]>
Commit | Line | Data |
---|---|---|
e2beb7aa DM |
1 | #!/usr/bin/perl |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | use PVE::SafeSyslog; | |
a3d58ffc DM |
6 | use PVE::Daemon; |
7 | ||
e2beb7aa DM |
8 | use Time::HiRes qw (gettimeofday); |
9 | use PVE::Tools qw(dir_glob_foreach file_read_firstline); | |
a3d58ffc | 10 | use PVE::ProcFSTools; |
e2beb7aa DM |
11 | use PVE::INotify; |
12 | use PVE::Cluster qw(cfs_read_file); | |
13 | use PVE::RPCEnvironment; | |
14 | use PVE::CLIHandler; | |
15 | use PVE::Firewall; | |
814de832 DM |
16 | use PVE::FirewallSimulator; |
17 | use Data::Dumper; | |
e2beb7aa | 18 | |
a3d58ffc | 19 | use base qw(PVE::Daemon); |
e2beb7aa | 20 | |
cf10b505 DM |
21 | $SIG{'__WARN__'} = sub { |
22 | my $err = $@; | |
23 | my $t = $_[0]; | |
24 | chomp $t; | |
25 | print STDERR "$t\n"; | |
26 | syslog('warning', "%s", $t); | |
27 | $@ = $err; | |
28 | }; | |
29 | ||
a3d58ffc | 30 | my $cmdline = [$0, @ARGV]; |
e2beb7aa | 31 | |
a3d58ffc | 32 | my %daemon_options = (restart_on_error => 5, stop_wait_time => 5); |
e2beb7aa | 33 | |
cf10b505 DM |
34 | my $daemon; |
35 | eval { | |
36 | $daemon = __PACKAGE__->new('pve-firewall', $cmdline, %daemon_options); | |
37 | }; | |
38 | if (my $err = $@) { | |
39 | syslog("err", "daemon init failed - $err"); | |
40 | exit(-1); | |
41 | } | |
e2beb7aa DM |
42 | |
43 | my $rpcenv = PVE::RPCEnvironment->init('cli'); | |
44 | ||
45 | $rpcenv->init_request(); | |
46 | $rpcenv->set_language($ENV{LANG}); | |
47 | $rpcenv->set_user('root@pam'); | |
48 | ||
814de832 DM |
49 | my $nodename = PVE::INotify::nodename(); |
50 | ||
a3d58ffc | 51 | sub init { |
e2beb7aa | 52 | |
a3d58ffc DM |
53 | PVE::Cluster::cfs_update(); |
54 | ||
55 | PVE::Firewall::init(); | |
e2beb7aa DM |
56 | } |
57 | ||
58 | my $restart_request = 0; | |
59 | my $next_update = 0; | |
60 | ||
61 | my $cycle = 0; | |
62 | my $updatetime = 10; | |
63 | ||
64 | my $initial_memory_usage; | |
65 | ||
a3d58ffc DM |
66 | sub shutdown { |
67 | my ($self) = @_; | |
e2beb7aa | 68 | |
a3d58ffc | 69 | syslog('info' , "server closing"); |
e2beb7aa | 70 | |
a3d58ffc DM |
71 | # wait for children |
72 | 1 while (waitpid(-1, POSIX::WNOHANG()) > 0); | |
e2beb7aa | 73 | |
a3d58ffc | 74 | syslog('info' , "clear firewall rules"); |
e2beb7aa | 75 | |
a3d58ffc DM |
76 | eval { PVE::Firewall::remove_pvefw_chains(); }; |
77 | warn $@ if $@; | |
e2beb7aa | 78 | |
a3d58ffc DM |
79 | $self->exit_daemon(0); |
80 | } | |
e2beb7aa | 81 | |
a3d58ffc DM |
82 | sub hup { |
83 | my ($self) = @_; | |
e2beb7aa | 84 | |
a3d58ffc DM |
85 | $restart_request = 1; |
86 | } | |
e2beb7aa | 87 | |
a3d58ffc DM |
88 | sub run { |
89 | my ($self) = @_; | |
e2beb7aa | 90 | |
a3d58ffc | 91 | local $SIG{'__WARN__'} = 'IGNORE'; # do not fill up logs |
e2beb7aa | 92 | |
a3d58ffc | 93 | for (;;) { # forever |
e2beb7aa | 94 | |
a3d58ffc | 95 | $next_update = time() + $updatetime; |
e2beb7aa | 96 | |
a3d58ffc DM |
97 | my ($ccsec, $cusec) = gettimeofday (); |
98 | eval { | |
99 | PVE::Cluster::cfs_update(); | |
100 | PVE::Firewall::update(); | |
