return $etc_protocols;
}
-my $ipv4_mask_hash_clusternet = {
+my $ipv4_mask_hash_localnet = {
'255.255.0.0' => 16,
'255.255.128.0' => 17,
'255.255.192.0' => 18,
'255.255.255.252' => 30,
};
-my $cluster_network;
+my $__local_network;
-sub get_cluster_network {
+sub local_network {
+ my ($new_value) = @_;
- return $cluster_network if defined($cluster_network);
+ $__local_network = $new_value if defined($new_value);
+
+ return $__local_network if defined($__local_network);
eval {
my $nodename = PVE::INotify::nodename();
my $routes = PVE::ProcFSTools::read_proc_net_route();
foreach my $entry (@$routes) {
- my $mask = $ipv4_mask_hash_clusternet->{$entry->{mask}};
+ my $mask = $ipv4_mask_hash_localnet->{$entry->{mask}};
next if !defined($mask);
return if $mask eq '0.0.0.0';
my $cidr = "$entry->{dest}/$mask";
my $testnet = Net::IP->new($cidr);
if ($testnet->overlaps($testip)) {
- $cluster_network = $cidr;
+ $__local_network = $cidr;
return;
}
}
};
warn $@ if $@;
- return $cluster_network;
+ return $__local_network;
}
sub parse_address_list {
my $v = $entry->{$k};
next if !defined($v);
$data->{$k} = $v;
- $sha->add($k, ':', $v, "\n");
+ # Note: digest ignores refs ($rule->{errors})
+ $sha->add($k, ':', $v, "\n") if !ref($v); ;
}
push @$res, $data;
}
return $rules;
};
+my $rule_env_iface_lookup = {
+ 'ct' => 1,
+ 'vm' => 1,
+ 'group' => 0,
+ 'cluster' => 1,
+ 'host' => 1,
+};
+
sub verify_rule {
- my ($rule, $allow_groups) = @_;
+ my ($rule, $cluster_conf, $fw_conf, $rule_env, $noerr) = @_;
- my $type = $rule->{type};
+ my $allow_groups = $rule_env eq 'group' ? 0 : 1;
+
+ my $allow_iface = $rule_env_iface_lookup->{$rule_env};
+ die "unknown rule_env '$rule_env'\n" if !defined($allow_iface); # should not happen
- raise_param_exc({ type => "missing property"}) if !$type;
- raise_param_exc({ action => "missing property"}) if !$rule->{action};
-
- if ($type eq 'in' || $type eq 'out') {
- raise_param_exc({ action => "unknown action '$rule->{action}'"})
- if $rule->{action} !~ m/^(ACCEPT|DROP|REJECT)$/;
- } elsif ($type eq 'group') {
- raise_param_exc({ type => "security groups not allowed"})
- if !$allow_groups;
- raise_param_exc({ action => "invalid characters in security group name"})
- if $rule->{action} !~ m/^${security_group_name_pattern}$/;
- } else {
- raise_param_exc({ type => "unknown rule type '$type'"});
+ my $errors = $rule->{errors} || {};
+
+ my $error_count = 0;
+
+ my $add_error = sub {
+ my ($param, $msg) = @_;
+ chomp $msg;
+ raise_param_exc({ $param => $msg }) if !$noerr;
+ $error_count++;
+ $errors->{$param} = $msg if !$errors->{$param};
+ };
+
+ my $check_ipset_or_alias_property = sub {
+ my ($name) = @_;
+
+ if (my $value = $rule->{$name}) {
+ if ($value =~ m/^\+/) {
+ if ($value =~ m/^\+(${security_group_name_pattern})$/) {
+ &$add_error($name, "no such ipset '$1'")
+ if !($cluster_conf->{ipset}->{$1} || ($fw_conf && $fw_conf->{ipset}->{$1}));
+
+ } else {
+ &$add_error($name, "invalid security group name '$value'");
+ }
+ } elsif ($value =~ m/^${ip_alias_pattern}$/){
+ my $alias = lc($value);
+ &$add_error($name, "no such alias '$value'")
+ if !($cluster_conf->{aliases}->{$alias} || ($fw_conf && $fw_conf->{aliases}->{$alias}))
+ }
+ }
+ };
+
+ my $type = $rule->{type};
+ my $action = $rule->{action};
+
