12 use PVE
::Tools
qw(run_command lock_file);
16 my $pve_fw_lock_filename = "/var/lock/pvefw.lck";
18 # todo: define more MACROS
19 # imported/converted from: /usr/share/shorewall/macro.*
22 { action
=> 'PARAM', proto
=> 'udp', dport
=> '10080' },
23 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '10080' },
26 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '113' },
29 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '179' },
32 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '6881:6889' },
33 { action
=> 'PARAM', proto
=> 'udp', dport
=> '6881' },
36 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '6881:6999' },
37 { action
=> 'PARAM', proto
=> 'udp', dport
=> '6881' },
40 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '2401' },
43 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '1494' },
44 { action
=> 'PARAM', proto
=> 'udp', dport
=> '1604' },
45 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '2598' },
48 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '3689' },
49 { action
=> 'PARAM', proto
=> 'udp', dport
=> '3689' },
52 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '6277' },
55 { action
=> 'PARAM', proto
=> 'udp', dport
=> '67:68', sport
=> '67:68' },
56 { action
=> 'PARAM', source
=> 'DEST', dest
=> 'SOURCE', proto
=> 'udp', dport
=> '67:68', sport
=> '67:68' },
59 { action
=> 'PARAM', proto
=> 'udp', dport
=> '53' },
60 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '53' },
63 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '3632' },
66 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '4662' },
67 { action
=> 'PARAM', proto
=> 'udp', dport
=> '4665' },
70 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '21' },
73 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '79' },
76 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '2086' },
77 { action
=> 'PARAM', proto
=> 'udp', dport
=> '2086' },
78 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '1080' },
79 { action
=> 'PARAM', proto
=> 'udp', dport
=> '1080' },
82 { action
=> 'PARAM', proto
=> '47' },
83 { action
=> 'PARAM', source
=> 'DEST', dest
=> 'SOURCE', proto
=> '47' },
86 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '9418' },
89 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '6346' },
90 { action
=> 'PARAM', proto
=> 'udp', dport
=> '6346' },
93 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '11371' },
96 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '80' },
99 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '443' },
102 { action
=> 'PARAM', proto
=> 'udp', dport
=> '3130' },
105 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '5190' },
108 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '143' },
111 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '993' },
114 { action
=> 'PARAM', proto
=> '94' },
115 { action
=> 'PARAM', source
=> 'DEST', dest
=> 'SOURCE', proto
=> '94' },
118 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '631' },
121 { action
=> 'PARAM', proto
=> 'udp', dport
=> '631' },
124 { action
=> 'PARAM', source
=> 'SOURCE', dest
=> 'DEST', proto
=> 'tcp', dport
=> '631' },
125 { action
=> 'PARAM', source
=> 'DEST', dest
=> 'SOURCE', proto
=> 'udp', dport
=> '631' },
128 { action
=> 'PARAM', proto
=> 'udp', dport
=> '500', sport
=> '500' },
129 { action
=> 'PARAM', proto
=> '50' },
130 { action
=> 'PARAM', source
=> 'DEST', dest
=> 'SOURCE', proto
=> 'udp', dport
=> '500', sport
=> '500' },
131 { action
=> 'PARAM', source
=> 'DEST', dest
=> 'SOURCE', proto
=> '50' },
134 { action
=> 'PARAM', proto
=> 'udp', dport
=> '500', sport
=> '500' },
135 { action
=> 'PARAM', proto
=> '51' },
136 { action
=> 'PARAM', source
=> 'DEST', dest
=> 'SOURCE', proto
=> 'udp', dport
=> '500', sport
=> '500' },
137 { action
=> 'PARAM', source
=> 'DEST', dest
=> 'SOURCE', proto
=> '51' },
140 { action
=> 'PARAM', proto
=> 'udp', dport
=> '500' },
141 { action
=> 'PARAM', proto
=> 'udp', dport
=> '4500' },
142 { action
=> 'PARAM', proto
=> '50' },
143 { action
=> 'PARAM', source
=> 'DEST', dest
=> 'SOURCE', proto
=> 'udp', dport
=> '500' },
144 { action
=> 'PARAM', source
=> 'DEST', dest
=> 'SOURCE', proto
=> 'udp', dport
=> '4500' },
145 { action
=> 'PARAM', source
=> 'DEST', dest
=> 'SOURCE', proto
=> '50' },
148 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '6667' },
151 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '5222' },
154 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '5223' },
157 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '5269' },
160 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '9100' },
163 { action
=> 'PARAM', proto
=> 'udp', dport
=> '1701' },
164 { action
=> 'PARAM', source
=> 'DEST', dest
=> 'SOURCE', proto
=> 'udp', dport
=> '1701' },
167 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '389' },