e2beb7aa | 101 | }; |
e2beb7aa | 102 | my $err = $@; |
a3d58ffc | 103 | |
e2beb7aa | 104 | if ($err) { |
a3d58ffc | 105 | syslog('err', "status update error: $err"); |
e2beb7aa | 106 | } |
e2beb7aa | 107 | |
a3d58ffc DM |
108 | my ($ccsec_end, $cusec_end) = gettimeofday (); |
109 | my $cptime = ($ccsec_end-$ccsec) + ($cusec_end - $cusec)/1000000; | |
e2beb7aa | 110 | |
a3d58ffc DM |
111 | syslog('info', sprintf("firewall update time (%.3f seconds)", $cptime)) |
112 | if ($cptime > 5); | |
e2beb7aa | 113 | |
a3d58ffc | 114 | $cycle++; |
e2beb7aa | 115 | |
a3d58ffc DM |
116 | my $mem = PVE::ProcFSTools::read_memory_usage(); |
117 | ||
118 | if (!defined($initial_memory_usage) || ($cycle < 10)) { | |
119 | $initial_memory_usage = $mem->{resident}; | |
120 | } else { | |
121 | my $diff = $mem->{resident} - $initial_memory_usage; | |
122 | if ($diff > 5*1024*1024) { | |
123 | syslog ('info', "restarting server after $cycle cycles to " . | |
124 | "reduce memory usage (free $mem->{resident} ($diff) bytes)"); | |
125 | $self->restart_daemon(); | |
e2beb7aa DM |
126 | } |
127 | } | |
128 | ||
a3d58ffc DM |
129 | my $wcount = 0; |
130 | while ((time() < $next_update) && | |
131 | ($wcount < $updatetime) && # protect against time wrap | |
132 | !$restart_request) { $wcount++; sleep (1); }; | |
133 | ||
134 | $self->restart_daemon() if $restart_request; | |
135 | } | |
136 | } | |
137 | ||
138 | $daemon->register_start_command(__PACKAGE__, | |
139 | "Start the Proxmox VE firewall service."); | |
e3087bc6 | 140 | $daemon->register_restart_command(__PACKAGE__, 1, |
a3d58ffc DM |
141 | "Restart the Proxmox VE firewall service."); |
142 | $daemon->register_stop_command(__PACKAGE__, | |
143 | "Stop firewall. This removes all Proxmox VE " . | |
144 | "related iptable rules. " . | |
145 | "The host is unprotected afterwards."); | |
e2beb7aa DM |
146 | |
147 | __PACKAGE__->register_method ({ | |
148 | name => 'status', | |
149 | path => 'status', | |
150 | method => 'GET', | |
151 | description => "Get firewall status.", | |
152 | parameters => { | |
153 | additionalProperties => 0, | |
154 | properties => {}, | |
155 | }, | |
156 | returns => { | |
157 | type => 'object', | |
158 | additionalProperties => 0, | |
159 | properties => { | |
160 | status => { | |
161 | type => 'string', | |
55fad3b7 DM |
162 | enum => ['unknown', 'stopped', 'running'], |
163 | }, | |
164 | enable => { | |
165 | description => "Firewall is enabled (in 'cluster.fw')", | |
166 | type => 'boolean', | |
e2beb7aa DM |
167 | }, |
168 | changes => { | |
169 | description => "Set when there are pending changes.", | |
170 | type => 'boolean', | |
171 | optional => 1, | |
172 | } | |
173 | }, | |
174 | }, | |
175 | code => sub { | |
176 | my ($param) = @_; | |
177 | ||
178 | local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog | |
179 | ||
180 | my $code = sub { | |
181 | ||
a3d58ffc | 182 | my $status = $daemon->running() ? 'running' : 'stopped'; |
e2beb7aa DM |
183 | |
184 | my $res = { status => $status }; | |
55fad3b7 DM |
