[pve-firewall.git] / PVE / Firewall.pm

package PVE::Firewall;

use warnings;
use strict;
use Data::Dumper;

use PVE::QemuServer;

# we need complete VM configuration of all VMs (openvz/qemu)
# in vmdata

sub compile {
    my ($vmdata) = @_;

    my $netinfo;

    my $bridges = {};
    my $zoneinfo = {
	fw => { type => 'firewall' },
    };

    foreach my $vmid (keys %{$vmdata->{qemu}}) {
	$netinfo->{$vmid} = {};
	my $conf = $vmdata->{qemu}->{$vmid};
	foreach my $opt (keys %$conf) {
	    next if $opt !~ m/^net(\d+)$/;
	    my $netid = $1;
	    my $net = PVE::QemuServer::parse_net($conf->{$opt});
	    next if !$net;
	    die "implement me" if !$net->{bridge};
	    my $bridge = $net->{bridge};
	    $bridges->{$bridge} = 1;
	    $zoneinfo->{$bridge}->{type} = 'ipv4';
	    $zoneinfo->{$bridge}->{ifaces}->{$bridge} = 1;
	    if (defined($net->{tag})) {
		$bridge = $bridge .= "v$net->{tag}";
		$bridges->{$bridge} = 1;
		$zoneinfo->{$bridge}->{type} = 'ipv4';
		$zoneinfo->{$bridge}->{ifaces}->{$bridge} = 1;
	    }

	    my $zone = $bridge . ($conf->{zone} || "vm$vmid");
	    $net->{zone} = $zone;
	    $zoneinfo->{$zone}->{type} = 'bport';
	    $zoneinfo->{$zone}->{bridge} = $bridge;
	    $zoneinfo->{$zone}->{ifaces}->{"tap${vmid}i${netid}"} = 1;
	    $netinfo->{$vmid}->{$netid} = $net;
	}
    }

    #print Dumper($netinfo);

    # TODO: zone names have length limit, so we need to
    # translate them into shorter names 

    # dump zone file

    print "DUMP: zones\n";
    my $format = "%-15s %-10s %s\n";
    printf($format, '#ZONE', 'TYPE', 'OPTIONS');

    foreach my $z (sort keys %$zoneinfo) {
	printf($format, $z, $zoneinfo->{$z}->{type}, '');
    }

    print "#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE\n";

    print "\n";
    print "DUMP: interfaces\n";

    $format = "%-15s %-20s %-10s %s\n";
    printf($format, '#ZONE', 'INTERFACE', 'BROADCAST', 'OPTIONS');
    foreach my $z (sort keys %$zoneinfo) {
	my $ifaces = $zoneinfo->{$z}->{ifaces};
	foreach my $iface (sort keys %$ifaces) {
	    my $broadcast =  $zoneinfo->{$z}->{type} eq 'ipv4' ? 'detect' : '';
	    my $options =  $bridges->{$iface} ? 'bridge' : '';
	    my $bridge = $zoneinfo->{$z}->{bridge} || '';
	    my $iftxt = $zoneinfo->{$z}->{bridge} ? "$zoneinfo->{$z}->{bridge}:$iface" : $iface;
	    printf($format, $z, $iftxt, $broadcast, $options);
	}
    }

    print "#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE\n";

    print "\n";


}


sub activate {

}


1;
Commit	Line	Data
b6360c3f DM	1	package PVE::Firewall;
	2
	3	use warnings;
	4	use strict;
	5	use Data::Dumper;
	6
	7	use PVE::QemuServer;
	8
	9	# we need complete VM configuration of all VMs (openvz/qemu)
	10	# in vmdata
	11
	12	sub compile {
	13	my ($vmdata) = @_;
	14
	15	my $netinfo;
	16
886aba9c DM	17	my $bridges = {};
	18	my $zoneinfo = {
	19	fw => { type => 'firewall' },
	20	};
	21
b6360c3f DM	22	foreach my $vmid (keys %{$vmdata->{qemu}}) {
	23	$netinfo->{$vmid} = {};
	24	my $conf = $vmdata->{qemu}->{$vmid};
	25	foreach my $opt (keys %$conf) {
	26	next if $opt !~ m/^net(\d+)$/;
886aba9c	27	my $netid = $1;
b6360c3f DM	28	my $net = PVE::QemuServer::parse_net($conf->{$opt});
b6360c3f DM	29	next if !$net;
886aba9c DM	30	die "implement me" if !$net->{bridge};
	31	my $bridge = $net->{bridge};
	32	$bridges->{$bridge} = 1;
	33	$zoneinfo->{$bridge}->{type} = 'ipv4';
	34	$zoneinfo->{$bridge}->{ifaces}->{$bridge} = 1;
	35	if (defined($net->{tag})) {
	36	$bridge = $bridge .= "v$net->{tag}";
	37	$bridges->{$bridge} = 1;
	38	$zoneinfo->{$bridge}->{type} = 'ipv4';
	39	$zoneinfo->{$bridge}->{ifaces}->{$bridge} = 1;
	40	}
	41
	42	my $zone = $bridge . ($conf->{zone} \|\| "vm$vmid");
	43	$net->{zone} = $zone;
	44	$zoneinfo->{$zone}->{type} = 'bport';
	45	$zoneinfo->{$zone}->{bridge} = $bridge;
	46	$zoneinfo->{$zone}->{ifaces}->{"tap${vmid}i${netid}"} = 1;
	47	$netinfo->{$vmid}->{$netid} = $net;
	48	}
	49	}
	50
	51	#print Dumper($netinfo);
	52
	53	# TODO: zone names have length limit, so we need to
	54	# translate them into shorter names
	55
	56	# dump zone file
	57
	58	print "DUMP: zones\n";
	59	my $format = "%-15s %-10s %s\n";
	60	printf($format, '#ZONE', 'TYPE', 'OPTIONS');
	61
	62	foreach my $z (sort keys %$zoneinfo) {
	63	printf($format, $z, $zoneinfo->{$z}->{type}, '');
	64	}
	65
	66	print "#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE\n";
	67
	68	print "\n";
	69	print "DUMP: interfaces\n";
	70
	71	$format = "%-15s %-20s %-10s %s\n";
	72	printf($format, '#ZONE', 'INTERFACE', 'BROADCAST', 'OPTIONS');
	73	foreach my $z (sort keys %$zoneinfo) {
	74	my $ifaces = $zoneinfo->{$z}->{ifaces};
	75	foreach my $iface (sort keys %$ifaces) {
	76	my $broadcast = $zoneinfo->{$z}->{type} eq 'ipv4' ? 'detect' : '';
	77	my $options = $bridges->{$iface} ? 'bridge' : '';
	78	my $bridge = $zoneinfo->{$z}->{bridge} \|\| '';
	79	my $iftxt = $zoneinfo->{$z}->{bridge} ? "$zoneinfo->{$z}->{bridge}:$iface" : $iface;
	80	printf($format, $z, $iftxt, $broadcast, $options);
b6360c3f DM	81	}
	82	}
	83
886aba9c DM	84	print "#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE\n";
	85
	86	print "\n";
	87
b6360c3f DM	88
	89	}
	90
886aba9c	91
b6360c3f DM	92	sub activate {
	93
	94	}
	95
	96
	97	1;