cleanup chain names
[pve-firewall.git] / PVE / Firewall.pm
1 package PVE::Firewall;
2
3 use warnings;
4 use strict;
5 use Data::Dumper;
6 use Digest::MD5;
7 use PVE::Tools;
8 use PVE::QemuServer;
9 use File::Path;
10 use IO::File;
11 use Net::IP;
12 use PVE::Tools qw(run_command lock_file);
13
14 use Data::Dumper;
15
16 my $pve_fw_lock_filename = "/var/lock/pvefw.lck";
17
18 my $macros;
19
20 # todo: implement some kind of MACROS, like shorewall /usr/share/shorewall/macro.*
21 sub get_firewall_macros {
22
23 return $macros if $macros;
24
25 #foreach my $path (</usr/share/shorewall/macro.*>) {
26 # if ($path =~ m|/macro\.(\S+)$|) {
27 # $macros->{$1} = 1;
28 # }
29 #}
30
31 $macros = {}; # fixme: implemet me
32
33 return $macros;
34 }
35
36 my $etc_services;
37
38 sub get_etc_services {
39
40 return $etc_services if $etc_services;
41
42 my $filename = "/etc/services";
43
44 my $fh = IO::File->new($filename, O_RDONLY);
45 if (!$fh) {
46 warn "unable to read '$filename' - $!\n";
47 return {};
48 }
49
50 my $services = {};
51
52 while (my $line = <$fh>) {
53 chomp ($line);
54 next if $line =~m/^#/;
55 next if ($line =~m/^\s*$/);
56
57 if ($line =~ m!^(\S+)\s+(\S+)/(tcp|udp).*$!) {
58 $services->{byid}->{$2}->{name} = $1;
59 $services->{byid}->{$2}->{$3} = 1;
60 $services->{byname}->{$1} = $services->{byid}->{$2};
61 }
62 }
63
64 close($fh);
65
66 $etc_services = $services;
67
68
69 return $etc_services;
70 }
71
72 my $etc_protocols;
73
74 sub get_etc_protocols {
75 return $etc_protocols if $etc_protocols;
76
77 my $filename = "/etc/protocols";
78
79 my $fh = IO::File->new($filename, O_RDONLY);
80 if (!$fh) {
81 warn "unable to read '$filename' - $!\n";
82 return {};
83 }
84
85 my $protocols = {};
86
87 while (my $line = <$fh>) {
88 chomp ($line);
89 next if $line =~m/^#/;
90 next if ($line =~m/^\s*$/);
91
92 if ($line =~ m!^(\S+)\s+(\d+)\s+.*$!) {
93 $protocols->{byid}->{$2}->{name} = $1;
94 $protocols->{byname}->{$1} = $protocols->{byid}->{$2};
95 }
96 }
97
98 close($fh);
99
100 $etc_protocols = $protocols;
101
102 return $etc_protocols;
103 }
104
105 sub parse_address_list {
106 my ($str) = @_;
107
108 my $nbaor = 0;
109 foreach my $aor (split(/,/, $str)) {
110 if (!Net::IP->new($aor)) {
111 my $err = Net::IP::Error();
112 die "invalid IP address: $err\n";
113 }else{
114 $nbaor++;
115 }
116 }
117 return $nbaor;
118 }
119
120 sub parse_port_name_number_or_range {
121 my ($str) = @_;
122
123 my $services = PVE::Firewall::get_etc_services();
124 my $nbports = 0;
125 foreach my $item (split(/,/, $str)) {
126 my $portlist = "";
127 foreach my $pon (split(':', $item, 2)) {
128 if ($pon =~ m/^\d+$/){
129 die "invalid port '$pon'\n" if $pon < 0 && $pon > 65536;
130 }else{
131 die "invalid port $services->{byname}->{$pon}\n" if !$services->{byname}->{$pon};
132 }
133 $nbports++;
134 }
135 }
136
137 return ($nbports);
138 }
139
140 my $rule_format = "%-15s %-30s %-30s %-15s %-15s %-15s\n";
141
142 sub iptables {
143 my ($cmd) = @_;
144
145 run_command("/sbin/iptables $cmd", outfunc => sub {}, errfunc => sub {});
146 }
147
148 sub iptables_restore_cmdlist {
149 my ($cmdlist) = @_;
150
151 run_command("/sbin/iptables-restore -n", input => $cmdlist);
152 }
153
154 sub iptables_get_chains {
155
156 my $res = {};
157
158 # check what chains we want to track
159 my $is_pvefw_chain = sub {
