257 | 			}
 258 | 
 259 | 			@rangearray=sort {$a <=> $b} (@rangearray);
 260 | 
 261 | 			my $again=1;
 262 | 			my $last=15;
 263 | 			while ($again) {
 264 | 				$again=0;
 265 | 				while (@rangearray) {
 266 | 					my $range=$rangearray[0];
 267 | 					if (@$multi+$range<=$last) {
 268 | 						my $first=shift(@{$rangehash{$range}});
 269 | 						my $port;
 270 | 						for ($port=$first+$range-1; $port>=$first; $port--) {
 271 | 							push (@$multi, $port);
 272 | 						}
 273 | 						shift (@rangearray);
 274 | 					} else {
 275 | 						last;
 276 | 					}
 277 | 				}
 278 | 				if (@rangearray>1) {
 279 | 					$last+=15;
 280 | 					if (@$multi+$rangearray[0]+$rangearray[1]<=$last) {
 281 | 						$again=1;
 282 | 					}
 283 | 				}
 284 | 			}
 285 | 			my @temprange;
 286 | 			foreach $range (@rangearray) {
 287 | 				foreach (@{$rangehash{$range}}) {
 288 | 					my $last=$_+$range-1;
 289 | 					push(@temprange, "$_:$last");
 290 | 				}
 291 | 			}
 292 | 			@$range=@temprange;
 293 | 		}
 294 | 	}
 295 | }
 296 | 
 297 | sub simplifyNetworks {
 298 | 	my (@networks) = @_;
 299 | 	my @netobjects;
 300 | 	my $netref;
 301 | 	my %macs;
 302 | 	my $mac;
 303 | 	my $network;
 304 | 	if (@networks) {
 305 | 		my $ip;
 306 | 		my $no_macs=1;
 307 | 		foreach (@networks) {
 308 | 
 309 | 			my $netaddr = '';
 310 | 			my $network = '';
 311 | 			my $macaddr = '';
 312 | 			if ( ($_ =~ /(^[^\/]+)\/([^\/^=]+)$/) || (($ipv6) && is_ipv6($_)) || ((!$ipv6) && is_ipv4($_)) ) {
 313 | 
 314 | 				if ($ipv6) {
 315 | 					$ip=NetAddr::IP->new6($_) || die "not a valid address or network: $_\n";
 316 | 				} else {
 317 | 					$ip=NetAddr::IP->new($_) || die "not a valid address or network: $_\n";
 318 | 				}
 319 | 				push(@netobjects, $ip);
 320 | 
 321 | 			}
 322 | 			elsif ( $_ =~ /(^[^=]+)=([^=]+)$/ ) {
 323 | 
 324 | 				$netaddr = $1;
 325 | 				$macaddr = $2;
 326 | 				if ($netaddr =~ /(^[^\/]+)\/([^\/]+)$/) {
 327 | 					$network = $1;
 328 | 					# FIXME: netmask = $2; TODO: validate netmask
 329 | 				} else {
 330 | 					$network = $netaddr;
 331 | 				}
 332 | 
 333 | 				if ( (($ipv6) && is_ipv6($network)) || ((!$ipv6) && is_ipv4($network)) ) {
 334 | 
 335 | 					if ($ipv6) {
 336 | 						$ip=NetAddr::IP->new6($netaddr) || die "not a valid address or network: $netaddr\n";
 337 | 					} else {
 338 | 						$ip=NetAddr::IP->new($netaddr) || die "not a valid address or network: $netaddr\n";
 339 | 					}
 340 | 					if (!exists($macs{$ip})) {
 341 | 						$macs{$ip}=[];
 342 | 					}
 343 | 					$no_macs = 0;
 344 | 					push (@{$macs{$ip}}, $macaddr);
 345 | 					push (@netobjects, $ip);
 346 | 
 347 | 				} else {
 348 | 
 349 | 					die "Cannot use <dns-name>=<mac-addr> syntax, must be <network-or-ip-addr>=<mac-addr>"
 350 | 
 351 | 				}
 352 | 			}
 353 | 			else {
 354 | 
 355 | 				# resolv "address" that actually is a DNS host name, not an IP address...
 356 | 				my $err;
 357 | 				my @res;
 358 | 
 359 | 				if ($ipv6) {
 360 | 					( $err, @res ) = getaddrinfo( $_, "", { socktype => SOCK_RAW, family => AF_INET6 } );
 361 | 				} else {
 362 | 					( $err, @res ) = getaddrinfo( $_, "", { socktype => SOCK_RAW, family => AF_INET } );
 363 | 				}
 364 | 				die "Cannot getaddrinfo for name '".$_."'- ".$err if $err;
 365 | 
 366 | 				while ( my $ai = shift @res ) {
 367 | 
 368 | 					my ( $err, $ipaddr ) = getnameinfo( $ai->{addr}, NI_NUMERICHOST, NIx_NOSERV );
 369 | 					die "Cannot getnameinfo - $err" if $err;
 370 | 
 371 | 					if ($ipv6) {
 372 | 						$ip=NetAddr::IP->new6($ipaddr) || die "not a valid address: $ipaddr\n";
 373 | 					} else {
 374 | 						$ip=NetAddr::IP->new($ipaddr) || die "not a valid address: $ipaddr\n";
 375 | 					}
 376 | 
 377 | 					push (@netobjects, $ip);
 378 | 				}
 379 | 			}
 380 | 
 381 | 		}
 382 | 
 383 | 		# if we don't handle individual MAC addresses on any of the networks, then
 384 | 		# we can compact the list of networks
 385 | 		if ($no_macs == 1) {
 386 | 			@netobjects = NetAddr::IP::Compact(@netobjects);
 387 | 		}
 388 | 
 389 | 		@networks=();
 390 | 		foreach $network (@netobjects) {
 391 | 			if (exists($macs{$network})) {
 392 | 				foreach $mac (@{$macs{$network}}) {
 393 | 					push (@networks, $network."=".$mac);
 394 | 				}
 395 | 			}
 396 | 			else {
 397 | 				push (@networks, $network);
 398 | 			}
 399 | 		}
 400 | 	}
 401 | 	return (@networks);
 402 | }
 403 | 
 404 | sub checkLimit {
 405 | 	my ($limit) = @_;
 406 | 	if ($limit =~/^\d+(\/second|\/minute|\/hour|\/day|)$/) {
 407 | 		return 1;
 408 | 	} else {
 409 | 		return 0;
 410 | 	}
 411 | }
 412 | 
 413 | sub validateSysconfig {
 414 | 	my ($Sysconfig) = @_;
 415 | 
 416 | 	my $syskey;
 417 | 	foreach $syskey (keys (%$Sysconfig)) {
 418 | 		if ("\L$syskey" eq "loglevel") {
 419 | 			my $level=$$Sysconfig{$syskey};
 420 | 			delete $$Sysconfig{$syskey};
 421 | 			$level =~ s/\s+//g;
 422 | 			if ($level =~/^(debug|info|notice|warning|err|crit|alert|emerg)$/) {
 423 | 				$$Sysconfig{'LogLevel'}=$level;
 424 | 			} else {
 425 | 				die "unknown loglevel: $level\n";
 426 | 			}
 427 | 		} elsif ("\L$syskey" eq "logprefix") {
 428 | 			my $prefix=$$Sysconfig{$syskey};
 429 | 			delete $$Sysconfig{$syskey};
 430 | 			$$Sysconfig{'LogPrefix'}=$prefix;
 431 | 		} elsif ("\L$syskey" eq "loglimit") {
 432 | 			my $limit=$$Sysconfig{$syskey};
 433 | 			delete $$Sysconfig{$syskey};
 434 | 			$limit =~ s/\s+//g;
 435 | 			if (checkLimit $limit) {
 436 | 				$$Sysconfig{'LogLimit'}=$limit;
 437 | 			} else {
 438 | 				die "unknown loglimit: $limit:\n";
 439 | 			}
 440 | 		} elsif ("\L$syskey" eq "logburst") {
 441 | 			my $burst=$$Sysconfig{$syskey};
 442 | 			delete $$Sysconfig{$syskey};
 443 | 			$burst =~ s/\s+//g;
 444 | 			if ($burst =~/^\d+$/) {
 445 | 				$$Sysconfig{'LogBurst'}=$burst;
 446 | 			} else {
 447 | 				die "unknown logburst: $burst\n";
 448 | 			}
 449 | 		} elsif ("\L$syskey" eq "limit") {
 450 | 			my $limit=$$Sysconfig{$syskey};
 451 | 			delete $$Sysconfig{$syskey};
 452 | 			$limit =~ s/\s+//g;
 453 | 			if (checkLimit $limit) {
 454 | 				$$Sysconfig{'Limit'}=$limit;
 455 | 			} else {
 456 | 				die "unknown limit: $limit:\n";
 457 | 			}
 458 | 		} elsif ("\L$syskey" eq "burst") {
 459 | 			my $burst=$$Sysconfig{$syskey};
 460 | 			delete $$Sysconfig{$syskey};
 461 | 			$burst =~ s/\s+//g;
 462 | 			if ($burst =~/^\d+$/) {
 463 | 				$$Sysconfig{'Burst'}=$burst;
 464 | 			} else {
 465 | 				die "unknown burst: $burst\n";
 466 | 			}
 467 | 		} elsif ("\L$syskey" eq "accountprefix") {
 468 | 			my $prefix=$$Sysconfig{$syskey};
 469 | 			delete $$Sysconfig{$syskey};
 470 | 			$prefix =~ s/\s+//g;
 471 | 			if ($prefix =~/^\w+$/) {
 472 | 				$$Sysconfig{'AccountPrefix'}=$prefix;
 473 | 			} else {
 474 | 				die "invalid account prefix: $prefix\n";
 475 | 			}
 476 | 		} elsif ("\L$syskey" eq "filtercommand") {
 477 | 			my $filter_command=$$Sysconfig{$syskey};
 478 | 			delete $$Sysconfig{$syskey};
 479 | 			$filter_command =~ s/\s+//g;
 480 | 			if ($filter_command eq 'nft') {
 481 | 				$$Sysconfig{'FilterCommand'} = 'nft';
 482 | 			} elsif ($filter_command eq 'iptables') {
 483 | 				$$Sysconfig{'FilterCommand'} = 'iptables';
 484 | 			} elsif ($filter_command eq 'iptables-nft') {
 485 | 				$$Sysconfig{'FilterCommand'} = 'iptables-nft';
 486 | 			} elsif ($filter_command eq 'iptables-legacy') {
 487 | 				$$Sysconfig{'FilterCommand'} = 'iptables-legacy';
 488 | 			} else {
 489 | 				die "invalid packet filter command, use 'nft', 'iptables', 'iptables-nft' or 'iptables-legacy'";
 490 | 			}
 491 | 		} else {
 492 | 			die "unknown sysconfig parameter: $syskey\n";
 493 | 		}
 494 | 	}
 495 | }
 496 | 
 497 | sub toRange {
 498 | 	my ($range, $proto, $rule) = @_;
 499 | 
 500 | 	if ($range =~ /^(\d*)(|:(\d*))$/) {
 501 | 		if ($1 && $3) {
 502 | 			return "$1:$3";
 503 | 		} elsif ($1 && $2) {
 504 | 			return "$1:65535";
 505 | 		} elsif ($2 && $3) {
 506 | 			return "0:$3";
 507 | 		} elsif ($1) {
 508 | 			return "$1:$1";
 509 | 		} else {
 510 | 			return "0:65535";
 511 | 		}
 512 | 	} else {
 513 | 		die "invalid $proto service: $range:\n$rule\n";
 514 | 	}
 515 | }
 516 | 
 517 | sub validateData {
 518 | 	my ($Networks, $Services, $Interfaces, $Protocols, $Rules, $Sysconfig, $Marker) = @_;
 519 | 
 520 | 	validateSysconfig $Sysconfig;
 521 | 
 522 | 	my $key;
 523 | 	foreach $key (keys (%$Networks)) {
 524 | 		$$Networks{$key} = resolveHashentries($$Networks{$key}, $Networks);
 525 | 	}
 526 | 	foreach $key (keys (%$Services)) {
 527 | 		$$Services{$key} = resolveHashentries($$Services{$key}, $Services);
 528 | 	}
 529 | 	foreach $key (keys (%$Interfaces)) {
 530 | 		$$Interfaces{$key} = resolveHashentries($$Interfaces{$key}, $Interfaces);
 531 | 	}
 532 | 	foreach $key (keys (%$Interfaces)) {
 533 | 		if (!($$Interfaces{$key} =~ /^[\.a-zA-Z0-9+ ]+(:\d+)?$/)) {
 534 | 			die "invalid character in interface definition: $$Interfaces{$key}\n";
 535 | 		}
 536 | 	}
 537 | 
 538 | 	foreach $key (keys (%$Marker)) {
 539 | 		$$Marker{$key} = resolveHashentries($$Marker{$key}, $Marker);
 540 | 	}
 541 | 
 542 | ## marken auf plausibilität prüfen
 543 | 
 544 | 	my $rule;
 545 | 	foreach $rule (@$Rules) {
 546 | 		if (exists($$rule{'TranslatedSource'}) && exists($$rule{'TranslatedDestination'})) {
 547 | 			die "can't modify source and destination address in one rule:\n$$rule{'Rule'}\n";
 548 | 		}
 549 | 		my $ruletype=$$rule{'Type'};
 550 | 		if ($ruletype =~ /^\s*(masq|snat|dnat|nat)(\+|-)$/) {
 551 | 			my $type = $1;
 552 | 			my $action = $2;
 553 | 			$$rule{'Table'}='nat';
 554 | 			if ($type eq 'masq') {
 555 | 				if ($ipv6) {
 556 | 					$$rule{'Type'}='IGNORE-IPV6-POSTROUTING';
 557 | 				} else {
 558 | 					$$rule{'Type'}='POSTROUTING';
 559 | 				}
 560 | 				$$rule{'Action'}='MASQUERADE';
 561 | 			} elsif ($type =~ /^(s|d|)nat$/) {
 562 | 				if (exists($$rule{'TranslatedSource'})) {
 563 | 					if ($ipv6) {
 564 | 						$$rule{'Type'}='IGNORE-IPV6-POSTROUTING';
 565 | 					} else {
 566 | 						$$rule{'Type'}='POSTROUTING';
 567 | 					}
 568 | 					$$rule{'Action'}='SNAT';
 569 | 				} elsif (exists($$rule{'TranslatedDestination'})) {
 570 | 					if ($ipv6) {
 571 | 						$$rule{'Type'}='IGNORE-IPV6-PREROUTING';
 572 | 					} else {
 573 | 						$$rule{'Type'}='PREROUTING';
 574 | 					}
 575 | 					$$rule{'Action'}='DNAT';
 576 | 				} else {
 577 | 					die "nat rule without address translation makes no sense:\n$$rule{'Rule'}\n";
 578 | 				}
 579 | 			}
 580 | 			if ($action eq '-') {
 581 | 				$$rule{'Action'}='DROP';
 582 | 			}
 583 | 		} elsif ($ruletype =~ /^\s*(in|out|fw|slin|slout|slfw)(\+|-|\||>|{\w+})$/) {
 584 | 			my $type = $1;
 585 | 			my $action = $2;
 586 | 			$$rule{'Table'}='filter';
 587 | 			if ($type eq 'fw') {
 588 | 				$$rule{'Type'}='FORWARD';
 589 | 			} elsif ($type eq 'in') {
 590 | 				$$rule{'Type'}='INPUT';
 591 | 			} elsif ($type eq 'out') {
 592 | 				$$rule{'Type'}='OUTPUT';
 593 | 			} elsif ($type eq 'slfw') {
 594 | 				$$rule{'Type'}='STATELESSFORWARD';
 595 | 			} elsif ($type eq 'slin') {
 596 | 				$$rule{'Type'}='STATELESSINPUT';
 597 | 			} else {
 598 | 				$$rule{'Type'}='STATELESSOUTPUT';
 599 | 			}
