]> git.proxmox.com Git - pve-firewall.git/blob - PVE/Firewall.pm
projects / pve-firewall.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
only use --mark for OUT chain
[pve-firewall.git] / PVE / Firewall.pm
1 package PVE::Firewall;
2
3 use warnings;
4 use strict;
5 use Data::Dumper;
6 use Digest::SHA;
7 use PVE::Tools;
8 use PVE::QemuServer;
9 use File::Path;
10 use IO::File;
11 use Net::IP;
12 use PVE::Tools qw(run_command lock_file);
13
14 use Data::Dumper;
15
16 my $pve_fw_lock_filename = "/var/lock/pvefw.lck";
17
18 my $macros;
19
20 # todo: implement some kind of MACROS, like shorewall /usr/share/shorewall/macro.*
21 sub get_firewall_macros {
22
23 return $macros if $macros;
24
25 #foreach my $path (</usr/share/shorewall/macro.*>) {
26 # if ($path =~ m|/macro\.(\S+)$|) {
27 # $macros->{$1} = 1;
28 # }
29 #}
30
31 $macros = {}; # fixme: implemet me
32
33 return $macros;
34 }
35
36 my $etc_services;
37
38 sub get_etc_services {
39
40 return $etc_services if $etc_services;
41
42 my $filename = "/etc/services";
43
44 my $fh = IO::File->new($filename, O_RDONLY);
45 if (!$fh) {
46 warn "unable to read '$filename' - $!\n";
47 return {};
48 }
49
50 my $services = {};
51
52 while (my $line = <$fh>) {
53 chomp ($line);
54 next if $line =~m/^#/;
55 next if ($line =~m/^\s*$/);
56
57 if ($line =~ m!^(\S+)\s+(\S+)/(tcp|udp).*$!) {
58 $services->{byid}->{$2}->{name} = $1;
59 $services->{byid}->{$2}->{$3} = 1;
60 $services->{byname}->{$1} = $services->{byid}->{$2};
61 }
62 }
63
64 close($fh);
65
66 $etc_services = $services;
67
68
69 return $etc_services;
70 }
71
72 my $etc_protocols;
73
74 sub get_etc_protocols {
75 return $etc_protocols if $etc_protocols;
76
77 my $filename = "/etc/protocols";
78
79 my $fh = IO::File->new($filename, O_RDONLY);
80 if (!$fh) {
81 warn "unable to read '$filename' - $!\n";
82 return {};
83 }
84
85 my $protocols = {};
86
87 while (my $line = <$fh>) {
88 chomp ($line);
89 next if $line =~m/^#/;
90 next if ($line =~m/^\s*$/);
91
92 if ($line =~ m!^(\S+)\s+(\d+)\s+.*$!) {
93 $protocols->{byid}->{$2}->{name} = $1;
94 $protocols->{byname}->{$1} = $protocols->{byid}->{$2};
95 }
96 }
97
98 close($fh);
99
100 $etc_protocols = $protocols;
101
102 return $etc_protocols;
103 }
104
105 sub parse_address_list {
106 my ($str) = @_;
107
108 my $nbaor = 0;
109 foreach my $aor (split(/,/, $str)) {
110 if (!Net::IP->new($aor)) {
111 my $err = Net::IP::Error();
112 die "invalid IP address: $err\n";
113 }else{
114 $nbaor++;
115 }
116 }
117 return $nbaor;
118 }
119
120 sub parse_port_name_number_or_range {
121 my ($str) = @_;
122
123 my $services = PVE::Firewall::get_etc_services();
124 my $nbports = 0;
125 foreach my $item (split(/,/, $str)) {
126 my $portlist = "";
127 foreach my $pon (split(':', $item, 2)) {
128 if ($pon =~ m/^\d+$/){
129 die "invalid port '$pon'\n" if $pon < 0 && $pon > 65536;
130 }else{
131 die "invalid port $services->{byname}->{$pon}\n" if !$services->{byname}->{$pon};
132 }
133 $nbports++;
134 }
135 }
136
137 return ($nbports);
138 }
139
