[pve-firewall.git] / PVE / Firewall.pm

package PVE::Firewall;

use warnings;
use strict;
use Data::Dumper;
use Digest::MD5;
use PVE::Tools;
use PVE::QemuServer;
use File::Path;
use IO::File;
use Net::IP;
use PVE::Tools qw(run_command lock_file);

use Data::Dumper;

my $pve_fw_lock_filename = "/var/lock/pvefw.lck";

my $macros;

# todo: implement some kind of MACROS, like shorewall /usr/share/shorewall/macro.*
sub get_firewall_macros {

    return $macros if $macros;

    #foreach my $path (</usr/share/shorewall/macro.*>) {
    #  if ($path =~ m|/macro\.(\S+)$|) {
    #    $macros->{$1} = 1;
    #  }
    #}

    $macros = {}; # fixme: implemet me

    return $macros;
}

my $etc_services;

sub get_etc_services {

    return $etc_services if $etc_services;

    my $filename = "/etc/services";

    my $fh = IO::File->new($filename, O_RDONLY);
    if (!$fh) {
	warn "unable to read '$filename' - $!\n";
	return {};
    }

    my $services = {};

    while (my $line = <$fh>) {
	chomp ($line);
	next if $line =~m/^#/;
	next if ($line =~m/^\s*$/);

	if ($line =~ m!^(\S+)\s+(\S+)/(tcp|udp).*$!) {
	    $services->{byid}->{$2}->{name} = $1;
	    $services->{byid}->{$2}->{$3} = 1;
	    $services->{byname}->{$1} = $services->{byid}->{$2};
	}
    }

    close($fh);

    $etc_services = $services;    
    

    return $etc_services;
}

my $etc_protocols;

sub get_etc_protocols {
    return $etc_protocols if $etc_protocols;

    my $filename = "/etc/protocols";

    my $fh = IO::File->new($filename, O_RDONLY);
    if (!$fh) {
	warn "unable to read '$filename' - $!\n";
	return {};
    }

    my $protocols = {};

    while (my $line = <$fh>) {
	chomp ($line);
	next if $line =~m/^#/;
	next if ($line =~m/^\s*$/);

	if ($line =~ m!^(\S+)\s+(\d+)\s+.*$!) {
	    $protocols->{byid}->{$2}->{name} = $1;
	    $protocols->{byname}->{$1} = $protocols->{byid}->{$2};
	}
    }

    close($fh);

    $etc_protocols = $protocols;

    return $etc_protocols;
}

sub parse_address_list {
    my ($str) = @_;

    my $nbaor = 0;
    foreach my $aor (split(/,/, $str)) {
	if (!Net::IP->new($aor)) {
	    my $err = Net::IP::Error();
	    die "invalid IP address: $err\n";
	}else{
	    $nbaor++;
	}
    }
    return $nbaor;
}

sub parse_port_name_number_or_range {
    my ($str) = @_;

    my $services = PVE::Firewall::get_etc_services();
    my $nbports = 0;
    foreach my $item (split(/,/, $str)) {
	my $portlist = "";
	foreach my $pon (split(':', $item, 2)) {
	    if ($pon =~ m/^\d+$/){
		die "invalid port '$pon'\n" if $pon < 0 && $pon > 65536;
	    }else{
		die "invalid port $services->{byname}->{$pon}\n" if !$services->{byname}->{$pon};
	    }
	    $nbports++;
	}
    }

    return ($nbports);
}

my $rule_format = "%-15s %-30s %-30s %-15s %-15s %-15s\n";

sub iptables {
    my ($cmd) = @_;

    run_command("/sbin/iptables $cmd", outfunc => sub {}, errfunc => sub {});
}

sub iptables_restore_cmdlist {
    my ($cmdlist) = @_;

    run_command("/sbin/iptables-restore -n", input => $cmdlist);
}

sub iptables_get_chains {

    my $res = {};

    # check what chains we want to track
    my $is_pvefw_chain = sub {
	my $name = shift;

	return 1 if $name =~ m/^BRIDGEFW-(:?IN|OUT)$/;
	return 1 if $name =~ m/^proxmoxfw-\S+$/;
	return 1 if $name =~ m/^tap\d+i\d+-(:?IN|OUT)$/;
	return 1 if $name =~ m/^vmbr\d+-(:?IN|OUT)$/;
	return 1 if $name =~ m/^GROUP-(:?[^\s\-]+)-(:?IN|OUT)$/;
	return 1 if $name =~ m/^host-(:?IN|OUT)$/;

	return undef;
    };

    my $table = '';

    my $parser = sub {
	my $line = shift;

	return if $line =~ m/^#/;
	return if $line =~ m/^\s*$/;

	if ($line =~ m/^\*(\S+)$/) {
	    $table = $1;
	    return;
	}

	return if $table ne 'filter';

	if ($line =~ m/^:(\S+)\s/) {
	    my $chain = $1;
	    return if !&$is_pvefw_chain($chain);
	    $res->{$chain} = "unknown";
	} elsif ($line =~ m/^-A\s+(\S+)\s.*--log-prefix\s+\"PVESIG:(\S+)\"/) {
	    my ($chain, $sig) = ($1, $2);
	    return if !&$is_pvefw_chain($chain);
	    $res->{$chain} = $sig;
	} else {
	    # simply ignore the rest
	    return;
	}
    };

    run_command("/sbin/iptables-save", outfunc => $parser);

    return $res;
}

sub iptables_chain_exist {
    my ($chain) = @_;

    eval{
	iptables("-n --list $chain");
    };
    return undef if $@;

    return 1;
}

sub iptables_rule_exist {
    my ($rule) = @_;

    eval{
	iptables("-C $rule");
    };
    return undef if $@;

    return 1;
}

sub ruleset_generate_rule {
    my ($ruleset, $chain, $rule) = @_;

    my $cmd = '';

    $cmd .= " -m iprange --src-range" if $rule->{nbsource} && $rule->{nbsource} > 1;
    $cmd .= " -s $rule->{source}" if $rule->{source};
    $cmd .= " -m iprange --dst-range" if $rule->{nbdest} && $rule->{nbdest} > 1;
    $cmd .= " -d $rule->{dest}" if $rule->{destination};
    $cmd .= " -p $rule->{proto}" if $rule->{proto};
    $cmd .= "  --match multiport" if $rule->{nbdport} && $rule->{nbdport} > 1;
    $cmd .= " --dport $rule->{dport}" if $rule->{dport};
    $cmd .= "  --match multiport" if $rule->{nbsport} && $rule->{nbsport} > 1;
    $cmd .= " --sport $rule->{sport}" if $rule->{sport};
    $cmd .= " -j $rule->{action}" if $rule->{action};

    ruleset_addrule($ruleset, $chain, $cmd) if $cmd;
}

sub ruleset_create_chain {
    my ($ruleset, $chain) = @_;

    die "chain '$chain' already exists\n" if $ruleset->{$chain};