185 | |
186 | my $verbose = 1; # show syntax errors | |
187 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef, $verbose); | |
188 | $res->{enable} = $cluster_conf->{options}->{enable} ? 1 : 0; | |
189 | ||
190 | if ($status eq 'running') { | |
d4cda423 | 191 | |
638c755a | 192 | my ($ruleset, $ipset_ruleset, $rulesetv6) = PVE::Firewall::compile($cluster_conf, undef, undef, $verbose); |
e2beb7aa | 193 | |
d4cda423 DM |
194 | $verbose = 0; # do not show iptables details |
195 | my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, $verbose); | |
55fad3b7 | 196 | my ($test, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose); |
17da5c0f AD |
197 | my (undef, $ruleset_changesv6) = PVE::Firewall::get_ruleset_cmdlist($rulesetv6, $verbose, "ip6tables"); |
198 | ||
199 | $res->{changes} = ($ipset_changes || $ruleset_changes || $ruleset_changesv6) ? 1 : 0; | |
e2beb7aa DM |
200 | } |
201 | ||
202 | return $res; | |
203 | }; | |
204 | ||
205 | return PVE::Firewall::run_locked($code); | |
206 | }}); | |
207 | ||
208 | __PACKAGE__->register_method ({ | |
209 | name => 'compile', | |
210 | path => 'compile', | |
3324948a | 211 | method => 'GET', |
16adff04 | 212 | description => "Compile and print firewall rules. This is useful for testing.", |
e2beb7aa DM |
213 | parameters => { |
214 | additionalProperties => 0, | |
215 | properties => {}, | |
216 | }, | |
217 | returns => { type => 'null' }, | |
218 | ||
219 | code => sub { | |
220 | my ($param) = @_; | |
221 | ||
222 | local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog | |
223 | ||
224 | my $code = sub { | |
e2beb7aa | 225 | |
d4cda423 DM |
226 | my $verbose = 1; |
227 | ||
55fad3b7 | 228 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef, $verbose); |
638c755a | 229 | my ($ruleset, $ipset_ruleset, $rulesetv6) = PVE::Firewall::compile($cluster_conf, undef, undef, $verbose); |
d4cda423 | 230 | |
1cc9bd90 | 231 | print "ipset cmdlist:\n"; |
d4cda423 | 232 | my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, $verbose); |
1cc9bd90 DM |
233 | |
234 | print "\niptables cmdlist:\n"; | |
d4cda423 | 235 | my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose); |
1cc9bd90 DM |
236 | |
237 | print "\nip6tables cmdlist:\n"; | |
17da5c0f | 238 | my (undef, $ruleset_changesv6) = PVE::Firewall::get_ruleset_cmdlist($rulesetv6, $verbose, "ip6tables"); |
55fad3b7 | 239 | |
17da5c0f | 240 | if ($ipset_changes || $ruleset_changes || $ruleset_changesv6) { |
e2beb7aa DM |
241 | print "detected changes\n"; |
242 | } else { | |
243 | print "no changes\n"; | |
244 | } | |
55fad3b7 DM |
245 | if (!$cluster_conf->{options}->{enable}) { |
246 | print "firewall disabled\n"; | |
247 | } | |
248 | ||
e2beb7aa DM |
249 | }; |
250 | ||
251 | PVE::Firewall::run_locked($code); | |
252 | ||
253 | return undef; | |
254 | }}); | |
255 | ||
e7fb6ff2 DM |
256 | __PACKAGE__->register_method ({ |
257 | name => 'localnet', | |
258 | path => 'localnet', | |
259 | method => 'GET', | |
260 | description => "Print information about local network.", | |
261 | parameters => { | |
