X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=PVE%2FFirewall.pm;h=16ded99986028c1c07fc9a11018749c104f413a2;hb=de2a57cdcf099c30feecb5c095328a82d1d154e1;hp=8e5cfb1f996ccc0d552173c87cce02bcec9e0f76;hpb=a332200b53c7d2d53f9b4c76c50de56a252e8f5f;p=pve-firewall.git
diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index 8e5cfb1..16ded99 100644
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -3,15 +3,18 @@ package PVE::Firewall;
 use warnings;
 use strict;
 use Data::Dumper;
+use Digest::SHA;
 use PVE::Tools;
 use PVE::QemuServer;
 use File::Path;
 use IO::File;
 use Net::IP;
-use PVE::Tools qw(run_command);
+use PVE::Tools qw(run_command lock_file);
 use Data::Dumper;
+my $pve_fw_lock_filename = "/var/lock/pvefw.lck";
+
 my $macros;
 my @ruleset = ();
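Review bot: `$pve_fw_lock_filename` places the lock in `/var/lock`, which on Debian-based hosts is normally a sticky, world-writable directory (frequently a symlink to `/run/lock`), so an unprivileged local user can create `/var/lock/pvefw.lck` — or a symlink under that name — before the root-owned firewall code first opens it. How much that matters depends on how `lock_file` opens the path, which is not visible in this diff, but at minimum another user holding the file can make every locked firewall update wait out its timeout. A root-owned directory that is not world-writable, such as a package-created path under `/var/lib/pve-firewall/`, avoids the question entirely. Unrelated but cheap while the import block is being touched: `use Data::Dumper;` appears twice.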
@@ -148,9 +151,75 @@ sub iptables_restore {
 unshift (@ruleset, '*filter');
 push (@ruleset, 'COMMIT');
- my $cmdlist = join("\n", @ruleset);
+ my $cmdlist = join("\n", @ruleset) . "\n";
+
+ my $verbose = 1; # fixme: how/when do we set this
+
+ #run_command("echo '$cmdlist' | /sbin/iptables-restore -n");
+ eval { run_command("/sbin/iptables-restore -n ", input => $cmdlist); };
+ if (my $err = $@) {
+ print STDERR $cmdlist if $verbose;
+ die $err;
+ }
+}
+
+# experimental code to read existing chains and compute SHA1 checksum
+# for each chain.
+sub iptables_get_chains {
+
+ my $res = {};
+
+ # check what chains we want to track
+ my $is_pvefw_chain = sub {
+ my $name = shift;
+
+ return 1 if $name =~ m/^BRIDGEFW-(:?IN|OUT)$/;
+ return 1 if $name =~ m/^proxmoxfw-\S+$/;
+ return 1 if $name =~ m/^tap\d+i\d+-(:?IN|OUT)$/;
+
+ return undef;
+ };
+
+ my $table = '';
+
+ my $dhash = {};
+
+ my $parser = sub {
+ my $line = shift;
+
+ return if $line =~ m/^#/;
+ return if $line =~ m/^\s*$/;
+
+ if ($line =~ m/^\*(\S+)$/) {
+ $table = $1;
+ return;
+ }
+
+ return if $table ne 'filter';
+
+ if ($line =~ m/^:(\S+)\s/) {
+ my $chain = $1;
+ return if !&$is_pvefw_chain($chain);
+ $dhash->{$chain} = Digest::SHA->new('sha1');
+ } elsif ($line =~ m/^-([A-Z]) (\S+)\s/) {
+ my $chain = $2;
+ return if !&$is_pvefw_chain($chain);
+ my $sha = $dhash->{$chain} || die "undefined chain '$chain'";
+ $sha->add_bits("$line\n");
+ } else {
+ # simply ignore the rest
+ return;
+ }
+ };
+
+ run_command("/sbin/iptables-save", outfunc => $parser);
- run_command("echo '$cmdlist' | /sbin/iptables-restore -n", outfunc => sub {});
+ foreach my $chain (keys %$dhash) {
+ my $sha = $dhash->{$chain};
+ $res->{$chain} = $sha->b64digest;
+ }
+
+ return $res;
 }
 sub iptables_addrule {
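Review bot: `$sha->add_bits("$line\n")` in the `-A` branch of `$parser` hashes the rule as a bit string rather than as bytes: Digest::SHA's single-argument `add_bits` treats each character of its argument as one bit and packs it with `pack("B*", ...)`, which keeps only the low-order bit of each character. The per-chain digest therefore discards almost all of the rule text, and two rules that differ only in characters with equal low bits (`--dport 22` vs `--dport 20`, `ACCEPT` vs `ACCEPT` with a different address whose digits share parity) produce the same checksum, so the comparison this function is meant to enable would miss real changes; the call should be `$sha->add("$line\n");`. Separately, `(:?IN|OUT)` in the two `$is_pvefw_chain` patterns is a typo for the non-capturing group `(?:IN|OUT)` — as written it also accepts `BRIDGEFW-:IN`, harmless here but misleading. Moving from the `echo '$cmdlist' | iptables-restore` shell pipeline to `run_command(..., input => $cmdlist)` removes the quoting problem of the old line and is welcome; the `fixme` on `$verbose` is fine as a marker, but note that on failure the whole ruleset is currently always dumped to STDERR.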
@@ -541,319 +610,6 @@ sub disable_group_rules { iptables_restore(); } - -my $generate_input_rule = sub { - my ($zoneinfo, $rule, $net, $netid) = @_; - - my $zone = $net->{zone} || die "internal error"; - my $zid = $zoneinfo->{$zone}->{zoneref} || die "internal error"; - my $tap = $net->{tap} || die "internal error"; - - my $dest = "$zid:$tap"; - - if ($rule->{dest}) { - $dest .= ":$rule->{dest}"; - } - - my $action = $rule->{service} ? - "$rule->{service}($rule->{action})" : $rule->{action}; - - my $sources = []; - - if (!$rule->{source}) { - push @$sources, 'all'; - } elsif ($zoneinfo->{$zone}->{type} eq 'bport') { - my $bridge_zone = $zoneinfo->{$zone}->{bridge_zone} || die "internal error"; - my $zoneref = $zoneinfo->{$bridge_zone}->{zoneref} || die "internal error"; - - # using 'all' does not work, so we create one rule for - # each related zone on the same bridge - push @$sources, "${zoneref}:$rule->{source}"; - foreach my $z (keys %$zoneinfo) { - next if $z eq $zone; - next if !$zoneinfo->{$z}->{bridge_zone}; - next if $zoneinfo->{$z}->{bridge_zone} ne $bridge_zone; - $zoneref = $zoneinfo->{$z}->{zoneref} || die "internal error"; - push @$sources, "${zoneref}:$rule->{source}"; - } - } else { - push @$sources, "all:$rule->{source}"; - } - - my $out = ''; - - foreach my $source (@$sources) { - $out .= sprintf($rule_format, $action, $source, $dest, $rule->{proto} || '-', - $rule->{dport} || '-', $rule->{sport} || '-'); - } - - return $out; -}; - -my $generate_output_rule = sub { - my ($zoneinfo, $rule, $net, $netid) = @_; - - my $zone = $net->{zone} || die "internal error"; - my $zid = $zoneinfo->{$zone}->{zoneref} || die "internal error"; - my $tap = $net->{tap} || die "internal error"; - - my $action = $rule->{service} ? 
- "$rule->{service}($rule->{action})" : $rule->{action}; - - my $dest; - - if (!$rule->{dest}) { - $dest = 'all'; - } else { - $dest = "all:$rule->{dest}"; - } - - return sprintf($rule_format, $action, "$zid:$tap", $dest, - $rule->{proto} || '-', $rule->{dport} || '-', $rule->{sport} || '-'); -}; - -# we need complete VM configuration of all VMs (openvz/qemu) -# in vmdata - -my $compile_shorewall = sub { - my ($targetdir, $vmdata, $rules) = @_; - - # remove existing data ? - foreach my $file (qw(params zones rules interfaces maclist policy)) { - unlink "$targetdir/$file"; - } - - my $netinfo; - - my $zoneinfo = { - fw => { type => 'firewall' }, - }; - - my $maclist = {}; - - my $register_bridge; - - $register_bridge = sub { - my ($bridge, $vlan) = @_; - - my $zone = $bridge; - - return $zone if $zoneinfo->{$zone}; - - my $ext_zone = "${bridge}_ext"; - - $zoneinfo->{$zone} = { - type => 'bridge', - bridge => $bridge, - bridge_ext_zone => $ext_zone, - }; - - # physical input devices - my $dir = "/sys/class/net/$bridge/brif"; - my $physical = {}; - PVE::Tools::dir_glob_foreach($dir, '((eth|bond).+)', sub { - my ($slave) = @_; - $physical->{$slave} = 1; - }); - - $zoneinfo->{$ext_zone} = { - type => 'bport', - bridge_zone => $zone, - ifaces => $physical, - }; - - return &$register_bridge("${bridge}v${vlan}") if defined($vlan); - - return $zone; - }; - - my $register_bridge_port = sub { - my ($bridge, $vlan, $vmzone, $tap) = @_; - - my $bridge_zone = &$register_bridge($bridge, $vlan); - my $zone = $bridge_zone . '_' . 
$vmzone; - - if (!$zoneinfo->{$zone}) { - $zoneinfo->{$zone} = { - type => 'bport', - bridge_zone => $bridge_zone, - ifaces => {}, - }; - } - - $zoneinfo->{$zone}->{ifaces}->{$tap} = 1; - - return $zone; - }; - - foreach my $vmid (keys %{$vmdata->{qemu}}) { - $netinfo->{$vmid} = {}; - my $conf = $vmdata->{qemu}->{$vmid}; - foreach my $opt (keys %$conf) { - next if $opt !~ m/^net(\d+)$/; - my $netnum = $1; - my $net = PVE::QemuServer::parse_net($conf->{$opt}); - next if !$net; - die "implement me" if !$net->{bridge}; - - my $vmzone = $conf->{zone} || "vm$vmid"; - $net->{tap} = "tap${vmid}i${netnum}"; - $maclist->{$net->{tap}} = $net->{macaddr} || die "internal error"; - $net->{zone} = &$register_bridge_port($net->{bridge}, $net->{tag}, $vmzone, $net->{tap}); - $netinfo->{$vmid}->{$opt} = $net; - } - } - - #print Dumper($netinfo); - - # NOTE: zone names have length limit, so we need to - # translate them into shorter names - - my $zoneid = 0; - my $zonemap = { fw => 'fw' }; - - my $lookup_zonename = sub { - my ($zone) = @_; - - return $zonemap->{$zone} if defined($zonemap->{$zone}); - $zonemap->{$zone} = 'z' . $zoneid++; - - return $zonemap->{$zone}; - }; - - foreach my $z (sort keys %$zoneinfo) { - $zoneinfo->{$z}->{id} = &$lookup_zonename($z); - $zoneinfo->{$z}->{zonevar} = uc($z); - $zoneinfo->{$z}->{zoneref} = '$' . 
$zoneinfo->{$z}->{zonevar}; - } - - my $out; - - # dump params file - $out = "# PVE zones\n"; - foreach my $z (sort keys %$zoneinfo) { - $out .= "$zoneinfo->{$z}->{zonevar}=$zoneinfo->{$z}->{id}\n"; - } - PVE::Tools::file_set_contents("$targetdir/params", $out); - - # dump zone file - - my $format = "%-30s %-10s %-15s\n"; - $out = sprintf($format, '#ZONE', 'TYPE', 'OPTIONS'); - - foreach my $z (sort keys %$zoneinfo) { - my $zid = $zoneinfo->{$z}->{zoneref}; - if ($zoneinfo->{$z}->{type} eq 'firewall') { - $out .= sprintf($format, $zid, $zoneinfo->{$z}->{type}, ''); - } elsif ($zoneinfo->{$z}->{type} eq 'bridge') { - $out .= sprintf($format, $zid, 'ipv4', ''); - } elsif ($zoneinfo->{$z}->{type} eq 'bport') { - my $bridge_zone = $zoneinfo->{$z}->{bridge_zone} || die "internal error"; - my $bzid = $zoneinfo->{$bridge_zone}->{zoneref} || die "internal error"; - $out .= sprintf($format, "$zid:$bzid", 'bport', ''); - } else { - die "internal error"; - } - } - - $out .= sprintf("#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE\n"); - - PVE::Tools::file_set_contents("$targetdir/zones", $out); - - # dump interfaces - - $format = "%-25s %-20s %-10s %-15s\n"; - $out = sprintf($format, '#ZONE', 'INTERFACE', 'BROADCAST', 'OPTIONS'); - - my $maclist_format = "%-15s %-15s %-15s\n"; - my $macs = sprintf($maclist_format, '#DISPOSITION', 'INTERFACE', 'MACZONE'); - - foreach my $z (sort keys %$zoneinfo) { - my $zid = $zoneinfo->{$z}->{zoneref}; - if ($zoneinfo->{$z}->{type} eq 'firewall') { - # do nothing; - } elsif ($zoneinfo->{$z}->{type} eq 'bridge') { - my $bridge = $zoneinfo->{$z}->{bridge} || die "internal error"; - $out .= sprintf($format, $zid, $bridge, 'detect', 'bridge,optional'); - } elsif ($zoneinfo->{$z}->{type} eq 'bport') { - my $ifaces = $zoneinfo->{$z}->{ifaces}; - foreach my $iface (sort keys %$ifaces) { - my $bridge_zone = $zoneinfo->{$z}->{bridge_zone} || die "internal error"; - my $bridge = $zoneinfo->{$bridge_zone}->{bridge} || die "internal error"; 
- my $iftxt = "$bridge:$iface"; - - if ($maclist->{$iface}) { - $out .= sprintf($format, $zid, $iftxt, '-', 'maclist'); - $macs .= sprintf($maclist_format, 'ACCEPT', $iface, $maclist->{$iface}); - } else { - $out .= sprintf($format, $zid, $iftxt, '-', ''); - } - } - } else { - die "internal error"; - } - } - - $out .= sprintf("#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE\n"); - - PVE::Tools::file_set_contents("$targetdir/interfaces", $out); - - # dump maclist - PVE::Tools::file_set_contents("$targetdir/maclist", $macs); - - # dump policy - - $format = "%-15s %-15s %-15s %s\n"; - $out = sprintf($format, '#SOURCE', 'DEST', 'POLICY', 'LOG'); - $out .= sprintf($format, 'fw', 'all', 'ACCEPT', ''); - - # we need to disable intra-zone traffic on bridges. Else traffic - # from untracked interfaces simply pass the firewall - foreach my $z (sort keys %$zoneinfo) { - my $zid = $zoneinfo->{$z}->{zoneref}; - if ($zoneinfo->{$z}->{type} eq 'bridge') { - $out .= sprintf($format, $zid, $zid, 'REJECT', 'info'); - } - } - $out .= sprintf($format, 'all', 'all', 'REJECT', 'info'); - - PVE::Tools::file_set_contents("$targetdir/policy", $out); - - # dump rules - $out = ''; - - $out = sprintf($rule_format, '#ACTION', 'SOURCE', 'DEST', 'PROTO', 'DPORT', 'SPORT'); - foreach my $vmid (sort keys %$rules) { - my $inrules = $rules->{$vmid}->{in}; - my $outrules = $rules->{$vmid}->{out}; - - if (scalar(@$inrules)) { - $out .= "# IN to VM $vmid\n"; - foreach my $rule (@$inrules) { - foreach my $netid (keys %{$netinfo->{$vmid}}) { - my $net = $netinfo->{$vmid}->{$netid}; - next if $rule->{iface} && $rule->{iface} ne $netid; - $out .= &$generate_input_rule($zoneinfo, $rule, $net, $netid); - } - } - } - - if (scalar(@$outrules)) { - $out .= "# OUT from VM $vmid\n"; - foreach my $rule (@$outrules) { - foreach my $netid (keys %{$netinfo->{$vmid}}) { - my $net = $netinfo->{$vmid}->{$netid}; - next if $rule->{iface} && $rule->{iface} ne $netid; - $out .= 
&$generate_output_rule($zoneinfo, $rule, $net, $netid);
- }
- }
- }
- }
-
- PVE::Tools::file_set_contents("$targetdir/rules", $out);
-};
-
-
 sub parse_fw_rules {
 my ($filename, $fh, $group) = @_;
@@ -960,6 +716,18 @@ sub parse_fw_rules {
 return $res;
 }
+sub run_locked {
+ my ($code, @param) = @_;
+
+ my $timeout = 10;
+
+ my $res = lock_file($pve_fw_lock_filename, $timeout, $code, @param);
+
+ die $@ if $@;
+
+ return $res;
+}
+
 sub read_local_vm_config {
 my $openvz = {};
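Review bot: `run_locked` has no comment saying what the lock serialises or that `$code` is invoked with the lock held, and the wait is fixed at `my $timeout = 10;` with no way for a caller to choose otherwise. A short header would help, e.g. `# run $code->(@param) while holding the global firewall lock ($pve_fw_lock_filename); waits at most 10 s for the lock and re-raises any error from the lock or from $code`. The `die $@ if $@;` after `lock_file` presumably relies on `lock_file` returning undef and leaving its error in `$@` rather than dying itself; that contract is not visible here and is worth confirming against PVE::Tools, because if `lock_file` only warns on a timeout the failure would be silently swallowed and the caller would proceed unlocked. `parse_fw_rules`, named in the hunk header, ends within this hunk; `read_local_vm_config` begins at its last lines and continues outside.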