140 my $bridge_firewall_enabled = 0;
141
142 sub enable_bridge_firewall {
143
144 return if $bridge_firewall_enabled; # only once
145
146 system("echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables");
147 system("echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables");
148
149 $bridge_firewall_enabled = 1;
150 }
151
152 my $rule_format = "%-15s %-30s %-30s %-15s %-15s %-15s\n";
153
154 sub iptables {
155 my ($cmd) = @_;
156
157 run_command("/sbin/iptables $cmd", outfunc => sub {}, errfunc => sub {});
158 }
159
160 sub iptables_restore_cmdlist {
161 my ($cmdlist) = @_;
162
163 run_command("/sbin/iptables-restore -n", input => $cmdlist);
164 }
165
166 sub iptables_get_chains {
167
168 my $res = {};
169
170 # check what chains we want to track
171 my $is_pvefw_chain = sub {
172 my $name = shift;
173
174 return 1 if $name =~ m/^PVEFW-\S+$/;
175
176 return 1 if $name =~ m/^tap\d+i\d+-(:?IN|OUT)$/;
177 return 1 if $name =~ m/^vmbr\d+-(:?IN|OUT)$/;
178 return 1 if $name =~ m/^GROUP-(:?[^\s\-]+)-(:?IN|OUT)$/;
179
180 return undef;
181 };
182
183 my $table = '';
184
185 my $parser = sub {
186 my $line = shift;
187
188 return if $line =~ m/^#/;
189 return if $line =~ m/^\s*$/;
190
191 if ($line =~ m/^\*(\S+)$/) {
192 $table = $1;
193 return;
194 }
195
196 return if $table ne 'filter';
197
198 if ($line =~ m/^:(\S+)\s/) {
199 my $chain = $1;
200 return if !&$is_pvefw_chain($chain);
201 $res->{$chain} = "unknown";
202 } elsif ($line =~ m/^-A\s+(\S+)\s.*--comment\s+\"PVESIG:(\S+)\"/) {
203 my ($chain, $sig) = ($1, $2);
204 return if !&$is_pvefw_chain($chain);
205 $res->{$chain} = $sig;
206 } else {
207 # simply ignore the rest
208 return;
209 }
210 };
211
212 run_command("/sbin/iptables-save", outfunc => $parser);
213
214 return $res;
215 }
216
217 sub iptables_chain_exist {
218 my ($chain) = @_;
219
220 eval{
221 iptables("-n --list $chain");
222 };
223 return undef if $@;
224
225 return 1;
226 }
227
228 sub iptables_rule_exist {
229 my ($rule) = @_;
230
231 eval{
232 iptables("-C $rule");
233 };
234 return undef if $@;
235
236 return 1;
237 }
238
239 sub ruleset_generate_rule {
240 my ($ruleset, $chain, $rule, $goto) = @_;
241
242 my $cmd = '';
243
244 $cmd .= " -m iprange --src-range" if $rule->{nbsource} && $rule->{nbsource} > 1;
245 $cmd .= " -s $rule->{source}" if $rule->{source};
246 $cmd .= " -m iprange --dst-range" if $rule->{nbdest} && $rule->{nbdest} > 1;
247 $cmd .= " -d $rule->{dest}" if $rule->{destination};
248 $cmd .= " -p $rule->{proto}" if $rule->{proto};
249 $cmd .= " --match multiport" if $rule->{nbdport} && $rule->{nbdport} > 1;
250 $cmd .= " --dport $rule->{dport}" if $rule->{dport};
251 $cmd .= " --match multiport" if $rule->{nbsport} && $rule->{nbsport} > 1;
252 $cmd .= " --sport $rule->{sport}" if $rule->{sport};
253
254 if (my $action = $rule->{action}) {
255 $goto = 1 if !defined($goto) && $action eq 'PVEFW-SET-ACCEPT-MARK';
256 $cmd .= $goto ? " -g $action" : " -j $action";
257 };
258
259 ruleset_addrule($ruleset, $chain, $cmd) if $cmd;
