test if BRIDGEFW-OUT and BRIDGEFW-IN exist
[pve-firewall.git] / PVE / Firewall.pm
CommitLineData
b6360c3f
DM
1package PVE::Firewall;
2
3use warnings;
4use strict;
5use Data::Dumper;
3fa83edf 6use Digest::MD5;
f789653a 7use PVE::Tools;
b6360c3f 8use PVE::QemuServer;
5e1267a5
DM
9use File::Path;
10use IO::File;
ecbea048 11use Net::IP;
06320eb0 12use PVE::Tools qw(run_command lock_file);
ecbea048 13
5e1267a5 14use Data::Dumper;
b6360c3f 15
06320eb0
DM
16my $pve_fw_lock_filename = "/var/lock/pvefw.lck";
17
9aab3127 18my $macros;
3a616aa0 19
a332200b
DM
20# todo: implement some kind of MACROS, like shorewall /usr/share/shorewall/macro.*
21sub get_firewall_macros {
9aab3127
DM
22
23 return $macros if $macros;
24
a332200b
DM
25 #foreach my $path (</usr/share/shorewall/macro.*>) {
26 # if ($path =~ m|/macro\.(\S+)$|) {
27 # $macros->{$1} = 1;
28 # }
29 #}
30
31 $macros = {}; # fixme: implemet me
32
9aab3127
DM
33 return $macros;
34}
35
fcba0beb
DM
36my $etc_services;
37
38sub get_etc_services {
39
40 return $etc_services if $etc_services;
41
42 my $filename = "/etc/services";
43
44 my $fh = IO::File->new($filename, O_RDONLY);
45 if (!$fh) {
46 warn "unable to read '$filename' - $!\n";
47 return {};
48 }
49
50 my $services = {};
51
52 while (my $line = <$fh>) {
53 chomp ($line);
54 next if $line =~m/^#/;
55 next if ($line =~m/^\s*$/);
56
57 if ($line =~ m!^(\S+)\s+(\S+)/(tcp|udp).*$!) {
58 $services->{byid}->{$2}->{name} = $1;
59 $services->{byid}->{$2}->{$3} = 1;
60 $services->{byname}->{$1} = $services->{byid}->{$2};
61 }
62 }
63
64 close($fh);
65
66 $etc_services = $services;
67
3a616aa0 68
fcba0beb
DM
69 return $etc_services;
70}
71
72my $etc_protocols;
73
74sub get_etc_protocols {
75 return $etc_protocols if $etc_protocols;
76
77 my $filename = "/etc/protocols";
78
79 my $fh = IO::File->new($filename, O_RDONLY);
80 if (!$fh) {
81 warn "unable to read '$filename' - $!\n";
82 return {};
83 }
84
85 my $protocols = {};
86
87 while (my $line = <$fh>) {
88 chomp ($line);
89 next if $line =~m/^#/;
90 next if ($line =~m/^\s*$/);
91
92 if ($line =~ m!^(\S+)\s+(\d+)\s+.*$!) {
93 $protocols->{byid}->{$2}->{name} = $1;
94 $protocols->{byname}->{$1} = $protocols->{byid}->{$2};
95 }
96 }
97
98 close($fh);
99
100 $etc_protocols = $protocols;
101
102 return $etc_protocols;
103}
104
ecbea048
DM
105sub parse_address_list {
106 my ($str) = @_;
107
d6de1dc2 108 my $nbaor = 0;
ecbea048
DM
109 foreach my $aor (split(/,/, $str)) {
110 if (!Net::IP->new($aor)) {
111 my $err = Net::IP::Error();
112 die "invalid IP address: $err\n";
d6de1dc2
AD
113 }else{
114 $nbaor++;
ecbea048
DM
115 }
116 }
d6de1dc2 117 return $nbaor;
ecbea048 118}
dddd9413 119
fcba0beb
DM
120sub parse_port_name_number_or_range {
121 my ($str) = @_;
122
123 my $services = PVE::Firewall::get_etc_services();
4cdbb3b7 124 my $nbports = 0;
fcba0beb 125 foreach my $item (split(/,/, $str)) {