160 my $name = shift;
161
162 return 1 if $name =~ m/^PVEFW-\S+$/;
163
164 return 1 if $name =~ m/^tap\d+i\d+-(:?IN|OUT)$/;
165 return 1 if $name =~ m/^vmbr\d+-(:?IN|OUT)$/;
166 return 1 if $name =~ m/^GROUP-(:?[^\s\-]+)-(:?IN|OUT)$/;
167
168 return undef;
169 };
170
171 my $table = '';
172
173 my $parser = sub {
174 my $line = shift;
175
176 return if $line =~ m/^#/;
177 return if $line =~ m/^\s*$/;
178
179 if ($line =~ m/^\*(\S+)$/) {
180 $table = $1;
181 return;
182 }
183
184 return if $table ne 'filter';
185
186 if ($line =~ m/^:(\S+)\s/) {
187 my $chain = $1;
188 return if !&$is_pvefw_chain($chain);
189 $res->{$chain} = "unknown";
190 } elsif ($line =~ m/^-A\s+(\S+)\s.*--log-prefix\s+\"PVESIG:(\S+)\"/) {
191 my ($chain, $sig) = ($1, $2);
192 return if !&$is_pvefw_chain($chain);
193 $res->{$chain} = $sig;
194 } else {
195 # simply ignore the rest
196 return;
197 }
198 };
199
200 run_command("/sbin/iptables-save", outfunc => $parser);
201
202 return $res;
203 }
204
205 sub iptables_chain_exist {
206 my ($chain) = @_;
207
208 eval{
209 iptables("-n --list $chain");
210 };
211 return undef if $@;
212
213 return 1;
214 }
215
216 sub iptables_rule_exist {
217 my ($rule) = @_;
218
219 eval{
220 iptables("-C $rule");
221 };
222 return undef if $@;
223
224 return 1;
225 }
226
227 sub ruleset_generate_rule {
228 my ($ruleset, $chain, $rule) = @_;
229
230 my $cmd = '';
231
232 $cmd .= " -m iprange --src-range" if $rule->{nbsource} && $rule->{nbsource} > 1;
233 $cmd .= " -s $rule->{source}" if $rule->{source};
234 $cmd .= " -m iprange --dst-range" if $rule->{nbdest} && $rule->{nbdest} > 1;
235 $cmd .= " -d $rule->{dest}" if $rule->{destination};
236 $cmd .= " -p $rule->{proto}" if $rule->{proto};
237 $cmd .= " --match multiport" if $rule->{nbdport} && $rule->{nbdport} > 1;
238 $cmd .= " --dport $rule->{dport}" if $rule->{dport};
239 $cmd .= " --match multiport" if $rule->{nbsport} && $rule->{nbsport} > 1;
240 $cmd .= " --sport $rule->{sport}" if $rule->{sport};
241 $cmd .= " -j $rule->{action}" if $rule->{action};
242
243 ruleset_addrule($ruleset, $chain, $cmd) if $cmd;
244 }
245
246 sub ruleset_create_chain {
247 my ($ruleset, $chain) = @_;
248
249 die "chain '$chain' already exists\n" if $ruleset->{$chain};
250
251 $ruleset->{$chain} = [];
252 }
253
254 sub ruleset_chain_exist {
255 my ($ruleset, $chain) = @_;
256
257 return $ruleset->{$chain} ? 1 : undef;
258 }
259
260 sub ruleset_addrule {
261 my ($ruleset, $chain, $rule) = @_;
262
263 die "no such chain '$chain'\n" if !$ruleset->{$chain};
264
265 push @{$ruleset->{$chain}}, "-A $chain $rule";
266 }
267
268 sub ruleset_insertrule {
269 my ($ruleset, $chain, $rule) = @_;
270
271 die "no such chain '$chain'\n" if !$ruleset->{$chain};
272
273 unshift @{$ruleset->{$chain}}, "-A $chain $rule";
274 }
275
276 sub generate_bridge_chains {
277 my ($ruleset, $bridge) = @_;
278
279 if (!ruleset_chain_exist($ruleset, "PVEFW-BRIDGE-IN")){
280 ruleset_create_chain($ruleset, "PVEFW-BRIDGE-IN");
281 }
282
283 if (!ruleset_chain_exist($ruleset, "PVEFW-BRIDGE-OUT")){
284 ruleset_create_chain($ruleset, "PVEFW-BRIDGE-OUT");
285 }
286
287 if (!ruleset_chain_exist($ruleset, "PVEFW-FORWARD")){
288 ruleset_create_chain($ruleset, "PVEFW-FORWARD");
289
290 ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m state --state RELATED,ESTABLISHED -j ACCEPT");