+ &$add_error('type', "missing property") if !$type;
+ &$add_error('action', "missing property") if !$action;
+
+ if ($type) {
+ if ($type eq 'in' || $type eq 'out') {
+ &$add_error('action', "unknown action '$action'")
+ if $action && ($action !~ m/^(ACCEPT|DROP|REJECT)$/);
+ } elsif ($type eq 'group') {
+ &$add_error('type', "security groups not allowed")
+ if !$allow_groups;
+ &$add_error('action', "invalid characters in security group name")
+ if $action && ($action !~ m/^${security_group_name_pattern}$/);
+ } else {
+ &$add_error('type', "unknown rule type '$type'");
+ }
}
if ($rule->{iface}) {
+ &$add_error('type', "parameter -i not allowed for this rule type")
+ if !$allow_iface;
eval { PVE::JSONSchema::pve_verify_iface($rule->{iface}); };
- raise_param_exc({ iface => $@ }) if $@;
- }
+ &$add_error('iface', $@) if $@;
+ if ($rule_env eq 'vm') {
+ &$add_error('iface', "value does not match the regex pattern 'net\\d+'")
+ if $rule->{iface} !~ m/^net(\d+)$/;
+ } elsif ($rule_env eq 'ct') {
+ &$add_error('iface', "value does not match the regex pattern '(venet|eth\\d+)'")
+ if $rule->{iface} !~ m/^(venet|eth(\d+))$/;
+ }
+ }
if ($rule->{macro}) {
- my $preferred_name = $pve_fw_preferred_macro_names->{lc($rule->{macro})};
- raise_param_exc({ macro => "unknown macro '$rule->{macro}'"}) if !$preferred_name;
- $rule->{macro} = $preferred_name;
+ if (my $preferred_name = $pve_fw_preferred_macro_names->{lc($rule->{macro})}) {
+ $rule->{macro} = $preferred_name;
+ } else {
+ &$add_error('macro', "unknown macro '$rule->{macro}'");
+ }
+ }
+
+ if ($rule->{proto}) {
+ eval { pve_fw_verify_protocol_spec($rule->{proto}); };
+ &$add_error('proto', $@) if $@;
}
if ($rule->{dport}) {
eval { parse_port_name_number_or_range($rule->{dport}); };
- raise_param_exc({ dport => $@ }) if $@;
+ &$add_error('dport', $@) if $@;
+ &$add_error('proto', "missing property - 'dport' requires this property")
+ if !$rule->{proto};
}
if ($rule->{sport}) {
eval { parse_port_name_number_or_range($rule->{sport}); };
- raise_param_exc({ sport => $@ }) if $@;
+ &$add_error('sport', $@) if $@;
+ &$add_error('proto', "missing property - 'sport' requires this property")
+ if !$rule->{proto};
}
if ($rule->{source}) {
eval { parse_address_list($rule->{source}); };
- raise_param_exc({ source => $@ }) if $@;
+ &$add_error('source', $@) if $@;
+ &$check_ipset_or_alias_property('source');
}
if ($rule->{dest}) {
eval { parse_address_list($rule->{dest}); };
- raise_param_exc({ dest => $@ }) if $@;
+ &$add_error('dest', $@) if $@;
+ &$check_ipset_or_alias_property('dest');
}
- if ($rule->{macro}) {
- &$apply_macro($rule->{macro}, $rule, 1);
+ if ($rule->{macro} && !$error_count) {
+ eval { &$apply_macro($rule->{macro}, $rule, 1); };
+ if (my $err = $@) {
+ if (ref($err) eq "PVE::Exception" && $err->{errors}) {
+ my $eh = $err->{errors};
+ foreach my $p (keys %$eh) {
+ &$add_error($p, $eh->{$p});
+ }
+ } else {
+ &$add_error('macro', "$err");
+ }
+ }
}
+ $rule->{errors} = $errors if $error_count;
+
return $rule;
}
} else {
$rule->{$k} = $v;
}
- } else {
- delete $rule->{$k};
}
}
- # verify rule now
-
return $rule;
}
my ($ruleset, $chain, $rule, $actions, $goto, $cluster_conf) = @_;
return if defined($rule->{enable}) && !$rule->{enable};
+ return if $rule->{errors};
