X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=336aedbd72cacd417e7533257495eb3f9aa9dba5;hb=c14dacdfd975121912c387acafefc081d6c6606e;hp=9054648a40ff03c4c1f0c28a1be96960a8332b83;hpb=041b7e8e058cb55e730d7ffc4cc94e5050e54a9e;p=pve-firewall.git diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 9054648..336aedb 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -7,10 +7,10 @@ use Data::Dumper; use Digest::SHA; use PVE::INotify; use PVE::Exception qw(raise raise_param_exc); -use PVE::JSONSchema qw(get_standard_option); +use PVE::JSONSchema qw(register_standard_option get_standard_option); use PVE::Cluster; use PVE::ProcFSTools; -use PVE::Tools; +use PVE::Tools qw($IPV4RE); use File::Basename; use File::Path; use IO::File; @@ -35,6 +35,37 @@ eval { $have_pve_manager = 1; }; +PVE::JSONSchema::register_format('IPv4orCIDR', \&pve_verify_ipv4_or_cidr); +sub pve_verify_ipv4_or_cidr { + my ($cidr, $noerr) = @_; + + if ($cidr =~ m!^(?:$IPV4RE)(/(\d+))?$!) { + return $cidr if Net::IP->new($cidr); + return undef if $noerr; + die Net::IP::Error() . "\n"; + } + return undef if $noerr; + die "value does not look like a valid IP address or CIDR network\n"; +} + +PVE::JSONSchema::register_standard_option('ipset-name', { + description => "IP set name.", + type => 'string', + pattern => '[A-Za-z][A-Za-z0-9\-\_]+', + minLength => 2, + maxLength => 20, +}); + +my $security_group_pattern = '[A-Za-z][A-Za-z0-9\-\_]+'; + +PVE::JSONSchema::register_standard_option('pve-security-group-name', { + description => "Security Group name.", + type => 'string', + pattern => $security_group_pattern, + minLength => 2, + maxLength => 20, +}); + my $feature_ipset_nomatch = 0; eval { my (undef, undef, $release) = POSIX::uname(); @@ -673,7 +704,7 @@ sub get_etc_protocols { sub parse_address_list { my ($str) = @_; - return if $str !~ m/^(\+)(\S+)$/; # ipset ref + return if $str =~ m/^(\+)(\S+)$/; # ipset ref my $count = 0; my $iprange = 0; @@ -772,9 +803,12 @@ my $rule_properties = { enum => ['in', 'out', 'group'], }, action => { + description => "Rule action ('ACCEPT', 'DROP', 'REJECT') or security group name.", type => 'string', optional => 1, - enum => ['ACCEPT', 'DROP', 'REJECT'], + pattern => $security_group_pattern, + maxLength => 20, + minLength => 2, }, macro => { type => 'string', @@ -921,7 +955,7 @@ sub verify_rule { raise_param_exc({ type => "security groups not allowed"}) if !$allow_groups; raise_param_exc({ action => "invalid characters in security group name"}) - if $rule->{action} !~ m/^[A-Za-z0-9_\-]+$/; + if $rule->{action} !~ m/^${security_group_pattern}$/; } else { raise_param_exc({ type => "unknown rule type '$type'"}); } @@ -1719,7 +1753,7 @@ sub parse_fw_rule { die "wrong number of rule elements\n" if scalar(@data) != 3; die "groups disabled\n" if !$allow_groups; - die "invalid characters in group name\n" if $action !~ m/^[A-Za-z0-9_\-]+$/; + die "invalid characters in group name\n" if $action !~ m/^${security_group_pattern}$/; } else { die "unknown rule type '$type'\n"; } @@ -1963,6 +1997,7 @@ sub parse_cluster_fw_rules { if ($line =~ m/^\[group\s+(\S+)\]\s*$/i) { $section = 'groups'; $group = lc($1); + $res->{$section}->{$group} = []; next; } @@ -1974,6 +2009,7 @@ sub parse_cluster_fw_rules { if ($line =~ m/^\[ipset\s+(\S+)\]\s*$/i) { $section = 'ipset'; $group = lc($1); + $res->{$section}->{$group} = []; next; } @@ -2005,29 +2041,26 @@ sub parse_cluster_fw_rules { } push @{$res->{$section}->{$group}}, $rule; } elsif ($section eq 'ipset') { - chomp $line; - $line =~ m/^(\!)?\s*((\d+)\.(\d+)\.(\d+)\.(\d+)(\/(\d+))?)/; + # we can add single line comments to the end of the rule + my $comment = decode('utf8', $1) if $line =~ s/#\s*(.*?)\s*$//; + + $line =~ m/^(\!)?\s*(\S+)\s*$/; my $nomatch = $1; - my $ip = $2; + my $cidr = $2; - if(!