 600 | 			if ($action eq '+') {
 601 | 				$$rule{'Action'}='ACCEPT';
 602 | 			} elsif ($action eq '-') {
 603 | 				$$rule{'Action'}='DROP';
 604 | 			} elsif ($action eq '|') {
 605 | 				if ($$rule{'Type'} =~ /OUTPUT/) {
 606 | 					die "can't use mirror in OUTPUT chain\n";
 607 | 				} else {
 608 | 					$$rule{'Action'}='MIRROR';
 609 | 				}
 610 | 			} elsif ($action =~ /^{(\w+)}$/) {
 611 | 				my $marker=$1;
 612 | 				$$rule{'Action'}='MARK';
 613 | 				$$rule{'Table'}='mangle';
 614 | 				if (exists($$Marker{$marker})) {
 615 | 					my @dummy = split(/\s+/, $$Marker{$marker});
 616 | 					if ($#dummy == 1) {
 617 | 						$$rule{'Mark'}=$$Marker{$marker};
 618 | 					} else {
 619 | 						die "can't mark packet with multiple mark values: $marker\n$$rule{'Rule'}\n";
 620 | 					}
 621 | 				} else {
 622 | 					die "invalid mark identifier: $marker\n$$rule{'Rule'}\n";
 623 | 				}
 624 | 			} else {
 625 | 				if ($$rule{'Type'} =~ /INPUT/) {
 626 | 					die "can't use TCPMSS in INPUT chain\n";
 627 | 				} else {
 628 | 					$$rule{'Action'}='TCPMSS';
 629 | 				}
 630 | 			}
 631 | 			if (exists($$rule{'TranslatedSource'}) || exists($$rule{'TranslatedDestination'}) || exists($$rule{'TranslatedService'})) {
 632 | 				die "you can modify source or destination address only in nat rules:\n$$rule{'Rule'}\n";
 633 | 			}
 634 | 		} else {
 635 | 			die "unknown ruletype:\n$$rule{'Rule'}\n";
 636 | 		}
 637 | 		my $hashentry;
 638 | 		foreach $hashentry (qw(Source Destination TranslatedSource TranslatedDestination)) {
 639 | 			my @simplenetwork;
 640 | 			if (exists($$rule{$hashentry})) {
 641 | 				my $position;
 642 | 				foreach $position (split (/\s+/, $$rule{$hashentry})) {
 643 | 					$position eq '' && next;
 644 | 					$position =~ /^(!{0,1})(.*)/;
 645 | 					if ($1) {
 646 | 						$$rule{"${hashentry}-not"} = 1;
 647 | 					}
 648 | 					$position=$2;
 649 | 
 650 | 					# support IPv4-only/IPv6-only rules
 651 | 					if ($position =~ /^.*\((.+)\)$/) {
 652 | 						my $only_proto = $1;
 653 | 						$position =~ s/\((.+)\)$//;
 654 | 						if (($ipv6) && ($only_proto eq "4")) {
 655 | 							print STDERR "IPv6 setup: Skipping IPv4-only rule for network \"$position\"\n";
 656 | 							$$rule{'Type'} = 'IGNORE-IPV4-ONLY';
 657 | 							next;
 658 | 						} elsif ((! $ipv6) && ($only_proto eq "6")) {
 659 | 							print STDERR "IPv4 setup: Skipping IPv6-only rule for network \"$position\"\n";
 660 | 							$$rule{'Type'} = 'IGNORE-IPV6-ONLY';
 661 | 							next;
 662 | 						}
 663 | 					}
 664 | 
 665 | 					if ($$rule{'Type'} =~ /^IGNORE\-IPV6\-.*$/) {
 666 | 						next;
 667 | 					}
 668 | 
 669 | 					if (exists($$Networks{$position})) {
 670 | 						my $network;
 671 | 						foreach $network (split (/\s+/, $$Networks{$position})) {
 672 | 							$network eq '' && next;
 673 | 							push (@simplenetwork, $network);
 674 | 						}
 675 | 					} else {
 676 | 						die "invalid network name: $position\n$$rule{'Rule'}\n";
 677 | 					}
 678 | 				}
 679 | 				@simplenetwork = simplifyNetworks (@simplenetwork);
 680 | 
 681 | 				my $network;
 682 | 				for $network (@simplenetwork) {
 683 | 					if  ( ( $network =~ /(^[^=]+)=([^=]+)$/ ) && ( ! ( $hashentry =~ /^.*Source$/ ) ) ) {
 684 | 						die "MAC address sources don't make sense on destination networks";
 685 | 					}
 686 | 					if  ( ( $network =~ /(^[^=]+)=([^=]+)$/ ) && ( $$rule{'Type'} eq 'OUTPUT' ) ) {
 687 | 						die "MAC address sources don't make sense for outward bound rules";
 688 | 					}
 689 | 				}
 690 | 
 691 | 				$$rule{$hashentry} = \@simplenetwork;
 692 | 
 693 | 			}
 694 | 		}
 695 | 		foreach (qw(TranslatedSource TranslatedDestination)) {
 696 | 			if (exists($$rule{$_}) && @{$$rule{$_}}>1) {
 697 | 				die "you can specify only one source or destination network as nat target:\n$$rule{'Rule'}\n";
 698 | 			}
 699 | 			if (exists($$rule{"$_-not"})) {
 700 | 				die "inverting nat destinations is not possible\n$$rule{'Rule'}\n";
 701 | 			}
 702 | 		}
 703 | 
 704 | 		foreach (qw(Source Destination)) {
 705 | 			if (exists($$rule{"${_}-not"}) && @{$$rule{$_}}>1) {
 706 | 				die "you can specify only one source or destination network with not statement:\n$$rule{'Rule'}\n";
 707 | 			}
 708 | 		}
 709 | 
 710 | 		if (exists($$rule{'MarkMatch'})) {
 711 | 			my $mark;
 712 | 			my @array;
 713 | 			foreach $mark (split (/\s+/, $$rule{'MarkMatch'})) {
 714 | 				$mark eq '' && next;
 715 | 				foreach (split(/\s+/, $$Marker{$mark})) {
 716 | 					$_ eq '' && next;
 717 | 					push (@array, $_);
 718 | 				}
 719 | 			}
 720 | 			$$rule{'MarkMatch'}=\@array;
 721 | 		}
 722 | 		foreach $hashentry (qw(InputInterface OutputInterface PhysicalInputInterface PhysicalOutputInterface)) {
 723 | 			if (exists($$rule{$hashentry})) {
 724 | 				if (($hashentry eq 'InputInterface' || $hashentry eq 'PhysicalInputInterface') && $$rule{'Type'} =~ /(OUTPUT|POSTROUTING)/) {
 725 | 					die "can't use input interface in output rule:\n$$rule{'Rule'}\n";
 726 | 				} elsif (($hashentry eq 'OutputInterface' || $hashentry eq 'PhysicalOutputInterface') && $$rule{'Type'} =~ /(INPUT|PREROUTING)/) {
 727 | 					die "can't use output interface in input rule:\n$$rule{'Rule'}\n";
 728 | 				}
 729 | 				my $position;
 730 | 				my %interfacehash;
 731 | 				foreach $position (split (/\s+/, $$rule{$hashentry})) {
 732 | 					$position eq '' && next;
 733 | 					$position =~ /^(!{0,1})(.*)/;
 734 | 					if ($1) {
 735 | 						$$rule{"${hashentry}-not"} = 1;
 736 | 					}
 737 | 					$position=$2;
 738 | 					if (exists($$Interfaces{$position})) {
 739 | 						my $interface;
 740 | 						foreach $interface (split (/\s+/, $$Interfaces{$position})) {
 741 | 							$interface eq '' && next;
 742 | 							$interfacehash{$interface}=1;
 743 | 						}
 744 | 					} else {
 745 | 						die "invalid interface entry: $position\n";
 746 | 					}
 747 | 				}
 748 | 				my @array = keys (%interfacehash);
 749 | 				$$rule{$hashentry} = \@array;
 750 | 			}
 751 | 			if (exists($$rule{"${hashentry}-not"}) && @{$$rule{$hashentry}}>1) {
 752 | 				die "you can specify only one input or output interface with not statement:\n$$rule{'Rule'}\n";
 753 | 			}
 754 | 		}
 755 | 
 756 | 		my $serviceentry;
 757 | 		my $servicecounter=0;
 758 | 		foreach $serviceentry (qw(Service TranslatedService)) {
 759 | 			$servicecounter=0;
 760 | 			if (exists($$rule{$serviceentry})) {
 761 | 				my $serviceprefix='';
 762 | 				if ($serviceentry eq 'TranslatedService') {
 763 | 					$serviceprefix='Translated';
 764 | 				}
 765 | 				my @newservice;
 766 | 				my $position;
 767 | 				my %protocols;
 768 | 				foreach $position (split (/\s+/, $$rule{$serviceentry})) {
 769 | 					$position eq '' && next;
 770 | 					$position =~ /^(!{0,1})(.*)/;
 771 | 					if ($1) {
 772 | 						if ($serviceprefix) {
 773 | 							die "can't use not in nat destination service description: $position\n$$rule{'Rule'}\n";
 774 | 						}
 775 | 						$$rule{"Service-not"}=1;
 776 | 					}
 777 | 					$position=$2;
 778 | 					if (exists($$Services{$position})) {
 779 | 						my $service;
 780 | 						foreach $service (split (/\s+/, $$Services{$position})) {
 781 | 							$service eq '' && next;
 782 | 							if ($service =~ /^([\w-]+)\((.*)\)$/) {
 783 | 								my $proto=$1;
 784 | 								my $param=$2;
 785 | 								if ($param eq '') {
 786 | 									$param='all';
 787 | 								}
 788 | 								if (exists($$Protocols{$proto})) {
 789 | 									if ($proto =~ /^\d+$/) {
 790 | 										$proto = $$Protocols{$proto};
 791 | 									}
 792 | 								} else {
 793 | 									die "unknown protocol: $service:\n$$rule{'Rule'}\n";
 794 | 								}
 795 | 								$protocols{"$serviceprefix$proto"}.=" $param";
 796 | 							} else {
 797 | 								die "invalid service entry: $service:\n$$rule{'Rule'}\n";
 798 | 							}
 799 | 						}
 800 | 					} else {
 801 | 						die "invalid service entry: $position\n";
 802 | 					}
 803 | 				}
 804 | 				delete $$rule{$serviceentry};
 805 | 				my $proto;
 806 | 				foreach $proto (qw(udp tcp)) {
 807 | 					if (exists($protocols{"$serviceprefix$proto"})) {
 808 | 						my @multisource;
 809 | 						my @multidestination;
 810 | 						my @sourcerange;
 811 | 						my @destinationrange;
 812 | 						my @sourcedestination;
 813 | 						my %other;
 814 | 						my $service;
 815 | 						foreach $service (split (/\s+/, $protocols{"$serviceprefix$proto"})) {
 816 | 							$service eq '' && next;
 817 | 							if ($service  =~ /^([^\/]*)\/([^\/]*)$/) {
 818 | 								my $range=toRange ($1, $proto, $$rule{'Rule'});
 819 | 								$range.="/".toRange ($2, $proto, $$rule{'Rule'});
 820 | 								$other{$range}=1;
 821 | 							} else {
 822 | 								die "invalid $proto service: $service:\n$$rule{'Rule'}\n";
 823 | 							}
 824 | 						}
 825 | 						my $again=0;
 826 | 						my $first=1;
 827 | 						while ($first || $again) {
 828 | 							$first=0;
 829 | 							$again=0;
 830 | 							LOOP: foreach $service (keys (%other)) {
 831 | 								next unless exists($other{$service});
 832 | 								if ($service =~ /^(\d+):(\d+)\/(\d+):(\d+)$/) {
 833 | 									my $ss=$1;
 834 | 									my $se=$2;
 835 | 									my $ds=$3;
 836 | 									my $de=$4;
 837 | 									if ($ss>$se || $ds>$de) {
 838 | 										die "invalid port range: $service:\n$$rule{'Rule'}\n";
 839 | 									}
 840 | 									my $test;
 841 | 									foreach $test (keys (%other)) {
 842 | 										$test eq $service && next;
 843 | 										$test =~ /(\d+):(\d+)\/(\d+):(\d+)/;
 844 | 										if (	$1 == $ss &&
 845 | 											$2 == $se ) {
 846 | 											if (	$3 >= $ds &&
 847 | 												$4 <= $de) {
 848 | 												delete $other{$test};
 849 | 												$again=1;
 850 | 												last LOOP;
 851 | 											}
 852 | 											if (	$4 == $ds-1 ||
 853 | 												($4 >= $ds && $4 <= $de)) {
 854 | 												$ds=$3;
 855 | 												$de=$4 if $4>$de;
 856 | 												delete $other{$service};
 857 | 												delete $other{$test};
 858 | 												$other{"$ss:$se/$ds:$de"}=1;
 859 | 												$again=1;
 860 | 												last LOOP;
 861 | 											}
 862 | 										} elsif (	$3 == $ds &&
 863 | 												$4 == $de ) {
 864 | 											if (	$1 >= $ss &&
 865 | 												$2 <= $se) {
 866 | 												delete $other{$test};
 867 | 												$again=1;
 868 | 												last LOOP;
 869 | 											}
 870 | 											if (	$2 == $ss-1 ||
 871 | 												($2 >= $ss && $2 <= $se)) {
 872 | 												$ss=$1;
 873 | 												$se=$2 if $2>$se;
 874 | 												delete $other{$service};
 875 | 												delete $other{$test};
 876 | 												$other{"$ss:$se/$ds:$de"}=1;
 877 | 												$again=1;
 878 | 												last LOOP;
 879 | 											}
 880 | 										}
 881 | 									}
 882 | 								} else {
 883 | 									 die "invalid service entry: $service:\n$$rule{'Rule'}\n";
 884 | 								}
 885 | 							}
 886 | 						}
 887 | 						my $entry;
 888 | 						foreach $entry (keys (%other)) {
 889 | 							if ($entry =~ /(\d+):(\d+)\/0:65535/) {
 890 | 								if ($1 != $2) {
 891 | 									push (@sourcerange, "$1:$2");
 892 | 								} else {
 893 | 									push (@multisource, $1);
 894 | 								}