4cdbb3b7 126 my $portlist = "";
fcba0beb 127 foreach my $pon (split(':', $item, 2)) {
4cdbb3b7
AD
128 if ($pon =~ m/^\d+$/){
129 die "invalid port '$pon'\n" if $pon < 0 && $pon > 65536;
130 }else{
131 die "invalid port $services->{byname}->{$pon}\n" if !$services->{byname}->{$pon};
132 }
133 $nbports++;
fcba0beb
DM
134 }
135 }
136
4cdbb3b7 137 return ($nbports);
fcba0beb
DM
138}
139
8cebfa6f 140my $rule_format = "%-15s %-30s %-30s %-15s %-15s %-15s\n";
dddd9413 141
3a616aa0
AD
142sub iptables {
143 my ($cmd) = @_;
144
145 run_command("/sbin/iptables $cmd", outfunc => sub {}, errfunc => sub {});
146}
147
b16e818e
DM
148sub iptables_restore_cmdlist {
149 my ($cmdlist) = @_;
3a616aa0 150
3fa83edf 151 run_command("/sbin/iptables-restore -n", input => $cmdlist);
3a616aa0
AD
152}
153
de2a57cd
DM
154sub iptables_get_chains {
155
156 my $res = {};
157
158 # check what chains we want to track
159 my $is_pvefw_chain = sub {
160 my $name = shift;
161
162 return 1 if $name =~ m/^BRIDGEFW-(:?IN|OUT)$/;
163 return 1 if $name =~ m/^proxmoxfw-\S+$/;
164 return 1 if $name =~ m/^tap\d+i\d+-(:?IN|OUT)$/;
b16e818e 165 return 1 if $name =~ m/^vmbr\d+-(:?IN|OUT)$/;
f50656c2 166 return 1 if $name =~ m/^GROUP-(:?[^\s\-]+)-(:?IN|OUT)$/;
1ddbcfaf 167 return 1 if $name =~ m/^host-(:?IN|OUT)$/;
de2a57cd
DM
168
169 return undef;
170 };
171
172 my $table = '';
173
de2a57cd
DM
174 my $parser = sub {
175 my $line = shift;
176
177 return if $line =~ m/^#/;
178 return if $line =~ m/^\s*$/;
179
180 if ($line =~ m/^\*(\S+)$/) {
181 $table = $1;
182 return;
183 }
184
185 return if $table ne 'filter';
186
187 if ($line =~ m/^:(\S+)\s/) {
188 my $chain = $1;
189 return if !&$is_pvefw_chain($chain);
3fa83edf
DM
190 $res->{$chain} = "unknown";
191 } elsif ($line =~ m/^-A\s+(\S+)\s.*--log-prefix\s+\"PVESIG:(\S+)\"/) {
192 my ($chain, $sig) = ($1, $2);
de2a57cd 193 return if !&$is_pvefw_chain($chain);
3fa83edf 194 $res->{$chain} = $sig;
de2a57cd
DM
195 } else {
196 # simply ignore the rest
197 return;
198 }
199 };
200
201 run_command("/sbin/iptables-save", outfunc => $parser);
202
de2a57cd
DM
203 return $res;
204}
205
3a616aa0
AD
206sub iptables_chain_exist {
207 my ($chain) = @_;
208
209 eval{
210 iptables("-n --list $chain");
211 };
212 return undef if $@;
213
214 return 1;
215}
216
217sub iptables_rule_exist {
218 my ($rule) = @_;
219
220 eval{
221 iptables("-C $rule");
222 };
223 return undef if $@;
224
225 return 1;
226}
227
3fa83edf
DM
228sub ruleset_generate_rule {
229 my ($ruleset, $chain, $rule) = @_;
3a616aa0 230
3fa83edf 231 my $cmd = '';
3a616aa0 232
d6de1dc2 233 $cmd .= " -m iprange --src-range" if $rule->{nbsource} && $rule->{nbsource} > 1;
3a616aa0 234 $cmd .= " -s $rule->{source}" if $rule->{source};
d6de1dc2 235 $cmd .= " -m iprange --dst-range" if $rule->{nbdest} && $rule->{nbdest} > 1;
3a616aa0
AD
236 $cmd .= " -d $rule->{dest}" if $rule->{destination};