die "unable to emit macro - internal error" if $rule->{macro}; # should not happen
}
}
} elsif ($rule->{dport} || $rule->{sport}) {
- warn "ignoring destination port '$rule->{dport}' - no protocol specified\n" if $rule->{dport};
- warn "ignoring source port '$rule->{sport}' - no protocol specified\n" if $rule->{sport};
+ die "destination port '$rule->{dport}', but no protocol specified\n" if $rule->{dport};
+ die "source port '$rule->{sport}', but no protocol specified\n" if $rule->{sport};
}
push @cmd, "-m addrtype --dst-type $rule->{dsttype}" if $rule->{dsttype};
my ($ruleset, $chain, $options, $cluster_conf, $loglevel) = @_;
if ($cluster_conf->{ipset}->{blacklist}){
- ruleset_addlog($ruleset, $chain, 0, "DROP: ", $loglevel, "-m set --match-set PVEFW-blacklist src");
- ruleset_addrule($ruleset, $chain, "-m set --match-set PVEFW-blacklist src -j DROP");
+ if (!ruleset_chain_exist($ruleset, "PVEFW-blacklist")) {
+ ruleset_create_chain($ruleset, "PVEFW-blacklist");
+ ruleset_addlog($ruleset, "PVEFW-blacklist", 0, "DROP: ", $loglevel) if $loglevel;
+ ruleset_addrule($ruleset, "PVEFW-blacklist", "-j DROP");
+ }
+ ruleset_addrule($ruleset, $chain, "-m set --match-set PVEFW-blacklist src -j PVEFW-blacklist");
}
if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) {
foreach my $rule (@$rules) {
next if $rule->{iface} && $rule->{iface} ne $netid;
- next if !$rule->{enable};
+ next if !$rule->{enable} || $rule->{errors};
if ($rule->{type} eq 'group') {
ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, $direction,
$direction eq 'OUT' ? 'RETURN' : $in_accept);
# we use RETURN because we need to check also tap rules
my $accept_action = 'RETURN';
+ ruleset_addrule($ruleset, $chain, "-p igmp -j $accept_action"); # important for multicast
+
# add host rules first, so that cluster wide rules can be overwritten
foreach my $rule (@$rules, @$cluster_rules) {
+ next if !$rule->{enable} || $rule->{errors};
+
$rule->{iface_in} = $rule->{iface} if $rule->{iface};
- if ($rule->{type} eq 'group') {
- ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 'IN', $accept_action);
- } elsif ($rule->{type} eq 'in') {
- ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" },
- undef, $cluster_conf);
- }
+
+ eval {
+ if ($rule->{type} eq 'group') {
+ ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 'IN', $accept_action);
+ } elsif ($rule->{type} eq 'in') {
+ ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" },
+ undef, $cluster_conf);
+ }
+ };
+ warn $@ if $@;
delete $rule->{iface_in};
}
+
+ # allow standard traffic for management ipset (includes cluster network)
+ my $mngmntsrc = "-m set --match-set PVEFW-management src";
+ ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 8006 -j $accept_action"); # PVE API
+ ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 5900:5999 -j $accept_action"); # PVE VNC Console
+ ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 3128 -j $accept_action"); # SPICE Proxy
+ ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 22 -j $accept_action"); # SSH
- my $clusternet = get_cluster_network();
+ my $localnet = local_network();
- # allow standard traffic on cluster network
- if ($clusternet) {
- ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 8006 -j $accept_action"); # PVE API
- ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 5900:5999 -j $accept_action"); # PVE VNC Console
- ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 3128 -j $accept_action"); # SPICE Proxy
- ruleset_addrule($ruleset, $chain, "-s $clusternet -p tcp --dport 22 -j $accept_action"); # SSH
-
- # corosync
- my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j $accept_action"
- ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
- ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
+ # corosync
+ if ($localnet) {
+ my $corosync_rule = "-p udp --dport 5404:5405 -j $accept_action";
+ ruleset_addrule($ruleset, $chain, "-s $localnet -d $localnet $corosync_rule");
+ ruleset_addrule($ruleset, $chain, "-s $localnet -m addrtype --dst-type MULTICAST $corosync_rule");
}
# implement input policy
# we use RETURN because we may want to check other thigs later
$accept_action = 'RETURN';
+ ruleset_addrule($ruleset, $chain, "-p igmp -j $accept_action"); # important for multicast
+
# add host rules first, so that cluster wide rules can be overwritten
foreach my $rule (@$rules, @$cluster_rules) {
+ next if !$rule->{enable} || $rule->{errors};
+
$rule->{iface_out} = $rule->{iface} if $rule->{iface};
- if ($rule->{type} eq 'group') {
- ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 'OUT', $accept_action);
- } elsif ($rule->{type} eq 'out') {
- ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" },
- undef, $cluster_conf);
- }
+ eval {
+ if ($rule->{type} eq 'group') {
+ ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 'OUT', $accept_action);
+ } elsif ($rule->{type} eq 'out') {
+ ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" },
+ undef, $cluster_conf);
+ }
+ };
+ warn $@ if $@;
delete $rule->{iface_out};
}
# allow standard traffic on cluster network
- if ($clusternet) {
- ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 8006 -j $accept_action"); # PVE API
- ruleset_addrule($ruleset, $chain, "-d $clusternet -p tcp --dport 22 -j $accept_action"); # SSH
+ if ($localnet) {
+ ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 8006 -j $accept_action"); # PVE API
+ ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 22 -j $accept_action"); # SSH
+ ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 5900:5999 -j $accept_action"); # PVE VNC Console
+ ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 3128 -j $accept_action"); # SPICE Proxy
- my $corosync_rule = "-p udp -m conntrack --ctstate NEW --dport 5404:5405 -j $accept_action";
- ruleset_addrule($ruleset, $chain, "-s $clusternet -d $clusternet $corosync_rule");
- ruleset_addrule($ruleset, $chain, "-s $clusternet -m addrtype --dst-type MULTICAST $corosync_rule");
+ my $corosync_rule = "-p udp --dport 5404:5405 -j $accept_action";
+ ruleset_addrule($ruleset, $chain, "-d $localnet $corosync_rule");
+ ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule");
}
# implement output policy
}
sub parse_fw_rule {
- my ($line, $allow_iface, $allow_groups) = @_;
-
- my ($type, $action, $macro, $iface, $source, $dest, $proto, $dport, $sport);
+ my ($prefix, $line, $cluster_conf, $fw_conf, $rule_env, $verbose) = @_;
chomp $line;
+ my $orig_line = $line;
+
+ my $rule = {};
+
# we can add single line comments to the end of the rule
- my $comment = decode('utf8', $1) if $line =~ s/#\s*(.*?)\s*$//;