170 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '636' },
173 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '1863' },
176 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '1433' },
179 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '25' },
180 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '465' },
181 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '587' },
184 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '4949' },
187 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '3306' },
190 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '119' },
193 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '563' },
196 { action
=> 'PARAM', proto
=> 'udp', dport
=> '123' },
199 { action
=> 'PARAM', proto
=> 'udp', dport
=> '123' },
200 { action
=> 'PARAM', source
=> 'DEST', dest
=> 'SOURCE', proto
=> 'udp', dport
=> '123' },
203 { action
=> 'PARAM', proto
=> 'udp', dport
=> '123' },
204 { action
=> 'PARAM', proto
=> 'udp', dport
=> '1024:65535', sport
=> '123' },
207 { action
=> 'PARAM', proto
=> '89' },
210 { action
=> 'PARAM', proto
=> 'udp', dport
=> '1194' },
213 { action
=> 'PARAM', proto
=> 'udp', dport
=> '5632' },
214 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '5631' },
217 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '110' },
220 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '995' },
223 { action
=> 'PARAM', proto
=> '47' },
224 { action
=> 'PARAM', source
=> 'DEST', dest
=> 'SOURCE', proto
=> '47' },
225 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '1723' },
228 { action
=> 'PARAM', proto
=> 'icmp', dport
=> '8' },
231 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '5432' },
234 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '515' },
237 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '3389' },
240 { action
=> 'PARAM', proto
=> 'udp', dport
=> '520' },
241 { action
=> 'PARAM', source
=> 'DEST', dest
=> 'SOURCE', proto
=> 'udp', dport
=> '520' },
244 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '953' },
247 { action
=> 'ACCEPT', proto
=> 'tcp', dport
=> '2703' },
250 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '37' },
253 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '873' },
256 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '6566' },
259 { action
=> 'PARAM', proto
=> 'udp', dport
=> '135,445' },
260 { action
=> 'PARAM', proto
=> 'udp', dport
=> '137:139' },
261 { action
=> 'PARAM', proto
=> 'udp', dport
=> '1024:65535', sport
=> '137' },
262 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '135,139,445' },
265 { action
=> 'PARAM', proto
=> 'udp', dport
=> '135,445' },
266 { action
=> 'PARAM', proto
=> 'udp', dport
=> '137:139' },
267 { action
=> 'PARAM', proto
=> 'udp', dport
=> '1024:65535', sport
=> '137' },
268 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '135,139,445' },
269 { action
=> 'PARAM', source
=> 'DEST', dest
=> 'SOURCE', proto
=> 'udp', dport
=> '135,445' },
270 { action
=> 'PARAM', source
=> 'DEST', dest
=> 'SOURCE', proto
=> 'udp', dport
=> '137:139' },
271 { action
=> 'PARAM', source
=> 'DEST', dest
=> 'SOURCE', proto
=> 'udp', dport
=> '1024:65535', sport
=> '137' },
272 { action
=> 'PARAM', source
=> 'DEST', dest
=> 'SOURCE', proto
=> 'tcp', dport
=> '135,139,445' },
275 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '901' },
278 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '25' },
281 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '465' },
284 { action
=> 'PARAM', proto
=> 'udp', dport
=> '161:162' },
285 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '161' },
288 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '783' },
291 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '22' },
294 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '3690' },
297 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '3874' },
298 { action
=> 'PARAM', proto
=> 'udp', dport
=> '3740' },
299 { action
=> 'PARAM', proto
=> '41' },
300 { action
=> 'PARAM', proto
=> 'udp', dport
=> '5072,8374' },
303 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '3128' },
306 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '587' },
309 { action
=> 'PARAM', proto
=> 'udp', dport
=> '514' },
310 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '514' },
313 { action
=> 'PARAM', proto
=> 'udp', dport
=> '69' },
316 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '23' },
319 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '992' },
322 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '37' },
325 { action
=> 'PARAM', proto
=> 'udp', dport
=> '33434:33524' },
326 { action
=> 'PARAM', proto
=> 'icmp', dport
=> '8' },
329 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '5900:5909' },
332 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '5500' },
