git.proxmox.com Git - pve-firewall.git/blob - PVE/Firewall.pm
cf53afc1cace24113e6638263bf789346e3b1d6b
9 # we need complete VM configuration of all VMs (openvz/qemu)
13 my ($targetdir, $vmdata) = @_;
18 fw
=> { type
=> 'firewall' },
21 my $register_bridge = sub {
24 my $zone = 'z' . $bridge;
26 return $zone if $zoneinfo->{$zone};
28 $zoneinfo->{$zone} = {
36 foreach my $vmid (keys %{$vmdata->{qemu
}}) {
37 $netinfo->{$vmid} = {};
38 my $conf = $vmdata->{qemu
}->{$vmid};
39 foreach my $opt (keys %$conf) {
40 next if $opt !~ m/^net(\d+)$/;
42 my $net = PVE
::QemuServer
::parse_net
($conf->{$opt});
44 die "implement me" if !$net->{bridge
};
45 my $bridge = $net->{bridge
};
46 my $bridge_zone = &$register_bridge($bridge);
47 if (defined($net->{tag
})) {
48 $bridge = $bridge .= "v$net->{tag}";
49 $bridge_zone = &$register_bridge($bridge);
52 my $vmzone = $conf->{zone
} || "vm$vmid";
53 my $zone = "$bridge_zone$vmzone";
55 $zoneinfo->{$zone}->{type
} = 'bport';
56 $zoneinfo->{$zone}->{bridge_zone
} = $bridge_zone;
57 $zoneinfo->{$zone}->{ifaces
}->{"tap${vmid}i${netid}"} = 1;
58 $netinfo->{$vmid}->{$netid} = $net;
62 #print Dumper($netinfo);
64 # NOTE: zone names have a length limit, so we need to
65 # translate them into shorter names ('z' plus a running counter)
68 my $zonemap = { fw
=> 'fw' };
70 my $lookup_zonename = sub {
73 return $zonemap->{$zone} if defined($zonemap->{$zone});
74 $zonemap->{$zone} = 'z' . $zoneid++;
76 return $zonemap->{$zone};
83 my $format = "%-15s %-10s %s\n";
84 $out = sprintf($format, '#ZONE', 'TYPE', 'OPTIONS');
86 foreach my $z (sort keys %$zoneinfo) {
87 my $zid = &$lookup_zonename($z);
88 if ($zoneinfo->{$z}->{type
} eq 'firewall') {
89 $out .= sprintf($format, $zid, $zoneinfo->{$z}->{type
}, '');
90 } elsif ($zoneinfo->{$z}->{type
} eq 'bridge') {
91 $out .= sprintf($format, &$lookup_zonename($z), 'ipv4', '');
92 } elsif ($zoneinfo->{$z}->{type
} eq 'bport') {
93 my $bridge_zone = $zoneinfo->{$z}->{bridge_zone
} || die "internal error";
94 my $bzid = &$lookup_zonename($bridge_zone);
95 $out .= sprintf($format, "$zid:$bzid", 'bport', '');
101 $out .= sprintf("#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE\n");
103 PVE
::Tools
::file_set_contents
("$targetdir/zones", $out);
107 $format = "%-15s %-20s %-10s %s\n";
108 $out = sprintf($format, '#ZONE', 'INTERFACE', 'BROADCAST', 'OPTIONS');
110 foreach my $z (sort keys %$zoneinfo) {
111 my $zid = &$lookup_zonename($z);
112 if ($zoneinfo->{$z}->{type
} eq 'firewall') {
114 } elsif ($zoneinfo->{$z}->{type
} eq 'bridge') {
115 my $bridge = $zoneinfo->{$z}->{bridge
} || die "internal error";
116 $out .= sprintf($format, $zid, $bridge, 'detect', 'bridge');
118 } elsif ($zoneinfo->{$z}->{type
} eq 'bport') {
119 my $ifaces = $zoneinfo->{$z}->{ifaces
};
120 foreach my $iface (sort keys %$ifaces) {
121 my $bridge_zone = $zoneinfo->{$z}->{bridge_zone
} || die "internal error";
122 my $bridge = $zoneinfo->{$bridge_zone}->{bridge
} || die "internal error";
123 my $iftxt = "$bridge:$iface";
124 $out .= sprintf($format, $zid, $iftxt, '', '');
127 die "internal error";
131 $out .= sprintf("#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE\n");
133 PVE
::Tools
::file_set_contents
("$targetdir/interfaces", $out);
137 $format = "%-15s %-15s %-15s %s\n";
138 $out = sprintf($format, '#SOURCE', 'DEST', 'POLICY', 'LOG');
139 $out .= sprintf($format, 'all', 'all', 'REJECT', 'info');
141 PVE
::Tools
::file_set_contents
("$targetdir/policy", $out);