]>
git.proxmox.com Git - pve-firewall.git/blob - src/pve-firewall
88d57f97a41aefbecb9caf3e3584ade4f37f6978
8 use Time
:: HiRes qw
( gettimeofday
);
9 use PVE
:: Tools
qw(dir_glob_foreach file_read_firstline) ;
12 use PVE
:: Cluster
qw(cfs_read_file) ;
13 use PVE
:: RPCEnvironment
;
16 use PVE
:: FirewallSimulator
;
19 use base
qw(PVE::Daemon) ;
21 $SIG { '__WARN__' } = sub {
26 syslog
( 'warning' , " %s " , $t );
30 my $cmdline = [ $0, @ARGV ];
32 my %daemon_options = ( restart_on_error
=> 5 , stop_wait_time
=> 5 );
34 my $daemon = __PACKAGE__-
> new ( 'pve-firewall' , $cmdline, %daemon_options );
36 my $rpcenv = PVE
:: RPCEnvironment-
> init ( 'cli' );
38 $rpcenv -> init_request ();
39 $rpcenv -> set_language ( $ENV { LANG
});
40 $rpcenv -> set_user ( 'root @pam ' );
42 my $nodename = PVE
:: INotify
:: nodename
();
46 PVE
:: Cluster
:: cfs_update
();
48 PVE
:: Firewall
:: init
();
51 my $restart_request = 0 ;
57 my $initial_memory_usage ;
62 syslog
( 'info' , "server closing" );
65 1 while ( waitpid (- 1 , POSIX
:: WNOHANG
()) > 0 );
67 syslog
( 'info' , "clear firewall rules" );
69 eval { PVE
:: Firewall
:: remove_pvefw_chains
(); };
72 $self -> exit_daemon ( 0 );
84 local $SIG { '__WARN__' } = 'IGNORE' ; # do not fill up logs
88 $next_update = time () + $updatetime ;
90 my ( $ccsec, $cusec ) = gettimeofday
();
92 PVE
:: Cluster
:: cfs_update
();
93 PVE
:: Firewall
:: update
();
98 syslog
( 'err' , "status update error: $err " );
101 my ( $ccsec_end, $cusec_end ) = gettimeofday
();
102 my $cptime = ( $ccsec_end - $ccsec ) + ( $cusec_end - $cusec )/ 1000000 ;
104 syslog
( 'info' , sprintf ( "firewall update time (%.3f seconds)" , $cptime ))
109 my $mem = PVE
:: ProcFSTools
:: read_memory_usage
();
111 if (! defined ( $initial_memory_usage ) || ( $cycle < 10 )) {
112 $initial_memory_usage = $mem ->{ resident
};
114 my $diff = $mem ->{ resident
} - $initial_memory_usage ;
115 if ( $diff > 5 * 1024 * 1024 ) {
116 syslog
( 'info' , "restarting server after $cycle cycles to " .
117 "reduce memory usage (free $mem ->{resident} ( $diff ) bytes)" );
118 $self -> restart_daemon ();
123 while (( time () < $next_update ) &&
124 ( $wcount < $updatetime ) && # protect against time wrap
125 ! $restart_request ) { $wcount++ ; sleep ( 1 ); };
127 $self -> restart_daemon () if $restart_request ;
131 $daemon -> register_start_command ( "Start the Proxmox VE firewall service." );
132 $daemon -> register_restart_command ( 1 , "Restart the Proxmox VE firewall service." );
133 $daemon -> register_stop_command ( "Stop firewall. This removes all Proxmox VE " .
134 "related iptable rules. " .
135 "The host is unprotected afterwards." );
137 __PACKAGE__-
> register_method ({
141 description
=> "Get firewall status." ,
143 additionalProperties
=> 0 ,
148 additionalProperties
=> 0 ,
152 enum
=> [ 'unknown' , 'stopped' , 'running' ],
155 description
=> "Firewall is enabled (in 'cluster.fw')" ,
159 description
=> "Set when there are pending changes." ,
168 local $SIG { '__WARN__' } = 'DEFAULT' ; # do not fill up syslog
172 my $status = $daemon -> running () ?
