12 use PVE
::Tools
qw(run_command lock_file);
16 my $pve_fw_lock_filename = "/var/lock/pvefw.lck";
20 # todo: implement some kind of MACROS, like shorewall /usr/share/shorewall/macro.*
21 sub get_firewall_macros
{
23 return $macros if $macros;
25 #foreach my $path (</usr/share/shorewall/macro.*>) {
26 # if ($path =~ m|/macro\.(\S+)$|) {
31 $macros = {}; # fixme: implemet me
38 sub get_etc_services
{
40 return $etc_services if $etc_services;
42 my $filename = "/etc/services";
44 my $fh = IO
::File-
>new($filename, O_RDONLY
);
46 warn "unable to read '$filename' - $!\n";
52 while (my $line = <$fh>) {
54 next if $line =~m/^#/;
55 next if ($line =~m/^\s*$/);
57 if ($line =~ m!^(\S+)\s+(\S+)/(tcp|udp).*$!) {
58 $services->{byid
}->{$2}->{name
} = $1;
59 $services->{byid
}->{$2}->{$3} = 1;
60 $services->{byname
}->{$1} = $services->{byid
}->{$2};
66 $etc_services = $services;
74 sub get_etc_protocols
{
75 return $etc_protocols if $etc_protocols;
77 my $filename = "/etc/protocols";
79 my $fh = IO
::File-
>new($filename, O_RDONLY
);
81 warn "unable to read '$filename' - $!\n";
87 while (my $line = <$fh>) {
89 next if $line =~m/^#/;
90 next if ($line =~m/^\s*$/);
92 if ($line =~ m!^(\S+)\s+(\d+)\s+.*$!) {
93 $protocols->{byid
}->{$2}->{name
} = $1;
94 $protocols->{byname
}->{$1} = $protocols->{byid
}->{$2};
100 $etc_protocols = $protocols;
102 return $etc_protocols;
105 sub parse_address_list
{
109 foreach my $aor (split(/,/, $str)) {
110 if (!Net
::IP-
>new($aor)) {
111 my $err = Net
::IP
::Error
();
112 die "invalid IP address: $err\n";
120 sub parse_port_name_number_or_range
{
123 my $services = PVE
::Firewall
::get_etc_services
();
125 foreach my $item (split(/,/, $str)) {
127 foreach my $pon (split(':', $item, 2)) {
128 if ($pon =~ m/^\d+$/){
129 die "invalid port '$pon'\n" if $pon < 0 && $pon > 65536;
131 die "invalid port $services->{byname}->{$pon}\n" if !$services->{byname
}->{$pon};
140 my $rule_format = "%-15s %-30s %-30s %-15s %-15s %-15s\n";
145 run_command
("/sbin/iptables $cmd", outfunc
=> sub {}, errfunc
=> sub {});
148 sub iptables_restore_cmdlist
{
151 run_command
("/sbin/iptables-restore -n", input
=> $cmdlist);
154 sub iptables_get_chains
{
158 # check what chains we want to track
159 my $is_pvefw_chain = sub {
162 return 1 if $name =~ m/^BRIDGEFW-(:?IN|OUT)$/;
163 return 1 if $name =~ m/^proxmoxfw-\S+$/;
164 return 1 if $name =~ m/^tap\d+i\d+-(:?IN|OUT)$/;
165 return 1 if $name =~ m/^vmbr\d+-(:?IN|OUT)$/;
166 return 1 if $name =~ m/^GROUP-(:?[^\s\-]+)-(:?IN|OUT)$/;
167 return 1 if $name =~ m/^host-(:?IN|OUT)$/;
177 return if $line =~ m/^#/;
178 return if $line =~ m/^\s*$/;
180 if ($line =~ m/^\*(\S+)$/) {
185 return if $table ne 'filter';
187 if ($line =~ m/^:(\S+)\s/) {
189 return if !&$is_pvefw_chain($chain);
190 $res->{$chain} = "unknown";
191 } elsif ($line =~ m/^-A\s+(\S+)\s.*--log-prefix\s+\"PVESIG:(\S+)\"/) {
192 my ($chain, $sig) = ($1, $2);
193 return if !&$is_pvefw_chain($chain);
194 $res->{$chain} = $sig;
196 # simply ignore the rest
201 run_command
("/sbin/iptables-save", outfunc
=> $parser);
206 sub iptables_chain_exist
{
210 iptables
("-n --list $chain");
217 sub iptables_rule_exist
{
221 iptables
("-C $rule");
228 sub ruleset_generate_rule
{
229 my ($ruleset, $chain, $rule) = @_;
233 $cmd .= " -m iprange --src-range" if $rule->{nbsource
} && $rule->{nbsource
} > 1;
234 $cmd .= " -s $rule->{source}" if $rule->{source
};
235 $cmd .= " -m iprange --dst-range" if $rule->{nbdest
} && $rule->{nbdest
} > 1;
236 $cmd .= " -d $rule->{dest}" if $rule->{destination
};
237 $cmd .= " -p $rule->{proto}" if $rule->{proto
};
238 $cmd .= " --match multiport" if $rule->{nbdport
} && $rule->{nbdport
} > 1;
239 $cmd .= " --dport $rule->{dport}" if $rule->{dport
};
240 $cmd .= " --match multiport" if $rule->{nbsport
} && $rule->{nbsport
} > 1;
241 $cmd .= " --sport $rule->{sport}" if $rule->{sport
};
242 $cmd .= " -j $rule->{action}" if $rule->{action
};
244 ruleset_addrule
($ruleset, $chain, $cmd) if $cmd;
247 sub ruleset_create_chain
{
248 my ($ruleset, $chain) = @_;
250 die "chain '$chain' already exists\n" if $ruleset->{$chain};
252 $ruleset->{$chain} = [];
255 sub ruleset_chain_exist
{
256 my ($ruleset, $chain) = @_;
258 return $ruleset->{$chain} ?
