}
}
+sub ruleset_add_chain_policy {
+ my ($ruleset, $chain, $policy, $loglevel, $accept_action) = @_;
+
+ if ($policy eq 'ACCEPT') {
+
+ ruleset_generate_rule($ruleset, $chain, { action => 'ACCEPT' },
+ { ACCEPT => $accept_action});
+
+ } elsif ($policy eq 'DROP') {
+
+ ruleset_addrule($ruleset, $chain, "-j PVEFW-Drop");
+
+ ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"$chain-dropped: \" --log-level $loglevel")
+ if defined($loglevel);
+
+ ruleset_addrule($ruleset, $chain, "-j DROP");
+ } elsif ($policy eq 'REJECT') {
+ ruleset_addrule($ruleset, $chain, "-j PVEFW-Reject");
+
+ ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"$chain-reject: \" --log-level $loglevel")
+ if defined($loglevel);
+
+ ruleset_addrule($ruleset, $chain, "-g PVEFW-reject");
+ } else {
+ # should not happen
+ die "internal error: unknown policy '$policy'";
+ }
+}
+
sub generate_tap_rules_direction {
my ($ruleset, $groups_conf, $iface, $netid, $macaddr, $vmfw_conf, $bridge, $direction) = @_;
ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate INVALID -j DROP");
ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
- if ($direction eq 'OUT' && defined($macaddr) &&
- !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
- ruleset_addrule($ruleset, $tapchain, "-m mac ! --mac-source $macaddr -j DROP");
+ if ($direction eq 'OUT') {
+ if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
+ ruleset_addrule($ruleset, $tapchain, "-m mac ! --mac-source $macaddr -j DROP");
+ }
+ ruleset_addrule($ruleset, $tapchain, "-j MARK --set-mark 0"); # clear mark
}
foreach my $rule (@$rules) {
if ($direction eq 'OUT') {
$policy = $options->{'policy-out'} || 'ACCEPT'; # allow everything by default
} else {
- $policy = $options->{'policy-in'} || 'DROP'; # allow everything by default
+ $policy = $options->{'policy-in'} || 'DROP'; # allow nothing by default
}
- if ($policy eq 'ACCEPT') {
- if ($direction eq 'OUT') {
- ruleset_addrule($ruleset, $tapchain, "-g PVEFW-SET-ACCEPT-MARK");
- } else {
- ruleset_addrule($ruleset, $tapchain, "-j ACCEPT");
- }
- } elsif ($policy eq 'DROP') {
-
- ruleset_addrule($ruleset, $tapchain, "-j PVEFW-Drop");
-
- ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-dropped: \" --log-level $loglevel")
- if defined($loglevel);
-
- ruleset_addrule($ruleset, $tapchain, "-j DROP");
- } elsif ($policy eq 'REJECT') {
- ruleset_addrule($ruleset, $tapchain, "-j PVEFW-Reject");
-
- ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-reject: \" --log-level $loglevel")
- if defined($loglevel);
-
- ruleset_addrule($ruleset, $tapchain, "-g PVEFW-reject");
- } else {
- # should not happen
- die "internal error: unknown policy '$policy'";
- }
+ my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : "ACCEPT";
+ ruleset_add_chain_policy($ruleset, $tapchain, $policy, $loglevel, $accept_action);
# plug the tap chain to bridge chain
my $physdevdirection = $direction eq 'IN' ? "out" : "in";
}
}
-sub enablehostfw {
+sub enable_host_firewall {
my ($ruleset, $hostfw_conf, $groups_conf) = @_;
# fixme: allow security groups
ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW -m multiport --dports 5404,5405 -j ACCEPT");
ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
+ # we use RETURN because we need to check also tap rules
+ my $accept_action = 'RETURN';
+
foreach my $rule (@$rules) {
next if $rule->{type} ne 'in';
- # we use RETURN because we need to check also tap rules
- ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => 'RETURN', REJECT => "PVEFW-reject" });
+ ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" });
}
- ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"kvmhost-IN dropped: \" --log-level $loglevel")
- if defined($loglevel);
-
- ruleset_addrule($ruleset, $chain, "-j DROP");
+ # implement input policy
+ my $policy = $options->{'policy-in'} || 'DROP'; # allow nothing by default
+ ruleset_add_chain_policy($ruleset, $chain, $policy, $loglevel, $accept_action);
# host outbound firewall
$chain = "PVEFW-HOST-OUT";
ruleset_addrule($ruleset, $chain, "-p udp -m conntrack --ctstate NEW -m multiport --dports 5404,5405 -j ACCEPT");
ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
+ # we use RETURN because we may want to check other thigs later
+ $accept_action = 'RETURN';
+
foreach my $rule (@$rules) {
next if $rule->{type} ne 'out';
- # we use RETURN because we need to check also tap rules
- ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => 'RETURN', REJECT => "PVEFW-reject" });
+ ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" });
}
- ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"kvmhost-OUT dropped: \" --log-level $loglevel")
- if defined($loglevel);
-
- ruleset_addrule($ruleset, $chain, "-j DROP");
+ # implement output policy
+ $policy = $options->{'policy-out'} || 'ACCEPT'; # allow everything by default
+ ruleset_add_chain_policy($ruleset, $chain, $policy, $loglevel, $accept_action);
ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT");
ruleset_addrule($ruleset, "PVEFW-INPUT", "-j PVEFW-HOST-IN");
my $hostfw_enable = $hostfw_conf &&
!(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0));
- enablehostfw($ruleset, $hostfw_conf, $groups_conf) if $hostfw_enable;
+ enable_host_firewall($ruleset, $hostfw_conf, $groups_conf) if $hostfw_enable;
# generate firewall rules for QEMU VMs
foreach my $vmid (keys %{$vmdata->{qemu}}) {
}
}
- if ($hostfw_enable) {
- # allow traffic from lo (ourself)
- ruleset_addrule($ruleset, "PVEFW-INPUT", "-i lo -j ACCEPT");
- }
-
return $ruleset;
}