 895 | 							} elsif ($entry =~ /0:65535\/(\d+):(\d+)/) {
 896 | 								if ($1 != $2) {
 897 | 									push (@destinationrange, "$1:$2");
 898 | 								} else {
 899 | 									push (@multidestination, $1);
 900 | 								}
 901 | 							} else {
 902 | 								push (@sourcedestination, $entry);
 903 | 							}
 904 | 						}
 905 | 						if ($serviceprefix eq '') {
 906 | 							expandRange (\@sourcerange, \@multisource);
 907 | 							expandRange (\@destinationrange, \@multidestination);
 908 | 						}
 909 | 						$$rule{"$serviceprefix\u$proto"}= [\@multisource, \@multidestination, \@sourcerange, \@destinationrange, \@sourcedestination];
 910 | 						$servicecounter+=@multisource+@multidestination+@sourcerange+@destinationrange+@sourcedestination;
 911 | 						delete $protocols{"$serviceprefix$proto"};
 912 | 					}
 913 | 				}
 914 | 				if ($serviceprefix ne '' && $servicecounter>1) {
 915 | 					die "you can specify only one service or service range as nat target:\n$$rule{'Rule'}\n";
 916 | 				}
 917 | 				if (exists($$rule{"Service-not"}) && $serviceprefix eq '' && $servicecounter>1) {
 918 | 					die "you can specify only one service in not statement:\n$$rule{'Rule'}\n";
 919 | 				}
 920 | 				if (exists($protocols{"${serviceprefix}icmp"})) {
 921 | 					if ($serviceprefix ne '') {
 922 | 						die "can't use icmp nat target:\n$$rule{'Rule'}\n";
 923 | 					}
 924 | 					my %icmphash;
 925 | 					my $message;
 926 | 					foreach $message (split (/\s+/, $protocols{"${serviceprefix}icmp"})) {
 927 | # message validation missing
 928 | 						$message eq '' && next;
 929 | 						$icmphash{$message}=1;
 930 | 					}
 931 | 					my @array = keys (%icmphash);
 932 | 					$$rule{"${serviceprefix}ICMP"}=\@array;
 933 | 					delete $protocols{"${serviceprefix}icmp"};
 934 | 				}
 935 | 				if (exists($protocols{"${serviceprefix}ipv6-icmp"})) {
 936 | 					if ($serviceprefix ne '') {
 937 | 						die "can't use ipv6-icmp nat target:\n$$rule{'Rule'}\n";
 938 | 					}
 939 | 					my %icmp6hash;
 940 | 					my $message;
 941 | 					foreach $message (split (/\s+/, $protocols{"${serviceprefix}ipv6-icmp"})) {
 942 | # message validation missing
 943 | 						$message eq '' && next;
 944 | 						$icmp6hash{$message}=1;
 945 | 					}
 946 | 					my @array = keys (%icmp6hash);
 947 | 					$$rule{"${serviceprefix}ICMP6"}=\@array;
 948 | 					delete $protocols{"${serviceprefix}ipv6-icmp"};
 949 | 				}
 950 | 				if (keys (%protocols)) {
 951 | 					if ($serviceprefix ne '') {
 952 | 						die "you can use tcp and udp based nat targets only:\n$$rule{'Rule'}\n";
 953 | 					}
 954 | 					my @array = keys (%protocols);
 955 | 					$$rule{"${serviceprefix}OtherProtocols"} = \@array;
 956 | 				}
 957 | 			}
 958 | 		}
 959 | 		if (	(exists($$rule{'TranslatedTcp'}) && exists($$rule{'Udp'})) ||
 960 | 			(exists($$rule{'TranslatedUdp'}) && exists($$rule{'Tcp'}))) {
 961 | 			die "source protocol and translated protocol must be equal in nat rule:\n$$rule{'Rule'}\n";
 962 | 		}
 963 | 		if (exists($$rule{'Flags'})) {
 964 | 			my $flag;
 965 | 			foreach $flag (split (/\s+/, $$rule{'Flags'})) {
 966 | 				$flag eq '' && next;
 967 | 				if ($flag =~ /^log(\((.+)\)|)$/) {
 968 | 					$$rule{'Log'}=$2;
 969 | 				} elsif ($flag =~ /^reject(\((.+)\)|)$/) {
 970 | 					if ($$rule{'Table'} eq 'nat') {
 971 | 						die "can't use reject with nat:\n$$rule{'Rule'}\n";
 972 | 					}
 973 | 					if ($$rule{'Action'} ne 'DROP') {
 974 | 						die "rejecting packets in allow rule makes no sense:\n$$rule{'Rule'}\n";
 975 | 					}
 976 | 					if ($2) {
 977 | 						my $param=$2;
 978 | 						if ($param =~ /^(icmp-(net|host|port|proto)-unreachable|icmp-(net|host)-prohibited|tcp-reset)$/) {
 979 | 							$$rule{'Reject'}=$param;
 980 | 						} else {
 981 | 							die "invalid reject parameter: $param:\n$$rule{'Rule'}\n";
 982 | 						}
 983 | 						if ($param eq 'tcp-reset') {
 984 | 							if (exists($$rule{'OtherProtocols'}) || exists($$rule{'ICMP'}) || exists($$rule{'ICMP6'}) || exists($$rule{'Udp'})) {
 985 | 								die "can't use tcp-reset with other protocols than tcp:\n$$rule{'Rule'}\n";
 986 | 							}
 987 | 							unless (exists($$rule{'Tcp'})) {
 988 | 								die "need tcp protocol for tcp-reset:\n$$rule{'Rule'}\n";
 989 | 							}
 990 | 						}
 991 | 					} else {
 992 | 						$$rule{'Reject'}=1;
 993 | 					}
 994 | 				} elsif ($flag =~ /^account(\((.+)\)|)$/) {
 995 | 					if ($$rule{'Table'} eq 'nat') {
 996 | 						die "can't use accounting with nat:\n$$rule{'Rule'}\n";
 997 | 					}
 998 | 					if ($$rule{'Action'} eq 'DROP') {
 999 | 						die "accounting packets in reject/drop rule makes no sense:\n$$rule{'Rule'}\n";
1000 | 					}
1001 | 					if ($2) {
1002 | 						my $param=$2;
1003 | 						if ($param =~ /^[a-zA-Z0-9]+$/) {
1004 | 							$$rule{'Accounting'}=$param;
1005 | 						} else {
1006 | 							die "invalid character in accountingname '$param':\n$$rule{'Rule'}\n";
1007 | 						}
1008 | 					} else {
1009 | 						$$rule{'Reject'}='default';
1010 | 					}
1011 | 				} elsif ($flag =~ /^limit(\((.*)\)|)$/) {
1012 | 					if ($$rule{'Action'} eq 'DROP') {
1013 | 						die "limiting packets in reject/drop rule makes no sense:\n$$rule{'Rule'}\n";
1014 | 					}
1015 | 					if (exists($$rule{'Accounting'})) {
1016 | 						die "limiting packets does not work with accounting in current implementation:\n$$rule{'Rule'}\n";
1017 | 					}
1018 | 					if ($2) {
1019 | 						my $param=$2;
1020 | 						if ($param =~ /^([^:]+)(:\d+|)$/) {
1021 | 							if (checkLimit $1) {
1022 | 								$$rule{'Limit'}=$1;
1023 | 								if ($2) {
1024 | 									# no need to check burst since it
1025 | 									# is guaranteed to be either empty
1026 | 									# or digits only (plus leading colon).
1027 | 									# Empty results in other part of if
1028 | 									# clause.
1029 | 									my $burst=$2;
1030 | 									$burst=~s/^://;
1031 | 									$$rule{'Limit-burst'}=$burst;
1032 | 								} else {
1033 | 									$$rule{'Limit-burst'}=$$Sysconfig{'Burst'};
1034 | 								}
1035 | 							} else {
1036 | 								die "invalid limit '$param':\n$$rule{'Rule'}\n";
1037 | 							}
1038 | 						} else {
1039 | 							die "invalid limit descriptionb '$param':\n$$rule{'Rule'}\n";
1040 | 						}
1041 | 					} else {
1042 | 						$$rule{'Limit'}=$$Sysconfig{'Limit'};
1043 | 						$$rule{'Limit-burst'}=$$Sysconfig{'Burst'};
1044 | 					}
1045 | 				} else {
1046 | 					die "invalid flag: $flag -- $$rule{'Flags'}:\n$$rule{'Rule'}\n";
1047 | 				}
1048 | 			}
1049 | 		}
1050 | 	}
1051 | }
1052 | 
1053 | sub icmpv6_types_IPTABLES_to_NFT {
1054 | 	my ($type) = @_;
1055 | 	my $nft_type = $type;
1056 | 	foreach my $map (@icmpv6_types_mapping) {
1057 | 		if ( "@$map[0]" eq "$type" ) {
1058 | 			$nft_type = "@$map[1]";
1059 | 			last;
1060 | 		}
1061 | 	}
1062 | 	return $nft_type;
1063 | }
1064 | 
1065 | sub genRuleDump_NFT {
1066 | 	my ($Rules, $Listing, $Sysconfig) = @_;
1067 | 	my @partial;
1068 | 	my $rule;
1069 | 	my %nat;
1070 | 	my %filter;
1071 | 	my %mangle;
1072 | 	my @nat;
1073 | 	my @filter;
1074 | 	my @mangle;
1075 | 	my $table;
1076 | 	my $chains;
1077 | 	my $inet;
1078 | 
1079 | 	if ($ipv6) {
1080 | 		$inet = "ip6";
1081 | 	} else {
1082 | 		$inet = "ip";
1083 | 	}
1084 | 
1085 | 	foreach $rule (@$Rules) {
1086 | 
1087 | 		if ( ($$rule{'Type'} eq "IGNORE-IPV4-ONLY") || ($$rule{'Type'} eq "IGNORE-IPV6-ONLY") ) {
1088 | 			next;
1089 | 		}
1090 | 
1091 | 		my @protocol;
1092 | 		my @source;
1093 | 		my @destination;
1094 | 		my @inputinterface;
1095 | 		my @outputinterface;
1096 | 		my @mark;
1097 | 		my $action;
1098 | 		my $logaction;
1099 | 		my $type;
1100 | 		my $name;
1101 | 		my $proto;
1102 | 		my $id;
1103 | 		my $not;
1104 | 
1105 | 		if ($$rule{'Table'} eq 'filter') {
1106 | 			$table=\@filter;
1107 | 			$chains=\%filter;
1108 | 		} elsif ($$rule{'Table'} eq 'nat') {
1109 | 			$table=\@nat;
1110 | 			$chains=\%nat;
1111 | 		} elsif ($$rule{'Table'} eq 'mangle') {
1112 | 			$table=\@mangle;
1113 | 			$chains=\%mangle;
1114 | 		} else {
1115 | 			die "$$rule{'Table'} is not implemented!\n";
1116 | 		}
1117 | 
1118 | 		$type="add rule $inet $$rule{'Table'} $$rule{'Type'}";
1119 | 		if (exists($$rule{'Name'})) {
1120 | 			$name=$$rule{'Name'};
1121 | 			$name=~s/\s+//g;
1122 | 		} else {
1123 | 			$name="-";
1124 | 		}
1125 | 		$id=$$rule{'Id'};
1126 | 
1127 | 		if (exists($$rule{'Reject'})) {
1128 | 			if ($$rule{'Reject'} ne '1') {
1129 | 				$action="counter reject with $$rule{'Reject'}";
1130 | 				$action =~ s/-/ /g;
1131 | 			} else {
1132 | 				$action="counter jump MYREJECT";
1133 | 			}
1134 | 			$logaction="REJECT";
1135 | 		} elsif ($$rule{'Action'} eq "TCPMSS") {
1136 | 			$action="tcp flags & (syn|rst) == syn tcp option maxseg size >= 1400 counter tcp option maxseg size set rt mtu";
1137 | 			$logaction="TCPMSS";
1138 | 		} elsif ($$rule{'Action'} eq "MARK") {
1139 | 			$action="counter meta mark set $$rule{'Mark'}";
1140 | 			$logaction="MARK";
1141 | 		} else {
1142 | 			if ( $$rule{'Action'} =~ /^(ACCEPT|DROP|RETURN|MASQUERADE|DNAT|SNAT)$/) {
1143 | 				$action="counter ".lc $$rule{'Action'};
1144 | 			} else {
1145 | 				$action="counter jump $$rule{'Action'}";
1146 | 			}
1147 | 			$logaction=$$rule{'Action'};
1148 | 		}
1149 | 
1150 | 		if (exists($$rule{"Service-not"})) {
1151 | 			$not='!';
1152 | 		} else {
1153 | 			$not='';
1154 | 		}
1155 | 
1156 | 		foreach $proto (qw(tcp udp)) {
1157 | 			if (exists($$rule{"\u$proto"})) {
1158 | 				my $string;
1159 | 				my $entry;
1160 | 				foreach $entry (qw(0 1)) {
1161 | 					my $multiport;
1162 | 					my $count=0;
1163 | 					foreach $multiport (@{$$rule{"\u$proto"}[$entry]}) {
1164 | 						if ($count==0) {
1165 | 							$string='';
1166 | 						}
1167 | 						$string.="$multiport,";
1168 | 						$count++;
1169 | 						if ($count==15) {
1170 | 							$string =~ s/,$//;
1171 | 							$string="meta l4proto $proto ".($entry==1?"d":"s")."port {".$string."}";
1172 | 							push (@protocol, $string);
1173 | 							$string='';
1174 | 							$count=0;
1175 | 						}
1176 | 					}
1177 | 					if (defined($string) && $count) {
1178 | 						$string =~ s/,$//;
1179 | 						if ($count > 1) {
1180 | 							$string="meta l4proto $proto $proto ".($entry==1?"d":"s")."port {".$string."}";
1181 | 						} else {
1182 | 							$string="meta l4proto $proto $proto ".($entry==1?"d":"s")."port {".$string."}";
1183 | 						}
1184 | 						push (@protocol, $string);
1185 | 					}
1186 | 				}
1187 | 				my $range;
1188 | 				foreach $range (@{$$rule{"\u$proto"}[2]}) {
1189 | 					$range =~ s/\:/-/g;
1190 | 					$range =~ /^(.+)-(.+)$/;
1191 | 					if ( $1 eq $2 ) {
1192 | 						$range = $1;
1193 | 					}
1194 | 					push (@protocol, "$not $proto sport $range");
1195 | 				}
1196 | 				foreach $range (@{$$rule{"\u$proto"}[3]}) {
1197 | 					$range =~ s/\:/-/g;
1198 | 					$range =~ /^(.+)-(.+)$/;
1199 | 					if ( $1 eq $2 ) {
1200 | 						$range = $1;
1201 | 					}
1202 | 					push (@protocol, "$not $proto dport $range");
1203 | 				}
1204 | 				my $range_sport;
1205 | 				my $range_dport;
1206 | 				foreach $range (@{$$rule{"\u$proto"}[4]}) {
1207 | 					$range =~ s/\:/-/g;
1208 | 					$range =~ /^(.+)\/(.+)$/;
1209 | 					$range_sport = $1;
