#!/bin/bash

#Preupgrade Assistant performs system upgradability assessment
#and gathers information required for successful operating system upgrade.
#Copyright (C) 2013 Red Hat Inc.
#Jakub Mazanek <jmazanek@redhat.com>
#
#This program is free software: you can redistribute it and/or modify
#it under the terms of the GNU General Public License as published by
#the Free Software Foundation, either version 3 of the License, or
#(at your option) any later version.
#
#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#GNU General Public License for more details.
#
#You should have received a copy of the GNU General Public License
#along with this program.  If not, see <http://www.gnu.org/licenses/>.
# Shared Preupgrade Assistant helpers; presumably this is where check_applies_to,
# log_medium_risk, RESULT_FAIL, VALUE_TMP_PREUPGRADE and KICKSTART_DIR come from.
source /usr/share/preupgrade/common.sh
# Let the framework decide whether this module applies to the "iptables" package.
check_applies_to "iptables"
#END GENERATED SECTION

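# Where the human-readable explanation is written; the caller may pre-set it.
# Parameter expansion instead of an unquoted "[ -z $VAR ]" test, which would
# break (too many arguments) if the caller's value contained whitespace.
SOLUTION_FILE="${SOLUTION_FILE:-./solution.txt}"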

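# Prints the unique port numbers that iptables ACCEPTs, one per line.
# Only the ":<digit>" part of an ACCEPT rule is looked at (so a "spt:" rule
# is picked up as well).  A range printed by iptables as "dpts:5900:5903" is
# emitted as "5900-5903", which is the form the range checks further down
# (e.g. 5900-6923, 5646-5647) expect; the original only kept the low end, so
# those checks could never match.
collect_open_ports() {
  iptables -n -L \
    | awk '$1 == "ACCEPT" && /:[[:digit:]]/ {
        n = split($0, f, ":")
        lo = f[2]; sub(/[^0-9].*/, "", lo)   # digits after the first colon
        if (lo == "") next
        if (f[2] ~ /^[0-9]+$/ && n > 2 && f[3] ~ /^[0-9]/) {
          hi = f[3]; sub(/[^0-9].*/, "", hi)
          print lo "-" hi
        } else {
          print lo
        }
      }' \
    | LC_ALL=C sort -u
}

# Returns list of unique port numbers open in iptables.
# Filled one element per port; "declare -a x=$(...)" would have stored the
# whole output as a single element.  A read loop is used (rather than mapfile)
# so the script still works on the bash 3 of the system being upgraded.
declare -a open_ports=()
while IFS= read -r open_port; do
  [ -n "$open_port" ] && open_ports+=("$open_port")
done < <(collect_open_ports)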


# Paths used by the rest of the script.
DIRTYCONF_D="${VALUE_TMP_PREUPGRADE}/dirtyconf"           # copies of the old configuration land here
kickstart="${KICKSTART_DIR}/firewall-cmd"                 # kickstart fragment produced by this script
iptables="/etc/sysconfig/iptables"
ip6tables="/etc/sysconfig/ip6tables"
iptables_backup="${DIRTYCONF_D}/etc/sysconfig"            # where the copies end up (referenced in the solution text)
list_of_ports="/usr/share/preupgrade/RHEL5_7/networking/IptablesToFirewallcmd/list_of_ports"   # work file: ports already mapped to a service

# True when the kernel module named by $1 appears (as a whole word) in lsmod.
get_module () {
  local module_name=$1
  lsmod | grep -w -q "$module_name"
}

# True when port (or lo-hi range) $1 is listed in open_ports.  The argument is
# used as a grep -w pattern, so "5900" also matches an entry "5900-5903"; all
# callers pass plain digits or a lo-hi range.
check_port () {
  local wanted=$1
  grep -w -q "$wanted" < <(printf -- '%s\n' "${open_ports[@]}")
}


# Start both output files empty.
: > "$kickstart"
: > "$list_of_ports"

# "service=..." entries collected along the way; appended to the kickstart
# fragment at the very end.
declare -a additional_allowed_services=()

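# Create copies of iptables configuration for later reference.
# Each file that exists is copied under $DIRTYCONF_D keeping its full path
# (cp --parents), e.g. <DIRTYCONF_D>/etc/sysconfig/iptables.
backup_firewall_config() {
  local config_file
  for config_file in "$iptables" "$ip6tables"; do
    if [ -f "$config_file" ]; then
      # Quoted (the original was not) so a DIRTYCONF_D with whitespace is one argument.
      cp -a --parents "$config_file" "$DIRTYCONF_D"
    fi
  done
}
backup_firewall_config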


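# Check for services that require loading a kernel module.
# The four helper modules are independent of each other, so each one is tested
# with its own "if".  The original used an if/elif chain, which stopped at the
# first loaded module and silently skipped e.g. ftp/samba on a host that also
# had the tftp helper loaded.
detect_conntrack_services() {
  if get_module ip_conntrack_tftp; then
    if check_port 69; then
      echo 69 >> "$list_of_ports"
      echo -n "service=tftp " >> "$kickstart"
    else
      echo -n "service=tftp-client " >> "$kickstart"
    fi
  fi

  if get_module ip_conntrack_amanda && check_port 10080; then
    echo 10080 >> "$list_of_ports"
    echo -n "service=amanda-client " >> "$kickstart"
  fi

  if get_module ip_conntrack_ftp && check_port 21; then
    echo 21 >> "$list_of_ports"
    echo -n "service=ftp " >> "$kickstart"
  fi

  if get_module ip_conntrack_netbios_ns && check_port 137 && check_port 138; then
    echo 137 138 >> "$list_of_ports"
    # Full samba needs the session/CIFS ports as well; otherwise client only.
    if check_port 139 && check_port 445; then
      echo 139 445 >> "$list_of_ports"
      echo -n "service=samba " >> "$kickstart"
    else
      echo -n "service=samba-client " >> "$kickstart"
    fi
  fi
}
detect_conntrack_services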

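# Check for other services defined in firewall-cmd --get-services

# firewalld service name for one of the web / Identity Management ports that
# did not make up a complete freeipa-* or Satellite profile.  The original
# grepped these out of a "unique_sorted_ports" file which this script never
# creates, so nothing was ever added; the names are now kept here instead.
single_service_for_port() {
  case "$1" in
    88)  echo kerberos ;;
    123) echo ntp ;;
    464) echo kpasswd ;;
    389) echo ldap ;;
    636) echo ldaps ;;
    443) echo https ;;
    *)   return 1 ;;
  esac
}

# For every given port that is open: queue its "service=" entry in
# additional_allowed_services (one array element each; the original appended
# to element 0 with "+=string") and record the port in $list_of_ports.
add_single_services() {
  local port service
  for port in "$@"; do
    check_port "$port" || continue
    service=$(single_service_for_port "$port") || continue
    additional_allowed_services+=("service=$service ")
    echo "$port" >> "$list_of_ports"
  done
}

# Detects http/https, Red Hat Satellite 6 and FreeIPA (ldap / ldaps flavour)
# profiles; whatever related port is open but not part of a matched profile is
# added as a single service.
detect_web_and_ipa_services() {
  local profile=0   # 1 = Satellite 6, 2 = freeipa-ldap, 3 = freeipa-ldaps
  if check_port 80; then
    echo 80 >> "$list_of_ports"
    if check_port 443; then
      echo 443 >> "$list_of_ports"
      additional_allowed_services+=("service=https ")
      if check_port 5646-5647 && check_port 5671 && check_port 8140 && check_port 8080 && check_port 9090; then
        echo 5646-5647 5671 8140 8080 9090 >> "$list_of_ports"
        profile=1
        echo -n "service=RH-Satellite-6 " >> "$kickstart"
      elif check_port 88 && check_port 123 && check_port 464 && check_port 389; then
        echo 88 123 464 389 >> "$list_of_ports"
        profile=2
        echo -n "service=freeipa-ldap " >> "$kickstart"
      elif check_port 88 && check_port 123 && check_port 464 && check_port 636; then
        echo 88 123 464 636 >> "$list_of_ports"
        profile=3
        echo -n "service=freeipa-ldaps " >> "$kickstart"
      else
        add_single_services 88 123 464 389 636
      fi
    else
      echo -n "service=http " >> "$kickstart"
      add_single_services 88 123 464 389 636
    fi
  else
    add_single_services 88 123 464 389 636 443
  fi

  # Ports left over after a matched profile.
  case "$profile" in
    1) add_single_services 88 123 464 389 636 ;;
    2) add_single_services 636 ;;
    # freeipa-ldaps with 389 open is unreachable (389 selects freeipa-ldap
    # above); kept for symmetry.  The original wrote "ldaps" here for 389,
    # the mapping above gives the correct "ldap".
    3) add_single_services 389 ;;
  esac
}
detect_web_and_ipa_services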

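# True when every port (or range) given is open.
all_ports_open() {
  local port
  for port in "$@"; do
    check_port "$port" || return 1
  done
  return 0
}

# Record the given ports (as one space-separated line) in $list_of_ports and
# append "service=<name> " to the kickstart fragment.
record_service() {
  local service=$1
  shift
  echo "$@" >> "$list_of_ports"
  echo -n "service=$service " >> "$kickstart"
}

# Multi-port services that do not depend on a kernel module: Pacemaker/Corosync
# (high-availability), Bacula, oVirt/RHEV host (vdsm) and RADIUS.  Each is
# tested independently; the repeated "all open -> record" pattern is factored
# into the two helpers above.
detect_cluster_and_misc_services() {
  if all_ports_open 2224 3121 5404 5405 21064; then
    record_service high-availability 2224 3121 5404 5405 21064
  fi

  if check_port 9102; then
    echo 9102 >> "$list_of_ports"
    # Director and storage daemon ports too -> full bacula, else client only.
    if all_ports_open 9101 9103; then
      record_service bacula 9101 9103
    else
      echo -n "service=bacula-client " >> "$kickstart"
    fi
  fi

  if all_ports_open 54321 5900-6923 49152-49216; then
    record_service vdsm 54321 5900-6923 49152-49216
  fi

  if all_ports_open 1812 1813; then
    record_service radius 1812 1813
  fi
}
detect_cluster_and_misc_services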

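# Prints the firewalld service name(s) for a single well-known port, or fails
# when the port is not one we map.  631 maps to two services (ipp-client and
# ipp), as in the original.  Port 3306 was mapped to "nfs" in the original,
# which is the MySQL port; it now maps to "mysql" and 2049 carries "nfs".
known_service_for_port() {
  case "$1" in
    546)       echo dhcpv6-client ;;
    547)       echo dhcpv6 ;;
    67)        echo dhcp ;;
    53)        echo dns ;;
    7389)      echo freeipa-replication ;;
    993)       echo imaps ;;
    631)       echo ipp-client ipp ;;
    500)       echo ipsec ;;
    3260)      echo iscsi-target ;;
    16514)     echo libvirt-tls ;;
    16509)     echo libvirt ;;
    5353)      echo mdns ;;
    20048)     echo mountd ;;
    3389)      echo ms-wbt ;;
    3306)      echo mysql ;;
    2049)      echo nfs ;;
    1194)      echo openvpn ;;
    44321)     echo pmcd ;;
    44322)     echo pmproxy ;;
    44324)     echo pmwebapis ;;
    44323)     echo pmwebapi ;;
    995)       echo pop3s ;;
    5432)      echo postgresql ;;
    4011)      echo proxy-dhcp ;;
    111)       echo rpc-bind ;;
    873)       echo rsyncd ;;
    25)        echo smtp ;;
    22)        echo ssh ;;
    23)        echo telnet ;;
    51413)     echo transmission-client ;;
    5900-5903) echo vnc-server ;;
    5989)      echo wbem-https ;;
    *)         return 1 ;;
  esac
}

# Walk every open port; for those with a known single-port service write
# "service=<name> " to the kickstart fragment and record the port.
# open_ports is read through printf/read so this works both when it is a real
# array and when it is a single newline-joined string.
record_known_services() {
  local port names name
  while IFS= read -r port; do
    names=$(known_service_for_port "$port") || continue
    for name in $names; do
      echo -n "service=$name " >> "$kickstart"
    done
    echo "$port" >> "$list_of_ports"
  done < <(printf -- '%s\n' "${open_ports[@]}")
}
record_known_services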


   
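# Flush the queued "service=" entries, then leave a blank line before the
# "port=" entries (the original used "/bin/echo -e \n", i.e. two newlines).
echo -n "${additional_allowed_services[@]}" >> "$kickstart"
printf '\n\n' >> "$kickstart"

# Check for other open ports: every entry of open_ports that was not recorded
# in $list_of_ports by a service check above is written as
# "port=<port>:<proto>" (or "port=<lo>-<hi>:<proto>" for a range).
report_unlisted_ports() {
  local listed port_file port
  # $list_of_ports holds several ports on one line for multi-port services;
  # split them and compare whole lines with fixed strings, so an entry "22"
  # neither hides "2222" (the original "grep -v -f" was an unanchored regex
  # match) nor misses ports that shared a line.
  listed=$(tr ' ' '\n' < "$list_of_ports")
  # Temp file instead of a fixed "aidfile" in the current directory.
  port_file=$(mktemp) || return 1
  printf -- '%s\n' "${open_ports[@]}" > "$port_file"
  while IFS= read -r port; do
    [ -n "$port" ] || continue
    printf '%s\n' "$listed" | grep -q -x -F -- "$port" && continue
    # Look the rule up again to learn the protocol.  A range is searched by its
    # low port because iptables prints it as "dpts:lo:hi"; the second awk then
    # sees "dpts:lo:hi:proto" (4 fields) versus "dpt:port:proto" (3 fields).
    iptables -n -L \
      | grep -w -- "${port%%-*}" \
      | awk '$1 == "ACCEPT" { print $NF ":" $2 }' \
      | awk -F ':' '/:[[:digit:]]/ {
          if (NF >= 4) printf "port=%s-%s:%s ", $2, $3, $4
          else printf "port=%s:%s ", $2, $3
        }' >> "$kickstart"
  done < "$port_file"
  rm -f -- "$port_file"
}
report_unlisted_ports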

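# Explain to the user what was generated and where the copies of the old
# configuration were put (target quoted; the original left $SOLUTION_FILE bare).
echo "Simple firewall-cmd entries based on your iptables rules have been added to the Kickstart file. Ip6tables rules have not been migrated. These entries should allow your previously running services to be functional on the migrated system, but they are not a replacement of the complex firewall rules. Review and adjust the Kickstart file as needed. You will find copies of your iptables and ip6tables in the $iptables_backup/iptables and $iptables_backup/ip6tables files respectively. You can use them to modify the firewalld rules after migration. For more details on the firewalld configuration see man(5) firewalld.richlanguage" > "$SOLUTION_FILE"

log_medium_risk "Basic iptables rules will be migrated. For a further configuration, review the original $iptables and $ip6tables configuration files."

# RESULT_FAIL is expected from common.sh.  Quoted so that an unset value is an
# explicit error from "exit" instead of silently exiting with the status of
# the previous command.
exit "$RESULT_FAIL"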
