1 package PVE
::Service
::pve_firewall
;
7 use Time
::HiRes qw
(gettimeofday usleep
);
10 use PVE
::Cluster
qw(cfs_read_file);
15 use PVE
::RPCEnvironment
;
17 use PVE
::Tools
qw(dir_glob_foreach file_read_firstline);
20 use PVE
::FirewallSimulator
;
22 use base
qw(PVE::Daemon);
24 my $cmdline = [$0, @ARGV];
26 my %daemon_options = (restart_on_error
=> 5, stop_wait_time
=> 5);
28 my $daemon = __PACKAGE__-
>new('pve-firewall', $cmdline, %daemon_options);
30 my $nodename = PVE
::INotify
::nodename
();
33 PVE
::Cluster
::cfs_update
();
35 PVE
::Firewall
::init
();
38 my ($next_update, $cycle, $restart_request) = (0, 0, 0);
41 my $initial_memory_usage;
46 syslog
('info' , "server shutting down");
49 1 while (waitpid(-1, POSIX
::WNOHANG
()) > 0);
51 syslog
('info' , "clear PVE-generated firewall rules");
53 eval { PVE
::Firewall
::remove_pvefw_chains
(); };
56 $self->exit_daemon(0);
68 local $SIG{'__WARN__'} = 'IGNORE'; # do not fill up logs
71 $next_update = time() + $updatetime;
73 my ($ccsec, $cusec) = gettimeofday
();
75 PVE
::Cluster
::cfs_update
();
76 PVE
::Firewall
::update
();
79 syslog
('err', "status update error: $err");
82 my ($ccsec_end, $cusec_end) = gettimeofday
();
83 my $cptime = ($ccsec_end-$ccsec) + ($cusec_end - $cusec)/1000000;
85 syslog
('info', sprintf("firewall update time (%.3f seconds)", $cptime))
90 my $mem = PVE
::ProcFSTools
::read_memory_usage
();
92 if (!defined($initial_memory_usage) || ($cycle < 10)) {
93 $initial_memory_usage = $mem->{resident
};
95 my $diff = $mem->{resident
} - $initial_memory_usage;
96 if ($diff > 5 * 1024 * 1024) {
97 syslog
('info', "restarting server after $cycle cycles to " .
98 "reduce memory usage (free $mem->{resident} ($diff) bytes)");
99 $self->restart_daemon();
104 while ((time() < $next_update) &&
105 ($wcount < $updatetime) && # protect against time wrap
106 !$restart_request) { $wcount++; sleep (1); };
108 $self->restart_daemon() if $restart_request;
112 $daemon->register_start_command("Start the Proxmox VE firewall service.");
113 $daemon->register_restart_command(1, "Restart the Proxmox VE firewall service.");
114 $daemon->register_stop_command(
115 "Stop the Proxmox VE firewall service. Note, stopping actively removes all Proxmox VE related"
116 ." iptable rules rendering the host potentially unprotected."
119 __PACKAGE__-
>register_method ({
123 description
=> "Get firewall status.",
125 additionalProperties
=> 0,
130 additionalProperties
=> 0,
134 enum
=> ['unknown', 'stopped', 'running'],
137 description
=> "Firewall is enabled (in 'cluster.fw')",
141 description
=> "Set when there are pending changes.",
150 local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
154 my $status = $daemon->running() ?
'running' : 'stopped';
156 my $res = { status
=> $status };
158 PVE
::Firewall
::set_verbose
(1); # show syntax errors
160 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
(undef);
161 $res->{enable
} = $cluster_conf->{options
}->{enable
} ?
