6 use POSIX
":sys_wait_h";
9 use Time
::HiRes qw
(gettimeofday
);
10 use PVE
::Tools
qw(dir_glob_foreach file_read_firstline);
12 use PVE
::Cluster
qw(cfs_read_file);
13 use PVE
::RPCEnvironment
;
16 use PVE
::FirewallSimulator
;
19 use base
qw(PVE::CLIHandler);
21 my $pve_firewall_pidfile = "/var/run/pve-firewall.pid";
23 $SIG{'__WARN__'} = sub {
28 syslog
('warning', "WARNING: %s", $t);
32 initlog
('pve-firewall');
34 $ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
36 die "please run as root\n" if $> != 0;
38 PVE
::INotify
::inotify_init
();
40 my $rpcenv = PVE
::RPCEnvironment-
>init('cli');
42 $rpcenv->init_request();
43 $rpcenv->set_language($ENV{LANG
});
44 $rpcenv->set_user('root@pam');
46 my $nodename = PVE
::INotify
::nodename
();
48 my $commandline = [$0, @ARGV];
55 syslog
('info', "server shutdown (restart)");
57 $ENV{RESTART_PVE_FIREWALL
} = 1;
59 sleep($waittime) if $waittime; # avoid high server load due to restarts
61 PVE
::INotify
::inotify_close
();
64 exit (-1); # never reached?
68 unlink "$pve_firewall_pidfile.lock";
69 unlink $pve_firewall_pidfile;
74 my $lkfn = "$pidfile.lock";
76 if (!open (FLCK
, ">>$lkfn")) {
77 my $msg = "can't aquire lock on file '$lkfn' - $!";
82 if (!flock (FLCK
, LOCK_EX
|LOCK_NB
)) {
84 my $msg = "can't aquire lock '$lkfn' - $!";
93 if (!open (PIDFH
, ">$pidfile")) {
94 my $msg = "can't open pid file '$pidfile' - $!";
102 my $restart_request = 0;
108 my $initial_memory_usage;
113 # try to get the lock
114 lockpidfile
($pve_firewall_pidfile);
119 my $restart = $ENV{RESTART_PVE_FIREWALL
};
121 delete $ENV{RESTART_PVE_FIREWALL
};
123 PVE
::Cluster
::cfs_update
();
125 PVE
::Firewall
::init
();
127 if (!$param->{debug
}) {
128 open STDIN
, '</dev/null' || die "can't read /dev/null";
129 open STDOUT
, '>/dev/null' || die "can't write /dev/null";
132 if (!$restart && !$param->{debug
}) {
134 if (!defined ($spid)) {
135 my $msg = "can't put server into background - fork failed";
138 } elsif ($spid) { # parent
143 writepidfile
($pve_firewall_pidfile);
145 open STDERR
, '>&STDOUT' || die "can't close STDERR\n";
147 $SIG{INT
} = $SIG{TERM
} = $SIG{QUIT
} = sub {
148 syslog
('info' , "server closing");
150 $SIG{INT
} = 'DEFAULT';
153 1 while (waitpid(-1, POSIX
::WNOHANG
()) > 0);
155 syslog
('info' , "clear firewall rules");
156 eval { PVE
::Firewall
::remove_pvefw_chains
(); die "STOP";};
165 # wake up process, so this forces an immediate firewall rules update
166 syslog
('info' , "received signal HUP (restart)");
167 $restart_request = 1;
171 syslog
('info' , "restarting server");
173 syslog
('info' , "starting server");
180 local $SIG{'__WARN__'} = 'IGNORE'; # do not fill up logs
182 $next_update = time() + $updatetime;
184 my ($ccsec, $cusec) = gettimeofday
();
186 PVE
::Cluster
::cfs_update
();
187 PVE
::Firewall
::update
();
192 syslog
('err', "status update error: $err");
195 my ($ccsec_end, $cusec_end) = gettimeofday
();
196 my $cptime = ($ccsec_end-$ccsec) + ($cusec_end - $cusec)/1000000;
198 syslog
('info', sprintf("firewall update time (%.3f seconds)", $cptime))
203 my $mem = PVE
::ProcFSTools
::read_memory_usage
();
205 if (!defined($initial_memory_usage) || ($cycle < 10)) {
206 $initial_memory_usage = $mem->{resident
};
208 my $diff = $mem->{resident
} - $initial_memory_usage;
209 if ($diff > 5*1024*1024) {
210 syslog
('info', "restarting server after $cycle cycles to " .