291 ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-in --physdev-is-bridged -j PVEFW-BRIDGE-OUT");
292 ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-out --physdev-is-bridged -j PVEFW-BRIDGE-IN");
293 }
294
295 if (!ruleset_chain_exist($ruleset, "$bridge-IN")) {
296 ruleset_create_chain($ruleset, "$bridge-IN");
297 ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); # disable interbridge routing
298 ruleset_addrule($ruleset, "PVEFW-BRIDGE-IN", "-j $bridge-IN");
299 ruleset_addrule($ruleset, "$bridge-IN", "-j ACCEPT");
300 }
301
302 if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) {
303 ruleset_create_chain($ruleset, "$bridge-OUT");
304 ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP"); # disable interbridge routing
305 ruleset_addrule($ruleset, "PVEFW-BRIDGE-OUT", "-j $bridge-OUT");
306 }
307 }
308
309 sub generate_tap_rules_direction {
310 my ($ruleset, $iface, $netid, $rules, $bridge, $direction) = @_;
311
312 my $tapchain = "$iface-$direction";
313
314 ruleset_create_chain($ruleset, $tapchain);
315
316 ruleset_addrule($ruleset, $tapchain, "-m state --state INVALID -j DROP");
317 ruleset_addrule($ruleset, $tapchain, "-m state --state RELATED,ESTABLISHED -j ACCEPT");
318
319 if ($rules) {
320 foreach my $rule (@$rules) {
321 next if $rule->{iface} && $rule->{iface} ne $netid;
322 if($rule->{action} =~ m/^(GROUP-(\S+))$/){
323 $rule->{action} .= "-$direction";
324 # generate empty group rule if don't exist
325 if(!ruleset_chain_exist($ruleset, $rule->{action})){
326 generate_group_rules($ruleset, $2);
327 }
328 }
329 # we go to vmbr-IN if accept in out rules
330 $rule->{action} = "$bridge-IN" if $rule->{action} eq 'ACCEPT' && $direction eq 'OUT';
331 ruleset_generate_rule($ruleset, $tapchain, $rule);
332 }
333 }
334
335 ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-dropped: \" --log-level 4");
336 ruleset_addrule($ruleset, $tapchain, "-j DROP");
337
338 # plug the tap chain to bridge chain
339 my $physdevdirection = $direction eq 'IN' ? "out" : "in";
340 my $rule = "-m physdev --physdev-$physdevdirection $iface --physdev-is-bridged -j $tapchain";
341 ruleset_insertrule($ruleset, "$bridge-$direction", $rule);
342
343 if ($direction eq 'OUT'){
344 # add tap->host rules
345 my $rule = "-m physdev --physdev-$physdevdirection $iface -j $tapchain";
346 ruleset_addrule($ruleset, "PVEFW-INPUT", $rule);
347 }
348 }
349
350 sub enablehostfw {
351 my ($ruleset) = @_;
352
353 my $filename = "/etc/pve/local/host.fw";
354 my $fh = IO::File->new($filename, O_RDONLY);
355 return if !$fh;
356
357 my $rules = parse_fw_rules($filename, $fh);
358
359 # host inbound firewall
360 my $chain = "PVEFW-HOST-IN";
361 ruleset_create_chain($ruleset, $chain);
362
363 ruleset_addrule($ruleset, $chain, "-m state --state INVALID -j DROP");
364 ruleset_addrule($ruleset, $chain, "-m state --state RELATED,ESTABLISHED -j ACCEPT");
365 ruleset_addrule($ruleset, $chain, "-i lo -j ACCEPT");
366 ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
367 ruleset_addrule($ruleset, $chain, "-p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT");
368 ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
369
370 if ($rules->{in}) {
371 foreach my $rule (@{$rules->{in}}) {
372 # we use RETURN because we need to check also tap rules
