X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=f009e58ec93f16a60c5c049bf8454d5031536855;hb=e4882cff462276e51fa511f7baa38b776afbc99d;hp=4c1586afec58bb8f91639af7a942b93914c31e06;hpb=37ef1ce1bc8b880f9fe2f9b2c43fb314d4fdba63;p=pve-firewall.git diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm index 4c1586a..f009e58 100644 --- a/src/PVE/Firewall.pm +++ b/src/PVE/Firewall.pm @@ -12,12 +12,15 @@ use PVE::JSONSchema qw(register_standard_option get_standard_option); use PVE::Cluster; use PVE::ProcFSTools; use PVE::Tools qw($IPV4RE $IPV6RE); +use PVE::Network; +use PVE::SafeSyslog; use File::Basename; use File::Path; use IO::File; use Net::IP; use PVE::Tools qw(run_command lock_file dir_glob_foreach); use Encode; +use Storable qw(dclone); my $hostfw_conf_filename = "/etc/pve/local/host.fw"; my $pvefw_conf_dir = "/etc/pve/firewall"; @@ -49,7 +52,15 @@ our $ip_alias_pattern = '[A-Za-z][A-Za-z0-9\-\_]+'; my $max_alias_name_length = 64; my $max_ipset_name_length = 64; -my $max_group_name_length = 20; +my $max_group_name_length = 18; + +my $PROTOCOLS_WITH_PORTS = { + udp => 1, 17 => 1, + udplite => 1, 136 => 1, + tcp => 1, 6 => 1, + dccp => 1, 33 => 1, + sctp => 1, 132 => 1, +}; PVE::JSONSchema::register_format('IPorCIDR', \&pve_verify_ip_or_cidr); sub pve_verify_ip_or_cidr { @@ -132,6 +143,20 @@ my $log_level_hash = { emerg => 0, }; +# %rule +# +# name => optional +# action => +# proto => +# sport => +# dport => +# log => optional, loglevel +# logmsg => optional, logmsg - overwrites default +# iface_in +# iface_out +# match => optional, overwrites generation of match +# target => optional, overwrites action + # we need to overwrite some macros for ipv6 my $pve_ipv6fw_macros = { 'Ping' => [ @@ -321,6 +346,10 @@ my $pve_fw_macros = { { action => 'PARAM', proto => 'tcp', dport => '465' }, { action => 'PARAM', proto => 'tcp', dport => '587' }, ], + 'MDNS' => [ + "Multicast DNS", + { action => 'PARAM', proto => 'udp', dport => '5353' }, + ], 'Munin' => [ "Munin networked resource monitoring traffic", { action => 'PARAM', proto => 'tcp', dport => '4949' }, @@ -520,9 +549,10 @@ my $FWACCEPTMARK_ON = "0x80000000/0x80000000"; my $FWACCEPTMARK_OFF = "0x00000000/0x80000000"; my $pve_std_chains = {}; -$pve_std_chains->{4} = { +my $pve_std_chains_conf = {}; +$pve_std_chains_conf->{4} = { 'PVEFW-SET-ACCEPT-MARK' => [ - "-j MARK --set-mark $FWACCEPTMARK_ON", + { target => "-j MARK --set-mark $FWACCEPTMARK_ON" }, ], 'PVEFW-DropBroadcast' => [ # same as shorewall 'Broadcast' @@ -538,10 +568,10 @@ $pve_std_chains->{4} = { { action => 'DROP', dsttype => 'BROADCAST' }, { action => 'DROP', source => '224.0.0.0/4' }, { action => 'DROP', proto => 'icmp' }, - "-p tcp -j REJECT --reject-with tcp-reset", - "-p udp -j REJECT --reject-with icmp-port-unreachable", - "-p icmp -j REJECT --reject-with icmp-host-unreachable", - "-j REJECT --reject-with icmp-host-prohibited", + { match => '-p tcp', target => '-j REJECT --reject-with tcp-reset' }, + { match => '-p udp', target => '-j REJECT --reject-with icmp-port-unreachable' }, + { match => '-p icmp', target => '-j REJECT --reject-with icmp-host-unreachable' }, + { target => '-j REJECT --reject-with icmp-host-prohibited' }, ], 'PVEFW-Drop' => [ # same as shorewall 'Drop', which is equal to DROP, @@ -554,15 +584,15 @@ $pve_std_chains->{4} = { { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' }, { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' }, # Drop packets with INVALID state - "-m conntrack --ctstate INVALID -j DROP", + { action => 'DROP', match => '-m conntrack --ctstate INVALID', }, # Drop Microsoft SMB noise - { action => 'DROP', proto => 'udp', dport => '135,445', nbdport => 2 }, - { action => 'DROP', proto => 'udp', dport => '137:139'}, + { action => 'DROP', proto => 'udp', dport => '135,445' }, + { action => 'DROP', proto => 'udp', dport => '137:139' }, { action => 'DROP', proto => 'udp', dport => '1024:65535', sport => 137 }, - { action => 'DROP', proto => 'tcp', dport => '135,139,445', nbdport => 3 }, + { action => 'DROP', proto => 'tcp', dport => '135,139,445' }, { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP # Drop new/NotSyn traffic so that it doesn't get logged - "-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP", + { action => 'DROP', match => '-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN' }, # Drop DNS replies { action => 'DROP', proto => 'udp', sport => 53 }, ], @@ -577,119 +607,126 @@ $pve_std_chains->{4} = { { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' }, { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' }, # Drop packets with INVALID state - "-m conntrack --ctstate INVALID -j DROP", + { action => 'DROP', match => '-m conntrack --ctstate INVALID', }, # Drop Microsoft SMB noise - { action => 'PVEFW-reject', proto => 'udp', dport => '135,445', nbdport => 2 }, + { action => 'PVEFW-reject', proto => 'udp', dport => '135,445' }, { action => 'PVEFW-reject', proto => 'udp', dport => '137:139'}, { action => 'PVEFW-reject', proto => 'udp', dport => '1024:65535', sport => 137 }, - { action => 'PVEFW-reject', proto => 'tcp', dport => '135,139,445', nbdport => 3 }, + { action => 'PVEFW-reject', proto => 'tcp', dport => '135,139,445' }, { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP # Drop new/NotSyn traffic so that it doesn't get logged - "-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP", + { action => 'DROP', match => '-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN' }, # Drop DNS replies { action => 'DROP', proto => 'udp', sport => 53 }, ], 'PVEFW-tcpflags' => [ # same as shorewall tcpflags action. # Packets arriving on this interface are checked for som illegal combinations of TCP flags - "-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags", - "-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags", - "-p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags", - "-p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags", - "-p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags", + { match => '-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG', target => '-g PVEFW-logflags' }, + { match => '-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE', target => '-g PVEFW-logflags' }, + { match => '-p tcp -m tcp --tcp-flags SYN,RST SYN,RST', target => '-g PVEFW-logflags' }, + { match => '-p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN', target => '-g PVEFW-logflags' }, + { match => '-p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN', target => '-g PVEFW-logflags' }, ], 'PVEFW-smurfs' => [ # same as shorewall smurfs action # Filter packets for smurfs (packets with a broadcast address as the source). - "-s 0.0.0.0/32 -j RETURN", # allow DHCP - "-m addrtype --src-type BROADCAST -g PVEFW-smurflog", - "-s 224.0.0.0/4 -g PVEFW-smurflog", + { match => '-s 0.0.0.0/32', target => '-j RETURN' }, # allow DHCP + { match => '-m addrtype --src-type BROADCAST', target => '-g PVEFW-smurflog' }, + { match => '-s 224.0.0.0/4', target => '-g PVEFW-smurflog' }, + ], + 'PVEFW-smurflog' => [ + { action => 'DROP', logmsg => 'DROP: ' }, + ], + 'PVEFW-logflags' => [ + { action => 'DROP', logmsg => 'DROP: ' }, ], }; -$pve_std_chains->{6} = { +$pve_std_chains_conf->{6} = { 'PVEFW-SET-ACCEPT-MARK' => [ - "-j MARK --set-mark $FWACCEPTMARK_ON", + { target => "-j MARK --set-mark $FWACCEPTMARK_ON" }, ], 'PVEFW-DropBroadcast' => [ - # same as shorewall 'Broadcast' - # simply DROP BROADCAST/MULTICAST/ANYCAST - # we can use this to reduce logging - #{ action => 'DROP', dsttype => 'BROADCAST' }, #no broadcast in ipv6 + # same as shorewall 'Broadcast' + # simply DROP BROADCAST/MULTICAST/ANYCAST + # we can use this to reduce logging + #{ action => 'DROP', dsttype => 'BROADCAST' }, #no broadcast in ipv6 # ipv6 addrtype does not work with kernel 2.6.32 #{ action => 'DROP', dsttype => 'MULTICAST' }, - #{ action => 'DROP', dsttype => 'ANYCAST' }, - { action => 'DROP', dest => 'ff00::/8' }, - #{ action => 'DROP', dest => '224.0.0.0/4' }, + #{ action => 'DROP', dsttype => 'ANYCAST' }, + { action => 'DROP', dest => 'ff00::/8' }, + #{ action => 'DROP', dest => '224.0.0.0/4' }, ], 'PVEFW-reject' => [ - # same as shorewall 'reject' - #{ action => 'DROP', dsttype => 'BROADCAST' }, - #{ action => 'DROP', source => '224.0.0.0/4' }, + # same as shorewall 'reject' + #{ action => 'DROP', dsttype => 'BROADCAST' }, + #{ action => 'DROP', source => '224.0.0.0/4' }, { action => 'DROP', proto => 'icmpv6' }, - "-p tcp -j REJECT --reject-with tcp-reset", - #"-p udp -j REJECT --reject-with icmp-port-unreachable", - #"-p icmp -j REJECT --reject-with icmp-host-unreachable", - #"-j REJECT --reject-with icmp-host-prohibited", + { match => '-p tcp', target => '-j REJECT --reject-with tcp-reset' }, + #"-p udp -j REJECT --reject-with icmp-port-unreachable", + #"-p icmp -j REJECT --reject-with icmp-host-unreachable", + #"-j REJECT --reject-with icmp-host-prohibited", ], 'PVEFW-Drop' => [ - # same as shorewall 'Drop', which is equal to DROP, - # but REJECT/DROP some packages to reduce logging, - # and ACCEPT critical ICMP types + # same as shorewall 'Drop', which is equal to DROP, + # but REJECT/DROP some packages to reduce logging, + # and ACCEPT critical ICMP types { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth' - # we are not interested in BROADCAST/MULTICAST/ANYCAST - { action => 'PVEFW-DropBroadcast' }, - # ACCEPT critical ICMP types - { action => 'ACCEPT', proto => 'icmpv6', dport => 'destination-unreachable' }, - { action => 'ACCEPT', proto => 'icmpv6', dport => 'time-exceeded' }, - { action => 'ACCEPT', proto => 'icmpv6', dport => 'packet-too-big' }, - - # Drop packets with INVALID state - "-m conntrack --ctstate INVALID -j DROP", - # Drop Microsoft SMB noise - { action => 'DROP', proto => 'udp', dport => '135,445', nbdport => 2 }, + # we are not interested in BROADCAST/MULTICAST/ANYCAST + { action => 'PVEFW-DropBroadcast' }, + # ACCEPT critical ICMP types + { action => 'ACCEPT', proto => 'icmpv6', dport => 'destination-unreachable' }, + { action => 'ACCEPT', proto => 'icmpv6', dport => 'time-exceeded' }, + { action => 'ACCEPT', proto => 'icmpv6', dport => 'packet-too-big' }, + # Drop packets with INVALID state + { action => 'DROP', match => '-m conntrack --ctstate INVALID', }, + # Drop