    $ruleset->{$chain} = [];
}

sub ruleset_chain_exist {
    my ($ruleset, $chain) = @_;

    return $ruleset->{$chain} ? 1 : undef;
}

sub ruleset_addrule {
   my ($ruleset, $chain, $rule) = @_;

   die "no such chain '$chain'\n" if !$ruleset->{$chain};

   push @{$ruleset->{$chain}}, "-A $chain $rule";
}

sub ruleset_insertrule {
   my ($ruleset, $chain, $rule) = @_;

   die "no such chain '$chain'\n" if !$ruleset->{$chain};

   unshift @{$ruleset->{$chain}}, "-A $chain $rule";
}

sub generate_bridge_chains {
    my ($ruleset, $bridge) = @_;

    if (!ruleset_chain_exist($ruleset, "BRIDGEFW-IN")){
	ruleset_create_chain($ruleset, "BRIDGEFW-IN");
    }

    if (!ruleset_chain_exist($ruleset, "BRIDGEFW-OUT")){
	ruleset_create_chain($ruleset, "BRIDGEFW-OUT");
    }

    if (!ruleset_chain_exist($ruleset, "proxmoxfw-FORWARD")){
	ruleset_create_chain($ruleset, "proxmoxfw-FORWARD");

	ruleset_addrule($ruleset, "proxmoxfw-FORWARD", "-m state --state RELATED,ESTABLISHED -j ACCEPT");
	ruleset_addrule($ruleset, "proxmoxfw-FORWARD", "-m physdev --physdev-is-in --physdev-is-bridged -j BRIDGEFW-OUT");
	ruleset_addrule($ruleset, "proxmoxfw-FORWARD", "-m physdev --physdev-is-out --physdev-is-bridged -j BRIDGEFW-IN");
    }

    if (!ruleset_chain_exist($ruleset, "$bridge-IN")) {
	ruleset_create_chain($ruleset, "$bridge-IN");
	ruleset_addrule($ruleset, "proxmoxfw-FORWARD", "-i $bridge -j DROP");  # disable interbridge routing
	ruleset_addrule($ruleset, "BRIDGEFW-IN", "-j $bridge-IN");
	ruleset_addrule($ruleset, "$bridge-IN", "-j ACCEPT");
    }

    if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) {
	ruleset_create_chain($ruleset, "$bridge-OUT");
	ruleset_addrule($ruleset, "proxmoxfw-FORWARD", "-o $bridge -j DROP"); # disable interbridge routing
	ruleset_addrule($ruleset, "BRIDGEFW-OUT", "-j $bridge-OUT");
    }
}

sub generate_tap_rules_direction {
    my ($ruleset, $iface, $netid, $rules, $bridge, $direction) = @_;

    my $tapchain = "$iface-$direction";

    ruleset_create_chain($ruleset, $tapchain);

    ruleset_addrule($ruleset, $tapchain, "-m state --state INVALID -j DROP");
    ruleset_addrule($ruleset, $tapchain, "-m state --state RELATED,ESTABLISHED -j ACCEPT");

    if ($rules) {
        foreach my $rule (@$rules) {
	    next if $rule->{iface} && $rule->{iface} ne $netid;
	    if($rule->{action}  =~ m/^(GROUP-(\S+))$/){
		$rule->{action} .= "-$direction";
		# generate empty group rule if don't exist
		if(!ruleset_chain_exist($ruleset, $rule->{action})){
		    generate_group_rules($ruleset, $2);
		}
	    }
	    # we go to vmbr-IN if accept in out rules
	    $rule->{action} = "$bridge-IN" if $rule->{action} eq 'ACCEPT' && $direction eq 'OUT';
	    ruleset_generate_rule($ruleset, $tapchain, $rule);
        }
    }

    ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-dropped: \" --log-level 4");
    ruleset_addrule($ruleset, $tapchain, "-j DROP");

    # plug the tap chain to bridge chain
    my $physdevdirection = $direction eq 'IN' ? "out" : "in";
    my $rule = "-m physdev --physdev-$physdevdirection $iface --physdev-is-bridged -j $tapchain";
    ruleset_insertrule($ruleset, "$bridge-$direction", $rule);

    if ($direction eq 'OUT'){
	# add tap->host rules
	my $rule = "-m physdev --physdev-$physdevdirection $iface -j $tapchain";
	ruleset_addrule($ruleset, "proxmoxfw-INPUT", $rule);
    }
}

sub enablehostfw {
    my ($ruleset) = @_;

    my $filename = "/etc/pve/local/host.fw";
    my $fh = IO::File->new($filename, O_RDONLY);
    return if !$fh;

    my $rules = parse_fw_rules($filename, $fh);

    # host inbound firewall
    ruleset_create_chain($ruleset, "host-IN");

    ruleset_addrule($ruleset, "host-IN", "-m state --state INVALID -j DROP");
    ruleset_addrule($ruleset, "host-IN", "-m state --state RELATED,ESTABLISHED -j ACCEPT");
    ruleset_addrule($ruleset, "host-IN", "-i lo -j ACCEPT");
    ruleset_addrule($ruleset, "host-IN", "-m addrtype --dst-type MULTICAST -j ACCEPT");
    ruleset_addrule($ruleset, "host-IN", "-p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT");
    ruleset_addrule($ruleset, "host-IN", "-p udp -m udp --dport 9000 -j ACCEPT");  #corosync

    if ($rules->{in}) {
        foreach my $rule (@{$rules->{in}}) {
            # we use RETURN because we need to check also tap rules
            $rule->{action} = 'RETURN' if $rule->{action} eq 'ACCEPT';
            ruleset_generate_rule($ruleset, "host-IN", $rule);
        }
    }

    ruleset_addrule($ruleset, "host-IN", "-j LOG --log-prefix \"kvmhost-IN dropped: \" --log-level 4");
    ruleset_addrule($ruleset, "host-IN", "-j DROP");