237 $cmd .= " -p $rule->{proto}" if $rule->{proto};
4cdbb3b7 238 $cmd .= " --match multiport" if $rule->{nbdport} && $rule->{nbdport} > 1;
3a616aa0 239 $cmd .= " --dport $rule->{dport}" if $rule->{dport};
4cdbb3b7 240 $cmd .= " --match multiport" if $rule->{nbsport} && $rule->{nbsport} > 1;
3a616aa0
AD
241 $cmd .= " --sport $rule->{sport}" if $rule->{sport};
242 $cmd .= " -j $rule->{action}" if $rule->{action};
243
3fa83edf
DM
244 ruleset_addrule($ruleset, $chain, $cmd) if $cmd;
245}
246
247sub ruleset_create_chain {
248 my ($ruleset, $chain) = @_;
3a616aa0 249
3fa83edf
DM
250 die "chain '$chain' already exists\n" if $ruleset->{$chain};
251
252 $ruleset->{$chain} = [];
3a616aa0
AD
253}
254
3fa83edf
DM
255sub ruleset_chain_exist {
256 my ($ruleset, $chain) = @_;
3a616aa0 257
3fa83edf
DM
258 return $ruleset->{$chain} ? 1 : undef;
259}
3a616aa0 260
3fa83edf
DM
261sub ruleset_addrule {
262 my ($ruleset, $chain, $rule) = @_;
3a616aa0 263
3fa83edf 264 die "no such chain '$chain'\n" if !$ruleset->{$chain};
3a616aa0 265
3fa83edf
DM
266 push @{$ruleset->{$chain}}, "-A $chain $rule";
267}
3a616aa0 268
3fa83edf
DM
269sub ruleset_insertrule {
270 my ($ruleset, $chain, $rule) = @_;
3a616aa0 271
3fa83edf 272 die "no such chain '$chain'\n" if !$ruleset->{$chain};
3a616aa0 273
3fa83edf
DM
274 unshift @{$ruleset->{$chain}}, "-A $chain $rule";
275}
3a616aa0 276
3fa83edf
DM
277sub generate_bridge_chains {
278 my ($ruleset, $bridge) = @_;
3a616aa0 279
d4d0fd1d
AD
280 if (!ruleset_chain_exist($ruleset, "BRIDGEFW-IN")){
281 ruleset_create_chain($ruleset, "BRIDGEFW-IN");
282 }
283
284 if (!ruleset_chain_exist($ruleset, "BRIDGEFW-OUT")){
285 ruleset_create_chain($ruleset, "BRIDGEFW-OUT");
286 }
3fa83edf
DM
287
288 if (!ruleset_chain_exist($ruleset, "proxmoxfw-FORWARD")){
289 ruleset_create_chain($ruleset, "proxmoxfw-FORWARD");
290
291 ruleset_addrule($ruleset, "proxmoxfw-FORWARD", "-m state --state RELATED,ESTABLISHED -j ACCEPT");
292 ruleset_addrule($ruleset, "proxmoxfw-FORWARD", "-m physdev --physdev-is-in --physdev-is-bridged -j BRIDGEFW-OUT");
293 ruleset_addrule($ruleset, "proxmoxfw-FORWARD", "-m physdev --physdev-is-out --physdev-is-bridged -j BRIDGEFW-IN");
3a616aa0
AD
294 }
295
3fa83edf
DM
296 if (!ruleset_chain_exist($ruleset, "$bridge-IN")) {
297 ruleset_create_chain($ruleset, "$bridge-IN");
298 ruleset_addrule($ruleset, "proxmoxfw-FORWARD", "-i $bridge -j DROP"); # disable interbridge routing
299 ruleset_addrule($ruleset, "BRIDGEFW-IN", "-j $bridge-IN");
300 ruleset_addrule($ruleset, "$bridge-IN", "-j ACCEPT");
301 }
3a616aa0 302
3fa83edf
DM
303 if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) {
304 ruleset_create_chain($ruleset, "$bridge-OUT");
305 ruleset_addrule($ruleset, "proxmoxfw-FORWARD", "-o $bridge -j DROP"); # disable interbridge routing
306 ruleset_addrule($ruleset, "BRIDGEFW-OUT", "-j $bridge-OUT");