Microsoft SMB noise + { action => 'DROP', proto => 'udp', dport => '135,445' }, { action => 'DROP', proto => 'udp', dport => '137:139'}, { action => 'DROP', proto => 'udp', dport => '1024:65535', sport => 137 }, - { action => 'DROP', proto => 'tcp', dport => '135,139,445', nbdport => 3 }, + { action => 'DROP', proto => 'tcp', dport => '135,139,445' }, { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP - # Drop new/NotSyn traffic so that it doesn't get logged - "-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP", - # Drop DNS replies + # Drop new/NotSyn traffic so that it doesn't get logged + { action => 'DROP', match => '-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN' }, + # Drop DNS replies { action => 'DROP', proto => 'udp', sport => 53 }, ], 'PVEFW-Reject' => [ - # same as shorewall 'Reject', which is equal to Reject, - # but REJECT/DROP some packages to reduce logging, - # and ACCEPT critical ICMP types - { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth' - # we are not interested in BROADCAST/MULTICAST/ANYCAST - { action => 'PVEFW-DropBroadcast' }, - # ACCEPT critical ICMP types - { action => 'ACCEPT', proto => 'icmpv6', dport => 'destination-unreachable' }, - { action => 'ACCEPT', proto => 'icmpv6', dport => 'time-exceeded' }, - { action => 'ACCEPT', proto => 'icmpv6', dport => 'packet-too-big' }, - - # Drop packets with INVALID state - "-m conntrack --ctstate INVALID -j DROP", - # Drop Microsoft SMB noise - { action => 'PVEFW-reject', proto => 'udp', dport => '135,445', nbdport => 2 }, - { action => 'PVEFW-reject', proto => 'udp', dport => '137:139'}, - { action => 'PVEFW-reject', proto => 'udp', dport => '1024:65535', sport => 137 }, - { action => 'PVEFW-reject', proto => 'tcp', dport => '135,139,445', nbdport => 3 }, - { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP - # Drop new/NotSyn traffic so that it doesn't get logged - "-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP", - # Drop DNS replies - { action => 'DROP', proto => 'udp', sport => 53 }, + # same as shorewall 'Reject', which is equal to Reject, + # but REJECT/DROP some packages to reduce logging, + # and ACCEPT critical ICMP types + { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth' + # we are not interested in BROADCAST/MULTICAST/ANYCAST + { action => 'PVEFW-DropBroadcast' }, + # ACCEPT critical ICMP types + { action => 'ACCEPT', proto => 'icmpv6', dport => 'destination-unreachable' }, + { action => 'ACCEPT', proto => 'icmpv6', dport => 'time-exceeded' }, + { action => 'ACCEPT', proto => 'icmpv6', dport => 'packet-too-big' }, + # Drop packets with INVALID state + { action => 'DROP', match => '-m conntrack --ctstate INVALID', }, + # Drop Microsoft SMB noise + { action => 'PVEFW-reject', proto => 'udp', dport => '135,445' }, + { action => 'PVEFW-reject', proto => 'udp', dport => '137:139' }, + { action => 'PVEFW-reject', proto => 'udp', dport => '1024:65535', sport => 137 }, + { action => 'PVEFW-reject', proto => 'tcp', dport => '135,139,445' }, + { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP + # Drop new/NotSyn traffic so that it doesn't get logged + { action => 'DROP', match => '-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN' }, + # Drop DNS replies + { action => 'DROP', proto => 'udp', sport => 53 }, ], 'PVEFW-tcpflags' => [ - # same as shorewall tcpflags action. - # Packets arriving on this interface are checked for som illegal combinations of TCP flags - "-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags", - "-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags", - "-p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags", - "-p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags", - "-p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags", + # same as shorewall tcpflags action. + # Packets arriving on this interface are checked for som illegal combinations of TCP flags + { match => '-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG', target => '-g PVEFW-logflags' }, + { match => '-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE', target => '-g PVEFW-logflags' }, + { match => '-p tcp -m tcp --tcp-flags SYN,RST SYN,RST', target => '-g PVEFW-logflags' }, + { match => '-p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN', target => '-g PVEFW-logflags' }, + { match => '-p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN', target => '-g PVEFW-logflags' }, + ], + 'PVEFW-logflags' => [ + { action => 'DROP', logmsg => 'DROP: ' }, ], }; @@ -875,24 +912,6 @@ sub get_etc_protocols { return $etc_protocols; } -my $ipv4_mask_hash_localnet = { - '255.255.0.0' => 16, - '255.255.128.0' => 17, - '255.255.192.0' => 18, - '255.255.224.0' => 19, - '255.255.240.0' => 20, - '255.255.248.0' => 21, - '255.255.252.0' => 22, - '255.255.254.0' => 23, - '255.255.255.0' => 24, - '255.255.255.128' => 25, - '255.255.255.192' => 26, - '255.255.255.224' => 27, - '255.255.255.240' => 28, - '255.255.255.248' => 29, - '255.255.255.252' => 30, -}; - my $__local_network; sub local_network { @@ -916,13 +935,17 @@ sub local_network { my $mask; if ($isv6) { $mask = $entry->{prefix}; + next if !