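package Evoauth::Iptables;

use strict;
use warnings;

use Config::Tiny;
use DBI;    # DBI->connect is called below; the original relied on it being loaded elsewhere
use Evoauth::Functions;

# Every call to iptables goes through the list form of system()/open(), so
# addresses and rule fields are passed as arguments and never through a shell.
my $IPTABLES = '/sbin/iptables';

# The configuration file carries four numbered rules ("rule1" .. "rule4").
my $RULE_COUNT = 4;

my $Config = Config::Tiny->read('/etc/evoauth/evoauth.conf')
    or die 'Cannot read /etc/evoauth/evoauth.conf: ' . Config::Tiny->errstr;

# [control] section: seconds of inactivity after which an accepted IP is removed.
my $timetorem = $Config->{control}->{timetorem};

# [bdd] section: DBI connection parameters.
my $db       = $Config->{bdd}->{db};
my $username = $Config->{bdd}->{username};
my $userpass = $Config->{bdd}->{userpass};

# The original wrote "$dbh = connect(...) && Log(...) || Log(...)": '=' binds
# looser than '&&'/'||', so $dbh received the return value of Log(), not the
# handle. Keep the handle and log on the side.
my $dbh = DBI->connect($db, $username, $userpass);
if ($dbh) {
    Evoauth::Functions::Log("La connexion a réussie.");
}
else {
    Evoauth::Functions::Log("La connexion a échoué : $DBI::errstr");
}

# [rules] section: "rule<N>" = "<dest_ip>\t<port>\t<proto>" (tab separated).
# Kept as a package variable because callers outside this file may read it.
our %conf;
for my $n (1 .. $RULE_COUNT) {
    $conf{"rule$n"} = $Config->{rules}->{"rule$n"};
}

# Run iptables with the given argument list (no shell involved).
# Returns true when iptables exited with status 0.
sub _iptables {
    my @args = @_;
    return system($IPTABLES, @args) == 0;
}

# Accept only a dotted-quad IPv4 address; anything else (undef, a prefix,
# option-looking text coming from the database or the chain listing) is
# refused before it reaches iptables or the users table.
sub _valid_ip {
    my ($ip) = @_;
    return defined $ip && $ip =~ m{\A(?:\d{1,3}\.){3}\d{1,3}\z};
}

# Like _valid_ip, but logs the rejection so a bad row is not silently skipped.
sub _check_ip {
    my ($ip) = @_;
    return 1 if _valid_ip($ip);
    my $shown = defined $ip ? $ip : '';
    Evoauth::Functions::Log("Adresse IP invalide ignoree : $shown");
    return 0;
}

# Split a "rule<N>" value into (dest_ip, port, proto).
# Returns an empty list when the rule is absent from the configuration.
sub _rule_fields {
    my ($value) = @_;
    return () unless defined $value;
    return split /\t/, $value;
}

# Remove $ip from the EVOAUTH chain and mark it disconnected (statut = 0) in
# the users table. Returns true only when both steps succeeded.
# Shared by Alter(), check_iptables() and check_timestamp(), which previously
# called an undefined &delet().
sub _drop_rule {
    my ($ip) = @_;
    return 0 unless _check_ip($ip);
    return 0 unless _iptables('-D', 'EVOAUTH', '-s', $ip, '-j', 'ACCEPT');

    # Placeholder instead of interpolating $ip into the statement text.
    my $sth = $dbh->prepare('UPDATE users SET statut = 0 WHERE ip = ?');
    my $ok  = $sth->execute($ip);
    $sth->finish();
    return $ok ? 1 : 0;
}

# Alter($action, $ip)
#   1         : accept $ip (insert ACCEPT rule, log, mail "Connexion")
#   2         : run check_iptables() and check_timestamp()
#   otherwise : remove $ip (delete rule, statut = 0, log, mail "Déconnexion")
# Always returns 0.
# The original chained Log()/Mail() onto system() with '&&'; system() returns
# 0 on success, so those notifications only fired when iptables FAILED and,
# for the removal branch, the database was only updated on failure too.
sub Alter {
    my ($action, $ip) = @_;

    if ($action == 1) {
        if (_check_ip($ip) && _iptables('-I', 'EVOAUTH', '-s', $ip, '-j', 'ACCEPT')) {
            Evoauth::Functions::Log("Ajout de $ip aux connectés.");
            Evoauth::Functions::Mail("Connexion", $ip);
        }
    }
    elsif ($action == 2) {
        check_iptables();
        check_timestamp();
    }
    else {
        if (_drop_rule($ip)) {
            Evoauth::Functions::Log("$ip [supprimee]");
            Evoauth::Functions::Mail("Déconnexion", $ip);
        }
    }
    return 0;
}

# Remove every ACCEPT rule of the EVOAUTH chain whose source address is not
# an active user (statut = 1) in the users table.
# The chain is read straight from iptables: the previous shell pipeline wrote
# to the predictable path /tmp/ips.txt from a root process and read it back
# with a bareword, unchecked 2-arg open.
sub check_iptables {
    Evoauth::Functions::Log("Suppression des règles obsolètes dans iptables.");

    open my $listing, '-|', $IPTABLES, '-L', 'EVOAUTH', '-n'
        or do {
            Evoauth::Functions::Log("L'ouverture des IPs a échoué.");
            return;
        };

    my @ips;
    while (my $line = <$listing>) {
        # "-L -n" prints: target prot opt source destination ...
        # Keep the source column of ACCEPT rules (what the old awk '$4' did).
        my @field = split ' ', $line;
        next unless @field >= 4 && $field[0] eq 'ACCEPT';
        push @ips, $field[3];
    }
    close $listing;

    my $sth = $dbh->prepare('SELECT statut FROM users WHERE ip = ?');
    for my $ip (@ips) {
        $sth->execute($ip);
        my ($statut) = $sth->fetchrow_array();
        $sth->finish();

        # No row at all, or a row that is not active: the rule is stale.
        next if defined $statut && $statut == 1;

        Evoauth::Functions::Log("$ip [supprimée]\n");
        Evoauth::Functions::Mail("Suppression", $ip);
        _drop_rule($ip);
    }
    return;
}

# Remove every active user (statut = 1) whose lastupdate is older than
# $timetorem seconds. Returns 0.
# The original compared against $conf{timetorem}, a key that is never set
# (%conf only holds the rules), so the threshold was undef and every active
# user was removed on each run; the [control] value is used here.
sub check_timestamp {
    Evoauth::Functions::Log("Suppression des règles obsolètes dans iptables.");

    # Select the columns by name instead of "SELECT *" bound by position.
    my $sth = $dbh->prepare('SELECT ip, statut, lastupdate FROM users');
    $sth->execute();

    Evoauth::Functions::Log("Vérification de la base.");
    my $now = time();

    while (my ($ip, $statut, $lastupdate) = $sth->fetchrow_array()) {
        next unless defined $statut && $statut == 1;

        # A missing lastupdate counts as "never updated", i.e. expired.
        my $idle = $now - (defined $lastupdate ? $lastupdate : 0);

        if ($idle > $timetorem) {
            if (_drop_rule($ip)) {
                Evoauth::Functions::Log("$ip [supprimée]");
                Evoauth::Functions::Mail("Suppression", $ip);
            }
        }
        else {
            Evoauth::Functions::Log("$ip [conservée]");
        }
    }
    $sth->finish();
    return 0;
}

# Control($action)
#   1         : start  - add the PREROUTING DNAT rules, create the EVOAUTH
#               chain (default DROP) and route the forwarded ports into it
#   2         : stop   - flush, detach and delete everything added by start
#   otherwise : restart (stop, then start)
# Always returns 0.
# Rules are applied in rule1..ruleN order rather than hash order so the
# resulting chains are deterministic. As in Alter(), the original's
# "system(...) && ..." chains ran their second half only on failure.
sub Control {
    my ($action) = @_;

    if ($action == 1) {
        for my $key (sort keys %conf) {
            my ($dest, $port, $proto) = _rule_fields($conf{$key}) or next;
            _iptables('-t', 'nat', '-A', 'PREROUTING', '-p', $proto, '-i', 'ppp0',
                      '--dport', $port, '-j', 'DNAT', '--to', "$dest:$port");
        }
        Evoauth::Functions::Log("1 - Regles de PREROUTING charges");

        # The DROP rule belongs to the freshly created chain; only add it
        # when chain creation succeeded.
        if (_iptables('-N', 'EVOAUTH')) {
            _iptables('-A', 'EVOAUTH', '-j', 'DROP');
        }
        Evoauth::Functions::Log("2 - Tables crées");

        for my $key (sort keys %conf) {
            my ($dest, $port, $proto) = _rule_fields($conf{$key}) or next;
            _iptables('-A', 'FORWARD', '-p', $proto, '-i', 'ppp0', '-o', 'eth0',
                      '--dport', $port, '-j', 'EVOAUTH');
        }
        Evoauth::Functions::Log("3 - Règles chargées");
        Evoauth::Functions::Log("Evoauth vient de démarrer.");
    }
    elsif ($action == 2) {
        if (_iptables('-F', 'EVOAUTH')) {
            Evoauth::Functions::Log("1 - Flush de la table EVOAUTH");
        }

        # The original used "split $value" here (splitting $_ on the rule
        # text); the rule values are tab separated like everywhere else.
        for my $key (sort keys %conf) {
            my ($dest, $port, $proto) = _rule_fields($conf{$key}) or next;
            _iptables('-D', 'FORWARD', '-p', $proto, '-i', 'ppp0', '-o', 'eth0',
                      '--dport', $port, '-j', 'EVOAUTH');
            _iptables('-t', 'nat', '-D', 'PREROUTING', '-p', $proto, '-i', 'ppp0',
                      '--dport', $port, '-j', 'DNAT', '--to', "$dest:$port");
        }
        Evoauth::Functions::Log("2 - Annulation FORWARD + PREROUTING");

        if (_iptables('-X', 'EVOAUTH')) {
            Evoauth::Functions::Log("3 - Suppression de la table EVOAUTH");
        }
        Evoauth::Functions::Log("Evoauth vient de s'arreter.");
    }
    else {
        # The original called undefined &stop()/&start(); restart is a stop
        # followed by a start.
        Control(2);
        Control(1);
        Evoauth::Functions::Log("Evoauth vient de redémarrer.");
    }
    return 0;
}

1;

__END__

=head1 NAME

Evoauth::Iptables - firewall management for Evoauth

=head1 SYNOPSIS

  use Evoauth::Iptables;

  Evoauth::Iptables::Control(1);      # load the NAT/FORWARD rules and the EVOAUTH chain
  Evoauth::Iptables::Alter(1, $ip);   # accept $ip
  Evoauth::Iptables::Alter(2);        # reconcile the chain with the users table
  Evoauth::Iptables::Alter(3, $ip);   # any value other than 1 or 2 removes $ip
  Evoauth::Iptables::Control(2);      # remove everything added by Control(1)

=head1 DESCRIPTION

Administration functions for Evoauth. The module reads
F</etc/evoauth/evoauth.conf> at load time (sections C<[control]>, C<[bdd]>
and C<[rules]>), connects to the users database through DBI and drives
F</sbin/iptables> to accept or reject forwarded traffic per source address.
Accepted addresses live in the C<EVOAUTH> chain, whose last rule is DROP.

=head2 EXPORT

Nothing is exported; call the functions by their fully qualified names.

=head1 SEE ALSO

L<Evoauth::Functions>, iptables(8)

=head1 AUTHOR

Alexandre Anriot, E<lt>aanriot@evolix.frE<gt>

=head1 COPYRIGHT AND LICENSE

Copyright (C) 2005 by Alexandre Anriot

This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself, either Perl version 5.8.6 or,
at your option, any later version of Perl 5 you may have available.

=cut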