307 }
308}
3a616aa0
AD
309
310sub generate_tap_rules_direction {
3fa83edf 311 my ($ruleset, $iface, $netid, $rules, $bridge, $direction) = @_;
3a616aa0
AD
312
313 my $tapchain = "$iface-$direction";
314
3fa83edf 315 ruleset_create_chain($ruleset, $tapchain);
3a616aa0 316
3fa83edf
DM
317 ruleset_addrule($ruleset, $tapchain, "-m state --state INVALID -j DROP");
318 ruleset_addrule($ruleset, $tapchain, "-m state --state RELATED,ESTABLISHED -j ACCEPT");
3a616aa0 319
3fa83edf 320 if ($rules) {
3a616aa0
AD
321 foreach my $rule (@$rules) {
322 next if $rule->{iface} && $rule->{iface} ne $netid;
323 if($rule->{action} =~ m/^(GROUP-(\S+))$/){
3fa83edf
DM
324 $rule->{action} .= "-$direction";
325 # generate empty group rule if don't exist
326 if(!ruleset_chain_exist($ruleset, $rule->{action})){
327 generate_group_rules($ruleset, $2);
328 }
3a616aa0 329 }
3fa83edf 330 # we go to vmbr-IN if accept in out rules
3a616aa0 331 $rule->{action} = "$bridge-IN" if $rule->{action} eq 'ACCEPT' && $direction eq 'OUT';
3fa83edf 332 ruleset_generate_rule($ruleset, $tapchain, $rule);
3a616aa0
AD
333 }
334 }
335
3fa83edf
DM
336 ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-dropped: \" --log-level 4");
337 ruleset_addrule($ruleset, $tapchain, "-j DROP");
3a616aa0 338
3fa83edf
DM
339 # plug the tap chain to bridge chain
340 my $physdevdirection = $direction eq 'IN' ? "out" : "in";
341 my $rule = "-m physdev --physdev-$physdevdirection $iface --physdev-is-bridged -j $tapchain";
342 ruleset_insertrule($ruleset, "$bridge-$direction", $rule);
3a616aa0 343
3fa83edf
DM
344 if ($direction eq 'OUT'){
345 # add tap->host rules
346 my $rule = "-m physdev --physdev-$physdevdirection $iface -j $tapchain";
347 ruleset_addrule($ruleset, "proxmoxfw-INPUT", $rule);
3a616aa0
AD
348 }
349}
350
0bd5f137 351sub enablehostfw {
3fa83edf 352 my ($ruleset) = @_;
0bd5f137
AD
353
354 my $filename = "/etc/pve/local/host.fw";
355 my $fh = IO::File->new($filename, O_RDONLY);
356 return if !$fh;
357
358 my $rules = parse_fw_rules($filename, $fh);
0bd5f137 359
3fa83edf
DM
360 # host inbound firewall
361 ruleset_create_chain($ruleset, "host-IN");
0bd5f137 362
3fa83edf
DM
363 ruleset_addrule($ruleset, "host-IN", "-m state --state INVALID -j DROP");
364 ruleset_addrule($ruleset, "host-IN", "-m state --state RELATED,ESTABLISHED -j ACCEPT");
365 ruleset_addrule($ruleset, "host-IN", "-i lo -j ACCEPT");
366 ruleset_addrule($ruleset, "host-IN", "-m addrtype --dst-type MULTICAST -j ACCEPT");
367 ruleset_addrule($ruleset, "host-IN", "-p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT");
368 ruleset_addrule($ruleset, "host-IN", "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
0bd5f137 369
3fa83edf
DM
370 if ($rules->{in}) {
371 foreach my $rule (@{$rules->{in}}) {
372 # we use RETURN because we need to check also tap rules
373 $rule->{action} = 'RETURN' if $rule->{action} eq 'ACCEPT';