335 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '80' },
336 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '443' },
339 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '8080' },
342 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '10000' },
345 { action
=> 'PARAM', proto
=> 'tcp', dport
=> '43' },
349 my $pve_fw_parsed_macros;
350 my $pve_fw_preferred_macro_names = {};
352 sub get_firewall_macros
{
354 return $pve_fw_parsed_macros if $pve_fw_parsed_macros;
356 $pve_fw_parsed_macros = {};
358 foreach my $k (keys %$pve_fw_macros) {
361 my $macro = $pve_fw_macros->{$k};
362 $pve_fw_preferred_macro_names->{$name} = $k;
363 $pve_fw_parsed_macros->{$name} = $macro;
366 return $pve_fw_parsed_macros;
371 sub get_etc_services
{
373 return $etc_services if $etc_services;
375 my $filename = "/etc/services";
377 my $fh = IO
::File-
>new($filename, O_RDONLY
);
379 warn "unable to read '$filename' - $!\n";
385 while (my $line = <$fh>) {
387 next if $line =~m/^#/;
388 next if ($line =~m/^\s*$/);
390 if ($line =~ m!^(\S+)\s+(\S+)/(tcp|udp).*$!) {
391 $services->{byid
}->{$2}->{name
} = $1;
392 $services->{byid
}->{$2}->{port
} = $2;
393 $services->{byid
}->{$2}->{$3} = 1;
394 $services->{byname
}->{$1} = $services->{byid
}->{$2};
400 $etc_services = $services;
403 return $etc_services;
408 sub get_etc_protocols
{
409 return $etc_protocols if $etc_protocols;
411 my $filename = "/etc/protocols";
413 my $fh = IO
::File-
>new($filename, O_RDONLY
);
415 warn "unable to read '$filename' - $!\n";
421 while (my $line = <$fh>) {
423 next if $line =~m/^#/;
424 next if ($line =~m/^\s*$/);
426 if ($line =~ m!^(\S+)\s+(\d+)\s+.*$!) {
427 $protocols->{byid
}->{$2}->{name
} = $1;
428 $protocols->{byname
}->{$1} = $protocols->{byid
}->{$2};
434 $etc_protocols = $protocols;
436 return $etc_protocols;
439 sub parse_address_list
{
443 foreach my $aor (split(/,/, $str)) {
444 if (!Net
::IP-
>new($aor)) {
445 my $err = Net
::IP
::Error
();
446 die "invalid IP address: $err\n";
454 sub parse_port_name_number_or_range
{
457 my $services = PVE
::Firewall
::get_etc_services
();
459 foreach my $item (split(/,/, $str)) {
462 foreach my $pon (split(':', $item, 2)) {
463 $pon = $services->{byname
}->{$pon}->{port
} if $services->{byname
}->{$pon}->{port
};
464 if ($pon =~ m/^\d+$/){
465 die "invalid port '$pon'\n" if $pon < 0 && $pon > 65535;
466 die "port '$pon' must be bigger than port '$oldpon' \n" if $oldpon && ($pon < $oldpon);
469 die "invalid port $services->{byname}->{$pon}\n" if !$services->{byname
}->{$pon};
478 my $bridge_firewall_enabled = 0;
480 sub enable_bridge_firewall
{
482 return if $bridge_firewall_enabled; # only once
484 system("echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables");
485 system("echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables");
487 $bridge_firewall_enabled = 1;
490 my $rule_format = "%-15s %-30s %-30s %-15s %-15s %-15s\n";
495 run_command
("/sbin/iptables $cmd", outfunc
=> sub {}, errfunc
=> sub {});
498 sub iptables_restore_cmdlist
{
501 run_command
("/sbin/iptables-restore -n", input
=> $cmdlist);
504 sub iptables_get_chains
{
508 # check what chains we want to track
509 my $is_pvefw_chain = sub {
512 return 1 if $name =~ m/^PVEFW-\S+$/;
514 return 1 if $name =~ m/^tap\d+i\d+-(:?IN|OUT)$/;
515 return 1 if $name =~ m/^vmbr\d+-(:?IN|OUT)$/;
516 return 1 if $name =~ m/^GROUP-(:?[^\s\-]+)-(:?IN|OUT)$/;
526 return if $line =~ m/^#/;
527 return if $line =~ m/^\s*$/;
529 if ($line =~ m/^\*(\S+)$/) {
534 return if $table ne 'filter';
536 if ($line =~ m/^:(\S+)\s/) {
538 return if !&$is_pvefw_chain($chain);
539 $res->{$chain} = "unknown";
540 } elsif ($line =~ m/^-A\s+(\S+)\s.*--comment\s+\"PVESIG:(\S+)\"/) {
541 my ($chain, $sig) = ($1, $2);
542 return if !&$is_pvefw_chain($chain);
543 $res->{$chain} = $sig;
545 # simply ignore the rest
550 run_command
("/sbin/iptables-save", outfunc
=> $parser);
555 sub iptables_chain_exist
{
559 iptables
("-n --list $chain");
566 sub iptables_rule_exist
{
570 iptables
("-C $rule");
577 sub ruleset_generate_rule
{
578 my ($ruleset, $chain, $rule, $goto) = @_;
582 $cmd .= " -m iprange --src-range" if $rule->{nbsource
} && $rule->{nbsource
} > 1;
583 $cmd .= " -s $rule->{source}" if $rule->{source
};
584 $cmd .= " -m iprange --dst-range" if $rule->{nbdest
} && $rule->{nbdest
} > 1;
585 $cmd .= " -d $rule->{dest}" if $rule->{dest
};
586 $cmd .= " -p $rule->{proto}" if $rule->{proto
};
587 $cmd .= " --match multiport" if $rule->{nbdport
} && $rule->{nbdport
} > 1;
588 $cmd .= " --dport $rule->{dport}" if $rule->{dport
};
589 $cmd .= " --match multiport" if $rule->{nbsport
} && $rule->{nbsport
} > 1;
590 $cmd .= " --sport $rule->{sport}" if $rule->{sport
};
592 if (my $action = $rule->{action
}) {
593 $goto = 1 if !defined($goto) && $action eq 'PVEFW-SET-ACCEPT-MARK';
594 $cmd .= $goto ?