    # host outbound firewall
    ruleset_create_chain($ruleset, "host-OUT");
    ruleset_addrule($ruleset, "host-OUT", "-m state --state INVALID -j DROP");
    ruleset_addrule($ruleset, "host-OUT", "-m state --state RELATED,ESTABLISHED -j ACCEPT");
    ruleset_addrule($ruleset, "host-OUT", "-o lo -j ACCEPT");
    ruleset_addrule($ruleset, "host-OUT", "-m addrtype --dst-type MULTICAST -j ACCEPT");
    ruleset_addrule($ruleset, "host-OUT", "-p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT");
    ruleset_addrule($ruleset, "host-OUT", "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync

    if ($rules->{out}) {
        foreach my $rule (@{$rules->{out}}) {
            # we use RETURN because we need to check also tap rules
            $rule->{action} = 'RETURN' if $rule->{action} eq 'ACCEPT';
            ruleset_generate_rule($ruleset, "host-OUT", $rule);
        }
    }

    ruleset_addrule($ruleset, "host-OUT", "-j LOG --log-prefix \"kvmhost-OUT dropped: \" --log-level 4");
    ruleset_addrule($ruleset, "host-OUT", "-j DROP");
    
    ruleset_addrule($ruleset, "proxmoxfw-OUTPUT", "-j host-OUT");
    ruleset_addrule($ruleset, "proxmoxfw-INPUT", "-j host-IN");
}

sub generate_group_rules {
    my ($ruleset, $group) = @_;

    my $filename = "/etc/pve/firewall/groups.fw";
    my $fh = IO::File->new($filename, O_RDONLY);
    return if !$fh;

    my $rules = parse_fw_rules($filename, $fh, $group);

    my $chain = "GROUP-${group}-IN";

    ruleset_create_chain($ruleset, $chain);

    if ($rules->{in}) {
        foreach my $rule (@{$rules->{in}}) {
 	    ruleset_generate_rule($ruleset, $chain, $rule);
        }
    }

    $chain = "GROUP-${group}-OUT";

    ruleset_create_chain($ruleset, $chain);

    if ($rules->{out}) {
        foreach my $rule (@{$rules->{out}}) {
            # we go the BRIDGEFW-IN because we need to check also other tap rules 
            # (and group rules can be set on any bridge, so we can't go to VMBRXX-IN)
            $rule->{action} = 'BRIDGEFW-IN' if $rule->{action} eq 'ACCEPT';
            ruleset_generate_rule($rule, $chain, $rule);
        }
    }
}

sub parse_fw_rules {
    my ($filename, $fh, $group) = @_;

    my $section;
    my $securitygroup;
    my $securitygroupexist;

    my $res = { in => [], out => [] };

    my $macros = get_firewall_macros();
    my $protocols = get_etc_protocols();
    
    while (defined(my $line = <$fh>)) {
	next if $line =~ m/^#/;
	next if $line =~ m/^\s*$/;

	if ($line =~ m/^\[(in|out)(:(\S+))?\]\s*$/i) {
	    $section = lc($1);
	    $securitygroup = lc($3) if $3;
	    $securitygroupexist = 1 if $securitygroup &&  $securitygroup eq $group;
	    next;
	}
	next if !$section;
	next if $group && $securitygroup ne $group;

	my ($action, $iface, $source, $dest, $proto, $dport, $sport) =
	    split(/\s+/, $line);

	if (!$action) {
	    warn "skip incomplete line\n";
	    next;
	}

	my $service;
	if ($action =~ m/^(ACCEPT|DROP|REJECT|GROUP-(\S+))$/) {
	    # OK
	} elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) {
	    ($service, $action) = ($1, $2);
	    if (!$macros->{$service}) {
		warn "unknown service '$service'\n";
		next;
	    }
	} else {
	    warn "unknown action '$action'\n";
	    next;
	}

	$iface = undef if $iface && $iface eq '-';
	if ($iface && $iface !~ m/^(net0|net1|net2|net3|net4|net5)$/) {
	    warn "unknown interface '$iface'\n";
	    next;
	}

	$proto = undef if $proto && $proto eq '-';
	if ($proto && !(defined($protocols->{byname}->{$proto}) ||
			defined($protocols->{byid}->{$proto}))) {
	    warn "unknown protokol '$proto'\n";
	    next;
	}

	$source = undef if $source && $source eq '-';
	$dest = undef if $dest && $dest eq '-';

	$dport = undef if $dport && $dport eq '-';
	$sport = undef if $sport && $sport eq '-';
	my $nbdport = undef;
	my $nbsport = undef;
	my $nbsource = undef;
	my $nbdest = undef;

	eval {
	    $nbsource = parse_address_list($source) if $source;
	    $nbdest = parse_address_list($dest) if $dest;
	    $nbdport = parse_port_name_number_or_range($dport) if $dport;
	    $nbsport = parse_port_name_number_or_range($sport) if $sport;
	};
	if (my $err = $@) {
	    warn $err;
	    next;

	}


	my $rule = {
	    action => $action,
	    service => $service,
	    iface => $iface,
	    source => $source,
	    dest => $dest,
	    nbsource => $nbsource,
	    nbdest => $nbdest,
	    proto => $proto,
	    dport => $dport,
	    sport => $sport,
	    nbdport => $nbdport,
	    nbsport => $nbsport,

	};

	push @{$res->{$section}}, $rule;
    }

    die "security group $group don't exist" if $group && !$securitygroupexist;
    return $res;
}

sub run_locked {
    my ($code, @param) = @_;

    my $timeout = 10;

    my $res = lock_file($pve_fw_lock_filename, $timeout, $code, @param);

    die $@ if $@;

    return $res;
}

sub read_local_vm_config {

    my $openvz = {};

    my $qemu = {};

    my $list = PVE::QemuServer::config_list();

    foreach my $vmid (keys %$list) {
	my $cfspath = PVE::QemuServer::cfs_config_path($vmid);
	if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) {
	    $qemu->{$vmid} = $conf;
	}
    }

    my $vmdata = { openvz => $openvz, qemu => $qemu };

    return $vmdata;
};

sub read_vm_firewall_rules {
    my ($vmdata) = @_;
    my $rules = {};
    foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) {
	my $filename = "/etc/pve/firewall/$vmid.fw";
	my $fh = IO::File->new($filename, O_RDONLY);
	next if !$fh;

	$rules->{$vmid} = parse_fw_rules($filename, $fh);
    }

    return $rules;
}

sub compile {
    my $vmdata = read_local_vm_config();
    my $rules = read_vm_firewall_rules($vmdata);

    #print Dumper($rules);

    my $ruleset = {};

    # setup host firewall rules
    ruleset_create_chain($ruleset, "proxmoxfw-INPUT");
    ruleset_create_chain($ruleset, "proxmoxfw-OUTPUT");

    enablehostfw($ruleset);

    # generate firewall rules for QEMU VMs 
    foreach my $vmid (keys %{$vmdata->{qemu}}) {
	my $conf = $vmdata->{qemu}->{$vmid};
	next if !$rules->{$vmid};

	foreach my $netid (keys %$conf) {
	    next if $netid !~ m/^net(\d+)$/;
	    my $net = PVE::QemuServer::parse_net($conf->{$netid});
	    next if !$net;
	    my $iface = "tap${vmid}i$1";

	    my $bridge = $net->{bridge};
	    next if !$bridge; # fixme: ?