374 ruleset_generate_rule($ruleset, "host-IN", $rule);
375 }
0bd5f137
AD
376 }
377
3fa83edf
DM
378 ruleset_addrule($ruleset, "host-IN", "-j LOG --log-prefix \"kvmhost-IN dropped: \" --log-level 4");
379 ruleset_addrule($ruleset, "host-IN", "-j DROP");
0bd5f137 380
3fa83edf
DM
381 # host outbound firewall
382 ruleset_create_chain($ruleset, "host-OUT");
383 ruleset_addrule($ruleset, "host-OUT", "-m state --state INVALID -j DROP");
384 ruleset_addrule($ruleset, "host-OUT", "-m state --state RELATED,ESTABLISHED -j ACCEPT");
385 ruleset_addrule($ruleset, "host-OUT", "-o lo -j ACCEPT");
386 ruleset_addrule($ruleset, "host-OUT", "-m addrtype --dst-type MULTICAST -j ACCEPT");
387 ruleset_addrule($ruleset, "host-OUT", "-p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT");
388 ruleset_addrule($ruleset, "host-OUT", "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
0bd5f137 389
3fa83edf
DM
390 if ($rules->{out}) {
391 foreach my $rule (@{$rules->{out}}) {
392 # we use RETURN because we need to check also tap rules
393 $rule->{action} = 'RETURN' if $rule->{action} eq 'ACCEPT';
394 ruleset_generate_rule($ruleset, "host-OUT", $rule);
395 }
0bd5f137
AD
396 }
397
3fa83edf
DM
398 ruleset_addrule($ruleset, "host-OUT", "-j LOG --log-prefix \"kvmhost-OUT dropped: \" --log-level 4");
399 ruleset_addrule($ruleset, "host-OUT", "-j DROP");
9d31b418 400
3fa83edf
DM
401 ruleset_addrule($ruleset, "proxmoxfw-OUTPUT", "-j host-OUT");
402 ruleset_addrule($ruleset, "proxmoxfw-INPUT", "-j host-IN");
9d31b418
AD
403}
404
405sub generate_group_rules {
3fa83edf 406 my ($ruleset, $group) = @_;
9d31b418
AD
407
408 my $filename = "/etc/pve/firewall/groups.fw";
409 my $fh = IO::File->new($filename, O_RDONLY);
410 return if !$fh;
411
412 my $rules = parse_fw_rules($filename, $fh, $group);
9d31b418 413
3fa83edf 414 my $chain = "GROUP-${group}-IN";
9d31b418 415
3fa83edf 416 ruleset_create_chain($ruleset, $chain);
9d31b418 417
3fa83edf
DM
418 if ($rules->{in}) {
419 foreach my $rule (@{$rules->{in}}) {
420 ruleset_generate_rule($ruleset, $chain, $rule);
9d31b418
AD
421 }
422 }
423
3fa83edf 424 $chain = "GROUP-${group}-OUT";
9d31b418 425
3fa83edf 426 ruleset_create_chain($ruleset, $chain);
9d31b418 427
3fa83edf
DM
428 if ($rules->{out}) {
429 foreach my $rule (@{$rules->{out}}) {
430 # we go the BRIDGEFW-IN because we need to check also other tap rules
431 # (and group rules can be set on any bridge, so we can't go to VMBRXX-IN)
9d31b418 432 $rule->{action} = 'BRIDGEFW-IN' if $rule->{action} eq 'ACCEPT';
3fa83edf 433 ruleset_generate_rule($rule, $chain, $rule);
9d31b418
AD
434 }
435 }
9d31b418
AD
436}
437
5e1267a5 438sub parse_fw_rules {
9d31b418 439 my ($filename, $fh, $group) = @_;
5e1267a5
DM
440
441 my $section;
9d31b418
AD
442 my $securitygroup;
443 my $securitygroupexist;
5e1267a5
DM
444
445 my $res = { in => [], out => [] };
