]> git.proxmox.com Git - pve-firewall.git/blame - src/PVE/Firewall.pm
projects / pve-firewall.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
convert string based rule definitions to hashes
[pve-firewall.git] / src / PVE / Firewall.pm
CommitLineData
b6360c3f
DM		 1package PVE::Firewall;
2
3use warnings;
4use strict;
cbb5d6f3 5use POSIX;
b6360c3f 6use Data::Dumper;
09d5f68e 7use Digest::SHA;
6d959e3f 8use Socket qw(AF_INET6 inet_ntop inet_pton);
c8301d63 9use PVE::INotify;
7ca36671 10use PVE::Exception qw(raise raise_param_exc);
e74a87f5 11use PVE::JSONSchema qw(register_standard_option get_standard_option);
c8301d63 12use PVE::Cluster;
5f0a912c 13use PVE::ProcFSTools;
70e524eb 14use PVE::Tools qw($IPV4RE $IPV6RE);
2e1ae6b9 15use PVE::Network;
eedcb564 16use PVE::SafeSyslog;
6b9f68a2 17use File::Basename;
5e1267a5
DM		 18use File::Path;
19use IO::File;
ecbea048 20use Net::IP;
1a301a8d 21use PVE::Tools qw(run_command lock_file dir_glob_foreach);
30c1ae52 22use Encode;
ecbea048 23
63c91681 24my $hostfw_conf_filename = "/etc/pve/local/host.fw";
21053409
DM		 25my $pvefw_conf_dir = "/etc/pve/firewall";
26my $clusterfw_conf_filename = "$pvefw_conf_dir/cluster.fw";
fca39c2c 27
fdefeeab 28# dynamically include PVE::QemuServer and PVE::LXC
d9fee004
DM		 29# to avoid dependency problems
30my $have_qemu_server;
31eval {
32 require PVE::QemuServer;
b5a16dd3 33 require PVE::QemuConfig;
d9fee004
DM		 34 $have_qemu_server = 1;
35};
36
3b4882dc
AG		 37my $have_lxc;
38eval {
39 require PVE::LXC;
40 $have_lxc = 1;
41};
42
43
259db1e6
DM		 44my $pve_fw_status_dir = "/var/lib/pve-firewall";
45
46mkdir $pve_fw_status_dir; # make sure this exists
47
351052d1
DM		 48my $security_group_name_pattern = '[A-Za-z][A-Za-z0-9\-\_]+';
49my $ipset_name_pattern = '[A-Za-z][A-Za-z0-9\-\_]+';
f9792937 50our $ip_alias_pattern = '[A-Za-z][A-Za-z0-9\-\_]+';
351052d1
DM		 51
52my $max_alias_name_length = 64;
53my $max_ipset_name_length = 64;
5c53cde4 54my $max_group_name_length = 18;
351052d1 55
48e3963e
WB		 56my $PROTOCOLS_WITH_PORTS = {
57 udp => 1, 17 => 1,
58 udplite => 1, 136 => 1,
59 tcp => 1, 6 => 1,
60 dccp => 1, 33 => 1,
61 sctp => 1, 132 => 1,
62};
63
ae029a88
DM		 64PVE::JSONSchema::register_format('IPorCIDR', \&pve_verify_ip_or_cidr);
65sub pve_verify_ip_or_cidr {
009ee3ac
DM		 66 my ($cidr, $noerr) = @_;
67
70e524eb 68 if ($cidr =~ m!^(?:$IPV6RE|$IPV4RE)(/(\d+))?$!) {
e34d0e58 69 return $cidr if Net::IP->new($cidr);
7c619bbb
DM		 70 return undef if $noerr;
71 die Net::IP::Error() . "\n";
72 }
73 return undef if $noerr;
74 die "value does not look like a valid IP address or CIDR network\n";
75}
76
ae029a88
DM		 77PVE::JSONSchema::register_format('IPorCIDRorAlias', \&pve_verify_ip_or_cidr_or_alias);
78sub pve_verify_ip_or_cidr_or_alias {
7c619bbb
DM		 79 my ($cidr, $noerr) = @_;
80
81 return if $cidr =~ m/^(?:$ip_alias_pattern)$/;
82
ae029a88 83 return pve_verify_ip_or_cidr($cidr, $noerr);
009ee3ac
DM		 84}
85
e74a87f5
DM		 86PVE::JSONSchema::register_standard_option('ipset-name', {
87 description => "IP set name.",
88 type => 'string',
351052d1 89 pattern => $ipset_name_pattern,
387d0ffc 90 minLength => 2,
351052d1 91 maxLength => $max_ipset_name_length,
387d0ffc
DM		 92});
93
81d574a7
DM		 94PVE::JSONSchema::register_standard_option('pve-fw-alias', {
95 description => "Alias name.",
96 type => 'string',
351052d1 97 pattern => $ip_alias_pattern,
81d574a7 98 minLength => 2,
351052d1 99 maxLength => $max_alias_name_length,
81d574a7
DM		 100});
101
6302c41f
DM		 102PVE::JSONSchema::register_standard_option('pve-fw-loglevel' => {
103 description => "Log level.",
e34d0e58 104 type => 'string',
6302c41f
DM		 105 enum => ['emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug', 'nolog'],
106 optional => 1,
107});
108
387d0ffc
DM		 109PVE::JSONSchema::register_standard_option('pve-security-group-name', {
110 description => "Security Group name.",
111 type => 'string',
44be8ceb 112 pattern => $security_group_name_pattern,
387d0ffc 113 minLength => 2,
351052d1 114 maxLength => $max_group_name_length,
e74a87f5 115});
009ee3ac 116
cbb5d6f3
DM		 117my $feature_ipset_nomatch = 0;
118eval {
119 my (undef, undef, $release) = POSIX::uname();
120 if ($release =~ m/^(\d+)\.(\d+)\.\d+-/) {
121 my ($major, $minor) = ($1, $2);
122 $feature_ipset_nomatch = 1 if ($major > 3) ||
123 ($major == 3 && $minor >= 7);
124 }
125
126};
127
c8301d63
DM		 128my $nodename = PVE::INotify::nodename();
129
06320eb0
DM		 130my $pve_fw_lock_filename = "/var/lock/pvefw.lck";
131
56f313f7 132my $default_log_level = 'nolog'; # avoid logs by default
2d404ffc
DM		 133
134my $log_level_hash = {
135 debug => 7,
136 info => 6,
137 notice => 5,
138 warning => 4,
139 err => 3,
140 crit => 2,
141 alert => 1,
142 emerg => 0,
143};
144
044409e5
TW		 145# %rule
146#
147# name => optional
148# action =>
149# proto =>
150# sport =>
151# dport =>
152# log => optional, loglevel
153# logmsg => optional, logmsg - overwrites default
154# iface_in
155# iface_out
156# match => optional, overwrites generation of match
157# target => optional, overwrites action
158
35d1d6da
DM		 159# we need to overwrite some macros for ipv6
160my $pve_ipv6fw_macros = {
161 'Ping' => [
162 { action => 'PARAM', proto => 'icmpv6', dport => 'echo-request' },
163 ],
b3d75afb
WB		 164 'NeighborDiscovery' => [
165 "IPv6 neighbor solicitation, neighbor and router advertisement",
c71cdd44 166 { action => 'PARAM', proto => 'icmpv6', dport => 'router-solicitation' },
b3d75afb
WB		 167 { action => 'PARAM', proto => 'icmpv6', dport => 'router-advertisement' },
168 { action => 'PARAM', proto => 'icmpv6', dport => 'neighbor-solicitation' },
169 { action => 'PARAM', proto => 'icmpv6', dport => 'neighbor-advertisement' },
170 ],
a42e9763 171 'DHCPv6' => [
24dd51c2 172 "DHCPv6 traffic",
a42e9763
WB		 173 { action => 'PARAM', proto => 'udp', dport => '546:547', sport => '546:547' },
174 ],
35d1d6da
DM		 175 'Trcrt' => [
176 { action => 'PARAM', proto => 'udp', dport => '33434:33524' },
177 { action => 'PARAM', proto => 'icmpv6', dport => 'echo-request' },
178 ],
179 };
180
857f62c8 181# imported/converted from: /usr/share/shorewall/macro.*
961b4928 182my $pve_fw_macros = {
857f62c8 183 'Amanda' => [
ebd54ae9 184 "Amanda Backup",
857f62c8
DM		 185 { action => 'PARAM', proto => 'udp', dport => '10080' },
186 { action => 'PARAM', proto => 'tcp', dport => '10080' },
187 ],
188 'Auth' => [
ebd54ae9 189 "Auth (identd) traffic",
857f62c8
DM		 190 { action => 'PARAM', proto => 'tcp', dport => '113' },
191 ],
192 'BGP' => [
ebd54ae9 193 "Border Gateway Protocol traffic",
857f62c8
DM		 194 { action => 'PARAM', proto => 'tcp', dport => '179' },
195 ],
196 'BitTorrent' => [
ebd54ae9 197 "BitTorrent traffic for BitTorrent 3.1 and earlier",
961b4928 198 { action => 'PARAM', proto => 'tcp', dport => '6881:6889' },
857f62c8
DM		 199 { action => 'PARAM', proto => 'udp', dport => '6881' },
200 ],
201 'BitTorrent32' => [
ebd54ae9 202 "BitTorrent traffic for BitTorrent 3.2 and later",
857f62c8
DM		 203 { action => 'PARAM', proto => 'tcp', dport => '6881:6999' },
204 { action => 'PARAM', proto => 'udp', dport => '6881' },
205 ],
06ba9c44
AG		 206 'Ceph' => [
207 "Ceph Storage Cluster traffic (Ceph Monitors, OSD & MDS Deamons)",
208 { action => 'PARAM', proto => 'tcp', dport => '6789' },
209 { action => 'PARAM', proto => 'tcp', dport => '6800:7300' },
210 ],
857f62c8 211 'CVS' => [
ebd54ae9 212 "Concurrent Versions System pserver traffic",
857f62c8
DM		 213 { action => 'PARAM', proto => 'tcp', dport => '2401' },
214 ],
215 'Citrix' => [
ebd54ae9 216 "Citrix/ICA traffic (ICA, ICA Browser, CGP)",
857f62c8
DM		 217 { action => 'PARAM', proto => 'tcp', dport => '1494' },
218 { action => 'PARAM', proto => 'udp', dport => '1604' },
219 { action => 'PARAM', proto => 'tcp', dport => '2598' },
220 ],
221 'DAAP' => [
ebd54ae9 222 "Digital Audio Access Protocol traffic (iTunes, Rythmbox daemons)",
857f62c8
DM		 223 { action => 'PARAM', proto => 'tcp', dport => '3689' },
224 { action => 'PARAM', proto => 'udp', dport => '3689' },
225 ],
226 'DCC' => [
ebd54ae9 227 "Distributed Checksum Clearinghouse spam filtering mechanism",
857f62c8
DM		 228 { action => 'PARAM', proto => 'tcp', dport => '6277' },
229 ],
230 'DHCPfwd' => [
d2c3266d 231 "Forwarded DHCP traffic",
857f62c8 232 { action => 'PARAM', proto => 'udp', dport => '67:68', sport => '67:68' },
857f62c8
DM		 233 ],
234 'DNS' => [
ebd54ae9 235 "Domain Name System traffic (upd and tcp)",
857f62c8
DM		 236 { action => 'PARAM', proto => 'udp', dport => '53' },
237 { action => 'PARAM', proto => 'tcp', dport => '53' },
238 ],
239 'Distcc' => [
ebd54ae9 240 "Distributed Compiler service",
857f62c8
DM		 241 { action => 'PARAM', proto => 'tcp', dport => '3632' },
242 ],
857f62c8 243 'FTP' => [
ebd54ae9 244 "File Transfer Protocol",
857f62c8
DM		 245 { action => 'PARAM', proto => 'tcp', dport => '21' },
246 ],
247 'Finger' => [
ebd54ae9 248 "Finger protocol (RFC 742)",
857f62c8
DM		 249 { action => 'PARAM', proto => 'tcp', dport => '79' },
250 ],
251 'GNUnet' => [
ebd54ae9 252 "GNUnet secure peer-to-peer networking traffic",
857f62c8
DM		 253 { action => 'PARAM', proto => 'tcp', dport => '2086' },
254 { action => 'PARAM', proto => 'udp', dport => '2086' },
255 { action => 'PARAM', proto => 'tcp', dport => '1080' },
256 { action => 'PARAM', proto => 'udp', dport => '1080' },
257 ],
258 'GRE' => [
d2c3266d 259 "Generic Routing Encapsulation tunneling protocol",
857f62c8 260 { action => 'PARAM', proto => '47' },
857f62c8
DM		 261 ],
262 'Git' => [
ebd54ae9 263 "Git distributed revision control traffic",
857f62c8
DM		 264 { action => 'PARAM', proto => 'tcp', dport => '9418' },
265 ],
857f62c8 266 'HKP' => [
ebd54ae9 267 "OpenPGP HTTP keyserver protocol traffic",
857f62c8
DM		 268 { action => 'PARAM', proto => 'tcp', dport => '11371' },
269 ],
270 'HTTP' => [
ebd54ae9 271 "Hypertext Transfer Protocol (WWW)",
961b4928
DM		 272 { action => 'PARAM', proto => 'tcp', dport => '80' },
273 ],
857f62c8 274 'HTTPS' => [
ebd54ae9 275 "Hypertext Transfer Protocol (WWW) over SSL",
857f62c8
DM		 276 { action => 'PARAM', proto => 'tcp', dport => '443' },
277 ],
278 'ICPV2' => [
ebd54ae9 279 "Internet Cache Protocol V2 (Squid) traffic",
857f62c8
DM		 280 { action => 'PARAM', proto => 'udp', dport => '3130' },
281 ],
282 'ICQ' => [
ebd54ae9 283 "AOL Instant Messenger traffic",
857f62c8
DM		 284 { action => 'PARAM', proto => 'tcp', dport => '5190' },
285 ],
286 'IMAP' => [
ebd54ae9 287 "Internet Message Access Protocol",
857f62c8
DM		 288 { action => 'PARAM', proto => 'tcp', dport => '143' },
289 ],
290 'IMAPS' => [
ebd54ae9 291 "Internet Message Access Protocol over SSL",
857f62c8
DM		 292 { action => 'PARAM', proto => 'tcp', dport => '993' },
293 ],
294 'IPIP' => [
d2c3266d 295 "IPIP capsulation traffic",
857f62c8 296 { action => 'PARAM', proto => '94' },
857f62c8 297 ],
857f62c8 298 'IPsec' => [
d2c3266d 299 "IPsec traffic",
857f62c8
DM		 300 { action => 'PARAM', proto => 'udp', dport => '500', sport => '500' },
301 { action => 'PARAM', proto => '50' },
857f62c8
DM		 302 ],
303 'IPsecah' => [
d2c3266d 304 "IPsec authentication (AH) traffic",
857f62c8
DM		 305 { action => 'PARAM', proto => 'udp', dport => '500', sport => '500' },
306 { action => 'PARAM', proto => '51' },
857f62c8
DM		 307 ],
308 'IPsecnat' => [
d2c3266d 309 "IPsec traffic and Nat-Traversal",
857f62c8
DM		 310 { action => 'PARAM', proto => 'udp', dport => '500' },
311 { action => 'PARAM', proto => 'udp', dport => '4500' },
312 { action => 'PARAM', proto => '50' },
857f62c8
DM		 313 ],
314 'IRC' => [
ebd54ae9 315 "Internet Relay Chat traffic",
857f62c8
DM		 316 { action => 'PARAM', proto => 'tcp', dport => '6667' },
317 ],
857f62c8 318 'Jetdirect' => [
ebd54ae9 319 "HP Jetdirect printing",
857f62c8
DM		 320 { action => 'PARAM', proto => 'tcp', dport => '9100' },
321 ],
322 'L2TP' => [
ebd54ae9 323 "Layer 2 Tunneling Protocol traffic",
857f62c8 324 { action => 'PARAM', proto => 'udp', dport => '1701' },
857f62c8
DM		 325 ],
326 'LDAP' => [
ebd54ae9 327 "Lightweight Directory Access Protocol traffic",
857f62c8
DM		 328 { action => 'PARAM', proto => 'tcp', dport => '389' },
329 ],
330 'LDAPS' => [
ebd54ae9 331 "Secure Lightweight Directory Access Protocol traffic",
857f62c8
DM		 332 { action => 'PARAM', proto => 'tcp', dport => '636' },
333 ],
334 'MSNP' => [
ebd54ae9 335 "Microsoft Notification Protocol",
857f62c8
DM		 336 { action => 'PARAM', proto => 'tcp', dport => '1863' },
337 ],
338 'MSSQL' => [
ebd54ae9 339 "Microsoft SQL Server",
857f62c8
DM		 340 { action => 'PARAM', proto => 'tcp', dport => '1433' },
341 ],
342 'Mail' => [
ebd54ae9 343 "Mail traffic (SMTP, SMTPS, Submission)",
857f62c8
DM		 344 { action => 'PARAM', proto => 'tcp', dport => '25' },
345 { action => 'PARAM', proto => 'tcp', dport => '465' },
346 { action => 'PARAM', proto => 'tcp', dport => '587' },
347 ],
7831e1e3
EK		 348 'MDNS' => [
349 "Multicast DNS",
350 { action => 'PARAM', proto => 'udp', dport => '5353' },
351 ],
857f62c8 352 'Munin' => [
ebd54ae9 353 "Munin networked resource monitoring traffic",
857f62c8
DM		 354 { action => 'PARAM', proto => 'tcp', dport => '4949' },
355 ],
356 'MySQL' => [
ebd54ae9 357 "MySQL server",
857f62c8
DM		 358 { action => 'PARAM', proto => 'tcp', dport => '3306' },
359 ],
360 'NNTP' => [
ebd54ae9 361 "NNTP traffic (Usenet).",
857f62c8
DM		 362 { action => 'PARAM', proto => 'tcp', dport => '119' },
363 ],
364 'NNTPS' => [
ebd54ae9 365 "Encrypted NNTP traffic (Usenet)",
857f62c8
DM		 366 { action => 'PARAM', proto => 'tcp', dport => '563' },
367 ],
368 'NTP' => [
ebd54ae9 369 "Network Time Protocol (ntpd)",
857f62c8
DM		 370 { action => 'PARAM', proto => 'udp', dport => '123' },
371 ],
857f62c8 372 'OSPF' => [
ebd54ae9 373 "OSPF multicast traffic",
857f62c8
DM		 374 { action => 'PARAM', proto => '89' },
375 ],
376 'OpenVPN' => [
ebd54ae9 377 "OpenVPN traffic",
857f62c8
DM		 378 { action => 'PARAM', proto => 'udp', dport => '1194' },
379 ],
380 'PCA' => [
ebd54ae9 381 "Symantec PCAnywere (tm)",
857f62c8
DM		 382 { action => 'PARAM', proto => 'udp', dport => '5632' },
383 { action => 'PARAM', proto => 'tcp', dport => '5631' },
384 ],
385 'POP3' => [
ebd54ae9 386 "POP3 traffic",
857f62c8
DM		 387 { action => 'PARAM', proto => 'tcp', dport => '110' },
388 ],
389 'POP3S' => [
ebd54ae9 390 "Encrypted POP3 traffic",
857f62c8
DM		 391 { action => 'PARAM', proto => 'tcp', dport => '995' },
392 ],
393 'PPtP' => [
ebd54ae9 394 "Point-to-Point Tunneling Protocol",
857f62c8 395 { action => 'PARAM', proto => '47' },
857f62c8
DM		 396 { action => 'PARAM', proto => 'tcp', dport => '1723' },
397 ],
398 'Ping' => [
ebd54ae9 399 "ICMP echo request",
269d4f13 400 { action => 'PARAM', proto => 'icmp', dport => 'echo-request' },
857f62c8
DM		 401 ],
402 'PostgreSQL' => [
ebd54ae9 403 "PostgreSQL server",
857f62c8
DM		 404 { action => 'PARAM', proto => 'tcp', dport => '5432' },
405 ],
406 'Printer' => [
ebd54ae9 407 "Line Printer protocol printing",
857f62c8
DM		 408 { action => 'PARAM', proto => 'tcp', dport => '515' },
409 ],
410 'RDP' => [
ebd54ae9 411 "Microsoft Remote Desktop Protocol traffic",
857f62c8
DM		 412 { action => 'PARAM', proto => 'tcp', dport => '3389' },
413 ],
d2c3266d 414 'RIP' => [
ebd54ae9 415 "Routing Information Protocol (bidirectional)",
857f62c8 416 { action => 'PARAM', proto => 'udp', dport => '520' },
857f62c8
DM		 417 ],
418 'RNDC' => [
ebd54ae9 419 "BIND remote management protocol",
857f62c8
DM		 420 { action => 'PARAM', proto => 'tcp', dport => '953' },
421 ],
422 'Razor' => [
ebd54ae9 423 "Razor Antispam System",
857f62c8
DM		 424 { action => 'ACCEPT', proto => 'tcp', dport => '2703' },
425 ],
426 'Rdate' => [
ebd54ae9 427 "Remote time retrieval (rdate)",
857f62c8
DM		 428 { action => 'PARAM', proto => 'tcp', dport => '37' },
429 ],
430 'Rsync' => [
ebd54ae9 431 "Rsync server",
857f62c8
DM		 432 { action => 'PARAM', proto => 'tcp', dport => '873' },
433 ],
434 'SANE' => [
ebd54ae9 435 "SANE network scanning",
857f62c8
DM		 436 { action => 'PARAM', proto => 'tcp', dport => '6566' },
437 ],
438 'SMB' => [
ebd54ae9 439 "Microsoft SMB traffic",
857f62c8
DM		 440 { action => 'PARAM', proto => 'udp', dport => '135,445' },
441 { action => 'PARAM', proto => 'udp', dport => '137:139' },
442 { action => 'PARAM', proto => 'udp', dport => '1024:65535', sport => '137' },
443 { action => 'PARAM', proto => 'tcp', dport => '135,139,445' },
444 ],
857f62c8 445 'SMBswat' => [
ebd54ae9 446 "Samba Web Administration Tool",
857f62c8
DM		 447 { action => 'PARAM', proto => 'tcp', dport => '901' },
448 ],
449 'SMTP' => [
ebd54ae9 450 "Simple Mail Transfer Protocol",
857f62c8
DM		 451 { action => 'PARAM', proto => 'tcp', dport => '25' },
452 ],
453 'SMTPS' => [
ebd54ae9 454 "Encrypted Simple Mail Transfer Protocol",
857f62c8
DM		 455 { action => 'PARAM', proto => 'tcp', dport => '465' },
456 ],
457 'SNMP' => [
ebd54ae9 458 "Simple Network Management Protocol",
857f62c8
DM		 459 { action => 'PARAM', proto => 'udp', dport => '161:162' },
460 { action => 'PARAM', proto => 'tcp', dport => '161' },
461 ],
462 'SPAMD' => [
ebd54ae9 463 "Spam Assassin SPAMD traffic",
857f62c8
DM		 464 { action => 'PARAM', proto => 'tcp', dport => '783' },
465 ],
466 'SSH' => [
ebd54ae9 467 "Secure shell traffic",
857f62c8
DM		 468 { action => 'PARAM', proto => 'tcp', dport => '22' },
469 ],
470 'SVN' => [
ebd54ae9 471 "Subversion server (svnserve)",
857f62c8
DM		 472 { action => 'PARAM', proto => 'tcp', dport => '3690' },
473 ],
474 'SixXS' => [
ebd54ae9 475 "SixXS IPv6 Deployment and Tunnel Broker",
857f62c8
DM		 476 { action => 'PARAM', proto => 'tcp', dport => '3874' },
477 { action => 'PARAM', proto => 'udp', dport => '3740' },
478 { action => 'PARAM', proto => '41' },
479 { action => 'PARAM', proto => 'udp', dport => '5072,8374' },
480 ],
481 'Squid' => [
ebd54ae9 482 "Squid web proxy traffic",
857f62c8
DM		 483 { action => 'PARAM', proto => 'tcp', dport => '3128' },
484 ],
485 'Submission' => [
ebd54ae9 486 "Mail message submission traffic",
