while (length($rule)) {
- if ($rule =~ s/^-m conntrack\s*//) {
- return undef; # simply ignore
+ if ($rule =~ s/^-m conntrack --ctstate (\S+)\s*//) {
+ my $cstate = $1;
+
+ return undef if $cstate eq 'INVALID'; # no match
+ return undef if $cstate eq 'RELATED,ESTABLISHED'; # no match
+
+ next if $cstate =~ m/NEW/;
+
+ die "please implement cstate test '$cstate'";
+ }
+
+ if ($rule =~ s/^-m addrtype --src-type (\S+)\s*//) {
+ my $atype = $1;
+ die "missing srctype" if !$pkg->{srctype};
+ return undef if $atype ne $pkg->{srctype};
}
- if ($rule =~ s/^-m addrtype\s*//) {
- return undef; # simply ignore
+ if ($rule =~ s/^-m addrtype --dst-type (\S+)\s*//) {
+ my $atype = $1;
+ die "missing dsttype" if !$pkg->{dsttype};
+ return undef if $atype ne $pkg->{dsttype};
}
if ($rule =~ s/^-i (\S+)\s*//) {
dport => undef,
source => undef,
dest => undef,
+ srctype => 'UNICAST',
+ dsttype => 'UNICAST',
};
while (my ($k,$v) = each %$test) {
my $start_state;
+ my $host_ip = '172.16.1.2';
+
if ($from eq 'host') {
$from_info->{type} = 'host';
$start_state = 'host';
+ $pkg->{source} = $host_ip if !defined($pkg->{source});
} elsif ($from =~ m|^(vmbr\d+)/(\S+)$|) {
$from_info->{type} = 'bport';
$from_info->{bridge} = $1;
die "unable to parse \"from => '$from'\"\n";
}
- $pkg->{source} = '100.200.3.4' if !defined($pkg->{source});
-
my $target;
if ($to eq 'host') {
$target->{type} = 'host';
$target->{iface} = 'host';
+ $pkg->{dest} = $host_ip if !defined($pkg->{dest});
} elsif ($to =~ m|^(vmbr\d+)/(\S+)$|) {
$target->{type} = 'bport';
$target->{bridge} = $1;
die "unable to parse \"to => '$to'\"\n";
}
+ $pkg->{source} = '100.100.1.2' if !defined($pkg->{source});
+ $pkg->{dest} = '100.200.3.4' if !defined($pkg->{dest});
+
my ($res, $ic, $rc) = route_packet($ruleset, $ipset_ruleset, $pkg,
$from_info, $target, $start_state);
$vmdata->{testdir} = $testdir;
+ PVE::Firewall::cluster_network('172.16.1.0/24');
+
my ($ruleset, $ipset_ruleset) =
PVE::Firewall::compile(undef, undef, $vmdata);
projects / pve-firewall.git / blobdiff