446
a332200b 447 my $macros = get_firewall_macros();
fcba0beb
DM
448 my $protocols = get_etc_protocols();
449
5e1267a5
DM
450 while (defined(my $line = <$fh>)) {
451 next if $line =~ m/^#/;
452 next if $line =~ m/^\s*$/;
453
9d31b418 454 if ($line =~ m/^\[(in|out)(:(\S+))?\]\s*$/i) {
5e1267a5 455 $section = lc($1);
9d31b418
AD
456 $securitygroup = lc($3) if $3;
457 $securitygroupexist = 1 if $securitygroup && $securitygroup eq $group;
5e1267a5
DM
458 next;
459 }
460 next if !$section;
9d31b418 461 next if $group && $securitygroup ne $group;
5e1267a5
DM
462
463 my ($action, $iface, $source, $dest, $proto, $dport, $sport) =
464 split(/\s+/, $line);
465
466 if (!$action) {
467 warn "skip incomplete line\n";
468 next;
469 }
470
471 my $service;
3a616aa0 472 if ($action =~ m/^(ACCEPT|DROP|REJECT|GROUP-(\S+))$/) {
5e1267a5
DM
473 # OK
474 } elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) {
475 ($service, $action) = ($1, $2);
476 if (!$macros->{$service}) {
477 warn "unknown service '$service'\n";
478 next;
479 }
480 } else {
481 warn "unknown action '$action'\n";
482 next;
483 }
484
485 $iface = undef if $iface && $iface eq '-';
486 if ($iface && $iface !~ m/^(net0|net1|net2|net3|net4|net5)$/) {
487 warn "unknown interface '$iface'\n";
488 next;
489 }
490
491 $proto = undef if $proto && $proto eq '-';
fcba0beb
DM
492 if ($proto && !(defined($protocols->{byname}->{$proto}) ||
493 defined($protocols->{byid}->{$proto}))) {
5e1267a5
DM
494 warn "unknown protokol '$proto'\n";
495 next;
496 }
497
498 $source = undef if $source && $source eq '-';
5e1267a5 499 $dest = undef if $dest && $dest eq '-';
5e1267a5
DM
500
501 $dport = undef if $dport && $dport eq '-';
502 $sport = undef if $sport && $sport eq '-';
4cdbb3b7
AD
503 my $nbdport = undef;
504 my $nbsport = undef;
d6de1dc2
AD
505 my $nbsource = undef;
506 my $nbdest = undef;
5e1267a5 507
ecbea048 508 eval {
d6de1dc2
AD
509 $nbsource = parse_address_list($source) if $source;
510 $nbdest = parse_address_list($dest) if $dest;
4cdbb3b7
AD
511 $nbdport = parse_port_name_number_or_range($dport) if $dport;
512 $nbsport = parse_port_name_number_or_range($sport) if $sport;
ecbea048
DM
513 };
514 if (my $err = $@) {
515 warn $err;
516 next;
517
518 }
519
520
5e1267a5
DM
521 my $rule = {
522 action => $action,
523 service => $service,
524 iface => $iface,
525 source => $source,
526 dest => $dest,
d6de1dc2
AD
527 nbsource => $nbsource,
528 nbdest => $nbdest,
5e1267a5
DM
529 proto => $proto,
530 dport => $dport,
531 sport => $sport,
4cdbb3b7
AD
532 nbdport => $nbdport,
533 nbsport => $nbsport,
534
5e1267a5
DM
535 };
536
537 push @{$res->{$section}}, $rule;
538 }
539
9d31b418 540 die "security group $group don't exist" if $group && !$securitygroupexist;
5e1267a5
DM
541 return $res;
542}
543
06320eb0
DM
544sub run_locked {
545 my ($code, @param) = @_;
546
547 my $timeout = 10;