373 $rule->{action} = 'RETURN' if $rule->{action} eq 'ACCEPT';
374 ruleset_generate_rule($ruleset, $chain, $rule);
375 }
376 }
377
378 ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"kvmhost-IN dropped: \" --log-level 4");
379 ruleset_addrule($ruleset, $chain, "-j DROP");
380
381 # host outbound firewall
382 my $chain = "PVEFW-HOST-OUT";
383 ruleset_create_chain($ruleset, $chain);
384
385 ruleset_addrule($ruleset, $chain, "-m state --state INVALID -j DROP");
386 ruleset_addrule($ruleset, $chain, "-m state --state RELATED,ESTABLISHED -j ACCEPT");
387 ruleset_addrule($ruleset, $chain, "-o lo -j ACCEPT");
388 ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
389 ruleset_addrule($ruleset, $chain, "-p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT");
390 ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
391
392 if ($rules->{out}) {
393 foreach my $rule (@{$rules->{out}}) {
394 # we use RETURN because we need to check also tap rules
395 $rule->{action} = 'RETURN' if $rule->{action} eq 'ACCEPT';
396 ruleset_generate_rule($ruleset, $chain, $rule);
397 }
398 }
399
400 ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"kvmhost-OUT dropped: \" --log-level 4");
401 ruleset_addrule($ruleset, $chain, "-j DROP");
402
403 ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT");
404 ruleset_addrule($ruleset, "PVEFW-INPUT", "-j PVEFW-HOST-IN");
405 }
406
407 sub generate_group_rules {
408 my ($ruleset, $group) = @_;
409
410 my $filename = "/etc/pve/firewall/groups.fw";
411 my $fh = IO::File->new($filename, O_RDONLY);
412 return if !$fh;
413
414 my $rules = parse_fw_rules($filename, $fh, $group);
415
416 my $chain = "GROUP-${group}-IN";
417
418 ruleset_create_chain($ruleset, $chain);
419
420 if ($rules->{in}) {
421 foreach my $rule (@{$rules->{in}}) {
422 ruleset_generate_rule($ruleset, $chain, $rule);
423 }
424 }
425
426 $chain = "GROUP-${group}-OUT";
427
428 ruleset_create_chain($ruleset, $chain);
429
430 if ($rules->{out}) {
431 foreach my $rule (@{$rules->{out}}) {
432 # we go the PVEFW-BRIDGE-IN because we need to check also other tap rules
433 # (and group rules can be set on any bridge, so we can't go to VMBRXX-IN)
434 $rule->{action} = 'PVEFW-BRIDGE-IN' if $rule->{action} eq 'ACCEPT';
435 ruleset_generate_rule($rule, $chain, $rule);
436 }
437 }
438 }
439
440 sub parse_fw_rules {
441 my ($filename, $fh, $group) = @_;
442
443 my $section;
444 my $securitygroup;
445 my $securitygroupexist;
446
447 my $res = { in => [], out => [] };
448
449 my $macros = get_firewall_macros();
450 my $protocols = get_etc_protocols();
451
452 while (defined(my $line = <$fh>)) {
453 next if $line =~ m/^#/;
454 next if $line =~ m/^\s*$/;
455
456 if ($line =~ m/^\[(in|out)(:(\S+))?\]\s*$/i) {
457 $section = lc($1);
458 $securitygroup = lc($3) if $3;
459 $securitygroupexist = 1 if $securitygroup && $securitygroup eq $group;
460 next;
461 }
462 next if !$section;
463 next if $group && $securitygroup ne $group;
464
465 my ($action, $iface, $source, $dest, $proto, $dport, $sport) =
466 split(/\s+/, $line);
467
468 if (!$action) {
469 warn "skip incomplete line\n";
470 next;
471 }
472
473 my $service;
474 if ($action =~ m/^(ACCEPT|DROP|REJECT|GROUP-(\S+))$/) {
475 # OK
476 } elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) {
477 ($service, $action) = ($1, $2);
478 if (!$macros->{$service}) {