857f62c8
DM		 487 { action => 'PARAM', proto => 'tcp', dport => '587' },
488 ],
489 'Syslog' => [
ebd54ae9 490 "Syslog protocol (RFC 5424) traffic",
857f62c8
DM		 491 { action => 'PARAM', proto => 'udp', dport => '514' },
492 { action => 'PARAM', proto => 'tcp', dport => '514' },
493 ],
494 'TFTP' => [
ebd54ae9 495 "Trivial File Transfer Protocol traffic",
857f62c8
DM		 496 { action => 'PARAM', proto => 'udp', dport => '69' },
497 ],
498 'Telnet' => [
ebd54ae9 499 "Telnet traffic",
857f62c8
DM		 500 { action => 'PARAM', proto => 'tcp', dport => '23' },
501 ],
502 'Telnets' => [
ebd54ae9 503 "Telnet over SSL",
857f62c8
DM		 504 { action => 'PARAM', proto => 'tcp', dport => '992' },
505 ],
506 'Time' => [
ebd54ae9 507 "RFC 868 Time protocol",
857f62c8
DM		 508 { action => 'PARAM', proto => 'tcp', dport => '37' },
509 ],
510 'Trcrt' => [
ebd54ae9 511 "Traceroute (for up to 30 hops) traffic",
857f62c8 512 { action => 'PARAM', proto => 'udp', dport => '33434:33524' },
269d4f13 513 { action => 'PARAM', proto => 'icmp', dport => 'echo-request' },
857f62c8
DM		 514 ],
515 'VNC' => [
93be4333
DM		 516 "VNC traffic for VNC display's 0 - 99",
517 { action => 'PARAM', proto => 'tcp', dport => '5900:5999' },
857f62c8
DM		 518 ],
519 'VNCL' => [
ebd54ae9 520 "VNC traffic from Vncservers to Vncviewers in listen mode",
857f62c8
DM		 521 { action => 'PARAM', proto => 'tcp', dport => '5500' },
522 ],
523 'Web' => [
ebd54ae9 524 "WWW traffic (HTTP and HTTPS)",
857f62c8 525 { action => 'PARAM', proto => 'tcp', dport => '80' },
961b4928
DM		 526 { action => 'PARAM', proto => 'tcp', dport => '443' },
527 ],
857f62c8 528 'Webcache' => [
ebd54ae9 529 "Web Cache/Proxy traffic (port 8080)",
857f62c8
DM		 530 { action => 'PARAM', proto => 'tcp', dport => '8080' },
531 ],
532 'Webmin' => [
ebd54ae9 533 "Webmin traffic",
857f62c8
DM		 534 { action => 'PARAM', proto => 'tcp', dport => '10000' },
535 ],
536 'Whois' => [
ebd54ae9 537 "Whois (nicname, RFC 3912) traffic",
857f62c8
DM		 538 { action => 'PARAM', proto => 'tcp', dport => '43' },
539 ],
961b4928
DM		 540};
541
542my $pve_fw_parsed_macros;
ebd54ae9 543my $pve_fw_macro_descr;
21a18e53 544my $pve_fw_macro_ipversion = {};
961b4928 545my $pve_fw_preferred_macro_names = {};
3a616aa0 546
fe3d79b4
WB		 547my $FWACCEPTMARK_ON = "0x80000000/0x80000000";
548my $FWACCEPTMARK_OFF = "0x00000000/0x80000000";
549
5547adf7
AD		 550my $pve_std_chains = {};
551$pve_std_chains->{4} = {
d8f2505e 552 'PVEFW-SET-ACCEPT-MARK' => [
044409e5 553 { target => "-j MARK --set-mark $FWACCEPTMARK_ON" },
d8f2505e 554 ],
79929d9c
DM		 555 'PVEFW-DropBroadcast' => [
556 # same as shorewall 'Broadcast'
557 # simply DROP BROADCAST/MULTICAST/ANYCAST
558 # we can use this to reduce logging
559 { action => 'DROP', dsttype => 'BROADCAST' },
560 { action => 'DROP', dsttype => 'MULTICAST' },
561 { action => 'DROP', dsttype => 'ANYCAST' },
cbb5d6f3 562 { action => 'DROP', dest => '224.0.0.0/4' },
79929d9c
DM		 563 ],
564 'PVEFW-reject' => [
565 # same as shorewall 'reject'
566 { action => 'DROP', dsttype => 'BROADCAST' },
cbb5d6f3 567 { action => 'DROP', source => '224.0.0.0/4' },
79929d9c 568 { action => 'DROP', proto => 'icmp' },
044409e5
TW		 569 { match => '-p tcp', target => '-j REJECT --reject-with tcp-reset' },
570 { match => '-p udp', target => '-j REJECT --reject-with icmp-port-unreachable' },
571 { match => '-p icmp', target => '-j REJECT --reject-with icmp-host-unreachable' },
572 { target => '-j REJECT --reject-with icmp-host-prohibited' },
79929d9c
DM		 573 ],
574 'PVEFW-Drop' => [
cbb5d6f3 575 # same as shorewall 'Drop', which is equal to DROP,
79929d9c
DM		 576 # but REJECT/DROP some packages to reduce logging,
577 # and ACCEPT critical ICMP types
578 { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth'
579 # we are not interested in BROADCAST/MULTICAST/ANYCAST
580 { action => 'PVEFW-DropBroadcast' },
581 # ACCEPT critical ICMP types
582 { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' },
583 { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' },
584 # Drop packets with INVALID state
044409e5 585 { action => 'DROP', match => '-m conntrack --ctstate INVALID', },
79929d9c
DM		 586 # Drop Microsoft SMB noise
587 { action => 'DROP', proto => 'udp', dport => '135,445', nbdport => 2 },
588 { action => 'DROP', proto => 'udp', dport => '137:139'},
589 { action => 'DROP', proto => 'udp', dport => '1024:65535', sport => 137 },
590 { action => 'DROP', proto => 'tcp', dport => '135,139,445', nbdport => 3 },
591 { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP
592 # Drop new/NotSyn traffic so that it doesn't get logged
044409e5 593 { action => 'DROP', match => '-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN' },
79929d9c
DM		 594 # Drop DNS replies
595 { action => 'DROP', proto => 'udp', sport => 53 },
596 ],
597 'PVEFW-Reject' => [
cbb5d6f3 598 # same as shorewall 'Reject', which is equal to Reject,
79929d9c
DM		 599 # but REJECT/DROP some packages to reduce logging,
600 # and ACCEPT critical ICMP types
601 { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth'
602 # we are not interested in BROADCAST/MULTICAST/ANYCAST
603 { action => 'PVEFW-DropBroadcast' },
604 # ACCEPT critical ICMP types
605 { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' },
606 { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' },
607 # Drop packets with INVALID state
044409e5 608 { action => 'DROP', match => '-m conntrack --ctstate INVALID', },
79929d9c
DM		 609 # Drop Microsoft SMB noise
610 { action => 'PVEFW-reject', proto => 'udp', dport => '135,445', nbdport => 2 },
611 { action => 'PVEFW-reject', proto => 'udp', dport => '137:139'},
612 { action => 'PVEFW-reject', proto => 'udp', dport => '1024:65535', sport => 137 },
613 { action => 'PVEFW-reject', proto => 'tcp', dport => '135,139,445', nbdport => 3 },
614 { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP
615 # Drop new/NotSyn traffic so that it doesn't get logged
044409e5 616 { action => 'DROP', match => '-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN' },
79929d9c
DM		 617 # Drop DNS replies
618 { action => 'DROP', proto => 'udp', sport => 53 },
619 ],
d86659ef
DM		 620 'PVEFW-tcpflags' => [
621 # same as shorewall tcpflags action.
622 # Packets arriving on this interface are checked for som illegal combinations of TCP flags
044409e5
TW		 623 { match => '-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG', target => '-g PVEFW-logflags' },
624 { match => '-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE', target => '-g PVEFW-logflags' },
625 { match => '-p tcp -m tcp --tcp-flags SYN,RST SYN,RST', target => '-g PVEFW-logflags' },
626 { match => '-p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN', target => '-g PVEFW-logflags' },
627 { match => '-p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN', target => '-g PVEFW-logflags' },
d86659ef 628 ],
bee633ab
DM		 629 'PVEFW-smurfs' => [
630 # same as shorewall smurfs action
631 # Filter packets for smurfs (packets with a broadcast address as the source).
044409e5
TW		 632 { match => '-s 0.0.0.0/32', target => '-j RETURN' }, # allow DHCP
633 { match => '-m addrtype --src-type BROADCAST', target => '-g PVEFW-smurflog' },
634 { match => '-s 224.0.0.0/4', target => '-g PVEFW-smurflog' },
635 ],
636 'PVEFW-smurflog' => [
637 { action => 'DROP', logmsg => 'DROP: ' },
638 ],
639 'PVEFW-logflags' => [
640 { action => 'DROP', logmsg => 'DROP: ' },
bee633ab 641 ],
d8f2505e
DM		 642};
643
47a79ff2
AD		 644$pve_std_chains->{6} = {
645 'PVEFW-SET-ACCEPT-MARK' => [
044409e5 646 { target => "-j MARK --set-mark $FWACCEPTMARK_ON" },
47a79ff2
AD		 647 ],
648 'PVEFW-DropBroadcast' => [
044409e5
TW		 649 # same as shorewall 'Broadcast'
650 # simply DROP BROADCAST/MULTICAST/ANYCAST
651 # we can use this to reduce logging
652 #{ action => 'DROP', dsttype => 'BROADCAST' }, #no broadcast in ipv6
649cd835
DM		 653 # ipv6 addrtype does not work with kernel 2.6.32
654 #{ action => 'DROP', dsttype => 'MULTICAST' },
044409e5
TW		 655 #{ action => 'DROP', dsttype => 'ANYCAST' },
656 { action => 'DROP', dest => 'ff00::/8' },
657 #{ action => 'DROP', dest => '224.0.0.0/4' },
47a79ff2
AD		 658 ],
659 'PVEFW-reject' => [
044409e5
TW		 660 # same as shorewall 'reject'
661 #{ action => 'DROP', dsttype => 'BROADCAST' },
662 #{ action => 'DROP', source => '224.0.0.0/4' },
649cd835 663 { action => 'DROP', proto => 'icmpv6' },
044409e5
TW		 664 { match => '-p tcp', target => '-j REJECT --reject-with tcp-reset' },
665 #"-p udp -j REJECT --reject-with icmp-port-unreachable",
666 #"-p icmp -j REJECT --reject-with icmp-host-unreachable",
667 #"-j REJECT --reject-with icmp-host-prohibited",
47a79ff2
AD		 668 ],
669 'PVEFW-Drop' => [
044409e5
TW		 670 # same as shorewall 'Drop', which is equal to DROP,
671 # but REJECT/DROP some packages to reduce logging,
672 # and ACCEPT critical ICMP types
649cd835 673 { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth'
044409e5
TW		 674 # we are not interested in BROADCAST/MULTICAST/ANYCAST
675 { action => 'PVEFW-DropBroadcast' },
676 # ACCEPT critical ICMP types
677 { action => 'ACCEPT', proto => 'icmpv6', dport => 'destination-unreachable' },
678 { action => 'ACCEPT', proto => 'icmpv6', dport => 'time-exceeded' },
679 { action => 'ACCEPT', proto => 'icmpv6', dport => 'packet-too-big' },
680 # Drop packets with INVALID state
681 { action => 'DROP', match => '-m conntrack --ctstate INVALID', },
682 # Drop Microsoft SMB noise
649cd835
DM		 683 { action => 'DROP', proto => 'udp', dport => '135,445', nbdport => 2 },
684 { action => 'DROP', proto => 'udp', dport => '137:139'},
685 { action => 'DROP', proto => 'udp', dport => '1024:65535', sport => 137 },
686 { action => 'DROP', proto => 'tcp', dport => '135,139,445', nbdport => 3 },
687 { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP
044409e5
TW		 688 # Drop new/NotSyn traffic so that it doesn't get logged
689 { action => 'DROP', match => '-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN' },
690 # Drop DNS replies
649cd835 691 { action => 'DROP', proto => 'udp', sport => 53 },
47a79ff2
AD		 692 ],
693 'PVEFW-Reject' => [
044409e5
TW		 694 # same as shorewall 'Reject', which is equal to Reject,
695 # but REJECT/DROP some packages to reduce logging,
696 # and ACCEPT critical ICMP types
697 { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth'
698 # we are not interested in BROADCAST/MULTICAST/ANYCAST
699 { action => 'PVEFW-DropBroadcast' },
700 # ACCEPT critical ICMP types
701 { action => 'ACCEPT', proto => 'icmpv6', dport => 'destination-unreachable' },
702 { action => 'ACCEPT', proto => 'icmpv6', dport => 'time-exceeded' },
703 { action => 'ACCEPT', proto => 'icmpv6', dport => 'packet-too-big' },
704 # Drop packets with INVALID state
705 { action => 'DROP', match => '-m conntrack --ctstate INVALID', },
706 # Drop Microsoft SMB noise
707 { action => 'PVEFW-reject', proto => 'udp', dport => '135,445', nbdport => 2 },
708 { action => 'PVEFW-reject', proto => 'udp', dport => '137:139'},
709 { action => 'PVEFW-reject', proto => 'udp', dport => '1024:65535', sport => 137 },
710 { action => 'PVEFW-reject', proto => 'tcp', dport => '135,139,445', nbdport => 3 },
711 { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP
712 # Drop new/NotSyn traffic so that it doesn't get logged
713 { action => 'DROP', match => '-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN' },
714 # Drop DNS replies
715 { action => 'DROP', proto => 'udp', sport => 53 },
47a79ff2
AD		 716 ],
717 'PVEFW-tcpflags' => [
044409e5
TW		 718 # same as shorewall tcpflags action.
719 # Packets arriving on this interface are checked for som illegal combinations of TCP flags
720 { match => '-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG', target => '-g PVEFW-logflags' },
721 { match => '-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE', target => '-g PVEFW-logflags' },
722 { match => '-p tcp -m tcp --tcp-flags SYN,RST SYN,RST', target => '-g PVEFW-logflags' },
723 { match => '-p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN', target => '-g PVEFW-logflags' },
724 { match => '-p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN', target => '-g PVEFW-logflags' },
725 ],
726 'PVEFW-logflags' => [
727 { action => 'DROP', logmsg => 'DROP: ' },
47a79ff2 728 ],
47a79ff2
AD		 729};
730
4b586518
DM		 731# iptables -p icmp -h
732my $icmp_type_names = {
733 any => 1,
734 'echo-reply' => 1,
735 'destination-unreachable' => 1,
736 'network-unreachable' => 1,
737 'host-unreachable' => 1,
738 'protocol-unreachable' => 1,
739 'port-unreachable' => 1,
740 'fragmentation-needed' => 1,
741 'source-route-failed' => 1,
742 'network-unknown' => 1,
743 'host-unknown' => 1,
744 'network-prohibited' => 1,
745 'host-prohibited' => 1,
746 'TOS-network-unreachable' => 1,
747 'TOS-host-unreachable' => 1,
748 'communication-prohibited' => 1,
749 'host-precedence-violation' => 1,
750 'precedence-cutoff' => 1,
751 'source-quench' => 1,
752 'redirect' => 1,
753 'network-redirect' => 1,
754 'host-redirect' => 1,
755 'TOS-network-redirect' => 1,
756 'TOS-host-redirect' => 1,
757 'echo-request' => 1,
758 'router-advertisement' => 1,
759 'router-solicitation' => 1,
760 'time-exceeded' => 1,
761 'ttl-zero-during-transit' => 1,
762 'ttl-zero-during-reassembly' => 1,
763 'parameter-problem' => 1,
764 'ip-header-bad' => 1,
765 'required-option-missing' => 1,
766 'timestamp-request' => 1,
767 'timestamp-reply' => 1,
768 'address-mask-request' => 1,
769 'address-mask-reply' => 1,
770};
771
041b9277
DM		 772# ip6tables -p icmpv6 -h
773
774my $icmpv6_type_names = {
775 'any' => 1,
776 'destination-unreachable' => 1,
777 'no-route' => 1,
778 'communication-prohibited' => 1,
779 'address-unreachable' => 1,
780 'port-unreachable' => 1,
781 'packet-too-big' => 1,
782 'time-exceeded' => 1,
783 'ttl-zero-during-transit' => 1,
784 'ttl-zero-during-reassembly' => 1,
785 'parameter-problem' => 1,
786 'bad-header' => 1,
787 'unknown-header-type' => 1,
788 'unknown-option' => 1,
789 'echo-request' => 1,
790 'echo-reply' => 1,
791 'router-solicitation' => 1,
792 'router-advertisement' => 1,
593604cc 793 'neighbor-solicitation' => 1,
041b9277 794 'neighbour-solicitation' => 1,
593604cc 795 'neighbor-advertisement' => 1,
041b9277
DM		 796 'neighbour-advertisement' => 1,
797 'redirect' => 1,
798};
799
54cd19a8 800sub init_firewall_macros {
6158271d 801
961b4928 802 $pve_fw_parsed_macros = {};
9aab3127 803
21a18e53
WB		 804 my $parse = sub {
805 my ($k, $macro) = @_;
e5076eee 806 my $lc_name = lc($k);
21a18e53
WB		 807 $pve_fw_macro_ipversion->{$k} = 0;
808 while (!ref($macro->[0])) {
809 my $desc = shift @$macro;
810 if ($desc eq 'ipv4only') {
811 $pve_fw_macro_ipversion->{$k} = 4;
812 } elsif ($desc eq 'ipv6only') {
813 $pve_fw_macro_ipversion->{$k} = 6;
814 } else {
815 $pve_fw_macro_descr->{$k} = $desc;
816 }
ebd54ae9 817 }
e5076eee
DM		 818 $pve_fw_preferred_macro_names->{$lc_name} = $k;
819 $pve_fw_parsed_macros->{$k} = $macro;
21a18e53
WB		 820 };
821
822 foreach my $k (keys %$pve_fw_macros) {
823 &$parse($k, $pve_fw_macros->{$k});
824 }
825
826 foreach my $k (keys %$pve_ipv6fw_macros) {
827 next if $pve_fw_parsed_macros->{$k};
828 &$parse($k, $pve_ipv6fw_macros->{$k});
829 $pve_fw_macro_ipversion->{$k} = 6;
961b4928 830 }
9aab3127
DM		 831}
832
54cd19a8
DM		 833init_firewall_macros();
834
ebd54ae9
DM		 835sub get_macros {
836 return wantarray ? ($pve_fw_parsed_macros, $pve_fw_macro_descr): $pve_fw_parsed_macros;
837}
838
fcba0beb
DM		 839my $etc_services;
840
841sub get_etc_services {
842
843 return $etc_services if $etc_services;
844
845 my $filename = "/etc/services";
846
847 my $fh = IO::File->new($filename, O_RDONLY);
848 if (!$fh) {
849 warn "unable to read '$filename' - $!\n";
850 return {};
851 }
852
853 my $services = {};
854
855 while (my $line = <$fh>) {
856 chomp ($line);
857 next if $line =~m/^#/;
858 next if ($line =~m/^\s*$/);
859
860 if ($line =~ m!^(\S+)\s+(\S+)/(tcp|udp).*$!) {
861 $services->{byid}->{$2}->{name} = $1;
35b66e9d 862 $services->{byid}->{$2}->{port} = $2;
fcba0beb
DM		 863 $services->{byid}->{$2}->{$3} = 1;
864 $services->{byname}->{$1} = $services->{byid}->{$2};
865 }
866 }
867
868 close($fh);
869
6158271d
DM		 870 $etc_services = $services;
871
3a616aa0 872
fcba0beb
DM		 873 return $etc_services;
874}
875
876my $etc_protocols;
877
878sub get_etc_protocols {
879 return $etc_protocols if $etc_protocols;
880
881 my $filename = "/etc/protocols";
882
883 my $fh = IO::File->new($filename, O_RDONLY);
884 if (!$fh) {
885 warn "unable to read '$filename' - $!\n";
886 return {};
887 }
888
889 my $protocols = {};
890
891 while (my $line = <$fh>) {
892 chomp ($line);
893 next if $line =~m/^#/;
894 next if ($line =~m/^\s*$/);
895
896 if ($line =~ m!^(\S+)\s+(\d+)\s+.*$!) {
897 $protocols->{byid}->{$2}->{name} = $1;
898 $protocols->{byname}->{$1} = $protocols->{byid}->{$2};
899 }
900 }
901
902 close($fh);
903
041b9277
DM		 904 # add special case for ICMP v6
905 $protocols->{byid}->{icmpv6}->{name} = "icmpv6";
906 $protocols->{byname}->{icmpv6} = $protocols->{byid}->{icmpv6};
907
fcba0beb
DM		 908 $etc_protocols = $protocols;
909
910 return $etc_protocols;
911}
912
525778d7 913my $__local_network;
93be4333 914
525778d7 915sub local_network {
ac633d30 916 my ($new_value) = @_;
93be4333 917
525778d7 918 $__local_network = $new_value if defined($new_value);
ac633d30 919
525778d7 920 return $__local_network if defined($__local_network);
93be4333
DM		 921
922 eval {
923 my $nodename = PVE::INotify::nodename();
924
925 my $ip = PVE::Cluster::remote_node_ip($nodename);
926
927 my $testip = Net::IP->new($ip);
bfc488f6 928
5dc356af
WB		 929 my $isv6 = $testip->version == 6;
930 my $routes = $isv6 ? PVE::ProcFSTools::read_proc_net_ipv6_route()
931 : PVE::ProcFSTools::read_proc_net_route();
93be4333 932 foreach my $entry (@$routes) {
5dc356af
WB		 933 my $mask;
934 if ($isv6) {
935 $mask = $entry->{prefix};
15c80000 936 next if !$mask; # skip the default route...