1210 | 					$range_dport = $2;
1211 | 					$range_sport =~ /^(.+)-(.+)$/;
1212 | 					if ( $1 eq $2 ) {
1213 | 						$range_sport = $1;
1214 | 					}
1215 | 					$range_dport =~ /^(.+)-(.+)$/;
1216 | 					if ( $1 eq $2 ) {
1217 | 						$range_dport = $1;
1218 | 					}
1219 | 					push (@protocol, "$not $proto sport $range_sport $not $proto dport $range_dport");
1220 | 				}
1221 | 			}
1222 | 		}
1223 | 		if (exists($$rule{'ICMP'}) && (! $ipv6)) {
1224 | 			my $type;
1225 | 			foreach $type (@{$$rule{'ICMP'}}) {
1226 | 				if ($type eq 'all') {
1227 | 					push (@protocol, "$not icmp");
1228 | 				} else {
1229 | 					push (@protocol, "icmp $not type $type");
1230 | 				}
1231 | 			}
1232 | 		}
1233 | 		if (exists($$rule{'ICMP6'}) and ($ipv6)) {
1234 | 			my $type;
1235 | 			foreach $type (@{$$rule{'ICMP6'}}) {
1236 | 				if ($type eq 'all') {
1237 | 					push (@protocol, "meta l4proto $not ipv6-icmp");
1238 | 				} else {
1239 | 					my $nft_type = icmpv6_types_IPTABLES_to_NFT($type);
1240 | 					push (@protocol, "icmpv6 type $not $nft_type");
1241 | 				}
1242 | 			}
1243 | 		}
1244 | 		if (exists($$rule{'OtherProtocols'})) {
1245 | 			my $proto;
1246 | 			foreach $proto (@{$$rule{'OtherProtocols'}}) {
1247 | 				push (@protocol, "$not $proto");
1248 | 			}
1249 | 		}
1250 | 		if (exists($$rule{'Source'})) {
1251 | 			if (exists($$rule{'Source-not'})) {
1252 | 				$not='!';
1253 | 			} else {
1254 | 				$not='';
1255 | 			}
1256 | 			my $source;
1257 | 			foreach $source (@{$$rule{'Source'}}) {
1258 | 				if ($source =~ /(.+)=(.+)/ && ($$rule{'Table'} eq 'filter')) {
1259 | 					push (@source, "$not $inet saddr $1 mac $not ether saddr $2 counter");
1260 | 				} else {
1261 | 					$source =~ /([^=]+)/;
1262 | 					push (@source, "$not $inet saddr $1");
1263 | 				}
1264 | 			}
1265 | 		}
1266 | 		if (exists($$rule{'Destination'})) {
1267 | 			if (exists($$rule{'Destination-not'})) {
1268 | 				$not='!';
1269 | 			} else {
1270 | 				$not='';
1271 | 			}
1272 | 			my $destination;
1273 | 			foreach $destination (@{$$rule{'Destination'}}) {
1274 | 				$destination =~ /([^=]+)/;
1275 | 				push (@destination, "$not $inet daddr $1");
1276 | 			}
1277 | 		}
1278 | 		if (exists($$rule{'TranslatedSource'})) {
1279 | 			my $source;
1280 | 			$source=${$$rule{'TranslatedSource'}}[0];
1281 | 			$source =~ /([^=]+)/;
1282 | 			$source=$1;
1283 | 			my $ip = NetAddr::IP->new($source) || die "not a valid network: $source\n";
1284 | 			my $net=$ip->network();
1285 | 			my $bcast = $ip->broadcast();
1286 | 			if ($net ne $bcast) {
1287 | 				$source="$net-$bcast";
1288 | 			}
1289 | 			$source =~ s/\/[^-]+//g;
1290 | 			$action.=" to $source";
1291 | 		}
1292 | 		if (exists($$rule{'TranslatedDestination'})) {
1293 | 			my $destination;
1294 | 			$destination=${$$rule{'TranslatedDestination'}}[0];
1295 | 			$destination =~ /([^=]+)/;
1296 | 			$destination=$1;
1297 | 			my $ip = NetAddr::IP->new($destination) || die "not a valid network: $destination\n";
1298 | 			my $net=$ip->network();
1299 | 			my $bcast = $ip->broadcast();
1300 | 			if ($net ne $bcast) {
1301 | 				$destination="$net-$bcast";
1302 | 			}
1303 | 			$destination =~ s/\/[^-]+//g;
1304 | 			$action.=" to $destination";
1305 | 		}
1306 | 
1307 | 		foreach $proto (qw(tcp udp)) {
1308 | 			if (exists($$rule{"Translated\u$proto"})) {
1309 | 				my $ref = $$rule{"Translated\u$proto"};
1310 | 				if (defined($$ref[1][0])) {
1311 | 					$action.=":$$ref[1][0]";
1312 | 				}
1313 | 				if (defined($$ref[3][0])) {
1314 | 					$action.=":$$ref[3][0]";
1315 | 				}
1316 | 				last;
1317 | 			}
1318 | 		}
1319 | 
1320 | 		if (exists($$rule{'InputInterface'})) {
1321 | 			if (exists($$rule{'InputInterface-not'})) {
1322 | 				$not='!';
1323 | 			} else {
1324 | 				$not='';
1325 | 			}
1326 | 			my $input;
1327 | 			foreach $input (@{$$rule{'InputInterface'}}) {
1328 | 				push (@inputinterface, "$not iifname \"$input\"");
1329 | 			}
1330 | 		}
1331 | 		if (exists($$rule{'OutputInterface'})) {
1332 | 			if (exists($$rule{'OutputInterface-not'})) {
1333 | 				$not='!';
1334 | 			} else {
1335 | 				$not='';
1336 | 			}
1337 | 			my $output;
1338 | 			foreach $output (@{$$rule{'OutputInterface'}}) {
1339 | 				push (@outputinterface, "$not oifname \"$output\"");
1340 | 			}
1341 | 		}
1342 | 		if (exists($$rule{'MarkMatch'})) {
1343 | 			my $mark;
1344 | 			foreach $mark (@{$$rule{'MarkMatch'}}) {
1345 | 				push (@mark, "meta mark set $mark");
1346 | 
1347 | 			}
1348 | 		}
1349 | 
1350 | 		if (exists($$rule{'Log'})) {
1351 | 			my $chain = "${id}$$rule{'Action'}log";
1352 | 			$$chains{$chain}=1;
1353 | 			my $logid;
1354 | 			if ($$rule{'Log'}) {
1355 | 				$logid=$$rule{'Log'};
1356 | 			} else {
1357 | 				$logid=$name;
1358 | 			}
1359 | 			push (@$table, "add rule $inet $$rule{'Table'} CHAIN_$chain limit rate $$Sysconfig{'LogLimit'} burst $$Sysconfig{'LogBurst'} packets counter log prefix \"$$Sysconfig{'LogPrefix'} $logaction ($logid): \" level $$Sysconfig{'LogLevel'} flags tcp options flags ip options");
1360 | 			push (@$table, "add rule $inet $$rule{'Table'} CHAIN_$chain $action");
1361 | 			$action="counter jump CHAIN_$chain";
1362 | 		}
1363 | 		if (exists($$rule{'Accounting'})) {
1364 | 			my $accountchain="$$Sysconfig{'AccountPrefix'}$$rule{'Accounting'}";
1365 | 			unless (exists($$chains{"$accountchain"})) {
1366 | 				$$chains{"$accountchain"}=1;
1367 | 				push (@$table, "add rule $inet $$rule{'Table'} CHAIN_$accountchain $action");
1368 | 			}
1369 | 			my $accountrules="${id}_ACCOUNTING_$$rule{'Accounting'}";
1370 | 			$$chains{$accountrules}=1;
1371 | 			push (@$table, "$type counter jump $accountrules");
1372 | 			push (@$table, "add rule $inet $$rule{'Table'} ACCOUNTING$$rule{'Type'} counter jump CHAIN_$accountrules");
1373 | 			$type="add rule $inet $$rule{'Table'} $accountrules ";
1374 | 			$action=" counter jump CHAIN_$accountchain";
1375 | 		}
1376 | 		if (exists($$rule{'Limit'})) {
1377 | 			$action=" limit rate $$rule{'Limit'} burst $$rule{'Limit-burst'} packets $action";
1378 | 		}
1379 | 		my @rulearray = (\@inputinterface, \@outputinterface, \@protocol, \@source, \@destination, \@mark);
1380 | 
1381 | 		my $level=1;
1382 | 		my $again=1;
1383 | 		while ($again) {
1384 | 			@partial = ();
1385 | 			$again=0;
1386 | 			my $array;
1387 | 			# adjust if you have many entries...
1388 | 			my $depth=0xFFFF;
1389 | 			foreach $array (@rulearray) {
1390 | 				if (@$array && $depth>@$array) {
1391 | 					$depth=@$array;
1392 | 				}
1393 | 			}
1394 | 			foreach $array (@rulearray) {
1395 | 				if (@$array==$depth) {
1396 | 					my $i;
1397 | 					for ($i=0; $i<@$array; $i++) {
1398 | 						$partial[$i].=" $$array[$i]";
1399 | 					}
1400 | 					@$array = ();
1401 | 					if ($depth != 1) {
1402 | 						last;
1403 | 					}
1404 | 				}
1405 | 			}
1406 | 			foreach $array (@rulearray) {
1407 | 				if (@$array) {
1408 | 					$again=1;
1409 | 					last;
1410 | 				}
1411 | 			}
1412 | 			my $jumpto;
1413 | 			if ($again) {
1414 | 				$jumpto="counter jump CHAIN_${id}_$level";
1415 | 			} else {
1416 | 				$jumpto=$action;
1417 | 			}
1418 | 			if (@partial) {
1419 | 				my $newjumpto;
1420 | 				my $part;
1421 | 				foreach $part (@partial) {
1422 | 					$newjumpto=$jumpto;
1423 | 					if ($part =~ /-p (udp|tcp)/ && $jumpto =~ /-p (udp|tcp)/) {
1424 | 						$newjumpto =~ s/-p (udp|tcp) -m (udp|tcp)//;
1425 | 					}
1426 | 					push (@$table, $type." $part $newjumpto");
1427 | 				}
1428 | 			} else {
1429 | 				push (@$table, "$type $jumpto");
1430 | 			}
1431 | 			if ($again) {
1432 | 				$type="add rule $inet $$rule{'Table'} CHAIN_${id}_$level";
1433 | 				$$chains{"${id}_$level"}=1;
1434 | 				$level++;
1435 | 			}
1436 | 		}
1437 | 	}
1438 | 
1439 | 	# make sure, all rules get dropped before populating tables anew
1440 | 	push (@$Listing, "flush ruleset $inet");
1441 | 
1442 | 	my $entry;
1443 | 	foreach $entry (qw(mangle filter nat)) {
1444 | 		if ($entry eq "nat" && $ipv6 == 1) {next};
1445 | 		my $chain;
1446 | 		push (@$Listing, "add table $inet $entry");
1447 | 		if ($entry eq 'filter') {
1448 | 			$table=\@filter;
1449 | 			$chains=\%filter;
1450 | 			push (@$Listing, "add chain $inet filter MYREJECT");
1451 | 			push (@$Listing, "add chain $inet filter STATENOTNEW");
1452 | 			foreach (qw(INPUT OUTPUT FORWARD)) {
1453 | 				push (@$Listing, "add chain $inet filter ACCOUNTING$_");
1454 | 				push (@$Listing, "add chain $inet filter ACCOUNTINGSTATELESS$_");
1455 | 				push (@$Listing, "add chain $inet filter STATE$_");
1456 | 				push (@$Listing, "add chain $inet filter STATELESS$_");
1457 | 				push (@$Listing, "add chain $inet filter $_ { type filter hook ".lc $_." priority 0; policy drop; }");
1458 | 				push (@$Listing, "add rule $inet filter $_ counter jump STATE$_");
1459 | 				push (@$Listing, "add rule $inet filter STATE$_ ct state invalid counter jump STATELESS$_");
1460 | 				push (@$Listing, "add rule $inet filter STATE$_ counter jump ACCOUNTING$_");
1461 | 				push (@$Listing, "add rule $inet filter STATE$_ ct state related,established counter accept");
1462 | 				if ($ipv6) {
1463 | 					push (@$Listing, "add rule ip6 filter STATE$_ meta l4proto != ipv6-icmp ct state != new counter jump STATENOTNEW");
1464 | 				} else {
1465 | 					push (@$Listing, "add rule ip filter STATE$_ ct state != new counter jump STATENOTNEW");
1466 | 				}
1467 | 				push (@$Listing, "add rule $inet filter STATELESS$_ counter jump ACCOUNTINGSTATELESS$_");
1468 | 			}
1469 | 			push (@$Listing, "add rule $inet filter STATENOTNEW limit rate $$Sysconfig{'LogLimit'} burst $$Sysconfig{'LogBurst'} packets counter log prefix \"$$Sysconfig{'LogPrefix'} STATE NOT NEW: \" level $$Sysconfig{'LogLevel'} flags tcp options flags ip options");
1470 | 			push (@$Listing, "add rule $inet filter STATENOTNEW counter drop");
1471 | 			push (@$Listing, "add rule $inet filter MYREJECT counter reject with tcp reset");
1472 | 			push (@$Listing, "add rule $inet filter MYREJECT counter reject");
1473 | 		} elsif ($entry eq 'nat') {
1474 | 			$table=\@nat;
1475 | 			$chains=\%nat;
1476 | 			push (@$Listing, "add chain $inet nat POSTROUTING { type nat hook postrouting priority srcnat; policy accept; }");
1477 | 			foreach (qw(PREROUTING)) {
1478 | 				push (@$Listing, "add chain $inet nat $_ { type nat hook ".lc $_." priority dstnat; policy accept; }");
1479 | 			}
1480 | 			foreach (qw(OUTPUT)) {
1481 | 				push (@$Listing, "add chain $inet nat $_ { type nat hook ".lc $_." priority -100; policy accept; }");
1482 | 			}
1483 | 		} else {
1484 | 			$table=\@mangle;
1485 | 			$chains=\%mangle;
1486 | 			push (@$Listing, "add chain $inet mangle PREROUTING { type filter hook prerouting priority mangle; policy accept; }");
1487 | 			push (@$Listing, "add chain $inet mangle OUTPUT { type route hook output priority mangle; policy accept; }");
1488 | 		}
1489 | 		foreach (keys(%$chains)) {
1490 | 			push (@$Listing, "add chain $inet filter CHAIN_$_");
1491 | 		}
1492 | 		push (@$Listing, "#");
1493 | 		push (@$Listing, "# beginning of user generated $entry rules");
1494 | 		push (@$Listing, "#");
1495 | 		foreach (@$table) {
1496 | 			push (@$Listing, $_);
1497 | 		}
1498 | 		push (@$Listing, "#");