" -g $action" : " -j $action";
597 ruleset_addrule
($ruleset, $chain, $cmd) if $cmd;
600 sub ruleset_create_chain
{
601 my ($ruleset, $chain) = @_;
603 die "Invalid chain name '$chain' (28 char max)\n" if length($chain) > 28;
605 die "chain '$chain' already exists\n" if $ruleset->{$chain};
607 $ruleset->{$chain} = [];
610 sub ruleset_chain_exist
{
611 my ($ruleset, $chain) = @_;
613 return $ruleset->{$chain} ?
1 : undef;
616 sub ruleset_addrule
{
617 my ($ruleset, $chain, $rule) = @_;
619 die "no such chain '$chain'\n" if !$ruleset->{$chain};
621 push @{$ruleset->{$chain}}, "-A $chain $rule";
624 sub ruleset_insertrule
{
625 my ($ruleset, $chain, $rule) = @_;
627 die "no such chain '$chain'\n" if !$ruleset->{$chain};
629 unshift @{$ruleset->{$chain}}, "-A $chain $rule";
632 sub generate_bridge_chains
{
633 my ($ruleset, $bridge) = @_;
635 if (!ruleset_chain_exist
($ruleset, "PVEFW-BRIDGE-IN")){
636 ruleset_create_chain
($ruleset, "PVEFW-BRIDGE-IN");
639 if (!ruleset_chain_exist
($ruleset, "PVEFW-BRIDGE-OUT")){
640 ruleset_create_chain
($ruleset, "PVEFW-BRIDGE-OUT");
643 if (!ruleset_chain_exist
($ruleset, "PVEFW-FORWARD")){
644 ruleset_create_chain
($ruleset, "PVEFW-FORWARD");
646 ruleset_addrule
($ruleset, "PVEFW-FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
647 ruleset_addrule
($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-in --physdev-is-bridged -j PVEFW-BRIDGE-OUT");
648 ruleset_addrule
($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-out --physdev-is-bridged -j PVEFW-BRIDGE-IN");
651 if (!ruleset_chain_exist
($ruleset, "$bridge-IN")) {
652 ruleset_create_chain
($ruleset, "$bridge-IN");
653 ruleset_addrule
($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); # disable interbridge routing
654 ruleset_addrule
($ruleset, "PVEFW-BRIDGE-IN", "-j $bridge-IN");
655 ruleset_addrule
($ruleset, "$bridge-IN", "-j ACCEPT");
658 if (!ruleset_chain_exist
($ruleset, "$bridge-OUT")) {
659 ruleset_create_chain
($ruleset, "$bridge-OUT");
660 ruleset_addrule
($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP"); # disable interbridge routing
661 ruleset_addrule
($ruleset, "PVEFW-BRIDGE-OUT", "-j $bridge-OUT");
665 sub generate_tap_rules_direction
{
666 my ($ruleset, $group_rules, $iface, $netid, $macaddr, $rules, $bridge, $direction) = @_;
668 my $tapchain = "$iface-$direction";
670 ruleset_create_chain
($ruleset, $tapchain);
672 ruleset_addrule
($ruleset, $tapchain, "-m conntrack --ctstate INVALID -j DROP");
673 ruleset_addrule
($ruleset, $tapchain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
675 if ($direction eq 'OUT' && defined($macaddr)) {
676 ruleset_addrule
($ruleset, $tapchain, "-m mac ! --mac-source $macaddr -j DROP");
680 foreach my $rule (@$rules) {
681 next if $rule->{iface
} && $rule->{iface
} ne $netid;
682 # we go to $bridge-IN if accept in out rules
683 if($rule->{action
} =~ m/^(GROUP-(\S+))$/){
684 $rule->{action
} .= "-$direction";
685 # generate empty group rule if don't exist
686 if(!ruleset_chain_exist
($ruleset, $rule->{action
})){
687 generate_group_rules
($ruleset, $group_rules, $2);
689 ruleset_generate_rule
($ruleset, $tapchain, $rule);
690 ruleset_addrule
($ruleset, $tapchain, "-m mark --mark 1 -g $bridge-IN")
691 if $direction eq 'OUT';
693 $rule->{action
} = "$bridge-IN" if $rule->{action
} eq 'ACCEPT' && $direction eq 'OUT';
694 ruleset_generate_rule
($ruleset, $tapchain, $rule);
699 ruleset_addrule
($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-dropped: \" --log-level 4");
700 ruleset_addrule
($ruleset, $tapchain, "-j DROP");
702 # plug the tap chain to bridge chain
703 my $physdevdirection = $direction eq 'IN' ?
