X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=5f96c8a8cc3c02eb126c9bde3b065ec05a519c49;hb=a523e0578dfac2575074cf765994a055e0ae0fb6;hp=cacfedcf19b936947f3bdbdf50632853c05791a4;hpb=b1ef6d2e715d6aeaf67d53ca3270f0d247c407d9;p=pve-firewall.git diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index cacfedc..5f96c8a 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -855,7 +855,8 @@ sub copy_list_with_digest { my $v = $entry->{$k}; next if !defined($v); $data->{$k} = $v; - $sha->add($k, ':', $v, "\n"); + # Note: digest ignores refs ($rule->{errors}) + $sha->add($k, ':', $v, "\n") if !ref($v); ; } push @$res, $data; } @@ -915,12 +916,10 @@ my $rule_properties = { sport => { type => 'string', format => 'pve-fw-port-spec', optional => 1, - requires => 'proto', }, dport => { type => 'string', format => 'pve-fw-port-spec', optional => 1, - requires => 'proto', }, comment => { type => 'string', @@ -1005,61 +1004,143 @@ my $apply_macro = sub { return $rules; }; +my $rule_env_iface_lookup = { + 'ct' => 1, + 'vm' => 1, + 'group' => 0, + 'cluster' => 1, + 'host' => 1, +}; + sub verify_rule { - my ($rule, $allow_groups) = @_; + my ($rule, $cluster_conf, $fw_conf, $rule_env, $noerr) = @_; - my $type = $rule->{type}; + my $allow_groups = $rule_env eq 'group' ? 0 : 1; + + my $allow_iface = $rule_env_iface_lookup->{$rule_env}; + die "unknown rule_env '$rule_env'\n" if !defined($allow_iface); # should not happen - raise_param_exc({ type => "missing property"}) if !$type; - raise_param_exc({ action => "missing property"}) if !$rule->{action}; - - if ($type eq 'in' || $type eq 'out') { - raise_param_exc({ action => "unknown action '$rule->{action}'"}) - if $rule->{action} !~ m/^(ACCEPT|DROP|REJECT)$/; - } elsif ($type eq 'group') { - raise_param_exc({ type => "security groups not allowed"}) - if !$allow_groups; - raise_param_exc({ action => "invalid characters in security group name"}) - if $rule->{action} !~ m/^${security_group_name_pattern}$/; - } else { - raise_param_exc({ type => "unknown rule type '$type'"}); + my $errors = $rule->{errors} || {}; + + my $error_count = 0; + + my $add_error = sub { + my ($param, $msg) = @_; + chomp $msg; + raise_param_exc({ $param => $msg }) if !$noerr; + $error_count++; + $errors->{$param} = $msg if !$errors->{$param}; + }; + + my $check_ipset_or_alias_property = sub { + my ($name) = @_; + + if (my $value = $rule->{$name}) { + if ($value =~ m/^\+/) { + if ($value =~ m/^\+(${security_group_name_pattern})$/) { + &$add_error($name, "no such ipset '$1'") + if !($cluster_conf->{ipset}->{$1} || ($fw_conf && $fw_conf->{ipset}->{$1})); + + } else { + &$add_error($name, "invalid security group name '$value'"); + } + } elsif ($value =~ m/^${ip_alias_pattern}$/){ + my $alias = lc($value); + &$add_error($name, "no such alias '$value'") + if !($cluster_conf->{aliases}->{$alias} || ($fw_conf && $fw_conf->{aliases}->{$alias})) + } + } + }; + + my $type = $rule->{type}; + my $action = $rule->{action}; + + &$add_error('type', "missing property") if !$type; + &$add_error('action', "missing property") if !$action; + + if ($type) { + if ($type eq 'in' || $type eq 'out') { + &$add_error('action', "unknown action '$action'") + if $action && ($action !~ m/^(ACCEPT|DROP|REJECT)$/); + } elsif ($type eq 'group') { + &$add_error('type', "security groups not allowed") + if !$allow_groups; + &$add_error('action', "invalid characters in security group name") + if $action && ($action !~ m/^${security_group_name_pattern}$/); + } else { + &$add_error('type', "unknown rule type '$type'"); + } } if ($rule->{iface}) { + &$add_error('type', "parameter -i not allowed for this rule type") + if !