260 }
261
262 sub ruleset_create_chain {
263 my ($ruleset, $chain) = @_;
264
265 die "Invalid chain name '$chain' (28 char max)\n" if length($chain) > 28;
266
267 die "chain '$chain' already exists\n" if $ruleset->{$chain};
268
269 $ruleset->{$chain} = [];
270 }
271
272 sub ruleset_chain_exist {
273 my ($ruleset, $chain) = @_;
274
275 return $ruleset->{$chain} ? 1 : undef;
276 }
277
278 sub ruleset_addrule {
279 my ($ruleset, $chain, $rule) = @_;
280
281 die "no such chain '$chain'\n" if !$ruleset->{$chain};
282
283 push @{$ruleset->{$chain}}, "-A $chain $rule";
284 }
285
286 sub ruleset_insertrule {
287 my ($ruleset, $chain, $rule) = @_;
288
289 die "no such chain '$chain'\n" if !$ruleset->{$chain};
290
291 unshift @{$ruleset->{$chain}}, "-A $chain $rule";
292 }
293
294 sub generate_bridge_chains {
295 my ($ruleset, $bridge) = @_;
296
297 if (!ruleset_chain_exist($ruleset, "PVEFW-BRIDGE-IN")){
298 ruleset_create_chain($ruleset, "PVEFW-BRIDGE-IN");
299 }
300
301 if (!ruleset_chain_exist($ruleset, "PVEFW-BRIDGE-OUT")){
302 ruleset_create_chain($ruleset, "PVEFW-BRIDGE-OUT");
303 }
304
305 if (!ruleset_chain_exist($ruleset, "PVEFW-FORWARD")){
306 ruleset_create_chain($ruleset, "PVEFW-FORWARD");
307
308 ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m state --state RELATED,ESTABLISHED -j ACCEPT");
309 ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-in --physdev-is-bridged -j PVEFW-BRIDGE-OUT");
310 ruleset_addrule($ruleset, "PVEFW-FORWARD", "-m physdev --physdev-is-out --physdev-is-bridged -j PVEFW-BRIDGE-IN");
311 }
312
313 if (!ruleset_chain_exist($ruleset, "$bridge-IN")) {
314 ruleset_create_chain($ruleset, "$bridge-IN");
315 ruleset_addrule($ruleset, "PVEFW-FORWARD", "-i $bridge -j DROP"); # disable interbridge routing
316 ruleset_addrule($ruleset, "PVEFW-BRIDGE-IN", "-j $bridge-IN");
317 ruleset_addrule($ruleset, "$bridge-IN", "-j ACCEPT");
318 }
319
320 if (!ruleset_chain_exist($ruleset, "$bridge-OUT")) {
321 ruleset_create_chain($ruleset, "$bridge-OUT");
322 ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -j DROP"); # disable interbridge routing
323 ruleset_addrule($ruleset, "PVEFW-BRIDGE-OUT", "-j $bridge-OUT");
324 }
325 }
326
327 sub generate_tap_rules_direction {
328 my ($ruleset, $group_rules, $iface, $netid, $macaddr, $rules, $bridge, $direction) = @_;
329
330 my $tapchain = "$iface-$direction";
331
332 ruleset_create_chain($ruleset, $tapchain);
333
334 ruleset_addrule($ruleset, $tapchain, "-m state --state INVALID -j DROP");
335 ruleset_addrule($ruleset, $tapchain, "-m state --state RELATED,ESTABLISHED -j ACCEPT");
336
337 if ($direction eq 'OUT' && defined($macaddr)) {
338 ruleset_addrule($ruleset, $tapchain, "-m mac ! --mac-source $macaddr -j DROP");
339 }
340
341 if ($rules) {
342 foreach my $rule (@$rules) {
343 next if $rule->{iface} && $rule->{iface} ne $netid;
344 # we go to $bridge-IN if accept in out rules
345 if($rule->{action} =~ m/^(GROUP-(\S+))$/){
346 $rule->{action} .= "-$direction";
347 # generate empty group rule if don't exist