1499 | 		push (@$Listing, "# end of user generated $entry rules");
1500 | 		push (@$Listing, "#");
1501 | 		if ($entry eq 'filter') {
1502 | 			foreach (qw(INPUT OUTPUT FORWARD)) {
1503 | 				push (@$Listing, "add rule $inet filter STATELESS$_ limit rate $$Sysconfig{'LogLimit'} burst $$Sysconfig{'LogBurst'} packets counter log prefix \"$$Sysconfig{'LogPrefix'} INVALID STATE: \"  level $$Sysconfig{'LogLevel'} flags tcp options flags ip options");
1504 | 				push (@$Listing, "add rule $inet filter STATELESS$_ counter drop");
1505 | 			}
1506 | 		}
1507 | 	}
1508 | }
1509 | 
1510 | sub genRuleDump_IPTABLES {
1511 | 	my ($Rules, $Listing, $Sysconfig) = @_;
1512 | 	my @partial;
1513 | 	my $rule;
1514 | 	my %nat;
1515 | 	my %filter;
1516 | 	my %mangle;
1517 | 	my @nat;
1518 | 	my @filter;
1519 | 	my @mangle;
1520 | 	my $table;
1521 | 	my $chains;
1522 | 
1523 | 	foreach $rule (@$Rules) {
1524 | 
1525 | 		if ( ($$rule{'Type'} eq "IGNORE-IPV4-ONLY") || ($$rule{'Type'} eq "IGNORE-IPV6-ONLY") ) {
1526 | 			next;
1527 | 		}
1528 | 
1529 | 		my @protocol;
1530 | 		my @source;
1531 | 		my @destination;
1532 | 		my @inputinterface;
1533 | 		my @outputinterface;
1534 | 		my @physicalinputinterface;
1535 | 		my @physicaloutputinterface;
1536 | 		my @mark;
1537 | 		my $action;
1538 | 		my $logaction;
1539 | 		my $type;
1540 | 		my $name;
1541 | 		my $proto;
1542 | 		my $id;
1543 | 		my $not;
1544 | 
1545 | 		if ($$rule{'Table'} eq 'filter') {
1546 | 			$table=\@filter;
1547 | 			$chains=\%filter;
1548 | 		} elsif ($$rule{'Table'} eq 'nat') {
1549 | 			$table=\@nat;
1550 | 			$chains=\%nat;
1551 | 		} elsif ($$rule{'Table'} eq 'mangle') {
1552 | 			$table=\@mangle;
1553 | 			$chains=\%mangle;
1554 | 		} else {
1555 | 			die "$$rule{'Table'} is not implemented!\n";
1556 | 		}
1557 | 
1558 | 		$type="-A $$rule{'Type'}";
1559 | 		if (exists($$rule{'Name'})) {
1560 | 			$name=$$rule{'Name'};
1561 | 			$name=~s/\s+//g;
1562 | 		} else {
1563 | 			$name="-";
1564 | 		}
1565 | 		$id=$$rule{'Id'};
1566 | 
1567 | 		if (exists($$rule{'Reject'})) {
1568 | 			if ($$rule{'Reject'} ne '1') {
1569 | 				if ($$rule{'Reject'} =~ /tcp/) {
1570 | 					$action="-p tcp -m tcp -j REJECT --reject-with $$rule{'Reject'}";
1571 | 				} else {
1572 | 					$action="-j REJECT --reject-with $$rule{'Reject'}";
1573 | 				}
1574 | 			} else {
1575 | 				$action="-j MYREJECT";
1576 | 
1577 | 			}
1578 | 			$logaction="REJECT";
1579 | 		} elsif ($$rule{'Action'} eq "TCPMSS") {
1580 | 			$action="-p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu";
1581 | 			$logaction="TCPMSS";
1582 | 		} elsif ($$rule{'Action'} eq "MARK") {
1583 | 			$action="-j MARK --set-mark $$rule{'Mark'}";
1584 | 			$logaction="MARK";
1585 | 		} else {
1586 | 			$action="-j $$rule{'Action'}";
1587 | 			$logaction=$$rule{'Action'};
1588 | 		}
1589 | 
1590 | 		if (exists($$rule{"Service-not"})) {
1591 | 			$not='!';
1592 | 		} else {
1593 | 			$not='';
1594 | 		}
1595 | 
1596 | 		foreach $proto (qw(tcp udp)) {
1597 | 			if (exists($$rule{"\u$proto"})) {
1598 | 				my $string;
1599 | 				my $entry;
1600 | 				foreach $entry (qw(0 1)) {
1601 | 					my $multiport;
1602 | 					my $count=0;
1603 | 					foreach $multiport (@{$$rule{"\u$proto"}[$entry]}) {
1604 | 						if ($count==0) {
1605 | 							$string='';
1606 | 						}
1607 | 						$string.="$multiport,";
1608 | 						$count++;
1609 | 						if ($count==15) {
1610 | 							$string =~ s/,$//;
1611 | 							$string="-p $proto -m multiport --".($entry==1?"d":"s")."port ".$string;
1612 | 							push (@protocol, $string);
1613 | 							$string='';
1614 | 							$count=0;
1615 | 						}
1616 | 					}
1617 | 					if (defined($string) && $count) {
1618 | 						$string =~ s/,$//;
1619 | 						if ($count > 1) {
1620 | 							$string="-p $proto -m multiport --".($entry==1?"d":"s")."port ".$string;
1621 | 						} else {
1622 | 							$string="-p $proto -m $proto --".($entry==1?"d":"s")."port ".$string;
1623 | 						}
1624 | 						push (@protocol, $string);
1625 | 					}
1626 | 				}
1627 | 				my $range;
1628 | 				foreach $range (@{$$rule{"\u$proto"}[2]}) {
1629 | 					push (@protocol, "-p $proto -m $proto $not --sport $range");
1630 | 				}
1631 | 				foreach $range (@{$$rule{"\u$proto"}[3]}) {
1632 | 					push (@protocol, "-p $proto -m $proto $not --dport $range");
1633 | 				}
1634 | 				foreach $range (@{$$rule{"\u$proto"}[4]}) {
1635 | 					$range =~ /^(.+)\/(.+)$/;
1636 | 					push (@protocol, "-p $proto -m $proto $not --sport $1 $not --dport $2");
1637 | 				}
1638 | 			}
1639 | 		}
1640 | 		if (exists($$rule{'ICMP'}) && (! $ipv6)) {
1641 | 			my $type;
1642 | 			foreach $type (@{$$rule{'ICMP'}}) {
1643 | 				if ($type eq 'all') {
1644 | 					push (@protocol, "$not -p icmp");
1645 | 				} else {
1646 | 					push (@protocol, "-p icmp -m icmp $not --icmp-type $type");
1647 | 				}
1648 | 			}
1649 | 		}
1650 | 		if (exists($$rule{'ICMP6'}) and ($ipv6)) {
1651 | 			my $type;
1652 | 			foreach $type (@{$$rule{'ICMP6'}}) {
1653 | 				if ($type eq 'all') {
1654 | 					push (@protocol, "$not -p icmpv6");
1655 | 				} else {
1656 | 					push (@protocol, "-p icmpv6 -m icmpv6 $not --icmpv6-type $type");
1657 | 				}
1658 | 			}
1659 | 		}
1660 | 		if (exists($$rule{'OtherProtocols'})) {
1661 | 			my $proto;
1662 | 			foreach $proto (@{$$rule{'OtherProtocols'}}) {
1663 | 				push (@protocol, "$not -p $proto");
1664 | 			}
1665 | 		}
1666 | 		if (exists($$rule{'Source'})) {
1667 | 			if (exists($$rule{'Source-not'})) {
1668 | 				$not='!';
1669 | 			} else {
1670 | 				$not='';
1671 | 			}
1672 | 			my $source;
1673 | 			foreach $source (@{$$rule{'Source'}}) {
1674 | 				if ($source =~ /(.+)=(.+)/ && ($$rule{'Table'} eq 'filter')) {
1675 | 					push (@source, "$not -s $1 -m mac $not --mac-source $2");
1676 | 				} else {
1677 | 					$source =~ /([^=]+)/;
1678 | 					push (@source, "$not -s $1");
1679 | 				}
1680 | 			}
1681 | 		}
1682 | 		if (exists($$rule{'Destination'})) {
1683 | 			if (exists($$rule{'Destination-not'})) {
1684 | 				$not='!';
1685 | 			} else {
1686 | 				$not='';
1687 | 			}
1688 | 			my $destination;
1689 | 			foreach $destination (@{$$rule{'Destination'}}) {
1690 | 				$destination =~ /([^=]+)/;
1691 | 				push (@destination, "$not -d $1");
1692 | 			}
1693 | 		}
1694 | 		if (exists($$rule{'TranslatedSource'})) {
1695 | 			my $source;
1696 | 			$source=${$$rule{'TranslatedSource'}}[0];
1697 | 			$source =~ /([^=]+)/;
1698 | 			$source=$1;
1699 | 			my $ip = NetAddr::IP->new($source) || die "not a valid network: $source\n";
1700 | 			my $net=$ip->network();
1701 | 			my $bcast = $ip->broadcast();
1702 | 			if ($net ne $bcast) {
1703 | 				$source="$net-$bcast";
1704 | 			}
1705 | 			$source =~ s/\/[^-]+//g;
1706 | #			$action="-t nat ".$action;
1707 | 			$action.=" --to-source $source";
1708 | 		}
1709 | 		if (exists($$rule{'TranslatedDestination'})) {
1710 | 			my $destination;
1711 | 			$destination=${$$rule{'TranslatedDestination'}}[0];
1712 | 			$destination =~ /([^=]+)/;
1713 | 			$destination=$1;
1714 | 			my $ip = NetAddr::IP->new($destination) || die "not a valid network: $destination\n";
1715 | 			my $net=$ip->network();
1716 | 			my $bcast = $ip->broadcast();
1717 | 			if ($net ne $bcast) {
1718 | 				$destination="$net-$bcast";
1719 | 			}
1720 | 			$destination =~ s/\/[^-]+//g;
1721 | #			$action="-t nat ".$action;
1722 | 			$action.=" --to-destination $destination";
1723 | 		}
1724 | 
1725 | 		foreach $proto (qw(tcp udp)) {
1726 | 			if (exists($$rule{"Translated\u$proto"})) {
1727 | 				my $ref = $$rule{"Translated\u$proto"};
1728 | 				if (defined($$ref[1][0])) {
1729 | 					$action.=":$$ref[1][0]";
1730 | 					$action="-p $proto -m $proto ".$action;
1731 | 				}
1732 | 				if (defined($$ref[3][0])) {
1733 | 					$action.=":$$ref[3][0]";
1734 | 					$action="-p $proto -m $proto ".$action;
1735 | 				}
1736 | 				last;
1737 | 			}
1738 | 		}
1739 | 
1740 | 		if (exists($$rule{'InputInterface'})) {
1741 | 			if (exists($$rule{'InputInterface-not'})) {
1742 | 				$not='!';
1743 | 			} else {
1744 | 				$not='';
1745 | 			}
1746 | 			my $input;
1747 | 			foreach $input (@{$$rule{'InputInterface'}}) {
1748 | 				push (@inputinterface, "$not -i $input");
1749 | 			}
1750 | 		}
1751 | 		if (exists($$rule{'OutputInterface'})) {
1752 | 			if (exists($$rule{'OutputInterface-not'})) {
1753 | 				$not='!';
1754 | 			} else {
1755 | 				$not='';
1756 | 			}
1757 | 			my $output;
1758 | 			foreach $output (@{$$rule{'OutputInterface'}}) {
1759 | 				push (@outputinterface, "$not -o $output");
1760 | 			}
1761 | 		}
1762 | 		if (exists($$rule{'PhysicalInputInterface'})) {
1763 | 			if (exists($$rule{'PhysicalInputInterface-not'})) {
1764 | 				$not='!';
1765 | 			} else {
1766 | 				$not='';
1767 | 			}
1768 | 			my $input;
1769 | 			foreach $input (@{$$rule{'PhysicalInputInterface'}}) {
1770 | 				push (@physicalinputinterface, "-m physdev $not --physdev-in $input");
1771 | 			}
1772 | 		}
1773 | 		if (exists($$rule{'PhysicalOutputInterface'})) {
1774 | 			if (exists($$rule{'PhysicalOutputInterface-not'})) {
1775 | 				$not='!';
1776 | 			} else {
1777 | 				$not='';
1778 | 			}
1779 | 			my $output;
1780 | 			foreach $output (@{$$rule{'PhysicalOutputInterface'}}) {
1781 | 				push (@physicaloutputinterface, "-m physdev $not --physdev-out $output");
1782 | 			}
1783 | 		}
1784 | 		if (exists($$rule{'MarkMatch'})) {
1785 | 			my $mark;
1786 | 			foreach $mark (@{$$rule{'MarkMatch'}}) {
1787 | 				push (@mark, "-m mark --mark $mark");
1788 | 			}
1789 | 		}
1790 | 
1791 | 		if (exists($$rule{'Log'})) {
1792 | 			my $chain = "${id}$$rule{'Action'}log";
1793 | 			$$chains{$chain}=1;
1794 | 			my $logid;
1795 | 			if ($$rule{'Log'}) {
1796 | 				$logid=$$rule{'Log'};
1797 | 			} else {
1798 | 				$logid=$name;
1799 | 			}
1800 | 			push (@$table, "-A CHAIN_$chain -m limit --limit $$Sysconfig{'LogLimit'} --limit-burst $$Sysconfig{'LogBurst'} -j LOG --log-prefix \"$$Sysconfig{'LogPrefix'} $logaction ($logid): \" --log-level $$Sysconfig{'LogLevel'} --log-tcp-options --log-ip-options");
1801 | 			push (@$table, "-A CHAIN_$chain $action");
1802 | 			$action="-j CHAIN_$chain";
1803 | 		}
1804 | 		if (exists($$rule{'Accounting'})) {
1805 | 			my $accountchain="$$Sysconfig{'AccountPrefix'}$$rule{'Accounting'}";
1806 | 			unless (exists($$chains{"$accountchain"})) {
1807 | 				$$chains{"$accountchain"}=1;
1808 | 				push (@$table, "-A CHAIN_$accountchain $action");
1809 | 			}
1810 | 			my $accountrules="${id}_ACCOUNTING_$$rule{'Accounting'}";
1811 | 			$$chains{$accountrules}=1;
1812 | 			push (@$table, "$type -j $accountrules");
1813 | 			push (@$table, "-A ACCOUNTING$$rule{'Type'} -j CHAIN_$accountrules");
1814 | 			$type="-A $accountrules ";
1815 | 			$action=" -j CHAIN_$accountchain";
1816 | 		}
1817 | 		if (exists($$rule{'Limit'})) {
1818 | 			$action=" -m limit --limit $$rule{'Limit'} --limit-burst $$rule{'Limit-burst'} $action";
1819 | 		}
1820 | 		my @rulearray = (\@inputinterface, \@outputinterface, \@physicalinputinterface, \@physicaloutputinterface, \@protocol, \@source, \@destination, \@mark);
1821 | 
1822 | 		my $level=1;
1823 | 		my $again=1;
1824 | 		while ($again) {
1825 | 			@partial = ();
1826 | 			$again=0;
1827 | 			my $array;
1828 | 			# adjust if you have many entries...