"out" : "in";
704 my $rule = "-m physdev --physdev-$physdevdirection $iface --physdev-is-bridged -j $tapchain";
705 ruleset_insertrule
($ruleset, "$bridge-$direction", $rule);
707 if ($direction eq 'OUT'){
708 # add tap->host rules
709 my $rule = "-m physdev --physdev-$physdevdirection $iface -j $tapchain";
710 ruleset_addrule
($ruleset, "PVEFW-INPUT", $rule);
715 my ($ruleset, $rules, $group_rules) = @_;
717 # fixme: allow security groups
719 # host inbound firewall
720 my $chain = "PVEFW-HOST-IN";
721 ruleset_create_chain
($ruleset, $chain);
723 ruleset_addrule
($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP");
724 ruleset_addrule
($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
725 ruleset_addrule
($ruleset, $chain, "-i lo -j ACCEPT");
726 ruleset_addrule
($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
727 ruleset_addrule
($ruleset, $chain, "-p udp -m conntrack --ctstate NEW -m multiport --dports 5404,5405 -j ACCEPT");
728 ruleset_addrule
($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
731 foreach my $rule (@{$rules->{in}}) {
732 # we use RETURN because we need to check also tap rules
733 $rule->{action
} = 'RETURN' if $rule->{action
} eq 'ACCEPT';
734 ruleset_generate_rule
($ruleset, $chain, $rule);
738 ruleset_addrule
($ruleset, $chain, "-j LOG --log-prefix \"kvmhost-IN dropped: \" --log-level 4");
739 ruleset_addrule
($ruleset, $chain, "-j DROP");
741 # host outbound firewall
742 $chain = "PVEFW-HOST-OUT";
743 ruleset_create_chain
($ruleset, $chain);
745 ruleset_addrule
($ruleset, $chain, "-m conntrack --ctstate INVALID -j DROP");
746 ruleset_addrule
($ruleset, $chain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT");
747 ruleset_addrule
($ruleset, $chain, "-o lo -j ACCEPT");
748 ruleset_addrule
($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
749 ruleset_addrule
($ruleset, $chain, "-p udp -m conntrack --ctstate NEW -m multiport --dports 5404,5405 -j ACCEPT");
750 ruleset_addrule
($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
753 foreach my $rule (@{$rules->{out
}}) {
754 # we use RETURN because we need to check also tap rules
755 $rule->{action
} = 'RETURN' if $rule->{action
} eq 'ACCEPT';
756 ruleset_generate_rule
($ruleset, $chain, $rule);
760 ruleset_addrule
($ruleset, $chain, "-j LOG --log-prefix \"kvmhost-OUT dropped: \" --log-level 4");
761 ruleset_addrule
($ruleset, $chain, "-j DROP");
763 ruleset_addrule
($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT");
764 ruleset_addrule
($ruleset, "PVEFW-INPUT", "-j PVEFW-HOST-IN");
767 sub generate_group_rules
{
768 my ($ruleset, $group_rules, $group) = @_;
770 my $rules = $group_rules->{$group};
772 die "no such security group '$group'\n" if !$rules;
774 my $chain = "GROUP-${group}-IN";
776 ruleset_create_chain
($ruleset, $chain);
779 foreach my $rule (@{$rules->{in}}) {
780 ruleset_generate_rule
($ruleset, $chain, $rule);
784 $chain = "GROUP-${group}-OUT";
786 ruleset_create_chain
($ruleset, $chain);
787 ruleset_addrule
($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark
790 foreach my $rule (@{$rules->{out
}}) {
791 # we go the PVEFW-SET-ACCEPT-MARK Instead of ACCEPT) because we need to
792 # check also other tap rules (and group rules can be set on any bridge,
793 # so we can't go to VMBRXX-IN)
794 $rule->{action
} = 'PVEFW-SET-ACCEPT-MARK' if $rule->{action
} eq 'ACCEPT';
795 ruleset_generate_rule
($ruleset, $chain, $rule);
801 my $valid_netdev_names = {};
802 for (my $i = 0; $i < $MAX_NETS; $i++) {
803 $valid_netdev_names->{"net$i"} = 1;
807 my ($line, $need_iface, $allow_groups) = @_;
809 my $macros = get_firewall_macros
();
810 my $protocols = get_etc_protocols
();
812 my ($action, $iface, $source, $dest, $proto, $dport, $sport);
816 my @data = split(/\s+/, $line);
817 my $expected_elements = $need_iface ?