5dc356af 937 } else {
2e1ae6b9 938 $mask = $PVE::Network::ipv4_mask_hash_localnet->{$entry->{mask}};
5dc356af
WB		 939 next if !defined($mask);
940 }
93be4333
DM		 941 my $cidr = "$entry->{dest}/$mask";
942 my $testnet = Net::IP->new($cidr);
15c80000
WB		 943 my $overlap = $testnet->overlaps($testip);
944 if ($overlap == $Net::IP::IP_B_IN_A_OVERLAP ||
945 $overlap == $Net::IP::IP_IDENTICAL)
946 {
525778d7 947 $__local_network = $cidr;
93be4333
DM		 948 return;
949 }
950 }
951 };
952 warn $@ if $@;
953
525778d7 954 return $__local_network;
93be4333
DM		 955}
956
6d959e3f
DM		 957# ipset names are limited to 31 characters,
958# and we use '-v4' or '-v6' to indicate IP versions,
959# and we use '_swap' suffix for atomic update,
960# for example PVEFW-${VMID}-${ipset_name}_swap
30150dca 961
88c26d5e 962my $max_iptables_ipset_name_length = 31 - length("PVEFW-") - length("_swap");
708ba714
DM		 963
964sub compute_ipset_chain_name {
88c26d5e 965 my ($vmid, $ipset_name, $ipversion) = @_;
708ba714
DM		 966
967 $vmid = 0 if !defined($vmid);
968
88c26d5e 969 my $id = "$vmid-${ipset_name}-v$ipversion";
708ba714 970
88c26d5e 971 if (length($id) > $max_iptables_ipset_name_length) {
708ba714
DM		 972 $id = PVE::Tools::fnv31a_hex($id);
973 }
974
975 return "PVEFW-$id";
976}
977
b692f42c
DM		 978sub compute_ipfilter_ipset_name {
979 my ($iface) = @_;
980
981 return "ipfilter-$iface";
982}
983
ecbea048
DM		 984sub parse_address_list {
985 my ($str) = @_;
986
e2c62733
DM		 987 if ($str =~ m/^(\+)(\S+)$/) { # ipset ref
988 die "ipset name too long\n" if length($str) > ($max_ipset_name_length + 1);
989 return;
990 }
991
992 if ($str =~ m/^${ip_alias_pattern}$/) {
993 die "alias name too long\n" if length($str) > $max_alias_name_length;
994 return;
995 }
d72beb8e 996
3162af6b
DM		 997 my $count = 0;
998 my $iprange = 0;
a589b6ac 999 my $ipversion;
7697c041 1000
55b47371
WB		 1001 my @elements = split(/,/, $str);
1002 die "extraneous commas in list\n" if $str ne join(',', @elements);
1003 foreach my $elem (@elements) {
3162af6b 1004 $count++;
c344e509
DM		 1005 my $ip = Net::IP->new($elem);
1006 if (!$ip) {
ecbea048
DM		 1007 my $err = Net::IP::Error();
1008 die "invalid IP address: $err\n";
1009 }
3162af6b 1010 $iprange = 1 if $elem =~ m/-/;
a589b6ac 1011
c344e509 1012 my $new_ipversion = Net::IP::ip_is_ipv6($ip->ip()) ? 6 : 4;
a589b6ac
DM		 1013
1014 die "detected mixed ipv4/ipv6 addresses in address list '$str'\n"
006490cb 1015 if $ipversion && ($new_ipversion != $ipversion);
a589b6ac
DM		 1016
1017 $ipversion = $new_ipversion;
ecbea048 1018 }
e34d0e58 1019
5163367b 1020 die "you can't use a range in a list\n" if $iprange && $count > 1;
a589b6ac 1021
7697c041 1022 return $ipversion;
ecbea048 1023}
dddd9413 1024
fcba0beb 1025sub parse_port_name_number_or_range {
a1c04f71 1026 my ($str, $dport) = @_;
fcba0beb
DM		 1027
1028 my $services = PVE::Firewall::get_etc_services();
7ca36671 1029 my $count = 0;
041b7e8e
DM		 1030 my $icmp_port = 0;
1031
55b47371
WB		 1032 my @elements = split(/,/, $str);
1033 die "extraneous commas in list\n" if $str ne join(',', @elements);
1034 foreach my $item (@elements) {
7ca36671
DM		 1035 $count++;
1036 if ($item =~ m/^(\d+):(\d+)$/) {
1037 my ($port1, $port2) = ($1, $2);
1038 die "invalid port '$port1'\n" if $port1 > 65535;
1039 die "invalid port '$port2'\n" if $port2 > 65535;
1040 } elsif ($item =~ m/^(\d+)$/) {
1041 my $port = $1;
1042 die "invalid port '$port'\n" if $port > 65535;
1043 } else {
a1c04f71 1044 if ($dport && $icmp_type_names->{$item}) {
041b7e8e 1045 $icmp_port = 1;
a1c04f71 1046 } elsif ($dport && $icmpv6_type_names->{$item}) {
041b9277 1047 $icmp_port = 1;
041b7e8e 1048 } else {
e34d0e58 1049 die "invalid port '$item'\n" if !$services->{byname}->{$item};
041b7e8e 1050 }
fcba0beb
DM		 1051 }
1052 }
1053
041b7e8e
DM		 1054 die "ICPM ports not allowed in port range\n" if $icmp_port && $count > 1;
1055
7ca36671 1056 return $count;
fcba0beb
DM		 1057}
1058
a1c04f71
WB		 1059PVE::JSONSchema::register_format('pve-fw-sport-spec', \&pve_fw_verify_sport_spec);
1060sub pve_fw_verify_sport_spec {
1061 my ($portstr) = @_;
1062
1063 parse_port_name_number_or_range($portstr, 0);
1064
1065 return $portstr;
1066}
1067
1068PVE::JSONSchema::register_format('pve-fw-dport-spec', \&pve_fw_verify_dport_spec);
1069sub pve_fw_verify_dport_spec {
54cd19a8
DM		 1070 my ($portstr) = @_;
1071
a1c04f71 1072 parse_port_name_number_or_range($portstr, 1);
54cd19a8
DM		 1073
1074 return $portstr;
1075}
1076
d31689ee
DM		 1077PVE::JSONSchema::register_format('pve-fw-addr-spec', \&pve_fw_verify_addr_spec);
1078sub pve_fw_verify_addr_spec {
54cd19a8
DM		 1079 my ($list) = @_;
1080
1081 parse_address_list($list);
1082
1083 return $list;
1084}
1085
1086PVE::JSONSchema::register_format('pve-fw-protocol-spec', \&pve_fw_verify_protocol_spec);
1087sub pve_fw_verify_protocol_spec {
1088 my ($proto) = @_;
1089
1090 my $protocols = get_etc_protocols();
1091
1092 die "unknown protocol '$proto'\n" if $proto &&
1093 !(defined($protocols->{byname}->{$proto}) ||
1094 defined($protocols->{byid}->{$proto}));
1095
1096 return $proto;
1097}
1098
1099
d1c53b3e 1100# helper function for API
d1c53b3e 1101
5d38d64f
DM		 1102sub copy_opject_with_digest {
1103 my ($object) = @_;
1104
1105 my $sha = Digest::SHA->new('sha1');
1106
1107 my $res = {};
1108 foreach my $k (sort keys %$object) {
1109 my $v = $object->{$k};
0365eb68 1110 next if !defined($v);
5d38d64f
DM		 1111 $res->{$k} = $v;
1112 $sha->add($k, ':', $v, "\n");
1113 }
1114
55e686c7 1115 my $digest = $sha->hexdigest;
5d38d64f
DM		 1116
1117 $res->{digest} = $digest;
1118
1119 return wantarray ? ($res, $digest) : $res;
1120}
1121
1122sub copy_list_with_digest {
1123 my ($list) = @_;
1124
1125 my $sha = Digest::SHA->new('sha1');
1126
1127 my $res = [];
1128 foreach my $entry (@$list) {
1129 my $data = {};
1130 foreach my $k (sort keys %$entry) {
1131 my $v = $entry->{$k};
0365eb68 1132 next if !defined($v);
5d38d64f 1133 $data->{$k} = $v;
6d9246e7 1134 # Note: digest ignores refs ($rule->{errors})
e83f0d00
DC		 1135 # since Digest::SHA expects a series of bytes,
1136 # we have to encode the value here to prevent errors when
1137 # using utf8 characters (eg. in comments)
1138 $sha->add($k, ':', encode_utf8($v), "\n") if !ref($v); ;
5d38d64f
DM		 1139 }
1140 push @$res, $data;
1141 }
1142
55e686c7 1143 my $digest = $sha->hexdigest;
5d38d64f
DM		 1144
1145 foreach my $entry (@$res) {
1146 $entry->{digest} = $digest;
1147 }
1148
1149 return wantarray ? ($res, $digest) : $res;
1150}
1151
e313afe0
DM		 1152our $cluster_option_properties = {
1153 enable => {
1154 description => "Enable or disable the firewall cluster wide.",
1155 type => 'integer',
1156 minimum => 0,
1157 optional => 1,
1158 },
1159 policy_in => {
1160 description => "Input policy.",
1161 type => 'string',
1162 optional => 1,
1163 enum => ['ACCEPT', 'REJECT', 'DROP'],
1164 },
1165 policy_out => {
1166 description => "Output policy.",
1167 type => 'string',
1168 optional => 1,
1169 enum => ['ACCEPT', 'REJECT', 'DROP'],
1170 },
1171};
1172
1173our $host_option_properties = {
1174 enable => {
1175 description => "Enable host firewall rules.",
1176 type => 'boolean',
1177 optional => 1,
1178 },
1179 log_level_in => get_standard_option('pve-fw-loglevel', {
1180 description => "Log level for incoming traffic." }),
1181 log_level_out => get_standard_option('pve-fw-loglevel', {
1182 description => "Log level for outgoing traffic." }),
1183 tcp_flags_log_level => get_standard_option('pve-fw-loglevel', {
1184 description => "Log level for illegal tcp flags filter." }),
1185 smurf_log_level => get_standard_option('pve-fw-loglevel', {
1186 description => "Log level for SMURFS filter." }),
1187 nosmurfs => {
1188 description => "Enable SMURFS filter.",
1189 type => 'boolean',
1190 optional => 1,
1191 },
1192 tcpflags => {
1193 description => "Filter illegal combinations of TCP flags.",
1194 type => 'boolean',
1195 optional => 1,
1196 },
1197 nf_conntrack_max => {
1198 description => "Maximum number of tracked connections.",
1199 type => 'integer',
1200 optional => 1,
1201 minimum => 32768,
1202 },
1203 nf_conntrack_tcp_timeout_established => {
1204 description => "Conntrack established timeout.",
1205 type => 'integer',
1206 optional => 1,
1207 minimum => 7875,
1208 },
1209 ndp => {
1210 description => "Enable NDP.",
1211 type => 'boolean',
1212 optional => 1,
1213 },
1214};
1215
1216our $vm_option_properties = {
1217 enable => {
1218 description => "Enable/disable firewall rules.",
1219 type => 'boolean',
1220 optional => 1,
1221 },
1222 macfilter => {
1223 description => "Enable/disable MAC address filter.",
1224 type => 'boolean',
1225 optional => 1,
1226 },
1227 dhcp => {
1228 description => "Enable DHCP.",
1229 type => 'boolean',
1230 optional => 1,
1231 },
1232 ndp => {
1233 description => "Enable NDP.",
1234 type => 'boolean',
1235 optional => 1,
1236 },
1237 radv => {
1238 description => "Allow sending Router Advertisement.",
1239 type => 'boolean',
1240 optional => 1,
1241 },
1242 ipfilter => {
1243 description => "Enable default IP filters. " .
1244 "This is equivalent to adding an empty ipfilter-net<id> ipset " .
1245 "for every interface. Such ipsets implicitly contain sane default " .
1246 "restrictions such as restricting IPv6 link local addresses to " .
1247 "the one derived from the interface's MAC address. For containers " .
1248 "the configured IP addresses will be implicitly added.",
1249 type => 'boolean',
1250 optional => 1,
1251 },
1252 policy_in => {
1253 description => "Input policy.",
1254 type => 'string',
1255 optional => 1,
1256 enum => ['ACCEPT', 'REJECT', 'DROP'],
1257 },
1258 policy_out => {
1259 description => "Output policy.",
1260 type => 'string',
1261 optional => 1,
1262 enum => ['ACCEPT', 'REJECT', 'DROP'],
1263 },
1264 log_level_in => get_standard_option('pve-fw-loglevel', {
1265 description => "Log level for incoming traffic." }),
1266 log_level_out => get_standard_option('pve-fw-loglevel', {
1267 description => "Log level for outgoing traffic." }),
1268
1269};
1270
fb060a52 1271
7a332151 1272my $addr_list_descr = "This can refer to a single IP address, an IP set ('+ipsetname') or an IP alias definition. You can also specify an address range like '20.34.101.207-201.3.9.99', or a list of IP addresses and networks (entries are separated by comma). Please do not mix IPv4 and IPv6 addresses inside such lists.";
fb060a52 1273
7a332151 1274my $port_descr = "You can use service names or simple numbers (0-65535), as defined in '/etc/services'. Port ranges can be specified with '\\d+:\\d+', for example '80:85', and you can use comma separated list to match several ports or ranges.";
fb060a52 1275
9c7e0858
DM		 1276my $rule_properties = {
1277 pos => {
1278 description => "Update rule at position <pos>.",
1279 type => 'integer',
1280 minimum => 0,
1281 optional => 1,
1282 },
c71e785f 1283 digest => get_standard_option('pve-config-digest'),
9c7e0858 1284 type => {
e50429af 1285 description => "Rule type.",
9c7e0858
DM		 1286 type => 'string',
1287 optional => 1,
1288 enum => ['in', 'out', 'group'],
1289 },
1290 action => {
c14dacdf 1291 description => "Rule action ('ACCEPT', 'DROP', 'REJECT') or security group name.",
9c7e0858
DM		 1292 type => 'string',
1293 optional => 1,
44be8ceb 1294 pattern => $security_group_name_pattern,
c14dacdf
DM		 1295 maxLength => 20,
1296 minLength => 2,
9c7e0858 1297 },
e5076eee 1298 macro => {
e50429af 1299 description => "Use predefined standard macro.",
e5076eee
DM		 1300 type => 'string',
1301 optional => 1,
54cd19a8 1302 maxLength => 128,
e5076eee 1303 },
fb060a52 1304 iface => get_standard_option('pve-iface', {
7ccaa5f1 1305 description => "Network interface name. You have to use network configuration key names for VMs and containers ('net\\d+'). Host related rules can use arbitrary strings.",
fb060a52
DM		 1306 optional => 1
1307 }),
9c7e0858 1308 source => {
fb060a52 1309 description => "Restrict packet source address. $addr_list_descr",
d31689ee 1310 type => 'string', format => 'pve-fw-addr-spec',
9c7e0858
DM		 1311 optional => 1,
1312 },
1313 dest => {
fb060a52 1314 description => "Restrict packet destination address. $addr_list_descr",
d31689ee 1315 type => 'string', format => 'pve-fw-addr-spec',
9c7e0858
DM		 1316 optional => 1,
1317 },
1318 proto => {
fb060a52 1319 description => "IP protocol. You can use protocol names ('tcp'/'udp') or simple numbers, as defined in '/etc/protocols'.",
54cd19a8 1320 type => 'string', format => 'pve-fw-protocol-spec',
9c7e0858
DM		 1321 optional => 1,
1322 },
1323 enable => {
e50429af 1324 description => "Flag to enable/disable a rule.",
72d055fc
AG		 1325 type => 'integer',
1326 minimum => 0,
9c7e0858
DM		 1327 optional => 1,
1328 },
1329 sport => {
fb060a52 1330 description => "Restrict TCP/UDP source port. $port_descr",
a1c04f71 1331 type => 'string', format => 'pve-fw-sport-spec',
9c7e0858
DM		 1332 optional => 1,
1333 },
1334 dport => {
fb060a52 1335 description => "Restrict TCP/UDP destination port. $port_descr",
a1c04f71 1336 type => 'string', format => 'pve-fw-dport-spec',
9c7e0858
DM		 1337 optional => 1,
1338 },
1339 comment => {
e50429af 1340 description => "Descriptive comment.",
9c7e0858
DM		 1341 type => 'string',
1342 optional => 1,
1343 },
1344};
1345
1346sub add_rule_properties {
1347 my ($properties) = @_;
1348
1349 foreach my $k (keys %$rule_properties) {
3655b01f
DM		 1350 my $h = $rule_properties->{$k};
1351 # copy data, so that we can modify later without side effects
1352 foreach my $opt (keys %$h) { $properties->{$k}->{$opt} = $h->{$opt}; }
9c7e0858 1353 }
cbb5d6f3 1354
9c7e0858
DM		 1355 return $properties;
1356}
1357
5b7974df
DM		 1358sub delete_rule_properties {
1359 my ($rule, $delete_str) = @_;
e34d0e58 1360
5b7974df
DM		 1361 foreach my $opt (PVE::Tools::split_list($delete_str)) {
1362 raise_param_exc({ 'delete' => "no such property ('$opt')"})
1363 if !defined($rule_properties->{$opt});
1364 raise_param_exc({ 'delete' => "unable to delete required property '$opt'"})
1365 if $opt eq 'type' || $opt eq 'action';
1366 delete $rule->{$opt};
1367 }
1368
1369 return $rule;
1370}
1371
9a2745a0 1372my $apply_macro = sub {
35d1d6da 1373 my ($macro_name, $param, $verify, $ipversion) = @_;
9a2745a0
DM		 1374
1375 my $macro_rules = $pve_fw_parsed_macros->{$macro_name};
1376 die "unknown macro '$macro_name'\n" if !$macro_rules; # should not happen
1377
35d1d6da
DM		 1378 if ($ipversion && ($ipversion == 6) && $pve_ipv6fw_macros->{$macro_name}) {
1379 $macro_rules = $pve_ipv6fw_macros->{$macro_name};
1380 }
1381
21a18e53 1382 # skip macros which are specific to another ipversion
ff5d050e
AG		 1383 if ($ipversion && (my $required = $pve_fw_macro_ipversion->{$macro_name})) {
1384 return if $ipversion != $required;
1385 }
21a18e53 1386
9a2745a0
DM		 1387 my $rules = [];
1388
1389 foreach my $templ (@$macro_rules) {
1390 my $rule = {};
1391 my $param_used = {};
1392 foreach my $k (keys %$templ) {
1393 my $v = $templ->{$k};
1394 if ($v eq 'PARAM') {
1395 $v = $param->{$k};
1396 $param_used->{$k} = 1;
1397 } elsif ($v eq 'DEST') {
1398 $v = $param->{dest};
1399 $param_used->{dest} = 1;
1400 } elsif ($v eq 'SOURCE') {
1401 $v = $param->{source};
1402 $param_used->{source} = 1;
1403 }
1404
1405 if (!defined($v)) {
1406 my $msg = "missing parameter '$k' in macro '$macro_name'";
e34d0e58 1407 raise_param_exc({ macro => $msg }) if $verify;
9a2745a0
DM		 1408 die "$msg\n";
1409 }
1410 $rule->{$k} = $v;
1411 }
1412 foreach my $k (keys %$param) {
1413 next if $k eq 'macro';
1414 next if !defined($param->{$k});
1415 next if $param_used->{$k};
1416 if (defined($rule->{$k})) {
1417 if ($rule->{$k} ne $param->{$k}) {
1418 my $msg = "parameter '$k' already define in macro (value = '$rule->{$k}')";
e34d0e58 1419 raise_param_exc({ $k => $msg }) if $verify;
9a2745a0
DM		 1420 die "$msg\n";
1421 }
1422 } else {
1423 $rule->{$k} = $param->{$k};
1424 }
1425 }
1426 push @$rules, $rule;
1427 }
1428
1429 return $rules;
1430};
1431
b6b8e6ad
DM		 1432my $rule_env_iface_lookup = {
1433 'ct' => 1,
1434 'vm' => 1,
1435 'group' => 0,
1436 'cluster' => 1,
1437 'host' => 1,
1438};
1439
7ca36671 1440sub verify_rule {
a523e057 1441 my ($rule, $cluster_conf, $fw_conf, $rule_env, $noerr) = @_;
b6b8e6ad
DM		 1442
1443 my $allow_groups = $rule_env eq 'group' ? 0 : 1;
bfc488f6 1444
b6b8e6ad
DM		 1445 my $allow_iface = $rule_env_iface_lookup->{$rule_env};
1446 die "unknown rule_env '$rule_env'\n" if !defined($allow_iface); # should not happen
7ca36671 1447
a523e057
DM		 1448 my $errors = $rule->{errors} || {};
1449
6d9246e7 1450 my $error_count = 0;
7ca36671 1451
6d9246e7
DM		 1452 my $add_error = sub {
1453 my ($param, $msg) = @_;
d4cda423 1454 chomp $msg;
6d9246e7
DM		 1455 raise_param_exc({ $param => $msg }) if !$noerr;
1456 $error_count++;
1457 $errors->{$param} = $msg if !$errors->{$param};
1458 };
1459
eea9d2a1
DM		 1460 my $ipversion;
1461 my $set_ip_version = sub {
1462 my $vers = shift;
1463 if ($vers) {
1464 die "detected mixed ipv4/ipv6 adresses in rule\n"
1465 if $ipversion && ($vers != $ipversion);
1466 $ipversion = $vers;
1467 }
1468 };
1469
a523e057 1470 my $check_ipset_or_alias_property = sub {
ae029a88 1471 my ($name, $expected_ipversion) = @_;
a523e057
DM		 1472
1473 if (my $value = $rule->{$name}) {
1474 if ($value =~ m/^\+/) {
4dfe04e6 1475 if ($value =~ m/^\+(${ipset_name_pattern})$/) {
bfc488f6 1476 &$add_error($name, "no such ipset '$1'")
a523e057 1477 if !($cluster_conf->{ipset}->{$1} || ($fw_conf && $fw_conf->{ipset}->{$1}));
bfc488f6 1478
a523e057 1479 } else {
351052d1 1480 &$add_error($name, "invalid ipset name '$value'");
a523e057
DM		 1481 }
1482 } elsif ($value =~ m/^${ip_alias_pattern}$/){
1483 my $alias = lc($value);
bfc488f6 1484 &$add_error($name, "no such alias '$value'")
70e524eb 1485 if !($cluster_conf->{aliases}->{$alias} || ($fw_conf && $fw_conf->{aliases}->{$alias}));
04f5088f 1486 my $e = $fw_conf ? $fw_conf->{aliases}->{$alias} : undef;
70e524eb
AD		 1487 $e = $cluster_conf->{aliases}->{$alias} if !$e && $cluster_conf;
1488
eea9d2a1 1489 &$set_ip_version($e->{ipversion});
a523e057
DM		 1490 }
1491 }
1492 };
1493
6d9246e7
DM		 1494 my $type = $rule->{type};
1495 my $action = $rule->{action};
bfc488f6 1496
6d9246e7
DM		 1497 &$add_error('type', "missing property") if !$type;
1498 &$add_error('action', "missing property") if !$action;
1499
1500 if ($type) {
1501 if ($type eq 'in' || $type eq 'out') {
1502 &$add_error('action', "unknown action '$action'")
1503 if $action && ($action !~ m/^(ACCEPT|DROP|REJECT)$/);
1504 } elsif ($type eq 'group') {
1505 &$add_error('type', "security groups not allowed")
1506 if !$allow_groups;
1507 &$add_error('action', "invalid characters in security group name")
1508 if $action && ($action !~ m/^${security_group_name_pattern}$/);
1509 } else {
1510 &$add_error('type', "unknown rule type '$type'");
1511 }
7ca36671 1512 }
e34d0e58 1513
dba740a9 1514 if ($rule->{iface}) {
bfc488f6 1515 &$add_error('type', "parameter -i not allowed for this rule type")
b6b8e6ad 1516 if !$allow_iface;
dba740a9 1517 eval { PVE::JSONSchema::pve_verify_iface($rule->{iface}); };
6d9246e7 1518 &$add_error('iface', $@) if $@;
fdefeeab 1519 if ($rule_env eq 'vm' || $rule_env eq 'ct') {
b6b8e6ad
DM		 1520 &$add_error('iface', "value does not match the regex pattern 'net\\d+'")
1521 if $rule->{iface} !~ m/^net(\d+)$/;
b6b8e6ad
DM		 1522 }
1523 }
7ca36671
DM		 1524
1525 if ($rule->{macro}) {
6d9246e7
DM		 1526 if (my $preferred_name = $pve_fw_preferred_macro_names->{lc($rule->{macro})}) {
1527 $rule->{macro} = $preferred_name;
1528 } else {
1529 &$add_error('macro', "unknown macro '$rule->{macro}'");
1530 }
1531 }
1532
1533 if ($rule->{proto}) {
1534 eval { pve_fw_verify_protocol_spec($rule->{proto}); };
1535 &$add_error('proto', $@) if $@;
041b9277
DM		 1536 &$set_ip_version(4) if $rule->{proto} eq 'icmp';
1537 &$set_ip_version(6) if $rule->{proto} eq 'icmpv6';
6d9246e7 1538 }
7ca36671
DM		 1539
1540 if ($rule->{dport}) {
a1c04f71 1541 eval { parse_port_name_number_or_range($rule->{dport}, 1); };
6d9246e7 1542 &$add_error('dport', $@) if $@;
48e3963e 1543 my $proto = $rule->{proto};
6d9246e7 1544 &$add_error('proto', "missing property - 'dport' requires this property")