	    $bridge .= "v$net->{tag}" if $net->{tag};

	    generate_bridge_chains($ruleset, $bridge);

	    generate_tap_rules_direction($ruleset, $iface, $netid, $rules->{$vmid}->{in}, $bridge, 'IN');
	    generate_tap_rules_direction($ruleset, $iface, $netid, $rules->{$vmid}->{out}, $bridge, 'OUT');
	}
    }
    return $ruleset;
}

sub get_ruleset_status {
    my ($ruleset, $verbose) = @_;

    my $active_chains = iptables_get_chains();

    my $statushash = {};

    foreach my $chain (sort keys %$ruleset) {
	my $digest = Digest::MD5->new();
	foreach my $cmd (@{$ruleset->{$chain}}) {
	     $digest->add("$cmd\n");
	}
	my $sig = $digest->b64digest;
	$statushash->{$chain}->{sig} = $sig;

	my $oldsig = $active_chains->{$chain};
	if (!defined($oldsig)) {
	    $statushash->{$chain}->{action} = 'create';
	} else {
	    if ($oldsig eq $sig) {
		$statushash->{$chain}->{action} = 'exists';
	    } else {
		$statushash->{$chain}->{action} = 'update';
	    }
	}
	print "$statushash->{$chain}->{action} $chain ($sig)\n" if $verbose;
	foreach my $cmd (@{$ruleset->{$chain}}) {
	    print "\t$cmd\n" if $verbose;
	}
    }

    foreach my $chain (sort keys %$active_chains) {
	if (!defined($ruleset->{$chain})) {
	    my $sig = $active_chains->{$chain};
	    $statushash->{$chain}->{action} = 'delete';
	    $statushash->{$chain}->{sig} = $sig;
	    print "delete $chain ($sig)\n" if $verbose;
	}
    }    

    return $statushash;
}

sub print_ruleset {
    my ($ruleset) = @_;

    get_ruleset_status($ruleset, 1);
}

sub print_sig_rule {
    my ($chain, $sig) = @_;

    # Note: This rule should never match! We just use this hack to store a SHA1 checksum
    # used to detect changes
    return "-A $chain -j LOG --log-prefix \"PVESIG:$sig\" -p tcp -s \"127.128.129.130\" --dport 1\n";
}

sub compile_and_start {
    my ($verbose) = @_;

    my $ruleset = compile();

    my $cmdlist = "*filter\n"; # we pass this to iptables-restore;

    my $statushash = get_ruleset_status($ruleset, $verbose);

    # create missing chains first
    foreach my $chain (sort keys %$ruleset) {
	my $stat = $statushash->{$chain};
	die "internal error" if !$stat;
	next if $stat->{action} ne 'create';

	$cmdlist .= ":$chain - [0:0]\n";
    }

    my $rule = "INPUT -j proxmoxfw-INPUT";
    if (!PVE::Firewall::iptables_rule_exist($rule)) {
	$cmdlist .= "-A $rule\n";
    }
    $rule = "OUTPUT -j proxmoxfw-OUTPUT";
    if (!PVE::Firewall::iptables_rule_exist($rule)) {
	$cmdlist .= "-A $rule\n";
    }

    $rule = "FORWARD -j proxmoxfw-FORWARD";
    if (!PVE::Firewall::iptables_rule_exist($rule)) {
	$cmdlist .= "-A $rule\n";
    }

    foreach my $chain (sort keys %$ruleset) {
	my $stat = $statushash->{$chain};
	die "internal error" if !$stat;

	if ($stat->{action} eq 'update' || $stat->{action} eq 'create') {
	    $cmdlist .= "-F $chain\n";
	    foreach my $cmd (@{$ruleset->{$chain}}) {
		$cmdlist .= "$cmd\n";
	    }
	    $cmdlist .= print_sig_rule($chain, $stat->{sig});
	} elsif ($stat->{action} eq 'delete') {
	    $cmdlist .= "-F $chain\n";
	    $cmdlist .= "-X $chain\n";
	} elsif ($stat->{action} eq 'exists') {
	    # do nothing
	} else {
	    die "internal error - unknown status '$stat->{action}'";
	}
    }

    $cmdlist .= "COMMIT\n";

    print $cmdlist if $verbose;

    iptables_restore_cmdlist($cmdlist);

    # test: re-read status and check if everything is up to date 
    $statushash = get_ruleset_status($ruleset);

    my $errors;
    foreach my $chain (sort keys %$ruleset) {
	my $stat = $statushash->{$chain};
	if ($stat->{action} ne 'exists') {
	    warn "unable to update chain '$chain'\n";
	    $errors = 1;
	}
    }