348 if(!ruleset_chain_exist($ruleset, $rule->{action})){
349 generate_group_rules($ruleset, $group_rules, $2);
350 }
351 ruleset_generate_rule($ruleset, $tapchain, $rule);
352 ruleset_addrule($ruleset, $tapchain, "-m mark --mark 1 -g $bridge-IN")
353 if $direction eq 'OUT';
354 } else {
355 $rule->{action} = "$bridge-IN" if $rule->{action} eq 'ACCEPT' && $direction eq 'OUT';
356 ruleset_generate_rule($ruleset, $tapchain, $rule);
357 }
358 }
359 }
360
361 ruleset_addrule($ruleset, $tapchain, "-j LOG --log-prefix \"$tapchain-dropped: \" --log-level 4");
362 ruleset_addrule($ruleset, $tapchain, "-j DROP");
363
364 # plug the tap chain to bridge chain
365 my $physdevdirection = $direction eq 'IN' ? "out" : "in";
366 my $rule = "-m physdev --physdev-$physdevdirection $iface --physdev-is-bridged -j $tapchain";
367 ruleset_insertrule($ruleset, "$bridge-$direction", $rule);
368
369 if ($direction eq 'OUT'){
370 # add tap->host rules
371 my $rule = "-m physdev --physdev-$physdevdirection $iface -j $tapchain";
372 ruleset_addrule($ruleset, "PVEFW-INPUT", $rule);
373 }
374 }
375
376 sub enablehostfw {
377 my ($ruleset, $rules, $group_rules) = @_;
378
379 # fixme: allow security groups
380
381 # host inbound firewall
382 my $chain = "PVEFW-HOST-IN";
383 ruleset_create_chain($ruleset, $chain);
384
385 ruleset_addrule($ruleset, $chain, "-m state --state INVALID -j DROP");
386 ruleset_addrule($ruleset, $chain, "-m state --state RELATED,ESTABLISHED -j ACCEPT");
387 ruleset_addrule($ruleset, $chain, "-i lo -j ACCEPT");
388 ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
389 ruleset_addrule($ruleset, $chain, "-p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT");
390 ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
391
392 if ($rules->{in}) {
393 foreach my $rule (@{$rules->{in}}) {
394 # we use RETURN because we need to check also tap rules
395 $rule->{action} = 'RETURN' if $rule->{action} eq 'ACCEPT';
396 ruleset_generate_rule($ruleset, $chain, $rule);
397 }
398 }
399
400 ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"kvmhost-IN dropped: \" --log-level 4");
401 ruleset_addrule($ruleset, $chain, "-j DROP");
402
403 # host outbound firewall
404 $chain = "PVEFW-HOST-OUT";
405 ruleset_create_chain($ruleset, $chain);
406
407 ruleset_addrule($ruleset, $chain, "-m state --state INVALID -j DROP");
408 ruleset_addrule($ruleset, $chain, "-m state --state RELATED,ESTABLISHED -j ACCEPT");
409 ruleset_addrule($ruleset, $chain, "-o lo -j ACCEPT");
410 ruleset_addrule($ruleset, $chain, "-m addrtype --dst-type MULTICAST -j ACCEPT");
411 ruleset_addrule($ruleset, $chain, "-p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT");
412 ruleset_addrule($ruleset, $chain, "-p udp -m udp --dport 9000 -j ACCEPT"); #corosync
413
414 if ($rules->{out}) {
415 foreach my $rule (@{$rules->{out}}) {
416 # we use RETURN because we need to check also tap rules
417 $rule->{action} = 'RETURN' if $rule->{action} eq 'ACCEPT';
418 ruleset_generate_rule($ruleset, $chain, $rule);
419 }
420 }
421