262 | additionalProperties => 0, | |
263 | properties => {}, | |
264 | }, | |
265 | returns => { type => 'null' }, | |
266 | code => sub { | |
267 | my ($param) = @_; | |
268 | ||
269 | local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog | |
270 | ||
271 | my $nodename = PVE::INotify::nodename(); | |
272 | print "local hostname: $nodename\n"; | |
273 | ||
274 | my $ip = PVE::Cluster::remote_node_ip($nodename); | |
275 | print "local IP address: $ip\n"; | |
276 | ||
277 | my $cluster_conf = PVE::Firewall::load_clusterfw_conf(); | |
278 | ||
279 | my $localnet = PVE::Firewall::local_network() || '127.0.0.0/8'; | |
280 | print "network auto detect: $localnet\n"; | |
281 | if ($cluster_conf->{aliases}->{local_network}) { | |
282 | print "using user defined local_network: $cluster_conf->{aliases}->{local_network}->{cidr}\n"; | |
283 | } else { | |
284 | print "using detected local_network: $localnet\n"; | |
285 | } | |
286 | ||
287 | return undef; | |
288 | }}); | |
289 | ||
814de832 DM |
290 | __PACKAGE__->register_method ({ |
291 | name => 'simulate', | |
292 | path => 'simulate', | |
3324948a | 293 | method => 'GET', |
c9902e5a | 294 | description => "Simulate firewall rules. This does not simulate kernel 'routing' table. Instead, this simply assumes that routing from source zone to destination zone is possible.", |
814de832 DM |
295 | parameters => { |
296 | additionalProperties => 0, | |
297 | properties => { | |
298 | verbose => { | |
299 | description => "Verbose output.", | |
300 | type => 'boolean', | |
301 | optional => 1, | |
302 | default => 0, | |
303 | }, | |
304 | from => { | |
305 | description => "Source zone.", | |
306 | type => 'string', | |
307 | pattern => '(host|outside|vm\d+|ct\d+|vmbr\d+/\S+)', | |
308 | optional => 1, | |
309 | default => 'outside', | |
310 | }, | |
311 | to => { | |
312 | description => "Destination zone.", | |
313 | type => 'string', | |
314 | pattern => '(host|outside|vm\d+|ct\d+|vmbr\d+/\S+)', | |
315 | optional => 1, | |
316 | default => 'host', | |
317 | }, | |
318 | protocol => { | |
319 | description => "Protocol.", | |
320 | type => 'string', | |
321 | pattern => '(tcp|udp)', | |
322 | optional => 1, | |
323 | default => 'tcp', | |
324 | }, | |
325 | dport => { | |
326 | description => "Destination port.", | |
327 | type => 'integer', | |
328 | minValue => 1, | |
329 | maxValue => 65535, | |
330 | optional => 1, | |
331 | }, | |
332 | sport => { | |
333 | description => "Source port.", | |
334 | type => 'integer', | |
335 | minValue => 1, | |
336 | maxValue => 65535, | |
337 | optional => 1, | |
338 | }, | |
339 | source => { | |
340 | description => "Source IP address.", | |
341 | type => 'string', format => 'ipv4', | |
342 | optional => 1, | |
343 | }, | |
344 | dest => { | |
345 | description => "Destination IP address.", | |
346 | type => 'string', format => 'ipv4', | |
347 | optional => 1, | |
348 | }, | |
349 | }, | |
350 | }, | |
351 | returns => { type => 'null' }, | |
352 | code => sub { | |
353 | my ($param) = @_; | |
354 | ||
