]>
Commit | Line | Data |
---|---|---|
1 | package PVE::Service::pve_firewall; | |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | use PVE::SafeSyslog; | |
6 | use PVE::Daemon; | |
7 | ||
8 | use Time::HiRes qw (gettimeofday); | |
9 | use PVE::Tools qw(dir_glob_foreach file_read_firstline); | |
10 | use PVE::ProcFSTools; | |
11 | use PVE::INotify; | |
12 | use PVE::Cluster qw(cfs_read_file); | |
13 | use PVE::RPCEnvironment; | |
14 | use PVE::CLIHandler; | |
15 | use PVE::Firewall; | |
16 | use PVE::FirewallSimulator; | |
17 | use Data::Dumper; | |
18 | ||
19 | use base qw(PVE::Daemon); | |
20 | ||
21 | my $cmdline = [$0, @ARGV]; | |
22 | ||
23 | my %daemon_options = (restart_on_error => 5, stop_wait_time => 5); | |
24 | ||
25 | my $daemon = __PACKAGE__->new('pve-firewall', $cmdline, %daemon_options); | |
26 | ||
27 | my $nodename = PVE::INotify::nodename(); | |
28 | ||
29 | sub init { | |
30 | ||
31 | PVE::Cluster::cfs_update(); | |
32 | ||
33 | PVE::Firewall::init(); | |
34 | } | |
35 | ||
36 | my $restart_request = 0; | |
37 | my $next_update = 0; | |
38 | ||
39 | my $cycle = 0; | |
40 | my $updatetime = 10; | |
41 | ||
42 | my $initial_memory_usage; | |
43 | ||
44 | sub shutdown { | |
45 | my ($self) = @_; | |
46 | ||
47 | syslog('info' , "server closing"); | |
48 | ||
49 | # wait for children | |
50 | 1 while (waitpid(-1, POSIX::WNOHANG()) > 0); | |
51 | ||
52 | syslog('info' , "clear firewall rules"); | |
53 | ||
54 | eval { PVE::Firewall::remove_pvefw_chains(); }; | |
55 | warn $@ if $@; | |
56 | ||
57 | $self->exit_daemon(0); | |
58 | } | |
59 | ||
60 | sub hup { | |
61 | my ($self) = @_; | |
62 | ||
63 | $restart_request = 1; | |
64 | } | |
65 | ||
66 | sub run { | |
67 | my ($self) = @_; | |
68 | ||
69 | local $SIG{'__WARN__'} = 'IGNORE'; # do not fill up logs | |
70 | ||
71 | for (;;) { # forever | |
72 | ||
73 | $next_update = time() + $updatetime; | |
74 | ||
75 | my ($ccsec, $cusec) = gettimeofday (); | |
76 | eval { | |
77 | PVE::Cluster::cfs_update(); | |
78 | PVE::Firewall::update(); | |
79 | }; | |
80 | my $err = $@; | |
81 | ||
82 | if ($err) { | |
83 | syslog('err', "status update error: $err"); | |
84 | } | |
85 | ||
86 | my ($ccsec_end, $cusec_end) = gettimeofday (); | |
87 | my $cptime = ($ccsec_end-$ccsec) + ($cusec_end - $cusec)/1000000; | |
88 | ||
89 | syslog('info', sprintf("firewall update time (%.3f seconds)", $cptime)) | |
90 | if ($cptime > 5); | |
91 | ||
92 | $cycle++; | |
93 | ||
94 | my $mem = PVE::ProcFSTools::read_memory_usage(); | |
95 | ||
96 | if (!defined($initial_memory_usage) || ($cycle < 10)) { | |
97 | $initial_memory_usage = $mem->{resident}; | |
98 | } else { | |
99 | my $diff = $mem->{resident} - $initial_memory_usage; | |
100 | if ($diff > 5*1024*1024) { | |
101 | syslog ('info', "restarting server after $cycle cycles to " . | |
102 | "reduce memory usage (free $mem->{resident} ($diff) bytes)"); | |
103 | $self->restart_daemon(); | |
104 | } | |
105 | } | |
106 | ||
107 | my $wcount = 0; | |
108 | while ((time() < $next_update) && | |
109 | ($wcount < $updatetime) && # protect against time wrap | |
110 | !$restart_request) { $wcount++; sleep (1); }; | |
111 | ||
112 | $self->restart_daemon() if $restart_request; | |
113 | } | |
114 | } | |
115 | ||
116 | $daemon->register_start_command("Start the Proxmox VE firewall service."); | |
117 | $daemon->register_restart_command(1, "Restart the Proxmox VE firewall service."); | |
118 | $daemon->register_stop_command("Stop firewall. This removes all Proxmox VE " . | |
119 | "related iptable rules. " . | |
120 | "The host is unprotected afterwards."); | |
121 | ||
122 | __PACKAGE__->register_method ({ | |
123 | name => 'status', | |
124 | path => 'status', | |
125 | method => 'GET', | |
126 | description => "Get firewall status.", | |
127 | parameters => { | |
128 | additionalProperties => 0, | |
129 | properties => {}, | |
130 | }, | |
131 | returns => { | |
132 | type => 'object', | |
133 | additionalProperties => 0, | |
134 | properties => { | |
135 | status => { | |
136 | type => 'string', | |
137 | enum => ['unknown', 'stopped', 'running'], | |
138 | }, | |
139 | enable => { | |
140 | description => "Firewall is enabled (in 'cluster.fw')", | |
141 | type => 'boolean', | |
142 | }, | |
143 | changes => { | |