422 ruleset_addrule($ruleset, $chain, "-j LOG --log-prefix \"kvmhost-OUT dropped: \" --log-level 4");
423 ruleset_addrule($ruleset, $chain, "-j DROP");
424
425 ruleset_addrule($ruleset, "PVEFW-OUTPUT", "-j PVEFW-HOST-OUT");
426 ruleset_addrule($ruleset, "PVEFW-INPUT", "-j PVEFW-HOST-IN");
427 }
428
429 sub generate_group_rules {
430 my ($ruleset, $group_rules, $group) = @_;
431
432 my $rules = $group_rules->{$group};
433
434 die "no such security group '$group'\n" if !$rules;
435
436 my $chain = "GROUP-${group}-IN";
437
438 ruleset_create_chain($ruleset, $chain);
439
440 if ($rules->{in}) {
441 foreach my $rule (@{$rules->{in}}) {
442 ruleset_generate_rule($ruleset, $chain, $rule);
443 }
444 }
445
446 $chain = "GROUP-${group}-OUT";
447
448 ruleset_create_chain($ruleset, $chain);
449 ruleset_addrule($ruleset, $chain, "-j MARK --set-mark 0"); # clear mark
450
451 if ($rules->{out}) {
452 foreach my $rule (@{$rules->{out}}) {
453 # we go the PVEFW-SET-ACCEPT-MARK Instead of ACCEPT) because we need to
454 # check also other tap rules (and group rules can be set on any bridge,
455 # so we can't go to VMBRXX-IN)
456 $rule->{action} = 'PVEFW-SET-ACCEPT-MARK' if $rule->{action} eq 'ACCEPT';
457 ruleset_generate_rule($ruleset, $chain, $rule);
458 }
459 }
460 }
461
462 my $MAX_NETS = 32;
463 my $valid_netdev_names = {};
464 for (my $i = 0; $i < $MAX_NETS; $i++) {
465 $valid_netdev_names->{"net$i"} = 1;
466 }
467
468 sub parse_fw_rule {
469 my ($line, $need_iface, $allow_groups) = @_;
470
471 my $macros = get_firewall_macros();
472 my $protocols = get_etc_protocols();
473
474 my ($action, $iface, $source, $dest, $proto, $dport, $sport);
475
476 $line =~ s/#.*$//;
477
478 my @data = split(/\s+/, $line);
479 my $expected_elements = $need_iface ? 7 : 6;
480
481 die "wrong number of rule elements\n" if scalar(@data) > $expected_elements;
482
483 if ($need_iface) {
484 ($action, $iface, $source, $dest, $proto, $dport, $sport) = @data
485 } else {
486 ($action, $source, $dest, $proto, $dport, $sport) = @data;
487 }
488
489 die "incomplete rule\n" if !$action;
490
491 my $service;
492 if ($action =~ m/^(ACCEPT|DROP|REJECT)$/) {
493 # OK
494 } elsif ($allow_groups && $action =~ m/^GROUP-(:?\S+)$/) {
495 # OK
496 } elsif ($action =~ m/^(\S+)\((ACCEPT|DROP|REJECT)\)$/) {
497 ($service, $action) = ($1, $2);
498 if (!$macros->{$service}) {
499 die "unknown service '$service'\n";
500 }
501 } else {
502 die "unknown action '$action'\n";
503 }
504
505 if ($need_iface) {
506 $iface = undef if $iface && $iface eq '-';
507 die "unknown interface '$iface'\n"
508 if defined($iface) && !$valid_netdev_names->{$iface};
509 }
510
511 $proto = undef if $proto && $proto eq '-';
512 die "unknown protokol '$proto'\n" if $proto &&
513 !(defined($protocols->{byname}->{$proto}) ||
514 defined($protocols->{byid}->{$proto}));
515
516 $source = undef if $source && $source eq '-';
517 $dest = undef if $dest && $dest eq '-';
518
519 $dport = undef if $dport && $dport eq '-';
520 $sport = undef if $sport && $sport eq '-';