'running' : 'stopped' ;
174 my $res = { status
=> $status };
176 my $verbose = 1 ; # show syntax errors
177 my $cluster_conf = PVE
:: Firewall
:: load_clusterfw_conf
( undef , $verbose );
178 $res ->{ enable
} = $cluster_conf ->{ options
}->{ enable
} ?
1 : 0 ;
180 if ( $status eq 'running' ) {
182 my ( $ruleset, $ipset_ruleset, $rulesetv6 ) = PVE
:: Firewall
:: compile
( $cluster_conf, undef , undef , $verbose );
184 $verbose = 0 ; # do not show iptables details
185 my ( undef , undef , $ipset_changes ) = PVE
:: Firewall
:: get_ipset_cmdlist
( $ipset_ruleset, $verbose );
186 my ( $test, $ruleset_changes ) = PVE
:: Firewall
:: get_ruleset_cmdlist
( $ruleset, $verbose );
187 my ( undef , $ruleset_changesv6 ) = PVE
:: Firewall
:: get_ruleset_cmdlist
( $rulesetv6, $verbose, "ip6tables" );
189 $res ->{ changes
} = ( $ipset_changes || $ruleset_changes || $ruleset_changesv6 ) ?
1 : 0 ;
195 return PVE
:: Firewall
:: run_locked
( $code );
198 __PACKAGE__-
> register_method ({
202 description
=> "Compile and print firewall rules. This is useful for testing." ,
204 additionalProperties
=> 0 ,
207 returns
=> { type
=> 'null' },
212 local $SIG { '__WARN__' } = 'DEFAULT' ; # do not fill up syslog
218 my $cluster_conf = PVE
:: Firewall
:: load_clusterfw_conf
( undef , $verbose );
219 my ( $ruleset, $ipset_ruleset, $rulesetv6 ) = PVE
:: Firewall
:: compile
( $cluster_conf, undef , undef , $verbose );
221 print "ipset cmdlist: \n " ;
222 my ( undef , undef , $ipset_changes ) = PVE
:: Firewall
:: get_ipset_cmdlist
( $ipset_ruleset, $verbose );
224 print " \n iptables cmdlist: \n " ;
225 my ( undef , $ruleset_changes ) = PVE
:: Firewall
:: get_ruleset_cmdlist
( $ruleset, $verbose );
227 print " \n ip6tables cmdlist: \n " ;
228 my ( undef , $ruleset_changesv6 ) = PVE
:: Firewall
:: get_ruleset_cmdlist
( $rulesetv6, $verbose, "ip6tables" );
230 if ( $ipset_changes || $ruleset_changes || $ruleset_changesv6 ) {
231 print "detected changes \n " ;
233 print "no changes \n " ;
235 if (! $cluster_conf ->{ options
}->{ enable
}) {
236 print "firewall disabled \n " ;
241 PVE
:: Firewall
:: run_locked
( $code );
246 __PACKAGE__-
> register_method ({
250 description
=> "Print information about local network." ,
252 additionalProperties
=> 0 ,
255 returns
=> { type
=> 'null' },
259 local $SIG { '__WARN__' } = 'DEFAULT' ; # do not fill up syslog
261 my $nodename = PVE
:: INotify
:: nodename
();
262 print "local hostname: $nodename\n " ;
264 my $ip = PVE
:: Cluster
:: remote_node_ip
( $nodename );
265 print "local IP address: $ip\n " ;
267 my $cluster_conf = PVE
:: Firewall
:: load_clusterfw_conf
();
269 my $localnet = PVE
:: Firewall
:: local_network
() || '127.0.0.0/8' ;
270 print "network auto detect: $localnet\n " ;
271 if ( $cluster_conf ->{ aliases
}->{ local_network
}) {
272 print "using user defined local_network: $cluster_conf ->{aliases}->{local_network}->{cidr} \n " ;
274 print "using detected local_network: $localnet\n " ;
280 __PACKAGE__-