$allow_iface; eval { PVE::JSONSchema::pve_verify_iface($rule->{iface}); }; - raise_param_exc({ iface => $@ }) if $@; - } + &$add_error('iface', $@) if $@; + if ($rule_env eq 'vm') { + &$add_error('iface', "value does not match the regex pattern 'net\\d+'") + if $rule->{iface} !~ m/^net(\d+)$/; + } elsif ($rule_env eq 'ct') { + &$add_error('iface', "value does not match the regex pattern '(venet|eth\\d+)'") + if $rule->{iface} !~ m/^(venet|eth(\d+))$/; + } + } if ($rule->{macro}) { - my $preferred_name = $pve_fw_preferred_macro_names->{lc($rule->{macro})}; - raise_param_exc({ macro => "unknown macro '$rule->{macro}'"}) if !$preferred_name; - $rule->{macro} = $preferred_name; + if (my $preferred_name = $pve_fw_preferred_macro_names->{lc($rule->{macro})}) { + $rule->{macro} = $preferred_name; + } else { + &$add_error('macro', "unknown macro '$rule->{macro}'"); + } + } + + if ($rule->{proto}) { + eval { pve_fw_verify_protocol_spec($rule->{proto}); }; + &$add_error('proto', $@) if $@; } if ($rule->{dport}) { eval { parse_port_name_number_or_range($rule->{dport}); }; - raise_param_exc({ dport => $@ }) if $@; + &$add_error('dport', $@) if $@; + &$add_error('proto', "missing property - 'dport' requires this property") + if !$rule->{proto}; } if ($rule->{sport}) { eval { parse_port_name_number_or_range($rule->{sport}); }; - raise_param_exc({ sport => $@ }) if $@; + &$add_error('sport', $@) if $@; + &$add_error('proto', "missing property - 'sport' requires this property") + if !$rule->{proto}; } if ($rule->{source}) { eval { parse_address_list($rule->{source}); }; - raise_param_exc({ source => $@ }) if $@; + &$add_error('source', $@) if $@; + &$check_ipset_or_alias_property('source'); } if ($rule->{dest}) { eval { parse_address_list($rule->{dest}); }; - raise_param_exc({ dest => $@ }) if $@; + &$add_error('dest', $@) if $@; + &$check_ipset_or_alias_property('dest'); } - if ($rule->{macro}) { - &$apply_macro($rule->{macro}, $rule, 1); + if ($rule->{macro} && !$error_count) { + eval { &$apply_macro($rule->{macro}, $rule, 1); }; + if (my $err = $@) { + if (ref($err) eq "PVE::Exception" && $err->{errors}) { + my $eh = $err->{errors}; + foreach my $p (keys %$eh) { + &$add_error($p, $eh->{$p}); + } + } else { + &$add_error('macro', "$err"); + } + } } + $rule->{errors} = $errors if $error_count; + return $rule; } @@ -1073,13 +1154,9 @@ sub copy_rule_data { } else { $rule->{$k} = $v; } - } else { - delete $rule->{$k}; } } - # verify rule now - return $rule; } @@ -1226,6 +1303,7 @@ sub ruleset_generate_cmdstr { my ($ruleset, $chain, $rule, $actions, $goto, $cluster_conf) = @_; return if defined($rule->{enable}) && !$rule->{enable}; + return if $rule->{errors}; die "unable to emit macro - internal error" if $rule->{macro}; # should not happen @@ -1820,77 +1898,64 @@ for (my $i = 0; $i < $MAX_NETS; $i++) { } sub parse_fw_rule { - my ($line, $allow_iface, $allow_groups) = @_; - - my ($type, $action, $macro, $iface, $source, $dest, $proto, $dport, $sport); + my ($prefix, $line, $cluster_conf, $fw_conf, $rule_env, $verbose) = @_; chomp $line; + my $orig_line = $line; + + my $rule = {}; + # we can add single line comments to the end of the rule - my $comment = decode('utf8', $1) if $line =~ s/#\s*(.*?)\s*$//; + if ($line =~ s/#\s*(.*?)\s*$//) { + $rule->{comment} = decode('utf8', $1); + } # we can disable a rule when prefixed with '|' - my $enable = 1; - $enable = 0 if $line =~ s/^\|//; + $rule->{enable} = $line =~ s/^\|// ? 0 : 1; $line =~ s/^(\S+)\s+(\S+)\s*// || die "unable to parse rule: $line\n"; - - $type = lc($1); - $action = $2; - - if ($type eq 'in' || $type eq 'out') { - if ($action =~ m/^(ACCEPT|DROP|REJECT)$/) { - # OK - } elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) { - $action = $2; - my $preferred_name = $pve_fw_preferred_macro_names->{lc($1)}; - die "unknown macro '$1'\n" if !