    die "unable to apply firewall changes\n" if $errors;
}

1;
Commit	Line	Data
	1	package PVE::Firewall;
	2
	3	use warnings;
	4	use strict;
	5	use Data::Dumper;
	6	use Digest::MD5;
	7	use PVE::Tools;
	8	use PVE::QemuServer;
	9	use File::Path;
	10	use IO::File;
	11	use Net::IP;
	12	use PVE::Tools qw(run_command lock_file);
	13
	14	use Data::Dumper;
	15
	16	my $pve_fw_lock_filename = "/var/lock/pvefw.lck";
	17
	18	my $macros;
	19
	20	# todo: implement some kind of MACROS, like shorewall /usr/share/shorewall/macro.*
	21	sub get_firewall_macros {
	22
	23	return $macros if $macros;
	24
	25	#foreach my $path (</usr/share/shorewall/macro.*>) {
	26	# if ($path =~ m\|/macro\.(\S+)$\|) {
	27	# $macros->{$1} = 1;
	28	# }
	29	#}
	30
	31	$macros = {}; # fixme: implemet me
	32
	33	return $macros;
	34	}
	35
	36	my $etc_services;
	37
	38	sub get_etc_services {
	39
	40	return $etc_services if $etc_services;
	41
	42	my $filename = "/etc/services";
	43
	44	my $fh = IO::File->new($filename, O_RDONLY);
	45	if (!$fh) {
	46	warn "unable to read '$filename' - $!\n";
	47	return {};
	48	}
	49
	50	my $services = {};
	51
	52	while (my $line = <$fh>) {
	53	chomp ($line);
	54	next if $line =~m/^#/;
	55	next if ($line =~m/^\s*$/);
	56
	57	if ($line =~ m!^(\S+)\s+(\S+)/(tcp\|udp).*$!) {
	58	$services->{byid}->{$2}->{name} = $1;
	59	$services->{byid}->{$2}->{$3} = 1;
	60	$services->{byname}->{$1} = $services->{byid}->{$2};
	61	}
	62	}
	63
	64	close($fh);
	65
	66	$etc_services = $services;
	67
	68
	69	return $etc_services;
	70	}
	71
	72	my $etc_protocols;
	73
	74	sub get_etc_protocols {
	75	return $etc_protocols if $etc_protocols;
	76
	77	my $filename = "/etc/protocols";
	78
	79	my $fh = IO::File->new($filename, O_RDONLY);
	80	if (!$fh) {
	81	warn "unable to read '$filename' - $!\n";
	82	return {};
	83	}
	84
	85	my $protocols = {};
	86
	87	while (my $line = <$fh>) {
	88	chomp ($line);
	89	next if $line =~m/^#/;
	90	next if ($line =~m/^\s*$/);
	91
	92	if ($line =~ m!^(\S+)\s+(\d+)\s+.*$!) {
	93	$protocols->{byid}->{$2}->{name} = $1;
	94	$protocols->{byname}->{$1} = $protocols->{byid}->{$2};
	95	}
	96	}
	97
	98	close($fh);
	99
	100	$etc_protocols = $protocols;
	101
	102	return $etc_protocols;
	103	}
	104
	105	sub parse_address_list {
	106	my ($str) = @_;
	107
	108	my $nbaor = 0;
	109	foreach my $aor (split(/,/, $str)) {
	110	if (!Net::IP->new($aor)) {
	111	my $err = Net::IP::Error();
	112	die "invalid IP address: $err\n";
	113	}else{
	114	$nbaor++;
	115	}
	116	}
	117	return $nbaor;
	118	}
	119
	120	sub parse_port_name_number_or_range {
	121	my ($str) = @_;
	122
	123	my $services = PVE::Firewall::get_etc_services();
	124	my $nbports = 0;
	125	foreach my $item (split(/,/, $str)) {
	126	my $portlist = "";
	127	foreach my $pon (split(':', $item, 2)) {
	128	if ($pon =~ m/^\d+$/){
	129	die "invalid port '$pon'\n" if $pon < 0 && $pon > 65536;
	130	}else{
	131	die "invalid port $services->{byname}->{$pon}\n" if !$services->{byname}->{$pon};
	132	}
	133	$nbports++;
	134	}
	135	}
	136
	137	return ($nbports);
	138	}
	139
	140	my $rule_format = "%-15s %-30s %-30s %-15s %-15s %-15s\n";
	141
	142	sub iptables {
	143	my ($cmd) = @_;
	144
	145	run_command("/sbin/iptables $cmd", outfunc => sub {}, errfunc => sub {});
	146	}
	147
	148	sub iptables_restore_cmdlist {
	149	my ($cmdlist) = @_;
	150
	151	run_command("/sbin/iptables-restore -n", input => $cmdlist);
	152	}
	153
	154	sub iptables_get_chains {
	155
	156	my $res = {};
	157
	158	# check what chains we want to track
	159	my $is_pvefw_chain = sub {
	160	my $name = shift;
	161
	162	return 1 if $name =~ m/^BRIDGEFW-(:?IN\|OUT)$/;
	163	return 1 if $name =~ m/^proxmoxfw-\S+$/;
	164	return 1 if $name =~ m/^tap\d+i\d+-(:?IN\|OUT)$/;
	165	return 1 if $name =~ m/^vmbr\d+-(:?IN\|OUT)$/;
	166	return 1 if $name =~ m/^GROUP-(:?[^\s\-]+)-(:?IN\|OUT)$/;
	167	return 1 if $name =~ m/^host-(:?IN\|OUT)$/;
	168
	169	return undef;
	170	};
	171
	172	my $table = '';
	173
	174	my $parser = sub {
	175	my $line = shift;
	176
	177	return if $line =~ m/^#/;
	178	return if $line =~ m/^\s*$/;
	179
	180	if ($line =~ m/^\*(\S+)$/) {
	181	$table = $1;
	182	return;
	183	}
	184
	185	return if $table ne 'filter';
	186
	187	if ($line =~ m/^:(\S+)\s/) {
	188	my $chain = $1;
	189	return if !&$is_pvefw_chain($chain);
	190	$res->{$chain} = "unknown";
	191	} elsif ($line =~ m/^-A\s+(\S+)\s.*--log-prefix\s+\"PVESIG:(\S+)\"/) {
	192	my ($chain, $sig) = ($1, $2);
	193	return if !&$is_pvefw_chain($chain);
	194	$res->{$chain} = $sig;
	195	} else {
	196	# simply ignore the rest
	197	return;
	198	}
	199	};
	200
	201	run_command("/sbin/iptables-save", outfunc => $parser);
	202
	203	return $res;
	204	}
	205
	206	sub iptables_chain_exist {
	207	my ($chain) = @_;
	208
	209	eval{
	210	iptables("-n --list $chain");
	211	};
	212	return undef if $@;
	213
	214	return 1;
	215	}
	216
	217	sub iptables_rule_exist {
	218	my ($rule) = @_;
	219
	220	eval{
	221	iptables("-C $rule");
	222	};
	223	return undef if $@;
	224
	225	return 1;
	226	}
	227
	228	sub ruleset_generate_rule {
	229	my ($ruleset, $chain, $rule) = @_;
	230
	231	my $cmd = '';
	232
	233	$cmd .= " -m iprange --src-range" if $rule->{nbsource} && $rule->{nbsource} > 1;
	234	$cmd .= " -s $rule->{source}" if $rule->{source};
	235	$cmd .= " -m iprange --dst-range" if $rule->{nbdest} && $rule->{nbdest} > 1;
	236	$cmd .= " -d $rule->{dest}" if $rule->{destination};
	237	$cmd .= " -p $rule->{proto}" if $rule->{proto};