1829 | 			my $depth=0xFFFF;
1830 | 			foreach $array (@rulearray) {
1831 | 				if (@$array && $depth>@$array) {
1832 | 					$depth=@$array;
1833 | 				}
1834 | 			}
1835 | 			foreach $array (@rulearray) {
1836 | 				if (@$array==$depth) {
1837 | 					my $i;
1838 | 					for ($i=0; $i<@$array; $i++) {
1839 | 						$partial[$i].=" $$array[$i]";
1840 | 					}
1841 | 					@$array = ();
1842 | 					if ($depth != 1) {
1843 | 						last;
1844 | 					}
1845 | 				}
1846 | 			}
1847 | 			foreach $array (@rulearray) {
1848 | 				if (@$array) {
1849 | 					$again=1;
1850 | 					last;
1851 | 				}
1852 | 			}
1853 | 			my $jumpto;
1854 | 			if ($again) {
1855 | 				$jumpto="-j CHAIN_${id}_$level";
1856 | 			} else {
1857 | 				$jumpto=$action;
1858 | 			}
1859 | 			if (@partial) {
1860 | 				my $newjumpto;
1861 | 				my $part;
1862 | 				foreach $part (@partial) {
1863 | 					$newjumpto=$jumpto;
1864 | 					if ($part =~ /-p (udp|tcp)/ && $jumpto =~ /-p (udp|tcp)/) {
1865 | 						$newjumpto =~ s/-p (udp|tcp) -m (udp|tcp)//;
1866 | 					}
1867 | 					push (@$table, $type." $part $newjumpto");
1868 | 				}
1869 | 			} else {
1870 | 				push (@$table, "$type $jumpto");
1871 | 			}
1872 | 			if ($again) {
1873 | 				$type="-A CHAIN_${id}_$level";
1874 | 				$$chains{"${id}_$level"}=1;
1875 | 				$level++;
1876 | 			}
1877 | 		}
1878 | 	}
1879 | 
1880 | 	my $entry;
1881 | 	foreach $entry (qw(mangle filter nat)) {
1882 | 		if ($entry eq "nat" && $ipv6 == 1) {next};
1883 | 		my $chain;
1884 | 		push (@$Listing, "*$entry");
1885 | 		if ($entry eq 'filter') {
1886 | 			$table=\@filter;
1887 | 			$chains=\%filter;
1888 | 			push (@$Listing, ":MYREJECT - [0:0]");
1889 | 			push (@$Listing, ":STATENOTNEW - [0:0]");
1890 | 			foreach (qw(INPUT OUTPUT FORWARD)) {
1891 | 				push (@$Listing, ":ACCOUNTING$_ - [0:0]");
1892 | 				push (@$Listing, ":ACCOUNTINGSTATELESS$_ - [0:0]");
1893 | 				push (@$Listing, ":STATE$_ - [0:0]");
1894 | 				push (@$Listing, ":STATELESS$_ - [0:0]");
1895 | 				push (@$Listing, ":$_ DROP [0:0]");
1896 | 				push (@$Listing, "-A $_ -j STATE$_");
1897 | 				push (@$Listing, "-A STATE$_ -m state --state INVALID -j STATELESS$_");
1898 | 				push (@$Listing, "-A STATE$_ -j ACCOUNTING$_");
1899 | 				push (@$Listing, "-A STATE$_ -m state --state ESTABLISHED,RELATED -j ACCEPT");
1900 | 				if ($ipv6) {
1901 | 					push (@$Listing, "-A STATE$_ ! -p ipv6-icmp -m state ! --state NEW -j STATENOTNEW");
1902 | 				} else {
1903 | 					push (@$Listing, "-A STATE$_ -m state ! --state NEW -j STATENOTNEW");
1904 | 				}
1905 | 				push (@$Listing, "-A STATELESS$_ -j ACCOUNTINGSTATELESS$_");
1906 | 			}
1907 | 			push (@$Listing, "-A STATENOTNEW -m limit --limit $$Sysconfig{'LogLimit'} --limit-burst $$Sysconfig{'LogBurst'} -j LOG --log-prefix \"$$Sysconfig{'LogPrefix'} STATE NOT NEW: \"  --log-level $$Sysconfig{'LogLevel'} --log-tcp-options --log-ip-options");
1908 | 			push (@$Listing, "-A STATENOTNEW -j DROP");
1909 | 			push (@$Listing, "-A MYREJECT -m tcp -p tcp -j REJECT --reject-with tcp-reset");
1910 | 			if ($ipv6) {
1911 | 				push (@$Listing, "-A MYREJECT -j REJECT --reject-with icmp6-port-unreachable");
1912 | 			} else {
1913 | 				push (@$Listing, "-A MYREJECT -j REJECT --reject-with icmp-port-unreachable");
1914 | 			}
1915 | 		} elsif ($entry eq 'nat') {
1916 | 			$table=\@nat;
1917 | 			$chains=\%nat;
1918 | 			foreach (qw(POSTROUTING PREROUTING OUTPUT)) {
1919 | 				push (@$Listing, ":$_ ACCEPT [0:0]");
1920 | 			}
1921 | 		} else {
1922 | 			$table=\@mangle;
1923 | 			$chains=\%mangle;
1924 | 			foreach (qw(PREROUTING OUTPUT)) {
1925 | 				push (@$Listing, ":$_ ACCEPT [0:0]");
1926 | 			}
1927 | 		}
1928 | 		foreach (keys(%$chains)) {
1929 | 			push (@$Listing, ":CHAIN_$_ - [0:0]");
1930 | 		}
1931 | 		push (@$Listing, "#");
1932 | 		push (@$Listing, "# beginning of user generated $entry rules");
1933 | 		push (@$Listing, "#");
1934 | 		foreach (@$table) {
1935 | 			push (@$Listing, $_);
1936 | 		}
1937 | 		push (@$Listing, "#");
1938 | 		push (@$Listing, "# end of user generated $entry rules");
1939 | 		push (@$Listing, "#");
1940 | 		if ($entry eq 'filter') {
1941 | 			foreach (qw(INPUT OUTPUT FORWARD)) {
1942 | 				push (@$Listing, "-A STATELESS$_ -m limit --limit $$Sysconfig{'LogLimit'} --limit-burst $$Sysconfig{'LogBurst'} -j LOG --log-prefix \"$$Sysconfig{'LogPrefix'} INVALID STATE: \"  --log-level $$Sysconfig{'LogLevel'} --log-tcp-options --log-ip-options");
1943 | 				push (@$Listing, "-A STATELESS$_ -j DROP");
1944 | 			}
1945 | 		}
1946 | 		push (@$Listing, "COMMIT");
1947 | 	}
1948 | }
1949 | 
1950 | sub printRules {
1951 | 	my ($Listing) = @_;
1952 | 	@$Listing=map { $_."\n" } @$Listing;
1953 | 	print @$Listing;
1954 | }
1955 | 
1956 | sub printRulesWithLinenumbers {
1957 | 	my ($Listing) = @_;
1958 | 	@$Listing=map { $_."\n" } @$Listing;
1959 | 	my $i = 1;
1960 | 	for (@$Listing) {
1961 | 		print $i++,":","\t",$_ if $_ ne '';
1962 | 	}
1963 | }
1964 | 
1965 | sub signalCatcher {
1966 | 	$SignalCatched=1;
1967 | }
1968 | 
1969 | sub applyRules_NFT {
1970 | 	my ($timeout, $Listing, $Sysconfig) = @_;
1971 | 	my @oldrules;
1972 | 	my $error;
1973 | 
1974 | 	@$Listing=map { $_."\n" } @$Listing;
1975 | 	open (NFT, '/usr/sbin/nft list ruleset|');
1976 | 	@oldrules = <NFT>;
1977 | 	close (NFT);
1978 | 
1979 | 	$SIG{'INT'} = 'signalCatcher';
1980 | 	$SIG{'KILL'} = 'signalCatcher';
1981 | 	$SIG{'QUIT'} = 'signalCatcher';
1982 | 	$SIG{'TERM'} = 'signalCatcher';
1983 | 
1984 | 	open (NFT_DISK, '>/tmp/nftrules');
1985 | 	print NFT_DISK @$Listing;
1986 | 	close (NFT_DISK);
1987 | 
1988 | 	open (NFT, '|/usr/sbin/nft -f -');
1989 | 	print NFT @$Listing;
1990 | 	close (NFT);
1991 | 	$error=$?;
1992 | 
1993 | 	if ($timeout && !$error) {
1994 | 		sleep $timeout;
1995 | 	}
1996 | 	if ($timeout || $SignalCatched || $error) {
1997 | 		open (NFT, '|/usr/sbin/nft -f -');
1998 | 		print NFT @oldrules;
1999 | 		close (NFT);
2000 | 		if ($SignalCatched) {
2001 | 			die "aborted. old rules restored.\n";
2002 | 		} elsif ($error) {
2003 | 			die "error in generated rules\n";
2004 | 		}
2005 | 	}
2006 | }
2007 | 
2008 | sub applyRules_IPTABLES {
2009 | 	my ($timeout, $Listing, $Sysconfig) = @_;
2010 | 	my @oldrules;
2011 | 	my $error;
2012 | 	my $save_cmd;
2013 | 	my $restore_cmd;
2014 | 
2015 | 	if (%$Sysconfig{'FilterCommand'} eq 'iptables') {
2016 | 		if ($ipv6) {
2017 | 			$save_cmd    = "/usr/sbin/ip6tables-save";
2018 | 			$restore_cmd = "/usr/sbin/ip6tables-restore";
2019 | 		} else {
2020 | 			$save_cmd    = "/usr/sbin/iptables-save";
2021 | 			$restore_cmd = "/usr/sbin/iptables-restore";
2022 | 		}
2023 | 	} elsif (%$Sysconfig{'FilterCommand'} eq 'iptables-nft') {
2024 | 		if ($ipv6) {
2025 | 			$save_cmd    = "/usr/sbin/ip6tables-nft-save";
2026 | 			$restore_cmd = "/usr/sbin/ip6tables-nft-restore";
2027 | 		} else {
2028 | 			$save_cmd    = "/usr/sbin/iptables-nft-save";
2029 | 			$restore_cmd = "/usr/sbin/iptables-nft-restore";
2030 | 		}
2031 | 	} elsif (%$Sysconfig{'FilterCommand'} eq 'iptables-legacy') {
2032 | 		if ($ipv6) {
2033 | 			$save_cmd    = "/usr/sbin/ip6tables-legacy-save";
2034 | 			$restore_cmd = "/usr/sbin/ip6tables-legacy-restore";
2035 | 		} else {
2036 | 			$save_cmd    = "/usr/sbin/iptables-legacy-save";
2037 | 			$restore_cmd = "/usr/sbin/iptables-legacy-restore";
2038 | 		}
2039 | 	}
2040 | 
2041 | 	@$Listing=map { $_."\n" } @$Listing;
2042 | 	open (IPT, "$save_cmd|");
2043 | 	@oldrules = <IPT>;
2044 | 	close (IPT);
2045 | 
2046 | 	$SIG{'INT'} = 'signalCatcher';
2047 | 	$SIG{'KILL'} = 'signalCatcher';
2048 | 	$SIG{'QUIT'} = 'signalCatcher';
2049 | 	$SIG{'TERM'} = 'signalCatcher';
2050 | 
2051 | 	open (IPT, "|$restore_cmd");
2052 | 	print IPT @$Listing;
2053 | 	close (IPT);
2054 | 	$error=$?;
2055 | 
2056 | 	if ($timeout && !$error) {
2057 | 		sleep $timeout;
2058 | 	}
2059 | 	if ($timeout || $SignalCatched || $error) {
2060 | 		open (IPT, "|$restore_cmd");
2061 | 		print IPT @oldrules;
2062 | 		close (IPT);
2063 | 		if ($SignalCatched) {
2064 | 			die "aborted. old rules restored.\n";
2065 | 		} elsif ($error) {
2066 | 			die "error in generated rules\n";
2067 | 		}
2068 | 	}
2069 | }
2070 | 
2071 | sub readCommandLine {
2072 | 	my %Networks;
2073 | 	my %Services;
2074 | 	my %Protocols;
2075 | 	my %Interfaces;
2076 | 	my %Sysconfig;
2077 | 	my %Marker;
2078 | 	my @Rules;
2079 | 	my @Listing;
2080 | 	my $test=0;
2081 | 	my $print=0;
2082 | 	my $linenumbers=0;
2083 | 	my $disable=0;
2084 | 	my $writeconfigfile;
2085 | 	my $writeldapruleset;
2086 | 	my $ldap;
2087 | 	my $readldap=0;
2088 | 	my $writeldap=0;
2089 | 	my $mesg;
2090 | 	my $ldapbase='o=unconfigured';
2091 | 	my $ldapserver='localhost:389';
2092 | 	my $ldapruleset='std';
2093 | 	my $ldapbinddn;
2094 | 	my $ldappassword;
2095 | 	my $timeout=0;
2096 | 
2097 | 	if (exists($ENV{'FILTER_COMMAND'})) {
2098 | 		$Sysconfig{'FilterCommand'}=$ENV{'FILTER_COMMAND'};
2099 | 	} else {
2100 | 		$Sysconfig{'FilterCommand'}='nft';
2101 | 	}
2102 | 	if (exists($ENV{'LOGLIMIT'})) {
2103 | 		$Sysconfig{'LogLimit'}=$ENV{'LOGLIMIT'};
2104 | 	} else {
2105 | 		$Sysconfig{'LogLimit'}='20/minute';
2106 | 	}
2107 | 	if (exists($ENV{'LOGBURST'})) {
2108 | 		$Sysconfig{'LogBurst'}=$ENV{'LOGBURST'};
2109 | 	} else {
2110 | 		$Sysconfig{'LogBurst'}='5';
2111 | 	}
2112 | 	if (exists($ENV{'LOGLEVEL'})) {
2113 | 		$Sysconfig{'LogLevel'}=$ENV{'LOGLEVEL'};
2114 | 	} else {
2115 | 		$Sysconfig{'LogLevel'}='debug';
2116 | 	}
2117 | 	if (exists($ENV{'LOGPREFIX'})) {
2118 | 		$Sysconfig{'LogPrefix'}=$ENV{'LOGPREFIX'};
2119 | 	} else {
2120 | 		$Sysconfig{'LogPrefix'}='FW';
2121 | 	}
2122 | 	if (exists($ENV{'LIMIT'})) {
2123 | 		$Sysconfig{'Limit'}=$ENV{'LIMIT'};
2124 | 	} else {
2125 | 		$Sysconfig{'Limit'}='20/minute';
2126 | 	}
2127 | 	if (exists($ENV{'BURST'})) {
2128 | 		$Sysconfig{'Burst'}=$ENV{'BURST'};
2129 | 	} else {
2130 | 		$Sysconfig{'Burst'}='5';
2131 | 	}
2132 | 	if (exists($ENV{'ACCOUNTPREFIX'})) {
2133 | 		$Sysconfig{'AccountPrefix'}=$ENV{'ACCOUNTPREFIX'};
2134 | 	} else {
2135 | 		$Sysconfig{'AccountPrefix'}='ACC_';
2136 | 	}
2137 | 	my %opt;
2138 | 	getopts('6c:tplds:b:r:T:C:R:D:w:W', \%opt) || uifUsg ();
2139 | 
2140 | 	$ipv6 = 1 if $opt{'6'};
2141 | 	$configfile=$configfile6 if $opt{'6'};
2142 | 	$configfile = $opt{'c'} if $opt{'c'};