+ if ($line =~ s/#\s*(.*?)\s*$//) {
+ $rule->{comment} = decode('utf8', $1);
+ }
# we can disable a rule when prefixed with '|'
- my $enable = 1;
- $enable = 0 if $line =~ s/^\|//;
+ $rule->{enable} = $line =~ s/^\|// ? 0 : 1;
$line =~ s/^(\S+)\s+(\S+)\s*// ||
die "unable to parse rule: $line\n";
-
- $type = lc($1);
- $action = $2;
-
- if ($type eq 'in' || $type eq 'out') {
- if ($action =~ m/^(ACCEPT|DROP|REJECT)$/) {
- # OK
- } elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) {
- $action = $2;
- my $preferred_name = $pve_fw_preferred_macro_names->{lc($1)};
- die "unknown macro '$1'\n" if !$preferred_name;
- $macro = $preferred_name;
- } else {
- die "unknown action '$action'\n";
+
+ $rule->{type} = lc($1);
+ $rule->{action} = $2;
+
+ if ($rule->{type} eq 'in' || $rule->{type} eq 'out') {
+ if ($rule->{action} =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) {
+ $rule->{macro} = $1;
+ $rule->{action} = $2;
}
- } elsif ($type eq 'group') {
- die "groups disabled\n" if !$allow_groups;
- die "invalid characters in group name\n" if $action !~ m/^${security_group_name_pattern}$/;
- } else {
- die "unknown rule type '$type'\n";
}
while (length($line)) {
if ($line =~ s/^-i (\S+)\s*//) {
- die "parameter -i not allowed\n" if !$allow_iface;
- $iface = $1;
- PVE::JSONSchema::pve_verify_iface($iface);
+ $rule->{iface} = $1;
next;
}
- last if $type eq 'group';
+ last if $rule->{type} eq 'group';
if ($line =~ s/^-p (\S+)\s*//) {
- $proto = $1;
- pve_fw_verify_protocol_spec($proto);
+ $rule->{proto} = $1;
next;
}
+
if ($line =~ s/^-dport (\S+)\s*//) {
- $dport = $1;
- parse_port_name_number_or_range($dport);
+ $rule->{dport} = $1;
next;
}
+
if ($line =~ s/^-sport (\S+)\s*//) {
- $sport = $1;
- parse_port_name_number_or_range($sport);
+ $rule->{sport} = $1;
next;
}
if ($line =~ s/^-source (\S+)\s*//) {
- $source = $1;
- parse_address_list($source);
+ $rule->{source} = $1;
next;
}
if ($line =~ s/^-dest (\S+)\s*//) {
- $dest = $1;
- parse_address_list($dest);
+ $rule->{dest} = $1;
next;
}
die "unable to parse rule parameters: $line\n" if length($line);
- return {
- type => $type,
- enable => $enable,
- comment => $comment,
- action => $action,
- macro => $macro,
- iface => $iface,
- source => $source,
- dest => $dest,
- proto => $proto,
- dport => $dport,
- sport => $sport,
- };
+ $rule = verify_rule($rule, $cluster_conf, $fw_conf, $rule_env, 1);
+ if ($verbose && $rule->{errors}) {
+ warn "$prefix - errors in rule parameters: $orig_line\n";
+ foreach my $p (keys %{$rule->{errors}}) {
+ warn " $p: $rule->{errors}->{$p}\n";
+ }
+ }
+
+ return $rule;
}
sub parse_vmfw_option {
return ($opt, $value);
}
-sub parse_clusterfw_alias {
+sub parse_alias {
my ($line) = @_;
# we can add single line comments to the end of the line
}
sub parse_vm_fw_rules {
- my ($filename, $fh) = @_;
+ my ($filename, $fh, $cluster_conf, $rule_env, $verbose) = @_;
- my $res = { rules => [], options => {}};
+ my $res = {
+ rules => [],
+ options => {},
+ aliases => {},
+ };
my $section;
next;
}
+ if ($section eq 'aliases') {
+ eval {
+ my $data = parse_alias($line);
+ $res->{aliases}->{lc($data->{name})} = $data;
+ };
+ warn "$prefix: $@" if $@;
+ next;
+ }
+
my $rule;
