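#==============================================================================
#
# Module:  netfilter.pm
#
# Author:  Peter Sundstrom (peter@ginini.com)
#
# Purpose: Converts netfilter/iptable logs to FW1 log export format.
#
# Version: 1.0.0
#
# Source:  http://www.ginini.com/software/fwlogsum/converters/
#
#==============================================================================

use strict;
use warnings;

#########################
# CONFIGURATION SECTION #
#########################

# The following structure defines the conversion of the netfilter log prefix
# to FW1 action and rule.  You can create as many definitions as you require.
#
# The fields are:
#
#   pattern - This is a regex to match the log prefix.  It is interpolated
#             directly into a match, so regex metacharacters are significant.
#
#   action  - This is the corresponding action (accept,reject,drop)
#
#   rule    - This is an arbitrary rule number.
#
my @action = (
    {
        pattern => 'ACCEPT-PREFIX',
        action  => 'accept',
        rule    => 1,
    },
    {
        pattern => 'DROP-PREFIX',
        action  => 'drop',
        rule    => 2,
    },
);

#
# If this setting is blank, the hostname in the syslog entry will
# be used as the firewall origin, otherwise manually set the hostname here.
#
my $orig = '';

################################
# END OF CONFIGURATION SECTION #
################################

# Convert($input)
#
# Reads the netfilter/iptables syslog file named by $input and prints the
# corresponding FW1 "log" export records to STDOUT, one per netfilter line
# (lines without "IN=" are ignored), preceded by the field header line.
# Dies if $input cannot be opened or if a line matches none of the
# configured action patterns.  Lines that carry "IN=" but do not have the
# expected kernel log layout are reported on STDERR and skipped.
#
# NOTE(review): $verbose, Linecount() and ParseDate() are not defined in
# this file; they are presumably provided by the host program that loads
# this converter -- confirm before changing them.
sub Convert {
    my $input = shift;

    # Three-argument open with a lexical handle: the filename is never
    # interpreted as a mode or a pipe, whatever characters it contains.
    open my $fh, '<', $input or die "Can not open $input $!\n";

    #
    # Output FW1 logexport header (log account format)
    #
    print "num;date;time;orig;type;action;i/f_name;i/f_dir;proto;src;dst;service;s_port;icmp-type;icmp-code;rule;\n";

    my $count = 0;
    LINE: while (my $line = <$fh>) {
        next LINE unless $line =~ /IN=/;
        chomp $line;

        my ($host, $in, $out, $src, $dst, $proto) =
            $line =~ /(\S+?) kernel:.*IN=(\w*) OUT=(\w*).*SRC=(\S+) DST=(\S+).*PROTO=(\w+)/;

        # A line that does not match the layout would otherwise be emitted
        # as a record of empty fields; report it and keep the numbering of
        # the real records consecutive.
        unless (defined $proto) {
            warn "Unrecognised netfilter line at $input line $.\n";
            next LINE;
        }

        $count++;
        Linecount($count) if $verbose;

        my ($icmp_type, $icmp_code, $src_port, $dst_port);
        if ($proto eq 'ICMP') {
            ($icmp_type, $icmp_code) = $line =~ /TYPE=(\d+) CODE=(\d+)/;
        }
        else {
            ($src_port, $dst_port) = $line =~ /SPT=(\w+) DPT=(\w+)/;
        }
        # Fields that do not apply to this protocol are output as empty
        # columns rather than undef.
        for my $field ($icmp_type, $icmp_code, $src_port, $dst_port) {
            $field = '' unless defined $field;
        }

        # First configured pattern that matches the line decides the
        # FW1 action and rule number.
        my ($act, $rule);
        for my $def (@action) {
            if ($line =~ /$def->{pattern}/) {
                ($act, $rule) = @{$def}{qw(action rule)};
                last;
            }
        }
        die "No action pattern defined for line $.\n" unless $act;

        # An input interface means the packet arrived on the firewall;
        # otherwise it was locally generated or forwarded out.
        my ($direction, $interface) =
            $in ? ('inbound', $in) : ('outbound', $out);

        my ($date, $time) = ParseDate($line);
        $proto = lc $proto;
        $host  = $orig if $orig;

        print "$count;$date;$time;$host;log;$act;$interface;$direction;$proto;$src;$dst;$dst_port;$src_port;$icmp_type;$icmp_code;$rule;\n";
    }
    close $fh;
}

1;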