48e3963e
WB		 1545 if !$proto;
1546 &$add_error('dport', "protocol '$proto' does not support ports")
1547 if !$PROTOCOLS_WITH_PORTS->{$proto} &&
1548 $proto ne 'icmp' && $proto ne 'icmpv6'; # special cases
6d9246e7 1549 }
7ca36671
DM		 1550
1551 if ($rule->{sport}) {
a1c04f71 1552 eval { parse_port_name_number_or_range($rule->{sport}, 0); };
6d9246e7 1553 &$add_error('sport', $@) if $@;
48e3963e 1554 my $proto = $rule->{proto};
6d9246e7 1555 &$add_error('proto', "missing property - 'sport' requires this property")
48e3963e
WB		 1556 if !$proto;
1557 &$add_error('sport', "protocol '$proto' does not support ports")
1558 if !$PROTOCOLS_WITH_PORTS->{$proto};
7ca36671
DM		 1559 }
1560
1561 if ($rule->{source}) {
041b9277
DM		 1562 eval {
1563 my $source_ipversion = parse_address_list($rule->{source});
1564 &$set_ip_version($source_ipversion);
1565 };
6d9246e7 1566 &$add_error('source', $@) if $@;
ae029a88 1567 &$check_ipset_or_alias_property('source', $ipversion);
7ca36671
DM		 1568 }
1569
1570 if ($rule->{dest}) {
9e2205e5
DM		 1571 eval {
1572 my $dest_ipversion = parse_address_list($rule->{dest});
041b9277 1573 &$set_ip_version($dest_ipversion);
9e2205e5 1574 };
6d9246e7 1575 &$add_error('dest', $@) if $@;
ae029a88 1576 &$check_ipset_or_alias_property('dest', $ipversion);
7ca36671
DM		 1577 }
1578
35d1d6da
DM		 1579 $rule->{ipversion} = $ipversion if $ipversion;
1580
a523e057 1581 if ($rule->{macro} && !$error_count) {
35d1d6da 1582 eval { &$apply_macro($rule->{macro}, $rule, 1, $ipversion); };
6d9246e7
DM		 1583 if (my $err = $@) {
1584 if (ref($err) eq "PVE::Exception" && $err->{errors}) {
1585 my $eh = $err->{errors};
1586 foreach my $p (keys %$eh) {
1587 &$add_error($p, $eh->{$p});
1588 }
1589 } else {
1590 &$add_error('macro', "$err");
1591 }
1592 }
9a2745a0
DM		 1593 }
1594
6d9246e7
DM		 1595 $rule->{errors} = $errors if $error_count;
1596
7ca36671
DM		 1597 return $rule;
1598}
1599
9c7e0858
DM		 1600sub copy_rule_data {
1601 my ($rule, $param) = @_;
1602
1603 foreach my $k (keys %$rule_properties) {
1604 if (defined(my $v = $param->{$k})) {
1605 if ($v eq '' || $v eq '-') {
1606 delete $rule->{$k};
1607 } else {
1608 $rule->{$k} = $v;
1609 }
9c7e0858
DM		 1610 }
1611 }
7ca36671 1612
9c7e0858
DM		 1613 return $rule;
1614}
1615
9f6845cf
DM		 1616sub rules_modify_permissions {
1617 my ($rule_env) = @_;
1618
1619 if ($rule_env eq 'host') {
1620 return {
1621 check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
1622 };
1623 } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') {
1624 return {
1625 check => ['perm', '/', [ 'Sys.Modify' ]],
1626 };
3b4882dc 1627 } elsif ($rule_env eq 'vm' || $rule_env eq 'ct') {
9f6845cf
DM		 1628 return {
1629 check => ['perm', '/vms/{vmid}', [ 'VM.Config.Network' ]],
1630 }
1631 }
1632
1633 return undef;
1634}
1635
1636sub rules_audit_permissions {
1637 my ($rule_env) = @_;
1638
1639 if ($rule_env eq 'host') {
1640 return {
1641 check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]],
1642 };
1643 } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') {
1644 return {
1645 check => ['perm', '/', [ 'Sys.Audit' ]],
1646 };
3b4882dc 1647 } elsif ($rule_env eq 'vm' || $rule_env eq 'ct') {
9f6845cf
DM		 1648 return {
1649 check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
1650 }
1651 }
1652
1653 return undef;
1654}
1655
9c7e0858 1656# core functions
780bcc0f
DM		 1657my $bridge_firewall_enabled = 0;
1658
1659sub enable_bridge_firewall {
1660
1661 return if $bridge_firewall_enabled; # only once
1662
5f0a912c
DM		 1663 PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-iptables", "1");
1664 PVE::ProcFSTools::write_proc_entry("/proc/sys/net/bridge/bridge-nf-call-ip6tables", "1");
780bcc0f 1665
6a8a75db
DM		 1666 # make sure syncookies are enabled (which is default on newer 3.X kernels anyways)
1667 PVE::ProcFSTools::write_proc_entry("/proc/sys/net/ipv4/tcp_syncookies", "1");
1668
780bcc0f
DM		 1669 $bridge_firewall_enabled = 1;
1670}
1671
b16e818e
DM		 1672sub iptables_restore_cmdlist {
1673 my ($cmdlist) = @_;
3a616aa0 1674
59f9b456 1675 run_command("/sbin/iptables-restore -n", input => $cmdlist, errmsg => "iptables_restore_cmdlist");
3a616aa0
AD		 1676}
1677
17da5c0f
AD		 1678sub ip6tables_restore_cmdlist {
1679 my ($cmdlist) = @_;
1680
59f9b456 1681 run_command("/sbin/ip6tables-restore -n", input => $cmdlist, errmsg => "iptables_restore_cmdlist");
17da5c0f
AD		 1682}
1683
34cdedfa
AD		 1684sub ipset_restore_cmdlist {
1685 my ($cmdlist) = @_;
1686
ff5363da 1687 run_command("/sbin/ipset restore", input => $cmdlist, errmsg => "ipset_restore_cmdlist");
34cdedfa
AD		 1688}
1689
de2a57cd 1690sub iptables_get_chains {
17da5c0f
AD		 1691 my ($iptablescmd) = @_;
1692
1693 $iptablescmd = "iptables" if !$iptablescmd;
de2a57cd
DM		 1694
1695 my $res = {};
1696
1697 # check what chains we want to track
1698 my $is_pvefw_chain = sub {
1699 my $name = shift;
1700
dec84fcd
DM		 1701 return 1 if $name =~ m/^PVEFW-\S+$/;
1702
a3ded5cd 1703 return 1 if $name =~ m/^tap\d+i\d+-(?:IN|OUT)$/;
954f24b1 1704
a3ded5cd 1705 return 1 if $name =~ m/^veth\d+i\d+-(?:IN|OUT)$/;
954f24b1 1706
a3ded5cd 1707 return 1 if $name =~ m/^fwbr\d+(v\d+)?-(?:FW|IN|OUT|IPS)$/;
a89dfcc6 1708 return 1 if $name =~ m/^GROUP-(?:$security_group_name_pattern)-(?:IN|OUT)$/;
de2a57cd
DM		 1709
1710 return undef;
1711 };
1712
1713 my $table = '';
1714
c4a2e5ae
DM		 1715 my $hooks = {};
1716
de2a57cd
DM		 1717 my $parser = sub {
1718 my $line = shift;
1719
1720 return if $line =~ m/^#/;
1721 return if $line =~ m/^\s*$/;
1722
1723 if ($line =~ m/^\*(\S+)$/) {
1724 $table = $1;
1725 return;
1726 }
1727
1728 return if $table ne 'filter';
1729
1730 if ($line =~ m/^:(\S+)\s/) {
1731 my $chain = $1;
1732 return if !&$is_pvefw_chain($chain);
3fa83edf 1733 $res->{$chain} = "unknown";
09d5f68e 1734 } elsif ($line =~ m/^-A\s+(\S+)\s.*--comment\s+\"PVESIG:(\S+)\"/) {
3fa83edf 1735 my ($chain, $sig) = ($1, $2);
de2a57cd 1736 return if !&$is_pvefw_chain($chain);
3fa83edf 1737 $res->{$chain} = $sig;
c4a2e5ae
DM		 1738 } elsif ($line =~ m/^-A\s+(INPUT|OUTPUT|FORWARD)\s+-j\s+PVEFW-\1$/) {
1739 $hooks->{$1} = 1;
de2a57cd
DM		 1740 } else {
1741 # simply ignore the rest
1742 return;
1743 }
1744 };
1745
17da5c0f 1746 run_command("/sbin/$iptablescmd-save", outfunc => $parser);
de2a57cd 1747
c4a2e5ae 1748 return wantarray ? ($res, $hooks) : $res;
de2a57cd
DM		 1749}
1750
9bf7d929
DM		 1751sub iptables_chain_digest {
1752 my ($rules) = @_;
1753 my $digest = Digest::SHA->new('sha1');
1754 foreach my $rule (@$rules) { # order is important
1755 $digest->add($rule);
1756 }
1757 return $digest->b64digest;
1758}
1759
3f95d14a
DM		 1760sub ipset_chain_digest {
1761 my ($rules) = @_;
4bd0a9c4 1762
3f95d14a
DM		 1763 my $digest = Digest::SHA->new('sha1');
1764 foreach my $rule (sort @$rules) { # note: sorted
1765 $digest->add($rule);
1766 }
1767 return $digest->b64digest;
1768}
1769
34cdedfa
AD		 1770sub ipset_get_chains {
1771
1772 my $res = {};
1773 my $chains = {};
1774
1775 my $parser = sub {
1776 my $line = shift;
1777
1778 return if $line =~ m/^#/;
1779 return if $line =~ m/^\s*$/;
4b96e877 1780 if ($line =~ m/^(?:\S+)\s(PVEFW-\S+)\s(?:\S+).*/) {
81a0bf43
DM		 1781 my $chain = $1;
1782 $line =~ s/\s+$//; # delete trailing white space
1783 push @{$chains->{$chain}}, $line;
34cdedfa
AD		 1784 } else {
1785 # simply ignore the rest
1786 return;
1787 }
1788 };
1789
ff5363da 1790 run_command("/sbin/ipset save", outfunc => $parser);
34cdedfa 1791
3f95d14a
DM		 1792 # compute digest for each chain
1793 foreach my $chain (keys %$chains) {
1794 $res->{$chain} = ipset_chain_digest($chains->{$chain});
34cdedfa
AD		 1795 }
1796
1797 return $res;
1798}
1799
1e9c5070 1800sub ruleset_generate_match {
88c26d5e 1801 my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_;
3a616aa0 1802
00bb4391 1803 return if defined($rule->{enable}) && !$rule->{enable};
6d9246e7 1804 return if $rule->{errors};
11bac5c2 1805
044409e5
TW		 1806 return $rule->{match} if defined $rule->{match};
1807
e5076eee
DM		 1808 die "unable to emit macro - internal error" if $rule->{macro}; # should not happen
1809
a1c04f71
WB		 1810 my $nbdport = defined($rule->{dport}) ? parse_port_name_number_or_range($rule->{dport}, 1) : 0;
1811 my $nbsport = defined($rule->{sport}) ? parse_port_name_number_or_range($rule->{sport}, 0) : 0;
e5076eee 1812
41524a58 1813 my @cmd = ();
3a616aa0 1814
eba0fb64
DM		 1815 push @cmd, "-i $rule->{iface_in}" if $rule->{iface_in};
1816 push @cmd, "-o $rule->{iface_out}" if $rule->{iface_out};
1817
ba791b1f
AD		 1818 my $source = $rule->{source};
1819 my $dest = $rule->{dest};
1820
cbb5d6f3 1821 if ($source) {
44be8ceb 1822 if ($source =~ m/^\+/) {
4dfe04e6 1823 if ($source =~ m/^\+(${ipset_name_pattern})$/) {
e523d2bb
DM		 1824 my $name = $1;
1825 if ($fw_conf && $fw_conf->{ipset}->{$name}) {
88c26d5e 1826 my $ipset_chain = compute_ipset_chain_name($fw_conf->{vmid}, $name, $ipversion);
708ba714 1827 push @cmd, "-m set --match-set ${ipset_chain} src";
e523d2bb 1828 } elsif ($cluster_conf && $cluster_conf->{ipset}->{$name}) {
88c26d5e 1829 my $ipset_chain = compute_ipset_chain_name(0, $name, $ipversion);
708ba714 1830 push @cmd, "-m set --match-set ${ipset_chain} src";
e523d2bb
DM		 1831 } else {
1832 die "no such ipset '$name'\n";
1833 }
44be8ceb
DM		 1834 } else {
1835 die "invalid security group name '$source'\n";
1836 }
1837 } elsif ($source =~ m/^${ip_alias_pattern}$/){
81d574a7 1838 my $alias = lc($source);
04f5088f 1839 my $e = $fw_conf ? $fw_conf->{aliases}->{$alias} : undef;
e523d2bb
DM		 1840 $e = $cluster_conf->{aliases}->{$alias} if !$e && $cluster_conf;
1841 die "no such alias '$source'\n" if !$e;
81d574a7 1842 push @cmd, "-s $e->{cidr}";
ac8242cc 1843 } elsif ($source =~ m/\-/){
ba791b1f 1844 push @cmd, "-m iprange --src-range $source";
cbb5d6f3 1845 } else {
ba791b1f
AD		 1846 push @cmd, "-s $source";
1847 }
1848 }
1849
cbb5d6f3 1850 if ($dest) {
44be8ceb 1851 if ($dest =~ m/^\+/) {
4dfe04e6 1852 if ($dest =~ m/^\+(${ipset_name_pattern})$/) {
e523d2bb
DM		 1853 my $name = $1;
1854 if ($fw_conf && $fw_conf->{ipset}->{$name}) {
88c26d5e 1855 my $ipset_chain = compute_ipset_chain_name($fw_conf->{vmid}, $name, $ipversion);
ac4580a0 1856 push @cmd, "-m set --match-set ${ipset_chain} dst";
e523d2bb 1857 } elsif ($cluster_conf && $cluster_conf->{ipset}->{$name}) {
88c26d5e 1858 my $ipset_chain = compute_ipset_chain_name(0, $name, $ipversion);
708ba714 1859 push @cmd, "-m set --match-set ${ipset_chain} dst";
e523d2bb
DM		 1860 } else {
1861 die "no such ipset '$name'\n";
1862 }
44be8ceb
DM		 1863 } else {
1864 die "invalid security group name '$dest'\n";
1865 }
1866 } elsif ($dest =~ m/^${ip_alias_pattern}$/){
51b40846 1867 my $alias = lc($dest);
04f5088f 1868 my $e = $fw_conf ? $fw_conf->{aliases}->{$alias} : undef;
e523d2bb
DM		 1869 $e = $cluster_conf->{aliases}->{$alias} if !$e && $cluster_conf;
1870 die "no such alias '$dest'\n" if !$e;
81d574a7 1871 push @cmd, "-d $e->{cidr}";
cbb5d6f3 1872 } elsif ($dest =~ m/^(\d+)\.(\d+).(\d+).(\d+)\-(\d+)\.(\d+).(\d+).(\d+)$/){
ba791b1f 1873 push @cmd, "-m iprange --dst-range $dest";
cbb5d6f3 1874 } else {
d6d2a385 1875 push @cmd, "-d $dest";
ba791b1f
AD		 1876 }
1877 }
4b586518 1878
95e35949
WB		 1879 if (my $proto = $rule->{proto}) {
1880 push @cmd, "-p $proto";
e3a1d391 1881
181390b0 1882 my $multiport = 0;
e5076eee
DM		 1883 $multiport++ if $nbdport > 1;
1884 $multiport++ if $nbsport > 1;
e3a1d391 1885
41524a58 1886 push @cmd, "--match multiport" if $multiport;
4b586518 1887
cbb5d6f3 1888 die "multiport: option '--sports' cannot be used together with '--dports'\n"
181390b0
DM		 1889 if ($multiport == 2) && ($rule->{dport} ne $rule->{sport});
1890
1891 if ($rule->{dport}) {
95e35949 1892 if ($proto eq 'icmp') {
181390b0 1893 # Note: we use dport to store --icmp-type
9bd7a4b3
WB		 1894 die "unknown icmp-type '$rule->{dport}'\n"
1895 if $rule->{dport} !~ /^\d+$/ && !defined($icmp_type_names->{$rule->{dport}});
41524a58 1896 push @cmd, "-m icmp --icmp-type $rule->{dport}";
95e35949 1897 } elsif ($proto eq 'icmpv6') {
041b9277 1898 # Note: we use dport to store --icmpv6-type
9bd7a4b3
WB		 1899 die "unknown icmpv6-type '$rule->{dport}'\n"
1900 if $rule->{dport} !~ /^\d+$/ && !defined($icmpv6_type_names->{$rule->{dport}});
041b9277 1901 push @cmd, "-m icmpv6 --icmpv6-type $rule->{dport}";
48e3963e
WB		 1902 } elsif (!$PROTOCOLS_WITH_PORTS->{$proto}) {
1903 die "protocol $proto does not have ports\n";
181390b0 1904 } else {
e5076eee 1905 if ($nbdport > 1) {
181390b0 1906 if ($multiport == 2) {
41524a58 1907 push @cmd, "--ports $rule->{dport}";
181390b0 1908 } else {
41524a58 1909 push @cmd, "--dports $rule->{dport}";
181390b0 1910 }
e3a1d391 1911 } else {
41524a58 1912 push @cmd, "--dport $rule->{dport}";
e3a1d391 1913 }
4b586518
DM		 1914 }
1915 }
4b586518 1916
181390b0 1917 if ($rule->{sport}) {
48e3963e
WB		 1918 die "protocol $proto does not have ports\n"
1919 if !$PROTOCOLS_WITH_PORTS->{$proto};
e5076eee 1920 if ($nbsport > 1) {
41524a58 1921 push @cmd, "--sports $rule->{sport}" if $multiport != 2;
181390b0 1922 } else {
41524a58 1923 push @cmd, "--sport $rule->{sport}";
181390b0 1924 }
4b586518 1925 }
181390b0 1926 } elsif ($rule->{dport} || $rule->{sport}) {
93d96f83
DM		 1927 die "destination port '$rule->{dport}', but no protocol specified\n" if $rule->{dport};
1928 die "source port '$rule->{sport}', but no protocol specified\n" if $rule->{sport};
4b586518
DM		 1929 }
1930
41524a58 1931 push @cmd, "-m addrtype --dst-type $rule->{dsttype}" if $rule->{dsttype};
4e6112f9 1932
1e9c5070
TW		 1933 return scalar(@cmd) ? join(' ', @cmd) : undef;
1934}
1935
1936sub ruleset_generate_action {
1937 my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_;
1938
044409e5
TW		 1939 return $rule->{target} if defined $rule->{target};
1940
1e9c5070
TW		 1941 my @cmd = ();
1942
4e6112f9 1943 if (my $action = $rule->{action}) {
cbb5d6f3 1944 $action = $actions->{$action} if defined($actions->{$action});
4e6112f9 1945 $goto = 1 if !defined($goto) && $action eq 'PVEFW-SET-ACCEPT-MARK';
41524a58 1946 push @cmd, $goto ? "-g $action" : "-j $action";
181390b0 1947 }
3a616aa0 1948
eba0fb64
DM		 1949 return scalar(@cmd) ? join(' ', @cmd) : undef;
1950}
1951
1e9c5070
TW		 1952sub ruleset_generate_cmdstr {
1953 my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_;
1954 my $match = ruleset_generate_match($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf);
1955 my $action = ruleset_generate_action($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf);
1956
1957 return undef if !(defined($match) or defined($action));
1958 my $ret = defined($match) ? $match : "";
1959 $ret = "$ret $action" if defined($action);
1960 return $ret;
1961}
1962
eba0fb64 1963sub ruleset_generate_rule {
88c26d5e 1964 my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_;
eba0fb64 1965
e5076eee
DM		 1966 my $rules;
1967
1968 if ($rule->{macro}) {
35d1d6da 1969 $rules = &$apply_macro($rule->{macro}, $rule, 0, $ipversion);
e5076eee
DM		 1970 } else {
1971 $rules = [ $rule ];
1972 }
1973
d4091b82
DM		 1974 # update all or nothing
1975
044409e5 1976 # fixme: lots of temporary ugliness
1e9c5070
TW		 1977 my @mstrs = ();
1978 my @astrs = ();
044409e5
TW		 1979 my @logging = ();
1980 my @logmsg = ();
cbb5d6f3 1981 foreach my $tmp (@$rules) {
1e9c5070
TW		 1982 my $m = ruleset_generate_match($ruleset, $chain, $ipversion, $tmp, $actions, $goto, $cluster_conf, $fw_conf);
1983 my $a = ruleset_generate_action($ruleset, $chain, $ipversion, $tmp, $actions, $goto, $cluster_conf, $fw_conf);
1984 if (defined $m or defined $a) {
1985 push @mstrs, defined($m) ? $m : "";
1986 push @astrs, defined($a) ? $a : "";
044409e5
TW		 1987 push @logging, $tmp->{log};
1988 push @logmsg, $tmp->{logmsg};
e5076eee 1989 }
41524a58 1990 }
d4091b82 1991
1e9c5070 1992 for my $i (0 .. $#mstrs) {
044409e5 1993 ruleset_addrule($ruleset, $chain, $mstrs[$i], $astrs[$i], $logging[$i], $logmsg[$i]);
d4091b82 1994 }
3fa83edf 1995}
0f168d7b 1996
eba0fb64 1997sub ruleset_generate_rule_insert {
88c26d5e 1998 my ($ruleset, $chain, $ipversion, $rule, $actions, $goto) = @_;
eba0fb64 1999
e5076eee
DM		 2000 die "implement me" if $rule->{macro}; # not implemented, because not needed so far
2001
1e9c5070
TW		 2002 my $match = ruleset_generate_match($ruleset, $chain, $ipversion, $rule, $actions, $goto);
2003 my $action = ruleset_generate_action($ruleset, $chain, $ipversion, $rule, $actions, $goto);
2004 if (defined $match && defined $action) {
2005 ruleset_insertrule($ruleset, $chain, $match, $action);
eba0fb64
DM		 2006 }
2007}
3fa83edf
DM		 2008
2009sub ruleset_create_chain {
2010 my ($ruleset, $chain) = @_;
3a616aa0 2011
d050c724 2012 die "Invalid chain name '$chain' (28 char max)\n" if length($chain) > 28;
782c4cde 2013 die "chain name may not contain collons\n" if $chain =~ m/:/; # because of log format
d050c724 2014
3fa83edf
DM		 2015 die "chain '$chain' already exists\n" if $ruleset->{$chain};
2016
2017 $ruleset->{$chain} = [];
3a616aa0
AD		 2018}
2019
3fa83edf
DM		 2020sub ruleset_chain_exist {
2021 my ($ruleset, $chain) = @_;
3a616aa0 2022
3fa83edf
DM		 2023 return $ruleset->{$chain} ? 1 : undef;
2024}
3a616aa0 2025
1e9c5070 2026sub ruleset_addrule {
7f7930f8 2027 my ($ruleset, $chain, $match, $action, $log, $logmsg, $vmid) = @_;
1e9c5070
TW		 2028
2029 die "no such chain '$chain'\n" if !$ruleset->{$chain};
2030
7f7930f8
TW		 2031 if (defined($log) && $log) {
2032 my $logaction = get_log_rule_base($chain, $vmid, $logmsg, $log);
2033 push @{$ruleset->{$chain}}, "-A $chain $match $logaction";
2034 }
1e9c5070
TW		 2035 push @{$ruleset->{$chain}}, "-A $chain $match $action";
2036}
2037
3fa83edf 2038sub ruleset_insertrule {
1e9c5070 2039 my ($ruleset, $chain, $match, $action, $log) = @_;
3a616aa0 2040
3fa83edf 2041 die "no such chain '$chain'\n" if !$ruleset->{$chain};
3a616aa0 2042
1e9c5070 2043 unshift @{$ruleset->{$chain}}, "-A $chain $match $action";
3fa83edf 2044}
3a616aa0 2045
782c4cde
DM		 2046sub get_log_rule_base {
2047 my ($chain, $vmid, $msg, $loglevel) = @_;
cbb5d6f3 2048
782c4cde 2049 $vmid = 0 if !defined($vmid);
7f7930f8 2050 $msg = "" if !defined($msg);
782c4cde 2051
cbb5d6f3 2052 # Note: we use special format for prefix to pass further
7f7930f8 2053 # info to log daemon (VMID, LOGLEVEL and CHAIN)
782c4cde
DM		 2054
2055 return "-j NFLOG --nflog-prefix \":$vmid:$loglevel:$chain: $msg\"";
2056}
2057
ead850e8 2058sub ruleset_add_chain_policy {
88c26d5e 2059 my ($ruleset, $chain, $ipversion, $vmid, $policy, $loglevel, $accept_action) = @_;
ead850e8
DM		 2060
2061 if ($policy eq 'ACCEPT') {
2062
88c26d5e 2063 ruleset_generate_rule($ruleset, $chain, $ipversion, { action => 'ACCEPT' },
ead850e8
DM		 2064 { ACCEPT => $accept_action});
2065
2066 } elsif ($policy eq 'DROP') {
2067
1e9c5070 2068 ruleset_addrule($ruleset, $chain, "", "-j PVEFW-Drop");
ead850e8 2069
7f7930f8 2070 ruleset_addrule($ruleset, $chain, "", "-j DROP", $loglevel, "policy $policy: ", $vmid);
ead850e8 2071 } elsif ($policy eq 'REJECT') {
1e9c5070 2072 ruleset_addrule($ruleset, $chain, "", "-j PVEFW-Reject");
ead850e8 2073
7f7930f8 2074 ruleset_addrule($ruleset, $chain, "", "-g PVEFW-reject", $loglevel, "policy $policy:", $vmid);
ead850e8
DM		 2075 } else {
2076 # should not happen
2077 die "internal error: unknown policy '$policy'";
2078 }
2079}
2080
a83abe93 2081sub ruleset_chain_add_ndp {
e8415920 2082 my ($ruleset, $chain, $ipversion, $options, $direction, $accept) = @_;
a83abe93
WB		 2083 return if $ipversion != 6 || (defined($options->{ndp}) && !$options->{ndp});
2084
1e9c5070 2085 ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type router-solicitation", $accept);
d7aa51ac 2086 if ($direction ne 'OUT' || $options->{radv}) {
1e9c5070 2087 ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type router-advertisement", $accept);
d7aa51ac 2088 }
1e9c5070
TW		 2089 ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type neighbor-solicitation", $accept);
2090 ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type neighbor-advertisement", $accept);
a83abe93
WB		 2091}
2092
e2943485
DM		 2093sub ruleset_chain_add_conn_filters {
2094 my ($ruleset, $chain, $accept) = @_;
2095
1e9c5070