$mask; # skip the default route... } else { - $mask = $ipv4_mask_hash_localnet->{$entry->{mask}}; + $mask = $PVE::Network::ipv4_mask_hash_localnet->{$entry->{mask}}; next if !defined($mask); } my $cidr = "$entry->{dest}/$mask"; my $testnet = Net::IP->new($cidr); - if ($testnet->overlaps($testip) == $Net::IP::IP_B_IN_A_OVERLAP) { + my $overlap = $testnet->overlaps($testip); + if ($overlap == $Net::IP::IP_B_IN_A_OVERLAP || + $overlap == $Net::IP::IP_IDENTICAL) + { $__local_network = $cidr; return; } @@ -977,7 +1000,9 @@ sub parse_address_list { my $iprange = 0; my $ipversion; - foreach my $elem (split(/,/, $str)) { + my @elements = split(/,/, $str); + die "extraneous commas in list\n" if $str ne join(',', @elements); + foreach my $elem (@elements) { $count++; my $ip = Net::IP->new($elem); if (!$ip) { @@ -1006,7 +1031,9 @@ sub parse_port_name_number_or_range { my $count = 0; my $icmp_port = 0; - foreach my $item (split(/,/, $str)) { + my @elements = split(/,/, $str); + die "extraneous commas in list\n" if $str ne join(',', @elements); + foreach my $item (@elements) { $count++; if ($item =~ m/^(\d+):(\d+)$/) { my ($port1, $port2) = ($1, $2); @@ -1257,6 +1284,7 @@ my $rule_properties = { }, digest => get_standard_option('pve-config-digest'), type => { + description => "Rule type.", type => 'string', optional => 1, enum => ['in', 'out', 'group'], @@ -1270,6 +1298,7 @@ my $rule_properties = { minLength => 2, }, macro => { + description => "Use predefined standard macro.", type => 'string', optional => 1, maxLength => 128, @@ -1294,6 +1323,7 @@ my $rule_properties = { optional => 1, }, enable => { + description => "Flag to enable/disable a rule.", type => 'integer', minimum => 0, optional => 1, @@ -1309,6 +1339,7 @@ my $rule_properties = { optional => 1, }, comment => { + description => "Descriptive comment.", type => 'string', optional => 1, }, @@ -1511,15 +1542,22 @@ sub verify_rule { if ($rule->{dport}) { eval { parse_port_name_number_or_range($rule->{dport}, 1); }; &$add_error('dport', $@) if $@; + my $proto = $rule->{proto}; &$add_error('proto', "missing property - 'dport' requires this property") - if !$rule->{proto}; + if !$proto; + &$add_error('dport', "protocol '$proto' does not support ports") + if !$PROTOCOLS_WITH_PORTS->{$proto} && + $proto ne 'icmp' && $proto ne 'icmpv6'; # special cases } if ($rule->{sport}) { eval { parse_port_name_number_or_range($rule->{sport}, 0); }; &$add_error('sport', $@) if $@; + my $proto = $rule->{proto}; &$add_error('proto', "missing property - 'sport' requires this property") - if !$rule->{proto}; + if !$proto; + &$add_error('sport', "protocol '$proto' does not support ports") + if !$PROTOCOLS_WITH_PORTS->{$proto}; } if ($rule->{source}) { @@ -1633,8 +1671,6 @@ sub enable_bridge_firewall { $bridge_firewall_enabled = 1; } -my $rule_format = "%-15s %-30s %-30s %-15s %-15s %-15s\n"; - sub iptables_restore_cmdlist { my ($cmdlist) = @_; @@ -1763,12 +1799,14 @@ sub ipset_get_chains { return $res; } -sub ruleset_generate_cmdstr { +sub ruleset_generate_match { my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_; return if defined($rule->{enable}) && !$rule->{enable}; return if $rule->{errors}; + return $rule->{match} if defined $rule->{match}; + die "unable to emit macro - internal error" if $rule->{macro}; # should not happen my $nbdport = defined($rule->{dport}) ? parse_port_name_number_or_range($rule->{dport}, 1) : 0; @@ -1840,8 +1878,8 @@ sub ruleset_generate_cmdstr { } } - if ($rule->{proto}) { - push @cmd, "-p $rule->{proto}"; + if (my $proto = $rule->{proto}) { + push @cmd, "-p $proto"; my $multiport = 0; $multiport++ if $nbdport > 1; @@ -1853,16 +1891,18 @@ sub ruleset_generate_cmdstr { if ($multiport == 2) && ($rule->{dport} ne $rule->{sport}); if ($rule->{dport}) { - if ($rule->{proto} && $rule->{proto} eq 'icmp') { + if ($proto eq 'icmp') { # Note: we use dport to store --icmp-type die "unknown icmp-type '$rule->{dport}'\n" if $rule->{dport} !~ /^\d+$/ && !defined($icmp_type_names->{$rule->{dport}}); push @cmd, "-m icmp --icmp-type $rule->{dport}"; - } elsif ($rule->{proto} && $rule->{proto} eq 'icmpv6') { + } elsif ($proto eq 'icmpv6') { # Note: we use dport to store --icmpv6-type die "unknown icmpv6-type '$rule->{dport}'\n" if $rule->{dport} !~ /^\d+$/ && !defined($icmpv6_type_names->{$rule->{dport}}); push @cmd, "-m icmpv6 --icmpv6-type $rule->{dport}"; + } elsif (!$PROTOCOLS_WITH_PORTS->{$proto}) { + die "protocol $proto does not have ports\n"; } else { if ($nbdport > 1) { if ($multiport == 2) { @@ -1877,6 +1917,8 @@ sub ruleset_generate_cmdstr { } if ($rule->{sport}) { + die "protocol $proto does not have ports\n" + if !