	238	$cmd .= " --match multiport" if $rule->{nbdport} && $rule->{nbdport} > 1;
	239	$cmd .= " --dport $rule->{dport}" if $rule->{dport};
	240	$cmd .= " --match multiport" if $rule->{nbsport} && $rule->{nbsport} > 1;
	241	$cmd .= " --sport $rule->{sport}" if $rule->{sport};
	242	$cmd .= " -j $rule->{action}" if $rule->{action};
	243
	244	ruleset_addrule($ruleset, $chain, $cmd) if $cmd;
	245	}
	246
	247	sub ruleset_create_chain {
	248	my ($ruleset, $chain) = @_;
	249
	250	die "chain '$chain' already exists\n" if $ruleset->{$chain};
	251
	252	$ruleset->{$chain} = [];
	253	}
	254
	255	sub ruleset_chain_exist {
	256	my ($ruleset, $chain) = @_;
	257
	258	return $ruleset->{$chain} ? 1 : undef;
	259	}
	260
	261	sub ruleset_addrule {
	262	my ($ruleset, $chain, $rule) = @_;
	263
	264	die "no such chain '$chain'\n" if !$ruleset->{$chain};
	265
	266	push @{$ruleset->{$chain}}, "-A $chain $rule";
	267	}
	268
	269	sub ruleset_insertrule {
	270	my ($ruleset, $chain, $rule) = @_;
	271
	272	die "no such chain '$chain'\n" if !$ruleset->{$chain};
	273
	274	unshift @{$ruleset->{$chain}}, "-A $chain $rule";
	275	}
	276
	277	sub generate_bridge_chains {
	278	my ($ruleset, $bridge) = @_;
	279
	280	if (!ruleset_chain_exist($ruleset, "BRIDGEFW-IN")){
	281	ruleset_create_chain($ruleset, "BRIDGEFW-IN");
	282	}
	283
	284	if (!ruleset_chain_exist($ruleset, "BRIDGEFW-OUT")){
	285	ruleset_create_chain($ruleset, "BRIDGEFW-OUT");
	286	}
	287
	288	if (!ruleset_chain_exist($ruleset, "proxmoxfw-FORWARD")){
	289	ruleset_create_chain($ruleset, "proxmoxfw-FORWARD");
	290
	291	ruleset_addrule($ruleset, "proxmoxfw-FORWARD", "-m state --state RELATED,ESTABLISHED -j ACCEPT");
	292	ruleset_addrule($ruleset, "proxmoxfw-FORWARD", "-m physdev --physdev-is-in --physdev-is-bridged -j BRIDGEFW-OUT");
	293	ruleset_addrule($ruleset, "proxmoxfw-FORWARD", "-m physdev --physdev-is-out --physdev-is-bridged -j BRIDGEFW-IN");
	294	}
	295
	296	if (!ruleset_chain_exist($ruleset, "$bridge-IN")) {
	297	ruleset_create_chain($ruleset, "$bridge-IN");
	298	ruleset_addrule($ruleset, "proxmoxfw-FORWARD", "-i $bridge -j DROP"); # disable interbridge routing
	299	ruleset_addrule($ruleset, "BRIDGEFW-IN", "-j $bridge-IN");
	300	ruleset_addrule($ruleset, "$bridge-IN", "-j ACCEPT");
	301	}
	302
	303	if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) {
	304	ruleset_create_chain($ruleset, "$bridge-OUT");
	305	ruleset_addrule($ruleset, "proxmoxfw-FORWARD", "-o $bridge -j DROP"); # disable interbridge routing
	306	ruleset_addrule($ruleset, "BRIDGEFW-OUT", "-j $bridge-OUT");
	307	}
	308	}
	309
	310	sub generate_tap_rules_direction {
	311	my ($ruleset, $iface, $netid, $rules, $bridge, $direction) = @_;
	312
	313	my $tapchain = "$iface-$direction";
	314
	315	ruleset_create_chain($ruleset, $tapchain);
	316
	317	ruleset_addrule($ruleset, $tapchain, "-m state --state INVALID -j DROP");
	318	ruleset_addrule($ruleset, $tapchain, "-m state --state RELATED,ESTABLISHED -j ACCEPT");
	319
	320	if ($rules) {
	321	foreach my $rule (@$rules) {
	322	next if $rule->{iface} && $rule->{iface} ne $netid;
	323	if($rule->{action} =~ m/^(GROUP-(\S+))$/){
	324	$rule->{action} .= "-$direction";
	325	# generate empty group rule if don't exist
	326	if(!ruleset_chain_exist($ruleset, $rule->{action})){
	327	generate_group_rules($ruleset, $2);
	328	}
	329	}
	330	# we go to vmbr-IN if accept in out rules
	331	$rule->{action} = "$bridge-IN" if $rule->{action} eq 'ACCEPT' && $direction eq 'OUT';
	332	ruleset_generate_rule($ruleset, $tapchain, $rule);
	333	}
	334	}
	335
	336	ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-dropped: \" --log-level 4");
	337	ruleset_addrule($ruleset, $tapchain, "-j DROP");
	338
	339	# plug the tap chain to bridge chain
	340	my $physdevdirection = $direction eq 'IN' ? "out" : "in";
	341	my $rule = "-m physdev --physdev-$physdevdirection $iface --physdev-is-bridged -j $tapchain";
	342	ruleset_insertrule($ruleset, "$bridge-$direction", $rule);
	343
	344	if ($direction eq 'OUT'){
	345	# add tap->host rules
	346	my $rule = "-m physdev --physdev-$physdevdirection $iface -j $tapchain";
	347	ruleset_addrule($ruleset, "proxmoxfw-INPUT", $rule);
	348	}
	349	}
	350
	351	sub enablehostfw {
	352	my ($ruleset) = @_;
	353
	354	my $filename = "/etc/pve/local/host.fw";
	355	my $fh = IO::File->new($filename, O_RDONLY);
	356	return if !$fh;
	357
	358	my $rules = parse_fw_rules($filename, $fh);
	359
	360	# host inbound firewall
	361	ruleset_create_chain($ruleset, "host-IN");
	362
	363	ruleset_addrule($ruleset, "host-IN", "-m state --state INVALID -j DROP");
	364	ruleset_addrule($ruleset, "host-IN", "-m state --state RELATED,ESTABLISHED -j ACCEPT");
	365	ruleset_addrule($ruleset, "host-IN", "-i lo -j ACCEPT");
	366	ruleset_addrule($ruleset, "host-IN", "-m addrtype --dst-type MULTICAST -j ACCEPT");
	367	ruleset_addrule($ruleset, "host-IN", "-p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT");
	368	ruleset_addrule($ruleset, "host-IN", "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
	369
	370	if ($rules->{in}) {
	371	foreach my $rule (@{$rules->{in}}) {
	372	# we use RETURN because we need to check also tap rules
	373	$rule->{action} = 'RETURN' if $rule->{action} eq 'ACCEPT';
	374	ruleset_generate_rule($ruleset, "host-IN", $rule);
	375	}
	376	}
	377
	378	ruleset_addrule($ruleset, "host-IN", "-j LOG --log-prefix \"kvmhost-IN dropped: \" --log-level 4");
