X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=PVE%2FFirewall.pm;h=6309b81e0223aa3ad674d20ce926ad813e59ff94;hb=181390b09fe8efba63aff2b03959535d4641b8c9;hp=a19505ab9ed393d44c824e09b56ea8feea7a25de;hpb=ccae0b5068f03e859ff280c41d013526a4fbfb4c;p=pve-firewall.git diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm index a19505a..6309b81 100644 --- a/PVE/Firewall.pm +++ b/PVE/Firewall.pm @@ -15,7 +15,6 @@ use Data::Dumper; my $pve_fw_lock_filename = "/var/lock/pvefw.lck"; -# todo: define more MACROS # imported/converted from: /usr/share/shorewall/macro.* my $pve_fw_macros = { 'Amanda' => [ @@ -225,7 +224,7 @@ my $pve_fw_macros = { { action => 'PARAM', proto => 'tcp', dport => '1723' }, ], 'Ping' => [ - { action => 'PARAM', proto => 'icmp', dport => '8' }, + { action => 'PARAM', proto => 'icmp', dport => 'echo-request' }, ], 'PostgreSQL' => [ { action => 'PARAM', proto => 'tcp', dport => '5432' }, @@ -323,7 +322,7 @@ my $pve_fw_macros = { ], 'Trcrt' => [ { action => 'PARAM', proto => 'udp', dport => '33434:33524' }, - { action => 'PARAM', proto => 'icmp', dport => '8' }, + { action => 'PARAM', proto => 'icmp', dport => 'echo-request' }, ], 'VNC' => [ { action => 'PARAM', proto => 'tcp', dport => '5900:5909' }, @@ -349,10 +348,148 @@ my $pve_fw_macros = { my $pve_fw_parsed_macros; my $pve_fw_preferred_macro_names = {}; +my $pve_std_chains = { + 'PVEFW-SET-ACCEPT-MARK' => [ + "-j MARK --set-mark 1", + ], + 'PVEFW-DropBroadcast' => [ + # same as shorewall 'Broadcast' + # simply DROP BROADCAST/MULTICAST/ANYCAST + # we can use this to reduce logging + { action => 'DROP', dsttype => 'BROADCAST' }, + { action => 'DROP', dsttype => 'MULTICAST' }, + { action => 'DROP', dsttype => 'ANYCAST' }, + { action => 'DROP', dest => '224.0.0.0/4' }, + ], + 'PVEFW-reject' => [ + # same as shorewall 'reject' + { action => 'DROP', dsttype => 'BROADCAST' }, + { action => 'DROP', source => '224.0.0.0/4' }, + { action => 'DROP', proto => 'icmp' }, + "-p tcp -j REJECT --reject-with tcp-reset", + "-p udp -j REJECT --reject-with icmp-port-unreachable", + "-p icmp -j REJECT --reject-with icmp-host-unreachable", + "-j REJECT --reject-with icmp-host-prohibited", + ], + 'PVEFW-Drop' => [ + # same as shorewall 'Drop', which is equal to DROP, + # but REJECT/DROP some packages to reduce logging, + # and ACCEPT critical ICMP types + { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth' + # we are not interested in BROADCAST/MULTICAST/ANYCAST + { action => 'PVEFW-DropBroadcast' }, + # ACCEPT critical ICMP types + { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' }, + { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' }, + # Drop packets with INVALID state + "-m conntrack --ctstate INVALID -j DROP", + # Drop Microsoft SMB noise + { action => 'DROP', proto => 'udp', dport => '135,445', nbdport => 2 }, + { action => 'DROP', proto => 'udp', dport => '137:139'}, + { action => 'DROP', proto => 'udp', dport => '1024:65535', sport => 137 }, + { action => 'DROP', proto => 'tcp', dport => '135,139,445', nbdport => 3 }, + { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP + # Drop new/NotSyn traffic so that it doesn't get logged + "-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP", + # Drop DNS replies + { action => 'DROP', proto => 'udp', sport => 53 }, + ], + 'PVEFW-Reject' => [ + # same as shorewall 'Reject', which is equal to Reject, + # but REJECT/DROP some packages to reduce logging, + # and ACCEPT critical ICMP types + { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth' + # we are not interested in BROADCAST/MULTICAST/ANYCAST + { action => 'PVEFW-DropBroadcast' }, + # ACCEPT critical ICMP types + { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' }, + { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' }, + # Drop packets with INVALID state + "-m conntrack --ctstate INVALID -j DROP", + # Drop Microsoft SMB noise + { action => 'PVEFW-reject', proto => 'udp', dport => '135,445', nbdport => 2 }, + { action => 'PVEFW-reject', proto => 'udp', dport => '137:139'}, + { action => 'PVEFW-reject', proto => 'udp', dport => '1024:65535', sport => 137 }, + { action => 'PVEFW-reject', proto => 'tcp', dport => '135,139,445', nbdport => 3 }, + { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP + # Drop new/NotSyn traffic so that it doesn't get logged + "-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP", + # Drop DNS replies + { action => 'DROP', proto => 'udp', sport => 53 }, + ], + 'PVEFW-logflags' => [ + # same as shorewall logflags action. (fixme: enable/disable logging) + "-j LOG --log-prefix \"logflags-dropped:\" --log-level 4 --log-ip-options", + "-j DROP", + ], + 'PVEFW-tcpflags' => [ + # same as shorewall tcpflags action. + # Packets arriving on this interface are checked for som illegal combinations of TCP flags + "-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags", + "-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags", + "-p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags", + "-p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags", + "-p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags", + ], + 'PVEFW-smurflog' => [ + # same as shorewall smurflog. (fixme: enable/disable logging) + "-j LOG --log-prefix \"smurfs-dropped\" --log-level 4", + "-j DROP", + ], + 'PVEFW-smurfs' => [ + # same as shorewall smurfs action + # Filter packets for smurfs (packets with a broadcast address as the source). + "-s 0.0.0.0/32 -j RETURN", + "-m addrtype --src-type BROADCAST -g PVEFW-smurflog", + "-s 224.0.0.0/4 -g PVEFW-smurflog", + ], +}; + +# iptables -p icmp -h +my $icmp_type_names = { + any => 1, + 'echo-reply' => 1, + 'destination-unreachable' => 1, + 'network-unreachable' => 1, + 'host-unreachable' => 1, + 'protocol-unreachable' => 1, + 'port-unreachable' => 1, + 'fragmentation-needed' => 1, + 'source-route-failed' => 1, + 'network-unknown' => 1, + 'host-unknown' => 1, + 'network-prohibited' => 1, + 'host-prohibited' => 1, + 'TOS-network-unreachable' => 1, + 'TOS-host-unreachable' => 1, + 'communication-prohibited' => 1, + 'host-precedence-violation' => 1, + 'precedence-cutoff' => 1, + 'source-quench' => 1, + 'redirect' => 1, + 'network-redirect' => 1, + 'host-redirect' => 1, + 'TOS-network-redirect' => 1, + 'TOS-host-redirect' => 1, + 'echo-request' => 1, + 'router-advertisement' => 1, + 'router-solicitation' => 1, + 'time-exceeded' => 1, + 'ttl-zero-during-transit' => 1, + 'ttl-zero-during-reassembly' => 1, + 'parameter-problem' => 1, + 'ip-header-bad' => 1, + 'required-option-missing' => 1, + 'timestamp-request' => 1, + 'timestamp-reply' => 