> register_method ({
284 description
=> "Simulate firewall rules. This does not simulate kernel 'routing' table. Instead, this simply assumes that routing from source zone to destination zone is possible." ,
286 additionalProperties
=> 0 ,
289 description
=> "Verbose output." ,
295 description
=> "Source zone." ,
297 pattern
=> '(host|outside|vm\d+|ct\d+|vmbr\d+/\S+)' ,
299 default => 'outside' ,
302 description
=> "Destination zone." ,
304 pattern
=> '(host|outside|vm\d+|ct\d+|vmbr\d+/\S+)' ,
309 description
=> "Protocol." ,
311 pattern
=> '(tcp|udp)' ,
316 description
=> "Destination port." ,
323 description
=> "Source port." ,
330 description
=> "Source IP address." ,
331 type
=> 'string' , format
=> 'ipv4' ,
335 description
=> "Destination IP address." ,
336 type
=> 'string' , format
=> 'ipv4' ,
341 returns
=> { type
=> 'null' },
345 local $SIG { '__WARN__' } = 'DEFAULT' ; # do not fill up syslog
347 my ( $ruleset, $ipset_ruleset, $rulesetv6 ) = PVE
:: Firewall
:: compile
( undef , undef , undef , $param ->{ verbose
});
349 PVE
:: FirewallSimulator
:: debug
( $param ->{ verbose
} || 0 );
351 my $host_ip = PVE
:: Cluster
:: remote_node_ip
( $nodename );
353 PVE
:: FirewallSimulator
:: reset_trace
();
354 print Dumper
( $ruleset ) if $param ->{ verbose
};
357 from
=> $param ->{ from
},
359 proto
=> $param ->{ protocol
} || 'tcp' ,
360 source
=> $param ->{ source
},
361 dest
=> $param ->{ dest
},
362 dport
=> $param ->{ dport
},
363 sport
=> $param ->{ sport
},
366 if (! defined ( $test ->{ to
})) {
367 $test ->{ to
} = 'host' ;
368 PVE
:: FirewallSimulator
:: add_trace
( "Set Zone: to => ' $test ->{to}' \n " );
370 if (! defined ( $test ->{ from
})) {
371 $test ->{ from
} = 'outside' ,
372 PVE
:: FirewallSimulator
:: add_trace
( "Set Zone: from => ' $test ->{from}' \n " );
375 my $vmdata = PVE
:: Firewall
:: read_local_vm_config
();
377 print "Test packet: \n " ;
379 foreach my $k ( qw(from to proto source dest dport sport) ) {
380 printf ( " %-8s: %s\n " , $k, $test ->{ $k }) if defined ( $test ->{ $k });
383 $test ->{ action
} = 'QUERY' ;
385 my $res = PVE
:: FirewallSimulator
:: simulate_firewall
( $ruleset, $ipset_ruleset,
386 $host_ip, $vmdata, $test );
388 print "ACTION: $res\n " ;
394 start
=> [ __PACKAGE__
, 'start' , []],
395 restart
=> [ __PACKAGE__
, 'restart' , []],
396 stop
=> [ __PACKAGE__
, 'stop' , []],
397 compile
=> [ __PACKAGE__
, 'compile' , []],
398 simulate
=> [ __PACKAGE__
, 'simulate' , []],
399 localnet
=> [ __PACKAGE__
, 'localnet' , []],
400 status
=> [ __PACKAGE__
, 'status' , [], undef , sub {
402 my $status = ( $res ->{ enable
} ?
"enabled" : "disabled" ) . '/' . $res ->{ status
};
404 if ( $res ->{ changes
}) {
405 print "Status: $status (pending changes) \n " ;
407 print "Status: $status\n " ;
414 PVE
:: CLIHandler
:: handle_cmd
( $cmddef, $0, $cmd, \
@ARGV, undef , $0 );
422 pve-firewall - PVE Firewall Daemon
430 This service updates iptables rules periodically.
432 =include pve_copyright