	379	ruleset_addrule($ruleset, "host-IN", "-j DROP");
	380
	381	# host outbound firewall
	382	ruleset_create_chain($ruleset, "host-OUT");
	383	ruleset_addrule($ruleset, "host-OUT", "-m state --state INVALID -j DROP");
	384	ruleset_addrule($ruleset, "host-OUT", "-m state --state RELATED,ESTABLISHED -j ACCEPT");
	385	ruleset_addrule($ruleset, "host-OUT", "-o lo -j ACCEPT");
	386	ruleset_addrule($ruleset, "host-OUT", "-m addrtype --dst-type MULTICAST -j ACCEPT");
	387	ruleset_addrule($ruleset, "host-OUT", "-p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT");
	388	ruleset_addrule($ruleset, "host-OUT", "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
	389
	390	if ($rules->{out}) {
	391	foreach my $rule (@{$rules->{out}}) {
	392	# we use RETURN because we need to check also tap rules
	393	$rule->{action} = 'RETURN' if $rule->{action} eq 'ACCEPT';
	394	ruleset_generate_rule($ruleset, "host-OUT", $rule);
	395	}
	396	}
	397
	398	ruleset_addrule($ruleset, "host-OUT", "-j LOG --log-prefix \"kvmhost-OUT dropped: \" --log-level 4");
	399	ruleset_addrule($ruleset, "host-OUT", "-j DROP");
	400
	401	ruleset_addrule($ruleset, "proxmoxfw-OUTPUT", "-j host-OUT");
	402	ruleset_addrule($ruleset, "proxmoxfw-INPUT", "-j host-IN");
	403	}
	404
	405	sub generate_group_rules {
	406	my ($ruleset, $group) = @_;
	407
	408	my $filename = "/etc/pve/firewall/groups.fw";
	409	my $fh = IO::File->new($filename, O_RDONLY);
	410	return if !$fh;
	411
	412	my $rules = parse_fw_rules($filename, $fh, $group);
	413
	414	my $chain = "GROUP-${group}-IN";
	415
	416	ruleset_create_chain($ruleset, $chain);
	417
	418	if ($rules->{in}) {
	419	foreach my $rule (@{$rules->{in}}) {
	420	ruleset_generate_rule($ruleset, $chain, $rule);
	421	}
	422	}
	423
	424	$chain = "GROUP-${group}-OUT";
	425
	426	ruleset_create_chain($ruleset, $chain);
	427
	428	if ($rules->{out}) {
	429	foreach my $rule (@{$rules->{out}}) {
	430	# we go the BRIDGEFW-IN because we need to check also other tap rules
	431	# (and group rules can be set on any bridge, so we can't go to VMBRXX-IN)
	432	$rule->{action} = 'BRIDGEFW-IN' if $rule->{action} eq 'ACCEPT';
	433	ruleset_generate_rule($rule, $chain, $rule);
	434	}
	435	}
	436	}
	437
	438	sub parse_fw_rules {
	439	my ($filename, $fh, $group) = @_;
	440
	441	my $section;
	442	my $securitygroup;
	443	my $securitygroupexist;
	444
	445	my $res = { in => [], out => [] };
	446
	447	my $macros = get_firewall_macros();
	448	my $protocols = get_etc_protocols();
	449
	450	while (defined(my $line = <$fh>)) {
	451	next if $line =~ m/^#/;
	452	next if $line =~ m/^\s*$/;
	453
	454	if ($line =~ m/^\[(in\|out)(:(\S+))?\]\s*$/i) {
	455	$section = lc($1);
	456	$securitygroup = lc($3) if $3;
	457	$securitygroupexist = 1 if $securitygroup && $securitygroup eq $group;
	458	next;
	459	}
	460	next if !$section;
	461	next if $group && $securitygroup ne $group;
	462
	463	my ($action, $iface, $source, $dest, $proto, $dport, $sport) =
	464	split(/\s+/, $line);
	465
	466	if (!$action) {
	467	warn "skip incomplete line\n";
	468	next;
	469	}
	470
	471	my $service;
	472	if ($action =~ m/^(ACCEPT\|DROP\|REJECT\|GROUP-(\S+))$/) {
	473	# OK
	474	} elsif ($action =~ m/^(\S+)\((ACCEPT\|DROP\|REJECT)\)$/) {
	475	($service, $action) = ($1, $2);
	476	if (!$macros->{$service}) {
	477	warn "unknown service '$service'\n";
	478	next;
	479	}
	480	} else {
	481	warn "unknown action '$action'\n";
	482	next;
	483	}
	484
	485	$iface = undef if $iface && $iface eq '-';
	486	if ($iface && $iface !~ m/^(net0\|net1\|net2\|net3\|net4\|net5)$/) {
	487	warn "unknown interface '$iface'\n";
	488	next;
	489	}
	490
	491	$proto = undef if $proto && $proto eq '-';
	492	if ($proto && !(defined($protocols->{byname}->{$proto}) \|\|
	493	defined($protocols->{byid}->{$proto}))) {
	494	warn "unknown protokol '$proto'\n";
	495	next;
	496	}
	497
	498	$source = undef if $source && $source eq '-';
	499	$dest = undef if $dest && $dest eq '-';
	500
	501	$dport = undef if $dport && $dport eq '-';
	502	$sport = undef if $sport && $sport eq '-';
	503	my $nbdport = undef;
	504	my $nbsport = undef;
	505	my $nbsource = undef;
	506	my $nbdest = undef;
	507
	508	eval {
	509	$nbsource = parse_address_list($source) if $source;
	510	$nbdest = parse_address_list($dest) if $dest;
	511	$nbdport = parse_port_name_number_or_range($dport) if $dport;
	512	$nbsport = parse_port_name_number_or_range($sport) if $sport;
	513	};
	514	if (my $err = $@) {
	515	warn $err;
	516	next;
	517
	518	}
	519
	520
	521	my $rule = {
	522	action => $action,
	523	service => $service,
	524	iface => $iface,
	525	source => $source,
	526	dest => $dest,
	527	nbsource => $nbsource,
	528	nbdest => $nbdest,
	529	proto => $proto,
	530	dport => $dport,
	531	sport => $sport,
	532	nbdport => $nbdport,
	533	nbsport => $nbsport,
	534
	535	};
	536
	537	push @{$res->{$section}}, $rule;
	538	}
	539
	540	die "security group $group don't exist" if $group && !$securitygroupexist;
	541	return $res;
	542	}
	543
	544	sub run_locked {
	545	my ($code, @param) = @_;
	546
	547	my $timeout = 10;
	548
	549	my $res = lock_file($pve_fw_lock_filename, $timeout, $code, @param);
	550
	551	die $@ if $@;
	552
	553	return $res;
	554	}
	555
	556	sub read_local_vm_config {
	557
	558	my $openvz = {};
	559
	560	my $qemu = {};
	561
	562	my $list = PVE::QemuServer::config_list();
	563
	564	foreach my $vmid (keys %$list) {
	565	my $cfspath = PVE::QemuServer::cfs_config_path($vmid);