1 : 0;
163 if ($status eq 'running') {
165 my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE
::Firewall
::compile
($cluster_conf, undef, undef);
167 PVE
::Firewall
::set_verbose
(0); # do not show iptables details
168 my (undef, undef, $ipset_changes) = PVE
::Firewall
::get_ipset_cmdlist
($ipset_ruleset);
169 my ($test, $ruleset_changes) = PVE
::Firewall
::get_ruleset_cmdlist
($ruleset->{filter
});
170 my (undef, $ruleset_changesv6) = PVE
::Firewall
::get_ruleset_cmdlist
($rulesetv6->{filter
}, "ip6tables");
171 my (undef, $ruleset_changes_raw) = PVE
::Firewall
::get_ruleset_cmdlist
($ruleset->{raw
}, undef, 'raw');
172 my (undef, $ruleset_changesv6_raw) = PVE
::Firewall
::get_ruleset_cmdlist
($rulesetv6->{raw
}, "ip6tables", 'raw');
173 my (undef, $ebtables_changes) = PVE
::Firewall
::get_ebtables_cmdlist
($ebtables_ruleset);
175 $res->{changes
} = ($ipset_changes || $ruleset_changes || $ruleset_changesv6 || $ebtables_changes || $ruleset_changes_raw || $ruleset_changesv6_raw) ?
1 : 0;
181 return PVE
::Firewall
::run_locked
($code);
184 __PACKAGE__-
>register_method ({
188 description
=> "Compile and print firewall rules. This is useful for testing.",
190 additionalProperties
=> 0,
193 returns
=> { type
=> 'null' },
198 local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
202 PVE
::Firewall
::set_verbose
(1);
204 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
(undef);
205 my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE
::Firewall
::compile
($cluster_conf, undef, undef);
207 print "ipset cmdlist:\n";
208 my (undef, undef, $ipset_changes) = PVE
::Firewall
::get_ipset_cmdlist
($ipset_ruleset);
210 print "\niptables cmdlist:\n";
211 my (undef, $ruleset_changes) = PVE
::Firewall
::get_ruleset_cmdlist
($ruleset->{filter
});
213 print "\nip6tables cmdlist:\n";
214 my (undef, $ruleset_changesv6) = PVE
::Firewall
::get_ruleset_cmdlist
($rulesetv6->{filter
}, "ip6tables");
216 print "\nebtables cmdlist:\n";
217 my (undef, $ebtables_changes) = PVE
::Firewall
::get_ebtables_cmdlist
($ebtables_ruleset);
219 print "\niptables table raw cmdlist:\n";
220 my (undef, $ruleset_changes_raw) = PVE
::Firewall
::get_ruleset_cmdlist
($ruleset->{raw
}, undef, 'raw');
222 print "\nip6tables table raw cmdlist:\n";
223 my (undef, $ruleset_changesv6_raw) = PVE
::Firewall
::get_ruleset_cmdlist
($rulesetv6->{raw
}, "ip6tables", 'raw');
226 if ($ipset_changes || $ruleset_changes || $ruleset_changesv6 || $ebtables_changes || $ruleset_changes_raw || $ruleset_changesv6_raw) {
227 print "detected changes\n";
229 print "no changes\n";
231 if (!$cluster_conf->{options
}->{enable
}) {
232 print "firewall disabled\n";
236 PVE
::Firewall
::run_locked
($code);
241 __PACKAGE__-
>register_method ({
245 description
=> "Print information about local network.",
247 additionalProperties
=> 0,
250 returns
=> { type
=> 'null' },
254 local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
256 my $nodename = PVE
::INotify
::nodename
();
257 print "local hostname: $nodename\n";
259 my $ip = PVE
::Cluster
::remote_node_ip
($nodename);
260 print "local IP address: $ip\n";
262 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
264 my $localnet = PVE
::Firewall
::local_network
() || '127.0.0.0/8';
265 print "network auto detect: $localnet\n";
266 if (my $local_network = $cluster_conf->{aliases
}->{local_network
}) {
267 print "using user defined local_network: $local_network->{cidr}\n";