TW		 2096 ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID", "-j DROP");
2097 ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED", "-j $accept");
e2943485
DM		 2098}
2099
2100sub ruleset_chain_add_input_filters {
88c26d5e 2101 my ($ruleset, $chain, $ipversion, $options, $cluster_conf, $loglevel) = @_;
2428e394
AD		 2102
2103 if ($cluster_conf->{ipset}->{blacklist}){
b5831a0d
AD		 2104 if (!ruleset_chain_exist($ruleset, "PVEFW-blacklist")) {
2105 ruleset_create_chain($ruleset, "PVEFW-blacklist");
7f7930f8 2106 ruleset_addrule($ruleset, "PVEFW-blacklist", "", "-j DROP", $loglevel, "DROP: ");
b5831a0d 2107 }
88c26d5e 2108 my $ipset_chain = compute_ipset_chain_name(0, 'blacklist', $ipversion);
1e9c5070 2109 ruleset_addrule($ruleset, $chain, "-m set --match-set ${ipset_chain} src", "-j PVEFW-blacklist");
2428e394 2110 }
e2943485
DM		 2111
2112 if (!(defined($options->{nosmurfs}) && $options->{nosmurfs} == 0)) {
5b5c42b1 2113 if ($ipversion == 4) {
1e9c5070 2114 ruleset_addrule($ruleset, $chain, "-m conntrack --ctstate INVALID,NEW", "-j PVEFW-smurfs");
5b5c42b1 2115 }
e2943485
DM		 2116 }
2117
2118 if ($options->{tcpflags}) {
1e9c5070 2119 ruleset_addrule($ruleset, $chain, "-p tcp", "-j PVEFW-tcpflags");
e2943485
DM		 2120 }
2121}
2122
9e15114a 2123sub ruleset_create_vm_chain {
88c26d5e 2124 my ($ruleset, $chain, $ipversion, $options, $macaddr, $ipfilter_ipset, $direction) = @_;
3a616aa0 2125
9e15114a 2126 ruleset_create_chain($ruleset, $chain);
b47ecc88 2127 my $accept = generate_nfqueue($options);
3a616aa0 2128
ce15d90b 2129 if (!(defined($options->{dhcp}) && $options->{dhcp} == 0)) {
dcafc5fb
WB		 2130 if ($ipversion == 4) {
2131 if ($direction eq 'OUT') {
2132 ruleset_generate_rule($ruleset, $chain, $ipversion,
2133 { action => 'PVEFW-SET-ACCEPT-MARK',
2134 proto => 'udp', sport => 68, dport => 67 });
2135 } else {
2136 ruleset_generate_rule($ruleset, $chain, $ipversion,
2137 { action => 'ACCEPT',
2138 proto => 'udp', sport => 67, dport => 68 });
2139 }
2140 } elsif ($ipversion == 6) {
2141 if ($direction eq 'OUT') {
2142 ruleset_generate_rule($ruleset, $chain, $ipversion,
2143 { action => 'PVEFW-SET-ACCEPT-MARK',
2144 proto => 'udp', sport => 546, dport => 547 });
2145 } else {
2146 ruleset_generate_rule($ruleset, $chain, $ipversion,
2147 { action => 'ACCEPT',
2148 proto => 'udp', sport => 547, dport => 546 });
2149 }
76a2d1e7 2150 }
dcafc5fb 2151
ce15d90b
DM		 2152 }
2153
b21aca2c
DM		 2154 if ($direction eq 'OUT') {
2155 if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
1e9c5070 2156 ruleset_addrule($ruleset, $chain, "-m mac ! --mac-source $macaddr", "-j DROP");
b21aca2c 2157 }
d7aa51ac 2158 if ($ipversion == 6 && !$options->{radv}) {
1e9c5070 2159 ruleset_addrule($ruleset, $chain, "-p icmpv6 --icmpv6-type router-advertisement", "-j DROP");
d7aa51ac 2160 }
808d711d 2161 if ($ipfilter_ipset) {
1e9c5070 2162 ruleset_addrule($ruleset, $chain, "-m set ! --match-set $ipfilter_ipset src", "-j DROP");
808d711d 2163 }
1e9c5070 2164 ruleset_addrule($ruleset, $chain, "", "-j MARK --set-mark $FWACCEPTMARK_OFF"); # clear mark
c29f55c9 2165 }
e8415920
WB		 2166
2167 my $accept_action = $direction eq 'OUT' ? '-g PVEFW-SET-ACCEPT-MARK' : "-j $accept";
2168 ruleset_chain_add_ndp($ruleset, $chain, $ipversion, $options, $direction, $accept_action);
9e15114a
DM		 2169}
2170
4bc6b5ac 2171sub ruleset_add_group_rule {
aedde2c2 2172 my ($ruleset, $cluster_conf, $chain, $rule, $direction, $action, $ipversion) = @_;
4bc6b5ac
DM		 2173
2174 my $group = $rule->{action};
2175 my $group_chain = "GROUP-$group-$direction";
2176 if(!ruleset_chain_exist($ruleset, $group_chain)){
aedde2c2 2177 generate_group_rules($ruleset, $cluster_conf, $group, $ipversion);
4bc6b5ac 2178 }
bfc488f6 2179
f8b12fff 2180 if ($direction eq 'OUT' && $rule->{iface_out}) {
1e9c5070 2181 ruleset_addrule($ruleset, $chain, "-o $rule->{iface_out}", "-j $group_chain");
f8b12fff 2182 } elsif ($direction eq 'IN' && $rule->{iface_in}) {
1e9c5070 2183 ruleset_addrule($ruleset, $chain, "-i $rule->{iface_in}", "-j $group_chain");
4bc6b5ac 2184 } else {
1e9c5070 2185 ruleset_addrule($ruleset, $chain, "", "-j $group_chain");
4bc6b5ac
DM		 2186 }
2187
1e9c5070 2188 ruleset_addrule($ruleset, $chain, "-m mark --mark $FWACCEPTMARK_ON", "-j $action");
4bc6b5ac
DM		 2189}
2190
9e15114a 2191sub ruleset_generate_vm_rules {
84870b1a 2192 my ($ruleset, $rules, $cluster_conf, $vmfw_conf, $chain, $netid, $direction, $options, $ipversion) = @_;
9e15114a
DM		 2193
2194 my $lc_direction = lc($direction);
c29f55c9 2195
6b8ca015
DM		 2196 my $in_accept = generate_nfqueue($options);
2197
92e976b3
DM		 2198 foreach my $rule (@$rules) {
2199 next if $rule->{iface} && $rule->{iface} ne $netid;
b7ab6989 2200 next if !$rule->{enable} || $rule->{errors};
006490cb 2201 next if $rule->{ipversion} && ($rule->{ipversion} != $ipversion);
84870b1a 2202
92e976b3 2203 if ($rule->{type} eq 'group') {
4bc6b5ac 2204 ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, $direction,
aedde2c2 2205 $direction eq 'OUT' ? 'RETURN' : $in_accept, $ipversion);
92e976b3
DM		 2206 } else {
2207 next if $rule->{type} ne $lc_direction;
921dfb33
DM		 2208 eval {
2209 if ($direction eq 'OUT') {
88c26d5e 2210 ruleset_generate_rule($ruleset, $chain, $ipversion, $rule,
e34d0e58 2211 { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" },
e523d2bb 2212 undef, $cluster_conf, $vmfw_conf);
921dfb33 2213 } else {
88c26d5e 2214 ruleset_generate_rule($ruleset, $chain, $ipversion, $rule,
e34d0e58 2215 { ACCEPT => $in_accept , REJECT => "PVEFW-reject" },
e523d2bb 2216 undef, $cluster_conf, $vmfw_conf);
921dfb33
DM		 2217 }
2218 };
2219 warn $@ if $@;
4e6112f9 2220 }
3a616aa0 2221 }
9e15114a
DM		 2222}
2223
b47ecc88
AD		 2224sub generate_nfqueue {
2225 my ($options) = @_;
2226
73089769
DM		 2227 if ($options->{ips}) {
2228 my $action = "NFQUEUE";
2229 if ($options->{ips_queues} && $options->{ips_queues} =~ m/^(\d+)(:(\d+))?$/) {
2230 if (defined($3) && defined($1)) {
b47ecc88 2231 $action .= " --queue-balance $1:$3";
73089769 2232 } elsif (defined($1)) {
b47ecc88
AD		 2233 $action .= " --queue-num $1";
2234 }
2235 }
8dc92812 2236 $action .= " --queue-bypass" if $feature_ipset_nomatch; #need kernel 3.10
73089769
DM		 2237 return $action;
2238 } else {
2239 return "ACCEPT";
b47ecc88 2240 }
b47ecc88
AD		 2241}
2242
da6fc60b 2243sub ruleset_generate_vm_ipsrules {
a01c32c7 2244 my ($ruleset, $options, $direction, $iface) = @_;
da6fc60b
AD		 2245
2246 if ($options->{ips} && $direction eq 'IN') {
2247 my $nfqueue = generate_nfqueue($options);
2248
a01c32c7 2249 if (!ruleset_chain_exist($ruleset, "PVEFW-IPS")) {
da6fc60b
AD		 2250 ruleset_create_chain($ruleset, "PVEFW-IPS");
2251 }
2252
1e9c5070 2253 ruleset_addrule($ruleset, "PVEFW-IPS", "-m physdev --physdev-out $iface --physdev-is-bridged", "-j $nfqueue");
da6fc60b
AD		 2254 }
2255}
2256
9e15114a 2257sub generate_tap_rules_direction {
84870b1a 2258 my ($ruleset, $cluster_conf, $iface, $netid, $macaddr, $vmfw_conf, $vmid, $direction, $ipversion) = @_;
9e15114a
DM		 2259
2260 my $lc_direction = lc($direction);
2261
2262 my $rules = $vmfw_conf->{rules};
2263
2264 my $options = $vmfw_conf->{options};
2265 my $loglevel = get_option_log_level($options, "log_level_${lc_direction}");
2266
2267 my $tapchain = "$iface-$direction";
2268
b692f42c 2269 my $ipfilter_name = compute_ipfilter_ipset_name($netid);
88c26d5e 2270 my $ipfilter_ipset = compute_ipset_chain_name($vmid, $ipfilter_name, $ipversion)
74601077 2271 if $options->{ipfilter} || $vmfw_conf->{ipset}->{$ipfilter_name};
808d711d 2272
a34cfdd0 2273 # create chain with mac and ip filter
88c26d5e 2274 ruleset_create_vm_chain($ruleset, $tapchain, $ipversion, $options, $macaddr, $ipfilter_ipset, $direction);
9e15114a 2275
a34cfdd0 2276 if ($options->{enable}) {
84870b1a 2277 ruleset_generate_vm_rules($ruleset, $rules, $cluster_conf, $vmfw_conf, $tapchain, $netid, $direction, $options, $ipversion);
3a616aa0 2278
a34cfdd0 2279 ruleset_generate_vm_ipsrules($ruleset, $options, $direction, $iface);
da6fc60b 2280
a34cfdd0
DM		 2281 # implement policy
2282 my $policy;
ccae0b50 2283
a34cfdd0
DM		 2284 if ($direction eq 'OUT') {
2285 $policy = $options->{policy_out} || 'ACCEPT'; # allow everything by default
2286 } else {
72f63fde 2287 $policy = $options->{policy_in} || 'DROP'; # allow nothing by default
a34cfdd0 2288 }
ccae0b50 2289
a34cfdd0
DM		 2290 my $accept = generate_nfqueue($options);
2291 my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : $accept;
88c26d5e 2292 ruleset_add_chain_policy($ruleset, $tapchain, $ipversion, $vmid, $policy, $loglevel, $accept_action);
a34cfdd0
DM		 2293 } else {
2294 my $accept_action = $direction eq 'OUT' ? "PVEFW-SET-ACCEPT-MARK" : 'ACCEPT';
88c26d5e 2295 ruleset_add_chain_policy($ruleset, $tapchain, $ipversion, $vmid, 'ACCEPT', $loglevel, $accept_action);
a34cfdd0 2296 }
3a616aa0 2297
3fa83edf 2298 # plug the tap chain to bridge chain
3cc81077 2299 if ($direction eq 'IN') {
a01c32c7 2300 ruleset_addrule($ruleset, "PVEFW-FWBR-IN",
1e9c5070 2301 "-m physdev --physdev-is-bridged --physdev-out $iface", "-j $tapchain");
3cc81077 2302 } else {
a01c32c7 2303 ruleset_addrule($ruleset, "PVEFW-FWBR-OUT",
1e9c5070 2304 "-m physdev --physdev-is-bridged --physdev-in $iface", "-j $tapchain");
3cc81077 2305 }
3a616aa0
AD		 2306}
2307
d18c1e2b 2308sub enable_host_firewall {
aedde2c2 2309 my ($ruleset, $hostfw_conf, $cluster_conf, $ipversion) = @_;
0bd5f137 2310
92e976b3 2311 my $options = $hostfw_conf->{options};
63324b09 2312 my $cluster_options = $cluster_conf->{options};
92e976b3 2313 my $rules = $hostfw_conf->{rules};
35f0c37e 2314 my $cluster_rules = $cluster_conf->{rules};
178a63be 2315
3fa83edf 2316 # host inbound firewall
dec84fcd
DM		 2317 my $chain = "PVEFW-HOST-IN";
2318 ruleset_create_chain($ruleset, $chain);
0bd5f137 2319
178a63be
DM		 2320 my $loglevel = get_option_log_level($options, "log_level_in");
2321
1e9c5070 2322 ruleset_addrule($ruleset, $chain, "-i lo", "-j ACCEPT");
4ac863a6 2323
e2943485 2324 ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT');
e8415920 2325 ruleset_chain_add_ndp($ruleset, $chain, $ipversion, $options, 'IN', '-j RETURN');
88c26d5e 2326 ruleset_chain_add_input_filters($ruleset, $chain, $ipversion, $options, $cluster_conf, $loglevel);
fb424a00 2327
23e888f8
DM		 2328 # we use RETURN because we need to check also tap rules
2329 my $accept_action = 'RETURN';
2330
1e9c5070 2331 ruleset_addrule($ruleset, $chain, "-p igmp", "-j $accept_action"); # important for multicast
cc8dc02f 2332
35f0c37e
DM		 2333 # add host rules first, so that cluster wide rules can be overwritten
2334 foreach my $rule (@$rules, @$cluster_rules) {
5383df39 2335 next if !$rule->{enable} || $rule->{errors};
35d1d6da 2336 next if $rule->{ipversion} && ($rule->{ipversion} != $ipversion);
bfc488f6 2337
f8b12fff 2338 $rule->{iface_in} = $rule->{iface} if $rule->{iface};
5383df39 2339
1a9978ed
DM		 2340 eval {
2341 if ($rule->{type} eq 'group') {
aedde2c2 2342 ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 'IN', $accept_action, $ipversion);
1a9978ed 2343 } elsif ($rule->{type} eq 'in') {
88c26d5e
DM		 2344 ruleset_generate_rule($ruleset, $chain, $ipversion, $rule,
2345 { ACCEPT => $accept_action, REJECT => "PVEFW-reject" },
e523d2bb 2346 undef, $cluster_conf, $hostfw_conf);
1a9978ed
DM		 2347 }
2348 };
2349 warn $@ if $@;
f8b12fff 2350 delete $rule->{iface_in};
0bd5f137 2351 }
eb399cef
DM		 2352
2353 # allow standard traffic for management ipset (includes cluster network)
88c26d5e 2354 my $mngmnt_ipset_chain = compute_ipset_chain_name(0, "management", $ipversion);
708ba714 2355 my $mngmntsrc = "-m set --match-set ${mngmnt_ipset_chain} src";
1e9c5070
TW		 2356 ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 8006", "-j $accept_action"); # PVE API
2357 ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 5900:5999", "-j $accept_action"); # PVE VNC Console
2358 ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 3128", "-j $accept_action"); # SPICE Proxy
2359 ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 22", "-j $accept_action"); # SSH
bfc488f6 2360
afcd29b3
DM		 2361 my $localnet = $cluster_conf->{aliases}->{local_network}->{cidr};
2362 my $localnet_ver = $cluster_conf->{aliases}->{local_network}->{ipversion};
3bc79f87 2363
eb399cef 2364 # corosync
35d1d6da 2365 if ($localnet && ($ipversion == $localnet_ver)) {
1e9c5070
TW		 2366 my $corosync_rule = "-p udp --dport 5404:5405";
2367 ruleset_addrule($ruleset, $chain, "-s $localnet -d $localnet $corosync_rule", "-j $accept_action");
2368 ruleset_addrule($ruleset, $chain, "-s $localnet -m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action");
3bc79f87 2369 }
0bd5f137 2370
23e888f8 2371 # implement input policy
63324b09 2372 my $policy = $cluster_options->{policy_in} || 'DROP'; # allow nothing by default
88c26d5e 2373 ruleset_add_chain_policy($ruleset, $chain, $ipversion, 0, $policy, $loglevel, $accept_action);
0bd5f137 2374
3fa83edf 2375 # host outbound firewall
aadd745e 2376 $chain = "PVEFW-HOST-OUT";
dec84fcd
DM		 2377 ruleset_create_chain($ruleset, $chain);
2378
178a63be
DM		 2379 $loglevel = get_option_log_level($options, "log_level_out");
2380
1e9c5070 2381 ruleset_addrule($ruleset, $chain, "-o lo", "-j ACCEPT");
e2943485
DM		 2382
2383 ruleset_chain_add_conn_filters($ruleset, $chain, 'ACCEPT');
2384
23e888f8
DM		 2385 # we use RETURN because we may want to check other thigs later
2386 $accept_action = 'RETURN';
e8415920 2387 ruleset_chain_add_ndp($ruleset, $chain, $ipversion, $options, 'OUT', "-j $accept_action");
23e888f8 2388
1e9c5070 2389 ruleset_addrule($ruleset, $chain, "-p igmp", "-j $accept_action"); # important for multicast
cc8dc02f 2390
35f0c37e
DM		 2391 # add host rules first, so that cluster wide rules can be overwritten
2392 foreach my $rule (@$rules, @$cluster_rules) {
5383df39 2393 next if !$rule->{enable} || $rule->{errors};
35d1d6da 2394 next if $rule->{ipversion} && ($rule->{ipversion} != $ipversion);
5383df39 2395
f8b12fff 2396 $rule->{iface_out} = $rule->{iface} if $rule->{iface};
1a9978ed
DM		 2397 eval {
2398 if ($rule->{type} eq 'group') {
aedde2c2 2399 ruleset_add_group_rule($ruleset, $cluster_conf, $chain, $rule, 'OUT', $accept_action, $ipversion);
1a9978ed 2400 } elsif ($rule->{type} eq 'out') {
88c26d5e
DM		 2401 ruleset_generate_rule($ruleset, $chain, $ipversion,
2402 $rule, { ACCEPT => $accept_action, REJECT => "PVEFW-reject" },
e523d2bb 2403 undef, $cluster_conf, $hostfw_conf);
1a9978ed
DM		 2404 }
2405 };
2406 warn $@ if $@;
f8b12fff 2407 delete $rule->{iface_out};
0bd5f137
AD		 2408 }
2409
3bc79f87 2410 # allow standard traffic on cluster network
35d1d6da 2411 if ($localnet && ($ipversion == $localnet_ver)) {
1e9c5070
TW		 2412 ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 8006", "-j $accept_action"); # PVE API
2413 ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 22", "-j $accept_action"); # SSH
2414 ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 5900:5999", "-j $accept_action"); # PVE VNC Console
2415 ruleset_addrule($ruleset, $chain, "-d $localnet -p tcp --dport 3128", "-j $accept_action"); # SPICE Proxy
bfc488f6 2416
1e9c5070
TW		 2417 my $corosync_rule = "-p udp --dport 5404:5405";
2418 ruleset_addrule($ruleset, $chain, "-d $localnet $corosync_rule", "-j $accept_action");
2419 ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST $corosync_rule", "-j $accept_action");
3bc79f87
DM		 2420 }
2421
23e888f8 2422 # implement output policy
63324b09 2423 $policy = $cluster_options->{policy_out} || 'ACCEPT'; # allow everything by default
88c26d5e 2424 ruleset_add_chain_policy($ruleset, $chain, $ipversion, 0, $policy, $loglevel, $accept_action);
6158271d 2425
1e9c5070
TW		 2426 ruleset_addrule($ruleset, "PVEFW-OUTPUT", "", "-j PVEFW-HOST-OUT");
2427 ruleset_addrule($ruleset, "PVEFW-INPUT", "", "-j PVEFW-HOST-IN");
9d31b418
AD		 2428}
2429
2430sub generate_group_rules {
aedde2c2 2431 my ($ruleset, $cluster_conf, $group, $ipversion) = @_;
9d31b418 2432
c6f5cc88 2433 my $rules = $cluster_conf->{groups}->{$group};
6158271d 2434
b4deedab
DM		 2435 if (!$rules) {
2436 warn "no such security group '$group'\n";
2437 $rules = []; # create empty chain
2438 }
2439
3fa83edf 2440 my $chain = "GROUP-${group}-IN";
9d31b418 2441
3fa83edf 2442 ruleset_create_chain($ruleset, $chain);
1e9c5070 2443 ruleset_addrule($ruleset, $chain, "", "-j MARK --set-mark $FWACCEPTMARK_OFF"); # clear mark
9d31b418 2444
92e976b3
DM		 2445 foreach my $rule (@$rules) {
2446 next if $rule->{type} ne 'in';
aedde2c2 2447 next if $rule->{ipversion} && $rule->{ipversion} ne $ipversion;
88c26d5e
DM		 2448 ruleset_generate_rule($ruleset, $chain, $ipversion, $rule,
2449 { ACCEPT => "PVEFW-SET-ACCEPT-MARK", REJECT => "PVEFW-reject" },
2450 undef, $cluster_conf);
9d31b418
AD		 2451 }
2452
3fa83edf 2453 $chain = "GROUP-${group}-OUT";
9d31b418 2454
3fa83edf 2455 ruleset_create_chain($ruleset, $chain);
1e9c5070 2456 ruleset_addrule($ruleset, $chain, "", "-j MARK --set-mark $FWACCEPTMARK_OFF"); # clear mark
9d31b418 2457
92e976b3
DM		 2458 foreach my $rule (@$rules) {
2459 next if $rule->{type} ne 'out';
aedde2c2 2460 next if $rule->{ipversion} && $rule->{ipversion} ne $ipversion;
92e976b3
DM		 2461 # we use PVEFW-SET-ACCEPT-MARK (Instead of ACCEPT) because we need to
2462 # check also other tap rules later
88c26d5e
DM		 2463 ruleset_generate_rule($ruleset, $chain, $ipversion, $rule,
2464 { ACCEPT => 'PVEFW-SET-ACCEPT-MARK', REJECT => "PVEFW-reject" },
2465 undef, $cluster_conf);
9d31b418 2466 }
9d31b418
AD		 2467}
2468
51bae274
DM		 2469my $MAX_NETS = 32;
2470my $valid_netdev_names = {};
2471for (my $i = 0; $i < $MAX_NETS; $i++) {
2472 $valid_netdev_names->{"net$i"} = 1;
2473}
5e1267a5 2474
fe3d79b4
WB		 2475sub get_mark_values {
2476 my ($value, $mask) = @_;
2477 $value = hex($value) if $value =~ /^0x/;
2478 $mask = hex($mask) if defined($mask) && $mask =~ /^0x/;
2479 $mask = 0xffffffff if !defined($mask);
2480 return ($value, $mask);
2481}
2482
51bae274 2483sub parse_fw_rule {
a523e057 2484 my ($prefix, $line, $cluster_conf, $fw_conf, $rule_env, $verbose) = @_;
5e1267a5 2485
d4cda423
DM		 2486 my $orig_line = $line;
2487
6d9246e7
DM		 2488 my $rule = {};
2489
11bac5c2 2490 # we can add single line comments to the end of the rule
6d9246e7
DM		 2491 if ($line =~ s/#\s*(.*?)\s*$//) {
2492 $rule->{comment} = decode('utf8', $1);
2493 }
11bac5c2
DM		 2494
2495 # we can disable a rule when prefixed with '|'
ea9e5116 2496
6d9246e7 2497 $rule->{enable} = $line =~ s/^\|// ? 0 : 1;
51bae274 2498
dba740a9
DM		 2499 $line =~ s/^(\S+)\s+(\S+)\s*// ||
2500 die "unable to parse rule: $line\n";
6d9246e7
DM		 2501
2502 $rule->{type} = lc($1);
2503 $rule->{action} = $2;
2504
2505 if ($rule->{type} eq 'in' || $rule->{type} eq 'out') {
2506 if ($rule->{action} =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) {
2507 $rule->{macro} = $1;
2508 $rule->{action} = $2;
92e976b3 2509 }
51bae274
DM		 2510 }
2511
dba740a9
DM		 2512 while (length($line)) {
2513 if ($line =~ s/^-i (\S+)\s*//) {
6d9246e7 2514 $rule->{iface} = $1;
dba740a9
DM		 2515 next;
2516 }
51bae274 2517
6d9246e7 2518 last if $rule->{type} eq 'group';
51bae274 2519
dba740a9 2520 if ($line =~ s/^-p (\S+)\s*//) {
6d9246e7 2521 $rule->{proto} = $1;
dba740a9
DM		 2522 next;
2523 }
6d9246e7 2524
dba740a9 2525 if ($line =~ s/^-dport (\S+)\s*//) {
6d9246e7 2526 $rule->{dport} = $1;
dba740a9
DM		 2527 next;
2528 }
6d9246e7 2529
dba740a9 2530 if ($line =~ s/^-sport (\S+)\s*//) {
6d9246e7 2531 $rule->{sport} = $1;
dba740a9
DM		 2532 next;
2533 }
2534 if ($line =~ s/^-source (\S+)\s*//) {
6d9246e7 2535 $rule->{source} = $1;
dba740a9
DM		 2536 next;
2537 }
2538 if ($line =~ s/^-dest (\S+)\s*//) {
6d9246e7 2539 $rule->{dest} = $1;
dba740a9
DM		 2540 next;
2541 }
51bae274 2542
dba740a9
DM		 2543 last;
2544 }
ba791b1f 2545
dba740a9 2546 die "unable to parse rule parameters: $line\n" if length($line);
51bae274 2547
a523e057 2548 $rule = verify_rule($rule, $cluster_conf, $fw_conf, $rule_env, 1);
eedcb564
WB		 2549 if ($rule->{errors}) {
2550 # The verbose flag really means we're running from the CLI and want
2551 # output on the console - in the other case we really want such errors
2552 # to go into the syslog instead.
2553 my $log = $verbose ? sub { warn @_ } : sub { syslog(err => @_) };
2554 $log->("$prefix - errors in rule parameters: $orig_line\n");
d4cda423 2555 foreach my $p (keys %{$rule->{errors}}) {
eedcb564 2556 $log->(" $p: $rule->{errors}->{$p}\n");
d4cda423
DM		 2557 }
2558 }
6d9246e7
DM		 2559
2560 return $rule;
51bae274
DM		 2561}
2562
2d404ffc 2563sub parse_vmfw_option {
85c6eaed
DM		 2564 my ($line) = @_;
2565
2566 my ($opt, $value);
2567
178a63be
DM		 2568 my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog";
2569
74601077 2570 if ($line =~ m/^(enable|dhcp|ndp|radv|macfilter|ipfilter|ips):\s*(0|1)\s*$/i) {
9c6b6efd
DM		 2571 $opt = lc($1);
2572 $value = int($2);
178a63be
DM		 2573 } elsif ($line =~ m/^(log_level_in|log_level_out):\s*(($loglevels)\s*)?$/i) {
2574 $opt = lc($1);
2575 $value = $2 ? lc($3) : '';
72f63fde 2576 } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
85c6eaed
DM		 2577 $opt = lc($1);
2578 $value = uc($3);
b47ecc88
AD		 2579 } elsif ($line =~ m/^(ips_queues):\s*((\d+)(:(\d+))?)\s*$/i) {
2580 $opt = lc($1);
2581 $value = $2;
9c6b6efd 2582 } else {
85c6eaed
DM		 2583 die "can't parse option '$line'\n"
2584 }
2585
2586 return ($opt, $value);
2587}
2588
2d404ffc
DM		 2589sub parse_hostfw_option {
2590 my ($line) = @_;
2591
2592 my ($opt, $value);
2593
2594 my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog";
2595
a83abe93 2596 if ($line =~ m/^(enable|nosmurfs|tcpflags|ndp):\s*(0|1)\s*$/i) {
2d404ffc
DM		 2597 $opt = lc($1);
2598 $value = int($2);
178a63be 2599 } elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
2d404ffc
DM		 2600 $opt = lc($1);
2601 $value = $2 ? lc($3) : '';
28c082a1 2602 } elsif ($line =~ m/^(nf_conntrack_max|nf_conntrack_tcp_timeout_established):\s*(\d+)\s*$/i) {
490cdead
DM		 2603 $opt = lc($1);
2604 $value = int($2);
2d404ffc 2605 } else {
2d404ffc
DM		 2606 die "can't parse option '$line'\n"
2607 }
2608
2609 return ($opt, $value);
2610}
2611
c6f5cc88
DM		 2612sub parse_clusterfw_option {
2613 my ($line) = @_;
2614
2615 my ($opt, $value);
2616
72d055fc 2617 if ($line =~ m/^(enable):\s*(\d+)\s*$/i) {
c6f5cc88
DM		 2618 $opt = lc($1);
2619 $value = int($2);
72d055fc
AG		 2620 if (($value > 1) && ((time() - $value) > 60)) {
2621 $value = 0
2622 }
63324b09
DM		 2623 } elsif ($line =~ m/^(policy_(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
2624 $opt = lc($1);
2625 $value = uc($3);
c6f5cc88 2626 } else {
c6f5cc88
DM		 2627 die "can't parse option '$line'\n"
2628 }
2629
2630 return ($opt, $value);
2631}
2632
6c221576
DM		 2633sub resolve_alias {
2634 my ($clusterfw_conf, $fw_conf, $cidr) = @_;
2635
6d959e3f 2636 my $alias = lc($cidr);
04f5088f 2637 my $e = $fw_conf ? $fw_conf->{aliases}->{$alias} : undef;
6d959e3f 2638 $e = $clusterfw_conf->{aliases}->{$alias} if !$e && $clusterfw_conf;
6c221576 2639
6d959e3f
DM		 2640 die "no such alias '$cidr'\n" if !$e;;
2641
2642 return wantarray ? ($e->{cidr}, $e->{ipversion}) : $e->{cidr};
6c221576
DM		 2643}
2644
ae029a88
DM		 2645sub parse_ip_or_cidr {
2646 my ($cidr) = @_;
2647
2648 my $ipversion;
2649
2650 if ($cidr =~ m!^(?:$IPV6RE)(/(\d+))?$!) {
2651 $cidr =~ s|/128$||;
2652 $ipversion = 6;
2653 } elsif ($cidr =~ m!^(?:$IPV4RE)(/(\d+))?$!) {
2654 $cidr =~ s|/32$||;
2655 $ipversion = 4;
2656 } else {
2657 die "value does not look like a valid IP address or CIDR network\n";
2658 }
2659
2660 return wantarray ? ($cidr, $ipversion) : $cidr;
2661}
2662
e76a9f53 2663sub parse_alias {
92e1209b
AD		 2664 my ($line) = @_;
2665
81d574a7
DM		 2666 # we can add single line comments to the end of the line
2667 my $comment = decode('utf8', $1) if $line =~ s/\s*#\s*(.*?)\s*$//;
2668
92e1209b 2669 if ($line =~ m/^(\S+)\s(\S+)$/) {
81d574a7 2670 my ($name, $cidr) = ($1, $2);
ae029a88
DM		 2671 my $ipversion;
2672
2673 ($cidr, $ipversion) = parse_ip_or_cidr($cidr);
2674
81d574a7
DM		 2675 my $data = {
2676 name => $name,
2677 cidr => $cidr,
70e524eb 2678 ipversion => $ipversion,
81d574a7
DM		 2679 };
2680 $data->{comment} = $comment if $comment;
2681 return $data;
92e1209b
AD		 2682 }
2683
81d574a7 2684 return undef;
92e1209b
AD		 2685}
2686
e5cd1ee0 2687sub generic_fw_config_parser {
1210ae94 2688 my ($filename, $fh, $verbose, $cluster_conf, $empty_conf, $rule_env) = @_;
5e1267a5 2689
51bae274
DM		 2690 my $section;
2691 my $group;
2692
1210ae94 2693 my $res = $empty_conf;
6158271d 2694
51bae274
DM		 2695 while (defined(my $line = <$fh>)) {
2696 next if $line =~ m/^#/;
2697 next if $line =~ m/^\s*$/;
2698
c8c534f7
DM		 2699 chomp $line;
2700
961b4928
DM		 2701 my $linenr = $fh->input_line_number();
2702 my $prefix = "$filename (line $linenr)";
2703
1210ae94 2704 if ($empty_conf->{options} && ($line =~ m/^\[options\]$/i)) {
c6f5cc88
DM		 2705 $section = 'options';
2706 next;
2707 }
2708
1210ae94 2709 if ($empty_conf->{aliases} && ($line =~ m/^\[aliases\]$/i)) {
92e1209b
AD		 2710 $section = 'aliases';
2711 next;
2712 }
2713
1210ae94 2714 if ($empty_conf->{groups} && ($line =~ m/^\[group\s+(\S+)\]\s*(?:#\s*(.*?)\s*)?$/i)) {
c6f5cc88 2715 $section = 'groups';
92e976b3 2716 $group = lc($1);
0d22acb3 2717 my $comment = $2;
351052d1
DM		 2718 eval {
2719 die "security group name too long\n" if length($group) > $max_group_name_length;
2720 die "invalid security group name '$group'\n" if $group !~ m/^${security_group_name_pattern}$/;
2721 };
2722 if (my $err = $@) {
2723 ($section, $group, $comment) = undef;
2724 warn "$prefix: $err";
2725 next;
2726 }
2727
c85c87f9 2728 $res->{$section}->{$group} = [];
649e4d57
DM		 2729 $res->{group_comments}->{$group} = decode('utf8', $comment)
2730 if $comment;
51bae274
DM		 2731 next;
2732 }
34cdedfa 2733
1210ae94 2734 if ($empty_conf->{rules} && ($line =~ m/^\[rules\]$/i)) {
c6f5cc88
DM		 2735 $section = 'rules';
2736 next;
2737 }
cbb5d6f3 2738
1210ae94 2739 if ($empty_conf->{ipset} && ($line =~ m/^\[ipset\s+(\S+)\]\s*(?:#\s*(.*?)\s*)?$/i)) {
34cdedfa
AD		 2740 $section = 'ipset';
2741 $group = lc($1);
d72c631c 2742 my $comment = $2;
351052d1
DM		 2743 eval {
2744 die "ipset name too long\n" if length($group) > $max_ipset_name_length;
2745 die "invalid ipset name '$group'\n" if $group !~ m/^${ipset_name_pattern}$/;
2746 };
2747 if (my $err = $@) {
2748 ($section, $group, $comment) = undef;
2749 warn "$prefix: $err";
2750 next;
2751 }
2752
c85c87f9 2753 $res->{$section}->{$group} = [];
e34d0e58 2754 $res->{ipset_comments}->{$group} = decode('utf8', $comment)
649e4d57 2755 if $comment;
34cdedfa
AD		 2756 next;
2757 }
2758
c6f5cc88 2759 if (!$section) {
cbb5d6f3 2760 warn "$prefix: skip line - no section\n";
51bae274
DM		 2761 next;
2762 }
2763
c6f5cc88
DM		 2764 if ($section eq 'options') {
2765 eval {
1210ae94
DM		 2766 my ($opt, $value);
2767 if ($rule_env eq 'cluster') {
2768 ($opt, $value) = parse_clusterfw_option($line);
2769 } elsif ($rule_env eq 'host') {
2770 ($opt, $value) = parse_hostfw_option($line);
2771 } else {
2772 ($opt, $value) = parse_vmfw_option($line);
2773 }
c6f5cc88
DM		 2774 $res->{options}->{$opt} = $value;
2775 };
2776 warn "$prefix: $@" if $@;
92e1209b
AD		 2777 } elsif ($section eq 'aliases') {
2778 eval {
e76a9f53 2779 my $data = parse_alias($line);
81d574a7 2780 $res->{aliases}->{lc($data->{name})} = $data;
92e1209b
AD		 2781 };
2782 warn "$prefix: $@" if $@;
c6f5cc88
DM		 2783 } elsif ($section eq 'rules') {
2784 my $rule;
1210ae94 2785 eval { $rule = parse_fw_rule($prefix, $line, $cluster_conf, $res, $rule_env, $verbose); };
c6f5cc88
DM		 2786 if (my $err = $@) {
2787 warn "$prefix: $err";
2788 next;
2789 }
2790 push @{$res->{$section}}, $rule;
2791 } elsif ($section eq 'groups') {
34cdedfa 2792 my $rule;
1210ae94 2793 eval { $rule = parse_fw_rule($prefix, $line, $cluster_conf, undef, 'group', $verbose); };
34cdedfa
AD		 2794 if (my $err = $@) {
2795 warn "$prefix: $err";
2796 next;
2797 }
3f95d14a 2798 push @{$res->{$section}->{$group}}, $rule;
3f95d14a 2799 } elsif ($section eq 'ipset') {
9d6f90e6
DM		 2800 # we can add single line comments to the end of the rule
2801 my $comment = decode('utf8', $1) if $line =~ s/#\s*(.*?)\s*$//;
2802
30f1b100 2803 $line =~ m/^(\!)?\s*(\S+)\s*$/;
2a052ee3 2804 my $nomatch = $1;
9d6f90e6 2805 my $cidr = $2;
d46b1ef6
DM		 2806 my $errors;
2807
2808 if ($nomatch && !$feature_ipset_nomatch) {
2809 $errors->{nomatch} = "nomatch not supported by kernel";
2810 }
2a052ee3 2811
4803b296
DM		 2812 eval {
2813 if ($cidr =~ m/^${ip_alias_pattern}$/) {
2814 resolve_alias($cluster_conf, $res, $cidr); # make sure alias exists
2815 } else {
ae029a88 2816 $cidr = parse_ip_or_cidr($cidr);
92e1209b 2817 }
4803b296
DM		 2818 };
2819 if (my $err = $@) {
c8c534f7 2820 chomp $err;
d46b1ef6 2821 $errors->{cidr} = $err;
2a052ee3 2822 }
2a052ee3 2823
b14db52f
WB		 2824 if ($cidr =~ m!/0+$!) {
2825 $errors->{cidr} = "a zero prefix is not allowed in ipset entries\n";
2826 }
2827
e34d0e58 2828 my $entry = { cidr => $cidr };
9d6f90e6
DM		 2829 $entry->{nomatch} = 1 if $nomatch;
2830 $entry->{comment} = $comment if $comment;
d46b1ef6 2831 $entry->{errors} = $errors if $errors;
e34d0e58 2832
c8c534f7 2833 if ($verbose && $errors) {
9a3061c7 2834 warn "$prefix - errors in ipset '$group': $line\n";
c8c534f7
DM		 2835 foreach my $p (keys %{$errors}) {
2836 warn " $p: $errors->{$p}\n";
2837 }
2838 }
2839
9d6f90e6 2840 push @{$res->{$section}->{$group}}, $entry;
1210ae94
DM		 2841 } else {
2842 warn "$prefix: skip line - unknown section\n";
2843 next;
51bae274 2844 }
5e1267a5
DM		 2845 }
2846
2847 return $res;
2848}
2849
e5cd1ee0 2850sub parse_hostfw_config {
1210ae94
DM		 2851 my ($filename, $fh, $cluster_conf, $verbose) = @_;
2852
2853 my $empty_conf = { rules => [], options => {}};
2854
e5cd1ee0 2855 return generic_fw_config_parser($filename, $fh, $verbose, $cluster_conf, $empty_conf, 'host');
1210ae94
DM		 2856}
2857
e5cd1ee0 2858sub parse_vmfw_config {
1210ae94
DM		 2859 my ($filename, $fh, $cluster_conf, $rule_env, $verbose) = @_;
2860
2861 my $empty_conf = {
2862 rules => [],
2863 options => {},
2864 aliases => {},
2865 ipset => {} ,
2866 ipset_comments => {},
2867 };
2868
e5cd1ee0 2869 return generic_fw_config_parser($filename, $fh, $verbose, $cluster_conf, $empty_conf, $rule_env);
1210ae94
DM		 2870}
2871
e5cd1ee0 2872sub parse_clusterfw_config {
1210ae94
DM		 2873 my ($filename, $fh, $verbose) = @_;
2874
2875 my $section;
2876 my $group;
2877
2878 my $empty_conf = {
2879 rules => [],
2880 options => {},
2881 aliases => {},
2882 groups => {},
2883 group_comments => {},
2884 ipset => {} ,
2885 ipset_comments => {},
2886 };
2887
e5cd1ee0 2888 return generic_fw_config_parser($filename, $fh, $verbose, $empty_conf, $empty_conf, 'cluster');
1210ae94
DM		 2889}
2890
06320eb0
DM		 2891sub run_locked {
2892 my ($code, @param) = @_;
2893
2894 my $timeout = 10;
2895
2896 my $res = lock_file($pve_fw_lock_filename, $timeout, $code, @param);
2897
2898 die $@ if $@;
2899
2900 return $res;
2901}
2902
5e1267a5
DM		 2903sub read_local_vm_config {
2904
5e1267a5 2905 my $qemu = {};
3b4882dc 2906 my $lxc = {};
5e1267a5 2907
fdefeeab 2908 my $vmdata = { qemu => $qemu, lxc => $lxc };
5e1267a5 2909
c8301d63
DM		 2910 my $vmlist = PVE::Cluster::get_vmlist();
2911 return $vmdata if !$vmlist || !$vmlist->{ids};
2912 my $ids = $vmlist->{ids};
2913
2914 foreach my $vmid (keys %$ids) {
2915 next if !$vmid; # skip VE0
2916 my $d = $ids->{$vmid};
2917 next if !$d->{node} || $d->{node} ne $nodename;
2918 next if !$d->{type};
fdefeeab 2919 if ($d->{type} eq 'qemu') {
d9fee004 2920 if ($have_qemu_server) {
b5a16dd3 2921 my $cfspath = PVE::QemuConfig->cfs_config_path($vmid);
d9fee004
DM		 2922 if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) {
2923 $qemu->{$vmid} = $conf;
2924 }
c8301d63 2925 }
3b4882dc
AG		 2926 } elsif ($d->{type} eq 'lxc') {
2927 if ($have_lxc) {
a7c85d56 2928 my $cfspath = PVE::LXC::Config->cfs_config_path($vmid);
3b4882dc
AG		 2929 if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) {
2930 $lxc->{$vmid} = $conf;
2931 }
2932 }
2933 }
5e1267a5 2934 }
d9fee004 2935
5e1267a5
DM		 2936 return $vmdata;
2937};
2938
e7b35711 2939sub load_vmfw_conf {
a523e057 2940 my ($cluster_conf, $rule_env, $vmid, $dir, $verbose) = @_;
e7b35711
DM		 2941
2942 my $vmfw_conf = {};
2943
21053409 2944 $dir = $pvefw_conf_dir if !defined($dir);
8aef5177
DM		 2945
2946 my $filename = "$dir/$vmid.fw";
e7b35711 2947 if (my $fh = IO::File->new($filename, O_RDONLY)) {
e5cd1ee0 2948 $vmfw_conf = parse_vmfw_config($filename, $fh, $cluster_conf, $rule_env, $verbose);
708ba714 2949 $vmfw_conf->{vmid} = $vmid;
e7b35711
DM		 2950 }
2951
2952 return $vmfw_conf;
2953}
2954
464f933e 2955my $format_rules = sub {
dba740a9 2956 my ($rules, $allow_iface) = @_;
464f933e
DM		 2957
2958 my $raw = '';
2959
2960 foreach my $rule (@$rules) {
c14dacdf 2961 if ($rule->{type} eq 'in' || $rule->{type} eq 'out' || $rule->{type} eq 'group') {
464f933e
DM		 2962 $raw .= '|' if defined($rule->{enable}) && !$rule->{enable};
2963 $raw .= uc($rule->{type});
7ca36671
DM		 2964 if ($rule->{macro}) {
2965 $raw .= " $rule->{macro}($rule->{action})";
2966 } else {
2967 $raw .= " " . $rule->{action};
2968 }
dba740a9
DM		 2969 if ($allow_iface && $rule->{iface}) {
2970 $raw .= " -i $rule->{iface}";
2971 }
c14dacdf
DM		 2972
2973 if ($rule->{type} ne 'group') {
dba740a9
DM		 2974 $raw .= " -source $rule->{source}" if $rule->{source};
2975 $raw .= " -dest $rule->{dest}" if $rule->{dest};
2976 $raw .= " -p $rule->{proto}" if $rule->{proto};
2977 $raw .= " -dport $rule->{dport}" if $rule->{dport};
2978 $raw .= " -sport $rule->{sport}" if $rule->{sport};
c14dacdf
DM		 2979 }
2980
cbb5d6f3 2981 $raw .= " # " . encode('utf8', $rule->{comment})
464f933e
DM		 2982 if $rule->{comment} && $rule->{comment} !~ m/^\s*$/;
2983 $raw .= "\n";
2984 } else {
c14dacdf 2985 die "unknown rule type '$rule->{type}'";
464f933e
DM		 2986 }
2987 }
2988
2989 return $raw;
2990};
2991
2992my $format_options = sub {
68c90e21
DM		 2993 my ($options) = @_;
2994
2995 my $raw = '';
464f933e
DM		 2996
2997 $raw .= "[OPTIONS]\n\n";
2998 foreach my $opt (keys %$options) {
2999 $raw .= "$opt: $options->{$opt}\n";
3000 }
3001 $raw .= "\n";
68c90e21
DM		 3002
3003 return $raw;
464f933e
DM		 3004};
3005
0d5f0a0f
DM		 3006my $format_aliases = sub {
3007 my ($aliases) = @_;
3008
3009 my $raw = '';
3010
3011 $raw .= "[ALIASES]\n\n";
3012 foreach my $k (keys %$aliases) {
81d574a7
DM		 3013 my $e = $aliases->{$k};
3014 $raw .= "$e->{name} $e->{cidr}";
3015 $raw .= " # " . encode('utf8', $e->{comment})
3016 if $e->{comment} && $e->{comment} !~ m/^\s*$/;
3017 $raw .= "\n";
0d5f0a0f
DM		 3018 }
3019 $raw .= "\n";
3020
3021 return $raw;
3022};
3023
1210ae94
DM		 3024my $format_ipsets = sub {
3025 my ($fw_conf) = @_;
3026
9d6f90e6
DM		 3027 my $raw = '';
3028
1210ae94
DM		 3029 foreach my $ipset (sort keys %{$fw_conf->{ipset}}) {
3030 if (my $comment = $fw_conf->{ipset_comments}->{$ipset}) {
3031 my $utf8comment = encode('utf8', $comment);
3032 $raw .= "[IPSET $ipset] # $utf8comment\n\n";
3033 } else {
3034 $raw .= "[IPSET $ipset]\n\n";
3035 }
3036 my $options = $fw_conf->{ipset}->{$ipset};
6e299ae3 3037
1210ae94
DM		 3038 my $nethash = {};
3039 foreach my $entry (@$options) {
3040 $nethash->{$entry->{cidr}} = $entry;
3041 }
3042
3043 foreach my $cidr (sort keys %$nethash) {
3044 my $entry = $nethash->{$cidr};
3045 my $line = $entry->{nomatch} ? '!' : '';
3046 $line .= $entry->{cidr};
3047 $line .= " # " . encode('utf8', $entry->{comment})
3048 if $entry->{comment} && $entry->{comment} !~ m/^\s*$/;
3049 $raw .= "$line\n";
3050 }
3051
3052 $raw .= "\n";
9d6f90e6 3053 }
e34d0e58 3054
9d6f90e6
DM		 3055 return $raw;
3056};
3057
464f933e
DM		 3058sub save_vmfw_conf {
3059 my ($vmid, $vmfw_conf) = @_;
3060
3061 my $raw = '';
3062
3063 my $options = $vmfw_conf->{options};
89ea63c8 3064 $raw .= &$format_options($options) if $options && scalar(keys %$options);
cbb5d6f3 3065
e76a9f53 3066 my $aliases = $vmfw_conf->{aliases};
89ea63c8 3067 $raw .= &$format_aliases($aliases) if $aliases && scalar(keys %$aliases);
e76a9f53 3068
89ea63c8 3069 $raw .= &$format_ipsets($vmfw_conf) if $vmfw_conf->{ipset};
1210ae94 3070
8824b2f0 3071 my $rules = $vmfw_conf->{rules} || [];
89ea63c8 3072 if ($rules && scalar(@$rules)) {
464f933e
DM		 3073 $raw .= "[RULES]\n\n";
3074 $raw .= &$format_rules($rules, 1);
3075 $raw .= "\n";
3076 }
3077
21053409 3078 my $filename = "$pvefw_conf_dir/$vmid.fw";
c32e04e6
FG		 3079 if ($raw) {
3080 mkdir $pvefw_conf_dir;
3081 PVE::Tools::file_set_contents($filename, $raw);
3082 } else {
3083 unlink $filename;
3084 }
464f933e
DM		 3085}
3086
edee9035
AG		 3087sub remove_vmfw_conf {
3088 my ($vmid) = @_;
3089
3090 my $vmfw_conffile = "$pvefw_conf_dir/$vmid.fw";
3091
3092 unlink $vmfw_conffile;
3093}
3094
5471ff7c
AG		 3095sub clone_vmfw_conf {
3096 my ($vmid, $newid) = @_;
3097
3098 my $sourcevm_conffile = "$pvefw_conf_dir/$vmid.fw";
3099 my $clonevm_conffile = "$pvefw_conf_dir/$newid.fw";
3100
3101 if (-f $clonevm_conffile) {
3102 unlink $clonevm_conffile;
3103 }
3104 if (-f $sourcevm_conffile) {
3105 my $data = PVE::Tools::file_get_contents($sourcevm_conffile);
3106 PVE::Tools::file_set_contents($clonevm_conffile, $data);
3107 }
3108}
3109
6fc63ffd 3110sub read_vm_firewall_configs {
a523e057 3111 my ($cluster_conf, $vmdata, $dir, $verbose) = @_;
8aef5177 3112
6fc63ffd 3113 my $vmfw_configs = {};
c8301d63 3114
b6b8e6ad 3115 foreach my $vmid (keys %{$vmdata->{qemu}}) {
a523e057 3116 my $vmfw_conf = load_vmfw_conf($cluster_conf, 'vm', $vmid, $dir, $verbose);
b6b8e6ad
DM		 3117 next if !$vmfw_conf->{options}; # skip if file does not exists
3118 $vmfw_configs->{$vmid} = $vmfw_conf;
3119 }
3b4882dc
AG		 3120 foreach my $vmid (keys %{$vmdata->{lxc}}) {
3121 my $vmfw_conf = load_vmfw_conf($cluster_conf, 'ct', $vmid, $dir, $verbose);
3122 next if !$vmfw_conf->{options}; # skip if file does not exists
3123 $vmfw_configs->{$vmid} = $vmfw_conf;
3124 }
5e1267a5 3125
6fc63ffd 3126 return $vmfw_configs;
5e1267a5
DM		 3127}
3128
2d404ffc
DM		 3129sub get_option_log_level {
3130 my ($options, $k) = @_;
3131
3132 my $v = $options->{$k};
178a63be 3133 $v = $default_log_level if !defined($v);
2d404ffc
DM		 3134
3135 return undef if $v eq '' || $v eq 'nolog';
3136
3137 $v = $log_level_hash->{$v} if defined($log_level_hash->{$v});
3138
3139 return $v if ($v >= 0) && ($v <= 7);
3140
3141 warn "unknown log level ($k = '$v')\n";
3142
3143 return undef;
3144}
3145
d8f2505e 3146sub generate_std_chains {
db8a955f
DM		 3147 my ($ruleset, $options, $ipversion) = @_;
3148
3149 my $std_chains = $pve_std_chains->{$ipversion} || die "internal error";
cbb5d6f3 3150
2d404ffc 3151 my $loglevel = get_option_log_level($options, 'smurf_log_level');
044409e5
TW		 3152 my $chain = 'PVEFW-smurflog';
3153 if ( $std_chains->{$chain} ) {
3154 foreach my $r (@{$std_chains->{$chain}}) {
3155 $r->{log} = $loglevel;
3156 }
db8a955f 3157 }
2d404ffc
DM		 3158
3159 # same as shorewall logflags action.
3160 $loglevel = get_option_log_level($options, 'tcp_flags_log_level');
782c4cde 3161 $chain = 'PVEFW-logflags';
044409e5
TW		 3162 if ( $std_chains->{$chain} ) {
3163 foreach my $r (@{$std_chains->{$chain}}) {
3164 $r->{log} = $loglevel;
3165 }
3166 }
d8f2505e 3167
db8a955f 3168 foreach my $chain (keys %$std_chains) {
d8f2505e 3169 ruleset_create_chain($ruleset, $chain);
db8a955f 3170 foreach my $rule (@{$std_chains->{$chain}}) {
d8f2505e 3171 if (ref($rule)) {
88c26d5e 3172 ruleset_generate_rule($ruleset, $chain, $ipversion, $rule);
d8f2505e 3173 } else {
044409e5 3174 die "rule $rule as string - should not happen";
d8f2505e
DM		 3175 }
3176 }
3177 }
3178}
3179
34cdedfa 3180sub generate_ipset_chains {
74601077 3181 my ($ipset_ruleset, $clusterfw_conf, $fw_conf, $device_ips, $ipsets) = @_;
34cdedfa 3182
74601077 3183 foreach my $ipset (keys %{$ipsets}) {
34cdedfa 3184
74601077 3185 my $options = $ipsets->{$ipset};
34cdedfa 3186
ebf72e49
WB		 3187 if ($device_ips && $ipset =~ /^ipfilter-(net\d+)$/) {
3188 if (my $ips = $device_ips->{$1}) {
3189 $options = [@$options, @$ips];
3190 }
3191 }
3192
88c26d5e
DM		 3193 # remove duplicates
3194 my $nethash = {};
3195 foreach my $entry (@$options) {
3196 next if $entry->{errors}; # skip entries with errors
3197 eval {
3198 my ($cidr, $ver);
3199 if ($entry->{cidr} =~ m/^${ip_alias_pattern}$/) {
3200 ($cidr, $ver) = resolve_alias($clusterfw_conf, $fw_conf, $entry->{cidr});
3201 } else {
3202 ($cidr, $ver) = parse_ip_or_cidr($entry->{cidr});
3203 }
3204 #http://backreference.org/2013/03/01/ipv6-address-normalization/
3205 if ($ver == 6) {
e0a9139f
WB		 3206 # ip_compress_address takes an address only, no CIDR
3207 my ($addr, $prefix_len) = ($cidr =~ m@^([^/]*)(/.*)?$@);
3208 $cidr = lc(Net::IP::ip_compress_address($addr, 6));
3209 $cidr .= $prefix_len if defined($prefix_len);
88c26d5e
DM		 3210 $cidr =~ s|/128$||;
3211 } else {
3212 $cidr =~ s|/32$||;
3213 }
34cdedfa 3214
88c26d5e
DM		 3215 $nethash->{$ver}->{$cidr} = { cidr => $cidr, nomatch => $entry->{nomatch} };
3216 };
3217 warn $@ if $@;
3218 }
6d959e3f 3219
88c26d5e
DM		 3220 foreach my $ipversion (4, 6) {
3221 my $data = $nethash->{$ipversion};
30f1b100 3222
88c26d5e 3223 my $name = compute_ipset_chain_name($fw_conf->{vmid}, $ipset, $ipversion);
6d959e3f 3224
88c26d5e
DM		 3225 my $hashsize = scalar(@$options);
3226 if ($hashsize <= 64) {
3227 $hashsize = 64;
3228 } else {
3229 $hashsize = round_powerof2($hashsize);
3230 }
6d959e3f 3231
88c26d5e 3232 my $family = $ipversion == "6" ? "inet6" : "inet";
30f1b100 3233
88c26d5e 3234 $ipset_ruleset->{$name} = ["create $name hash:net family $family hashsize $hashsize maxelem $hashsize"];
6d959e3f 3235
88c26d5e
DM		 3236 foreach my $cidr (sort keys %$data) {
3237 my $entry = $data->{$cidr};
6d959e3f 3238
88c26d5e
DM		 3239 my $cmd = "add $name $cidr";
3240 if ($entry->{nomatch}) {
3241 if ($feature_ipset_nomatch) {
3242 push @{$ipset_ruleset->{$name}}, "$cmd nomatch";
3243 } else {
3244 warn "ignore !$cidr - nomatch not supported by kernel\n";
3245 }
6d959e3f 3246 } else {
88c26d5e 3247 push @{$ipset_ruleset->{$name}}, $cmd;
6d959e3f 3248 }
9d6f90e6 3249 }
9d6f90e6 3250 }
34cdedfa 3251 }
2a052ee3
AD		 3252}
3253
3254sub round_powerof2 {
dd7a13fd 3255 my ($int) = @_;
2a052ee3 3256
dd7a13fd
DM		 3257 $int--;
3258 $int |= $int >> $_ foreach (1,2,4,8,16);
3259 return ++$int;
34cdedfa
AD		 3260}
3261
fca39c2c 3262sub load_clusterfw_conf {
d4cda423 3263 my ($filename, $verbose) = @_;
8aef5177
DM		 3264
3265 $filename = $clusterfw_conf_filename if !defined($filename);
530c005e 3266
fca39c2c 3267 my $cluster_conf = {};
8aef5177 3268 if (my $fh = IO::File->new($filename, O_RDONLY)) {
e5cd1ee0 3269 $cluster_conf = parse_clusterfw_config($filename, $fh, $verbose);
51bae274 3270 }
5e1267a5 3271
fca39c2c 3272 return $cluster_conf;
e5d76bde
DM		 3273}
3274
fca39c2c
DM		 3275sub save_clusterfw_conf {
3276 my ($cluster_conf) = @_;
9c7e0858
DM		 3277
3278 my $raw = '';
9c7e0858 3279
c6f5cc88 3280 my $options = $cluster_conf->{options};
89ea63c8 3281 $raw .= &$format_options($options) if $options && scalar(keys %$options);
9c7e0858 3282
0d5f0a0f 3283 my $aliases = $cluster_conf->{aliases};
89ea63c8 3284 $raw .= &$format_aliases($aliases) if $aliases && scalar(keys %$aliases);
e34d0e58 3285
89ea63c8 3286 $raw .= &$format_ipsets($cluster_conf) if $cluster_conf->{ipset};
1210ae94 3287
c6f5cc88 3288 my $rules = $cluster_conf->{rules};
89ea63c8 3289 if ($rules && scalar(@$rules)) {
c6f5cc88 3290 $raw .= "[RULES]\n\n";
63c91681 3291 $raw .= &$format_rules($rules, 1);
c6f5cc88
DM		 3292 $raw .= "\n";
3293 }
3294
89ea63c8
DM		 3295 if ($cluster_conf->{groups}) {
3296 foreach my $group (sort keys %{$cluster_conf->{groups}}) {
3297 my $rules = $cluster_conf->{groups}->{$group};
3298 if (my $comment = $cluster_conf->{group_comments}->{$group}) {
3299 my $utf8comment = encode('utf8', $comment);
3300 $raw .= "[group $group] # $utf8comment\n\n";
3301 } else {
3302 $raw .= "[group $group]\n\n";
3303 }
0d22acb3 3304
89ea63c8
DM		 3305 $raw .= &$format_rules($rules, 0);
3306 $raw .= "\n";
3307 }
9c7e0858
DM		 3308 }
3309
c32e04e6
FG		 3310 if ($raw) {
3311 mkdir $pvefw_conf_dir;
3312 PVE::Tools::file_set_contents($clusterfw_conf_filename, $raw);
3313 } else {
3314 unlink $clusterfw_conf_filename;
3315 }
9c7e0858
DM		 3316}
3317
8b27beb9 3318sub load_hostfw_conf {
a523e057 3319 my ($cluster_conf, $filename, $verbose) = @_;
8aef5177
DM		 3320
3321 $filename = $hostfw_conf_filename if !defined($filename);
8b27beb9
DM		 3322
3323 my $hostfw_conf = {};
8aef5177 3324 if (my $fh = IO::File->new($filename, O_RDONLY)) {
e5cd1ee0 3325 $hostfw_conf = parse_hostfw_config($filename, $fh, $cluster_conf, $verbose);
8b27beb9
DM		 3326 }
3327 return $hostfw_conf;
3328}
3329
63c91681
DM		 3330sub save_hostfw_conf {
3331 my ($hostfw_conf) = @_;
3332
3333 my $raw = '';
3334
3335 my $options = $hostfw_conf->{options};
89ea63c8 3336 $raw .= &$format_options($options) if $options && scalar(keys %$options);
cbb5d6f3 3337
63c91681 3338 my $rules = $hostfw_conf->{rules};
89ea63c8 3339 if ($rules && scalar(@$rules)) {
63c91681
DM		 3340 $raw .= "[RULES]\n\n";
3341 $raw .= &$format_rules($rules, 1);
3342 $raw .= "\n";
3343 }
3344
c32e04e6
FG		 3345 if ($raw) {
3346 PVE::Tools::file_set_contents($hostfw_conf_filename, $raw);
3347 } else {
3348 unlink $hostfw_conf_filename;
3349 }
63c91681
DM		 3350}
3351
e5d76bde 3352sub compile {
d4cda423 3353 my ($cluster_conf, $hostfw_conf, $vmdata, $verbose) = @_;
3dfa8a7f 3354
8aef5177
DM		 3355 my $vmfw_configs;
3356
3357 if ($vmdata) { # test mode
3358 my $testdir = $vmdata->{testdir} || die "no test directory specified";
3359 my $filename = "$testdir/cluster.fw";
d4cda423 3360 $cluster_conf = load_clusterfw_conf($filename, $verbose);
8aef5177
DM		 3361
3362 $filename = "$testdir/host.fw";
a523e057 3363 $hostfw_conf = load_hostfw_conf($cluster_conf, $filename, $verbose);
8aef5177 3364
a523e057 3365 $vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, $testdir, $verbose);
8aef5177 3366 } else { # normal operation
d4cda423 3367 $cluster_conf = load_clusterfw_conf(undef, $verbose) if !$cluster_conf;
8aef5177 3368
a523e057 3369 $hostfw_conf = load_hostfw_conf($cluster_conf, undef, $verbose) if !$hostfw_conf;
8aef5177
DM		 3370
3371 $vmdata = read_local_vm_config();
a523e057 3372 $vmfw_configs = read_vm_firewall_configs($cluster_conf, $vmdata, undef, $verbose);
8aef5177 3373 }
3dfa8a7f 3374
147dd882 3375 return ({},{},{}) if !$cluster_conf->{options}->{enable};
9268573a 3376
525778d7
DM		 3377 my $localnet;
3378 if ($cluster_conf->{aliases}->{local_network}) {
3379 $localnet = $cluster_conf->{aliases}->{local_network}->{cidr};
3380 } else {
afcd29b3
DM		 3381 my $localnet_ver;
3382 ($localnet, $localnet_ver) = parse_ip_or_cidr(local_network() || '127.0.0.0/8');
3383
3384 $cluster_conf->{aliases}->{local_network} = {
3385 name => 'local_network', cidr => $localnet, ipversion => $localnet_ver };
525778d7
DM		 3386 }
3387
3388 push @{$cluster_conf->{ipset}->{management}}, { cidr => $localnet };
bfc488f6 3389
147dd882
WB		 3390 my $ruleset = compile_iptables_filter($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, 4, $verbose);
3391 my $rulesetv6 = compile_iptables_filter($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, 6, $verbose);
3392 my $ipset_ruleset = compile_ipsets($cluster_conf, $vmfw_configs, $vmdata);
3393
3394 return ($ruleset, $ipset_ruleset, $rulesetv6);
3395}
3396
3397sub compile_iptables_filter {
3398 my ($cluster_conf, $hostfw_conf, $vmfw_configs, $vmdata, $ipversion, $verbose) = @_;
085fd492 3399
3fa83edf
DM		 3400 my $ruleset = {};
3401
dec84fcd
DM		 3402 ruleset_create_chain($ruleset, "PVEFW-INPUT");
3403 ruleset_create_chain($ruleset, "PVEFW-OUTPUT");
5b1df9a0 3404
fadb13dd 3405 ruleset_create_chain($ruleset, "PVEFW-FORWARD");
e34d0e58 3406
8b27beb9 3407 my $hostfw_options = $hostfw_conf->{options} || {};
fadb13dd 3408
88733a74
AD		 3409 # fixme: what log level should we use here?
3410 my $loglevel = get_option_log_level($hostfw_options, "log_level_out");
3411
097820b0 3412 ruleset_chain_add_conn_filters($ruleset, "PVEFW-FORWARD", "ACCEPT");
88733a74 3413
e2943485 3414 ruleset_create_chain($ruleset, "PVEFW-FWBR-IN");
88c26d5e 3415 ruleset_chain_add_input_filters($ruleset, "PVEFW-FWBR-IN", $ipversion, $hostfw_options, $cluster_conf, $loglevel);
e2943485 3416
1e9c5070 3417 ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-in fwln+", "-j PVEFW-FWBR-IN");
e2943485
DM		 3418
3419 ruleset_create_chain($ruleset, "PVEFW-FWBR-OUT");
1e9c5070 3420 ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-bridged --physdev-out fwln+", "-j PVEFW-FWBR-OUT");
e2943485 3421
db8a955f 3422 generate_std_chains($ruleset, $hostfw_options, $ipversion);
fadb13dd 3423
6d2ab017 3424 my $hostfw_enable = !(defined($hostfw_options->{enable}) && ($hostfw_options->{enable} == 0));
2d404ffc 3425
35d1d6da 3426 if ($hostfw_enable) {
aedde2c2 3427 eval { enable_host_firewall($ruleset, $hostfw_conf, $cluster_conf, $ipversion); };
1a9978ed
DM		 3428 warn $@ if $@; # just to be sure - should not happen
3429 }
3fa83edf 3430
6158271d 3431 # generate firewall rules for QEMU VMs
0a0ba19e 3432 foreach my $vmid (sort keys %{$vmdata->{qemu}}) {
1a9978ed
DM		 3433 eval {
3434 my $conf = $vmdata->{qemu}->{$vmid};
3435 my $vmfw_conf = $vmfw_configs->{$vmid};
3436 return if !$vmfw_conf;
1a9978ed 3437
0a0ba19e 3438 foreach my $netid (sort keys %$conf) {
1a9978ed
DM		 3439 next if $netid !~ m/^net(\d+)$/;
3440 my $net = PVE::QemuServer::parse_net($conf->{$netid});
3441 next if !$net->{firewall};
3442 my $iface = "tap${vmid}i$1";
3443
3444 my $macaddr = $net->{macaddr};
3445 generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
84870b1a 3446 $vmfw_conf, $vmid, 'IN', $ipversion);
1a9978ed 3447 generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
84870b1a 3448 $vmfw_conf, $vmid, 'OUT', $ipversion);
1a9978ed
DM		 3449 }
3450 };
3451 warn $@ if $@; # just to be sure - should not happen
3fa83edf 3452 }
c8301d63 3453
3b4882dc 3454 # generate firewall rules for LXC containers
0a0ba19e 3455 foreach my $vmid (sort keys %{$vmdata->{lxc}}) {
3b4882dc
AG		 3456 eval {
3457 my $conf = $vmdata->{lxc}->{$vmid};
3458 my $vmfw_conf = $vmfw_configs->{$vmid};
3459 return if !$vmfw_conf;
3460
3b4882dc 3461 if ($vmfw_conf->{options}->{enable}) {
0a0ba19e 3462 foreach my $netid (sort keys %$conf) {
3b4882dc 3463 next if $netid !~ m/^net(\d+)$/;
a7c85d56 3464 my $net = PVE::LXC::Config->parse_lxc_network($conf->{$netid});
3b4882dc
AG		 3465 next if !$net->{firewall};
3466 my $iface = "veth${vmid}i$1";
3467 my $macaddr = $net->{hwaddr};
3468 generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
3469 $vmfw_conf, $vmid, 'IN', $ipversion);
3470 generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
3471 $vmfw_conf, $vmid, 'OUT', $ipversion);
3472 }
3473 }
3474 };
3475 warn $@ if $@; # just to be sure - should not happen
3476 }
3477
097820b0 3478 if(ruleset_chain_exist($ruleset, "PVEFW-IPS")){
1e9c5070 3479 ruleset_insertrule($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED", "-j PVEFW-IPS");
097820b0
AD		 3480 }
3481
147dd882
WB		 3482 return $ruleset;
3483}
3484
ebf72e49
WB		 3485sub mac_to_linklocal {
3486 my ($macaddr) = @_;
3487 my @parts = split(/:/, $macaddr);
3488 # The standard link local address uses the fe80::/64 prefix with the
3489 # modified EUI-64 identifier derived from the MAC address by flipping the
3490 # universal/local bit and inserting FF:FE in the middle.
3491 # See RFC 4291.
3492 $parts[0] = sprintf("%02x", hex($parts[0]) ^ 0x02);
3493 my @meui64 = (@parts[0,1,2], 'ff', 'fe', @parts[3,4,5]);
3494 return "fe80::$parts[0]$parts[1]:$parts[2]FF:FE$parts[3]:$parts[4]$parts[5]";
3495}
3496
147dd882
WB		 3497sub compile_ipsets {
3498 my ($cluster_conf, $vmfw_configs, $vmdata) = @_;
3499
3500 my $localnet;
3501 if ($cluster_conf->{aliases}->{local_network}) {
3502 $localnet = $cluster_conf->{aliases}->{local_network}->{cidr};
3503 } else {
3504 my $localnet_ver;
3505 ($localnet, $localnet_ver) = parse_ip_or_cidr(local_network() || '127.0.0.0/8');
3506
3507 $cluster_conf->{aliases}->{local_network} = {
3508 name => 'local_network', cidr => $localnet, ipversion => $localnet_ver };
3509 }
3510
3511 push @{$cluster_conf->{ipset}->{management}}, { cidr => $localnet };
3512
3513
3514 my $ipset_ruleset = {};
3515
3516 # generate ipsets for QEMU VMs
3517 foreach my $vmid (keys %{$vmdata->{qemu}}) {
3518 eval {
3519 my $conf = $vmdata->{qemu}->{$vmid};
3520 my $vmfw_conf = $vmfw_configs->{$vmid};
3521 return if !$vmfw_conf;
3522
74601077
WB		 3523 # When the 'ipfilter' option is enabled every device for which there
3524 # is no 'ipfilter-netX' ipset defiend gets an implicit empty default
3525 # ipset.
3526 # The reason is that ipfilter ipsets are always filled with standard
3527 # IPv6 link-local filters.
3528 my $ipsets = $vmfw_conf->{ipset};
3529 my $implicit_sets = {};
3530
ebf72e49
WB		 3531 my $device_ips = {};
3532 foreach my $netid (keys %$conf) {
3533 next if $netid !~ m/^net(\d+)$/;
3534 my $net = PVE::QemuServer::parse_net($conf->{$netid});
3535 next if !$net->{firewall};
3536
74601077
WB		 3537 if ($vmfw_conf->{options}->{ipfilter} && !$ipsets->{"ipfilter-$netid"}) {
3538 $implicit_sets->{"ipfilter-$netid"} = [];
3539 }
3540
ebf72e49
WB		 3541 my $macaddr = $net->{macaddr};
3542 my $linklocal = mac_to_linklocal($macaddr);
3543 $device_ips->{$netid} = [
3544 { cidr => $linklocal },
3545 { cidr => 'fe80::/10', nomatch => 1 }
3546 ];
3547 }
3548
74601077
WB		 3549 generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf, $device_ips, $ipsets);
3550 generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf, $device_ips, $implicit_sets);
147dd882
WB		 3551 };
3552 warn $@ if $@; # just to be sure - should not happen
3553 }
3554
3555 # generate firewall rules for LXC containers
3556 foreach my $vmid (keys %{$vmdata->{lxc}}) {
aa229652
WB		 3557 eval {
3558 my $conf = $vmdata->{lxc}->{$vmid};
3559 my $vmfw_conf = $vmfw_configs->{$vmid};
3560 return if !$vmfw_conf;
147dd882 3561
74601077
WB		 3562 # When the 'ipfilter' option is enabled every device for which there
3563 # is no 'ipfilter-netX' ipset defiend gets an implicit empty default
3564 # ipset.
3565 # The reason is that ipfilter ipsets are always filled with standard
383fe679
WB		 3566 # IPv6 link-local filters, as well as the IP addresses configured
3567 # for the container.
74601077
WB		 3568 my $ipsets = $vmfw_conf->{ipset};
3569 my $implicit_sets = {};
3570
ebf72e49
WB		 3571 my $device_ips = {};
3572 foreach my $netid (keys %$conf) {
3573 next if $netid !~ m/^net(\d+)$/;
a7c85d56 3574 my $net = PVE::LXC::Config->parse_lxc_network($conf->{$netid});
ebf72e49
WB		 3575 next if !$net->{firewall};
3576
74601077
WB		 3577 if ($vmfw_conf->{options}->{ipfilter} && !$ipsets->{"ipfilter-$netid"}) {
3578 $implicit_sets->{"ipfilter-$netid"} = [];
3579 }
3580
ebf72e49
WB		 3581 my $macaddr = $net->{hwaddr};
3582 my $linklocal = mac_to_linklocal($macaddr);
383fe679 3583 my $set = $device_ips->{$netid} = [
ebf72e49
WB		 3584 { cidr => $linklocal },
3585 { cidr => 'fe80::/10', nomatch => 1 }
3586 ];
37ef1ce1 3587 if (defined($net->{ip}) && $net->{ip} =~ m!^($IPV4RE)(?:/\d+)?$!) {
383fe679
WB		 3588 push @$set, { cidr => $1 };
3589 }
37ef1ce1 3590 if (defined($net->{ip6}) && $net->{ip6} =~ m!^($IPV6RE)(?:/\d+)?$!) {
383fe679
WB		 3591 push @$set, { cidr => $1 };
3592 }
ebf72e49
WB		 3593 }
3594
74601077
WB		 3595 generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf, $device_ips, $ipsets);
3596 generate_ipset_chains($ipset_ruleset, $cluster_conf, $vmfw_conf, $device_ips, $implicit_sets);
aa229652
WB		 3597 };
3598 warn $@ if $@; # just to be sure - should not happen
147dd882
WB		 3599 }
3600
74601077 3601 generate_ipset_chains($ipset_ruleset, undef, $cluster_conf, undef, $cluster_conf->{ipset});
27083984 3602
147dd882 3603 return $ipset_ruleset;
3fa83edf
DM		 3604}
3605
3606sub get_ruleset_status {
4bd0a9c4 3607 my ($ruleset, $active_chains, $digest_fn, $verbose) = @_;
3fa83edf
DM		 3608
3609 my $statushash = {};
3610
3611 foreach my $chain (sort keys %$ruleset) {
4bd0a9c4 3612 my $sig = &$digest_fn($ruleset->{$chain});
9bf7d929 3613
3fa83edf
DM		 3614 $statushash->{$chain}->{sig} = $sig;
3615
3616 my $oldsig = $active_chains->{$chain};
3617 if (!defined($oldsig)) {
3618 $statushash->{$chain}->{action} = 'create';
3619 } else {
3620 if ($oldsig eq $sig) {
3621 $statushash->{$chain}->{action} = 'exists';
3622 } else {
3623 $statushash->{$chain}->{action} = 'update';
3624 }
3625 }
3626 print "$statushash->{$chain}->{action} $chain ($sig)\n" if $verbose;
3627 foreach my $cmd (@{$ruleset->{$chain}}) {
3628 print "\t$cmd\n" if $verbose;
3629 }
3630 }
3631
3632 foreach my $chain (sort keys %$active_chains) {
3633 if (!defined($ruleset->{$chain})) {
3634 my $sig = $active_chains->{$chain};
3635 $statushash->{$chain}->{action} = 'delete';
3636 $statushash->{$chain}->{sig} = $sig;
3637 print "delete $chain ($sig)\n" if $verbose;
3638 }
6158271d 3639 }
2a052ee3 3640
3fa83edf
DM		 3641 return $statushash;
3642}
3643
3fa83edf
DM		 3644sub print_sig_rule {
3645 my ($chain, $sig) = @_;
3646
09d5f68e
DM		 3647 # We just use this to store a SHA1 checksum used to detect changes
3648 return "-A $chain -m comment --comment \"PVESIG:$sig\"\n";
b6360c3f
DM		 3649}
3650
df7cb349 3651sub get_ruleset_cmdlist {
17da5c0f 3652 my ($ruleset, $verbose, $iptablescmd) = @_;
3fa83edf 3653
3fa83edf 3654 my $cmdlist = "*filter\n"; # we pass this to iptables-restore;
cbb5d6f3 3655
17da5c0f 3656 my ($active_chains, $hooks) = iptables_get_chains($iptablescmd);
4bd0a9c4 3657 my $statushash = get_ruleset_status($ruleset, $active_chains, \&iptables_chain_digest, $verbose);
3fa83edf
DM		 3658
3659 # create missing chains first
3660 foreach my $chain (sort keys %$ruleset) {
3661 my $stat = $statushash->{$chain};
3662 die "internal error" if !$stat;
3663 next if $stat->{action} ne 'create';
886aba9c 3664
3fa83edf
DM		 3665 $cmdlist .= ":$chain - [0:0]\n";
3666 }
3667
4bd0a9c4 3668 foreach my $h (qw(INPUT OUTPUT FORWARD)) {
55fad3b7
DM		 3669 my $chain = "PVEFW-$h";
3670 if ($ruleset->{$chain} && !$hooks->{$h}) {
3671 $cmdlist .= "-A $h -j $chain\n";
4bd0a9c4 3672 }
3fa83edf
DM		 3673 }
3674
3675 foreach my $chain (sort keys %$ruleset) {
3676 my $stat = $statushash->{$chain};
3677 die "internal error" if !$stat;
3678
3679 if ($stat->{action} eq 'update' || $stat->{action} eq 'create') {
3680 $cmdlist .= "-F $chain\n";
3681 foreach my $cmd (@{$ruleset->{$chain}}) {
3682 $cmdlist .= "$cmd\n";
3683 }
3684 $cmdlist .= print_sig_rule($chain, $stat->{sig});
3685 } elsif ($stat->{action} eq 'delete') {
f5d28682 3686 die "internal error"; # this should not happen
3fa83edf
DM		 3687 } elsif ($stat->{action} eq 'exists') {
3688 # do nothing
3689 } else {
3690 die "internal error - unknown status '$stat->{action}'";
3691 }
3692 }
3693
f5d28682
DM		 3694 foreach my $chain (keys %$statushash) {
3695 next if $statushash->{$chain}->{action} ne 'delete';
3696 $cmdlist .= "-F $chain\n";
3697 }
3698 foreach my $chain (keys %$statushash) {
3699 next if $statushash->{$chain}->{action} ne 'delete';
fadb13dd
DM		 3700 next if $chain eq 'PVEFW-INPUT';
3701 next if $chain eq 'PVEFW-OUTPUT';
3702 next if $chain eq 'PVEFW-FORWARD';
f5d28682
DM		 3703 $cmdlist .= "-X $chain\n";
3704 }
3705
3f95d14a 3706 my $changes = $cmdlist ne "*filter\n" ? 1 : 0;
4bd0a9c4 3707
3fa83edf
DM		 3708 $cmdlist .= "COMMIT\n";
3709
3f95d14a 3710 return wantarray ? ($cmdlist, $changes) : $cmdlist;
6b9f68a2
DM		 3711}
3712
34cdedfa 3713sub get_ipset_cmdlist {
dd7a13fd 3714 my ($ruleset, $verbose) = @_;
34cdedfa
AD		 3715
3716 my $cmdlist = "";
3717
dd7a13fd
DM		 3718 my $delete_cmdlist = "";
3719
4bd0a9c4
DM		 3720 my $active_chains = ipset_get_chains();
3721 my $statushash = get_ruleset_status($ruleset, $active_chains, \&ipset_chain_digest, $verbose);
34cdedfa 3722
e34d0e58 3723 # remove stale _swap chains
30f1b100
DM		 3724 foreach my $chain (keys %$active_chains) {
3725 if ($chain =~ m/^PVEFW-\S+_swap$/) {
3726 $cmdlist .= "destroy $chain\n";
3727 }
3728 }
3729
c69cf614 3730 foreach my $chain (keys %$ruleset) {
c69cf614
DM		 3731 my $stat = $statushash->{$chain};
3732 die "internal error" if !$stat;
3733
3734 if ($stat->{action} eq 'create') {
3735 foreach my $cmd (@{$ruleset->{$chain}}) {
3736 $cmdlist .= "$cmd\n";
3737 }
3738 }
3739 }
3740
3741 foreach my $chain (keys %$ruleset) {
6d959e3f
DM		 3742 my $stat = $statushash->{$chain};
3743 die "internal error" if !$stat;
34cdedfa 3744
dd7a13fd
DM		 3745 if ($stat->{action} eq 'update') {
3746 my $chain_swap = $chain."_swap";
cbb5d6f3 3747
dd7a13fd
DM		 3748 foreach my $cmd (@{$ruleset->{$chain}}) {
3749 $cmd =~ s/$chain/$chain_swap/;
3750 $cmdlist .= "$cmd\n";
34cdedfa 3751 }
dd7a13fd
DM		 3752 $cmdlist .= "swap $chain_swap $chain\n";
3753 $cmdlist .= "flush $chain_swap\n";
3754 $cmdlist .= "destroy $chain_swap\n";
2a052ee3 3755 }
dd7a13fd 3756 }
3f95d14a 3757
88c26d5e 3758 # the remove unused chains
c69cf614 3759 foreach my $chain (keys %$statushash) {
dd7a13fd 3760 next if $statushash->{$chain}->{action} ne 'delete';
2a052ee3 3761
dd7a13fd
DM		 3762 $delete_cmdlist .= "flush $chain\n";
3763 $delete_cmdlist .= "destroy $chain\n";
34cdedfa
AD		 3764 }
3765
dd7a13fd 3766 my $changes = ($cmdlist || $delete_cmdlist) ? 1 : 0;
cbb5d6f3 3767
dd7a13fd 3768 return ($cmdlist, $delete_cmdlist, $changes);
34cdedfa
AD		 3769}
3770
6b9f68a2 3771sub apply_ruleset {
17da5c0f 3772 my ($ruleset, $hostfw_conf, $ipset_ruleset, $rulesetv6, $verbose) = @_;
6b9f68a2
DM		 3773
3774 enable_bridge_firewall();
3775
cbb5d6f3 3776 my ($ipset_create_cmdlist, $ipset_delete_cmdlist, $ipset_changes) =
9a462317 3777 get_ipset_cmdlist($ipset_ruleset, $verbose);
6b9f68a2 3778
81a0bf43 3779 my ($cmdlist, $changes) = get_ruleset_cmdlist($ruleset, $verbose);
17da5c0f 3780 my ($cmdlistv6, $changesv6) = get_ruleset_cmdlist($rulesetv6, $verbose, "ip6tables");
2a052ee3 3781
81a0bf43
DM		 3782 if ($verbose) {
3783 if ($ipset_changes) {
3784 print "ipset changes:\n";
3785 print $ipset_create_cmdlist if $ipset_create_cmdlist;
3786 print $ipset_delete_cmdlist if $ipset_delete_cmdlist;
3787 }
3f95d14a 3788
81a0bf43
DM		 3789 if ($changes) {
3790 print "iptables changes:\n";
3791 print $cmdlist;
3792 }
17da5c0f
AD		 3793
3794 if ($changesv6) {
3795 print "ip6tables changes:\n";
3796 print $cmdlistv6;
3797 }
81a0bf43 3798 }
3fa83edf 3799
259db1e6
DM		 3800 my $tmpfile = "$pve_fw_status_dir/ipsetcmdlist1";
3801 PVE::Tools::file_set_contents($tmpfile, $ipset_create_cmdlist || '');
3802
2a052ee3 3803 ipset_restore_cmdlist($ipset_create_cmdlist);
34cdedfa 3804
259db1e6
DM		 3805 $tmpfile = "$pve_fw_status_dir/ip4cmdlist";
3806 PVE::Tools::file_set_contents($tmpfile, $cmdlist || '');
3807
3fa83edf 3808 iptables_restore_cmdlist($cmdlist);
259db1e6
DM		 3809
3810 $tmpfile = "$pve_fw_status_dir/ip6cmdlist";
3811 PVE::Tools::file_set_contents($tmpfile, $cmdlistv6 || '');
3812
17da5c0f 3813 ip6tables_restore_cmdlist($cmdlistv6);
3fa83edf 3814
259db1e6
DM		 3815 $tmpfile = "$pve_fw_status_dir/ipsetcmdlist2";
3816 PVE::Tools::file_set_contents($tmpfile, $ipset_delete_cmdlist || '');
3817
dd7a13fd 3818 ipset_restore_cmdlist($ipset_delete_cmdlist) if $ipset_delete_cmdlist;
2a052ee3 3819
6158271d 3820 # test: re-read status and check if everything is up to date
4bd0a9c4 3821 my $active_chains = iptables_get_chains();
81a0bf43 3822 my $statushash = get_ruleset_status($ruleset, $active_chains, \&iptables_chain_digest, 0);
3fa83edf
DM		 3823
3824 my $errors;
3825 foreach my $chain (sort keys %$ruleset) {
3826 my $stat = $statushash->{$chain};
3827 if ($stat->{action} ne 'exists') {
3828 warn "unable to update chain '$chain'\n";
3829 $errors = 1;
3830 }
3831 }
b6360c3f 3832
17da5c0f
AD		 3833 my $active_chainsv6 = iptables_get_chains("ip6tables");
3834 my $statushashv6 = get_ruleset_status($rulesetv6, $active_chainsv6, \&iptables_chain_digest, 0);
3835
3836 foreach my $chain (sort keys %$rulesetv6) {
3837 my $stat = $statushashv6->{$chain};
3838 if ($stat->{action} ne 'exists') {
3839 warn "unable to update chain '$chain'\n";
3840 $errors = 1;
3841 }
3842 }
3843
3fa83edf 3844 die "unable to apply firewall changes\n" if $errors;
46a2ac1f
AD		 3845
3846 update_nf_conntrack_max($hostfw_conf);
3847
3848 update_nf_conntrack_tcp_timeout_established($hostfw_conf);
3849
b6360c3f
DM		 3850}
3851
490cdead
DM		 3852sub update_nf_conntrack_max {
3853 my ($hostfw_conf) = @_;
3854
3855 my $max = 65536; # reasonable default
3856
3857 my $options = $hostfw_conf->{options} || {};
3858
3859 if (defined($options->{nf_conntrack_max}) && ($options->{nf_conntrack_max} > $max)) {
3860 $max = $options->{nf_conntrack_max};
3861 $max = int(($max+ 8191)/8192)*8192; # round to multiples of 8192
3862 }
3863
3864 my $filename_nf_conntrack_max = "/proc/sys/net/nf_conntrack_max";
3865 my $filename_hashsize = "/sys/module/nf_conntrack/parameters/hashsize";
3866
3867 my $current = int(PVE::Tools::file_read_firstline($filename_nf_conntrack_max) || $max);
3868
3869 if ($current != $max) {
3870 my $hashsize = int($max/4);
3871 PVE::ProcFSTools::write_proc_entry($filename_hashsize, $hashsize);
3872 PVE::ProcFSTools::write_proc_entry($filename_nf_conntrack_max, $max);
3873 }
3874}
3875
28c082a1
AD		 3876sub update_nf_conntrack_tcp_timeout_established {
3877 my ($hostfw_conf) = @_;
3878
3879 my $options = $hostfw_conf->{options} || {};
3880
3881 my $value = defined($options->{nf_conntrack_tcp_timeout_established}) ? $options->{nf_conntrack_tcp_timeout_established} : 432000;
3882
3883 PVE::ProcFSTools::write_proc_entry("/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established", $value);
3884}
3885
c4a2e5ae
DM		 3886sub remove_pvefw_chains {
3887
7b7b2654
AD		 3888 PVE::Firewall::remove_pvefw_chains_iptables("iptables");
3889 PVE::Firewall::remove_pvefw_chains_iptables("ip6tables");
3890 PVE::Firewall::remove_pvefw_chains_ipset();
3891
3892}
3893
3894sub remove_pvefw_chains_iptables {
3895 my ($iptablescmd) = @_;
3896
3897 my ($chash, $hooks) = iptables_get_chains($iptablescmd);
c4a2e5ae
DM		 3898 my $cmdlist = "*filter\n";
3899
3900 foreach my $h (qw(INPUT OUTPUT FORWARD)) {
3901 if ($hooks->{$h}) {
3902 $cmdlist .= "-D $h -j PVEFW-$h\n";
3903 }
3904 }
cbb5d6f3 3905
c4a2e5ae
DM		 3906 foreach my $chain (keys %$chash) {
3907 $cmdlist .= "-F $chain\n";
3908 }
3909
3910 foreach my $chain (keys %$chash) {
3911 $cmdlist .= "-X $chain\n";
3912 }
3913 $cmdlist .= "COMMIT\n";
3914
7b7b2654
AD		 3915 if($iptablescmd eq "ip6tables") {
3916 ip6tables_restore_cmdlist($cmdlist);
3917 } else {
3918 iptables_restore_cmdlist($cmdlist);
3919 }
3920}
3921
3922sub remove_pvefw_chains_ipset {
55fad3b7
DM		 3923
3924 my $ipset_chains = ipset_get_chains();
3925
7b7b2654 3926 my $cmdlist = "";
55fad3b7
DM		 3927
3928 foreach my $chain (keys %$ipset_chains) {
88c26d5e
DM		 3929 $cmdlist .= "flush $chain\n";
3930 $cmdlist .= "destroy $chain\n";
55fad3b7
DM		 3931 }
3932
7b7b2654 3933 ipset_restore_cmdlist($cmdlist) if $cmdlist;
c4a2e5ae
DM		 3934}
3935
8b453a09
DM		 3936sub init {
3937 my $cluster_conf = load_clusterfw_conf();
3938 my $cluster_options = $cluster_conf->{options};
3939 my $enable = $cluster_options->{enable};
3940
3941 return if !$enable;
3942
3943 # load required modules here
3944}
3945
6b9f68a2 3946sub update {
6b9f68a2 3947 my $code = sub {
3dfa8a7f
DM		 3948
3949 my $cluster_conf = load_clusterfw_conf();
3950 my $cluster_options = $cluster_conf->{options};
3951
55fad3b7 3952 if (!$cluster_options->{enable}) {
b22130d3 3953 PVE::Firewall::remove_pvefw_chains();
3dfa8a7f
DM		 3954 return;
3955 }
3956
50f9a28d 3957 my $hostfw_conf = load_hostfw_conf($cluster_conf);
3dfa8a7f 3958
638c755a 3959 my ($ruleset, $ipset_ruleset, $rulesetv6) = compile($cluster_conf, $hostfw_conf);
490cdead 3960
17da5c0f 3961 apply_ruleset($ruleset, $hostfw_conf, $ipset_ruleset, $rulesetv6);
6b9f68a2
DM		 3962 };
3963
3964 run_locked($code);
3965}
3966
b6360c3f 39671;
Firewall test scripts