$ip){ - warn "$prefix: $line is not an valid ip address\n"; - next; - } - if (!Net::IP->new($ip)) { - warn "$prefix: $line is not an valid ip address\n"; + $cidr =~ s|/32$||; + + eval { pve_verify_ipv4_or_cidr($cidr); }; + if (my $err = $@) { + warn "$prefix: $cidr - $err"; next; } - if ($nomatch) { - if ($feature_ipset_nomatch) { - push @{$res->{$section}->{$group}}, "$ip nomatch"; - } else { - warn "$prefix: ignore $line - nomatch not supported by kernel\n"; - } - } else { - push @{$res->{$section}->{$group}}, $ip; - } + my $entry = { cidr => $cidr }; + $entry->{nomatch} = 1 if $nomatch; + $entry->{comment} = $comment if $comment; + + push @{$res->{$section}->{$group}}, $entry; } } @@ -2102,7 +2135,7 @@ my $format_rules = sub { my $raw = ''; foreach my $rule (@$rules) { - if ($rule->{type} eq 'in' || $rule->{type} eq 'out') { + if ($rule->{type} eq 'in' || $rule->{type} eq 'out' || $rule->{type} eq 'group') { $raw .= '|' if defined($rule->{enable}) && !$rule->{enable}; $raw .= uc($rule->{type}); if ($rule->{macro}) { @@ -2111,16 +2144,20 @@ my $format_rules = sub { $raw .= " " . $rule->{action}; } $raw .= " " . ($rule->{iface} || '-') if $need_iface; - $raw .= " " . ($rule->{source} || '-'); - $raw .= " " . ($rule->{dest} || '-'); - $raw .= " " . ($rule->{proto} || '-'); - $raw .= " " . ($rule->{dport} || '-'); - $raw .= " " . ($rule->{sport} || '-'); + + if ($rule->{type} ne 'group') { + $raw .= " " . ($rule->{source} || '-'); + $raw .= " " . ($rule->{dest} || '-'); + $raw .= " " . ($rule->{proto} || '-'); + $raw .= " " . ($rule->{dport} || '-'); + $raw .= " " . ($rule->{sport} || '-'); + } + $raw .= " # " . encode('utf8', $rule->{comment}) if $rule->{comment} && $rule->{comment} !~ m/^\s*$/; $raw .= "\n"; } else { - die "implement me '$rule->{type}'"; + die "unknown rule type '$rule->{type}'"; } } @@ -2141,6 +2178,28 @@ my $format_options = sub { return $raw; }; +my $format_ipset = sub { + my ($options) = @_; + + my $raw = ''; + + my $nethash = {}; + foreach my $entry (@$options) { + $nethash->{$entry->{cidr}} = $entry; + } + + foreach my $cidr (sort keys %$nethash) { + my $entry = $nethash->{$cidr}; + my $line = $entry->{nomatch} ? '!' : ''; + $line .= $entry->{cidr}; + $line .= " # " . encode('utf8', $entry->{comment}) + if $entry->{comment} && $entry->{comment} !~ m/^\s*$/; + $raw .= "$line\n"; + } + + return $raw; +}; + sub save_vmfw_conf { my ($vmid, $vmfw_conf) = @_; @@ -2240,8 +2299,25 @@ sub generate_ipset { push @{$ipset_ruleset->{$name}}, "create $name hash:net family inet hashsize $hashsize maxelem $hashsize"; - foreach my $ip (@$options) { - push @{$ipset_ruleset->{$name}}, "add $name $ip"; + # remove duplicates + my $nethash = {}; + foreach my $entry (@$options) { + $nethash->{$entry->{cidr}} = $entry; + } + + foreach my $cidr (sort keys %$nethash) { + my $entry = $nethash->{$cidr}; + + my $cmd = "add $name $cidr"; + if ($entry->{nomatch}) { + if ($feature_ipset_nomatch) { + push @{$ipset_ruleset->{$name}}, "$cmd nomatch"; + } else { + warn "ignore !$cidr - nomatch not supported by kernel\n"; + } + } else { + push @{$ipset_ruleset->{$name}}, $cmd; + } } } @@ -2323,7 +2399,12 @@ sub save_clusterfw_conf { my $options = $cluster_conf->{options}; $raw .= &$format_options($options) if scalar(keys %$options); - # fixme: save ipset + foreach my $ipset (sort keys %{$cluster_conf->{ipset}}) { + $raw .= "[IPSET $ipset]\n\n"; + my $options = $cluster_conf->{ipset}->{$ipset}; + $raw .= &$format_ipset($options); + $raw .= "\n"; + } my $rules = $cluster_conf->{rules}; if (scalar(@$rules)) { @@ -2602,6 +2683,13 @@ sub get_ipset_cmdlist { my $active_chains = ipset_get_chains(); my $statushash = get_ruleset_status($ruleset, $active_chains, \&ipset_chain_digest, $verbose); + # remove stale _swap chains + foreach my $chain (keys %$active_chains) { + if ($chain =~ m/^PVEFW-\S+_swap$/) { + $cmdlist .= "destroy $chain\n"; + } + } + foreach my $chain (sort keys %$ruleset) { my $stat = $statushash->{$chain}; die "internal error" if !$stat;