use Encode;
my $hostfw_conf_filename = "/etc/pve/local/host.fw";
-my $clusterfw_conf_filename = "/etc/pve/firewall/cluster.fw";
+my $pvefw_conf_dir = "/etc/pve/firewall";
+my $clusterfw_conf_filename = "$pvefw_conf_dir/cluster.fw";
# dynamically include PVE::QemuServer and PVE::OpenVZ
# to avoid dependency problems
return "PVEFW-$id";
}
+sub compute_ipfilter_ipset_name {
+ my ($iface) = @_;
+
+ return "ipfilter-$iface";
+}
+
sub parse_address_list {
my ($str) = @_;
}
sub ruleset_create_vm_chain {
- my ($ruleset, $chain, $options, $macaddr, $direction) = @_;
+ my ($ruleset, $chain, $options, $macaddr, $ipfilter_ipset, $direction) = @_;
ruleset_create_chain($ruleset, $chain);
my $accept = generate_nfqueue($options);
if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
ruleset_addrule($ruleset, $chain, "-m mac ! --mac-source $macaddr -j DROP");
}
+ if ($ipfilter_ipset) {
+ ruleset_addrule($ruleset, $chain, "-m set ! --match-set $ipfilter_ipset src -j DROP");
+ }
ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark
}
}
my $chain = "venet0-$vmid-$direction";
- ruleset_create_vm_chain($ruleset, $chain, $options, undef, $direction);
+ my $ipfilter_name = compute_ipfilter_ipset_name('venet0');
+ my $ipfilter_ipset = compute_ipset_chain_name($vmid, $ipfilter_name)
+ if $vmfw_conf->{ipset}->{$ipfilter_name};
+
+ ruleset_create_vm_chain($ruleset, $chain, $options, undef, $ipfilter_ipset, $direction);
ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $chain, 'venet', $direction);
my $tapchain = "$iface-$direction";
- ruleset_create_vm_chain($ruleset, $tapchain, $options, $macaddr, $direction);
+ my $ipfilter_name = compute_ipfilter_ipset_name($netid);
+ my $ipfilter_ipset = compute_ipset_chain_name($vmid, $ipfilter_name)
+ if $vmfw_conf->{ipset}->{$ipfilter_name};
+
+ ruleset_create_vm_chain($ruleset, $tapchain, $options, $macaddr, $ipfilter_ipset, $direction);
ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $tapchain, $netid, $direction, $options);
my $vmfw_conf = {};
- $dir = "/etc/pve/firewall" if !defined($dir);
+ $dir = $pvefw_conf_dir if !defined($dir);
my $filename = "$dir/$vmid.fw";
if (my $fh = IO::File->new($filename, O_RDONLY)) {
my $raw = '';
my $options = $vmfw_conf->{options};
- $raw .= &$format_options($options) if scalar(keys %$options);
+ $raw .= &$format_options($options) if $options && scalar(keys %$options);
my $aliases = $vmfw_conf->{aliases};
- $raw .= &$format_aliases($aliases) if scalar(keys %$aliases);
+ $raw .= &$format_aliases($aliases) if $aliases && scalar(keys %$aliases);
- $raw .= &$format_ipsets($vmfw_conf);
+ $raw .= &$format_ipsets($vmfw_conf) if $vmfw_conf->{ipset};
my $rules = $vmfw_conf->{rules} || [];
- if (scalar(@$rules)) {
+ if ($rules && scalar(@$rules)) {
$raw .= "[RULES]\n\n";
$raw .= &$format_rules($rules, 1);
$raw .= "\n";
}
- my $filename = "/etc/pve/firewall/$vmid.fw";
+ mkdir $pvefw_conf_dir;
+
+ my $filename = "$pvefw_conf_dir/$vmid.fw";
PVE::Tools::file_set_contents($filename, $raw);
}
my $raw = '';
my $options = $cluster_conf->{options};
- $raw .= &$format_options($options) if scalar(keys %$options);
+ $raw .= &$format_options($options) if $options && scalar(keys %$options);
my $aliases = $cluster_conf->{aliases};
- $raw .= &$format_aliases($aliases) if scalar(keys %$aliases);
+ $raw .= &$format_aliases($aliases) if $aliases && scalar(keys %$aliases);
- $raw .= &$format_ipsets($cluster_conf);
+ $raw .= &$format_ipsets($cluster_conf) if $cluster_conf->{ipset};
my $rules = $cluster_conf->{rules};
- if (scalar(@$rules)) {
+ if ($rules && scalar(@$rules)) {
$raw .= "[RULES]\n\n";
$raw .= &$format_rules($rules, 1);
$raw .= "\n";
}
- foreach my $group (sort keys %{$cluster_conf->{groups}}) {
- my $rules = $cluster_conf->{groups}->{$group};
- if (my $comment = $cluster_conf->{group_comments}->{$group}) {
- my $utf8comment = encode('utf8', $comment);
- $raw .= "[group $group] # $utf8comment\n\n";
- } else {
- $raw .= "[group $group]\n\n";
- }
+ if ($cluster_conf->{groups}) {
+ foreach my $group (sort keys %{$cluster_conf->{groups}}) {
+ my $rules = $cluster_conf->{groups}->{$group};
+ if (my $comment = $cluster_conf->{group_comments}->{$group}) {
+ my $utf8comment = encode('utf8', $comment);
+ $raw .= "[group $group] # $utf8comment\n\n";
+ } else {
+ $raw .= "[group $group]\n\n";
+ }
- $raw .= &$format_rules($rules, 0);
- $raw .= "\n";
+ $raw .= &$format_rules($rules, 0);
+ $raw .= "\n";
+ }
}
+ mkdir $pvefw_conf_dir;
PVE::Tools::file_set_contents($clusterfw_conf_filename, $raw);
}
my $raw = '';
my $options = $hostfw_conf->{options};
- $raw .= &$format_options($options) if scalar(keys %$options);
+ $raw .= &$format_options($options) if $options && scalar(keys %$options);
my $rules = $hostfw_conf->{rules};
- if (scalar(@$rules)) {
+ if ($rules && scalar(@$rules)) {
$raw .= "[RULES]\n\n";
$raw .= &$format_rules($rules, 1);
$raw .= "\n";
}
foreach my $h (qw(INPUT OUTPUT FORWARD)) {
- if (!$hooks->{$h}) {
- $cmdlist .= "-A $h -j PVEFW-$h\n";
+ my $chain = "PVEFW-$h";
+ if ($ruleset->{$chain} && !$hooks->{$h}) {
+ $cmdlist .= "-A $h -j $chain\n";
}
}
$cmdlist .= "COMMIT\n";
iptables_restore_cmdlist($cmdlist);
+
+ my $ipset_chains = ipset_get_chains();
+
+ $cmdlist = "";
+
+ foreach my $chain (keys %$ipset_chains) {
+ $cmdlist .= "flush $chain\n";
+ $cmdlist .= "destroy $chain\n";
+ }
+
+ ipset_restore_cmdlist($cmdlist) if $cmdlist;
}
sub init {
my $cluster_conf = load_clusterfw_conf();
my $cluster_options = $cluster_conf->{options};
- my $enable = $cluster_options->{enable};
-
- die "Firewall is disabled - cannot start\n" if !$enable;
-
- if (!$enable) {
+ if (!$cluster_options->{enable}) {
PVE::Firewall::remove_pvefw_chains();
return;
}