#!/bin/sh
#------------------------------------------------------------------------------
# __FLI4LVER__
# /srv/www/include/firewall_functions.inc
# Creation: 15.05.2005 HH
# Last Update: $Id$
#------------------------------------------------------------------------------
# This file is meant to be sourced by a CGI; the helper sets $cgi_helper.
[ "$cgi_helper" ] || exit 1 # must not be called standalone

# FORM_fwdebug=yes (presumably taken from the request by the CGI helper)
# switches firewall rule debugging on and turns the page reload into a no-op
# so the debug output is not replaced.
if [ "$FORM_fwdebug" = yes ]; then
  FWRULES_DO_DEBUG=yes # set firewall debugging
  reload () # don't reload site
  {
    return
  }
fi

# Load the shared helper libraries (do_rule, mangle_ip_params and friends
# are not defined in this file, they are expected to come from here).
. /etc/boot.d/base-helper
. /etc/rc.d/fwrules-helper
SCRIPT=portfw.cgi
# helper functions for portforwarding
#######################################
# Collect the match names that are both enabled (a variable <name>_p='yes'
# exists) and referenced as "<name>:" somewhere in /etc/portfw.conf.
# "prot" is always the first entry; "tmpl" is always tried.
# Globals:  matches  (written) - space separated list starting with "prot"
#           match_nr (written) - number of entries in $matches
# Note: depends on `set` printing values single-quoted ('yes') the way
# ash/dash do.
#######################################
get_active_matches ()
{
  matches=prot
  match_nr=1
  for i in tmpl $(set | sed -n -e "s/^\([a-z][a-z]*\)_p='yes'.*/\1/p"); do
    # prot is already in the list, its flag must not be counted twice
    [ "$i" = prot ] && continue
    # keep only names that actually appear as a key in portfw.conf
    if grep -q -e "^$i:" -e "[[:space:]]$i:" /etc/portfw.conf; then
      matches="$matches $i"
      match_nr=$((match_nr + 1))
    fi
  done
}
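#######################################
# Collect every enabled match name (a variable <name>_p='yes' exists),
# regardless of whether /etc/portfw.conf uses it.
# Globals:  matches  (written) - "tmpl" followed by the enabled names
#           match_nr (written) - number of entries in $matches
# match_nr used to be derived from a second, looser pattern
# (grep -c "_p='yes'" over the whole `set` output), so any line merely
# containing that text - a variable whose prefix is not purely [a-z], or a
# function body - was counted but never listed.  Counting the words of
# $matches keeps the two in step by construction.
#######################################
get_all_matches ()
{
  matches="tmpl $(set | sed -n -e "s/^\([a-z]\+\)_p='yes'.*/\1/p")"
  # the function's own positional parameters are free scratch space here
  set -- $matches
  match_nr=$#
}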
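#######################################
# Empty the variable named by $1 when it holds a catch-all address
# (any or 0.0.0.0/0), so callers see "" instead of a wildcard.
# Arguments: $1 - name of a shell variable.  It is expanded via eval, so
#                 only a plain identifier is accepted; anything else would
#                 be executed as shell code and is rejected instead.
# Globals:   name, ip (scratch, left set); the variable $1 (possibly cleared)
# Returns:   0 normally, 1 if $1 is not a valid variable name
#######################################
pfw_fixup_ip ()
{
  name=$1
  # eval below would run whatever $1 contains - accept identifiers only
  case $name in
    '' | [0-9]* | *[!A-Za-z0-9_]*) return 1 ;;
  esac
  eval ip=\$$name
  case $ip in
    any | 0.0.0.0/0) eval "$name=" ;;
  esac
}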
# initial state of the match bookkeeping used by get_*_matches, plus the
# protocol default (default_prot is not referenced in this part of the file)
match_nr=0
matches=
default_prot=tcp
#------- Firewall GUI Functions -------------------------------------------------------
#######################################
# Reset the per-rule GUI variables to empty and mark the rule as erroneous;
# rule_error stays "yes" until reset_rule_error clears it.
# Globals: prot if_in if_out sport dport action orig_tmpl_name (cleared)
#          rule_error (set to yes)
#######################################
init_vars ()
{
  prot= if_in= if_out= sport= dport=
  action= orig_tmpl_name=
  rule_error=yes
}
# Clear rule_error (set to yes by init_vars).  Passed by name as the last
# argument of do_rule in check_rule, presumably to be run once the rule
# has been accepted.
reset_rule_error ()
{
  rule_error=''
}
#######################################
# Run $pf_rule through do_rule (nat/PREROUTING, command A) with all output
# discarded, then copy the parsed pieces into the GUI variables.
# Globals: pf_rule (read); rule_error stays "yes" unless do_rule called
#          reset_rule_error (presumably on success); see get_params for
#          the variables it writes.
#######################################
check_rule ()
{
  init_vars
  do_rule nat PREROUTING A "$pf_rule" '' reset_rule_error >/dev/null 2>&1
  get_params
}
# Callback handed to do_rule by check_and_exec_portfw_rule: mark the rule as
# valid, then install it via exec_portfw_rule (defined elsewhere).
reset_and_exec ()
{
  reset_rule_error
  exec_portfw_rule
}
#######################################
# Append one port-forwarding rule to $pf_rule, in the form
#   "[ src][:sport] dst[:dport] DNAT:rip[:rport]"
# $pf_rule is extended, not replaced - callers are expected to reset it.
# Arguments: $1 src, $2 sport, $3 dst, $4 dport, $5 rip, $6 rport
# Globals:   src dst rip are set from the arguments; sport dport rport are
#            set from the arguments and get a leading ":" when non-empty
# NOTE(review): with an empty src but a non-empty sport, ":sport" is glued
# directly onto the previous content of $pf_rule - confirm callers never
# pass that combination.
#######################################
create_rule ()
{
  src=$1 sport=$2 dst=$3 dport=$4 rip=$5 rport=$6
  if [ -n "$src" ]; then
    pf_rule="$pf_rule $src"
  fi
  # prefix the separator here so that empty ports vanish from the rule
  [ -z "$sport" ] || sport=":$sport"
  [ -z "$dport" ] || dport=":$dport"
  [ -z "$rport" ] || rport=":$rport"
  pf_rule="$pf_rule$sport $dst$dport DNAT:$rip$rport"
}
#######################################
# Install $pf_rule via do_rule.  A rule containing the word "dynamic" is
# handed to do_rule once per address read from /var/run/*.ip (one file per
# dynamic interface, presumably), with pf_ip set for each pass; if no such
# file exists the rule is flagged as an error instead.
# Arguments: $1 - do_rule command letter (check_rule uses A)
# Globals:   pf_rule (read); pf_type (dynamic|static), pf_ip, iplist and
#            rule_error (written)
# Returns:   0 when rule_error is empty afterwards, 1 otherwise
#######################################
check_and_exec_portfw_rule ()
{
  init_vars
  case $pf_rule in
    *dynamic*)
      if ls /var/run/*.ip >/dev/null 2>&1; then
        pf_type=dynamic
        iplist=$(cat /var/run/*.ip)
        # word-split on purpose: one address per word
        for pf_ip in $iplist; do
          do_rule nat PREROUTING "$1" "$pf_rule" '' reset_and_exec
        done
      else
        rule_error=yes
      fi
      ;;
    *)
      pf_type=static
      do_rule nat PREROUTING "$1" "$pf_rule" '' reset_and_exec
      ;;
  esac
  # exit status of the test doubles as the return value
  [ -z "$rule_error" ]
}
#######################################
# Copy the values do_rule left behind into the variables the GUI displays,
# stripping the iptables option syntax back to bare values.
# Globals (read):    proto if_in_negopt if_in if_out_negopt if_out
#                    src_port_opt src dst dport action; ip port (set by
#                    mangle_ip_params, presumably from "ip[:port]")
# Globals (written): prot if_in if_out sport src dst dport action rip rport
#######################################
get_params ()
{
  # restrictions:
  prot=$proto
  # negation option and interface name joined, all blanks removed
  if_in=$(echo $if_in_negopt$if_in | sed 's/ //g')
  if_out=$(echo $if_out_negopt$if_out | sed 's/ //g')
  # still missing match-opts: state, mac, limit, length, ...
  # "-m multiport --source-ports X" / "--source-port X" -> "X"
  sport=$(echo $src_port_opt | sed -e 's/-m multiport --source-ports//' \
                                    -e 's/--source-port//' \
                                    -e 's/ //g')
  # self-assignments, kept for debugging purposes only
  src=$src
  dst=$dst
  dport=$dport
  action=$action
  # strip the "DNAT:" prefix and let mangle_ip_params split the rest
  mangle_ip_params $(echo $action | sed -e 's/DNAT://')
  rip=$ip
  rport=$port
}
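#######################################
# Render the error page: header, back link and the captured parser output
# from /tmp/pfcgi.$$, HTML-escaped via htmlspecialchars.
# Globals: _PF_portforwarding, _MN_err (localized strings, read)
# NOTE(review): /tmp/pfcgi.$$ is a predictable name in a world-writable
# directory; this function only reads it and the writer is not visible here.
# A mktemp-generated name, created by the writer, would remove the guessable
# path - confirm against the code that produces the file.
#######################################
show_rule_error ()
{
  show_html_header "$_PF_portforwarding"
  show_backlink
  echo "
"
  # feed the file straight into the escaper rather than through cat
  show_error "$_MN_err" "
$(htmlspecialchars < "/tmp/pfcgi.$$")"
  show_html_footer
}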