1 : undef;
261 sub ruleset_addrule
{
262 my ($ruleset, $chain, $rule) = @_;
264 die "no such chain '$chain'\n" if !$ruleset->{$chain};
266 push @{$ruleset->{$chain}}, "-A $chain $rule";
269 sub ruleset_insertrule
{
270 my ($ruleset, $chain, $rule) = @_;
272 die "no such chain '$chain'\n" if !$ruleset->{$chain};
274 unshift @{$ruleset->{$chain}}, "-A $chain $rule";
277 sub generate_bridge_chains
{
278 my ($ruleset, $bridge) = @_;
280 if (!ruleset_chain_exist
($ruleset, "BRIDGEFW-IN")){
281 ruleset_create_chain
($ruleset, "BRIDGEFW-IN");
284 if (!ruleset_chain_exist
($ruleset, "BRIDGEFW-OUT")){
285 ruleset_create_chain
($ruleset, "BRIDGEFW-OUT");
288 if (!ruleset_chain_exist
($ruleset, "proxmoxfw-FORWARD")){
289 ruleset_create_chain
($ruleset, "proxmoxfw-FORWARD");
291 ruleset_addrule
($ruleset, "proxmoxfw-FORWARD", "-m state --state RELATED,ESTABLISHED -j ACCEPT");
292 ruleset_addrule
($ruleset, "proxmoxfw-FORWARD", "-m physdev --physdev-is-in --physdev-is-bridged -j BRIDGEFW-OUT");
293 ruleset_addrule
($ruleset, "proxmoxfw-FORWARD", "-m physdev --physdev-is-out --physdev-is-bridged -j BRIDGEFW-IN");
296 if (!ruleset_chain_exist
($ruleset, "$bridge-IN")) {
297 ruleset_create_chain
($ruleset, "$bridge-IN");
298 ruleset_addrule
($ruleset, "proxmoxfw-FORWARD", "-i $bridge -j DROP"); # disable interbridge routing
299 ruleset_addrule
($ruleset, "BRIDGEFW-IN", "-j $bridge-IN");
300 ruleset_addrule
($ruleset, "$bridge-IN", "-j ACCEPT");
303 if (!ruleset_chain_exist
($ruleset, "$bridge-OUT")) {
304 ruleset_create_chain
($ruleset, "$bridge-OUT");
305 ruleset_addrule
($ruleset, "proxmoxfw-FORWARD", "-o $bridge -j DROP"); # disable interbridge routing
306 ruleset_addrule
($ruleset, "BRIDGEFW-OUT", "-j $bridge-OUT");
310 sub generate_tap_rules_direction
{
311 my ($ruleset, $iface, $netid, $rules, $bridge, $direction) = @_;
313 my $tapchain = "$iface-$direction";
315 ruleset_create_chain
($ruleset, $tapchain);
317 ruleset_addrule
($ruleset, $tapchain, "-m state --state INVALID -j DROP");
318 ruleset_addrule
($ruleset, $tapchain, "-m state --state RELATED,ESTABLISHED -j ACCEPT");
321 foreach my $rule (@$rules) {
322 next if $rule->{iface
} && $rule->{iface
} ne $netid;
323 if($rule->{action
} =~ m/^(GROUP-(\S+))$/){
324 $rule->{action
} .= "-$direction";
325 # generate empty group rule if don't exist
326 if(!ruleset_chain_exist
($ruleset, $rule->{action
})){
327 generate_group_rules
($ruleset, $2);
330 # we go to vmbr-IN if accept in out rules
331 $rule->{action
} = "$bridge-IN" if $rule->{action
} eq 'ACCEPT' && $direction eq 'OUT';
332 ruleset_generate_rule
($ruleset, $tapchain, $rule);
336 ruleset_addrule
($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-dropped: \" --log-level 4");
337 ruleset_addrule
($ruleset, $tapchain, "-j DROP");
339 # plug the tap chain to bridge chain
340 my $physdevdirection = $direction eq 'IN' ?