7 : 6;
819 die "wrong number of rule elements\n" if scalar(@data) > $expected_elements;
822 ($action, $iface, $source, $dest, $proto, $dport, $sport) = @data
824 ($action, $source, $dest, $proto, $dport, $sport) = @data;
827 die "incomplete rule\n" if !$action;
832 if ($action =~ m/^(ACCEPT|DROP|REJECT)$/) {
834 } elsif ($allow_groups && $action =~ m/^GROUP-(:?\S+)$/) {
836 } elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) {
837 ($macro_name, $action) = ($1, $2);
838 my $lc_macro_name = lc($macro_name);
839 my $preferred_name = $pve_fw_preferred_macro_names->{$lc_macro_name};
840 $macro_name = $preferred_name if $preferred_name;
841 $macro = $macros->{$lc_macro_name};
842 die "unknown macro '$macro_name'\n" if !$macro;
844 die "unknown action '$action'\n";
848 $iface = undef if $iface && $iface eq '-';
849 die "unknown interface '$iface'\n"
850 if defined($iface) && !$valid_netdev_names->{$iface};
853 $proto = undef if $proto && $proto eq '-';
854 die "unknown protokol '$proto'\n" if $proto &&
855 !(defined($protocols->{byname
}->{$proto}) ||
856 defined($protocols->{byid
}->{$proto}));
858 $source = undef if $source && $source eq '-';
859 $dest = undef if $dest && $dest eq '-';
861 $dport = undef if $dport && $dport eq '-';
862 $sport = undef if $sport && $sport eq '-';
864 my $nbsource = undef;
867 $nbsource = parse_address_list
($source) if $source;
868 $nbdest = parse_address_list
($dest) if $dest;
877 nbsource
=> $nbsource,
885 foreach my $templ (@$macro) {
887 foreach my $k (keys %$templ) {
888 my $v = $templ->{$k};
891 } elsif ($v eq 'DEST') {
893 } elsif ($v eq 'SOURCE') {
894 $v = $param->{source
};
897 die "missing parameter '$k' in macro '$macro_name'\n" if !defined($v);
903 push @$rules, $param;
906 foreach my $rule (@$rules) {
907 $rule->{nbdport
} = parse_port_name_number_or_range
($rule->{dport
})
908 if defined($rule->{dport
});
909 $rule->{nbsport
} = parse_port_name_number_or_range
($rule->{sport
})
910 if defined($rule->{sport
});
916 sub parse_fw_option
{
921 if ($line =~ m/^enable:\s*(0|1)\s*$/i) {
924 } elsif ($line =~ m/^(policy-(in|out)):\s*(ACCEPT|DROP|REJECT)\s*$/i) {
929 die "can't parse option '$line'\n"
932 return ($opt, $value);
935 sub parse_vm_fw_rules
{
936 my ($filename, $fh) = @_;
938 my $res = { in => [], out
=> [], options
=> {}};
942 while (defined(my $line = <$fh>)) {
943 next if $line =~ m/^#/;
944 next if $line =~ m/^\s*$/;
946 my $linenr = $fh->input_line_number();
947 my $prefix = "$filename (line $linenr)";
949 if ($line =~ m/^\[(\S+)\]\s*$/i) {
951 warn "$prefix: ignore unknown section '$section'\n" if !$res->{$section};
955 warn "$prefix: skip line - no section";
959 next if !$res->{$section}; # skip undefined section
961 if ($section eq 'options') {
963 my ($opt, $value) = parse_fw_option
($line);
964 $res->{options
}->{$opt} = $value;
966 warn "$prefix: $@" if $@;
971 eval { $rules = parse_fw_rule
($line, 1, 1); };
973 warn "$prefix: $err";
977 push @{$res->{$section}}, @$rules;
983 sub parse_host_fw_rules
{
984 my ($filename, $fh) = @_;
986 my $res = { in => [], out