548
549 my $res = lock_file($pve_fw_lock_filename, $timeout, $code, @param);
550
551 die $@ if $@;
552
553 return $res;
554}
555
5e1267a5
DM
556sub read_local_vm_config {
557
558 my $openvz = {};
559
560 my $qemu = {};
561
562 my $list = PVE::QemuServer::config_list();
563
564 foreach my $vmid (keys %$list) {
5e1267a5
DM
565 my $cfspath = PVE::QemuServer::cfs_config_path($vmid);
566 if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) {
567 $qemu->{$vmid} = $conf;
568 }
569 }
570
571 my $vmdata = { openvz => $openvz, qemu => $qemu };
572
573 return $vmdata;
574};
575
576sub read_vm_firewall_rules {
577 my ($vmdata) = @_;
578 my $rules = {};
579 foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) {
580 my $filename = "/etc/pve/firewall/$vmid.fw";
581 my $fh = IO::File->new($filename, O_RDONLY);
582 next if !$fh;
583
584 $rules->{$vmid} = parse_fw_rules($filename, $fh);
585 }
586
587 return $rules;
588}
589
590sub compile {
5e1267a5
DM
591 my $vmdata = read_local_vm_config();
592 my $rules = read_vm_firewall_rules($vmdata);
593
3fa83edf
DM
594 #print Dumper($rules);
595
596 my $ruleset = {};
597
598 # setup host firewall rules
599 ruleset_create_chain($ruleset, "proxmoxfw-INPUT");
600 ruleset_create_chain($ruleset, "proxmoxfw-OUTPUT");
601
602 enablehostfw($ruleset);
603
604 # generate firewall rules for QEMU VMs
605 foreach my $vmid (keys %{$vmdata->{qemu}}) {
606 my $conf = $vmdata->{qemu}->{$vmid};
607 next if !$rules->{$vmid};
608
609 foreach my $netid (keys %$conf) {
610 next if $netid !~ m/^net(\d+)$/;
611 my $net = PVE::QemuServer::parse_net($conf->{$netid});
612 next if !$net;
613 my $iface = "tap${vmid}i$1";
5e1267a5 614
3fa83edf
DM
615 my $bridge = $net->{bridge};
616 next if !$bridge; # fixme: ?
617
618 $bridge .= "v$net->{tag}" if $net->{tag};
619
620 generate_bridge_chains($ruleset, $bridge);
621
622 generate_tap_rules_direction($ruleset, $iface, $netid, $rules->{$vmid}->{in}, $bridge, 'IN');
623 generate_tap_rules_direction($ruleset, $iface, $netid, $rules->{$vmid}->{out}, $bridge, 'OUT');
624 }
625 }
3fa83edf
DM
626 return $ruleset;
627}
628
629sub get_ruleset_status {
630 my ($ruleset, $verbose) = @_;
631
632 my $active_chains = iptables_get_chains();
633
634 my $statushash = {};
635
636 foreach my $chain (sort keys %$ruleset) {
637 my $digest = Digest::MD5->new();
638 foreach my $cmd (@{$ruleset->{$chain}}) {
639 $digest->add("$cmd\n");
640 }
641 my $sig = $digest->b64digest;
642 $statushash->{$chain}->{sig} = $sig;
643
644 my $oldsig = $active_chains->{$chain};
645 if (!defined($oldsig)) {
646 $statushash->{$chain}->{action} = 'create';
647 } else {
648 if ($oldsig eq $sig) {
649 $statushash->{$chain}->{action} = 'exists';
650 } else {
651 $statushash->{$chain}->{action} = 'update';
652 }
653 }
654 print "$statushash->{$chain}->{action} $chain ($sig)\n" if $verbose;
655 foreach my $cmd (@{$ruleset->{$chain}}) {