$preferred_name; - $macro = $preferred_name; - } else { - die "unknown action '$action'\n"; + + $rule->{type} = lc($1); + $rule->{action} = $2; + + if ($rule->{type} eq 'in' || $rule->{type} eq 'out') { + if ($rule->{action} =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) { + $rule->{macro} = $1; + $rule->{action} = $2; } - } elsif ($type eq 'group') { - die "groups disabled\n" if !$allow_groups; - die "invalid characters in group name\n" if $action !~ m/^${security_group_name_pattern}$/; - } else { - die "unknown rule type '$type'\n"; } while (length($line)) { if ($line =~ s/^-i (\S+)\s*//) { - die "parameter -i not allowed\n" if !$allow_iface; - $iface = $1; - PVE::JSONSchema::pve_verify_iface($iface); + $rule->{iface} = $1; next; } - last if $type eq 'group'; + last if $rule->{type} eq 'group'; if ($line =~ s/^-p (\S+)\s*//) { - $proto = $1; - pve_fw_verify_protocol_spec($proto); + $rule->{proto} = $1; next; } + if ($line =~ s/^-dport (\S+)\s*//) { - $dport = $1; - parse_port_name_number_or_range($dport); + $rule->{dport} = $1; next; } + if ($line =~ s/^-sport (\S+)\s*//) { - $sport = $1; - parse_port_name_number_or_range($sport); + $rule->{sport} = $1; next; } if ($line =~ s/^-source (\S+)\s*//) { - $source = $1; - parse_address_list($source); + $rule->{source} = $1; next; } if ($line =~ s/^-dest (\S+)\s*//) { - $dest = $1; - parse_address_list($dest); + $rule->{dest} = $1; next; } @@ -1899,19 +1964,15 @@ sub parse_fw_rule { die "unable to parse rule parameters: $line\n" if length($line); - return { - type => $type, - enable => $enable, - comment => $comment, - action => $action, - macro => $macro, - iface => $iface, - source => $source, - dest => $dest, - proto => $proto, - dport => $dport, - sport => $sport, - }; + $rule = verify_rule($rule, $cluster_conf, $fw_conf, $rule_env, 1); + if ($verbose && $rule->{errors}) { + warn "$prefix - errors in rule parameters: $orig_line\n"; + foreach my $p (keys %{$rule->{errors}}) { + warn " $p: $rule->{errors}->{$p}\n"; + } + } + + return $rule; } sub parse_vmfw_option { @@ -2006,7 +2067,7 @@ sub parse_alias { } sub parse_vm_fw_rules { - my ($filename, $fh) = @_; + my ($filename, $fh, $cluster_conf, $rule_env, $verbose) = @_; my $res = { rules => [], @@ -2054,7 +2115,7 @@ sub parse_vm_fw_rules { } my $rule; - eval { $rule = parse_fw_rule($line, 1, 1); }; + eval { $rule = parse_fw_rule($prefix, $line, $cluster_conf, $res, $rule_env, $verbose); }; if (my $err = $@) { warn "$prefix: $err"; next; @@ -2067,7 +2128,7 @@ sub parse_vm_fw_rules { } sub parse_host_fw_rules { - my ($filename, $fh) = @_; + my ($filename, $fh, $cluster_conf, $verbose) = @_; my $res = { rules => [], options => {}}; @@ -2102,7 +2163,7 @@ sub parse_host_fw_rules { } my $rule; - eval { $rule = parse_fw_rule($line, 1, 1); }; + eval { $rule = parse_fw_rule($prefix, $line, $cluster_conf, $res, 'host', $verbose); }; if (my $err = $@) { warn "$prefix: $err"; next; @@ -2115,7 +2176,7 @@ sub parse_host_fw_rules { } sub parse_cluster_fw_rules { - my ($filename, $fh) = @_; + my ($filename, $fh, $verbose) = @_; my $section; my $group; @@ -2191,7 +2252,7 @@ sub parse_cluster_fw_rules { warn "$prefix: $@" if $@; } elsif ($section eq 'rules') { my $rule; - eval { $rule = parse_fw_rule($line, 1, 1); }; + eval { $rule = parse_fw_rule($prefix, $line, $res, undef, 'cluster', $verbose); }; if (my $err = $@) { warn "$prefix: $err"; next; @@ -2199,7 +2260,7 @@ sub parse_cluster_fw_rules { push @{$res->{$section}}, $rule; } elsif ($section eq 'groups') { my $rule; - eval { $rule = parse_fw_rule($line, 0, 0); }; + eval { $rule = parse_fw_rule($prefix, $line, $res, undef, 'group', $verbose); }; if (my $err = $@) { warn "$prefix: $err"; next; @@ -2283,7 +2344,7 @@ sub read_local_vm_config { }; sub load_vmfw_conf { - my ($vmid, $dir) = @_; + my ($cluster_conf, $rule_env, $vmid, $dir, $verbose) = @_; my $vmfw_conf = {}; @@ -2291,7 +2352,7 @@ sub load_vmfw_conf { my $filename = "$dir/$vmid.fw"; if (my $fh = IO::File->new($filename, O_RDONLY)) { - $vmfw_conf = parse_vm_fw_rules($filename, $fh); + $vmfw_conf = parse_vm_fw_rules($filename, $fh, $cluster_conf, $rule_env, $verbose); } return $vmfw_conf; @@ -2411,12 +2472,17 @@ sub save_vmfw_conf { } sub read_vm_firewall_configs { - my ($vmdata, $dir) = @_; + my ($cluster_conf, $vmdata, $dir, $verbose) = @_; my $vmfw_configs = {}; - foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) { - my $vmfw_conf = load_vmfw_conf($vmid, $dir); + foreach my $vmid (keys %{$vmdata->{qemu}}) { + my $vmfw_conf = load_vmfw_conf($cluster_conf, 'vm', $vmid, $dir, $verbose); + next if !$vmfw_conf->{options}; # skip if file does not exists + $vmfw_configs->{$vmid} = $vmfw_conf; + } + foreach my $vmid (keys %{$vmdata->{openvz}}) { + my $vmfw_conf = load_vmfw_conf($cluster_conf, 'ct', $vmid, $dir, $verbose); next if !$vmfw_conf->{options}; # skip if file does not exists $vmfw_configs->{$vmid} = $vmfw_conf; } @@ -2536,13 +2602,13 @@ sub round_powerof2 { } sub load_clusterfw_conf { - my ($filename) = @_; + my ($filename, $verbose) = @_; $filename = $clusterfw_conf_filename if !defined($filename); my $cluster_conf = {}; if (my $fh = IO::File->new($filename, O_RDONLY)) { - $cluster_conf = parse_cluster_fw_rules($filename, $fh); + $cluster_conf = parse_cluster_fw_rules($filename, $fh, $verbose); } return $cluster_conf; @@ -2595,13 +2661,13 @@ sub save_clusterfw_conf { } sub load_hostfw_conf { - my ($filename) = @_; + my ($cluster_conf, $filename, $verbose) = @_; $filename = $hostfw_conf_filename if !defined($filename); my $hostfw_conf = {}; if (my $fh = IO::File->new($filename, O_RDONLY)) { - $hostfw_conf = parse_host_fw_rules($filename, $fh); + $hostfw_conf = parse_host_fw_rules($filename, $fh, $cluster_conf, $verbose); } return $hostfw_conf; } @@ -2625,29 +2691,28 @@ sub save_hostfw_conf { } sub compile { - my ($cluster_conf, $hostfw_conf, $vmdata) = @_; + my ($cluster_conf, $hostfw_conf, $vmdata, $verbose) = @_; my $vmfw_configs; if ($vmdata) { # test mode my $testdir = $vmdata->{testdir} || die "no test directory specified"; my $filename = "$testdir/cluster.fw"; - $cluster_conf = load_clusterfw_conf($filename); + $cluster_conf = load_clusterfw_conf($filename, $verbose); $filename = "$testdir/host.fw"; - $hostfw_conf = load_hostfw_conf($filename); + $hostfw_conf = load_hostfw_conf($cluster_conf, $filename, $verbose); - $vmfw_configs = read_vm_firewall_configs($vmdata, $testdir); + $vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, $testdir, $verbose); } else { # normal operation - $cluster_conf = load_clusterfw_conf() if !$cluster_conf; + $cluster_conf = load_clusterfw_conf(undef, $verbose) if !$cluster_conf; - $hostfw_conf = load_hostfw_conf() if !$hostfw_conf; + $hostfw_conf = load_hostfw_conf($cluster_conf, undef, $verbose) if !$hostfw_conf; $vmdata = read_local_vm_config(); - $vmfw_configs = read_vm_firewall_configs($vmdata); + $vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, undef, $verbose); } - $cluster_conf->{ipset}->{venet0} = []; my $localnet; @@ -3056,8 +3121,6 @@ sub init { } sub update { - my ($verbose) = @_; - my $code = sub { my $cluster_conf = load_clusterfw_conf(); @@ -3069,7 +3132,6 @@ sub update { if (!$enable) { PVE::Firewall::remove_pvefw_chains(); - print "Firewall disabled\n" if $verbose; return; } @@ -3077,7 +3139,7 @@ sub update { my ($ruleset, $ipset_ruleset) = compile($cluster_conf, $hostfw_conf); - apply_ruleset($ruleset, $hostfw_conf, $ipset_ruleset, $verbose); + apply_ruleset($ruleset, $hostfw_conf, $ipset_ruleset); }; run_locked($code);