#! /usr/bin/perl -w

# vim:syntax=perl

use strict;
use lib '/usr/local/share/perl5';
use Lire::DlfSchema;
use Lire::Program qw/ :msg :dlf /;
use Lire::Firewall qw/ firewall_number2names /;
use Lire::Syslog;

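# Register this script with the Lire framework as the DLF converter for the
# "firewall" superservice (the lr_* loggers and lire_chomp come with it).
init_dlf_converter('firewall');

# Load the firewall DLF schema and build the hashref -> ASCII DLF renderer.
# The field list fixes the output column order and must agree with the keys
# the conversion loop below fills into %dlf.
my $schema  = eval { Lire::DlfSchema::load_schema( "firewall" ) };
lr_err( "failed to load firewall schema: $@" ) if $@;
my $dlf_maker = $schema->make_hashref2asciidlf_func( qw/time rule action
    protocol from_ip from_port to_ip to_port length count/ );

# Counters handed to end_dlf_converter(): input lines seen, lines emitted as
# DLF, and lines rejected as unparsable.
my ( $lines, $dlflines, $errorlines ) = ( 0, 0, 0 );

# Direct method call rather than the indirect-object form "new Lire::Syslog",
# which Perl parses ambiguously (and perlcritic flags).
my $parser = Lire::Syslog->new();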
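# Main conversion loop: one syslog line in, at most one DLF record out.
# Input is STDIN or the files named on the command line (<>).
LINE: while ( <> ) {
    lire_chomp;
    $lines++;

    # Sample records (each is a single syslog line, wrapped here):
    #Jul 18 09:14:25 firewall firewalld[130]: deny out eth1:0 72 udp
    #  20 63 172.30.0.5 192.33.4.12 1024 53 (DNS-nonauth)
    #Jul 18 09:14:27 firewall firewalld[130]: deny in pptp0 48 tcp
    #  20 128 172.30.29.1 64.4.13.170 1243 80 syn (HTTP)
    #Jul 18 09:14:31 firewall firewalld[130]: deny out eth1:0 74 udp
    #  20 63 172.30.0.5 198.32.64.12 1024 53 (DNS-nonauth)

    # Split off the syslog header (timestamp, host, process[pid]).
    my $log = eval { $parser->parse( $_ ) };
    if ( $@ ) {
        lr_warn( $@ );
        lr_notice( "failed to parse line $. as a syslog line\n" );
        $errorlines++;
        next LINE;
    }

    # Only the Firebox packet-filter daemon ("firewalld") emits the records
    # this converter understands; lines from other processes are skipped
    # and are not counted as errors.
    next LINE unless defined $log->{process} && $log->{process} eq 'firewalld';

    # Layout of the message body after the syslog header:
    #   action gdir iface size proto tos ttl from_ip to_ip from_port to_port [flags] (rule)
    # gdir is 'in' when the packet moves to a more secure zone (e.g.
    # inet->dmz, inet->lan, dmz->lan) and 'out' in the opposite direction.
    my @fields = split ' ', $log->{content};

    # Map the Firebox verdict onto the DLF action vocabulary.  A body that
    # does not start with a verdict is some other firewalld message, not a
    # packet record, and is skipped (not counted as an error).
    my %action_of = ( deny => 'denied', allow => 'permitted' );
    my $verdict = $fields[0];
    next LINE unless defined $verdict && exists $action_of{$verdict};

    # A verdict record must carry all eleven positional fields.  The former
    # "< 9" check let 9- and 10-field lines through with undef ports.
    if ( @fields < 11 ) {
        lr_warn( "invalid firewalld record at line $.: expected at least 11 fields, got "
                 . scalar( @fields ) );
        $errorlines++;
        next LINE;
    }

    # gdir, iface, tos and ttl are named for readability only; the firewall
    # DLF schema has no column for them.
    my ( undef, $gdir, $iface, $size, $proto, $tos, $ttl,
         $from_ip, $to_ip, $from_port, $to_port ) = @fields;

    # NOTE(review): the address and port fields are copied from the logged
    # packet and are therefore attacker-influenced.  Splitting on whitespace
    # guarantees they contain none, but they are not otherwise validated
    # here; the schema and firewall_number2names() are relied on to reject
    # malformed values.
    my %dlf = (
        'time'      => $log->{timestamp},
        'action'    => $action_of{$verdict},
        'length'    => $size,
        'protocol'  => $proto,
        'from_ip'   => $from_ip,
        'to_ip'     => $to_ip,
        'from_port' => $from_port,
        'to_port'   => $to_port,
        'count'     => 1,
    );

    # The rule name is the parenthesised token that ends the record.  Test
    # the match before using the capture: a failed match does not reset the
    # capture variables, so an unguarded $1 may be stale.
    $dlf{'rule'} = $log->{content} =~ / \((.+)\)/ ? $1 : undef;

    # firewall_number2names() (presumably resolves numeric protocol/port
    # values to names) and the schema renderer both die on bad input, so
    # run them together under eval and count a failure as a bad line.
    my $record = eval {
        firewall_number2names( \%dlf );
        $dlf_maker->( \%dlf );
    };
    if ( $@ ) {
        lr_warn( $@ );
        lr_warn( "cannot convert %dlf to dlf, skipping\n" );
        $errorlines++;
        next LINE;
    }

    print join( " ", @$record ), "\n";
    $dlflines++;
}

# Report totals (lines seen, converted, rejected) back to the Lire framework.
end_dlf_converter( $lines, $dlflines, $errorlines );

exit 0;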

__END__

=pod

=head1 NAME

watchguard2dlf - convert WatchGuard Firebox logs to dlf format

=head1 SYNOPSIS

B<watchguard2dlf>

=head1 DESCRIPTION

Reads WatchGuard Firebox syslog lines from standard input (or from the files
named on the command line) and writes Lire firewall DLF records to standard
output.  Only lines logged by the C<firewalld> process whose message body
starts with a C<deny> or C<allow> verdict are converted; all other lines are
skipped.  Logs from the WatchGuard Firebox SOHO are not supported, since such
a box does not use syslog.

=head1 SEE ALSO

The WatchGuard website at http://www.watchguard.com/ for some information on
the WatchGuard Firebox System.  Unfortunately, only very little information is
freely available.

=head1 VERSION

$Id: watchguard2dlf.in,v 1.3 2002/08/19 00:41:05 flacoste Exp $

=head1 COPYRIGHT

Copyright (C) 2001,2002 Joost Bekkers <joost@jodocus.org>

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program (see COPYING); if not, check with
http://www.gnu.org/copyleft/gpl.html or write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111, USA.

"Watchguard" and "Firebox" are either trademarks or registered
trademarks of WatchGuard Technologies, Inc. and/or its subsidiaries
in the United States and/or other countries.

=head1 AUTHOR

Initial code by Joost Bekkers <joost@jodocus.org>, now maintained by the
LogReport team.  Based upon the cisco_ios2dlf.in script.

=cut

# Local Variables:
# mode: cperl
# End:
