1 | package PVE::Service::pve_firewall; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | use PVE::SafeSyslog; | |
6 | use PVE::Daemon; | |
7 | ||
8 | use Time::HiRes qw (gettimeofday); | |
9 | use PVE::Tools qw(dir_glob_foreach file_read_firstline); | |
10 | use PVE::ProcFSTools; | |
11 | use PVE::INotify; | |
12 | use PVE::Cluster qw(cfs_read_file); | |
c89fafa2 | 13 | use PVE::Corosync; |
14 | use PVE::RPCEnvironment; |
15 | use PVE::CLIHandler; | |
16 | use PVE::Firewall; | |
17 | use PVE::FirewallSimulator; | |
18 | use Data::Dumper; | |
19 | ||
20 | use base qw(PVE::Daemon); | |
21 | ||
# Program name plus original arguments; handed to PVE::Daemon->new below
# (presumably so the daemon can re-exec itself with the same command line
# on restart_daemon() — confirm in PVE::Daemon).
my $cmdline = [$0, @ARGV];

# Passed straight through to PVE::Daemon->new; their meaning is defined there.
my %daemon_options = (restart_on_error => 5, stop_wait_time => 5);

# The single daemon instance; also used by the 'status' method to ask
# whether the service is running.
my $daemon = __PACKAGE__->new('pve-firewall', $cmdline, %daemon_options);

# Local node name, used to look up this host's IP for the simulator.
my $nodename = PVE::INotify::nodename();
29 | ||
# Daemon start-up hook: refresh the cluster filesystem view first so that
# PVE::Firewall::init() reads current configuration.
sub init {
    my ($self) = @_;

    PVE::Cluster::cfs_update();
    PVE::Firewall::init();
}
36 | ||
# Set to 1 by hup(); run()'s sleep loop checks it and triggers restart_daemon().
my $restart_request = 0;
# Wall-clock deadline (epoch seconds) for the end of the current update cycle.
my $next_update = 0;

# Number of completed update cycles; the memory baseline is taken during
# the first ten.
my $cycle = 0;
# Length of one update cycle in seconds (also bounds the sleep loop).
my $updatetime = 10;

# Resident memory (bytes) recorded as the baseline for leak detection.
my $initial_memory_usage;
44 | ||
# Daemon stop hook. Reaps exited children, removes every PVE-managed
# firewall chain and exits with status 0.
#
# Security note: after this returns there is no Proxmox VE firewall on the
# host until the service is started again (see the stop command's help text).
sub shutdown {
    my $self = shift;

    syslog('info', "server closing");

    # Reap children that have already exited; WNOHANG means this never
    # blocks on a child that is still running.
    while (waitpid(-1, POSIX::WNOHANG()) > 0) { }

    syslog('info', "clear firewall rules");

    # Best effort: a failure to clear the chains is reported but must not
    # prevent the daemon from exiting.
    eval { PVE::Firewall::remove_pvefw_chains(); };
    warn $@ if $@;

    $self->exit_daemon(0);
}
60 | ||
# SIGHUP hook. Only flags the request; run()'s sleep loop notices the flag
# and performs the restart outside the signal handler.
sub hup {
    my $self = shift;

    $restart_request = 1;
}
66 | ||
# Daemon main loop: every $updatetime seconds refresh the cluster state and
# let PVE::Firewall::update() reconcile the rules, watch resident memory, and
# honour pending HUP restart requests. Never returns normally.
sub run {
    my ($self) = @_;

    # Warnings are swallowed for the whole loop so a persistent problem does
    # not repeat every cycle. Consequently the only trace of a failing update
    # is the 'status update error' syslog line below; the 'compile' and
    # 'status' CLI commands re-enable warnings for interactive diagnosis.
    local $SIG{'__WARN__'} = 'IGNORE'; # do not fill up logs

    while (1) {
        $next_update = time() + $updatetime;

        my $started = [gettimeofday()];
        eval {
            PVE::Cluster::cfs_update();
            PVE::Firewall::update();
        };
        # A failed update is logged and retried next cycle; whatever rules
        # are currently loaded remain in effect meanwhile (presumably —
        # confirm in PVE::Firewall::update).
        if (my $update_err = $@) {
            syslog('err', "status update error: $update_err");
        }

        my $elapsed = Time::HiRes::tv_interval($started, [gettimeofday()]);
        if ($elapsed > 5) {
            syslog('info', sprintf("firewall update time (%.3f seconds)", $elapsed));
        }

        $cycle++;

        # Leak guard: take the RSS baseline during the first ten cycles,
        # afterwards restart once resident memory grew by more than 5 MiB.
        my $mem = PVE::ProcFSTools::read_memory_usage();
        if (!defined($initial_memory_usage) || $cycle < 10) {
            $initial_memory_usage = $mem->{resident};
        } else {
            my $growth = $mem->{resident} - $initial_memory_usage;
            if ($growth > 5*1024*1024) {
                syslog('info', "restarting server after $cycle cycles to " .
                    "reduce memory usage (free $mem->{resident} ($growth) bytes)");
                $self->restart_daemon();
            }
        }

        # Sleep in 1s steps until the deadline. The step counter bounds the
        # wait even if the clock jumps backwards; a HUP request cuts it short.
        my $steps = 0;
        while (time() < $next_update && $steps < $updatetime && !$restart_request) {
            $steps++;
            sleep(1);
        }

        $self->restart_daemon() if $restart_request;
    }
}
116 | ||
# Register the lifecycle CLI verbs. The stop text warns that stopping
# removes every PVE-managed iptables chain (see shutdown()).
$daemon->register_start_command("Start the Proxmox VE firewall service.");
$daemon->register_restart_command(1, "Restart the Proxmox VE firewall service.");
$daemon->register_stop_command(
    "Stop firewall. This removes all Proxmox VE related iptable rules. The host is unprotected afterwards.");
122 | ||
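# 'status' method: reports whether the daemon runs, whether the firewall is
# enabled in cluster.fw and, for a running daemon, whether the compiled
# ruleset differs from what the cmdlist helpers consider currently applied.
__PACKAGE__->register_method ({
    name => 'status',
    path => 'status',
    method => 'GET',
    description => "Get firewall status.",
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => {
        type => 'object',
        additionalProperties => 0,
        properties => {
            status => {
                type => 'string',
                enum => ['unknown', 'stopped', 'running'],
            },
            enable => {
                description => "Firewall is enabled (in 'cluster.fw')",
                type => 'boolean',
            },
            changes => {
                description => "Set when there are pending changes.",
                type => 'boolean',
                optional => 1,
            }
        },
    },
    code => sub {
        my ($param) = @_;

        local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog

        my $code = sub {
            # Note: this code only ever yields 'running' or 'stopped';
            # 'unknown' from the schema enum is not produced here.
            my $status = $daemon->running() ? 'running' : 'stopped';

            my $res = { status => $status };

            PVE::Firewall::set_verbose(1); # show syntax errors

            my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef);
            $res->{enable} = $cluster_conf->{options}->{enable} ? 1 : 0;

            # 'changes' is only computed while the daemon runs: compile the
            # complete ruleset and ask each cmdlist helper whether applying
            # it would change anything.
            if ($status eq 'running') {
                my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) =
                    PVE::Firewall::compile($cluster_conf, undef, undef);

                PVE::Firewall::set_verbose(0); # do not show iptables details
                # Only the change flags are needed; the command lists are discarded.
                my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset);
                my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset);
                my (undef, $ruleset_changesv6) = PVE::Firewall::get_ruleset_cmdlist($rulesetv6, "ip6tables");
                my (undef, $ebtables_changes) = PVE::Firewall::get_ebtables_cmdlist($ebtables_ruleset);

                $res->{changes} = ($ipset_changes || $ruleset_changes || $ruleset_changesv6 || $ebtables_changes) ? 1 : 0;
            }

            return $res;
        };

        # Run under the firewall lock so the compile/compare does not
        # interleave with an update the daemon may be applying (presumably
        # the same lock PVE::Firewall::update takes — confirm there).
        return PVE::Firewall::run_locked($code);
    }});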
185 | ||
# 'compile' method: compiles the complete ruleset and prints the ipset,
# iptables, ip6tables and ebtables command lists, followed by a verdict on
# whether applying them would change anything. Diagnostic use only; nothing
# is applied.
__PACKAGE__->register_method ({
    name => 'compile',
    path => 'compile',
    method => 'GET',
    description => "Compile and print firewall rules. This is useful for testing.",
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => { type => 'null' },

    code => sub {
        my ($param) = @_;

        local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog

        my $dump_rules = sub {
            # Verbose so the generated command lists (and rule problems)
            # are printed instead of being suppressed.
            PVE::Firewall::set_verbose(1);

            my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef);
            my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) =
                PVE::Firewall::compile($cluster_conf, undef, undef);

            print "ipset cmdlist:\n";
            my (undef, undef, $ipset_dirty) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset);

            print "\niptables cmdlist:\n";
            my (undef, $v4_dirty) = PVE::Firewall::get_ruleset_cmdlist($ruleset);

            print "\nip6tables cmdlist:\n";
            my (undef, $v6_dirty) = PVE::Firewall::get_ruleset_cmdlist($rulesetv6, "ip6tables");

            print "\nebtables cmdlist:\n";
            my (undef, $ebtables_dirty) = PVE::Firewall::get_ebtables_cmdlist($ebtables_ruleset);

            my $pending = $ipset_dirty || $v4_dirty || $v6_dirty || $ebtables_dirty;
            my $verdict = $pending ? "detected changes\n" : "no changes\n";
            print $verdict;

            # Make it obvious when the printed rules would not be enforced anyway.
            print "firewall disabled\n" if !$cluster_conf->{options}->{enable};
        };

        # Hold the firewall lock so the output reflects a consistent snapshot.
        PVE::Firewall::run_locked($dump_rules);

        return undef;
    }});
236 | ||
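# 'localnet' method: prints what the firewall treats as the local network
# (auto-detected vs. the user-defined 'local_network' alias) and, when a
# corosync.conf exists, the per-node link addresses from which cluster
# traffic is accepted.
__PACKAGE__->register_method ({
    name => 'localnet',
    path => 'localnet',
    method => 'GET',
    description => "Print information about local network.",
    parameters => {
        additionalProperties => 0,
        properties => {},
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog

        my $nodename = PVE::INotify::nodename();
        print "local hostname: $nodename\n";

        my $ip = PVE::Cluster::remote_node_ip($nodename);
        print "local IP address: $ip\n";

        my $cluster_conf = PVE::Firewall::load_clusterfw_conf();

        # Fall back to loopback only when nothing could be detected.
        my $localnet = PVE::Firewall::local_network() || '127.0.0.0/8';
        print "network auto detect: $localnet\n";
        # A 'local_network' alias in cluster.fw overrides the detected value.
        if ($cluster_conf->{aliases}->{local_network}) {
            print "using user defined local_network: $cluster_conf->{aliases}->{local_network}->{cidr}\n";
        } else {
            print "using detected local_network: $localnet\n";
        }

        if (PVE::Corosync::check_conf_exists(1)) {
            my $corosync_conf = PVE::Cluster::cfs_read_file("corosync.conf");
            my $corosync_node_found = 0;

            print "\naccepting corosync traffic from/to:\n";

            PVE::Corosync::for_all_corosync_addresses($corosync_conf, undef, sub {
                my ($curr_node_name, $curr_node_ip, undef, $key) = @_;

                $corosync_node_found = 1;

                # Capture into a lexical rather than reading $1 afterwards:
                # $1 keeps its value from an earlier successful match, so a
                # key that does not match would have printed a stale link id.
                my ($link_id) = $key =~ m/(?:ring|link)(\d+)_addr/;
                $link_id = '?' if !defined($link_id);
                print " - $curr_node_name: $curr_node_ip (link: $link_id)\n";
            });

            if (!$corosync_node_found) {
                print " - no nodes found\n";
            }
        }

        return undef;
    }});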
292 | ||
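# 'simulate' method: compiles the ruleset and runs one synthetic packet
# through PVE::FirewallSimulator, printing the resulting action.
#
# Scope caveat: only the IPv4 ruleset and the ipsets are handed to the
# simulator; $rulesetv6 and $ebtables_ruleset are compiled but ignored, and
# source/dest accept IPv4 only. A verdict here therefore says nothing about
# ip6tables or ebtables rules.
__PACKAGE__->register_method ({
    name => 'simulate',
    path => 'simulate',
    method => 'GET',
    description => "Simulate firewall rules. This does not simulate kernel 'routing' table. Instead, this simply assumes that routing from source zone to destination zone is possible.",
    parameters => {
        additionalProperties => 0,
        properties => {
            verbose => {
                description => "Verbose output.",
                type => 'boolean',
                optional => 1,
                default => 0,
            },
            from => {
                description => "Source zone.",
                type => 'string',
                pattern => '(host|outside|vm\d+|ct\d+|vmbr\d+/\S+)',
                optional => 1,
                default => 'outside',
            },
            to => {
                description => "Destination zone.",
                type => 'string',
                pattern => '(host|outside|vm\d+|ct\d+|vmbr\d+/\S+)',
                optional => 1,
                default => 'host',
            },
            protocol => {
                description => "Protocol.",
                type => 'string',
                pattern => '(tcp|udp)',
                optional => 1,
                default => 'tcp',
            },
            dport => {
                description => "Destination port.",
                type => 'integer',
                minValue => 1,
                maxValue => 65535,
                optional => 1,
            },
            sport => {
                description => "Source port.",
                type => 'integer',
                minValue => 1,
                maxValue => 65535,
                optional => 1,
            },
            source => {
                description => "Source IP address.",
                type => 'string', format => 'ipv4',
                optional => 1,
            },
            dest => {
                description => "Destination IP address.",
                type => 'string', format => 'ipv4',
                optional => 1,
            },
        },
    },
    returns => { type => 'null' },
    code => sub {
        my ($param) = @_;

        local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog

        PVE::Firewall::set_verbose($param->{verbose});

        my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE::Firewall::compile();

        PVE::FirewallSimulator::debug();

        my $host_ip = PVE::Cluster::remote_node_ip($nodename);

        PVE::FirewallSimulator::reset_trace();
        print Dumper($ruleset) if $param->{verbose};

        # Synthetic packet; 'proto' falls back to tcp in addition to the
        # schema default.
        my $test = {
            from => $param->{from},
            to => $param->{to},
            proto => $param->{protocol} || 'tcp',
            source => $param->{source},
            dest => $param->{dest},
            dport => $param->{dport},
            sport => $param->{sport},
        };

        # Apply zone defaults here as well (the schema defaults may not be
        # filled in for every caller) and record that in the trace.
        if (!defined($test->{to})) {
            $test->{to} = 'host';
            PVE::FirewallSimulator::add_trace("Set Zone: to => '$test->{to}'\n");
        }
        if (!defined($test->{from})) {
            # Was joined to the next statement with a comma operator; same
            # effect, but a semicolon makes the two statements explicit.
            $test->{from} = 'outside';
            PVE::FirewallSimulator::add_trace("Set Zone: from => '$test->{from}'\n");
        }

        my $vmdata = PVE::Firewall::read_local_vm_config();

        print "Test packet:\n";

        foreach my $k (qw(from to proto source dest dport sport)) {
            printf(" %-8s: %s\n", $k, $test->{$k}) if defined($test->{$k});
        }

        $test->{action} = 'QUERY';

        my $res = PVE::FirewallSimulator::simulate_firewall($ruleset, $ipset_ruleset,
            $host_ip, $vmdata, $test);

        print "ACTION: $res\n";

        return undef;
    }});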
407 | ||
# CLI verb table consumed by PVE::CLIHandler: verb => [class, method, args,
# ..., output formatter]. Only 'status' needs a formatter, which renders
# "Status: <enabled|disabled>/<status>" plus a pending-changes marker.
our $cmddef = {
    start    => [ __PACKAGE__, 'start',    [] ],
    restart  => [ __PACKAGE__, 'restart',  [] ],
    stop     => [ __PACKAGE__, 'stop',     [] ],
    compile  => [ __PACKAGE__, 'compile',  [] ],
    simulate => [ __PACKAGE__, 'simulate', [] ],
    localnet => [ __PACKAGE__, 'localnet', [] ],
    status   => [ __PACKAGE__, 'status',   [], undef, sub {
        my ($res) = @_;

        my $enabled = $res->{enable} ? "enabled" : "disabled";
        my $line = "Status: $enabled/$res->{status}";
        $line .= " (pending changes)" if $res->{changes};
        print "$line\n";
    }],
};
426 | ||
427 | 1; |