- eval { $rule = parse_fw_rule($line, 1, 1); };
+ eval { $rule = parse_fw_rule($prefix, $line, $cluster_conf, $res, $rule_env, $verbose); };
if (my $err = $@) {
warn "$prefix: $err";
next;
}
sub parse_host_fw_rules {
- my ($filename, $fh) = @_;
+ my ($filename, $fh, $cluster_conf, $verbose) = @_;
my $res = { rules => [], options => {}};
}
my $rule;
- eval { $rule = parse_fw_rule($line, 1, 1); };
+ eval { $rule = parse_fw_rule($prefix, $line, $cluster_conf, $res, 'host', $verbose); };
if (my $err = $@) {
warn "$prefix: $err";
next;
}
sub parse_cluster_fw_rules {
- my ($filename, $fh) = @_;
+ my ($filename, $fh, $verbose) = @_;
my $section;
my $group;
warn "$prefix: $@" if $@;
} elsif ($section eq 'aliases') {
eval {
- my $data = parse_clusterfw_alias($line);
+ my $data = parse_alias($line);
$res->{aliases}->{lc($data->{name})} = $data;
};
warn "$prefix: $@" if $@;
} elsif ($section eq 'rules') {
my $rule;
- eval { $rule = parse_fw_rule($line, 1, 1); };
+ eval { $rule = parse_fw_rule($prefix, $line, $res, undef, 'cluster', $verbose); };
if (my $err = $@) {
warn "$prefix: $err";
next;
push @{$res->{$section}}, $rule;
} elsif ($section eq 'groups') {
my $rule;
- eval { $rule = parse_fw_rule($line, 0, 0); };
+ eval { $rule = parse_fw_rule($prefix, $line, $res, undef, 'group', $verbose); };
if (my $err = $@) {
warn "$prefix: $err";
next;
};
sub load_vmfw_conf {
- my ($vmid, $dir) = @_;
+ my ($cluster_conf, $rule_env, $vmid, $dir, $verbose) = @_;
my $vmfw_conf = {};
my $filename = "$dir/$vmid.fw";
if (my $fh = IO::File->new($filename, O_RDONLY)) {
- $vmfw_conf = parse_vm_fw_rules($filename, $fh);
+ $vmfw_conf = parse_vm_fw_rules($filename, $fh, $cluster_conf, $rule_env, $verbose);
}
return $vmfw_conf;
my $options = $vmfw_conf->{options};
$raw .= &$format_options($options) if scalar(keys %$options);
+ my $aliases = $vmfw_conf->{aliases};
+ $raw .= &$format_aliases($aliases) if scalar(keys %$aliases);
+
my $rules = $vmfw_conf->{rules} || [];
if (scalar(@$rules)) {
$raw .= "[RULES]\n\n";
}
sub read_vm_firewall_configs {
- my ($vmdata, $dir) = @_;
+ my ($cluster_conf, $vmdata, $dir, $verbose) = @_;
my $vmfw_configs = {};
- foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) {
- my $vmfw_conf = load_vmfw_conf($vmid, $dir);
+ foreach my $vmid (keys %{$vmdata->{qemu}}) {
+ my $vmfw_conf = load_vmfw_conf($cluster_conf, 'vm', $vmid, $dir, $verbose);
+ next if !$vmfw_conf->{options}; # skip if file does not exists
+ $vmfw_configs->{$vmid} = $vmfw_conf;
+ }
+ foreach my $vmid (keys %{$vmdata->{openvz}}) {
+ my $vmfw_conf = load_vmfw_conf($cluster_conf, 'ct', $vmid, $dir, $verbose);
next if !$vmfw_conf->{options}; # skip if file does not exists
$vmfw_configs->{$vmid} = $vmfw_conf;
}
}
sub load_clusterfw_conf {
- my ($filename) = @_;
+ my ($filename, $verbose) = @_;
$filename = $clusterfw_conf_filename if !defined($filename);
my $cluster_conf = {};
if (my $fh = IO::File->new($filename, O_RDONLY)) {
- $cluster_conf = parse_cluster_fw_rules($filename, $fh);
+ $cluster_conf = parse_cluster_fw_rules($filename, $fh, $verbose);
}
return $cluster_conf;
}
sub load_hostfw_conf {
- my ($filename) = @_;
+ my ($cluster_conf, $filename, $verbose) = @_;
$filename = $hostfw_conf_filename if !defined($filename);
my $hostfw_conf = {};