"out" : "in";
341 my $rule = "-m physdev --physdev-$physdevdirection $iface --physdev-is-bridged -j $tapchain";
342 ruleset_insertrule
($ruleset, "$bridge-$direction", $rule);
344 if ($direction eq 'OUT'){
345 # add tap->host rules
346 my $rule = "-m physdev --physdev-$physdevdirection $iface -j $tapchain";
347 ruleset_addrule
($ruleset, "proxmoxfw-INPUT", $rule);
354 my $filename = "/etc/pve/local/host.fw";
355 my $fh = IO
::File-
>new($filename, O_RDONLY
);
358 my $rules = parse_fw_rules
($filename, $fh);
360 # host inbound firewall
361 ruleset_create_chain
($ruleset, "host-IN");
363 ruleset_addrule
($ruleset, "host-IN", "-m state --state INVALID -j DROP");
364 ruleset_addrule
($ruleset, "host-IN", "-m state --state RELATED,ESTABLISHED -j ACCEPT");
365 ruleset_addrule
($ruleset, "host-IN", "-i lo -j ACCEPT");
366 ruleset_addrule
($ruleset, "host-IN", "-m addrtype --dst-type MULTICAST -j ACCEPT");
367 ruleset_addrule
($ruleset, "host-IN", "-p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT");
368 ruleset_addrule
($ruleset, "host-IN", "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
371 foreach my $rule (@{$rules->{in}}) {
372 # we use RETURN because we need to check also tap rules
373 $rule->{action
} = 'RETURN' if $rule->{action
} eq 'ACCEPT';
374 ruleset_generate_rule
($ruleset, "host-IN", $rule);
378 ruleset_addrule
($ruleset, "host-IN", "-j LOG --log-prefix \"kvmhost-IN dropped: \" --log-level 4");
379 ruleset_addrule
($ruleset, "host-IN", "-j DROP");
381 # host outbound firewall
382 ruleset_create_chain
($ruleset, "host-OUT");
383 ruleset_addrule
($ruleset, "host-OUT", "-m state --state INVALID -j DROP");
384 ruleset_addrule
($ruleset, "host-OUT", "-m state --state RELATED,ESTABLISHED -j ACCEPT");
385 ruleset_addrule
($ruleset, "host-OUT", "-o lo -j ACCEPT");
386 ruleset_addrule
($ruleset, "host-OUT", "-m addrtype --dst-type MULTICAST -j ACCEPT");
387 ruleset_addrule
($ruleset, "host-OUT", "-p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT");
388 ruleset_addrule
($ruleset, "host-OUT", "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
391 foreach my $rule (@{$rules->{out
}}) {
392 # we use RETURN because we need to check also tap rules
393 $rule->{action
} = 'RETURN' if $rule->{action
} eq 'ACCEPT';
394 ruleset_generate_rule
($ruleset, "host-OUT", $rule);
398 ruleset_addrule
($ruleset, "host-OUT", "-j LOG --log-prefix \"kvmhost-OUT dropped: \" --log-level 4");
399 ruleset_addrule
($ruleset, "host-OUT", "-j DROP");
401 ruleset_addrule
($ruleset, "proxmoxfw-OUTPUT", "-j host-OUT");
402 ruleset_addrule
($ruleset, "proxmoxfw-INPUT", "-j host-IN");
405 sub generate_group_rules
{
406 my ($ruleset, $group) = @_;
408 my $filename = "/etc/pve/firewall/groups.fw";
409 my $fh = IO
::File-
>new($filename, O_RDONLY
);
412 my $rules = parse_fw_rules
($filename, $fh, $group);
414 my $chain = "GROUP-${group}-IN";
416 ruleset_create_chain
($ruleset, $chain);
419 foreach my $rule (@{$rules->{in}}) {
420 ruleset_generate_rule
($ruleset, $chain, $rule);
424 $chain = "GROUP-${group}-OUT";
426 ruleset_create_chain
($ruleset, $chain);
429 foreach my $rule (@{$rules->{out
}}) {
430 # we go the BRIDGEFW-IN because we need to check also other tap rules
431 # (and group rules can be set on any bridge, so we can't go to VMBRXX-IN)
432 $rule->{action