2143 | 	$test = 1 if $opt{'t'};
2144 | 	$print = 1 if $opt{'p'};
2145 | 	$linenumbers = 1 if $opt{'l'};
2146 | 	$disable = 1 if $opt{'d'};
2147 | 	if ($opt{'T'}) {
2148 | 		if ($opt{'T'} =~ /^(\d+)$/) {
2149 | 			$timeout=$1;
2150 | 		} else {
2151 | 			die "timeout must be numeric: $opt{'T'}\n";
2152 | 			uifUsg ();
2153 | 		}
2154 | 	}
2155 | 	if ($opt{'s'}) {
2156 | 		$ldapserver=$opt{'s'};
2157 | 	}
2158 | 	if ($opt{'b'}) {
2159 | 		$ldapbase=$opt{'b'};
2160 | 	}
2161 | 	if ($opt{'r'}) {
2162 | 		$readldap=1;
2163 | 		$ldapruleset=$opt{'r'};
2164 | 	}
2165 | 	if ($opt{'C'}) {
2166 | 		$ldap=1;
2167 | 		$writeconfigfile=$opt{'C'};
2168 | 	}
2169 | 	if ($opt{'R'}) {
2170 | 		$writeldap=1;
2171 | 		$writeldapruleset=$opt{'R'};
2172 | 	}
2173 | 	if ($opt{'D'}) {
2174 | 		$ldapbinddn=$opt{'D'};
2175 | 	}
2176 | 	if ($opt{'w'}) {
2177 | 		$ldappassword=$opt{'w'};
2178 | 	}
2179 | 	if ($opt{'W'}) {
2180 | 		print "password: ";
2181 | 		$ldappassword=<STDIN>;
2182 | 		chomp($ldappassword);
2183 | 	}
2184 | 
2185 | 	if ($ipv6) {
2186 | 		if (exists($ENV{'LOGPREFIX6'})) {
2187 | 			$Sysconfig{'LogPrefix'}=$ENV{'LOGPREFIX6'};
2188 | 		} else {
2189 | 			$Sysconfig{'LogPrefix'}='FW6';
2190 | 		}
2191 | 	}
2192 | 
2193 | 	if ($readldap || $writeldap) {
2194 | 		if ($LDAPENABLED == 0) { die "To use LDAP features be sure to install Net::LDAP from the Debian package libnet-ldap-perl" } ;
2195 | 		$ldap = Net::LDAP->new($ldapserver) or die "$@";
2196 | 		if ($ldapbinddn && ($ldappassword eq "")) {
2197 | 			$mesg=$ldap->bind(	$ldapbinddn);
2198 | 		} elsif ($ldapbinddn && $ldappassword) {
2199 | 			$mesg=$ldap->bind(	$ldapbinddn,
2200 | 						password => $ldappassword);
2201 | 		} else {
2202 | 			$mesg=$ldap->bind;
2203 | 		}
2204 | 		if ($mesg->is_error) {
2205 | 			die "can't bind to ldap server: ".$mesg->error."\n";
2206 | 			uifUsg ();
2207 | 		}
2208 | 	}
2209 | 
2210 | 	unless ($disable) {
2211 | 		if ($readldap) {
2212 | 			readLdap ($ldap, $ldapbase, $ldapruleset, \%Networks, \%Services, \%Interfaces, \%Protocols, \@Rules, \%Sysconfig, \%Marker);
2213 | 		} else {
2214 | 			my $Id=0;
2215 | 			readConfig ($configfile, \%Networks, \%Services, \%Interfaces, \%Protocols, \@Rules, \$Id, \%Sysconfig, \%Marker);
2216 | 		}
2217 | 		if ($writeconfigfile) {
2218 | 			writeConfig ($writeconfigfile, \%Networks, \%Services, \%Interfaces, \%Protocols, \@Rules, \%Sysconfig, \%Marker);
2219 | 			exit 0;
2220 | 		} elsif ($writeldap) {
2221 | 			writeLdap ($ldap, $ldapbase, $writeldapruleset, \%Networks, \%Services, \%Interfaces, \%Protocols, \@Rules, \%Sysconfig, \%Marker);
2222 | 			exit 0;
2223 | 		} else {
2224 | 			validateData (\%Networks, \%Services, \%Interfaces, \%Protocols, \@Rules, \%Sysconfig, \%Marker);
2225 | 			if ($Sysconfig{'FilterCommand'} eq 'nft') {
2226 | 				genRuleDump_NFT (\@Rules, \@Listing, \%Sysconfig);
2227 | 			} else {
2228 | 				genRuleDump_IPTABLES (\@Rules, \@Listing, \%Sysconfig);
2229 | 			}
2230 | 		}
2231 | 	} else {
2232 | 		validateSysconfig (\%Sysconfig);
2233 | 		if ($Sysconfig{'FilterCommand'} eq 'nft') {
2234 | 			clearAllRules_NFT (\@Listing);
2235 | 		} else {
2236 | 			clearAllRules_IPTABLES (\@Listing);
2237 | 		}
2238 | 	}
2239 | 
2240 | 	if ($print && $linenumbers) {
2241 | 		printRulesWithLinenumbers (\@Listing);
2242 | 	} elsif ($print) {
2243 | 		printRules (\@Listing);
2244 | 	}
2245 | 	if ($test==0) {
2246 | 		if ($Sysconfig{'FilterCommand'} eq 'nft') {
2247 | 			applyRules_NFT ($timeout, \@Listing, \%Sysconfig);
2248 | 		} else {
2249 | 			applyRules_IPTABLES ($timeout, \@Listing, \%Sysconfig);
2250 | 		}
2251 | 	}
2252 | }
2253 | 
2254 | sub clearAllRules_NFT {
2255 | 	my ($Listing) = @_;
2256 | 
2257 | 	if ($ipv6) {
2258 | 		push (@$Listing,"flush ruleset ip6");
2259 | 	} else {
2260 | 		push (@$Listing,"flush ruleset ip");
2261 | 	}
2262 | }
2263 | 
2264 | sub clearAllRules_IPTABLES {
2265 | 	my ($Listing) = @_;
2266 | 
2267 | 	push (@$Listing,"*mangle");
2268 | 	push (@$Listing, ":PREROUTING ACCEPT [0:0]");
2269 | 	push (@$Listing, ":OUTPUT ACCEPT [0:0]");
2270 | 	push (@$Listing, "COMMIT");
2271 | 	if ($ipv6) {} else {
2272 | 		push (@$Listing, "*nat");
2273 | 		push (@$Listing, ":PREROUTING ACCEPT [0:0]");
2274 | 		push (@$Listing, ":POSTROUTING ACCEPT [0:0]");
2275 | 		push (@$Listing, ":OUTPUT ACCEPT [0:0]");
2276 | 		push (@$Listing, "COMMIT");
2277 | 	}
2278 | 	push (@$Listing, "*filter");
2279 | 	push (@$Listing, ":INPUT ACCEPT [0:0]");
2280 | 	push (@$Listing, ":OUTPUT ACCEPT [0:0]");
2281 | 	push (@$Listing, ":FORWARD ACCEPT [0:0]");
2282 | 	push (@$Listing, "COMMIT");
2283 | }
2284 | 
2285 | sub uifUsg {
2286 | 	print "usage: $0 [-6] [-c configfile] [-t] [-p] [-d] [-s server] [-b base] [-r ruleset] [-R ruleset] [-D <bind dn>] [-W] [-w <password>] [-T time] [-C configfile]\n";
2287 | 	print "-6  ipv6 mode default config $configfile6\n";
2288 | 	print "-c  read <configfile> instead of $configfile (or in ipv6 mode $configfile6)\n";
2289 | 	print "-t  test rules\n";
2290 | 	print "-p  print rules to stdout\n";
2291 | 	print "-l  if '-p' is used, prepend line numbers to the rules printout\n";
2292 | 	print "-d  disable firewall (clear all rules)\n";
2293 | 	print "-s  LDAP-server (default: localhost)\n";
2294 | 	print "-b  LDAP-base\n";
2295 | 	print "-r  LDAP ruleset\n";
2296 | 	print "-T  apply new rules and restore old rules after <time> seconds\n";
2297 | 	print "-C  write previously read config to <configfile>\n";
2298 | 	print "-R  write previously read config to LDAP as <ruleset>\n";
2299 | 	print "-D  LDAP bind DN\n";
2300 | 	print "-w  use <password> during LDAP bind\n";
2301 | 	print "-W  ask for password for LDAP bind\n";
2302 | 
2303 | 	exit 0;
2304 | }
2305 | 
2306 | sub cleanupLdap {
2307 | 	my ($ldap, $ldapbase) = @_;
2308 | 	my $mesg;
2309 | 
2310 | 	$mesg = $ldap->search (	base => "ou=Filter,ou=Sysconfig,$ldapbase",
2311 | 				filter => "objectClass=UIFRuleSet");
2312 | 	if ($mesg->is_error || $mesg->count == 0) {
2313 | 		die "ldapsearch failed\n";
2314 | 	}
2315 | 
2316 | 	my $result;
2317 | 	$result=$mesg->as_struct;
2318 | 	my %fwruleset;
2319 | 	my $entry;
2320 | 	foreach $entry (keys (%$result)) {
2321 | 		my $arrayref = $$result{$entry};
2322 | 		foreach (@{$$arrayref{'uiflist'}}) {
2323 | 			foreach (split (/\s+/, $_)) {
2324 | 				$_ eq '' && next;
2325 | 				$fwruleset{$_}=1;
2326 | 			}
2327 | 		}
2328 | 	}
2329 | 
2330 | 	$mesg = $ldap->search (	base => "ou=Filter,ou=Sysconfig,$ldapbase",
2331 | 				filter => "objectClass=UIFRule");
2332 | 	if ($mesg->is_error || $mesg->count == 0) {
2333 | 		die "ldapsearch failed\n";
2334 | 	}
2335 | 	$result=$mesg->as_struct;
2336 | 	foreach $entry (keys (%$result)) {
2337 | 		my $arrayref = $$result{$entry};
2338 | 		foreach (@{$$arrayref{'cn'}}) {
2339 | 			unless (exists($fwruleset{$_})) {
2340 | 				$mesg = $ldap->delete($entry);
2341 | 				if ($mesg->is_error) {
2342 | 					die "ldapsearch failed\n";
2343 | 				}
2344 | 			}
2345 | 		}
2346 | 	}
2347 | }
2348 | 
2349 | sub readLdap {
2350 | 	my ($ldap, $ldapbase, $ldapruleset, $Networks, $Services, $Interfaces, $Protocols, $Rules, $Sysconfig, $Marker) = @_;
2351 | 	my $mesg;
2352 | 
2353 | 	$mesg = $ldap->search (	base => "ou=Filter,ou=Sysconfig,$ldapbase",
2354 | 				filter => "(\&(objectClass=UIFRuleSet) (cn=$ldapruleset))");
2355 | 	if ($mesg->is_error || $mesg->count != 1) {
2356 | 		die "ldapsearch failed\n";
2357 | 	}
2358 | 
2359 | 	my $result;
2360 | 	$result=$mesg->as_struct;
2361 | 	my %fwruleset;
2362 | 	my %fwdisabled;
2363 | 	my $counter=0;
2364 | 	my $entry;
2365 | 	foreach $entry (keys (%$result)) {
2366 | 		my $arrayref = $$result{$entry};
2367 | 		foreach (@{$$arrayref{'uifdisabled'}}) {
2368 | 			foreach (split (/\s+/, $_)) {
2369 | 				$_ eq '' && next;
2370 | 				$fwdisabled{$_}=1;
2371 | 			}
2372 | 		}
2373 | 		foreach (@{$$arrayref{'uiflist'}}) {
2374 | 			foreach (split (/\s+/, $_)) {
2375 | 				$_ eq '' && next;
2376 | 				unless (exists($fwdisabled{$_})) {
2377 | 					$fwruleset{$_}=$counter++;
2378 | 				}
2379 | 			}
2380 | 		}
2381 | 		my $sysentry;
2382 | 		foreach $sysentry (qw(LogLevel LogPrefix LogLimit LogBurst Limit Burst AccountPrefix)) {
2383 | 			if (@{$$arrayref{"UIF".$sysentry}}[0]) {
2384 | 				$$Sysconfig{$sysentry}=@{$$arrayref{"UIF".$sysentry}}[0];
2385 | 			}
2386 | 		}
2387 | 	}
2388 | 
2389 | 	$mesg = $ldap->search (	base => $ldapbase,
2390 | 				filter => "objectClass=ipNetwork");
2391 | 	if ($mesg->is_error) {
2392 | 		die "ldapsearch (network) failed\n";
2393 | 	}
2394 | 	$result=$mesg->as_struct;
2395 | 	foreach $entry (keys (%$result)) {
2396 | 		my $arrayref = $$result{$entry};
2397 | 		my $name = @{$$arrayref{'cn'}}[0];
2398 | 		my $netaddress = @{$$arrayref{'ipnetworknumber'}}[0];
2399 | 		my $netmask = @{$$arrayref{'ipnetmasknumber'}}[0];
2400 | 		die "undefined netmask\n" unless defined($netmask);
2401 | 		$$Networks{$name}.="$netaddress/$netmask ";
2402 | 	}
2403 | 
2404 | 	$mesg = $ldap->search (	base => $ldapbase,
2405 | 				filter => "objectClass=ipHost");
2406 | 	if ($mesg->is_error) {
2407 | 		die "ldapsearch (iphost) failed\n";
2408 | 	}
2409 | 	$result=$mesg->as_struct;
2410 | 	foreach $entry (keys (%$result)) {
2411 | 		my $arrayref = $$result{$entry};
2412 | 		my $name = @{$$arrayref{'cn'}}[0];
2413 | 		my $hostaddress = @{$$arrayref{'iphostnumber'}}[0];
2414 | 		if (exists($$arrayref{'macaddress'})) {
2415 | 			$$Networks{$name}.="$hostaddress/32=@{$$arrayref{'macaddress'}}[0] ";
2416 | 		} else {
2417 | 			$$Networks{$name}.="$hostaddress/32 ";
2418 | 		}
2419 | 	}
2420 | 
2421 | 	$mesg = $ldap->search (	base => "ou=Filter,ou=Sysconfig,$ldapbase",
2422 | 				filter => "objectClass=UIFGroup");
2423 | 	if ($mesg->is_error) {
2424 | 		die "ldapsearch (group) failed\n";
2425 | 	}
2426 | 	$result=$mesg->as_struct;
2427 | 	foreach $entry (keys (%$result)) {
2428 | 		my $arrayref = $$result{$entry};
2429 | 		my $name = @{$$arrayref{'cn'}}[0];
2430 | 		if (exists($$arrayref{'uifnetwork'})) {
2431 | 			$$Networks{$name}.=join (" ", @{$$arrayref{'uifnetwork'}})." ";
2432 | 		}
2433 | 		if (exists($$arrayref{'uifservice'})) {
2434 | 			$$Services{$name}.=join (" ", @{$$arrayref{'uifservice'}})." ";
2435 | 		}
2436 | 		if (exists($$arrayref{'uifdevice'})) {