521
522 my $nbdport = undef;
523 my $nbsport = undef;
524 my $nbsource = undef;
525 my $nbdest = undef;
526
527 $nbsource = parse_address_list($source) if $source;
528 $nbdest = parse_address_list($dest) if $dest;
529 $nbdport = parse_port_name_number_or_range($dport) if $dport;
530 $nbsport = parse_port_name_number_or_range($sport) if $sport;
531
532 return {
533 action => $action,
534 service => $service,
535 iface => $iface,
536 source => $source,
537 dest => $dest,
538 nbsource => $nbsource,
539 nbdest => $nbdest,
540 proto => $proto,
541 dport => $dport,
542 sport => $sport,
543 nbdport => $nbdport,
544 nbsport => $nbsport,
545 };
546 }
547
548 sub parse_vm_fw_rules {
549 my ($filename, $fh) = @_;
550
551 my $res = { in => [], out => [] };
552
553 my $section;
554
555 while (defined(my $line = <$fh>)) {
556 next if $line =~ m/^#/;
557 next if $line =~ m/^\s*$/;
558
559 if ($line =~ m/^\[(in|out)\]\s*$/i) {
560 $section = lc($1);
561 next;
562 }
563 if (!$section) {
564 warn "$filename (line $.): skip line - no section";
565 next;
566 }
567
568 my $rule;
569 eval { $rule = parse_fw_rule($line, 1, 1); };
570 if (my $err = $@) {
571 warn "$filename (line $.): $err";
572 next;
573 }
574
575 push @{$res->{$section}}, $rule;
576 }
577
578 return $res;
579 }
580
581 sub parse_host_fw_rules {
582 my ($filename, $fh) = @_;
583
584 my $res = { in => [], out => [] };
585
586 my $section;
587
588 while (defined(my $line = <$fh>)) {
589 next if $line =~ m/^#/;
590 next if $line =~ m/^\s*$/;
591
592 if ($line =~ m/^\[(in|out)\]\s*$/i) {
593 $section = lc($1);
594 next;
595 }
596 if (!$section) {
597 warn "$filename (line $.): skip line - no section";
598 next;
599 }
600
601 my $rule;
602 eval { $rule = parse_fw_rule($line, 1, 1); };
603 if (my $err = $@) {
604 warn "$filename (line $.): $err";
605 next;
606 }
607
608 push @{$res->{$section}}, $rule;
609 }
610
611 return $res;
612 }
613
614 sub parse_group_fw_rules {
615 my ($filename, $fh) = @_;
616
617 my $section;
618 my $group;
619
620 my $res = { in => [], out => [] };
621
622 while (defined(my $line = <$fh>)) {
623 next if $line =~ m/^#/;
624 next if $line =~ m/^\s*$/;
625
626 if ($line =~ m/^\[(in|out):(\S+)\]\s*$/i) {
627 $section = lc($1);
628 $group = lc($2);
629 next;
630 }
631 if (!$section || !$group) {
632 warn "$filename (line $.): skip line - no section";
633 next;
634 }
635
636 my $rule;
637 eval { $rule = parse_fw_rule($line, 0, 0); };
638 if (my $err = $@) {
639 warn "$filename (line $.): $err";
640 next;
641 }
642
643 push @{$res->{$group}->{$section}}, $rule;
644 }
645
646 return $res;
647 }
648
649 sub run_locked {
650 my ($code, @param) = @_;
651
652 my $timeout = 10;
653
654 my $res = lock_file($pve_fw_lock_filename, $timeout, $code, @param);
655
656 die $@ if $@;
657
658 return $res;
659 }
660
661 sub read_local_vm_config {
662
663 my $openvz = {};
664
665 my $qemu = {};
666
667 my $list = PVE::QemuServer::config_list();
668
669 foreach my $vmid (keys %$list) {
670 my $cfspath = PVE::QemuServer::cfs_config_path($vmid);
