$action .= " --queue-num $1";
}
}
- $action .= " --queue-bypass";
+ $action .= " --queue-bypass" if $feature_ipset_nomatch; #need kernel 3.10
}else{
$action = "ACCEPT";
}
# fixme: allow security groups
my $options = $hostfw_conf->{options};
+ my $cluster_options = $cluster_conf->{options};
my $rules = $hostfw_conf->{rules};
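Review bot: `$cluster_options` at L11 is taken straight from `$cluster_conf->{options}` with no fallback, while compile() guards the equivalent lookup with `$hostfw_conf->{options} || {}` at L64. With a cluster config that has no options hash, the later reads at L17 (`policy_in`) and L23 (`policy_out`) only work because an rvalue dereference of an undef lexical autovivifies it; making that explicit with `my $cluster_options = $cluster_conf->{options} || {};` keeps the two code paths consistent. The enclosing function's signature is outside the hunk, so whether `$cluster_conf` itself is guaranteed defined here cannot be checked from this view. Since L17 and L23 move the inbound and outbound chain policies from the host to the cluster configuration, a comment such as `# policy_in/policy_out are cluster-wide options and are no longer read from the host config` would spare the next reader a search for where the host-level value went.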
# host inbound firewall
}
# implement input policy
- my $policy = $options->{policy_in} || 'DROP'; # allow nothing by default
+ my $policy = $cluster_options->{policy_in} || 'DROP'; # allow nothing by default
ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action);
# host outbound firewall
}
# implement output policy
- $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default
+ $policy = $cluster_options->{policy_out} || 'ACCEPT'; # allow everything by default
ruleset_add_chain_policy($ruleset, $chain, 0, $policy, $loglevel, $accept_action);
ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT");
my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog";
- if ($line =~ m/^(enable|dhcp|nosmurfs|tcpflags|allow_bridge_route|optimize):\s*(0|1)\s*$/i) {
+ if ($line =~ m/^(enable|nosmurfs|tcpflags|allow_bridge_route|optimize):\s*(0|1)\s*$/i) {
$opt = lc($1);
$value = int($2);
} elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
$opt = lc($1);
$value = $2 ? lc($3) : '';
- } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
- $opt = lc($1);
- $value = uc($3);
} elsif ($line =~ m/^(nf_conntrack_max|nf_conntrack_tcp_timeout_established):\s*(\d+)\s*$/i) {
$opt = lc($1);
$value = int($2);
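Review bot: Dropping `dhcp` from the option regex at L28 and removing the `policy_(in|out)` branch at L34-36 means a host config that still contains `dhcp: 1` or `policy_in: ACCEPT` no longer matches any branch of this parser; if the host parser's else branch ends the way the cluster parser's does at L46-48 (`die "can't parse option '$line'\n"`), such existing files now abort config parsing outright rather than having the obsolete key ignored. The tail of this parser is outside the hunk, so that is inferred from the sibling function. If the intent is a hard migration, a dedicated branch that names the problem, e.g. `} elsif ($line =~ m/^(dhcp|policy_(?:in|out)):/i) { die "option '$1' is no longer a host option, set it in the cluster config\n";`, tells the administrator what to change instead of a generic parse error; if old files should keep loading, the branch should instead warn and skip the key. Either way the change in accepted keys deserves a comment at the regex, such as `# policy_in/policy_out and dhcp moved to the cluster-level option parser`.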
if ($line =~ m/^(enable):\s*(0|1)\s*$/i) {
$opt = lc($1);
$value = int($2);
+ } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
+ $opt = lc($1);
+ $value = uc($3);
} else {
chomp $line;
die "can't parse option '$line'\n"
}
sub compile {
+ my ($cluster_conf, $hostfw_conf) = @_;
+
+ $cluster_conf = load_clusterfw_conf() if !$cluster_conf;
+ $hostfw_conf = load_hostfw_conf() if !$hostfw_conf;
+
my $vmdata = read_local_vm_config();
my $vmfw_configs = read_vm_firewall_configs($vmdata);
my $routing_table = read_proc_net_route();
- my $cluster_conf = load_clusterfw_conf();
my $ipset_ruleset = {};
generate_ipset_chains($ipset_ruleset, $cluster_conf);
ruleset_create_chain($ruleset, "PVEFW-FORWARD");
- my $hostfw_conf = load_hostfw_conf();
my $hostfw_options = $hostfw_conf->{options} || {};
generate_std_chains($ruleset, $hostfw_options);
ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o vmbr+ -j DROP");
ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i vmbr+ -j DROP");
- return wantarray ? ($ruleset, $hostfw_conf, $ipset_ruleset) : $ruleset;
+ return ($ruleset, $ipset_ruleset);
}
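Review bot: Replacing `return wantarray ? ($ruleset, $hostfw_conf, $ipset_ruleset) : $ruleset;` at L68 with the unconditional list `return ($ruleset, $ipset_ruleset);` at L69 changes what a scalar-context caller receives: a list in scalar context yields its last element, so any remaining `my $ruleset = compile();` call site would now be handed `$ipset_ruleset` instead of the iptables ruleset without any warning. The only caller visible here (L96) uses list context, but other call sites are outside this view, so either keep the scalar case, `return wantarray ? ($ruleset, $ipset_ruleset) : $ruleset;`, or audit every caller of compile() for scalar-context use. The new defaults at L53-54 also warrant a short comment above them, e.g. `# callers that already hold parsed configs pass them in; otherwise load them from disk`, since the parameters are optional and the signature gives no hint of that.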
sub get_ruleset_status {
my ($start, $verbose) = @_;
my $code = sub {
+
+ my $cluster_conf = load_clusterfw_conf();
+ my $cluster_options = $cluster_conf->{options};
+
+ my $enable = !(defined($cluster_options->{enable}) && ($cluster_options->{enable} == 0));
+
my $status = read_pvefw_status();
- my ($ruleset, $hostfw_conf, $ipset_ruleset) = compile();
+ die "Firewall is disabled - cannot start\n" if !$enable && $start;
+
+ if (!$enable) {
+ if ($status ne 'stopped') {
+ print "trying to stop firewall (firewall is disabled)\n" if $verbose;
+ PVE::Firewall::remove_pvefw_chains();
+ PVE::Firewall::save_pvefw_status('stopped');
+ }
+ print "Firewall disabled\n" if $verbose;
+ return;
+ }
+
+ my $hostfw_conf = load_hostfw_conf();
+
+ my ($ruleset, $ipset_ruleset) = compile($cluster_conf, $hostfw_conf);
if ($start || $status eq 'active') {