269 print "using detected local_network: $localnet\n";
272 if (PVE
::Corosync
::check_conf_exists
(1)) {
273 my $corosync_conf = PVE
::Cluster
::cfs_read_file
("corosync.conf");
274 my $corosync_node_found = 0;
276 print "\naccepting corosync traffic from/to:\n";
278 PVE
::Corosync
::for_all_corosync_addresses
($corosync_conf, undef, sub {
279 my ($curr_node_name, $curr_node_ip, undef, $key) = @_;
281 return if $curr_node_name eq $nodename;
283 $corosync_node_found = 1;
285 $key =~ m/(?:ring|link)(\d+)_addr/;
286 print " - $curr_node_name: $curr_node_ip (link: $1)\n";
289 if (!$corosync_node_found) {
290 print " - no nodes found\n";
297 __PACKAGE__-
>register_method ({
301 description
=> "Simulate firewall rules. This does not simulates the kernel 'routing' table,"
302 ." but simply assumes that routing from source zone to destination zone is possible.",
304 additionalProperties
=> 0,
307 description
=> "Verbose output.",
313 description
=> "Source zone.",
315 pattern
=> '(host|outside|vm\d+|ct\d+|vmbr\d+/\S+)',
317 default => 'outside',
320 description
=> "Destination zone.",
322 pattern
=> '(host|outside|vm\d+|ct\d+|vmbr\d+/\S+)',
327 description
=> "Protocol.",
329 pattern
=> '(tcp|udp)',
334 description
=> "Destination port.",
341 description
=> "Source port.",
348 description
=> "Source IP address.",
349 type
=> 'string', format
=> 'ipv4',
353 description
=> "Destination IP address.",
354 type
=> 'string', format
=> 'ipv4',
359 returns
=> { type
=> 'null' },
363 local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
365 PVE
::Firewall
::set_verbose
($param->{verbose
});
367 my ($ruleset, $ipset_ruleset, $rulesetv6, $ebtables_ruleset) = PVE
::Firewall
::compile
();
369 PVE
::FirewallSimulator
::debug
();
371 my $host_ip = PVE
::Cluster
::remote_node_ip
($nodename);
373 PVE
::FirewallSimulator
::reset_trace
();
374 print Dumper
($ruleset->{filter
}) if $param->{verbose
};
375 print Dumper
($ruleset->{raw
}) if $param->{verbose
};
378 from
=> $param->{from
},
380 proto
=> $param->{protocol
} || 'tcp',
381 source
=> $param->{source
},
382 dest
=> $param->{dest
},
383 dport
=> $param->{dport
},
384 sport
=> $param->{sport
},
387 if (!defined($test->{to
})) {
388 $test->{to
} = 'host';
389 PVE
::FirewallSimulator
::add_trace
("Set Zone: to => '$test->{to}'\n");
391 if (!defined($test->{from
})) {
392 $test->{from
} = 'outside',
393 PVE
::FirewallSimulator
::add_trace
("Set Zone: from => '$test->{from}'\n");
396 my $vmdata = PVE
::Firewall
::read_local_vm_config
();
398 print "Test packet:\n";
400 foreach my $k (qw(from to proto source dest dport sport)) {
401 printf(" %-8s: %s\n", $k, $test->{$k}) if defined($test->{$k});
404 $test->{action
} = 'QUERY';
406 my $res = PVE
::FirewallSimulator
::simulate_firewall
(
407 $ruleset->{filter
}, $ipset_ruleset, $host_ip, $vmdata, $test);
409 print "ACTION: $res\n";
415 start
=> [ __PACKAGE__
, 'start', []],
416 restart
=> [ __PACKAGE__
, 'restart', []],
417 stop
=> [ __PACKAGE__
, 'stop', []],
418 compile
=> [ __PACKAGE__
, 'compile', []],
419 simulate
=> [ __PACKAGE__
, 'simulate', []],
420 localnet
=> [ __PACKAGE__
, 'localnet', []],
421 status
=> [ __PACKAGE__
, 'status', [], undef, sub {
423 my $status = ($res->{enable
} ?
"enabled" : "disabled") . '/' . $res->{status
};
425 if ($res->{changes
}) {
426 print "Status: $status (pending changes)\n";
428 print "Status: $status\n";