211 "reduce memory usage (free $mem->{resident} ($diff) bytes)");
217 while ((time() < $next_update) &&
218 ($wcount < $updatetime) && # protect against time wrap
219 !$restart_request) { $wcount++; sleep (1); };
221 restart_server
() if $restart_request;
227 syslog
('err', "ERROR: $err");
234 __PACKAGE__-
>register_method ({
238 description
=> "Start the Proxmox VE firewall service.",
240 additionalProperties
=> 0,
243 description
=> "Debug mode - stay in foreground",
250 returns
=> { type
=> 'null' },
260 __PACKAGE__-
>register_method ({
264 description
=> "Stop firewall. This removes all Proxmox VE related iptable rules. The host is unprotected afterwards.",
266 additionalProperties
=> 0,
269 returns
=> { type
=> 'null' },
274 my $pid = int(PVE
::Tools
::file_read_firstline
($pve_firewall_pidfile) || 0);
277 if (PVE
::ProcFSTools
::check_process_running
($pid)) {
278 kill(15, $pid); # send TERM signal
279 # give max 5 seconds to shut down
280 for (my $i = 0; $i < 5; $i++) {
281 last if !PVE
::ProcFSTools
::check_process_running
($pid);
289 if (-f
$pve_firewall_pidfile) {
290 # try to get the lock
291 lockpidfile
($pve_firewall_pidfile);
299 __PACKAGE__-
>register_method ({
303 description
=> "Get firewall status.",
305 additionalProperties
=> 0,
310 additionalProperties
=> 0,
314 enum
=> ['unknown', 'stopped', 'running'],
317 description
=> "Firewall is enabled (in 'cluster.fw')",
321 description
=> "Set when there are pending changes.",
330 local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
334 my $pid = int(PVE
::Tools
::file_read_firstline
($pve_firewall_pidfile) || 0);
335 my $running = PVE
::ProcFSTools
::check_process_running
($pid);
337 my $status = $running ?
'running' : 'stopped';
339 my $res = { status
=> $status };
341 my $verbose = 1; # show syntax errors
342 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
(undef, $verbose);
343 $res->{enable
} = $cluster_conf->{options
}->{enable
} ?
1 : 0;
345 if ($status eq 'running') {
347 my ($ruleset, $ipset_ruleset, $rulesetv6) = PVE
::Firewall
::compile
($cluster_conf, undef, undef, $verbose);
349 $verbose = 0; # do not show iptables details
350 my (undef, undef, $ipset_changes) = PVE
::Firewall
::get_ipset_cmdlist
($ipset_ruleset, $verbose);
351 my ($test, $ruleset_changes) = PVE
::Firewall
::get_ruleset_cmdlist
($ruleset, $verbose);
353 $res->{changes
} = ($ipset_changes || $ruleset_changes) ?