$PROTOCOLS_WITH_PORTS->{$proto}; if ($nbsport > 1) { push @cmd, "--sports $rule->{sport}" if $multiport != 2; } else { @@ -1890,6 +1932,16 @@ sub ruleset_generate_cmdstr { push @cmd, "-m addrtype --dst-type $rule->{dsttype}" if $rule->{dsttype}; + return scalar(@cmd) ? join(' ', @cmd) : undef; +} + +sub ruleset_generate_action { + my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_; + + return $rule->{target} if defined $rule->{target}; + + my @cmd = (); + if (my $action = $rule->{action}) { $action = $actions->{$action} if defined($actions->{$action}); $goto = 1 if !defined($goto) && $action eq 'PVEFW-SET-ACCEPT-MARK'; @@ -1899,6 +1951,17 @@ sub ruleset_generate_cmdstr { return scalar(@cmd) ? join(' ', @cmd) : undef; } +sub ruleset_generate_cmdstr { + my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_; + my $match = ruleset_generate_match($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf); + my $action = ruleset_generate_action($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf); + + return undef if !(defined($match) or defined($action)); + my $ret = defined($match) ? $match : ""; + $ret = "$ret $action" if defined($action); + return $ret; +} + sub ruleset_generate_rule { my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_; @@ -1912,15 +1975,24 @@ sub ruleset_generate_rule { # update all or nothing - my @cmds = (); + # fixme: lots of temporary ugliness + my @mstrs = (); + my @astrs = (); + my @logging = (); + my @logmsg = (); foreach my $tmp (@$rules) { - if (my $cmdstr = ruleset_generate_cmdstr($ruleset, $chain, $ipversion, $tmp, $actions, $goto, $cluster_conf, $fw_conf)) { - push @cmds, $cmdstr; + my $m = ruleset_generate_match($ruleset, $chain, $ipversion, $tmp, $actions, $goto, $cluster_conf, $fw_conf); + my $a = ruleset_generate_action($ruleset, $chain, $ipversion, $tmp, $actions, $goto, $cluster_conf, $fw_conf); + if (defined $m or defined $a) { + push @mstrs, defined($m) ? $m : ""; + push @astrs, defined($a) ? $a : ""; + push @logging, $tmp->{log}; + push @logmsg, $tmp->{logmsg}; } } - foreach my $cmdstr (@cmds) { - ruleset_addrule($ruleset, $chain, $cmdstr); + for my $i (0 .. $#mstrs) { + ruleset_addrule($ruleset, $chain, $mstrs[$i], $astrs[$i], $logging[$i], $logmsg[$i]); } } @@ -1929,8 +2001,10 @@ sub ruleset_generate_rule_insert { die "implement me" if $rule->{macro}; # not implemented, because not needed so far - if (my $cmdstr = ruleset_generate_cmdstr($ruleset, $chain, $ipversion, $rule, $actions, $goto)) { - ruleset_insertrule($ruleset, $chain, $cmdstr); + my $match = ruleset_generate_match($ruleset, $chain, $ipversion, $rule, $actions, $goto); + my $action = ruleset_generate_action($ruleset, $chain, $ipversion, $rule, $actions, $goto); + if (defined $match && defined $action) { + ruleset_insertrule($ruleset, $chain, $match, $action); } } @@ -1952,46 +2026,37 @@ sub ruleset_chain_exist { } sub ruleset_addrule { - my ($ruleset, $chain, $rule) = @_; + my ($ruleset, $chain, $match, $action, $log, $logmsg, $vmid) = @_; die "no such chain '$chain'\n" if !$ruleset->{$chain}; - push @{$ruleset->{$chain}}, "-A $chain $rule"; + if (defined($log) && $log) { + my $logaction = get_log_rule_base($chain, $vmid, $logmsg, $log); + push @{$ruleset->{$chain}}, "-A $chain $match $logaction"; + } + push @{$ruleset->{$chain}}, "-A $chain $match $action"; } sub ruleset_insertrule { - my ($ruleset, $chain, $rule) = @_; + my ($ruleset, $chain, $match, $action, $log) = @_; die "no such chain '$chain'\n" if !$ruleset->{$chain}; - unshift @{$ruleset->{$chain}}, "-A $chain $rule"; + unshift @{$ruleset->{$chain}}, "-A $chain $match $action"; } sub get_log_rule_base { my ($chain, $vmid, $msg, $loglevel) = @_; - die "internal error - no log level" if !defined($loglevel); - $vmid = 0 if !defined($vmid); + $msg = "" if !defined($msg); # Note: we use special format for prefix to pass further - # info to log daemon (VMID, LOGVELEL and CHAIN) + # info to log daemon (VMID, LOGLEVEL and CHAIN) return "-j NFLOG --nflog-prefix \":$vmid:$loglevel:$chain: $msg\""; } -sub ruleset_addlog { - my ($ruleset, $chain, $vmid, $msg, $loglevel, $rule) = @_; - - return if !defined($loglevel); - - my $logrule = get_log_rule_base($chain, $vmid, $msg, $loglevel); - - $logrule = "$rule $logrule" if defined($rule); - - ruleset_addrule($ruleset, $chain, $logrule); -} - sub ruleset_add_chain_policy { my ($ruleset, $chain, $ipversion, $vmid, $policy, $loglevel, $accept_action) = @_; @@ -2002,17 +2067,13 @@ sub ruleset_add_chain_policy { } elsif ($policy eq 'DROP') { - ruleset_addrule($ruleset, $chain, "-j PVEFW-Drop"); + ruleset_addrule($ruleset, $chain, "", "-j PVEFW-Drop"); - ruleset_addlog($ruleset, $chain, $vmid, "policy $policy: ", $loglevel); - - ruleset_addrule($ruleset, $chain, "-j DROP"); + ruleset_addrule($ruleset, $chain, "", "-j DROP", $loglevel, "policy $policy: ", $vmid); } elsif ($policy eq 'REJECT') { - ruleset_addrule($ruleset, $chain, "-j PVEFW-Reject"); - - ruleset_addlog($ruleset, $chain, $vmid, "policy $policy: ", $loglevel); + ruleset_addrule($ruleset, $chain, "", "-j PVEFW-Reject"); - ruleset_addrule($ruleset, $chain, "-g PVEFW-reject"); + ruleset_addrule($ruleset, $chain, "", "-g PVEFW-reject", $loglevel, "policy $policy:", $vmid); } else { # should not happen die "internal error: unknown policy '$policy'"; @@ -2023,19 +2084,19 @@ sub ruleset_chain_add_ndp { my ($ruleset, $chain, $ipversion, $options, $direction, $accept) = @_; return if $ipversion != 6 || (defined($options->{ndp}) && !