1, + 'address-mask-request' => 1, + 'address-mask-reply' => 1, +}; + sub get_firewall_macros { return $pve_fw_parsed_macros if $pve_fw_parsed_macros; - + $pve_fw_parsed_macros = {}; foreach my $k (keys %$pve_fw_macros) { @@ -397,8 +534,8 @@ sub get_etc_services { close($fh); - $etc_services = $services; - + $etc_services = $services; + return $etc_services; } @@ -459,6 +596,7 @@ sub parse_port_name_number_or_range { foreach my $item (split(/,/, $str)) { my $portlist = ""; my $oldpon = undef; + $nbports++; foreach my $pon (split(':', $item, 2)) { $pon = $services->{byname}->{$pon}->{port} if $services->{byname}->{$pon}->{port}; if ($pon =~ m/^\d+$/){ @@ -468,7 +606,6 @@ sub parse_port_name_number_or_range { }else{ die "invalid port $services->{byname}->{$pon}\n" if !$services->{byname}->{$pon}; } - $nbports++; } } @@ -575,7 +712,9 @@ sub iptables_rule_exist { } sub ruleset_generate_rule { - my ($ruleset, $chain, $rule, $goto) = @_; + my ($ruleset, $chain, $rule, $actions, $goto) = @_; + + return if $rule->{disable}; my $cmd = ''; @@ -583,16 +722,56 @@ sub ruleset_generate_rule { $cmd .= " -s $rule->{source}" if $rule->{source}; $cmd .= " -m iprange --dst-range" if $rule->{nbdest} && $rule->{nbdest} > 1; $cmd .= " -d $rule->{dest}" if $rule->{dest}; - $cmd .= " -p $rule->{proto}" if $rule->{proto}; - $cmd .= " --match multiport" if $rule->{nbdport} && $rule->{nbdport} > 1; - $cmd .= " --dport $rule->{dport}" if $rule->{dport}; - $cmd .= " --match multiport" if $rule->{nbsport} && $rule->{nbsport} > 1; - $cmd .= " --sport $rule->{sport}" if $rule->{sport}; + + if ($rule->{proto}) { + $cmd .= " -p $rule->{proto}"; + + my $multiport = 0; + $multiport++ if $rule->{nbdport} && ($rule->{nbdport} > 1); + $multiport++ if $rule->{nbsport} && ($rule->{nbsport} > 1); + + $cmd .= " --match multiport" if $multiport; + + die "multiport: option '--sports' cannot be used together with '--dports'\n" + if ($multiport == 2) && ($rule->{dport} ne $rule->{sport}); + + if ($rule->{dport}) { + if ($rule->{proto} && $rule->{proto} eq 'icmp') { + # Note: we use dport to store --icmp-type + die "unknown icmp-type '$rule->{dport}'\n" if !defined($icmp_type_names->{$rule->{dport}}); + $cmd .= " -m icmp --icmp-type $rule->{dport}"; + } else { + if ($rule->{nbdport} && $rule->{nbdport} > 1) { + if ($multiport == 2) { + $cmd .= " --ports $rule->{dport}"; + } else { + $cmd .= " --dports $rule->{dport}"; + } + } else { + $cmd .= " --dport $rule->{dport}"; + } + } + } + + if ($rule->{sport}) { + if ($rule->{nbsport} && $rule->{nbsport} > 1) { + $cmd .= " --sports $rule->{sport}" if $multiport != 2; + } else { + $cmd .= " --sport $rule->{sport}"; + } + } + } elsif ($rule->{dport} || $rule->{sport}) { + warn "ignoring destination port '$rule->{dport}' - no protocol specified\n" if $rule->{dport}; + warn "ignoring source port '$rule->{sport}' - no protocol specified\n" if $rule->{sport}; + } + + $cmd .= " -m addrtype --dst-type $rule->{dsttype}" if $rule->{dsttype}; if (my $action = $rule->{action}) { + $action = $actions->{$action} if defined($actions->{$action}); $goto = 1 if !defined($goto) && $action eq 'PVEFW-SET-ACCEPT-MARK'; $cmd .