479 warn "unknown service '$service'\n";
480 next;
481 }
482 } else {
483 warn "unknown action '$action'\n";
484 next;
485 }
486
487 $iface = undef if $iface && $iface eq '-';
488 if ($iface && $iface !~ m/^(net0|net1|net2|net3|net4|net5)$/) {
489 warn "unknown interface '$iface'\n";
490 next;
491 }
492
493 $proto = undef if $proto && $proto eq '-';
494 if ($proto && !(defined($protocols->{byname}->{$proto}) ||
495 defined($protocols->{byid}->{$proto}))) {
496 warn "unknown protokol '$proto'\n";
497 next;
498 }
499
500 $source = undef if $source && $source eq '-';
501 $dest = undef if $dest && $dest eq '-';
502
503 $dport = undef if $dport && $dport eq '-';
504 $sport = undef if $sport && $sport eq '-';
505 my $nbdport = undef;
506 my $nbsport = undef;
507 my $nbsource = undef;
508 my $nbdest = undef;
509
510 eval {
511 $nbsource = parse_address_list($source) if $source;
512 $nbdest = parse_address_list($dest) if $dest;
513 $nbdport = parse_port_name_number_or_range($dport) if $dport;
514 $nbsport = parse_port_name_number_or_range($sport) if $sport;
515 };
516 if (my $err = $@) {
517 warn $err;
518 next;
519
520 }
521
522
523 my $rule = {
524 action => $action,
525 service => $service,
526 iface => $iface,
527 source => $source,
528 dest => $dest,
529 nbsource => $nbsource,
530 nbdest => $nbdest,
531 proto => $proto,
532 dport => $dport,
533 sport => $sport,
534 nbdport => $nbdport,
535 nbsport => $nbsport,
536
537 };
538
539 push @{$res->{$section}}, $rule;
540 }
541
542 die "security group $group don't exist" if $group && !$securitygroupexist;
543 return $res;
544 }
545
546 sub run_locked {
547 my ($code, @param) = @_;
548
549 my $timeout = 10;
550
551 my $res = lock_file($pve_fw_lock_filename, $timeout, $code, @param);
552
553 die $@ if $@;
554
555 return $res;
556 }
557
558 sub read_local_vm_config {
559
560 my $openvz = {};
561
562 my $qemu = {};
563
564 my $list = PVE::QemuServer::config_list();
565
566 foreach my $vmid (keys %$list) {
567 my $cfspath = PVE::QemuServer::cfs_config_path($vmid);
568 if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) {
569 $qemu->{$vmid} = $conf;
570 }
571 }
572
573 my $vmdata = { openvz => $openvz, qemu => $qemu };
574
575 return $vmdata;
576 };
577
578 sub read_vm_firewall_rules {
579 my ($vmdata) = @_;
580 my $rules = {};
581 foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) {
582 my $filename = "/etc/pve/firewall/$vmid.fw";
583 my $fh = IO::File->new($filename, O_RDONLY);
584 next if !$fh;
585
586 $rules->{$vmid} = parse_fw_rules($filename, $fh);
587 }
588
589 return $rules;
590 }
591
592 sub compile {
593 my $vmdata = read_local_vm_config();
594 my $rules = read_vm_firewall_rules($vmdata);
595
596 #print Dumper($rules);
597
598 my $ruleset = {};
599
600 # setup host firewall rules
601 ruleset_create_chain($ruleset, "PVEFW-INPUT");
602 ruleset_create_chain($ruleset, "PVEFW-OUTPUT");
603
604 enablehostfw($ruleset);
605
606 # generate firewall rules for QEMU VMs
607 foreach my $vmid (keys %{$vmdata->{qemu}}) {
608 my $conf = $vmdata->{qemu}->{$vmid};
609 next if !$rules->{$vmid};
610
611 foreach my $netid (keys %$conf) {
612 next if $netid !~ m/^net(\d+)$/;
613 my $net = PVE::QemuServer::parse_net($conf->{$netid});
614 next if !$net;
615 my $iface = "tap${vmid}i$1";
616
617 my $bridge = $net->{bridge};
618 next if !$bridge; # fixme: ?