=> [] };
990 while (defined(my $line = <$fh>)) {
991 next if $line =~ m/^#/;
992 next if $line =~ m/^\s*$/;
994 my $linenr = $fh->input_line_number();
995 my $prefix = "$filename (line $linenr)";
997 if ($line =~ m/^\[(in|out)\]\s*$/i) {
1002 warn "$prefix: skip line - no section";
1007 eval { $rules = parse_fw_rule
($line, 1, 1); };
1009 warn "$prefix: $err";
1013 push @{$res->{$section}}, @$rules;
1019 sub parse_group_fw_rules
{
1020 my ($filename, $fh) = @_;
1025 my $res = { in => [], out
=> [] };
1027 while (defined(my $line = <$fh>)) {
1028 next if $line =~ m/^#/;
1029 next if $line =~ m/^\s*$/;
1031 my $linenr = $fh->input_line_number();
1032 my $prefix = "$filename (line $linenr)";
1034 if ($line =~ m/^\[(in|out):(\S+)\]\s*$/i) {
1039 if (!$section || !$group) {
1040 warn "$prefix: skip line - no section";
1045 eval { $rules = parse_fw_rule
($line, 0, 0); };
1047 warn "$prefix: $err";
1051 push @{$res->{$group}->{$section}}, @$rules;
1058 my ($code, @param) = @_;
1062 my $res = lock_file
($pve_fw_lock_filename, $timeout, $code, @param);
1069 sub read_local_vm_config
{
1075 my $list = PVE
::QemuServer
::config_list
();
1077 foreach my $vmid (keys %$list) {
1078 my $cfspath = PVE
::QemuServer
::cfs_config_path
($vmid);
1079 if (my $conf = PVE
::Cluster
::cfs_read_file
($cfspath)) {
1080 $qemu->{$vmid} = $conf;
1084 my $vmdata = { openvz
=> $openvz, qemu
=> $qemu };
1089 sub read_vm_firewall_rules
{
1092 foreach my $vmid (keys %{$vmdata->{qemu
}}, keys %{$vmdata->{openvz
}}) {
1093 my $filename = "/etc/pve/firewall/$vmid.fw";
1094 my $fh = IO
::File-
>new($filename, O_RDONLY
);
1097 $rules->{$vmid} = parse_vm_fw_rules
($filename, $fh);
1104 my $vmdata = read_local_vm_config
();
1105 my $rules = read_vm_firewall_rules
($vmdata);
1107 my $group_rules = {};
1108 my $filename = "/etc/pve/firewall/groups.fw";
1109 if (my $fh = IO
::File-
>new($filename, O_RDONLY
)) {
1110 $group_rules = parse_group_fw_rules
($filename, $fh);
1113 #print Dumper($rules);
1117 ruleset_create_chain
($ruleset, "PVEFW-INPUT");
1118 ruleset_create_chain
($ruleset, "PVEFW-OUTPUT");
1119 ruleset_create_chain
($ruleset, "PVEFW-FORWARD");
1121 ruleset_create_chain
($ruleset, "PVEFW-SET-ACCEPT-MARK");
1122 ruleset_addrule
($ruleset, "PVEFW-SET-ACCEPT-MARK", "-j MARK --set-mark 1");
1124 my $enable_hostfw = 0;
1125 $filename = "/etc/pve/local/host.fw";
1126 if (my $fh = IO
::File-
>new($filename, O_RDONLY
)) {
1127 my $host_rules = parse_host_fw_rules
($filename, $fh);
1131 enablehostfw
($ruleset, $host_rules, $group_rules);
1134 # generate firewall rules for QEMU VMs
1135 foreach my $vmid (keys %{$vmdata->{qemu
}}) {
1136 my $conf = $vmdata->{qemu
}->{$vmid};
1138 next if !$rules->{$vmid};
1139 my $options = $rules->{$vmid}->{options
};
1140 next if defined($options->{enable
}) && ($options->{enable
} == 0);
1142 foreach my $netid (keys %$conf) {
1143 next if $netid !~ m/^net(\d+)$/;
1144 my $net = PVE
::QemuServer
::parse_net
($conf->{$netid});
1146 my $iface = "tap${vmid}i$1";
1148 my $bridge = $net->{bridge
};
1149 next if !$bridge; # fixme: ?