if (my $fh = IO::File->new($filename, O_RDONLY)) {
- $hostfw_conf = parse_host_fw_rules($filename, $fh);
+ $hostfw_conf = parse_host_fw_rules($filename, $fh, $cluster_conf, $verbose);
}
return $hostfw_conf;
}
}
sub compile {
- my ($cluster_conf, $hostfw_conf, $vmdata) = @_;
+ my ($cluster_conf, $hostfw_conf, $vmdata, $verbose) = @_;
my $vmfw_configs;
if ($vmdata) { # test mode
my $testdir = $vmdata->{testdir} || die "no test directory specified";
my $filename = "$testdir/cluster.fw";
- die "missing test file '$filename'\n" if ! -f $filename;
- $cluster_conf = load_clusterfw_conf($filename);
+ $cluster_conf = load_clusterfw_conf($filename, $verbose);
$filename = "$testdir/host.fw";
- die "missing test file '$filename'\n" if ! -f $filename;
- $hostfw_conf = load_hostfw_conf($filename);
+ $hostfw_conf = load_hostfw_conf($cluster_conf, $filename, $verbose);
- $vmfw_configs = read_vm_firewall_configs($vmdata, $testdir);
+ $vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, $testdir, $verbose);
} else { # normal operation
- $cluster_conf = load_clusterfw_conf() if !$cluster_conf;
+ $cluster_conf = load_clusterfw_conf(undef, $verbose) if !$cluster_conf;
- $hostfw_conf = load_hostfw_conf() if !$hostfw_conf;
+ $hostfw_conf = load_hostfw_conf($cluster_conf, undef, $verbose) if !$hostfw_conf;
$vmdata = read_local_vm_config();
- $vmfw_configs = read_vm_firewall_configs($vmdata);
+ $vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, undef, $verbose);
}
-
$cluster_conf->{ipset}->{venet0} = [];
+
+ my $localnet;
+ if ($cluster_conf->{aliases}->{local_network}) {
+ $localnet = $cluster_conf->{aliases}->{local_network}->{cidr};
+ } else {
+ $localnet = local_network() || '127.0.0.0/8';
+ $cluster_conf->{aliases}->{local_network} = { cidr => $localnet };
+ }
+ push @{$cluster_conf->{ipset}->{management}}, { cidr => $localnet };
+
my $ruleset = {};
ruleset_create_chain($ruleset, "PVEFW-INPUT");
my $hostfw_enable = !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0));
- enable_host_firewall($ruleset, $hostfw_conf, $cluster_conf) if $hostfw_enable;
+ if ($hostfw_enable) {
+ eval { enable_host_firewall($ruleset, $hostfw_conf, $cluster_conf); };
+ warn $@ if $@; # just to be sure - should not happen
+ }
ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-o venet0 -m set --match-set PVEFW-venet0 dst -j PVEFW-VENET-IN");
# generate firewall rules for QEMU VMs
foreach my $vmid (keys %{$vmdata->{qemu}}) {
- my $conf = $vmdata->{qemu}->{$vmid};
- my $vmfw_conf = $vmfw_configs->{$vmid};
- next if !$vmfw_conf;
- next if defined($vmfw_conf->{options}->{enable}) && ($vmfw_conf->{options}->{enable} == 0);
-
- foreach my $netid (keys %$conf) {
- next if $netid !~ m/^net(\d+)$/;
- my $net = PVE::QemuServer::parse_net($conf->{$netid});
- next if !$net->{firewall};
- my $iface = "tap${vmid}i$1";
-
- my $macaddr = $net->{macaddr};
- generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
- $vmfw_conf, $vmid, 'IN');
- generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
- $vmfw_conf, $vmid, 'OUT');
- }
+ eval {
+ my $conf = $vmdata->{qemu}->{$vmid};
+ my $vmfw_conf = $vmfw_configs->{$vmid};
+ return if !$vmfw_conf;
+ return if !$vmfw_conf->{options}->{enable};
+
+ foreach my $netid (keys %$conf) {
+ next if $netid !~ m/^net(\d+)$/;