619
620 $bridge .= "v$net->{tag}" if $net->{tag};
621
622 generate_bridge_chains($ruleset, $bridge);
623
624 generate_tap_rules_direction($ruleset, $iface, $netid, $rules->{$vmid}->{in}, $bridge, 'IN');
625 generate_tap_rules_direction($ruleset, $iface, $netid, $rules->{$vmid}->{out}, $bridge, 'OUT');
626 }
627 }
628 return $ruleset;
629 }
630
631 sub get_ruleset_status {
632 my ($ruleset, $verbose) = @_;
633
634 my $active_chains = iptables_get_chains();
635
636 my $statushash = {};
637
638 foreach my $chain (sort keys %$ruleset) {
639 my $digest = Digest::MD5->new();
640 foreach my $cmd (@{$ruleset->{$chain}}) {
641 $digest->add("$cmd\n");
642 }
643 my $sig = $digest->b64digest;
644 $statushash->{$chain}->{sig} = $sig;
645
646 my $oldsig = $active_chains->{$chain};
647 if (!defined($oldsig)) {
648 $statushash->{$chain}->{action} = 'create';
649 } else {
650 if ($oldsig eq $sig) {
651 $statushash->{$chain}->{action} = 'exists';
652 } else {
653 $statushash->{$chain}->{action} = 'update';
654 }
655 }
656 print "$statushash->{$chain}->{action} $chain ($sig)\n" if $verbose;
657 foreach my $cmd (@{$ruleset->{$chain}}) {
658 print "\t$cmd\n" if $verbose;
659 }
660 }
661
662 foreach my $chain (sort keys %$active_chains) {
663 if (!defined($ruleset->{$chain})) {
664 my $sig = $active_chains->{$chain};
665 $statushash->{$chain}->{action} = 'delete';
666 $statushash->{$chain}->{sig} = $sig;
667 print "delete $chain ($sig)\n" if $verbose;
668 }
669 }
670
671 return $statushash;
672 }
673
674 sub print_ruleset {
675 my ($ruleset) = @_;
676
677 get_ruleset_status($ruleset, 1);
678 }
679
680 sub print_sig_rule {
681 my ($chain, $sig) = @_;
682
683 # Note: This rule should never match! We just use this hack to store a SHA1 checksum
684 # used to detect changes
685 return "-A $chain -j LOG --log-prefix \"PVESIG:$sig\" -p tcp -s \"127.128.129.130\" --dport 1\n";
686 }
687
688 sub compile_and_start {
689 my ($verbose) = @_;
690
691 my $ruleset = compile();
692
693 my $cmdlist = "*filter\n"; # we pass this to iptables-restore;
694
695 my $statushash = get_ruleset_status($ruleset, $verbose);
696
697 # create missing chains first
698 foreach my $chain (sort keys %$ruleset) {
699 my $stat = $statushash->{$chain};
700 die "internal error" if !$stat;
701 next if $stat->{action} ne 'create';
702
703 $cmdlist .= ":$chain - [0:0]\n";
704 }
705
706 my $rule = "INPUT -j PVEFW-INPUT";
707 if (!PVE::Firewall::iptables_rule_exist($rule)) {
708 $cmdlist .= "-A $rule\n";
709 }
710 $rule = "OUTPUT -j PVEFW-OUTPUT";
711 if (!PVE::Firewall::iptables_rule_exist($rule)) {
712 $cmdlist .= "-A $rule\n";
713 }
714
715 $rule = "FORWARD -j PVEFW-FORWARD";
716 if (!PVE::Firewall::iptables_rule_exist($rule)) {
717 $cmdlist .= "-A $rule\n";
718 }
719
720 foreach my $chain (sort keys %$ruleset) {
721 my $stat = $statushash->{$chain};
722 die "internal error" if !$stat;
723
724 if ($stat->{action} eq 'update' || $stat->{action} eq 'create') {
725 $cmdlist .= "-F $chain\n";
726 foreach my $cmd (@{$ruleset->{$chain}}) {
727 $cmdlist .= "$cmd\n";
728 }
729 $cmdlist .= print_sig_rule($chain, $stat->{sig});
730 } elsif ($stat->{action} eq 'delete') {
731 $cmdlist .= "-F $chain\n";
732 $cmdlist .= "-X $chain\n";
733 } elsif ($stat->{action} eq 'exists') {
734 # do nothing
735 } else {
736 die "internal error - unknown status '$stat->{action}'";
737 }
738 }
739
740 $cmdlist .= "COMMIT\n";
741
742 print $cmdlist if $verbose;
743
744 iptables_restore_cmdlist($cmdlist);
745
746 # test: re-read status and check if everything is up to date
747 $statushash = get_ruleset_status($ruleset);
748
749 my $errors;
750 foreach my $chain (sort keys %$ruleset) {
751 my $stat = $statushash->{$chain};
752 if ($stat->{action} ne 'exists') {
753 warn "unable to update chain '$chain'\n";
754 $errors = 1;
755 }
756 }
757
758 die "unable to apply firewall changes\n" if $errors;
759 }
760
761 1;