1151 $bridge .= "v$net->{tag}" if $net->{tag
};
1154 generate_bridge_chains
($ruleset, $bridge);
1156 my $macaddr = $net->{macaddr
};
1157 generate_tap_rules_direction
($ruleset, $group_rules, $iface, $netid, $macaddr, $rules->{$vmid}->{in}, $bridge, 'IN');
1158 generate_tap_rules_direction
($ruleset, $group_rules, $iface, $netid, $macaddr, $rules->{$vmid}->{out
}, $bridge, 'OUT');
1162 if ($enable_hostfw) {
1163 # allow traffic from lo (ourself)
1164 ruleset_addrule
($ruleset, "PVEFW-INPUT", "-i lo -j ACCEPT");
1170 sub get_ruleset_status
{
1171 my ($ruleset, $verbose) = @_;
1173 my $active_chains = iptables_get_chains
();
1175 my $statushash = {};
1177 foreach my $chain (sort keys %$ruleset) {
1178 my $digest = Digest
::SHA-
>new('sha1');
1179 foreach my $cmd (@{$ruleset->{$chain}}) {
1180 $digest->add("$cmd\n");
1182 my $sig = $digest->b64digest;
1183 $statushash->{$chain}->{sig
} = $sig;
1185 my $oldsig = $active_chains->{$chain};
1186 if (!defined($oldsig)) {
1187 $statushash->{$chain}->{action
} = 'create';
1189 if ($oldsig eq $sig) {
1190 $statushash->{$chain}->{action
} = 'exists';
1192 $statushash->{$chain}->{action
} = 'update';
1195 print "$statushash->{$chain}->{action} $chain ($sig)\n" if $verbose;
1196 foreach my $cmd (@{$ruleset->{$chain}}) {
1197 print "\t$cmd\n" if $verbose;
1201 foreach my $chain (sort keys %$active_chains) {
1202 if (!defined($ruleset->{$chain})) {
1203 my $sig = $active_chains->{$chain};
1204 $statushash->{$chain}->{action
} = 'delete';
1205 $statushash->{$chain}->{sig
} = $sig;
1206 print "delete $chain ($sig)\n" if $verbose;
1216 get_ruleset_status
($ruleset, 1);
1219 sub print_sig_rule
{
1220 my ($chain, $sig) = @_;
1222 # We just use this to store a SHA1 checksum used to detect changes
1223 return "-A $chain -m comment --comment \"PVESIG:$sig\"\n";
1227 my ($ruleset, $verbose) = @_;
1229 enable_bridge_firewall();
1231 my $cmdlist = "*filter
\n"; # we pass this to iptables-restore;
1233 my $statushash = get_ruleset_status($ruleset, $verbose);
1235 # create missing chains first
1236 foreach my $chain (sort keys %$ruleset) {
1237 my $stat = $statushash->{$chain};
1238 die "internal error
" if !$stat;
1239 next if $stat->{action} ne 'create';
1241 $cmdlist .= ":$chain - [0:0]\n";
1244 my $rule = "INPUT
-j PVEFW-INPUT
";
1245 if (!PVE::Firewall::iptables_rule_exist($rule)) {
1246 $cmdlist .= "-A
$rule\n";
1248 $rule = "OUTPUT
-j PVEFW-OUTPUT
";
1249 if (!PVE::Firewall::iptables_rule_exist($rule)) {
1250 $cmdlist .= "-A
$rule\n";
1253 $rule = "FORWARD
-j PVEFW-FORWARD
";
1254 if (!PVE::Firewall::iptables_rule_exist($rule)) {
1255 $cmdlist .= "-A
$rule\n";
1258 foreach my $chain (sort keys %$ruleset) {
1259 my $stat = $statushash->{$chain};
1260 die "internal error
" if !$stat;
1262 if ($stat->{action} eq 'update' || $stat->{action} eq 'create') {
1263 $cmdlist .= "-F
$chain\n";
1264 foreach my $cmd (@{$ruleset->{$chain}}) {
1265 $cmdlist .= "$cmd\n";
1267 $cmdlist .= print_sig_rule($chain, $stat->{sig});
1268 } elsif ($stat->{action} eq 'delete') {
1269 die "internal error
"; # this should not happen
1270 } elsif ($stat->{action} eq 'exists') {
1273 die "internal error
- unknown status
'$stat->{action}'";
1277 foreach my $chain (keys %$statushash) {
1278 next if $statushash->{$chain}->{action} ne 'delete';
1279 $cmdlist .= "-F
$chain\n";
1281 foreach my $chain (keys %$statushash) {
1282 next if $statushash->{$chain}->{action} ne 'delete';
1283 next if $chain eq 'PVEFW-INPUT';
1284 next if $chain eq 'PVEFW-OUTPUT';
1285 next if $chain eq 'PVEFW-FORWARD';
1286 $cmdlist .= "-X
$chain\n";
1289 $cmdlist .= "COMMIT
\n";
1291 print $cmdlist if $verbose;
1293 iptables_restore_cmdlist($cmdlist);
1295 # test: re-read status and check if everything is up to date
1296 $statushash = get_ruleset_status($ruleset);
1299 foreach my $chain (sort keys %$ruleset) {
1300 my $stat = $statushash->{$chain};
1301 if ($stat->{action} ne 'exists') {
1302 warn "unable to update chain
'$chain'\n";
1307 die "unable to apply firewall changes
\n" if $errors;
projects / pve-firewall.git / blob