$options->{ndp}); - ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type router-solicitation $accept"); + ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type router-solicitation", $accept); if ($direction ne 'OUT' || $options->{radv}) { - ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type router-advertisement $accept"); + ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type router-advertisement", $accept); } - ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type neighbor-solicitation $accept"); - ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type neighbor-advertisement $accept"); + ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type neighbor-solicitation", $accept); + ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type neighbor-advertisement", $accept); } sub ruleset_chain_add_conn_filters { my ($ruleset, $chain, $accept) = @_; - ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP"); - ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j $accept"); + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID", "-j DROP"); + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED", "-j $accept"); } sub ruleset_chain_add_input_filters { @@ -2044,21 +2105,20 @@ sub ruleset_chain_add_input_filters { if ($cluster_conf->{ipset}->{blacklist}){ if (!ruleset_chain_exist($ruleset, "PVEFW-blacklist")) { ruleset_create_chain($ruleset, "PVEFW-blacklist"); - ruleset_addlog($ruleset, "PVEFW-blacklist", 0, "DROP: ", $loglevel) if $loglevel; - ruleset_addrule($ruleset, "PVEFW-blacklist", "-j DROP"); + ruleset_addrule($ruleset, "PVEFW-blacklist", "", "-j DROP", $loglevel, "DROP: "); } my $ipset_chain = compute_ipset_chain_name(0, 'blacklist', $ipversion); - ruleset_addrule($ruleset, $chain, "-m set --match-set ${ipset_chain} src -j PVEFW-blacklist"); + ruleset_addrule($ruleset, $chain, "-m set --match-set ${ipset_chain} src", "-j PVEFW-blacklist"); } if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) { if ($ipversion == 4) { - ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs"); + ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW", "-j PVEFW-smurfs"); } } if ($options->{tcpflags}) { - ruleset_addrule($ruleset, $chain, "-p tcp -j PVEFW-tcpflags"); + ruleset_addrule($ruleset, $chain, "-p tcp", "-j PVEFW-tcpflags"); } } @@ -2095,15 +2155,15 @@ sub ruleset_create_vm_chain { if ($direction eq 'OUT') { if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) { - ruleset_addrule($ruleset, $chain, "-m mac ! --mac-source $macaddr -j DROP"); + ruleset_addrule($ruleset, $chain, "-m mac ! --mac-source $macaddr", "-j DROP"); } if ($ipversion == 6 && !$options->{radv}) { - ruleset_addrule($ruleset, $chain, '-p icmpv6 --icmpv6-type router-advertisement -j DROP'); + ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type router-advertisement", "-j DROP"); } if ($ipfilter_ipset) { - ruleset_addrule($ruleset, $chain, "-m set ! --match-set $ipfilter_ipset src -j DROP"); + ruleset_addrule($ruleset, $chain, "-m set ! --match-set $ipfilter_ipset src", "-j DROP"); } - ruleset_addrule($ruleset, $chain, "-j MARK --set-mark $FWACCEPTMARK_OFF"); # clear mark + ruleset_addrule($ruleset, $chain, "", "-j MARK --set-mark $FWACCEPTMARK_OFF"); # clear mark } my $accept_action = $direction eq 'OUT' ? '-g PVEFW-SET-ACCEPT-MARK' : "-j $accept"; @@ -2120,14 +2180,14 @@ sub ruleset_add_group_rule { } if ($direction eq 'OUT' && $rule->{iface_out}) { - ruleset_addrule($ruleset, $chain, "-o $rule->{iface_out} -j $group_chain"); + ruleset_addrule($ruleset, $chain, "-o $rule->{iface_out}", "-j $group_chain"); } elsif ($direction eq 'IN' && $rule->{iface_in}) { - ruleset_addrule($ruleset, $chain, "-i $rule->{iface_in} -j $group_chain"); + ruleset_addrule($ruleset, $chain, "-i $rule->{iface_in}", "-j $group_chain"); } else { - ruleset_addrule($ruleset, $chain, "-j $group_chain"); + ruleset_addrule($ruleset, $chain, "", "-j $group_chain"); } - ruleset_addrule($ruleset, $chain, "-m mark --mark $FWACCEPTMARK_ON -j $action"); + ruleset_addrule($ruleset, $chain, "-m mark --mark $FWACCEPTMARK_ON", "-j $action"); } sub ruleset_generate_vm_rules { @@ -2192,7 +2252,7 @@ sub ruleset_generate_vm_ipsrules { ruleset_create_chain($ruleset, "PVEFW-IPS"); } - ruleset_addrule($ruleset, "PVEFW-IPS", "-m physdev --physdev-out $iface --physdev-is-bridged -j $nfqueue"); + ruleset_addrule($ruleset, "PVEFW-IPS", "-m physdev --physdev-out $iface --physdev-is-bridged", "-j $nfqueue"); } } @@ -2240,10 +2300,10 @@ sub generate_tap_rules_direction { # plug the tap chain to bridge chain if ($direction eq 'IN') { ruleset_addrule($ruleset, "PVEFW-FWBR-IN", - "-m physdev --physdev-is-bridged --physdev-out $iface -j $tapchain"); + "-m physdev --physdev-is-bridged --physdev-out $iface", "-j $tapchain"); } else { ruleset_addrule($ruleset, "PVEFW-FWBR-OUT", - "-m physdev --physdev-is-bridged --physdev-in $iface -j $tapchain"); + "-m physdev --physdev-is-bridged --physdev-in $iface", "-j $tapchain"); } } @@ -2261,7 +2321,7 @@ sub enable_host_firewall { my $loglevel = get_option_log_level($options, "log_level_in"); - ruleset_addrule($ruleset, $chain, "-i lo -j ACCEPT"); + ruleset_addrule($ruleset, $chain, "-i lo", "-j ACCEPT"); ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT'); ruleset_chain_add_ndp($ruleset, $chain, $ipversion, $options, 'IN', '-j RETURN'); @@ -2270,7 +2330,7 @@ sub enable_host_firewall { # we use RETURN because we need to check also tap rules my $accept_action = 'RETURN'; - ruleset_addrule($ruleset, $chain, "-p igmp -j $accept_action"); # important for multicast + ruleset_addrule($ruleset, $chain, "-p igmp", "-j $accept_action"); # important for multicast # add host rules first, so that cluster wide rules can be overwritten foreach my $rule (@$rules, @$cluster_rules) { @@ -2295,19 +2355,19 @@ sub enable_host_firewall { # allow standard traffic for management ipset (includes cluster network) my $mngmnt_ipset_chain = compute_ipset_chain_name(0, "management", $ipversion); my $mngmntsrc = "-m set --match-set ${mngmnt_ipset_chain} src"; - ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 8006 -j $accept_action"); # PVE API - ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 5900:5999 -j $accept_action"); # PVE VNC Console - ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 3128 -j $accept_action"); # SPICE Proxy - ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 22 -j $accept_action"); # SSH + ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 8006", "-j $accept_action"); # PVE API + ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 5900:5999", "-j $accept_action"); # PVE VNC Console + ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 3128", "-j $accept_action"); # SPICE Proxy + ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 22", "-j $accept_action"); # SSH my $localnet = $cluster_conf->{aliases}->{local_network}->{cidr}; my $localnet_ver = $cluster_conf->{aliases}->{local_network}->{ipversion}; # corosync if ($localnet && ($ipversion == $localnet_ver)) { - my $corosync_rule = "-p udp --dport 5404:5405 -j $accept_action"; - ruleset_addrule($ruleset, $chain, "-s $localnet -d $localnet $corosync_rule"); - ruleset_addrule($ruleset, $chain, "-s $localnet -m addrtype --dst-type MULTICAST $corosync_rule"); + my $corosync_rule = "-p udp --dport 5404:5405"; + ruleset_addrule($ruleset, $chain, "-s $localnet -d $localnet $corosync_rule", "-j $accept_action"); + ruleset_addrule($ruleset, $chain, "-s $localnet -m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action"); } # implement input policy @@ -2320,7 +2380,7 @@ sub enable_host_firewall { $loglevel = get_option_log_level($options, "log_level_out"); - ruleset_addrule($ruleset, $chain, "-o lo -j ACCEPT"); + ruleset_addrule($ruleset, $chain, "-o lo", "-j ACCEPT"); ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT'); @@ -2328,7 +2388,7 @@ sub enable_host_firewall { $accept_action = 'RETURN'; ruleset_chain_add_ndp($ruleset, $chain, $ipversion, $options, 'OUT', "-j $accept_action"); - ruleset_addrule($ruleset, $chain, "-p igmp -j $accept_action"); # important for multicast + ruleset_addrule($ruleset, $chain, "-p igmp", "-j $accept_action"); # important for multicast # add host rules first, so that cluster wide rules can be overwritten foreach my $rule (@$rules, @$cluster_rules) { @@ -2351,22 +2411,22 @@ sub enable_host_firewall { # allow standard traffic on cluster network if ($localnet && ($ipversion == $localnet_ver)) { - ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 8006 -j $accept_action"); # PVE API - ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 22 -j $accept_action"); # SSH - ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 5900:5999 -j $accept_action"); # PVE VNC Console - ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 3128 -j $accept_action"); # SPICE Proxy + ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 8006", "-j $accept_action"); # PVE API + ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 22", "-j $accept_action"); # SSH + ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 5900:5999", "-j $accept_action"); # PVE VNC Console + ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 3128", "-j $accept_action"); # SPICE Proxy - my $corosync_rule = "-p udp --dport 5404:5405 -j $accept_action"; - ruleset_addrule($ruleset, $chain, "-d $localnet $corosync_rule"); - ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule"); + my $corosync_rule = "-p udp --dport 5404:5405"; + ruleset_addrule($ruleset, $chain, "-d $localnet $corosync_rule", "-j $accept_action"); + ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action"); } # implement output policy $policy = $cluster_options->{policy_out} || 'ACCEPT'; # allow everything by default ruleset_add_chain_policy($ruleset, $chain, $ipversion, 0, $policy, $loglevel, $accept_action); - ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT"); - ruleset_addrule($ruleset, "PVEFW-INPUT", "-j PVEFW-HOST-IN"); + ruleset_addrule($ruleset, "PVEFW-OUTPUT", "", "-j PVEFW-HOST-OUT"); + ruleset_addrule($ruleset, "PVEFW-INPUT", "", "-j PVEFW-HOST-IN"); } sub generate_group_rules { @@ -2382,7 +2442,7 @@ sub generate_group_rules { my $chain = "GROUP-${group}-IN"; ruleset_create_chain($ruleset, $chain); - ruleset_addrule($ruleset, $chain, "-j MARK --set-mark $FWACCEPTMARK_OFF"); # clear mark + ruleset_addrule($ruleset, $chain, "", "-j MARK --set-mark $FWACCEPTMARK_OFF"); # clear mark foreach my $rule (@$rules) { next if $rule->{type} ne 'in'; @@ -2395,7 +2455,7 @@ sub generate_group_rules { $chain = "GROUP-${group}-OUT"; ruleset_create_chain($ruleset, $chain); - ruleset_addrule($ruleset, $chain, "-j MARK --set-mark $FWACCEPTMARK_OFF"); # clear mark + ruleset_addrule($ruleset, $chain, "", "-j MARK --set-mark $FWACCEPTMARK_OFF"); # clear mark foreach my $rule (@$rules) { next if $rule->{type} ne 'out'; @@ -2488,10 +2548,14 @@ sub parse_fw_rule { die "unable to parse rule parameters: $line\n" if length($line); $rule = verify_rule($rule, $cluster_conf, $fw_conf, $rule_env, 1); - if ($verbose && $rule->{errors}) { - warn "$prefix - errors in rule parameters: $orig_line\n"; + if ($rule->{errors}) { + # The verbose flag really means we're running from the CLI and want + # output on the console - in the other case we really want such errors + # to go into the syslog instead. + my $log = $verbose ? sub { warn @_ } : sub { syslog(err => @_) }; + $log->("$prefix - errors in rule parameters: $orig_line\n"); foreach my $p (keys %{$rule->{errors}}) { - warn " $p: $rule->{errors}->{$p}\n"; + $log->(" $p: $rule->{errors}->{$p}\n"); } } @@ -2759,6 +2823,10 @@ sub generic_fw_config_parser { $errors->{cidr} = $err; } + if ($cidr =~ m!/0+$!) { + $errors->{cidr} = "a zero prefix is not allowed in ipset entries\n"; + } + my $entry = { cidr => $cidr }; $entry->{nomatch} = 1 if $nomatch; $entry->{comment} = $comment if $comment; @@ -3083,26 +3151,21 @@ sub generate_std_chains { my $std_chains = $pve_std_chains->{$ipversion} || die "internal error"; my $loglevel = get_option_log_level($options, 'smurf_log_level'); - - my $chain; - - if ($ipversion == 4) { - # same as shorewall smurflog. - $chain = 'PVEFW-smurflog'; - $std_chains->{$chain} = []; - - push @{$std_chains->{$chain}}, get_log_rule_base($chain, 0, "DROP: ", $loglevel) if $loglevel; - push @{$std_chains->{$chain}}, "-j DROP"; + my $chain = 'PVEFW-smurflog'; + if ( $std_chains->{$chain} ) { + foreach my $r (@{$std_chains->{$chain}}) { + $r->{log} = $loglevel; + } } # same as shorewall logflags action. $loglevel = get_option_log_level($options, 'tcp_flags_log_level'); $chain = 'PVEFW-logflags'; - $std_chains->{$chain} = []; - - # fixme: is this correctly logged by pvewf-logger? (ther is no --log-ip-options for NFLOG) - push @{$std_chains->{$chain}}, get_log_rule_base($chain, 0, "DROP: ", $loglevel) if $loglevel; - push @{$std_chains->{$chain}}, "-j DROP"; + if ( $std_chains->{$chain} ) { + foreach my $r (@{$std_chains->{$chain}}) { + $r->{log} = $loglevel; + } + } foreach my $chain (keys %$std_chains) { ruleset_create_chain($ruleset, $chain); @@ -3110,7 +3173,7 @@ sub generate_std_chains { if (ref($rule)) { ruleset_generate_rule($ruleset, $chain, $ipversion, $rule); } else { - ruleset_addrule($ruleset, $chain, $rule); + die "rule $rule as string - should not happen"; } } } @@ -3293,6 +3356,9 @@ sub compile { my $vmfw_configs; + # fixme: once we read standard chains from config this needs to be put in test/standard cases below + $pve_std_chains = dclone($pve_std_chains_conf); + if ($vmdata) { # test mode my $testdir = $vmdata->{testdir} || die "no test directory specified"; my $filename = "$testdir/cluster.fw"; @@ -3353,10 +3419,10 @@ sub compile_iptables_filter { ruleset_create_chain($ruleset, "PVEFW-FWBR-IN"); ruleset_chain_add_input_filters($ruleset, "PVEFW-FWBR-IN", $ipversion, $hostfw_options, $cluster_conf, $loglevel); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-in fwln+", "-j PVEFW-FWBR-IN"); ruleset_create_chain($ruleset, "PVEFW-FWBR-OUT"); - ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT"); + ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-out fwln+", "-j PVEFW-FWBR-OUT"); generate_std_chains($ruleset, $hostfw_options, $ipversion); @@ -3368,13 +3434,13 @@ sub compile_iptables_filter { } # generate firewall rules for QEMU VMs - foreach my $vmid (keys %{$vmdata->{qemu}}) { + foreach my $vmid (sort keys %{$vmdata->{qemu}}) { eval { my $conf = $vmdata->{qemu}->{$vmid}; my $vmfw_conf = $vmfw_configs->{$vmid}; return if !$vmfw_conf; - foreach my $netid (keys %$conf) { + foreach my $netid (sort keys %$conf) { next if $netid !~ m/^net(\d+)$/; my $net = PVE::QemuServer::parse_net($conf->{$netid}); next if !$net->{firewall}; @@ -3391,14 +3457,14 @@ sub compile_iptables_filter { } # generate firewall rules for LXC containers - foreach my $vmid (keys %{$vmdata->{lxc}}) { + foreach my $vmid (sort keys %{$vmdata->{lxc}}) { eval { my $conf = $vmdata->{lxc}->{$vmid}; my $vmfw_conf = $vmfw_configs->{$vmid}; return if !$vmfw_conf; if ($vmfw_conf->{options}->{enable}) { - foreach my $netid (keys %$conf) { + foreach my $netid (sort keys %$conf) { next if $netid !~ m/^net(\d+)$/; my $net = PVE::LXC::Config->parse_lxc_network($conf->{$netid}); next if !$net->{firewall}; @@ -3415,7 +3481,7 @@ sub compile_iptables_filter { } if(ruleset_chain_exist($ruleset, "PVEFW-IPS")){ - ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j PVEFW-IPS"); + ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED", "-j PVEFW-IPS"); } return $ruleset;