671 if (my $conf = PVE::Cluster::cfs_read_file($cfspath)) {
672 $qemu->{$vmid} = $conf;
673 }
674 }
675
676 my $vmdata = { openvz => $openvz, qemu => $qemu };
677
678 return $vmdata;
679 };
680
681 sub read_vm_firewall_rules {
682 my ($vmdata) = @_;
683 my $rules = {};
684 foreach my $vmid (keys %{$vmdata->{qemu}}, keys %{$vmdata->{openvz}}) {
685 my $filename = "/etc/pve/firewall/$vmid.fw";
686 my $fh = IO::File->new($filename, O_RDONLY);
687 next if !$fh;
688
689 $rules->{$vmid} = parse_vm_fw_rules($filename, $fh);
690 }
691
692 return $rules;
693 }
694
695 sub compile {
696 my $vmdata = read_local_vm_config();
697 my $rules = read_vm_firewall_rules($vmdata);
698
699 my $group_rules = {};
700 my $filename = "/etc/pve/firewall/groups.fw";
701 if (my $fh = IO::File->new($filename, O_RDONLY)) {
702 $group_rules = parse_group_fw_rules($filename, $fh);
703 }
704
705 #print Dumper($rules);
706
707 my $ruleset = {};
708
709 # setup host firewall rules
710 ruleset_create_chain($ruleset, "PVEFW-INPUT");
711 ruleset_create_chain($ruleset, "PVEFW-OUTPUT");
712
713 ruleset_create_chain($ruleset, "PVEFW-SET-ACCEPT-MARK");
714 ruleset_addrule($ruleset, "PVEFW-SET-ACCEPT-MARK", "-j MARK --set-mark 1");
715
716 $filename = "/etc/pve/local/host.fw";
717 if (my $fh = IO::File->new($filename, O_RDONLY)) {
718 my $host_rules = parse_host_fw_rules($filename, $fh);
719 enablehostfw($ruleset, $host_rules, $group_rules);
720 }
721
722 # generate firewall rules for QEMU VMs
723 foreach my $vmid (keys %{$vmdata->{qemu}}) {
724 my $conf = $vmdata->{qemu}->{$vmid};
725 next if !$rules->{$vmid};
726
727 foreach my $netid (keys %$conf) {
728 next if $netid !~ m/^net(\d+)$/;
729 my $net = PVE::QemuServer::parse_net($conf->{$netid});
730 next if !$net;
731 my $iface = "tap${vmid}i$1";
732
733 my $bridge = $net->{bridge};
734 next if !$bridge; # fixme: ?
735
736 $bridge .= "v$net->{tag}" if $net->{tag};
737
738 generate_bridge_chains($ruleset, $bridge);
739
740 my $macaddr = $net->{macaddr};
741 generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $rules->{$vmid}->{in}, $bridge, 'IN');
742 generate_tap_rules_direction($ruleset, $group_rules, $iface, $netid, $macaddr, $rules->{$vmid}->{out}, $bridge, 'OUT');
743 }
744 }
745 return $ruleset;
746 }
747
748 sub get_ruleset_status {
749 my ($ruleset, $verbose) = @_;
750
751 my $active_chains = iptables_get_chains();
752
753 my $statushash = {};
754
755 foreach my $chain (sort keys %$ruleset) {
756 my $digest = Digest::SHA->new('sha1');
757 foreach my $cmd (@{$ruleset->{$chain}}) {
758 $digest->add("$cmd\n");
759 }
760 my $sig = $digest->b64digest;
761 $statushash->{$chain}->{sig} = $sig;
762
763 my $oldsig = $active_chains->{$chain};
764 if (!defined($oldsig)) {
765 $statushash->{$chain}->{action} = 'create';
766 } else {
767 if ($oldsig eq $sig) {
768 $statushash->{$chain}->{action} = 'exists';
769 } else {
770 $statushash->{$chain}->{action} = 'update';
771 }
772 }
773 print "$statushash->{$chain}->{action} $chain ($sig)\n" if $verbose;
