my $pve_fw_macro_ipversion = {};
my $pve_fw_preferred_macro_names = {};
+my $FWACCEPTMARK_ON = "0x80000000/0x80000000";
+my $FWACCEPTMARK_OFF = "0x00000000/0x80000000";
+
my $pve_std_chains = {};
$pve_std_chains->{4} = {
'PVEFW-SET-ACCEPT-MARK' => [
- "-j MARK --set-mark 1",
+ "-j MARK --set-mark $FWACCEPTMARK_ON",
],
'PVEFW-DropBroadcast' => [
# same as shorewall 'Broadcast'
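Review bot: The two new file-scoped constants `$FWACCEPTMARK_ON` and `$FWACCEPTMARK_OFF` have no comment, so a maintainer who later sees `0x80000000/0x80000000` in a generated ruleset has to reverse-engineer why the accept mark moved from the plain value `1` to a single bit with an explicit mask. I would add above the declarations: `# The accept flag lives in the top bit of the packet mark only; the value/mask form leaves every other bit of the mark untouched (presumably so other users of the mark keep their bits — confirm).` The same constants are substituted into the `--set-mark`, `-m mark --mark` and "clear mark" lines of the later hunks in this file, so one comment here documents all of those sites.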
$pve_std_chains->{6} = {
'PVEFW-SET-ACCEPT-MARK' => [
- "-j MARK --set-mark 1",
+ "-j MARK --set-mark $FWACCEPTMARK_ON",
],
'PVEFW-DropBroadcast' => [
# same as shorewall 'Broadcast'
if ($ipfilter_ipset) {
ruleset_addrule($ruleset, $chain, "-m set ! --match-set $ipfilter_ipset src -j DROP");
}
- ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark
+ ruleset_addrule($ruleset, $chain, "-j MARK --set-mark $FWACCEPTMARK_OFF"); # clear mark
}
my $accept_action = $direction eq 'OUT' ? '-g PVEFW-SET-ACCEPT-MARK' : "-j $accept";
ruleset_addrule($ruleset, $chain, "-j $group_chain");
}
- ruleset_addrule($ruleset, $chain, "-m mark --mark 1 -j $action");
+ ruleset_addrule($ruleset, $chain, "-m mark --mark $FWACCEPTMARK_ON -j $action");
}
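Review bot: The trailing `# clear mark` comment kept on the `--set-mark $FWACCEPTMARK_OFF` line is now misleading: with the `/0x80000000` mask the rule clears only the accept bit and deliberately leaves the rest of the packet mark alone, which is the point of the change. I would reword it to `# clear the accept-mark bit only`; the identical comment sits on the two equivalent lines in the `ruleset_generate_vm_rules` hunk below (the `GROUP-${group}-IN` and `GROUP-${group}-OUT` chains) and should be updated the same way. The enclosing subroutines of both changed lines start outside this hunk.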
sub ruleset_generate_vm_rules {
my $chain = "GROUP-${group}-IN";
ruleset_create_chain($ruleset, $chain);
- ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark
+ ruleset_addrule($ruleset, $chain, "-j MARK --set-mark $FWACCEPTMARK_OFF"); # clear mark
foreach my $rule (@$rules) {
next if $rule->{type} ne 'in';
$chain = "GROUP-${group}-OUT";
ruleset_create_chain($ruleset, $chain);
- ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark
+ ruleset_addrule($ruleset, $chain, "-j MARK --set-mark $FWACCEPTMARK_OFF"); # clear mark
foreach my $rule (@$rules) {
next if $rule->{type} ne 'out';
$valid_netdev_names->{"net$i"} = 1;
}
+sub get_mark_values {
+ my ($value, $mask) = @_;
+ $value = hex($value) if $value =~ /^0x/;
+ $mask = hex($mask) if defined($mask) && $mask =~ /^0x/;
+ $mask = 0xffffffff if !defined($mask);
+ return ($value, $mask);
+}
+
sub parse_fw_rule {
my ($prefix, $line, $cluster_conf, $fw_conf, $rule_env, $verbose) = @_;
my $trace;
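Review bot: `get_mark_values` is a new cross-module helper (the simulator calls it as `PVE::Firewall::get_mark_values`) yet carries no comment stating its contract: the `value[/mask]` split is the caller's job, a `0x`-prefixed string is converted with `hex()` while a decimal string is passed through unchanged, and an absent mask defaults to `0xffffffff`. I would add a header comment above the `sub` saying exactly that and naming the default as "match all 32 bits", since that default is the only place the mark width is assumed. Nothing bounds the width of the hex input — `hex('0x1ffffffff')` is accepted although it cannot fit a 32-bit mark — so a `die` when the result exceeds `0xffffffff` would catch bad rule text early; whether iptables itself rejects such a value I cannot confirm from here. The decimal branch could also be normalised with `$value += 0` so both branches return a number rather than sometimes a string.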
my $debug = 0;
+my $NUMBER_RE = qr/0x[0-9a-fA-F]+|\d+/;
+
sub debug {
my $new_value = shift;
next;
}
- if ($rule =~ s/^-m mark --mark (\d+)\s*//) {
- return undef if !defined($mark) || $mark != $1;
+ if ($rule =~ s@^-m mark --mark ($NUMBER_RE)(?:/($NUMBER_RE))?\s*@@) {
+ my ($value, $mask) = PVE::Firewall::get_mark_values($1, $2);
+ return undef if !defined($mark) || ($mark & $mask) != $value;
next;
}
# final actions
- if ($rule =~ s/^-j MARK --set-mark (\d+)\s*$//) {
- $mark = $1;
+ if ($rule =~ s@^-j MARK --set-mark ($NUMBER_RE)(?:/($NUMBER_RE))?\s*$@@) {
+ my ($value, $mask) = PVE::Firewall::get_mark_values($1, $2);
+ $mark = ($mark & ~$mask) | $value;
return undef;
}
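Review bot: `$mark = ($mark & ~$mask) | $value;` reads `$mark` before it is necessarily defined — the `return undef if !defined($mark) …` guard in the `-m mark --mark` hunk above shows it can be undef at this point — so where the old `$mark = $1` was silent, the new line emits an uninitialized-value warning under `use warnings`. Write it as `$mark = (($mark // 0) & ~$mask) | $value;`. Separately, on 64-bit perls `~$mask` sets bits 32–63, so `$mark & ~$mask` preserves any high bits of `$mark`; this appears harmless because only 32-bit marks are ever stored here, but `(~$mask & 0xffffffff)` makes the intent explicit. The enclosing subroutine starts and ends outside the hunk.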