+ my $net = PVE::QemuServer::parse_net($conf->{$netid});
+ next if !$net->{firewall};
+ my $iface = "tap${vmid}i$1";
+
+ my $macaddr = $net->{macaddr};
+ generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
+ $vmfw_conf, $vmid, 'IN');
+ generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
+ $vmfw_conf, $vmid, 'OUT');
+ }
+ };
+ warn $@ if $@; # just to be sure - should not happen
}
# generate firewall rules for OpenVZ containers
foreach my $vmid (keys %{$vmdata->{openvz}}) {
- my $conf = $vmdata->{openvz}->{$vmid};
-
- my $vmfw_conf = $vmfw_configs->{$vmid};
- next if !$vmfw_conf;
- next if defined($vmfw_conf->{options}->{enable}) && ($vmfw_conf->{options}->{enable} == 0);
+ eval {
+ my $conf = $vmdata->{openvz}->{$vmid};
- if ($conf->{ip_address} && $conf->{ip_address}->{value}) {
- my $ip = $conf->{ip_address}->{value};
- $ip =~ s/\s+/,/g;
- parse_address_list($ip); # make sure we have a valid $ip list
+ my $vmfw_conf = $vmfw_configs->{$vmid};
+ return if !$vmfw_conf;
+ return if !$vmfw_conf->{options}->{enable};
- my @ips = split(',', $ip);
+ if ($conf->{ip_address} && $conf->{ip_address}->{value}) {
+ my $ip = $conf->{ip_address}->{value};
+ $ip =~ s/\s+/,/g;
+ parse_address_list($ip); # make sure we have a valid $ip list
- foreach my $singleip (@ips) {
- my $venet0ipset = {};
- $venet0ipset->{cidr} = $singleip;
- push @{$cluster_conf->{ipset}->{venet0}}, $venet0ipset;
- }
+ my @ips = split(',', $ip);
- generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, 'IN');
- generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, 'OUT');
- }
+ foreach my $singleip (@ips) {
+ my $venet0ipset = {};
+ $venet0ipset->{cidr} = $singleip;
+ push @{$cluster_conf->{ipset}->{venet0}}, $venet0ipset;
+ }
- if ($conf->{netif} && $conf->{netif}->{value}) {
- my $netif = PVE::OpenVZ::parse_netif($conf->{netif}->{value});
- foreach my $netid (keys %$netif) {
- my $d = $netif->{$netid};
+ generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, 'IN');
+ generate_venet_rules_direction($ruleset, $cluster_conf, $vmfw_conf, $vmid, $ip, 'OUT');
+ }
- my $macaddr = $d->{mac};
- my $iface = $d->{host_ifname};
- generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
- $vmfw_conf, $vmid, 'IN');
- generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
- $vmfw_conf, $vmid, 'OUT');
+ if ($conf->{netif} && $conf->{netif}->{value}) {
+ my $netif = PVE::OpenVZ::parse_netif($conf->{netif}->{value});
+ foreach my $netid (keys %$netif) {
+ my $d = $netif->{$netid};
+
+ my $macaddr = $d->{mac};
+ my $iface = $d->{host_ifname};
+ generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
+ $vmfw_conf, $vmid, 'IN');
+ generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
+ $vmfw_conf, $vmid, 'OUT');
+ }
}
- }
+ };
+ warn $@ if $@; # just to be sure - should not happen
}
if(ruleset_chain_exist($ruleset, "PVEFW-IPS")){
}
sub update {
- my ($verbose) = @_;
-
my $code = sub {
my $cluster_conf = load_clusterfw_conf();
if (!$enable) {
PVE::Firewall::remove_pvefw_chains();
- print "Firewall disabled\n" if $verbose;
return;
}
my ($ruleset, $ipset_ruleset) = compile($cluster_conf, $hostfw_conf);
- apply_ruleset($ruleset, $hostfw_conf, $ipset_ruleset, $verbose);
+ apply_ruleset($ruleset, $hostfw_conf, $ipset_ruleset);
};
run_locked($code);