815b4ebf DM |
355 | local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog |
356 | ||
638c755a | 357 | my ($ruleset, $ipset_ruleset, $rulesetv6) = PVE::Firewall::compile(undef, undef, undef, $param->{verbose}); |
814de832 DM |
358 | |
359 | PVE::FirewallSimulator::debug($param->{verbose} || 0); | |
360 | ||
361 | my $host_ip = PVE::Cluster::remote_node_ip($nodename); | |
362 | ||
363 | PVE::FirewallSimulator::reset_trace(); | |
364 | print Dumper($ruleset) if $param->{verbose}; | |
365 | ||
366 | my $test = { | |
367 | from => $param->{from}, | |
368 | to => $param->{to}, | |
369 | proto => $param->{protocol} || 'tcp', | |
370 | source => $param->{source}, | |
371 | dest => $param->{dest}, | |
372 | dport => $param->{dport}, | |
373 | sport => $param->{sport}, | |
374 | }; | |
375 | ||
376 | if (!defined($test->{to})) { | |
377 | $test->{to} = 'host'; | |
378 | PVE::FirewallSimulator::add_trace("Set Zone: to => '$test->{to}'\n"); | |
379 | } | |
380 | if (!defined($test->{from})) { | |
381 | $test->{from} = 'outside', | |
382 | PVE::FirewallSimulator::add_trace("Set Zone: from => '$test->{from}'\n"); | |
383 | } | |
384 | ||
385 | my $vmdata = PVE::Firewall::read_local_vm_config(); | |
386 | ||
387 | print "Test packet:\n"; | |
388 | ||
389 | foreach my $k (qw(from to proto source dest dport sport)) { | |
390 | printf(" %-8s: %s\n", $k, $test->{$k}) if defined($test->{$k}); | |
391 | } | |
392 | ||
393 | $test->{action} = 'QUERY'; | |
394 | ||
395 | my $res = PVE::FirewallSimulator::simulate_firewall($ruleset, $ipset_ruleset, | |
396 | $host_ip, $vmdata, $test); | |
397 | ||
398 | print "ACTION: $res\n"; | |
399 | ||
400 | return undef; | |
401 | }}); | |
e2beb7aa DM |
402 | |
403 | my $cmddef = { | |
404 | start => [ __PACKAGE__, 'start', []], | |
a3d58ffc | 405 | restart => [ __PACKAGE__, 'restart', []], |
e2beb7aa DM |
406 | stop => [ __PACKAGE__, 'stop', []], |
407 | compile => [ __PACKAGE__, 'compile', []], | |
814de832 | 408 | simulate => [ __PACKAGE__, 'simulate', []], |
e7fb6ff2 | 409 | localnet => [ __PACKAGE__, 'localnet', []], |
e2beb7aa DM |
410 | status => [ __PACKAGE__, 'status', [], undef, sub { |
411 | my $res = shift; | |
55fad3b7 DM |
412 | my $status = ($res->{enable} ? "enabled" : "disabled") . '/' . $res->{status}; |
413 | ||
e2beb7aa | 414 | if ($res->{changes}) { |
55fad3b7 | 415 | print "Status: $status (pending changes)\n"; |
e2beb7aa | 416 | } else { |
55fad3b7 | 417 | print "Status: $status\n"; |
e2beb7aa DM |
418 | } |
419 | }], | |
420 | }; | |
421 | ||
422 | my $cmd = shift; | |
423 | ||
424 | PVE::CLIHandler::handle_cmd($cmddef, $0, $cmd, \@ARGV, undef, $0); | |
425 | ||
426 | exit (0); | |
427 | ||
428 | __END__ | |
429 | ||
430 | =head1 NAME | |
431 | ||
16adff04 | 432 | pve-firewall - PVE Firewall Daemon |
e2beb7aa DM |
433 | |
434 | =head1 SYNOPSIS | |
435 | ||
16adff04 | 436 | =include synopsis |
e2beb7aa DM |
437 | |
438 | =head1 DESCRIPTION | |
439 | ||
440 | This service updates iptables rules periodically. | |
441 | ||
16adff04 | 442 | =include pve_copyright |