1 : 0;
359 return PVE
::Firewall
::run_locked
($code);
362 __PACKAGE__-
>register_method ({
366 description
=> "Compile and print firewall rules. This is useful for testing.",
368 additionalProperties
=> 0,
371 returns
=> { type
=> 'null' },
376 local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
382 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
(undef, $verbose);
383 my ($ruleset, $ipset_ruleset, $rulesetv6) = PVE
::Firewall
::compile
($cluster_conf, undef, undef, $verbose);
385 my (undef, undef, $ipset_changes) = PVE
::Firewall
::get_ipset_cmdlist
($ipset_ruleset, $verbose);
386 my (undef, $ruleset_changes) = PVE
::Firewall
::get_ruleset_cmdlist
($ruleset, $verbose);
388 if ($ipset_changes || $ruleset_changes) {
389 print "detected changes\n";
391 print "no changes\n";
393 if (!$cluster_conf->{options
}->{enable
}) {
394 print "firewall disabled\n";
399 PVE
::Firewall
::run_locked
($code);
404 __PACKAGE__-
>register_method ({
408 description
=> "Print information about local network.",
410 additionalProperties
=> 0,
413 returns
=> { type
=> 'null' },
417 local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
419 my $nodename = PVE
::INotify
::nodename
();
420 print "local hostname: $nodename\n";
422 my $ip = PVE
::Cluster
::remote_node_ip
($nodename);
423 print "local IP address: $ip\n";
425 my $cluster_conf = PVE
::Firewall
::load_clusterfw_conf
();
427 my $localnet = PVE
::Firewall
::local_network
() || '127.0.0.0/8';
428 print "network auto detect: $localnet\n";
429 if ($cluster_conf->{aliases
}->{local_network
}) {
430 print "using user defined local_network: $cluster_conf->{aliases}->{local_network}->{cidr}\n";
432 print "using detected local_network: $localnet\n";
438 __PACKAGE__-
>register_method ({
442 description
=> "Simulate firewall rules. This does not simulate kernel 'routing' table. Instead, this simply assumes that routing from source zone to destination zone is possible.",
444 additionalProperties
=> 0,
447 description
=> "Verbose output.",
453 description
=> "Source zone.",
455 pattern
=> '(host|outside|vm\d+|ct\d+|vmbr\d+/\S+)',
457 default => 'outside',
460 description
=> "Destination zone.",
462 pattern
=> '(host|outside|vm\d+|ct\d+|vmbr\d+/\S+)',
467 description
=> "Protocol.",
469 pattern
=> '(tcp|udp)',
474 description
=> "Destination port.",
481 description
=> "Source port.",
488 description
=> "Source IP address.",
489 type
=> 'string', format
=> 'ipv4',
493 description
=> "Destination IP address.",
494 type
=> 'string', format
=> 'ipv4',
499 returns
=> { type
=> 'null' },
503 local $SIG{'__WARN__'} = 'DEFAULT'; # do not fill up syslog
505 my ($ruleset, $ipset_ruleset, $rulesetv6) = PVE
::Firewall
::compile
(undef, undef, undef, $param->{verbose
});
507 PVE
::FirewallSimulator
::debug
($param->{verbose
} || 0);
509 my $host_ip = PVE
::Cluster
::remote_node_ip
($nodename);
511 PVE
::FirewallSimulator
::reset_trace
();
512 print Dumper
($ruleset) if $param->{verbose
};
515 from
=> $param->{from
},
517 proto
=> $param->{protocol
} || 'tcp',
518 source
=> $param->{source
},
519 dest
=> $param->{dest
},
520 dport
=> $param->{dport
},
521 sport
=> $param->{sport
},
524 if (!defined($test->{to
})) {
525 $test->{to
} = 'host';
526 PVE
::FirewallSimulator
::add_trace
("Set Zone: to => '$test->{to}'\n");
528 if (!defined($test->{from
})) {
529 $test->{from
} = 'outside',
530 PVE
::FirewallSimulator
::add_trace
("Set Zone: from => '$test->{from}'\n");
533 my $vmdata = PVE
::Firewall
::read_local_vm_config
();
535 print "Test packet:\n";
537 foreach my $k (qw(from to proto source dest dport sport)) {
538 printf(" %-8s: %s\n", $k, $test->{$k}) if defined($test->{$k});
541 $test->{action
} = 'QUERY';
543 my $res = PVE
::FirewallSimulator
::simulate_firewall
($ruleset, $ipset_ruleset,
544 $host_ip, $vmdata, $test);
546 print "ACTION: $res\n";
552 start
=> [ __PACKAGE__
, 'start', []],
553 stop
=> [ __PACKAGE__
, 'stop', []],
554 compile
=> [ __PACKAGE__
, 'compile', []],
555 simulate
=> [ __PACKAGE__
, 'simulate', []],
556 localnet
=> [ __PACKAGE__
, 'localnet', []],
557 status
=> [ __PACKAGE__
, 'status', [], undef, sub {
559 my $status = ($res->{enable
} ?
"enabled" : "disabled") . '/' . $res->{status
};
561 if ($res->{changes
}) {
562 print "Status: $status (pending changes)\n";
564 print "Status: $status\n";
571 PVE
::CLIHandler
::handle_cmd
($cmddef, $0, $cmd, \
@ARGV, undef, $0);
579 pve-firewall - PVE Firewall Daemon
587 This service updates iptables rules periodically.
589 =include pve_copyright