= $goto ? " -g $action" : " -j $action"; - }; + } ruleset_addrule($ruleset, $chain, $cmd) if $cmd; } @@ -653,6 +832,9 @@ sub generate_bridge_chains { if (!ruleset_chain_exist($ruleset, "$bridge-IN")) { ruleset_create_chain($ruleset, "$bridge-IN"); ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-out -j $bridge-IN"); + ruleset_addrule($ruleset, "$bridge-FW", "-m mark --mark 1 -j ACCEPT"); + # accept traffic to unmanaged bridge ports + ruleset_addrule($ruleset, "$bridge-FW", "-m physdev --physdev-is-bridged --physdev-is-out -j ACCEPT "); } } @@ -666,10 +848,23 @@ sub generate_tap_rules_direction { ruleset_create_chain($ruleset, $tapchain); + if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) { + ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs"); + } + + if (!(defined($options->{dhcp}) && $options->{dhcp} == 0)) { + ruleset_addrule($ruleset, $tapchain, "-p udp -m udp --dport 67:68 -j ACCEPT"); + } + + if ($options->{tcpflags}) { + ruleset_addrule($ruleset, $tapchain, "-p tcp -j PVEFW-tcpflags"); + } + ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate INVALID -j DROP"); ruleset_addrule($ruleset, $tapchain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"); - if ($direction eq 'OUT' && defined($macaddr)) { + if ($direction eq 'OUT' && defined($macaddr) && + !(defined($options->{macfilter}) && $options->{macfilter} == 0)) { ruleset_addrule($ruleset, $tapchain, "-m mac ! --mac-source $macaddr -j DROP"); } @@ -684,11 +879,15 @@ sub generate_tap_rules_direction { generate_group_rules($ruleset, $group_rules, $2); } ruleset_generate_rule($ruleset, $tapchain, $rule); - ruleset_addrule($ruleset, $tapchain, "-m mark --mark 1 -g $bridge-IN") + ruleset_addrule($ruleset, $tapchain, "-m mark --mark 1 -j RETURN") if $direction eq 'OUT'; } else { - $rule->{action} = "$bridge-IN" if $rule->{action} eq 'ACCEPT' && $direction eq 'OUT'; - ruleset_generate_rule($ruleset, $tapchain, $rule); + if ($direction eq 'OUT') { + ruleset_generate_rule($ruleset, $tapchain, $rule, + { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" }); + } else { + ruleset_generate_rule($ruleset, $tapchain, $rule, { REJECT => "PVEFW-reject" }); + } } } } @@ -704,16 +903,18 @@ sub generate_tap_rules_direction { if ($policy eq 'ACCEPT') { if ($direction eq 'OUT') { - ruleset_addrule($ruleset, $tapchain, "-j RETURN"); + ruleset_addrule($ruleset, $tapchain, "-g PVEFW-SET-ACCEPT-MARK"); } else { ruleset_addrule($ruleset, $tapchain, "-j ACCEPT"); } } elsif ($policy eq 'DROP') { + ruleset_addrule($ruleset, $tapchain, "-j PVEFW-Drop"); ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-dropped: \" --log-level 4"); ruleset_addrule($ruleset, $tapchain, "-j DROP"); } elsif ($policy eq 'REJECT') { + ruleset_addrule($ruleset, $tapchain, "-j PVEFW-Reject"); ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-reject: \" --log-level 4"); - ruleset_addrule($ruleset, $tapchain, "-j REJECT"); + ruleset_addrule($ruleset, $tapchain, "-g PVEFW-reject"); } else { # should not happen die "internal error: unknown policy '$policy'"; @@ -750,8 +951,7 @@ sub enablehostfw { if ($rules->{in}) { foreach my $rule (@{$rules->{in}}) { # we use RETURN because we need to check also tap rules - $rule->{action} = 'RETURN' if $rule->{action} eq 'ACCEPT'; - ruleset_generate_rule($ruleset, $chain, $rule); + ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => 'RETURN', REJECT => "PVEFW-reject" }); } } @@ -772,14 +972,13 @@ sub enablehostfw { if ($rules->{out}) { foreach my $rule (@{$rules->{out}}) { # we use RETURN because we need to check also tap rules - $rule->{action} = 'RETURN' if $rule->{action} eq 'ACCEPT'; - ruleset_generate_rule($ruleset, $chain, $rule); + ruleset_generate_rule($ruleset, $chain, $rule, { ACCEPT => 'RETURN', REJECT => "PVEFW-reject" }); } } ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"kvmhost-OUT dropped: \" --log-level 4"); ruleset_addrule($ruleset, $chain, "-j DROP"); - + ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT"); ruleset_addrule($ruleset, "PVEFW-INPUT", "-j PVEFW-HOST-IN"); } @@ -790,14 +989,14 @@ sub generate_group_rules { my $rules = $group_rules->{$group}; die "no such security group '$group'\n" if !$rules; - + my $chain = "GROUP-${group}-IN"; ruleset_create_chain($ruleset, $chain); if ($rules->{in}) { foreach my $rule (@{$rules->{in}}) { - ruleset_generate_rule($ruleset, $chain, $rule); + ruleset_generate_rule($ruleset, $chain, $rule, { REJECT => "PVEFW-reject" }); } } @@ -808,11 +1007,10 @@ sub generate_group_rules { if ($rules->{out}) { foreach my $rule (@{$rules->{out}}) { - # we go the PVEFW-SET-ACCEPT-MARK Instead of ACCEPT) because we need to - # check also other tap rules (and group rules can be set on any bridge, - # so we can't go to VMBRXX-IN) - $rule->{action} = 'PVEFW-SET-ACCEPT-MARK' if $rule->{action} eq 'ACCEPT'; - ruleset_generate_rule($ruleset, $chain, $rule); + # we use PVEFW-SET-ACCEPT-MARK (Instead of ACCEPT) because we need to + # check also other tap rules later + ruleset_generate_rule($ruleset, $chain, $rule, + { ACCEPT => 'PVEFW-SET-ACCEPT-MARK', REJECT => "PVEFW-reject" }); } } } @@ -831,7 +1029,11 @@ sub parse_fw_rule { my ($action, $iface, $source, $dest, $proto, $dport, $sport); - $line =~ s/#.*$//; + # we can add single line comments to the end of the rule + my $comment = $1 if $line =~ s/#\s*(.*?)\s*$//; + + # we can disable a rule when prefixed with '|' + my $disable = 1 if $line =~ s/^\|//; my @data = split(/\s+/, $line); my $expected_elements = $need_iface ? 7 : 6; @@ -866,12 +1068,12 @@ sub parse_fw_rule { if ($need_iface) { $iface = undef if $iface && $iface eq '-'; - die "unknown interface '$iface'\n" + die "unknown interface '$iface'\n" if defined($iface) && !$valid_netdev_names->{$iface}; } $proto = undef if $proto && $proto eq '-'; - die "unknown protokol '$proto'\n" if $proto && + die "unknown protokol '$proto'\n" if $proto && !(defined($protocols->{byname}->{$proto}) || defined($protocols->{byid}->{$proto})); @@ -886,10 +1088,12 @@ sub parse_fw_rule { $nbsource = parse_address_list($source) if $source; $nbdest = parse_address_list($dest) if $dest; - + my $rules = []; my $param = { + disable => $disable, + comment => $comment, action => $action, iface => $iface, source => $source, @@ -904,19 +1108,33 @@ sub parse_fw_rule { if ($macro) { foreach my $templ (@$macro) { my $rule = {}; + my $param_used = {}; foreach my $k (keys %$templ) { my $v = $templ->{$k}; if ($v eq 'PARAM') { $v = $param->{$k}; + $param_used->{$k} = 1; } elsif ($v eq 'DEST') { $v = $param->{dest}; + $param_used->{dest} = 1; } elsif ($v eq 'SOURCE') { $v = $param->{source}; + $param_used->{source} = 1; } die "missing parameter '$k' in macro '$macro_name'\n" if !defined($v); $rule->{$k} = $v; } + foreach my $k (keys %$param) { + next if !defined($param->{$k}); + next if $param_used->{$k}; + if (defined($rule->{$k})) { + die "parameter '$k' already define in macro (value = '$rule->{$k}')\n" + if $rule->{$k} ne $param->{$k}; + } else { + $rule->{$k} = $param->{$k}; + } + } push @$rules, $rule; } } else { @@ -924,9 +1142,9 @@ sub parse_fw_rule { } foreach my $rule (@$rules) { - $rule->{nbdport} = parse_port_name_number_or_range($rule->{dport}) + $rule->{nbdport} = parse_port_name_number_or_range($rule->{dport}) if defined($rule->{dport}); - $rule->{nbsport} = parse_port_name_number_or_range($rule->{sport}) + $rule->{nbsport} = parse_port_name_number_or_range($rule->{sport}) if defined($rule->{sport}); } @@ -938,13 +1156,13 @@ sub parse_fw_option { my ($opt, $value); - if ($line =~ m/^enable:\s*(0|1)\s*$/i) { - $opt = 'enable'; - $value = int($1); + if ($line =~ m/^(enable|dhcp|macfilter|nosmurfs|tcpflags):\s*(0|1)\s*$/i) { + $opt = lc($1); + $value = int($2); } elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) { $opt = lc($1); $value = uc($3); - } else { + } else { chomp $line; die "can't parse option '$line'\n" } @@ -979,8 +1197,8 @@ sub parse_vm_fw_rules { next if !$res->{$section}; # skip undefined section if ($section eq 'options') { - eval { - my ($opt, $value) = parse_fw_option($line); + eval { + my ($opt, $value) = parse_fw_option($line); $res->{options}->{$opt} = $value; }; warn "$prefix: $@" if $@; @@ -1043,7 +1261,7 @@ sub parse_group_fw_rules { my $group; my $res = { in => [], out => [] }; - + while (defined(my $line = <$fh>)) { next if $line =~ m/^#/; next if $line =~ m/^\s*$/; @@ -1120,10 +1338,25 @@ sub read_vm_firewall_rules { return $rules; } +sub generate_std_chains { + my ($ruleset) = @_; + + foreach my $chain (keys %$pve_std_chains) { + ruleset_create_chain($ruleset, $chain); + foreach my $rule (@{$pve_std_chains->{$chain}}) { + if (ref($rule)) { + ruleset_generate_rule($ruleset, $chain, $rule); + } else { + ruleset_addrule($ruleset, $chain, $rule); + } + } + } +} + sub compile { my $vmdata = read_local_vm_config(); my $rules = read_vm_firewall_rules($vmdata); - + my $group_rules = {}; my $filename = "/etc/pve/firewall/groups.fw"; if (my $fh = IO::File->new($filename, O_RDONLY)) { @@ -1138,8 +1371,7 @@ sub compile { ruleset_create_chain($ruleset, "PVEFW-OUTPUT"); ruleset_create_chain($ruleset, "PVEFW-FORWARD"); - ruleset_create_chain($ruleset, "PVEFW-SET-ACCEPT-MARK"); - ruleset_addrule($ruleset, "PVEFW-SET-ACCEPT-MARK", "-j MARK --set-mark 1"); + generate_std_chains($ruleset); my $enable_hostfw = 0; $filename = "/etc/pve/local/host.fw"; @@ -1151,7 +1383,7 @@ sub compile { enablehostfw($ruleset, $host_rules, $group_rules); } - # generate firewall rules for QEMU VMs + # generate firewall rules for QEMU VMs foreach my $vmid (keys %{$vmdata->{qemu}}) { my $conf = $vmdata->{qemu}->{$vmid}; my $vmfw_conf = $rules->{$vmid}; @@ -1224,7 +1456,7 @@ sub get_ruleset_status { $statushash->{$chain}->{sig} = $sig; print "delete $chain ($sig)\n" if $verbose; } - } + } return $statushash; } @@ -1311,7 +1543,7 @@ sub apply_ruleset { iptables_restore_cmdlist($cmdlist); - # test: re-read status and check if everything is up to date + # test: re-read status and check if everything is up to date $statushash = get_ruleset_status($ruleset); my $errors;