+# substitude action of rule according to action hash
+sub rule_substitude_action {
+ my ($rule, $actions) = @_;
+
+ if (my $action = $rule->{action}) {
+ $rule->{action} = $actions->{$action} if defined($actions->{$action});
+ }
+}
+
+# generate a src or dst match
+# $dir(ection) is either d or s
+sub ipt_gen_src_or_dst_match {
+ my ($adr, $dir, $ipversion, $cluster_conf, $fw_conf) = @_;
+
+ my $srcdst;
+ if ($dir eq 's') {
+ $srcdst = "src";
+ } elsif ($dir eq 'd') {
+ $srcdst = "dst";
+ } else {
+ die "ipt_gen_src_or_dst_match: invalid direction $dir \n";
+ }
+
+ my $match;
+ if ($adr =~ m/^\+/) {
+ if ($adr =~ m/^\+(${ipset_name_pattern})$/) {
+ my $name = $1;
+ my $ipset_chain;
+ if ($fw_conf && $fw_conf->{ipset}->{$name}) {
+ $ipset_chain = compute_ipset_chain_name($fw_conf->{vmid}, $name, $ipversion);
+ } elsif ($cluster_conf && $cluster_conf->{ipset}->{$name}) {
+ $ipset_chain = compute_ipset_chain_name(0, $name, $ipversion);
+ } else {
+ die "no such ipset '$name'\n";
+ }
+ $match = "-m set --match-set ${ipset_chain} ${srcdst}";
+ } else {
+ die "invalid security group name '$adr'\n";
+ }
+ } elsif ($adr =~ m/^${ip_alias_pattern}$/){
+ my $alias = lc($adr);
+ my $e = $fw_conf ? $fw_conf->{aliases}->{$alias} : undef;
+ $e = $cluster_conf->{aliases}->{$alias} if !$e && $cluster_conf;
+ die "no such alias '$adr'\n" if !$e;
+ $match = "-${dir} $e->{cidr}";
+ } elsif ($adr =~ m/\-/){
+ $match = "-m iprange --${srcdst}-range $adr";
+ } else {
+ $match = "-${dir} $adr";
+ }
+
+ return $match;
+}
+
+# convert a %rule to an array of iptables commands
+sub ipt_rule_to_cmds {
+ my ($rule, $chain, $ipversion, $cluster_conf, $fw_conf, $vmid) = @_;
+
+ die "ipt_rule_to_cmds unable to handle macro" if $rule->{macro}; #should not happen
+
+ my @match = ();
+
+ if (defined $rule->{match}) {
+ push @match, $rule->{match};
+ } else {
+ push @match, "-i $rule->{iface_in}" if $rule->{iface_in};
+ push @match, "-o $rule->{iface_out}" if $rule->{iface_out};
+
+ if ($rule->{source}) {
+ push @match, ipt_gen_src_or_dst_match($rule->{source}, 's', $ipversion, $cluster_conf, $fw_conf);
+ }
+ if ($rule->{dest}) {
+ push @match, ipt_gen_src_or_dst_match($rule->{dest}, 'd', $ipversion, $cluster_conf, $fw_conf);
+ }
+
+ if (my $proto = $rule->{proto}) {
+ push @match, "-p $proto";
+
+ my $nbdport = defined($rule->{dport}) ? parse_port_name_number_or_range($rule->{dport}, 1) : 0;
+ my $nbsport = defined($rule->{sport}) ? parse_port_name_number_or_range($rule->{sport}, 0) : 0;
+
+ my $multiport = 0;
+ $multiport++ if $nbdport > 1;
+ $multiport++ if $nbsport > 1;
+
+ push @match, "--match multiport" if $multiport;
+
+ die "multiport: option '--sports' cannot be used together with '--dports'\n"
+ if ($multiport == 2) && ($rule->{dport} ne $rule->{sport});
+
+ if ($rule->{dport}) {
+ if ($proto eq 'icmp') {
+ # Note: we use dport to store --icmp-type
+ die "unknown icmp-type '$rule->{dport}'\n"
+ if $rule->{dport} !~ /^\d+$/ && !defined($icmp_type_names->{$rule->{dport}});
+ push @match, "-m icmp --icmp-type $rule->{dport}";
+ } elsif ($proto eq 'icmpv6') {
+ # Note: we use dport to store --icmpv6-type
+ die "unknown icmpv6-type '$rule->{dport}'\n"
+ if $rule->{dport} !~ /^\d+$/ && !defined($icmpv6_type_names->{$rule->{dport}});
+ push @match, "-m icmpv6 --icmpv6-type $rule->{dport}";
+ } elsif (!$PROTOCOLS_WITH_PORTS->{$proto}) {
+ die "protocol $proto does not have ports\n";
+ } else {
+ if ($nbdport > 1) {
+ if ($multiport == 2) {
+ push @match, "--ports $rule->{dport}";
+ } else {
+ push @match, "--dports $rule->{dport}";
+ }
+ } else {
+ push @match, "--dport $rule->{dport}";
+ }
+ }
+ }
+
+ if ($rule->{sport}) {
+ die "protocol $proto does not have ports\n"
+ if !$PROTOCOLS_WITH_PORTS->{$proto};
+ if ($nbsport > 1) {
+ push @match, "--sports $rule->{sport}" if $multiport != 2;
+ } else {
+ push @match, "--sport $rule->{sport}";
+ }
+ }
+ } elsif ($rule->{dport} || $rule->{sport}) {
+ die "destination port '$rule->{dport}', but no protocol specified\n" if $rule->{dport};
+ die "source port '$rule->{sport}', but no protocol specified\n" if $rule->{sport};
+ }
+
+ push @match, "-m addrtype --dst-type $rule->{dsttype}" if $rule->{dsttype};
+ }
+ my $matchstr = scalar(@match) ? join(' ', @match) : "";
+
+ my $targetstr;
+ if (defined $rule->{target}) {
+ $targetstr = $rule->{target};
+ } else {
+ my $action = (defined $rule->{action}) ? $rule->{action} : "";
+ my $goto = 1 if $action eq 'PVEFW-SET-ACCEPT-MARK';
+ $targetstr = ($goto) ? "-g $action" : "-j $action";
+ }
+
+ my @iptcmds;
+ if (defined $rule->{log} && $rule->{log}) {
+ my $logaction = get_log_rule_base($chain, $vmid, $rule->{logmsg}, $rule->{log});
+ push @iptcmds, "-A $chain $matchstr $logaction";
+ }
+ push @iptcmds, "-A $chain $matchstr $targetstr";
+ return @iptcmds;
+}
+
+sub ruleset_generate_match {