	566	if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) {
	567	$qemu->{$vmid} = $conf;
	568	}
	569	}
	570
	571	my $vmdata = { openvz => $openvz, qemu => $qemu };
	572
	573	return $vmdata;
	574	};
	575
	576	sub read_vm_firewall_rules {
	577	my ($vmdata) = @_;
	578	my $rules = {};
	579	foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) {
	580	my $filename = "/etc/pve/firewall/$vmid.fw";
	581	my $fh = IO::File->new($filename, O_RDONLY);
	582	next if !$fh;
	583
	584	$rules->{$vmid} = parse_fw_rules($filename, $fh);
	585	}
	586
	587	return $rules;
	588	}
	589
	590	sub compile {
	591	my $vmdata = read_local_vm_config();
	592	my $rules = read_vm_firewall_rules($vmdata);
	593
	594	#print Dumper($rules);
	595
	596	my $ruleset = {};
	597
	598	# setup host firewall rules
	599	ruleset_create_chain($ruleset, "proxmoxfw-INPUT");
	600	ruleset_create_chain($ruleset, "proxmoxfw-OUTPUT");
	601
	602	enablehostfw($ruleset);
	603
	604	# generate firewall rules for QEMU VMs
	605	foreach my $vmid (keys %{$vmdata->{qemu}}) {
	606	my $conf = $vmdata->{qemu}->{$vmid};
	607	next if !$rules->{$vmid};
	608
	609	foreach my $netid (keys %$conf) {
	610	next if $netid !~ m/^net(\d+)$/;
	611	my $net = PVE::QemuServer::parse_net($conf->{$netid});
	612	next if !$net;
	613	my $iface = "tap${vmid}i$1";
	614
	615	my $bridge = $net->{bridge};
	616	next if !$bridge; # fixme: ?
	617
	618	$bridge .= "v$net->{tag}" if $net->{tag};
	619
	620	generate_bridge_chains($ruleset, $bridge);
	621
	622	generate_tap_rules_direction($ruleset, $iface, $netid, $rules->{$vmid}->{in}, $bridge, 'IN');
	623	generate_tap_rules_direction($ruleset, $iface, $netid, $rules->{$vmid}->{out}, $bridge, 'OUT');
	624	}
	625	}
	626	return $ruleset;
	627	}
	628
	629	sub get_ruleset_status {
	630	my ($ruleset, $verbose) = @_;
	631
	632	my $active_chains = iptables_get_chains();
	633
	634	my $statushash = {};
	635
	636	foreach my $chain (sort keys %$ruleset) {
	637	my $digest = Digest::MD5->new();
	638	foreach my $cmd (@{$ruleset->{$chain}}) {
	639	$digest->add("$cmd\n");
	640	}
	641	my $sig = $digest->b64digest;
	642	$statushash->{$chain}->{sig} = $sig;
	643
	644	my $oldsig = $active_chains->{$chain};
	645	if (!defined($oldsig)) {
	646	$statushash->{$chain}->{action} = 'create';
	647	} else {
	648	if ($oldsig eq $sig) {
	649	$statushash->{$chain}->{action} = 'exists';
	650	} else {
	651	$statushash->{$chain}->{action} = 'update';
	652	}
	653	}
	654	print "$statushash->{$chain}->{action} $chain ($sig)\n" if $verbose;
	655	foreach my $cmd (@{$ruleset->{$chain}}) {
	656	print "\t$cmd\n" if $verbose;
	657	}
	658	}
	659
	660	foreach my $chain (sort keys %$active_chains) {
	661	if (!defined($ruleset->{$chain})) {
	662	my $sig = $active_chains->{$chain};
	663	$statushash->{$chain}->{action} = 'delete';
	664	$statushash->{$chain}->{sig} = $sig;
	665	print "delete $chain ($sig)\n" if $verbose;
	666	}
	667	}
	668
	669	return $statushash;
	670	}
	671
	672	sub print_ruleset {
	673	my ($ruleset) = @_;
	674
	675	get_ruleset_status($ruleset, 1);
	676	}
	677
	678	sub print_sig_rule {
	679	my ($chain, $sig) = @_;
	680
	681	# Note: This rule should never match! We just use this hack to store a SHA1 checksum
	682	# used to detect changes
	683	return "-A $chain -j LOG --log-prefix \"PVESIG:$sig\" -p tcp -s \"127.128.129.130\" --dport 1\n";
	684	}
	685
	686	sub compile_and_start {
	687	my ($verbose) = @_;
	688
	689	my $ruleset = compile();
	690
	691	my $cmdlist = "*filter\n"; # we pass this to iptables-restore;
	692
	693	my $statushash = get_ruleset_status($ruleset, $verbose);
	694
	695	# create missing chains first
	696	foreach my $chain (sort keys %$ruleset) {
	697	my $stat = $statushash->{$chain};
	698	die "internal error" if !$stat;
	699	next if $stat->{action} ne 'create';
	700
	701	$cmdlist .= ":$chain - [0:0]\n";
	702	}
	703
	704	my $rule = "INPUT -j proxmoxfw-INPUT";
	705	if (!PVE::Firewall::iptables_rule_exist($rule)) {
	706	$cmdlist .= "-A $rule\n";
	707	}
	708	$rule = "OUTPUT -j proxmoxfw-OUTPUT";
	709	if (!PVE::Firewall::iptables_rule_exist($rule)) {
	710	$cmdlist .= "-A $rule\n";
	711	}
	712
	713	$rule = "FORWARD -j proxmoxfw-FORWARD";
	714	if (!PVE::Firewall::iptables_rule_exist($rule)) {
	715	$cmdlist .= "-A $rule\n";
	716	}
	717
	718	foreach my $chain (sort keys %$ruleset) {
	719	my $stat = $statushash->{$chain};
	720	die "internal error" if !$stat;
	721
	722	if ($stat->{action} eq 'update' \|\| $stat->{action} eq 'create') {
	723	$cmdlist .= "-F $chain\n";
	724	foreach my $cmd (@{$ruleset->{$chain}}) {
	725	$cmdlist .= "$cmd\n";
	726	}
	727	$cmdlist .= print_sig_rule($chain, $stat->{sig});
	728	} elsif ($stat->{action} eq 'delete') {
	729	$cmdlist .= "-F $chain\n";
	730	$cmdlist .= "-X $chain\n";
	731	} elsif ($stat->{action} eq 'exists') {
	732	# do nothing
	733	} else {
	734	die "internal error - unknown status '$stat->{action}'";
	735	}
	736	}
	737
	738	$cmdlist .= "COMMIT\n";
	739
	740	print $cmdlist if $verbose;
	741
	742	iptables_restore_cmdlist($cmdlist);
	743
	744	# test: re-read status and check if everything is up to date
	745	$statushash = get_ruleset_status($ruleset);
	746
	747	my $errors;
	748	foreach my $chain (sort keys %$ruleset) {
	749	my $stat = $statushash->{$chain};
	750	if ($stat->{action} ne 'exists') {
	751	warn "unable to update chain '$chain'\n";
	752	$errors = 1;
	753	}
	754	}
	755
	756	die "unable to apply firewall changes\n" if $errors;
	757	}
	758
	759	1;