} = 'BRIDGEFW-IN' if $rule->{action
} eq 'ACCEPT';
433 ruleset_generate_rule
($rule, $chain, $rule);
439 my ($filename, $fh, $group) = @_;
443 my $securitygroupexist;
445 my $res = { in => [], out
=> [] };
447 my $macros = get_firewall_macros
();
448 my $protocols = get_etc_protocols
();
450 while (defined(my $line = <$fh>)) {
451 next if $line =~ m/^#/;
452 next if $line =~ m/^\s*$/;
454 if ($line =~ m/^\[(in|out)(:(\S+))?\]\s*$/i) {
456 $securitygroup = lc($3) if $3;
457 $securitygroupexist = 1 if $securitygroup && $securitygroup eq $group;
461 next if $group && $securitygroup ne $group;
463 my ($action, $iface, $source, $dest, $proto, $dport, $sport) =
467 warn "skip incomplete line\n";
472 if ($action =~ m/^(ACCEPT|DROP|REJECT|GROUP-(\S+))$/) {
474 } elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) {
475 ($service, $action) = ($1, $2);
476 if (!$macros->{$service}) {
477 warn "unknown service '$service'\n";
481 warn "unknown action '$action'\n";
485 $iface = undef if $iface && $iface eq '-';
486 if ($iface && $iface !~ m/^(net0|net1|net2|net3|net4|net5)$/) {
487 warn "unknown interface '$iface'\n";
491 $proto = undef if $proto && $proto eq '-';
492 if ($proto && !(defined($protocols->{byname
}->{$proto}) ||
493 defined($protocols->{byid
}->{$proto}))) {
494 warn "unknown protokol '$proto'\n";
498 $source = undef if $source && $source eq '-';
499 $dest = undef if $dest && $dest eq '-';
501 $dport = undef if $dport && $dport eq '-';
502 $sport = undef if $sport && $sport eq '-';
505 my $nbsource = undef;
509 $nbsource = parse_address_list
($source) if $source;
510 $nbdest = parse_address_list
($dest) if $dest;
511 $nbdport = parse_port_name_number_or_range
($dport) if $dport;
512 $nbsport = parse_port_name_number_or_range
($sport) if $sport;
527 nbsource
=> $nbsource,
537 push @{$res->{$section}}, $rule;
540 die "security group $group don't exist" if $group && !$securitygroupexist;
545 my ($code, @param) = @_;
549 my $res = lock_file
($pve_fw_lock_filename, $timeout, $code, @param);
556 sub read_local_vm_config
{
562 my $list = PVE
::QemuServer
::config_list
();
564 foreach my $vmid (keys %$list) {
565 my $cfspath = PVE
::QemuServer
::cfs_config_path
($vmid);
566 if (my $conf = PVE
::Cluster
::cfs_read_file
($cfspath)) {
567 $qemu->{$vmid} = $conf;
571 my $vmdata = { openvz
=> $openvz, qemu
=> $qemu };
576 sub read_vm_firewall_rules
{
579 foreach my $vmid (keys %{$vmdata->{qemu
}}, keys %{$vmdata->{openvz
}}) {
580 my $filename = "/etc/pve/firewall/$vmid.fw";
581 my $fh = IO
::File-
>new($filename, O_RDONLY
);
584 $rules->{$vmid} = parse_fw_rules
($filename, $fh);
591 my $vmdata = read_local_vm_config
();
592 my $rules = read_vm_firewall_rules
($vmdata);
594 #print Dumper($rules);
598 # setup host firewall rules
599 ruleset_create_chain
($ruleset, "proxmoxfw-INPUT");
600 ruleset_create_chain
($ruleset, "proxmoxfw-OUTPUT");
602 enablehostfw
($ruleset);
604 # generate firewall rules for QEMU VMs
605 foreach my $vmid (keys %{$vmdata->{qemu
}}) {
606 my $conf = $vmdata->{qemu
}->{$vmid};
607 next if !$rules->{$vmid};
609 foreach my $netid (keys %$conf) {
610 next if $netid !~ m/^net(\d+)$/;
611 my $net = PVE
::QemuServer
::parse_net
($conf->{$netid});
613 my $iface = "tap${vmid}i$1";
615 my $bridge = $net->{bridge
};
616 next if !$bridge; # fixme: ?
