return ($dev =~ m/^${devre}$/) ? 1 : 0;
}
+sub ipset_match {
+ my ($ipsetname, $ipset, $ipaddr) = @_;
+
+ my $ip = Net::IP->new($ipaddr);
+
+ foreach my $entry (@$ipset) {
+ next if $entry =~ m/^create/; # simply ignore
+ if ($entry =~ m/add \S+ (\S+)$/) {
+ my $test = Net::IP->new($1);
+ if ($test->overlaps($ip)) {
+ add_trace("IPSET $ipsetname match $ipaddr\n");
+ return 1;
+ }
+ } else {
+ die "implement me";
+ }
+ }
+
+ return 0;
+}
+
sub rule_match {
- my ($chain, $rule, $pkg) = @_;
+ my ($ipset_ruleset, $chain, $rule, $pkg) = @_;
$rule =~ s/^-A $chain // || die "got strange rule: $rule";
while (length($rule)) {
- if ($rule =~ s/^-m conntrack\s*//) {
- return undef; # simply ignore
+ if ($rule =~ s/^-m conntrack --ctstate (\S+)\s*//) {
+ my $cstate = $1;
+
+ return undef if $cstate eq 'INVALID'; # no match
+ return undef if $cstate eq 'RELATED,ESTABLISHED'; # no match
+
+ next if $cstate =~ m/NEW/;
+
+ die "please implement cstate test '$cstate'";
}
if ($rule =~ s/^-m addrtype\s*//) {
next;
}
+ if ($rule =~ s/^-m set --match-set (\S+) src\s*//) {
+ die "missing source" if !$pkg->{source};
+ my $ipset = $ipset_ruleset->{$1};
+ die "no such ip set '$1'" if !$ipset;
+ return undef if !ipset_match($1, $ipset, $pkg->{source});
+ next;
+ }
+
+ if ($rule =~ s/^-m set --match-set (\S+) dst\s*//) {
+ die "missing destination" if !$pkg->{dest};
+ my $ipset = $ipset_ruleset->{$1};
+ die "no such ip set '$1'" if !$ipset;
+ return undef if !ipset_match($1, $ipset, $pkg->{dest});
+ next;
+ }
+
if ($rule =~ s/^-m mac ! --mac-source (\S+)\s*//) {
die "missing source mac" if !$pkg->{mac_source};
return undef if $pkg->{mac_source} eq $1; # no match
}
# final actions
+
if ($rule =~ s/^-j MARK --set-mark (\d+)\s*$//) {
$mark = $1;
return undef;
return (1, $1);
}
+ if ($rule =~ s/^-j NFLOG --nflog-prefix \"[^\"]+\"$//) {
+ return undef;
+ }
+
last;
}
}
sub ruleset_simulate_chain {
- my ($ruleset, $chain, $pkg) = @_;
+ my ($ruleset, $ipset_ruleset, $chain, $pkg) = @_;
add_trace("ENTER chain $chain\n");
foreach my $rule (@$rules) {
$counter++;
- my ($goto, $action) = rule_match($chain, $rule, $pkg);
+ my ($goto, $action) = rule_match($ipset_ruleset, $chain, $rule, $pkg);
if (!defined($action)) {
add_trace("SKIP: $rule\n");
next;
} else {
if ($goto) {
add_trace("LEAVE chain $chain - goto $action\n");
- return ruleset_simulate_chain($ruleset, $action, $pkg)
+ return ruleset_simulate_chain($ruleset, $ipset_ruleset, $action, $pkg)
#$chain = $action;
#$rules = $ruleset->{$chain} || die "no such chain '$chain'";
} else {
- my ($act, $ctr) = ruleset_simulate_chain($ruleset, $action, $pkg);
+ my ($act, $ctr) = ruleset_simulate_chain($ruleset, $ipset_ruleset, $action, $pkg);
$counter += $ctr;
return ($act, $counter) if $act;
add_trace("CONTINUE chain $chain\n");
add_trace("IPT check at $route_state (chain $chain)\n");
add_trace(Dumper($pkg));
$ipt_invocation_counter++;
- my ($res, $ctr) = ruleset_simulate_chain($ruleset, $chain, $pkg);
+ my ($res, $ctr) = ruleset_simulate_chain($ruleset, $ipset_ruleset, $chain, $pkg);
$rule_check_counter += $ctr;
return ($res, $ipt_invocation_counter, $rule_check_counter) if $res ne 'ACCEPT';
}
my $start_state;
+ my $host_ip = '172.16.1.2';
+
if ($from eq 'host') {
$from_info->{type} = 'host';
$start_state = 'host';
+ $pkg->{source} = $host_ip if !defined($pkg->{source});
} elsif ($from =~ m|^(vmbr\d+)/(\S+)$|) {
$from_info->{type} = 'bport';
$from_info->{bridge} = $1;
if ($to eq 'host') {
$target->{type} = 'host';
$target->{iface} = 'host';
+ $pkg->{dest} = $host_ip if !defined($pkg->{dest});
} elsif ($to =~ m|^(vmbr\d+)/(\S+)$|) {
$target->{type} = 'bport';
$target->{bridge} = $1;
die "unable to parse \"to => '$to'\"\n";
}
+ $pkg->{source} = '100.100.1.2' if !defined($pkg->{source});
+ $pkg->{dest} = '100.200.3.4' if !defined($pkg->{dest});
+
my ($res, $ic, $rc) = route_packet($ruleset, $ipset_ruleset, $pkg,
$from_info, $target, $start_state);
$vmdata->{testdir} = $testdir;
+ PVE::Firewall::cluster_network('172.16.1.0/24');
+
my ($ruleset, $ipset_ruleset) =
PVE::Firewall::compile(undef, undef, $vmdata);
projects / pve-firewall.git / blobdiff