774 foreach my $cmd (@{$ruleset->{$chain}}) {
775 print "\t$cmd\n" if $verbose;
776 }
777 }
778
779 foreach my $chain (sort keys %$active_chains) {
780 if (!defined($ruleset->{$chain})) {
781 my $sig = $active_chains->{$chain};
782 $statushash->{$chain}->{action} = 'delete';
783 $statushash->{$chain}->{sig} = $sig;
784 print "delete $chain ($sig)\n" if $verbose;
785 }
786 }
787
788 return $statushash;
789 }
790
791 sub print_ruleset {
792 my ($ruleset) = @_;
793
794 get_ruleset_status($ruleset, 1);
795 }
796
797 sub print_sig_rule {
798 my ($chain, $sig) = @_;
799
800 # We just use this to store a SHA1 checksum used to detect changes
801 return "-A $chain -m comment --comment \"PVESIG:$sig\"\n";
802 }
803
804 sub apply_ruleset {
805 my ($ruleset, $verbose) = @_;
806
807 enable_bridge_firewall();
808
809 my $cmdlist = "*filter\n"; # we pass this to iptables-restore;
810
811 my $statushash = get_ruleset_status($ruleset, $verbose);
812
813 # create missing chains first
814 foreach my $chain (sort keys %$ruleset) {
815 my $stat = $statushash->{$chain};
816 die "internal error" if !$stat;
817 next if $stat->{action} ne 'create';
818
819 $cmdlist .= ":$chain - [0:0]\n";
820 }
821
822 my $rule = "INPUT -j PVEFW-INPUT";
823 if (!PVE::Firewall::iptables_rule_exist($rule)) {
824 $cmdlist .= "-A $rule\n";
825 }
826 $rule = "OUTPUT -j PVEFW-OUTPUT";
827 if (!PVE::Firewall::iptables_rule_exist($rule)) {
828 $cmdlist .= "-A $rule\n";
829 }
830
831 $rule = "FORWARD -j PVEFW-FORWARD";
832 if (!PVE::Firewall::iptables_rule_exist($rule)) {
833 $cmdlist .= "-A $rule\n";
834 }
835
836 foreach my $chain (sort keys %$ruleset) {
837 my $stat = $statushash->{$chain};
838 die "internal error" if !$stat;
839
840 if ($stat->{action} eq 'update' || $stat->{action} eq 'create') {
841 $cmdlist .= "-F $chain\n";
842 foreach my $cmd (@{$ruleset->{$chain}}) {
843 $cmdlist .= "$cmd\n";
844 }
845 $cmdlist .= print_sig_rule($chain, $stat->{sig});
846 } elsif ($stat->{action} eq 'delete') {
847 die "internal error"; # this should not happen
848 } elsif ($stat->{action} eq 'exists') {
849 # do nothing
850 } else {
851 die "internal error - unknown status '$stat->{action}'";
852 }
853 }
854
855 foreach my $chain (keys %$statushash) {
856 next if $statushash->{$chain}->{action} ne 'delete';
857 $cmdlist .= "-F $chain\n";
858 }
859 foreach my $chain (keys %$statushash) {
860 next if $statushash->{$chain}->{action} ne 'delete';
861 $cmdlist .= "-X $chain\n";
862 }
863
864 $cmdlist .= "COMMIT\n";
865
866 print $cmdlist if $verbose;
867
868 iptables_restore_cmdlist($cmdlist);
869
870 # test: re-read status and check if everything is up to date
871 $statushash = get_ruleset_status($ruleset);
872
873 my $errors;
874 foreach my $chain (sort keys %$ruleset) {
875 my $stat = $statushash->{$chain};
876 if ($stat->{action} ne 'exists') {
877 warn "unable to update chain '$chain'\n";
878 $errors = 1;
879 }
880 }
881
882 die "unable to apply firewall changes\n" if $errors;
883 }
884
885 1;
Firewall test scripts