618 $bridge .= "v$net->{tag}" if $net->{tag
};
620 generate_bridge_chains
($ruleset, $bridge);
622 generate_tap_rules_direction
($ruleset, $iface, $netid, $rules->{$vmid}->{in}, $bridge, 'IN');
623 generate_tap_rules_direction
($ruleset, $iface, $netid, $rules->{$vmid}->{out
}, $bridge, 'OUT');
629 sub get_ruleset_status
{
630 my ($ruleset, $verbose) = @_;
632 my $active_chains = iptables_get_chains
();
636 foreach my $chain (sort keys %$ruleset) {
637 my $digest = Digest
::MD5-
>new();
638 foreach my $cmd (@{$ruleset->{$chain}}) {
639 $digest->add("$cmd\n");
641 my $sig = $digest->b64digest;
642 $statushash->{$chain}->{sig
} = $sig;
644 my $oldsig = $active_chains->{$chain};
645 if (!defined($oldsig)) {
646 $statushash->{$chain}->{action
} = 'create';
648 if ($oldsig eq $sig) {
649 $statushash->{$chain}->{action
} = 'exists';
651 $statushash->{$chain}->{action
} = 'update';
654 print "$statushash->{$chain}->{action} $chain ($sig)\n" if $verbose;
655 foreach my $cmd (@{$ruleset->{$chain}}) {
656 print "\t$cmd\n" if $verbose;
660 foreach my $chain (sort keys %$active_chains) {
661 if (!defined($ruleset->{$chain})) {
662 my $sig = $active_chains->{$chain};
663 $statushash->{$chain}->{action
} = 'delete';
664 $statushash->{$chain}->{sig
} = $sig;
665 print "delete $chain ($sig)\n" if $verbose;
675 get_ruleset_status
($ruleset, 1);
679 my ($chain, $sig) = @_;
681 # Note: This rule should never match! We just use this hack to store a SHA1 checksum
682 # used to detect changes
683 return "-A $chain -j LOG --log-prefix \"PVESIG:$sig\" -p tcp
-s
\"127.128.129.130\" --dport
1\n";
686 sub compile_and_start {
689 my $ruleset = compile();
691 my $cmdlist = "*filter
\n"; # we pass this to iptables-restore;
693 my $statushash = get_ruleset_status($ruleset, $verbose);
695 # create missing chains first
696 foreach my $chain (sort keys %$ruleset) {
697 my $stat = $statushash->{$chain};
698 die "internal error
" if !$stat;
699 next if $stat->{action} ne 'create';
701 $cmdlist .= ":$chain - [0:0]\n";
704 my $rule = "INPUT
-j proxmoxfw-INPUT
";
705 if (!PVE::Firewall::iptables_rule_exist($rule)) {
706 $cmdlist .= "-A
$rule\n";
708 $rule = "OUTPUT
-j proxmoxfw-OUTPUT
";
709 if (!PVE::Firewall::iptables_rule_exist($rule)) {
710 $cmdlist .= "-A
$rule\n";
713 $rule = "FORWARD
-j proxmoxfw-FORWARD
";
714 if (!PVE::Firewall::iptables_rule_exist($rule)) {
715 $cmdlist .= "-A
$rule\n";
718 foreach my $chain (sort keys %$ruleset) {
719 my $stat = $statushash->{$chain};
720 die "internal error
" if !$stat;
722 if ($stat->{action} eq 'update' || $stat->{action} eq 'create') {
723 $cmdlist .= "-F
$chain\n";
724 foreach my $cmd (@{$ruleset->{$chain}}) {
725 $cmdlist .= "$cmd\n";
727 $cmdlist .= print_sig_rule($chain, $stat->{sig});
728 } elsif ($stat->{action} eq 'delete') {
729 $cmdlist .= "-F
$chain\n";
730 $cmdlist .= "-X
$chain\n";
731 } elsif ($stat->{action} eq 'exists') {
734 die "internal error
- unknown status
'$stat->{action}'";
738 $cmdlist .= "COMMIT
\n";
740 print $cmdlist if $verbose;
742 iptables_restore_cmdlist($cmdlist);
744 # test: re-read status and check if everything is up to date
745 $statushash = get_ruleset_status($ruleset);
748 foreach my $chain (sort keys %$ruleset) {
749 my $stat = $statushash->{$chain};
750 if ($stat->{action} ne 'exists') {
751 warn "unable to update chain
'$chain'\n";
756 die "unable to apply firewall changes
\n" if $errors;