144 | description => "Set when there are pending changes.", | |
145 | type => 'boolean', | |
146 | optional => 1, | |
147 | } | |
148 | }, | |
149 | }, | |
150 | code => sub { | |
151 | my ($param) = @_; | |
152 | ||
153 | local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog | |
154 | ||
155 | my $code = sub { | |
156 | ||
157 | my $status = $daemon->running() ? 'running' : 'stopped'; | |
158 | ||
159 | my $res = { status => $status }; | |
160 | ||
161 | my $verbose = 1; # show syntax errors | |
162 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef, $verbose); | |
163 | $res->{enable} = $cluster_conf->{options}->{enable} ? 1 : 0; | |
164 | ||
165 | if ($status eq 'running') { | |
166 | ||
167 | my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile($cluster_conf, undef, undef, $verbose); | |
168 | ||
169 | $verbose = 0; # do not show iptables details | |
170 | my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, $verbose); | |
171 | my ($test, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose); | |
172 | my (undef, $ruleset_changesv6) = PVE::Firewall::get_ruleset_cmdlist($rulesetv6, $verbose, "ip6tables"); | |
173 | ||
174 | $res->{changes} = ($ipset_changes || $ruleset_changes || $ruleset_changesv6) ? 1 : 0; | |
175 | } | |
176 | ||
177 | return $res; | |
178 | }; | |
179 | ||
180 | return PVE::Firewall::run_locked($code); | |
181 | }}); | |
182 | ||
183 | __PACKAGE__->register_method ({ | |
184 | name => 'compile', | |
185 | path => 'compile', | |
186 | method => 'GET', | |
187 | description => "Compile and print firewall rules. This is useful for testing.", | |
188 | parameters => { | |
189 | additionalProperties => 0, | |
190 | properties => {}, | |
191 | }, | |
192 | returns => { type => 'null' }, | |
193 | ||
194 | code => sub { | |
195 | my ($param) = @_; | |
196 | ||
197 | local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog | |
198 | ||
199 | my $code = sub { | |
200 | ||
201 | my $verbose = 1; | |
202 | ||
203 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef, $verbose); | |
204 | my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile($cluster_conf, undef, undef, $verbose); | |
205 | ||
206 | print "ipset cmdlist:\n"; | |
207 | my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, $verbose); | |
208 | ||
209 | print "\niptables cmdlist:\n"; | |
210 | my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose); | |
211 | ||
212 | print "\nip6tables cmdlist:\n"; | |
213 | my (undef, $ruleset_changesv6) = PVE::Firewall::get_ruleset_cmdlist($rulesetv6, $verbose, "ip6tables"); | |
214 | ||
215 | if ($ipset_changes || $ruleset_changes || $ruleset_changesv6) { | |
216 | print "detected changes\n"; | |
217 | } else { | |
218 | print "no changes\n"; | |
219 | } | |
220 | if (!$cluster_conf->{options}->{enable}) { | |
221 | print "firewall disabled\n"; | |
222 | } | |
223 | ||
224 | }; | |
225 | ||
226 | PVE::Firewall::run_locked($code); | |
227 | ||
228 | return undef; | |
229 | }}); | |
230 | ||
231 | __PACKAGE__->register_method ({ | |
232 | name => 'localnet', | |
233 | path => 'localnet', | |
234 | method => 'GET', | |
235 | description => "Print information about local network.", | |
236 | parameters => { | |
237 | additionalProperties => 0, | |
238 | properties => {}, | |
239 | }, | |
240 | returns => { type => 'null' }, | |
241 | code => sub { | |
242 | my ($param) = @_; | |
243 | ||
244 | local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog | |
245 | ||
246 | my $nodename = PVE::INotify::nodename(); | |
247 | print "local hostname: $nodename\n"; | |
248 | ||
249 | my $ip = PVE::Cluster::remote_node_ip($nodename); | |
250 | print "local IP address: $ip\n"; | |
251 | ||
252 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); | |
253 | ||
254 | my $localnet = PVE::Firewall::local_network() || '127.0.0.0/8'; | |
255 | print "network auto detect: $localnet\n"; | |
256 | if ($cluster_conf->{aliases}->{local_network}) { | |
257 | print "using user defined local_network: $cluster_conf->{aliases}->{local_network}->{cidr}\n"; | |
258 | } else { | |
259 | print "using detected local_network: $localnet\n"; | |
260 | } | |
261 | ||
262 | return undef; | |
263 | }}); | |
264 | ||
265 | __PACKAGE__->register_method ({ | |
266 | name => 'simulate', | |
267 | path => 'simulate', | |