2437 | 			$$Interfaces{$name}.=join (" ", @{$$arrayref{'uifdevice'}})." ";
2438 | 		}
2439 | 		if (exists($$arrayref{'uifmark'})) {
2440 | 			$$Marker{$name}.=join (" ", @{$$arrayref{'uifmark'}})." ";
2441 | 		}
2442 | 	}
2443 | 
2444 | 	$mesg = $ldap->search (	base => $ldapbase,
2445 | 				filter => "objectClass=ipProtocol");
2446 | 	if ($mesg->is_error) {
2447 | 		die "ldapsearch (protocol) failed\n";
2448 | 	}
2449 | 	$result=$mesg->as_struct;
2450 | 	foreach $entry (keys (%$result)) {
2451 | 		my $arrayref = $$result{$entry};
2452 | 		my $name = @{$$arrayref{'cn'}}[0];
2453 | 		my $number = @{$$arrayref{'ipprotocolnumber'}}[0];
2454 | 		$$Protocols{$name}=$number;
2455 | 		$$Protocols{$number}=$name;
2456 | 	}
2457 | 
2458 | 	$mesg = $ldap->search (	base => "ou=Filter,ou=Sysconfig,$ldapbase",
2459 | 				filter => "objectClass=UIFRule");
2460 | 	if ($mesg->is_error) {
2461 | 		die "ldapsearch (rule) failed\n";
2462 | 	}
2463 | 	$result=$mesg->as_struct;
2464 | 	foreach $entry (keys (%$result)) {
2465 | 		my $arrayref = $$result{$entry};
2466 | 		my $name = @{$$arrayref{'cn'}}[0];
2467 | 		if (exists($fwruleset{$name})) {
2468 | 			my $type=@{$$arrayref{'uiftype'}}[0];
2469 | 			my %temphash;
2470 | 			$temphash{'Id'} = $name;
2471 | 			if ($type =~ /^\s*(\w+([-+|>]|{\w+}))$/) {
2472 | 				my $type = $1;
2473 | 				$temphash{'Type'}=$type;
2474 | 			} else {
2475 | 				die "invalid ruletype: $type\n";
2476 | 			}
2477 | 			my $entry;
2478 | 			foreach $entry (keys(%ldapstringmap)) {
2479 | 				if (exists($$arrayref{$entry})) {
2480 | 					foreach (@{$$arrayref{$entry}}) {
2481 | 						$temphash{$ldapstringmap{$entry}}.="$_ ";
2482 | 					}
2483 | 				}
2484 | 			}
2485 | 			$$Rules[$fwruleset{$name}]=\%temphash;
2486 | 		}
2487 | 	}
2488 | }
2489 | 
2490 | sub writeLdap {
2491 | 	my ($ldap, $ldapbase, $writeldapruleset, $Networks, $Services, $Interfaces, $Protocols, $Rules, $Sysconfig, $Marker) = @_;
2492 | 
2493 | 	validateSysconfig $Sysconfig;
2494 | 
2495 | 	my $mesg;
2496 | 	my $ruleset;
2497 | 
2498 | 	$mesg = $ldap->search (	base => "ou=Filter,ou=Sysconfig,$ldapbase",
2499 | 				filter => "objectClass=UIFRule");
2500 | 	if ($mesg->is_error) {
2501 | 		die "ldapsearch failed\n";
2502 | 	}
2503 | 
2504 | 	my $counter;
2505 | 	my $result;
2506 | 	$result=$mesg->as_struct;
2507 | 
2508 | 	my $cn;
2509 | 	my $maxcn=0;
2510 | 	my $entry;
2511 | 	foreach $entry (keys (%$result)) {
2512 | 		my $arrayref = $$result{$entry};
2513 | 		$cn=@{$$arrayref{'cn'}}[0];
2514 | 		if ($cn =~ /^\d+$/) {
2515 | 			if ($cn > $maxcn) {
2516 | 				$maxcn=$cn;
2517 | 			}
2518 | 		}
2519 | 	}
2520 | 	my $cns;
2521 | 
2522 | 	my $rule;
2523 | 	foreach $rule (@$Rules) {
2524 | 		$cns.=++$maxcn." ";
2525 | 
2526 | 		my @ruleentry = ("cn", "$maxcn", "objectClass", "UIFRule");
2527 | 		my $key;
2528 | 		foreach $key (keys %$rule) {
2529 | 			exists($ldapwritemap{$key}) || next;
2530 | 			my @entries;
2531 | 			foreach $entry (split (/\s+/, $$rule{$key})) {
2532 | 				$entry eq '' && next;
2533 | 				push (@entries, $entry);
2534 | 			}
2535 | 			push (@ruleentry, $ldapwritemap{$key});
2536 | 			push (@ruleentry, \@entries);
2537 | 		}
2538 | 		addLdap ($ldap, "cn=$maxcn,ou=Rules,ou=Filter,ou=Sysconfig,$ldapbase", \@ruleentry);
2539 | 	}
2540 | 
2541 | 	if ($cns) {
2542 | 		my @ruleset = ("cn", "$writeldapruleset", "objectClass", "UIFRuleSet");
2543 | 		push (@ruleset, 'UIFList');
2544 | 		push (@ruleset, $cns);
2545 | 
2546 | 		my $syskeys;
2547 | 		foreach $syskeys (keys %$Sysconfig) {
2548 | 			push (@ruleset, "UIF$syskeys");
2549 | 			push (@ruleset, $$Sysconfig{$syskeys});
2550 | 		}
2551 | 		addLdap ($ldap, "cn=$writeldapruleset,ou=RuleSets,ou=Filter,ou=Sysconfig,$ldapbase", \@ruleset);
2552 | 	}
2553 | 	my $network;
2554 | 	foreach $network (keys (%$Networks)) {
2555 | 		my $counter="";
2556 | 		my @entry;
2557 | 		my @networks;
2558 | 		my $nethost;
2559 | 
2560 | 		foreach $nethost (split (/\s+/, $$Networks{$network})) {
2561 | 			$nethost eq '' && next;
2562 | 
2563 | 			$nethost =~ s/\/32//g;
2564 | 			$nethost =~ s/\/255.255.255.255//g;
2565 | 			if ($nethost =~ /\//) {
2566 | 				@entry = ("cn", "$network$counter", "objectClass", "ipNetwork");
2567 | 				my $ip;
2568 | 				if ($ipv6) {
2569 | 					$ip = NetAddr::IP->new6($nethost) || die "not a valid network: $nethost\n";
2570 | 				} else {
2571 | 					$ip = NetAddr::IP->new($nethost) || die "not a valid network: $nethost\n";
2572 | 				}
2573 | 				push (@entry, "ipNetworkNumber");
2574 | 				push (@entry, $ip->addr());
2575 | 				push (@entry, "ipNetmaskNumber");
2576 | 				push (@entry, $ip->mask());
2577 | 				addLdap ($ldap, "cn=$network$counter,ou=Networks,$ldapbase", \@entry);
2578 | 				push (@networks, "$network$counter");
2579 | 				if ($counter) {
2580 | 					$counter++;
2581 | 				} else {
2582 | 					$counter=1;
2583 | 				}
2584 | 			} elsif ($nethost =~ /[.]/) {
2585 | 				@entry = ("cn", "$network$counter", "objectClass", [ 	"ipHost",
2586 | 										"ieee802device",
2587 | 										"device" ]);
2588 | 				my $ip;
2589 | 				my $mac;
2590 | 				if ($nethost =~ /^(.+)=(.+)$/) {
2591 | 					$mac=$2;
2592 | 					if ($ipv6) {
2593 | 						$ip = NetAddr::IP->new6($1) || die "not a valid network: $1\n";
2594 | 					} else {
2595 | 						$ip = NetAddr::IP->new($1) || die "not a valid network: $1\n";
2596 | 					}
2597 | 				} else {
2598 | 					if ($ipv6) {
2599 | 						$ip = NetAddr::IP->new6($nethost) || die "not a valid network: $nethost\n";
2600 | 					} else {
2601 | 						$ip = NetAddr::IP->new($nethost) || die "not a valid network: $nethost\n";
2602 | 					}
2603 | 				}
2604 | 				push (@entry, "ipHostNumber");
2605 | 				push (@entry, $ip->addr());
2606 | 				if ($mac) {
2607 | 					push (@entry, "macAddress");
2608 | 					push (@entry, $mac);
2609 | 				}
2610 | 				addLdap ($ldap, "cn=$network$counter,ou=Hosts,$ldapbase", \@entry);
2611 | 				push (@networks, "$network$counter");
2612 | 				if ($counter) {
2613 | 					$counter++;
2614 | 				} else {
2615 | 					$counter=1;
2616 | 				}
2617 | 			} else {
2618 | 				push (@networks, $nethost);
2619 | 			}
2620 | 		}
2621 | 		if ($#networks > 0) {
2622 | 			@entry = ("cn", "$network", "objectClass", "UIFGroup", "UIFNetwork", \@networks);
2623 | 			addLdap ($ldap, "cn=$network,ou=NetGroups,ou=Filter,ou=sysconfig,$ldapbase", \@entry);
2624 | 		}
2625 | 	}
2626 | 
2627 | 	my $service;
2628 | 	foreach $service (keys (%$Services)) {
2629 | 		my @entry;
2630 | 		my $serviceentry;
2631 | 		@entry = ("cn", $service, "objectClass", "UIFGroup");
2632 | 		my @services;
2633 | 		foreach $serviceentry (split (/\s+/, $$Services{$service})) {
2634 | 			$serviceentry eq '' && next;
2635 | 			push (@services, $serviceentry);
2636 | 		}
2637 | 		push (@entry, "UIFService");
2638 | 		push (@entry, \@services);
2639 | 		addLdap ($ldap, "cn=$service,ou=Services,ou=Filter,ou=sysconfig,$ldapbase", \@entry);
2640 | 	}
2641 | 
2642 | 	my $interface;
2643 | 	foreach $interface (keys (%$Interfaces)) {
2644 | 		my @entry;
2645 | 		my $interfaceentry;
2646 | 		@entry = ("cn", $interface, "objectClass", "UIFGroup");
2647 | 		my @interfaces;
2648 | 		foreach $interfaceentry (split (/\s+/, $$Interfaces{$interface})) {
2649 | 			$interfaceentry eq '' && next;
2650 | 			push (@interfaces, $interfaceentry);
2651 | 		}
2652 | 		push (@entry, "UIFDevice");
2653 | 		push (@entry, \@interfaces);
2654 | 		addLdap ($ldap, "cn=$interface,ou=Interfaces,ou=Filter,ou=sysconfig,$ldapbase", \@entry);
2655 | 	}
2656 | 
2657 | 	my $marker;
2658 | 	foreach $marker (keys (%$Marker)) {
2659 | 		my @entry;
2660 | 		my $markerentry;
2661 | 		@entry = ("cn", $marker, "objectClass", "UIFGroup");
2662 | 		my @markervalues;
2663 | 		foreach $markerentry (split (/\s+/, $$Marker{$marker})) {
2664 | 			$markerentry eq '' && next;
2665 | 			push (@markervalues, $markerentry);
2666 | 		}
2667 | 		push (@entry, "UIFMark");
2668 | 		push (@entry, \@markervalues);
2669 | 		addLdap ($ldap, "cn=$marker,ou=Marker,ou=Filter,ou=sysconfig,$ldapbase", \@entry);
2670 | 	}
2671 | 
2672 | 	cleanupLdap ($ldap, $ldapbase);
2673 | }
2674 | 
2675 | sub addLdap {
2676 | 	my ($ldap, $dn, $attr) = @_;
2677 | 	my $mesg;
2678 | 
2679 | 	$ldap->delete ($dn);
2680 | 
2681 | 	$mesg = $ldap->add (	$dn,
2682 | 				attr => $attr
2683 | 			   );
2684 | 
2685 | 	if ($mesg->is_error) {
2686 | 		die "adding rule failed: ".$mesg->error."\n";
2687 | 	}
2688 | }
2689 | 
2690 | sub writeConfig {
2691 | 	my ($configfile, $Networks, $Services, $Interfaces, $Protocols, $Rules, $Sysconfig, $Marker) = @_;
2692 | 
2693 | 	-e $configfile && die "$configfile already exists\n";
2694 | 	open (OUTFILE, ">$configfile") || die "can't open $configfile\n";
2695 | 	print OUTFILE "sysconfig {\n";
2696 | 	foreach (keys (%$Sysconfig)) {
2697 | 		print OUTFILE "\t$_\t$$Sysconfig{$_}\n";
2698 | 	}
2699 | 	print OUTFILE "}\n";
2700 | 	print OUTFILE "service {\n";
2701 | 	foreach (keys (%$Services)) {
2702 | 		print OUTFILE "\t$_\t$$Services{$_}\n";
2703 | 	}
2704 | 	print OUTFILE "}\n";
2705 | 	print OUTFILE "network {\n";
2706 | 	foreach (keys (%$Networks)) {
2707 | 		print OUTFILE "\t$_\t$$Networks{$_}\n";
2708 | 	}
2709 | 	print OUTFILE "}\n";
2710 | 	print OUTFILE "interface {\n";
2711 | 	foreach (keys (%$Interfaces)) {
2712 | 		print OUTFILE "\t$_\t$$Interfaces{$_}\n";
2713 | 	}
2714 | 	print OUTFILE "}\n";
2715 | 	print OUTFILE "marker {\n";
2716 | 	foreach (keys (%$Marker)) {
2717 | 		print OUTFILE "\t$_\t$$Marker{$_}\n";
2718 | 	}
2719 | 	print OUTFILE "}\n";
2720 | 	print OUTFILE "filter {\n";
2721 | 	my $rule;
2722 | 	foreach $rule (@$Rules) {
2723 | 		print OUTFILE "\t${$rule}{'Type'}";
2724 | 		my $entry;
2725 | 		foreach $entry (@mapping) {
2726 | 			my $key=$$entry[2];
2727 | 			if (exists($$rule{$key}) && $$entry[0] ne '') {
2728 | 				my $char=$$entry[0];
2729 | 				my $value=${$rule}{$key};
2730 | 				$value =~ s/^\s+//;
2731 | 				$value =~ s/\s+$//;
2732 | 				$value =~ s/\s+/ /g;
2733 | 				$value =~ tr/ /,/;
2734 | 				print OUTFILE "\t$char=$value";
2735 | 			}
2736 | 		}
2737 | 		print OUTFILE "\n";
2738 | 	}
2739 | 	print OUTFILE "}\n";
2740 | }
2741 | 
2742 | readCommandLine();
2743 | 


--------------------------------------------------------------------------------