656 print "\t$cmd\n" if $verbose;
657 }
658 }
659
660 foreach my $chain (sort keys %$active_chains) {
661 if (!defined($ruleset->{$chain})) {
662 my $sig = $active_chains->{$chain};
663 $statushash->{$chain}->{action} = 'delete';
664 $statushash->{$chain}->{sig} = $sig;
665 print "delete $chain ($sig)\n" if $verbose;
666 }
667 }
668
669 return $statushash;
670}
671
672sub print_ruleset {
673 my ($ruleset) = @_;
674
675 get_ruleset_status($ruleset, 1);
676}
677
678sub print_sig_rule {
679 my ($chain, $sig) = @_;
680
681 # Note: This rule should never match! We just use this hack to store a SHA1 checksum
682 # used to detect changes
683 return "-A $chain -j LOG --log-prefix \"PVESIG:$sig\" -p tcp -s \"127.128.129.130\" --dport 1\n";
b6360c3f
DM
684}
685
5e1267a5 686sub compile_and_start {
3fa83edf
DM
687 my ($verbose) = @_;
688
689 my $ruleset = compile();
690
691 my $cmdlist = "*filter\n"; # we pass this to iptables-restore;
692
693 my $statushash = get_ruleset_status($ruleset, $verbose);
694
695 # create missing chains first
696 foreach my $chain (sort keys %$ruleset) {
697 my $stat = $statushash->{$chain};
698 die "internal error" if !$stat;
699 next if $stat->{action} ne 'create';
886aba9c 700
3fa83edf
DM
701 $cmdlist .= ":$chain - [0:0]\n";
702 }
703
704 my $rule = "INPUT -j proxmoxfw-INPUT";
705 if (!PVE::Firewall::iptables_rule_exist($rule)) {
706 $cmdlist .= "-A $rule\n";
707 }
708 $rule = "OUTPUT -j proxmoxfw-OUTPUT";
709 if (!PVE::Firewall::iptables_rule_exist($rule)) {
710 $cmdlist .= "-A $rule\n";
711 }
712
713 $rule = "FORWARD -j proxmoxfw-FORWARD";
714 if (!PVE::Firewall::iptables_rule_exist($rule)) {
715 $cmdlist .= "-A $rule\n";
716 }
717
718 foreach my $chain (sort keys %$ruleset) {
719 my $stat = $statushash->{$chain};
720 die "internal error" if !$stat;
721
722 if ($stat->{action} eq 'update' || $stat->{action} eq 'create') {
723 $cmdlist .= "-F $chain\n";
724 foreach my $cmd (@{$ruleset->{$chain}}) {
725 $cmdlist .= "$cmd\n";
726 }
727 $cmdlist .= print_sig_rule($chain, $stat->{sig});
728 } elsif ($stat->{action} eq 'delete') {
729 $cmdlist .= "-F $chain\n";
730 $cmdlist .= "-X $chain\n";
731 } elsif ($stat->{action} eq 'exists') {
732 # do nothing
733 } else {
734 die "internal error - unknown status '$stat->{action}'";
735 }
736 }
737
738 $cmdlist .= "COMMIT\n";
739
740 print $cmdlist if $verbose;
741
742 iptables_restore_cmdlist($cmdlist);
743
744 # test: re-read status and check if everything is up to date
745 $statushash = get_ruleset_status($ruleset);
746
747 my $errors;
748 foreach my $chain (sort keys %$ruleset) {
749 my $stat = $statushash->{$chain};
750 if ($stat->{action} ne 'exists') {
751 warn "unable to update chain '$chain'\n";
752 $errors = 1;
753 }
754 }
b6360c3f 755
3fa83edf 756 die "unable to apply firewall changes\n" if $errors;
b6360c3f
DM
757}
758
b6360c3f 7591;