268 | method => 'GET', | |
269 | description => "Simulate firewall rules. This does not simulate kernel 'routing' table. Instead, this simply assumes that routing from source zone to destination zone is possible.", | |
270 | parameters => { | |
271 | additionalProperties => 0, | |
272 | properties => { | |
273 | verbose => { | |
274 | description => "Verbose output.", | |
275 | type => 'boolean', | |
276 | optional => 1, | |
277 | default => 0, | |
278 | }, | |
279 | from => { | |
280 | description => "Source zone.", | |
281 | type => 'string', | |
282 | pattern => '(host|outside|vm\d+|ct\d+|vmbr\d+/\S+)', | |
283 | optional => 1, | |
284 | default => 'outside', | |
285 | }, | |
286 | to => { | |
287 | description => "Destination zone.", | |
288 | type => 'string', | |
289 | pattern => '(host|outside|vm\d+|ct\d+|vmbr\d+/\S+)', | |
290 | optional => 1, | |
291 | default => 'host', | |
292 | }, | |
293 | protocol => { | |
294 | description => "Protocol.", | |
295 | type => 'string', | |
296 | pattern => '(tcp|udp)', | |
297 | optional => 1, | |
298 | default => 'tcp', | |
299 | }, | |
300 | dport => { | |
301 | description => "Destination port.", | |
302 | type => 'integer', | |
303 | minValue => 1, | |
304 | maxValue => 65535, | |
305 | optional => 1, | |
306 | }, | |
307 | sport => { | |
308 | description => "Source port.", | |
309 | type => 'integer', | |
310 | minValue => 1, | |
311 | maxValue => 65535, | |
312 | optional => 1, | |
313 | }, | |
314 | source => { | |
315 | description => "Source IP address.", | |
316 | type => 'string', format => 'ipv4', | |
317 | optional => 1, | |
318 | }, | |
319 | dest => { | |
320 | description => "Destination IP address.", | |
321 | type => 'string', format => 'ipv4', | |
322 | optional => 1, | |
323 | }, | |
324 | }, | |
325 | }, | |
326 | returns => { type => 'null' }, | |
327 | code => sub { | |
328 | my ($param) = @_; | |
329 | ||
330 | local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog | |
331 | ||
332 | my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile(undef, undef, undef, $param->{verbose}); | |
333 | ||
334 | PVE::FirewallSimulator::debug($param->{verbose} || 0); | |
335 | ||
336 | my $host_ip = PVE::Cluster::remote_node_ip($nodename); | |
337 | ||
338 | PVE::FirewallSimulator::reset_trace(); | |
339 | print Dumper($ruleset) if $param->{verbose}; | |
340 | ||
341 | my $test = { | |
342 | from => $param->{from}, | |
343 | to => $param->{to}, | |
344 | proto => $param->{protocol} || 'tcp', | |
345 | source => $param->{source}, | |
346 | dest => $param->{dest}, | |
347 | dport => $param->{dport}, | |
348 | sport => $param->{sport}, | |
349 | }; | |
350 | ||
351 | if (!defined($test->{to})) { | |
352 | $test->{to} = 'host'; | |
353 | PVE::FirewallSimulator::add_trace("Set Zone: to => '$test->{to}'\n"); | |
354 | } | |
355 | if (!defined($test->{from})) { | |
356 | $test->{from} = 'outside', | |
357 | PVE::FirewallSimulator::add_trace("Set Zone: from => '$test->{from}'\n"); | |
358 | } | |
359 | ||
360 | my $vmdata = PVE::Firewall::read_local_vm_config(); | |
361 | ||
362 | print "Test packet:\n"; | |
363 | ||
364 | foreach my $k (qw(from to proto source dest dport sport)) { | |
365 | printf(" %-8s: %s\n", $k, $test->{$k}) if defined($test->{$k}); | |
366 | } | |
367 | ||
368 | $test->{action} = 'QUERY'; | |
369 | ||
370 | my $res = PVE::FirewallSimulator::simulate_firewall($ruleset, $ipset_ruleset, | |
371 | $host_ip, $vmdata, $test); | |
372 | ||
373 | print "ACTION: $res\n"; | |
374 | ||
375 | return undef; | |
376 | }}); | |
377 | ||
378 | our $cmddef = { | |
379 | start => [ __PACKAGE__, 'start', []], | |
380 | restart => [ __PACKAGE__, 'restart', []], | |
381 | stop => [ __PACKAGE__, 'stop', []], | |
382 | compile => [ __PACKAGE__, 'compile', []], | |
383 | simulate => [ __PACKAGE__, 'simulate', []], | |
384 | localnet => [ __PACKAGE__, 'localnet', []], | |
385 | status => [ __PACKAGE__, 'status', [], undef, sub { | |
386 | my $res = shift; | |
387 | my $status = ($res->{enable} ? "enabled" : "disabled") . '/' . $res->{status}; | |
388 | ||
389 | if ($res->{changes}) { | |
390 | print "Status: $status (pending changes)\n"; | |
391 | } else { | |
392 | print "Status: $status\n"; | |
393 | } | |
394 | }], | |
395 | }; | |
396 | ||
397 | 1; |